diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE index ca08e6063..6a2b30eea 100644 --- a/third_party/yara/YARAForge/RELEASE +++ b/third_party/yara/YARAForge/RELEASE @@ -1 +1 @@ -20260517 +20260524 diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar index 4fe8b8838..f876030dd 100644 --- a/third_party/yara/YARAForge/yara-rules-full.yar +++ b/third_party/yara/YARAForge/yara-rules-full.yar @@ -12,9 +12,9 @@ * Force Exclude Importance Level: 0 * Minimum Age (in days): 0 * Minimum Score: 40 - * Creation Date: 2026-05-17 - * Number of Rules: 11679 - * Skipped: 0 (age), 229 (quality), 8 (score), 0 (importance) + * Creation Date: 2026-05-24 + * Number of Rules: 11703 + * Skipped: 0 (age), 231 (quality), 8 (score), 0 (importance) */ import "console" @@ -30,7 +30,7 @@ import "string" * YARA Rule Set * Repository Name: ReversingLabs * Repository: https://github.com/reversinglabs/reversinglabs-yara-rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: e0a0be54aa1e11ccfd6854e4f19e9476f328fd84 * Number of Rules: 1240 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -24188,8 +24188,8 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE description = "Yara rule that detects Vit virus." author = "ReversingLabs" id = "4515fe43-4c5a-521d-82b7-273823f0c64e" - date = "2026-05-17" - date = "2026-05-17" + date = "2026-05-24" + date = "2026-05-24" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e0a0be54aa1e11ccfd6854e4f19e9476f328fd84/yara/virus/Linux.Virus.Vit.yara#L3-L36" 
@@ -40802,8 +40802,8 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE description = "Yara rule that detects Oct ransomware." author = "ReversingLabs" id = "e811a0ba-52df-5e88-ab71-df91d5cb584a" - date = "2026-10-17" - date = "2026-10-17" + date = "2026-10-24" + date = "2026-10-24" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e0a0be54aa1e11ccfd6854e4f19e9476f328fd84/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara#L1-L68" @@ -55233,8 +55233,8 @@ rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE description = "Yara rule that detects Oni ransomware." author = "ReversingLabs" id = "9190aee2-1119-546e-82ca-a7aba44a9d7f" - date = "2026-05-17" - date = "2026-05-17" + date = "2026-05-24" + date = "2026-05-24" modified = "2020-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/e0a0be54aa1e11ccfd6854e4f19e9476f328fd84/yara/ransomware/Win32.Ransomware.Oni.yara#L1-L82" @@ -60236,7 +60236,7 @@ rule REVERSINGLABS_Win32_Ransomware_Mountlocker : TC_DETECTION MALICIOUS MALWARE * YARA Rule Set * Repository Name: R3c0nst * Repository: https://github.com/fboldewin/YARA-rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 54e9e6899b258b72074b2b4db6909257683240c2 * Number of Rules: 26 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -60995,8 +60995,8 @@ rule R3C0NST_ATM_Malware_Dispcashbr : FILE * YARA Rule Set * Repository Name: CAPE * Repository: https://github.com/kevoreilly/CAPEv2 - * Retrieval Date: 2026-05-17 - * Git Commit: 3eaf9b6260ad2edab8766bea72ddf35d80825dab + * Retrieval Date: 2026-05-24 + * Git Commit: 901937591781206057f0b00ccd9c7d3a09013935 * Number of Rules: 187 * Skipped: 0 (age), 18 (quality), 3 (score), 0 (importance) * 
@@ -61678,8 +61678,8 @@ rule CAPE_Guloaderprecursor : FILE date = "2020-12-29" modified = "2023-10-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Guloader.yar#L17-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Guloader.yar#L17-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070" score = 75 quality = 70 @@ -61702,8 +61702,8 @@ rule CAPE_Amatera : FILE date = "2025-06-25" modified = "2025-06-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Amatera.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Amatera.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af" logic_hash = "1c02f04846568b85acbd4101b2e944dc824179f7cff1bceaec1c657939b610d5" score = 75 
@@ -61728,8 +61728,8 @@ rule CAPE_Zloader : FILE date = "2021-03-12" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Zloader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Zloader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa" score = 75 quality = 70 @@ -61752,8 +61752,8 @@ rule CAPE_Zloader_2024 : FILE date = "2021-03-12" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Zloader.yar#L14-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Zloader.yar#L14-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e" score = 75 quality = 70 
@@ -61777,8 +61777,8 @@ rule CAPE_Hijackloaderstub date = "2026-01-26" modified = "2026-01-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/HijackLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/HijackLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "686a19a416b94f6ccdd1891ff027452c84b2171ee4268ff971f490e18948a6f5" score = 75 quality = 70 @@ -61802,8 +61802,8 @@ rule CAPE_Agentteslav4Jit date = "2023-09-13" modified = "2024-02-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/AgentTesla.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/AgentTesla.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc" score = 75 quality = 70 
@@ -61828,8 +61828,8 @@ rule CAPE_Agentteslav3Jit date = "2023-09-13" modified = "2024-02-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/AgentTesla.yar#L16-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/AgentTesla.yar#L16-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec" score = 75 quality = 70 @@ -61851,8 +61851,8 @@ rule CAPE_Risepro : FILE date = "2023-12-16" modified = "2023-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/RisePro.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/RisePro.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6" logic_hash = "055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" score = 75 
@@ -61877,8 +61877,8 @@ rule CAPE_Anticuckoo : FILE date = "2023-03-17" modified = "2023-03-17" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5" logic_hash = "a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e" score = 75 @@ -61901,8 +61901,8 @@ rule CAPE_Slowloader date = "2024-09-23" modified = "2024-09-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4" score = 75 quality = 70 
@@ -61925,8 +61925,8 @@ rule CAPE_Darkgate date = "2024-02-26" modified = "2024-02-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/DarkGate.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/DarkGate.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "c1d35921f4fc3bac681a3d5148f517dc0ec90ab8c51e267c8c6cd5b1ca3dc085" logic_hash = "25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191" score = 75 @@ -61954,8 +61954,8 @@ rule CAPE_Smokeinjector : FILE date = "2023-02-06" modified = "2025-11-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "757a2bf8aceb92bee839bfcaba3b1a8bc4c037812b969e0f493e4f7a4ddc9ede" score = 75 quality = 70 
@@ -61978,8 +61978,8 @@ rule CAPE_Bumblebee : FILE date = "2022-04-21" modified = "2023-02-08" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/BumbleBee.yar#L34-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/BumbleBee.yar#L34-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0a632a0b30b28d544880eb1cfdd85e95f455c343d60f8d6922d4196ef7415961" score = 75 quality = 70 @@ -62003,8 +62003,8 @@ rule CAPE_Buerloader : FILE date = "2021-03-13" modified = "2021-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" score = 75 quality = 70 
@@ -62026,8 +62026,8 @@ rule CAPE_Gettickcountantivm date = "2021-12-14" modified = "2022-02-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "662bc7839ed7ddd82d5fdafa29fafd9a9ec299c28820fe4104fbba9be1a09c42" hash = "00f1537b13933762e1146e41f3bac668123fac7eacd0aa1f7be0aa37a91ef3ce" hash = "549bca48d0bac94b6a1e6eb36647cd007fed5c0e75a0e4aa315ceabdafe46541" @@ -62058,8 +62058,8 @@ rule CAPE_Doomedloader : FILE date = "2024-04-12" modified = "2024-07-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/DoomedLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/DoomedLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77" score = 75 quality = 70 
@@ -62083,8 +62083,8 @@ rule CAPE_Vbcrypter date = "2021-03-28" modified = "2021-03-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/VBCrypter.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/VBCrypter.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e" score = 75 quality = 70 @@ -62106,8 +62106,8 @@ rule CAPE_Bruteratelsyscall date = "2024-07-11" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/BruteRatel.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/BruteRatel.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6" score = 75 quality = 70 
@@ -62130,8 +62130,8 @@ rule CAPE_Bruteratelpacker date = "2024-07-11" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/BruteRatel.yar#L14-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/BruteRatel.yar#L14-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6" score = 75 quality = 70 @@ -62155,8 +62155,8 @@ rule CAPE_Bruterateldate date = "2024-07-11" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/BruteRatel.yar#L28-L39" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/BruteRatel.yar#L28-L39" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7" score = 75 quality = 70 
@@ -62179,8 +62179,8 @@ rule CAPE_Bruteratelconfig date = "2024-07-11" modified = "2024-07-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/BruteRatel.yar#L41-L51" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/BruteRatel.yar#L41-L51" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7" score = 75 quality = 70 @@ -62202,8 +62202,8 @@ rule CAPE_Stealcanti : FILE date = "2023-02-22" modified = "2025-09-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Stealc.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Stealc.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d" logic_hash = "4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13" score = 75 
@@ -62227,8 +62227,8 @@ rule CAPE_Stealcstrings : FILE date = "2023-02-22" modified = "2025-09-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Stealc.yar#L15-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Stealc.yar#L15-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc" score = 75 quality = 70 @@ -62251,8 +62251,8 @@ rule CAPE_Stealcv2Strings : FILE date = "2023-02-22" modified = "2025-09-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Stealc.yar#L28-L43" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Stealc.yar#L28-L43" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "923f70edb3ad70957576994008729bf7a087479eed1973c42161aa96fa694baa" score = 75 quality = 70 
@@ -62279,8 +62279,8 @@ rule CAPE_Stealcv2Datecheck : FILE date = "2023-02-22" modified = "2025-09-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Stealc.yar#L45-L56" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Stealc.yar#L45-L56" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "f074aceb7c111156752891acac8690c00dad7c26240fb0752cc12a9a65aa3d30" score = 75 quality = 70 @@ -62303,8 +62303,8 @@ rule CAPE_Privateloader date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526" score = 75 quality = 70 
@@ -62327,8 +62327,8 @@ rule CAPE_Emotetpacker : FILE date = "2022-03-31" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d" logic_hash = "5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd" score = 75 @@ -62352,8 +62352,8 @@ rule CAPE_Dridexloader : FILE date = "2021-03-09" modified = "2021-03-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/DridexLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/DridexLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce" score = 75 quality = 70 
@@ -62375,8 +62375,8 @@ rule CAPE_Darkgateloader date = "2023-08-09" modified = "2025-04-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "00692123615d2f7eaf8aea07754fc9439cf58e1fb8eb4f44f0428b362f27e794" score = 75 quality = 70 @@ -62402,8 +62402,8 @@ rule CAPE_Latrodectus : FILE date = "2024-02-26" modified = "2024-02-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Latrodectus.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Latrodectus.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05" logic_hash = "c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd" score = 75 
@@ -62426,8 +62426,8 @@ rule CAPE_Loadersyscall date = "2024-10-29" modified = "2025-07-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45" score = 75 quality = 70 @@ -62451,8 +62451,8 @@ rule CAPE_Nitrogenloaderaes date = "2024-10-29" modified = "2025-07-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396" score = 75 quality = 70 
@@ -62476,8 +62476,8 @@ rule CAPE_Nitrogenloaderbypass date = "2024-10-29" modified = "2025-07-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457" score = 75 quality = 70 @@ -62501,8 +62501,8 @@ rule CAPE_Nitrogenloaderconfig date = "2024-10-29" modified = "2025-07-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L66" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L66" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "06d49ebf3f67476c83a77734dff0245a51027a35d92e5af07bb9146db5b156ca" score = 75 quality = 70 
@@ -62537,8 +62537,8 @@ rule CAPE_Lumma : FILE date = "2024-01-05" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Lumma.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Lumma.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0" score = 75 quality = 70 @@ -62563,8 +62563,8 @@ rule CAPE_Lummaremap date = "2024-01-05" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Lumma.yar#L16-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Lumma.yar#L16-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713" score = 75 quality = 70 
@@ -62587,8 +62587,8 @@ rule CAPE_Cargobayloader : FILE date = "2023-02-20" modified = "2023-02-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/CargoBayLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/CargoBayLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c" logic_hash = "1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9" score = 75 @@ -62612,8 +62612,8 @@ rule CAPE_Blister : FILE date = "2022-05-10" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb" score = 75 quality = 70 
@@ -62641,8 +62641,8 @@ rule CAPE_Ursnifv3 date = "2021-06-17" modified = "2023-03-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c" score = 75 quality = 70 @@ -62669,8 +62669,8 @@ rule CAPE_Aurastealerbypass date = "2025-09-02" modified = "2025-09-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/AuraStealer.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/AuraStealer.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ae174c96c262b1734c58bd6c5f7112221b08596c180612e4970acada35dbd070" score = 75 quality = 70 
@@ -62695,8 +62695,8 @@ rule CAPE_Rdtscpantivm date = "2021-12-11" modified = "2021-12-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910" score = 75 quality = 70 @@ -62718,8 +62718,8 @@ rule CAPE_Modiloader : FILE date = "2023-10-19" modified = "2025-01-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/ModiLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/ModiLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "1f0cbf841a6bc18d632e0bc3c591266e77c99a7717a15fc4b84d3e936605761f" logic_hash = "9e64e0c40192cc832a1ffa7b3ac65a704596af82515d03706cd7aa1f4498f32f" score = 75 
@@ -62743,8 +62743,8 @@ rule CAPE_Modiloaderold : FILE date = "2023-10-19" modified = "2025-01-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/ModiLoader.yar#L15-L53" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/ModiLoader.yar#L15-L53" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" score = 75 quality = 66 @@ -62788,8 +62788,8 @@ rule CAPE_Pikahook : FILE date = "2024-03-07" modified = "2024-03-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Pikabot.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Pikabot.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd" score = 75 quality = 70 
@@ -62814,8 +62814,8 @@ rule CAPE_Pikexport : FILE date = "2024-03-07" modified = "2024-03-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Pikabot.yar#L16-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Pikabot.yar#L16-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646" logic_hash = "33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42" score = 75 @@ -62839,8 +62839,8 @@ rule CAPE_Xworm date = "2023-11-07" modified = "2023-11-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/XWorm.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/XWorm.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a" score = 75 quality = 70 
@@ -62862,8 +62862,8 @@ rule CAPE_Rhadamanthys date = "2023-01-25" modified = "2025-11-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d" score = 75 quality = 70 @@ -62888,8 +62888,8 @@ rule CAPE_Rhadaanti date = "2023-01-25" modified = "2025-11-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Rhadamanthys.yar#L15-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Rhadamanthys.yar#L15-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b54fd25e3297d358f2a8ec3a868bb4d233ee32d6942f21a53c3d25d35164530b" score = 75 quality = 70 
@@ -62911,8 +62911,8 @@ rule CAPE_Rhadunhook date = "2023-01-25" modified = "2025-11-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Rhadamanthys.yar#L26-L36" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Rhadamanthys.yar#L26-L36" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "f2da2f1ee6b0a3b9fe58b2c35ccf0a0f6dee44228ec92659370d30defdef7ea3" score = 75 quality = 70 @@ -62936,8 +62936,8 @@ rule CAPE_Heavenssyscall : FILE date = "2024-03-25" modified = "2024-03-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" score = 75 quality = 70 
@@ -62961,8 +62961,8 @@ rule CAPE_Themida : FILE date = "2024-09-10" modified = "2024-09-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Themida.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Themida.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257" score = 75 quality = 70 @@ -62985,8 +62985,8 @@ rule CAPE_Icedidsyscallwritemem : FILE date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993" score = 75 quality = 70 
@@ -63010,8 +63010,8 @@ rule CAPE_Icedidhook date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L15-L25" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L15-L25" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f" score = 75 quality = 70 @@ -63033,8 +63033,8 @@ rule CAPE_Icedidpackera : FILE date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L27-L40" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L27-L40" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe" logic_hash = "aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408" score = 75 
@@ -63059,8 +63059,8 @@ rule CAPE_Icedidpackerb : FILE date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L42-L56" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L42-L56" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6" logic_hash = "fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7" score = 75 @@ -63085,8 +63085,8 @@ rule CAPE_Icedidpackerc : FILE date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L58-L71" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L58-L71" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5" hash = "265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844" logic_hash = "f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166" 
@@ -63111,8 +63111,8 @@ rule CAPE_Icedidpackerd : FILE date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L73-L86" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L73-L86" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "7b226f8cc05fa7d846c52eb0ec386ab37f9bae04372372509daa6bacc9f885d8" logic_hash = "6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7" score = 75 @@ -63137,8 +63137,8 @@ rule CAPE_Icedsleep : FILE date = "2021-03-30" modified = "2023-11-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/IcedID.yar#L88-L99" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/IcedID.yar#L88-L99" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70" score = 75 quality = 70 
@@ -63161,8 +63161,8 @@ rule CAPE_Qakbot5 : FILE date = "2022-03-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/QakBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/QakBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767" score = 75 quality = 70 @@ -63186,8 +63186,8 @@ rule CAPE_Qakbot4 : FILE date = "2022-03-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/QakBot.yar#L15-L29" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/QakBot.yar#L15-L29" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5" score = 75 quality = 70 
@@ -63213,8 +63213,8 @@ rule CAPE_Qakbotloader : FILE date = "2022-03-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/QakBot.yar#L31-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/QakBot.yar#L31-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a" logic_hash = "00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98" score = 75 @@ -63241,8 +63241,8 @@ rule CAPE_Qakbotantivm date = "2022-03-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/QakBot.yar#L48-L59" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/QakBot.yar#L48-L59" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7" logic_hash = "20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989" score = 75 
@@ -63265,8 +63265,8 @@ rule CAPE_Singlestepantihook date = "2021-08-26" modified = "2021-08-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" score = 75 quality = 70 @@ -63288,8 +63288,8 @@ rule CAPE_Mysterysnail date = "2021-10-16" modified = "2021-10-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/MysterySnail.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/MysterySnail.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8" score = 75 quality = 70 
@@ -63311,8 +63311,8 @@ rule CAPE_Socks5Systemz : FILE date = "2024-05-22" modified = "2025-05-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Socks5Systemz.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Socks5Systemz.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "7e324bacd1ea57585435b6a5a4c93bda63ca146c100f2361a1c5530b87668299" score = 75 quality = 70 @@ -63342,8 +63342,8 @@ rule CAPE_Formhooka date = "2021-03-07" modified = "2026-05-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Formbook.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Formbook.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d" score = 75 quality = 70 
@@ -63368,8 +63368,8 @@ rule CAPE_Formconfa date = "2021-03-07" modified = "2026-05-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Formbook.yar#L32-L44" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Formbook.yar#L32-L44" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75" score = 75 quality = 70 @@ -63393,8 +63393,8 @@ rule CAPE_Formhelper date = "2021-03-07" modified = "2026-05-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Formbook.yar#L46-L58" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Formbook.yar#L46-L58" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "e049fba8e53934587f97bda5108cf9cece4169a8ff65a5d2788a98f709a68dc0" score = 75 quality = 70 
@@ -63418,8 +63418,8 @@ rule CAPE_Formconfb date = "2021-03-07" modified = "2026-05-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/analyzer/windows/data/yara/Formbook.yar#L60-L75" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/analyzer/windows/data/yara/Formbook.yar#L60-L75" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "c8bf1d3c242a02ae8bee42d570010c8b4a881db64d82b157fc4ac18f71e11f71" score = 75 quality = 70 @@ -63446,8 +63446,8 @@ rule CAPE_Emotetloader : FILE date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/EmotetLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/EmotetLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773" score = 75 quality = 70 
@@ -63469,8 +63469,8 @@ rule CAPE_Stxratloader : FILE date = "2026-04-11" modified = "2026-04-14" reference = "https://www.esentire.com/blog/stx-rat-a-new-rat-in-2026-with-infostealer-capabilities" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/STXRat.yar#L1-L47" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/STXRat.yar#L1-L47" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "e9e9ab77424cfb9a18b5363cde78a953505b7ddd97a057068195510fae7117e0" score = 75 quality = 45 @@ -63520,8 +63520,8 @@ rule CAPE_Stxrat : FILE date = "2026-04-11" modified = "2026-04-14" reference = "https://www.esentire.com/blog/stx-rat-a-new-rat-in-2026-with-infostealer-capabilities" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/STXRat.yar#L49-L120" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/STXRat.yar#L49-L120" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "f82b832e6bf936ff936332c059b1d3b981ce387bf82964ecf64a9cb12cda955d" score = 75 quality = 70 
@@ -63594,8 +63594,8 @@ rule CAPE_Mykings : FILE date = "2025-10-24" modified = "2025-10-26" reference = "https://x.com/YungBinary/status/1981108948498333900" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/MyKings.yar#L1-L23" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/MyKings.yar#L1-L23" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "82647dd23c0247faa045893ec1cf111da2a30528a1b737b59ce1b71172a64473" score = 75 quality = 70 @@ -63629,8 +63629,8 @@ rule CAPE_Zloader_1 : FILE date = "2020-04-04" modified = "2025-12-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Zloader.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Zloader.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa" logic_hash = "525670973b67aac048199529c97d6be00b0a8cca9bc90deb647366d92a5ea540" score = 75 
@@ -63659,8 +63659,8 @@ rule CAPE_Zloader2024 : FILE date = "2020-04-04" modified = "2025-12-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Zloader.yar#L20-L34" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Zloader.yar#L20-L34" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "49405370a33abbf131c5d550cebe00780cc3fd3cbe888220686582ae88f16af7" logic_hash = "27d883f6d6cab07e602f97a0a032a152386693f79dabf1bb87b0a8a053a38b03" score = 75 @@ -63686,8 +63686,8 @@ rule CAPE_Zloader2025 : FILE date = "2020-04-04" modified = "2025-12-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Zloader.yar#L36-L49" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Zloader.yar#L36-L49" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "86ffd411b42d8d06bdb294f48e79393adeea586c56c5c75c1a68ce6315932881" logic_hash = "cc9c39f0b5e7e8c8853982d9c896bbaac5a36bb0f501c8901d8854f2d5e1a19c" score = 75 
@@ -63712,8 +63712,8 @@ rule CAPE_Seduploader : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Seduploader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Seduploader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516" score = 75 quality = 70 @@ -63735,8 +63735,8 @@ rule CAPE_Doppelpaymer : FILE date = "2019-11-15" modified = "2022-06-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/DoppelPaymer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/DoppelPaymer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d" score = 75 quality = 70 
@@ -63759,8 +63759,8 @@ rule CAPE_Eternalromance : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/EternalRomance.yar#L1-L33" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/EternalRomance.yar#L1-L33" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d" score = 75 quality = 68 @@ -63804,8 +63804,8 @@ rule CAPE_Agent_Tesla date = "2019-10-30" modified = "2026-01-14" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AgentTesla.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AgentTesla.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be" score = 75 quality = 70 
@@ -63831,8 +63831,8 @@ rule CAPE_Agenttesla : FILE date = "2019-10-30" modified = "2026-01-14" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AgentTesla.yar#L19-L41" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AgentTesla.yar#L19-L41" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188" score = 75 quality = 70 @@ -63864,8 +63864,8 @@ rule CAPE_Agentteslav2 : FILE date = "2019-10-30" modified = "2026-01-14" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AgentTesla.yar#L43-L67" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AgentTesla.yar#L43-L67" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78" score = 75 quality = 70 
@@ -63901,8 +63901,8 @@ rule CAPE_Agentteslav3 : FILE date = "2019-10-30" modified = "2026-01-14" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AgentTesla.yar#L69-L115" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AgentTesla.yar#L69-L115" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "cc9bbbcf3608b49a76b098acf846ff03eae5e9cb107697627d62661fa1be36c2" score = 75 quality = 70 @@ -63940,8 +63940,8 @@ rule CAPE_Agentteslav4 : FILE date = "2019-10-30" modified = "2026-01-14" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AgentTesla.yar#L117-L130" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AgentTesla.yar#L117-L130" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9" score = 75 quality = 70 
@@ -63966,8 +63966,8 @@ rule CAPE_Locky : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Locky.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Locky.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7" score = 75 quality = 70 @@ -63991,8 +63991,8 @@ rule CAPE_Hermes : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Hermes.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Hermes.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b" score = 75 quality = 70 
@@ -64016,8 +64016,8 @@ rule CAPE_Trickbot date = "2019-10-30" modified = "2023-02-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/TrickBot.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/TrickBot.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea" score = 75 quality = 70 @@ -64048,8 +64048,8 @@ rule CAPE_Trickbot_Permadll_UEFI_Module date = "2019-10-30" modified = "2023-02-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/TrickBot.yar#L22-L38" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/TrickBot.yar#L22-L38" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "491115422a6b94dc952982e6914adc39" logic_hash = "564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2" score = 75 
@@ -64077,8 +64077,8 @@ rule CAPE_Arkei : FILE date = "2019-10-30" modified = "2025-01-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Arkei.yar#L1-L50" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Arkei.yar#L1-L50" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "296e420880d8d2f24424d0411e7ef4939e18147689557512f410da48498a44c9" score = 75 quality = 70 @@ -64134,8 +64134,8 @@ rule CAPE_Smokeloader date = "2019-10-30" modified = "2025-11-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/SmokeLoader.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/SmokeLoader.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "8e2f95af9b25ccfd8ad7b56f75a37bb085bde1b2feda2e6502568e86c928ed68" score = 75 quality = 70 
@@ -64162,8 +64162,8 @@ rule CAPE_Monsterv2 : FILE date = "2025-09-06" modified = "2025-09-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/MonsterV2.yar#L1-L21" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/MonsterV2.yar#L1-L21" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "d4e65f860e69b2eee8a818a4146d91b84ce6da30c8fa27593587932e4f0847a8" score = 75 quality = 70 @@ -64195,8 +64195,8 @@ rule CAPE_Bumblebeeshellcode_1 date = "2022-04-21" modified = "2024-10-29" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/BumbleBee.yar#L18-L33" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/BumbleBee.yar#L18-L33" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "d56f8c4e491d0d1b34e396e73750bef9917ca4f708fb6a2681de772a65c13a40" score = 75 quality = 70 
@@ -64223,8 +64223,8 @@ rule CAPE_Bumblebee2024 date = "2022-04-21" modified = "2024-10-29" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/BumbleBee.yar#L52-L68" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/BumbleBee.yar#L52-L68" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2" score = 75 quality = 70 @@ -64252,8 +64252,8 @@ rule CAPE_Buerloader_1 : FILE date = "2020-10-29" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/BuerLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/BuerLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29" score = 75 quality = 70 
@@ -64277,8 +64277,8 @@ rule CAPE_Hancitor : FILE date = "2019-10-30" modified = "2020-10-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Hancitor.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Hancitor.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c" score = 75 quality = 70 @@ -64303,8 +64303,8 @@ rule CAPE_Xenorat date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/XenoRAT.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/XenoRAT.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef" score = 75 quality = 66 
@@ -64331,8 +64331,8 @@ rule CAPE_Tscookie : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/TSCookie.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/TSCookie.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3" score = 75 quality = 70 @@ -64356,8 +64356,8 @@ rule CAPE_Bruteratel date = "2024-07-11" modified = "2024-07-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/BruteRatel.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/BruteRatel.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66" score = 75 quality = 70 
@@ -64382,8 +64382,8 @@ rule CAPE_Badrabbit : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/BadRabbit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/BadRabbit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c" score = 75 quality = 70 @@ -64407,8 +64407,8 @@ rule CAPE_Nightshadec2 : FILE date = "2025-09-04" modified = "2025-09-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/NightshadeC2.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/NightshadeC2.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d" logic_hash = "f9fabc391e21180a1c92abea0a5ded6d7669e8d8f2330b69d6c1227c9b4237a0" score = 75 
@@ -64438,8 +64438,8 @@ rule CAPE_Dridexv4 : FILE date = "2019-10-30" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/DridexV4.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/DridexV4.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6" score = 75 quality = 70 @@ -64465,8 +64465,8 @@ rule CAPE_Stealc : FILE date = "2023-02-22" modified = "2025-08-21" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Stealc.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Stealc.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d" logic_hash = "a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4" score = 75 
@@ -64490,8 +64490,8 @@ rule CAPE_Stealcv2 : FILE date = "2023-02-22" modified = "2025-08-21" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Stealc.yar#L15-L32" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Stealc.yar#L15-L32" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "911c6a7f63e91a788898f3cc6e66396e39d5bd48f8fbaac49ee5dbbdaa64d5a0" score = 75 quality = 70 @@ -64520,8 +64520,8 @@ rule CAPE_Petya : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Petya.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Petya.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014" score = 75 quality = 70 
@@ -64545,8 +64545,8 @@ rule CAPE_Kovter : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Kovter.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Kovter.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d" score = 75 quality = 70 @@ -64571,8 +64571,8 @@ rule CAPE_Dridexloader_1 : FILE date = "2019-11-12" modified = "2021-03-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/DridexLoader.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/DridexLoader.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588" score = 75 quality = 70 
@@ -64599,8 +64599,8 @@ rule CAPE_Chaosbot : FILE date = "2025-10-16" modified = "2025-10-16" reference = "https://x.com/YungBinary/status/1976580501508182269" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/ChaosBot.yar#L1-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/ChaosBot.yar#L1-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "fcb04697dbef62497421318d5dfe7cdf5533b432975ebbfb3bd64ebbfeb4a592" score = 75 quality = 62 @@ -64634,8 +64634,8 @@ rule CAPE_Asyncrat_Kingrat date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L1-L30" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L1-L30" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "1400d2029dfb66d8f2dc34db8643d6301f3af9bd356639f883d2c10bcc0c3947" score = 75 quality = 58 
@@ -64673,8 +64673,8 @@ rule CAPE_Stormkitty : FILE date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L32-L57" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L32-L57" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "258f5d9da80ff912459194b1139f062491df21a44456942951e2bd98e4b86c9b" score = 75 quality = 66 @@ -64709,8 +64709,8 @@ rule CAPE_Worldwind : FILE date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L60-L82" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L60-L82" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "9bb04fad460193cd877ea7f2de9337f69aadda01aee6c79f0a23cdf564b1e6c8" score = 75 quality = 45 
@@ -64745,8 +64745,8 @@ rule CAPE_Prynt : FILE date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L85-L107" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L85-L107" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "84f2b33285ab1d129a62940a02990639cc8f7c92d490d7257e6aed9170d1e34e" score = 75 quality = 70 @@ -64781,8 +64781,8 @@ rule CAPE_Xworm_1 : FILE date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L110-L136" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L110-L136" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7" score = 75 quality = 68 
@@ -64821,8 +64821,8 @@ rule CAPE_Xworm_Kingrat date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L138-L155" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L138-L155" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3" score = 75 quality = 66 @@ -64853,8 +64853,8 @@ rule CAPE_Dcrat : FILE date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L157-L222" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L157-L222" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8" score = 75 quality = 45 
@@ -64927,8 +64927,8 @@ rule CAPE_Dcrat_Kingrat date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L224-L243" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L224-L243" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54" score = 75 quality = 62 @@ -64960,8 +64960,8 @@ rule CAPE_Quasarrat : FILE date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L245-L266" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L245-L266" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b" score = 75 quality = 70 
@@ -64995,8 +64995,8 @@ rule CAPE_Quasarrat_Kingrat date = "2024-10-09" modified = "2025-02-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AsyncRAT.yar#L268-L287" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AsyncRAT.yar#L268-L287" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7" score = 75 quality = 70 @@ -65028,8 +65028,8 @@ rule CAPE_Vipkeylogger : FILE date = "2025-09-11" modified = "2025-09-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/VIPKeyLogger.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/VIPKeyLogger.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b9dba7562bba4807c0789692d44650996e62c8d0c4031dedd65773877621b1de" score = 75 quality = 70 
@@ -65054,8 +65054,8 @@ rule CAPE_Aurorastealer : FILE date = "2022-12-14" modified = "2023-03-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AuroraStealer.yar#L1-L74" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AuroraStealer.yar#L1-L74" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5" score = 75 quality = 45 @@ -65134,8 +65134,8 @@ rule CAPE_Cobaltstrikestager date = "2023-01-18" modified = "2023-01-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5" score = 75 quality = 70 
@@ -65161,8 +65161,8 @@ rule CAPE_Nighthawk date = "2022-12-03" modified = "2022-12-05" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Nighthawk.yar#L3-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Nighthawk.yar#L3-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2" score = 75 quality = 70 @@ -65186,8 +65186,8 @@ rule CAPE_Nemty : FILE date = "2020-04-03" modified = "2020-04-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Nemty.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Nemty.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419" score = 75 quality = 70 
@@ -65211,8 +65211,8 @@ rule CAPE_Latrodectus_1 date = "2024-01-18" modified = "2025-05-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Latrodectus.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Latrodectus.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "a547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811" logic_hash = "a8430299930f4c8de0a88c6836d4821871f7183cc5ff44ea9be84fbea47bbb13" score = 75 @@ -65239,8 +65239,8 @@ rule CAPE_Latrodectus_AES date = "2024-01-18" modified = "2025-05-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Latrodectus.yar#L18-L34" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Latrodectus.yar#L18-L34" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8" logic_hash = "058d278c16527969066d1b4ea7f0e3ab2809d5480cdab06ec476b465e0c4795a" score = 75 
@@ -65268,8 +65268,8 @@ rule CAPE_Atlas : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Atlas.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Atlas.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e" score = 75 quality = 70 @@ -65293,8 +65293,8 @@ rule CAPE_Masslogger : FILE date = "2020-10-20" modified = "2020-11-24" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/MassLogger.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/MassLogger.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c" score = 75 quality = 70 
@@ -65308,21 +65308,21 @@ rule CAPE_Masslogger : FILE condition: uint16( 0 ) == 0x5A4D and 2 of them } -rule CAPE_Nitrogenloader +rule CAPE_Nitrogenloader : FILE { meta: description = "Nitrogen Loader" author = "enzok" - id = "450dc039-c5d5-5d81-945c-def94671825f" + id = "68282572-5ac2-59f2-8a83-a34fc26e3f88" date = "2024-10-29" - modified = "2025-07-28" + modified = "2026-05-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/NitrogenLoader.yar#L1-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" - logic_hash = "4aab353aacc8f6910884e722f2d57439891680963accb906c2cee245437732c6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/NitrogenLoader.yar#L1-L36" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" + logic_hash = "78040e72da7e106e904edb1ecd72d17652b49dbf729b368d8298935635825ea0" score = 75 quality = 68 - tags = "" + tags = "FILE" cape_type = "NitrogenLoader Loader" hash1 = "7b603d63a23201ff0b6ffa9acdd650df9caa1731837d559d93b3d8ce1d82a962" hash2 = "50c2afd792bfe2966133ee385054eaae1f73b04e013ef3434ef2407f99d7f037" @@ -65353,7 +65353,7 @@ rule CAPE_Nitrogenloader $rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF} condition: - (2 of ( $string* ) and any of ( $syscall* ) ) or 4 of ( $decrypt* ) or ( ( 3 of ( $taskman_* ) or 3 of ( $installers* ) ) and all of ( $rc4decrypt_* ) ) + uint16( 0 ) == 0x5a4d and ( ( 2 of ( $string* ) and any of ( $syscall* ) ) or 4 of ( $decrypt* ) or ( ( 3 of ( $taskman_* ) or 3 of ( $installers* ) ) and all of ( $rc4decrypt_* ) ) ) } rule CAPE_Gandcrab : FILE { 
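Review bot: The rewritten condition in `CAPE_Nitrogenloader` now opens with `uint16( 0 ) == 0x5a4d and ( … )`, so the rule only fires on buffers that begin with an MZ header, and the added `: FILE` tag suggests it is meant for file scans only. Data that satisfied the old condition without that header (memory regions, unpacked or carved payloads) would no longer match after this update. The rule's `id` also changes from `450dc039-c5d5-5d81-945c-def94671825f` to `68282572-5ac2-59f2-8a83-a34fc26e3f88`, so any suppression, allow-list or alert mapping keyed on the old id has to be re-pointed. Because the file is vendored, I would not edit the rule here but record both effects in the update's description, and keep a local copy of the previous condition if memory-scan coverage for this family is still needed. The rule's strings section lies between the two hunks and is not visible, so this note covers the condition and metadata only.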
@@ -65364,8 +65364,8 @@ rule CAPE_Gandcrab : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Gandcrab.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Gandcrab.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c" score = 75 quality = 70 @@ -65390,8 +65390,8 @@ rule CAPE_Lumma_1 : FILE date = "2024-01-05" modified = "2025-07-08" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Lumma.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Lumma.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ca7822292c58af68e7a1610362bf0b5d27c93e3222ceec8d216e05a442008f37" score = 75 quality = 70 
@@ -65418,8 +65418,8 @@ rule CAPE_Dreambot : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Dreambot.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Dreambot.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b" score = 75 quality = 70 @@ -65444,8 +65444,8 @@ rule CAPE_Petrwrap : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/PetrWrap.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/PetrWrap.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968" score = 75 quality = 70 
@@ -65470,8 +65470,8 @@ rule CAPE_Rozena date = "2024-03-13" modified = "2024-03-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Rozena.yar#L1-L10" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Rozena.yar#L1-L10" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135" score = 75 quality = 70 @@ -65494,8 +65494,8 @@ rule CAPE_Lockbit : FILE date = "2020-05-14" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Lockbit.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Lockbit.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9" score = 75 quality = 70 
@@ -65521,8 +65521,8 @@ rule CAPE_Azer : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Azer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Azer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5" score = 75 quality = 70 @@ -65546,8 +65546,8 @@ rule CAPE_Nanolocker : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/NanoLocker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/NanoLocker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db" score = 75 quality = 70 
@@ -65571,8 +65571,8 @@ rule CAPE_Nitrobunnydownloader : FILE date = "2025-10-28" modified = "2025-11-05" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/NitroBunnyDownloader.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/NitroBunnyDownloader.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b" logic_hash = "dcc1348c1d1af0c854376cf6331538951362b43d8d76c0ad73bbbdeb1ab4c135" score = 75 @@ -65601,8 +65601,8 @@ rule CAPE_Magniber : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Magniber.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Magniber.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618" score = 75 quality = 70 
@@ -65624,8 +65624,8 @@ rule CAPE_Varenyky : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Varenyky.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Varenyky.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9" score = 75 quality = 70 @@ -65647,8 +65647,8 @@ rule CAPE_Blister_1 : FILE date = "2022-05-10" modified = "2023-09-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2" hash = "d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c" logic_hash = "f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d" 
@@ -65676,8 +65676,8 @@ rule CAPE_Scarab : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Scarab.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Scarab.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6" score = 75 quality = 70 @@ -65701,8 +65701,8 @@ rule CAPE_Carbanak : FILE date = "2023-11-30" modified = "2024-03-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Carbanak.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Carbanak.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84" logic_hash = "8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367" score = 75 
@@ -65727,8 +65727,8 @@ rule CAPE_Remcos : FILE date = "2019-10-30" modified = "2022-05-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Remcos.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Remcos.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710" score = 75 quality = 68 @@ -65753,8 +65753,8 @@ rule CAPE_Ursnifv3_1 : FILE date = "2022-05-31" modified = "2023-03-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/UrsnifV3.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/UrsnifV3.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8" score = 75 quality = 70 
@@ -65783,8 +65783,8 @@ rule CAPE_Codoso : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Codoso.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Codoso.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8" score = 75 quality = 70 @@ -65808,8 +65808,8 @@ rule CAPE_Wanacry : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/WanaCry.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/WanaCry.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944" score = 75 quality = 70 
@@ -65835,8 +65835,8 @@ rule CAPE_Zerot : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/ZeroT.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/ZeroT.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803" score = 75 quality = 68 @@ -65862,8 +65862,8 @@ rule CAPE_Kpot : FILE date = "2020-10-19" modified = "2020-10-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Kpot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Kpot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f" score = 75 quality = 70 
@@ -65887,8 +65887,8 @@ rule CAPE_Cerber : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Cerber.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Cerber.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3" score = 75 quality = 70 @@ -65910,8 +65910,8 @@ rule CAPE_Obfuscar : FILE date = "2025-03-07" modified = "2025-03-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Obfuscar.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Obfuscar.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5" score = 75 quality = 70 
@@ -65932,8 +65932,8 @@ rule CAPE_Oyster date = "2024-03-01" modified = "2024-05-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Oyster.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Oyster.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650" logic_hash = "23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540" score = 75 @@ -65963,8 +65963,8 @@ rule CAPE_Fareit : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Fareit.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Fareit.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83" score = 75 quality = 70 
@@ -65986,8 +65986,8 @@ rule CAPE_Ursnif : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Ursnif.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Ursnif.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd" score = 75 quality = 70 @@ -66016,8 +66016,8 @@ rule CAPE_Tclient : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/TClient.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/TClient.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d" score = 75 quality = 70 
@@ -66039,8 +66039,8 @@ rule CAPE_Zeuspanda : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/ZeusPanda.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/ZeusPanda.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761" score = 75 quality = 70 @@ -66063,8 +66063,8 @@ rule CAPE_Gootkit : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Gootkit.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Gootkit.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7" score = 75 quality = 70 
@@ -66087,8 +66087,8 @@ rule CAPE_Netsupport : FILE date = "2025-10-17" modified = "2025-10-17" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/NetSupport.yar#L3-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/NetSupport.yar#L3-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "d12e46d74ae0ba9f599d27dc2f55ff92a6648accbcd1a43cc3f1a9a2755e5fc7" score = 75 quality = 70 @@ -66113,8 +66113,8 @@ rule CAPE_Lokibot : FILE date = "2022-02-01" modified = "2022-02-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/LokiBot.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/LokiBot.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06" score = 75 quality = 70 
@@ -66137,8 +66137,8 @@ rule CAPE_Darkcloud : FILE date = "2025-10-16" modified = "2025-10-16" reference = "https://x.com/YungBinary/status/1971585972912689643" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/DarkCloud.yar#L1-L39" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/DarkCloud.yar#L1-L39" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "e9a67fce4c1e4ffa7322c225522263aa4db94ae9f29113a81f5216fb4fa68b57" score = 75 quality = 68 @@ -66182,8 +66182,8 @@ rule CAPE_Pikabotloader : FILE date = "2023-02-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/PikaBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/PikaBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231" score = 75 quality = 70 
@@ -66207,8 +66207,8 @@ rule CAPE_Pikabot : FILE date = "2023-02-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/PikaBot.yar#L15-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/PikaBot.yar#L15-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7" score = 75 quality = 70 @@ -66233,8 +66233,8 @@ rule CAPE_Pik23 : FILE date = "2023-02-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/PikaBot.yar#L30-L44" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/PikaBot.yar#L30-L44" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1" logic_hash = "71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc" score = 75 
@@ -66260,8 +66260,8 @@ rule CAPE_Rokrat : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/RokRat.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/RokRat.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec" score = 75 quality = 70 @@ -66284,8 +66284,8 @@ rule CAPE_Aurastealer date = "2025-09-02" modified = "2025-09-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AuraStealer.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AuraStealer.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "960b83639a898509dc272f3235822401a8f861fa6607991993285b618b882d8b" score = 75 quality = 70 
@@ -66314,8 +66314,8 @@ rule CAPE_Megacortex : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/MegaCortex.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/MegaCortex.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6" score = 75 quality = 70 @@ -66339,8 +66339,8 @@ rule CAPE_Koiloader date = "2024-10-25" modified = "2024-10-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/KoiLoader.yar#L1-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/KoiLoader.yar#L1-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "b462e3235c7578450b2b56a8aff875a3d99d22f6970a01db3ba98f7ecb6b01a0" logic_hash = "264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90" score = 75 
@@ -66384,8 +66384,8 @@ rule CAPE_Rhadamanthys_1 date = "2023-01-25" modified = "2025-12-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Rhadamanthys.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Rhadamanthys.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "3ccfc97202690dd996ffd2b4f09d31e6ee322bf9f0b7759f9b8c455164995f84" score = 75 quality = 70 @@ -66415,8 +66415,8 @@ rule CAPE_Rhadamanthysloader date = "2023-01-25" modified = "2025-12-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Rhadamanthys.yar#L21-L33" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Rhadamanthys.yar#L21-L33" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5505c9ba1f0c6cb9aa9c212bf8bc2c49ad544e99996a1f4c1fa79a27a14d4c7f" score = 75 quality = 70 
@@ -66440,8 +66440,8 @@ rule CAPE_Mole : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Mole.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Mole.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786" score = 75 quality = 70 @@ -66465,8 +66465,8 @@ rule CAPE_Ryuk : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Ryuk.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Ryuk.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c" score = 75 quality = 70 
@@ -66491,8 +66491,8 @@ rule CAPE_Salat : FILE date = "2026-04-17" modified = "2026-04-17" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Salat.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Salat.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "162a7398e0b2a83029bc3369127330636dce2b4f0874a17049cd90995ad89911" score = 75 quality = 70 @@ -66517,8 +66517,8 @@ rule CAPE_Kronos : FILE date = "2019-10-30" modified = "2020-07-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Kronos.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Kronos.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3" score = 75 quality = 70 
@@ -66543,8 +66543,8 @@ rule CAPE_Icedid date = "2019-10-30" modified = "2021-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/IcedID.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/IcedID.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331" score = 75 quality = 45 @@ -66573,8 +66573,8 @@ rule CAPE_Cryptoshield : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Cryptoshield.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Cryptoshield.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6" score = 75 quality = 70 
@@ -66598,8 +66598,8 @@ rule CAPE_Jaff : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Jaff.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Jaff.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418" score = 75 quality = 70 @@ -66624,8 +66624,8 @@ rule CAPE_Adaptixbeacon date = "2025-06-16" modified = "2025-10-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/AdaptixBeacon.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/AdaptixBeacon.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d" logic_hash = "2c1d09cd5e19e5a09dde65411691afd5922959d4a7b5232b28ebf56f26d2f07d" score = 75 
@@ -66654,8 +66654,8 @@ rule CAPE_Bitpaymer : FILE date = "2019-11-27" modified = "2019-11-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/BitPaymer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/BitPaymer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c" score = 75 quality = 70 @@ -66678,8 +66678,8 @@ rule CAPE_Qakbot5_1 : FILE date = "2019-10-30" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/QakBot.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/QakBot.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35" logic_hash = "cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf" score = 75 
@@ -66705,8 +66705,8 @@ rule CAPE_Qakbot4_1 : FILE date = "2019-10-30" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/QakBot.yar#L17-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/QakBot.yar#L17-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f" score = 75 quality = 70 @@ -66736,8 +66736,8 @@ rule CAPE_Vidar : FILE date = "2019-10-30" modified = "2023-04-21" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Vidar.yar#L1-L22" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Vidar.yar#L1-L22" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d" score = 75 quality = 70 
@@ -66770,8 +66770,8 @@ rule CAPE_Squirrelwaffle : FILE date = "2021-09-22" modified = "2021-10-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/SquirrelWaffle.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/SquirrelWaffle.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500" score = 75 quality = 70 @@ -66794,8 +66794,8 @@ rule CAPE_Azorult : FILE date = "2019-10-30" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Azorult.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Azorult.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90" score = 75 quality = 70 
@@ -66818,8 +66818,8 @@ rule CAPE_Bazar : FILE date = "2021-08-26" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Bazar.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Bazar.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d" score = 75 quality = 70 @@ -66842,8 +66842,8 @@ rule CAPE_Amadey : FILE date = "2021-02-18" modified = "2025-08-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Amadey.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Amadey.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4" logic_hash = "5a7405a174b63826500f3b04c6f10bc9b40d5b49e85377bef027204e75dd1e9e" score = 75 
@@ -66869,8 +66869,8 @@ rule CAPE_Rcsession date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/RCSession.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/RCSession.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d" score = 75 quality = 70 @@ -66893,8 +66893,8 @@ rule CAPE_Ramnit : FILE date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Ramnit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Ramnit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd" score = 75 quality = 70 
@@ -66918,8 +66918,8 @@ rule CAPE_Formbook date = "2019-10-30" modified = "2023-10-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Formbook.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Formbook.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e" score = 75 quality = 70 @@ -66948,8 +66948,8 @@ rule CAPE_Conti : FILE date = "2020-10-19" modified = "2021-03-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/data/yara/CAPE/Conti.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/3eaf9b6260ad2edab8766bea72ddf35d80825dab/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/data/yara/CAPE/Conti.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/901937591781206057f0b00ccd9c7d3a09013935/LICENSE" logic_hash = "c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848" score = 75 quality = 70 @@ -66968,7 +66968,7 @@ rule CAPE_Conti : FILE * YARA Rule Set * Repository Name: BinaryAlert * Repository: https://github.com/airbnb/binaryalert/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: a9c0f06affc35e1f8e45bb77f835b92350c68a0b * Number of Rules: 80 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -69432,7 +69432,7 @@ rule BINARYALERT_Ransomware_Windows_Cryptolocker * YARA Rule Set * Repository Name: DeadBits * Repository: https://github.com/deadbits/yara-rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: d002f7ecee23e09142a3ac3e79c84f71dda3f001 * Number of Rules: 19 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -69799,7 +69799,7 @@ rule DEADBITS_Godlua_Linux : LINUXMALWARE FILE license_url = "N/A" logic_hash = "70a8078f261648f050807e82009493e39fa32c0748576b3df76d8aaaa117103e" score = 75 - quality = 51 + quality = 26 tags = "LINUXMALWARE, FILE" Author = "Adam M. Swanda" @@ -70024,7 +70024,7 @@ rule DEADBITS_Acbackdoor_ELF : LINUX MALWARE BACKDOOR description = "No description has been set in the source file - DeadBits" author = "Adam M. Swanda" id = "82eb41bf-cd1d-5b00-973b-31a79c75cfc0" - date = "2019-11-17" + date = "2019-11-24" modified = "2019-12-04" reference = "https://www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/ACBackdoor_Linux.yara#L1-L41" @@ -70071,7 +70071,7 @@ rule DEADBITS_Jsworm : MALWARE FILE license_url = "N/A" logic_hash = "99074e25ec15c5b25fa41bef19203f5ddc227acd51fadca1e2c3ece538b3da01" score = 75 - quality = 78 + quality = 53 tags = "MALWARE, FILE" strings: @@ -70285,7 +70285,7 @@ rule DEADBITS_APT32_Ratsnif : APT32 TROJAN WINMALWARE FILE * YARA Rule Set * Repository Name: DelivrTo * Repository: https://github.com/delivr-to/detections - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: f85e1d0c477cbf4689d1cfe4a80049c465673b23 * Number of Rules: 12 * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance) 
@@ -70580,8 +70580,8 @@ rule DELIVRTO_SUSP_ZIP_Smuggling_Jun01 : FILE * YARA Rule Set * Repository Name: ESET * Repository: https://github.com/eset/malware-ioc - * Retrieval Date: 2026-05-17 - * Git Commit: 07a2f4a99c45eac23f688fde6bc801e93cddba7f + * Retrieval Date: 2026-05-24 + * Git Commit: 2917baf0200204ac41a010e9f4cf0e25c97e76a5 * Number of Rules: 99 * Skipped: 0 (age), 8 (quality), 1 (score), 0 (importance) * @@ -70623,8 +70623,8 @@ private rule ESET_Not_Ms_PRIVATE date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/turla-outlook.yar#L34-L40" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/turla-outlook.yar#L34-L40" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "71f492eaa80bee5e8cc5bec67b2a7fd6f5f71ee2594d9f531043747533c80443" score = 75 quality = 80 @@ -70643,8 +70643,8 @@ private rule ESET_IIS_Native_Module_PRIVATE : FILE date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L34-L92" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L34-L92" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "5a388dc3253df606e2648d1f9c018e6dde373bbddce66dba69b7aecdd95bac18" score = 75 quality = 55 
@@ -70710,8 +70710,8 @@ private rule ESET_Invisimole_Blob_PRIVATE date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L34-L52" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L34-L52" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "8bddaf874da58fbe6362498f8979b511f39531fe2b98d4be8c099bdafb6d0067" score = 75 quality = 80 @@ -70737,8 +70737,8 @@ private rule ESET_Prikormkaearlyversion_PRIVATE date = "2016-05-18" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/groundbait/prikormka.yar#L112-L128" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/groundbait/prikormka.yar#L112-L128" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "681c7fb322953da162c10b76e453aa8ace6673720012383e3cd5528b59b42de3" score = 75 quality = 28 
@@ -70768,8 +70768,8 @@ private rule ESET_Prikormkamodule_PRIVATE date = "2016-05-18" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/groundbait/prikormka.yar#L53-L110" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/groundbait/prikormka.yar#L53-L110" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "d5d7f1a46cbf9ff545c0fa840228d19ee7d45307078b4ae0b5a2fdf1c94d2978" score = 75 quality = 26 @@ -70824,8 +70824,8 @@ private rule ESET_Prikormkadropper_PRIVATE date = "2016-05-18" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/groundbait/prikormka.yar#L33-L51" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/groundbait/prikormka.yar#L33-L51" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "cf524cdf4ffeb5c9280c5c8e7fca524c41e1ce4f9bc46b1fc8cb8b50ea68ec39" score = 75 quality = 28 
@@ -70855,8 +70855,8 @@ private rule ESET_Is_Elf_PRIVATE date = "2015-05-25" modified = "2016-11-01" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/moose/linux-moose.yar#L32-L39" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/moose/linux-moose.yar#L32-L39" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "2a3c9a875852cd3ce86d43b9e4a6ba786ecbae1f18bba73a3bef5b7e8ba67a3b" score = 75 quality = 80 @@ -70877,8 +70877,8 @@ private rule ESET_Potaosecondstage_PRIVATE date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/potao/PotaoNew.yara#L81-L95" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/potao/PotaoNew.yara#L81-L95" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "55f9fc2da09aa9c2e76725985c836f7b8ba5e0b69a9327fb911e8265b340b88c" score = 75 quality = 28 
@@ -70904,8 +70904,8 @@ private rule ESET_Potaousb_PRIVATE date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/potao/PotaoNew.yara#L71-L80" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/potao/PotaoNew.yara#L71-L80" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "8f72afbf3b123ea3914b3eade267bd21f7435fbf9fbde4049ca2600513bb31d9" score = 75 quality = 28 @@ -70928,8 +70928,8 @@ private rule ESET_Potaodll_PRIVATE date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/potao/PotaoNew.yara#L46-L70" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/potao/PotaoNew.yara#L46-L70" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "1d1154eb10cc70b3252e3ca4a85789e8605f2f3b7044f03ec960fd56ab81886a" score = 75 quality = 28 
@@ -70966,8 +70966,8 @@ private rule ESET_Potaodecoy_PRIVATE date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/potao/PotaoNew.yara#L32-L45" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/potao/PotaoNew.yara#L32-L45" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "93cbe1d1545d1fb85b3218b68619e67a1dda80d5888d2685a04915b861dfce01" score = 75 quality = 28 @@ -70994,8 +70994,8 @@ rule ESET_Dino date = "2015-07-14" modified = "2015-08-17" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/animalfarm/animalfarm.yar#L73-L96" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/animalfarm/animalfarm.yar#L73-L96" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "898e527eb8b05050135dee7cbe974100710a1a3a6a5cb8eb03563ee1c0aca01f" score = 75 quality = 80 
@@ -71027,8 +71027,8 @@ rule ESET_Cw_Windows_Redline_Panel_Tab_Headers : FILE date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/redline/redline.yar#L32-L55" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/redline/redline.yar#L32-L55" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" logic_hash = "3198aa9df2814a5f1d5568c6eed5f3189b2f72b3928cc97645f9bf57eebab9ac" score = 75 @@ -71059,8 +71059,8 @@ rule ESET_Cw_Windows_Redline_Panel_Distinctive_Strings : FILE date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/redline/redline.yar#L57-L77" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/redline/redline.yar#L57-L77" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" logic_hash = "7ff0239426c4c3b46a269fad71232295c038c09f276cdc3c7f1142c830260a6d" score = 75 
@@ -71087,8 +71087,8 @@ rule ESET_Cw_Windows_Redline_Panel_Prompts : FILE date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/redline/redline.yar#L79-L113" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/redline/redline.yar#L79-L113" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" logic_hash = "0dfab05a9383ba13b3c610f1ab0c81e95804470002f27171ab39706f7723983a" score = 75 @@ -71130,8 +71130,8 @@ rule ESET_Cw_Windows_Redline_Panel_Status_Message_Strings : FILE date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/redline/redline.yar#L115-L142" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/redline/redline.yar#L115-L142" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" logic_hash = "c60fabc81967b083be72ff564af744ab60441de5d563ea6d88d873c0a99bfbdd" score = 75 
@@ -71166,8 +71166,8 @@ rule ESET_Cw_Windows_Redline_Panel_Commands : FILE date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/redline/redline.yar#L144-L172" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/redline/redline.yar#L144-L172" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" logic_hash = "724516101264aa89259e847e4703d4eb993f330f82bd2df2433176b11d0c8974" score = 75 @@ -71203,8 +71203,8 @@ rule ESET_Potao date = "2015-07-29" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/potao/PotaoNew.yara#L96-L108" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/potao/PotaoNew.yara#L96-L108" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "c68addb14f7c22cec0c4d58bfffd373b2e3eb5c53a5b65532c84574e073fcbba" score = 75 quality = 80 
@@ -71226,8 +71226,8 @@ rule ESET_Mozi_Killswitch : FILE date = "2023-09-29" modified = "2023-10-31" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/mozi/mozi.yar#L32-L51" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/mozi/mozi.yar#L32-L51" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "90eaed2f7f5595b145b2678a46ef6179082192215369fa9235024b0ce1574a49" score = 75 quality = 80 @@ -71254,8 +71254,8 @@ rule ESET_Sparklinggoblin_Chacha20Loader_Richheader date = "2021-03-30" modified = "2021-08-26" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/sparklinggoblin/SparklingGoblin.yar#L33-L57" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/sparklinggoblin/SparklingGoblin.yar#L33-L57" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" hash = "09ffe37a54bc4ebebd8d56098e4c76232f35d821" hash = "29b147b76bb0d9e09f7297487cb972e6a2905586" hash = "33f2c3de2457b758fc5824a2b253ad7c7c2e9e37" 
@@ -71281,8 +71281,8 @@ rule ESET_Sparklinggoblin_Chacha20 : FILE
 date = "2021-05-20"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/sparklinggoblin/SparklingGoblin.yar#L59-L368"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/sparklinggoblin/SparklingGoblin.yar#L59-L368"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 hash = "2edbea43f5c40c867e5b6bbd93cc972525df598b"
 hash = "b6d245d3d49b06645c0578804064ce0c072cbe0f"
 hash = "8be6d5f040d0085c62b1459afc627707b0de89cf"
@@ -71592,8 +71592,8 @@ rule ESET_Sparklinggoblin_Etweventwrite
 date = "2021-05-20"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/sparklinggoblin/SparklingGoblin.yar#L370-L463"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/sparklinggoblin/SparklingGoblin.yar#L370-L463"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 hash = "2edbea43f5c40c867e5b6bbd93cc972525df598b"
 hash = "b6d245d3d49b06645c0578804064ce0c072cbe0f"
 hash = "8be6d5f040d0085c62b1459afc627707b0de89cf"
@@ -71688,8 +71688,8 @@ rule ESET_Sparklinggoblin_Mutex
 date = "2021-05-20"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/sparklinggoblin/SparklingGoblin.yar#L465-L489"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/sparklinggoblin/SparklingGoblin.yar#L465-L489"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 hash = "2edbea43f5c40c867e5b6bbd93cc972525df598b"
 hash = "b6d245d3d49b06645c0578804064ce0c072cbe0f"
 hash = "8be6d5f040d0085c62b1459afc627707b0de89cf"
@@ -71718,8 +71718,8 @@ rule ESET_Moose_1
 date = "2015-04-21"
 modified = "2016-11-01"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/moose/linux-moose.yar#L41-L76"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/moose/linux-moose.yar#L41-L76"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "8bedac80a1f754ce56294ba9786b62a002aacd074f756724401efc61def127e6"
 score = 75
 quality = 30
@@ -71763,8 +71763,8 @@ rule ESET_Moose_2
 date = "2016-10-02"
 modified = "2016-11-01"
 reference = "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/moose/linux-moose.yar#L78-L110"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/moose/linux-moose.yar#L78-L110"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "3f50d2d81d4c27e44d93804adcf93971017767ed0e020447cdb343931c2fbc43"
 score = 75
 quality = 80
@@ -71806,8 +71806,8 @@ rule ESET_Apt_Windows_TA410_Tendyron_Dropper
 date = "2020-12-09"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L34-L53"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L34-L53"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "45f7300a4b85624ad3fda5c73a24f53f53cb7990def4d84e04dcd8e5747f4f2e"
 score = 75
 quality = 80
@@ -71835,8 +71835,8 @@ rule ESET_Apt_Windows_TA410_Tendyron_Installer
 date = "2020-12-09"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L55-L73"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L55-L73"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "9c3afb924747614f27c31cf2c3d98f4932a9d11597a3ac94263bf93be02801da"
 score = 75
 quality = 80
@@ -71863,8 +71863,8 @@ rule ESET_Apt_Windows_TA410_Tendyron_Downloader
 date = "2020-12-09"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L75-L107"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L75-L107"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "16030a78ae9af8783f5913644294ceff861c8264ead8ca99435032be6d7949ef"
 score = 75
 quality = 80
@@ -71896,8 +71896,8 @@ rule ESET_Apt_Windows_TA410_X4_Strings
 date = "2020-10-09"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L109-L125"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L109-L125"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "d4b2321a6d0eb0ca8d7c47596af2a45c22b3aef15d1832d64d6588a62cab312a"
 score = 75
 quality = 74
@@ -71922,8 +71922,8 @@ rule ESET_Apt_Windows_TA410_X4_Hash_Values : FILE
 date = "2020-10-09"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L127-L149"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L127-L149"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "bcf3891ff888ca99af9aa0e239b29241ae819022607fb829c5731267add308ea"
 score = 75
 quality = 80
@@ -71953,8 +71953,8 @@ rule ESET_Apt_Windows_TA410_X4_Hash_Fct : FILE
 date = "2020-10-09"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L151-L187"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L151-L187"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "3b2d44cb7685a99e9aeb08f886f6876d43ee99d1e52e40705c3fa97ce3bfa9a0"
 score = 75
 quality = 80
@@ -71986,8 +71986,8 @@ rule ESET_Apt_Windows_TA410_Lookback_Decryption : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L189-L254"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L189-L254"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "016dca6be654fcd193acc481e6a998efbb77e7ebd09b26614422be1136dd02c0"
 score = 75
 quality = 80
@@ -72061,8 +72061,8 @@ rule ESET_Apt_Windows_TA410_Lookback_Loader : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L256-L309"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L256-L309"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "98390dd664227ad747e5572771d12e7ebd2475d26db27e85508347ac6f44f3bf"
 score = 75
 quality = 80
@@ -72125,8 +72125,8 @@ rule ESET_Apt_Windows_TA410_Lookback_Strings : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L311-L331"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L311-L331"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "d17ed604e3691c20fe489f95197b7b802ec951ed13d538fa6643449485b326b2"
 score = 75
 quality = 80
@@ -72154,8 +72154,8 @@ rule ESET_Apt_Windows_TA410_Lookback_HTTP : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L333-L349"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L333-L349"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "0e777f56136cd11d62abdf4f120410d5fe9cd522cfc06afbf085414a96279bf7"
 score = 75
 quality = 80
@@ -72179,8 +72179,8 @@ rule ESET_Apt_Windows_TA410_Lookback_Magic : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L351-L377"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L351-L377"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "442a08a77fd2db03e507c0d5a32b17ab4e5936a209f7af23ef3c33a4b9f3d0d5"
 score = 75
 quality = 80
@@ -72214,8 +72214,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Loader_Strings : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L379-L415"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L379-L415"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "3c90723e009ffe2603910566ac52a324256676ee3ff128d94427681010e10e8b"
 score = 75
 quality = 78
@@ -72256,11 +72256,11 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE
 description = "Matches the function used to decrypt resources headers in TA410 FlowCloud"
 author = "ESET Research"
 id = "403c1845-bc25-5a49-8553-8a0be18d6970"
- date = "2026-01-17"
+ date = "2026-01-24"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L417-L496"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L417-L496"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "74b6c42bf2de159b2b0a15637e6bd94069367e3000c887714d6e3b50aa3646be"
 score = 75
 quality = 80
@@ -72314,8 +72314,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Dll_Hijacking_Strings : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L498-L517"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L498-L517"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "e8082d4216364a12ba395f772b5caed94b3068d26a2b3a97ef711d61a82f65b3"
 score = 75
 quality = 80
@@ -72343,8 +72343,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Malicious_Dll_Antianalysis : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L519-L552"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L519-L552"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "8f14352118d32a43c17f70bd753acc48bd314965f10ab97818e8a434bbda96d9"
 score = 75
 quality = 80
@@ -72377,8 +72377,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Pdb : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L554-L567"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L554-L567"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "ff95ab0f8e68efe612a6e0d70cebd8bf815d6b5e3877c098ac0761382dc310d6"
 score = 75
 quality = 80
@@ -72398,8 +72398,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Shellcode_Decryption : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L569-L615"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L569-L615"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "939ffe6a41c957aa5d6c012484b2deab49a5e71a4b7e203a41c180f872803921"
 score = 75
 quality = 80
@@ -72437,8 +72437,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Fcclient_Strings : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L617-L639"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L617-L639"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "c05b7031a5aec1bcf29eca06c010c402edeb24a093a2043dbc21781dff22c7fe"
 score = 75
 quality = 80
@@ -72468,8 +72468,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Fcclientdll_Strings : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L641-L669"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L641-L669"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "3a93f58cf14b57a96157077ec14aa6fb181e3da80f4ba46c0379a58b67c08a0e"
 score = 75
 quality = 80
@@ -72505,8 +72505,8 @@ rule ESET_Apt_Windows_TA410_Rootkit_Strings : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L671-L697"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L671-L697"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "1d3ad63508c5e4bca32b9a44b738cb4a7384ccfa5704ce329260adb342ea4e60"
 score = 75
 quality = 80
@@ -72541,8 +72541,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V5_Resources : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L699-L720"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L699-L720"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "58f75dda53c6d4b3d88f464c452d855ac6dc88add5f4fba2641f52e7a1ae00ed"
 score = 75
 quality = 80
@@ -72563,8 +72563,8 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V4_Resources : FILE
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/ta410/ta410.yar#L722-L741"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/ta410/ta410.yar#L722-L741"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "7b475cfddb5f995f7e8e3293b8e6ae59a9e36143998bc444499b5dce467f8e9d"
 score = 75
 quality = 80
@@ -72584,8 +72584,8 @@ rule ESET_Prikormka
 date = "2016-05-10"
 modified = "2019-08-28"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/groundbait/prikormka.yar#L130-L141"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/groundbait/prikormka.yar#L130-L141"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "f64195e680fbaefedba248aa15b37ed30ba72f42958cc48963a140165e951bff"
 score = 75
 quality = 80
@@ -72608,8 +72608,8 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023
 date = "2023-03-31"
 modified = "2023-04-19"
 reference = "https://github.com/eset/malware-ioc"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/nukesped_lazarus/rich_headers_IconicPayloads_3CX.yar#L6-L23"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/nukesped_lazarus/rich_headers_IconicPayloads_3CX.yar#L6-L23"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 hash = "3b88cda62cdd918b62ef5aa8c5a73a46f176d18b"
 hash = "cad1120d91b812acafef7175f949dd1b09c6c21a"
 hash = "5b03294b72c0caa5fb20e7817002c600645eb475"
@@ -72631,8 +72631,8 @@ rule ESET_Onimiki : LINUX_ONIMIKI
 date = "2014-02-06"
 modified = "2014-04-04"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/windigo/windigo-onimiki.yar#L32-L59"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/windigo/windigo-onimiki.yar#L32-L59"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "eac30f5c9a9606d1d0e14c55e0532c54976fbb0d2e4f5cd2d9f719b77e07161a"
 score = 75
 quality = 80
@@ -72666,8 +72666,8 @@ rule ESET_Libkeyutils_With_Ctor
 date = "2024-02-01"
 modified = "2024-04-29"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/windigo/ebury.yar#L3-L54"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/windigo/ebury.yar#L3-L54"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 hash = "e7debd6e453192ad8376db5bab03ed0d87566591"
 logic_hash = "c6172aebc67a05fb044b0450aafcc71c7d1fd2831985587d1a9ad53f59e14214"
 score = 40
@@ -72691,8 +72691,8 @@ rule ESET_Ebury_V1_7_Crypto
 date = "2023-08-01"
 modified = "2024-04-29"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/windigo/ebury.yar#L56-L97"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/windigo/ebury.yar#L56-L97"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 hash = "e7debd6e453192ad8376db5bab03ed0d87566591"
 logic_hash = "41908951069a472d7528f2f228f3681f008d16a0436e341d339909efc4933e66"
 score = 75
@@ -72737,8 +72737,8 @@ rule ESET_Apt_Windows_Invisimole_Logs : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L54-L77"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L54-L77"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "d42423ccc768f1823c76d5cb2aec26434c796fc35bd4e2fbf435fcf7997d3ff0"
 score = 75
 quality = 80
@@ -72758,8 +72758,8 @@ rule ESET_Apt_Windows_Invisimole_SFX_Dropper : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L79-L95"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L79-L95"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "6ca248d42c1e889988e5931d80df071cb20e623fb0c4a208044cabe073f71ce4"
 score = 75
 quality = 80
@@ -72782,8 +72782,8 @@ rule ESET_Apt_Windows_Invisimole_CPL_Loader : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L97-L118"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L97-L118"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "cd5c19e14faa7fd3758b30193ccf2bed3692ad29d8216466523ca25d2abcfe88"
 score = 75
 quality = 80
@@ -72813,8 +72813,8 @@ rule ESET_Apt_Windows_Invisimole_Wrapper_DLL
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L120-L138"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L120-L138"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "156bc5bc7b0ed5c77a5a15e7799a3077d40150896476a60935cf21a9afe36856"
 score = 75
 quality = 80
@@ -72834,8 +72834,8 @@ rule ESET_Apt_Windows_Invisimole_DNS_Downloader : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L140-L170"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L140-L170"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "88d6ed7ec1331153d19afc18473a4be2b214ad8af29fcf7051a2a8e40e088231"
 score = 75
 quality = 80
@@ -72871,8 +72871,8 @@ rule ESET_Apt_Windows_Invisimole_RC2CL_Backdoor : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L172-L213"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L172-L213"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "c38550023515d33eaaf0669cc8b874bcfd09653a07c7edbf72e3344d1cf31541"
 score = 75
 quality = 78
@@ -72916,8 +72916,8 @@ rule ESET_Apt_Windows_Invisimole : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L215-L255"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L215-L255"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "7a2cff9febe77d718089ba4e1a33f3487594588892e418cec685bf22b156fa2b"
 score = 75
 quality = 80
@@ -72948,8 +72948,8 @@ rule ESET_Apt_Windows_Invisimole_C2 : FILE
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/invisimole/invisimole.yar#L257-L297"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/invisimole/invisimole.yar#L257-L297"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "aff8456ce7a9ebe875c02e51c09b77ee7b1fddfc11d4ad236e12c8c5240a01a8"
 score = 75
 quality = 78
@@ -72996,8 +72996,8 @@ rule ESET_Mumblehard_Packer
 date = "2015-04-07"
 modified = "2015-05-01"
 reference = "http://www.welivesecurity.com"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/mumblehard/mumblehard_packer.yar#L32-L47"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/mumblehard/mumblehard_packer.yar#L32-L47"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "a04f50a7054c4ce8ad9be4e7f3373ad4f36eb9443e223601974e852c25603f5f"
 score = 75
 quality = 80
@@ -73021,8 +73021,8 @@ rule ESET_Keydnap_Downloader
 date = "2016-07-06"
 modified = "2016-07-06"
 reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/keydnap/keydnap.yar#L33-L49"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/keydnap/keydnap.yar#L33-L49"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "71c8885193a92fa9c71055c37e629a54d50070cf6820b9216a824ecc4db2ce3c"
 score = 75
 quality = 80
@@ -73046,8 +73046,8 @@ rule ESET_Keydnap_Backdoor_Packer
 date = "2016-07-06"
 modified = "2016-07-06"
 reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/keydnap/keydnap.yar#L51-L67"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/keydnap/keydnap.yar#L51-L67"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "b1740bf38376be81d3b42306c2ce81f578c0b5c9db804f063836bf98f57ed147"
 score = 75
 quality = 80
@@ -73071,8 +73071,8 @@ rule ESET_Keydnap_Backdoor
 date = "2016-07-06"
 modified = "2016-07-06"
 reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
- source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/keydnap/keydnap.yar#L69-L86"
- license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE"
+ source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/keydnap/keydnap.yar#L69-L86"
+ license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE"
 logic_hash = "fa209577a562ef9088d3ad3df3fbc0edda96f09d19177842f0ddea42c658f530"
 score = 75
 quality = 80
@@ -73098,8 +73098,8 @@ rule ESET_IIS_Group02 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L134-L155" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L134-L155" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "3fa2b8fed3c580f446b55412a920a5cfed2317b06aa93d059e9f89fdbec8f683" score = 75 quality = 76 @@ -73127,8 +73127,8 @@ rule ESET_IIS_Group03 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L157-L176" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L157-L176" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "d811c2ac610780bf968e86e8fd302cffc9434902e547399d06fdeb30d1719f51" score = 75 quality = 80 
@@ -73154,8 +73154,8 @@ rule ESET_IIS_Group04_Rgdoor date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L178-L199" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L178-L199" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "be615dc0cc8bf0fd52cc5a88a3759c1cb1cd18703de74d16f5cce3eabccf91c6" score = 75 quality = 80 @@ -73182,8 +73182,8 @@ rule ESET_IIS_Group05_Iistealer date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L201-L232" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L201-L232" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "5dff445121fda59df805d6fcb5db3f8f8e52a6e63e2da2a6875f8c9ad9cafc72" score = 75 quality = 80 
@@ -73217,8 +73217,8 @@ rule ESET_IIS_Group06_ISN date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L234-L259" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L234-L259" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "2f59034a642a9b92fc88922433cd5923be02332159cba5e16d99d9523ed43205" score = 75 quality = 80 @@ -73249,8 +73249,8 @@ rule ESET_IIS_Group07_Iispy date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L261-L296" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L261-L296" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "ec5db5f36d06f9b0bdfe598fc72431da35afc1473dcc29f437a0f48ea9835a03" score = 75 quality = 80 
@@ -73287,8 +73287,8 @@ rule ESET_IIS_Group08 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L298-L337" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L298-L337" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "d5826d454d25ecbbb5da464da974023a247517d873cf10dc0eafa91e185451da" score = 75 quality = 53 @@ -73333,8 +73333,8 @@ rule ESET_IIS_Group09 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L339-L387" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L339-L387" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "5f89f9488221b8db8d493b3c23b7f5edd957c15511148eca890558886c128192" score = 75 quality = 76 
@@ -73387,8 +73387,8 @@ rule ESET_IIS_Group10 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L389-L423" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L389-L423" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "48701168d7da726222227ef757f1a4005a49c0bf300123319ce03db09445b3ef" score = 75 quality = 80 @@ -73428,8 +73428,8 @@ rule ESET_IIS_Group11 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L425-L455" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L425-L455" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "a67b6b49b5fc2c7f260c06201c59478f5472de63091c510af82d526c410abb0c" score = 75 quality = 80 
@@ -73458,8 +73458,8 @@ rule ESET_IIS_Group12 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L457-L495" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L457-L495" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "8da03328e3702aff8ea5de77fc220f326030c31972d27c0bd9b5918dca550aba" score = 75 quality = 78 @@ -73502,8 +73502,8 @@ rule ESET_IIS_Group13_Iiserpent date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L497-L523" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L497-L523" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "7077b842c53ee1581ad4150cdfaac3502bfc0fbd3b823190ad648e09f36e442d" score = 75 quality = 80 
@@ -73536,8 +73536,8 @@ rule ESET_IIS_Group14 date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/badiis/badiis.yar#L525-L552" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/badiis/badiis.yar#L525-L552" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "ef10a4dfb1a9164533677416a7c9ada715ce10bfc1e5f92b56cf54bd890d4575" score = 75 quality = 80 @@ -73569,8 +73569,8 @@ rule ESET_Kobalos date = "2020-11-02" modified = "2021-02-01" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/kobalos/kobalos.yar#L32-L56" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/kobalos/kobalos.yar#L32-L56" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "9161d22f9fbb1700dc3121e32104240e34512cb280aaf950aec61513f89061ef" score = 75 quality = 80 
@@ -73601,8 +73601,8 @@ rule ESET_Kobalos_Ssh_Credential_Stealer date = "2020-11-02" modified = "2021-02-01" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/kobalos/kobalos.yar#L58-L73" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/kobalos/kobalos.yar#L58-L73" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "be238f5c2cc976a5638584a8c0fc580f2076735aadfe374e8d4162ba723bce10" score = 75 quality = 80 @@ -73625,8 +73625,8 @@ rule ESET_Linux_Rakos date = "2016-12-13" modified = "2016-12-19" reference = "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/rakos/rakos.yar#L33-L53" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/rakos/rakos.yar#L33-L53" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "79a02ada56bf75c5f178b58822eb905977cace3483453ea8cf4dfc32f6b6c30d" score = 75 quality = 80 
@@ -73654,8 +73654,8 @@ rule ESET_Beds_Plugin date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L34-L51" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L34-L51" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "024cb91288f133e4cdf5993ac0477de6de76d38fa06f7affa348c6a28a4600da" score = 75 quality = 80 @@ -73678,8 +73678,8 @@ rule ESET_Beds_Dropper date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L53-L67" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L53-L67" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "4b5d121e182e3fddd766a7a1227c5de273995e9336156e7a6e8a17faad681bea" score = 75 quality = 80 
@@ -73701,8 +73701,8 @@ rule ESET_Facebook_Bot : FILE date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L69-L100" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L69-L100" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "8ea779f90fa6080398403e3e6f9d342360c35e93c756ed43cb699f090106504e" score = 75 quality = 55 @@ -73741,8 +73741,8 @@ rule ESET_Pds_Plugins : FILE date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L102-L130" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L102-L130" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "26bbd380b72fb45206178639d67c8737b9984b140ba1048432949e159946c847" score = 75 quality = 80 
@@ -73779,8 +73779,8 @@ rule ESET_Stantinko_Pdb date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L132-L148" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L132-L148" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "902c0ee086ce1a8def831d2f30c868165198c6c304faac3a93116a524f8e2fbf" score = 75 quality = 80 @@ -73805,8 +73805,8 @@ rule ESET_Stantinko_Droppers : FILE date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L150-L170" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L150-L170" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "c56fc85834a3e1bb1c14da37fb509c7de3009bf81d52800fe0093dc489f6deaa" score = 75 quality = 80 
@@ -73833,8 +73833,8 @@ rule ESET_Stantinko_D3D date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L172-L187" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L172-L187" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "4e8da3f11df15e4aa469db62961ae390c4c4df2a5335eec0bdab19b14cc8343d" score = 75 quality = 80 @@ -73856,8 +73856,8 @@ rule ESET_Stantinko_Ihctrl32 date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L189-L209" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L189-L209" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "1829e08fb2289f738d0e75ad9977169e9a94379da764b1766f23fa47e8bc2543" score = 75 quality = 80 
@@ -73886,8 +73886,8 @@ rule ESET_Stantinko_Wsaudio date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L211-L233" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L211-L233" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "45d92f1475f316ba50a9a4a3dd519d1186ed16c68bd2debe326736a1e3154562" score = 75 quality = 80 @@ -73915,8 +73915,8 @@ rule ESET_Stantinko_Ghstore date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/stantinko/stantinko.yar#L235-L255" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/stantinko/stantinko.yar#L235-L255" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "e5628d6ffb2d3684264b3a88c4d7b5d2ce8983aa22badf5839ccb8ba2e3ef2d4" score = 75 quality = 80 
@@ -73946,8 +73946,8 @@ rule ESET_Gazer_Certificate_Subject date = "2017-08-30" modified = "2017-08-29" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/gazer.yar#L33-L46" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/gazer.yar#L33-L46" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "6e870c9cdcee33769162de62ea143ff401af50b22a63d2f212c44d06f5771dec" score = 75 quality = 80 @@ -73967,8 +73967,8 @@ rule ESET_Gazer_Certificate : FILE date = "2017-08-30" modified = "2017-08-29" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/gazer.yar#L48-L65" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/gazer.yar#L48-L65" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "eb3afbaefd23d4fc6ded494d3378dc910a0832b160e733ab79c590128dd74cea" score = 75 quality = 80 
@@ -73992,8 +73992,8 @@ rule ESET_Gazer_Logfile_Name : FILE date = "2017-08-30" modified = "2017-08-29" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/gazer.yar#L67-L85" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/gazer.yar#L67-L85" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "b50553f4b4b07f124e5bd390e7dc8ac6b60a8ef185f3bc227894f957d6483478" score = 75 quality = 80 @@ -74018,8 +74018,8 @@ rule ESET_Turla_Outlook_Gen date = "2018-05-09" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/turla-outlook.yar#L42-L74" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/turla-outlook.yar#L42-L74" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "f709e517e9d957775601670c426cc9def1c4104cb1ff647d269800d2af4372c7" score = 75 quality = 78 
@@ -74061,8 +74061,8 @@ rule ESET_Turla_Outlook_Filenames date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/turla-outlook.yar#L76-L91" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/turla-outlook.yar#L76-L91" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "3be86c9325de6634c032321beed131fdf1e1952afcb43258fb202d0097610501" score = 75 quality = 80 @@ -74087,8 +74087,8 @@ rule ESET_Turla_Outlook_Log date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/turla-outlook.yar#L93-L107" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/turla-outlook.yar#L93-L107" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "e7dc00c33a643c0940aaea2096d099192b27df3c81c518f1dc2b3d45a0a74312" score = 75 quality = 80 
@@ -74112,8 +74112,8 @@ rule ESET_Turla_Outlook_Exports date = "2018-08-22" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/turla-outlook.yar#L109-L125" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/turla-outlook.yar#L109-L125" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "a961fdb43ea1e99b308f55b8f5e264b1f3fa817eaf463d512e2ad8b98a18ee99" score = 75 quality = 80 @@ -74133,8 +74133,8 @@ rule ESET_Generic_Carbon : FILE date = "2017-03-30" modified = "2017-03-30" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/carbon.yar#L33-L51" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/carbon.yar#L33-L51" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "6481ccafb7c7c78bc52d01881cb96f3aa6209fdd35e090bdc9d5f5105b4e38ea" score = 75 quality = 80 
@@ -74160,8 +74160,8 @@ rule ESET_Carbon_Metadata date = "2017-03-30" modified = "2017-03-30" reference = "https://github.com/eset/malware-ioc/" - source_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/turla/carbon.yar#L53-L69" - license_url = "https://github.com/eset/malware-ioc/blob/07a2f4a99c45eac23f688fde6bc801e93cddba7f/LICENSE" + source_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/turla/carbon.yar#L53-L69" + license_url = "https://github.com/eset/malware-ioc/blob/2917baf0200204ac41a010e9f4cf0e25c97e76a5/LICENSE" logic_hash = "81b59e9566f3b3356acf12dadb80abdcbee28e0b1a9efead66fcb95bf6fc1aa5" score = 75 quality = 80 @@ -74176,7 +74176,7 @@ rule ESET_Carbon_Metadata * YARA Rule Set * Repository Name: FireEye-RT * Repository: https://github.com/mandiant/red_team_tool_countermeasures/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b * Number of Rules: 166 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) @@ -74392,7 +74392,7 @@ rule FIREEYE_RT_Hacktool_MSIL_Puppyhound_1 : FILE hash = "eeedc09570324767a3de8205f66a5295" logic_hash = "39073bbfef15ecd28c1772e5d01e54c3d5774ecb4c90f0076bda5dc400abacba" score = 75 - quality = 75 + quality = 50 tags = "FILE" rev = 6 @@ -74515,7 +74515,7 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_3 : FILE license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" logic_hash = "41cc6a4c7765b1e5e88d12660b69e434c83938ca974b9ccf6545b4dd5dd78378" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -75652,7 +75652,7 @@ rule FIREEYE_RT_APT_Loader_Win_PGF_1 : FILE hash = "013c7708f1343d684e3571453261b586" logic_hash = "9dede268d33a38e980026917bd01bc47a72bfe60ba4a999c91eb727a2f377462" score = 75 - quality = 73 + quality = 48 tags = "FILE" rev = 6 
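Review bot: `quality` for FIREEYE_RT_Hacktool_MSIL_Puppyhound_1 goes from 75 to 50 while the FireEye-RT set header in this diff keeps `Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b` and the rule's `logic_hash` is unchanged context, so the score moved without a visible change to the rule. The same 25-point shift appears in the hunks for DUEDLLIGENCE_3, APT_Loader_Win_PGF_1 (73 to 48), LUALOADER_1, REVOLVER_1 and Impacketobfuscation_1, and in the opposite direction for APT_Builder_PY_MATRYOSHKA_1 (50 to 75). This looks like a re-scoring on the generator side rather than an upstream edit, which is worth confirming before merge, because any consumer that filters this bundle on `quality` would gain or lose these rules without notice. The file is generated, so the fix belongs in the commit description, for example `FireEye-RT: 7 rules re-scored by generator, upstream commit unchanged`, not in a hand edit of these lines.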
@@ -76555,7 +76555,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_LUALOADER_1 : FILE license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" logic_hash = "2d73d434ac39ebde990aca817a54208cd04bfbce33f1bcadcf48a50d9389658c" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -77613,7 +77613,7 @@ rule FIREEYE_RT_FE_APT_Loader_MSIL_REVOLVER_1 : FILE license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" logic_hash = "1231f4c961dec122ebcb142052c2c7c03acf9b556cdb71a3efabde6bcf50a939" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -78114,7 +78114,7 @@ rule FIREEYE_RT_APT_Builder_PY_MATRYOSHKA_1 hash = "25a97f6dba87ef9906a62c1a305ee1dd" logic_hash = "71b26f4b319429ac356b55d22bccd1da85894d61f8c96452422de78d2d893420" score = 75 - quality = 50 + quality = 75 tags = "" rev = 1 @@ -78825,7 +78825,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_1 hash = "0b1e512afe24c31531d6db6b47bac8ee" logic_hash = "45a4c0426b29b8c8bede9c4e8292131da7e756d48fc3ac4a07d08fd52383d21e" score = 75 - quality = 75 + quality = 50 tags = "" rev = 1 @@ -78844,7 +78844,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_1 * YARA Rule Set * Repository Name: GCTI * Repository: https://github.com/chronicle/GCTI - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 1c5fd42b1895098527fde00c2d9757edf6b303bb * Number of Rules: 90 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -82061,9 +82061,9 @@ rule GCTI_Sliver_Implant_64Bit * YARA Rule Set * Repository Name: Malpedia * Repository: https://github.com/malpedia/signator-rules/ - * Retrieval Date: 2026-05-17 - * Git Commit: 173f2e2012643b57ff6521a58ba6dd57331de3c6 - * Number of Rules: 1603 + * Retrieval Date: 2026-05-24 + * Git Commit: c901f97b7df03e41917da74c2a84b04c227316c2 + * Number of Rules: 1629 * Skipped: 0 (age), 17 (quality), 0 (score), 0 (importance) * * 
@@ -82076,35 +82076,35 @@ rule MALPEDIA_Win_Kegotip_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "70477c51-c689-59a8-8176-7550acce9ee4" - date = "2026-01-05" - modified = "2026-01-06" + id = "a3a248cc-b997-575f-ad2e-565db9605781" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kegotip_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kegotip_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "da81d78c4e1182921c0ea815e9750dcd5bacf467108d0f772088273b021761e1" + logic_hash = "eae1cffe4e8dfa27f32726651b27b3a820b1c9cf25bb1c87b8c1c6317b5ebea2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb04 33c0 eb6d e9???????? eb63 } - $sequence_1 = { 85c9 740b 8b5508 0355f8 8955fc eb02 ebbb } - $sequence_2 = { 8b450c 50 8d8df8feffff 51 e8???????? 83c408 c785a8fcffff80000000 } - $sequence_3 = { 0f840c010000 6a00 6a00 6a03 6a00 6a00 6a50 } - $sequence_4 = { 0fb64df7 85c9 7504 32c0 eb38 c645f700 } - $sequence_5 = { 3b5588 7d1e 8b4508 038578ffffff 0fbe4801 } - $sequence_6 = { ff5510 83c408 0fb6c8 85c9 7504 32c0 eb07 } - $sequence_7 = { 6a00 6800000080 8d95d8feffff 52 ff15???????? 8945e4 837de4ff } - $sequence_8 = { 32c0 e9???????? 68???????? e8???????? 83c404 68???????? 
} + $sequence_0 = { 6800800000 6a00 ff15???????? a3???????? 833d????????00 752d 8b0d???????? } + $sequence_1 = { 50 64892500000000 81c4e4feffff 53 } + $sequence_2 = { 83c408 8d95f8feffff 52 8b4508 50 ff15???????? } + $sequence_3 = { c78570ffffff01000000 8b9570ffffff 895580 8b4580 6bc014 } + $sequence_4 = { 7408 8b450c 3b4514 7604 } + $sequence_5 = { 8b4d08 034d8c 0fb611 52 e8???????? 83c404 0fb6c0 } + $sequence_6 = { c785f8fdffffff000000 eb09 8b4510 8985f8fdffff 8b8df8fdffff 894d10 } + $sequence_7 = { 8dbd4cfbffff f3a5 a4 a1???????? 898540fbffff b915000000 } + $sequence_8 = { 56 8b4508 0fb608 894df8 8b55f8 c1e208 } $sequence_9 = { 3b4dfc 7324 8b5510 0355e4 8b45f4 0345f8 } condition: @@ -82116,10 +82116,10 @@ rule MALPEDIA_Win_Zumanek_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "87aee693-fd24-5045-ad68-bbf967fca577" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zumanek_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zumanek_auto.yar#L1-L127" license_url = "N/A" logic_hash = "692948458546aa7f1172f720f7a047815fbd39df276c694923c84a71f1135e40" score = 75 @@ -82128,9 +82128,9 @@ rule MALPEDIA_Win_Zumanek_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
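Review bot: MALPEDIA_Win_Kegotip_Auto keeps its name and `version = "1"` while its `id`, its `logic_hash` and nine of its ten `$sequence_*` patterns are replaced, so neither the name nor the version shows that the detection logic is new. MALPEDIA_Win_Mqsttang_Auto in the later hunk has the same shape with all ten sequences replaced, whereas MALPEDIA_Win_Zumanek_Auto keeps both `id` and `logic_hash`. Suppressions, allowlists or alert history keyed on the rule `id` would presumably stop matching for the first two, and match coverage for both families should be re-checked against whatever regression corpus the project uses before the bundle is deployed. I would list the rules whose `logic_hash` changed in the commit description, e.g. `Malpedia: logic changed in win.kegotip, win.mqsttang`, so the refresh can be reviewed without reading the whole bundle.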
@@ -82154,36 +82154,36 @@ rule MALPEDIA_Win_Mqsttang_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0fcd67af-429a-5d69-a3b0-3220fad637de" - date = "2026-01-05" - modified = "2026-01-06" + id = "31e470ea-5daf-55d5-9ab9-daffe03ba419" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mqsttang" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mqsttang_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mqsttang_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "11a5ef4fb125e32dd68c79670f73b1f4916ce31a149e2ff34e91c4e49e4be013" + logic_hash = "d63f74e1b4cf54690499c28bf36f092d5dc58ca7c560cdfd72180b19011ef687" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ebd4 ebf3 8d4dcc 89c3 e8???????? ebc6 ebe5 } - $sequence_1 = { f20f105dd8 f20f1065e0 f20f115db8 f20f1165b0 0f87a9000000 890c24 89d9 } - $sequence_2 = { ebec 8b95e4baffff 29ca 83fa02 0f8e87f7ffff 668b4004 6683f83d } - $sequence_3 = { eb0f f6c220 7413 8365081f 837d0801 7420 43 } - $sequence_4 = { ff15???????? 
891c24 89442404 89c6 c745d402000000 c745d800000000 c745dc00000000 } - $sequence_5 = { eb16 8b5604 83c301 8b4208 8b4a0c 29c1 39d9 } - $sequence_6 = { f0832a01 742b 8b542420 8b0a 85c9 7451 83f9ff } - $sequence_7 = { f0832801 0f84231b0000 8b4588 8b4010 8b10 85d2 0f84f01a0000 } - $sequence_8 = { c7042400000000 b903000000 ba21000000 89d8 e8???????? 85c0 0f84db000000 } - $sequence_9 = { e8???????? 8985bcfeffff e9???????? 8b4508 8b95fcfeffff 8b4874 8b85f8feffff } + $sequence_0 = { e9???????? c744240804000000 c744240402000000 890424 e8???????? e9???????? 8d4590 } + $sequence_1 = { f0832801 740f 89f1 e8???????? 83c424 89d8 5b } + $sequence_2 = { e8???????? 8b560c 8b4208 8b4a0c 29c1 85c9 7e22 } + $sequence_3 = { e8???????? 89f9 e8???????? 891c24 e8???????? 89c3 ebed } + $sequence_4 = { f0830201 8b500c 8b4010 89530c 894310 f0830301 8b06 } + $sequence_5 = { e9???????? 8b85e0fdffff 8d9dacfdffff 891c24 89442404 e8???????? 8b85acfdffff } + $sequence_6 = { f20f111424 dd0424 0f840d020000 ddd8 f20f1005???????? 660f2ec4 0f8701040000 } + $sequence_7 = { f0832801 0f8444010000 8b4604 8b10 85d2 0f845f010000 83faff } + $sequence_8 = { f0832801 8b44241c 7478 8b0b 80791400 7411 c7042420000000 } + $sequence_9 = { f7d7 89b424a0000000 89fe 21c6 f7d0 21d0 89f7 } condition: 7 of them and filesize < 12651520 
@@ -82193,36 +82193,36 @@ rule MALPEDIA_Win_Soundbite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "55542a6a-ff29-54af-9f72-2267cf185584" - date = "2026-01-05" - modified = "2026-01-06" + id = "a06db4e7-8884-520e-ad2e-cc77e77a0d67" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.soundbite_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.soundbite_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "6e24536cd693eee2b46e8cd501f367ecabfbf15578ea8b1ce9e2cbd21490b0c3" + logic_hash = "a93a056689924e344640244b552c96a50f986e207fcb45b2c607d12ca01b9509" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8dbd64fdffff 898590fdffff 889db7fdffff 899d64fdffff 899d68fdffff 899d6cfdffff } - $sequence_1 = { 51 8dbd64fdffff e8???????? c645fc02 8b13 8bb564fdffff 52 } - $sequence_2 = { 8d7c5702 4b ebea 3bf8 0f83b2000000 0fb707 } - $sequence_3 = { 0f849a010000 e8???????? 85c0 0f848d010000 8d85d8fcffff } - $sequence_4 = { c645fc04 8bbdf8fcffff 3bcb 0f83c9000000 8bd6 3bfa 0f87bf000000 } - $sequence_5 = { 898d54fdffff 898d58fdffff 8d8db7fdffff 40 51 8dbd50fdffff c685b7fdffff00 } - $sequence_6 = { 395de4 741d 8bc7 c1f805 83e71f c1e706 8b048500cf4200 } - $sequence_7 = { ff15???????? 
8bf0 8d85a0fdffff e8???????? e9???????? 8bb5a8fdffff 8d85a0fdffff } - $sequence_8 = { 33049df02e4200 81e2ff000000 330495f03a4200 4f 0f85fcfdffff 83fe04 7250 } - $sequence_9 = { 85f6 0f85b3020000 50 e8???????? 83c404 8db578fdffff e8???????? } + $sequence_1 = { 8970f4 8b03 33c9 66890c70 eb21 8d45a0 } + $sequence_2 = { 330495f03a4200 4f 0f85fcfdffff 83fe04 7250 8bd6 c1ea02 } + $sequence_3 = { 8bec 57 8bf8 3b7d08 7458 53 56 } + $sequence_4 = { c785a8fdffff0d000000 8bb5a8fdffff 8b85b0fdffff 33db 3bc3 7608 50 } + $sequence_5 = { c78500ffffffd3e5f4c6 c78504ffffffe9ece5d0 c78508ffffffefe9eef4 66c7850cffffffe5f2 889d0effffff } + $sequence_6 = { 8945f0 8bc4 8938 897804 897808 89780c 8b5518 } + $sequence_7 = { 8b4c2430 8b742414 8bc3 2bc1 03c6 740c 50 } + $sequence_8 = { c745fc02000000 837de810 8b45d4 7303 8d45d4 50 68???????? } + $sequence_9 = { e8???????? 83c40c 8b85acfdffff 3bc3 7413 6800800000 } condition: 7 of them and filesize < 409600 
@@ -82232,59 +82232,53 @@ rule MALPEDIA_Win_Plugx_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "087f4536-9e07-5d7f-a0d5-0a134931bcd8" - date = "2026-01-05" - modified = "2026-01-06" + id = "ca342e84-019e-549b-8251-0df01eb8ca92" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.plugx_auto.yar#L1-L286" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.plugx_auto.yar#L1-L240" license_url = "N/A" - logic_hash = "341c1f01e0832398e975d439fb075776745e2dea735d9688a1d350eef060bf14" + logic_hash = "63b0360a3b5c86169b64a94cf74635165b32fcd027b6ceab627a8a904b59c676" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 8bec 51 0fb74612 } - $sequence_1 = { 55 8bec 8b450c 81780402700000 } - $sequence_2 = { 53 6a00 6a00 6a02 ffd0 85c0 } - $sequence_3 = { 51 56 57 6a1c 8bf8 e8???????? 8bf0 } - $sequence_4 = { 56 8b750c 8b4604 050070ffff } - $sequence_5 = { 41 3bca 7ce0 3bca } - $sequence_6 = { 0145f4 8b45fc 0fafc3 33d2 } - $sequence_7 = { e8???????? 85c0 7508 e8???????? 8945fc } + $sequence_0 = { 55 8bec 8b450c 81780400710000 } + $sequence_1 = { 51 53 6a00 6a00 6a02 ffd0 85c0 } + $sequence_2 = { 55 8bec 51 0fb74612 } + $sequence_3 = { 55 8bec a1???????? 
83ec5c 53 } + $sequence_4 = { 0145f4 8b45fc 0fafc3 33d2 } + $sequence_5 = { 51 56 57 6a1c 8bf8 e8???????? } + $sequence_6 = { 33d2 f7f3 33d2 8945fc } + $sequence_7 = { 41 3bca 7ce0 3bca } $sequence_8 = { e8???????? 3de5030000 7407 e8???????? } - $sequence_9 = { 85c0 7413 e8???????? 3de5030000 } - $sequence_10 = { e8???????? 85c0 7407 b84f050000 } + $sequence_9 = { e8???????? 85c0 7508 e8???????? 8945fc } + $sequence_10 = { 85c0 7413 e8???????? 3de5030000 } $sequence_11 = { 50 ff15???????? a3???????? 8b4d18 } - $sequence_12 = { e8???????? 85c0 750a e8???????? 8945fc } - $sequence_13 = { 85c0 750d e8???????? 8945f4 } - $sequence_14 = { 6a00 6a00 6a04 6a00 6a01 6800000040 57 } - $sequence_15 = { 57 e8???????? eb0c e8???????? } - $sequence_16 = { 51 6a00 6800100000 6800100000 68ff000000 6a00 6803000040 } - $sequence_17 = { 6819000200 6a00 6a00 6a00 51 } - $sequence_18 = { 50 ff75e8 6802000080 e8???????? } - $sequence_19 = { ffd7 a3???????? 56 ffd0 } - $sequence_20 = { 6a01 6a00 e8???????? a3???????? 6800080000 68???????? } - $sequence_21 = { 51 6a02 e8???????? 6800f00000 } - $sequence_22 = { 89442424 8b442424 6808020000 6a00 } - $sequence_23 = { 6800080000 68???????? e8???????? 6800080000 68???????? e8???????? } - $sequence_24 = { 6808020000 6a00 ff74242c e8???????? } - $sequence_25 = { 5d c21000 55 53 57 56 83ec18 } - $sequence_26 = { 89742434 89f1 8b442434 e8???????? } - $sequence_27 = { 50 56 ffb42480000000 ff15???????? } - $sequence_28 = { 50 6802000080 53 e8???????? } - $sequence_29 = { 6a5c ff74241c e8???????? 83c408 } - $sequence_30 = { 56 ff742478 ffd0 89442420 } - $sequence_31 = { 6a00 ff74245c e8???????? 83c40c } - $sequence_32 = { 40 eb95 89f1 c644242a00 } + $sequence_12 = { e8???????? 85c0 7407 b84f050000 } + $sequence_13 = { e8???????? 85c0 750a e8???????? 8945fc } + $sequence_14 = { 85c0 750d e8???????? 8945f4 } + $sequence_15 = { 51 6a00 6800100000 6800100000 68ff000000 6a00 6803000040 } + $sequence_16 = { 50 ff75e8 6802000080 e8???????? 
} + $sequence_17 = { 6808020000 6a00 ff74242c e8???????? } + $sequence_18 = { 50 56 ffb42480000000 ff15???????? } + $sequence_19 = { 89442424 8b442424 6808020000 6a00 } + $sequence_20 = { 89742434 89f1 8b442434 e8???????? } + $sequence_21 = { 5d c21000 55 53 57 56 83ec18 } + $sequence_22 = { 6a5c ff74241c e8???????? 83c408 } + $sequence_23 = { ba80969800 52 50 51 e8???????? } + $sequence_24 = { c6410c00 e8???????? ffd0 83c420 } + $sequence_25 = { bbe6000000 89d7 83e219 f7d7 21df 09fa } + $sequence_26 = { 6a00 ff74245c e8???????? 83c40c } condition: 7 of them and filesize < 1284096 
@@ -82294,36 +82288,36 @@ rule MALPEDIA_Win_Apollo_Shadow_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea905677-b1ee-5a47-bc71-e2c692213f7b" - date = "2026-01-05" - modified = "2026-01-06" + id = "76bde173-1488-5294-bcc3-d9c7e9a47266" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.apollo_shadow" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.apollo_shadow_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.apollo_shadow_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "b4c0913bb7700a7eb24e3d781656266dfb7d50769bc9ee1a9816b626000653e9" + logic_hash = "20a8ccbd2545463c3adba429f094df425b6b9ba8f9cf0dd77090b9aab1413193" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bce e8???????? 4183ceff 488d0590880200 4a8b04f8 42f644e03801 } - $sequence_1 = { 48898424e0000000 488bf1 48894c2458 4533f6 4489742430 0f57c0 } - $sequence_2 = { 48b8033bae3ba217f877 488945a7 488b75a7 48b8b89c83748f3838d7 488945a7 488b5da7 48b89553bf5390096f5f } - $sequence_3 = { 48b8ffffffffffffff7f 483bc8 0f8793000000 4803c9 4881f900100000 7224 488d4127 } - $sequence_4 = { 48837d3708 480f43451f 48894d2f 66891c48 eb57 488bd1 } - $sequence_5 = { 4053 4883ec20 b908000000 e8???????? 
488bd8 4889442430 48c70001000080 } - $sequence_6 = { 0f28458f 33ff 4c8d7dc7 48837ddf08 4c0f437dc7 } - $sequence_7 = { 448b10 410fb609 83e10f 4a0fbe8431489d0300 428a8c31589d0300 4c2bc8 418b41fc } - $sequence_8 = { c744242804000000 488d842480000000 4889442420 41b904000000 4533c0 488b0f ff15???????? } - $sequence_9 = { f3410f7f01 f30f7e4108 660f60c0 660f71e008 f3410f7f4110 f30f7e4110 660f60c0 } + $sequence_0 = { 4c3bd9 7363 4983e0e0 f30f7e01 4983c220 660f60c0 660f71e008 } + $sequence_1 = { 0f873c060000 e8???????? 660f6f05???????? f30f7f45f8 668975e8 85db 750f } + $sequence_2 = { 41b806000000 488d150f3d0300 e8???????? 90 0f288424d0000000 660f7f8424d0000000 4c8d8424e8000000 } + $sequence_3 = { e9???????? 498bc7 488d0dd7870200 83e03f 4d8be7 49c1fc06 4c8965e8 } + $sequence_4 = { e8???????? 0fb7d8 e8???????? 448bcb 4c8bc0 33d2 488d0d63adfeff } + $sequence_5 = { 498bd0 4c8d155d0a0300 3bcf 7622 498bc0 48c1f806 498bc8 } + $sequence_6 = { 4c8bc3 488d4dff e8???????? 90 488975b7 488b4db7 4c8975b7 } + $sequence_7 = { 7579 488d3dd4710200 ff05???????? 8b4314 90 a9c0040000 7561 } + $sequence_8 = { 488bc3 48bdfeffffffffffff7f 482bc2 483bc5 0f87f5000000 4883f808 0f828f000000 } + $sequence_9 = { 488d8af0000000 e9???????? 488d8ae0000000 e9???????? 488d8a10010000 e9???????? 488d8a58010000 } condition: 7 of them and filesize < 710656 
@@ -82333,36 +82327,36 @@ rule MALPEDIA_Win_Venomloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "360daa47-065f-559b-a4bd-3c105892d050" - date = "2026-01-05" - modified = "2026-01-06" + id = "681c577e-0d22-5b07-a8e2-fee5f4d454ec" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.venomloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.venomloader_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.venomloader_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "2a010e987b08fda7866a0ce45dd38105218c7c231dfd9f1e74d7bf8cc14fb654" + logic_hash = "f3aa49e2b0f5413e9d10c518f936557aeb396c63445f44152c2ce0d27cfa4f88" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48894d10 895518 4c894520 837d1803 7758 837d1802 } - $sequence_1 = { 488d1503ad0a00 c70105000000 48895108 c3 488d15f1ac0a00 c7010b000000 48895108 } - $sequence_2 = { 53 4883ec20 4889cb 488d0d91b90000 e8???????? 4889c2 488b03 } - $sequence_3 = { 4883e918 4c89e2 e8???????? eb88 488d0d07f10400 e8???????? 4889c3 } - $sequence_4 = { 4889742468 0f11742450 e8???????? 
488b442470 488b542478 488b9c2488000000 4889542478 } - $sequence_5 = { 48c1ea20 83e201 4c39d9 72df 4983eb01 4d29eb 4983e3fc } - $sequence_6 = { 84d2 0f84b8000000 384549 7452 384548 744d 38c1 } - $sequence_7 = { 4989d0 488d1540910c00 4889c1 e8???????? 488d85d0040000 488d95f0040000 4c8d05d3910c00 } - $sequence_8 = { 4c89e2 4889e9 66897c2468 e8???????? 89c7 84c0 0f85fd050000 } - $sequence_9 = { 48895e18 8b08 85c9 0f853e010000 83430801 488d05e02d0b00 48897e20 } + $sequence_0 = { 53 4883ec20 488d0594160400 80796f00 488901 4889cb 7438 } + $sequence_1 = { 488379e800 0f8452fdffff 4084ff 0f8549fdffff 4584ff 0f8416030000 488b842400010000 } + $sequence_2 = { 89da 4889f1 4189c5 e8???????? 85c0 7506 } + $sequence_3 = { 4829c8 48d1f8 48894350 4889da 4889f1 e8???????? 488d0593d00200 } + $sequence_4 = { 5d c3 55 53 4883ec38 488d6c2430 488d45f7 } + $sequence_5 = { 85d2 752e 8340f801 48894308 488d05ff060600 488903 4883c438 } + $sequence_6 = { 488d157ffc0400 4889d9 e8???????? 488b05???????? 4889f1 4883c010 488983e0000000 } + $sequence_7 = { 488d1509b00a00 c70002000000 48895008 c3 488d15f7af0a00 c70002000000 48895008 } + $sequence_8 = { 29d0 85c0 0f8fcb020000 4183fd6f 0f8429020000 4439fa 0f8d88020000 } + $sequence_9 = { 85d2 0f8f64ffffff 4883e918 4c89e2 e8???????? 488b8424b0000000 e9???????? } condition: 7 of them and filesize < 2592768 
@@ -82372,36 +82366,36 @@ rule MALPEDIA_Win_Matanbuchus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14891cee-6fee-5b85-a869-72db3819e8d3" - date = "2026-01-05" - modified = "2026-01-06" + id = "f28221c1-680b-5d58-8277-30f46067656d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.matanbuchus_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.matanbuchus_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "8cc6ad0369ae6a09d94059ca0fd839ca0ba525864e83ed2b19f2484b94f687e7" + logic_hash = "2997d28aa1e71c96eb8b8db5aef2af7562f30f6f0a2b4697d1174ed6be704bc6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8955ec 0fb745fc 8b4dd8 668b1441 668955f8 eb0f } - $sequence_1 = { 035120 8955dc 8b45f4 8b4d08 03481c 894dcc c745f000000000 } - $sequence_2 = { 51 b801000000 6bc800 8b5508 0fbe040a 85c0 } - $sequence_3 = { 8b55d4 8b048a 034508 8945d0 0fb74df4 0fb755f8 } - $sequence_4 = { 41 66894df8 0fb755fc 85d2 } - $sequence_5 = { 0fbe1401 33550c 69c293010001 50 b901000000 c1e100 034d08 } - $sequence_6 = { eb04 33c0 eb18 eb82 8b4df4 8b55f4 } - $sequence_7 = { 81fa4d5a0000 7407 33c0 e9???????? 
8b45e8 8b4d08 } - $sequence_8 = { ff55f0 6800800000 6a00 8b5508 } - $sequence_9 = { 8b55f0 8b4214 8945e8 33c9 66894dfc } + $sequence_0 = { 0f84a6000000 8b4df4 8b5104 83ea08 d1ea 8955e4 } + $sequence_1 = { 55 8bec 833d????????00 7517 8b450c 50 8b4d08 } + $sequence_2 = { 6bc200 8b4d08 0fbe1401 33550c } + $sequence_3 = { 8b511c 035508 8955d4 8b45f0 8b4df0 8b5018 3b5114 } + $sequence_4 = { 8b55ec 837a7400 7507 33c0 e9???????? b808000000 6bc800 } + $sequence_5 = { 8b55d4 8b048a 034508 8945d0 0fb74df4 0fb755f8 } + $sequence_6 = { 0fb7044a 8b4df4 0fb75110 03c2 668945fc 0fb745fc 8b4df4 } + $sequence_7 = { 034224 8945d0 8b4df4 8b5508 035120 8955dc 8b45f4 } + $sequence_8 = { 8b4224 034508 8945d8 8b4df0 8b511c 035508 } + $sequence_9 = { eb04 33c0 eb18 eb82 8b4df4 8b55f4 } condition: 7 of them and filesize < 13077504 
@@ -82411,36 +82405,36 @@ rule MALPEDIA_Win_Cryptoluck_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d021de73-27cb-5bec-a5d2-3e18a59babc5" - date = "2026-01-05" - modified = "2026-01-06" + id = "476c2670-d790-55ec-85fd-c563f315b8b6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptoluck_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptoluck_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "962cd1309df7966b05578e3a6dacac6ddd19906dbb39c069d91052b1b1100225" + logic_hash = "c24c7722274c413e89c021a9199d9e1c3695af594b0678aa9edf1f88c7cb42e0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837d1000 7409 c745d880720010 eb07 c745d878720010 837d1000 7409 } - $sequence_1 = { 83c40c 8945f4 6a00 6880000000 6a02 6a00 6a01 } - $sequence_2 = { 83ec20 8d45f8 50 8b4d08 51 ff15???????? 8b55fc } - $sequence_3 = { 51 837d1801 730f 8b4514 50 } - $sequence_4 = { 52 ff15???????? 
898504f0ffff 680f040000 8b8504f0ffff 8d8c05e8fbffff } - $sequence_5 = { 8b4508 69c0100e0000 99 03c8 13f2 894de8 } - $sequence_6 = { f610 57 4c 2434 cd40 0234d2 2d734ce893 } - $sequence_7 = { 8b45c8 83c001 8945c8 8b4dc0 83e901 894dc0 ebe0 } - $sequence_8 = { 8b4de8 51 8b55fc 2b55f4 52 8b45f8 } - $sequence_9 = { ff15???????? 898540ffffff 83bd40ffffff00 7472 8b8d40ffffff 51 8b55e0 } + $sequence_0 = { 83bd3cefffff00 7429 8b8544efffff c60000 8b8d44efffff 83c101 } + $sequence_1 = { 6a02 ff15???????? 3d420200c0 751b } + $sequence_2 = { 8b45e8 50 ff15???????? 8b0d???????? 51 8b55e8 } + $sequence_3 = { e8???????? 83c410 8945d4 c745d000000000 6a00 8d55d0 52 } + $sequence_4 = { 8d45fc 50 8b4df8 51 8d5514 52 8b4510 } + $sequence_5 = { 8d45fc 50 8b4d0c 51 6a00 6a00 6a02 } + $sequence_6 = { 6a02 6a00 8b85d8fbffff 50 ff15???????? 8985ccfbffff 83bdccfbffff00 } + $sequence_7 = { 50 8b4d20 51 ff15???????? 8b55e4 } + $sequence_8 = { 8b95f4fdffff 52 e8???????? 83c404 6a00 8d85f8fdffff 50 } + $sequence_9 = { f7da 1ad2 80e217 80c243 0fbec2 8945ec } condition: 7 of them and filesize < 229376 
@@ -82450,36 +82444,36 @@ rule MALPEDIA_Win_Nimgrabber_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "89bd52a7-663e-548b-aa96-3fbc1c4d91ac" - date = "2026-01-05" - modified = "2026-01-06" + id = "12aeb4f4-2468-57d3-801f-ca173cc40282" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nimgrabber_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nimgrabber_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "d088108be342ea9771cd179dc72ead263968b1a4b5039d9c99155df864322e6b" + logic_hash = "b07d2e135869e48af06a8b112ddcaf1a2f16912b0ac5571bd00221cda49c694f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89e8 e8???????? 
8b4310 8d68f8 85c0 0f8469feffff 8b4500 } - $sequence_1 = { 8b4514 89442414 83fa0f 7f5a 8b5d04 8b4500 85db } - $sequence_2 = { 89f8 25ff010000 0fb78446e4030000 6685c0 0f85a0090000 89f8 89fa } - $sequence_3 = { 8b442420 8b00 39c6 0f8256feffff 83e801 893424 89442404 } - $sequence_4 = { 8b44243c 8b4c2460 8d5c0808 0fb64708 3c2a 0f849b0b0000 0f87f7000000 } - $sequence_5 = { 8d56f8 83e808 8946f8 83f807 0f861a020000 8b4304 85c0 } - $sequence_6 = { 83ff01 0f8492000000 8b11 8d6ffe 39d5 7211 83ea01 } - $sequence_7 = { 037304 8b5208 0fb6f8 89f1 897c2440 83c42c 5b } - $sequence_8 = { e8???????? c1e807 83f001 83e001 e9???????? 837c24687f 0f8ea80b0000 } - $sequence_9 = { 037c2440 0f49c7 83c208 89542414 89c5 89c8 25ffffff3f } + $sequence_0 = { 894c2404 891424 83c001 89442408 e8???????? 8b03 0306 } + $sequence_1 = { 0fb7c0 0fb6542e08 c1e206 81e2c00f0000 09d0 0fb6543e08 83e23f } + $sequence_2 = { c744241008000000 c1eb08 be08000000 e9???????? c744241009000000 c1eb07 be09000000 } + $sequence_3 = { 0f87fc0a0000 395f6c 0f87080b0000 395f70 0f87140b0000 395f74 0f87200b0000 } + $sequence_4 = { 3b5f44 0f82010a0000 3b5f48 0f820d0a0000 3b5f4c 0f822e0a0000 } + $sequence_5 = { 0f8fcffeffff 89fd 8b5504 89e9 e8???????? 8d4d04 89da } + $sequence_6 = { 8b03 83ec0c 89c7 83ef08 0f80d9050000 83e804 8b6c3b08 } + $sequence_7 = { 8b00 89842488000000 85c0 0f8eab1a0000 8b44246c 31db } + $sequence_8 = { 894d14 894500 895508 83fa38 7f08 8b7c241c 3907 } + $sequence_9 = { e9???????? e8???????? e9???????? 894c2414 e8???????? 8b4c2414 e9???????? } condition: 7 of them and filesize < 1238016 
@@ -82489,36 +82483,36 @@ rule MALPEDIA_Win_Imprudentcook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e985dc9d-907c-5ecd-b391-7678328944ea" - date = "2026-01-05" - modified = "2026-01-06" + id = "75e4592d-21ea-5b74-beda-d75f8caa17c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.imprudentcook_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.imprudentcook_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "df9f920c4e9fbf5202cbb078d209a88f010a87e5e4d8cea3492e3733d1c90a2b" + logic_hash = "74810614a85d779678d01380c3bcf3dcf793e759fae3ba5e3f5874f62d02ccb3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 49f7d0 48c1ef20 498bc0 48897c2420 48f7f7 488bc8 } - $sequence_1 = { 4981fd541f0000 7c24 488d0c5b 4881f9aa0f0000 7c17 488bcf 48895c2420 } - $sequence_2 = { 4c8d45f8 488d550f 488d4de7 4889442420 e8???????? 488d4d1f ff15???????? } - $sequence_3 = { 7303 4d03d7 488bca 48c1ea20 418bc3 48c1e120 4803c8 } - $sequence_4 = { 4c8bc7 498bd7 488bce 4889442420 e8???????? 
eb10 488bf5 } - $sequence_5 = { 488d55e7 483bc1 498bca 7d12 488b45df 4c894c2428 4d8bc8 } - $sequence_6 = { 458bda 488bd0 4885c0 783d 482bc7 498d0cc4 498bc5 } - $sequence_7 = { 493b45f0 752b 4883c8ff 498bd5 498bce 492bd7 492bcf } - $sequence_8 = { 4d892cc4 4f8d2cfc 4c8bcf 4d8bc5 498bd4 e8???????? 488bdf } - $sequence_9 = { 488b8424a0000000 4d8bc4 4889442420 e8???????? 4883c450 415f 415e } + $sequence_0 = { e8???????? 488b5520 894500 8b4528 83f803 7527 488b4508 } + $sequence_1 = { 3b3d???????? 736e 488bdf 4c8bef 49c1fd05 4c8d35384d0200 83e31f } + $sequence_2 = { 753a 4883e908 48ffc8 79eb 488b8c2498000000 4489642428 4d85f6 } + $sequence_3 = { 4c2bc1 49c1e020 4d0bc3 4c3bc2 731a 498b45f8 49ffca } + $sequence_4 = { 4983ec08 493bfd 0f8211020000 4989742408 7732 7563 4d8bcc } + $sequence_5 = { 4b0104ec 4d85f6 7430 488b4d28 4d8d46ff 498bc4 } + $sequence_6 = { 482bfa 660f1f440000 488b0c3b 488b13 483bca 0f8599000000 4883eb08 } + $sequence_7 = { 4c8bc6 48898580000000 e8???????? 48894510 4885c0 7452 660f1f840000000000 } + $sequence_8 = { 4c8b7c2460 4c8b942408010000 4a8d1c38 4f8d2c12 493bdd 7d41 488b842438010000 } + $sequence_9 = { 488905???????? e8???????? 488d15d3ec0400 488bcb 488905???????? e8???????? 488d15d5ec0400 } condition: 7 of them and filesize < 864256 
@@ -82528,46 +82522,45 @@ rule MALPEDIA_Win_Stowaway_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fff7cfff-aed4-5ea2-8664-de07b4f99127" - date = "2026-01-05" - modified = "2026-01-06" + id = "8d802ea2-325f-542a-981f-8c2375a02e81" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stowaway_auto.yar#L1-L199" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stowaway_auto.yar#L1-L193" license_url = "N/A" - logic_hash = "84a539e785b0d71993d13deb34a2d8f732a0d59ec389deb587ebb307e97415d7" + logic_hash = "719a82249e2c6544bd756b12bedc1fae86c5b47e6e2fdd1af6a4e45f9d15ac20" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 76e8 77e8 78e8 79e8 } - $sequence_1 = { 78e8 79e8 7ae8 ce f67be8 } - $sequence_2 = { ce f67be8 7ce8 7de8 } - $sequence_3 = { a3???????? 
4e fb b501 } - $sequence_4 = { 751e 53 2661 6d b040 3d1db5094f } - $sequence_5 = { 2a37 e394 5e b5a9 0e 2cc6 ec } - $sequence_6 = { 5b 6b5e045f aa 43 9a7f6eb1f75c72 7f30 fa } - $sequence_7 = { 50 91 3e06 48 52 2692 4e } - $sequence_8 = { 1b7f1c b567 8110932238ba 81f82f2437b0 645b f257 326640 } - $sequence_9 = { d4ff 57 ed 7a80 51 80534080 } - $sequence_10 = { 99 0039 801002 3900 99 } - $sequence_11 = { e774 5b 004f49 5c } - $sequence_12 = { 8d843000a03b00 01f3 50 83c708 } - $sequence_13 = { 777c 7781 7782 7783 7786 7787 } - $sequence_14 = { 3c77 0c35 f20b18 40 } - $sequence_15 = { f3676d 51 99 9f 4b 8099543c7bbf7a } - $sequence_16 = { a5 ed 91 34cf } - $sequence_17 = { 60 41 69e038173794 6c 5c d10f } - $sequence_18 = { d7 80cf73 c9 f0f3f9 } - $sequence_19 = { a4 49 07 04bc 3c2f } + $sequence_0 = { 8a7cbe46 a3???????? 4e fb b501 } + $sequence_1 = { f67be8 7ce8 7de8 7ee8 } + $sequence_2 = { 78e8 79e8 7ae8 ce } + $sequence_3 = { 76e8 77e8 78e8 79e8 } + $sequence_4 = { 7ae8 ce f67be8 7ce8 } + $sequence_5 = { e2d9 8dbe00903a00 8b07 09c0 743c 8b5f04 8d843000a03b00 } + $sequence_6 = { 8bae34a03b00 8dbe00f0ffff bb00100000 50 } + $sequence_7 = { 0e d8f4 ef 28f8 386849 } + $sequence_8 = { 5c 72e4 633e 6c e4e4 } + $sequence_9 = { 3e8059805b 805c805d80 5e 8083c65df85f80 60 8061fc63 8064ffdff1 } + $sequence_10 = { b567 8110932238ba 81f82f2437b0 645b f257 326640 b117 } + $sequence_11 = { 68b890e66c 195039 d0f1 1e } + $sequence_12 = { 9c 5c 4d 79c7 4d e081 025c51c9 } + $sequence_13 = { 01a334a1f20b 19e4 1108 4e 10827e53f706 f9 850c2c } + $sequence_14 = { f60904 9c 26b696 7a19 } + $sequence_15 = { 0f11c1 7875 52 43 6b8ad456ed7902 a2???????? 6b89130a83d644 } + $sequence_16 = { 30c2 01420f 9f d8682a 1f d204c6 06 } + $sequence_17 = { 8e4ec2 0c79 72c9 85cd 4f } + $sequence_18 = { 080a 0c11 1214151617181a 1b1c1f 2126 } condition: 7 of them and filesize < 8003584 
@@ -82577,36 +82570,36 @@ rule MALPEDIA_Win_Purelocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "19f36305-4b96-510d-a7f2-0dc1a52c7e21" - date = "2026-01-05" - modified = "2026-01-06" + id = "14214de4-01ef-5113-b85d-0115236817d4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.purelocker_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.purelocker_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "938c4b6e5f7cc834fc68e23dd33e35b757eeea1e164b3c0af40b39e69fc933d6" + logic_hash = "d4707eeb3bb5b798f3c6870c6d6ac41b6eba5b1030e7884a4d0013e245c91c25" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8f84240c040000 ffb42410040000 58 89842420040000 8b9c2414040000 3b9c240c040000 0f8da5000000 } - $sequence_1 = { 50 5b 5f 83ffff 7f0b 7c05 83fbff } - $sequence_2 = { e8???????? ffb42458080000 e8???????? 31c0 0fbec0 } - $sequence_3 = { 7505 e9???????? 8b9c2450040000 83fb01 0f85c3000000 83bc245804000000 7411 } - $sequence_4 = { 89442404 ff3424 8d1524400110 59 e8???????? 7415 } - $sequence_5 = { 750e 837c240400 7407 b801000000 eb02 31c0 21c0 } - $sequence_6 = { 7c11 8b5c2420 3b5c2428 7f07 b801000000 eb02 } - $sequence_7 = { e9???????? 
6819000000 68ffffffff ff742414 ff742420 e8???????? ff742410 } - $sequence_8 = { 52 e8???????? 5a 50 ff742408 e8???????? 8d44241c } - $sequence_9 = { ffb424bc000000 e8???????? 0fbe842488000000 0fbec0 e9???????? ff742474 } + $sequence_0 = { 8d053a460110 50 e8???????? e8???????? 011424 e8???????? 8d442404 } + $sequence_1 = { 83fb01 753f 8b9c249c000000 21db 7505 e9???????? 8bac249c000000 } + $sequence_2 = { ff74242c e8???????? a3???????? 8b1d???????? 21db 7513 681f84143a } + $sequence_3 = { 7475 52 e8???????? 5a 50 52 } + $sequence_4 = { 6800000000 6800000000 ff742470 ffb4249c000000 8bac24b0000000 8d4578 ff7004 } + $sequence_5 = { e8???????? 31c0 5b c3 55 53 57 } + $sequence_6 = { eb02 31c0 21c0 0f844c020000 ff742410 8d1584400110 59 } + $sequence_7 = { 58 52 e8???????? 5a 50 ff35???????? 8d051a470110 } + $sequence_8 = { 6800000000 6800000000 ff542414 89c3 21db 7509 ff742408 } + $sequence_9 = { 8b5c2418 81fb405ec084 750e 8b6c240c ff7518 58 89442410 } condition: 7 of them and filesize < 193536 
@@ -82616,36 +82609,36 @@ rule MALPEDIA_Win_Breach_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c23c3fa3-17cd-5c37-b04d-874bf808dbb3" - date = "2026-01-05" - modified = "2026-01-06" + id = "72f97555-af27-5cf5-a569-4834f58e4e9d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.breach_rat_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.breach_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "f6957c0f2edc673a234b7e2f6939826a76594123ef28991fd2cfa30c71d906d4" + logic_hash = "267b05fcdc8c11bf630ad8e4587954848118db1d1bff6351dfc81df79156bca4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 2b4da4 f7e9 c1fa02 8bc2 c1e81f 03c2 744a } - $sequence_1 = { 8b450c 2bf0 83c002 0345f0 56 50 eb08 } - $sequence_2 = { 8d4db8 e8???????? 83c410 84c0 742c 8b4dd4 } - $sequence_3 = { ff4dc4 895d08 0f8548fdffff 8b5d98 8b7d9c 85db } - $sequence_4 = { c745bc00000000 c645ac00 56 8bd7 c645fc0b 8d8d6cffffff e8???????? } - $sequence_5 = { 8bc2 c1e81f 03c2 83f807 7616 8d87a8000000 3bf0 } - $sequence_6 = { 53 57 8b7d08 33db 895df0 85ff 7464 } - $sequence_7 = { e8???????? 8bc8 e8???????? 8d8d24f1ffff c745fcffffffff e8???????? 68???????? } - $sequence_8 = { e8???????? 
50 8d8c2480000000 e8???????? 8b442428 85c0 7416 } - $sequence_9 = { 68???????? 8d8d54f7ffff e8???????? 68???????? 8d8554f7ffff c745fcc8000000 50 } + $sequence_0 = { c745fc50000000 50 8bce e8???????? 8bc8 e8???????? 8d8d2cf5ffff } + $sequence_1 = { 8bc8 e8???????? 8d8decf5ffff c745fcffffffff e8???????? 68???????? } + $sequence_2 = { 8be5 5d c3 837c242c10 8d742418 0f43742418 2bf0 } + $sequence_3 = { c7461898fc4300 eb3b 83fffb 7509 c74618b8fc4300 eb28 83fffc } + $sequence_4 = { 8be5 5d c3 837f1410 7204 8b37 eb05 } + $sequence_5 = { 64892500000000 83ec6c 56 8bf1 8d4dd4 e8???????? } + $sequence_6 = { ba???????? 8d4dc0 e8???????? 84c0 745c c745e400000000 c745e800100000 } + $sequence_7 = { 668945d8 e8???????? 837dd408 720b ff75c0 e8???????? } + $sequence_8 = { 8d4dc0 e8???????? 84c0 745c c745e400000000 c745e800100000 c745ec00100000 } + $sequence_9 = { 6a03 68???????? 8d4ddc e8???????? 68???????? 8d55c4 8d4dac } condition: 7 of them and filesize < 645120 
@@ -82655,36 +82648,36 @@ rule MALPEDIA_Win_Blackcoffee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c2ef4943-3003-5a8e-b84c-2fdafd870b99" - date = "2026-01-05" - modified = "2026-01-06" + id = "24f9c95a-158c-55ab-a4f3-f8cabc725f0c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackcoffee_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackcoffee_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "b695e8fbe67a22ec1c98f5f738aa4dd5737b4b8062371c0306d53cad47c03140" + logic_hash = "2b394e9c3cd7e94e4e6651b202e65799c90db4156d7541937f1cbeb7cbc47c4b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff75fc 57 6a01 ff15???????? 8bd8 3bdf } - $sequence_1 = { 53 e8???????? 83c40c ffd3 3bc7 7460 8b5610 } - $sequence_2 = { 897dfc 8945f4 50 8d4610 } - $sequence_3 = { 50 c70614000000 ff15???????? 8d85dcfeffff 83c40c 8945e8 8d45e0 } - $sequence_4 = { c68501f0ffff36 c68502f0ffff34 c68503f0ffff50 c68504f0ffff72 } - $sequence_5 = { 8b45fc 89460c c70614000000 e9???????? 83660c00 8d85b4feffff 50 } - $sequence_6 = { 6800800000 57 53 ff15???????? 8b4610 } + $sequence_0 = { 89461c 8b45f8 894618 8b461c 83c00c 894610 } + $sequence_1 = { e8???????? 
8bf0 8d8500fcffff 83c604 33d2 6a08 8bca } + $sequence_2 = { 59 ff15???????? 0faf4608 ff4508 83c704 837d081e } + $sequence_3 = { ff742414 e8???????? 8bf0 85f6 7411 6888130000 ff15???????? } + $sequence_4 = { 8365fc00 66ab aa 80a508f0ffff00 } + $sequence_5 = { 7620 0fb6543904 8bd8 81e3ff000000 33d3 c1e808 } + $sequence_6 = { 6804010000 50 8d4708 50 ffd3 83c418 } $sequence_7 = { e8???????? 8806 8d45b0 50 } - $sequence_8 = { 897dfc 57 ff15???????? 8bd8 3bdf 747a 8b460c } - $sequence_9 = { 895efc ff75f8 56 e8???????? 83c40c 56 } + $sequence_8 = { 83c00c 0107 8b37 03f3 e8???????? 6854414449 } + $sequence_9 = { 750b ff15???????? 89460c eb28 57 57 } condition: 7 of them and filesize < 118784 
@@ -82694,47 +82687,48 @@ rule MALPEDIA_Win_Maktub_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ecc73f32-ecbd-5318-a556-c2b45ed34c44" - date = "2026-01-05" - modified = "2026-01-06" + id = "bdd64d5e-7bca-594a-a4b8-23e7aea8b7aa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.maktub_auto.yar#L1-L197" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.maktub_auto.yar#L1-L195" license_url = "N/A" - logic_hash = "ff16c7a452af8c5ebf57513ce479bd7fbd7433b4ce2d8fbd914a83844ba9c640" + logic_hash = "988faaca6a38b1fd1afff7ce22b03171fd885df693fdfe85d1ce608c9abb0b07" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ffd0 f7d8 1bc0 f7d8 8be5 } - $sequence_1 = { ff15???????? eb0a 57 6a08 } - $sequence_2 = { ff15???????? eb02 33c0 46 } - $sequence_3 = { ff15???????? eb02 33db 8b4df4 } - $sequence_4 = { ff15???????? e9???????? 8d43f4 3d???????? 0f84c1000000 833d????????00 } - $sequence_5 = { e8???????? 8b75fc 8b4df0 83c305 8a4513 } - $sequence_6 = { ff15???????? f6c301 0f8414010000 8d46fc } - $sequence_7 = { ff30 e8???????? 8bc7 5f 5e 5b } - $sequence_8 = { 8bf8 c785d4fdffff2c020000 8d85d4fdffff 50 57 68???????? 
} - $sequence_9 = { 8d4f14 8b18 8b7004 8d45e8 } - $sequence_10 = { 8bf8 8d442428 6a50 50 897c2424 } - $sequence_11 = { 8d4f2c e8???????? 84c0 7578 } - $sequence_12 = { 8bf8 c744242000000000 f7642424 8bcf 0fafcd 8bd8 8b44241c } - $sequence_13 = { 8bf8 8b4c242c 03f2 03710c } - $sequence_14 = { 8d4f20 e8???????? 84c0 750f } - $sequence_15 = { 8d4f10 e8???????? 8d4f30 8b30 8b5004 8d45f0 } - $sequence_16 = { 8d4f34 e8???????? 8d4f14 8b18 } - $sequence_17 = { 8bf8 8db508040000 b917000000 53 } - $sequence_18 = { 8d4f28 89471c 33c0 c6472000 } - $sequence_19 = { 8bf8 897dec 33db 66895f0c 895dfc 8b450c } - $sequence_20 = { 8d4f30 e8???????? 8b470c 8d4d10 } + $sequence_1 = { ff15???????? eb02 33db 8b4df4 } + $sequence_2 = { ff15???????? f6c301 0f8414010000 8d46fc } + $sequence_3 = { ff15???????? e9???????? a1???????? 3bc1 0f8deefeffff 8bf0 } + $sequence_4 = { ff15???????? eb02 33c0 46 } + $sequence_5 = { ff15???????? eb0a 57 6a08 } + $sequence_6 = { ff15???????? f6c301 7432 8b75b8 } + $sequence_7 = { ff7508 ffd7 50 ffd6 53 } + $sequence_8 = { ff30 e8???????? 8bc7 5f 5e 5b } + $sequence_9 = { 8d5005 e8???????? 8b45f8 8d4d08 } + $sequence_10 = { 8d429f 663b442418 7767 8d42a9 } + $sequence_11 = { 8d55ac 8d4d9c e8???????? 8bd0 } + $sequence_12 = { 8d42a9 0fb7c0 43 0bc8 } + $sequence_13 = { 8d5590 85c0 7507 837a0401 } + $sequence_14 = { 8d42bf 663b442418 7705 8d42c9 } + $sequence_15 = { 8d42d0 663b442410 761c 8d42bf } + $sequence_16 = { 8d55ac 8d4d8c e8???????? 50 } + $sequence_17 = { 8d4202 f30fe6c0 8901 f20f58c8 } + $sequence_18 = { 8d5001 8911 c20400 55 } + $sequence_19 = { 8d4fff 03ca 8a041e 46 8801 } + $sequence_20 = { 8d42c9 eb0d 8d429f 663b442418 } + $sequence_21 = { 8d5001 8955f0 8d4dd4 e8???????? } condition: 7 of them and filesize < 3063808 
@@ -82744,64 +82738,64 @@ rule MALPEDIA_Win_9002_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bbbd19a8-8d59-5fa3-924d-0a65e7bf4ff6" - date = "2026-01-05" - modified = "2026-01-06" + id = "752f8964-72c3-5732-afd0-f8064660bdd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.9002_auto.yar#L1-L337" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.9002_auto.yar#L1-L355" license_url = "N/A" - logic_hash = "b28ab37244f22455bfd7ab977eaff5de257e54ee69c7d856b3cc5dc49768b368" + logic_hash = "91fd894ce77cf739001b02ab805eec30c7177b1a5f8c6eb3bd3a3410eda9846b" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 2d00040000 f7d8 1bc0 23c2 } - $sequence_1 = { 68???????? ff15???????? 6a0a ff15???????? e9???????? } - $sequence_2 = { 89bef8030000 ff15???????? 8986fc030000 ff15???????? 898600040000 } - $sequence_3 = { 83c0fc 50 53 e8???????? } - $sequence_4 = { 03c3 8b00 5b ffd0 } - $sequence_5 = { 6a02 83c144 6800000040 51 } - $sequence_6 = { 8bc1 33c9 894808 894810 8910 c7400c01000000 } - $sequence_7 = { 57 8bf1 50 6801020000 c706???????? e8???????? 8d4604 } - $sequence_8 = { 2bd0 3bfa 760d 85c0 7504 } - $sequence_9 = { 6a02 ff15???????? 68???????? ff15???????? 
6a00 6a00 6a00 } - $sequence_10 = { 0ac8 80c910 880e 8ac2 } - $sequence_11 = { 6a02 6a03 6a00 e8???????? } - $sequence_12 = { 8b5c2408 6bdb08 03c3 8b00 } - $sequence_13 = { 33c9 3bc8 1bd2 f7da 8915???????? } - $sequence_14 = { 682c010000 50 ffd3 3d02010000 } - $sequence_15 = { 51 e8???????? 6a06 6a01 6a02 e8???????? } - $sequence_16 = { 8b08 51 e8???????? 8b5714 } - $sequence_17 = { 8b460c 40 33d2 f77614 ff4610 } - $sequence_18 = { e8???????? 50 e8???????? 6a08 e8???????? } - $sequence_19 = { 46 c1ea06 8816 46 } - $sequence_20 = { 56 89442418 ff15???????? a820 } - $sequence_21 = { 8b01 ff5010 8b7614 ff4e0c } - $sequence_22 = { c7422c00000200 8b4648 c7402801000000 8b4648 } - $sequence_23 = { 742e 85f6 7419 0fb6da f683c1d4001004 7406 8816 } - $sequence_24 = { 7622 8b4558 83f805 7316 8a0b } - $sequence_25 = { 8b7c240c 57 8bf1 e8???????? 33d2 } - $sequence_26 = { 894608 ff15???????? 8d4c2414 885c243c ff15???????? 8bc6 8b4c2434 } - $sequence_27 = { 8b4648 689a000000 6a00 50 } - $sequence_28 = { 8d4c240c 8d542418 6a05 8944241c 51 } - $sequence_29 = { 8bf1 8b4610 57 33ff 897e08 } - $sequence_30 = { 8bf8 6a40 6800100000 57 6a00 ff15???????? 8d4df8 } - $sequence_31 = { c3 b8???????? c705????????772b0010 a3???????? } - $sequence_32 = { ff15???????? 8bf8 85ff 7529 ff15???????? 8b560c 52 } - $sequence_33 = { 8b5c247c 55 56 8bb4248c000000 57 8b3b 8b2e } - $sequence_34 = { 52 ffd5 c7460c00000000 8b460c } - $sequence_35 = { 6689bc5a80010000 83c30c 895c2424 e9???????? } - $sequence_36 = { 8b4e04 83c108 33f6 668931 66897102 89510c } - $sequence_37 = { ff15???????? 8bf8 6a40 6800100000 } + $sequence_1 = { 6bdb08 03c3 8b00 5b ffd0 } + $sequence_2 = { 7504 33c9 eb03 8b4914 } + $sequence_3 = { 8b542404 8bc1 33c9 894808 894810 } + $sequence_4 = { 6a01 50 ff15???????? 3d02010000 } + $sequence_5 = { 50 68???????? ff15???????? 6a0a ff15???????? } + $sequence_6 = { 8b461c 85c0 7424 682c010000 } + $sequence_7 = { 51 e8???????? 6a06 6a01 6a02 e8???????? 
} + $sequence_8 = { 33c9 3bc8 1bd2 f7da 8915???????? } + $sequence_9 = { c7400c01000000 894814 89481c c20400 56 } + $sequence_10 = { eb05 8b5608 2bd0 3bfa 760d 85c0 } + $sequence_11 = { 6a00 51 8944241c c744241801000000 ff15???????? } + $sequence_12 = { 7504 33ed eb04 2bc8 8be9 } + $sequence_13 = { 6a02 ff15???????? 68???????? ff15???????? 6a00 6a00 } + $sequence_14 = { 8b4108 2bc2 c3 56 } + $sequence_15 = { 894810 8910 c7400c01000000 894814 } + $sequence_16 = { 8b4714 8b08 51 e8???????? 8b5714 83c404 894208 } + $sequence_17 = { 6a00 6a02 6a03 6a00 e8???????? } + $sequence_18 = { 6a08 8b0e 50 6aff } + $sequence_19 = { e8???????? 50 e8???????? 6a08 e8???????? } + $sequence_20 = { 50 8bce e8???????? 8b4d0c 8bf8 8b07 } + $sequence_21 = { 6a00 ff15???????? 8d4df8 6a00 8bd8 51 } + $sequence_22 = { 8b0cf5c4c80010 5e 8908 c3 81f9bc000000 } + $sequence_23 = { 8b15???????? f2ae a1???????? 668b0d???????? 4f 6a00 6880000000 } + $sequence_24 = { e8???????? 8bc6 83e61f c1f805 59 8b0485e0d50010 } + $sequence_25 = { 8b4558 83f805 7316 8a0b 884c285c 8b4558 40 } + $sequence_26 = { 894140 8b5648 c7427078000000 8b4648 83c40c } + $sequence_27 = { 50 8b4dfc e8???????? e9???????? 33c0 8be5 5d } + $sequence_28 = { 8b4c2410 8b6c246c 3bcd 7322 8b6c2464 e9???????? 8b542438 } + $sequence_29 = { 5e 5b 8b4728 0b472c 740c 8b4f48 } + $sequence_30 = { 7404 3c0b 7548 8b4e0c } + $sequence_31 = { 50 68???????? e8???????? 83c40c 8b8dc4fdffff 898dd4fdffff 8d95c8fdffff } + $sequence_32 = { 0fb641ff 0fb6d2 3bc2 0f8794000000 8088c1d4001004 40 } + $sequence_33 = { 50 e8???????? 8b4e48 c7019a000000 8b5648 } + $sequence_34 = { 8944241c 51 83c60d 52 8d44242c } + $sequence_35 = { 7411 55 55 6a01 8d4c241c 51 } + $sequence_36 = { 7407 b801000000 5e c3 6a00 6a00 6a00 } + $sequence_37 = { 85ff 7509 8b460c 50 ffd5 897e0c 8d4c2410 } condition: 7 of them and filesize < 204800 
@@ -82811,81 +82805,75 @@ rule MALPEDIA_Win_Ghostsocks_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ec83c1b8-972c-5302-8f5c-0348597b2510" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c1cb11a-0850-5d40-b71f-408c9daae878" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostsocks" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ghostsocks_auto.yar#L1-L151" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ghostsocks_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "86588affc1ba6a310125c5db73ff776fb8159fe6904364a27563bbbae0b566bf" + logic_hash = "c337a9e96f9dca2a0a87fca084e46544266617e7aebed208b795d0bb71baeab6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7e2 69df90010000 01da 89c3 } - $sequence_1 = { f7e2 7079 8d5504 89d5 } - $sequence_2 = { f7e2 0fafe9 8b4c2418 0fafcb } - $sequence_3 = { f7e2 707d 83f8ff 7772 8b542418 85d2 } - $sequence_4 = { f7e2 01d1 81e5ffffff3f 89ea c1fd1f 90 } - $sequence_5 = { f7e2 89442468 0fafde 01da } - $sequence_6 = { f7e2 83c6f8 90 90 83c308 } - $sequence_7 = { f7e2 89442428 01d1 05000096b3 } - $sequence_8 = { e8???????? 89856068fcff 89956468fcff 8d8d1bc3faff } - $sequence_9 = { e8???????? 89856071fcff 89956471fcff a1???????? } - $sequence_10 = { e8???????? 
89856077feff 89956477feff 8b8d647ffeff } - $sequence_11 = { e8???????? 89856082fcff 89956482fcff 0fb685a77cffff } - $sequence_12 = { e8???????? 89856078fbff 89956478fbff 8b0d???????? } - $sequence_13 = { e8???????? 8985605ffdff 8995645ffdff 0fb6856fd5faff } - $sequence_14 = { e8???????? 89856076fcff 89956476fcff 8b85d0adfdff } - $sequence_15 = { e8???????? 89856074fbff 89956474fbff a1???????? } + $sequence_0 = { eb0b e8???????? 8b4c2434 890f 8908 8b4c241c 8b5130 } + $sequence_1 = { e9???????? 89f1 e8???????? 89f9 89f2 e8???????? 89f8 } + $sequence_2 = { eb18 891c24 897c2404 e8???????? 8b6c2408 8b5c2414 8b7c241c } + $sequence_3 = { eb09 c644243c01 83c428 c3 89c8 89e9 e8???????? } + $sequence_4 = { e8???????? 890f 8b8424a8000000 8b5020 895704 894820 8b4808 } + $sequence_5 = { e8???????? ebb0 8b0d???????? 648b09 8b09 3b6108 0f8646020000 } + $sequence_6 = { e8???????? 837c246803 75cf 8b4c2464 668139646e 75c4 80790273 } + $sequence_7 = { eb3a 894c2424 89442444 891424 894c2404 89742408 894c240c } + $sequence_8 = { f20f114c242c 83c414 c3 8b44241c f30f1000 f30f104804 f30f5ac0 } + $sequence_9 = { e9???????? 0fb64c2412 e9???????? 
83f806 0f84b1010000 83f808 751e } condition: - 7 of them and filesize < 25016320 + 7 of them and filesize < 16646144 } rule MALPEDIA_Win_Yanluowang_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4468bae4-7d21-5c9c-b3c6-a951c19ed833" - date = "2026-01-05" - modified = "2026-01-06" + id = "1abc8756-0837-5551-801f-93787a9adedb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yanluowang_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yanluowang_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "7c2e1069418a1f62952d42a3190c40f6e9223a885e325767a86810d1579f3abb" + logic_hash = "13f73cba5e2dc47bc7519cbe3ead263b6ded7801b671034999080b2b4b027200" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745dc00010001 c745e000010001 c745e400010001 c745e800010001 e8???????? 
83c40c } - $sequence_1 = { 56 57 50 8d45f4 64a300000000 8995a4fdffff 898da0fdffff } - $sequence_2 = { 33733c 334b30 335338 8bc1 0bce 33f7 23f8 } - $sequence_3 = { 8b442438 336c2434 03d5 0fb6e8 c1e808 339cae00040000 33d8 } - $sequence_4 = { c744242c00000000 8bc3 b902000000 f7f6 807c241300 8bf0 8b442418 } - $sequence_5 = { 7402 890b 3355e8 8d4808 85c9 7402 } - $sequence_6 = { 0fbe41ff 8d04c528984400 ebbd 8a11 } - $sequence_7 = { ebdf c745e4b4a44400 c745e803000000 ebcf c745e4b8a44400 ebbf c745e4c0a44400 } - $sequence_8 = { 0f87f4010000 0fb680bbc94200 ff24859fc94200 8365e400 8d4de4 8365e800 6a7b } - $sequence_9 = { ff742418 6a00 6a00 6a04 6a01 } + $sequence_0 = { c70600000000 c7461000000000 c7461407000000 895dec 83f807 7614 c645f000 } + $sequence_1 = { b9???????? 8d8584f4ffff 0f1f440000 8a10 3a11 0f85f1000000 } + $sequence_2 = { 8bd6 33f9 894238 8bc6 8b484c 8b5044 89783c } + $sequence_3 = { 33e9 89afa0000000 bd01000000 23ea f7dd 23eb 33d8 } + $sequence_4 = { 03048d38034600 50 ff15???????? 5d c3 8bff } + $sequence_5 = { 8b45fc 03c1 894db4 8b4de4 33c6 8b7db4 8945c4 } + $sequence_6 = { 8b7d08 33db 8b450c 8945e4 897ddc 8b0f 895de0 } + $sequence_7 = { 235dc0 33ca 334dc0 335df8 894de4 03de } + $sequence_8 = { 8b4df8 33c6 8945dc 83e701 0fb6c1 f7df 237de8 } + $sequence_9 = { 7402 8938 8d7904 33d2 85ff 7402 } condition: 7 of them and filesize < 834560 
@@ -82895,32 +82883,32 @@ rule MALPEDIA_Win_Qhost_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f6a3ef66-17d7-58a0-96de-8a0c0984b5c6" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a91b9f4-4fa5-5bef-a29f-da74de42d2bb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.qhost_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.qhost_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "905b65375bd0a4c7552598ebcf914fdc02a2fd215e8f336ecf0dd12d8b466ba7" + logic_hash = "712edc3e0d2985e51e1a3a002725c99a2510e16d8bf9ecc0d7add8c13fd2f745" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b8???????? eb0c 8b4dfc 51 ff15???????? } + $sequence_0 = { 66c745e80200 8b4508 8945ec 668b4d0c 66894dea } $sequence_1 = { 6a04 8d55f0 52 6a07 8b4508 50 } $sequence_2 = { 50 68???????? 68???????? 680f270000 68???????? } $sequence_3 = { 7430 6a00 6a02 8d55f8 52 6a23 ff55fc } - $sequence_4 = { 894da0 8b55a0 3b55a4 0f8d56040000 8d459c } - $sequence_5 = { 6880000000 6a00 8d8d74feffff 51 e8???????? 83c40c 8b9570feffff } + $sequence_4 = { 6804010000 8d85f4fdffff 50 8b8decfcffff 51 ff15???????? } + $sequence_5 = { 8985ecfcffff 6804010000 6a00 8d85f4fdffff } $sequence_6 = { e8???????? 
83c404 e9???????? 83bd68ffffff06 7536 83bd6cffffff00 752d } $sequence_7 = { 52 8b45fc 50 ff15???????? eb4a } $sequence_8 = { 8b8ddcfdffff 51 ff15???????? 83c404 8b95ecfdffff 52 e8???????? } 
@@ -82934,36 +82922,36 @@ rule MALPEDIA_Win_Kardonloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57227c50-5901-516a-b863-0f33adb6b519" - date = "2026-01-05" - modified = "2026-01-06" + id = "1be252fc-2168-51a0-8a05-ed20d945865b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kardonloader_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kardonloader_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "bf2ff4ff4bbba7fc1d200f179fb3f5bc11f84479969b4348f603834a274497e5" + logic_hash = "52126abc9efb7f85781ef81fdd21078ea7169fa2e02acc90f61e841da236fe51" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c0e904 8a8018314000 c0e002 0ac8 880c32 8bc2 } - $sequence_1 = { 663bc8 751c 8b4208 8bf0 c1ee10 6683f801 6a06 } - $sequence_2 = { 89450c 786a 0fb6443b01 8a9018314000 0fb6443b02 8a9818314000 } - $sequence_3 = { 68???????? e8???????? 8bf0 85f6 0f844a010000 } - $sequence_4 = { 7819 53 6800040000 8d8550f6ffff } - $sequence_5 = { 58 0fb7f1 663bc8 751c 8b4208 8bf0 } - $sequence_6 = { 84c0 ba???????? b9???????? 8d857cffffff 0f44ca } - $sequence_7 = { 51 8d8578fcffff 50 68???????? } - $sequence_8 = { 8bec 81ec1c020000 56 8b35???????? 
57 6810270000 ffd6 } - $sequence_9 = { 83c40c 8bcf 5f c6043100 8bc6 5e } + $sequence_0 = { 68???????? 50 e8???????? 8d8500fcffff 50 ff35???????? ff35???????? } + $sequence_1 = { 75c7 ff75fc e8???????? 8b5510 59 } + $sequence_2 = { c745f8???????? c745fc???????? ff74b5d8 ff15???????? } + $sequence_3 = { 59 59 85c0 0f84f7010000 56 57 } + $sequence_4 = { 7861 ff7510 ff7510 e8???????? 59 50 } + $sequence_5 = { 66897df0 ff15???????? 668945f2 8d45f0 6a10 50 } + $sequence_6 = { 66837a0801 7507 c74704???????? 53 } + $sequence_7 = { ff15???????? 32c0 eb12 ff15???????? 3db7000000 } + $sequence_8 = { c745f8???????? c745fc???????? ff74b5d8 ff15???????? 85c0 750a } + $sequence_9 = { 40 8945fc 894d08 8a01 } condition: 7 of them and filesize < 57344 
@@ -82973,36 +82961,36 @@ rule MALPEDIA_Win_Ironwind_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b99e462-a945-5218-9501-2580c05d4989" - date = "2026-01-05" - modified = "2026-01-06" + id = "8199e491-beed-5ae7-9c1e-27bfeb8315e8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironwind" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ironwind_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ironwind_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "29c70d85a1620a72f758c4af21c3937f3b52ad156ab8f42df1f1abd2148e1f61" + logic_hash = "15baeefb1cc07db45d74179ef27970b79e64b5e3c134c8a42e2e1a1cd3935c81" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bd3 488bc8 ff15???????? 83f801 0f850b010000 4c3bfb 751e } - $sequence_1 = { 0f848b000000 488b4dc8 ff15???????? 488b55e8 488d0d988e0400 e8???????? 488945c8 } - $sequence_2 = { e9???????? f60603 0f95c0 88878a050000 488b4f18 } - $sequence_3 = { 7425 418bc8 488d15f9db0200 90 410fb60409 48ffc1 3a440aff } - $sequence_4 = { 83fa01 752d 488d0d109c0600 e8???????? 488bc8 ff15???????? 
} - $sequence_5 = { 0f84aa030000 b001 88476c 48c70700000000 41807c246c00 743d 488bce } - $sequence_6 = { 4c896b18 33ff 0fb6ac2490000000 418b87b4060000 488b4b10 448bc0 483bc8 } - $sequence_7 = { 4c8d4e38 8bca 4533c0 e8???????? 85c0 0f89c9000000 48c74638ffffffff } - $sequence_8 = { 4c896c2438 4c897c2430 e8???????? 4c8be8 4885c0 0f84e0020000 488bd0 } - $sequence_9 = { 807f5100 740e 80bc248000000000 0f846a020000 488b4f28 4885c9 743d } + $sequence_0 = { b81b000000 e9???????? 488987a8020000 e9???????? 488b8fa8020000 e8???????? 488b87e0000000 } + $sequence_1 = { 488d0d66790100 e8???????? 488b442438 488905???????? 488d442438 4883c008 488905???????? } + $sequence_2 = { 48896c2420 57 4154 4157 4883ec30 4d63f8 4d8be1 } + $sequence_3 = { 4803f1 0f84a9010000 4c8bcf 488d1525330300 4d8bc4 488bcd e8???????? } + $sequence_4 = { 896c2420 4c8d05928c0300 498bd6 488bcb e8???????? ff15???????? 3930 } + $sequence_5 = { e8???????? 83f801 0f8596000000 448d482d 4c8d442430 488d542420 8d4816 } + $sequence_6 = { 488b87e0000000 4885c0 7409 4839b0b8000000 750c 488d8fc00a0000 e8???????? } + $sequence_7 = { 8903 e9???????? 4c8b08 4d85c9 0f8448030000 81c6ffffefff } + $sequence_8 = { 4533ed 4c39afc00a0000 0f8436010000 498b16 488d0d42890400 e8???????? } + $sequence_9 = { 41b849000000 440f45c0 0fbe8280060000 413bc0 741e 488b81a0010000 41b113 } condition: 7 of them and filesize < 995328 
@@ -83012,36 +83000,36 @@ rule MALPEDIA_Win_Obscene_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de7d43f1-261f-57f6-aed2-154950ae43ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "826b1a05-1822-5187-a3b9-317240685e4d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.obscene_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.obscene_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "69b57f278cfe3402f37b22931c479ec832951485342c04942f09cb1c1b23263c" + logic_hash = "77ac6687867dad078760e2a2791d3e05d26b90a729335e6ad84e3d577b7dc49c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 6a00 6a00 ff15???????? eb09 } - $sequence_1 = { ff75f0 ff15???????? 50 68c03d1010 e8???????? } - $sequence_2 = { 0fbe00 83f830 7c0b 8b45f8 } - $sequence_3 = { 6828431010 68e4401010 e8???????? 59 59 682c431010 } - $sequence_4 = { 6a06 68???????? ff35???????? 6aff ff15???????? 68???????? } - $sequence_5 = { eb61 68???????? 68???????? 68???????? e8???????? 83c40c 68???????? } - $sequence_6 = { ff750c e8???????? 59 3da0bb0d00 733e ff75fc 6800080000 } + $sequence_0 = { 754e ff750c e8???????? 
59 3da0bb0d00 733e } + $sequence_1 = { 0fbe00 83f87a 7e1f 8b45f8 0fbe00 83f85f } + $sequence_2 = { 8b400c 83e010 85c0 754e } + $sequence_3 = { 50 68ff000000 ff15???????? 8d8500ffffff 50 68d83f1010 } + $sequence_4 = { 55 8bec 51 ff7510 ff750c ff15???????? } + $sequence_5 = { ff15???????? 68???????? ff75f8 ff15???????? a3???????? 8d45fc 50 } + $sequence_6 = { ff750c e8???????? 59 3da0bb0d00 733e ff75fc } $sequence_7 = { 59 ff7508 6860ad0010 e8???????? 59 59 68bc501010 } - $sequence_8 = { c605????????68 c705????????d15aaa00 c605????????c3 8d45fc 50 6a06 } - $sequence_9 = { 55 8bec 81ec04080000 68???????? ff750c e8???????? 59 } + $sequence_8 = { 59 ffb5eef7ffff ff15???????? 0fb7c0 83f850 751a ff7510 } + $sequence_9 = { 83f839 7e6c 8b4508 0fbe00 83f841 } condition: 7 of them and filesize < 2170880 
@@ -83051,36 +83039,36 @@ rule MALPEDIA_Win_Dma_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0add9e5f-70eb-5058-aac8-c8618a1495ef" - date = "2026-01-05" - modified = "2026-01-06" + id = "738b49e8-744f-5658-bc31-ea4eff7fb17e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dma_locker_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dma_locker_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "a7ffbc7fbe47962bc61977330ab1a66fd9d8632edda819d321196bb89e9e7e32" + logic_hash = "ccc5f9f2d8ed5d61f34a81bc70f5524e446184101dd69a213e7a762aefbe2fd9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8bf0 85f6 0f84ab000000 e8???????? } - $sequence_1 = { 83c404 83c310 ff4c2414 89470c 8b7c2410 758d } - $sequence_2 = { ff15???????? 85c0 7404 c6461801 } - $sequence_3 = { 50 6a00 56 6a19 68fe010000 6894020000 6854010000 } - $sequence_4 = { 6a01 6a00 6a00 6a00 688a020000 6a00 6a00 } - $sequence_5 = { e8???????? 8bf8 83c408 85ff 7425 8b45e4 } - $sequence_6 = { 53 e8???????? 84c0 744f 686c060000 e8???????? 
83c404 } - $sequence_7 = { eb0e 8b4810 8b7808 bb2b000000 894df8 33f6 56 } - $sequence_8 = { 6683f87f 8d642408 0f85be730000 eb00 f30f7e442404 } - $sequence_9 = { 83c408 85f6 0f840e040000 56 32db e8???????? } + $sequence_0 = { 50 8bf9 c745d800000000 ff15???????? 85c0 7465 8b55d8 } + $sequence_1 = { 010404 020404 0404 0404 0404 0403 cc } + $sequence_2 = { ffd7 50 6a00 56 6a37 688a020000 6a65 } + $sequence_3 = { 52 8db42480000000 89842488000000 898c248c000000 e8???????? } + $sequence_4 = { e8???????? 68ff0f0000 8d8df5edffff 6a00 51 8bf0 c685f4edffff00 } + $sequence_5 = { 85c0 0f8561feffff 57 ff15???????? 8b4dfc 5f 5e } + $sequence_6 = { 8b742418 6a01 56 e8???????? 8b7620 b967000000 } + $sequence_7 = { 50 c785d8fdffff08020000 ff15???????? 85c0 } + $sequence_8 = { ff15???????? 68ffffff00 57 ff15???????? 6a00 ff15???????? e9???????? } + $sequence_9 = { 56 e8???????? 8b5d0c 8b7508 83c40c e8???????? } condition: 7 of them and filesize < 532480 
@@ -83090,36 +83078,36 @@ rule MALPEDIA_Win_Leouncia_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a9724346-fb9d-57ad-b542-cb221faaaa09" - date = "2026-01-05" - modified = "2026-01-06" + id = "f7c02e27-ba73-5133-9156-20f0be211722" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.leouncia_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.leouncia_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "82ead8ce3a400451ff3f5916535aebe7ef2cee2e7927624a2fdf32a62ced8582" + logic_hash = "f147dd4474ec4546834e294cf16c0550dfa8fd999171c414938a0c4472591a15" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 c644141800 ff15???????? 85c0 7512 ff15???????? 83f805 } - $sequence_1 = { 3bf3 7519 8b35???????? 55 } - $sequence_2 = { 895c2464 ff15???????? 85c0 7520 } - $sequence_3 = { 8dbc247c040000 2bd6 8bca 89542418 8be9 c1e902 f3a5 } - $sequence_4 = { 7505 c6440c2820 41 3bc8 7cee 8b842434050000 56 } - $sequence_5 = { 50 e8???????? 8d4c2424 51 e8???????? 8b2d???????? 83c410 } - $sequence_6 = { e8???????? 8b4c2420 83c40c 889c0c14010000 } - $sequence_7 = { 8d542440 8d442450 8d8c24b4040000 52 } - $sequence_8 = { 8b0f 52 50 51 6a00 ff15???????? 
} - $sequence_9 = { 89942444040000 8b542434 8bc1 8bf5 } + $sequence_0 = { 8bf7 c1f805 83e61f 8d1c8560c14000 c1e603 8b03 f644300401 } + $sequence_1 = { c1e602 8b86f0a64000 eb09 c1e602 8b8624a74000 } + $sequence_2 = { c744244c01000000 ffd7 85c0 750e 5f 5e 5d } + $sequence_3 = { 8bc1 8bf1 c1f805 83e61f 8d1c8560c14000 c1e603 8b03 } + $sequence_4 = { 7229 f3a5 ff249548734000 8bc7 ba03000000 83e904 720c } + $sequence_5 = { 83c40c 80bc242401000063 7510 8d942425010000 52 } + $sequence_6 = { 52 e8???????? 8be8 8d842448010000 50 } + $sequence_7 = { c1e902 f3a5 8bca 83e103 f3a4 c644041800 } + $sequence_8 = { 8bca 83e103 f3aa 017500 } + $sequence_9 = { 47 50 897d00 c744241800040000 ff15???????? 85c0 } condition: 7 of them and filesize < 114688 @@ -83130,10 +83118,10 @@ rule MALPEDIA_Win_Vigilant_Cleaner_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "b2070620-d9f7-5811-b76d-80baf53d08b2" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vigilant_cleaner_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vigilant_cleaner_auto.yar#L1-L119" license_url = "N/A" logic_hash = "7e320a52ca8b714b97d83c5af01f55040082927d0e7ca8657f050cb83fb7182e" score = 75 
@@ -83142,9 +83130,9 @@ rule MALPEDIA_Win_Vigilant_Cleaner_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -83168,36 +83156,36 @@ rule MALPEDIA_Win_Findpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce612255-6624-50a9-a03c-c60c58099af8" - date = "2026-01-05" - modified = "2026-01-06" + id = "0118028f-b41f-5842-8844-1fee66e42583" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.findpos_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.findpos_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "5ddd8150bb7549b194e3af334d2fd54523af2954906df2786ddd0dce1684bb61" + logic_hash = "8b94134cf8592dcafa0b3aee69b2f0111b290c4a200e1df07d51445eac138a67" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb6c0 50 0fb6c1 50 8d85e8e7ffff 50 } - $sequence_1 = { 42 8a1a 0fb63411 0fb6c3 83ce20 83c820 2bf0 } - $sequence_2 = { 3375f0 337df4 8b4008 8985dcfeffff } - $sequence_3 = { 8d4dd8 895dfc e8???????? 837dec10 8d55d8 0f4355d8 33c9 } - $sequence_4 = { 83791410 7202 8b09 33d2 e8???????? 85c0 7419 } - $sequence_5 = { 0f84d6000000 48 0f8497000000 83e804 7468 83e803 } - $sequence_6 = { bf3ce91fe0 0adb e3de a863 125f55 cae845 7d31 } - $sequence_7 = { e8???????? 6a00 6a01 8d8c2408010000 e9???????? 
83fb27 0f871b010000 } - $sequence_8 = { 57 8b7d08 3b30 7554 394510 } - $sequence_9 = { ff15???????? 8bc8 890d???????? 85c9 743b 8b45f8 a3???????? } + $sequence_0 = { 85ff 747b 8bc7 3bfb 7d17 3bc3 737b } + $sequence_1 = { ad 098525ae1eb2 a5 82b4b01d4b73d7c9 } + $sequence_2 = { 895dfc e8???????? 837dec10 8d55d8 0f4355d8 33c9 e8???????? } + $sequence_3 = { 8bc7 c1f805 8bf7 83e61f c1e606 033485a0ed4100 8975dc } + $sequence_4 = { 48 743f 48 0f8574fcffff 68???????? 8d8c24bc000000 e8???????? } + $sequence_5 = { 42 884dab 83f80b 0f877b020000 ff248547e64000 } + $sequence_6 = { e8???????? 33f6 46 53 85c0 7409 e8???????? } + $sequence_7 = { 8bec 56 8b7508 833cf558b3410000 7513 56 } + $sequence_8 = { 7411 8b45e8 53 8b4808 51 80790d00 7495 } + $sequence_9 = { 6a18 b8???????? e8???????? 8b5d14 } condition: 7 of them and filesize < 286720 
@@ -83207,42 +83195,42 @@ rule MALPEDIA_Win_Sierras_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a99a7c2f-d459-55f5-a4a0-be6e81d58ab8" - date = "2026-01-05" - modified = "2026-01-06" + id = "01c3c8e3-9dfc-5d57-ad2c-be28ad0675bb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sierras_auto.yar#L1-L181" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sierras_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "b308bc717193dd71ac31a34af288e6c64991ecd536fc577f8480631d4b62be23" + logic_hash = "87e3b4f821084ba506d4fb28131001981f65d1527ae9e5581564bfcbad8fa9fc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8dbc24fc000000 83c9ff 33c0 f2ae } - $sequence_1 = { 83c408 8d94242c070000 52 ffd5 83f8ff 7516 8d84241c030000 } - $sequence_2 = { 8974243c 741a 56 57 e8???????? 83c660 83c408 } - $sequence_3 = { 817e601e010000 89465c 895df0 773e 837e641e 7738 } - $sequence_4 = { 017514 03fb 3b7d10 72b0 8b5df0 834dfcff 8d4de0 } - $sequence_5 = { f6461104 745f 83ff10 7321 837df800 0f84440d0000 8b45fc } - $sequence_6 = { ffd6 57 ffd6 8bc3 5b 5f 5e } - $sequence_7 = { ffd7 c745fcffffffff e8???????? 
33c0 8b4df0 64890d00000000 } - $sequence_8 = { 897dfc 0f8cc0000000 837d0801 7e58 } - $sequence_9 = { 33c0 f2ae f7d1 49 0f8452030000 8d8c24fc000000 } - $sequence_10 = { 56 8bf1 57 68???????? 8d8608020000 50 ff15???????? } - $sequence_11 = { 8bc3 837d0800 50 8b450c 7511 8b4dec } - $sequence_12 = { 57 e8???????? 85c0 750d ff15???????? } - $sequence_13 = { c3 56 8bf1 e8???????? 8b8610010000 } - $sequence_14 = { 56 50 7507 e8???????? eb05 e8???????? 0175f0 } - $sequence_15 = { 837d0803 0f8fb0000000 397d10 897df0 0f86a4000000 8b7d14 8b450c } + $sequence_0 = { c3 56 8bf1 e8???????? 8d8614010000 5e } + $sequence_1 = { 8b45f0 3b4510 72c3 eb62 837d1000 8d5ef8 7656 } + $sequence_2 = { 52 6a00 ffd6 8d842428020000 } + $sequence_3 = { 7202 8bc3 837d0800 50 } + $sequence_4 = { 89442414 8d44240c 50 6a02 56 c744243401000000 } + $sequence_5 = { e8???????? 83c430 683f000f00 6a00 6a00 } + $sequence_6 = { e8???????? 68???????? a3???????? 66c705????????901f e8???????? } + $sequence_7 = { ffd6 e8???????? 85c0 7524 8b35???????? 68???????? } + $sequence_8 = { 68???????? 8d8608020000 50 ff15???????? 8bf8 } + $sequence_9 = { e8???????? 6a00 56 ff7514 8d4de0 e8???????? } + $sequence_10 = { 83f81c 0f87e4100000 ff24851b574000 8b4608 } + $sequence_11 = { 8bce c1e907 0fb689d4924000 8bf9 } + $sequence_12 = { 50 6a00 57 e8???????? 85c0 750d ff15???????? } + $sequence_13 = { 8bcb 56 8bb42410040000 8bc1 } + $sequence_14 = { 897dfc 0f8cc0000000 837d0801 7e58 837d0803 } + $sequence_15 = { 735b 83ff03 7330 837df800 0f842b080000 8b45fc } condition: 7 of them and filesize < 131072 
@@ -83252,50 +83240,50 @@ rule MALPEDIA_Win_Cobint_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb358b61-4ba2-55a7-8a20-31d71cd4f25b" - date = "2026-01-05" - modified = "2026-01-06" + id = "176f9656-ccf8-5373-bb9f-f7003f6b4f18" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cobint_auto.yar#L1-L232" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cobint_auto.yar#L1-L247" license_url = "N/A" - logic_hash = "a45731be84e3fdba6ba2e9fa2e98a6d98c16a2eb8dae8c7026872152dd218ff0" + logic_hash = "13d0a835e19ad70ae9fdaf4f7411cafe43dffff4c68466ea694ae99d6e4c9c12" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c418 a1???????? 03c9 891cc8 8b0d???????? a1???????? } - $sequence_1 = { 891cc8 8b0d???????? a1???????? 03c9 8974c804 8b0d???????? } - $sequence_2 = { c745f404000000 50 8d4508 50 6805000020 56 } - $sequence_3 = { 50 8d45f4 50 8d45ec 50 6813000020 ff75f0 } - $sequence_4 = { 57 6a65 eb31 85db 743a } - $sequence_5 = { e8???????? 83c410 eb60 6a01 8d450f } - $sequence_6 = { 57 bf00020000 57 e8???????? 
57 6a00 } - $sequence_7 = { 83f820 7cf3 eb07 8bf0 c1e604 03f2 57 } - $sequence_8 = { 740d 8b5508 0355f0 8a45ec } - $sequence_9 = { 31b7807c30ae 807c909090 90 bdfd807c90 } - $sequence_10 = { 8bcb 897db8 e8???????? 8bf0 } - $sequence_11 = { 81ffea968891 740a 33c0 8b12 85d2 } - $sequence_12 = { ffd6 eb03 8b75e4 ff75d8 ffd6 } - $sequence_13 = { 395318 763c 8b3c90 33c0 03fe } - $sequence_14 = { 90 90 90 e10b } - $sequence_15 = { b800a80000 2bc7 50 56 53 ff55f8 85c0 } - $sequence_16 = { 8802 eb0b 8b4d08 034df0 } - $sequence_17 = { bffc807c28 1a807c170e81 7cd7 9b 807c909090 90 90 } - $sequence_18 = { 749b 807ce19a80 7c90 90 } - $sequence_19 = { 90 e10b 96 7c90 90 } - $sequence_20 = { bab1c50790 8bf0 33ff e8???????? 8d4dec 8945f8 } - $sequence_21 = { ffd0 85c0 0f8406010000 8b4de0 ba6a62f095 } - $sequence_22 = { e8???????? 8945f8 8d45c4 50 } - $sequence_23 = { e8???????? 58 83c005 c3 31b7807c30ae } + $sequence_0 = { 8b4508 8945e8 85c0 7470 2175fc } + $sequence_1 = { c3 55 8bec 8a4d0c 56 8b7508 880e } + $sequence_2 = { 55 8bec 836d0c01 7507 6a00 } + $sequence_3 = { 8b7d10 57 e8???????? 57 ff750c } + $sequence_4 = { 8b0d???????? a1???????? 893cc1 a1???????? 8b0d???????? 8974c804 } + $sequence_5 = { c745f404000000 50 8d4508 50 } + $sequence_6 = { 56 ff15???????? 
85c0 7412 814d0880330000 8d4508 } + $sequence_7 = { 8b7d08 6a40 6800300000 ff7708 } + $sequence_8 = { 8a45ec 8802 eb0b 8b4d08 034df0 8a55ed 8811 } + $sequence_9 = { e10b 96 7c90 90 } + $sequence_10 = { 7505 b301 885dff 84db 0f8477fdffff 5f 5e } + $sequence_11 = { c3 31b7807c30ae 807c909090 90 bdfd807c90 90 90 } + $sequence_12 = { 90 bffc807c28 1a807c170e81 7cd7 9b 807c909090 90 } + $sequence_13 = { 8b7228 8bf8 663906 742c 33db 8a06 } + $sequence_14 = { 740d 8b5508 0355f0 8a45ec 8802 eb0b } + $sequence_15 = { 885dff 8d45d0 c745d090010000 50 8d8524feffff 50 } + $sequence_16 = { 90 90 749b 807ce19a80 7c90 90 90 } + $sequence_17 = { 51 51 51 8d8524feffff } + $sequence_18 = { 8b12 85d2 75c4 eb03 8b4210 ba2d5f6af8 8945e0 } + $sequence_19 = { 8b75e4 ff75d8 ffd6 8a5dff eb03 8b75e4 ff75d4 } + $sequence_20 = { e8???????? 58 83c005 c3 31b7807c30ae 807c909090 } + $sequence_21 = { 8bc8 e8???????? 8d9524feffff 8945cc } + $sequence_22 = { 8bdf 890496 8bf9 8b45e8 42 c1e802 3bd0 } + $sequence_23 = { bdfd807c90 90 90 90 90 90 90 } condition: 7 of them and filesize < 65536 
@@ -83305,36 +83293,36 @@ rule MALPEDIA_Win_Unidentified_006_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "97d4c257-a67c-55d3-ab2d-8345f8133abc" - date = "2026-01-05" - modified = "2026-01-06" + id = "19e0eb56-f60e-535e-944c-8ad3d8aa7fa7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_006_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_006_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "e5d463a76ca11d9b4f7e0289dbf185a64b45114b95835b2526afa161b71d15ae" + logic_hash = "f7ab888f1e71782336f0c7a70aaf6d114c67cfa2e09e4d16325a8737ae874084" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 817c0afc54494b46 750c 83c2fc e8???????? } - $sequence_1 = { 83c603 25ff000000 30041a 42 3bd1 72df } - $sequence_2 = { 7410 8b55f4 85d2 7409 e8???????? } - $sequence_3 = { 59 84db 750d 85f6 7416 56 e8???????? } - $sequence_4 = { 85db 0f840a010000 56 ff75ec } - $sequence_5 = { 1bc0 23f8 0fb6875c204000 47 03c6 83c603 } - $sequence_6 = { 56 e8???????? 59 eb0d 8b45e8 8b4d08 } - $sequence_7 = { 85c0 7529 8b4dfc 85c9 } - $sequence_8 = { 832600 832700 6a06 ebba } - $sequence_9 = { 50 ff75ec 8bfb ff15???????? 
85c0 } + $sequence_0 = { 3907 7417 833e00 7408 ff36 e8???????? 59 } + $sequence_1 = { 6a00 8d45fc 897dfc 50 8d45f8 50 6a00 } + $sequence_2 = { 85c9 7410 8b55f4 85d2 7409 e8???????? 894708 } + $sequence_3 = { 85c0 7435 8b4df4 8bd6 50 e8???????? 59 } + $sequence_4 = { 85f6 7410 57 8b7d0c 2bf8 } + $sequence_5 = { 0fb6875c204000 47 03c6 83c603 25ff000000 } + $sequence_6 = { eb45 8b7510 85f6 743c } + $sequence_7 = { 8b4dfc 83c40c 8bf7 8bd7 85c9 7421 83ff0c } + $sequence_8 = { 33ff 53 ff15???????? 53 ff15???????? } + $sequence_9 = { 8bf0 57 56 e8???????? 83c410 33c0 } condition: 7 of them and filesize < 40960 
@@ -83344,36 +83332,40 @@ rule MALPEDIA_Win_Gtpdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d10f6aa2-6be7-55e5-960c-d33fee6e5026" - date = "2026-01-05" - modified = "2026-01-06" + id = "4c2eb22f-1923-5a38-a22d-24066f2467b2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gtpdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gtpdoor_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gtpdoor_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "a4a736e9e4f2e881c8a24f738313b79d8075e540890609147499da030ceac3c8" + logic_hash = "713b844ed66d47bff3fdf46c17d0d1006dff6f7bc5a545469b9c6a16669c61d9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb600 31d0 8801 8045fb01 8345fc01 } - $sequence_1 = { 0fb600 31d0 8801 8045fb01 } - $sequence_2 = { fc b932000000 b800000000 f3aa } - $sequence_3 = { 31d0 8801 8045fb01 8345fc01 } - $sequence_4 = { 4989c0 be04000000 e8???????? 0fb785acf9ffff 83c020 } - $sequence_5 = { 8b45cc 66895002 c7042400000000 e8???????? } - $sequence_6 = { 48833d????????00 4889e5 7416 b800000000 4885c0 740c bf???????? 
} - $sequence_7 = { 83e801 03450c 66c7000a20 c6400200 8b450c } - $sequence_8 = { 4929c4 49c1fc03 4d85e4 741e 31ed } - $sequence_9 = { c9 c3 55 89e5 83ec18 8b450c 8b5514 } + $sequence_0 = { fc b932000000 b800000000 f3aa } + $sequence_1 = { 31d0 8801 8045fb01 8345fc01 } + $sequence_2 = { 750f 837dec00 755a c745f001000000 eb51 } + $sequence_3 = { 488b45f8 48c1e810 480145f8 488b45f8 f7d0 0fb7c0 c9 } + $sequence_4 = { 488b7df0 4883c70c be01000000 e8???????? 488b45f0 0fb7400a } + $sequence_5 = { b800000000 fc 8b7dd4 f2ae 89c8 } + $sequence_6 = { 0fb7f8 e8???????? 89c2 488b45f0 66895001 488b45d8 0fb74004 } + $sequence_7 = { 488b45e0 48c7c1ffffffff 488945c0 b800000000 } + $sequence_8 = { 48c7c1ffffffff 488985a8f1ffff b800000000 fc } + $sequence_9 = { 8945e8 8b45e8 83c434 5f 5d c3 } + $sequence_10 = { 8b45e0 0fb74002 668945e6 8b45e0 0fb710 8b45e0 66895002 } + $sequence_11 = { e8???????? 66c78580feffff0200 8b4508 8b400c } + $sequence_12 = { 8d850afaffff 01d0 8b5514 89c7 89d6 } + $sequence_13 = { 55 4889e5 4881ec60060000 89bdccf9ffff 4889b5c0f9ffff 48898db0f9ffff 4489c0 } condition: 7 of them and filesize < 4210688 
@@ -83383,36 +83375,36 @@ rule MALPEDIA_Win_Hyperbro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0527accf-dc31-5cb1-be86-ae182f5b1e44" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa59ffad-47ad-5565-9178-f88dfbf3aa79" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hyperbro_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hyperbro_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "4b67c3c5bbc71bde556bbaa0da5f9d6d067d8c81b3b3ffbe7e62f8abebcb4ca9" + logic_hash = "998a8d5933621455a37e24d216e2380610ec61dd02fd4faddbdc580da70c702e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 e8???????? 8b5620 52 e8???????? 8b4614 50 } - $sequence_1 = { 83fe40 7e33 8b0f 51 e8???????? } - $sequence_2 = { 8a4b05 884f01 8b4308 83c410 50 8bc6 c7460840000000 } - $sequence_3 = { c70600000000 c7460400000000 8d5e0c e8???????? 83c404 } - $sequence_4 = { 0f8617feffff 8a17 8816 46 } - $sequence_5 = { 33ff 3bc7 7412 50 e8???????? 83c404 897e20 } - $sequence_6 = { 8b4614 8b1d???????? 83c404 3bc7 7406 50 ffd3 } - $sequence_7 = { 41 e9???????? 8b442410 8b6c2418 e9???????? 
2b4c2428 8b44242c } - $sequence_8 = { 83c410 85ed 750e 8b7c2410 } - $sequence_9 = { 895c2430 895c2434 3bfb 7409 57 e8???????? 83c404 } + $sequence_0 = { 23d3 33db 6685c9 0fb708 0f94c3 } + $sequence_1 = { 83c404 8bd8 8d043b c744241000000000 83fa01 } + $sequence_2 = { 53 55 56 57 7c07 8b08 668b09 } + $sequence_3 = { 8bd0 83e208 c1e20b 8bfe } + $sequence_4 = { 8d54243c 52 ff15???????? 8d442438 50 ff15???????? 8b480c } + $sequence_5 = { c644242281 23d3 33db 663bce 0fb708 } + $sequence_6 = { 0f871c010000 8bd5 2bd1 83fa01 0f82d9000000 } + $sequence_7 = { 8bf0 83fe40 7e3c 8b542460 52 e8???????? 33c9 } + $sequence_8 = { 8bd6 2bd7 c1e802 2bd0 81ea01080000 41 3bd3 } + $sequence_9 = { 83c42c 891e 8d043a 5b 894608 894604 } condition: 7 of them and filesize < 352256 
@@ -83422,36 +83414,36 @@ rule MALPEDIA_Win_Unidentified_116_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e8b2ca1f-b6d4-5e1a-8d04-484724c2f148" - date = "2026-01-05" - modified = "2026-01-06" + id = "b3beb29c-9765-5979-b9ed-e9a5d494f00f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_116" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_116_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_116_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "aa3fe5ce882f091eaea8e0baeea989ea94aa46089f7c3aca2e5f5e4ccdc04bad" + logic_hash = "abd2ae8d312f902c2902e82be3c324a44a8f43175cbf86176e76b6eedacb0a8f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48 8d0d628bfaff ff15???????? 48 8d05158bfaff 83fe01 48 } - $sequence_1 = { e8???????? 48 89442428 4c 8d05a724fcff 4c } - $sequence_2 = { ff15???????? 83f8ff 7508 ff15???????? 8bd8 4c 8b8608010000 } - $sequence_3 = { 8bd9 48 8901 f6c201 740a ba38000000 e8???????? } - $sequence_4 = { 8b7c2460 49 63e8 48 03ea 44 8b3f } - $sequence_5 = { 8bc0 c1e010 c1e910 0bc8 41 c1e810 0fb6432f } - $sequence_6 = { eb44 48 8b4c2420 e8???????? 
48 8bf8 48 } - $sequence_7 = { f20f59d3 48 03c2 48 ba00803ed5 deb19d014803 c28944 } - $sequence_8 = { 41 5e c3 48 896c2430 48 897c2440 } - $sequence_9 = { 8bf9 0f84be000000 48 895c2430 48 89742438 48 } + $sequence_0 = { 8b30 e8???????? 49 8bce 8b18 ff15???????? e8???????? } + $sequence_1 = { 8bd3 8bcf ffd6 eb0b 48 8bd3 8bcf } + $sequence_2 = { 8d15fadcfbff 48 89442420 e8???????? 48 8d1511ddfbff 660f6e1d???????? } + $sequence_3 = { 8bc8 48 83c428 e9???????? 49 8bc9 e8???????? } + $sequence_4 = { e8???????? 49 03ff 8d04f500000000 4c 8b7c2448 48 } + $sequence_5 = { b901000000 e8???????? 48 8bf8 48 85c0 7509 } + $sequence_6 = { e9???????? 41 8d45ff 41 bb20000000 44 8b548704 } + $sequence_7 = { 8d4b40 4c 897c2448 48 03c8 4c } + $sequence_8 = { c78424d000000000000400 6648 0f6ef8 48 8b4530 48 334510 } + $sequence_9 = { c78318010000ffffffff 48 8b4778 48 85c0 7407 33d2 } condition: 7 of them and filesize < 1040384 
@@ -83461,36 +83453,36 @@ rule MALPEDIA_Elf_Gobrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9cb05d8e-88df-5069-9152-096fc77aac24" - date = "2024-10-31" - modified = "2024-11-11" + id = "b3769258-cbca-5096-9dff-e4ae0bcfd207" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gobrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.gobrat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.gobrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "29d6047280b8adce38a5f6a7e3d8112ab4747228198bdfc531ab746feecbff32" + logic_hash = "48fec45a327b5d5e55911625822b8c11a8af065297a22cc682a99ac6560a2afd" score = 60 quality = 35 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20241030" - malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4" - malpedia_version = "20241030" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4889fa e9???????? 488d842400010000 488d1d22cf1700 b90b000000 488bbc2420020000 } - $sequence_1 = { e8???????? 488b842408010000 488b9c2400010000 488b4c2468 e8???????? e9???????? 4883f917 } - $sequence_2 = { 8d3431 8d76c6 0f1f440000 4883fa06 0f83bf000000 440fb644145c 4131f0 } - $sequence_3 = { e8???????? 488b5c2460 e8???????? 488b6c2448 4883c450 c3 4889442408 } - $sequence_4 = { e8???????? 488d3d2cd23b00 e8???????? 488b6c2478 4883ec80 c3 4889ca } - $sequence_5 = { ebd5 31f6 90 e8???????? ebcb 498b5010 4839d1 } - $sequence_6 = { e8???????? 
488b442430 48ffc0 488b5c2420 4883c3fe 488b9424a8010000 488bb42458010000 } - $sequence_7 = { f20f10442428 f20f5e05???????? f20f114040 488b542450 6690 4883fa08 7e3f } - $sequence_8 = { e8???????? 6690 4885c9 0f8578010000 488d0d90371500 4839c8 7505 } - $sequence_9 = { e8???????? 488b6d00 488d05225c0500 488d4c2470 e8???????? 31c0 eb28 } + $sequence_0 = { e8???????? 488b542428 48895020 48895028 833d????????00 750b 488b542448 } + $sequence_1 = { eb15 8b7a18 488b842490000000 488b742468 e8???????? 488bac2480000000 4881c488000000 } + $sequence_2 = { f3410f1100 488d7001 488b8424b8000000 488b9c2498000000 4889f9 488b542430 4839f0 } + $sequence_3 = { eb0f 4889c7 488d156a5b1900 e8???????? 488d058e841000 488b5c2430 b907000000 } + $sequence_4 = { eb7b 488b742440 488d5601 488b7c2448 4839d7 7207 488b442468 } + $sequence_5 = { ffd1 488b6c2428 4883c430 c3 4889442408 e8???????? 488b442408 } + $sequence_6 = { eb1d 4889f0 e8???????? 89c1 488b442458 6690 eb0a } + $sequence_7 = { 8b0d???????? 85c9 7513 488d05db893600 488d1dcc8e0f00 e8???????? 488b0d???????? } + $sequence_8 = { eb0a 488b4c2450 488b5c2428 48895c2420 48894c2440 488d054bb72800 e8???????? } + $sequence_9 = { ffd7 84c0 7532 488b742478 48ffc6 4c8b442470 4939f0 } condition: 7 of them and filesize < 12853248 
@@ -83501,10 +83493,10 @@ rule MALPEDIA_Win_Graphite_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "22d6771d-6e02-5bad-92aa-7abf2f0540bc" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.graphite_auto.yar#L1-L109" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.graphite_auto.yar#L1-L109" license_url = "N/A" logic_hash = "fac8314c02add0a1a3fcfc7bc6cd359f12eb58a8246911250bf475b51a803e3f" score = 75 
@@ -83513,22 +83505,22 @@ rule MALPEDIA_Win_Graphite_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85db 7513 33d2 e8???????? 84c0 } - $sequence_1 = { 7513 33d2 e8???????? 84c0 } - $sequence_2 = { 81e2ff030000 81e1bf030000 83c940 c1e10a } - $sequence_3 = { 81e2ff030000 81e1bf030000 83c940 c1e10a 0bca } - $sequence_4 = { 85db 7513 33d2 e8???????? } - $sequence_5 = { 81e1bf030000 83c940 c1e10a 0bca } - $sequence_6 = { 85db 7513 33d2 e8???????? 84c0 74e4 } - $sequence_7 = { 7513 33d2 e8???????? 84c0 74e4 } - $sequence_8 = { 33d2 e8???????? 84c0 74e4 } + $sequence_0 = { 81e2ff030000 81e1bf030000 83c940 c1e10a } + $sequence_1 = { 81e1bf030000 83c940 c1e10a 0bca } + $sequence_2 = { 85db 7513 33d2 e8???????? } + $sequence_3 = { 85db 7513 33d2 e8???????? 84c0 } + $sequence_4 = { 33d2 e8???????? 84c0 74e4 } + $sequence_5 = { 7513 33d2 e8???????? 84c0 74e4 } + $sequence_6 = { 81e2ff030000 81e1bf030000 83c940 c1e10a 0bca } + $sequence_7 = { 85db 7513 33d2 e8???????? 84c0 74e4 } + $sequence_8 = { 7513 33d2 e8???????? 84c0 } $sequence_9 = { ff15???????? 33c0 eb05 b801010000 } condition: 
@@ -83539,36 +83531,36 @@ rule MALPEDIA_Win_Excalibur_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6324643e-ef25-5303-a7ee-e63ea03ca117" - date = "2026-01-05" - modified = "2026-01-06" + id = "84ea8fe2-2de7-55e6-84da-f20f94db96c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.excalibur_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.excalibur_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "59d59e89202157c635015f906929dcafdfae271957da35e098ac970aa56a977d" + logic_hash = "904df267113e09626252b871840d91a7d0d12c0c3c05e8d9c8119760d79335d3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4d08 33c0 663b88e4954300 740d 83c002 83f814 72ef } - $sequence_1 = { eb44 8d0492 c1e003 50 8b450c 50 8b00 } - $sequence_2 = { ffd0 83c408 894734 85c0 74de 8b5f14 } - $sequence_3 = { 83793800 7503 83cf04 83e717 89790c 857910 7407 } - $sequence_4 = { 33c4 89442420 8b4508 8944240c 8b450c 53 8b5810 } - $sequence_5 = { 0f43c2 8d8d4cffffff 8a0430 8885f8feffff ffb5f8feffff 6a01 } - $sequence_6 = { 6685c0 75f5 56 8d85d8f9ffff 2bd9 } - $sequence_7 = { 48 894604 8b06 40 8a48ff 8906 84c9 } - $sequence_8 = { 8945bc 8b45c8 8955e4 8b4020 c745e800000000 } - $sequence_9 = { 8d4c245c 
e8???????? 84c0 7433 68???????? 8d8c2490000000 e8???????? } + $sequence_0 = { 83c404 56 e8???????? 83c404 8d8d7cffffff 6a0d 6a00 } + $sequence_1 = { 85f6 7564 8b450c 8930 3975f4 0f86aa000000 8b5d08 } + $sequence_2 = { 50 8d85f0feffff 50 c645fc08 e8???????? 50 8d4dc0 } + $sequence_3 = { 8d950880ffff 6a14 03d6 83c9ff ff15???????? f7d0 3b84350480ffff } + $sequence_4 = { 8d8538f9ffff 50 8d9560fbffff 8d4dd8 c645fc02 e8???????? 8bf0 } + $sequence_5 = { 68???????? 8d95ccfdffff 8d8db4fdffff c645fc01 e8???????? 8bf8 } + $sequence_6 = { 8945fc 53 56 57 8b7d08 8bda 8b37 } + $sequence_7 = { 75ea 5f 894624 5b 5e 8be5 5d } + $sequence_8 = { 51 68???????? 8d4dc0 e8???????? 83f8ff 0f859f070000 } + $sequence_9 = { 8b35???????? 85c9 7411 51 ffd6 8b856cffffff 33c9 } condition: 7 of them and filesize < 1253376 
@@ -83578,36 +83570,36 @@ rule MALPEDIA_Win_Alma_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce864cf3-8ed9-5a77-84b9-9123b66a46f1" - date = "2026-01-05" - modified = "2026-01-06" + id = "07302dbe-c268-5129-a176-209dc26a0b60" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alma_locker_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alma_locker_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "8cabf41a3f65a5dd2317b51829855a0a62bf40db235945e5f426bc09d1925bbb" + logic_hash = "1f3ecd5bf2c205888505143d49753a7baa657590e8b3f73ad8b38ff230d6db7b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 750d e8???????? 84c0 0f8461010000 e8???????? 833d????????00 } - $sequence_1 = { 8b08 ff5108 8b45ac 50 8b08 ff5108 } - $sequence_2 = { c745e800000000 c645d800 720b ff75c0 e8???????? 83c404 83ec18 } - $sequence_3 = { 8b85f8fbffff 0f438de8fbffff ffb538f9ffff c785e4fbffff0f000000 c785e0fbffff00000000 8d0441 c685d0fbffff00 } - $sequence_4 = { 1bc0 f7d8 0f854affffff 8b8580fbffff 51 83c0fe 8d8d70fbffff } - $sequence_5 = { 8d558c c645fc04 8d4dbc e8???????? 83c404 c645fc06 837db810 } - $sequence_6 = { 33c0 c645fc0d 33c9 66a3???????? 66390d???????? 
8bc6 c705????????07000000 } - $sequence_7 = { 0f8412000000 83a5e0fffefffe 8b8de8fffeff e9???????? c3 8b542408 8d420c } - $sequence_8 = { c78598fbffff00000000 c7859cfbffff0f000000 720e ffb558fbffff e8???????? 83c404 83bdccfbffff08 } - $sequence_9 = { 83bd9cfbffff10 c78584fbffff0f000000 c78580fbffff00000000 c68570fbffff00 720e ffb588fbffff } + $sequence_0 = { 85f6 7403 56 ffd7 68???????? 8d5508 8d8db4feffff } + $sequence_1 = { 6a00 0f4345d4 6880000000 6a04 6a00 6a01 6a02 } + $sequence_2 = { eb90 83ec18 33c0 8bcc 89642420 6aff 50 } + $sequence_3 = { e8???????? 8a45e0 83c40c 84c0 7424 8ad8 } + $sequence_4 = { 83c404 837db810 8d55a4 ff75b4 0f4355a4 8d8d5cffffff c745a00f000000 } + $sequence_5 = { 50 ff510c 8d4db0 c645fc01 8bf8 e8???????? } + $sequence_6 = { 33c0 c78540ffffff07000000 68???????? 8d5508 c7853cffffff00000000 8d8d14ffffff 6689852cffffff } + $sequence_7 = { 8d0441 c68558fbffff00 8d8db8fbffff 0f438db8fbffff 50 51 } + $sequence_8 = { 75e8 895e10 83f808 720f 8b06 33c9 } + $sequence_9 = { c645d400 720e ffb55cffffff e8???????? 83c404 83ec18 8bcc } condition: 7 of them and filesize < 335872 
@@ -83617,36 +83609,36 @@ rule MALPEDIA_Win_Eddiestealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e232a61b-2f1e-5ab2-a023-babaefc44f11" - date = "2026-01-05" - modified = "2026-01-06" + id = "d6a6194e-8020-5674-b6fc-b5e602d1fa65" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eddiestealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.eddiestealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.eddiestealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "755d9f27c3527a6497613857d1940285eade46fbad0b63ce47e48a5daf512e5a" + logic_hash = "f37aa12ba0ce685b368f6fb98d1254dd5b6092f3d1dd5609acddf5f9ebe1617c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c3ba42498000000 0f84da010000 498d7c2410 49897f40 488b842488000000 4c8b28 488b842490000000 } - $sequence_1 = { b808000000 488d0d6faf0500 48894d00 48895d08 48894510 0f117518 488dbc24500c0000 } - $sequence_2 = { 4d39d3 4c89d1 490f47cb 4584ff 490f45cb 4c0f45d7 4c8b5c2440 } - $sequence_3 = { 8b542430 e8???????? 0fb66802 440fb738 4181f7aafa0000 4080f544 b903000000 } - $sequence_4 = { e8???????? 
660fefc0 488365f000 660f7f45d0 660f7f45e0 31c9 488d1578820600 } - $sequence_5 = { 7720 4c8b0411 4c330408 4c89440c30 4883c108 ebe7 488bb42400010000 } - $sequence_6 = { e8???????? 668932 4889842488000000 4889942490000000 48c784249800000002000000 c68424a000000005 0f108424b0020000 } - $sequence_7 = { e8???????? e8???????? 488b4808 48898c2448010000 488b4010 4889842438010000 488d055e330300 } - $sequence_8 = { c1e80c 31d0 89c2 c1ea10 31c2 69c2fad30000 0fb7c0 } - $sequence_9 = { 31d2 488d0d72810400 49b8001927cf2367fead 41f6c101 741c 440fb60c0a 4d09c1 } + $sequence_0 = { 4c897110 48c7411801000000 e8???????? 83bc248000000006 0f8578260000 e8???????? 488b4808 } + $sequence_1 = { c702818a2dbe 488d442470 8b10 e8???????? 0f29b424b0000000 0f29b424c0000000 0f11b424cc000000 } + $sequence_2 = { e8???????? b003 31c9 483b0b 701d 488b442450 48894628 } + $sequence_3 = { 660f6f842410010000 f30f7f02 488b8c241e010000 48894a0e 4c8d8424d0030000 498900 49895008 } + $sequence_4 = { 89c2 d1c2 31c2 b8311b0000 29d0 25f9ff0000 4801c8 } + $sequence_5 = { 81fa00fc0000 0f8270010000 c745fc00000000 4983c504 81e1ff030000 c1e110 25ff030000 } + $sequence_6 = { 488945c0 48894610 0f1106 488d155b420200 4889f0 4883c478 5e } + $sequence_7 = { 488901 4c8d442440 498908 488d05ee200400 4889442420 488d0d46fd0400 4c8d0db3270300 } + $sequence_8 = { ba01000000 488d4c2458 4531c0 e8???????? 488d8c2410010000 4889da e8???????? } + $sequence_9 = { e8???????? 4889f1 e8???????? 4885c0 0f8550170000 48b80100000002000000 4c8d6570 } condition: 7 of them and filesize < 1316864 
@@ -83656,36 +83648,36 @@ rule MALPEDIA_Win_Gopuram_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b03e678a-6ea1-5889-b388-a101df87e17a" - date = "2026-01-05" - modified = "2026-01-06" + id = "d46ee5bd-52d4-54a5-be53-0334cf5f9913" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gopuram" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gopuram_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gopuram_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6d230510a2c3f67fb9a008e4b353ed01e99faca2f2088eff568ec22152cbe40b" + logic_hash = "871d50c153fa123d087ade67947bc98f3c1ee58497592ec0f7d9b8f854054f61" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d15a3cb0200 488d0d645c0500 e8???????? 488d15c4c60200 488bc8 488b5c2430 4883c420 } - $sequence_1 = { e8???????? 85c0 743e 488d157b930500 488bcf e8???????? 85c0 } - $sequence_2 = { ff10 4c8bc7 ba10000000 488bcb e8???????? 488bc3 e9???????? } - $sequence_3 = { 7e1c 4183ff09 0f8eae000000 4183ff0a 750c 488d05833c0500 4889442450 } - $sequence_4 = { e8???????? 488d5606 488d4da8 41b802000000 66448965bc e8???????? 488d560c } - $sequence_5 = { 8be8 85ed 0f842f010000 488b5c2470 488d8b18010000 ff15???????? 498b06 } - $sequence_6 = { 8bd8 e8???????? 
4c8d05df1e0800 41b9de010000 8bd7 498bce c744242000000000 } - $sequence_7 = { 85f6 0f8486050000 488b85600a0000 4889442440 c744242801000000 48895c2420 4533c9 } - $sequence_8 = { c705????????03400080 c705????????f4060780 890d???????? c705????????09000380 418bc4 413b7ffc 750d } - $sequence_9 = { 488bcd e8???????? 8bf8 85c0 782a 498bd6 488bcd } + $sequence_0 = { 488d4df0 e8???????? 8b4584 ffc0 894584 483b45b0 7323 } + $sequence_1 = { 83c804 83e017 894210 854214 7509 488d05c6cbfdff eb0a } + $sequence_2 = { 85c0 488b01 400f94c6 ff9080010000 41b973020000 4c8d05c7ad0700 8bd6 } + $sequence_3 = { e8???????? 4c8d05882a0600 41b91c230000 8bd7 498bce c744242000000000 e8???????? } + $sequence_4 = { 488b6c2438 488b5c2430 488b4f10 4c897708 ff15???????? 488b4f18 4c897710 } + $sequence_5 = { 488d0550aa0500 488945a0 0f1005???????? 0f294590 33ff 4889bc24b0000000 488d4da0 } + $sequence_6 = { 8bd8 ba04000000 498bcf e8???????? 33c9 894c2420 41b9c0100000 } + $sequence_7 = { 8bd3 488bc8 e8???????? 8905???????? 85c0 753f 498b0e } + $sequence_8 = { eb21 4533ff 44897c2420 41b940010000 4c8d05b9990400 8bd6 498bce } + $sequence_9 = { e9???????? 488b442440 410fb74c0728 81e1ff0f0000 8d4180 83f802 760c } condition: 7 of them and filesize < 1591296 
@@ -83695,36 +83687,36 @@ rule MALPEDIA_Win_Felismus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "705e1888-c3cf-5bf6-ba18-e8626acda3dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "3f2c0e26-c37d-557f-9ad8-75051e096f9d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.felismus_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.felismus_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "fddb824340564e372ed310ad021f3b3ac8af1c9316519efd06d812e4eb93bb2c" + logic_hash = "893bdfe24db443bd54242bf3384297b8c01720bb5dff66426f96a589ffe0666d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4514 8b35???????? 50 ff15???????? e9???????? 6804010000 e8???????? } - $sequence_1 = { 03c3 5f 894d04 895508 89450c 5e 5d } - $sequence_2 = { 53 56 57 6804010000 e8???????? 8b7c241c 8bd8 } - $sequence_3 = { 83c640 83c740 3bf5 7ce6 8b4c2418 33c0 eb02 } - $sequence_4 = { 8d842430010000 50 33f6 ffd7 85c0 7e26 8a843430010000 } - $sequence_5 = { 8a46ff 83e03f 41 4f 8a907c520110 8851ff } - $sequence_6 = { 55 8b2d???????? 56 57 6804010000 ffd5 8bf0 } - $sequence_7 = { 56 ffd7 8d4c241c 6a00 51 6a02 } - $sequence_8 = { 740a 3818 7406 ff15???????? b8???????? 
c3 } - $sequence_9 = { 8bd8 b93f000000 33c0 8bfb f3ab 66ab 83c404 } + $sequence_0 = { d3eb 8b0d???????? d3e0 8bce f7d1 0bd8 8b442428 } + $sequence_1 = { d3e6 8b482c 894c243c 0bd6 8bf3 03d3 } + $sequence_2 = { 89542410 8b5110 56 2be8 57 89542420 bb01000000 } + $sequence_3 = { 46 83fe04 88040a 7ceb 43 83c704 83fb04 } + $sequence_4 = { e8???????? 83c444 6a32 e8???????? 8bf8 8b4514 } + $sequence_5 = { 33c0 8bfb 895de4 f3ab eb06 8b5de4 8b7508 } + $sequence_6 = { 83e802 7469 48 7442 48 741b 8d942450040000 } + $sequence_7 = { 56 ffd3 83c40c eb06 8b1d???????? 6804010000 e8???????? } + $sequence_8 = { 6801040000 ff15???????? 8be8 83c404 } + $sequence_9 = { 55 53 ff15???????? 85c0 0f848e010000 6801040000 ff15???????? } condition: 7 of them and filesize < 204800 
@@ -83734,36 +83726,36 @@ rule MALPEDIA_Win_Payloadbin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "479cd137-2967-575a-8de8-bab23a965cce" - date = "2026-01-05" - modified = "2026-01-06" + id = "b297e9b6-48f7-5354-b5ea-42bf5667a3a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.payloadbin_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.payloadbin_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "810f81f232eae27d52097e88c16ab90183a29e32277d9224dad94d2d9c691817" + logic_hash = "cfc448e2b3d41ed418d3f2b553407a12491f48f47835bf9343d7e99469296789" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c744243003000000 488d4c2470 66448bc9 4487c2 6699 4c8d48b0 } - $sequence_1 = { 4d0fbddc 23c6 480fb7cb 0bd8 0fbfca 6698 418919 } + $sequence_0 = { 6641f7c3503b 3bc7 e9???????? 0f8578000000 488b4c2430 660fca 4d0fb7cb } + $sequence_1 = { 488bb42480000000 81ff41628163 e9???????? 
483bf7 0f8408010000 488bee } $sequence_2 = { 68eb3a8171 55 68396f8656 6819276b5f 682109a155 4c8b6c2438 48c7442438404fa1db } - $sequence_3 = { 4881c308000000 660fa4d81f f6d8 f9 9d d2e0 } - $sequence_4 = { 4153 310c24 6641ffc3 415b 403aea 6685d7 4863c9 } - $sequence_5 = { f9 f8 4151 41d2e1 311c24 4532cd 4522ce } - $sequence_6 = { ff15???????? 3ac3 e9???????? 0f8492010000 440fb7442430 488b542438 490fb7c9 } + $sequence_3 = { e9???????? bb03000000 4533e4 413bdc e9???????? 0f85a3060000 488b4c2430 } + $sequence_4 = { 4c3be5 e9???????? 0f85acffffff 85f6 e9???????? 0f841e000000 } + $sequence_5 = { 4d8b01 66c1e218 66418b10 f9 40fec7 493bc4 4981c106000000 } + $sequence_6 = { 80bc24100000003d 4155 488184241000000033139340 4c8bac2418000000 688071f060 66c1b42400000000d9 0f8588950100 } $sequence_7 = { 8d56d4 fa 158935079e 9e 4657 250543b1d9 f661fd } $sequence_8 = { 440fb7c1 4080fca3 6683f819 e9???????? 0f8703000000 4503c5 0fb703 } - $sequence_9 = { 4180fd52 4983c004 3bc8 e9???????? 0f860a000000 b801000000 e9???????? } + $sequence_9 = { 4881842408000000dbb6ecff 5d c3 8084241000000078 e8???????? 68bc6baf1f } condition: 7 of them and filesize < 3761152 
@@ -83773,36 +83765,36 @@ rule MALPEDIA_Win_Beatdrop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7fbd33c7-5e5a-5775-9e75-19a0333e1225" - date = "2026-01-05" - modified = "2026-01-06" + id = "46467822-0837-5e0e-ad5a-2e4533e72c6b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.beatdrop_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.beatdrop_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "b158347b6f43a3a62739d069377789597416764bca18afcdaffdbcf2df1f7202" + logic_hash = "faf5a42ec876bde3a85e66f73b941a8c1aa9bf26b9c4c55dcbc45470ff897f6e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 47339c8d000c0000 413384bd00080000 4133948d00080000 44335d60 0fb6d8 0fb6cc 4189d1 } - $sequence_1 = { 33557c 413384bd000c0000 4489cf 334578 41c1eb18 } - $sequence_2 = { 443385a4000000 450fb6d2 4733849500040000 450fb6d7 } - $sequence_3 = { 4c3b6610 740f 4c89e1 e8???????? 
} - $sequence_4 = { 4409c8 4133470c 448b7c2418 89aef8000000 } - $sequence_5 = { 47338495000c0000 4189c2 0fb6cd 41c1ea10 443385a4000000 450fb6d2 4733849500040000 } - $sequence_6 = { c1ea10 338590000000 458b74b500 4489c1 0fb6d2 } - $sequence_7 = { 41c1ef18 0fb6cd 44897c2418 894c2404 89c1 0fb6c0 c1e918 } - $sequence_8 = { c1e818 4489d1 450fb6da 418b448500 41338495000c0000 } - $sequence_9 = { 4133948c00080000 89c1 0fb6ef 440fb6c2 } + $sequence_0 = { 41c1e910 0fb6c9 890c24 4489f9 } + $sequence_1 = { 413384bd000c0000 4489cf 334538 41c1eb18 c1ef10 4133949d00040000 478b5c9d00 } + $sequence_2 = { 334650 450fb6d2 4333849400040000 440fb6d1 4133849c00080000 438b1c9c 43339c94000c0000 } + $sequence_3 = { 453384ac00080000 41c1e918 0fb6ec c1e810 450fb6d2 478b0c8c } + $sequence_4 = { c1e810 418b549500 0fb6c0 413394b5000c0000 c1eb18 } + $sequence_5 = { 4189cf 3396b0000000 41c1ef18 440fb6d3 4133948400040000 4489c0 0fb6c4 } + $sequence_6 = { 440fb6da 458b3484 4489c0 4733b494000c0000 440fb6d1 } + $sequence_7 = { 418b549500 0fb6c0 413394b5000c0000 c1eb18 33552c } + $sequence_8 = { 4883ec28 448b4204 442b02 4989d3 4183f8ff } + $sequence_9 = { 895481fc 483de3000000 75bf 448b0481 48ffc0 8b1481 } condition: 7 of them and filesize < 584704 
@@ -83812,36 +83804,36 @@ rule MALPEDIA_Win_Redshawl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f52543ad-f3b0-5635-b08b-6e314d7ab25e" - date = "2026-01-05" - modified = "2026-01-06" + id = "4c456005-6eca-5b81-8b66-a093c12005e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redshawl_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redshawl_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "9697ea4899eafca20347b787cabf2930212702df9b80046d2c793afaab560dfd" + logic_hash = "8e56032befee22912f239204df689020251e0862de8ab36f3ae7f172ba6ad37f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4889442438 895c2430 4489642428 4c89642420 4533c9 4c8bc6 488d942430010000 } - $sequence_1 = { 488b4c2448 e8???????? 90 90 e9???????? 488d542450 418bcc } - $sequence_2 = { 7329 4863d1 488d0d90770000 488bc2 } - $sequence_3 = { 488d8c2431010000 e8???????? ba04010000 488d8c2440020000 ff15???????? 4c8bde 488d8c2430010000 } - $sequence_4 = { 3b3d???????? 737d 488bdf 488bf7 48c1fe05 4c8d25ea7e0000 } - $sequence_5 = { 4c8be9 488b05???????? 
4885c0 0f8436010000 48833d????????00 } - $sequence_6 = { 48895c2408 57 4883ec20 488d1d0b6d0000 488d3d046d0000 } - $sequence_7 = { 7532 488d0d239d0000 e8???????? ff15???????? 89442460 488d150c000000 } - $sequence_8 = { 8364242800 41b803000000 488d0d6c320000 4533c9 ba00000040 4489442420 } - $sequence_9 = { 418bcc e8???????? 8bd8 89442440 85c0 } + $sequence_0 = { 8b5c2420 448bc3 488d54246c 488d0d4f9f0000 e8???????? } + $sequence_1 = { baa00f0000 ffc6 488d0c80 488d05baaa0000 488d0cc8 } + $sequence_2 = { 33c0 eb22 488d542440 498bcc ff15???????? 85c0 0f8564ffffff } + $sequence_3 = { ebc9 488bcb 488bc3 488d15eb7d0000 } + $sequence_4 = { 8a03 488d1501840000 ffc7 4a8b0ce2 4188440f4c 4a8b04e2 41c744075001000000 } + $sequence_5 = { 48ff25???????? 4883ec48 488364243000 8364242800 41b803000000 488d0d6c320000 4533c9 } + $sequence_6 = { c744242800000000 488d85b8000000 4889442420 4533c9 448bc3 33d2 b900110000 } + $sequence_7 = { e9???????? 8bb424a0000000 448bc6 418bd4 488d0dee990000 e8???????? } + $sequence_8 = { 488bd9 488d0575910000 488981a0000000 83611000 c7411c01000000 } + $sequence_9 = { 7457 33c0 48898424b8000000 4889442430 89442428 488d8424b8000000 } condition: 7 of them and filesize < 174080 
@@ -83851,36 +83843,36 @@ rule MALPEDIA_Win_Liteduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce6d7cbd-e712-527e-8d2e-e59cc7813425" - date = "2026-01-05" - modified = "2026-01-06" + id = "71032488-12d1-54e0-9e53-e596da721d4f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.liteduke_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.liteduke_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "e8630c4a732088757bd3da58bb3967f30c07f9d1aee8531a027e677d423a3358" + logic_hash = "ef31eb65bbff124e8d76ab79059fc893131c48e72bdb9668d03448c51ea9fd18" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c9 c20400 55 89e5 ff7508 6800010000 } - $sequence_1 = { 51 6821020000 50 6a21 50 6888c00700 ffb5d0fdffff } - $sequence_2 = { ad 6a04 59 c1c008 3c3d 7501 45 } - $sequence_3 = { 837d1001 7510 c745f810000000 c745fc0a000000 eb2a 837d1002 7510 } - $sequence_4 = { f70600000080 7409 8b06 25ffffff3f eb60 50 e8???????? } - $sequence_5 = { 8a03 52 50 6a03 e8???????? 83c408 5a } - $sequence_6 = { 7404 0113 ebca 2113 ebc6 58 } - $sequence_7 = { 50 ff15???????? 83c410 ff75e4 e8???????? 6800800000 } - $sequence_8 = { e8???????? 
31c0 aa 61 c9 c20c00 55 } - $sequence_9 = { 21df 89d0 21f0 09f8 01c1 034dec } + $sequence_0 = { ff75fc 8f45f0 c745f402000000 c745e801000000 8d45e8 } + $sequence_1 = { 8b5d08 c70300000000 c7430400000000 c7430801234567 c7430c89abcdef c74310fedcba98 c7431476543210 } + $sequence_2 = { 5a 8d928df4ffff c70201000000 8b3e 09ff 742a 8b4604 } + $sequence_3 = { 5a 8955f8 895dec 51 e8???????? 59 8d89d4faffff } + $sequence_4 = { 6802000080 ff15???????? 09c0 0f85de000000 8db5fcefffff 8d4dfc 837d0c00 } + $sequence_5 = { ff35???????? e8???????? ff35???????? ff15???????? c705????????00000000 6a04 } + $sequence_6 = { b800000000 8a03 c1e804 83f809 7f05 83c030 eb03 } + $sequence_7 = { 51 50 ff15???????? 83c40c 58 } + $sequence_8 = { 0f8591000000 50 6a04 6800300000 6800100000 6a00 ff15???????? } + $sequence_9 = { 8b45f4 8b5df8 c9 c20400 55 89e5 83ec18 } condition: 7 of them and filesize < 1171456 
@@ -83890,36 +83882,36 @@ rule MALPEDIA_Win_Lightrail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "58541781-79c6-574d-b195-c74fbba8085e" - date = "2026-01-05" - modified = "2026-01-06" + id = "bcb972fc-d4d9-50e7-a411-1ba49dcd371d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightrail" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lightrail_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lightrail_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "5d9e17bc35bca0e64cb85c52ac794612dc1d7650f37d7c51842cacd140fd6d54" + logic_hash = "2b7d0cedd7faf52083a053dc13ae9bdd61b8c00beb9c92929c73ab7dd8832260" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b931ad0231 e8???????? 48894330 4885c0 0f8486000000 } - $sequence_1 = { 48d3c8 4533c0 33d2 33c9 ff15???????? 488d0d505b0100 eb0c } - $sequence_2 = { 488d152c7d0000 b914000000 e8???????? 4885c0 7452 } - $sequence_3 = { 0f84eb000000 4885c0 0f85e4000000 4d3bc1 0f84d1000000 8b7500 498b9cf700a10100 } - $sequence_4 = { 8b0c8e 4903ca 483bcf 721a 438b84168c000000 } - $sequence_5 = { 746d 4533c9 8d5772 4533c0 488bc8 ff93c8020000 } - $sequence_6 = { 442bc9 4183f90f 7779 428b8c8ef89a0000 4803ce ffe1 } - $sequence_7 = { f2410f1004c1 488d15d6860000 f20f1014c2 f20f1025???????? 
} - $sequence_8 = { ff9778020000 4c63f0 4983feff 0f84ef000000 } - $sequence_9 = { 8b542430 48891401 488d0d4ab90000 e8???????? } + $sequence_0 = { 4883ec20 488bd9 4c8d0dc8af0000 33c9 4c8d05b7af0000 488d15b8af0000 e8???????? } + $sequence_1 = { 0f85b5000000 b931ad0231 e8???????? 4885c0 } + $sequence_2 = { 488bce ff9398020000 8bc7 488b4d50 4833cc } + $sequence_3 = { 4889442430 4533d2 4c8d1de3ef0000 4d85c9 488d3d3b2f0000 488bc2 4c8bfa } + $sequence_4 = { 0f87cf000000 8b8c86b89a0000 4803ce ffe1 660f73f901 660f73d901 e9???????? } + $sequence_5 = { c74424647a006900 4533c9 4889442450 4533c0 } + $sequence_6 = { 488bcd ff9770020000 85c0 7f23 488b13 488bcf } + $sequence_7 = { 8d42ff 41894008 4963c1 498bca 4d899cc018030000 4d899cc0e80a0000 } + $sequence_8 = { b906000000 4c8d05d77d0000 e8???????? 488bd3 } + $sequence_9 = { 488bd7 4c8d0533e10000 83e23f 488bcf 48c1f906 488d14d2 } condition: 7 of them and filesize < 249856 
@@ -83929,40 +83921,40 @@ rule MALPEDIA_Win_Matryoshka_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e67f9b00-164c-59e2-9dc8-5dd2e0d5203f" - date = "2026-01-05" - modified = "2026-01-06" + id = "fb937428-323e-544f-9cc3-77d10cbe0095" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.matryoshka_rat_auto.yar#L1-L142" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.matryoshka_rat_auto.yar#L1-L137" license_url = "N/A" - logic_hash = "e984417b389a4155a102710aa04d6d8dad2d1f007db82c883ebc84c4c1b44825" + logic_hash = "749a716a130cb8b1e5551df113ff2ffd19723d7b3814e09eb67af73d228e3912" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { b037 c3 b073 c3 } - $sequence_1 = { c3 b06f c3 b063 c3 } - $sequence_2 = { 8b46fc 8947fc 49 75ed } - $sequence_3 = { 750a 488bcb e8???????? 
eb0f 488bd3 488d0df7520400 } - $sequence_4 = { 7509 bb99ffffff 85db 740d 488bcf } - $sequence_5 = { 8b4648 48 48 7446 48 } - $sequence_6 = { 750a 4883c310 0fba2f11 eb27 41b807000000 488d152bb50200 } - $sequence_7 = { 8b4704 8b3491 890491 8bd6 } - $sequence_8 = { 750a 443b774c 8d4399 0f45d8 450137 } - $sequence_9 = { 750a 4883c30a 0fba2f12 eb4a 41b808000000 488d153eb50200 } - $sequence_10 = { 8b4704 8bf1 33d1 81e6ff030000 } - $sequence_11 = { 8b4660 89471c 8d4670 894724 } - $sequence_12 = { 8b4664 034668 8b4e60 03ca } - $sequence_13 = { 7509 c7412400000002 eb4c 48394130 } + $sequence_1 = { b06f c3 b063 c3 } + $sequence_2 = { 750b 488d05da2c0000 48894138 488b4940 } + $sequence_3 = { 750b 48832700 b802000000 eb7b } + $sequence_4 = { 750b 488d05d4140300 48894348 4c8b4348 } + $sequence_5 = { 8b55e4 3bf3 8b75d0 8b5dec } + $sequence_6 = { 750b 837f0402 7505 395f08 } + $sequence_7 = { 8b55e8 0345f0 894204 8b8704010000 } + $sequence_8 = { 8b55e4 8d45e8 51 51 } + $sequence_9 = { 8b55e0 8b7dec 8b5de4 394d24 } + $sequence_10 = { 8b55dc 0fb7844330270300 c1e804 8b8483a00e0300 0345a4 8945cc 83fa02 } + $sequence_11 = { 750b 488bd3 488bcf e8???????? 488bc3 } + $sequence_12 = { 750a b9b4000000 e8???????? 85f6 7507 } + $sequence_13 = { 8b55e8 2bc6 c1f802 83c420 } condition: 7 of them and filesize < 843776 
@@ -83972,36 +83964,36 @@ rule MALPEDIA_Win_Silon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "77f22f8e-9f0a-5d81-b5cb-4a1b2cbd5d10" - date = "2026-01-05" - modified = "2026-01-06" + id = "247924ed-f798-5dea-a405-e1d412986e79" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.silon_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.silon_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "7b66629e0b9d8daa583e325d7e0da1ae5ba2cceda52e365df066a9ac5301a777" + logic_hash = "d3b6d3dedd8b6971c59e42395527e482df202c59ba94cd017e9c039a3ec7d6e8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 8b956cfeffff 52 e8???????? 83c40c 837d8400 } - $sequence_1 = { 898858080000 eb7c 8b55fc 8b8254080000 898514efffff } - $sequence_2 = { 83c404 8945a4 837da400 746e 8b55a8 } - $sequence_3 = { 0f868f000000 833d????????00 0f8482000000 c745e400000000 } - $sequence_4 = { 50 6a00 e8???????? 83c410 89856cfeffff 83bd6cfeffff00 } - $sequence_5 = { 8d8de8f9ffff 51 68???????? 8d95e8fbffff } - $sequence_6 = { 8b55fc 8b8254080000 8b4dfc 03815c080000 } - $sequence_7 = { 83c410 6a65 a1???????? 
50 } - $sequence_8 = { 8b85c4feffff 8945d4 0fb74dcd 85c9 7e34 0fb755cd } - $sequence_9 = { 681d5b931f 6a05 e8???????? 8945fc 8b4510 50 } + $sequence_0 = { e8???????? 83c404 e8???????? c745fc02000000 8b55fc 83c232 8855f4 } + $sequence_1 = { 8b65e8 a1???????? 50 e8???????? 83c404 c745b400000000 c745fcffffffff } + $sequence_2 = { 0f84a1000000 8b4d98 51 e8???????? 83c404 8b5508 8bb258080000 } + $sequence_3 = { 755e 8b450c 50 e8???????? 83c404 8bf0 8b4d10 } + $sequence_4 = { 6a03 6a02 e8???????? 83c40c 8985c4efffff 83bdc4efffffff 7508 } + $sequence_5 = { 8b55d4 52 68???????? 8d85b4feffff 50 e8???????? 83c40c } + $sequence_6 = { e8???????? 83c404 83c001 8945f0 8b4df0 51 6a00 } + $sequence_7 = { 837dc404 0f8de9010000 6a03 6a00 8d4de0 51 } + $sequence_8 = { 83c420 8985c8f7ffff 83bdc8f7ffffff 0f84b9000000 6a00 6a00 } + $sequence_9 = { c7440a0c01000000 6a04 8b4508 50 8b4dc8 6bc924 8b15???????? } condition: 7 of them and filesize < 122880 
@@ -84011,36 +84003,36 @@ rule MALPEDIA_Win_Globeimposter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "82e87f91-7017-50a0-9ca4-45151fd590f0" - date = "2026-01-05" - modified = "2026-01-06" + id = "33b6524e-7406-56b2-a2d8-675f70ff38e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.globeimposter_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.globeimposter_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "6357ace0b94e1815a02ef2680ddeaabe7f1f4794f51d0c9008b25b79555a5d01" + logic_hash = "11c8999c9c07b15f05e9c135415c9c74b412d461a949456f00587264e6eebf39" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837c243020 57 8bfd 7608 6ac4 58 } - $sequence_1 = { 57 83fd08 0f8205010000 8bc5 } - $sequence_2 = { 85ff 7452 8bef 8bf0 8b06 8d7604 } - $sequence_3 = { 8b4508 8b4e08 89442418 85ff 7452 } - $sequence_4 = { e8???????? 85f6 7408 8d8600bdffff } - $sequence_5 = { 3dfa000000 7205 6a0c 5f eb0d } - $sequence_6 = { 6af4 58 e9???????? 7904 } - $sequence_7 = { ff15???????? ff349f 8bf0 ff15???????? 3bf0 } - $sequence_8 = { 7505 6ac4 58 eb2f } - $sequence_9 = { 7508 6af4 58 e9???????? 
7904 6af6 } + $sequence_0 = { 5e 5b 5f 5d 83c420 c20c00 } + $sequence_1 = { 8d8780000000 50 8d4f38 51 } + $sequence_2 = { 33db 8b7d04 85ff 7413 8b4508 8d04b8 83c0fc } + $sequence_3 = { 0fd4cd 0f6e6f10 0fd4d5 0f7e4f08 0f73d120 0fd4cf 0f6e6f14 } + $sequence_4 = { 42 58 3bd0 7ced 03f0 3bf8 } + $sequence_5 = { 0f6e5f04 0fd4dc 0f6e6f08 0fd4ee 0f6e670c 0fd4fc } + $sequence_6 = { 85c0 7505 6ac4 58 eb2f 56 ff750c } + $sequence_7 = { 8bc3 33560c c1e810 8bca c1e908 23c7 23cf } + $sequence_8 = { 85ff 7452 8bef 8bf0 8b06 8d7604 0119 } + $sequence_9 = { 2bf8 ff15???????? 03c7 50 ff15???????? 85c0 } condition: 7 of them and filesize < 327680 
@@ -84050,36 +84042,36 @@ rule MALPEDIA_Win_Upas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b6d6c26-b6c3-53b0-89ad-1bd740f5c4d8" - date = "2026-01-05" - modified = "2026-01-06" + id = "8746e83a-8504-5951-b8c0-fa5999e12370" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.upas_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.upas_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "bdfeabc66ac57807ea759a27698eea464658dc61ceaff524f25f379f14603f19" + logic_hash = "99460ee94c2b3fad86e6f85bd56b0094a196298cbeb9ff31126ab65acb883871" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7816 8b45f8 8b08 57 ff7508 } - $sequence_1 = { 0bcf eb10 85f6 7507 83fa05 } - $sequence_2 = { c3 55 8bec 81ec8c0b0000 53 56 } - $sequence_3 = { ff35???????? ffd6 85c0 75e7 50 e8???????? 59 } - $sequence_4 = { ff15???????? 53 ff15???????? 6800400000 ff75f8 ff75f4 ff15???????? } - $sequence_5 = { 8d4438eb 8945dd 33c0 3945f8 7517 ff75f0 } - $sequence_6 = { 7410 49 740d 83e909 7410 83e919 } - $sequence_7 = { c9 c3 56 57 8d8550faffff 50 } - $sequence_8 = { 6a08 ff750c e8???????? 
33c0 } - $sequence_9 = { 8dbd20ffffff f3a5 0fb74814 8d5c0118 } + $sequence_0 = { 57 33ff eb1b 3cc2 741d 3cc3 7419 } + $sequence_1 = { 740d 83e909 7408 83e919 7403 49 } + $sequence_2 = { 33c0 49 7413 49 7410 } + $sequence_3 = { 8d45bc 50 ff7510 ff750c ff7508 } + $sequence_4 = { 6a00 e8???????? 8944b5dc 837cb5dc00 } + $sequence_5 = { ff15???????? 399d5cffffff 7484 8b4578 2b855cffffff 50 57 } + $sequence_6 = { 8bec 81ecbc070000 8d8d70ffffff e8???????? 8d8550faffff 68???????? } + $sequence_7 = { ff742408 ff742410 ff15???????? c3 33c0 } + $sequence_8 = { 8d45e0 50 6a40 8d45ec 50 } + $sequence_9 = { 8d8598faffff 50 57 ff15???????? 57 ff15???????? ff7508 } condition: 7 of them and filesize < 114688 
@@ -84089,50 +84081,50 @@ rule MALPEDIA_Win_Redsalt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a92418fc-758f-521f-ba9d-200fd663af62" - date = "2026-01-05" - modified = "2026-01-06" + id = "38ca9b9b-6802-5401-aa42-05e6a1b2e287" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redsalt_auto.yar#L1-L221" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redsalt_auto.yar#L1-L221" license_url = "N/A" - logic_hash = "50c9943074c934238ab56a2e724604fcafa0395a42717f2167a9dcfc691be6fb" + logic_hash = "997be1bb1de75c29e38651499a7d8798303601ba762625dec8a5033b0dd702b2" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 83c414 33c9 83f8ff 0f95c1 } $sequence_1 = { 750b 68e8030000 ff15???????? e8???????? } - $sequence_2 = { 51 ffd6 85c0 7510 } - $sequence_3 = { c745d060ea0000 6a04 8d45d0 50 6806100000 68ffff0000 } - $sequence_4 = { e8???????? 85c0 750a 6a32 } + $sequence_2 = { e8???????? 85c0 750a 6a32 } + $sequence_3 = { c745d060ea0000 6a04 8d45d0 50 6806100000 } + $sequence_4 = { 51 ffd6 85c0 7510 } $sequence_5 = { 85c0 7515 c705????????01000000 ff15???????? e9???????? } $sequence_6 = { 740d 68???????? e8???????? 
83c404 833d????????02 } - $sequence_7 = { 83c9ff 85f6 7c0e 83fe7f 7f09 } + $sequence_7 = { 83c9ff 85f6 7c0e 83fe7f } $sequence_8 = { 6a00 52 c744242401000000 8944242c c744243002000000 } - $sequence_9 = { 7509 80780120 7503 83c002 } + $sequence_9 = { c60100 5f 5e 33c0 } $sequence_10 = { 83c40c eb02 33c0 8b4df4 } - $sequence_11 = { c60100 5f 5e 33c0 } + $sequence_11 = { 7509 80780120 7503 83c002 } $sequence_12 = { 8d8530fcffff 50 e8???????? 83c40c } $sequence_13 = { e8???????? 83c408 6800010000 68???????? } - $sequence_14 = { c6450000 5e 5d 8911 33c0 } - $sequence_15 = { f7e7 8bea d1ed 33c0 83ef03 8a06 } - $sequence_16 = { c1fa04 c0e302 0ad3 83c004 } - $sequence_17 = { 833800 750f c705????????01000000 e9???????? } + $sequence_14 = { c0e204 0ac2 8b542410 884500 } + $sequence_15 = { 833800 750f c705????????01000000 e9???????? } + $sequence_16 = { eb03 83caff 8b442410 c0e106 0aca 884d00 } + $sequence_17 = { c0e106 0aca 884d00 45 40 89442410 8b442414 } $sequence_18 = { c644243423 c644243572 c64424367a c644243700 } - $sequence_19 = { d2cc bbe3b46b7e 6aa2 dd45ff } - $sequence_20 = { de6c58ae c8201cdd f7be5b408d58 1b7f01 d2cc } - $sequence_21 = { e8???????? 89ff 152edf0800 488b5c2440 } - $sequence_22 = { e8???????? 89fa 4989d8 4889c1 e8???????? } - $sequence_23 = { e8???????? 89f8 eb26 f6411840 7406 } + $sequence_19 = { de6c58ae c8201cdd f7be5b408d58 1b7f01 } + $sequence_20 = { d2cc bbe3b46b7e 6aa2 dd45ff } + $sequence_21 = { f7be5b408d58 1b7f01 d2cc bbe3b46b7e } + $sequence_22 = { e8???????? 89ff 152edf0800 488b5c2440 4883c430 5f c3 } + $sequence_23 = { e8???????? 8b0a 0402 0085c00f45c8 } $sequence_24 = { e8???????? 8b05???????? 0d80000000 8905???????? } condition: 
@@ -84143,71 +84135,71 @@ rule MALPEDIA_Win_Bankshot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c44209fc-b1c7-5402-9078-b4bcc5bc536b" - date = "2026-01-05" - modified = "2026-01-06" + id = "2c70a236-94e3-5259-b941-082d7e2a1b33" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bankshot_auto.yar#L1-L435" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bankshot_auto.yar#L1-L422" license_url = "N/A" - logic_hash = "63bc5c29766faa4a92cc1d97b03d2ca49fa1b92e737ecc0b56db090eb70af715" + logic_hash = "6c701ba5b2d49c310eb0e5f18674e309bfbde2f51321c7da0f95e63a81fae014" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 } - $sequence_1 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } - $sequence_2 = { 68???????? ff7604 ff15???????? 81be2005000000008000 894608 751c 6a04 } - $sequence_3 = { 0f2815???????? 8bf2 2bf0 660f1f440000 0f10840de43fffff 0f28ca 660fefc8 } - $sequence_4 = { 0fb611 0fb6c0 eb17 81fa00010000 7313 8a87bce10110 } - $sequence_5 = { 83c8e0 40 0f280d???????? 8bf2 2bf0 660f1f440000 0f10840de4bfffff } - $sequence_6 = { 6a01 56 56 8975fc ff15???????? 85c0 7450 } - $sequence_7 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 } - $sequence_8 = { 8b45fc 817848b8e40110 7409 ff7048 e8???????? 
59 c70701000000 } - $sequence_9 = { 57 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 } - $sequence_10 = { 81fa00010000 7313 8a87bce10110 08441619 42 0fb64101 } - $sequence_11 = { 894de4 3998c0e10110 0f84ea000000 41 83c030 894de4 3df0000000 } - $sequence_12 = { 33c0 6800000020 66898475ccfbffff 8d85ccfbffff } - $sequence_13 = { e8???????? 83c40c e8???????? 99 b907000000 f7f9 } - $sequence_14 = { 8a06 8d7601 884431ff 84c0 75f3 68???????? 8d730c } - $sequence_15 = { c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 8b4508 } - $sequence_16 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } - $sequence_17 = { c644243b7b c644243cc1 884c243d c644243ef5 } - $sequence_18 = { 6b05????????3c 0305???????? 0fb74df4 6bd13c 0fb74df6 } - $sequence_19 = { 8b442454 50 ff15???????? b801000000 } - $sequence_20 = { 488d91f00f0000 e8???????? 41bb12000000 488d158b760000 } - $sequence_21 = { 51 8d9508f8ffff 52 ff15???????? } - $sequence_22 = { 83c20f 8955dc 8b55ec 81c2e80e0000 52 } - $sequence_23 = { 41ffcb 4183cbf0 41ffc3 488d9530010000 b904010000 44891d???????? } - $sequence_24 = { 895c242c ff15???????? b910000000 33c0 } - $sequence_25 = { 2b8534feffff 3dd0070000 7307 33c0 e9???????? 8d8d5cfeffff 51 } - $sequence_26 = { 57 e8???????? 83c40c 85c0 7506 8d4707 50 } - $sequence_27 = { e8???????? 83c408 c78424a804000000000000 c78424a404000009303b00 8d8424a4040000 6808040000 eb80 } - $sequence_28 = { c785a4fbffff00000000 682c010000 ff15???????? c705????????00000000 68???????? ff15???????? } - $sequence_29 = { ff15???????? 4885c0 0f85a7010000 448d4870 448d402e 488d15ce520000 } - $sequence_30 = { 488d55c0 488bcb ff15???????? 4885c0 0f85df020000 488d55e0 488bcb } - $sequence_31 = { 59 eb33 8b7dd0 8b45e4 8b4de8 8b0485c8887100 } - $sequence_32 = { 57 c685b8feffff00 6803010000 6a00 8d85b9feffff 50 } - $sequence_33 = { e8???????? a1???????? 0f1005???????? 898584fbffff 66a1???????? } - $sequence_34 = { c64424210d e8???????? 8b4c2410 8b542414 8b442418 890d???????? 
} - $sequence_35 = { c6442421cd c64424229c c64424231d c644242436 } - $sequence_36 = { 57 8db8607d0110 57 ff15???????? ff0d???????? 83ef18 } - $sequence_37 = { c644241bc4 c644241c90 c644241d9c c644241e46 c644241f7b c64424209d } - $sequence_38 = { 4803d1 ffe2 4c8b05???????? 498d5106 488bcf } - $sequence_39 = { ff15???????? 488d15a6f20000 488d4c2420 488905???????? } - $sequence_40 = { 33c0 ffc2 83fa0a 7ce4 b80b000000 c3 } - $sequence_41 = { 83c410 8d4c2460 8d542408 51 683f000f00 6a00 } - $sequence_42 = { c3 4889b424b0450000 4889bc24b8450000 4c89ac24c0450000 } - $sequence_43 = { 83c40c 8d85bcfbffff 50 6804010000 ff15???????? 8d85bcfeffff 50 } - $sequence_44 = { 57 8b3d???????? 8bf1 68???????? 89b55cf2ffff 660fd645f0 8945f8 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } + $sequence_1 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 } + $sequence_2 = { ff15???????? 85c0 7417 8b85d4fbffff 85c0 } + $sequence_3 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } + $sequence_4 = { 51 50 6a00 68e9fd0000 ffd6 8bd0 } + $sequence_5 = { 59 c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 } + $sequence_6 = { ff15???????? 6689b445ecfdffff 83ef01 75a4 8d85ecfdffff 50 } + $sequence_7 = { 8b15???????? 8d85e43fffff 83c40c 89bdec3fffff } + $sequence_8 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } + $sequence_9 = { 8b45fc 817848b8e40110 7409 ff7048 e8???????? 59 c70701000000 } + $sequence_10 = { 83fa20 724f 251f000080 7905 48 83c8e0 } + $sequence_11 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 } + $sequence_12 = { 7313 8a87bce10110 08441619 42 0fb64101 } + $sequence_13 = { 50 6a00 6805000020 ff7308 ff15???????? } + $sequence_14 = { e8???????? 83c40c e8???????? 99 b907000000 f7f9 } + $sequence_15 = { 57 50 e8???????? 
83c40c 6b45e430 8945e0 8d80d0e10110 } + $sequence_16 = { 85db 7507 c746340c7b0110 57 ff7634 } + $sequence_17 = { 894de5 894de9 894ded 66894df1 884df3 ff15???????? } + $sequence_18 = { c744242001000000 e8???????? 85c0 0f84ca010000 } + $sequence_19 = { 8b4d08 51 0fb7956cd4ffff 83c21a 52 8b4d0c } + $sequence_20 = { 83c702 57 e8???????? 83c404 8bd8 53 } + $sequence_21 = { 488bfb f2ae 48f7d1 4803f1 33d2 488bcb } + $sequence_22 = { 488bcf ff15???????? 83f8ff 0f842e010000 488d0d0f7f0000 } + $sequence_23 = { 8d83e60e0000 8bca 50 83e103 8d442448 68???????? } + $sequence_24 = { ff15???????? 898588f8ffff c78574f8ffffffffffff c78560f8ffff00000000 c7858cf8ffff00000000 6802040000 } + $sequence_25 = { 6a01 8d542414 6a04 89442418 } + $sequence_26 = { 8910 81fae7030000 7708 81c2e8030000 8910 8b0b 6a00 } + $sequence_27 = { 4889842470010000 488bfa 4c8be9 ba3c400000 b940000000 } + $sequence_28 = { 81ff00010000 7ccd 8b8b200f0000 33c0 } + $sequence_29 = { 85c0 0f846e010000 8b542444 498bcc 2bf2 } + $sequence_30 = { 0f848d010000 837f0400 0f8491000000 68???????? 8d7710 } + $sequence_31 = { 0fbe02 83f82e 743f 83bde8feffff1a } + $sequence_32 = { 83bd88f9ffff00 740c c78580f9ffff00000000 eb0a c78580f9ffff02000000 } + $sequence_33 = { 0f8d35040000 8b0d???????? 038dd8fbffff 81e10f000080 7905 } + $sequence_34 = { 89442440 e8???????? 85c0 0f84b9010000 } + $sequence_35 = { 8b05???????? 488b4c2438 8947ff 895c2420 ff15???????? } + $sequence_36 = { 8b442434 8b4c2428 8b542424 50 8b442424 51 } + $sequence_37 = { 83c414 85c0 7503 83ceff } + $sequence_38 = { 8d8dfcf3ffff 51 6a00 ff15???????? 8985ecf3ffff 83bdecf3ffff00 } + $sequence_39 = { 8bf8 ff15???????? 81ff10030000 75d6 e8???????? 85c0 740a } + $sequence_40 = { 5d c20c00 ff75ec ff75d8 e8???????? 83c40c ff75ec } + $sequence_41 = { 0f84fe010000 8b35???????? 68???????? 57 ffd6 } + $sequence_42 = { ff75d8 8d831e0d0000 ff75ec 50 e8???????? ff75ec } + $sequence_43 = { 8d542404 51 56 50 50 8b84249c000000 } + $sequence_44 = { 8b148d40904100 33d0 a1???????? 
33d0 33c0 8915???????? } condition: 7 of them and filesize < 860160 
@@ -84217,36 +84209,36 @@ rule MALPEDIA_Win_3Cx_Backdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c8c4fb8e-665a-53b6-8b3e-37d64668f35c" - date = "2026-01-05" - modified = "2026-01-06" + id = "1f976734-b5f0-521c-871a-e7babcb44dc6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.3cx_backdoor_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.3cx_backdoor_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "1c7c6f3ffb80a119e6e9a09aa255f11daa8a6a0cadae64c0d2cee6a1f6aea1e9" + logic_hash = "64488f3b81fcdce13d2c1526a75e497414487090bd2d24584ec7c4fe7f730e74" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8d442420 488d4d98 e8???????? 488bf8 488d542478 498bce e8???????? } - $sequence_1 = { 488b4d8f 4c8d05b77c0300 41b920000000 c744242000000000 488d15c27c0300 ff15???????? } - $sequence_2 = { 41b8ffffffff 488bd6 ff15???????? ba25000000 8d4a1b } - $sequence_3 = { 0f87ff010000 c1e60a 81c60024a0fc 03f0 eb11 8d860024ffff } - $sequence_4 = { 488bd7 498bcd e8???????? 498bc4 4c8d5c2450 498b5b40 } - $sequence_5 = { 488d0547ac0100 4a8b04f8 42f644e83801 7515 e8???????? c70009000000 e8???????? 
} - $sequence_6 = { 7424 488b4308 44386019 7515 6690 483b5810 750d } - $sequence_7 = { 488bc8 e8???????? 4889751f 4889752f 48897537 } - $sequence_8 = { e8???????? 85c0 0f85cd100000 e9???????? 4c8d050bae0000 ebdb 4c8d05faad0000 } - $sequence_9 = { 83b96804000002 0f8406020000 bd20000000 4c8d35e1510100 488b4310 } + $sequence_0 = { 747f 4c8d7027 4983e6e0 498946f8 eb0b 488bcb e8???????? } + $sequence_1 = { e8???????? 448bac24d0000000 488bf8 452be5 660f1f440000 e8???????? 33d2 } + $sequence_2 = { e8???????? 4c897de8 4c897df8 4c897d00 0f1000 0f1145e8 0f104810 } + $sequence_3 = { c1e116 4d03c2 33c1 458bd0 4c0fafd7 418d0c10 49c1e820 } + $sequence_4 = { 49894808 48894508 488d4d08 e9???????? 488b78f8 803f02 7534 } + $sequence_5 = { 0f85c7000000 48897c2430 48897c2440 4c89742448 41b804000000 488d1595820300 488d4c2430 } + $sequence_6 = { 4d8d143f 660f1f440000 0fb642f8 4188441208 488b02 4989441210 c642f800 } + $sequence_7 = { c3 488364242000 4c8d05c9b00100 41b9db010000 488d152cb10100 488d0d85b10100 } + $sequence_8 = { 488d1549d6feff 4803ca 813950450000 755f b80b020000 66394118 7554 } + $sequence_9 = { 0f1000 0f11450f 0f104810 0f114d1f 4c897010 48c740180f000000 } condition: 7 of them and filesize < 585728 
@@ -84256,36 +84248,36 @@ rule MALPEDIA_Win_Lodeinfo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2842da77-f970-52c3-8984-a714a7915a2f" - date = "2026-01-05" - modified = "2026-01-06" + id = "9dc8c5f8-2431-5a73-8213-ffa62a6f25f5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lodeinfo_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lodeinfo_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "c6db0fe0e940f8fa6652bc4d77f8fe0b30871c4844a8eaef730ac89cf20d8f74" + logic_hash = "0d305ac28dbc9fd30d066952fa9245fc5cd5e5e1a5af4ff59dea17230301835b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85db 742a 8b4c2420 8bc3 2bcb 81f900100000 } - $sequence_1 = { 7418 8b4114 3b4614 753f 8b4118 3b4618 7537 } - $sequence_2 = { ba???????? b9???????? e8???????? 50 e8???????? 8b5c2448 83c404 } - $sequence_3 = { 8b8d34ffffff 8bfe c1ef03 0fafcf } - $sequence_4 = { 83c404 46 83fe10 75e3 5f } + $sequence_0 = { 23c7 03d8 895de4 8b7d0c 8bcf 8b5604 } + $sequence_1 = { 2bc2 8945bc b801000000 2bc2 894dc0 } + $sequence_2 = { 56 e8???????? 
5e 5f 5b 8be5 5d } + $sequence_3 = { eb43 bf34000000 eb3c b91f000000 3bc8 1bff 83e7fe } + $sequence_4 = { 7533 837d0802 740a 5f 5e b81e000000 5b } $sequence_5 = { 8955e4 81faff000000 7756 8b55f8 8b4308 8b3a 47 } - $sequence_6 = { b22d e8???????? 83eb01 75f4 b22b e8???????? 50 } - $sequence_7 = { 23c7 03d8 895de4 8b7d0c 8bcf } - $sequence_8 = { 0fb65204 c1e218 d3e2 0bd3 8b5de4 eb68 c7461000000000 } - $sequence_9 = { 83c404 83f810 722b 8b4c242c 8d5001 8bc1 81fa00100000 } + $sequence_6 = { 897dec eb08 8d047f d1e8 8945ec 50 ff75f0 } + $sequence_7 = { 7509 8b55a0 47 3b7d94 75bb 8b45a4 833803 } + $sequence_8 = { 7528 0fb64d0f 0fb642ff c1e108 03c8 3b4b18 7516 } + $sequence_9 = { 8d5dbc 837dd010 0f435dbc 8a03 3c7f 0f8495000000 0f1f4000 } condition: 7 of them and filesize < 712704 
@@ -84295,42 +84287,42 @@ rule MALPEDIA_Win_Blackbyte_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3f4218e0-59a8-5f1a-8491-b9f27553e507" - date = "2026-01-05" - modified = "2026-01-06" + id = "86ddcdb3-f98f-5fed-8acf-8f25a59fe9d8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackbyte_auto.yar#L1-L156" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackbyte_auto.yar#L1-L150" license_url = "N/A" - logic_hash = "0158273c319395ac538b84dc759203c353b02e7e79481c3f34491558ae9bcead" + logic_hash = "cae52a5068af3fb259038670fdc83a0ab679783080eb29a6c75f1c00c83ab95b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 498d7101 0f1f440000 4839c6 7ce0 4889c6 41b806000000 } - $sequence_1 = { 3bc1 7505 e8???????? 4883c304 } - $sequence_2 = { 3bc2 72f4 b8ffffffff 4883c420 } - $sequence_3 = { 3bc7 7ce0 eb03 488bda } - $sequence_4 = { 3bc1 7f4d 33c9 4c63c8 } - $sequence_5 = { 4983f851 7553 4c8d4002 4c39c1 } - $sequence_6 = { 4989c3 4889cf 488b4c2428 48897c2450 4c895c2468 4b8d0413 90 } - $sequence_7 = { 4983f803 0f8f66010000 90 4983f801 0f8fb6000000 } - $sequence_8 = { 3bc2 7f2f 4c63d8 85c0 } - $sequence_9 = { 0f1005???????? 
4c8960e0 4533e4 4c8968d8 } - $sequence_10 = { 4983f805 0f8511020000 4c8d4304 4c39c6 } - $sequence_11 = { 493b6610 0f8626010000 4883ec70 48896c2468 488d6c2468 } - $sequence_12 = { 3bc1 7573 488d4c2448 664585c0 } - $sequence_13 = { 3bc1 7558 498bcb 6685d2 } - $sequence_14 = { 4989c3 488b8424b0000000 e8???????? 488b4c2468 } - $sequence_15 = { 493b6610 767b 4883ec38 48896c2430 488d6c2430 4889442440 49c7c500000000 } + $sequence_0 = { 3bc2 72f4 b8ffffffff 4883c420 } + $sequence_1 = { 3bd0 0f8f7f000000 4c63c2 498bcf } + $sequence_2 = { 3bc7 7ce0 eb03 488bda } + $sequence_3 = { 3bc1 7f4d 33c9 4c63c8 } + $sequence_4 = { 48ffc2 4c8b842458010000 0f1f00 4939d0 0f8feefeffff } + $sequence_5 = { 4b8d0413 90 e8???????? 488b542458 } + $sequence_6 = { 48c744247000000000 c744247800000000 c744246800000000 48c744247000000000 } + $sequence_7 = { 3bc8 757b 498bc8 6685d2 } + $sequence_8 = { 4939c9 490f4cc9 90 4939c8 } + $sequence_9 = { 3bc2 7f2f 4c63d8 85c0 } + $sequence_10 = { 4989c1 48c1e004 4c8b940400020000 4c8b9c0408020000 } + $sequence_11 = { 3bc7 7f38 33d2 4c63c8 } + $sequence_12 = { 3bc8 7708 41034908 3bc1 } + $sequence_13 = { 4989f8 4d85c9 0f8ebb000000 488b4828 } + $sequence_14 = { 4989c1 4989c8 488b842480000000 488b8c2488000000 } + $sequence_15 = { 4939c9 0f8234020000 48014840 4829cf 4929c9 4989f8 48f7df } condition: 7 of them and filesize < 9435136 
@@ -84340,36 +84332,36 @@ rule MALPEDIA_Win_Ratankbapos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c30c3afc-d593-5fd1-9897-681a89fdb715" - date = "2026-01-05" - modified = "2026-01-06" + id = "98477565-9980-5358-b7f5-1a0def6b1050" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ratankbapos_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ratankbapos_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "9d94248f5eeb0fe7fd704ad2035548b948a3d89033ce9c65e0f71221072d6968" + logic_hash = "00eb98b82d4844d3802e8954effb204297741740e3d71070c31870329e1fd40a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c5 8945f8 56 8b7508 85f6 0f8413010000 } - $sequence_1 = { ff15???????? 8bf0 8d4dcc 897304 } - $sequence_2 = { 0fbec2 0fbe8040010110 83e00f eb02 33c0 0fbe84c160010110 } - $sequence_3 = { c1f905 8b0c8de04d0110 83e01f c1e006 f644080401 } - $sequence_4 = { eb05 1bc0 83d8ff 85c0 7508 8d8646b10000 } - $sequence_5 = { 83e203 83f908 7229 f3a5 ff249590490010 } - $sequence_6 = { 40 3acb 75f9 2bc6 3bd0 72dc } - $sequence_7 = { 8b5518 50 8b4514 51 8b4d08 52 50 } - $sequence_8 = { e8???????? 
8b4da4 8945c8 c6040800 } - $sequence_9 = { 0fbe8040010110 83e00f eb02 33c0 0fbe84c160010110 6a07 c1f804 } + $sequence_0 = { 743b 48 753d 8b4508 50 a3???????? ff15???????? } + $sequence_1 = { 7229 f3a5 ff249590490010 8bc7 } + $sequence_2 = { 33f6 85c0 7409 50 e8???????? 83c404 } + $sequence_3 = { ebab c745e4a4e10010 817de4b0e10010 7311 } + $sequence_4 = { 0fbe84c160010110 6a07 c1f804 59 8985a0fdffff } + $sequence_5 = { 8a8c181d010000 888808350110 40 ebe6 ff35???????? ff15???????? 85c0 } + $sequence_6 = { 8bff 56 57 33ff ffb7c03d0110 ff15???????? 8987c03d0110 } + $sequence_7 = { 56 8d34c5303c0110 833e00 7513 50 e8???????? 59 } + $sequence_8 = { 8975e4 33c0 39b810360110 0f8491000000 ff45e4 } + $sequence_9 = { 5d c3 8b04cd74300110 5d c3 0544ffffff 6a0e } condition: 7 of them and filesize < 327680 
@@ -84379,36 +84371,36 @@ rule MALPEDIA_Win_Stabuniq_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4275e6d0-94cf-5d7a-8be9-58ce93adc0df" - date = "2026-01-05" - modified = "2026-01-06" + id = "a634ea5c-ec9c-5083-a532-5c81be45dad5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stabuniq_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stabuniq_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "27eb79a741b72a16cbff924e64623723e98e0bb2251ce5257f82f37046f960f7" + logic_hash = "088358b560fc62390905f45864d9b9bfa97da285fa34e5d77b30f12909697494" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a05 8b55fc 52 8b4510 } - $sequence_1 = { 8b913c020000 52 8b45ec 50 8b4df0 51 8b5508 } - $sequence_2 = { 8b4508 50 8b4df8 ff91ec000000 8945fc 8b55f0 83ea04 } - $sequence_3 = { 8b55fc 52 8b4514 05ab0e0000 50 8b4d0c 51 } - $sequence_4 = { 8b4d0c 8d9401b2170000 52 8d85f8fdffff 50 8b4d0c ff5130 } - $sequence_5 = { 50 8b8d24fdffff 51 8b5510 ff520c 6a40 } - $sequence_6 = { 85c0 7535 8b8decfbffff 6bc928 8b5510 8d840ab2170000 50 } - $sequence_7 = { c745f800000000 837dfc00 7e32 8b55f8 83c201 8955f8 8b45fc } - $sequence_8 = { 83ba8000000000 750a b801000000 e9???????? 
8b45f0 8b8880000000 034d08 } - $sequence_9 = { 8b4510 8b4d18 8a9411dc0e0000 8810 8b4510 83c001 } + $sequence_0 = { 6a00 8b4d10 ff91d4000000 8b5510 52 8b85e4feffff 50 } + $sequence_1 = { 51 8b5508 52 8b450c ff90a0010000 837df401 7707 } + $sequence_2 = { 8b4d08 8b91e4010000 52 8b4508 ff90e0000000 8b4d08 8b91ec010000 } + $sequence_3 = { e9???????? b801000000 8be5 5d c20400 55 8bec } + $sequence_4 = { 8b82f0010000 50 8b4d14 ff91b8000000 8be5 5d c21400 } + $sequence_5 = { 8b450c 50 8b4d20 ff514c 50 8b550c 52 } + $sequence_6 = { c745f800000000 8a4d0c 51 8b55fc 52 8b4514 ff907c010000 } + $sequence_7 = { 51 8b5508 ff9268010000 8b45a8 50 8b4d08 ff9150010000 } + $sequence_8 = { 8b55f8 ff92d0000000 8b4dec 8901 8b55ec 83c204 8955ec } + $sequence_9 = { 8d95bcf7ffff 52 8d85f0fbffff 50 8b4d10 ff5130 8b5510 } condition: 7 of them and filesize < 57344 
@@ -84418,42 +84410,42 @@ rule MALPEDIA_Win_Babuk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "77f91e38-4269-56c5-a99d-eaf5692c6027" - date = "2026-01-05" - modified = "2026-01-06" + id = "648f210d-a584-5bed-a576-a9476d0b83ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.babuk_auto.yar#L1-L166" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.babuk_auto.yar#L1-L176" license_url = "N/A" - logic_hash = "e2bb83a66a607df7c2662bebeca5bbfe5fab26f1661308e86fffacc36a5ed578" + logic_hash = "fe511dd5c65e055ff5898d06907cceffbf099ae5163cb3c28d44ce681afc5421" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff15???????? 6800000100 e8???????? 83c404 } $sequence_1 = { 50 ff15???????? 83f803 7502 } - $sequence_2 = { ba08000000 6bc200 8b4d08 8b540104 52 8b0401 50 } - $sequence_3 = { 56 57 b808000000 6bc80a 8b5508 c7040a00000000 } - $sequence_4 = { 3dea000000 0f85d9000000 8b55ac 52 e8???????? 83c404 } - $sequence_5 = { c7440a0400000000 c745fc00000000 eb09 8b45fc 83c002 8945fc } - $sequence_6 = { 8b85ecfdffff 8b8de4fdffff 8b948d70fdffff 89948508fdffff 8b85ecfdffff 83c001 } - $sequence_7 = { 8b44ca04 50 8b0cca 51 e8???????? 83c408 8945f4 } - $sequence_8 = { eb02 ebbe 8b4d9c 51 ff15???????? 
} - $sequence_9 = { 0f83dc000000 8b4dfc 8b5508 8b44ca04 } - $sequence_10 = { 8b0401 50 e8???????? 83c408 8945ec 8955f0 b908000000 } - $sequence_11 = { c7040100000000 c744010400000000 ba08000000 6bc200 } - $sequence_12 = { 894dfc 837dfc08 7d1e 8b55fc } - $sequence_13 = { 8985c0fdffff 83bdc0fdffff00 0f84a1000000 c785ccfdffff00000000 eb0f } - $sequence_14 = { ba08000000 6bc20a 8b4d08 c7040100000000 c744010400000000 } - $sequence_15 = { 8b8c8508fdffff 51 ff15???????? eb02 } + $sequence_2 = { 8b4d08 c7040100000000 c744010400000000 ba08000000 6bc200 } + $sequence_3 = { 8b0cca 51 e8???????? 83c408 8945f4 8955f8 } + $sequence_4 = { f3a5 6a24 8b956cffffff 52 8b4598 50 ff15???????? } + $sequence_5 = { 56 57 b808000000 6bc80a 8b5508 c7040a00000000 c7440a0400000000 } + $sequence_6 = { 50 e8???????? 83c408 8945ec 8955f0 } + $sequence_7 = { 7c02 eb2c 8b5514 039578ffffff 0fb602 8b8d78ffffff 2b8d74ffffff } + $sequence_8 = { 50 6a01 8b4da8 51 ff15???????? 85c0 0f8490000000 } + $sequence_9 = { 8b9578ffffff 83c201 899578ffffff 8b8574ffffff 83c040 398578ffffff 7d39 } + $sequence_10 = { 837dfc0a 0f83dc000000 8b4dfc 8b5508 8b44ca04 50 8b0cca } + $sequence_11 = { c7040a00000000 c7440a0400000000 c745fc00000000 eb09 } + $sequence_12 = { ba04000000 d1e2 8b4508 c70410322d6279 b904000000 } + $sequence_13 = { b908000000 6bf100 8b45ec 8b55f0 b11a e8???????? } + $sequence_14 = { 8945fc 837dfc10 7d1e 8b4dfc 8b550c 8d048a } + $sequence_15 = { eb09 8b45fc 83c002 8945fc 837dfc0a 0f83dc000000 8b4dfc } condition: 7 of them and filesize < 183296 
@@ -84463,36 +84455,36 @@ rule MALPEDIA_Win_Ratel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3659af5a-6903-5ae8-965b-97a9526108b3" - date = "2026-01-05" - modified = "2026-01-06" + id = "12171660-a73b-5e08-821e-0cfd0432b093" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ratel_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ratel_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "89a6fc619b74a1abf97d7e9ad932eeb9075f956a974cadff963b35627fbf078a" + logic_hash = "a88254add45ee767c7ac8b9e9f49aa0dce32fdf9cebe8343984c5fc758e5b8f0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c705????????080e4c00 e8???????? 83ec08 b9???????? c705????????01000000 c705????????94154c00 c705????????00000000 } - $sequence_1 = { 8b510c 31c0 395108 0f82dafeffff 8b01 ff5024 89c2 } - $sequence_2 = { 8b5c2420 395808 0f8c51020000 8b442454 8b4c2420 8b4004 39c8 } - $sequence_3 = { 8b4508 8b550c 890c24 8d4de0 8945d0 8955d4 e8???????? } - $sequence_4 = { 8d5601 89d8 89530c e8???????? 89c1 890c24 e9???????? } - $sequence_5 = { 8d7810 83c004 c744243200000000 890424 89542426 31d2 6689542436 } - $sequence_6 = { e9???????? 
8b01 ff5024 89c3 83f8ff 0f8522fbffff c7450800000000 } - $sequence_7 = { 8b470c 894c2410 8b00 890424 e8???????? 8b4c2410 85c0 } - $sequence_8 = { e8???????? 50 891c24 e8???????? 85ff 7408 893c24 } - $sequence_9 = { 894dcc 8d4de7 8945c4 668945d2 e8???????? 83ec08 807de700 } + $sequence_0 = { 7513 8b0482 80fb04 0f8527dd0900 8908 83c408 } + $sequence_1 = { 89d9 ff5028 8b4308 8b530c e9???????? 8b03 89d9 } + $sequence_2 = { e9???????? 8b4108 3b410c 0f83e5000000 0fb738 6683ffff } + $sequence_3 = { 8b01 ff5024 0fb655ac e9???????? 8b4dc0 8855b5 } + $sequence_4 = { 894da0 8b4808 894da8 8b4804 894da4 c6400800 } + $sequence_5 = { 84d2 0f85e2000000 c744240c06000000 0fb7430e 66837b1000 7403 } + $sequence_6 = { c7450cffffffff 894108 c645c200 8b410c 394108 0f83ee060000 } + $sequence_7 = { 0fb64d98 85db 0f95c0 89ce 21c6 8b451c 830804 } + $sequence_8 = { 52 890424 e8???????? 50 8d65f4 5b 5e } + $sequence_9 = { 8d45d8 894590 8945d0 c645d800 83ff01 0f84bf010000 c744240c0d000000 } condition: 7 of them and filesize < 2174976 @@ -84503,10 +84495,10 @@ rule MALPEDIA_Win_Webc2_Ugx_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "7a191507-05f1-515e-ae93-69990858de4e" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_ugx_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_ugx_auto.yar#L1-L123" license_url = "N/A" logic_hash = "da5aed5a4142e6d6386e692fafe9cfc551187544798ccc57d23b8cb2bec2ee67" score = 75 
@@ -84515,9 +84507,9 @@ rule MALPEDIA_Win_Webc2_Ugx_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" @@ -84542,10 +84534,10 @@ rule MALPEDIA_Win_Naplistener_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "a3d7d9df-de3a-516e-b81c-c3cfa9ffc96f" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.naplistener_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.naplistener_auto.yar#L1-L117" license_url = "N/A" logic_hash = "2510a61e053aa5f210d742699c248976270de6ea89c8a2ddd06d921dbbb47612" score = 75 @@ -84554,9 +84546,9 @@ rule MALPEDIA_Win_Naplistener_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -84580,36 +84572,36 @@ rule MALPEDIA_Win_Rorschach_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "11b24b2d-bfea-5a8c-988f-bea7ea32170c" - date = "2024-10-31" - modified = "2024-11-11" + id = "b906f634-06f7-511a-9b2f-eef594dc2174" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rorschach_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rorschach_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3819d2826273a95ad95ce552fb76b197f4eb30ddd0b4d089208f0442591f4b17" + logic_hash = "5f24ac102f398836ad45a544526cfb2eb2cc4eaf86f712be52f0b9204d2e2167" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20241030" - malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4" - malpedia_version = "20241030" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f30f6f440420 f30f6f0c28 660fefc8 f30f7f0c30 418d40f0 f30f6f440420 f30f6f0c28 } - $sequence_1 = { e8???????? 8885f6050000 b261 488d8d70050000 e8???????? 8885f7050000 33d2 } - $sequence_2 = { ff15???????? 85c0 7414 488b4c2438 4c8d442444 488d5570 ff15???????? } - $sequence_3 = { eb04 33c0 8bd8 b978110000 e8???????? 488bf8 48894540 } - $sequence_4 = { 488d4d28 e8???????? 884529 33d2 488d4d28 e8???????? 88452a } - $sequence_5 = { 488d8d00010000 e8???????? 88850f010000 33d2 488d8d00010000 e8???????? 888510010000 } - $sequence_6 = { e8???????? 
488d8598070000 488985b80c0000 c6454069 b273 488d4d40 e8???????? } - $sequence_7 = { 48897820 488b05???????? 4833c4 488985f0020000 bae9030000 ff15???????? 488bf0 } - $sequence_8 = { e8???????? 8885d7060000 33d2 488d8dd0060000 e8???????? 8885d8060000 b26b } - $sequence_9 = { 8885f60b0000 b23c 488d8d300b0000 e8???????? 8885f70b0000 33d2 488d8d300b0000 } + $sequence_0 = { 488d8424b8000000 482bc3 4c89b42428010000 4889442430 4c8db4249c000000 4c89bc2420010000 488d8424bc000000 } + $sequence_1 = { 888571010000 33d2 488d8d60010000 e8???????? 888572010000 b272 488d8d60010000 } + $sequence_2 = { 488d8d70050000 e8???????? 888501060000 33d2 488d8d70050000 e8???????? 888502060000 } + $sequence_3 = { 33d2 488d8d300b0000 e8???????? 8885580d0000 b23c 488d8d300b0000 e8???????? } + $sequence_4 = { 90 4d8bc4 488bd0 498bcf e8???????? 488d85d8080000 488985b80c0000 } + $sequence_5 = { 488d8da8010000 e8???????? 8885ab010000 33d2 488d8da8010000 e8???????? 8885ac010000 } + $sequence_6 = { f781c8100000e0ffffff 762c 660f1f840000000000 428b0482 42898481a4100000 41ffc0 8b81c8100000 } + $sequence_7 = { 488d8d300b0000 e8???????? 8885950c0000 33d2 488d8d300b0000 e8???????? 8885960c0000 } + $sequence_8 = { e9???????? 488d8a58040000 e9???????? 488d8af8030000 e9???????? 488d8a38050000 e9???????? } + $sequence_9 = { 90 498d542420 4903d7 488d8dc0000000 e8???????? 90 4c8d85e0000000 } condition: 7 of them and filesize < 3921930 
@@ -84619,36 +84611,36 @@ rule MALPEDIA_Win_Sathurbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40f6d317-e340-5c28-bf05-1e34ed3b7c05" - date = "2026-01-05" - modified = "2026-01-06" + id = "cdf673a7-2ef8-51a2-b7fc-cddcf54ebfb9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sathurbot_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sathurbot_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "73420e104486f36b90bb2733cf04075c1d18a3e103b83a2dc2d22ad64ff4f0ae" + logic_hash = "12a6a476ceac246b505e8c1facaabf0d67abc6e9a30e866cbec6c029f57786fe" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b84b7e8b0c 0f45c3 } - $sequence_1 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 bfcc456d5f b8dd72d480 } - $sequence_2 = { e9???????? 81fe44b0cddc 7f16 81fe7313fbac 0f850dffffff be80c3aea4 e9???????? } - $sequence_3 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8d1e835c1 b93dd672c9 } - $sequence_4 = { ebd8 81fa06cfb547 7f27 81fab0570bce 7f30 81fabe1990c9 75c2 } - $sequence_5 = { ebfe 55 89e5 53 56 83ec02 a1???????? } - $sequence_6 = { eb3e 897c2408 8b450c 89442404 893424 e8???????? 
8945f0 } - $sequence_7 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b8aebf6a24 0f45c3 } - $sequence_8 = { e9???????? c744240400000000 c7042401000000 89f1 e8???????? 83ec08 8b442454 } - $sequence_9 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b86e66c620 b9a93409fe } + $sequence_0 = { f6c601 ba22f8520e 0f45d0 89d7 81ff0f753531 89da 74f4 } + $sequence_1 = { ebba c70424???????? 89f1 e8???????? 83ec04 85c0 0f958424d3020000 } + $sequence_2 = { f6c101 b87f2fecea 0f45c7 3d31ee0d42 7f26 3d595adebc 742f } + $sequence_3 = { e9???????? 81fb00647d02 7f43 81fb33c3bdff bae82c8662 0f852cd1ffff a1???????? } + $sequence_4 = { f6c101 0f94c0 813d????????0a000000 0f9cc1 08c1 b831656685 b971a69e55 } + $sequence_5 = { e8???????? 83c408 83ec04 893c24 bfb5092650 89d9 e8???????? } + $sequence_6 = { e8???????? 83ec04 8b442448 89442404 893424 e8???????? 83ec08 } + $sequence_7 = { 83ec24 894de8 a1???????? 8b0d???????? 8d50ff 0fafd0 f6c201 } + $sequence_8 = { e9???????? 81f9e9b5e244 741c 81f9efb2794c bebbba1e5f 7523 8a4de2 } + $sequence_9 = { 8d7c2448 89f9 e8???????? 83ec08 897c245c b84863c320 bfdedd0bff } condition: 7 of them and filesize < 2727936 
@@ -84658,36 +84650,36 @@ rule MALPEDIA_Win_Webc2_Kt3_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c279999-73dd-553b-a33f-fb7233640f4d" - date = "2026-01-05" - modified = "2026-01-06" + id = "bf03e91b-3d35-5384-9df8-afffbe1a85ef" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_kt3_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_kt3_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "43bd0b6c16f3b291b1fdceb004531872c299302c3bdde3bd6c507ecd76a92465" + logic_hash = "3850aca370467a6f4313421f7ed5d71224a0fec60d04baaad68e3c83784bdddc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c1ff 51 8b4df4 51 8b15???????? 52 } - $sequence_1 = { 51 e8???????? 83c404 8985e0fbffff 8b85e0fbffff 8985ecfbffff } - $sequence_2 = { 8b4dfc 0fbe5103 83fa3e 750f } - $sequence_3 = { 0f8408000000 0f8502000000 ebe9 c745dc00000000 } - $sequence_4 = { 8b55f8 2b55fc 8955f8 ebb7 8b4510 5f } - $sequence_5 = { 51 8b55f4 52 8d4de4 e8???????? 8b45e8 } - $sequence_6 = { 8b4dfc 83c10b 894df4 6a20 } - $sequence_7 = { 8d41fc 8b4c2404 2bc1 c3 6800000300 } - $sequence_8 = { 8dbdecfeffff 83c9ff 33c0 f2ae f7d1 83c1ff } - $sequence_9 = { 51 8b55f4 52 8d4de4 e8???????? 
} + $sequence_0 = { 33c0 f2ae f7d1 83c1ff 894df0 } + $sequence_1 = { 6a18 e8???????? 83c404 8985e8fbffff b906000000 } + $sequence_2 = { 8b45dc c7400cffffffff 6a00 8b4ddc } + $sequence_3 = { 7425 0fb601 0fb6fa 3bc7 7714 8b55fc 8a92c0c84000 } + $sequence_4 = { 41 41 8079ff00 0f8547ffffff 8bc6 808821d3400008 } + $sequence_5 = { 8945d0 8b4d0c 894dd4 8b550c } + $sequence_6 = { ff15???????? e9???????? 8b8de8fbffff 51 e8???????? 83c404 } + $sequence_7 = { 8d55f4 52 8d45f0 50 8b4de8 51 ff15???????? } + $sequence_8 = { 0f8502000000 ebe9 c745dc00000000 c7459844000000 } + $sequence_9 = { 7229 f3a5 ff2495c8744000 8bc7 ba03000000 83e904 } condition: 7 of them and filesize < 114688 
@@ -84697,36 +84689,36 @@ rule MALPEDIA_Win_Komprogo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b83eddfd-6609-5160-bb17-24d52dab0572" - date = "2026-01-05" - modified = "2026-01-06" + id = "bdd9ee80-44ed-59fa-81f7-566a28a23a0f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.komprogo_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.komprogo_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "5f20beca4c5ecafddf1c339febd8122f816667a260edfabf9768a16c874c78f2" + logic_hash = "29eccd352001ee2f12ca67ab71a52496adf722d1d26763c656f76672b863d7d6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 68???????? 8d45f4 50 c745f400614100 e8???????? cc } - $sequence_1 = { c745ec00000000 84c0 7407 be01000000 eb15 51 e8???????? } - $sequence_2 = { 899ef6e80000 899eeca10000 8d8610700300 8986aee90000 8d861c970300 898632ea0000 } - $sequence_3 = { 8d55f0 52 8b11 8d45f4 50 52 } - $sequence_4 = { 899e876b0000 51 8b4dfc 899e9a6b0000 8d8696d20300 } - $sequence_5 = { 8d85e4f3ffff 50 8d8decfdffff 51 c78584f3ffff44000000 ff15???????? 8bf0 } - $sequence_6 = { 51 8d86a0d00300 8bcb e8???????? 
83c404 84c0 } - $sequence_7 = { 8d8650e60300 8d961ef30100 898623bc0200 899634320200 8d8636a50200 898675af0200 } - $sequence_8 = { 8d8ee0920000 898e1caa0300 8d8e80720300 8d96305d0300 51 8b4df4 8d8600cf0300 } - $sequence_9 = { 89966c940300 8d9698ec0300 89964da90200 898e88aa0200 8986cbaa0200 8d860cea0300 8986f7aa0200 } + $sequence_0 = { 83c404 84c0 7451 8d8e48720300 51 8d86d2cf0300 8bcf } + $sequence_1 = { 898e73450300 8996e7410100 8d8ef4380400 898eed410100 8d8e60f10300 898e30a30300 8d96ccb80300 } + $sequence_2 = { 8d96d8be0300 899644bf0300 8d8628bf0300 89864cbf0300 8d96606a0300 89966cbf0300 } + $sequence_3 = { 8986ef470000 8d8e90160400 898eab3e0200 89be389c0000 8d8e58700300 898e93480000 8d8e90e90300 } + $sequence_4 = { 8986e0d20100 8d86e15c0300 8986c6c70000 8d8eab880100 898ee8d20100 8d9683bd0100 } + $sequence_5 = { 89861cb60300 8d8e28640300 898ed4b50300 8d9610780300 899624e80300 8d86e4970300 8986a5080100 } + $sequence_6 = { 8986f8bc0200 8d8e57540300 8d86e0710300 898e78c50300 8b4df0 50 b809000000 } + $sequence_7 = { 898605090100 8d8ef85b0300 898e76ae0000 8d9694160400 8996d9d20000 8d8628700300 8986b6ae0000 } + $sequence_8 = { 8d86e0a50300 898666cc0200 8d866c770300 898658e80300 8d868c720300 50 b812000000 } + $sequence_9 = { 8d8ea8970300 898e5f510100 8d8e50720300 89be504b0300 898ea94d0000 8d8ef0380400 } condition: 7 of them and filesize < 1045504 
@@ -84736,35 +84728,35 @@ rule MALPEDIA_Win_Ryuk_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ce42c56-7196-5dab-bbf5-f82410a1858c" - date = "2026-01-05" - modified = "2026-01-06" + id = "25bfed9e-c63a-5aef-bc3b-2c7946389de1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ryuk_stealer_auto.yar#L1-L110" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ryuk_stealer_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "577b17a6c0c9d94113328d94349dd787eb11b2a9bf82279881b6744cc074e6ff" + logic_hash = "1a29a1c482d6ad47c21930458460d24d19bc663574cae29c5c89f53d73312866" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bcb e8???????? 3bc7 7552 } - $sequence_1 = { 05???????? 50 8d85b4fdffff 50 e8???????? } - $sequence_2 = { 8bcb 0f44f2 42 8d7902 } - $sequence_3 = { 83f801 7410 83ff01 755d } - $sequence_4 = { 8a443706 3c2f 7404 3c2d } - $sequence_5 = { b9a0860100 f7f9 81c2f8240100 52 ff15???????? } - $sequence_6 = { 668945ec 8945ee 668945f2 8d45e0 50 } - $sequence_7 = { 81c2f8240100 52 ff15???????? 46 } - $sequence_8 = { e8???????? 99 b9a0860100 f7f9 81c2f8240100 52 ff15???????? } + $sequence_0 = { 89442464 83c40c 66a1???????? 8bf2 } + $sequence_1 = { 66a3???????? ff15???????? 
83f805 740a b9???????? e8???????? 46 } + $sequence_2 = { 0f8503070000 8d85b4fdffff 68???????? 50 e8???????? } + $sequence_3 = { 7414 6888130000 ff15???????? ff7604 ff15???????? 6810270000 } + $sequence_4 = { b9a0860100 f7f9 81c2a8610000 52 ff15???????? 46 } + $sequence_5 = { 8bcb 0f44f2 42 8d7902 } + $sequence_6 = { e8???????? 99 b9a0860100 f7f9 81c2f8240100 52 ff15???????? } + $sequence_7 = { 6685c0 75f5 6a04 6800100000 } + $sequence_8 = { 8a443701 3c2f 7408 3c2d } $sequence_9 = { 75f4 a1???????? 8907 eb38 } condition: 
@@ -84775,43 +84767,44 @@ rule MALPEDIA_Win_Crat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6875ef99-cb78-5d35-8902-45286f9925fd" - date = "2026-01-05" - modified = "2026-01-06" + id = "85307d05-5b0b-5d5c-9fc3-236ba5212662" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crat_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crat_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "6a558eedfed48b48235f564ba72a779c4c350ad31cd93998f4d10b79b9d23f07" + logic_hash = "af30d3bc359dc40a108feaa2eafde853c78f807e75d8cafbd55ff0880038dc9b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 488bd0 488d8d78010000 e8???????? 90 } - $sequence_1 = { 488bd0 488d8d38030000 e8???????? 90 } - $sequence_2 = { e8???????? 488bd0 488d8d28010000 e8???????? 90 } - $sequence_3 = { e8???????? 488bd0 488d4d90 e8???????? 90 488bd0 } - $sequence_4 = { e8???????? 488bd0 488d8db8000000 e8???????? 90 } - $sequence_5 = { e8???????? 488bd0 488d8d40010000 e8???????? 90 } - $sequence_6 = { e8???????? 488bd0 488d8de8000000 e8???????? 90 } - $sequence_7 = { ebd0 498bc4 48833d????????10 480f4305???????? 
482bc8 } - $sequence_8 = { 33d2 c1e902 f7f1 eb02 } - $sequence_9 = { ffd0 85c0 750f ff15???????? 83f87a } - $sequence_10 = { 52 8b01 ff5004 c645fc08 8bcf 8b5648 } - $sequence_11 = { 2b460c f20f114dc0 83f810 7d0d 51 } - $sequence_12 = { 50 e8???????? 83c404 e8???????? 33d2 f7f7 81c2e8030000 } - $sequence_13 = { 52 8b01 ff5004 c645fc07 8bcf 8b5640 } - $sequence_14 = { 52 8b01 ff5004 c645fc06 8bcf 8b563c 83ea10 } - $sequence_15 = { 2b4624 83f810 7d09 51 } - $sequence_16 = { 3855e3 7408 8b4dd8 8b55dc eb04 8bce 33d2 } + $sequence_0 = { e8???????? 488bd0 488d8d28010000 e8???????? 90 } + $sequence_1 = { ebd0 498bc4 48833d????????10 480f4305???????? 482bc8 } + $sequence_2 = { 48f7c20000ffff 7523 0fb7fa 8bcf e8???????? 4885c0 7427 } + $sequence_3 = { e8???????? 488bc8 4885c0 7433 } + $sequence_4 = { e8???????? 488bd0 488d8de8000000 e8???????? 90 } + $sequence_5 = { e8???????? 488bd0 488d4d90 e8???????? 90 488bd0 } + $sequence_6 = { e8???????? 488bd0 488d8d88010000 e8???????? 90 } + $sequence_7 = { e8???????? 488bd0 488d8d78010000 e8???????? } + $sequence_8 = { ffd0 85c0 750f ff15???????? 83f87a } + $sequence_9 = { 33d2 c1e902 f7f1 eb02 } + $sequence_10 = { 52 8b01 ff5004 c645fc0b 8bcf 8b5658 83ea10 } + $sequence_11 = { 8b5648 83ea10 8d420c f00fc108 49 85c9 } + $sequence_12 = { e8???????? ffd0 8bf0 eb02 } + $sequence_13 = { e9???????? 8b45e4 8b4dd4 8945d8 } + $sequence_14 = { 8d49e8 47 897de4 8d0c48 894dd4 } + $sequence_15 = { c745fcffffffff 8b5608 83ea10 8d420c } + $sequence_16 = { c645fc00 8bcf 8b560c 83ea10 } + $sequence_17 = { 8bec 56 8bf1 57 837e0c00 751b } condition: 7 of them and filesize < 4161536 
@@ -84821,36 +84814,36 @@ rule MALPEDIA_Win_Hui_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d52a9e1-364f-5da9-98e9-94947c68e8f2" - date = "2026-01-05" - modified = "2026-01-06" + id = "bd2bd968-de61-56e0-a2ed-8786d30b1558" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hui_loader_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hui_loader_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "9aeecb9fd394041a8c28b780fedfdb6f106e3cf0d7d8dbc8dc34058d911e30dc" + logic_hash = "e8d91e0cf5de9a266b7ec6565b8eba1d9a9045f0be8f4c2b86f09eda8a9b7a59" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc8 83e01f c1f905 56 57 8b348d60e20010 } - $sequence_1 = { 83c028 83c12c 4a 75eb b902000000 8d742454 83f901 } - $sequence_2 = { 8db604b40010 6a00 50 ff36 e8???????? } - $sequence_3 = { 75f8 42 83c628 83fa0a 7ce6 b931000000 33c0 } - $sequence_4 = { 68???????? ff15???????? 6a00 6a00 6a00 8bf0 6a04 } - $sequence_5 = { 80f95c 7408 8a48ff 48 3acb 75f3 } - $sequence_6 = { 56 ff15???????? 8bf8 85ff 7506 50 } - $sequence_7 = { 6880000000 6a03 53 6a02 6800000080 68???????? } - $sequence_8 = { ffd0 68e8030000 ffd6 8b0d???????? 
} - $sequence_9 = { 6a03 53 6a02 6800000080 68???????? ff15???????? } + $sequence_0 = { 7cd8 6a28 68???????? e8???????? } + $sequence_1 = { 7714 8b55fc 8a92d0b90010 089021d10010 40 3bc7 } + $sequence_2 = { 7c13 80fb78 7f0e 0fbec3 8a8050710010 } + $sequence_3 = { 8b15???????? 33c0 85d2 7e1a 8b0d???????? 8a1c01 80f320 } + $sequence_4 = { c7405040b90010 c7401401000000 c3 56 57 ff15???????? } + $sequence_5 = { 6a01 e8???????? 8906 83c408 83c604 } + $sequence_6 = { 0bc9 0f84e9000000 8b7508 8b7d0c 8d0588ce0010 83780800 754e } + $sequence_7 = { 8b348d60e20010 8d1c8d60e20010 8d3cc0 c1e702 } + $sequence_8 = { 50 a3???????? e8???????? 8db6dcb90010 bf???????? a5 a5 } + $sequence_9 = { 50 c705????????04000000 ff15???????? c20400 8b0d???????? 68???????? } condition: 7 of them and filesize < 131072 
@@ -84860,48 +84853,48 @@ rule MALPEDIA_Win_Keyboy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fec012ed-67a0-5990-a09f-2adc6f6d01e1" - date = "2026-01-05" - modified = "2026-01-06" + id = "5e160c48-e34a-5517-92e8-230d3035758a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.keyboy_auto.yar#L1-L216" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.keyboy_auto.yar#L1-L209" license_url = "N/A" - logic_hash = "9b6870fb0f7fa4f14ee6296738101c3d20a040df4ce6327954399cd55fe9250f" + logic_hash = "c15a0dcb88ac9b4f1072ba3c5286b611b6bc324bd869ec34304793a506654e59" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 ff75d8 6a00 ff75c0 } - $sequence_1 = { 6a00 8945f2 8d45f8 50 6a0e } - $sequence_2 = { 5d c3 3b0d???????? 
f27502 f2c3 f2e953030000 } - $sequence_3 = { c705????????dbd99823 c705????????d468bcb5 c705????????2086e659 c705????????eec45abf c705????????bbee2bd1 c705????????3e20f129 } - $sequence_4 = { c705????????0caa6c89 c705????????a856701f c705????????597e743c c705????????0a9769e0 c705????????c4b85363 } - $sequence_5 = { c705????????0a9769e0 c705????????c4b85363 c705????????3abf261f c705????????890e9944 c705????????dbd99823 c705????????d468bcb5 c705????????2086e659 } - $sequence_6 = { 57 68cc020000 8d852cfdffff 8bf2 6a00 50 89b528fdffff } - $sequence_7 = { 24a0 3ca0 7518 b800080000 } - $sequence_8 = { 2408 f6d8 1ac0 24dd 88474e } - $sequence_9 = { 7207 b901000000 eb0f 3cfe 7509 } - $sequence_10 = { 6683f809 740a 6683f806 7404 32c9 eb02 } - $sequence_11 = { 7905 49 83c9f8 41 8a043e 0fbe4c8de0 3401 } - $sequence_12 = { 0fbe4c8de0 3401 0fbec0 0fafc8 80f185 880c3e } - $sequence_13 = { e8???????? 85c0 755e 83ff20 } - $sequence_14 = { f7d9 85db 0f44c2 23c8 } - $sequence_15 = { c705????????1671e665 c705????????f3106cb3 c705????????526c1ed0 c705????????5d05606c } - $sequence_16 = { ffd0 e9???????? bbfeffffff eb05 } - $sequence_17 = { 84c0 75f0 8d55ec c745ec5c417070 c745f06c655c55 } - $sequence_18 = { e8???????? 8b75c0 8bce 8b15???????? a3???????? e8???????? 8b15???????? } - $sequence_19 = { 8d46d6 99 83e23f 03c2 } - $sequence_20 = { ff15???????? 8bf8 c745f447646933 8d45f4 66c745f83200 50 } - $sequence_21 = { c745f06c655c55 8bf2 c745f470646174 66c745f86500 8a02 } + $sequence_0 = { 6a00 8945f2 8d45f8 50 6a0e 8d45e8 } + $sequence_1 = { 51 ff75d8 6a00 ff75c0 } + $sequence_2 = { c705????????3abf261f c705????????890e9944 c705????????dbd99823 c705????????d468bcb5 c705????????2086e659 } + $sequence_3 = { 5d c3 3b0d???????? 
f27502 f2c3 f2e953030000 55 } + $sequence_4 = { c705????????d468bcb5 c705????????2086e659 c705????????eec45abf c705????????bbee2bd1 } + $sequence_5 = { c705????????0caa6c89 c705????????a856701f c705????????597e743c c705????????0a9769e0 c705????????c4b85363 c705????????3abf261f } + $sequence_6 = { c745ec5c417070 c745f06c655c55 8bf2 c745f470646174 66c745f86500 } + $sequence_7 = { 8a043e 0fbe4c8de0 3401 0fbec0 0fafc8 } + $sequence_8 = { 24a0 3ca0 7518 b800080000 } + $sequence_9 = { 6683f806 7404 32c9 eb02 } + $sequence_10 = { 56 6a00 ff33 ff15???????? 8945f8 85c0 } + $sequence_11 = { 7207 b901000000 eb0f 3cfe 7509 } + $sequence_12 = { e8???????? 85c0 755e 83ff20 } + $sequence_13 = { 880c3e 46 3bf2 7cd6 5f 5e } + $sequence_14 = { ffd0 e9???????? bbfeffffff eb05 } + $sequence_15 = { c745e06c333200 50 ff15???????? 8bf8 } + $sequence_16 = { f7d9 85db 0f44c2 23c8 } + $sequence_17 = { 8d46d6 99 83e23f 03c2 } + $sequence_18 = { c7852cfdffff07000100 50 ff7304 ff15???????? 85c0 } + $sequence_19 = { 7e2a 8bce 81e107000080 7905 49 } + $sequence_20 = { 2408 f6d8 1ac0 24dd 88474e } + $sequence_21 = { 53 56 57 68cc020000 8d852cfdffff 8bf2 6a00 } condition: 7 of them and filesize < 2170880 
@@ -84912,10 +84905,10 @@ rule MALPEDIA_Win_Alice_Atm_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "9cfa3195-b227-51b9-a69c-03c48bd5ea46" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alice_atm_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alice_atm_auto.yar#L1-L119" license_url = "N/A" logic_hash = "0ef9f8a95dbcda5f31fa4765cc9c970db5415f8125e940fffc88bdbab240fbed" score = 75 @@ -84924,9 +84917,9 @@ rule MALPEDIA_Win_Alice_Atm_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -84950,36 +84943,36 @@ rule MALPEDIA_Win_Pykspa_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50716d19-baac-512e-9696-08ac9e2a4a98" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a537e92-21c2-5b77-a651-f4fda97a87e0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pykspa_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pykspa_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "224d3991c62a8b8f8f63073971c195da5bc5aec2fb8743f9bc32c0631a402ab6" + logic_hash = "fb0e6103eff02a84ad231a9178870bf43dde8ae715ac67e66b634a6285422703" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 32c0 eb0d 2b4508 8d443004 39450c 0f9dc0 } - $sequence_1 = { ff7524 68???????? e8???????? 83c40c 8d8500fcffff 50 8d8500d4ffff } - $sequence_2 = { 53 ff15???????? e9???????? 8d85a0feffff 68???????? 50 e8???????? } - $sequence_3 = { 8bf0 ff15???????? ff75cc 8bf8 e8???????? 3bf3 59 } - $sequence_4 = { e9???????? 6a0a 8d45b0 50 8d858ceeffff 50 e8???????? } - $sequence_5 = { 8bcb 83e107 c1e102 d3e8 a80f 7503 4b } - $sequence_6 = { 50 6aff ff36 53 53 ff15???????? ff7508 } - $sequence_7 = { 6a41 8d45bc 50 68???????? e8???????? 83c40c ff15???????? } - $sequence_8 = { 53 e8???????? 
8903 8d0436 83c40c 894708 6a02 } - $sequence_9 = { 7414 8d4580 50 8d4508 50 56 ff7510 } + $sequence_0 = { 8bc6 6a02 99 59 f7f9 3bd3 8bc8 } + $sequence_1 = { 0f84dc000000 ff36 e8???????? 8bf8 85ff 59 897dec } + $sequence_2 = { 6a00 50 e8???????? 8365c800 8365e400 83c40c 6a02 } + $sequence_3 = { 3955f8 740d 8d75f8 8b7d10 a5 66a5 b001 } + $sequence_4 = { 745b 80bd50ffffff2e 0f84cb010000 8d8550ffffff 50 ff7570 8d8520feffff } + $sequence_5 = { 83c418 56 85c0 56 0f9545ff ffd7 807dff00 } + $sequence_6 = { 85c0 59 59 7404 b001 5f c3 } + $sequence_7 = { e8???????? 59 59 8bf0 ffd3 894608 eb25 } + $sequence_8 = { 8d8500f0ffff 50 8b4508 83c008 50 e8???????? } + $sequence_9 = { 6a0c 8d8540faffff 50 68???????? e8???????? 83c420 50 } condition: 7 of them and filesize < 835584 
@@ -84989,50 +84982,50 @@ rule MALPEDIA_Win_Hyperssl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f22636e-fb9b-5862-8e11-c3c097a8328b" - date = "2026-01-05" - modified = "2026-01-06" + id = "89a2e6ca-4517-566a-b48d-d52b67e127cd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hyperssl_auto.yar#L1-L220" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hyperssl_auto.yar#L1-L214" license_url = "N/A" - logic_hash = "373cb8242b6edc99bdda77d7fa35bccbbf94de7d502bb63cf5e16d60e54a0b5d" + logic_hash = "8eb5d428e7f3b76db37c3914f9ea00f56356dfef911c10922708e50871fa1caf" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 742a 8b4028 03c1 7423 56 57 b9???????? } - $sequence_1 = { 40 4f 75f2 5f 5e e9???????? } - $sequence_2 = { 0108 8b4830 3308 56 } - $sequence_3 = { 0101 014514 2bf3 8b5d0c c7472400000000 } - $sequence_4 = { 0108 3908 1bc9 f7d9 } - $sequence_5 = { e8???????? 33c0 40 5d c20c00 6a08 } - $sequence_6 = { 5d c20c00 6a08 68???????? e8???????? 8b450c } - $sequence_7 = { 8bc8 85c9 7436 8b413c 03c1 } - $sequence_8 = { 0105???????? 8d8d5cffffff 89855cffffff 898560ffffff } - $sequence_9 = { 5e e9???????? 
c3 55 8bec } - $sequence_10 = { 0108 894810 8b4830 3308 } - $sequence_11 = { 8a10 301401 8a10 301406 40 4f } - $sequence_12 = { 2bc8 2bf0 5f 8a10 } - $sequence_13 = { 0108 3310 c1c607 c1c210 } - $sequence_14 = { 0105???????? 8d558c 89458c 894590 } - $sequence_15 = { 33c9 46 2bc3 8944240c 8b5c241c 8d440c2c 0fb61c03 } - $sequence_16 = { 017e0c 8d4d08 e8???????? 5f } - $sequence_17 = { 01442428 8b442428 884500 45 } - $sequence_18 = { 016b08 897b04 5f 5e } - $sequence_19 = { 017e0c 395e10 740f ff7610 } - $sequence_20 = { 011d???????? 5f 8935???????? 5e } - $sequence_21 = { 017e0c 5f 8bc6 5e c20800 } - $sequence_22 = { 017e08 50 e8???????? ff0d???????? } - $sequence_23 = { 017e08 8bc3 e8???????? c20400 } + $sequence_0 = { 2bc8 2bf0 5f 8a10 } + $sequence_1 = { c20c00 6a08 68???????? e8???????? 8b450c 83f801 757a } + $sequence_2 = { 0105???????? 8d8d5cffffff 89855cffffff 898560ffffff } + $sequence_3 = { 03c1 742a 8b4028 03c1 } + $sequence_4 = { 03c1 7423 56 57 b9???????? } + $sequence_5 = { 4f 75f2 5f 5e e9???????? } + $sequence_6 = { 8a10 301406 40 4f } + $sequence_7 = { 0108 3908 1bc9 f7d9 } + $sequence_8 = { 5f 8a10 301401 8a10 } + $sequence_9 = { 0108 894810 8b4830 3308 } + $sequence_10 = { 0105???????? 8d558c 89458c 894590 } + $sequence_11 = { 33c9 46 2bc3 8944240c 8b5c241c 8d440c2c 0fb61c03 } + $sequence_12 = { 0101 014514 2bf3 8b5d0c c7472400000000 } + $sequence_13 = { 0108 8b4830 3308 56 } + $sequence_14 = { 0108 3310 c1c607 c1c210 } + $sequence_15 = { ff15???????? 8bc8 85c9 7436 8b413c 03c1 } + $sequence_16 = { 017e08 50 e8???????? ff0d???????? } + $sequence_17 = { 017e0c 5f 8bc6 5e c20800 } + $sequence_18 = { 017e08 8bc3 e8???????? c20400 } + $sequence_19 = { 016b08 897b04 5f 5e } + $sequence_20 = { 017e0c 8d4d08 e8???????? 5f } + $sequence_21 = { 017e0c 395e10 740f ff7610 } + $sequence_22 = { 01442428 8b442428 884500 45 } + $sequence_23 = { 011d???????? 5f 8935???????? 5e } condition: 7 of them and filesize < 835584 
@@ -85042,42 +85035,42 @@ rule MALPEDIA_Win_Ksl0T_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "38d6ccea-2477-53a3-80c5-72d7cca1e17c" - date = "2026-01-05" - modified = "2026-01-06" + id = "2870abe6-5db4-5e5a-a968-46d1ac11caff" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ksl0t_auto.yar#L1-L172" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ksl0t_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "d56faacde84036ddaab537f194f3df4539ee4dbdadae9af8318bac8df1d8305a" + logic_hash = "e36653d3134f0d8f3891988f3daa92e765abf5eacde9d9ce4affe6397f1c8183" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 44895c2440 897c2438 89542430 894c2428 89442420 488d15a8cb0000 } - $sequence_1 = { 4885c9 7405 e8???????? 488b8ba0000000 488d057f5c0000 483bc8 7405 } - $sequence_2 = { 48894c2408 4883ec18 c744240400000000 8b4c2404 8b442428 } - $sequence_3 = { c68424e700000020 889c24e8000000 888424e9000000 c68424ea0000002d c68424eb00000002 888c24ec000000 c64424381a } - $sequence_4 = { 83c008 898424f4080000 448b05???????? 
49d1e0 } - $sequence_5 = { c644243331 c644243439 c644243539 884c2436 } - $sequence_6 = { c684248600000067 88942487000000 c684248800000031 c684248900000039 c684248a00000039 } - $sequence_7 = { 488b442450 8138a0000000 7470 833d????????00 7528 } - $sequence_8 = { 6800020000 57 8d95000d0000 52 } - $sequence_9 = { 888c24fd000000 c68424b000000012 888424b1000000 889c24b2000000 c68424b300000019 c68424b400000034 } - $sequence_10 = { 889c2451020000 c684245202000073 c68424530200006c c684245402000065 c68424550200006e c684245602000000 } - $sequence_11 = { 488d0d67a70000 e8???????? 488d1556aa0000 4c8d050f3d0000 488d4c38de 41b903000000 482bd1 } - $sequence_12 = { c68424eb00000018 c68424ec0000003a c68424ed00000031 c68424ee00000020 c68424ef00000039 c68424f000000030 } - $sequence_13 = { c68424f80200006c c68424f902000073 c68424fa02000074 c68424fb02000072 } - $sequence_14 = { 390424 7d46 48630c24 488b442428 440fbe0408 4863442420 33d2 } - $sequence_15 = { 33c9 66898d60060000 6806020000 51 8d9562060000 52 e8???????? } + $sequence_0 = { 52 53 894648 ffd7 89464c 8d842468020000 50 } + $sequence_1 = { 85c0 7531 4c8d056c3d0000 488d0da6a70000 bafb020000 e8???????? 85c0 } + $sequence_2 = { ffd7 89465c 8d442438 50 53 } + $sequence_3 = { 888424d3020000 c68424d402000026 c68424d502000026 c68424d60200001c c68424d702000031 } + $sequence_4 = { 4881c22c010000 41b804000000 488d0d05e40000 ff15???????? e9???????? 488d1533c10000 } + $sequence_5 = { 488d8c2400030000 e8???????? ba18000000 488d8c24a0000000 e8???????? ba0d000000 488d8c2480030000 } + $sequence_6 = { 4883c202 488d8c24b0020000 ff15???????? 488b8c2400090000 ff15???????? } + $sequence_7 = { 8138a3000000 744c 488b442450 8138a2000000 743f 4881bc242816000000010000 } + $sequence_8 = { c684248900000039 c684248a00000039 888c248b000000 c644244438 c644244526 } + $sequence_9 = { c684246d01000027 889c246e010000 c684246f01000020 c684247001000034 c684247101000039 } + $sequence_10 = { 03c0 50 8d85000c0000 50 68???????? } + $sequence_11 = { 53 ff15???????? 
85c0 0f85b6000000 6a1c 68???????? 57 } + $sequence_12 = { 68???????? e8???????? 83c40c 8b9510150000 } + $sequence_13 = { c684249500000036 c68424960000003a c684249700000031 c684249800000030 c684249900000010 } + $sequence_14 = { 488dbc2492040000 33c0 b9fe030000 f3aa 33c0 } + $sequence_15 = { 4c89442418 4889542410 48894c2408 4881ec08040000 488b05???????? 4833c4 48898424f0030000 } condition: 7 of them and filesize < 196608 @@ -85088,10 +85081,10 @@ rule MALPEDIA_Win_Klrd_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "f2ac53cd-82a8-55ea-badd-f6f1aae58f93" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.klrd_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.klrd_auto.yar#L1-L127" license_url = "N/A" logic_hash = "0fc6f030ea4bb49d87359f96c6eceeeaeffbdd94bdee42030f76f2d7ec66a19a" score = 75 @@ -85100,9 +85093,9 @@ rule MALPEDIA_Win_Klrd_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -85126,36 +85119,36 @@ rule MALPEDIA_Win_Project_Wood_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "99ac0756-7270-5092-a0e9-372c792f0f89" - date = "2026-01-05" - modified = "2026-01-06" + id = "55acbab4-1c48-5309-bcf3-d73373103210" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_wood" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.project_wood_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.project_wood_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "d6cbe15bf8f450c37b272bcbe4cde2ce46e9a95962a04b9a673413f1c7fe9c2a" + logic_hash = "8ca60473036e79bf973ce8be4b5d52dfd76a7459d980cb5e76559e8a2d421d7b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7404 6aff eb05 6830750000 53 8d45e8 57 } - $sequence_1 = { 57 50 ff7508 ff15???????? 85c0 7426 ff37 } - $sequence_2 = { ffd5 68???????? e8???????? 59 5e 5d 5b } - $sequence_3 = { 7422 8d4df8 b801000080 51 6819000200 57 68???????? } - $sequence_4 = { ff7508 e8???????? 83c41c 84c0 0f84abfeffff 8d8550f7ffff } - $sequence_5 = { 0f8426010000 8d45d8 50 8d85acfeffff 50 ff15???????? 8d45e4 } - $sequence_6 = { 41 83f902 72e3 a3???????? eb10 c705????????01000000 891d???????? 
} - $sequence_7 = { ab ab 66ab aa 8d45f0 c745f050000000 50 } - $sequence_8 = { 7222 8d85a4f7ffff 6a04 50 8d450c 50 e8???????? } - $sequence_9 = { 0f84e3feffff 57 8d45f8 ff7518 ff7514 50 8d8558f7ffff } + $sequence_0 = { 8dbead000000 68???????? 57 e8???????? 80bd25ffffff43 59 59 } + $sequence_1 = { 83c002 8945e4 50 8d8598ebffff 50 8d85e4feffff 50 } + $sequence_2 = { 6a40 33c0 59 8dbd95fdffff f3ab 66ab aa } + $sequence_3 = { 33c0 e9???????? 8bc1 53 99 2bc2 57 } + $sequence_4 = { e8???????? 81ec2c0a0000 53 56 8b7508 57 8965f0 } + $sequence_5 = { 7538 ff35???????? e8???????? 8d8500ffffff c70424???????? 50 e8???????? } + $sequence_6 = { 3c08 7508 ff8e20090000 eb1b ff8620090000 8a09 } + $sequence_7 = { 8bf1 6a3f 59 33c0 8dbdf9fdffff 80a5f8feffff00 f3ab } + $sequence_8 = { 50 8d85e0f5ffff 50 c745f828010100 e8???????? 8b45fc 83c418 } + $sequence_9 = { 42 ebf0 803a00 7504 85f6 750b 8b550c } condition: 7 of them and filesize < 31137792 
@@ -85165,47 +85158,47 @@ rule MALPEDIA_Win_Redcurl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d681119a-f653-5bed-a537-3617b5c42d11" - date = "2026-01-05" - modified = "2026-01-06" + id = "0663e601-d8b5-50f4-b320-33a5dcee05d6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redcurl_auto.yar#L1-L199" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redcurl_auto.yar#L1-L210" license_url = "N/A" - logic_hash = "e9dbdef2d970be2c43c2c35ff66ca296c8c7b5f23d7ab81a2c0ef377599edc93" + logic_hash = "0491d2e009664a48ff3f0dfcc61ec94ae97a0faf3a36fbea7931e0940fef1d43" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 2bc6 48 50 56 } - $sequence_1 = { f7f9 80c261 88143e 47 } - $sequence_2 = { ff15???????? 8bd0 c7461000000000 8bca } - $sequence_3 = { 6a00 6a00 6aff 8bf8 6a00 57 } - $sequence_4 = { 6a00 6a00 50 53 ff15???????? 6a00 6a00 } - $sequence_5 = { 85ff 747a 85c0 7476 6800010000 } - $sequence_6 = { 8bf0 6a00 6a03 6a00 } - $sequence_7 = { 0f85e90b0000 eb00 f30f7e442404 660f2815???????? 660f28c8 } - $sequence_8 = { 8b4610 3bc2 726f 2bc2 } - $sequence_9 = { 3bc2 0f42d0 0fb6041a 03d3 } - $sequence_10 = { e8???????? 
c745e800000000 c745ec0f000000 c645d800 8d5001 8b4610 } - $sequence_11 = { 6a00 6a50 51 56 ff15???????? 8bd8 } - $sequence_12 = { 726f 2bc2 83c9ff 83f8ff 0f42c8 } - $sequence_13 = { 8d4590 c7458c00000000 894588 c6459000 e8???????? } - $sequence_14 = { c70424???????? e8???????? 8b5304 83c001 83ec0c 39d0 } - $sequence_15 = { c785acfcffff00000000 8985a8fcffff 8d8580fdffff c7442408???????? } - $sequence_16 = { 0f84f31d0000 0fb60e 83c601 3dff000000 } - $sequence_17 = { 0fb607 888598feffff 8b852cfdffff 89b594feffff } - $sequence_18 = { 0f84b70c0000 8bb538feffff 39f2 0f86c50a0000 } - $sequence_19 = { 890424 e8???????? 8b85c4fbffff 83ec08 8d9510feffff } - $sequence_20 = { 8944240c 8b856cfdffff 89442404 e8???????? 83ec10 8d8500fcffff } + $sequence_0 = { ff15???????? 8bd0 c7461000000000 8bca c746140f000000 c60600 8d7901 } + $sequence_1 = { 2bc6 48 50 56 } + $sequence_2 = { f7f9 80c261 88143e 47 } + $sequence_3 = { 6a00 6a00 6aff 8bf8 6a00 57 ff15???????? } + $sequence_4 = { c745f001000000 e8???????? c745e800000000 c745ec0f000000 } + $sequence_5 = { c645d800 8d5001 8b4610 3bc2 } + $sequence_6 = { 8b4610 3bc2 726f 2bc2 83c9ff 83f8ff 0f42c8 } + $sequence_7 = { e8???????? 8d45d8 8bce 50 e8???????? 8b55ec 83fa10 } + $sequence_8 = { 0f57c0 c745e800000000 68???????? ba???????? 660fd645e0 e8???????? } + $sequence_9 = { 837d1c10 8d4d08 6a00 0f434d08 8bf0 6a00 } + $sequence_10 = { 750f d93c24 668b0424 6683e07f 6683f87f 8d642408 0f85e90b0000 } + $sequence_11 = { c20000 55 8bec 83ec0c 8d4df4 e8???????? } + $sequence_12 = { 6a00 50 53 ff15???????? 6a00 } + $sequence_13 = { 83c10f 83e1f0 85d2 0f8546ffffff } + $sequence_14 = { 3c30 0f84b6100000 3c31 0f85aed3ffff } + $sequence_15 = { e8???????? 8b8520fdffff 8d9d28fdffff 39d8 7408 890424 } + $sequence_16 = { 85f6 741a 0fb613 8810 f7c602000000 740d } + $sequence_17 = { e8???????? 
89c7 8945d0 83f80f 0f8755060000 } + $sequence_18 = { 01d8 7408 85f6 0f8471170000 899d7cfdffff 83fb0f } + $sequence_19 = { 89c6 8b03 8d7e0c 85c0 } + $sequence_20 = { 8985e8fdffff 8d8568feffff 83ec08 898560feffff } condition: 7 of them and filesize < 487424 
@@ -85215,36 +85208,36 @@ rule MALPEDIA_Win_Getmail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dbf6f885-27d8-521e-803a-d4cecec2a1f3" - date = "2026-01-05" - modified = "2026-01-06" + id = "374a7af9-c45a-5c1c-a8b8-7d78592921f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.getmail_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.getmail_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "2b6fbdf48e4c6a7974cdc409a23649369cc0b33f0a3fc425aba3ea953c2d50db" + logic_hash = "2cea0f8bafb153941ddec4b250e7ff2492ee6e94cd595d83dce4950d94317a9d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89442428 eb07 8d4c241c 51 } - $sequence_1 = { f3a4 8b442410 395840 7463 8b704c 8b7848 a1???????? } - $sequence_2 = { e8???????? 83c40c 85c0 752d bf???????? 83c9ff f2ae } - $sequence_3 = { 56 e8???????? 83c40c 895c2430 85c0 } - $sequence_4 = { 7cf1 56 8bf1 c1e603 3b9618444100 } - $sequence_5 = { 895c244c 895c2450 8b84243c020000 8d54247c 52 53 8b08 } - $sequence_6 = { 8bfe 8bcb 33c0 f2ae f7d1 49 51 } - $sequence_7 = { 8b4d00 68???????? 51 e8???????? 
83c408 85c0 } - $sequence_8 = { 8b442420 3bc3 741d 8d48ff 8a40ff 84c0 } - $sequence_9 = { 8d542418 89442408 8b442410 56 52 8b08 } + $sequence_0 = { c744243801000000 8b44241c 889c2450040000 50 8b08 8d442428 51 } + $sequence_1 = { 5e 5d 5b 83c460 c3 49 51 } + $sequence_2 = { 50 56 ff5238 8b44241c 85c0 7409 8b0e } + $sequence_3 = { ba???????? 3bc3 7402 8bd0 8b4c2420 3bcb 7505 } + $sequence_4 = { 8b15???????? 89442420 894c2424 89542428 eb07 8d44241c 50 } + $sequence_5 = { bf???????? 88442430 83c9ff 33c0 6a01 f2ae } + $sequence_6 = { 895904 895908 89590c a1???????? 8d542444 50 } + $sequence_7 = { 52 c784249800000003000000 c784249c0000001e000130 c78424a00000001e000330 c78424a40000000300150c } + $sequence_8 = { 8b44241c 89742434 89742438 8b11 8974243c 8b742418 40 } + $sequence_9 = { 83c404 8b8c24d8000000 3bcb 7449 8a41ff 84c0 740b } condition: 7 of them and filesize < 188416 
@@ -85254,36 +85247,36 @@ rule MALPEDIA_Win_Dexbia_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "10b4a5d0-b360-57a4-9e4b-c6a9cc13bd8b" - date = "2026-01-05" - modified = "2026-01-06" + id = "87f93d34-dd2c-5eca-8ae6-b1c19054b7d0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dexbia_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dexbia_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "a367731eb970680df53cbd5e2b030972026c39b111bddedbf1b2202ab2b56805" + logic_hash = "200ccc59765b5edb67993adb1a9a999ebeb62a7adbbc126f95da16f834ee9bc6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66ab aa b9ff040000 33c0 8dbc249d260000 be???????? f3ab } - $sequence_1 = { 8d8ef8000000 8d9638010000 51 52 e8???????? 83c408 } - $sequence_2 = { 8bca 83c020 83e103 8d9424a0120000 f3a4 8d8c24a0260000 } - $sequence_3 = { 72c1 8b4508 c705????????01000000 50 a3???????? e8???????? 8db6ec894000 } - $sequence_4 = { 60 55 40 008c554000b055 } - $sequence_5 = { 81c444040000 68a00f0000 ffd5 e9???????? 53 8d8c2418100000 53 } - $sequence_6 = { e8???????? 8d942468040000 50 52 68???????? 
} - $sequence_7 = { 8bb42480010000 8bbc2484010000 c744241400000000 6a64 } - $sequence_8 = { 85c0 0f85e5feffff 8bd7 b9ff090000 8dbc2455040000 88842454040000 } - $sequence_9 = { 33c0 8d7c247d c644247c00 f3ab 66ab aa } + $sequence_0 = { 8d8c2460020000 6aff 51 6a00 ff15???????? 50 } + $sequence_1 = { 50 ff15???????? 85c0 755f 53 8d4c240c } + $sequence_2 = { 81c408100000 c3 ff15???????? 6a00 } + $sequence_3 = { 83c020 83e103 8d9424a0120000 f3a4 8d8c24a0260000 51 68???????? } + $sequence_4 = { c744246c01010000 89542478 66895c2470 ff15???????? 8d4c2418 } + $sequence_5 = { 85c0 750c c786a801000001000000 eb0a c786a801000000000000 } + $sequence_6 = { 8b0c8de0b04000 f644c10401 8d04c1 7403 8b00 c3 8325????????00 } + $sequence_7 = { f3a5 b918000000 8d7c2425 f3ab 66ab aa b931000000 } + $sequence_8 = { 8b0485e0b04000 8d04c8 8b0b 8908 } + $sequence_9 = { 8dac24542c0000 aa 8bfd b908000000 be???????? 83c520 } condition: 7 of them and filesize < 106496 
@@ -85293,36 +85286,36 @@ rule MALPEDIA_Win_Abcsync_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "02af896d-ede7-5659-a477-3d4aaff1c995" - date = "2026-01-05" - modified = "2026-01-06" + id = "002f7fd4-286b-5e2f-9aba-7216d766188a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abcsync" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.abcsync_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.abcsync_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "1265b61a325fe240ea536a84f366a66df81cfa15aa46380fd4f4b2886a744626" + logic_hash = "cc02bfbde6fc0160d9621def0a33b6b57c4d53ef4dcc5f3473edade080b4d917" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b15???????? 41be2c010000 33c9 458bc6 ff15???????? 488b15???????? 4533e4 } - $sequence_1 = { 8d4108 410fb64c1a07 4898 422a0c18 b81f85eb51 } - $sequence_2 = { ba01000000 85c9 7e13 8bc1 0f1f840000000000 c1e204 } - $sequence_3 = { 4c63c2 488bcb 33d2 e8???????? 8b542454 418bfc 4c8b35???????? } - $sequence_4 = { 488d4c2420 c74424205c595f6a c74424245c653601 e8???????? 488905???????? 
488b4c2428 } - $sequence_5 = { 2bc8 8d411c 4898 420fb60c18 410fb7441a36 662bc1 418d491d } - $sequence_6 = { 488d057d3b0100 488945e0 895128 488d0d17950000 488b45d8 488908 488d0d69200100 } - $sequence_7 = { 75d4 0f1101 498bd1 0f114110 0f114120 0f114130 0f114140 } - $sequence_8 = { 03d0 6bc232 2bc8 8d4116 420fb64c13fb 4898 422a0c18 } - $sequence_9 = { 2bc8 8d4121 420fb64c13fe 4898 422a0c18 } + $sequence_0 = { 488bd7 488b05???????? 33c9 488945ff 0f114daf c745af68000000 0f294ddf } + $sequence_1 = { 488b6c2450 488b4c2438 4833cc e8???????? 488b5c2458 488b742468 } + $sequence_2 = { 4c8be8 4885c0 0f84fa020000 8b8db0010000 488d85b4010000 44897c2448 4533c9 } + $sequence_3 = { 488b4c2470 833cb100 756f 8b5c2464 33d2 44893cb1 c1e60a } + $sequence_4 = { 03d0 6bc232 2bc8 8d411b 410fb64c1afe 4898 422a0c18 } + $sequence_5 = { 4833cc e8???????? 4883c448 c3 4883ec48 488b05???????? 4833c4 } + $sequence_6 = { 4c8d45a0 4c89742430 8bd7 4c89742428 4c89742420 c7442478ff000000 ff15???????? } + $sequence_7 = { 662bc1 418d4808 66418942f8 b81f85eb51 f7e9 418bc8 c1fa04 } + $sequence_8 = { 48c1e605 4803ee 0f1f8000000000 41b818000000 8bd3 c744242810000000 442bc3 } + $sequence_9 = { 488d0d88e10000 4183e23f 4903e8 498bf0 488b04c1 4b8d14d2 4c8b74d028 } condition: 7 of them and filesize < 348160 
@@ -85332,36 +85325,36 @@ rule MALPEDIA_Win_Monero_Miner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53964e17-4946-5df0-a485-9eaee6f615c2" - date = "2026-01-05" - modified = "2026-01-06" + id = "955a70cb-c816-5b42-9b0c-1983c59598b3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.monero_miner_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.monero_miner_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "cffe54ca1957e07a44d930d7017ae2111987cffb75cbed1acab293924f2ab98e" + logic_hash = "d2f2a6810c44d021f6177132ec88906ab8d6f27abfdaa192f7272f78210ff8f2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c6043000 c744240811000000 89442404 c70424???????? e8???????? 85c0 7411 } - $sequence_1 = { e8???????? 0fb643fa 8d4e04 c7442404???????? 890c24 89442408 e8???????? } - $sequence_2 = { 8b6c240c 136c2424 8b8c24d4000000 8bbc24dc000000 89c2 8b4350 31f2 } - $sequence_3 = { e8???????? 8d9424a0000000 8d442460 b901000000 e8???????? 8d542460 8d8424a0000000 } - $sequence_4 = { 890424 e8???????? 
83f8ff 0f8463050000 817c2434ff3f0000 8b442430 0f96c2 } - $sequence_5 = { 8b94247c010000 898c2448020000 899c244c020000 8b9c248c010000 89c5 0fa4d017 0fa4ea17 } - $sequence_6 = { 8db4248c000000 c60000 89442414 8b8398000000 8974240c c7442404???????? 89442410 } - $sequence_7 = { 8b542428 8354242c00 83c340 836c242040 c1e206 39542414 0f87c3feffff } - $sequence_8 = { ffd6 83f8ff 75de 81c4cc0f0000 89e8 5b 5e } - $sequence_9 = { 8906 8b7413fc 897411fc 8b7d14 89de 81c784000000 } + $sequence_0 = { 8bbc2484000000 89f5 01f0 11fa 89442470 0facfe1c 89542474 } + $sequence_1 = { 8bac2430010000 89b3fc000000 c6835802000001 89742408 c7442404???????? 892c24 e8???????? } + $sequence_2 = { 8b5c2414 8b7c2410 83fb00 7708 81ffff010000 767a 8b742410 } + $sequence_3 = { 8b4b04 894a04 8b4b04 8b730c 8911 8b6b08 8b4b14 } + $sequence_4 = { 137c2424 03442440 89ac2468050000 8b6c247c 136c2444 89b4246c050000 894c2468 } + $sequence_5 = { 0fb68532030000 0f95835d020000 888365020000 8b851c040000 85c0 0fb6854c030000 } + $sequence_6 = { 8bb424b8010000 31d5 894f74 8b8c2430030000 89ac24ac010000 897770 89cb } + $sequence_7 = { 8bac2490000000 23ac24b8010000 89b424cc010000 8bb42494000000 23b424bc010000 31d5 8b542408 } + $sequence_8 = { f20f2ac9 8974240c f20f2af8 f20f1005???????? f20f106c2438 f20f116c2418 f20f58f4 } + $sequence_9 = { f7d0 81f2ffffff7f 09c2 0f8437020000 c7432001000000 e9???????? 0fb64500 } condition: 7 of them and filesize < 1425408 
@@ -85371,36 +85364,36 @@ rule MALPEDIA_Win_Arik_Keylogger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7c7e785e-68b0-5d15-8779-d3bc99c37de2" - date = "2026-01-05" - modified = "2026-01-06" + id = "b0311ca3-627a-5968-b029-012ac51a5f7c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.arik_keylogger_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.arik_keylogger_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3dfa4619d5193e3c6023ed0580ae1b26d4332f72fbcfed50985df75f7171bee8" + logic_hash = "592a4c082fb68dfba79c1bf1a643e4af63cabe72de760074843b8d1125833f72" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { b8???????? e8???????? 83f801 0f85cb000000 8d45b8 e8???????? c745b800000000 } - $sequence_1 = { 8d55b0 e8???????? 8b55b0 8d45ac b9???????? e8???????? 8b55ac } - $sequence_2 = { e8???????? 8b45f8 80780700 740b 8d55f0 8b45f8 e8???????? } - $sequence_3 = { e8???????? 84c0 741d 6a00 6a00 68c6000000 8b45fc } - $sequence_4 = { c645f400 8b55fc b8???????? e8???????? 84c0 0f84b3010000 8b45fc } - $sequence_5 = { e8???????? 89c1 81f9ff000000 7605 e8???????? 8802 eb08 } - $sequence_6 = { e8???????? 
88459c 8b45a8 48 83f804 7723 ff248590826100 } - $sequence_7 = { e8???????? c745d000000000 8d4dd0 89d8 ba07000000 8b33 ff5678 } - $sequence_8 = { 8d45e4 baffffffff e8???????? 8945f8 c645ec00 8d4dd8 8d55c0 } - $sequence_9 = { b8???????? e8???????? 84c0 741b 8b45fc 8b80a8020000 8b55f4 } + $sequence_1 = { 8d45c4 b100 ba30000000 e8???????? 803d????????00 7410 c745c42c000000 } + $sequence_2 = { db7dc0 8d55c0 8955ec c745e803000000 dd4508 db7db0 8d55b0 } + $sequence_3 = { 8975b4 897db8 8945fc 8b4508 e8???????? c745bc00000000 8d4ddc } + $sequence_4 = { 8b835c010000 39f0 0f8486000000 85f6 7430 89f2 b8???????? } + $sequence_5 = { ff92e8000000 89d8 ba0a000000 e8???????? eb17 8b8354010000 83f80a } + $sequence_6 = { ff45b8 e9???????? 8b4510 8b00 8b5580 8b0490 40 } + $sequence_7 = { ff75f8 6898010000 ff75ec e8???????? 83f8ff 7406 c645f001 } + $sequence_8 = { 7426 48 743e 48 7461 e9???????? 8b4df0 } + $sequence_9 = { ff5178 8b55d4 a1???????? 8b0d???????? 8b09 ff91c8000000 89c7 } condition: 7 of them and filesize < 4947968 
@@ -85410,36 +85403,36 @@ rule MALPEDIA_Win_Yokai_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b04b80f2-53b4-5c24-9a48-b847d3a545be" - date = "2026-01-05" - modified = "2026-01-06" + id = "d032418f-b711-5d49-98ba-eb8217c86f32" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yokai" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yokai_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yokai_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "caca021b644694d243a390b5d4a331d52bc15ed81e965c2661870a1fa9d1ad5a" + logic_hash = "720424a76ddb831266cd6f10a82f12fb48b5f32781577c460137421142366554" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83780400 7f5e 8b4d14 83790400 7514 8b5514 8b4208 } - $sequence_1 = { 8945fc 837dfc00 751e 8b55fc 8955b4 8d4df4 e8???????? } - $sequence_2 = { 8b4d24 51 6a00 6a7e 68???????? 68???????? 68???????? } - $sequence_3 = { c645ac4c c645ad6f c645ae61 c645af64 c645b04c c645b169 c645b262 } - $sequence_4 = { e8???????? 6a00 6a00 6a00 8d85a0fdffff 50 6a00 } - $sequence_5 = { 0345d4 a3???????? 8b4dec 8b15???????? 2b5114 8915???????? 
8b450c } - $sequence_6 = { 8945c0 8b4dc0 898d70ffffff 8d9570ffffff 52 8d45d0 50 } - $sequence_7 = { 8a11 8855ff 8b45f8 8b480c 83c101 8b55f8 894a0c } - $sequence_8 = { 8d0c50 894df8 e8???????? c5fe7f4580 8b530c 2b55ec } - $sequence_9 = { ff15???????? 3bf4 e8???????? 50 a1???????? 83c004 50 } + $sequence_0 = { 8b55e4 52 e8???????? 83c410 b801000000 8b4dfc 33cd } + $sequence_1 = { 8d4d0c e8???????? 8b45c4 e9???????? c745f000000000 } + $sequence_2 = { 837ddc00 761e 8b55e4 0fb702 85c0 } + $sequence_3 = { c745f400000000 6a0a 8d55f4 52 8b45f8 8b480c 83e901 } + $sequence_4 = { 837dec00 7505 8b45e4 eb7c ebb0 eb24 8b4de4 } + $sequence_5 = { 8b4df8 51 6a00 8b5508 52 e8???????? 83c410 } + $sequence_6 = { 1008 b102 1028 af 0210 13af02107cb2 } + $sequence_7 = { 8b55f8 83c214 52 0fb745fc 50 8b4de0 e8???????? } + $sequence_8 = { 8b45b0 83784800 7507 33c0 e9???????? 8bf4 8d8510feffff } + $sequence_9 = { 7514 8b55f8 8b4204 2500ffffff 83c801 8b4df8 894104 } condition: 7 of them and filesize < 2066432 
@@ -85449,47 +85442,47 @@ rule MALPEDIA_Win_Pushdo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea9fd106-28fc-55dd-aa56-b9cc29b476a3" - date = "2026-01-05" - modified = "2026-01-06" + id = "a1ffdce5-e219-5722-859f-7352631942e0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pushdo_auto.yar#L1-L210" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pushdo_auto.yar#L1-L206" license_url = "N/A" - logic_hash = "44aafb8e474bf55b9e9061326e2ace4a0bcd7b0153f05d8cb31960fbba3d00f5" + logic_hash = "487e6aed24b5faaf6c86462f2c72494efb38c0ee89b861a714a37b5e1e9cc734" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7f9 33c9 ba88020000 f7e2 } - $sequence_1 = { 50 ff15???????? 33d2 b9ffff0000 f7f1 } + $sequence_0 = { 50 ff15???????? 33d2 b9ffff0000 } + $sequence_1 = { f7f9 33c9 ba88020000 f7e2 0f90c1 f7d9 } $sequence_2 = { 60 8b45fc b10b d3c0 61 } - $sequence_3 = { 8a85effeffff 888415f0feffff 8b4d08 034dfc 0fbe11 } - $sequence_4 = { 81ec18010000 6800010000 6a00 8d85f0feffff 50 e8???????? } - $sequence_5 = { 8b55fc 3b5510 0f83a6000000 8b45f4 83c001 25ff000000 } - $sequence_6 = { 8b450c 0345fc 8810 e9???????? 
8be5 } - $sequence_7 = { 8b55fc 83c201 8955fc 817dfc00010000 736a 8b45fc } - $sequence_8 = { 03c2 c1f808 49 79dd } - $sequence_9 = { ff15???????? 8945fc 3bc7 0f84a1010000 8d45ec 50 8d4598 } - $sequence_10 = { 7413 8d45f8 50 8d85f0fdffff 50 } - $sequence_11 = { 6a04 bb00300000 53 bf00100000 } - $sequence_12 = { 0f849f000000 8d45f8 50 6801008000 6801680000 ff75fc } + $sequence_3 = { 0fbe8c05f0feffff 8b45f4 0fbe8405f0feffff 03c8 81e1ff000000 } + $sequence_4 = { 03c8 81e1ff000000 0fbe8c0df0feffff 33d1 8b450c 0345fc } + $sequence_5 = { 8b45fc 33d2 f77518 8b4514 } + $sequence_6 = { 8b95e8feffff 8b45fc 8a8c05f0feffff 888c15f0feffff 8b55fc } + $sequence_7 = { f77518 8b4514 0fbe1410 03ca 81e1ff000000 898de8feffff } + $sequence_8 = { be???????? 56 ff75fc c745f820000000 } + $sequence_9 = { 59 6a04 8945f8 8d45f8 } + $sequence_10 = { 83ec24 33c0 8945e0 394508 0f84c1010000 } + $sequence_11 = { 33c0 85ff 743a 53 8b5d0c 85db } + $sequence_12 = { 8b4608 8945e0 8b4614 8945ec 8b460c 8945e4 } $sequence_13 = { 52 8d8588fbffff 50 e8???????? } - $sequence_14 = { 8b5508 8b02 8945f4 837df400 741a 8b4df4 } - $sequence_15 = { e8???????? 898544feffff 8b8544feffff 33d2 b90a000000 } - $sequence_16 = { 8bff 55 8bec 8b450c c1e810 } - $sequence_17 = { eb0f 8b9570fdffff 83c201 899570fdffff 83bd70fdffff14 } - $sequence_18 = { 2b4dfc 3b4dec 7307 33c0 e9???????? 8b55fc } - $sequence_19 = { e8???????? 8945b8 6a6c 8b4db8 51 e8???????? 8945b8 } - $sequence_20 = { 55 8bec 0fb6450c c1f804 83e00f 8b4d08 8a906c520009 } + $sequence_14 = { eb67 eb93 6a00 6a04 8d4de0 } + $sequence_15 = { 894de8 8b5514 0355e4 895514 8b4518 2b45e4 894518 } + $sequence_16 = { 0fbe08 85c9 0f84ba010000 8b5508 8955fc } + $sequence_17 = { 50 8b0d???????? 51 8b15???????? 52 8b854cfeffff 50 } + $sequence_18 = { 7e2d 0fbe4d08 83f930 7c09 0fbe5508 83fa39 } + $sequence_19 = { ff15???????? 898524feffff 83bd24feffff00 7552 } + $sequence_20 = { 50 e8???????? 8945b8 68???????? 8b4db8 } condition: 7 of them and filesize < 163840 
@@ -85499,36 +85492,36 @@ rule MALPEDIA_Win_Tabmsgsql_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "613cbea2-b3e6-59ad-af97-1c16f24a8ca2" - date = "2026-01-05" - modified = "2026-01-06" + id = "3316ca5b-f156-5238-9310-3cd66105b50f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tabmsgsql_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tabmsgsql_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "fea9841dfc3e899e511f6e59152b7eb3a1bf8ea0929e01fae7a33a41386cf162" + logic_hash = "1efa478e85c180f07acd52f66216e5fd1332f46afb376559ab06601b9bc65831" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 ff15???????? 5e 33c0 5b 81c404d00700 } - $sequence_1 = { e9???????? 8b0d???????? 3bcb 0f8463feffff a1???????? 3bc3 0f8456feffff } - $sequence_2 = { 6a01 8bcb ff15???????? eb45 8b430c 83f81f 7704 } - $sequence_3 = { 83c9ff 33c0 8d951217fcff f2ae f7d1 2bf9 50 } - $sequence_4 = { 8b842430f50100 83c424 85c0 5f } - $sequence_5 = { 51 b9???????? 895dfc a2???????? e8???????? 3bc3 0f84d7000000 } - $sequence_6 = { f3a5 8bc8 33c0 83e103 f3a4 8bbc2438060000 83c9ff } - $sequence_7 = { 5b 83e103 b801000000 f3a4 } - $sequence_8 = { 3de8030000 a3???????? 
7d0c c705????????e8030000 } - $sequence_9 = { 33c0 68???????? f2ae f7d1 2bf9 8d442434 8bd1 } + $sequence_0 = { 8d95c8f7ffff 51 68???????? 68???????? 52 ffd6 8b750c } + $sequence_1 = { 7530 6810270000 ff15???????? 6a00 6a00 6a00 6a00 } + $sequence_2 = { 6a00 68ff0f1f00 f3a4 ff15???????? 85c0 7437 50 } + $sequence_3 = { 81c42c050000 c3 8d442410 c744241028010000 50 } + $sequence_4 = { 52 8b560c 52 ffd3 85c0 0f84ca000000 8d9e31880000 } + $sequence_5 = { 50 68???????? ffd7 83c408 8b4c242c 85c9 } + $sequence_6 = { 0f84a9010000 398e2c800000 0f849d010000 8b2d???????? 33c0 8b4e10 49 } + $sequence_7 = { e8???????? 8bf8 8b442424 50 57 6a01 56 } + $sequence_8 = { 6a10 56 51 ffd5 83c40c 83c602 83c303 } + $sequence_9 = { 45 ff15???????? 8dbc2450010000 83c9ff 33c0 } condition: 7 of them and filesize < 163840 
@@ -85538,36 +85531,36 @@ rule MALPEDIA_Win_Karagany_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3572ccbc-1c3c-5c06-9653-09cc26e9f425" - date = "2026-01-05" - modified = "2026-01-06" + id = "4ee95557-e5a1-5206-b1e1-83b7c1a03f53" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.karagany_auto.yar#L1-L111" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.karagany_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "7b1e13963414e6b2e1af9eb1a6f96423af34e9bc7a849bda8fce35a0e1356973" + logic_hash = "50c78bad2fe64d871a34de3dc803e153d15cea7a51e6b6572c4a865577163d13" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945d0 8945d8 8945e0 8945e8 8945ec 8945f4 } - $sequence_1 = { 8bf8 6a03 57 ffd6 } - $sequence_2 = { 57 8bf8 6a03 57 } - $sequence_3 = { 8945d8 8945e0 8945e8 8945ec 8945f4 } - $sequence_4 = { 6a40 6800300000 6800000300 6a00 } - $sequence_5 = { 8b4508 0526f8ffff 69c06c010000 034510 } - $sequence_6 = { 8bec 81ec60060000 53 56 57 33c0 } - $sequence_7 = { ff15???????? 6a00 53 68???????? } - $sequence_8 = { 68???????? 8d85a4fdffff 50 ffd6 68???????? } - $sequence_9 = { 8bd8 2bc7 40 50 57 } + $sequence_0 = { 56 8b35???????? 
57 8bf8 6a03 } + $sequence_1 = { 894ddc 894de4 894df0 894df8 894dfc } + $sequence_2 = { 6a40 6800300000 6800000300 6a00 } + $sequence_3 = { ff15???????? 6a64 ff15???????? 5f 5e 33c0 5b } + $sequence_4 = { 8b35???????? 57 8bf8 6a03 57 ffd6 } + $sequence_5 = { 57 8bf8 6a03 57 } + $sequence_6 = { 55 8bec 81ec60060000 53 56 57 33c0 } + $sequence_7 = { 8b35???????? 57 8bf8 6a03 57 ffd6 85c0 } + $sequence_8 = { 6800300000 6800000300 6a00 ff15???????? } + $sequence_9 = { 57 8bf8 6a03 57 ffd6 85c0 } condition: 7 of them and filesize < 180224 
@@ -85577,36 +85570,36 @@ rule MALPEDIA_Win_Unidentified_071_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cfbea96e-4359-5ae7-941b-244ed79d12c2" - date = "2026-01-05" - modified = "2026-01-06" + id = "ecd0bbae-703b-51a6-96ff-710f93466c00" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_071_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_071_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "2aec891397e4f33ea521c1dfdd2bf39deb44b46ee917346f946ae37d0a5d367f" + logic_hash = "a0081e0bf8b9a105d17b607848155d524344d75a493c323ca584f244280d0181" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837c241002 740b 837c241003 7504 6a0b } - $sequence_1 = { a1???????? 0d00020000 a3???????? e8???????? } - $sequence_2 = { 56 55 e8???????? 8d4701 89742420 } - $sequence_3 = { c1e902 57 33ff 3b550c 0f47c8 85c9 7413 } - $sequence_4 = { 53 56 57 e8???????? 83c418 eb10 83f802 } - $sequence_5 = { 3bf3 7408 53 8bce e8???????? 83ed10 83eb10 } - $sequence_6 = { 0faf05???????? 53 56 8b35???????? } - $sequence_7 = { 8bec 8b550c 8b4d10 8b4214 2b4210 394110 7615 } - $sequence_8 = { c21000 e8???????? cc 8b442408 56 8b742408 } - $sequence_9 = { a3???????? 
a1???????? 83e040 59 a3???????? } + $sequence_0 = { 56 57 ff7510 83e910 8d7df0 8bf1 8d45f0 } + $sequence_1 = { 2bc2 0bc8 a1???????? 890d???????? } + $sequence_2 = { 56 c1f802 8bf1 50 e8???????? 84c0 7415 } + $sequence_3 = { 59 85c0 7512 53 56 ffd5 } + $sequence_4 = { 53 ff542430 59 59 85c0 751b } + $sequence_5 = { e8???????? 50 8d45c8 56 50 } + $sequence_6 = { 7474 40 50 8945f8 e8???????? 8bc8 8945fc } + $sequence_7 = { e8???????? 8b4d08 8d4704 8b5604 } + $sequence_8 = { a1???????? 59 c3 8b15???????? } + $sequence_9 = { a1???????? 83c804 890d???????? a3???????? } condition: 7 of them and filesize < 1220608 
@@ -85616,36 +85609,36 @@ rule MALPEDIA_Win_Jlorat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f0bef584-e973-53d7-a046-17a467ab2308" - date = "2026-01-05" - modified = "2026-01-06" + id = "ba729196-a7d7-59f0-9c40-f4da7d10b781" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jlorat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jlorat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6c508a88f484b849b2f103f8c11b47dfe4f6c1e48dc255ea3be8790051e1a3db" + logic_hash = "89ee6f5af4bbc0ca3930c558eb44fe3b46ffa971fd86650e68795fe094f9760a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? e9???????? 89e0 8d4d0c 8908 e8???????? 899558ffffff } - $sequence_1 = { eb00 8b4de0 83c134 c745f0ffffffff 89e0 8908 e8???????? } - $sequence_2 = { f7e2 8985d0feffff 8995d4feffff b804000000 c1e002 8b4d0c ba04000000 } - $sequence_3 = { eb00 8b8d7cffffff 8b45b0 894de0 0518040000 898574ffffff c745cc01000000 } - $sequence_4 = { e8???????? 8995c8feffff 8985ccfeffff eb00 8b8dc4feffff 8b85c8feffff 8b95ccfeffff } - $sequence_5 = { eb5f eb00 b801000000 83f800 7514 8b442438 8b00 } - $sequence_6 = { e8???????? 
eb00 8b4da4 83c10c c745f001000000 89e0 8d55cc } - $sequence_7 = { eb2a 8b4e14 8b5618 89e0 895004 8908 e8???????? } - $sequence_8 = { f20f1186b8010000 f20f108698010000 f20f1186d8010000 f20f108688010000 f20f108e90010000 f20f118ed0010000 f20f1186c8010000 } - $sequence_9 = { f20f1145d0 c745f001000000 89e0 8d55d0 895004 8908 e8???????? } + $sequence_0 = { f20f1085b0feffff f20f1185c0feffff 89e0 8d8dc0feffff 8908 e8???????? 899598feffff } + $sequence_1 = { eb00 eb02 ebfc 837dc000 0f94c0 a801 7502 } + $sequence_2 = { f6464501 7522 eb06 c6463b01 ebf2 8a463b 8b4e58 } + $sequence_3 = { e8???????? 8b458c 8b4de8 64890d00000000 83c478 5e 5f } + $sequence_4 = { eb00 c745f000000000 89e0 8d8d1cffffff 8908 e8???????? e9???????? } + $sequence_5 = { f20f1045d4 c745dc00000000 c745d800000000 66c745e00000 f20f1055d4 f20f104ddc 894808 } + $sequence_6 = { f7e1 898518ffffff 0f90c0 a801 753d eb20 89e0 } + $sequence_7 = { f20f1145ac f20f1045bc f20f1055ac f20f104db4 f20f118578ffffff f20f118d70ffffff f20f119568ffffff } + $sequence_8 = { f20f108620040000 f20f11863c030000 f20f108610040000 f20f108e18040000 f20f118e34030000 f20f11862c030000 88866c030000 } + $sequence_9 = { f20f10860c020000 f20f118600020000 8b08 83c144 c786680f000008000000 89e0 8908 } condition: 7 of them and filesize < 10952704 
@@ -85655,34 +85648,34 @@ rule MALPEDIA_Win_Hoplight_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c82c3889-c1c1-5b5f-b045-d951cf697dce" - date = "2026-01-05" - modified = "2026-01-06" + id = "1dda98cf-88d1-57ae-ab17-7b1e0b7698d4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hoplight_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hoplight_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "64af8d5fa666e50115627ed90a11584ace05accbe5176be041c804017c028f5b" + logic_hash = "07870a85d082a7b78f6b5f75f789233b4fb923e2e92e8de9a1f411e692a20454" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b442450 c70000000000 c705????????00000100 b800000100 eb53 488b442440 4889442428 } - $sequence_1 = { 0fb6542434 488b4c2450 e8???????? 488b442450 8b80ccaf0600 488b4c2450 488d8401b8af0100 } - $sequence_2 = { 488bcb 488905???????? ff15???????? 488d158c620400 488bcb 488905???????? ff15???????? } - $sequence_3 = { 488b442428 488b8018020000 4889442428 41b820020000 33d2 488b4c2430 e8???????? } - $sequence_4 = { 4883c004 4889842418020000 8b442414 0faf442424 8944240c 8b442414 0faf442408 } - $sequence_5 = { 488b4878 e8???????? 
b801000000 eb76 41b800420000 33d2 488b442440 } - $sequence_6 = { 4489442418 4889542410 48894c2408 4883ec48 488b4c2450 e8???????? 89442420 } - $sequence_7 = { 482bc8 488bc1 4883f801 7d0a b814ffffff e9???????? 488b8424d0000000 } + $sequence_0 = { 4889842460080000 488b8c2460080000 e8???????? 4889442420 488d4c2440 e8???????? 4889442428 } + $sequence_1 = { 488b00 0fb600 488b4c2430 8901 488b442450 488b00 48ffc0 } + $sequence_2 = { 4c8bd8 488905???????? 4885c0 7422 488d15ed620300 488bce ff15???????? } + $sequence_3 = { 48837c243800 7411 488b442438 488b4c2430 488b4920 488908 48837c244000 } + $sequence_4 = { 338424a0000000 488b8c24b0000000 8901 8b442438 83f006 4898 488b4c2420 } + $sequence_5 = { 488d4c2422 33d2 41b8fe1f0000 6689442420 e8???????? 488b15???????? 488d0d30f30400 } + $sequence_6 = { 488b442420 488b4c2420 8b491c 8b4008 33c1 488b4c2420 894120 } + $sequence_7 = { 4898 488b4c2420 488d0481 4889842498000000 8b8424c0000000 83f005 4898 } condition: 7 of them and filesize < 765952 
@@ -85692,36 +85685,36 @@ rule MALPEDIA_Win_Quarterrig_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "773e603c-b2a3-5ce5-ad18-62d70b454a9c" - date = "2026-01-05" - modified = "2026-01-06" + id = "f4b9e5a6-7c3f-5c61-bbfa-0108a537995f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quarterrig_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quarterrig_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e5d3fc199bcc485e4ab028e477fcfeb78c0e1cd4e9776332bb130fba34692b6a" + logic_hash = "e65cee4f8d2a2e57297a0e582469457e82b6f0c9562e8e7769cb6ba1e4d63137" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d95f0010000 488d4c2460 e8???????? 410fbaec07 4489642434 488d542460 48837c247810 } - $sequence_1 = { 7506 443a5802 7420 498bc1 492bc2 4903c0 663b10 } - $sequence_2 = { 482bd7 4a0fbeb43850140600 8d4e01 4863c1 483bc2 0f8fe4010000 83f904 } - $sequence_3 = { 4c89442418 4c894c2420 4883ec28 b95772865c e8???????? 4c8bf8 b95772865c } - $sequence_4 = { 84c0 0f85a6000000 488d5770 488d8d10010000 e8???????? 84c0 0f8588000000 } - $sequence_5 = { 80e107 c0e103 498bc5 48d3e8 43300408 49ffc0 4983f803 } - $sequence_6 = { c3 488d0d7ad90500 e8???????? 
833d????????ff 75d2 66c705????????1301 } - $sequence_7 = { 498d8fc0000000 498bd1 e8???????? 90 488b55d7 4883fa10 720c } - $sequence_8 = { 80e107 c0e103 48b8fff3a94f9f372b79 48d3e8 42300402 48ffc2 4883fa07 } - $sequence_9 = { 418ac9 80e107 c0e103 49b81bf1eb35955fe34f 49d3e8 45300401 49ffc1 } + $sequence_0 = { 488b95d0020000 4883fa10 720f 48ffc2 488b8db8020000 e8???????? 4c89adc8020000 } + $sequence_1 = { 49b833bb51376f21b729 49d3e8 45300401 4d03ce 4983f919 72dd 44886819 } + $sequence_2 = { 0f29742450 488b05???????? 4833c4 4889442440 660f6f35???????? c7442430054c22c9 c7442434f04985c7 } + $sequence_3 = { 4833c4 488985d8020000 4d8bf9 4c898dc0000000 4c8985c8000000 48899590010000 488bd9 } + $sequence_4 = { 4c8d9c2410140000 498b5b30 498b7340 498be3 415f 415e 415c } + $sequence_5 = { 833d????????ff 75d2 c605????????01 0fb7442420 668905???????? 488d0d5f5b0300 e8???????? } + $sequence_6 = { b90e000000 4c8d055dc10100 488d155ec10100 e8???????? 4c8d0d6ac10100 b90f000000 4c8d0556c10100 } + $sequence_7 = { 44396def 0f8492000000 488d4da7 e8???????? 4c8bc8 44386817 742f } + $sequence_8 = { 41b3c3 0fb71424 498d0409 663b10 7506 443a5802 743e } + $sequence_9 = { e8???????? eb0d 48ffc2 488d4c2420 e8???????? 03c3 488364244800 } condition: 7 of them and filesize < 971776 @@ -85735,7 +85728,7 @@ rule MALPEDIA_Win_Bandit_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bandit_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bandit_auto.yar#L1-L134" license_url = "N/A" logic_hash = "57d98c9e72ec66c58eb155bb6176131c752f20871acb7c0dc2253a7bf7e472fd" score = 75 
@@ -85770,36 +85763,36 @@ rule MALPEDIA_Elf_Satori_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2284f03a-322c-58c3-b1d9-fcae207127e0" - date = "2026-01-05" - modified = "2026-01-06" + id = "33521f35-1c00-54e1-a9d5-fe77d32afdde" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.satori_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.satori_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "62c626f34e857ae6d027e483d640bb517fea648ca7b95f5f7c3238608cc58884" + logic_hash = "d83b43d2c723fcf6b8728106de1ee89735a5d3eaab4f6c30895106a7ac2be362" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 75f0 83ec0c ebcd 8d65f8 5b 5e } - $sequence_1 = { c7411849260508 eb28 83f83e 7509 c7411851260508 eb1a 83f82a } - $sequence_2 = { 50 e8???????? 83c410 eb22 50 55 } - $sequence_3 = { 894304 e8???????? a1???????? 66897308 c7430c00000000 c6430aff 89580c } - $sequence_4 = { 0fb7c0 894704 8b441108 66c1c808 } - $sequence_5 = { e9???????? 0fbe19 b800000080 41 c744240801000000 eb12 } - $sequence_6 = { e8???????? 89e8 c7851c040000ffffffff e8???????? 83c410 e9???????? } - $sequence_7 = { 80cc08 50 6a04 ff35???????? e8???????? 
8d842468090000 } - $sequence_8 = { 41 eb9b 85ed 790f } - $sequence_9 = { 83c410 807b021f 742c 8d143b 8a02 3cfd 7404 } + $sequence_0 = { ff442438 66c1c808 66894214 8b442420 66c1c808 66894102 8d4508 } + $sequence_1 = { 6a01 6a0e 56 53 e8???????? 88442456 } + $sequence_2 = { 0fa39484b8080000 0f92c0 84c0 0f84ad110000 80bd3604000000 7492 81bd2404000000040000 } + $sequence_3 = { 8d5001 895304 8b54241c 66c1c808 0fb7c0 894704 8b441108 } + $sequence_4 = { 034510 83e1fc 8d3c0e 897ddc 39c7 7628 6a00 } + $sequence_5 = { fc 8dbc2438090000 31c0 ab ab ab ab } + $sequence_6 = { 56 6a06 6a03 6a02 e8???????? 83c410 83f8ff } + $sequence_7 = { e8???????? 01c5 83c410 e9???????? 80f978 750f 8b442408 } + $sequence_8 = { 31db 42 83fe06 7f08 8a4202 41 84c0 } + $sequence_9 = { 83ec0c 57 e8???????? 83c410 83ec0c ff742414 e8???????? } condition: 7 of them and filesize < 122880 
@@ -85809,36 +85802,36 @@ rule MALPEDIA_Win_Chches_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef78cd53-b90a-5608-a384-2a896eb61dd5" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1e3b20f-e743-53e1-ac6e-215947ccb2a0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chches_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chches_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "b0a1cb7e042feb67b6afb2859125bb6309d891a3da8da2205204e42953893b2e" + logic_hash = "f824466dcad6d2ffdf6fb769e15d5dc2ca63b4ccfc42a7ff22172ad6dbf0523c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b4c243c 8903 8b4534 83c408 85c0 } - $sequence_1 = { ffd2 3dfe1f0000 7608 83eb64 e9???????? 8b7c2454 } - $sequence_2 = { 03c1 50 57 e8???????? 
8b96d8000000 83c408 6860ea0000 } - $sequence_3 = { c7460800000000 8b4744 56 6a00 ffd0 8b4f50 50 } - $sequence_4 = { 897c2424 897c2430 3bc7 0f856c020000 8b5d0c 3bdf 0f8404030000 } - $sequence_5 = { 0f84aa010000 8b4660 8bd1 52 ffd0 8b5644 8bd8 } - $sequence_6 = { 8d791c 81c61d051101 85ff 746e 85db 744d 8b550c } - $sequence_7 = { 50 8b4364 ffd0 8b4df8 8b938c000000 6a00 6a00 } - $sequence_8 = { 33d2 6689140f 8b7c2410 eb1e 85c0 751a 8b03 } - $sequence_9 = { ffd2 50 8b4650 ffd0 8b4dfc 51 8d7df8 } + $sequence_0 = { 745a 50 8b4660 ffd0 8b0e } + $sequence_1 = { 8b550c 8b4508 8b8ec0000000 53 6880000000 52 53 } + $sequence_2 = { 8bf0 85f6 7404 c60600 46 803b00 7424 } + $sequence_3 = { 3bc3 7412 8b5644 50 53 ffd2 50 } + $sequence_4 = { 33ff 33c0 81c61d051101 897df0 8945ec 3bcf } + $sequence_5 = { 746f 50 8b4664 ffd0 8b4c3bfc 8b4910 03c0 } + $sequence_6 = { 8b45fc 8903 8b4d10 8b45f4 894b08 8b97c4000000 8b4df0 } + $sequence_7 = { 03c0 8945ec 8d441001 2bf0 8945d8 03f3 } + $sequence_8 = { 8b17 894214 8b4508 8b4814 8b17 8b4214 53 } + $sequence_9 = { e8???????? 8b75fc 83c408 8bd8 85f6 7507 8b4f74 } condition: 7 of them and filesize < 122880 
@@ -85848,36 +85841,36 @@ rule MALPEDIA_Win_Vanhelsing_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "02fe503d-2dc7-525c-81f0-efaa387cf55b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d1a343a-0c6b-5c37-9695-c6037c02d0e0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vanhelsing" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vanhelsing_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vanhelsing_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "88005107b8dd0aed04a916a851d1dfdd2e8ac36a0ef3ce82f006aaa16cb30fa5" + logic_hash = "ccbfeac61004bf4c8294fe46b3e9097ef1cf43d2830ff6b8aa99cc9635698e18" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5d c3 55 8bec 81ec9c000000 8b450c 53 } - $sequence_1 = { 8b4518 0f1000 0f1145cc 0f104010 8b01 8b4904 8945ec } - $sequence_2 = { 660f380035???????? 0f57c8 660f38000d???????? 0f29b520ffffff 0f294df0 0f28c6 660fd4c3 } - $sequence_3 = { 8b45e4 8b048598485600 8b4de0 f644082801 7515 e8???????? c70009000000 } - $sequence_4 = { 85c9 7410 8a80b4d44800 8806 46 41 897590 } - $sequence_5 = { 6a00 6a00 6800000008 ff15???????? 
6a03 6a00 6a00 } - $sequence_6 = { 888570fbffff 240f 884580 8a06 888571fbffff 240f 884581 } - $sequence_7 = { 039d48ffffff 8b4dc8 138de8feffff 039df0feffff 898530ffffff 8bc3 138ddcfeffff } - $sequence_8 = { 7f4f 8d4608 50 8d85d8fbffff 68???????? 50 e8???????? } - $sequence_9 = { 0fb6cb c1e803 83e107 0fb67405dc 8d8514ffffff d3ee 83e601 } + $sequence_0 = { 8b458c 038508ffffff 1395c0feffff 03856cffffff 898524ffffff 139530ffffff 33850cffffff } + $sequence_1 = { 898d1cffffff 03ca 89b568ffffff 13b508ffffff 33d9 33c6 898d64ffffff } + $sequence_2 = { 8b45ac 0f1006 0f57c8 8b4db0 0f289580feffff 0f289d70feffff 0f1108 } + $sequence_3 = { 898d08ffffff 138568ffffff 33d9 33d0 899d68ffffff c1a568ffffff10 0facd310 } + $sequence_4 = { 898df4feffff 33c6 8b8d6cffffff 8bf0 33ca c1e610 0facc810 } + $sequence_5 = { 0bf9 8b8d44ffffff 03c2 898564ffffff 13cf 89950cffffff 33c6 } + $sequence_6 = { 8bc4 0f1045d0 83ec10 0f1100 8bc4 0f108560ffffff 0f1100 } + $sequence_7 = { 3bc8 740c 8b0cb514bd4800 46 85c9 75f0 } + $sequence_8 = { 55 8bec 8b450c ff7510 ff348544bc4800 ff7508 e8???????? } + $sequence_9 = { 83c220 03c2 83c40c 83c620 3bc7 8b459c 76db } condition: 7 of them and filesize < 2981888 
@@ -85887,42 +85880,42 @@ rule MALPEDIA_Win_Misfox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7c26cb13-6097-513e-b029-4599c7648809" - date = "2026-01-05" - modified = "2026-01-06" + id = "ad4a465e-502d-557b-9df0-0d09a5d58c98" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.misfox_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.misfox_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "d0174e7f68a85bf1ff57434ec100f8da7228de9ad77dd40f610066f3391b57bd" + logic_hash = "f0284d77322fd81fc80799ff8b17c387a5c86ef9b47522a47cced1f49d8f1bd3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85f4ebffff 50 8b8528e5ffff 8b048550870110 } - $sequence_1 = { 8a0a 42 884dab 83f80b 0f877b020000 ff2485b4d30010 } - $sequence_2 = { 8947fc 894c9308 81fe00010000 7ccc } - $sequence_3 = { 85f6 75e8 8b5c2410 68???????? 8d8424e8000000 6a20 } - $sequence_4 = { 0f85a0000000 8b4c240c 8d542418 50 50 50 } - $sequence_5 = { 8b06 6a25 40 50 8d45d0 50 } - $sequence_6 = { 8d8c24a4000000 c784245003000000000000 e8???????? 8d4c246c } - $sequence_7 = { 8b4708 8d5704 8902 8b45b8 52 c70300000000 40 } - $sequence_8 = { ff15???????? 483305???????? 
488d15cabc0000 488bcb } - $sequence_9 = { 442bc8 b8b1f98cb3 41f7e9 b8b1f98cb3 458d0411 41c1f80a } - $sequence_10 = { 4c897c2438 8b442440 89442430 4c897c2428 4c897c2420 4533c9 } - $sequence_11 = { 4889442450 e8???????? 488d053cf90000 488d15b56c0100 } - $sequence_12 = { 7526 4c8d3505500100 493bde 7408 } - $sequence_13 = { 803c3000 75f7 4c8bc6 488d542438 498bce e8???????? 498bc6 } - $sequence_14 = { 0f114580 f20f100d???????? f20f114d90 8b05???????? 894598 } - $sequence_15 = { e9???????? 4c8d25af510100 8bee 41bf01000000 } + $sequence_0 = { ddd8 db2d???????? b801000000 833d????????00 0f8536510000 } + $sequence_1 = { 8bf7 8906 8d7604 40 3d00010000 7cf3 c745fc00000000 } + $sequence_2 = { 8d44241c 50 6a01 8d442420 50 8d442440 50 } + $sequence_3 = { 8b0c8550870110 8b8524e5ffff f644080480 0f8475030000 8b9530e5ffff 33ff 89bd34e5ffff } + $sequence_4 = { c3 8bc1 85f6 7409 } + $sequence_5 = { 7f0a b80a000000 5e 8be5 5d c3 53 } + $sequence_6 = { ff74241c ffd6 85c0 7560 8b3d???????? } + $sequence_7 = { 83e908 8d7608 660fd60f 8d7f08 8b048d08410010 } + $sequence_8 = { 488d4dff ba00020000 c745cb00020000 448975c7 } + $sequence_9 = { e8???????? 8b430c 4c8d6708 894308 8b470c } + $sequence_10 = { 488bc3 488b5c2430 4883c420 5f c3 488d0d4c6f0100 } + $sequence_11 = { 48837d0810 4c0f434df0 488d4d10 48837d2810 480f434d10 8b4500 } + $sequence_12 = { eb15 413bc4 753e 0fb65530 0fb64531 } + $sequence_13 = { 8d41fa 83f801 7774 488b4dbf ff15???????? 83f826 } + $sequence_14 = { 488bc3 488bfb 48c1ff05 4c8d3526d20000 83e01f 486bf058 498b04fe } + $sequence_15 = { 4833c4 48894547 488d0d615f0100 ff15???????? 488d4def ba00080000 } condition: 7 of them and filesize < 266240 
@@ -85932,36 +85925,36 @@ rule MALPEDIA_Win_Bitsran_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c41fb238-3a88-588a-bd64-8c79897f41cf" - date = "2026-01-05" - modified = "2026-01-06" + id = "16c55ef7-ea38-5a6e-9b03-3ffbc1490773" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bitsran_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bitsran_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "08b2b0624c9fdd6e9f5feb9b1571fe8c6b4f0a45acfb94549c3dcefd928c589e" + logic_hash = "66ad634ce1f4bbbfe736e731a2362905372751f8a16d7a77b20768e031217360" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85c0f6ffff 50 57 e8???????? 33c0 } - $sequence_1 = { 8bec 53 8bd9 833b00 } - $sequence_2 = { 85f6 741f 85c9 741b 8b13 52 6a01 } - $sequence_3 = { eb0c 8a85eefcffff 8a8deffcffff c7830c02000000000000 84c9 740a c7830c02000010000000 } - $sequence_4 = { 33f6 90 8d85f0fcffff 50 57 } - $sequence_5 = { 837e0813 7324 b801000000 8bff 8b4e08 8b148d90564100 } - $sequence_6 = { c70009000000 c747180c5e4100 e9???????? 8b45fc 8b4008 } - $sequence_7 = { ffb7b0104200 ff15???????? 
8987b0104200 83c704 83ff28 72e6 5f } - $sequence_8 = { ff248d98594000 83ff03 7338 b901000000 837df800 0f848a060000 294df8 } - $sequence_9 = { 5d c3 8b4d1c c741180c5e4100 eb59 } + $sequence_0 = { 740a 8b85f4feffff 56 50 eb3a 8b0d???????? 8b15???????? } + $sequence_1 = { 8bbdf4feffff 8d4701 50 e8???????? 57 } + $sequence_2 = { 85c0 7403 8975fc 837dfc00 } + $sequence_3 = { e8???????? 8be5 5d c3 57 8bff 33c9 } + $sequence_4 = { c1f905 8b0c8da01f4200 83e21f c1e206 385c1104 7506 4e } + $sequence_5 = { 7509 c743186c5d4100 eb11 83fefc 740c c743184c5d4100 } + $sequence_6 = { 66894ddc ff15???????? 83f801 753b 8b4d0c 8b55f0 69c9e8030000 } + $sequence_7 = { 83c408 85c0 7403 8975fc 8b03 8d55cc 52 } + $sequence_8 = { 8bc1 c1f805 8bf1 83e61f 8d3c85a01f4200 } + $sequence_9 = { 8935???????? ff15???????? 50 e8???????? 8bf7 2bf3 c1fe02 } condition: 7 of them and filesize < 344064 
@@ -85971,36 +85964,36 @@ rule MALPEDIA_Win_Btcware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fb79124d-5478-5d65-bb0b-b2f45f8507ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "7a18e982-28a7-5c4e-872b-3a019af14d0b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.btcware_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.btcware_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "953afc4c0f32ce8172077704d80fd52c7aee0d584b7d86a36e176eb1e7df5fbe" + logic_hash = "8f989732d800f4741fbd2ada95ec42c48b7a7fedb058bc69a54423d7ddcacff7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85f4faffff 68???????? 50 ffd6 83c418 8d85f0faffff 50 } - $sequence_1 = { 8b4610 c6040800 83ff03 7ca9 8b7dd8 33db } - $sequence_2 = { e8???????? 8904bd40d04100 85c0 7514 } - $sequence_3 = { 6888d38101 68???????? 6a00 ffd3 33d2 } - $sequence_4 = { 50 ffb5a0d7ffff ff15???????? 
85c0 0f8518feffff } - $sequence_5 = { 5d c3 55 8bec 83e4f8 b81c820000 } - $sequence_6 = { b880fd8101 c3 b87cfd8101 c3 53 56 } - $sequence_7 = { 897df4 3bfb 0f8e6fffffff 83c8ff eb07 8b04cdc42f4100 5f } - $sequence_8 = { c78564ffffff0f000000 c68550ffffff00 83f810 7245 8b8d38ffffff } - $sequence_9 = { 8945e0 8d8058c54100 8945e4 803800 8bc8 7435 8a4101 } + $sequence_0 = { 16 97 88bd24f1ed24 ae } + $sequence_1 = { 6bf830 8955f4 8b149540d04100 897df0 8a5c1729 80fb02 7405 } + $sequence_2 = { ffd6 6a00 8d45d8 50 6a03 ff75ec } + $sequence_3 = { 0f84b7010000 68???????? 8d85d0d7ffff 50 ffd6 85c0 0f84a1010000 } + $sequence_4 = { 0f82206fffff 83f923 0f87176fffff 8bc8 51 e8???????? } + $sequence_5 = { 83f81d 7cf1 eb07 8b0cc5ec494100 894de4 } + $sequence_6 = { 660f282d???????? 660f59f5 660f28aae03f4100 660f54e5 660f58fe 660f58fc } + $sequence_7 = { c78530ffffff00000000 c78534ffffff0f000000 c68520ffffff00 83f810 7245 } + $sequence_8 = { 8b45e0 8d4e0c 6a06 8d904cc54100 5f 668b02 8d5202 } + $sequence_9 = { e8???????? 8bf8 bad4fc8101 c645fc04 } condition: 7 of them and filesize < 458752 @@ -86014,7 +86007,7 @@ rule MALPEDIA_Win_Urlzone_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.urlzone_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.urlzone_auto.yar#L1-L126" license_url = "N/A" logic_hash = "c42481bd862ad161fd4e6a711568aaf0139280c4a77d4d9855a08ac723543c9d" score = 75 
@@ -86049,36 +86042,36 @@ rule MALPEDIA_Win_Enigma_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc26267d-179f-5094-a193-17b8c695e45b" - date = "2026-01-05" - modified = "2026-01-06" + id = "02b9934e-6302-5557-945e-51e327d5dd8c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.enigma_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.enigma_loader_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.enigma_loader_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "3dcf8ded19af004c0de0e4efb8fdefb86f8c4578eb04199c475e4c233dfc8212" + logic_hash = "34dd15dbcc2e94f07c94bb1a4b56ab8c5152debe862b2f9e87f8d933c763056e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d4da0 e8???????? 90 488d15acf80200 488bc8 e8???????? 0f1000 } - $sequence_1 = { 493bc1 0f84d9010000 4c8d4001 4c89442430 488b4910 482b0a 48c1f904 } - $sequence_2 = { 482b01 49b8ffffffffffffff1f 48c1fd03 4c8bfa 48c1f803 488bf9 } - $sequence_3 = { 488d15fb560300 488d4c2420 e8???????? cc 4053 4883ec20 488bd9 } - $sequence_4 = { e8???????? 90 c6462801 40387e29 0f85b6050000 bb00100000 488b542448 } - $sequence_5 = { 0f28c6 e8???????? 6685c0 0f8f40080000 498d4e20 488d9508020000 e8???????? 
} - $sequence_6 = { 4c8d4dd0 418bc4 41f7e0 c1ea05 0fbec2 6bc83a 418ac0 } - $sequence_7 = { 488d8424a8000000 4889442420 48895c2428 488933 48897308 b950000000 e8???????? } - $sequence_8 = { 83f901 752f 488bca e8???????? 448be0 eb22 } - $sequence_9 = { 57 488bec 4883ec40 448ada 488bf1 4883c120 488d55f0 } + $sequence_0 = { 488d8a40000000 e9???????? 488d8a40010000 e9???????? 488d8a20010000 e9???????? } + $sequence_1 = { 0f1005???????? 0f114597 0f100d???????? 0f114da7 8a05???????? 8845b7 448bc3 } + $sequence_2 = { ff15???????? b801000000 4c8d5c2470 498b5b10 498b6b18 498b7320 } + $sequence_3 = { 488d040a 488bf5 483bc5 480f43f0 493bf0 0f8728010000 488bce } + $sequence_4 = { 488bd9 4c8d0d48530100 33c9 4c8d0537530100 488d1538530100 e8???????? } + $sequence_5 = { e8???????? cc e8???????? cc e8???????? 90 498bd6 } + $sequence_6 = { 488bcb ffd0 418bc7 e9???????? ba3eefbb12 e8???????? 488bcb } + $sequence_7 = { 488bcb ffd0 e9???????? ba175bc35c 418bdf 8bcb e8???????? } + $sequence_8 = { 488d055e6afeff 0fb68cb8a2b10200 0fb6b4b8a3b10200 8bd9 48c1e302 4c8bc3 8d040e } + $sequence_9 = { 773b 498bc8 e8???????? 488b6c2458 4a8d0ce3 48891f 498bc6 } condition: 7 of them and filesize < 798720 
@@ -86088,36 +86081,36 @@ rule MALPEDIA_Win_Pony_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1e9f1216-c41a-57fb-9136-54f943e63660" - date = "2026-01-05" - modified = "2026-01-06" + id = "07a8ce56-69f6-5c31-a7a8-69cb4e8e2459" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pony_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pony_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "9de93368584eaaab5c5e69d58fb6c6411ee417490cc0e48dc0aded17e02bd8ef" + logic_hash = "4284cc698080443fd93668ba37681bbae49776fc104539ed495c0a451f8decbc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c6400200 c6400300 c6400400 c6400505 8d45f4 50 } - $sequence_1 = { 33f9 8d9c1f051d8804 035e18 c1c317 } - $sequence_2 = { 7406 50 e8???????? c785dcf7ffff15000000 8d85d0f7ffff } - $sequence_3 = { ff750c ff35???????? e8???????? 8945f4 6a00 ff7514 ff750c } - $sequence_4 = { c1e002 31c2 89c8 c1e810 31d0 89c3 } - $sequence_5 = { 75ed 0fb646ff 83f808 7702 2bf0 2b7510 d1ee } - $sequence_6 = { 2bfb 83fb38 720e 03fb b840000000 2bc3 03f8 } - $sequence_7 = { 6800fa0000 ff75f4 ff7508 e8???????? 85c0 0f8430010000 ff75f4 } - $sequence_8 = { 68???????? e8???????? 
898554ffffff 83bd54ffffff00 7445 83bd58ffffff14 723c } - $sequence_9 = { ff7518 e8???????? ff750c e8???????? d1e0 83c002 } + $sequence_0 = { 23d8 ff75f8 e8???????? ff7508 e8???????? 8bc3 5b } + $sequence_1 = { 55 8bec 83c4f8 56 833d????????00 747c 833d????????00 } + $sequence_2 = { 33fb 23fa 33fb 8d8c0f8e4379a6 034e38 } + $sequence_3 = { e8???????? 5b 89ec 5d c20800 53 8b442408 } + $sequence_4 = { e8???????? 50 50 ff7508 e8???????? e8???????? 68???????? } + $sequence_5 = { 8bec 837d0800 741c 837d0c00 7416 ff7510 ff7508 } + $sequence_6 = { 8d85c0feffff 50 683f000f00 e8???????? 0bc0 7515 83bdc0feffff00 } + $sequence_7 = { 034e0c c1c10e 03ca 8bfa 33f9 23f8 } + $sequence_8 = { 50 e8???????? 68???????? 8d45f8 50 e8???????? 53 } + $sequence_9 = { 8945e8 ff75fc ff75f8 68???????? e8???????? 8945e4 837dec00 } condition: 7 of them and filesize < 262144 
@@ -86127,36 +86120,36 @@ rule MALPEDIA_Win_Doorme_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a443311b-0d69-50e1-b7af-6bea174db5b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "8d547154-e1a2-595b-9326-3db98ac06250" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doorme_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doorme_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "9459417024dba9c22cb08f7485ab12bc8f994d94a97e4b89e9d80101a9a838df" + logic_hash = "b2bbc3b4f71ef7982997cf0fb32eb217c733939c33379893ee3d9b5cac7fb254" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 817d0063736de0 7528 48833d????????00 741e 488d0d70e50100 e8???????? 85c0 } - $sequence_1 = { 488bd8 488d9530010000 4883bd4801000010 480f439530010000 498b07 4c8d85e8000000 } - $sequence_2 = { 483bf8 7730 488d041f 48894548 488d4538 4983fe10 480f434538 } - $sequence_3 = { e8???????? 
49897f10 49c747180f000000 41c60700 498b5618 4883fa10 0f82adfeffff } - $sequence_4 = { 4532d1 44881408 418d4001 440fb60c08 8d4705 4432cd } - $sequence_5 = { 488bd8 4885db 488d0571b80100 488d4f58 480f44d8 488bd3 488b5c2430 } - $sequence_6 = { 48c7c03f000000 23c1 488d0d4abb0100 f20f5904c1 f20f5804c1 660f72e406 660f73f434 } - $sequence_7 = { e8???????? 488b5c2430 4883c420 5f c3 4883ec28 4c8d0d0d660100 } - $sequence_8 = { 488d0538030300 49894408f0 488b07 4c634004 } - $sequence_9 = { 48894308 48895e40 48897e48 48896e50 488bce e8???????? 884658 } + $sequence_0 = { b908000000 488bda e8???????? 488d0d9ee90200 } + $sequence_1 = { e8???????? 90 c645a707 b063 b162 b261 } + $sequence_2 = { 41884c383a 83fa02 7211 8a03 4903d9 498b8cf480120400 } + $sequence_3 = { 488bfa 48895588 48895d88 c745b068000000 33d2 448d4260 488d4db8 } + $sequence_4 = { 48895c2460 a804 7409 488d1d01610300 eb14 a802 488d1d0e610300 } + $sequence_5 = { 0f104810 410f114d10 48897810 48c740180f000000 c60000 488b55cf 4883fa10 } + $sequence_6 = { 488d1550c80200 f6423d01 7415 e8???????? c70016000000 e8???????? } + $sequence_7 = { 488d742470 48837df000 7505 498bf7 eb1f } + $sequence_8 = { c5f1eb0d???????? 4c8d0d46c20000 c5f35cca c4c173590cc1 4c8d0d850f0100 c5f359c1 c5fb101d???????? } + $sequence_9 = { 410fb6c2 460fb6942020860300 428d04ad04000000 4983c704 } condition: 7 of them and filesize < 580608 
@@ -86167,10 +86160,10 @@ rule MALPEDIA_Win_Evilconwi_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "7f652ca8-a434-5be9-ae21-4e0e49d2fcee" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilconwi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.evilconwi_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.evilconwi_auto.yar#L1-L125" license_url = "N/A" logic_hash = "212869a6ab86c4f0f11665af7cc6fecf827786dd09d766a1df9e90f9f4dd950f" score = 75 @@ -86179,9 +86172,9 @@ rule MALPEDIA_Win_Evilconwi_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -86205,36 +86198,36 @@ rule MALPEDIA_Win_Htran_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5705bf81-9a36-5bdc-a413-5dc9bbe8f8e2" - date = "2026-01-05" - modified = "2026-01-06" + id = "ddf36b57-4e92-5881-b6db-e7818b3ba097" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.htran_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.htran_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "f4c537d909874a527abd7f69551092957789e48daeb6a5277998dd498c7b0511" + logic_hash = "ebd6f0f1e7fa2f26b577cbf6c7cc9ace985d54bf916a5151466640cd16bf28b5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b942430510000 55 52 68???????? e8???????? } - $sequence_1 = { e8???????? 83c404 e9???????? 68???????? e8???????? 8b942430510000 } + $sequence_0 = { 8b542424 33c9 894c2408 52 894c2410 66c744240c0200 894c2414 } + $sequence_1 = { 33c9 894c2414 53 8b10 } $sequence_2 = { 8d3449 8d34b5f09b4000 83c00c 3bc6 7305 } - $sequence_3 = { 68???????? 6a02 e8???????? 8bb42400020000 83c408 83fe02 0f8ef0000000 } - $sequence_4 = { 5e 83c414 c3 6a05 } - $sequence_5 = { 8b8424e0420100 33c9 894c2414 53 8b10 } + $sequence_3 = { 51 52 53 ff15???????? b900010000 } + $sequence_4 = { 89742410 52 6a00 50 68???????? 
} + $sequence_5 = { 72f4 3bc2 7512 899c24f0010000 c78424e801000002000000 8d442458 8d8c24e4000000 } $sequence_6 = { ff15???????? 85c0 7d14 68???????? e8???????? 83c404 } $sequence_7 = { c3 6a00 6a01 6a02 ff15???????? 85c0 } $sequence_8 = { 8816 46 8a10 40 0fb6da f683c1c3400004 740c } - $sequence_9 = { 899424e8010000 89b424e8000000 899424e4000000 33c0 8d8c24e8000000 } + $sequence_9 = { 50 ff15???????? 50 68???????? e8???????? 83c40c e8???????? } condition: 7 of them and filesize < 114688 
@@ -86244,36 +86237,36 @@ rule MALPEDIA_Win_Moonwalk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef8baf81-8fc1-5b8a-8169-40c37ce56608" - date = "2026-01-05" - modified = "2026-01-06" + id = "2771325f-74a7-50c7-8501-3c20ed642fc7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwalk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moonwalk_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moonwalk_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "41695c23cda2f92c0bf6c3a4d26b3fdee7d01afc1ec5f837be35f51c67bf067d" + logic_hash = "7c2e5fcd2bf45bfd3b926431c3efbd70d3f62793289203c0e5d7ae1631d509e8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d4c2458 4c8978d0 4533ff 4c897c2458 44897d20 e8???????? 85c0 } - $sequence_1 = { 488b0d???????? ba833fd2f8 41b8e8c5ba5b 48898140010000 488d0d17880000 e8???????? } - $sequence_2 = { 488b05???????? 4c8bb42418050000 4885c0 753c 488d8548040000 4489bd48040000 33d2 } - $sequence_3 = { 72ed 443bc2 0f844e020000 33c0 44899500020000 89456c 0f57c0 } - $sequence_4 = { 4881c4b0000000 5e c3 488b4718 488b4f20 ff5068 488d942490000000 } - $sequence_5 = { 488b4968 4c896c2438 4c896c2430 4c896c2428 4c896c2420 e8???????? 
4885db } - $sequence_6 = { 488d0508ecffff 48894360 488d05bdf4ffff 48894368 488d05b2f5ffff 48894370 488d05c7f7ffff } - $sequence_7 = { 488bfa 440fb65104 440fb64908 440fb6410c } - $sequence_8 = { 4154 4155 4156 4157 488dac2458feffff 4881ecb8020000 0f1005???????? } - $sequence_9 = { 0f84b6000000 4183f81d 740a b810000000 4883c448 c3 48895c2440 } + $sequence_0 = { 4889ac24b0000000 e8???????? 85c0 7418 0f44c5 85c0 7455 } + $sequence_1 = { 7411 413910 7423 48ffc0 4983c010 483bc1 } + $sequence_2 = { b803000000 49f7f0 4889542438 420fb6040a 33d2 304303 b804000000 } + $sequence_3 = { 488d8520010000 89b520010000 4889442420 448d4e30 488b05???????? 4c8d85c0000000 33d2 } + $sequence_4 = { 488b0d???????? baf7eeca9e 41b804c31716 48894158 488d0d2c8c0000 e8???????? } + $sequence_5 = { c1e908 458bc6 49c1e818 468b948030260100 44339490303a0100 0fb6d1 410fb6ce } + $sequence_6 = { 48ff4708 837f1404 c684249000000001 752e 488d942490000000 488bcb e8???????? } + $sequence_7 = { 8bf0 7522 4d8b4320 498d8bc4030300 4c894c2428 8bd3 458bce } + $sequence_8 = { 33d2 30472a b82b000000 49f7f0 420fb6040a } + $sequence_9 = { 428bbc8030260100 33bc90303a0100 0fb6d1 400fb6ce 33bc9000060100 33bc8800120100 33fb } condition: 7 of them and filesize < 179200 
@@ -86283,36 +86276,36 @@ rule MALPEDIA_Win_Warhawk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7fcbe369-7eba-5509-9f6c-bc41b0560179" - date = "2026-01-05" - modified = "2026-01-06" + id = "091af322-ae7c-5d09-aaff-96f31018a192" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warhawk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.warhawk_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.warhawk_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "44d5f6f70697925bfa262390ea7caffa63c489e29c99852e5d174229a319929a" + logic_hash = "5d9dc0c3e26460e27178cd10628ae87f7e5b2c9145f7bce8089056186ad290d9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8be5 5d c3 bb02000000 8b4dfc 8bc3 } - $sequence_1 = { 83f809 0f8799000000 ff248521b34000 ff7510 ff750c e8???????? } - $sequence_2 = { 0f8482000000 53 57 6a28 ff15???????? 8bd8 83c404 } - $sequence_3 = { 0f8473010000 8d85fcfbffff 8d5001 660f1f440000 8a08 40 84c9 } - $sequence_4 = { 0fb606 50 e8???????? 0fb60b } - $sequence_5 = { e711 a0???????? 
ad fb 93 9f b66c } - $sequence_6 = { 85c9 7406 8b4204 894104 8b4e08 3bd1 } - $sequence_7 = { 8b7d0c 33db 897df4 8975f8 8945fc 8a06 3a8358e94100 } - $sequence_8 = { 0fb680201c4000 ff2485001c4000 c6065c eb30 c60622 eb2b c60662 } - $sequence_9 = { 660f2fda 0f93c0 85c0 754d } + $sequence_0 = { bb0d000000 5e 8bc3 5b 8b4dfc 33cd e8???????? } + $sequence_1 = { 8b4708 897004 8b442410 8b00 89442410 e9???????? } + $sequence_2 = { 83ec24 a1???????? 33c4 89442420 33c0 c744240400000000 53 } + $sequence_3 = { 85c0 75f2 85ff 740c 8b4704 85c0 } + $sequence_4 = { e8???????? 83c418 8d85f8faffff 50 56 ffd7 8bd0 } + $sequence_5 = { 5e 8be5 5d c3 8b442414 85f6 } + $sequence_6 = { 8b4d10 85c9 74d7 85d2 74d3 3bd1 } + $sequence_7 = { 03c6 50 6a40 ff15???????? 68???????? 68???????? } + $sequence_8 = { 6804010000 ff15???????? b90f000000 c745f800000000 be???????? } + $sequence_9 = { 8b4708 85c0 7519 897708 8906 8b442410 897604 } condition: 7 of them and filesize < 2345984 
@@ -86322,36 +86315,36 @@ rule MALPEDIA_Win_Purplewave_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f9a895ad-7289-518b-be54-7444bb9c0feb" - date = "2026-01-05" - modified = "2026-01-06" + id = "48f1d0d3-1aae-50c0-9a0e-1447c27c7631" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.purplewave_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.purplewave_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "2b8c8451c42e657113c26199005fb6974947a93818322a1c2e41a19d47cbd34a" + logic_hash = "88c7614aaf301d3d09a9b5b9c8e46bea5baf771b60bcbf099565877639e3d3c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc1 c1f806 83e13f 6bc938 8b0485201e4900 80640828fe ff36 } - $sequence_1 = { 395914 7202 8b09 85f6 7410 8bd1 66833a3a } - $sequence_2 = { 59 8945c0 894dc4 8845b0 8945d8 894ddc } - $sequence_3 = { 8bec 8b5508 56 0fb67203 0fb64202 0fb64a01 c1e608 } - $sequence_4 = { 8d8d14ffffff e8???????? 68???????? 8d8d14ffffff c645fc20 e8???????? 50 } - $sequence_5 = { 51 8d4dd4 e8???????? ff734c e8???????? 59 3bc7 } - $sequence_6 = { 8b4e08 8902 894a04 895004 8911 8b4508 } - $sequence_7 = { 8d7b04 899d5cfdffff 33c0 c703???????? 
83671000 c7471407000000 668907 } - $sequence_8 = { 8d8d14ffffff e8???????? 68???????? 8d8d14ffffff c645fc60 e8???????? 50 } - $sequence_9 = { e9???????? c3 8d4db0 e9???????? 8d4dbc e9???????? 8d8df8fbffff } + $sequence_0 = { c20400 e8???????? 85c0 0f8440a40000 c3 833d????????ff 7503 } + $sequence_1 = { c3 8b853cffffff 2500100000 0f8415000000 81a53cffffffffefffff 8d8d08ffffff } + $sequence_2 = { ff75d0 e8???????? eb15 807dd700 7426 8b45c4 8b4dac } + $sequence_3 = { a1???????? 83664c00 83663800 894640 a1???????? 894644 6a02 } + $sequence_4 = { 8d4da0 e8???????? 8d8d20ffffff e8???????? 8d8d18ffffff e8???????? 8d4d88 } + $sequence_5 = { e8???????? 8d8de4feffff 885dfc e8???????? 8b9544ffffff 8d8de4feffff e8???????? } + $sequence_6 = { e9???????? 8b85dcfeffff 83e001 0f8412000000 83a5dcfefffffe 8b8dbcfeffff e9???????? } + $sequence_7 = { 8b048d201e4900 5a 8854072c 8b45e4 8bf0 eb13 6a0a } + $sequence_8 = { ff75e8 ff75f0 e8???????? 8b45f4 5f 5e 5b } + $sequence_9 = { e8???????? 6a0e e8???????? 83c40c 8d8c24a8000000 8bd0 c7003519ef54 } condition: 7 of them and filesize < 1400832 
@@ -86361,36 +86354,36 @@ rule MALPEDIA_Win_Acridrain_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef433885-2f79-5863-bbed-81d7d31ae677" - date = "2026-01-05" - modified = "2026-01-06" + id = "bd7afc4a-96c3-5173-9061-d80706c78002" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.acridrain_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.acridrain_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "be1111fbfc299034daf1631180c40c75225491471e67ad1cf19bc33316287e9b" + logic_hash = "b936b14efcd9e67414b3e4178fdfe38c1b2878195b522144a7e2ed6b607e702b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff8ea0000000 8bf8 897df0 83ff64 741e 83bb8400000000 7c15 } - $sequence_1 = { ff7048 e8???????? 83c404 85f6 0f85c4000000 8b4dec 8bc7 } - $sequence_2 = { f6401604 57 8b7a38 7414 8b45f0 51 03c7 } - $sequence_3 = { f20f5945d4 f20f5905???????? e9???????? 81fe56010000 7c2a 8bcf e8???????? } - $sequence_4 = { e8???????? 33c9 0fb6db 83c408 84c0 0f45d9 895c2414 } - $sequence_5 = { 8b4e08 3bcb 740d 40 83c654 3bc2 72f1 } - $sequence_6 = { ff7548 68???????? 55 e8???????? 
83c40c 85c0 0f85b8010000 } - $sequence_7 = { 8b7d08 8b472c 85c0 0f84a6000000 53 8b5d0c 56 } - $sequence_8 = { ff75f4 ff750c 57 e8???????? 83c418 85c0 0f84b3feffff } - $sequence_9 = { e8???????? ff75cc 57 53 e8???????? 8b55b8 52 } + $sequence_0 = { ff37 e8???????? 83c40c 8945e4 85c0 7421 6a30 } + $sequence_1 = { ff8f00010000 8b8528ffffff 89b714010000 5f 5e 5b 8b4dfc } + $sequence_2 = { ff248d20cb4800 ff742410 ff742410 ff7008 e8???????? 83c40c 5e } + $sequence_3 = { ff742434 8b4634 57 ff760c ff742424 ffd0 83c410 } + $sequence_4 = { ff75a4 ff7584 50 57 56 e8???????? 83c420 } + $sequence_5 = { ffd0 83c414 3bc7 7406 5f 33c0 5e } + $sequence_6 = { ffd0 8b8dccfdffff 8985d4fdffff 8a85affdffff 57 ffb5d0fdffff 884146 } + $sequence_7 = { f6412210 0f85de000000 80792600 8b5724 8955e8 7569 f6c240 } + $sequence_8 = { ff770c 53 e8???????? 8bf0 8d45f4 50 ff7710 } + $sequence_9 = { 740c 50 e8???????? 8b45d8 83c404 8b5da4 f6431880 } condition: 7 of them and filesize < 2244608 
@@ -86400,36 +86393,36 @@ rule MALPEDIA_Win_Ramnit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e7231016-af2a-574e-9bee-456d68202102" - date = "2026-01-05" - modified = "2026-01-06" + id = "d96e8d52-cc57-5aa2-88f2-ce7c5e262df0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ramnit_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ramnit_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "a205fea822a311ab889bb108ee1640be8e7bb55400366f3eef4a7d603b69a5db" + logic_hash = "dbfb0688e0b396c7fd0d0ba3ce0a52163ac35ef18b30375fa88877871c1a5a92" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7d08 b000 f2ae 8bc1 } - $sequence_1 = { 5f 59 5a 5b c9 c20800 55 } - $sequence_2 = { fd 8b4d10 8b7d0c 8b7508 f3a4 } - $sequence_3 = { 3a4510 7407 b800000000 eb02 8bc7 5a } - $sequence_4 = { ba00000000 59 5f 5e 5b c9 } - $sequence_5 = { ff7514 ff7510 e8???????? 
83f800 750b 4f 3b7d08 } - $sequence_6 = { fc 8b4d0c 8b7d08 b000 f3aa } - $sequence_7 = { 52 8b4508 8b5d0c 4b 23d8 83fb00 740e } - $sequence_8 = { 8bf8 037d14 3b7df8 771f 8945fc ff7514 ff7510 } - $sequence_9 = { 8bec 83c4f8 56 57 51 53 52 } + $sequence_0 = { 8b450c 83e801 89450c 8b4514 83e801 894514 } + $sequence_1 = { 57 56 fc 8b4d0c 8b7d08 } + $sequence_2 = { b800000000 eb02 8bc7 5a } + $sequence_3 = { ff7508 e8???????? 8b45fc 03450c 66bb0000 } + $sequence_4 = { f7d0 48 59 5f 5e } + $sequence_5 = { 8b4d18 8b7d08 8b7510 3b7514 7705 } + $sequence_6 = { 57 51 8b4d10 8b7d08 8b750c 8a07 3a06 } + $sequence_7 = { 761d fc 8b4d0c 8b7d08 8a4510 f2ae } + $sequence_8 = { 8945fc ff7514 ff7510 ff75fc e8???????? 83f801 7417 } + $sequence_9 = { 3b7d08 73e7 bf00000000 8bc7 5a 5b } condition: 7 of them and filesize < 470016 
@@ -86439,36 +86432,36 @@ rule MALPEDIA_Win_Scavenger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d846177f-40f0-5608-9af6-8e72a353dfb4" - date = "2026-01-05" - modified = "2026-01-06" + id = "d7bdaeb0-7116-5c13-ae8f-87dbc7dfff1b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scavenger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scavenger_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scavenger_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "e670ed837cdbf1f563e9cd77410039750eec52dd374d49f9838ffc16cf920061" + logic_hash = "91030dc6d1a65f35e56bdbbd23cb5dd4e96195557b8723c0aba6b4b022191693" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb6c0 85c0 7421 488b442430 488b00 4889442458 488b442458 } - $sequence_1 = { 488b442428 48c7401800000000 488b8424a8000000 488b4010 4889442470 488b8424a8000000 4889442430 } - $sequence_2 = { 4889442420 488b8c2410010000 e8???????? 4839842420010000 7606 e8???????? } - $sequence_3 = { 4889442440 488b442430 4883c010 4889442448 } - $sequence_4 = { 4889442438 e9???????? 
33d2 b80f000000 b902000000 48f7f1 488b4c2430 } - $sequence_5 = { 488b442428 48c7401800000000 488b8424a8000000 488b4010 } - $sequence_6 = { 4889442420 488b442420 4889442448 488b442420 4883c008 4889442450 } - $sequence_7 = { 4889442468 48c7442430ffffffff 488b442430 4889442478 } - $sequence_8 = { 488378180f 760a c744243001000000 eb08 c744243000000000 0fb6442430 88442420 } - $sequence_9 = { 4883ec60 488b442470 4889442448 488b442478 4889442438 488b442438 } + $sequence_0 = { 4889842480000000 488d442421 4889842488000000 0fb6442422 88442423 488b442450 } + $sequence_1 = { 488b9424f8000000 488b8c24e8000000 e8???????? 90 } + $sequence_2 = { 488bc1 0fb600 85c0 7413 } + $sequence_3 = { 488b842450010000 488b4c2430 4803c8 488bc1 488b4c2438 0fb6542420 881401 } + $sequence_4 = { 488908 488b442450 488b4c2428 488908 486b44247820 } + $sequence_5 = { 4883ec28 488b442430 4889442408 488b442430 488378180f 760a } + $sequence_6 = { 488bc1 48898424b8000000 488bbc24b8000000 488bb42448010000 488b8c2450010000 f3a4 } + $sequence_7 = { 4889442450 488b442450 4c8bc0 488b542478 } + $sequence_8 = { 488b4008 482bc1 48c1f805 4889442440 488b442440 } + $sequence_9 = { 48c744243000000000 eb35 48817c242800100000 7211 488b4c2428 e8???????? 4889442430 } condition: 7 of them and filesize < 2992128 
@@ -86478,48 +86471,48 @@ rule MALPEDIA_Win_Tinyloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7c6fcb6a-6aaa-5e44-ad0b-2dda057bc513" - date = "2026-01-05" - modified = "2026-01-06" + id = "376b7f2e-2107-5f52-b370-1767c87f2f82" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinyloader_auto.yar#L1-L224" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinyloader_auto.yar#L1-L217" license_url = "N/A" - logic_hash = "a1e9a6fc8f29154daa76951045f8f779a6cee8d3fa483fe0d801eb90e6460914" + logic_hash = "a3b81ba1c2e006379db13f20dcf827242565b4e188d6f1f3527255376f5a7d95" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7d2 f7d1 5b 89d0 c1c010 6689c8 90 } + $sequence_0 = { 5b 89d0 c1c010 6689c8 90 } $sequence_1 = { 8b1d???????? 90 8998f8070000 90 } - $sequence_2 = { 83ec20 48 8d0db7130000 48 } - $sequence_3 = { 90 29d8 90 31db } - $sequence_4 = { 895838 90 48 89c6 90 48 0500400100 } - $sequence_5 = { 8b5d00 66894308 6a10 ffb5a8050000 } - $sequence_6 = { 637574 6541 0050ff 15???????? c705????????00010000 68???????? 68???????? 
} - $sequence_7 = { 81fb04030000 730d 90 83c004 90 83c304 } - $sequence_8 = { 90 0500400100 90 31db 90 90 } - $sequence_9 = { 0500080000 894520 ffb5a0050000 6802020000 ff15???????? } - $sequence_10 = { 8998f8070000 90 48 8b1d???????? 90 } - $sequence_11 = { 48 8d0dedffffff ff15???????? 48 83c420 } - $sequence_12 = { c70000000000 c7855808000000000000 8b5d00 039d58080000 6a00 } - $sequence_13 = { 83ec20 48 c7c100000000 48 8d15e6110000 } - $sequence_14 = { 90 8bbb97114000 90 8938 90 } - $sequence_15 = { 8b8540050000 8b5d00 894308 8b85f8070000 8b5d00 894304 } - $sequence_16 = { 3b8558080000 7402 ebb3 31c0 31db 31c9 31d2 } - $sequence_17 = { 8b1d???????? 90 895830 90 8b1d???????? 90 895838 } - $sequence_18 = { 8b85f8070000 8b5d00 894304 8b5d00 81c300040000 31c0 } - $sequence_19 = { 8b4500 83c00c ffd0 31db 8b4500 8b8000040000 } - $sequence_20 = { 8d0dea0e0000 ff15???????? 48 83c420 48 8d35d90e0000 48 } - $sequence_21 = { 01da 83c20c 310a 3b8558080000 7308 83c004 } + $sequence_2 = { 6a40 6800300000 6800800200 6a00 ff15???????? 90 8b1d???????? } + $sequence_3 = { ffd0 31db 8b4500 8b8000040000 83f80c 7702 eb28 } + $sequence_4 = { c70000000000 c7855808000000000000 8b5d00 039d58080000 } + $sequence_5 = { ffb5b8050000 ff15???????? 83f8ff 7405 } + $sequence_6 = { 83ec20 48 8d0dca110000 48 8d15c3110000 } + $sequence_7 = { 90 48 895830 90 48 8b1d???????? } + $sequence_8 = { 8d3500304000 89c7 53 31c9 49 } + $sequence_9 = { 90 8bbb97114000 90 8938 90 81fb04030000 730d } + $sequence_10 = { 66894302 66c7030200 e8???????? 3935???????? } + $sequence_11 = { 83ec20 48 8d0d060f0000 48 8d152f150000 ff15???????? 48 } + $sequence_12 = { 83f80c 7702 eb28 83e80c 39c3 7321 } + $sequence_13 = { 83c420 48 83ec20 48 8d0dea0e0000 ff15???????? } + $sequence_14 = { 90 31db 90 90 } + $sequence_15 = { 31c9 90 3108 90 } + $sequence_16 = { c7c100000000 48 c7c200800200 49 } + $sequence_17 = { 656c 6c 3332 2e646c 6c 00ff 15???????? 
} + $sequence_18 = { 31c0 8b03 8b5d00 66894308 6a10 } + $sequence_19 = { e9???????? 018558080000 83bd580800000c 7302 ebc3 } + $sequence_20 = { 48 8d15ebffffff ff15???????? 48 83c420 } + $sequence_21 = { 8985a8050000 0500080000 894508 0500200000 894518 0500200000 } condition: 7 of them and filesize < 40960 
@@ -86529,36 +86522,36 @@ rule MALPEDIA_Win_Montysthree_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "87f022dd-6806-53c4-b097-b12b0a06ec92" - date = "2026-01-05" - modified = "2026-01-06" + id = "74ddc35e-cbc4-5b52-af4b-1976c78265e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.montysthree_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.montysthree_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "49338e71bc632a417705dbca9be5623cbd05fe63eacf0615bb9fcdc5a3ff20f5" + logic_hash = "20b706b4eca6d5b02e478c400a2f0e804bf70ec4650a3c31a417eee1e6747a48" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3c09 7443 3c0d 743f 3c20 743b } - $sequence_1 = { 5f 85f6 5e 0f94c0 5b c9 } - $sequence_2 = { 8d4d08 e8???????? ff30 6a6d ebac 66395f04 7629 } - $sequence_3 = { c745f010000000 ff15???????? 85c0 8b35???????? 756e ffd6 3d16000980 } - $sequence_4 = { 83ec18 68???????? e8???????? 59 8d4de8 e8???????? } - $sequence_5 = { 68???????? e8???????? 33f6 8975fc 3935???????? 0f850a010000 56 } - $sequence_6 = { 397dc8 7427 837dc802 7421 68???????? } - $sequence_7 = { 56 57 ff7510 33ff ff750c 33f6 } - $sequence_8 = { 885d77 f6456c02 7408 8d4d3c e8???????? 
385d77 } - $sequence_9 = { 8d4ddc 895dfc e8???????? 395d08 742c 53 8d45fc } + $sequence_0 = { 8d4dec e8???????? 50 68???????? e8???????? 8d45dc 50 } + $sequence_1 = { 49 49 85c0 7def 83c8ff 5e } + $sequence_2 = { e8???????? 8d4d28 e8???????? ff455c 8d8578fdffff 50 } + $sequence_3 = { 68???????? e8???????? 83c410 397d08 } + $sequence_4 = { e8???????? 59 8b45e8 894608 8b45f8 } + $sequence_5 = { eb13 57 e8???????? 53 8d4de4 } + $sequence_6 = { 7409 ff7558 ff15???????? 8b4564 f7d8 1bc0 25???????? } + $sequence_7 = { 8d45d4 50 8d4de4 e8???????? 8d4de4 e8???????? } + $sequence_8 = { 8b4520 394709 7407 c7453c01000000 } + $sequence_9 = { 6aff 6a01 6a01 ff75f0 8d4d08 } condition: 7 of them and filesize < 458752 
@@ -86568,36 +86561,36 @@ rule MALPEDIA_Win_Tinyturla_Ng_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "237c3b29-3ffe-58e0-8377-deec3f9ada49" - date = "2026-01-05" - modified = "2026-01-06" + id = "47d7a009-b2e7-504c-8e54-e4b0c569585e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyturla_ng" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinyturla_ng_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinyturla_ng_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "053b5083da44c3f040d79aabaeaa3be9af43dd91f5cebec175c4332c307fa8d0" + logic_hash = "fbd3f9ed46994e396ed10b65e13fbdb8181672f8cd474896767774d8e2eb6b28" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4881ec90000000 488b05???????? 4833c4 4889451f 488bda 488bf1 } - $sequence_1 = { 488bcf e8???????? 33c9 eb15 } - $sequence_2 = { 488d7027 4883e6e0 488946f8 eb36 b816000000 483bf8 480f42f8 } - $sequence_3 = { c60600 8b87b8020000 8987b4020000 8b8fb4020000 ff15???????? 80bfcc02000000 0f8579fdffff } - $sequence_4 = { 85c0 0f8572010000 488b4d0f 488d45ff 41b901000000 4889442420 4533c0 } - $sequence_5 = { 4863f0 ff15???????? 488bc8 4c8d4601 33d2 ff15???????? 
488bd8 } - $sequence_6 = { 8b4558 83e001 85c0 7414 836558fe 488b4d60 } - $sequence_7 = { 488b4d0f 488d45ff 41b901000000 4889442420 4533c0 488d5517 ff15???????? } - $sequence_8 = { 803c0800 75f7 488d5550 48c7c0ffffffff 48ffc0 } - $sequence_9 = { 4c8d050f92ffff 33d2 33c9 e8???????? } + $sequence_0 = { b816000000 49beffffffffffffff7f 4883fe0f 771d 488975df 4c8bc6 } + $sequence_1 = { 498bce e8???????? 488b542440 4883fa10 722e } + $sequence_2 = { 4d8d4701 488bd7 488bc8 e8???????? 48895c2440 4c897c2438 } + $sequence_3 = { 721c 4c8b41f8 4883c227 492bc8 488d41f8 4883f81f 0f8717010000 } + $sequence_4 = { 488bfa 488bf1 4032ed 4533e4 } + $sequence_5 = { ff15???????? 488d5570 488d4d30 e8???????? 498d8df8000000 488bd0 } + $sequence_6 = { 85c0 0f95c1 85c0 0f843e010000 488d96b0000000 48837a1810 7203 } + $sequence_7 = { 7203 488b1b 4883fe10 730d 0f1003 0f1145cf } + $sequence_8 = { 85c0 0f84e3000000 498bc6 4883fb10 7203 498b06 4883fe03 } + $sequence_9 = { 0f841f030000 492bfe 4883ffff 0f8417030000 0f1f4000 66660f1f840000000000 4c897dd8 } condition: 7 of them and filesize < 635904 
@@ -86607,36 +86600,36 @@ rule MALPEDIA_Win_Ransoc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4231c6d-a004-5baa-86ba-cc26d508cfdf" - date = "2026-01-05" - modified = "2026-01-06" + id = "9118cf2f-c0a5-5827-a690-076592f6d7c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ransoc_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ransoc_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "3aba656893a98b7e7e042164f300a01531e4785d0c2a9f4ed3d68e27e1dc31f6" + logic_hash = "1d64ff5b7eea4ed669f12581c2241097dfe63e0febd224175945528d59667ae6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 57 50 6a01 e8???????? } - $sequence_1 = { 8b5034 3bd7 753e 8b7230 } - $sequence_2 = { eb02 8913 894a34 895138 8b4834 8b503c } - $sequence_3 = { 0f8487000000 56 68???????? 45 e8???????? 83c408 } - $sequence_4 = { 394134 7506 8b5034 895134 394140 7506 8b5034 } - $sequence_5 = { 8b542428 5d 894808 5b } - $sequence_6 = { 89462c a820 7406 8b4604 014804 8b462c a900080000 } - $sequence_7 = { eb07 894a34 eb02 890b 894134 894838 8b13 } - $sequence_8 = { f7402c00000001 a1???????? 890c24 7505 } - $sequence_9 = { 83c618 56 e8???????? 
83c40c 5e c3 } + $sequence_0 = { 85d2 7403 894238 85c0 740f } + $sequence_1 = { c3 3dca080000 740d 3d28110000 7570 b826f0ffff } + $sequence_2 = { c3 56 ff15???????? 6aff } + $sequence_3 = { 7505 8b563c eb0a 8b4e3c 8d5e3c 85c9 7531 } + $sequence_4 = { 56 55 8954243c e8???????? } + $sequence_5 = { ff15???????? f7472c00001000 0f8480000000 8b4e30 51 ff15???????? 5d } + $sequence_6 = { 8b5138 89503c 3bd7 7406 8b5138 894240 8b5040 } + $sequence_7 = { 83c840 89462c a820 7406 8b4604 014804 8b4604 } + $sequence_8 = { 7717 8d4c2410 3bc8 720f 8bd1 3bd0 7610 } + $sequence_9 = { 8b7c240c 8d4718 6a01 50 e8???????? } condition: 7 of them and filesize < 958464 
@@ -86646,36 +86639,36 @@ rule MALPEDIA_Win_Spica_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fb7e9642-1902-5334-b719-e15942756229" - date = "2026-01-05" - modified = "2026-01-06" + id = "5bf20c6d-140a-5c4a-b18b-79d1b53cf43e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spica" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spica_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spica_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ed495be78d555972a0dc5475fda2591b6a4e5ced1e014a8ddb16a1315155952a" + logic_hash = "a014ccd25d61a1f9a7e7360fbc9da38bc765ad18234001640d0c258e1a3992ef" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f3410f6f9798080000 f3410f6f9fa8080000 660f7f9b20040000 660f7f9310040000 660f7f8b00040000 660f7f83f0030000 41c687a409000001 } - $sequence_1 = { f30f7f01 e9???????? 4883fe08 488b4c2470 480f42ce 488b5c2430 4829d9 } - $sequence_2 = { ff15???????? 4885c0 0f84d9050000 4889c1 488905???????? 41b880000000 31d2 } - $sequence_3 = { eb1b 4d8b8590000000 b800020000 4c234658 b940020000 0f44c1 4533db } - $sequence_4 = { e8???????? 488d95b0000000 4889d9 e8???????? 440fb7f8 0fb74b58 4189cc } - $sequence_5 = { ff5018 4d89fd 84c0 7424 e9???????? 0f854f060000 4c89f1 } - $sequence_6 = { ff15???????? 
488b0b 488b93a0000000 4885d2 741b 0fb783c0000000 3bf0 } - $sequence_7 = { 8b442458 4863cb 448bf3 4903cf 4863e8 48c1e520 ffc3 } - $sequence_8 = { ffc7 4983c670 3b7d00 7cab 4c8b742448 488b5c2440 488b6c2450 } - $sequence_9 = { ffc1 f7f1 418bc1 8bcd 442bc2 33d2 41f737 } + $sequence_0 = { ff15???????? 8065a5fb 488bdf 897d98 48895d90 897da0 807e1100 } + $sequence_1 = { ff15???????? 488b8ea0000000 4885c9 7410 66443bbec0000000 7306 4883c170 } + $sequence_2 = { e8???????? eb75 b908000000 bac8020000 e8???????? eb64 c685170a000001 } + $sequence_3 = { ff15???????? 488b0e 4885c9 743b 488b4608 48894df8 488945e8 } + $sequence_4 = { ff15???????? 4885c0 0f84de060000 4889c1 488905???????? 41b80e000000 31d2 } + $sequence_5 = { f7d9 481bc0 4883c002 4889442440 4885db 0f8498020000 4889ac24a0000000 } + $sequence_6 = { f6c101 7410 f390 f390 f390 f390 f390 } + $sequence_7 = { ff15???????? 488b83a0000000 4885c0 740e 663bbbc0000000 7305 488bf0 } + $sequence_8 = { e8???????? eb0f 488d0549931300 c64201ff 48894210 4533c0 896c2420 } + $sequence_9 = { ffc9 488b03 80786300 7405 498bc5 eb12 4863c1 } condition: 7 of them and filesize < 14034944 
@@ -86685,36 +86678,36 @@ rule MALPEDIA_Win_Disk_Knight_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2e5932a4-2261-529e-8603-e7381cbcd593" - date = "2026-01-05" - modified = "2026-01-06" + id = "c3c383cd-5c27-526d-bf8a-de5ceb0bf642" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disk_knight" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.disk_knight_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.disk_knight_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "94d53be36645294fa895fc3e62b424a992d83f6ddb436852c2ddc8dd29bf34d2" + logic_hash = "977e947a6254dfcd3e69c50715f7d60676f8272c5383d355c60035f816ae6726" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 8b45c8 50 ff15???????? 8945ac eb07 c745ac00000000 } - $sequence_1 = { 8bd0 8d4dd4 ffd6 50 68???????? ffd7 8d4d8c } - $sequence_2 = { ff15???????? 8bd0 8d4da0 ffd6 8d45a4 50 ff15???????? } - $sequence_3 = { c7458001000080 33d2 8d4db0 ff15???????? ba???????? 8d4db4 ff15???????? } - $sequence_4 = { 8b16 8d8578ffffff 50 56 ff92b8070000 3bc7 7d0e } - $sequence_5 = { 8975c8 8d4db0 ff15???????? 8b4dc8 33ff 3bcf 741c } - $sequence_6 = { 83bdc4feffff00 7d23 6a58 68???????? 
8b8dc8feffff 51 8b95c4feffff } - $sequence_7 = { 8d55dc 51 52 897d80 c78578ffffff00000000 89bd70ffffff ff15???????? } - $sequence_8 = { 6880000000 ff15???????? 83c41c 8b4dc8 51 8d9544ffffff 52 } - $sequence_9 = { c785bcfeffff01000000 8b4d0c 833900 7455 8b550c 8b02 66833801 } + $sequence_0 = { 8d95f8feffff 52 56 ff9100010000 dbe2 85c0 7d0e } + $sequence_1 = { c785b8fdffffd8a44400 eb0a c785b8fdffffd8a44400 8b8db8fdffff 8b11 8995c0feffff 8d45a4 } + $sequence_2 = { 8b420c 8b8db4feffff 8b1408 52 ff15???????? 50 } + $sequence_3 = { 50 8d559c 52 ff15???????? 83ec10 8bc4 8930 } + $sequence_4 = { 833f00 750c 57 68???????? ff15???????? 8b37 8d4de4 } + $sequence_5 = { 8b4dc4 83c001 0f80eb020000 2bc8 0f80e3020000 894de0 6a00 } + $sequence_6 = { 8b4db0 83c105 0f803b080000 83c105 0f8032080000 0faf4dd4 0f8028080000 } + $sequence_7 = { 8985c0feffff 8d4da4 51 8b95c0feffff 8b02 8b8dc0feffff 51 } + $sequence_8 = { 89bd70ffffff ff15???????? 8bd0 8d4dd0 ff15???????? 50 ff15???????? } + $sequence_9 = { 85c0 0f84bf010000 c745fc0d000000 c78560ffffff04000280 c78558ffffff0a000000 c78570ffffff04000280 c78568ffffff0a000000 } condition: 7 of them and filesize < 868352 @@ -86725,10 +86718,10 @@ rule MALPEDIA_Win_Unidentified_053_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "44778796-93f3-5879-994d-5e3e2324b3e0" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_053_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_053_auto.yar#L1-L122" license_url = "N/A" logic_hash = "0ba9fcbf3221aa7fe9aa16ac81cd13a3c2e0b0b30a12bf9f5e09619187f5d921" score = 75 
@@ -86737,9 +86730,9 @@ rule MALPEDIA_Win_Unidentified_053_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -86763,36 +86756,36 @@ rule MALPEDIA_Win_Safenet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f291e692-0cf7-535f-829f-d3eb37065334" - date = "2026-01-05" - modified = "2026-01-06" + id = "468e41a7-11d1-5d0c-a165-3548b9b6e349" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.safenet_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.safenet_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "8771350f205428c4c7fbcedc7de0eba58fbdfc684579398209f093f9a759ec1a" + logic_hash = "03b9eda78e1d301aa1ef90c1c71ba073807745aedf2af16dbdfcf02e7c490ab5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4db4 50 c645fc01 e8???????? 8b4d08 } - $sequence_1 = { ff15???????? eb5a ff75fc ff15???????? } - $sequence_2 = { 8b45fc 3bc3 7504 c6461401 } - $sequence_3 = { 51 8d8d7cffffff ff7634 51 50 ffd3 85c0 } - $sequence_4 = { 68???????? 57 ff15???????? 3bc6 7505 83ceff } - $sequence_5 = { 3b1d???????? 0f8315010000 8bc3 8bcb c1f805 83e11f 8b048540174100 } - $sequence_6 = { 50 ff7638 57 ff7618 ff55f8 } - $sequence_7 = { 8d34b5d0d84000 83c00c 3bc6 7305 395004 } - $sequence_8 = { ff750c e8???????? ff75ec e8???????? ff75e8 e8???????? 
} - $sequence_9 = { c745bc3c000000 c745c040040000 ff15???????? 8945c4 8d85b4fdffff 8945cc } + $sequence_0 = { 57 ff7510 ff750c ff7508 ff15???????? 8bf0 56 } + $sequence_1 = { 8d3c8540174100 c1e603 8b07 03c6 } + $sequence_2 = { 5f 5e c20800 8b542404 56 8b4208 } + $sequence_3 = { e8???????? 59 8b3d???????? 6a24 e8???????? 897804 } + $sequence_4 = { 0f85b8000000 397dfc 0f84af000000 8b4508 57 ff761c } + $sequence_5 = { 75e8 ff750c e8???????? ff75ec e8???????? ff75e8 e8???????? } + $sequence_6 = { 57 ff7614 ff55f8 85c0 0f85d7000000 397df4 } + $sequence_7 = { 0f8e97000000 56 57 8d45f2 6a02 50 } + $sequence_8 = { 8d85e0f7ffff 53 50 ffd6 83c414 } + $sequence_9 = { 50 895dc8 c745d0b8024100 895dd4 895dd8 895ddc ff15???????? } condition: 7 of them and filesize < 262144 
@@ -86802,36 +86795,36 @@ rule MALPEDIA_Win_Onionduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4f0df2d9-b667-583c-9035-10a88bb5a5df" - date = "2026-01-05" - modified = "2026-01-06" + id = "71e82643-c451-5cee-a54f-f2f1027d62a5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.onionduke_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.onionduke_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "489b57dff2d63e712188fb4627ba779c8167a75fd93d25f277ce49d9d63a93ef" + logic_hash = "8162ef402e46513fc9aae2241eef790e5a3e093ead89108a1e0c2f51f5d76e98" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8b7510 56 894df8 } - $sequence_1 = { 8b0f 83c404 5f 8919 } - $sequence_2 = { c645fc01 bf08000000 85c0 7417 8b4dd4 } - $sequence_3 = { c20c00 8b4d08 8b11 8b4214 56 6a01 ffd0 } - $sequence_4 = { 56 e8???????? 837de808 8bf0 720c 8b4dd4 51 } - $sequence_5 = { 8a08 40 84c9 75f9 2bc2 750e } - $sequence_6 = { ffd0 8b13 894508 8b4208 56 } - $sequence_7 = { c20400 8b03 50 e8???????? 83c404 56 ff15???????? } - $sequence_8 = { 8b4dfc 33cd e8???????? 8be5 5d c20400 837df408 } - $sequence_9 = { 8b4d08 2bd0 c1fa03 3bd1 770a 68???????? e8???????? 
} + $sequence_0 = { 42 3bd7 72b9 5e c6047800 5f 5d } + $sequence_1 = { 5f 895e24 5b b801000000 5e } + $sequence_2 = { 8a441103 3245ff 41 0fb6d0 6689544ffe 3bce } + $sequence_3 = { 7202 8b00 8b4d08 51 50 e8???????? } + $sequence_4 = { 8b03 7922 8b5008 56 } + $sequence_5 = { 84c9 7421 8b55fc 8a12 } + $sequence_6 = { 8b4604 8b4e08 2bc8 c1f903 3bcf 770a } + $sequence_7 = { 83c40c 33c9 eb08 8b56d0 } + $sequence_8 = { 83c404 8903 85c0 7443 } + $sequence_9 = { 33c9 c7070f000000 894ffc 880b 833e10 } condition: 7 of them and filesize < 671744 
@@ -86841,36 +86834,36 @@ rule MALPEDIA_Win_Gandcrab_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5425f9cd-8fb4-510e-a39f-093e7eb655d2" - date = "2026-01-05" - modified = "2026-01-06" + id = "edf9d73e-47bb-5498-8314-d2a26c7eb915" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gandcrab_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gandcrab_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "65a176078bb1690a98a0fbd0a289d5aa1233664bdaee132644de05bfc651c8a8" + logic_hash = "8e0dc2dc5f594011ff141e52d0970e654fe224cfb5f2cb26869ab34c100952d0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03c3 8d5e04 03d8 837f4800 741b ff7750 ff15???????? } - $sequence_1 = { ff777c ff15???????? ff7778 8bf0 ff15???????? } - $sequence_2 = { ff15???????? ff7728 8bf0 ff15???????? 03c3 8d5e04 } - $sequence_3 = { ff15???????? 03c3 8d5e04 03d8 837f3000 } - $sequence_4 = { ff15???????? ff7734 8bf0 ff15???????? 03c3 8d5e04 } - $sequence_5 = { 03c3 8d5e04 03d8 837f3000 741b } - $sequence_6 = { 5f 66894c46fe 8bc6 5e } - $sequence_7 = { ff15???????? ff7778 8bf0 ff15???????? 03c3 } - $sequence_8 = { ff15???????? 
03c3 8d5e04 03d8 837f3c00 741b ff7744 } - $sequence_9 = { 741b ff777c ff15???????? ff7778 8bf0 } + $sequence_0 = { ff7744 ff15???????? ff7740 8bf0 ff15???????? 03c3 } + $sequence_1 = { ff15???????? ff7728 8bf0 ff15???????? 03c3 8d5e04 } + $sequence_2 = { ff15???????? 03c3 8d5e04 03d8 837f4800 741b } + $sequence_3 = { ff15???????? ff7740 8bf0 ff15???????? 03c3 } + $sequence_4 = { 03c3 8d5e04 03d8 837f3000 741b ff7738 ff15???????? } + $sequence_5 = { 837f7400 741b ff777c ff15???????? ff7778 8bf0 } + $sequence_6 = { ff777c ff15???????? ff7778 8bf0 ff15???????? } + $sequence_7 = { ff7738 ff15???????? ff7734 8bf0 ff15???????? } + $sequence_8 = { 741b ff7750 ff15???????? ff774c } + $sequence_9 = { 03c3 8d5e04 03d8 837f3000 741b } condition: 7 of them and filesize < 1024000 
@@ -86880,36 +86873,36 @@ rule MALPEDIA_Win_Webc2_Bolid_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7b8b0f8-fb67-56c4-b24d-dcdab9f7b909" - date = "2026-01-05" - modified = "2026-01-06" + id = "716ef3b0-82d3-51b2-853d-5eec600e9585" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_bolid_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_bolid_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "a9749882fbe9a2a48ffae4420a547a6fbd11851e4362f65200b42858f5a2933e" + logic_hash = "ea324af3e8557090b9806bb3099e79345357ea9abb6340eef576f2e3b10a818a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7f31 8b8bc8000000 8b93c4000000 6a00 41 6a00 } - $sequence_1 = { e8???????? 84c0 7427 8bcf 8b7b70 8d436c 8bd1 } - $sequence_2 = { 8b55ec 8d8d54ffffff 51 52 50 8d45a0 50 } - $sequence_3 = { e8???????? 8bd8 3bde 0f8e0c060000 8a451b 56 8d8d58ffffff } - $sequence_4 = { 83c40c 8b15???????? 8d4de4 52 } - $sequence_5 = { 8b4dec 8b75e4 03c1 894508 } - $sequence_6 = { fec8 8801 eb09 51 e8???????? 83c404 8b7db8 } - $sequence_7 = { 50 c3 6a02 e8???????? 59 c3 } - $sequence_8 = { 8a01 4a 0fb6f0 f6860132410004 8807 7413 47 } - $sequence_9 = { c68424240200000d e8???????? 
83ec10 8d9424a0000000 8bcc 89a424c4000000 52 } + $sequence_0 = { 7445 8b4dc4 8bd6 c1e204 03d1 8d8558ffffff 52 } + $sequence_1 = { f7d1 49 51 68???????? 8d8d78ffffff e8???????? } + $sequence_2 = { 8841ff b001 eb30 49 51 } + $sequence_3 = { 0f85db000000 6a01 8d4d88 c645fc0f e8???????? 6a01 } + $sequence_4 = { e8???????? 83c404 8b4df4 5f 5e 32c0 64890d00000000 } + $sequence_5 = { c645fc16 c6451b5c e8???????? 8d4dd0 } + $sequence_6 = { 8b4f08 3bc8 7305 e8???????? 8bcf e8???????? 8b4708 } + $sequence_7 = { 8bf1 89742408 c706???????? 8b4644 33db 3bc3 } + $sequence_8 = { 83e203 83f908 7229 f3a5 ff2495b8734000 8bc7 ba03000000 } + $sequence_9 = { 895c2434 8d4c2428 8d54244c 51 c68424000200000c 83ec10 } condition: 7 of them and filesize < 163840 
@@ -86919,35 +86912,35 @@ rule MALPEDIA_Win_Taintedscribe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f6a7e40a-4fa2-5a81-9780-0a7ba8af1fba" - date = "2026-01-05" - modified = "2026-01-06" + id = "87648f3d-18fe-5762-8343-189a5c1f00dd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.taintedscribe_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.taintedscribe_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "410c49d2a558db92d0096ecc5bd9fc38bcaad1e641a570b26cd7d6d98ec29d7e" + logic_hash = "6c4f3c9416e33b444a5b9632d600c2427da852f4c9d6eaaf37da3c4b768d4feb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bcf 0facd110 c1fa10 0fb65330 } + $sequence_0 = { c785a0fbffff01000000 53 eb61 e8???????? 33c9 668908 83c002 } $sequence_1 = { 5e 8be5 5d c20800 c7460c00000001 } - $sequence_2 = { 8b5358 898d88fbffff 8b4b50 0f94c0 } - $sequence_3 = { 8d5594 52 6a04 8d4590 50 56 } - $sequence_4 = { 8bd7 8b7b40 0facc218 c1f818 8a4340 } + $sequence_2 = { 8908 85db 743b 8b55d8 8b45d4 52 } + $sequence_3 = { 8b4b50 0f94c0 807b1400 899584fbffff 898d8cfbffff } + $sequence_4 = { 57 754c e8???????? 
8bf0 } $sequence_5 = { 8b4dcc 894308 8b45d0 50 } - $sequence_6 = { 5b 5d c20c00 83f803 7574 } - $sequence_7 = { 898da8fbffff 8d45e8 8985b4fcffff 8b433c 8bd0 8d4ddc } - $sequence_8 = { 6a00 6a00 ff15???????? 85c0 7516 } + $sequence_6 = { 885e60 895e58 895e50 895e70 895e54 3bc3 750b } + $sequence_7 = { 8b7508 898650af0100 899648af0100 899644af0100 89964caf0100 } + $sequence_8 = { 52 8d45b8 50 ffd7 8b458c } $sequence_9 = { bb01000000 d3e3 33c0 85db 7e1e 8d4900 } condition: 
@@ -86958,42 +86951,42 @@ rule MALPEDIA_Win_Pteranodon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "72fb35bc-9b29-55b2-a918-b3f0192a8f01" - date = "2026-01-05" - modified = "2026-01-06" + id = "e93fb407-90ad-50a7-a006-e52b137b4dd4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pteranodon_auto.yar#L1-L175" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pteranodon_auto.yar#L1-L179" license_url = "N/A" - logic_hash = "563c856f09bd2595e0a91450a96a721d247fe131fa027b2937b641124422f09c" + logic_hash = "737916054e2b7b0c780e102a99de5e901b3673ecd792a81881d53a8e87b91d79" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83f81d 7cf1 eb07 8b0cc584d70210 894de4 85c9 7455 } - $sequence_1 = { 8bcb e8???????? 83c41c 8d85a8f6ffff 50 6802020000 ff15???????? } - $sequence_2 = { 6a00 6a00 56 68???????? ff15???????? 56 e8???????? } - $sequence_3 = { 8b049de0874300 8b4de0 f644082801 7515 } - $sequence_4 = { ff5018 8b5dd0 83e800 7409 83e801 } - $sequence_5 = { e8???????? 68???????? 
8d95a8f8ffff c645fc12 8d8d60f8ffff } - $sequence_6 = { 894df8 8b048de0874300 33c9 41 897df0 } - $sequence_7 = { eb0e 6a06 c74634789f4200 59 c6463c00 5f 894e38 } - $sequence_8 = { c785fcfeffff6f002e00 c78500ffffff72007500 e8???????? 6800010000 8bf8 } - $sequence_9 = { 83c408 83f8ff bbffffffff 0f455d08 eb06 8b4dec } - $sequence_10 = { c685d8f8ffff00 e8???????? 8d85d8f8ffff c645fc22 50 } - $sequence_11 = { e8???????? 8bc8 83c404 894de8 8b01 } - $sequence_12 = { 8b55ec 8d45d8 8b4dd8 83fa10 8b75d4 0f43c1 2bf0 } - $sequence_13 = { 663b88e0e60210 740d 83c002 83f814 72ef 33c0 40 } - $sequence_14 = { 6a06 6a01 6a02 8b00 } - $sequence_15 = { 68???????? 56 ff15???????? 68b0000000 8d853cffffff 6a00 50 } + $sequence_0 = { e8???????? ff75b8 8b5db4 33c0 53 668906 ff75c0 } + $sequence_1 = { 8b049db8690310 894dfc 837c0118ff 7543 57 e8???????? } + $sequence_2 = { 0f8530ffffff b8ffff0000 0fb7c0 0fb7f0 8b55e8 83fa10 0f8288000000 } + $sequence_3 = { e8???????? 83c8ff e9???????? 6a10 } + $sequence_4 = { c1f906 56 57 6bf830 8b048db8690310 894df0 8b4c3818 } + $sequence_5 = { 25f0070000 660f28a040314300 660f28b8302d4300 660f54f0 660f5cc6 } + $sequence_6 = { ffd6 ffb5f8fdffff ffd6 33c0 e9???????? 6a00 6a00 } + $sequence_7 = { 0f57c0 6a01 50 0f1145e8 } + $sequence_8 = { 660f56fa 660fc5cc03 25ff000000 83c001 25fe010000 f20f593c8538f34200 660f122c8538f34200 } + $sequence_9 = { 751b 33c9 380d00000000 740c 8d5101 8a01 } + $sequence_10 = { 8d8d08f9ffff e8???????? 8d8da8f8ffff c645fc31 51 8bd0 } + $sequence_11 = { 8d4ea0 e8???????? 8b4690 8b4004 c74430903c0d0310 } + $sequence_12 = { 51 8bce e8???????? 83c408 56 ff15???????? 57 } + $sequence_13 = { 57 68???????? ff35???????? 8d45e4 8bf9 } + $sequence_14 = { c1f806 6bc938 8b0485e0874300 0fb6440828 83e040 5d c3 } + $sequence_15 = { c645fc07 8b85d4f8ffff c7851cf9ffff0f000000 c78518f9ffff00000000 c68508f9ffff00 83f810 7213 } condition: 7 of them and filesize < 499712 
@@ -87003,36 +86996,36 @@ rule MALPEDIA_Win_Blackenergy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "62fd91e5-385e-5b2b-8f41-0f60c4fa0e69" - date = "2026-01-05" - modified = "2026-01-06" + id = "de87d6df-3bc3-54af-8716-0b1a40ecad9f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackenergy_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackenergy_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "4b4bc961d280588360830fea0a66046ffbc4c49bb89c22238ddcc6fa38fb42f9" + logic_hash = "2323ff20bbdd47a53314190f6bdf610528610937bd86fe3e5a932ddb1a136f63" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89430c 8bc3 5f 5b } - $sequence_1 = { 56 e8???????? 8bf0 85f6 7417 56 6a00 } - $sequence_2 = { e8???????? 85c0 0f848c130000 8945b4 8b7508 8b7d10 8b4d0c } - $sequence_3 = { c70200000000 8b5104 0bd2 7407 c7420800000000 5a } + $sequence_0 = { 75df 8b5d0c 3bde 0f84c2000000 8b44240c 53 ff742418 } + $sequence_1 = { 57 57 68000000c0 ff7314 ff15???????? 894318 8b4318 } + $sequence_2 = { 85c0 7512 56 e8???????? ff35???????? } + $sequence_3 = { ff15???????? 897b18 8b5b14 3bdf 7407 53 ff15???????? } $sequence_4 = { 49 8bc3 2bc1 40 5b 5f 8bd0 } - $sequence_5 = { 53 e8???????? 
6a00 ffd0 8b5f3c 8365c800 } - $sequence_6 = { 47 38e0 74f1 3bca 7602 } - $sequence_7 = { ff15???????? c3 55 8bec 81ec08010000 8365fc00 57 } - $sequence_8 = { 83f905 770b c745f409000000 33c9 } - $sequence_9 = { ff75c4 51 6a00 ff7514 56 ff7508 } + $sequence_5 = { ffd0 5e 5b c9 c3 0fb6c9 } + $sequence_6 = { 83ff02 7510 689704811d 53 e8???????? 8d4dcc } + $sequence_7 = { 8d45fc 50 8d45f0 50 8d45bc } + $sequence_8 = { 8b4710 2b45fc 8b0e 890c30 83c604 } + $sequence_9 = { 74da 8b45fc 8b5818 53 6a40 895df4 } condition: 7 of them and filesize < 98304 
@@ -87042,35 +87035,35 @@ rule MALPEDIA_Win_Bughatch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f21da185-8629-53ca-b1ab-60be907f0853" - date = "2026-01-05" - modified = "2026-01-06" + id = "f54e8fe3-b2e3-58d6-91be-8bf19d6c39d7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bughatch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bughatch_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bughatch_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "8c2d742c99e41f022aebe397e085bdb9d00214c3c4ebe4e2052113f6ff7a225a" + logic_hash = "3eea01e584453a46912792e2fe951b17be860a37531047d44962733881f8f6bf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ec10 8b4508 8945f0 8b4df0 8b5508 03513c 8955f4 } - $sequence_1 = { 8945fc 8d95f8f7ffff 52 e8???????? 83c404 8945f8 8b45f8 } - $sequence_2 = { 6a00 e8???????? 83c40c eb41 8b450c 50 68???????? } - $sequence_3 = { d1e8 8945f4 8b4d08 894df8 c745fc00000000 eb09 } - $sequence_4 = { 6a00 8d4de8 51 6a00 8b55fc } - $sequence_5 = { ba01000000 6bc200 c6840588fdffff00 837d0c00 7507 33c0 e9???????? } - $sequence_6 = { ff15???????? 8b4df8 51 ff15???????? 8b45e0 } - $sequence_7 = { 6a00 6a00 ff15???????? b904000000 } - $sequence_8 = { 68???????? 8d8d94f7ffff 51 ff15???????? 
8b550c } + $sequence_0 = { 83c408 8945f8 b801000000 85c0 0f84e2000000 8d4de8 } + $sequence_1 = { eb20 8b45f4 50 e8???????? } + $sequence_2 = { e9???????? 837dfc05 740a 837dfc06 0f85db000000 6804010000 } + $sequence_3 = { 6bc800 8b550c 0fbe040a 85c0 7423 } + $sequence_4 = { 55 8bec 83ec14 c745f0c0010000 8b45f0 50 e8???????? } + $sequence_5 = { 8b5508 837a1000 7424 8b4508 } + $sequence_6 = { 0fb75116 81e200200000 7407 b805000000 eb28 8b45fc 0fb7485c } + $sequence_7 = { 7311 8b55f4 0355f8 0fb602 0345fc 8945fc } + $sequence_8 = { 7528 6a00 6a00 6a13 6a01 e8???????? 83c410 } $sequence_9 = { e9???????? 8d55f0 52 8b45e0 50 8b4de4 } condition: 
@@ -87081,36 +87074,36 @@ rule MALPEDIA_Win_Redpepper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d2edfb9a-1eb5-5a85-952d-b05e4e2a71cd" - date = "2026-01-05" - modified = "2026-01-06" + id = "f77416cf-57cd-5a74-bf4f-4ea580dd250c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redpepper_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redpepper_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "e96cef7dbcd0aadec344d24829840e1785ca6a9324f588db92d46f4ddb824ac9" + logic_hash = "813ccacfb8c59c7843322d71d2af3cd8f1dd82fe1e6d7b898b1da1a669bc0fb5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 6a15 8d562c 6aff } - $sequence_1 = { 8b500c 41 83f904 8b12 8a540aff } - $sequence_2 = { 7405 e8???????? 8bc7 5f c9 } - $sequence_3 = { 8b460c 85c0 7432 8b442420 } - $sequence_4 = { 8b450c 2bc7 50 8d041f } - $sequence_5 = { 6a01 8bcf 8bd8 e8???????? ff75fc } - $sequence_6 = { 6a65 6a20 e8???????? 83c428 8bc5 } - $sequence_7 = { 3c0a 741e 8365f800 3c0d 7503 895df8 3b750c } - $sequence_8 = { 83c404 85c0 7411 8b4c2418 5f } - $sequence_9 = { 8d85b4feffff 50 56 ff15???????? 
56 } + $sequence_0 = { 8b6c240c 56 8b742414 57 8b06 48 0f8431010000 } + $sequence_1 = { e8???????? 83c40c 85c0 7d1e 6a71 68???????? 688f000000 } + $sequence_2 = { 837e1802 7569 8b7e10 6a02 57 e8???????? 83c408 } + $sequence_3 = { 85c0 740b 6a00 56 e8???????? 83c408 56 } + $sequence_4 = { 55 8bec 83ec10 8d45f0 50 ff15???????? 33c9 } + $sequence_5 = { e8???????? 83c40c 3bc3 7520 6830010000 68???????? } + $sequence_6 = { 53 56 57 6884000000 68???????? 6a58 e8???????? } + $sequence_7 = { 6a00 ff7508 e8???????? 837dfc00 8bf8 7405 e8???????? } + $sequence_8 = { 8b742414 6a0f f7d1 49 56 8be9 e8???????? } + $sequence_9 = { e8???????? 83c414 e9???????? 8dbeb0000000 57 } condition: 7 of them and filesize < 2482176 
@@ -87120,36 +87113,36 @@ rule MALPEDIA_Win_Hermeticwizard_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a90e0914-4bb5-5c18-8701-049f4c06d7e8" - date = "2026-01-05" - modified = "2026-01-06" + id = "ae1c4d83-f3a9-5827-821c-275fe76c15d8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hermeticwizard_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hermeticwizard_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "942915314ef1e17eaccf9202ed3b81b64aa22d4533742c599cd868661ae4ab21" + logic_hash = "a1ca96a6b8129a1487179e533746545191b3aac0391ae09cde6e2f54fc282474" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6800080000 50 e8???????? 83c410 85c0 } - $sequence_1 = { 1bdb 83cb01 85db 0f94c0 } - $sequence_2 = { 6685db 7415 668b5902 663b5f02 750f 83c104 83c704 } - $sequence_3 = { 6689853effffff 66898540ffffff 33c0 66898542ffffff 8b45f8 66898d16ffffff } - $sequence_4 = { 3bc7 7442 8b35???????? 83c008 50 } - $sequence_5 = { 57 8bf1 8bfa 68???????? 56 ff15???????? 85c0 } - $sequence_6 = { 894310 8b45f0 c745ec989d0110 8d1486 } - $sequence_7 = { 7410 68???????? 8bce e8???????? 
59 894308 } - $sequence_8 = { 668b4104 663b4204 750b 8b4108 3b4208 7503 } - $sequence_9 = { 50 e8???????? 3b30 7533 8b45fc } + $sequence_0 = { 8b4508 57 8d3c8508e10110 8b0f } + $sequence_1 = { 66894586 8d856cffffff 50 6689957affffff } + $sequence_2 = { 6a69 58 6a43 66894dce 66894dd4 66894dda } + $sequence_3 = { 50 ff15???????? 8b45e8 8d9558feffff 8b7dd8 } + $sequence_4 = { 51 33c9 6a14 5a 41 e8???????? 59 } + $sequence_5 = { 3b550c 75e6 8b33 8b45fc 3b06 752c 8bcb } + $sequence_6 = { 6a01 56 ff15???????? 85c0 7423 } + $sequence_7 = { c3 837d08ff 0f8401070000 e9???????? e9???????? 55 8bec } + $sequence_8 = { 6a01 ff75f8 8bf1 894df4 894dfc } + $sequence_9 = { 5b 6a24 5f 84c0 } condition: 7 of them and filesize < 263168 
@@ -87159,36 +87152,36 @@ rule MALPEDIA_Win_Nightsky_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "49806bb3-db04-5175-bd2d-05a084f5301e" - date = "2026-01-05" - modified = "2026-01-06" + id = "22c30871-8598-5bd9-8d22-824678bee701" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nightsky_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nightsky_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "58c0a44a79ed929ad206a6701f3a4c117bf07ad9e9a507d5d3b0ad9c115c5cd3" + logic_hash = "d264e9f3d7aa5c65e2a2a650c57f8323284818798c571a7e4f26505fd97e3e02" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bda 420fb6bc3010680500 418bc3 c1e708 48c1e810 0fb6c8 420fb6843110680500 } - $sequence_1 = { 83f806 0f879c010000 488d155277ffff 4898 8b8c82948a0000 4803ca ffe1 } - $sequence_2 = { 488bd7 498bcc ff15???????? 4c8d4c2470 48895c2420 41b800000800 498bd6 } - $sequence_3 = { 4883c602 66833e00 758d 483bf5 765e 482bf5 48d1fe } - $sequence_4 = { 488905???????? 4885db 488d059af90400 488905???????? b830000000 480f44d8 486305???????? } - $sequence_5 = { 4983f940 72eb e9???????? 
488d059e1f0000 48b90000000000000080 488987c8000000 488d0576900200 } - $sequence_6 = { 488d05ba8b0200 c7475001000000 48c7475804000000 48894778 488d0508520300 c7476801000000 48c7477004000000 } - $sequence_7 = { e8???????? 486305???????? 4c8d0516060500 83f814 0f8d99000000 488bc8 488d0480 } - $sequence_8 = { 458b849610710500 48c1eb18 4533848e10810500 4533848610640500 410fb6c3 49c1eb08 410fb6ca } - $sequence_9 = { 0fb64103 468b8c8710750500 0fb6943810630500 0fb64102 44338c9710640500 0fb6943810630500 } + $sequence_0 = { 72e3 488b542428 488bce ff15???????? 488d1596f00300 488bce ff15???????? } + $sequence_1 = { ff15???????? 488b7c2438 488b5c2430 488b6c2440 b801000000 4883c420 } + $sequence_2 = { 66440fbec4 488bac2490000000 48ffcf 66418bf9 400f99c7 f7d5 4d0fbfce } + $sequence_3 = { 488bd9 488d05e1b20000 488981a0000000 c7411c01000000 c781c800000001000000 c6817401000043 c681f701000043 } + $sequence_4 = { 488905???????? 488b05???????? 488905???????? e8???????? e8???????? 488d542460 48c744245000000000 } + $sequence_5 = { 442bc0 488d058c3d0100 4489742440 4c8b742450 4c8d4c2448 488d942420070000 } + $sequence_6 = { 498bcc ff15???????? e9???????? 488b0d???????? 4c89bc2420250000 8b9148010000 } + $sequence_7 = { e9???????? 33c9 ff15???????? cc 4c8bdc 53 56 } + $sequence_8 = { 8bcb 48c1e908 0fb6d1 418bc9 48c1e918 478ba485106d0500 4c897df0 } + $sequence_9 = { 488bee 4885db 0f8493000000 4533f6 0f1f4000 4885ed } condition: 7 of them and filesize < 19536896 
@@ -87198,36 +87191,36 @@ rule MALPEDIA_Win_Nymaim2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d42ecfd-461f-543d-9a58-ba44ed0f874f" - date = "2026-01-05" - modified = "2026-01-06" + id = "711d4d9f-f3c0-5fb2-b2a1-2a305dd8fe8a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nymaim2_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nymaim2_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "e64916e16c04fec69a155375e17360cf8ab01eed1bdb9780112b275d8e2ffaa7" + logic_hash = "74889619dd78c816871dcfc84b09e1f471fde562b6fe9b95bea38d361cd6226a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf9 be???????? 56 8d5f14 e8???????? 59 } - $sequence_1 = { 33c0 eb07 8b07 8b4004 03c7 83480c04 8b07 } - $sequence_2 = { ff5008 51 8d4604 8bcc 896508 50 e8???????? } - $sequence_3 = { 5b c1f805 d3e3 8d0486 0918 8b45e8 8b5df0 } - $sequence_4 = { ff4008 8b06 397808 75c2 ff400c ebbd 8b5620 } - $sequence_5 = { 885dfc e8???????? 8d4e24 e8???????? 83ec18 8bcc 8965ec } - $sequence_6 = { 8d45e4 53 50 ff15???????? 6a01 8d4de4 c645fc02 } - $sequence_7 = { 51 56 8bf1 8975f0 c706???????? 
8d4e64 c745fc04000000 } - $sequence_8 = { 8b00 23c7 3b02 894514 7d58 8b5508 8d1482 } - $sequence_9 = { e8???????? 50 8d4d08 e8???????? 85c0 0f9dc3 8d4d9c } + $sequence_0 = { 037704 8d450c 50 8bce e8???????? 834dfcff 8d4d0c } + $sequence_1 = { 6806020000 8d8d6cffffff e8???????? ff762c 8bc8 897dfc e8???????? } + $sequence_2 = { 0fb6c0 8d4b04 8945f4 894dfc 8b4dfc e8???????? 84c0 } + $sequence_3 = { 89460c 8bc6 5f 5e 5b c20400 b8???????? } + $sequence_4 = { 8b4d10 50 e8???????? 50 ff15???????? 50 ff15???????? } + $sequence_5 = { 50 e8???????? 59 8d45f0 50 e8???????? 6a01 } + $sequence_6 = { c706???????? 8365fc00 8d4e08 e8???????? 834dfcff 8d4e04 e8???????? } + $sequence_7 = { 75f5 33c0 8a23 894514 8b4518 48 83f803 } + $sequence_8 = { ff15???????? ff36 8d45d4 8bcb c645fc04 } + $sequence_9 = { 834dfcff 89770c 5e 8b450c 8b4d08 85c0 7608 } condition: 7 of them and filesize < 753664 @@ -87241,7 +87234,7 @@ rule MALPEDIA_Win_Soul_Auto : FILE date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soul" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.soul_auto.yar#L1-L235" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.soul_auto.yar#L1-L235" license_url = "N/A" logic_hash = "006ca2db66b727a223c7e1c69f1643e1ec1c7be66a86b7b95f1d15a0130986f8" score = 75 
@@ -87289,36 +87282,36 @@ rule MALPEDIA_Win_Xenarmor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "55610d93-1ce0-5ea9-b26e-9c8f1380484b" - date = "2026-01-05" - modified = "2026-01-06" + id = "b14dbbf7-b248-5ca7-bec1-7bf9792f172d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenarmor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xenarmor_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xenarmor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "10c19019c6e353e0437445c705fdac1c2ec6dd84cb0e3e79b7bc1280d736134b" + logic_hash = "8461b00ea65911dc30667513375de29f713a98f01004d89e0b35bf4b96c1cd8e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7f9 8b8d64ffffff 6640 66034616 8bd0 e8???????? f7462440010000 } - $sequence_1 = { e8???????? 8bf0 83c418 85f6 0f84ed000000 8d8584e5ffff 8d8dfcd1ffff } - $sequence_2 = { e8???????? 50 8d4d08 c645fc03 e8???????? c645fc00 8bc7 } - $sequence_3 = { e9???????? ff7304 8b53bc ff73e0 8b4d0c e8???????? 83c408 } - $sequence_4 = { ff742428 ba56000000 ff742428 e8???????? 83c40c eb33 8b542420 } - $sequence_5 = { 8bf0 e8???????? 8b5df0 8bf8 57 56 ba35000000 } - $sequence_6 = { 8d8ff8000000 e8???????? 
895de8 c745e4d4ee6800 ff750c 8d4de4 895dfc } - $sequence_7 = { f6400408 0f8589000000 83783000 8b44246c 741c 85c0 7518 } - $sequence_8 = { ba74000000 e8???????? 83c40c eb37 8d4201 89416c 8d0c92 } - $sequence_9 = { 8bce e8???????? 685e010000 8bce e8???????? 8b86a8b30500 038690b30500 } + $sequence_0 = { e8???????? 8bf8 85ff 75a0 8b8ed0000000 e8???????? 8b4c2410 } + $sequence_1 = { e8???????? 59 59 85c0 7906 c70705000000 ff15???????? } + $sequence_2 = { e8???????? 8bc8 894c2408 85c9 0f847b010000 b804000000 66894108 } + $sequence_3 = { ff742474 8bcb e8???????? 83c408 ba38000000 8bcb 50 } + $sequence_4 = { ff742414 e8???????? 83c408 85c0 7412 8b5314 6861ae0000 } + $sequence_5 = { ff760c e8???????? 8b5510 83c404 8bce e8???????? 8886a4000000 } + $sequence_6 = { e8???????? 68???????? 8d86108e0500 68c8000000 50 e8???????? 68???????? } + $sequence_7 = { e8???????? 8b542448 8d8424d4000000 50 8bce e8???????? 83c404 } + $sequence_8 = { f68070306c0004 0f45ce e8???????? 85c0 0f854d020000 8d4db0 e8???????? } + $sequence_9 = { e8???????? 83c408 8944240c 8bd0 85c0 0f8492000000 85f6 } condition: 7 of them and filesize < 10894336 
@@ -87328,36 +87321,36 @@ rule MALPEDIA_Win_Penco_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6aee07a7-ef18-5814-98a9-4888b78c9e4c" - date = "2026-01-05" - modified = "2026-01-06" + id = "78c68459-1e09-5cd5-b25a-b945312c5405" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.penco_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.penco_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "cbd5d55ae946f04f495d8f2278cd17d368565e9345c264d195e742a52381e75b" + logic_hash = "7039dc42acd313384438ba31b4a6ab48668a96d07ca0343300fbb60bb5bb7e97" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33349500d83400 8bcf c1e918 33348d28ec3400 8b4c2410 0fb6d1 33349500d43400 } - $sequence_1 = { 75f6 8b542410 52 ff15???????? 6800c00000 6a00 56 } - $sequence_2 = { 51 8d95ecf0ffff 52 8b85b0fdffff 8d8c05e0fdffff 51 } - $sequence_3 = { 6800300000 8b9548feffff 52 6a00 ff15???????? 8945e4 } - $sequence_4 = { ff15???????? 68???????? 8b4de4 51 ff15???????? 6a02 } - $sequence_5 = { 8d8c245c020000 51 03f0 8d142e 68???????? 52 e8???????? } - $sequence_6 = { 69c0c4020000 c784059c96ffff4d000000 e9???????? 
c7851c94ffff00000000 b901000000 85c9 0f8409090000 } - $sequence_7 = { 8b4508 56 8d34c5c0c23400 833e00 7513 50 e8???????? } - $sequence_8 = { 3bc6 740b 3dea000000 0f85d8000000 8b6c2410 3bee 0f84da000000 } - $sequence_9 = { 8b349528ec3400 8b542414 894c241c 8b4c2410 c1e910 0fb6f9 3334bd28e83400 } + $sequence_0 = { 83c004 895104 8b5004 83c104 83c004 5e 83c104 } + $sequence_1 = { 897dc4 b375 889d00020000 c6850102000073 b065 888502020000 b172 } + $sequence_2 = { 8b02 014110 c21400 837c240c3c 7512 8b542410 8b02 } + $sequence_3 = { 50 ffd3 85c0 752c 8b0d???????? 6aff } + $sequence_4 = { 57 e8???????? 83c414 85c0 7437 0fb64c2419 0fb6542418 } + $sequence_5 = { 6a00 8d85dcfdffff 50 8b8dbcf5ffff 51 } + $sequence_6 = { 6a00 8b850c93ffff 69c0c4020000 8d8c05889fffff 51 68???????? } + $sequence_7 = { 83f819 7ef4 b961000000 888128083500 41 40 83f97a } + $sequence_8 = { 8b8d48feffff d1e1 898d48feffff 6a04 6800300000 8b9548feffff } + $sequence_9 = { 33349500d83400 8b7c2414 0fb6d3 33349500d43400 8b542418 337008 c1eb18 } condition: 7 of them and filesize < 319488 
@@ -87367,36 +87360,36 @@ rule MALPEDIA_Win_Cosmicduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3cb396e5-37a7-5104-9052-2cb8d08028c4" - date = "2026-01-05" - modified = "2026-01-06" + id = "667294d1-93ba-5cf4-adb7-c6352a178500" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cosmicduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cosmicduke_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cosmicduke_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "c91b7a120fba1263ab464236cd77e48a69e2be7cc7ffc669f627390a309044cd" + logic_hash = "4042c496399421d8bce6159a837dd6fc589749e08d3bb625b03ef4999159b211" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895df4 53 33f6 885dfb ff15???????? 85c0 0f8591000000 } - $sequence_1 = { eb0e 68???????? 8d85c0f9ffff 50 ffd3 68???????? 8d85d0fdffff } - $sequence_2 = { 68???????? 8d85f4fdffff 50 ff15???????? 8d85ecfbffff 50 } - $sequence_3 = { 7443 68???????? 8d842448020000 50 ffd6 85c0 7438 } - $sequence_4 = { 68???????? 6a01 6a01 68???????? e8???????? ba01000080 8bc8 } - $sequence_5 = { 668b044510984200 8b4dfc 6689044e 33c0 ff4d0c 75d2 8b4dfc } - $sequence_6 = { e8???????? 8b442450 8944240c 8d44240c 50 8bfe 8d442450 } - $sequence_7 = { 68???????? 50 6801000080 e8???????? 
e8???????? 3d09030000 7515 } - $sequence_8 = { ff15???????? 83c410 6a00 ff742434 68???????? e8???????? c644245c00 } - $sequence_9 = { 8d442424 50 8b442424 68???????? 57 895c2448 } + $sequence_0 = { 50 68905b0100 8d8554a4feff 50 ff75f4 ff15???????? 8bd8 } + $sequence_1 = { ff5108 ebaa 837c242028 8b442414 8b08 7d33 } + $sequence_2 = { 7f4b 3bf3 7508 c744241001000000 017c2410 391d???????? 7509 } + $sequence_3 = { 8365f400 53 56 57 8bf0 8d45f8 50 } + $sequence_4 = { e8???????? 68???????? e8???????? 59 834dfcff 8b4df4 b8???????? } + $sequence_5 = { 57 e8???????? 83c40c 84c0 0f84f3020000 8b742428 d1ee } + $sequence_6 = { 8b0437 ebf2 85ff 743a 837c240400 7433 8b8680080000 } + $sequence_7 = { e9???????? 8d8568efffff 50 e8???????? c3 8db558efffff } + $sequence_8 = { 53 53 6a1c 53 ffd6 85c0 750b } + $sequence_9 = { eb8a 8b45e4 8b08 8d55e0 52 68???????? 50 } condition: 7 of them and filesize < 456704 
@@ -87406,36 +87399,36 @@ rule MALPEDIA_Win_Dircrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9519422-995e-5f4b-95b5-a3519aa7df7b" - date = "2026-01-05" - modified = "2026-01-06" + id = "1c7007c2-c700-57c8-8e8a-c43caa7f1456" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dircrypt_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dircrypt_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "97e8d29d80833d84634b7be7e527266210c621226e2be34c9aa4ca8405333cc4" + logic_hash = "aea080e224686fed7ac5d661abcd9b21aacc5d6ea2b4317b71789244fc857291" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 6a00 e8???????? 05d6070000 50 } - $sequence_1 = { e8???????? 03f0 8d45dc 50 e8???????? } - $sequence_2 = { e8???????? 05d3070000 50 6a01 } - $sequence_3 = { 833d????????00 751a 68???????? e8???????? 05d2070000 50 e8???????? } - $sequence_4 = { 751a 68???????? e8???????? 05d2070000 50 } - $sequence_5 = { 833d????????00 7514 c705????????01000000 e8???????? } - $sequence_6 = { c705????????01000000 e8???????? e8???????? 833d????????00 7514 } - $sequence_7 = { 6801000080 e8???????? e8???????? e8???????? e8???????? } - $sequence_8 = { 05d2070000 50 e8???????? 
a3???????? 6a13 68???????? } - $sequence_9 = { 833d????????00 7536 c705????????01000000 e8???????? } + $sequence_0 = { 6a01 6a10 e8???????? 50 } + $sequence_1 = { e8???????? 6a00 e8???????? 05d6070000 } + $sequence_2 = { c705????????01000000 e8???????? e8???????? 833d????????00 7514 68???????? 68???????? } + $sequence_3 = { e8???????? e8???????? e8???????? e8???????? 833d????????00 7514 } + $sequence_4 = { e8???????? e8???????? 68???????? ff15???????? 833d????????00 751a } + $sequence_5 = { 751a 68???????? e8???????? 05d2070000 50 e8???????? } + $sequence_6 = { e8???????? 05d3070000 50 6a01 6a02 6a08 8d45e4 } + $sequence_7 = { e8???????? 68???????? ff15???????? 833d????????00 751a 68???????? } + $sequence_8 = { 6a06 8d45dc 50 e8???????? 8b45fc } + $sequence_9 = { e8???????? 68???????? ff15???????? 833d????????00 751a } condition: 7 of them and filesize < 671744 
@@ -87445,34 +87438,34 @@ rule MALPEDIA_Win_Manitsme_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71cb4532-c54e-57eb-a20c-2765fcfa6978" - date = "2026-01-05" - modified = "2026-01-06" + id = "a4b95dfa-4e07-5ba1-9242-36486fd8cf96" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.manitsme_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.manitsme_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "f54a2de03d86d0088dd4a7debb0ef3d048ee2324f936fed5683caed7b0cf71b4" + logic_hash = "ffef6c7e066cf68fd20b34db93f83c77075effab0d9b21941f06c320d2240c5a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895c2450 ffd6 8b35???????? 8d542410 52 } - $sequence_1 = { 85c0 0f84a2000000 837c241000 766e 6a00 8d442414 50 } + $sequence_0 = { 6a00 6a00 8d4c2414 51 6a00 89742420 c744241c01000000 } + $sequence_1 = { 8d442420 50 6a00 6a00 8d4c2434 51 6a00 } $sequence_2 = { 8bc8 c1f905 8d1c8d40580110 8bf0 83e61f 6bf628 8b0b } - $sequence_3 = { d96c2416 e8???????? 83c404 85c0 7505 b8100e0000 } - $sequence_4 = { 6a02 68???????? be07000000 e8???????? } + $sequence_3 = { e8???????? 83c404 52 ff15???????? ebaf 6a00 6a01 } + $sequence_4 = { 50 e8???????? a1???????? 
83c404 83f8ff 7420 } $sequence_5 = { 68???????? 32db e8???????? dc0d???????? } $sequence_6 = { 52 be04010000 8bfb e8???????? } - $sequence_7 = { ff15???????? 6a00 b801000000 e8???????? 83c404 b801000000 c20c00 } + $sequence_7 = { e8???????? 83c404 b801000000 c20c00 81ec40010000 a1???????? } $sequence_8 = { ffd3 85c0 7586 50 ff15???????? } $sequence_9 = { 7416 8bc1 83e01f 6bc028 8bd1 c1fa05 03049540580110 } 
@@ -87484,36 +87477,36 @@ rule MALPEDIA_Win_Pandabanker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7a6bb16-47e5-52e8-857d-352f3fc1d921" - date = "2026-01-05" - modified = "2026-01-06" + id = "2cbd3a11-94db-504c-9603-ab3934756391" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pandabanker_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pandabanker_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "7224c438b16af79be738a189a249337e2e081d636ca75e4e1c5b1122ffa5e8c5" + logic_hash = "a7307e48ca3a2720a7f9182ac5baf58dcbb474539d9915922885c16ae137f0b1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { d0c2 8ac2 d0c0 32c1 32c2 } - $sequence_1 = { 42 83fa10 72ee 8b5500 } - $sequence_2 = { 8bf2 57 8bf9 8d8df4fdffff } - $sequence_3 = { f3aa 8932 8d46f0 8b5500 } - $sequence_4 = { 895c2414 8bf1 e8???????? 84c0 746d 83caff 8bce } - $sequence_5 = { 8bf0 85f6 7414 e8???????? 8906 85c0 7509 } - $sequence_6 = { 33c0 33d2 89442418 3bfd 7359 } - $sequence_7 = { 8bce 2b0f 33448f4c 8944b74c 6a05 59 } - $sequence_8 = { 03c8 894c2434 8d5101 8bce e8???????? 85c0 } - $sequence_9 = { 75f9 2bce 5e 8d040a c3 33c0 c3 } + $sequence_0 = { 8bf1 85f6 7418 8b4e04 e8???????? 
} + $sequence_1 = { 8d5b04 47 3bfe 7ce8 } + $sequence_2 = { 7510 46 83fe64 72a7 32c0 5f 5e } + $sequence_3 = { 8b742418 8d3c28 8bcb f3a4 } + $sequence_4 = { 2bc1 3be8 0f8c3fffffff 8bd3 2b5704 } + $sequence_5 = { 894104 3b7708 7505 8b0e 894f08 } + $sequence_6 = { 85f6 7e26 8be8 8d831c020000 } + $sequence_7 = { 42 89848f1c020000 3bd3 7ce8 5f 5e } + $sequence_8 = { 894714 ebc2 8a06 3c22 } + $sequence_9 = { e8???????? 8bd1 6a02 59 8d1442 } condition: 7 of them and filesize < 417792 
@@ -87523,36 +87516,36 @@ rule MALPEDIA_Win_Guidloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eceb0420-babc-5550-b00f-55949b1733ed" - date = "2026-01-05" - modified = "2026-01-06" + id = "534e1a6f-2457-591b-9bbb-15f45fb7dfe8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.guidloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.guidloader_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.guidloader_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "909d36bb63fb6009cd4cb0cf7912a67325d3ddd81af65c11026fd36fda233963" + logic_hash = "ed9095d4782fba48258f819f1d0768a67dce54607139e431173a7b68938ea163" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 498bd4 e8???????? 837d1000 0f8659020000 44896c2428 488d5510 4c8bcf } - $sequence_1 = { 4d2bc8 418b51fc d3ea 4c894808 895018 410fb609 } - $sequence_2 = { 83f802 7711 488b4228 49394128 418b08 0f44cf } - $sequence_3 = { e8???????? 4533c0 4c8d0dcd72ffff 498b5508 0fb60a 83e10f 4a0fbe840920460100 } - $sequence_4 = { 4c8d442448 488d1532700000 33c9 ff15???????? 
488b4c2448 85c0 } - $sequence_5 = { 418807 4c852e 764f ba30000000 49b80000000000000f00 6666660f1f840000000000 488b06 } - $sequence_6 = { 4889442460 4863842420010000 4889442468 0fb6842440010000 0f298c2480000000 0f280d???????? } - $sequence_7 = { 898c9564010000 49c1e820 453bcd 75d6 4585c0 742e 8b8560010000 } - $sequence_8 = { 410f1006 0f11442430 e9???????? 488bfe 4883cf0f 483bfb 7629 } - $sequence_9 = { 894208 f6c310 740a 418b02 4983c204 89420c 807c243000 } + $sequence_0 = { 488b5160 448b8218010000 41c1e010 440b821c010000 4181f801000500 730b 4805d8000000 } + $sequence_1 = { 0f28b42490000000 4c8bb424a0000000 488bac24d0000000 488b9c24c8000000 488b4c2468 4833cc e8???????? } + $sequence_2 = { f30f7f4c2458 498bd6 488d4c2448 e8???????? 488d542448 488bce } + $sequence_3 = { 443bc8 7405 8b5590 ebad 418bdf 85ff 7418 } + $sequence_4 = { 757e 488d3da69d7601 8b4318 a90c010000 756d 0d02110000 } + $sequence_5 = { eb26 0fb739 eb21 8b5330 8bc2 488b4b20 c1e804 } + $sequence_6 = { 4c8ba0f8000000 65488b042530000000 488b4860 8b8118010000 c1e010 0b811c010000 } + $sequence_7 = { 8b50fc d3ea 448bda 4183e303 } + $sequence_8 = { 0f8c84000000 488bcf bf00800000 66853c4a 7476 488b4808 } + $sequence_9 = { 4d85c0 7437 413830 7509 } condition: 7 of them and filesize < 49251328 
@@ -87562,36 +87555,36 @@ rule MALPEDIA_Win_Kimjongrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b926698-de48-5e8a-8566-c17b49269158" - date = "2026-01-05" - modified = "2026-01-06" + id = "5566b500-a4f9-59c1-9949-5a48614fe2fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kimjongrat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kimjongrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "da574ab8eb91cef15d29c514535c9dc879faba86aa4b2abebc3c50264b62c499" + logic_hash = "ae4aa27f3b130f9a25de75177de58ad1ac53d730877055e018cbcb8dd9175611" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb13 ff37 6a00 ff771c 52 ff7508 e8???????? } - $sequence_1 = { 85c9 740e 51 50 e8???????? 83c408 0bf8 } - $sequence_2 = { e9???????? c6840decfbffff64 e9???????? c6840decfbffff70 e9???????? c6840decfbffff73 e9???????? } - $sequence_3 = { c6840db0abffff29 e9???????? c6840db0abffff3b e9???????? c6840db0abffff2b e9???????? c6840db0abffff3e } - $sequence_4 = { 8b43e8 0343e4 8943cc e9???????? 
8d4304 50 8d73d4 } - $sequence_5 = { 8bd7 85d2 7464 8b4d08 8b4908 8b491c 8b4910 } - $sequence_6 = { beff1f0000 6685700c 8b75c8 741c 6a00 52 57 } - $sequence_7 = { 8b5d08 807b4201 0f859d000000 8a5340 f6c202 0f8491000000 8b4b10 } - $sequence_8 = { e9???????? 6a01 ff73b4 57 e8???????? ff73c4 ff73f4 } - $sequence_9 = { e8???????? 8b5d10 53 6a00 6a4f ff75f8 8bf8 } + $sequence_0 = { ffb68c010000 8d85b4f9ffff ffb688010000 57 50 e8???????? 8b8db0f9ffff } + $sequence_1 = { eb07 c605????????00 56 e8???????? 83c404 5e 5b } + $sequence_2 = { eb4e c6841528ffffff28 eb44 c6841528ffffff24 eb3a c6841528ffffff5d eb30 } + $sequence_3 = { eb03 53 6a7a 57 e8???????? 8945e4 83c410 } + $sequence_4 = { 8b4508 8b5df4 83c45c 40 50 6a48 53 } + $sequence_5 = { e9???????? c6840de8faffff23 e9???????? c6840de8faffff21 e9???????? c6840de8faffff25 e9???????? } + $sequence_6 = { ff4624 89460c 5e 5d c3 33c0 5e } + $sequence_7 = { e9???????? c6840d98a5ffff76 e9???????? c6840d98a5ffff65 e9???????? c6840d98a5ffff75 e9???????? } + $sequence_8 = { 8d45e8 50 53 ff75e0 e8???????? 8bf0 83c410 } + $sequence_9 = { e8???????? 83c404 ff750c 3b7dd4 7469 8b4514 3c25 } condition: 7 of them and filesize < 1572864 
@@ -87601,36 +87594,36 @@ rule MALPEDIA_Win_Heyoka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "374fa72e-9fa9-57de-876f-40244ff261b7" - date = "2026-01-05" - modified = "2026-01-06" + id = "5ddeb363-5d6a-597c-ac5e-c8d212261d18" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.heyoka_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.heyoka_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "3a5efb9930b3bae06b8a8e2c4e2b028b7e1db66cce7d680b56a42e4a7b874053" + logic_hash = "58c931ea0ec063ac7285f1fbf34f82535da284c6d83cbbb725285e4c053307f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? ff15???????? b801000000 5d c3 55 8bec } - $sequence_1 = { 8b5118 895018 a1???????? 8b4dfc 894818 8b55fc 8915???????? } - $sequence_2 = { 0345f8 8a4df1 8848ff 8b55f8 3b550c 7c02 eb02 } - $sequence_3 = { 8bec 8b4508 33c9 8a480c 51 8b5508 83c20d } - $sequence_4 = { 8b45ec 8945f4 8b4df7 81e1ff000000 51 8b55f6 81e2ff000000 } - $sequence_5 = { 8b0d???????? 894df8 683f420f00 6a00 8b15???????? 52 e8???????? 
} - $sequence_6 = { 8bec 81ec18040000 57 c685f0fbffff00 b9ff000000 33c0 8dbdf1fbffff } - $sequence_7 = { 8bc3 885d0b c1e808 88450a 0fb6c0 f68061d7011004 } - $sequence_8 = { 8b7508 8b06 8945c0 3bc3 7545 8d45c0 50 } - $sequence_9 = { 8b5590 83c201 895590 8b4590 3b4510 0f87ab000000 8b4d0c } + $sequence_0 = { 8b85e4fbffff c6403500 8b8ddcfbffff 83c106 8b95e4fbffff 894a30 c785e0fbffff00000000 } + $sequence_1 = { 8b45f8 81bc906050000000100000 75dd 8b4dfc 8b55f8 8b848a64940000 8b4df8 } + $sequence_2 = { 83e030 c1f804 8d0c88 8b55f8 0355f0 880a } + $sequence_3 = { 740c 8b55fc 52 8b4de0 e8???????? eba7 837de800 } + $sequence_4 = { 52 ff15???????? 25ffff0000 8b4df4 8d54010c 8955f4 8b450c } + $sequence_5 = { 894508 8b4508 c600ff 8b4d08 c78181000000ffffffff 8b5508 c6420100 } + $sequence_6 = { 8b4d08 51 8b55f8 8b4210 50 e8???????? 83c40c } + $sequence_7 = { 0fbe45ed c1f802 83e007 0bd0 8855f4 0fbe4ded 83e103 } + $sequence_8 = { 8b55dc 83c204 52 e8???????? 83c408 8b4514 50 } + $sequence_9 = { c1e007 0fbe4df1 83e11f c1e102 0bc1 0fbe55f2 c1fa03 } condition: 7 of them and filesize < 270336 
@@ -87640,36 +87633,36 @@ rule MALPEDIA_Win_Knight_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c56e315-5200-56d5-8f06-4a544e9166d5" - date = "2026-01-05" - modified = "2026-01-06" + id = "6ede2123-44fc-5e00-a980-aeb4686f20ac" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.knight" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.knight_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.knight_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "5179c3d4ae4d3eb009209c68a9fa6d8609b0788178a723a29c116931afb57a36" + logic_hash = "fc999c598d533221ddbbccee6dda79ef9ba8acb6f15a3bba510a8479e781d600" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb7a 4889bc24a8010000 4889b424b0010000 c644243700 488b9424c8010000 488b02 ffd0 } - $sequence_1 = { e9???????? e8???????? 48898424d8000000 48899c2488000000 90 488d05b9951400 e8???????? } - $sequence_2 = { eb0a 488d3555d71700 4889c7 4c8b87c0000000 4c8b8fc8000000 0f1f4000 4d85c0 } - $sequence_3 = { eb1c 4889c7 488b8c24e0230000 e8???????? 488d3dcf083000 e8???????? 6690 } - $sequence_4 = { 4d3b6610 0f86a3010000 4881eca0000000 4889ac2498000000 488dac2498000000 48bae36f8e02db14e6c7 488954241f } - $sequence_5 = { 90 e8???????? e8???????? 
4889c1 4889df 488d0589551f00 488b9c2400070000 } - $sequence_6 = { eb0c 488d3da69a4c00 e8???????? e8???????? 48891d???????? 833d????????00 7509 } - $sequence_7 = { ffc2 85d2 7d10 488d057e863800 31db 31c9 e8???????? } - $sequence_8 = { ffd1 4889842438010000 48899c2490000000 488d0517dd1700 e8???????? 488b8c2490000000 48894808 } - $sequence_9 = { e8???????? f20f108424f0000000 f20f108c24c0000000 0f57d2 660f2ed0 7613 f20f101d???????? } + $sequence_0 = { e8???????? 488d3d639e2f00 0f1f00 e8???????? e8???????? 48898424081f0000 48899c24d0020000 } + $sequence_1 = { 72b8 eb1b 31c0 488d5c241a b920000000 e8???????? 488b6c2468 } + $sequence_2 = { e8???????? 4889442428 48c70000000000 488d0514eb0d00 e8???????? 4889442420 488d0583961000 } + $sequence_3 = { eb14 488b442458 488b7c2428 488b5c2440 488b4c2430 488bb020100000 4c8b8028100000 } + $sequence_4 = { 90 ff82d8000000 498b5630 31c0 488d3590215800 bf01000000 f00fb13e } + $sequence_5 = { c681e400000000 b9ffffffff 488d1514da5200 f00fc10a ffc9 85c9 7c62 } + $sequence_6 = { eb1d 440fb64c3428 4129d1 418d51e9 88543c28 418d50e9 88543428 } + $sequence_7 = { eb10 4889c7 488b8c2490000000 e8???????? 488b4c2450 48894810 833d????????00 } + $sequence_8 = { e8???????? 31db 488d0d61312300 4889c7 31c0 488bac2448010000 4881c450010000 } + $sequence_9 = { e8???????? e8???????? 4889c3 488d05e17b2700 90 e8???????? 4c89d8 } condition: 7 of them and filesize < 12149760 
@@ -87680,10 +87673,10 @@ rule MALPEDIA_Win_Moure_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "24a69d15-3d57-5717-b947-e4f8b8b4c7de" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moure_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moure_auto.yar#L1-L125" license_url = "N/A" logic_hash = "a44a23c1ab1d27db26aa7a8c25dca384907550ea332fbf4f4e348b0d15134c0b" score = 75 @@ -87692,9 +87685,9 @@ rule MALPEDIA_Win_Moure_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -87718,41 +87711,41 @@ rule MALPEDIA_Win_Daxin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "87cbb543-e190-5544-9083-2d59abd8b683" - date = "2026-01-05" - modified = "2026-01-06" + id = "772c938d-3868-589a-bc14-4ebd023743ec" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.daxin_auto.yar#L1-L148" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.daxin_auto.yar#L1-L147" license_url = "N/A" - logic_hash = "e656f3948a2ac7b99eaa279f9e6a2040cdd5d22a79f30ee80aef3c1f7f763afa" + logic_hash = "4fc166b046dde44f28e160eae2d3c2592df8ddaeb62e1af026eff0900a31010e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 2bc2 d1f8 99 f7f9 } - $sequence_1 = { 418b5b3c 418b6b38 e8???????? 85db } - $sequence_2 = { 0fb7c0 0bc8 2b8bd0000000 85c9 0f8eec000000 } - $sequence_3 = { 488bf0 4885c0 0f8467ffffff 33d2 41b8e0000000 } - $sequence_4 = { 66f7d8 1bc0 f7d8 83c003 eb15 } - $sequence_5 = { 4533c0 498bcb e8???????? 668bd8 6641895b0a } - $sequence_6 = { 740a 8b02 23c1 23cf } - $sequence_7 = { 0f8cd8000000 ff15???????? 4c8b4f28 4533c0 884708 } - $sequence_8 = { b930000000 33c0 8bfd 66c74664ffff } - $sequence_9 = { 57 8908 894804 894808 8b15???????? 
} - $sequence_10 = { b930000000 33c0 8bfb 33f6 } - $sequence_11 = { 0f85d8000000 668b4702 663b442412 0f85c9000000 668b4f04 } - $sequence_12 = { 8b442412 668b4c2414 66894c2412 6689442414 } - $sequence_13 = { 03c7 894e04 8b4e1c 3bc1 c7462400000000 } - $sequence_14 = { 0bc1 8d0440 c1e003 8b88c4380f00 85c9 } + $sequence_1 = { 0fb7c1 0bd0 0fb7c6 66c1c008 0fb7c8 8bc6 } + $sequence_2 = { e8???????? 488bf0 493bc4 0f84f3000000 } + $sequence_3 = { eb59 410fb74302 4c8bc7 ba0c000000 448bc8 } + $sequence_4 = { 4183f901 7507 410fb600 4403d0 410fb7c2 } + $sequence_5 = { b201 488bf1 895808 ff15???????? 448bc3 } + $sequence_6 = { 4533c9 44394854 7632 488d5014 } + $sequence_7 = { 410fb7c2 41c1ea10 66c1c008 0fb7d0 } + $sequence_8 = { 8a4500 32c2 884500 45 4b } + $sequence_9 = { 7438 50 e8???????? e8???????? } + $sequence_10 = { e8???????? 8d83b9010000 6880000000 50 } + $sequence_11 = { 56 85c0 7421 8b701c } + $sequence_12 = { 8bf8 85ff 7538 e8???????? } + $sequence_13 = { c6420406 66c7020001 c6420504 66c742020800 894a18 } + $sequence_14 = { f7d1 23c1 8bd0 8bc8 c1ea02 } condition: 7 of them and filesize < 3475456 
@@ -87762,36 +87755,36 @@ rule MALPEDIA_Win_Exaramel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d8ef319-a5df-534f-b138-19485cbaf19b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4bb5336f-6cf5-5598-9713-11e463e3be93" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.exaramel_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.exaramel_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "0034b5ba03392faf6ba4ea9ba70e440d6025311290e39d869c6ea3fe5bf2d84b" + logic_hash = "4a61478d220d51d8955dd61c5e527940bd70efb0e8e883ccfdf3ca9c3103ecf6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7539 a3???????? c705????????01000000 ff15???????? 8b35???????? 68???????? } - $sequence_1 = { be05400080 e9???????? 8d8528f8ffff 57 50 } - $sequence_2 = { ff15???????? 85c0 746d 53 57 ff75fc 8b3d???????? } - $sequence_3 = { 8b1d???????? 660f1f440000 8b0d???????? 8d85e4fbffff 6aff 6a00 } - $sequence_4 = { 742b 8b01 8d55f8 52 51 8b4068 ffd0 } - $sequence_5 = { e8???????? c70021000000 e9???????? 894ddc c745e068a54100 e9???????? 
c745e064a54100 } - $sequence_6 = { c1f806 6bc930 8b048560dd4100 f644082801 7406 8b440818 5d } - $sequence_7 = { 744e 85f6 7504 33c0 eb18 56 6a00 } - $sequence_8 = { 57 e8???????? 8bf0 83c428 85f6 0f881c010000 } - $sequence_9 = { 33c0 668945e8 8b45d4 886de5 8b148560dd4100 } + $sequence_0 = { 83c404 85c0 7411 8d85ecfbffff 50 e8???????? 83c404 } + $sequence_1 = { 6685c0 0f8493000000 0fb7c0 83f876 0f8787000000 0fb680b04b4000 ff2485744b4000 } + $sequence_2 = { b857000780 5b 8be5 5d c3 8d4df0 c745e801000000 } + $sequence_3 = { 0f85ac180000 8d0d20a34100 ba1b000000 e9???????? a900000080 7517 ebd4 } + $sequence_4 = { 85c0 0f44ca 8bc1 8b4dfc 33cd 5e e8???????? } + $sequence_5 = { 8bf0 8b450c 85c0 7428 85db 7431 85ff } + $sequence_6 = { 83c410 c785b4f5ffff0c000000 8d85b4f5ffff c785b8f5ffff00000000 } + $sequence_7 = { 57 6a00 e8???????? 3d0e000780 74df 85c0 7950 } + $sequence_8 = { 6a00 8d85ecfdffff 50 ff770c e8???????? 83c404 50 } + $sequence_9 = { 837e1800 7416 6a04 8d4d08 c7450800330000 51 6a1f } condition: 7 of them and filesize < 294912 
@@ -87801,42 +87794,42 @@ rule MALPEDIA_Win_Neddnloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "852b40fe-2e5d-50aa-b642-537ac76dade8" - date = "2026-01-05" - modified = "2026-01-06" + id = "6207542e-4fa7-556c-9586-03bf1612adfb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.neddnloader_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.neddnloader_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "f033318b8bebdad1df405535c03ee01ef3d70d6b1b4f8bc82d01aaedd0dfc4d8" + logic_hash = "e340f7178c887aaf79b928e388602b49d7327ca73149e06abdddfe4d4128d099" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 ff15???????? 8b4df8 56 3bc8 } - $sequence_1 = { 8d43ff 3bc8 7311 0fb702 0fb731 663bc6 } - $sequence_2 = { 8b03 8b5508 69c0b179379e c1e813 33c9 } - $sequence_3 = { 0fb731 663bc6 7506 83c102 83c202 } - $sequence_4 = { 83c204 3bcf 72f0 8d43ff 3bc8 7311 } - $sequence_5 = { eb02 0008 8b45f8 83c0f4 } - $sequence_6 = { 57 e8???????? 2b5d10 83c40c } - $sequence_7 = { 8d84241c040000 50 68???????? b900230400 } - $sequence_8 = { 4133bc8e803c0100 4133bc8680480100 418bc0 41337d20 c1e808 0fb6d0 418bc1 } - $sequence_9 = { 488d0587930000 483bc8 7405 e8???????? 
bf0d000000 } - $sequence_10 = { 4533948480590100 458b848c804d0100 410fb6c1 4533848480510100 45335538 410fb6c3 4533848480550100 } - $sequence_11 = { 440fb68c29804c0100 c1e810 0fb6c8 41c1e108 0fb68429804c0100 4433c8 } - $sequence_12 = { 410fb6c2 41339c8480440100 45337508 410fb6c3 41339c8480400100 } - $sequence_13 = { 4433c0 400fb6c7 420fb68420803b0100 41c1e008 } - $sequence_14 = { 4883ec28 4c8bc1 4c8d0df20effff 498bc9 e8???????? } - $sequence_15 = { 0f94c0 8944244c 488d05caef0000 4a8b14e0 41837c175000 } + $sequence_0 = { e8???????? 2b5d10 83c40c 03df } + $sequence_1 = { 8bec 83e4f8 81ec10060000 a1???????? 33c4 } + $sequence_2 = { 8b450c 8908 ff15???????? 8bc7 } + $sequence_3 = { 0fb702 0fb731 663bc6 7506 83c102 83c202 3bcb } + $sequence_4 = { 3bcf 72f0 8d43ff 3bc8 7311 0fb702 0fb731 } + $sequence_5 = { ff15???????? 8b4df8 56 3bc8 } + $sequence_6 = { 8b03 8b5508 69c0b179379e c1e813 } + $sequence_7 = { 41 8bc1 2b45fc 5f 5e } + $sequence_8 = { 498bf8 488bea 4c8be1 85c0 7e57 448d68ff 488bf2 } + $sequence_9 = { 488bce e8???????? 3bc7 7554 } + $sequence_10 = { 4881ecc0080000 488b05???????? 4833c4 488985b0070000 488bf1 } + $sequence_11 = { 488905???????? ff15???????? 488bc8 ff15???????? 488d1510410000 488bce 488905???????? } + $sequence_12 = { 0f8c05010000 837c244c00 4c8b642450 0f84c5000000 488364242000 488d0599ee0000 } + $sequence_13 = { 894ff8 e8???????? eb49 8b4704 0307 } + $sequence_14 = { ba00010000 4889442420 e8???????? 4c8d45f0 ba00010000 488bcf } + $sequence_15 = { 418b848c80510100 4189849c90b00100 418b848c80550100 4189849c90ac0100 418b848c80590100 4189849c90b80100 4903dd } condition: 7 of them and filesize < 3438592 
@@ -87846,42 +87839,42 @@ rule MALPEDIA_Win_Atmii_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4bbbbf02-dbb5-50f9-89bd-68bafb7f61b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "c7c01191-50b0-5ad0-a009-fd7f964091d9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atmii_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atmii_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "de7adb20577b33d8a8506758d2e0ffbda74b46bc9a6446d600c84a3c6b3b34c4" + logic_hash = "3f4bd7b8fd71f185a58521e204b622591bcdf21f470e6208d0e56d3beec6c1c2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f6c302 740a 83481804 8a0a 884810 } - $sequence_1 = { eb60 68???????? eb55 68???????? 8d55ac 52 } - $sequence_2 = { 56 c745f800000000 ff15???????? 85c0 0f94c0 8845ff } - $sequence_3 = { 8d95dcfbffff 52 e8???????? 83c418 6a00 } - $sequence_4 = { 50 ffd3 8a5510 8985cdf9ffff 8b450c 50 } - $sequence_5 = { 750a 8b4dfc 8b5109 ffd2 eb02 33c0 } - $sequence_6 = { 8b55fc 0355f4 8a02 8801 ebdd 8be5 } - $sequence_7 = { 8d95fcf3ffff 52 e8???????? 83c42c } - $sequence_8 = { 8d45b8 50 68???????? 68b6000000 8d8df8fcffff 68???????? 51 } - $sequence_9 = { 6a00 6a02 ff15???????? 
8bf8 897dfc 83ffff 0f8456010000 } - $sequence_10 = { 8985c5f9ffff ffd7 50 ffd3 } - $sequence_11 = { 0f8419040000 53 57 6814020000 } - $sequence_12 = { 83c414 68???????? 50 68???????? 68???????? ffd7 8b4e10 } - $sequence_13 = { 8d45cc 50 eb14 68???????? 8d4dcc } - $sequence_14 = { 6a00 ff15???????? 50 ff15???????? 68???????? 68d5000000 } - $sequence_15 = { 8a8dfcfeffff 8a95fefeffff 8a8500ffffff 57 } + $sequence_0 = { 57 8b3d???????? 884dfc 8d4dfc 51 68???????? } + $sequence_1 = { be???????? 8bf8 e8???????? ffd3 } + $sequence_2 = { ff15???????? 8bf0 68???????? 85f6 0f84c8000000 6879020000 } + $sequence_3 = { 8b55f8 52 68???????? 68a0000000 } + $sequence_4 = { 8d56e0 83fa03 0f879b000000 ff249500160010 807df900 8a4dfa 740c } + $sequence_5 = { 51 e8???????? 8b5608 8b3d???????? 83c414 } + $sequence_6 = { 760c 2bca 83c104 f7d1 894ded eb08 } + $sequence_7 = { 5e 8be5 5d c3 33c0 8945dd } + $sequence_8 = { 68bd000000 8d95dcfbffff 68???????? 52 } + $sequence_9 = { 68a8000000 8d85dcfbffff 68???????? 50 ffd7 } + $sequence_10 = { 85c0 7539 68???????? 6882000000 8d8ddcfbffff 68???????? 51 } + $sequence_11 = { 83c410 8d9d00feffff e8???????? e8???????? 66a3???????? } + $sequence_12 = { 51 ffd7 85c0 750a 6a01 e8???????? } + $sequence_13 = { 752e ff15???????? 50 68???????? 688a000000 8d8ddcfbffff } + $sequence_14 = { 51 6a00 68???????? 68???????? ffd6 8b35???????? 8d95fcfeffff } + $sequence_15 = { 68???????? 8d45cc 50 eb4e 68???????? 8d4dcc } condition: 7 of them and filesize < 49152 
@@ -87891,36 +87884,36 @@ rule MALPEDIA_Win_Crypto_Fortress_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57f6010b-f9b8-526f-94e4-905e1c039cff" - date = "2026-01-05" - modified = "2026-01-06" + id = "0bf71c54-09bb-59cb-b039-4d083a85e348" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crypto_fortress_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crypto_fortress_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "260674d34cb12cfd5de2f1a83904a3f49c27965fc58fd434a5b27b625cba2777" + logic_hash = "934226d21b9dd2b35a75e329b03dc3c961c618ff4cd147cc2b841d3179b65de1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 045a aa 2cff aa 2cf9 } - $sequence_1 = { 0433 aa 04fc aa 3411 } - $sequence_2 = { aa 345e aa 04af aa 2cfb aa } - $sequence_3 = { aa 040f aa 2c0f } - $sequence_4 = { aa 341b aa 2c01 } - $sequence_5 = { 894304 83c308 8345fc08 c78548ffffff9c000000 } - $sequence_6 = { 2c00 aa 0411 aa 2c51 aa 3421 } - $sequence_7 = { 2cee aa 2c01 aa 04f1 } - $sequence_8 = { 85c0 0f84d0000000 68???????? 8d85eafeffff 50 } - $sequence_9 = { 8bec 83c4f8 53 ff35???????? e8???????? 
6bc004 } + $sequence_0 = { eb04 03f1 8bff 83c601 } + $sequence_1 = { 3400 aa 3412 aa } + $sequence_2 = { 75a9 a1???????? a3???????? a1???????? a3???????? 68???????? } + $sequence_3 = { 0bc0 7402 eb39 6a00 8d45ac 50 } + $sequence_4 = { 8bec 81c4a4feffff ff35???????? e8???????? 8985b4feffff ff35???????? e8???????? } + $sequence_5 = { 33c0 0442 aa 2ce1 aa 2ce7 aa } + $sequence_6 = { aa 3418 aa 3404 aa 2c53 aa } + $sequence_7 = { 2cf1 aa 04f9 aa 3447 aa } + $sequence_8 = { aa 3417 aa 3422 aa } + $sequence_9 = { b832000000 8bc8 6a00 8d45f8 50 51 68???????? } condition: 7 of them and filesize < 188416 
@@ -87930,36 +87923,36 @@ rule MALPEDIA_Win_Diavol_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bc879f2f-8309-5494-be6c-2895dcf861fb" - date = "2026-01-05" - modified = "2026-01-06" + id = "936a4690-5ac9-5d21-8c9a-c174a994fda8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.diavol_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.diavol_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "46d9c76f218871fb04ea7d4fbbcd65e671198d70df944c765e3f433c4820310f" + logic_hash = "f414827922dc06560fc654a73eb6ea532dca397435e7db6cd02490afaef2402f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8be5 5d c3 8d85c8fbffff 50 56 c785c8fbffff2c020000 } - $sequence_1 = { 3bc3 72d8 8d8da0fdffff 68???????? 51 68???????? 8bd1 } - $sequence_2 = { 83f8ff 752c 6a02 53 ff15???????? 53 ff15???????? } - $sequence_3 = { 8d740004 56 e8???????? 83c404 56 8d95f8fdffff } - $sequence_4 = { 0f84d4000000 6800040000 8d95f8f9ffff 6a00 52 } - $sequence_5 = { 668b08 83c002 6685c9 75f5 8dbdf4efffff 2bc2 83c7fe } - $sequence_6 = { 56 ff15???????? 57 e8???????? a1???????? 
8b4dd0 8d1448 } - $sequence_7 = { 8b8d38c2ffff 8d953cc2ffff 52 8d8540c2ffff 6a00 50 } - $sequence_8 = { 8be5 5d c3 8d8405c0fbffff } - $sequence_9 = { 8be5 5d c3 b902000000 6a50 } + $sequence_0 = { 6a01 6a02 ff15???????? 8bf0 83feff 0f849f010000 33c0 } + $sequence_1 = { 56 33db 8bf1 8d95f8efffff 57 899d30c2ffff 899d34c2ffff } + $sequence_2 = { 7412 66837dfc2a 7431 663bca 7535 83c002 } + $sequence_3 = { 83c404 84c0 0f84d3000000 6800040000 8d95f8f9ffff 6a00 52 } + $sequence_4 = { 66890c45f0114100 40 ebe8 33c0 8945e4 3d01010000 7d0d } + $sequence_5 = { 8bd0 8d9b00000000 668b08 83c002 6685c9 75f5 8dbdf4efffff } + $sequence_6 = { 8a8004064100 08443b1d 0fb64601 47 3bf8 76ea } + $sequence_7 = { 57 33ff ffb7500d4100 ff15???????? } + $sequence_8 = { c785fcefffff00000000 e8???????? 6800020000 8d85a0fdffff 6a00 } + $sequence_9 = { 83c702 6685c0 75f4 a1???????? 8d8df4efffff } condition: 7 of them and filesize < 191488 
@@ -87969,36 +87962,36 @@ rule MALPEDIA_Win_Heriplor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fea80a8c-f479-5ce5-81b4-e326d3255abd" - date = "2026-01-05" - modified = "2026-01-06" + id = "5b7552ce-0a6f-5554-8e1c-028e75b3f89f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.heriplor_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.heriplor_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "bcabe5553c3788da5ec383050fc0580bed7efb49f5fdd5cfd8664f6ebd97276a" + logic_hash = "501dc12c7a297f3034e338c58303b8ac0fb2fa1dc9945a230d7fb4c7cdc4af1d" score = 75 - quality = 73 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 84c9 740d 80c960 01cb } - $sequence_1 = { 56 57 33c9 648b4130 8b400c } - $sequence_2 = { 7420 46 46 46 46 } - $sequence_3 = { 8a08 84c9 740d 80c960 } - $sequence_4 = { 8b0491 01f8 5f 5e 89ec 5d c20800 } - $sequence_5 = { 43 ebe6 33d2 668b13 } - $sequence_6 = { 3b5d0c 7401 40 5b 59 89ec 5d } - $sequence_7 = { 5d c20c00 55 89e5 56 57 33c9 } - $sequence_8 = { 01fb 8b32 01fe 6a01 ff750c 56 e8???????? } - $sequence_9 = { 43 ebe6 33d2 668b13 8b0491 01f8 } + $sequence_0 = { 89d1 ebe8 8b7918 8b5f3c } + $sequence_1 = { 01fb 8b32 01fe 6a01 ff750c 56 e8???????? 
} + $sequence_2 = { 8b480c 8b11 8b4130 6a02 ff7508 } + $sequence_3 = { 89ec 5d c20c00 55 89e5 56 } + $sequence_4 = { 89e5 51 53 33db 33c9 } + $sequence_5 = { 01f8 5f 5e 89ec 5d } + $sequence_6 = { 33d2 668b13 8b0491 01f8 5f 5e 89ec } + $sequence_7 = { 5b 59 89ec 5d c20c00 55 89e5 } + $sequence_8 = { 46 8b06 50 46 } + $sequence_9 = { 33db 33c9 8b4508 8a08 } condition: 7 of them and filesize < 49152 
@@ -88008,36 +88001,36 @@ rule MALPEDIA_Win_Equationdrug_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0821a935-fb15-5c3e-bb02-07988e07b501" - date = "2026-01-05" - modified = "2026-01-06" + id = "0721b2fc-701d-52cd-abad-d5844208c546" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.equationdrug_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.equationdrug_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "33511eccd2ca8c4746b8fc7fbb9655df57173691c00d0c7d16e68bf416563316" + logic_hash = "ac135b29af3e337ca0b87d472ac1a1e3e59a03d5184d29a05b687a75ae011152" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 751f 668b5c241c 66395c240c 7420 8d4c240c 46 51 } - $sequence_1 = { 8b4604 50 e8???????? 8b542430 8b4c2434 83c404 8d048a } - $sequence_2 = { 50 e8???????? 83c404 84c0 7507 b812060000 5e } - $sequence_3 = { 89742468 e8???????? 6a40 899c24bc030000 e8???????? 83c404 89442440 } - $sequence_4 = { 8b4618 50 8944240c e8???????? 33ff 897e18 897e1c } - $sequence_5 = { 8bc5 5e 5d 5b 81c498000000 c3 5f } - $sequence_6 = { 0f8578010000 8b9424f8000000 83c9ff 8bfa f2ae f7d1 51 } - $sequence_7 = { 85c0 66a5 7409 50 e8???????? 
83c404 8b4c2418 } - $sequence_8 = { 5f 8930 5e 8919 5d 33c0 5b } - $sequence_9 = { 8b4c2414 83c408 897e08 897e0c 897e10 5f 5e } + $sequence_0 = { e8???????? 8b4c242c 51 e8???????? 83c404 b805030000 5f } + $sequence_1 = { 8b442464 8b6c246c 03f8 66897c2410 33ff 6685db 7679 } + $sequence_2 = { 895c242c 895c2430 c7442474ffffffff e8???????? b807080000 e9???????? 33ff } + $sequence_3 = { 8b6c2430 668b442434 8bd3 893a 896a04 66894208 83c60a } + $sequence_4 = { 83c434 c3 8b4514 8b08 33c0 8bd1 c1e902 } + $sequence_5 = { 8b4c2410 890f 83c704 3bf8 75f3 83460804 8b4500 } + $sequence_6 = { b800060000 5b 8b4c2468 64890d00000000 83c474 c3 8b9c2488000000 } + $sequence_7 = { 03fb 81c300400000 f3a5 42 33f6 eba9 } + $sequence_8 = { 51 6880000000 8d94248c000000 6a01 52 e8???????? 83c410 } + $sequence_9 = { 51 8944241c 89542424 89742428 8944242c 89542434 89742438 } condition: 7 of them and filesize < 449536 
@@ -88047,36 +88040,36 @@ rule MALPEDIA_Win_Stop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bc295ac7-db91-5568-b9e1-1d450db9b984" - date = "2026-01-05" - modified = "2026-01-06" + id = "19fcbb12-1368-567e-ae10-99dcbc872822" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stop_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stop_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "22c4b0b970b8ce1325818e94329339f1bb669a97f8cb3590d85b78790ea24a40" + logic_hash = "81145df38222bcc873b693284f9b01f90413c83d07de8d3608b91e7d8227a090" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ff15???????? 8bf8 85ff 790f } - $sequence_1 = { ff15???????? 8bf8 85ff 790f } - $sequence_2 = { 51 dd1c24 e8???????? dc4de0 } - $sequence_3 = { 56 6a00 ff7508 68???????? 6a00 } - $sequence_4 = { 33c9 eb14 8bce 8d5902 668b01 83c102 6685c0 } - $sequence_5 = { 33c9 eb14 8bce 8d5902 } - $sequence_6 = { ffd6 85c0 75e2 5f } - $sequence_7 = { 68f4010000 57 ff15???????? 57 } - $sequence_8 = { 50 ffd6 85c0 75e8 6a0a ff7304 } - $sequence_9 = { ff7508 ffd0 5d c3 8b0d???????? 33d2 } + $sequence_0 = { 8bd9 6a00 6a12 ff33 ff15???????? 8b35???????? 8b3d???????? 
} + $sequence_1 = { 33c9 eb14 8bce 8d5902 668b01 83c102 6685c0 } + $sequence_2 = { 8bf1 56 6a00 ff7508 68???????? } + $sequence_3 = { 8bf1 56 6a00 ff7508 } + $sequence_4 = { 50 ffd7 6a01 6a00 6a00 6a00 8d45e0 } + $sequence_5 = { 53 56 57 6a00 8bd9 6a00 6a12 } + $sequence_6 = { 50 ffd6 85c0 75e2 6a64 ff15???????? } + $sequence_7 = { ffd6 85c0 75e8 6a0a ff7304 ff15???????? } + $sequence_8 = { ff7508 ffd0 5d c3 8b0d???????? 33d2 85c9 } + $sequence_9 = { 85c0 75e2 6a64 ff15???????? } condition: 7 of them and filesize < 6029312 
@@ -88086,36 +88079,36 @@ rule MALPEDIA_Win_Scanpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea54b41f-0e3e-59d0-9d34-b01116c8bd16" - date = "2026-01-05" - modified = "2026-01-06" + id = "a07580f7-6389-576a-9ad5-d1314027d856" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scanpos_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scanpos_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "d918dbccd253554c0b76ec27fc4d9c167e1c0563dfe60b916ccc540524fa3716" + logic_hash = "ae113e4d2b6ca887756ce272eb047ffee74bc1434e90d6f9f5a07797154efaa7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 64a300000000 8b4508 33d2 c745e80f000000 8955e4 } - $sequence_1 = { 3ad3 75f9 2bc1 8bd0 } - $sequence_2 = { e8???????? 83c404 8b0d???????? 8939 8b15???????? 893a } - $sequence_3 = { 8d85e8feffff 50 51 68???????? 68???????? e8???????? 83c40c } - $sequence_4 = { 53 52 ffd0 3bc3 7508 3bd7 } - $sequence_5 = { e9???????? 8db5acfeffff e9???????? 8b542408 8d420c 8b8a8cfeffff 33c8 } - $sequence_6 = { e8???????? 03c8 8b4608 2bc2 3bc8 } - $sequence_7 = { 50 8d45f4 64a300000000 8b4508 8918 8b0b } - $sequence_8 = { 3bfb 0f82b9fdffff 837de810 720c 8b4dd4 } - $sequence_9 = { 6aff 68???????? 
53 ff15???????? 85c0 0f95c3 837dcc10 } + $sequence_0 = { e8???????? 83c404 84db 0f85c1010000 8d75d4 b8???????? } + $sequence_1 = { 754b 8b74183c 3bf7 7443 8b16 } + $sequence_2 = { 40 84c9 75f9 2bc2 8bf8 8d759c } + $sequence_3 = { b8???????? e8???????? 83781000 bf10000000 0f94c3 397de8 720c } + $sequence_4 = { 0f85ef000000 b208 8d642400 0fbec2 8a0c38 03c7 80f939 } + $sequence_5 = { 834de804 837de800 0f85bf000000 837f1410 720a 8b07 eb08 } + $sequence_6 = { 8b74183c 3bf7 7443 8b16 8b4204 f644300c06 7517 } + $sequence_7 = { 68???????? 8d4df4 51 c745f430124100 } + $sequence_8 = { ff15???????? 8b7508 c7465c682a4100 83660800 33ff } + $sequence_9 = { 83c004 57 e8???????? a1???????? 50 } condition: 7 of them and filesize < 229376 
@@ -88125,36 +88118,36 @@ rule MALPEDIA_Elf_Blackcat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "73330468-751f-50b4-b552-0b9e2c8419d0" - date = "2026-01-05" - modified = "2026-01-06" + id = "aabcd8c5-8385-5fd6-b97f-556ef52ad420" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.blackcat_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.blackcat_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "ed5b892df40ee57ffa43026084cc0b81998de922d2939024f186c2c4f53be22e" + logic_hash = "b092fb2f5a763714b3ef2495a2697292d94b1242ea04ffa85c7ac727889fea63" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7227 b803000000 81fa???????? 721a } - $sequence_1 = { b903000000 81fa???????? 721a b904000000 81fa???????? 720d } - $sequence_2 = { 08d9 80f901 750e 84c0 } - $sequence_3 = { 83f801 0f95c0 20c8 0fb6e8 } - $sequence_4 = { 721a b904000000 81fa???????? 720d } - $sequence_5 = { e8???????? 0f0b 90 90 90 55 53 } - $sequence_6 = { e8???????? 0f0b 90 90 90 90 53 } - $sequence_7 = { 5d c3 e8???????? 0f0b 90 90 90 } - $sequence_8 = { 762a 0fb6c8 8d1489 8d0cd1 c1e90c 6bd164 } - $sequence_9 = { 7227 b803000000 81fa???????? 721a b804000000 81fa???????? 
} + $sequence_0 = { 721a b904000000 81fa???????? 720d b905000000 } + $sequence_1 = { 80d3ff 660f2ec8 19ed 660f2ec1 0fb6db 0f43dd 80fbff } + $sequence_2 = { 83f801 0f95c0 20c8 0fb6e8 } + $sequence_3 = { 7227 b803000000 81f9???????? 721a } + $sequence_4 = { 5b c3 0f0b 0f0b } + $sequence_5 = { 81fa???????? 721a b804000000 81fa???????? 720d } + $sequence_6 = { b802000000 81f9???????? 7227 b803000000 81f9???????? 721a b804000000 } + $sequence_7 = { 80f965 7510 31c9 31c0 } + $sequence_8 = { b902000000 81fa???????? 7227 b903000000 81fa???????? 721a b904000000 } + $sequence_9 = { 0f0b 90 90 90 90 53 } condition: 7 of them and filesize < 8011776 
@@ -88164,36 +88157,36 @@ rule MALPEDIA_Win_Winordll64_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "42d58eb8-636f-5c90-824f-a4029c096b45" - date = "2026-01-05" - modified = "2026-01-06" + id = "85a7c90b-cdd3-5f4f-befe-1252fa6fd914" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winordll64" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.winordll64_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.winordll64_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "ff8a5b9c7eb1fcfe5982c5ada9af48d2cc2fd7ebb77ddf0083a9bd3e03ee5a02" + logic_hash = "49571426084a4d98e7d1e796255ad46d85f65b701f9bba4bc55b086909208471" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b55d0 488364242000 448bc1 4c8d4d48 498bcc ff15???????? 48635538 } - $sequence_1 = { 4c8d05c8c40000 498bd4 488bcd e8???????? 85c0 } - $sequence_2 = { 75f7 488bcf e8???????? 498b0c24 4585ed } - $sequence_3 = { 488bcf ff15???????? 85c0 0f8575ffffff 488bcf ff15???????? b8c0020000 } - $sequence_4 = { e8???????? 4c8d5c2430 4c895c2420 4c8d4c2438 41b807000000 488b442440 } - $sequence_5 = { be08780000 8bce e8???????? 488bf8 4885c0 0f8422010000 48ffce } - $sequence_6 = { 488d5547 488d4def 4c895d47 e8???????? 
4c8d1d9b4a0000 488d150c640000 488d4def } - $sequence_7 = { 48ffc1 483bca 72f0 458bc7 } - $sequence_8 = { 418800 49ffc0 49ffc3 41d1ea 418b03 488b6c2450 be00000080 } - $sequence_9 = { 488d542458 488d4c2428 e8???????? 4c8d1d12e50000 4c895c2428 } + $sequence_0 = { 4883c002 663910 75f5 894dc8 488d45a8 483bc3 } + $sequence_1 = { 488d8b28010000 e8???????? 48ffcf c6841f2e03000000 75f3 33d2 8bce } + $sequence_2 = { ba38020000 8bc2 48ffc8 885c05d0 75f7 8955d0 488d55d0 } + $sequence_3 = { c3 48895c2408 57 4883ec20 488d1d23ef0000 } + $sequence_4 = { ff15???????? 41894500 488b36 4885f6 7411 49ffc4 4983c504 } + $sequence_5 = { 488bf0 33d2 41be38070000 8a4c1470 880c32 48ffc2 493bd6 } + $sequence_6 = { 8a840e98010000 88040f 48ffc1 4883f906 72ed 488d8ec0010000 ff15???????? } + $sequence_7 = { 48f7e9 48d1fa 488bc2 48c1e83f 4803d0 483bd7 0f83ad000000 } + $sequence_8 = { 488bc8 ff15???????? 85c0 0f8582000000 4533f6 4533e4 443923 } + $sequence_9 = { 482bc6 c64405e000 75f6 488b55d0 488364242000 448bc1 } condition: 7 of them and filesize < 278528 
@@ -88203,75 +88196,114 @@ rule MALPEDIA_Win_Collection_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ee99e95c-7900-562e-8613-68183d72bbe0" - date = "2026-01-05" - modified = "2026-01-06" + id = "3a95bb6f-1973-5327-bcff-7f611fa8bd27" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.collection_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.collection_rat_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.collection_rat_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "4a525a556c647435c47597aca6c93f4c0c1ae69ffb1c4982506b53b4f472dc0c" + logic_hash = "d6d9696aaec03ca27d8f9c1fa7ae17c4465b1b2f11b092959d6ff31d64c8bbee" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4885d2 740b 41b001 488bce e8???????? e8???????? } - $sequence_1 = { 8d7e78 448bc3 8bd7 e8???????? 448bce 4c8d442440 8d5601 } - $sequence_2 = { 488bce e8???????? e8???????? 488bc8 baa3000000 e8???????? 488b8f80000000 } - $sequence_3 = { bf18000000 448bc7 33d2 488d8c24a8000000 e8???????? 89bc24a8000000 c78424b800000001000000 } - $sequence_4 = { 410fb7cc eb4a 80f92b 7507 b93e000000 eb3e } - $sequence_5 = { e8???????? eb27 488b5950 e8???????? 488bc8 ba98000000 e8???????? 
} - $sequence_6 = { c3 418bc4 ebdc 4885d2 0f84aa020000 48895c2408 57 } - $sequence_7 = { 488b4c2470 e8???????? eb14 89442420 4533c9 4533c0 } - $sequence_8 = { 4183e801 7429 4183e801 741e 4183e801 740f 4183f801 } - $sequence_9 = { 4883ec20 4c8b7150 488bd9 b900100000 } + $sequence_0 = { 4c8d05d12b0200 ba00100000 e8???????? b90a000000 } + $sequence_1 = { 488d4c2420 448bc5 33d2 e8???????? 448bc5 488d8c2430010000 33d2 } + $sequence_2 = { 7431 4885c0 742c 4d85c9 7427 4d8bc1 488d4c2420 } + $sequence_3 = { 8bda e8???????? 84c0 757d 4c8d0550820100 418bd7 488bcd } + $sequence_4 = { 48898620020000 0fb7c0 66f3ab 488d3df04f0100 482bfe } + $sequence_5 = { 0f84f5000000 4183e801 0f84d2000000 4183e801 0f84af000000 4183e801 0f848c000000 } + $sequence_6 = { 0f8469030000 498b8e90000000 488b4918 e8???????? 8bf8 8d5678 498b8690000000 } + $sequence_7 = { 0f84b1010000 448bc2 488bd1 488d4c2468 e8???????? 90 8d5f68 } + $sequence_8 = { 66c7451c0005 895d10 895d18 48895d20 8d5357 8d4b01 448d4351 } + $sequence_9 = { 4889442420 4d8b4908 488b4910 e8???????? 488b0d???????? 
488b5108 488b4a30 } condition: 7 of them and filesize < 397312 } +rule MALPEDIA_Win_Pixynet_Loader_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "1c64e489-8422-5e96-b81c-abb48a680769" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pixynet_loader" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pixynet_loader_auto.yar#L1-L117" + license_url = "N/A" + logic_hash = "ddc6d79927cfc6257bfd40e5990ebfc62fb7e5f2795c7c38f2f5e8ab1db4a85b" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 4c8d0d14ea0700 4183e23f 4f8d04d2 498b04c1 } + $sequence_1 = { 488d15fcf90700 488b45d0 48c1e820 85c0 } + $sequence_2 = { 4883ec20 488d1deb570100 488d3de4570100 eb12 488b03 4885c0 7406 } + $sequence_3 = { 4c89642420 448bc6 498bd7 498bce ff15???????? } + $sequence_4 = { 488bd7 4c8d054ff50700 83e23f 488bcf 48c1f906 488d14d2 } + $sequence_5 = { ff15???????? 85db 0f94c0 488b5c2470 488b742478 4883c460 5f } + $sequence_6 = { 418bf0 4c8d0d37dc0000 8bda 4c8d0526dc0000 488bf9 } + $sequence_7 = { 84c9 752f 488d1d5b2e0800 488b0b 4885c9 } + $sequence_8 = { 488d4dc0 458d442447 33d2 0f1145c0 } + $sequence_9 = { ff15???????? 
85c0 0f95c0 eb11 33d2 41b800800000 } + + condition: + 7 of them and filesize < 1183744 +} rule MALPEDIA_Win_Dyepack_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "07deca3f-25ed-51d0-81b9-2a80bfd3fbb4" - date = "2026-01-05" - modified = "2026-01-06" + id = "acf82d63-472c-5242-bd0c-561547d60a01" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dyepack_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dyepack_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "c761a43cdd5c317a044dbb40e0c85464d14b22fce932fc8ee9b2120e24aa5b64" + logic_hash = "fa6e2a0b34a7272334d33b71c7ab1f13da42abbb066a8be79909ca171b6c4d86" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb04 8b4c2410 2bcd 1bc7 7815 } - $sequence_1 = { b814100000 e8???????? 53 56 57 33db b9ff030000 } - $sequence_2 = { 3bcb 765a eb04 8b4c2410 2bcd } - $sequence_3 = { 56 ff15???????? 8d442410 895c2410 50 56 } - $sequence_4 = { ff15???????? 56 ff15???????? 8d442410 895c2410 } - $sequence_5 = { 53 51 e8???????? 83c408 5d 5f } - $sequence_6 = { 53 aa 8b842434100000 53 6800000040 50 ff15???????? 
} - $sequence_7 = { 13fb 3bf8 7cb2 7f08 8b4c2410 3be9 } - $sequence_8 = { 53 56 ffd7 8b442414 8b4c2410 33ed 33ff } - $sequence_9 = { 7815 7f08 81f900100000 760b b900100000 895c2420 } + $sequence_0 = { 8b842434100000 53 6800000040 50 ff15???????? 8bf0 } + $sequence_1 = { ff15???????? 56 ff15???????? 8b8c2428100000 53 } + $sequence_2 = { 3be9 72ac 56 ff15???????? 56 ff15???????? 8b8c2428100000 } + $sequence_3 = { 8b442414 13fb 3bf8 7cb2 7f08 } + $sequence_4 = { 53 53 53 56 ffd7 8b442414 } + $sequence_5 = { b9ff030000 33c0 8d7c2421 885c2420 } + $sequence_6 = { 53 51 8d54242c 6a01 52 56 ff15???????? } + $sequence_7 = { 7cb2 7f08 8b4c2410 3be9 72ac 56 ff15???????? } + $sequence_8 = { 8d4c2418 53 51 8d54242c 6a01 52 56 } + $sequence_9 = { 53 52 8d44242c 51 } condition: 7 of them and filesize < 212992 
@@ -88281,36 +88313,36 @@ rule MALPEDIA_Win_Manjusaka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "51e0b6e1-e568-5f67-9420-ee9d6d4c7f64" - date = "2026-01-05" - modified = "2026-01-06" + id = "99e97e96-c1f4-5f8c-921c-ea1c667365b3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.manjusaka_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.manjusaka_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "29c4c663bca03e2a4622112f8201d75001eddf5ba4fdd44c2a396a51b4263dae" + logic_hash = "d8cae82d339b95840df9e2ce574a6b8a1874ec3caad45b349183588726f1dd67" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b4110 4885c0 0f8482000000 488b31 486bf870 31db 48837c1e0800 } - $sequence_1 = { 8be9 2bef 4803fa 399c2490000000 7417 498b4d70 e8???????? } - $sequence_2 = { f048ff08 750d 488d8c2438010000 e8???????? 80bc24c801000002 740d 488d8c2440010000 } - $sequence_3 = { 85c0 750e b9667b0200 e8???????? 8bc8 ebe2 488b4b18 } - $sequence_4 = { ba08000000 e8???????? 0f0b 488d4134 c3 488d4135 c3 } - $sequence_5 = { 81fa00fc0000 7323 66c741100100 6644894112 48c1e010 4883c801 c3 } + $sequence_0 = { b802000000 f0490fb10e 488d4c2428 e8???????? 
90 4883c448 5b } + $sequence_1 = { 84c0 745a 488b4f70 4c8bc7 488b17 4883c108 e8???????? } + $sequence_2 = { e9???????? 488b8c24e8030000 488b9424d8030000 e8???????? 488b442448 4c8ba858010000 488bb060010000 } + $sequence_3 = { 84c0 410f95c1 488d5c2428 4889d9 4c89ea 41b812000000 e8???????? } + $sequence_4 = { 7204 4d8b40f8 488b0d???????? 31d2 e8???????? 488b4b58 488b4360 } + $sequence_5 = { eb0f b9741a0100 e9???????? 4a8b5cfd60 0fb74318 0fb64b0c 03c2 } $sequence_6 = { e8???????? 4885d2 7415 4c39e8 7509 4c39e2 0f846a010000 } - $sequence_7 = { 8a8c0ca2000000 41300c2f 488d4d01 4889cd 4939cc 75b8 488b442440 } - $sequence_8 = { f048ff00 0f8e64050000 4889c7 b930000000 ba08000000 e8???????? 4885c0 } - $sequence_9 = { 8806 4883c440 5e c3 4889d1 4c89c2 4d89c8 } + $sequence_7 = { 8bf0 8b5b54 23de 83fb11 0f8520010000 418bc7 4503fd } + $sequence_8 = { 84db 7805 49ffc4 eb6e 89d9 83e11f 410fb6742401 } + $sequence_9 = { fec0 884322 e9???????? 8d4d01 48897308 894b28 488bc7 } condition: 7 of them and filesize < 4772864 
@@ -88320,36 +88352,36 @@ rule MALPEDIA_Win_Mortis_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f1dc50d3-c8e9-5fa8-9af5-7aac8f083303" - date = "2026-01-05" - modified = "2026-01-06" + id = "dbe687bf-0b72-53ae-b169-e120ce0111c3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortis" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mortis_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mortis_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "0e2f339d3dda0007a7d364688897ee3fa718ccca078261699c7cc12487f6f0da" + logic_hash = "34f4bf3937ac9feb2a5a10e1f9edc6ce460181f96ee77ab2ff794db89a8aa306" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6bcf38 030c95201f4400 f6412d01 7428 e8???????? c70016000000 e8???????? } - $sequence_1 = { 68???????? 51 50 51 ffb54cfdffff 8d4d98 e8???????? } - $sequence_2 = { 8d1476 c1e204 8d0476 57 03d7 8d0cc7 e8???????? } - $sequence_3 = { 8d8d40feffff 6a00 034804 33c0 394138 0f94c0 8d048502000000 } - $sequence_4 = { c645fc01 8d8da0fdffff 6a07 0f57c0 c785b0fdffff00000000 68???????? 0f1185a0fdffff } - $sequence_5 = { f20f591485d08c4300 660f5834c5e0944300 660f54c5 f20f5ce8 f20f58fa f20f10d8 f20f59c1 } - $sequence_6 = { 8b07 6a01 68???????? 
51 50 51 ffb54cfdffff } - $sequence_7 = { c60000 c645fc04 8b8d3cfdffff 83f910 722f 8b9528fdffff 41 } - $sequence_8 = { 7544 ba???????? b9???????? e8???????? 8bf0 ff15???????? } - $sequence_9 = { 68???????? 0f1185e8fdffff c785fcfdffff00000000 e8???????? c645fc05 8d8d00feffff 6a0a } + $sequence_0 = { c78560ffffff90044300 e8???????? 83c404 8b4df4 64890d00000000 59 5f } + $sequence_1 = { b8aaaaaa0a c1fa02 8bca c1e91f 03ca 2bc1 894dc8 } + $sequence_2 = { ffb54cfdffff 8d4d98 e8???????? be11000000 } + $sequence_3 = { 8b4004 c7443890fcc24300 8b06 8b5004 8d4290 89443a8c e8???????? } + $sequence_4 = { 5d c3 ba???????? eb05 ba???????? b9???????? e8???????? } + $sequence_5 = { 8bce e8???????? 8b460c 83b8a800000000 750e 8b04bd201f4400 } + $sequence_6 = { 8955d8 8bd9 8b03 33ff 895de4 } + $sequence_7 = { 83c404 8b7de4 3bf7 743c 90 837e0400 } + $sequence_8 = { 8bce e8???????? c645fc04 8b4dd0 83f910 722c 8b55bc } + $sequence_9 = { 8b4df0 8b0485201f4400 8a44012b 8b4d08 3c0a 7461 85db } condition: 7 of them and filesize < 577536 
@@ -88359,22 +88391,22 @@ rule MALPEDIA_Win_Neutrino_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "90362f91-7989-59b7-8491-41ee08cb7ec9" - date = "2026-01-05" - modified = "2026-01-06" + id = "c896f601-25c0-539b-9fd8-13c58148a230" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.neutrino_auto.yar#L1-L311" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.neutrino_auto.yar#L1-L333" license_url = "N/A" - logic_hash = "a2300db6491e65a144d0716ad0d9afc9f3b5ec715da52155c4f75ceb78588a52" + logic_hash = "ca2db4d3d9f11ca40a6c9db166a6cb6eef950f86892e32075b70b0777393e11e" score = 60 quality = 43 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -88382,35 +88414,37 @@ rule MALPEDIA_Win_Neutrino_Auto : FILE $sequence_0 = { ff15???????? c1e010 50 ff15???????? } $sequence_1 = { 50 6a0b 6a07 e8???????? } $sequence_2 = { 50 6a05 6a03 e8???????? } - $sequence_3 = { 0404 010404 0202 020402 } - $sequence_4 = { 50 6a00 6a00 ff15???????? 8b4dd8 } - $sequence_5 = { 010404 0202 020402 0404 0404 0404 } - $sequence_6 = { 8b4d0c 894dfc 8b55f4 0fbe02 85c0 7447 8b4df4 } - $sequence_7 = { e9???????? 6a01 ff15???????? 85c0 } - $sequence_8 = { 83c404 0fb6d0 83fa01 7531 8b45fc 83c001 8945fc } - $sequence_9 = { 51 8b5508 52 ff15???????? 83f8ff 7504 32c0 } - $sequence_10 = { 83c201 8955f4 ebaf 8b45f4 a3???????? 8b45f8 2b45f4 } - $sequence_11 = { 894d08 0fb6550c 83fa01 7509 8b4508 83c001 894508 } - $sequence_12 = { 6a00 ff15???????? 6880000000 ff15???????? } - $sequence_13 = { 0fbe02 8b4df8 0fbe11 3bc2 740b 8b45fc 83c001 } - $sequence_14 = { 8b55fc 0fbe02 85c0 750f 8b4d0c 894dfc 8b55f4 } - $sequence_15 = { 0f8440feffff 80fa05 7354 8b3b 0fb6f2 6a05 } - $sequence_16 = { f645fe20 740d 814a1804010000 8a03 884210 43 8ac3 } - $sequence_17 = { 32c0 c645ff00 895dec c645fb00 f3aa c645f810 } - $sequence_18 = { 807dfd05 eb12 807dfd04 c645fc03 0f879a000000 807dfd01 } - $sequence_19 = { 0f879a000000 807dfd01 0f8597000000 e9???????? 2d8c000000 747e 48 } - $sequence_20 = { 8b03 894210 83c304 eb13 f645fe20 740d 814a1804010000 } - $sequence_21 = { c3 8b4804 890e ff4808 897004 751e } - $sequence_22 = { 83c404 85c0 0f95c2 0fb6c2 } - $sequence_23 = { 55 8bec 81ecf80f0000 837d0800 } - $sequence_24 = { 8d85b8feffff 50 68???????? ff15???????? 8945fc } - $sequence_25 = { 83c40c 6804010000 8d85f8fdffff 50 } - $sequence_26 = { ff750c ff7508 ff15???????? 83f8ff 0f95c0 } - $sequence_27 = { 7522 be???????? ff15???????? 57 8906 ff15???????? 83c604 } - $sequence_28 = { 7507 68???????? eb05 68???????? 50 ff510c } - $sequence_29 = { 50 ff15???????? 837dfc00 0f95c0 c9 c3 } - $sequence_30 = { 7412 68???????? 50 ff15???????? 
f7d8 1bc0 40 } - $sequence_31 = { 50 ff15???????? 6a40 ff75f0 } + $sequence_3 = { 0404 0404 010404 0202 } + $sequence_4 = { 0fbe11 85d2 7502 eb02 ebb4 8b45f8 8945f4 } + $sequence_5 = { 51 8b5508 52 ff15???????? 83f8ff 7504 32c0 } + $sequence_6 = { 0fb608 51 e8???????? 83c404 0fb6d0 83fa01 7531 } + $sequence_7 = { 6a00 ff15???????? 6880000000 ff15???????? } + $sequence_8 = { 6a00 e8???????? 83c40c 0fb6c0 } + $sequence_9 = { 741b 8b55fc 0fbe02 8b4df8 0fbe11 3bc2 740b } + $sequence_10 = { 020402 0404 0404 0404 0404 0404 0403 } + $sequence_11 = { 894dfc 8b55f4 83c201 8955f4 ebaf 8b45f4 a3???????? } + $sequence_12 = { e9???????? 6a01 ff15???????? 85c0 } + $sequence_13 = { 85c0 7447 8b4df4 0fbe11 8b45fc 0fbe08 3bd1 } + $sequence_14 = { 837d0800 7408 8b4508 a3???????? 8b0d???????? 894df8 eb09 } + $sequence_15 = { 83fa01 7509 8b4508 83c001 894508 8b4dfc 3b4d14 } + $sequence_16 = { 0404 010404 0202 020402 0404 0404 } + $sequence_17 = { 83c120 81fae00f0000 76ea 8b0d???????? 8908 a3???????? 5f } + $sequence_18 = { 7521 6800020000 51 ff35???????? c7460480000000 ff15???????? } + $sequence_19 = { 740a 834a1804 8a03 884210 43 f645fe40 7411 } + $sequence_20 = { 43 f645fe40 7411 814a1810010000 8b03 894210 83c304 } + $sequence_21 = { 8b00 85c0 75f4 c3 8b4804 890e } + $sequence_22 = { 807dfd05 eb12 807dfd04 c645fc03 0f879a000000 807dfd01 } + $sequence_23 = { 834a1810 8b03 894210 83c304 f645fe04 7431 8b4218 } + $sequence_24 = { 0fb6f2 6a05 58 2bc6 8d1437 50 e8???????? } + $sequence_25 = { 83c404 85c0 0f95c2 0fb6c2 50 } + $sequence_26 = { 8d85b8feffff 50 68???????? ff15???????? 8945fc } + $sequence_27 = { 83c40c 6804010000 8d85f8fdffff 50 } + $sequence_28 = { ff15???????? 50 ff15???????? 837dfc00 0f95c0 c9 c3 } + $sequence_29 = { ff15???????? 85c0 7412 68???????? 50 ff15???????? f7d8 } + $sequence_30 = { 83c604 83c703 81fe???????? 7ce3 a1???????? } + $sequence_31 = { 57 33ff 393d???????? 7522 be???????? } + $sequence_32 = { be???????? ff15???????? 
57 8906 } + $sequence_33 = { ff7508 ff15???????? 83f8ff 0f95c0 5d } condition: 7 of them and filesize < 507904 
@@ -88420,36 +88454,36 @@ rule MALPEDIA_Win_Careto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57e5d9f7-b1a4-5fc9-9a67-0b8686d462cc" - date = "2026-01-05" - modified = "2026-01-06" + id = "df5d3b26-0b1d-526d-8e38-3fdbee514439" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.careto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.careto_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.careto_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "e5dc00dd8daf311387d91262fca293d89a75fa8c242ab0cc183af2043a20f18b" + logic_hash = "6e411afd17e211b09b6684a5fdb23e12a3c1d4b65ab99224fe62b7bee188b4df" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895104 47 ff15???????? eb58 8d45ec 50 8d45f4 } - $sequence_1 = { eb1e ff7508 8d8568fbffff 50 } - $sequence_2 = { 85c0 0f850e020000 57 6a40 59 889ddcfdffff 8dbdddfdffff } - $sequence_3 = { 8b4b04 56 8b7308 8bc1 03f2 3bf0 8945fc } - $sequence_4 = { ff55e0 3bc6 8945e4 740b 3dea000000 0f85fd000000 8b7df4 } - $sequence_5 = { 7584 85ff 7407 57 ff15???????? 33c0 40 } - $sequence_6 = { 8b3d???????? be???????? 7579 ffd7 } - $sequence_7 = { a0???????? c3 e8???????? 84c0 740c 833d????????05 } - $sequence_8 = { 81ecb8080000 53 8b5d08 68???????? 53 c745e8d4070000 e8???????? 
} - $sequence_9 = { 7416 48 740c 83e804 754a 68???????? } + $sequence_0 = { ff55f4 8bf0 83feff 0f849b000000 } + $sequence_1 = { 395d6c 0f84aa000000 56 33f6 395d6c 0f869d000000 53 } + $sequence_2 = { c21400 ff7560 eb01 57 ff15???????? 33c0 ebe6 } + $sequence_3 = { ff75fc ff15???????? 8bf0 85f6 0f84d1010000 53 } + $sequence_4 = { 57 8bf8 d1ff ff05???????? 833d????????03 897df8 750e } + $sequence_5 = { 81ecb8080000 53 8b5d08 68???????? 53 } + $sequence_6 = { 663d0004 0f95c1 49 83e103 03cd } + $sequence_7 = { f3a5 8bca 83e103 f3a4 c68405edfdffff00 } + $sequence_8 = { 7522 83be8c00000001 7506 c70610000000 } + $sequence_9 = { 50 8d856cfdffff 50 ff7570 c7456804010000 895d5c } condition: 7 of them and filesize < 94208 
@@ -88459,36 +88493,36 @@ rule MALPEDIA_Win_Azov_Wiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d3c9489-8494-515f-a851-2efd685c079b" - date = "2026-01-05" - modified = "2026-01-06" + id = "f29fc5b9-eed9-5e26-a218-34787bb0c2f6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.azov_wiper_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.azov_wiper_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "7b55d48ad9f56923d371b84a7be8f9204233f80fc6507fb08d7baa3b93540774" + logic_hash = "f70ede975bc97d92f2ff4790158fb61a2e65c259baa2689cda2ca5df144d7d8c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883ef01 75e6 488b05???????? 33c9 488b10 } - $sequence_1 = { 741e 488b05???????? bafe010000 488bcb 4c8b00 } - $sequence_2 = { 4889442420 41ff9258010000 488b8c2470080000 4885c9 7410 488b05???????? } - $sequence_3 = { 4c8b10 4883c8ff 0f1f00 66837c410200 488d4001 75f4 } - $sequence_4 = { 488d55f3 ffd0 4883ec08 48c7042400000000 } - $sequence_5 = { 488b0b 488b10 ff5250 488d5b08 4883ef01 75e6 488b05???????? } - $sequence_6 = { 488bce 4c8b10 41ff5240 4885c0 } - $sequence_7 = { 498943e0 488d055cfbffff 498943e8 488b05???????? 488bce } - $sequence_8 = { 488b3d???????? 
f20f10842460020000 488b4710 f20f5c4004 660f2f400c 7310 } - $sequence_9 = { 488b05???????? 498d8f00040000 48895c2430 4533c9 } + $sequence_0 = { 48894c2408 57 4883ec40 33ff 4c8bda 4883cbff 488bc3 } + $sequence_1 = { 488d5202 6685c9 75ef 488b05???????? 4c8d0551feffff 48897c2428 33d2 } + $sequence_2 = { 48897c2430 4533c0 33d2 4c8b10 } + $sequence_3 = { 8bc6 488b7c2430 488b5c2438 4883c420 } + $sequence_4 = { 8d571a 4533c9 48895c2420 4533c0 33c9 } + $sequence_5 = { 4889742418 57 4881ec60020000 33ff } + $sequence_6 = { 4885c0 7509 488b15???????? ebd6 e8???????? 0f57f6 } + $sequence_7 = { 4881ec50020000 488b4108 0f29b42440020000 48890d???????? ff5028 } + $sequence_8 = { 458bc4 ba000000c0 48c744242002000000 4c8b10 41ff5238 488bf0 } + $sequence_9 = { ff5260 4c8d9c2460020000 33c0 498b5b10 498b7320 498be3 5f } condition: 7 of them and filesize < 73728 
@@ -88498,36 +88532,36 @@ rule MALPEDIA_Win_Kpot_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2d1c2c52-a27f-577a-ba10-9c57d7ba8b38" - date = "2026-01-05" - modified = "2026-01-06" + id = "fc6defb2-6139-5ff2-8b9b-2b3f0cc2b77b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kpot_stealer_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kpot_stealer_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "c16845199544fc6722c4e2fc31a24b6089435ba431e0486f2fdbb3a3dff70b56" + logic_hash = "c11c81ecd7cb5aea3dd4bc707fe3704781b47972b95a6f8f03c987cc4c63398e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0bce 0fb67007 0fb64006 c1e608 } - $sequence_1 = { 8b4608 8b0e ff3481 ff15???????? 8b4608 8b4e04 } - $sequence_2 = { d1e8 8bc8 81e100000007 8bd8 } - $sequence_3 = { 8a02 3c2d 7506 33ff 47 42 eb07 } - $sequence_4 = { 59 8d4df8 51 ff75f8 } - $sequence_5 = { 57 8bf8 8b4518 0fb67005 } - $sequence_6 = { 0bd1 8bcf c1e11b d1ef } - $sequence_7 = { 8bd6 e8???????? 
c6043700 8bc7 5f } - $sequence_8 = { 8a07 84c0 7417 8a0c3a 47 3ac8 74f2 } - $sequence_9 = { 53 56 57 8bf8 8b4518 0fb67005 } + $sequence_0 = { 83f92f 7414 83f95c 740a 83f962 7560 c60008 } + $sequence_1 = { 57 ff15???????? 8bf8 59 85ff 750c } + $sequence_2 = { 84c9 75e4 33c0 5f 5e c3 8bc6 } + $sequence_3 = { 66890c42 40 3bc7 7cec 8b4d08 } + $sequence_4 = { ff4d0c 0f85f7feffff e9???????? 83c770 } + $sequence_5 = { 8ac3 e8???????? 84c0 7505 8b55f0 eb6b } + $sequence_6 = { 8bf2 81e600001000 0bce c1e914 81e300000600 8bf2 81e600e00100 } + $sequence_7 = { 894604 85c0 741b 50 e8???????? } + $sequence_8 = { 250f0f0f0f 33d0 c1e004 33c8 8bc2 } + $sequence_9 = { 59 8b4dfc 8345fc04 817df8???????? } condition: 7 of them and filesize < 219136 
@@ -88537,75 +88571,114 @@ rule MALPEDIA_Win_Lambload_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ceafeacb-8aed-52b1-8cc4-bc13d9e4ebc5" - date = "2026-01-05" - modified = "2026-01-06" + id = "acd95014-1417-5951-843e-5a95eac49cfe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lambload_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lambload_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "bbe1c88e2fad81661a6dd79b8985da064315d8e7bbf36d0a65857b53079669fb" + logic_hash = "4d00ae1d97989bbf86335c6c50c4111923a994361de68d8062d31965cd339c87" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 6a02 8bf9 c785c0fbffff04010000 ff15???????? } - $sequence_1 = { f3a4 ffb5c4fbffff ff15???????? 8d7bfe } - $sequence_2 = { 0f8468ffffff 8d85f4fdffff 50 e8???????? 
} - $sequence_3 = { c70009000000 ebc5 8bc3 c1f805 8d3c8500490710 8bf3 83e61f } - $sequence_4 = { 8a00 88443dfc 8a5dfd 47 ff4508 } - $sequence_5 = { 33c9 3bc7 0f95c1 894604 8d41ff 8b4dfc 5f } - $sequence_6 = { 394510 7241 6a04 5b 7705 } - $sequence_7 = { 59 8945e0 85c0 7461 8d0cbd00490710 } - $sequence_8 = { 8bff 56 57 33ff ffb7602b0710 } - $sequence_9 = { 6685c9 75f4 8b4dfc 8bfb 8bf0 } + $sequence_0 = { 03f7 8d4601 50 ff75f4 } + $sequence_1 = { e8???????? 83c40c 85c0 7511 ffb5ecf5ffff e8???????? 59 } + $sequence_2 = { 72d0 7705 3b550c 76c9 8b450c } + $sequence_3 = { c604063d 59 8945f4 8bf7 75e6 } + $sequence_4 = { 8bf8 8bf1 a5 53 66a5 e8???????? 85c0 } + $sequence_5 = { c785f8ebffff10000000 8d8d34ecffff 8b51cc 8b31 8bc2 } + $sequence_6 = { c1e006 03048d00490710 eb02 8bc2 f6402480 7418 e8???????? } + $sequence_7 = { 8945fc 8d4601 50 ff75f4 } + $sequence_8 = { 0f859b010000 8b3d???????? 8d85e8fbffff 50 8d85ecfbffff 50 56 } + $sequence_9 = { bf???????? 8b6c242c 8d45ff 83f81d 0f87ba030000 33c9 8a88287e0310 } condition: 7 of them and filesize < 1039360 } +rule MALPEDIA_Win_Venon_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "24c2580c-eca1-5977-b2fc-90e5c8a505ba" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.venon" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.venon_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "ab9221dc0c6ec834db58d9cf65a8c800f847f199116d4cd36e82a818ab678a4f" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = 
"TLP:WHITE" + + strings: + $sequence_0 = { eb0f 488bd6 e8???????? 8b7c2440 83f701 41b804000000 488d4c2440 } + $sequence_1 = { eb0b c784245002000000000000 8b842450020000 83e802 4898 488b4c2420 482bc8 } + $sequence_2 = { ebe3 4889542410 55 4157 4156 56 57 } + $sequence_3 = { ff5018 89c5 89e8 4881c4a8000000 5b 5d 5f } + $sequence_4 = { e9???????? 8b442420 8b4c2424 2bc8 8bc1 c1e007 488b8c2480000000 } + $sequence_5 = { e9???????? 488b09 e9???????? 41b808000000 41b908000000 e9???????? 4156 } + $sequence_6 = { e9???????? 48b80000000000000080 48898580010000 488b8d880b0000 488b85400b0000 ff5048 488bb5e00a0000 } + $sequence_7 = { eb0b 89d6 e8???????? 89f2 89c6 31c9 4531ff } + $sequence_8 = { f30f7f4210 488b8d28080000 c681d902000000 803906 7537 48c7852008000000000000 4c89ad08080000 } + $sequence_9 = { f048ff08 750d 488b45f0 488d4838 e8???????? 488b45f0 488d4858 } + + condition: + 7 of them and filesize < 19539968 +} rule MALPEDIA_Win_Ransomexx_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "094b727d-6615-5ea8-8297-ce60c4df65db" - date = "2026-01-05" - modified = "2026-01-06" + id = "6ea86412-775d-5ea3-9fa6-8c1e24027d09" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ransomexx_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ransomexx_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "88fc0fd7827f895e1a84baf4a50e5e79c472c52e50515dafeb1f3f74d8cf643c" + logic_hash = "6d160f4a9e1a1a6b6eaef39eeef60476059a4b709022cd6ad7b0f96462908057" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = 
"20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1eb08 81e3ff000000 333c9db07a4200 8b5dec } - $sequence_1 = { 8a10 881406 40 49 75f7 8b7df0 } - $sequence_2 = { 8b0d???????? 6a04 8d45e8 6a00 50 ffd1 } - $sequence_3 = { 6a00 ff15???????? 85c0 7415 0fb745e0 8b0d???????? } - $sequence_4 = { 8d3c8500000000 8b0417 53 50 ff15???????? eb31 } - $sequence_5 = { b801000000 8945dc 8945e0 33f2 } - $sequence_6 = { 3b45ec 729b 8b4d10 8b5104 8955fc } - $sequence_7 = { 8d5df4 8d75e0 8bc3 e8???????? 8bf0 85f6 } - $sequence_8 = { b16c c7006e74646c c740046c2e646c 884808 50 ff15???????? } - $sequence_9 = { e8???????? 83c404 85c0 7520 8b4dfc f7d9 890f } + $sequence_0 = { c3 3bc8 735c 6a04 50 ff15???????? 8bd8 } + $sequence_1 = { 897df8 3bf9 0f849d010000 eb03 8b7df8 8b5728 0fb77724 } + $sequence_2 = { 50 8d4df4 51 6a04 52 ffd6 } + $sequence_3 = { 8d8424b8010000 e8???????? 83c007 c1e803 898424b4010000 8b842454020000 2bc6 } + $sequence_4 = { 83c40c 51 ff15???????? 83c404 8b4dd8 85c9 7425 } + $sequence_5 = { 750e 8b7d10 8d742410 e8???????? 8bf0 8b0d???????? 68d8000000 } + $sequence_6 = { 7507 c7431001000000 a1???????? 6880010000 8d957cfeffff 6a00 52 } + $sequence_7 = { 33f6 3935???????? 750f e8???????? c705????????01000000 0f31 a3???????? } + $sequence_8 = { e8???????? 8bf0 83c404 85f6 0f8582030000 8b4514 85c0 } + $sequence_9 = { 3dea000000 74b7 8b4618 03c6 7454 8b4808 } condition: 7 of them and filesize < 372736 
@@ -88615,36 +88688,36 @@ rule MALPEDIA_Win_Arefty_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "00e4c323-1086-5d09-b0dc-b3d3486d1cb0" - date = "2026-01-05" - modified = "2026-01-06" + id = "89a83af3-19d3-5c69-be87-f03500ded2db" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.arefty_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.arefty_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "d90c0aff72ecb08f18ac74bec7d59a72670c6515429c6fde34529cd8bd03f3d6" + logic_hash = "6767e3b44a2d7425cdc7c4d053e60f2db1b2433095ac57f7d869acf4ba5a9f7d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 e8???????? 83c404 83fbff 7407 53 } - $sequence_1 = { 50 53 ff15???????? 680000a000 e8???????? 8bf8 } - $sequence_2 = { 50 8b07 68???????? 6a03 8d04b0 50 e8???????? } - $sequence_3 = { 8b07 68???????? 6a03 8d04b0 } - $sequence_4 = { ff15???????? 680000a000 e8???????? 8bf8 } - $sequence_5 = { ff15???????? 85ff 7409 57 e8???????? 83c404 83fbff } - $sequence_6 = { 8b07 68???????? 6a03 8d04b0 50 e8???????? 46 } - $sequence_7 = { 0fb6041e 50 8b07 68???????? 6a03 8d04b0 50 } - $sequence_8 = { 50 53 ff15???????? 680000a000 e8???????? } - $sequence_9 = { 0fb6041e 50 8b07 68???????? 
6a03 } + $sequence_0 = { 50 8b07 68???????? 6a03 8d04b0 } + $sequence_1 = { 57 e8???????? 83c404 83fbff 7407 } + $sequence_2 = { 57 e8???????? 83c404 83fbff 7407 53 } + $sequence_3 = { 8b07 68???????? 6a03 8d04b0 50 } + $sequence_4 = { 7409 57 e8???????? 83c404 83fbff 7407 53 } + $sequence_5 = { 50 53 ff15???????? 680000a000 } + $sequence_6 = { 0fb6041e 50 8b07 68???????? 6a03 8d04b0 50 } + $sequence_7 = { 50 53 ff15???????? 680000a000 e8???????? 8bf8 } + $sequence_8 = { 7409 57 e8???????? 83c404 83fbff 7407 } + $sequence_9 = { 8b07 68???????? 6a03 8d04b0 50 e8???????? } condition: 7 of them and filesize < 237568 
@@ -88654,36 +88727,36 @@ rule MALPEDIA_Win_Chthonic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9308f91d-3793-554b-b1d0-64ba8302fadb" - date = "2026-01-05" - modified = "2026-01-06" + id = "8b64add5-ff03-5fa0-9d49-9279e42d139e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chthonic_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chthonic_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "4dc2485521a827af3e062f4f45b00520b596cc6d1b868ae843ff411ddfc73052" + logic_hash = "868310f060146371dd87c106e4ad6857182f77f3854b6b725bec1227384a4b4b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bcf d3ee 83e601 eb00 8b4df8 } - $sequence_1 = { 0f850d010000 8b4df0 eb00 894df8 } - $sequence_2 = { 8a08 32ca 80e17f 8808 b001 c3 8b442404 } - $sequence_3 = { 74cf 8345fc02 b9000d0000 3b4df8 1bc9 f7d9 014dfc } - $sequence_4 = { 894df0 e9???????? 8b4514 8b4df4 8908 33c0 3b550c } - $sequence_5 = { 5f c1ee1f e9???????? 8b041a 6a1f 8bf0 } - $sequence_6 = { 80e17f 8808 b001 c3 8b442404 } - $sequence_7 = { e9???????? 
8b041a 6a1f 8bf0 83c204 5f } - $sequence_8 = { 7cf4 33f6 33d2 8bc6 f77514 8b4510 8d8cb5fcfbffff } - $sequence_9 = { 3b550c 5f 5e 0f94c0 5b c9 c3 } + $sequence_0 = { 5f c1ee1f e9???????? 8b041a 8bc8 83c204 } + $sequence_1 = { 53 ff7510 ff7508 e8???????? 85c0 7502 b301 } + $sequence_2 = { 3bc3 7cf4 33f6 33d2 8bc6 f77514 } + $sequence_3 = { 81e1ff00ff00 0bc1 89470c 5f } + $sequence_4 = { 894dfc 85ff 7459 4f 8bf0 } + $sequence_5 = { ff45f4 ff4dfc 75ec 894df4 e9???????? 8b041a } + $sequence_6 = { c1c108 81e1ff00ff00 0bc1 89470c } + $sequence_7 = { eb00 85ff 0f84bd000000 4f 8bf0 } + $sequence_8 = { 83fe02 0f850d010000 8b4df0 eb00 894df8 85ff 0f84e7000000 } + $sequence_9 = { ff751c ff7518 ff7514 53 ff7510 ff7508 e8???????? } condition: 7 of them and filesize < 425984 
@@ -88693,42 +88766,42 @@ rule MALPEDIA_Win_Lambert_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "766677fc-20f5-5c4e-acc7-a5a40372da69" - date = "2026-01-05" - modified = "2026-01-06" + id = "f7df9e01-4453-533c-813f-915aa9f6b16b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lambert_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lambert_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "60e780dd4c006048bc0528824ae1f73ab836d6b104a44501df20cceb325dce70" + logic_hash = "e962fdd46748b54901f5fa4e2a5bf76c62195e73f61927694baad41b7e26a417" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4f 42 3b7d10 724d } - $sequence_1 = { 8b4d08 03481c 894de4 8b55f4 8b45e4 } - $sequence_2 = { 33ce 314de8 890a 894de4 } - $sequence_3 = { 7402 eb60 8b45fc 83c078 8945f0 8b4df0 } - $sequence_4 = { 85c0 741f 8b4df8 c1e90d 8b55f8 c1e213 0bca } - $sequence_5 = { 41 8801 41 e9???????? 6afc 2b4d10 8b5514 } - $sequence_6 = { 0f82a4000000 83fe06 0f822cffffff 8bc1 } - $sequence_7 = { 33ce 33d1 33da 8970f0 } - $sequence_8 = { 51 e8???????? 0fb7d0 0355f8 } - $sequence_9 = { 0bca 894df8 8b45fc 0fb708 51 e8???????? 
} - $sequence_10 = { 33c1 03c0 33c8 8bc1 c1e808 } - $sequence_11 = { 8945fc 8b4d0c 8b55fc 3b5118 } - $sequence_12 = { 2bc2 83f801 0f8208010000 803a00 } - $sequence_13 = { 4f 42 42 eb56 } - $sequence_14 = { 8b5508 031481 8955f4 8b45f4 50 e8???????? } - $sequence_15 = { f7d2 8b45f4 335004 8955f8 8b4df4 } + $sequence_0 = { 33d1 33da 8970f0 8958fc 8948f4 8950f8 5f } + $sequence_1 = { 3b7d10 0f82bd000000 3bf9 0f83b5000000 2bd9 8d4602 3bd8 } + $sequence_2 = { ebce 8b45f8 8be5 5d c20400 55 } + $sequence_3 = { 05f0000000 832000 33f2 8b55e8 } + $sequence_4 = { 0f8c1fffffff 8b07 8901 6a04 } + $sequence_5 = { 83ec1c c745ec00000000 8b4508 8945f8 8b4df8 0fb711 81fa4d5a0000 } + $sequence_6 = { 8b421c 8945f4 8b4df4 894df0 8b55f4 8b4220 } + $sequence_7 = { 8b4d0c 8b5508 035124 8955f8 c745fc00000000 } + $sequence_8 = { 8b55f8 c1e213 0bca 894df8 8b45fc 0fbe08 034df8 } + $sequence_9 = { 3bd8 0f826f010000 8a07 8801 } + $sequence_10 = { 0fb702 85c0 7428 8b4df8 } + $sequence_11 = { 8b4d08 03481c 894de4 8b55f4 8b45e4 8b4d08 } + $sequence_12 = { 3b7d10 724d 3bf9 7349 8bc3 2bc1 } + $sequence_13 = { 0f8208010000 803a00 74e6 0fb602 } + $sequence_14 = { 8955f4 8b45f4 50 e8???????? 8945e8 8b4de8 3b4d10 } + $sequence_15 = { 03f8 4e 4e 8b1f 8919 2bf0 03c8 } condition: 7 of them and filesize < 1205248 
@@ -88738,36 +88811,36 @@ rule MALPEDIA_Win_Vapor_Rage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1d14d0da-1333-54f1-9dbb-f6aece783656" - date = "2026-01-05" - modified = "2026-01-06" + id = "1e8c56d3-bc96-5685-bd56-a98ffc12ea42" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vapor_rage_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vapor_rage_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "4db758774b2d4194695ce32a1e8b4b65a9381f513267f8540ab016f72cc37d62" + logic_hash = "bcb29a40e43ca6bc0df9030dbaebb46847b85eeeed0febe0ded947e1c76a6b49" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f2e94e030000 55 8bec 5d e9???????? 55 } - $sequence_1 = { 8d450c 50 8b4d08 51 6a02 ff15???????? 85c0 } - $sequence_2 = { 6a00 8d55ec 52 8b45d4 } - $sequence_3 = { 8d55ec 52 8b45d4 50 6a05 8b4de4 51 } - $sequence_4 = { c3 3b0d???????? f27502 f2c3 f2e94e030000 } - $sequence_5 = { 6a03 6a00 6a00 0fb755b0 52 } - $sequence_6 = { 50 8b4d08 51 6a02 ff15???????? 85c0 } - $sequence_7 = { 3b0d???????? f27502 f2c3 f2e94e030000 55 } - $sequence_8 = { ff15???????? 
8b4df8 81c900010000 894df8 8b55f8 81ca80000000 } - $sequence_9 = { 83c404 8945c4 8b45c4 8945d0 } + $sequence_0 = { e8???????? a1???????? 85c0 7f04 33c0 eb59 } + $sequence_1 = { eb59 48 a3???????? e8???????? 8845e4 8365fc00 } + $sequence_2 = { 8b45d4 50 6a05 8b4de4 51 ff15???????? } + $sequence_3 = { ff15???????? eb1e 8b4de4 51 } + $sequence_4 = { e8???????? c705????????01000000 e8???????? 84c0 744d e8???????? e8???????? } + $sequence_5 = { c745e400000000 6a00 6800008000 6a00 6a00 6a00 8b55d0 } + $sequence_6 = { c705????????02000000 a900000008 7454 a9???????? } + $sequence_7 = { 52 6a1f 8b45e4 50 ff15???????? } + $sequence_8 = { 81ca80000000 8955f8 6a04 8d45f8 50 6a1f } + $sequence_9 = { 6800008000 6a00 6a00 6a00 8b55d0 52 } condition: 7 of them and filesize < 296960 
@@ -88777,36 +88850,36 @@ rule MALPEDIA_Win_Quickheal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "32c5b738-c920-5a30-a6ba-c9a05fe50d12" - date = "2026-01-05" - modified = "2026-01-06" + id = "22de51a1-ed31-52f9-af0c-a91611a07efc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quickheal_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quickheal_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "b1666ee1e28f71dc83ee325a607900259e0027addcd09d0a51064c380d4fc4c7" + logic_hash = "53805141b68340c61a2af13049147d5ea8e836b39c66694157c67a33a8c32157" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 8d7c2431 c78424ec0300001c010000 f3ab 66ab } - $sequence_1 = { 66898c2494040000 b940000000 f3ab c784249800000003000000 c78424cc000000058288a2 } - $sequence_2 = { 8b542414 6a07 52 895c2478 895c247c } - $sequence_3 = { 8944242c 55 e9???????? ffd6 68???????? 57 8944243c } - $sequence_4 = { 89542450 f7d1 89542454 49 8bf9 8d043f 50 } - $sequence_5 = { 7527 85ed 7523 8b4c2414 e8???????? 53 892d???????? } - $sequence_6 = { 8d5c2410 83c404 8944240c c1eb04 8d740704 e8???????? 
3206 } - $sequence_7 = { ffd7 3bc3 0f845d040000 8d8c24d8150000 2bc6 } - $sequence_8 = { 23e9 f7d2 23d6 0bd5 8b6c243c 03d5 03da } - $sequence_9 = { 8b542420 c1f802 8d0440 3bd0 0f8c8e030000 8d46fc 53 } + $sequence_0 = { c3 68fc1b0000 e8???????? 8be8 83c404 } + $sequence_1 = { a1???????? 8d7c244c f7d1 49 8d74244c c1e007 } + $sequence_2 = { 8d7c245d 885c245c f3ab bf???????? 83c9ff f2ae } + $sequence_3 = { 83d8ff 85c0 740e 8b3f 85ff 75c8 8b12 } + $sequence_4 = { 81c414040000 c3 8b4c2414 e8???????? 53 } + $sequence_5 = { 23de 0bdd 8b6c2444 03dd 8d9c189979825a 8bc3 } + $sequence_6 = { 23dd 0bf3 8b5c2444 03f3 } + $sequence_7 = { f2ae 8bca 4f c1e902 f3a5 8bca 8d842490050000 } + $sequence_8 = { 8d4400fe 66898424a4000000 66898424a6000000 0fbfc0 03c2 } + $sequence_9 = { 897c2434 c1e902 f3a5 8bcd 83e103 f3a4 b907000000 } condition: 7 of them and filesize < 553984 
@@ -88816,36 +88889,36 @@ rule MALPEDIA_Win_Newposthings_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c55cf5a4-9d2e-5a13-be84-37c432415503" - date = "2026-01-05" - modified = "2026-01-06" + id = "20ff82cf-2d6a-526d-a110-13e7754c9905" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.newposthings_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.newposthings_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "13f1fe8829e7836205b87c0389095410b0edec07cc2b8983a118dc935e06f45f" + logic_hash = "1e60e973792ec4bd04fc1353a5459cddbddac13982ad2b2d312fbcf2fa54e964" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ec0c 8b4508 8b483c 01c1 813950450000 7551 8d5178 } - $sequence_1 = { 68ae520110 64a100000000 50 81ec28010000 a1???????? 33c5 } - $sequence_2 = { 8d85f0fcffff 50 6801010000 6a00 c785ecfcffff00000000 } - $sequence_3 = { ff750c e8???????? 83c404 c745200f000000 c7451c00000000 c6450c00 b801000000 } - $sequence_4 = { 8bce e8???????? c745fcffffffff ff36 e8???????? 83c404 8b4df4 } - $sequence_5 = { 833cf5c000021000 7513 56 e8???????? } - $sequence_6 = { 57 a1???????? 
33c4 50 8d442420 64a300000000 68f0110210 } - $sequence_7 = { c68518ffffff00 c645fc10 837d9010 720e ffb57cffffff } - $sequence_8 = { 0fb6bc3890b70110 8bc7 c1e804 89bdc4fdffff 8bbde8fdffff 8985c4fdffff } - $sequence_9 = { 83c40c 8d842474040000 6890010000 50 6a00 ff15???????? } + $sequence_0 = { 837d3410 720b ff7520 e8???????? 83c404 } + $sequence_1 = { 6afe 8d45f0 50 68e4010210 e8???????? 83c40c 83c8ff } + $sequence_2 = { 6843120110 e8???????? 83c418 85c0 7903 c60600 83f8fe } + $sequence_3 = { 50 8d8d68ffffff c78540ffffff0f000000 c7853cffffff00000000 c6852cffffff00 c7857cffffff0f000000 } + $sequence_4 = { ffd6 8d442410 50 ffd7 6a00 6a00 53 } + $sequence_5 = { 59 48 5d c3 8b0d???????? 83c901 } + $sequence_6 = { 8b3495481d0210 8a441e04 84c0 0f8957020000 807d1302 0f846d020000 } + $sequence_7 = { 8d8d14ffffff e8???????? 83c404 c645fc07 8d4d08 51 } + $sequence_8 = { 8b06 3b4210 0f92c1 884de4 84c9 7404 8b12 } + $sequence_9 = { 75f8 8bca c1e902 f3a5 8d8508feffff 8bca 50 } condition: 7 of them and filesize < 827392 
@@ -88855,36 +88928,36 @@ rule MALPEDIA_Win_Unidentified_096_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14dc2ed1-3b02-5d6b-954c-e104f03f276c" - date = "2026-01-05" - modified = "2026-01-06" + id = "02ca902e-69f3-538c-b15a-2aa5fa108962" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_096" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_096_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_096_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "ce476a34a11ac04b46490ceeeb6d4b2e968299e307b980b5713cec9af31b5ce1" + logic_hash = "8529473ef1232eb349559a0d6310063e2f83c0302dbd34f6b13714f4b0f49954" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a2???????? 81e1ffff0000 5f 83c1f8 5e } - $sequence_1 = { 52 e8???????? 83c418 c3 8b0d???????? 51 68???????? } - $sequence_2 = { 55 6800000080 55 6800000080 } - $sequence_3 = { 68ff000000 52 ff15???????? 5f 5e 33c0 } - $sequence_4 = { 85c0 7505 5e 83c40c c3 6a0c } - $sequence_5 = { 83c03d eb3f 85ff 8ac1 7d04 } - $sequence_6 = { 85ff 7523 8b4c2420 8b54241c 8b442414 51 52 } - $sequence_7 = { b024 a2???????? eb3b b025 a2???????? } - $sequence_8 = { 7d04 0480 eb35 0470 eb31 } - $sequence_9 = { 8b400c 89410c e8???????? 83c410 56 e8???????? 
} + $sequence_0 = { 6a10 52 56 6803000010 53 ffd7 3b44240c } + $sequence_1 = { ffd6 0fbfc0 8944240c ff15???????? 8bf0 a1???????? 3bf0 } + $sequence_2 = { 56 8b742458 8d442424 33ed 50 c744242830000000 } + $sequence_3 = { b026 a2???????? eb20 b02a } + $sequence_4 = { 56 e8???????? 8b4c2420 8b542418 83c404 53 } + $sequence_5 = { 52 ffd7 8d442410 50 ffd3 55 } + $sequence_6 = { 8b4c2414 53 50 68ff000000 51 } + $sequence_7 = { 68???????? 25ffff0000 52 8b542418 81e1ffff0000 50 8b442422 } + $sequence_8 = { 53 51 68ff000000 52 ff15???????? 5f } + $sequence_9 = { 83c418 c3 8b0d???????? 51 68???????? e8???????? 8b15???????? } condition: 7 of them and filesize < 25648 
@@ -88894,36 +88967,36 @@ rule MALPEDIA_Win_Hikit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cf2c2140-f351-5d9d-a962-449d1b05d24a" - date = "2026-01-05" - modified = "2026-01-06" + id = "e2a08143-dab9-575a-8d69-b094542a0ea9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hikit_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hikit_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "d51c1ae21b05f4f7340fe9215a9d683066cb3055762a66620984bf5bd09e28e0" + logic_hash = "2ddd83c7161ea7ab607ef111c9c849fb37dfb955d24280fdb470b6b6e4729d3b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b442408 39442418 0f84e8000000 c744240401000000 8b442408 89442428 8b442428 } - $sequence_1 = { 48 c784245001000000000000 48 c744244000000000 48 c784244801000000000000 48 } - $sequence_2 = { 68???????? 6a24 8b45f8 83c004 50 e8???????? 83c424 } - $sequence_3 = { 52 8d8c2498120000 51 33c9 03c0 8d510c } - $sequence_4 = { 7408 81f90c000140 7506 8988e0000000 ff7514 ff7510 51 } - $sequence_5 = { 0f8427020000 8d8758080000 50 ff15???????? 
f6460d04 7546 8b4608 } - $sequence_6 = { 48 03c1 48 89442440 48 8b842488010000 0fb600 } - $sequence_7 = { 85c0 0f8e84000000 48 8b442428 0fb7501a 48 8b4c2428 } - $sequence_8 = { 7e0c 48 8b442450 c6803201000000 48 8b442450 0fb68031010000 } - $sequence_9 = { 48 8b442420 8b5028 48 c1ea0c 48 8b442420 } + $sequence_0 = { 81ec18010000 a1???????? 33c5 894574 6810010000 8d8564ffffff } + $sequence_1 = { 8b442450 898850100000 48 8b4c2450 48 83c150 45 } + $sequence_2 = { 33c0 c705????????01000000 8b8c24c0020000 64890d00000000 59 5f 5e } + $sequence_3 = { bf40700100 8bcf c786e00000000b000140 8986bc000000 8986c0000000 ff15???????? a2???????? } + $sequence_4 = { 8908 8b45fc 8b4df4 894808 8b45fc 88581c 8b45fc } + $sequence_5 = { e8???????? 83c404 c745e400000000 c745f000000000 c745fcffffffff e9???????? c745d400000000 } + $sequence_6 = { 48 639084000000 48 8b4c2458 48 8b442450 } + $sequence_7 = { 6800200000 50 e8???????? 83c420 03f0 f644244010 7422 } + $sequence_8 = { 7429 8b55fc 8b02 3b4508 7511 8b4dfc 0fb69194000000 } + $sequence_9 = { 66894c4420 8944240c b909000000 ba???????? 8d742420 } condition: 7 of them and filesize < 573440 
@@ -88933,36 +89006,36 @@ rule MALPEDIA_Win_Molerat_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d42e4503-ecb9-5c8a-a5c4-49076e4c4692" - date = "2026-01-05" - modified = "2026-01-06" + id = "dd34e6fe-166f-5992-ad77-da2eef3e6cc0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.molerat_loader_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.molerat_loader_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "fb8054083b6be147b0212c1c64a0a9853635b01e04e79803ccd8499a9a7c2505" + logic_hash = "5fb2e2aad10aacaac4a058eda16abe79ff96d35c84f0d7b23df476065493d644" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4db8 c645fc34 e8???????? 68???????? 8d4dbc c645fc35 e8???????? } - $sequence_1 = { 51 c645fc42 e8???????? 83c40c } + $sequence_0 = { 50 c645fc83 e8???????? 83c40c c645fc84 } + $sequence_1 = { e9???????? 81bd5cfeffff68494400 742d 8b4508 83c005 } $sequence_2 = { 8b08 8b11 50 8b4204 ffd0 c644243409 8b44240c } - $sequence_3 = { 56 a1???????? 33c4 50 8d84241c020000 64a300000000 6804010000 } - $sequence_4 = { 8d4c2450 c744242000000000 e8???????? 8d4c241c c644243802 e8???????? 8d442410 } - $sequence_5 = { ffb56cffffff c745fc02000000 e8???????? 
3bc7 7585 56 ffb56cffffff } - $sequence_6 = { ffd0 68???????? 8d8d08feffff e8???????? 8b8508feffff 83c0f0 } - $sequence_7 = { c644241c02 8b442410 83c0f0 83c40c 8d500c 83c9ff f00fc10a } - $sequence_8 = { 83c40c 68???????? 50 8d4de0 b330 51 885dfc } - $sequence_9 = { 8b7d08 57 8d45e0 33f6 50 8975e8 } + $sequence_3 = { 8d9b00000000 8b13 8b5234 68cf070000 8d4500 50 } + $sequence_4 = { ebb4 8ad3 80c240 80fa1f 77f0 83c701 } + $sequence_5 = { 7d10 668b4c4310 66890c456c7e4400 40 ebe8 33c0 8945e4 } + $sequence_6 = { c645fc21 8b8568feffff 83c0f0 8d480c 83caff f00fc111 4a } + $sequence_7 = { 83c408 84c0 0f8430060000 51 } + $sequence_8 = { 8bcb e8???????? c645fc3e 8b45e8 } + $sequence_9 = { 83c110 890b eb0c 8b48f4 51 50 8bcb } condition: 7 of them and filesize < 688128 
@@ -88972,42 +89045,43 @@ rule MALPEDIA_Win_Ncctrojan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "621539aa-975e-51db-993a-fe0f56fb0b46" - date = "2026-01-05" - modified = "2026-01-06" + id = "397c1c48-b2d6-5322-ab7d-4abc0e59c73a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ncctrojan_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ncctrojan_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "1a1a856a6ccef6fe3d5ce45ce3caa49b1b9096f7072cb08e6fd3fa9a04b80075" + logic_hash = "f4906b9455afc57b70a3cddd8bdf9cc62def116e0c480e8106b08790424df03c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83f805 7536 8b85e8feffff 85c0 750a } - $sequence_1 = { 68???????? e9???????? 83f801 750a 68???????? } - $sequence_2 = { 750a 68???????? e9???????? 83f802 } - $sequence_3 = { d1f9 8d4101 50 e8???????? 8b542410 83c404 8bca } - $sequence_4 = { 50 e8???????? 8d45f4 50 8d85e8adffff } - $sequence_5 = { c785ccbdffff00000000 668985dcbdffff 8d85ecfdffff 8985d4bdffff } - $sequence_6 = { 85d2 0f8407010000 83faff 0f84fe000000 33c0 85d2 } - $sequence_7 = { e8???????? 68???????? 6a20 68???????? e8???????? 83c418 e8???????? } - $sequence_8 = { 0f99c0 8d044501000000 5e 5d c3 3b0d???????? 
} - $sequence_9 = { 03c1 50 51 ff7304 } - $sequence_10 = { 837dec08 8d45d8 0f4345d8 83ec18 } - $sequence_11 = { 8965f0 6a01 8945ec 40 6a00 } - $sequence_12 = { 7e6f 8945c8 8b400c 8b7004 } - $sequence_13 = { 0f437d08 ff15???????? 50 56 } - $sequence_14 = { 50 51 8d4d08 e8???????? 56 8985c8feffff 8d4d08 } - $sequence_15 = { 02c9 2480 7403 80f11b 83ea01 } + $sequence_0 = { e9???????? 83f801 750a 68???????? e9???????? } + $sequence_1 = { 7536 8b85e8feffff 85c0 750a } + $sequence_2 = { ff15???????? 8945f0 8d45ec 6a10 } + $sequence_3 = { 6a00 50 e8???????? 83c420 56 6a00 } + $sequence_4 = { 6800400000 50 e8???????? 83c40c 837c240c00 } + $sequence_5 = { eb0c 68???????? eb05 68???????? 8d44247c 6800400000 50 } + $sequence_6 = { 745c 8b3d???????? 8d75ac 8b15???????? } + $sequence_7 = { 6a00 ff15???????? 8d85e8fdffff 50 8d85e8adffff 6800400000 } + $sequence_8 = { 0f8552ffffff eb57 6800400000 8d85d496ffff 6a00 50 } + $sequence_9 = { 50 e8???????? 8b4d08 e8???????? e9???????? 8b4d08 e8???????? } + $sequence_10 = { 6a00 50 e8???????? 0fb745b8 50 0fb745b6 } + $sequence_11 = { 8b542408 8d420c 8b8a2cf8ffff 33c8 e8???????? 8b4afc } + $sequence_12 = { 8b542408 8d420c 8b8a0cfefeff 33c8 } + $sequence_13 = { 85d2 7e10 8ac1 02c9 2480 } + $sequence_14 = { 85db 0f84b8000000 6a14 59 } + $sequence_15 = { 0fb745ac 50 8d45bc 68???????? } + $sequence_16 = { 6a00 50 e8???????? 56 8d856cfeffff 68???????? } condition: 7 of them and filesize < 1160192 
@@ -89017,36 +89091,36 @@ rule MALPEDIA_Win_Doublepulsar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e360b7f1-7141-5d69-b347-a9d866ef6b2b" - date = "2026-01-05" - modified = "2026-01-06" + id = "0247b35d-b521-592e-8d7f-3d6f35d965be" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doublepulsar_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doublepulsar_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "459595fa25b87fbf8bb9d6bb59b89562d36c28a4b010623ea717539c5888323b" + logic_hash = "5d82302a48d4eb54b03796326ab36e042de80c6649df8e26e5c4967d2e50dd4a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 668b00 c3 81e2ffff0000 c1e202 01d1 8b09 01c8 } - $sequence_1 = { 6852445000 ff75fc 6a01 ff13 } - $sequence_2 = { 894530 8b4620 8b7d65 83c703 8907 8b4628 a902000000 } - $sequence_3 = { ff500c 85c0 748c 33c0 5f 5e 5b } - $sequence_4 = { 8b8c003cb54000 03c0 894e5c 8b9040b54000 895660 8b8844b54000 894e64 } - $sequence_5 = { 85c0 7463 8b442444 6a0e 53 50 } - $sequence_6 = { 88c8 c1e908 00c8 c1e908 00c8 c1e908 00c8 } - $sequence_7 = { 03d8 2be8 85ed 75ac } - $sequence_8 = { e8???????? a1???????? 
33c4 898424a0100000 55 56 8bb424b0100000 } - $sequence_9 = { 0f85f4000000 41 83f813 0f8287010000 8b4a0b 41 8bc0 } + $sequence_0 = { 8b4d30 39f1 8b452c 7418 e8???????? 8d4604 50 } + $sequence_1 = { 7564 56 6852445000 ff75fc 6a01 } + $sequence_2 = { 7443 6833b070e1 56 e8???????? 85c0 7434 } + $sequence_3 = { 83f80f 741e 31c9 8b3c86 8b148e 39d7 7403 } + $sequence_4 = { 56 8bd8 57 8d7b0e 57 e8???????? } + $sequence_5 = { 7714 8d9080020000 39f2 720a 29c6 89b798000000 eb06 } + $sequence_6 = { 03cb 45 0fb61a 45 85db 75e9 44 } + $sequence_7 = { 7406 83c628 49 ebe9 8b460c 8b4e08 } + $sequence_8 = { 48 8b4520 48 8b4878 48 894870 48 } + $sequence_9 = { 48 31c0 48 39c1 } condition: 7 of them and filesize < 122880 
@@ -89056,36 +89130,36 @@ rule MALPEDIA_Win_Defray_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c67cc17c-f08c-53a6-ada6-8bb99660ec4c" - date = "2026-01-05" - modified = "2026-01-06" + id = "91dbb208-60a5-5e96-a645-56c436179440" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.defray_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.defray_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "e0802b8bc0edda2578b1a81d41f729faf3574dbf8b45d2b645404d3734d8c95f" + logic_hash = "6b4e097237ff798ba5626d5bee417027ad739d6a04da88a35accdf2c8cd93643" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b86effffff 5e 8be5 5d c3 8d4102 8906 } - $sequence_1 = { 8be5 5d c3 8b4d08 8d041e 5f 5e } - $sequence_2 = { 0f84cf020000 83f8ff 0f84c6020000 6880000000 ffd6 50 } - $sequence_3 = { 83c40c 83601000 8b4df0 68???????? 8d4918 e8???????? 8d45ec } - $sequence_4 = { e8???????? f6450801 59 740d 68b8000000 56 } - $sequence_5 = { 66a5 8dbdbefcffff be???????? ab ab ab ab } - $sequence_6 = { 33c0 663b88f0724700 740d 83c002 83f814 72ef 33c0 } - $sequence_7 = { 33ff 393d???????? 7e79 33db 6800001000 e8???????? 8bf0 } - $sequence_8 = { a5 a5 66a5 8dbdbef6ffff be???????? 
ab ab } - $sequence_9 = { 0fb7c7 894de8 884dd8 8d4dd8 6a08 8945d4 c745ec0f000000 } + $sequence_0 = { 8d34ba 3bf0 741b 8bf8 2bf8 57 50 } + $sequence_1 = { 8b4dec ba10000000 8b7df0 8d49ff d3e2 8bcb } + $sequence_2 = { 8bf0 894dfc 2bf2 8d7b1f c1ef05 c1fe02 897d08 } + $sequence_3 = { 85c0 7471 8b45f0 8b4de8 8b048568f34800 f644012880 745d } + $sequence_4 = { 8bc2 8bca 83e03f c1f906 6bc030 03048d68f34800 eb05 } + $sequence_5 = { ab ab ab 66ab 33c0 8dbd74faffff a5 } + $sequence_6 = { 740b 50 ff15???????? 32c0 eb31 e8???????? 3bf0 } + $sequence_7 = { 84c0 750f 8d8d98fbffff e8???????? 84c0 7430 8d8d68f9ffff } + $sequence_8 = { c1ee02 8bfb 8bce 33c0 f3ab 8b75e8 33d2 } + $sequence_9 = { eb07 c6437600 894304 8b8544ffffff 85c0 0f8482000000 } condition: 7 of them and filesize < 1253376 
@@ -89095,36 +89169,36 @@ rule MALPEDIA_Win_Veiledsignal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71866fc5-9473-559b-a801-c95ebfec50c7" - date = "2026-01-05" - modified = "2026-01-06" + id = "377c60a9-a94c-5524-afbd-9c0179e157c6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.veiledsignal_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.veiledsignal_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "71af0216ed8c73a7deae45ea9d8e0b2ebb718fbb1957e80a9a771dea9a9d10a4" + logic_hash = "6e87ab2918cdf1f64ebbc7c49e0ef39e2382e6490d6fc1ea390a3a6343d806e5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c5f92f25???????? 0f82b1000000 48c1e82c c5e9eb15???????? c5f1eb0d???????? 4c8d0d66850000 } - $sequence_1 = { e9???????? e8???????? e9???????? 488d0514380400 } - $sequence_2 = { 0fb6552f 4c8d4d2f 4533c0 418d4814 ffd0 } - $sequence_3 = { 488d0db99a0400 e8???????? 488d0dc59a0400 e8???????? } - $sequence_4 = { 7ec4 83c8ff eb0b 4803f6 418b84f7a8140100 85c0 } - $sequence_5 = { e8???????? 4881c458010000 c3 8d8146b8ffff 83f801 } - $sequence_6 = { e8???????? 488b8890000000 48399938010000 7516 488d05c7390400 4a8b04e8 } - $sequence_7 = { ff15???????? e9???????? 
8b7c2428 488bcb ff15???????? 85ff 0f844bffffff } - $sequence_8 = { 83f8ff 7425 488d1586b10400 8bc8 e8???????? 85c0 740e } - $sequence_9 = { 428844f13e 4b8b84e010e70400 42804cf03d04 38558f e9???????? ff15???????? 894597 } + $sequence_0 = { ff15???????? b960ea0000 ff15???????? e9???????? 8b7c2428 488bcb ff15???????? } + $sequence_1 = { ff15???????? b960ea0000 ff15???????? e9???????? 8b7c2428 488bcb } + $sequence_2 = { 488d3dff250000 488bc2 4c8bfa 4d0f45d9 4885d2 418d6a01 } + $sequence_3 = { e8???????? 4881c458010000 c3 83f802 7571 } + $sequence_4 = { 488d0d58030000 b801000000 48890d???????? 488b8c2440010000 4833cc e8???????? 4881c458010000 } + $sequence_5 = { 488d1d5e8d0400 488d35ff7a0400 48895c2420 488d05538d0400 483bd8 } + $sequence_6 = { b8af000000 0f05 c3 4c8bd1 b823000000 0f05 c3 } + $sequence_7 = { 7858 3b15???????? 7350 488bca 4c8d05d5280400 83e13f 488bc2 } + $sequence_8 = { 8bf9 488d157f6c0000 b906000000 4c8d054b840000 e8???????? 488bd3 8bcf } + $sequence_9 = { ff15???????? 488b4ddf 4533c0 33d2 ffd0 488b4ddf ff15???????? } condition: 7 of them and filesize < 667648 @@ -89135,10 +89209,10 @@ rule MALPEDIA_Win_Mbrlocker_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "6a472526-8a03-5ccc-a5eb-10b46b34c6da" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mbrlocker_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mbrlocker_auto.yar#L1-L119" license_url = "N/A" logic_hash = "2abe677d378843746aa6479444a4219927906b009fff2766ade4f081783dbae6" score = 75 
@@ -89147,9 +89221,9 @@ rule MALPEDIA_Win_Mbrlocker_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -89173,36 +89247,36 @@ rule MALPEDIA_Win_Bamital_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e219e6ea-4608-5a74-87dd-c6cc7daca55c" - date = "2026-01-05" - modified = "2026-01-06" + id = "6556d45a-a640-5581-abda-c3eb1e80606b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bamital_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bamital_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "24d30014c19935766f45a136deb9c4126e6e7e91127fb6207f37108ee605d496" + logic_hash = "df862f37b3ea4c5c2cdc89a6575ade61bae493e342b81603f16fb985aeca0ce7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 803820 7516 83c101 83f901 7504 8bd0 } - $sequence_1 = { 2945f8 ff75f8 e8???????? 5e ff75f8 56 } - $sequence_2 = { 33c0 5e 5f 5b 5a 59 } - $sequence_3 = { 52 e8???????? 837dd800 7505 e9???????? } - $sequence_4 = { b910000000 f3ab eb0c 8bcb f3a4 011d???????? } - $sequence_5 = { 8b55fc 8945fc 0bd2 7406 52 e8???????? } - $sequence_6 = { 5b 5a 59 c9 c21000 33c0 5e } - $sequence_7 = { 83c024 6a00 50 e8???????? } - $sequence_8 = { 75f1 8d0411 33c2 5f 5e c9 } - $sequence_9 = { e8???????? 83c708 57 ff7004 e8???????? 83c708 } + $sequence_0 = { ff75f8 ff7508 e8???????? e8???????? 
8b7dfc } + $sequence_1 = { f3a4 011d???????? eb04 0bdb 75bc 5b } + $sequence_2 = { 2c19 eb13 3c20 720f 3c38 } + $sequence_3 = { 035d14 ff4d08 037508 33c0 33c9 4e } + $sequence_4 = { 50 51 6a00 6a00 ff7510 ff75fc } + $sequence_5 = { 49 0bc9 7402 ebe2 } + $sequence_6 = { c745d800000000 c745f000000000 68f8070000 e8???????? 8945d4 6804010000 } + $sequence_7 = { 52 e8???????? 837dd800 7505 e9???????? } + $sequence_8 = { 83c101 51 e8???????? 8945f4 59 } + $sequence_9 = { 8807 83c701 e2d8 c9 c20800 55 } condition: 7 of them and filesize < 90112 
@@ -89212,36 +89286,36 @@ rule MALPEDIA_Win_Bookcodesrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f4de16d7-c6b7-5d95-8f65-784498dd67cf" - date = "2026-01-05" - modified = "2026-01-06" + id = "4898aabc-f745-5eeb-b868-8989a59790fe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bookcodesrat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bookcodesrat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "86df5d17676a07501443cee06a4988ba13f3d4cc771e2022b238854a7e0b8406" + logic_hash = "6a54c3bffa90c7116007b02d093cebae2be27970e91c5ba26d7c33c2fea354c6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c785f8010000097c504a 66c785fc0100004c4a c685fe0100006a 8845c8 488945c9 8945d1 668945d5 } - $sequence_1 = { 33d2 41b848090000 897c2444 897c2440 e8???????? 41ff942490000000 488d4c2444 } - $sequence_2 = { 4883c002 bf0c000000 488906 eb05 bf0b000000 488d4c2420 488bd3 } - $sequence_3 = { 33d2 41b808020000 e8???????? 0fb754245c 0fb74c2458 0fb744245a 0fb77c2456 } - $sequence_4 = { e8???????? cc 8b4b28 488b4308 498bd4 } - $sequence_5 = { 4885c9 7406 ff15???????? 4883bb7002000008 720c 488b8b58020000 e8???????? } - $sequence_6 = { 488bd0 e8???????? 
89442438 41b901000000 488d8b30330000 488d542438 458d4103 } - $sequence_7 = { 66f2af 48f7d1 4c8d41ff 488d55c0 488d4d90 e8???????? } - $sequence_8 = { 488bf1 488d151bbd0200 488d0d30d50200 e8???????? 4883c9ff 488bfe 488bd8 } - $sequence_9 = { 32c2 ffc2 3433 428884058f070000 83fa14 7ce4 4863c2 } + $sequence_0 = { 488dbb40080000 66f2af 48f7d1 48ffc9 750d b960ea0000 ff9360360000 } + $sequence_1 = { 85c0 750d ff15???????? 418985a8010000 84db 7431 c744245002000000 } + $sequence_2 = { 735e 4d85ed 488b5c2420 0f8432feffff 498bdd } + $sequence_3 = { 41ffd7 8b5d10 8b7d00 4903dc 4903fc 488bf0 48833b00 } + $sequence_4 = { 48897330 ebad 48ff4b48 33c0 eb0d 488b4328 } + $sequence_5 = { ff15???????? 488d9508080000 488bcf 488983f8360000 ff15???????? 488d5598 488bcf } + $sequence_6 = { ff15???????? 488bf0 4885c0 0f8493010000 488d1556320100 488bc8 ff15???????? } + $sequence_7 = { 488d0de3780200 8905???????? 488d051ee40100 4889442458 e8???????? 488d0d09a00100 48891d???????? } + $sequence_8 = { 4053 4881ecb0030000 48c7442420feffffff 488bd9 488d8c24f0010000 488d93f0350000 41b8b8010000 } + $sequence_9 = { 498bd4 4c3b6310 720b b957000780 e8???????? cc 4863c8 } condition: 7 of them and filesize < 544768 
@@ -89251,36 +89325,36 @@ rule MALPEDIA_Win_Pathwiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6716c11-1f14-5a04-8fe4-1682b0bebda9" - date = "2026-01-05" - modified = "2026-01-06" + id = "a4120d05-0d60-5fe4-b438-d6e877288f36" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pathwiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pathwiper_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pathwiper_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "2875d616150343a511e4ca1c06e26bab19bffb8a61f2efbef223956f6da2a004" + logic_hash = "b89d67bc42562b572193bd62350239328ae540c796c12fa0d6ee1faeac0d34c9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c78540ffffff00000000 c78544ffffff0f000000 c68530ffffff00 8d8d88ebffff e8???????? 8bf8 6a00 } - $sequence_1 = { 84c0 0f84a8000000 807d3400 0f849e000000 8b950cfeffff 8b8d04feffff 8d4201 } - $sequence_2 = { 8845eb 8bc1 f7e6 6a00 68ffffff7f 52 50 } - $sequence_3 = { 8bf8 eb02 33ff 8b8518feffff 40 897dc0 50 } - $sequence_4 = { c645fc8a 50 8d8df3efffff e8???????? 8d85acf8ffff c645fc8b 50 } - $sequence_5 = { 3bf8 0f84f2010000 83c704 0f1f00 6a00 8d850cffffff 8bcf } - $sequence_6 = { e8???????? 
83c408 83c718 3bbd48feffff 0f85c2feffff 8d8554feffff 898528feffff } - $sequence_7 = { 660fd68504f0ffff c785f4efffff3734d6f2 0f1f440000 8a443dd0 32c1 88843df8efffff } - $sequence_8 = { 2b85bcf6ffff 8985d8f6ffff 0f8559fcffff 8b8db8f6ffff 85c9 7445 8b3c8d7c2d4600 } - $sequence_9 = { 8b7508 8d45f4 683734daf3 50 8d45e0 8975ec 50 } + $sequence_0 = { c745e0ebccb158 668975e4 e8???????? 8b8d52ebffff 33c8 66894de6 b98fbc0000 } + $sequence_1 = { c645fc00 85c0 0f859a000000 8b45f0 83c018 8945f0 3b45ec } + $sequence_2 = { c645fc2d 8d8d24fcffff 50 51 8d4e54 e8???????? 68???????? } + $sequence_3 = { 8b85fcfeffff 8b00 50 83c008 50 8d8558ffffff 50 } + $sequence_4 = { 898534ebffff 8b4804 51 898d38ebffff 8d8dd8eaffff 50 } + $sequence_5 = { c645fc2f 50 8d8578ffffff 8d7e74 50 8bcf e8???????? } + $sequence_6 = { 8d45e0 8975ec 50 c745f037347af3 c745f41d4ae42d c745f89b1e0000 e8???????? } + $sequence_7 = { 50 8d45e0 8975ec 50 c745f03734baf3 c745f41deccda2 } + $sequence_8 = { 8d45f3 8945ec 8d45e0 50 c645f300 c645e800 e8???????? } + $sequence_9 = { c68578ffffff00 0f84b2000000 c6851cfeffff00 85c9 0f84f7010000 8b01 8d951cfeffff } condition: 7 of them and filesize < 1047552 
@@ -89290,41 +89364,41 @@ rule MALPEDIA_Win_Cinobi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "21772936-199b-55b9-8c88-84909fbe932b" - date = "2026-01-05" - modified = "2026-01-06" + id = "9f8d5cab-a1d4-5e55-ad07-f749a237b295" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cinobi_auto.yar#L1-L163" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cinobi_auto.yar#L1-L159" license_url = "N/A" - logic_hash = "3b7b598c2d1d5a6445b3767b26d122931b2d9423a26b8573ddc77c7b26c5617b" + logic_hash = "3e40e5e04d16a0012effa4f89b0d9a3d4781dd4f04d1a7fd73c189696493c163" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { c9 c3 55 8bec 51 e8???????? 58 } - $sequence_1 = { 660fbe404b 668985a0fdffff 8b45f8 660fbe4005 668985a2fdffff 8b45f8 660fbe4005 } - $sequence_2 = { 55 8bec 83ec44 53 e8???????? } - $sequence_3 = { 8845ce c645cf00 8b45c0 8a4031 } - $sequence_4 = { 6805100000 56 8b75f0 56 ff93f7000000 } - $sequence_5 = { 8365dc00 8945e0 8d45fc 8945e4 8d45f4 } - $sequence_6 = { 50 51 ff93eb000000 8b4df4 e8???????? 8bf8 } - $sequence_7 = { 57 8b7dd0 894dfc 3bcb 7504 33c0 eb2c } - $sequence_8 = { 8a4d0c 8808 ebe5 c9 c3 } - $sequence_9 = { 8845fb 8d45a4 50 ff7508 e8???????? 
59 } - $sequence_10 = { 8b45f4 ff90db000000 8945ec 837decff 7513 } - $sequence_11 = { 8b4510 8945ec 8b45e4 8b4dfc 8b0481 034508 } - $sequence_12 = { 837de000 0f85ac000000 6a02 8d87c0120000 50 } - $sequence_13 = { 8a5832 885dd1 8a5834 885dd2 } - $sequence_14 = { 837de8ff 7507 32c0 e9???????? 6a00 ff75e8 8b45f4 } + $sequence_1 = { 88459e 8b45c0 8a403a 88459f 8b45c0 8a4003 8845a0 } + $sequence_2 = { ff969b000000 5f 5e 5b c9 } + $sequence_3 = { 66898f881e0000 660fbe0e 66898f8a1e0000 660fbe4e14 66898f8c1e0000 } + $sequence_4 = { 8845f8 8b45c0 8a4003 8845f9 } + $sequence_5 = { 0345b4 8985a8faffff 8b85a8faffff 660fbe00 } + $sequence_6 = { 8a4646 88442429 8a06 8844242a } + $sequence_7 = { 660fbe463a 66898768230000 660fbe463f 6689876a230000 660fbe4654 } + $sequence_8 = { 8b45c0 8a4052 8845cd 8b45c0 } + $sequence_9 = { 8bec 837d10ff 750c ff750c e8???????? 59 894510 } + $sequence_10 = { 8a4624 88442417 8a4634 88442418 8a4624 88442419 } + $sequence_11 = { ff75f4 e8???????? ff765f 8986eb000000 ffb6ef000000 57 } + $sequence_12 = { 6a02 ff75ec 8b45f8 ff90cf000000 83f801 750a } + $sequence_13 = { ff75ec 8b45f8 ff90d3000000 6a00 ff75f0 } + $sequence_14 = { 885ddd 8a584f 884dbe 8855bf 8855d8 } condition: 7 of them and filesize < 32768 
@@ -89334,36 +89408,36 @@ rule MALPEDIA_Win_Newpass_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d6b059ee-c4d5-5cd3-bec7-199d16e8018e" - date = "2026-01-05" - modified = "2026-01-06" + id = "47e0f7a6-576f-55a2-9137-441eab6be471" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.newpass_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.newpass_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "68e2df4904722bca2b5d5336a84032d81343ac67dcb544535e3fd89fb775b501" + logic_hash = "d06c223e085210a8c1f4811e1dc01e77d08da433457f2862fcb60a549ddda3f8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c89642438 4c89742428 48ffc0 418bf0 4c8bf2 } - $sequence_1 = { 4c8bc3 4c8d4820 4889442420 e8???????? 488b442440 4883c028 4883c430 } - $sequence_2 = { cc 4885d2 7509 33c9 ff15???????? cc 4533c9 } - $sequence_3 = { 488b4c2430 4885c9 7417 488b11 ff5210 4885c0 740c } - $sequence_4 = { 66895d00 6685c0 7505 4c8bc3 eb0f 4c8bc7 90 } - $sequence_5 = { e8???????? 488bf8 eb03 488bfe 488d55d8 e8???????? 488bd8 } - $sequence_6 = { b850800000 e8???????? 482be0 48c7442428feffffff 48899c2470800000 4889b42478800000 488b05???????? 
} - $sequence_7 = { 84c0 0f84c6000000 488b03 48634804 4803cb 488d9424c8000000 e8???????? } - $sequence_8 = { 4d8d0c18 482bf9 48c1ff05 488bcf 48d1e9 498bc2 482bc1 } - $sequence_9 = { 57 4154 4155 4156 4157 488dac24d8deffff b828220000 } + $sequence_0 = { 4833c4 4889442458 418be9 498bf8 488bda 488bf1 4889542448 } + $sequence_1 = { 80781900 7521 4c8bc8 488b00 80781900 7535 0f1f8000000000 } + $sequence_2 = { 57 4883ec30 498bd9 498bf8 488be9 } + $sequence_3 = { 408829 41ff4608 eba3 80fa75 0f857d010000 33d2 4533c9 } + $sequence_4 = { 49837f1810 7205 4d8b07 eb03 4d8bc7 498d5101 488bc8 } + $sequence_5 = { 4d8d4001 32c1 ffc1 3471 418840ff } + $sequence_6 = { 720a 488b4c2470 e8???????? 48c78424880000000f000000 4889b42480000000 c644247000 48837c246810 } + $sequence_7 = { 83f90e 72e9 0fb605???????? 448805???????? 48c74424380f000000 4c89442430 4488442420 } + $sequence_8 = { 488bcf e8???????? 3c01 7409 33c9 ff15???????? } + $sequence_9 = { cc 488d7c2438 33c0 b908000000 f3aa b001 488b4c2468 } condition: 7 of them and filesize < 2654208 
@@ -89373,36 +89447,36 @@ rule MALPEDIA_Win_Sykipot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e29757c6-dae5-5753-908e-00d3e87a0250" - date = "2026-01-05" - modified = "2026-01-06" + id = "1732475e-2a21-5d67-a528-ef369c4cd537" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sykipot_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sykipot_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "744def3f8deb3752311459797b4729b29083d33b4fd30373345787d25fb29e80" + logic_hash = "9abf4efd5bd135cc65ac418253b276b573f9ec6302eddf366c97d2278d36aab4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d842494030000 68???????? 50 ffd6 83c40c 85c0 0f85fd000000 } - $sequence_1 = { 8bcd 83e103 8d442410 f3a4 } - $sequence_2 = { b93f000000 33c0 8dbc2469060000 88942468070000 f3ab } - $sequence_3 = { 3bf3 89742438 751b 8d4c2424 } - $sequence_4 = { 83c408 85c0 75da 8b85e8feffff 8b8dd8feffff eb06 } - $sequence_5 = { c1e902 f3a5 8bcd 8d94248c010000 83e103 } - $sequence_6 = { aa c744241820000000 52 8d442428 50 ff15???????? 83c9ff } - $sequence_7 = { 8b94242c060000 56 8d842498000000 57 } - $sequence_8 = { 50 ffd6 83c40c 8d4c2428 51 68???????? 6a00 } - $sequence_9 = { e8???????? 
83c410 68???????? ffd5 8d842488000000 50 ffd5 } + $sequence_0 = { 8944240c 85c0 750f 5f 5e b8???????? 5b } + $sequence_1 = { 894c2430 8d8c2468070000 8954243c 894c2450 8d942468040000 8d4c242c 8d842468060000 } + $sequence_2 = { c744242404000000 ffd7 8b4c2450 6a04 80c980 } + $sequence_3 = { c784249000000040000000 8bfc f3a5 6a02 8bca e8???????? 5f } + $sequence_4 = { 5f 5e 5d b80d000000 5b 81c45c180000 c3 } + $sequence_5 = { c685c0fa011000 45 be???????? b8???????? } + $sequence_6 = { 7423 8d942490020000 52 68???????? 50 ff15???????? } + $sequence_7 = { 81ec0c020000 85c0 53 55 56 } + $sequence_8 = { 83cafe 42 0f95c2 88140e 99 2bc2 d1f8 } + $sequence_9 = { 50 ff15???????? 83c42c 8b4c2410 8d942418030000 51 } condition: 7 of them and filesize < 286720 @@ -89413,10 +89487,10 @@ rule MALPEDIA_Win_Batchwiper_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "8e0f816b-f334-5f53-bde8-8c13e5a1573a" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.batchwiper_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.batchwiper_auto.yar#L1-L120" license_url = "N/A" logic_hash = "7b7cda4dab9bb8ec218294d77768f35a5d54eba78e3d583128b9f7cf9e6690f0" score = 75 
@@ -89425,9 +89499,9 @@ rule MALPEDIA_Win_Batchwiper_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -89451,36 +89525,36 @@ rule MALPEDIA_Win_Medusalocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9e990ab4-0b70-5ed2-9c4d-a3d81f9ab05c" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b72d66d-a4ee-5c7f-bfd5-1998b487f49b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.medusalocker_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.medusalocker_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "1656532605d9f1886fe3ced1ab1c80cac05eec34432a579d536b1abe4c8a22b3" + logic_hash = "ce714b574ed071a3b22689fee9f7dd0fa05c9e6aa02bec727f2d694ccfe22836" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c408 8b5004 52 8b00 50 8d4dd8 e8???????? } - $sequence_1 = { e8???????? c745fcffffffff 8d4d08 e8???????? 8a45eb } - $sequence_2 = { eb24 33c9 894ddc 8d4ddc e8???????? 8945e0 } - $sequence_3 = { 05c8000000 8bc8 e8???????? 6a10 e8???????? 83c404 8945ec } - $sequence_4 = { 8d45ec 50 8b4d08 e8???????? 8b4de8 } - $sequence_5 = { ff15???????? 85c0 7575 8b45c0 } - $sequence_6 = { 8b4dfc 8b11 8b4dfc 8b4210 ffd0 8be5 5d } - $sequence_7 = { 83ec0c 894dfc 8b45fc 50 8b4d08 51 e8???????? } - $sequence_8 = { e8???????? 50 8b4dd0 e8???????? 50 } - $sequence_9 = { e8???????? 
8b4df0 e8???????? c745fcffffffff 8d4d08 e8???????? } + $sequence_0 = { 7419 6a00 8b45fc 8b480c 51 } + $sequence_1 = { 83c10c e8???????? c745fcffffffff 8d4de4 e8???????? 8b4df4 64890d00000000 } + $sequence_2 = { 8b4514 50 e8???????? 83c404 50 8bcf } + $sequence_3 = { 6a00 8b4df8 83c108 51 ff15???????? } + $sequence_4 = { 894dc0 837dc01a 0f83a7000000 0fb755c0 } + $sequence_5 = { 51 8d4d08 e8???????? 83f808 7409 c745fc01000000 eb07 } + $sequence_6 = { 51 894dfc 68???????? 8b4d08 e8???????? 0fb6c0 85c0 } + $sequence_7 = { e8???????? 8945f8 8b45f8 8b4d08 3b4814 774a } + $sequence_8 = { 8b8d5cffffff e8???????? 8d55d8 899550ffffff 8b8d50ffffff e8???????? 898560ffffff } + $sequence_9 = { e8???????? 83c408 8b00 8945c4 8d4dca 51 8d55d0 } condition: 7 of them and filesize < 1433600 
@@ -89490,36 +89564,36 @@ rule MALPEDIA_Win_Edam_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f4028c21-33b6-5e9f-a37a-2699bc732d08" - date = "2026-01-05" - modified = "2026-01-06" + id = "b47b2cdb-6765-54dc-ad98-ad9592609e3c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.edam" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.edam_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.edam_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "62aff47bf3ddbcb69a86cf1dabc7a43bddd2da8a74c7bd24c0bccdeef4523386" + logic_hash = "0f085cdbb3c4bf6e2f157c5702f737626ac405d8dd0cfb75233f6ff95837503a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c8ff eb1e 8b45fc 3bd6 8b0c8560b74500 0f95c0 02c0 } - $sequence_1 = { 50 8d45b0 8955d8 50 e8???????? 8d45b0 50 } - $sequence_2 = { 8bc1 83e13f c1f806 6bc930 8b048560b74500 f644082801 7406 } - $sequence_3 = { 40 c745ec603c4200 894df8 8945fc 64a100000000 8945e8 } - $sequence_4 = { 8bd1 8b42e8 8d72e8 8b4004 c74410e818654400 8b06 8b4804 } - $sequence_5 = { 50 6a01 8d4dd4 e8???????? 68???????? 8d45d4 c745d4c0634400 } - $sequence_6 = { 8b45f0 894df4 8b048560b74500 c644022a0a 0f8484000000 } - $sequence_7 = { 8d8d08fdffff c785b4fdffff0f000000 c785b0fdffff00000000 c685a0fdffff00 e8???????? 
8b859cfdffff } - $sequence_8 = { 6a55 ff34f5788a4400 ff7508 e8???????? 83c40c 85c0 } - $sequence_9 = { 3bc6 7353 807d8600 8a88a87c4400 8b857cffffff 8808 } + $sequence_0 = { 740d 8a8098684400 8807 47 41 894d8c 8bcb } + $sequence_1 = { 6bf630 8b0c8d60b74500 80643128fd 5f 5e 8be5 } + $sequence_2 = { 8b048560b74500 89540818 33c0 5f 5e 5b } + $sequence_3 = { 83f904 0f8261040000 83f923 0f8758040000 8bc8 51 e8???????? } + $sequence_4 = { 7511 8b45fc 8b0c8560b74500 8a06 46 8844392c } + $sequence_5 = { e8???????? 83c40c 8d8d08fdffff e8???????? 8d8588fdffff } + $sequence_6 = { 8b5508 83e03f c1fa06 57 6bf830 8955fc 8b049560b74500 } + $sequence_7 = { 8bc8 83e03f c1f906 6bc030 03048d60b74500 50 ff15???????? } + $sequence_8 = { a1???????? 83663800 894644 5e 5d c20800 8d4104 } + $sequence_9 = { 8b0c8d60b74500 8844392b 83fa03 7511 8b45fc } condition: 7 of them and filesize < 807936 
@@ -89529,36 +89603,36 @@ rule MALPEDIA_Win_Voldemort_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d125483-3b6e-5a9c-99c0-128adae803f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "d4f91bf2-546f-5cf7-ba32-91066fc835f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.voldemort" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.voldemort_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.voldemort_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "6016b2bc3970bf978eb2d9654ea41d202d59cf54c1ab79dd97509026eb74172c" + logic_hash = "462bba4ea66471a1ec3cdd81d648ec014592e69c5cc879c552beb372ce505b19" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4803c1 48894308 e9???????? 48895c2408 } - $sequence_1 = { 48894308 e9???????? 48895c2408 57 } - $sequence_2 = { 418ac0 c3 488bc4 48895808 48896810 48897018 48897820 } - $sequence_3 = { 0f45c7 4803c1 48894308 e9???????? 48895c2408 57 4883ec20 } - $sequence_4 = { 488b5c2408 418ac0 c3 488bc4 } - $sequence_5 = { 7597 41b001 488b5c2408 418ac0 c3 488bc4 } - $sequence_6 = { 488b5c2408 418ac0 c3 488bc4 48895808 48896810 48897018 } - $sequence_7 = { 8d78fe 0f45c7 4803c1 48894308 e9???????? 
48895c2408 } - $sequence_8 = { 488b5c2408 418ac0 c3 488bc4 48895808 48896810 } - $sequence_9 = { 5f c3 4c8bdc 49895b18 57 4883ec40 } + $sequence_0 = { 48894308 e9???????? 48895c2408 57 4883ec20 488b11 488bf9 } + $sequence_1 = { 5b c3 4c8bda 4c8bd1 450fb702 4d8d5202 } + $sequence_2 = { 415e 415d 415c 5f c3 4c8bdc 49895b18 } + $sequence_3 = { 7597 41b001 488b5c2408 418ac0 c3 488bc4 } + $sequence_4 = { 41c60700 b001 e9???????? 48895c2410 55 56 } + $sequence_5 = { 4803c1 48894308 e9???????? 48895c2408 57 4883ec20 } + $sequence_6 = { 41c60700 b001 e9???????? 48895c2410 55 } + $sequence_7 = { 488b5c2408 418ac0 c3 488bc4 48895808 } + $sequence_8 = { 415c 5f c3 4c8bdc 49895b18 57 4883ec40 } + $sequence_9 = { 4883c420 5b c3 4c8bda 4c8bd1 450fb702 } condition: 7 of them and filesize < 577536 
@@ -89568,36 +89642,36 @@ rule MALPEDIA_Win_Wannahusky_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "36a1577e-36ff-5776-bdb4-d895a2d2a50b" - date = "2026-01-05" - modified = "2026-01-06" + id = "d07bf394-315f-5a24-9069-13fbab096483" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannahusky" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wannahusky_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wannahusky_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "5ceb031e7aa4de1c7907749dee4ed5beefedb2e46a515067de310b2cbc83c4b9" + logic_hash = "48e1e3f7fa02618598c79905c2c3fa94624d56bff69420b790850e4ab59601f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c605????????02 c705????????60b04100 c705????????18000000 c705????????04000000 } - $sequence_1 = { 7408 8bbdf0faffff 8b0f 89442404 } - $sequence_2 = { ba28020000 8d8d98fbffff e8???????? 8d8500fbffff c744240810000000 } - $sequence_3 = { 83c008 c744240401000000 890424 ff15???????? 
89ca } - $sequence_4 = { c705????????04000000 c705????????a0464200 c705????????e01c4100 c705????????f0b34100 c705????????00000000 } - $sequence_5 = { c705????????04000000 66c705????????2b03 c705????????18000000 c705????????04000000 c605????????11 c705????????80bb4100 } - $sequence_6 = { c785fcfaffff00000000 8b480c e8???????? ba01000000 8d8dfcfaffff 8985fcfaffff e8???????? } - $sequence_7 = { e8???????? 8b45cc 3b45c0 7218 8b7dc0 890424 } - $sequence_8 = { 56 53 83ec6c 8955c0 807d0800 ba???????? } - $sequence_9 = { c705????????08b44100 c705????????00000000 c705????????04000000 c705????????04000000 66c705????????1903 c605????????01 } + $sequence_0 = { c7042400000000 89f1 89da e8???????? 89c3 a1???????? } + $sequence_1 = { c605????????12 c705????????00000000 c705????????28b34100 c705????????00000000 c705????????04000000 } + $sequence_2 = { c700???????? 89582c c74004???????? c74008???????? c7400c94cb4000 c74010ddcb4000 } + $sequence_3 = { c605????????11 c705????????80bb4100 c705????????00000000 c605????????02 c705????????70b24100 c705????????04000000 c705????????04000000 } + $sequence_4 = { 89d7 f3a5 8d8d98fbffff 89442404 } + $sequence_5 = { c705????????0c1e4100 c705????????f0b54100 c705????????04000000 c705????????04000000 } + $sequence_6 = { c705????????02000000 c605????????02 c705????????80b44100 c705????????a8b54100 c705????????04000000 c705????????04000000 c605????????16 } + $sequence_7 = { e8???????? ba01000000 8d8dfcfaffff 8985fcfaffff } + $sequence_8 = { c705????????f91d4100 c705????????0a000000 c605????????02 c705????????20b64100 } + $sequence_9 = { e8???????? 8b45e4 8945c4 837dc400 } condition: 7 of them and filesize < 862208 
@@ -89608,10 +89682,10 @@ rule MALPEDIA_Win_Slickshoes_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ad79f63d-1e65-5f60-a723-157797029623" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slickshoes_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slickshoes_auto.yar#L1-L134" license_url = "N/A" logic_hash = "d52c38b22f881790a505e094420c171449849a1fa94bb94b87565ae649a918cb" score = 75 @@ -89620,9 +89694,9 @@ rule MALPEDIA_Win_Slickshoes_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -89646,81 +89720,120 @@ rule MALPEDIA_Win_Rawdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc76b812-17c2-5ec8-96b0-76719ad244ed" - date = "2026-01-05" - modified = "2026-01-06" + id = "274b4ab9-af69-5587-aa78-3ee43f23eb78" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rawdoor_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rawdoor_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "ec178538305c82f8b2a93ab81f9192cdc24be91763d3a20d8dccb588ac264211" + logic_hash = "96eee67acddfa86275aeb54d7c7bc661519b0c1a3e895b52247c1442fb6188f1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 030e 03d1 c1c207 4103d2 } - $sequence_1 = { 030b 4403d1 418bc8 f7d1 23ca } - $sequence_2 = { 034218 418d91051d8804 458d8a39d0d4d9 03d0 } - $sequence_3 = { 03442444 3d00040000 730e 488d4c2450 } - $sequence_4 = { 034210 418d90a9cfde4b 458d81604bbbf6 03d0 } + $sequence_1 = { 034210 418d90a9cfde4b 458d81604bbbf6 03d0 } + $sequence_2 = { 030b 4403d1 418bc8 f7d1 23ca } + $sequence_3 = { 034218 418d91051d8804 458d8a39d0d4d9 03d0 } + $sequence_4 = { 03442444 3d00040000 730e 488d4c2450 } $sequence_5 = { 034608 03d0 8b442408 4103c1 4c8b4c2410 } $sequence_6 = { 034808 4403c1 8bcb f7d1 23ca } 
$sequence_7 = { 034824 418bc0 4403c9 33c2 418d8be599dbe6 } - $sequence_8 = { 0101 0101 0100 0000 0001 } - $sequence_9 = { 0000 0001 0100 0001 0101 } - $sequence_10 = { 8be5 5d c3 ff15???????? 83f8ff 746f 8d85bcf8ffff } - $sequence_11 = { 0f8405010000 83e809 7415 83e803 0f8538010000 c745dc44690210 e9???????? } - $sequence_12 = { c3 68???????? 50 ff15???????? 85c0 751f 68???????? } - $sequence_13 = { 57 8b7d08 8d14dd00000000 8b0f c1e903 83e13f 894d0c } - $sequence_14 = { ffd6 ffb5e4feffff ffd6 57 85db 7439 81fb02010000 } - $sequence_15 = { 50 e8???????? 6867010000 8d8529fcffff c68528fcffff00 6a00 50 } + $sequence_8 = { 0101 0101 0100 0000 0001 0100 } + $sequence_9 = { 0000 0001 0100 0001 0101 0101 } + $sequence_10 = { 83c40c 56 ff34b8 ff15???????? 47 3b7dfc 7cd7 } + $sequence_11 = { 84c0 75f9 2bca 8d47ff 03f1 3bd8 7411 } + $sequence_12 = { ff15???????? ff7604 8b35???????? ffd6 8bf8 8d85f8feffff } + $sequence_13 = { 6a00 8985e0fbffff c785f4fbffff00000000 c785f8fbffff00000000 c785ecfbffff00000000 ff15???????? 
8bd8 } + $sequence_14 = { 0f8483000000 48 744e 83e809 0f8523020000 c745d803000000 c745dce4690210 } + $sequence_15 = { 52 ebcc 8d45e4 50 681f000200 6a00 ff750c } condition: 7 of them and filesize < 445440 } +rule MALPEDIA_Win_Rustyrocket_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "43f1bcd1-44c4-5210-ba05-68e3a5d52df4" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustyrocket" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rustyrocket_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "ff3cc83b3d1dd755ceab49439ee02182c6c28d21fe475a34f3b57f76a51792f4" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 8b5008 e9???????? 56 57 53 4883ec40 4889ce } + $sequence_1 = { f048ff08 750c 488b8f48010000 e8???????? 48b80200000000000080 48394768 740c } + $sequence_2 = { ff15???????? 31c0 48898424b0010000 48c78424b801000001000000 48898424c0010000 807c243700 7452 } + $sequence_3 = { e8???????? 488bbc2480000000 448b74243c eb12 488b4c2448 488d942490000000 e8???????? } + $sequence_4 = { c3 83f909 751b 89d8 2500ff0000 0fb7c0 3d00030000 } + $sequence_5 = { eb26 483b442420 4c8b442428 0f83b3010000 486bc068 49833c0000 0f84ea010000 } + $sequence_6 = { eb10 85c0 0f849cf4ffff 4c8d8424b0000000 41c60008 488d05ac9f1400 4889442420 } + $sequence_7 = { eb33 0f10442470 0f108c2480000000 0f294c2430 0f29442420 0f10842490000000 0f108c24a0000000 } + $sequence_8 = { bd04000000 e9???????? 
b802000000 31ff 41bc04000000 c744242c00000000 488d150a852a00 } + $sequence_9 = { ba48000000 4c8b44d440 4d89c1 49c1e908 4d31c1 4921c1 4d31c8 } + + condition: + 7 of them and filesize < 6786048 +} rule MALPEDIA_Win_Bistromath_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3bccd3a0-c0bd-5aa2-bcab-9b1969a6c7fd" - date = "2026-01-05" - modified = "2026-01-06" + id = "54ad0f84-d78e-5bd9-a40d-420d01711b9f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bistromath_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bistromath_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6eb59622b909c4597fcaca67234110606cdc73af8fb69989e1a6ed85248b5331" + logic_hash = "7615d632c66a152a6e4c104983d7e764f9e263d21223a9467ecf49dd7ed61bf0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff701c e8???????? ff75f8 ba17000000 8945e4 6aff 8bce } - $sequence_1 = { e8???????? 83c408 85c0 7414 8b4d08 89482c 8b4c2434 } - $sequence_2 = { e8???????? 8bf0 85f6 7533 8b4b04 8d4308 50 } - $sequence_3 = { 8bf9 8d45fc 50 8bf2 8b0f e8???????? 83c408 } - $sequence_4 = { e8???????? 8bf8 85ff 7416 ff75fc ff75f4 57 } - $sequence_5 = { 8d850cffffff 6a00 50 e8???????? 
83c40c 8d85fcfeffff 50 } - $sequence_6 = { ffb594f4ffff 8bd3 8d8db8f8ffff e8???????? 83c404 8d85b8f8ffff 50 } - $sequence_7 = { ffd0 83c404 83460cff 8b06 c7461400000000 8945fc 751e } - $sequence_8 = { e8???????? 84c0 7504 33f6 eb1e 6a40 e8???????? } - $sequence_9 = { 8d8504ffffff 50 57 ffd6 8985b8feffff 8d45e0 50 } + $sequence_0 = { eb4c 8b4de8 33c0 8bd7 66894314 e8???????? 85c0 } + $sequence_1 = { e8???????? 2500030000 c3 8bff 55 8bec 668b4d0e } + $sequence_2 = { eb03 8b5dc4 8b5508 83c730 3b7de4 0f8200ffffff 33ff } + $sequence_3 = { e8???????? 3b450c 7430 8bcf e8???????? 8903 85c0 } + $sequence_4 = { eb16 84db 7406 02c3 3c62 75db 8b4d0c } + $sequence_5 = { ffd0 83c414 85c0 0f850f010000 8b4df4 8b5340 83c104 } + $sequence_6 = { eb0b 85f6 0f85c9000000 8b4508 8d34dd01000000 8bc8 8bd6 } + $sequence_7 = { ff742424 e8???????? 83c410 8b442418 c6401101 8b442440 ff4018 } + $sequence_8 = { eb09 ff7708 50 68???????? 50 53 e8???????? } + $sequence_9 = { 8bec 83ec20 803900 7506 33c0 8be5 5d } condition: 7 of them and filesize < 33816576 
@@ -89730,36 +89843,36 @@ rule MALPEDIA_Win_Global_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84b4cf5c-c55a-5774-ae7f-5489c60753fa" - date = "2026-01-05" - modified = "2026-01-06" + id = "2850693d-5009-5e57-b718-f3834acaa914" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.global" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.global_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.global_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "09a9ad56bfef0ecdecd0c2b9ffb27931c564f59791efd5813a14ce69fded76ce" + logic_hash = "ea14dd93c9609c69bf04c07f48bb618e4b9aac2efebc235156c658fb25965b79" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b44243c 8d1c2a 8d341f 03c6 89442468 } - $sequence_1 = { 899634100000 8b54be3c c1c80a c1ca17 33d0 8b8610100000 c1c808 } - $sequence_2 = { 807e1400 7507 8bce e8???????? 8b5e0c 8b7730 } - $sequence_3 = { 8bc2 c1e808 884306 884b03 885307 8b4d08 8bc1 } - $sequence_4 = { 23cb 23ce 03c9 c1f91f 23ca 8b54242c c1fa1f } - $sequence_5 = { 6a01 51 e8???????? 8b8c2430020000 8bc6 5f 5e } - $sequence_6 = { 7412 8b4c2434 ff7108 57 50 e8???????? 83c40c } - $sequence_7 = { 8b8e4c100000 899678100000 8b949e00080000 c1c816 c1ca09 33d0 } - $sequence_8 = { 8db8bc4d4300 57 ff15???????? ff0d???????? 
83ef18 83ee01 75eb } - $sequence_9 = { e8???????? 8d85b80c0000 50 ff75ac ff75a8 e8???????? 83c418 } + $sequence_0 = { 760c bdd0feffff 8bc5 83c023 eb35 8d040a 3bc3 } + $sequence_1 = { a810 7413 57 53 } + $sequence_2 = { 33c4 89442420 57 8bf9 807f0900 0f85b1010000 6683bf8806000000 } + $sequence_3 = { 8d4614 3918 0f8c90010000 0fb64618 8bce 50 ff75f7 } + $sequence_4 = { 89442430 8b442444 c1e807 0bd0 8b442444 c1e802 0bc8 } + $sequence_5 = { 0f44d8 0fb7462e 50 ff7604 897e30 ff36 e8???????? } + $sequence_6 = { 8bcb 2944241c 8bc3 c1f819 c1f91f 23c8 8bc1 } + $sequence_7 = { 668945fc d96dfc 9b d97dfc 0fb74dfc be000c0000 83e101 } + $sequence_8 = { b9???????? e8???????? 68cc100000 8d842428030000 6a00 50 } + $sequence_9 = { 6a5c 89442428 8d842494000000 6a00 50 897c2434 895c242c } condition: 7 of them and filesize < 475136 
@@ -89769,36 +89882,36 @@ rule MALPEDIA_Win_Proto8_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a653386d-0e84-5fa0-9e05-c0a8f9e5f3b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "53ad6b80-a662-5c00-8508-91dc02f84545" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.proto8_rat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.proto8_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e04ff586ad60efc989beb40a085354d9626a8059dbb86884929c6e4aa752aeb0" + logic_hash = "7c1b0a7b6ecd3ea43bc5cedec06f59d61d50c3231dd17057afc1bc9b44cd3d88" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5a10 8b4210 83c308 83e3fa a801 7421 8b4210 } - $sequence_1 = { ba80000000 e8???????? c70302000000 4c8b8320010000 488d4318 488b9328010000 33f6 } - $sequence_2 = { 837c244801 0f8595000000 488b6c2458 8b7b30 488b4b48 488b01 ff5008 } - $sequence_3 = { 7468 3bca 8bc1 0f46c2 ffc0 4103c0 3bf0 } - $sequence_4 = { 89531c 48873cc8 4885ff 7506 8d4201 89431c 40f6c701 } - $sequence_5 = { e8???????? 448bf0 e9???????? 
4c8b86a8000000 488d8e88000000 488b96b0000000 4d8bcd } - $sequence_6 = { 7636 66660f1f840000000000 8bc8 48c1e106 428b541124 85d2 } - $sequence_7 = { 8b8b64810100 897dd4 897de4 897df4 488b8378810100 488d55b0 } - $sequence_8 = { 83e801 7455 83e801 743d 83e801 740a 83f801 } - $sequence_9 = { 8b4318 3bc8 0f8e96000000 488b4b38 48894c2450 e8???????? } + $sequence_0 = { 84c0 7407 807c245000 743b 32c9 0fb6c1 488b5c2430 } + $sequence_1 = { b8ffffffff eb1a 488b8424a8000000 488901 488b02 4c897008 488b02 } + $sequence_2 = { e8???????? 90 837b3c00 7410 488b4310 488d4b28 ff5048 } + $sequence_3 = { 85c0 745c e8???????? 4c8bc6 488b8e08010000 83f803 7c1a } + $sequence_4 = { e8???????? 90 837de800 750a b901000000 e8???????? 0f2845e0 } + $sequence_5 = { 84c0 0f85d6000000 8bdf 83e301 7434 0fb6442440 4d8bce } + $sequence_6 = { 75a1 4585c9 7454 0f1f8000000000 4183f873 0f8452feffff 418bd0 } + $sequence_7 = { 7513 b8ffffffff 8905???????? 33c0 881d???????? 488b5c2430 488b742438 } + $sequence_8 = { 88442420 488bd3 498bcf e8???????? 84c0 7521 440fb68c2480000000 } + $sequence_9 = { 0f1f00 33c9 410fb6c7 85f6 0f45c8 884c2478 440fb6f9 } condition: 7 of them and filesize < 2537472 
@@ -89808,36 +89921,36 @@ rule MALPEDIA_Win_Gibberish_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d0f0a81c-c436-554f-886e-c05189a90753" - date = "2026-01-05" - modified = "2026-01-06" + id = "dabe0f24-a1b2-5299-a720-964c2b47f198" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gibberish_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gibberish_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "ec3ea314ac6eedd0a24b154c568d1f6c449d7a6dabe6072547ddc0bc708507da" + logic_hash = "0fd641a87df9c560ffa0a7ce4891b10845798685bdc34c48ea50acb051b0f0b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894dec 8975e8 668907 894dfc 8bce c745f001000000 8d5102 } - $sequence_1 = { 8b74242c 8bd0 8944245c 8bce 8bc6 c1c90b c1c007 } - $sequence_2 = { 68???????? ff15???????? 85c0 7424 56 56 8d85fcfffdff } - $sequence_3 = { 8b0ccdf2a94700 0fb680c8a94500 330cc5f1a94700 8bc2 c1e818 0fb680c8a94500 330cc5f4a94700 } - $sequence_4 = { 330a 85d2 894b04 8d4a04 0f44ca } - $sequence_5 = { ffd3 8b45d8 8d3446 33c0 83c602 663906 75c3 } - $sequence_6 = { f30f7e05???????? 
0f114c2420 0f284c2450 660f3840c8 0f10442420 0f11542470 } - $sequence_7 = { 7535 017524 297528 2bd6 8b5c242c 5f } - $sequence_8 = { 6af5 eb03 50 6af6 ff15???????? 8b04bd80b64700 } - $sequence_9 = { 33c8 8b44241c 33c6 23442414 33c6 03c8 8b442474 } + $sequence_0 = { f7d8 be???????? 57 0fb6f8 03f9 81e6ff0f0000 8d9f0c010000 } + $sequence_1 = { 0fb6c1 c1e908 895c2420 333cc5e1a14700 8b0ccde4a14700 0fb6c2 8b542410 } + $sequence_2 = { 03c6 6a00 50 e8???????? 8b45ac 83c41c 83f8fc } + $sequence_3 = { 53 8b5c2420 55 8be9 c744240800000000 56 } + $sequence_4 = { 33c8 8b442414 c1c806 33c8 8b44241c 33c6 23442414 } + $sequence_5 = { 83e904 e9???????? 83e920 e9???????? 83e920 e9???????? 83e904 } + $sequence_6 = { 85c0 7e16 8b75e8 8b7dec e9???????? f30f7e4de8 0f1045d8 } + $sequence_7 = { 50 8d0431 034588 50 8b458c 03c1 50 } + $sequence_8 = { 0f8c87000000 8d46fc 8d0490 8d4bfc 8d0c91 3bd8 } + $sequence_9 = { 8933 c7430400000000 8b4d0c 8d45dc } condition: 7 of them and filesize < 1068032 
@@ -89847,36 +89960,36 @@ rule MALPEDIA_Win_Dripion_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e941fbc-0092-5680-a9f8-3d85cce1c3ca" - date = "2026-01-05" - modified = "2026-01-06" + id = "1b7a0959-3168-5e89-b85c-8e1d5508b2e7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dripion_auto.yar#L1-L111" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dripion_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "3337814c1f32071db01b4a02df38137e3cc930cfdb33776a0eb841a83537dbda" + logic_hash = "1e5f02016ad4729cb7610176a1b8a9acc0f927201e41ecd041b4032506bd1a34" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd6 0faff8 ffd6 0faff8 } - $sequence_1 = { ffd6 0faff8 8d3c7f ffd6 } - $sequence_2 = { 740f 3ccf 740b 34cf } - $sequence_3 = { ffd6 03f8 ffd6 8bd8 ffd6 0fafd8 } - $sequence_4 = { ffd6 03f8 8d3c7f ffd6 } - $sequence_5 = { 8bf8 ffd6 0faff8 8d3c7f ffd6 } - $sequence_6 = { 7513 6a64 ff15???????? 68???????? ff15???????? 
} - $sequence_7 = { 8bf8 ffd6 0faff8 8d3c7f } - $sequence_8 = { ffd6 8bf8 ffd6 0faff8 8d3c7f ffd6 } - $sequence_9 = { ffd6 8bf8 ffd6 0faff8 8d3c7f } + $sequence_0 = { 03f8 7402 ffd6 ffd6 ffd6 } + $sequence_1 = { ffd6 03f8 7402 ffd6 ffd6 ffd6 } + $sequence_2 = { ffd6 8bf8 ffd6 0faff8 ffd6 } + $sequence_3 = { ffd6 0faff8 ffd6 0faff8 } + $sequence_4 = { ffd6 03f8 ffd6 8bd8 ffd6 0fafd8 } + $sequence_5 = { ffd6 8bf8 ffd6 0faff8 8d3c7f } + $sequence_6 = { 03f8 ffd6 8bd8 ffd6 0fafd8 ffd6 } + $sequence_7 = { 8bf8 ffd6 0faff8 ffd6 } + $sequence_8 = { ffd6 03f8 8d3c7f ffd6 } + $sequence_9 = { ffd6 03f8 ffd6 8bd8 ffd6 } condition: 7 of them and filesize < 90112 
@@ -89886,36 +89999,36 @@ rule MALPEDIA_Win_Ascentloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4372eef6-4656-5e4d-b175-471d65d2d6f2" - date = "2026-01-05" - modified = "2026-01-06" + id = "877e94cd-ca69-5d7c-a58e-ed4a2368b32b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ascentloader_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ascentloader_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "3968524e74d1c6dce6af2edd09bc8b40e402c007d240f6b355af76ae453cb02a" + logic_hash = "18934160fbf8da018b706137019745da73f7c786e58fc4fc566b8f9dbe38c120" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b8???????? eb0a b900240000 b8???????? } - $sequence_1 = { 8b4df4 e8???????? 57 ff15???????? ff15???????? } + $sequence_0 = { 8bce e8???????? 83c41c 8945f4 83f8ff } + $sequence_1 = { 6a0a 5a 6689442428 e8???????? 53 ff15???????? } $sequence_2 = { 8bf8 897dd8 85ff 7516 83c8ff e9???????? c745e440ac4100 } - $sequence_3 = { 740b 8b55e8 8b4dfc e8???????? 8b4dfc } - $sequence_4 = { 8955fc 83b88400000000 0f86ea000000 56 8bb080000000 } - $sequence_5 = { c744243a62756700 ff15???????? 8b35???????? 
ffd6 } - $sequence_6 = { 57 68000000f0 6a01 33db 894de8 53 } - $sequence_7 = { 3b4814 7604 33c0 eb14 8b45fc 8b4df8 03481c } - $sequence_8 = { e8???????? 8b4d10 8bd0 8b4514 } - $sequence_9 = { 005caa40 0023 d18a0688078a 46 } + $sequence_3 = { 8d45e0 884dc9 50 57 ff15???????? 6a03 6a01 } + $sequence_4 = { 8945f4 85f6 740f 56 ff15???????? } + $sequence_5 = { 56 8d7107 57 50 8bd6 8975f8 8d4df8 } + $sequence_6 = { 57 68???????? 8bf9 ff15???????? 6a53 } + $sequence_7 = { 33c9 5a 8d4161 88440da0 } + $sequence_8 = { 6689459e 668945a4 58 668945a8 } + $sequence_9 = { 8b55f0 33c9 83faff 0f44c1 } condition: 7 of them and filesize < 253952 
@@ -89925,36 +90038,36 @@ rule MALPEDIA_Win_Rincux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fcec6357-ec7f-5319-84f9-3e3af9251503" - date = "2026-01-05" - modified = "2026-01-06" + id = "1ebc8c5d-ef18-5761-8afe-438a7a3d23e6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rincux_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rincux_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "495e2f221b3a3eaf8635ea3eb223efd9431aa4fc4e38116d5df5e0ad084dcaef" + logic_hash = "a7c555ad4c400b92307554565b2dd8f3f76414782040da1e8eee3f25b55db515" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ff15???????? 89442418 8b442410 50 ff15???????? } - $sequence_1 = { 83cafe 42 7534 8a4c2414 8a542410 c644245c01 } - $sequence_2 = { 8b8c2494a00000 5f 5e 5d 33c0 5b } - $sequence_3 = { 53 55 56 57 0f84ec150000 8b581c 85db } - $sequence_4 = { bb06000000 8b04a8 8d7804 8b07 50 ff15???????? 83c704 } - $sequence_5 = { 50 68???????? 51 ffd6 8b15???????? 83c40c 8b049508a50210 } - $sequence_6 = { 85c0 7477 ff15???????? 83f812 746c 8b6c2418 8b35???????? 
} - $sequence_7 = { 8d4c2424 8d5d1c 52 8d7d10 8d7518 51 53 } - $sequence_8 = { 33db 33ed 3bf0 57 89742410 89442414 } - $sequence_9 = { 5b 5e 5d c20400 5e b8???????? } + $sequence_0 = { 83c504 83c304 83c204 e9???????? 8b4c2420 8bfb 2bf9 } + $sequence_1 = { c644241a73 c644241b6b c644241c79 c644241d00 ffd6 68???????? 68???????? } + $sequence_2 = { c645e974 c645ea61 c645eb72 c645ec74 c645ed00 c645dc54 c645dd53 } + $sequence_3 = { f3a5 50 899c24a8000000 e8???????? b905000000 8d742420 8dbc2480000000 } + $sequence_4 = { 8b4c2414 a3???????? 85c0 890d???????? 7418 6a00 6a00 } + $sequence_5 = { c70315000000 894348 8b4348 85c0 7468 3be8 732f } + $sequence_6 = { 8b7218 8d1401 3bd6 7604 2bf0 8bce 8b54243c } + $sequence_7 = { 8b8c2450010000 8b1d???????? 81e1ffff0000 51 56 68???????? } + $sequence_8 = { 03e8 03d7 896e08 895614 8b4b1c 89442438 8b4308 } + $sequence_9 = { 5e 5d 5b 81c404020000 c20400 8b9c2418020000 } condition: 7 of them and filesize < 392192 
@@ -89964,36 +90077,36 @@ rule MALPEDIA_Win_Putabmow_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91e8d589-44ec-5d63-963b-4d5831e9d035" - date = "2026-01-05" - modified = "2026-01-06" + id = "a9b616a0-139a-5b4a-93ea-ffaa2b56c68b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.putabmow_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.putabmow_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "b27fa1335b6a432b3b5508ab17de3d0a99cf669e0fc066f733c76db90efddfc9" + logic_hash = "01d30dc643c1d106fb037ce2688ab30e4c0d3fee3187ef5ac4f73c934b8e8d84" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6200 3100 680032006f 0033 0010 0035???????? 007b00 } - $sequence_1 = { e8???????? c645fc06 8b467c 89477c 8b8680000000 898780000000 8b8684000000 } - $sequence_2 = { 32db c78424200b000021000000 8b442418 a802 } - $sequence_3 = { c1f905 83e107 094828 8a5201 f6c204 7404 83482810 } - $sequence_4 = { 3901 61 0039 016200 3f 016300 3f } - $sequence_5 = { 8b4df8 8bd6 ff75e8 57 ff75f0 6a00 50 } - $sequence_6 = { 8d8c24b0070000 ff30 e8???????? 
c68424200b00004c 8d8424e0000000 50 8d8c24f8040000 } - $sequence_7 = { c684249404000000 84db 0f8493010000 f7462800004000 8d5618 7502 8b12 } - $sequence_8 = { 3bf1 7608 89442420 2bf1 eb02 33f6 8b4314 } - $sequence_9 = { 888630977300 46 ebe5 a1???????? 83c9ff f00fc108 7513 } + $sequence_0 = { 57 e8???????? 837e1800 751c 8bcf e8???????? 8b0f } + $sequence_1 = { 8d45f4 64a300000000 8b4514 8b7508 8b7d0c 8b5d10 68000000f0 } + $sequence_2 = { 8bca 81faff070000 771b c1e906 80e23f 80c9c0 80ca80 } + $sequence_3 = { 6805000080 ff15???????? 85c0 7451 837e1408 7204 8b06 } + $sequence_4 = { c1e604 8b0b 03f1 ff7508 ff37 8bd6 } + $sequence_5 = { 8bd6 7502 8b16 c78424ac01000000000000 c78424b001000000000000 c78424b00100000f000000 c78424ac01000000000000 } + $sequence_6 = { 57 e8???????? 83c404 ff75b4 ff15???????? 6a00 ff75b0 } + $sequence_7 = { 89442444 3bd1 0f83ab000000 89542420 8b54242c 3b542420 0f879d000000 } + $sequence_8 = { 8b7e14 83ff08 7204 8b06 eb02 8bc6 8a1c58 } + $sequence_9 = { e9???????? 83ec0c 8d8c24d0000000 e8???????? c684242802000003 8d442434 837c244810 } condition: 7 of them and filesize < 704512 
@@ -90003,42 +90116,42 @@ rule MALPEDIA_Win_Tempedreve_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2db2cfb5-7120-5d3b-b0b8-3bdd15ee2814" - date = "2026-01-05" - modified = "2026-01-06" + id = "ece88a21-e480-5800-abd8-2425533deff9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tempedreve_auto.yar#L1-L163" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tempedreve_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "81da1ba35c5682d2618815158fab067de40d7a4b67ee1d7e4df00dcd82c55387" + logic_hash = "5adf34e13e86a9c0f9ad46673434b6e69daf91286b488d91eec438fb1e104306" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 663bfb 7407 663b7c2448 7520 0fb77804 } - $sequence_1 = { 8d5602 03d1 e9???????? 807dfe80 751e 8a4101 24f8 } - $sequence_2 = { 83c40c ab 55 8d84247c0e0000 50 } - $sequence_3 = { 0f85c8020000 0fb74314 55 56 0fb77306 } - $sequence_4 = { 740e 80fb12 7511 8a4101 24c0 } - $sequence_5 = { 8a1c1e 8d42d0 46 32c9 3c09 } - $sequence_6 = { 015308 f7d0 0bc2 33c6 } - $sequence_7 = { ff743bfc 8bcb ff743bf8 e8???????? 
} - $sequence_8 = { 0f85c9000000 8b542430 3bda 7320 8d4d02 } - $sequence_9 = { c0e801 7434 83d102 89c5 } - $sequence_10 = { 2bc8 894c2414 3b4c242c 0f8738010000 8b4c2410 } - $sequence_11 = { c1e903 8d440140 c20400 8b44240c } - $sequence_12 = { d1c0 33c7 0fb6b90130cb00 d1c0 } - $sequence_13 = { 3a1429 8b4c2414 bb02000000 740c 3b8e24040000 0f85c9000000 } - $sequence_14 = { 0f846b010000 83ff01 0f8650010000 8b542454 8bcf 2bcb 8d0411 } - $sequence_15 = { f7d0 8944241c 61 c20800 60 8b742424 } + $sequence_0 = { 55 56 57 33ff 6a19 } + $sequence_1 = { 83fe05 7563 f7c700000020 741c } + $sequence_2 = { 43 6685c9 75f1 895c2414 } + $sequence_3 = { 0fb6442440 50 0fb7442442 50 0fb7442444 50 ff742444 } + $sequence_4 = { 03c3 89442420 0fb7480e 0fb7400c 03c8 } + $sequence_5 = { 5d 50 ff15???????? 8b442414 } + $sequence_6 = { 85db 7442 8be9 2bee 8bfb } + $sequence_7 = { 8d55f8 6a08 8bcb e8???????? } + $sequence_8 = { 742e 8b4c2460 8b9610040000 2b542450 } + $sequence_9 = { 75ed f7d0 8944241c 61 c20800 60 8b742424 } + $sequence_10 = { 85ff 0f84e6000000 3b7c243c 0f85dc000000 8b542454 8bcf 2bcb } + $sequence_11 = { 7506 43 41 3bda 72f3 8b4c2414 } + $sequence_12 = { 01ae14040000 8d5c2bff eb3d 8b5c2458 85ff 7516 8b4c2428 } + $sequence_13 = { 8b44240c 81ec2c040000 85c0 7509 81c42c040000 } + $sequence_14 = { b8eefbeeab 33c9 57 0fb6b90030cb00 } + $sequence_15 = { 8d0411 3bc7 7602 8bc7 50 8b442414 8beb } condition: 7 of them and filesize < 155648 
@@ -90048,34 +90161,34 @@ rule MALPEDIA_Win_Treasurehunter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e821ddca-c116-541d-9bd5-f7649288cdd5" - date = "2026-01-05" - modified = "2026-01-06" + id = "9d4643c7-49e5-58bd-b8b1-7e49fd71f013" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.treasurehunter_auto.yar#L1-L106" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.treasurehunter_auto.yar#L1-L95" license_url = "N/A" - logic_hash = "102e6e7f9d869ce1a995b96c3cd12e8dc18894c29a700642a08bd98f281dfbdd" + logic_hash = "95e98e7978ed2320a2dc464b0ed4e9f72a164199993dbc3b1bbd86dd2d836c48" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 56 57 6a01 6a00 e8???????? } - $sequence_1 = { 6800000020 6a2f 68???????? 57 ff15???????? 85c0 } - $sequence_2 = { 8a0e 46 84c9 75f9 2bf0 e8???????? } - $sequence_3 = { 56 57 8bf9 8bca e8???????? 8b7508 } - $sequence_4 = { 53 56 8b35???????? 8bd9 8b4d08 57 8955fc } - $sequence_5 = { 8bf1 85d2 7e0b 4a e8???????? 0fafc6 5e } - $sequence_6 = { 8903 ff15???????? 8b4dfc 57 } - $sequence_7 = { 6800040000 8d85fcfbffff 50 8d85fcf7ffff 50 e8???????? } + $sequence_0 = { 8bf8 e8???????? 68???????? 57 e8???????? } + $sequence_1 = { 8b35???????? 
8bd9 8b4d08 57 8955fc e8???????? } + $sequence_2 = { 7e0b 4a e8???????? 0fafc6 } + $sequence_3 = { ff15???????? 8b4dfc 57 8901 } + $sequence_4 = { 6800000020 6a2f 68???????? 57 ff15???????? } + $sequence_5 = { 6801020000 6a00 68???????? 6802000080 } + $sequence_6 = { 41 83f921 7cf3 8b15???????? 8b0d???????? } + $sequence_7 = { 8955fc e8???????? 8bce 8bf8 } condition: 7 of them and filesize < 229376 
@@ -90085,42 +90198,42 @@ rule MALPEDIA_Win_Former_First_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b32c8876-3cb4-5a83-afbc-8273b6710cbb" - date = "2026-01-05" - modified = "2026-01-06" + id = "4348ad15-5c8a-5a24-a796-399b9160e4f2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.former_first_rat_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.former_first_rat_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "993e92398130145e5edd81dd2e97cc96804b675ca01f408cd00440763a5fee35" + logic_hash = "6ef782c3635c851c61b2dd6db894c4872fd1964b0b39c53cf6ae8e908598e70f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 898dd4feffff c785e0feffff02000000 899decfeffff 899d04ffffff 8d5001 8a08 40 } - $sequence_1 = { 53 68???????? e8???????? 83c408 eb08 8bd8 899d08efffff } - $sequence_2 = { e8???????? 83c404 c744242800100000 6800100000 e8???????? 83c404 89442438 } - $sequence_3 = { 7505 e8???????? 8b15???????? a1???????? 8b0d???????? 8995c8eeffff 8b15???????? } - $sequence_4 = { 83c40c 33c0 6803010000 8d8df8feffff } - $sequence_5 = { c785d8feffff00000100 c7850cffffff00000000 89b5f8feffff 0f8455010000 8da42400000000 a1???????? 
8b9508ffffff } - $sequence_6 = { c745e400040000 837d1400 8b4ddc 8d55e4 8d0433 7415 6810040000 } - $sequence_7 = { 83c404 89442468 3bc3 750d 68???????? } - $sequence_8 = { 413bc6 0f848d010000 488d542440 488d4c2450 ff15???????? } - $sequence_9 = { 488d8c24a0000000 e8???????? 4d85f6 751d } - $sequence_10 = { e8???????? eb7a 4983f8fe 7605 } - $sequence_11 = { 4885f6 7456 488b4b08 4885c9 7444 } - $sequence_12 = { 48c783900000000f000000 c6437800 48837b6010 7209 488b4b48 } - $sequence_13 = { 48894720 488d0498 48894728 b001 488b9c24a0000000 } - $sequence_14 = { 488d542420 e8???????? 90 48837c244008 7275 } - $sequence_15 = { 488d942490020000 488d4c2440 e8???????? 90 } + $sequence_0 = { 57 e8???????? 83c404 56 e8???????? 8b8504ffffff 83c404 } + $sequence_1 = { 75f8 8d85b4feffff 68???????? b90d000000 be???????? 50 } + $sequence_2 = { b93c000000 03ce 83c40c c74424241c000000 81f900100000 7e5a } + $sequence_3 = { 81c208020000 f3a5 3b44240c 75e4 } + $sequence_4 = { 2bf1 b87fe0077e f7ee c1fa08 8bf2 } + $sequence_5 = { 740a c705????????05000000 6a59 ffd6 } + $sequence_6 = { 8d8de0feffff 51 bb08000000 e8???????? 8b9df8feffff 57 e8???????? } + $sequence_7 = { 6a00 50 c645b400 e8???????? 33c0 } + $sequence_8 = { 488d4c2438 e8???????? 488bd0 488d8c24f0000000 } + $sequence_9 = { 4889040a 488b01 48637004 4803f1 } + $sequence_10 = { 4d634804 4d8b6c3928 4d85ed 7e0a } + $sequence_11 = { 4883f8ff 0f851e010000 488d158de00100 488bcf 498bf6 } + $sequence_12 = { 4883792008 7205 498b09 eb03 } + $sequence_13 = { 498bc7 4889842430010000 4c89bc2448010000 4c89bc2450010000 } + $sequence_14 = { 48c78424a00000000f000000 4883a4249800000000 c684248800000000 80bc242801000000 743a } + $sequence_15 = { 4c8da1f4010000 41383c24 7440 33d2 } condition: 7 of them and filesize < 626688 
@@ -90130,34 +90243,34 @@ rule MALPEDIA_Win_Dragonforce_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "04e040d9-91b9-5636-bb88-ea712bdc46a2" - date = "2026-01-05" - modified = "2026-01-06" + id = "1817739a-91cc-53f3-919d-bf28dd19ea0a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dragonforce" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dragonforce_auto.yar#L1-L90" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dragonforce_auto.yar#L1-L90" license_url = "N/A" - logic_hash = "1983039dbcbe97b58972e2e24c645af80b3369f0d68152ff0fbf029f83aa4fd4" + logic_hash = "718aa6dbfb4ef625389210507fdc2d7ae7dea855b69bf0091e28035538d512da" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ff01 7564 c745fc???????? bb???????? } - $sequence_1 = { 83c608 897dec 8b0481 8bc8 } - $sequence_2 = { 88943d09fdffff 47 83ff42 72d6 } - $sequence_3 = { 6690 85db 0f844ef4ffff 0fb607 } - $sequence_4 = { 8a85a9fcffff e8???????? 
8985e0f5ffff 8d8d9cfcffff } - $sequence_5 = { 6a00 6a00 6a01 8d85dcfdffff } - $sequence_6 = { c6459002 c6459173 c6459202 c6459365 } - $sequence_7 = { c644243145 c64424323c c644243369 c64424343c } + $sequence_0 = { c645e67c c645e75a c645e87c c645e92a } + $sequence_1 = { 7459 8b8d8cf7ffff 8b85b8f7ffff 83c002 } + $sequence_2 = { 83c404 85c9 0f8484020000 8d4123 } + $sequence_3 = { 85d2 0f8463000000 8b8c24bc000000 b8c94216b2 } + $sequence_4 = { 8d8d98faffff c68598faffff00 c68599faffff25 c6859afaffff75 } + $sequence_5 = { 8d8424c0050000 8bcc 50 e8???????? } + $sequence_6 = { 8a4435dd 0fb6c0 6bc81a b81a000000 } + $sequence_7 = { c645bb27 c645bc6d c645bd32 c645be6d } condition: 7 of them and filesize < 879616 
@@ -90167,36 +90280,36 @@ rule MALPEDIA_Win_Dnspionage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f66d8271-cdd2-51ef-96af-74c2c2b12bda" - date = "2026-01-05" - modified = "2026-01-06" + id = "c49a2e50-0979-5de4-80a8-29fa15cfd796" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dnspionage_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dnspionage_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "e53e7ef31e7434c4327d38b1a8e0754ac09c84880301d9d6d51e12488698b367" + logic_hash = "934799e4ebb3ae7b0b17054c01db25164aa91565513b6998ead64d11f99dd244" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 99 52 50 e8???????? 83c408 8bd0 b9???????? } - $sequence_1 = { 33f6 8b4608 034604 0306 50 } - $sequence_2 = { 803d????????00 7517 c605????????01 33c0 c605????????01 5b } - $sequence_3 = { ff15???????? 83c404 33c0 5f 5e 5b 8b4df8 } - $sequence_4 = { 56 8d8500feffff 8bf1 50 e8???????? 838d0cfeffff07 8b4624 } - $sequence_5 = { eb0a 8d0492 8d144509000000 8bcf 43 } - $sequence_6 = { c7450c00000000 8d4d0c ba???????? 51 8d4df4 } - $sequence_7 = { b9???????? e8???????? 6a00 6a01 e8???????? 8bd0 b9???????? } - $sequence_8 = { 83c404 8bf8 33f6 0f1f4000 e8???????? 
33d2 } - $sequence_9 = { ff15???????? 83bdf8feffff00 764a ff15???????? 85c0 7540 8b85f8feffff } + $sequence_0 = { 8bf8 85f6 7e14 8bcf } + $sequence_1 = { 2bf9 8d4e01 8a06 46 } + $sequence_2 = { c6843518feffff00 8d8500feffff 50 6a00 ff15???????? } + $sequence_3 = { 75f2 6a00 c6043300 e8???????? } + $sequence_4 = { 53 8bd9 56 57 6a28 895dfc 8903 } + $sequence_5 = { 8b01 ff5010 33c0 5b } + $sequence_6 = { 8bd7 894f20 8bcb 89470c e8???????? 85f6 7448 } + $sequence_7 = { 894f0c 894704 8d45f4 894708 eb02 } + $sequence_8 = { 8ac4 8855f8 8a55f6 8aca c0e004 c0f902 80e10f } + $sequence_9 = { 33c5 8945fc 8a4508 384120 7512 b001 8b4dfc } condition: 7 of them and filesize < 786432 
@@ -90206,42 +90319,42 @@ rule MALPEDIA_Win_Fanny_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9aa21a1-9e7c-5e0d-923d-00e6b6ec80ca" - date = "2026-01-05" - modified = "2026-01-06" + id = "dbb0395a-ca15-563e-b8e4-a7ab0a53715c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fanny_auto.yar#L1-L171" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fanny_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "b1e6181f341236f9aaf561cfa6c0c3a83917a87202fe2ed6a96ef4c3d3c432e2" + logic_hash = "601e37491eb3a0e87730fa782a18e149e4d2bb3c764bdd091220d2b1382b3a57" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d4dd8 e8???????? 8b45b4 } - $sequence_1 = { 8b7d0c 8bf7 8b4508 3bc3 0f84b8020000 } - $sequence_2 = { a2???????? 8d45fc 50 8d45f0 a4 6a08 50 } - $sequence_3 = { 57 895df0 740b c1e809 894df4 c1e009 eb03 } - $sequence_4 = { 5d c3 66c78594fbffff6800 b903000000 8dbd90fbffff 8db5d0fbffff 33d2 } - $sequence_5 = { 8b4c2408 33f6 8901 8bc6 } - $sequence_6 = { 50 6808100000 56 ffd7 8b0d???????? } - $sequence_7 = { 83780c00 7422 8b4dfc 83790400 7419 8b55fc 837a0800 } - $sequence_8 = { e8???????? 
8b45d0 50 8b4d08 51 } - $sequence_9 = { 894508 8b5510 83ea05 895510 eb09 } - $sequence_10 = { e9???????? 8b5508 0fb602 3d90000000 753b 8b4d08 } - $sequence_11 = { f3ab 66ab aa 8a4508 } - $sequence_12 = { 5b 5d c3 55 8bec 83ec2c 8065ff00 } - $sequence_13 = { 832700 6800800000 6a00 53 ff15???????? } - $sequence_14 = { 8b45fc 83c012 50 ffd3 8bf0 59 } - $sequence_15 = { 8913 751b c745fc01000000 ff33 ff15???????? } + $sequence_0 = { 8d4508 50 683f000f00 8d458c } + $sequence_1 = { 750e 8b55c8 0fb64201 83f825 7502 } + $sequence_2 = { aa 885c241b 895c2430 895c2444 c744243c02000000 8974242c } + $sequence_3 = { 85f6 7438 ff7604 ff15???????? 8bd8 } + $sequence_4 = { 8be5 5d c3 66c78594fbffff6600 b903000000 8dbd90fbffff 8db5d0fbffff } + $sequence_5 = { 7502 eb17 8b45fc 83c00c 50 6a40 } + $sequence_6 = { 66ab 6a32 aa ffd6 } + $sequence_7 = { 7364 8bfe 83c9ff f2ae f7d1 } + $sequence_8 = { 897dfc 740c 57 ff15???????? 8365fc00 } + $sequence_9 = { 33c0 8dbd92fbffff f3ab 66ab c7858cfbffff00000000 } + $sequence_10 = { 0f84b8020000 3bfb 0f84b0020000 83ffff 0f84a7020000 83ff01 } + $sequence_11 = { ffd3 8d45fc 897dfc 50 8d8620010000 50 8d45f8 } + $sequence_12 = { 8995dcfdffff c785d4fdffff00000000 837d1000 7417 8b4514 50 8b4d10 } + $sequence_13 = { 50 8b4d08 51 e8???????? 83c40c 894508 } + $sequence_14 = { 57 85ed c744240c00000000 0f8402010000 } + $sequence_15 = { aa 6a47 33c0 59 8dbdd5feffff f3ab 66ab } condition: 7 of them and filesize < 368640 
@@ -90251,36 +90364,36 @@ rule MALPEDIA_Win_Httpsuploader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96408757-8238-57f6-8412-86b6523d9a84" - date = "2026-01-05" - modified = "2026-01-06" + id = "ca6403e8-9a23-5163-90e9-35899102e0e7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.httpsuploader_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.httpsuploader_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "6d3671102275ad7b87147a31f1d30011248bd9c06ff651580514d36fdd35a180" + logic_hash = "300da786a4bdaa56a81ecd63847dc0a40d65ea6dcbca559fbdb850397831290b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41b8fe010000 6689bdf0020000 e8???????? 488d8df2040000 } - $sequence_1 = { 33c0 488d4c2422 33d2 41b8fe010000 } - $sequence_2 = { 458d4103 ba00000080 c744242880000000 4c89ac2498040000 } - $sequence_3 = { 03df 3bde 72ad 488b5c2448 488b7c2420 b801000000 4883c428 } - $sequence_4 = { ffca 750d 4d85c0 7408 498bc8 e8???????? } - $sequence_5 = { 40387598 e9???????? 48895c2408 4889742410 48897c2418 } - $sequence_6 = { 48897c2420 895c2440 895c2450 85d2 745e 6666660f1f840000000000 } - $sequence_7 = { e8???????? eb40 4c8d2569be0000 488b0d???????? e9???????? 
4c8d2566be0000 } - $sequence_8 = { e8???????? 488d8de2000000 33d2 41b806020000 6689bde0000000 } - $sequence_9 = { 7528 48833d????????00 741e 488d0db1f40000 } + $sequence_0 = { 488d542440 bf00020000 33c9 897c2430 } + $sequence_1 = { 85c0 744d 8b442440 488b0d???????? } + $sequence_2 = { 488d4158 41b806000000 488d15a6800000 483950f0 740c 488b10 4885d2 } + $sequence_3 = { 4c8d0dfdb8ffff 458a20 4584e4 0f8547f9ffff } + $sequence_4 = { 4c8d442450 418d510e c744245003000000 48897c2460 } + $sequence_5 = { 4533c9 4c8bd3 418bc1 b908000000 660f1f440000 } + $sequence_6 = { 664189844890120100 ffc2 ebe2 8bd7 89542420 81fa01010000 7d13 } + $sequence_7 = { 4883ec20 488bd9 488d0d04820000 483bd9 723e } + $sequence_8 = { 488b0d???????? 488d1536ba0000 41b9000000a0 4183c8ff } + $sequence_9 = { 4889442430 488d442440 4889442428 488d0570d90000 4889442420 4c8b4c2450 } condition: 7 of them and filesize < 190464 
@@ -90290,43 +90403,42 @@ rule MALPEDIA_Win_Advisorsbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "47285543-3eed-5a34-ac06-14b7c71920ba" - date = "2026-01-05" - modified = "2026-01-06" + id = "1e8d4637-63b3-5200-84c0-19a2b18472ee" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.advisorsbot_auto.yar#L1-L155" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.advisorsbot_auto.yar#L1-L149" license_url = "N/A" - logic_hash = "69dc9add5b159b8414559d7edfb0ea4fa61745cf82bdc631ece400efa0729506" + logic_hash = "c7db66aeebdcfe2a5ee8da20e28fa754e92fa0cbf2f8e6743aec7dc49b01edf7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc1 2bc2 d1e8 03c2 c1e808 } - $sequence_1 = { 8bc2 33d2 c1e809 f7f1 } - $sequence_2 = { 8bc2 33d2 c1e808 f7f1 } - $sequence_3 = { b89b01a311 f7e1 2bca d1e9 03ca } - $sequence_4 = { b80923ed58 f7e1 8bc1 2bc2 } - $sequence_5 = { d1e8 03c2 33d2 c1e809 } - $sequence_6 = { 8bc2 c1e809 33d2 f7f1 } - $sequence_7 = { d1e9 03ca c1e907 2bc1 } - $sequence_8 = { d1e9 03ca c1e909 33c8 } - $sequence_9 = { d1e9 03ca 33d2 c1e908 } - $sequence_10 = { 8b442408 8b4c2408 33d2 f7f1 } - $sequence_11 = { 8bc2 33d2 c1e804 f7f1 } - $sequence_12 = { 5e 5d 0fb7c1 5b } - $sequence_13 = { 
8b442414 8b4c2414 33d2 f7f1 } - $sequence_14 = { 668b4c2410 5f 5e 5d } - $sequence_15 = { 0fb7c0 0fb7c9 33d2 f7f1 } - $sequence_16 = { 0fb7c1 0fb7ca 33d2 f7f1 } + $sequence_0 = { 8bc2 33d2 c1e809 f7f1 } + $sequence_1 = { 8bc2 33d2 c1e808 f7f1 } + $sequence_2 = { b80923ed58 f7e1 8bc1 2bc2 d1e8 03c2 } + $sequence_3 = { 8bc2 c1e809 33d2 f7f1 } + $sequence_4 = { d1e8 03c2 33d2 c1e809 } + $sequence_5 = { 2bca d1e9 03ca c1e909 33c8 } + $sequence_6 = { d1e9 03ca 33d2 c1e909 } + $sequence_7 = { 8b442408 8b4c2408 33d2 f7f1 } + $sequence_8 = { d1e9 03ca c1e908 33c8 } + $sequence_9 = { 8bca f7e2 8bc1 2bc2 } + $sequence_10 = { 8bc2 33d2 c1e804 f7f1 } + $sequence_11 = { b8372dd238 f7e1 2bca d1e9 } + $sequence_12 = { 5f 5e 5d 0fb7c1 } + $sequence_13 = { 5e 5d 0fb7c2 5b } + $sequence_14 = { 0fb6c0 0fb6c9 33d2 f7f1 } + $sequence_15 = { 0fb7c1 0fb7ca 33d2 f7f1 } condition: 7 of them and filesize < 434176 
@@ -90336,36 +90448,36 @@ rule MALPEDIA_Win_Koiloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e4efaa4-8409-52c6-a357-d4b16d12b604" - date = "2026-01-05" - modified = "2026-01-06" + id = "b5ec09ed-c0fe-5666-b782-1cd528ae8b2a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.koiloader_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.koiloader_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "a14056c4d5487fcde976e3de41a707b0de19ece78e34b4f5bb62e5e5638e41ed" + logic_hash = "c0d8a1479f3f85ab5b7bd961985cb49b8dd8c5f6b2fe772b8438a764dafdc8d1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bd1 72f2 c6043100 8d5e12 668b4712 33c9 66894610 } - $sequence_1 = { 88840d80fdffff 41 83f950 72ec 8d9580fdffff 8d8d98f1ffff } - $sequence_2 = { 83c308 03ca 894dc8 8b7904 83ef08 d1ef } - $sequence_3 = { 8d8d2cfbffff e8???????? 8d8d2cfbffff e8???????? 33c9 } - $sequence_4 = { 8be5 5d c20400 56 8b35???????? 6a00 ffd6 } - $sequence_5 = { 8d8d28f5ffff e8???????? 8d8d28f5ffff e8???????? 33c9 } - $sequence_6 = { 46 807c35c000 75f8 33ff 90 e8???????? 
33d2 } - $sequence_7 = { 8b7dcc 85ff 7426 8b45d0 33c9 8d1c00 85db } - $sequence_8 = { 8d4df8 51 0f47c2 50 8d8584fbffff 50 ff75f0 } - $sequence_9 = { e8???????? 33c9 66660f1f840000000000 8a840d70edffff 88840d60ffffff 41 83f950 } + $sequence_0 = { 0f1f00 8a840dc0f5ffff 88440db0 41 } + $sequence_1 = { 7421 8d343f 33c9 85f6 7412 0f1f8000000000 } + $sequence_2 = { 0fb74710 50 ff15???????? 6a06 668945ea b802000000 6a01 } + $sequence_3 = { 752d 85d2 7410 52 6a00 ff15???????? 50 } + $sequence_4 = { 6666660f1f840000000000 8b8c15acfcffff 2b8c1574feffff 8b8415b0fcffff 1b841578feffff 898c1574feffff 89841578feffff } + $sequence_5 = { 0f8404020000 83e801 0f850d020000 394508 0f8404020000 33d2 } + $sequence_6 = { 0fb64c05b0 c1e208 0bd1 89940558ffffff 83c004 } + $sequence_7 = { 8b75e8 c1f91f 23c8 8bc1 c1e01a 2bf0 } + $sequence_8 = { 72ef 8d8520feffff 50 8d55b0 8d8db8f8ffff e8???????? 83c404 } + $sequence_9 = { 8bd0 e8???????? 8bf0 83c404 85f6 7435 6804010000 } condition: 7 of them and filesize < 101376 
@@ -90375,41 +90487,41 @@ rule MALPEDIA_Win_Forest_Tiger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3353c633-78cc-57c2-86be-460e3ac718ff" - date = "2026-01-05" - modified = "2026-01-06" + id = "7dd403fd-3e74-571a-a170-3cb9bf1a54f1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.forest_tiger_auto.yar#L1-L145" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.forest_tiger_auto.yar#L1-L148" license_url = "N/A" - logic_hash = "fd0aad246be00ca230351bf440cc00646056cfe6bce27189395062caee48cc7c" + logic_hash = "9f8ed0c3cad35f960bc7ad197970c301eb13c0bb34ac71e73c7684b6f442377d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 833f01 0f94c0 84c0 7407 e8???????? eb05 e8???????? } + $sequence_0 = { 833f01 0f94c0 84c0 7407 e8???????? eb05 } $sequence_1 = { 6bc930 8975e0 8db1c0084400 8975e4 } - $sequence_2 = { 4c8b4608 498bc0 488b4c2478 482bc1 } + $sequence_2 = { 6aff 8d8df4fdffff 51 52 } $sequence_3 = { 6bc00c 56 ff90f0664300 59 } $sequence_4 = { 4c8b4608 488b542478 4c2bc2 4983e0fc } - $sequence_5 = { 4c8b45c8 4c8b4dc0 f30f7f45d0 4c3955d0 } - $sequence_6 = { 6bc009 0fb68408c0724300 6a08 c1e804 } - $sequence_7 = { 4c8b4710 488bd7 488bcb 49ffc0 e8???????? 
eb0a } - $sequence_8 = { 4c8b45bf 488d1521350200 448bcb 488bc8 } - $sequence_9 = { 6aff ff15???????? 894604 85c0 7429 } - $sequence_10 = { 4c8b45ff 8b55db 488b4dcf e8???????? } - $sequence_11 = { 6aff 8d8df4fdffff 51 52 } - $sequence_12 = { 4c8b4750 488b33 448b7308 448b6f30 } - $sequence_13 = { 6aff 8d8dc8f4ffff 6880000000 51 } - $sequence_14 = { 6aff 8d942498010000 6880000000 52 } + $sequence_5 = { 6aff 8d942498010000 6880000000 52 } + $sequence_6 = { 6aff ff15???????? 894604 85c0 7429 } + $sequence_7 = { 6bc009 0fb68408c0724300 6a08 c1e804 } + $sequence_8 = { 4c8b4710 488bd7 488bcb 49ffc0 e8???????? eb0a } + $sequence_9 = { 4c8b4750 488b33 448b7308 448b6f30 } + $sequence_10 = { 6aff 8d8dc0f2ffff 6880000000 51 e8???????? } + $sequence_11 = { 4c8b4750 4c3b4740 741b 488b5740 } + $sequence_12 = { 4c8b4608 498bc0 488b4c2478 482bc1 } + $sequence_13 = { 4c8b45ff 8b55db 488b4dcf e8???????? 83f802 755e } + $sequence_14 = { 4c8b4918 498be8 4c8bf2 488bd9 be01000000 } condition: 7 of them and filesize < 709632 
@@ -90419,36 +90531,36 @@ rule MALPEDIA_Win_Unidentified_104_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "22cbe35d-f38f-5d67-9ed1-a6824dbbad6b" - date = "2026-01-05" - modified = "2026-01-06" + id = "aad3c8e5-d3ed-53bc-9ae8-94bd65d40828" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_104" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_104_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_104_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "7237a55b9f406cfa347ef2bcf70f76cf7dbf15c7062684d829227ca0ac28ac39" + logic_hash = "9445de52bf7e66acf56781027aa78bcec480facad21f4cf8d849d071ba92e136" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b7910 488bd9 488bcf 4c8bf2 e8???????? ba20000000 498bce } - $sequence_1 = { 488bf9 498bd8 488d4c2420 e8???????? 41b804000000 488d4c2450 488bd3 } - $sequence_2 = { 48897e10 48897e18 0f1000 0f1106 0f104810 0f114e10 48897810 } - $sequence_3 = { 8bda e8???????? 4885c0 750d e8???????? 33c0 4883c420 } - $sequence_4 = { 4c8bb42490000000 498b86a0000000 4803c1 4c03d8 4933d3 4c895c2408 4c8bda } - $sequence_5 = { 4933ca 4c8b942490000000 498b82a8000000 4803c1 4c03c0 4933d0 } - $sequence_6 = { cc e8???????? 4d8d4601 488bd6 498bcf e8???????? 
48891e } - $sequence_7 = { 41c1ea19 4433d0 4403742408 4503e2 8b442404 4133dc } - $sequence_8 = { e8???????? 4439b59c000000 7413 e9???????? ff15???????? cc 4489b59c000000 } - $sequence_9 = { 49c1e820 4c33c2 488b542420 4903d0 4c33ca 498bc9 } + $sequence_0 = { 4c8bf2 e8???????? ba20000000 498bce 488bf0 ff15???????? 84c0 } + $sequence_1 = { 4c8b0424 488bf1 48c1ee3f 488d0409 4833f0 498b8298000000 4903c3 } + $sequence_2 = { 48895c2408 57 4883ec20 488d1d33620100 488d3d2c620100 eb12 488b03 } + $sequence_3 = { eb10 4c8d8de0010000 488bd3 e8???????? } + $sequence_4 = { 4d85c0 0f84a7000000 488bc4 48895808 48896810 48897018 48897820 } + $sequence_5 = { 488b442410 490fafc6 4801842428010000 49634004 480faf442440 4801842428010000 } + $sequence_6 = { 4c8b6918 4489542468 8b4304 4c8d0cc0 } + $sequence_7 = { 4c03f8 41897c2408 488b7c2438 4189742414 488b742430 498d8f00000002 41895c2418 } + $sequence_8 = { 0f8423030000 488d8530040000 4889442420 4533c9 4533c0 418bd6 488b4c2448 } + $sequence_9 = { 48c1ea20 4833d3 498b9ba8000000 4803c2 4c33f0 48898424a0000000 498bce } condition: 7 of them and filesize < 263168 
@@ -90458,36 +90570,36 @@ rule MALPEDIA_Win_Tollbooth_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8571d861-b206-5a28-be63-4a9911495781" - date = "2026-01-05" - modified = "2026-01-06" + id = "07e892a9-c376-57ec-8a15-730e9623c112" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tollbooth" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tollbooth_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tollbooth_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "55924965cb8b6210eb05a8f6dd43f9ad6aeae8d8c356e1fd55efb53f124eaedf" + logic_hash = "c7abc6ecdb65d6e642b0a902a8492a31574ad16fd6ad91ab9d2dbe36e2ad13a8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4885c0 0f8428010000 488d7827 4883e7e0 488947f8 4c8b442420 } - $sequence_1 = { eb67 41baa0860100 413bea 7207 bb06000000 eb55 41ba10270000 } - $sequence_2 = { 7451 488b7d07 488b4dff 48894dbf 488bd7 482bd1 48c1fa04 } - $sequence_3 = { e9???????? 488d8ab8000000 e9???????? 488d8a68000000 e9???????? 488d8ad8000000 e9???????? } - $sequence_4 = { 4885ff 757e eb03 498bfe 807e2400 7413 e8???????? 
} - $sequence_5 = { 803902 7558 488b4908 488b5108 483b5110 7421 0fb645e0 } - $sequence_6 = { 48895c2450 48895c2460 48c74424680f000000 41b80a000000 488d1566350900 488d4c2450 e8???????? } - $sequence_7 = { 898b88000000 83bb8800000003 0f8286000000 8b8bf4160000 0fb69388000000 488b83f8160000 80ea03 } - $sequence_8 = { eb4d 488b8100010000 4885c0 7403 f0ff08 488d055d200300 48899900010000 } - $sequence_9 = { 83e11f 418bd7 81c101010000 41c1ef05 83e21f 418bc7 41894d7c } + $sequence_0 = { 488d15f6650800 488d8d30020000 e8???????? 90 e8???????? 90 e8???????? } + $sequence_1 = { 8845c0 488b45e8 488945c8 c645e000 48c745e800000000 488d45c0 488945d0 } + $sequence_2 = { ba20000000 eb20 498b0f e8???????? ba18000000 eb11 498b0f } + $sequence_3 = { 884c2450 483b5348 7408 880a 48ff4340 eb0e 4c8d442450 } + $sequence_4 = { 7203 488b3f 4533c9 488bd7 488b4c2448 ff15???????? 85c0 } + $sequence_5 = { 458d4605 488d1522e40900 488d8db0000000 e8???????? 90 4c89b5d0000000 0f57c0 } + $sequence_6 = { d3e8 49895008 41894018 0fb60a 83e10f 4a0fbe8409080f0b00 428a8c09180f0b00 } + $sequence_7 = { 6690 8bc7 99 f7fb 4863d2 48c1e205 48039590000000 } + $sequence_8 = { 90 4c8bc0 ba3c010000 488d4c2430 e8???????? 488d15a0350900 488d4c2430 } + $sequence_9 = { 488d8c2408020000 e8???????? 4c8bc0 4889442450 0fb68c24e8020000 0fb600 888424e8020000 } condition: 7 of them and filesize < 1907712 
@@ -90497,49 +90609,49 @@ rule MALPEDIA_Win_Grease_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ecfbbfe9-c011-518f-ab9d-ed514af53077" - date = "2026-01-05" - modified = "2026-01-06" + id = "f2b51062-057e-5eef-b563-cdea44ea1c27" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grease_auto.yar#L1-L234" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grease_auto.yar#L1-L234" license_url = "N/A" - logic_hash = "7c8c14c35a0def9c37a4dcb1634bd39b69466704a6828c5b8b5cd9c96e04b3c0" + logic_hash = "83941270e610e5eda4e306c3b4b041e67042a44c47a458750ddcf9b1262cf19b" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 52 50 683f000f00 50 50 50 } - $sequence_1 = { 4053 4881ec90020000 488b05???????? 4833c4 4889842480020000 488d4c2472 } - $sequence_2 = { 4889442438 48897c2430 4533c0 c74424283f000f00 897c2420 ff15???????? 85c0 } - $sequence_3 = { 895c2420 ff15???????? 85c0 0f85e7000000 } - $sequence_4 = { 488b4c2460 ff15???????? b801000000 488b8c2480020000 4833cc e8???????? 4881c490020000 } - $sequence_5 = { 4533c0 488bd3 c744242804000000 4889442420 ff15???????? 488b4c2450 ff15???????? 
} - $sequence_6 = { 85c0 0f85e7000000 488b4c2460 488d442458 } - $sequence_7 = { 488d542470 41b93f000f00 4533c0 48c7c102000080 } - $sequence_8 = { 85c0 7534 488b4c2450 488d442458 41b904000000 4533c0 } - $sequence_9 = { 51 6a04 53 68???????? 52 895c2430 ffd5 } - $sequence_10 = { 68???????? 52 e8???????? 83c40c 8d84242c040000 55 50 } - $sequence_11 = { c644342064 e9???????? c644342070 e9???????? c644342073 e9???????? } - $sequence_12 = { 51 56 66899c2440010000 66899c2446010000 66c784244a0100000700 } - $sequence_13 = { e9???????? c644340c79 e9???????? c644340c77 e9???????? c644340c76 } - $sequence_14 = { 8d442424 8d5001 8a08 83c001 } - $sequence_15 = { 66899c2440010000 66899c2446010000 66899c244a010000 66899c244c010000 } - $sequence_16 = { 68???????? 52 e8???????? 83c408 8d442414 50 } - $sequence_17 = { 83c408 8d442410 50 681f000200 53 8d4c2430 } - $sequence_18 = { 6a00 50 c684241401000000 e8???????? 0fbe4c2410 56 } - $sequence_19 = { c684342406000040 eb62 c68434240600007b eb58 } - $sequence_20 = { 8dbc24490c0000 899424400c0000 be???????? f3ab 66ab } - $sequence_21 = { eb3d c6440c0c3c eb36 c6440c0c28 eb2f c6440c0c24 eb28 } - $sequence_22 = { 8d442414 6a04 50 6a04 55 68???????? 51 } + $sequence_1 = { 488b4c2460 ff15???????? b801000000 488b8c2480020000 4833cc } + $sequence_2 = { 85c0 7534 488b4c2450 488d442458 41b904000000 4533c0 488bd3 } + $sequence_3 = { ff15???????? 85c0 0f85e7000000 488b4c2460 } + $sequence_4 = { 488b4c2460 48897c2440 488d442450 4889442438 48897c2430 } + $sequence_5 = { 4533c9 4533c0 4889442420 ff15???????? 85c0 7537 } + $sequence_6 = { 48897c2440 4889442438 48897c2430 4533c0 c74424283f000f00 897c2420 } + $sequence_7 = { 488bd3 c744242804000000 4889442420 ff15???????? 488b4c2450 ff15???????? } + $sequence_8 = { 4881ec90020000 488b05???????? 4833c4 4889842480020000 488d4c2472 } + $sequence_9 = { 53 ffd5 8d442424 8d5001 8a08 83c001 3acb } + $sequence_10 = { 56 ff15???????? 8d542424 68???????? 
52 } + $sequence_11 = { c68434180300005e eb26 c68434180300002f eb1c c68434180300003f eb12 c68434180300002e } + $sequence_12 = { 56 ff15???????? 8d442424 68???????? 50 e8???????? } + $sequence_13 = { bb01000000 83feff 0f84f2020000 8b2d???????? } + $sequence_14 = { eb67 c644342025 eb60 c64434202a eb59 } + $sequence_15 = { 8d8c2445050000 53 51 889c244c050000 e8???????? 83c418 } + $sequence_16 = { 0f8386000000 8bc7 8bf7 c1f805 83e61f 8d1c8560e44000 c1e603 } + $sequence_17 = { 52 ff15???????? 8b44240c 50 ffd6 } + $sequence_18 = { 8d8c2434010000 51 56 66899c2440010000 66899c2446010000 66c784244a0100000700 } + $sequence_19 = { 8a904c5e4000 ff2495785d4000 c64434206d e9???????? c644342071 e9???????? } + $sequence_20 = { c68434340a000067 e9???????? c68434340a000061 e9???????? c68434340a00007a e9???????? } + $sequence_21 = { 6689842432010000 6689842438010000 b904000000 8d442420 50 } + $sequence_22 = { e9???????? c6440c0870 e9???????? c6440c0873 e9???????? c6440c0874 } condition: 7 of them and filesize < 278528 @@ -90553,7 +90665,7 @@ rule MALPEDIA_Win_Makop_Ransomware_Auto : FILE date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.makop_ransomware_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.makop_ransomware_auto.yar#L1-L124" license_url = "N/A" logic_hash = "3c7cc3419f322a8e9eb8473ecaf54fc5da0725e8a0f35ff3f90245e28389848b" score = 75 
@@ -90588,36 +90700,36 @@ rule MALPEDIA_Win_Sanny_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b4b3143-6e56-57d2-a40c-de1821af2738" - date = "2026-01-05" - modified = "2026-01-06" + id = "87344e9f-12e4-542a-9c6d-f79a99e4dcc0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sanny_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sanny_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "e2fbc4a585eb4f31f4417da33af8b6c1fed46bb262bdcc20859cec67dc3394ca" + logic_hash = "4364bd4d6d0419a65297d5dfea623a3e99e3c76950ba0b9edaa5327e2a3febf4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 56 e8???????? 8b4c2434 8b542430 51 52 } - $sequence_1 = { 8b4c240c 6a05 51 8bce } - $sequence_2 = { 8d4c241c 51 8d542444 6a00 8d4c2434 52 51 } - $sequence_3 = { 894614 83c002 50 e8???????? 
8b4e14 83c404 41 } - $sequence_4 = { eb63 3c02 755f 8b861cc70000 85c0 7455 8b542408 } - $sequence_5 = { 8b542410 52 ffd5 8d442414 43 50 53 } - $sequence_6 = { 8b54244c 8d442454 8d4c240c 50 51 8d442428 52 } - $sequence_7 = { 81ec08040000 8d442400 56 8bb42414040000 50 8b842420040000 8d54240c } - $sequence_8 = { 53 57 8d3c85c4714100 bb00100000 7520 53 } - $sequence_9 = { 8d3449 2bd1 8d34b530634100 832600 83c60c 4a 75f7 } + $sequence_0 = { ffd6 a3???????? 8b8b381f0000 68???????? 51 } + $sequence_1 = { 51 e8???????? 8d54241c 8d842438020000 52 50 } + $sequence_2 = { 8bf9 8d8728040000 8a10 8a1e 8aca 3ad3 751e } + $sequence_3 = { 8bf8 83ffff 753f ff15???????? } + $sequence_4 = { 89942480000000 880a 8b942480000000 8b4c2474 4a } + $sequence_5 = { 85c0 7502 32db 8bfe } + $sequence_6 = { 741b c705????????16000000 83c8ff eb7b c705????????0c000000 ebef 890d???????? } + $sequence_7 = { c1e612 33d6 25cccc3333 33d0 8bc1 8bf1 81e1cccc3333 } + $sequence_8 = { ffd0 85c0 0f85d6000000 8d8618c50000 8bce 50 c78610c5000001000000 } + $sequence_9 = { 41 3d???????? 7cf1 56 8bf1 c1e603 3b96b8634100 } condition: 7 of them and filesize < 253952 
@@ -90627,34 +90739,36 @@ rule MALPEDIA_Win_Laziok_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "79b2ce92-e42d-5fec-a687-7e4fbea19571" - date = "2026-01-05" - modified = "2026-01-06" + id = "e9928abc-9f11-57cf-bc19-77a6ab9d445a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.laziok_auto.yar#L1-L101" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.laziok_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "621f5999fd77cd3089a05c94f9c8d680d38cd15a4fe64826e89765eb3b0323fd" + logic_hash = "0fe4c25f1a5e51bff5e582b3f75e9eebde96a10c7310facfdb73513e1edafe37" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 751a ff7610 ff15???????? 56 } - $sequence_1 = { 59 85c0 740a 8b4c240c 8b742408 8901 } - $sequence_2 = { 8bc6 5e c20800 55 8bec 81ec04010000 } - $sequence_3 = { 668945f0 8b4604 8945f4 0fb74608 } - $sequence_4 = { ff74240c 33f6 ff35???????? e8???????? } - $sequence_5 = { 668945f2 8b460c 85c0 7404 8b00 eb03 } - $sequence_6 = { 7513 6a00 ff7510 ff750c ff7608 ff15???????? eb3f } - $sequence_7 = { e8???????? 59 59 85c0 740d 3bc7 } + $sequence_0 = { 8b542418 8d0c24 e8???????? 8b54241c 8d4c2404 } + $sequence_1 = { 57 ff74240c 33f6 ff35???????? e8???????? 
} + $sequence_2 = { 33c0 668945fc 8d85f4fdffff 50 } + $sequence_3 = { 8bf0 85f6 740b 837c240cff 8937 } + $sequence_4 = { 668945f2 8b460c 85c0 7404 8b00 eb03 8b4610 } + $sequence_5 = { ff3424 e8???????? ff742410 e8???????? } + $sequence_6 = { eb11 8b460c 85c0 751a ff7610 ff15???????? } + $sequence_7 = { 0fb74608 50 ff15???????? 668945f2 8b460c 85c0 7404 } + $sequence_8 = { 85c0 7404 8b00 eb03 8b4610 6a10 } + $sequence_9 = { 668945f0 8b4604 8945f4 0fb74608 50 ff15???????? 668945f2 } condition: 7 of them and filesize < 688128 
@@ -90664,36 +90778,36 @@ rule MALPEDIA_Win_Rhadamanthys_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fbc76f02-e283-5cc2-95ab-feddb32988f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "6cde2abd-2119-5f95-be12-d52e6fe5f9f3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rhadamanthys_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rhadamanthys_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "9730ed3bce4b206712bfc32009b2e0a70bda3b8b9f39f72ed960449e1927c991" + logic_hash = "9cf4ab6e66768cc3e30be043cc6b7d66d3657cd4e6a16df188fbe4be62a010e1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7308 03c6 50 8b03 } - $sequence_1 = { 8a01 84c0 7416 8b542408 69d293010001 } - $sequence_2 = { 33d0 41 89542408 ebe4 } - $sequence_3 = { 7416 8b542408 69d293010001 0fb6c0 33d0 41 } - $sequence_4 = { 8b542408 69d293010001 0fb6c0 33d0 41 89542408 ebe4 } - $sequence_5 = { 7416 8b542408 69d293010001 0fb6c0 33d0 } - $sequence_6 = { 84c0 7416 8b542408 69d293010001 0fb6c0 } - $sequence_7 = { 7416 8b542408 69d293010001 0fb6c0 33d0 41 89542408 } - $sequence_8 = { 84c0 7416 8b542408 69d293010001 0fb6c0 33d0 } - $sequence_9 = { 84c0 7416 8b542408 69d293010001 } + 
$sequence_0 = { 7416 8b542408 69d293010001 0fb6c0 33d0 41 } + $sequence_1 = { 8b542408 69d293010001 0fb6c0 33d0 41 89542408 } + $sequence_2 = { 8b4304 ff7308 03c6 50 8b03 } + $sequence_3 = { 0fb6c0 33d0 41 89542408 } + $sequence_4 = { 8a01 84c0 7416 8b542408 69d293010001 } + $sequence_5 = { 8b4c2404 8a01 84c0 7416 8b542408 69d293010001 0fb6c0 } + $sequence_6 = { 69d293010001 0fb6c0 33d0 41 89542408 } + $sequence_7 = { 8b4c2404 8a01 84c0 7416 8b542408 } + $sequence_8 = { 7416 8b542408 69d293010001 0fb6c0 } + $sequence_9 = { 7416 8b542408 69d293010001 0fb6c0 33d0 41 89542408 } condition: 7 of them and filesize < 1111040 
@@ -90703,75 +90817,112 @@ rule MALPEDIA_Win_Mydoom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7e77b916-3ba2-5a80-a19d-24731b91f9bc" - date = "2026-01-05" - modified = "2026-01-06" + id = "72ea3954-2052-5e86-b290-56c79888c3a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mydoom_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mydoom_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "35d52ce2fd0848990f084283aa4885b799e1dbfb0fb9f161e6a1a896179d7494" + logic_hash = "598fd9734b4a6a0520f259a056c664e93438dd826b58291af16cc1f6109dd0b6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 89442404 893424 e8???????? ba00000000 eb20 ba00000000 } - $sequence_1 = { 8d45f8 89442410 c744240c19000200 c744240800000000 895c2404 } - $sequence_2 = { c3 55 89e5 83ec48 895df4 8975f8 } - $sequence_3 = { e8???????? c78538feffff44000000 c78564feffff01000000 66c78568feffff0500 } - $sequence_4 = { 53 81ec94010000 c7442404???????? 8d9d38ffffff 891c24 } - $sequence_5 = { c7042401000080 e8???????? 83ec14 85c0 7547 893424 e8???????? } - $sequence_6 = { 380a 7415 42 803a00 7406 } - $sequence_7 = { 8d85c8fdffff 890424 e8???????? 83ec04 8b4508 890424 e8???????? 
} - $sequence_8 = { 8945cc 0fb745e6 668945ca c744240810000000 8d45c8 } - $sequence_9 = { 8b7508 8b5d0c 803b00 7414 0fbe03 } + $sequence_1 = { 89442424 895c2420 c744241c00000000 c744241800000000 c744241400000000 c744241001000000 c744240c00000000 } + $sequence_2 = { 84db 0f94c2 09d0 ba00000000 a801 0f85f6000000 } + $sequence_3 = { 890424 e8???????? 83ec08 8b856cf9ffff 890424 } + $sequence_4 = { 89e5 53 83ec54 c7442404???????? } + $sequence_5 = { 0fb6d0 89d0 8b5df4 8b75f8 } + $sequence_6 = { 893424 e8???????? 893424 e8???????? 83ec04 80bc2807feffff5c } + $sequence_7 = { 0fb705???????? 668945d0 0fb605???????? 8845d2 8d45d8 890424 e8???????? } + $sequence_8 = { 83ec08 e8???????? e8???????? e8???????? b800000000 } + $sequence_9 = { c7442404???????? 893c24 e8???????? c7042401000000 e8???????? 83ec04 c744240800000000 } condition: 7 of them and filesize < 114688 } +rule MALPEDIA_Win_Jelus_Rat_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "33681d05-24ad-57d3-8610-52ac37c38536" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jelus_rat" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jelus_rat_auto.yar#L1-L91" + license_url = "N/A" + logic_hash = "1f5b36790a1a98c8f318088448ee6df7d5fba3603773a6e0cc9156690aec9ff0" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { e8???????? 4c8d4d98 4c8d45a8 488d542460 } + $sequence_1 = { e8???????? 4c8d4d38 4c8d4540 8bd3 } + $sequence_2 = { e8???????? 
4c8d4818 4c894d30 8b93f4000000 85d2 } + $sequence_3 = { e8???????? 4c8d4c2440 488bcb 4c8d442448 } + $sequence_4 = { e8???????? 4c8d4c2478 4c8bc0 488bd6 } + $sequence_5 = { e8???????? 4c8d4c2460 4c8d442468 488d542438 } + $sequence_6 = { e8???????? 4c8d4c2440 4c8d05e3261800 488d542450 } + $sequence_7 = { e8???????? 4c8d4c2420 48895c2428 4533c0 } + + condition: + 7 of them and filesize < 6474752 +} rule MALPEDIA_Win_Dimnie_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "faec140a-eb16-5876-b92f-a4f4dcf83df4" - date = "2026-01-05" - modified = "2026-01-06" + id = "a9240258-cf61-5dc2-ab4f-10013015433a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dimnie_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dimnie_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "8e390553f6468d186c93389bf0eaa300637b1e54d4adacff8f64a890d9a8be5a" + logic_hash = "70ca842d9631fe5369aa7069c32231e46ccbbfe41fbac84f3ba30d862b64c177" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb04 c645af3d 8b4d0c 8a55af 885102 837d1002 } - $sequence_1 = { 7e28 8b5508 0fb64201 83e00f c1e002 8b4d08 0fb65102 } - $sequence_2 = { 8b450c eb54 8b550c 2b5508 83fa01 751c 0f31 } - $sequence_3 = { c70201000000 
8b4508 8b08 83e10f 8b5508 } - $sequence_4 = { eb54 8b550c 2b5508 83fa01 751c } - $sequence_5 = { eb61 8b4d08 3b4d0c 7605 8b450c eb54 8b550c } - $sequence_6 = { c70201000000 8b4508 8b08 83e10f 8b5508 890a } - $sequence_7 = { 8855ae eb04 c645ae3d 8b450c 8a4dae } - $sequence_8 = { b90d000000 be???????? 8d7dbc f3a5 } - $sequence_9 = { 8b4d0c 8a55af 885102 837d1002 7e13 8b4508 } + $sequence_0 = { 8b450c eb54 8b550c 2b5508 83fa01 751c } + $sequence_1 = { 8b4508 c70001000000 8b4d0c c70101000000 } + $sequence_2 = { c70101000000 8b5510 c70201000000 8b4508 8b08 83e10f } + $sequence_3 = { 750a 837d0800 7504 33c0 eb6e } + $sequence_4 = { 33c0 eb6e 8b4508 3b450c 7505 } + $sequence_5 = { c1e804 8945f4 8b4df8 83c101 8b45f4 33d2 } + $sequence_6 = { 3b450c 7505 8b4508 eb61 8b4d08 3b4d0c } + $sequence_7 = { c745fc00000000 c745f800000000 c745f850000000 8b450c 8b4dfc 894804 } + $sequence_8 = { eb61 8b4d08 3b4d0c 7605 } + $sequence_9 = { 83e10f 8b5508 890a 8b450c } condition: 7 of them and filesize < 212992 
@@ -90781,36 +90932,36 @@ rule MALPEDIA_Win_Kutaki_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0ce7f5d-750c-52b1-ad8e-d94947241870" - date = "2026-01-05" - modified = "2026-01-06" + id = "48e743da-b335-5755-b568-4eed1a0848ba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kutaki_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kutaki_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "2d6337f5a069ed263b69e96c0f4411506a5a576a0de1c3fe88d0c7f6f51b0ebe" + logic_hash = "f1fa7380a50e2743cedeaaa0693c41429b0def91858704e16479700f8e6c6e01" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8945d4 8d55d4 52 8d45cc 50 ff15???????? } - $sequence_1 = { ff15???????? 85c0 0f849b020000 8d4ddc 51 ff15???????? 50 } - $sequence_2 = { 51 e8???????? c745fc04000000 8b5510 33db 833a00 0f9ec3 } - $sequence_3 = { 8b4db4 3b4810 7309 c7458800000000 eb09 ff15???????? } - $sequence_4 = { 8d953cffffff 52 6808200000 ff15???????? 898564feffff 8d8564feffff 50 } - $sequence_5 = { ffd7 a1???????? 6685f6 0f8dfd000000 85c0 7515 68???????? } - $sequence_6 = { 50 ff15???????? 898548ffffff eb0a c78548ffffff00000000 833d????????00 751c } - $sequence_7 = { 68???????? 
c78570ffffff01000000 c78568ffffff02000000 ffd6 68???????? 66898560ffffff c78558ffffff02000000 } - $sequence_8 = { 8985a4feffff 83bda4feffff00 7d26 68a0000000 } - $sequence_9 = { 8b957cffffff 52 ff15???????? 898518ffffff eb0a c78518ffffff00000000 8b45c8 } + $sequence_0 = { e9???????? c745fc0a000000 c745fc0b000000 8b450c 6bc004 0f8037080000 83c002 } + $sequence_1 = { 83bd80feffff00 7d26 68a0000000 68???????? 8b9584feffff 52 8b8580feffff } + $sequence_2 = { 8d4de0 ff15???????? 8b4d08 6a00 8b11 8955c4 ffd3 } + $sequence_3 = { c7458c00000000 8b4d8c f7d9 66894db4 8d4ddc ff15???????? 8d4dd4 } + $sequence_4 = { ff15???????? 898584fcffff eb0a c78584fcffff00000000 8b9574ffffff 899564fdffff c78574ffffff00000000 } + $sequence_5 = { 66833801 7543 8b4dac 8b55d8 2b5114 899554ffffff } + $sequence_6 = { 8d9574ffffff 8d4da4 ff15???????? 8b4dc8 898d20ffffff c745c800000000 } + $sequence_7 = { 8d4598 52 50 6a03 ff15???????? 83c41c 68???????? } + $sequence_8 = { 51 ff15???????? 8d8d3cffffff ff15???????? c745fc0a000000 83bd68ffffff00 } + $sequence_9 = { e9???????? c745fc34000000 8d45ac 50 e8???????? 8bd0 8d4da8 } condition: 7 of them and filesize < 1335296 
@@ -90820,36 +90971,36 @@ rule MALPEDIA_Win_Industroyer2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e868bea-ed7e-5974-96ba-660ba0f6c883" - date = "2026-01-05" - modified = "2026-01-06" + id = "ae80a211-6fc0-5b81-9389-065e77c66b8c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.industroyer2_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.industroyer2_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "af4403ef973a2e44095a1be12f63d921343b5d2fe519fbae198aa69e0c4340cd" + logic_hash = "aee94370652af7fa85a93fdfaeaeb964895ccc7f0365a0ac20fa3347e850a92a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4dfc 8b11 c6420603 8b45fc 8b08 c6410783 8b55fc } - $sequence_1 = { ebcc 8b4508 8b8848010100 8b55f4 } - $sequence_2 = { 894a0c 8b55f8 8b02 8b4d20 8b5108 895008 8b45f8 } - $sequence_3 = { 8b4508 8945fc 8b4d0c 894df8 837d0800 7414 } - $sequence_4 = { e8???????? 83c404 85c0 7636 68???????? 8b4508 } - $sequence_5 = { 52 e8???????? 8b4508 83780800 } - $sequence_6 = { 694d18a0860100 034d1c 8b55fc 894a14 8b45fc 8be5 } - $sequence_7 = { 50 e8???????? 8b4dec 894110 8b55fc 83c201 8955fc } - $sequence_8 = { a1???????? 8945e0 8b0d???????? 894de4 8a15???????? 
8855e8 8d45d8 } - $sequence_9 = { e9???????? 68???????? e8???????? 50 e8???????? 83c408 6a08 } + $sequence_0 = { 8b55f0 52 8d4db8 e8???????? 8bc8 e8???????? } + $sequence_1 = { e8???????? eb20 6a00 8d55ec } + $sequence_2 = { e8???????? 50 e8???????? 83c40c e9???????? 68???????? e8???????? } + $sequence_3 = { 6a00 8b450c 50 68???????? 8b4df0 51 } + $sequence_4 = { 8b08 51 6a00 6a06 8b55fc 52 } + $sequence_5 = { 8b4508 50 6a01 8b4d08 8b9148010100 8b45f4 } + $sequence_6 = { 8b4dcc 894dc0 eb07 c745f800000000 8b55fc 3b55f0 7364 } + $sequence_7 = { 8a55d8 889146000100 eb11 8b450c c6801800010001 } + $sequence_8 = { eb0e c745e801680000 c745f800000000 8b4dfc 3b4df0 732c 837df800 } + $sequence_9 = { 740e e8???????? 8b45ec 50 } condition: 7 of them and filesize < 100352 
@@ -90859,36 +91010,36 @@ rule MALPEDIA_Win_Tonerjam_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f786075c-cfe5-5b49-a6e1-4889818e7624" - date = "2026-01-05" - modified = "2026-01-06" + id = "a063fb23-ba9a-5e53-b940-9f8d06dcf4cb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonerjam" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tonerjam_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tonerjam_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "d8a6c742127525a08706ace06fd5028ecb9ea4f1402f1305542963485e91aa8b" + logic_hash = "721a76d811438eef4f5c0a728a2249138edac1453021df45751fb535ce74da26" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d4c2458 448d4218 ff15???????? 488d442458 c744247068000000 4889442448 } - $sequence_1 = { 41b804010000 ff15???????? 33d2 488d8d50010000 41b804010000 } - $sequence_2 = { 4883ec28 e8???????? 488bc8 488d15314e0100 4883c428 e9???????? 48895c2418 } - $sequence_3 = { 488d4508 458bce 4533c0 4889442420 488d1515c10100 48c7c102000080 ff15???????? } - $sequence_4 = { ff15???????? 85c0 757c 48c7c0ffffffff } - $sequence_5 = { 4903c0 660f1f840000000000 8030e5 488d4001 } - $sequence_6 = { 33d2 e8???????? 4885db 7414 488d0536d70100 483bd8 } - $sequence_7 = { 33c9 ff15???????? 
cc b801000000 488b8c2430010000 4833cc e8???????? } - $sequence_8 = { c3 397c2440 488b5c2448 400f95c7 8bc7 } - $sequence_9 = { 488d0dbac10100 e8???????? 48c7c3ffffffff 488d8d70020000 488bc3 0f1f4000 48ffc0 } + $sequence_0 = { 4933fa 4b87bcfe601d0200 33c0 488b5c2450 488b6c2458 } + $sequence_1 = { 4889442420 488bd3 498bce ff15???????? b801000000 } + $sequence_2 = { 4889442420 ff15???????? 85c0 7431 488b4c2458 488d442440 4533c9 } + $sequence_3 = { 83b97004000002 0f84e7010000 bd20000000 4c8d35520a0100 897350 89732c } + $sequence_4 = { 488d5560 41b808020000 ff15???????? 488d4d60 ff15???????? 660f6f05???????? } + $sequence_5 = { 448d4220 ff15???????? 660f6f05???????? 488d45a0 660f6f0d???????? } + $sequence_6 = { eb0b 4803f6 418b84f718a40100 85c0 7816 3de4000000 730f } + $sequence_7 = { 4883f8ff 74c8 488bd3 4c8d0512e80000 83e23f 488bcb } + $sequence_8 = { f30f6f40c0 660fefc8 f30f7f48c0 660f6fca f30f6f40d0 660fefc2 } + $sequence_9 = { 33d2 48897c2430 89442428 4c8d8590050000 448bcb 40883e 4889742420 } condition: 7 of them and filesize < 315392 
@@ -90898,36 +91049,36 @@ rule MALPEDIA_Win_Aperetif_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1685b19d-bab9-559e-a837-4099892bca74" - date = "2026-01-05" - modified = "2026-01-06" + id = "9e3e9777-0de5-5603-a86e-a21231ce6c9a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aperetif_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aperetif_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8b99a188c4357f2054441c5cc8823b451c95e41e20e854ee376e3b8dd6441f0d" + logic_hash = "4fc990be119c3652a5e9feb00f50b54ab7fc4e6e2793c1301bd0b50a27cbc781" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7708 50 e8???????? 83c40c ff7708 8b442418 50 } - $sequence_1 = { f20f1186080b0000 c7452400000000 e9???????? 85c9 0f84d8050000 697528100b0000 33ff } - $sequence_2 = { 8bef 8d041b 50 8b442414 8b401c ff30 ff742424 } - $sequence_3 = { e8???????? 8d48fe b82d000000 668901 eb0c 50 8d45ee } - $sequence_4 = { e8???????? 8bf0 83c410 85f6 7511 68db020000 68???????? } - $sequence_5 = { 8bc1 c1e810 0fb6c0 c1e208 0fb68068b98700 0bd0 8bc1 } - $sequence_6 = { 8b5604 83c604 85d2 0f8421010000 8d4a01 8bc2 f00fb10e } - $sequence_7 = { f20f5ec8 0f28d1 f20f59cb f20f59542448 660f2f0d???????? 
7740 f20f1005???????? } - $sequence_8 = { ff7508 8910 8b55e8 897004 895008 e8???????? c74310507c5c00 } - $sequence_9 = { eb46 8b01 52 8d55d4 c745fc00000000 52 ff5014 } + $sequence_0 = { eb14 2bf2 d1fe ebbd 2bf2 d1fe ebe7 } + $sequence_1 = { eb08 8b5c243c 8b6c2410 8b442414 8b742420 40 89442414 } + $sequence_2 = { 8b742474 8d0468 03c3 3bde 89442460 0f42f3 8b9c2484000000 } + $sequence_3 = { 8b4da4 8d04be 8b75b4 83c40c 894104 8b8d70ffffff 83ec0c } + $sequence_4 = { e8???????? 8d5f50 8d7328 56 e8???????? 83c408 85c0 } + $sequence_5 = { f0ff4108 8b0e 894de8 33c9 33ff 894d08 894dd4 } + $sequence_6 = { e8???????? 8d4dd0 e8???????? 8d4d08 e8???????? 8d4d64 e8???????? } + $sequence_7 = { eb02 33f6 8b442438 895c2414 895c2418 8b400c 85c0 } + $sequence_8 = { 8d4a01 894808 b920000000 2bcf 89700c 3bcb 72d2 } + $sequence_9 = { f20f114c2440 8b4e04 8bc1 c1e81f 83c608 03f9 660f6ec1 } condition: 7 of them and filesize < 10500096 
@@ -90937,36 +91088,36 @@ rule MALPEDIA_Win_Thanatos_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "36dfbc1b-2a7c-5015-aa84-898c9ae8a989" - date = "2026-01-05" - modified = "2026-01-06" + id = "3e2efc3a-e956-5147-bca2-be28e7fdef27" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.thanatos_ransom_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.thanatos_ransom_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "0a185fa4c8cc02cde8300ce206abe6802953ff20e929d9c3889dfecd7dc1e60f" + logic_hash = "55f904d65eff08bd5088fe8e3b30d2b4ad269f8a092048bf892607e13c3f4610" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837f1410 7240 8b4714 8b0f 40 3d00100000 722a } - $sequence_1 = { 50 e8???????? 83ec18 c645fc13 8bcc c741140f000000 c7411000000000 } - $sequence_2 = { f20f591c8580e94200 f20f592c8580e94200 03c0 660f58348590ed4200 660f5625???????? f20f58f0 } - $sequence_3 = { 6bc930 f6451402 8b0485e0774300 c644082900 } - $sequence_4 = { c64405e800 40 83f804 7cef 33f6 0f1f440000 8a4435e8 } - $sequence_5 = { c645fc14 8d4dd8 e8???????? 83c404 68???????? 8bd0 } - $sequence_6 = { 8b7508 8bce 68b8020000 68???????? c745fc00000000 } - $sequence_7 = { e8???????? 
83c404 c645fc12 8b45ec c745d40f000000 c745d000000000 c645c000 } - $sequence_8 = { 43 837e1410 7204 8b06 eb02 } - $sequence_9 = { 83f81d 7cf1 eb07 8b0cc544be4200 894de4 } + $sequence_0 = { 837f1410 7240 8b4714 8b0f } + $sequence_1 = { 03048de0774300 eb05 b8???????? f6402820 } + $sequence_2 = { 0f435d3c 8bf3 8d4e01 8a06 46 } + $sequence_3 = { 03c0 660f28348570e14200 baef7f0000 2bd1 83e910 } + $sequence_4 = { 8b048de0774300 8874382b 8b048de0774300 5a 8854382c } + $sequence_5 = { 8b048de0774300 f644382848 741c 8a55ff 80fa0a 7504 8816 } + $sequence_6 = { 8d8d40ffffff e8???????? 57 e8???????? 83c404 } + $sequence_7 = { 8bce 6890000000 68???????? c745fc00000000 } + $sequence_8 = { e8???????? 8bc8 51 e8???????? 83c404 c7458c0f000000 } + $sequence_9 = { 51 e8???????? 83c404 c745fcffffffff 8b8574ffffff c7458c0f000000 } condition: 7 of them and filesize < 516096 @@ -90980,7 +91131,7 @@ rule MALPEDIA_Elf_Babuk_Auto : FILE date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.babuk_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.babuk_auto.yar#L1-L131" license_url = "N/A" logic_hash = "a4e1d4252d61243f852bbd89e2ebf51566a3485791e9905d978089b8c49c4cb9" score = 75 
@@ -91015,36 +91166,36 @@ rule MALPEDIA_Win_Mediapi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "93eb6857-89ab-509f-a3db-521b6138e920" - date = "2026-01-05" - modified = "2026-01-06" + id = "baea5270-aa89-5a0c-aabe-70c86b6f59bd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mediapi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mediapi_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mediapi_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "62d55dbda71843c208580e1ce14906c348dc561d976d6517a9642b390fe58aad" + logic_hash = "5a357a60152585228c591c2602a128bb4ce3f85f33e3ab77c4780b8ae8acaae8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89c1 e8???????? 8045ff01 ebc3 } - $sequence_1 = { 4898 488d95c0010000 41b900000000 41b8d0470000 4889c1 488b05???????? 
ffd0 } - $sequence_2 = { 488b5510 884209 488b5510 0fb645ff 88420d } - $sequence_3 = { 8345fc01 837dfc3b 0f86cdfdffff 90 4883c420 5d c3 } - $sequence_4 = { 88420b 488b5510 0fb645ff 884207 90 4883c410 } - $sequence_5 = { 4889f1 ffd0 488b5b10 4885db 75dc 488d0d35600000 4883c428 } - $sequence_6 = { 0fb645db 0fb6c0 c1f802 83e00f 01d0 } - $sequence_7 = { 90 488d0506700000 8b00 4898 488d9540010000 41b810000000 } - $sequence_8 = { 8845de 0fb645db 0fb6c0 c1e006 89c2 0fb645dc 01d0 } - $sequence_9 = { 8b05???????? c1e010 4898 48394518 } + $sequence_0 = { 8b05???????? c1e010 4898 48394518 77e0 8b05???????? c1e010 } + $sequence_1 = { 83f804 755c 0fb645ec 0fb6c0 4898 488d155b5a0000 0fb60410 } + $sequence_2 = { 4801d0 0fb600 89c1 488b9548dd0000 } + $sequence_3 = { e8???????? 488945f8 c705????????01000000 488b45f8 4883c430 } + $sequence_4 = { e8???????? 8b85a8dd0000 4863c8 488b9548dd0000 } + $sequence_5 = { 8945f8 eb0e 8b45f8 4898 c64405d900 8345f801 } + $sequence_6 = { 89c1 e8???????? 31c6 0fb645fa } + $sequence_7 = { 89c1 e8???????? 8045ff01 ebc3 90 488b4518 } + $sequence_8 = { 7507 b800000000 eb0a 488b45f8 eb04 } + $sequence_9 = { 488b05???????? ffd0 898544010000 0fb7852e0f0000 89c1 } condition: 7 of them and filesize < 246784 
@@ -91054,50 +91205,50 @@ rule MALPEDIA_Win_Winnti_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1351f8e3-6ca5-5a13-9678-9210d9ddffd2" - date = "2026-01-05" - modified = "2026-01-06" + id = "bfa16f1d-498b-534c-9dd5-b2fcc73815ee" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.winnti_auto.yar#L1-L242" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.winnti_auto.yar#L1-L239" license_url = "N/A" - logic_hash = "09cc054785791e781076cf9631fef38d07059412817f6de2934895bd3887e46e" + logic_hash = "92ce98a4d00ea3daffbf698df1cc58ea7a925bcdcca0c5e61c04ba53b8f147ad" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 56 ff15???????? 85c0 7e79 8d4c2418 8d942484000000 } - $sequence_1 = { 8dbc24c4000000 8d942410010000 f3ab 668b8424740b0000 bf???????? 66898424d2050000 83c9ff } - $sequence_2 = { 8b734c 03f8 8bc1 c1e902 f3a5 8bc8 } - $sequence_3 = { f3ab 8b8c2498010000 c644242004 51 c644242501 ff15???????? } - $sequence_4 = { ffd7 68???????? 68???????? 89460c } - $sequence_5 = { 85c0 751a 8bcb 8d142e 2bce 51 } - $sequence_6 = { e8???????? 
8b4c2418 50 6800040000 } - $sequence_7 = { 8bfa 83c9ff f2ae 8b54242c } - $sequence_8 = { 0f849a000000 4c8d5b2e 660f1f440000 410fb70b 458bca } - $sequence_9 = { 8b4b1c 4803cf 8b0491 4803c7 488b5c2410 } - $sequence_10 = { 4585d2 759d 488b7db7 458bd9 44894d97 } - $sequence_11 = { 4053 4883ec40 48c74424580a000000 488b442458 4c8d442458 } - $sequence_12 = { 4863c9 e8???????? 488bd8 4c8d443710 4983781810 7203 4d8b00 } - $sequence_13 = { 75f1 408830 488d542450 4038742450 } - $sequence_14 = { 90 488bd0 488d4b28 e8???????? 90 48837dd710 7209 } - $sequence_15 = { 4863d9 4c8be3 49c1fc05 4c8d355a4f0a00 83e31f 486bdb58 } - $sequence_16 = { 48c784248800000000000000 488d942488000000 488d4c2428 e8???????? 488d05e7700100 4889442428 488d1553d80100 } - $sequence_17 = { 7517 488d0513ac0a00 488b4c2430 483bc8 7406 e8???????? 90 } - $sequence_18 = { 7511 33c0 4881c4e0000000 415f 415e } - $sequence_19 = { 4889742430 488b442440 48894310 48894b18 48897c2448 } - $sequence_20 = { 741e 837d6001 7511 488d5568 ff15???????? 488b8d00010000 ff15???????? } - $sequence_21 = { 48897c2478 488b8c2400010000 4885c9 741f 4183fe01 7513 } - $sequence_22 = { 8bd8 85c0 7848 488b8c24b0000000 } - $sequence_23 = { 488d0527eb0a00 eb04 4883c010 4883c428 c3 4883ec28 e8???????? } + $sequence_0 = { 8d7c2410 33db f3ab 8d44240c } + $sequence_1 = { 8d442418 8d8c2490000000 50 6800020000 } + $sequence_2 = { 8954242c 663dffff 0f84cf000000 83fa01 7f07 } + $sequence_3 = { 5d 8b4744 6a00 53 } + $sequence_4 = { 8b8c2470020000 2bdf 83c304 6a00 53 } + $sequence_5 = { 8bf0 b900010000 33c0 8bfe f3ab 83c404 33ff } + $sequence_6 = { 2bf9 8d5a08 8bc1 8bf7 8bfb 6a00 } + $sequence_7 = { ff15???????? b908000000 33c0 8d7c2414 8d542434 f3ab } + $sequence_8 = { 488bcf e8???????? 85c0 7442 488d15726b0000 } + $sequence_9 = { 7539 410bc0 488d542458 488d0db3210b00 8905???????? 488d05a61e0100 } + $sequence_10 = { 48ffc5 488d157cf20000 488bcd e8???????? } + $sequence_11 = { 33d2 8bc1 41f7f2 85d2 7402 2bca } + $sequence_12 = { e8???????? 
4883c708 4883ff38 7cc2 488b0e } + $sequence_13 = { 4c8d4597 41b930000000 ba04822200 488bce c744242838000000 4889442420 } + $sequence_14 = { 8bc1 48897c2440 4c897c2448 41f7f0 85d2 7405 } + $sequence_15 = { 7556 833d????????02 734d 8b8db0030000 0fb7532e 488d8560010000 } + $sequence_16 = { c744242828000000 c745ff40000000 4889442420 c7450328000000 48c7450742000042 } + $sequence_17 = { 3b0d???????? 7369 4863d9 488d2d7f500a00 488bfb 83e31f 48c1ff05 } + $sequence_18 = { 2bc8 750f 488d0d6d110000 ff15???????? eb12 488d0d7e110000 ff15???????? } + $sequence_19 = { 7e22 48897b18 48897310 408833 4533c0 488d15cb550100 488bcb } + $sequence_20 = { 8b6c3301 4863c5 4883c305 4803c6 } + $sequence_21 = { 7402 8913 3bd7 410f92c3 418bc3 } + $sequence_22 = { 448be0 85c0 0f844e010000 488b4c2450 488364242000 488d055d970a00 } + $sequence_23 = { 458d60f8 4488443039 4180fd01 752e 4b8b84f900a20b00 8a4c303a 413ac8 } condition: 7 of them and filesize < 1581056 
@@ -91107,72 +91258,72 @@ rule MALPEDIA_Win_Skipper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "efc6c970-e4f9-50aa-846f-5655368eb02c" - date = "2026-01-05" - modified = "2026-01-06" + id = "eef75b62-d5e7-5a7a-99b2-fadc4a28ee97" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.skipper_auto.yar#L1-L422" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.skipper_auto.yar#L1-L427" license_url = "N/A" - logic_hash = "37baa21ea468db7e2c53f174ee34fcc7e3c9a0f2d929add42b329e84f24f9a81" + logic_hash = "8dd9f4eebe57bf9260cdb56e378c7c913d7a6ef2f2daf4d22fdb1c8dd9014f56" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 6a00 6a00 6a03 68???????? 68???????? 6a50 } - $sequence_1 = { e8???????? 6804010000 e8???????? 6804010000 8bf8 } - $sequence_2 = { ff15???????? 6a00 6a00 6a00 6a00 68???????? 68???????? } - $sequence_3 = { b9???????? e8???????? 6a04 e8???????? 8bf8 57 } - $sequence_4 = { 320439 47 8847ff 4e 0f8568ffffff 8b4dfc } - $sequence_5 = { 8d95fcfeffff 03d0 8b85f8feffff 8a1a 0fb6c0 8d8dfcfeffff } - $sequence_6 = { 40 0fb60438 0fb6ca 03d8 03d9 81e3ff000080 7908 } - $sequence_7 = { 888405fcfeffff 40 3d00010000 7cf1 33db 33f6 } - $sequence_8 = { e8???????? 
83c404 6a00 6a64 52 } - $sequence_9 = { 0fb645f8 8a8c05f0feffff 888deffeffff 0fb655fc 0fb645f8 } - $sequence_10 = { 48897c2420 4156 4881ec10010000 488b05???????? } - $sequence_11 = { 83c101 898ddcfeffff 8b95dcfeffff 3b5514 0f8dcf000000 8b45f8 83c001 } - $sequence_12 = { 488b05???????? 4833c4 4889842400010000 4c8b9c2440010000 33c9 } - $sequence_13 = { 0fb655fc 0fb645f8 8a8c15f0feffff 888c05f0feffff 0fb655fc 8a85effeffff 888415f0feffff } - $sequence_14 = { 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 } - $sequence_15 = { 7d0d 41ffca 4181ca00ffffff 41ffc2 0fb6c1 } - $sequence_16 = { 888415f0feffff 0fb64df8 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff 03d1 } - $sequence_17 = { 48 0d00ffffff 40 8945f8 8b4df8 0fb6940df0feffff } - $sequence_18 = { 41ffc8 4181c800ffffff 41ffc0 410fb6c0 } - $sequence_19 = { 450fb608 4803d0 0fb602 418800 44880a 410fb610 } - $sequence_20 = { 8d1492 03d2 2bc2 4863d0 420fb60432 } - $sequence_21 = { 0fb695e8feffff 8a85effeffff 888415f0feffff e9???????? } - $sequence_22 = { 488d1424 4c03c0 410fb6c2 450fb608 4803d0 0fb602 } - $sequence_23 = { 888deffeffff 0fb695e8feffff 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff } - $sequence_24 = { 492bfb ffc1 81e1ff000080 7d0a ffc9 } - $sequence_25 = { 83e61f c1e606 03348520b72300 8b45e4 } - $sequence_26 = { c78424a80000000f000000 c78424a400000000000000 c684249400000000 720f ffb424f4000000 e8???????? } - $sequence_27 = { 4883ec20 4863d9 488bf3 48c1fe05 4c8d3d32a50000 83e31f 486bdb58 } - $sequence_28 = { 33c5 8945fc 57 8d85f0feffff 50 } - $sequence_29 = { 488bcb 488bc3 488d15faa20000 48c1f805 } - $sequence_30 = { 8985d8feffff 6a00 6804010000 8d85f0feffff 50 8b8dd8feffff 51 } - $sequence_31 = { 7405 e8???????? 488b8ba0000000 488d05c3910000 483bc8 } - $sequence_32 = { 4885c0 7509 488d0543aa0000 eb04 4883c014 8938 e8???????? } - $sequence_33 = { 50 6a00 8b8dd4feffff 51 ff15???????? 
} - $sequence_34 = { 897e70 c686c800000043 c6864b01000043 c7466888a22300 } - $sequence_35 = { eb0a c785d4feffffffff1f00 8b4508 50 6a00 } - $sequence_36 = { 85f6 7447 8802 8b048d606d4100 } - $sequence_37 = { 741a 488d0579d80000 483bf8 740e 833f00 } - $sequence_38 = { 736b 488bdf 488bf7 48c1fe05 4c8d2537ae0000 83e31f } - $sequence_39 = { 6a00 8b85d8feffff 50 8b8dd0feffff 51 6a00 6a00 } - $sequence_40 = { 8b45f4 46 83fa03 750e 8b0c85606d4100 } - $sequence_41 = { 7367 4863d9 4c8d359aa40000 488bfb 83e31f } - $sequence_42 = { 488d0d86a30000 488bc2 83e21f 48c1f805 486bd258 488b04c1 } - $sequence_43 = { 59 8945e4 8b7508 c7465cd8812300 33ff } - $sequence_44 = { 8bd8 85f6 7478 8b45fc } - $sequence_45 = { 83ef80 83c410 8975f0 897dec 3bf3 } + $sequence_1 = { ff15???????? 6a00 6a00 6a00 6a00 68???????? 68???????? } + $sequence_2 = { 6804010000 e8???????? 6804010000 8bf8 6a00 } + $sequence_3 = { 6800803801 6a00 ff37 e8???????? } + $sequence_4 = { b9???????? e8???????? 83c428 53 } + $sequence_5 = { e8???????? 6804010000 6a00 50 89442430 e8???????? 6804010000 } + $sequence_6 = { b9???????? e8???????? 57 53 56 } + $sequence_7 = { e8???????? 53 6a11 68???????? b9???????? e8???????? 6a04 } + $sequence_8 = { 83c404 6a00 6a64 52 50 } + $sequence_9 = { ffc0 488d5201 3d00010000 7cf1 448bc1 448bc9 488d1c24 } + $sequence_10 = { 408832 4181f900010000 7c9a 488bdd 85ed } + $sequence_11 = { 8a95e4feffff 88940df0feffff ebd0 c785e8feffff00000000 } + $sequence_12 = { 48897c2420 4156 4881ec10010000 488b05???????? 4833c4 } + $sequence_13 = { 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff } + $sequence_14 = { eb0f 8b85e0feffff 83c001 8985e0feffff 81bde0feffff00010000 0f8d84000000 8b8de0feffff } + $sequence_15 = { 488d1424 448bd1 8bc1 0f1f840000000000 8802 ffc0 488d5201 } + $sequence_16 = { 55 8bec 81ec24010000 a1???????? 33c5 8945f4 } + $sequence_17 = { 4c03c0 410fb6c2 450fb608 4803d0 0fb602 } + $sequence_18 = { 8a85effeffff 888415f0feffff e9???????? 
c785dcfeffff00000000 } + $sequence_19 = { 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff 03d1 } + $sequence_20 = { 410fb6c0 488d1424 41ffc1 4803d0 } + $sequence_21 = { 81bde0feffff00010000 0f8d84000000 8b8de0feffff 0fb68c0df0feffff 038de8feffff 8b85e0feffff } + $sequence_22 = { 41ffc1 4803d0 48ffc3 0fb602 } + $sequence_23 = { 4833c4 4889842400010000 4c8b9c2440010000 33c9 } + $sequence_24 = { 8b4df8 0fb6940df0feffff 0355fc 81e2ff000080 } + $sequence_25 = { 41b900300000 41b804010000 488bc8 c744242004000000 488bf8 ff15???????? 4c8d8424f0000000 } + $sequence_26 = { 6a0d 58 5d c3 8b04cdaca72300 5d c3 } + $sequence_27 = { ff15???????? 488d15c9580000 488bcb 488905???????? ff15???????? } + $sequence_28 = { 68???????? ff15???????? 8b3d???????? 85c0 0f84e4000000 6a39 } + $sequence_29 = { 8b8dd4feffff 51 ff15???????? 8985e4feffff 6a04 6800300000 6804010000 } + $sequence_30 = { 8b45e0 8b0485606d4100 f644180401 7428 57 e8???????? } + $sequence_31 = { 8d95e0feffff 52 6a00 8b85d8feffff 50 } + $sequence_32 = { bf???????? 833cf574a0230001 751e 8d04f570a02300 8938 } + $sequence_33 = { 4885c0 7507 b81a000000 eb23 488d0da39a0000 48890c03 } + $sequence_34 = { 72ed 48833d????????00 741f 488d0d4a140100 e8???????? 85c0 } + $sequence_35 = { 488d057d9f0000 740f 3908 740e 4883c010 4883780800 } + $sequence_36 = { 488d159eda0000 448d4015 488bcb e8???????? } + $sequence_37 = { e8???????? 48393d???????? 448bf0 0f85f3000000 488d0d20590000 33d2 41b800080000 } + $sequence_38 = { 8d8ddcfeffff 8d5101 8a01 41 } + $sequence_39 = { c745e4a06c4100 a1???????? 33db 43 895de0 } + $sequence_40 = { 8bbdccfeffff 8b0d???????? 890f 8b15???????? 895704 66a1???????? } + $sequence_41 = { 8b7508 c7465cd8812300 33ff 47 897e14 85c0 7424 } + $sequence_42 = { 8810 33ff 8d5001 8b048d606d4100 47 4e 807d1300 } + $sequence_43 = { 6804010000 8b85d8feffff 50 8b8de4feffff 51 ff15???????? 
5f } + $sequence_44 = { 488b81f8000000 4885c0 7403 f0ff00 488d4128 41b806000000 488d158cae0000 } + $sequence_45 = { 33c0 39b8b8a62300 0f8491000000 ff45e4 83c030 } condition: 7 of them and filesize < 262144 
@@ -91182,42 +91333,42 @@ rule MALPEDIA_Win_Get2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7a0226d0-f79d-5836-a967-6167cb32e47b" - date = "2026-01-05" - modified = "2026-01-06" + id = "69aad97e-9bbc-5bf2-a098-796108a06284" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.get2_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.get2_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "848d65ded147178f011a1ef08b3d4ca3bdaaa4bd6535c16bb052e44171fc3a23" + logic_hash = "112e73ecab2541c37509362074abcc2e68f60e1a8d93239668d353b9b5f009ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b4508 8be5 5d c20400 68d0000000 b8???????? } - $sequence_1 = { 0f849e000000 807d0c00 0f859a000000 f6c104 } - $sequence_2 = { 8bf1 8975d0 33ff 8975cc } - $sequence_3 = { 8b4508 660f6ec1 f30fe6c0 c1e91f 51 51 660f6ec8 } - $sequence_4 = { 8d55d8 8d8d24ffffff e8???????? 59 8bc8 } - $sequence_5 = { 83e017 89410c 8b4910 23c8 0f849e000000 807d0c00 } - $sequence_6 = { 895dfc e8???????? 
c645fc02 eb0b 8d45d8 } - $sequence_7 = { 897e04 897e08 33db c745ec07000000 } - $sequence_8 = { 488d7b38 488d05a6020200 483947f0 741a 488b0f 4885c9 } - $sequence_9 = { 4863c8 488b4308 48894cd008 483b6b10 0f83ba010000 } - $sequence_10 = { 488d8c24f0020000 e8???????? 90 418bd5 488d8c2470040000 } - $sequence_11 = { 488d4c2450 e8???????? 498bcc e8???????? 4c8b642468 } - $sequence_12 = { eb0f 49394e10 720b bb02000000 895c2420 } - $sequence_13 = { 440f45e8 410fb6dd 4c8b7df0 498bcf ff15???????? eb0d } - $sequence_14 = { 488d0503b20200 488bd9 488901 f6c201 740a } - $sequence_15 = { 4c8d0510e00100 488d15c9a40100 e8???????? 488bd8 } + $sequence_0 = { 897de8 33c0 895dd4 668945d8 51 } + $sequence_1 = { 50 8bce e8???????? 6a00 6a01 8d4dc0 } + $sequence_2 = { 897dd4 893e 897e04 897e08 } + $sequence_3 = { 8bec 8b9188000000 32c0 85d2 744e 8b898c000000 85c9 } + $sequence_4 = { ff7510 8d4dc0 ff750c e8???????? 83c420 83781410 } + $sequence_5 = { 83e017 89410c 8b4910 23c8 0f849e000000 807d0c00 0f859a000000 } + $sequence_6 = { 8b01 8b4004 f644080c06 74d5 8d4d84 e8???????? 8d4584 } + $sequence_7 = { 8bce 50 e8???????? ff7508 8d55d8 } + $sequence_8 = { 33d2 4889442430 4d8d0c2e 44896c2428 41b800001000 488bcb } + $sequence_9 = { 4d8b44c908 4d2b04d1 4a8b4cf008 4803c9 49d1f8 498b14c9 } + $sequence_10 = { 488d05b90b0200 483bc8 7405 e8???????? c70301000000 } + $sequence_11 = { 4889742448 488bd0 4c896c2420 488bcb ff15???????? 85c0 } + $sequence_12 = { 4883c108 e8???????? 84c0 750b c70301000000 e9???????? } + $sequence_13 = { 488945f0 4863f2 488d053e670200 4c8bfe 458be1 49c1ff06 } + $sequence_14 = { 7430 33d2 48c7411807000000 48895110 } + $sequence_15 = { 4898 483de4000000 730f 4803c0 488d0d5a050100 } condition: 7 of them and filesize < 720896 
@@ -91227,42 +91378,42 @@ rule MALPEDIA_Win_Shakti_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "46b500e9-a975-5cdc-a985-5108deee61aa" - date = "2026-01-05" - modified = "2026-01-06" + id = "1743fd4e-953a-51a5-918d-416d515e0593" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shakti_auto.yar#L1-L175" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shakti_auto.yar#L1-L175" license_url = "N/A" - logic_hash = "b5c0b26c5dc41457d9e16bd381b5ef6f5c4b5edd5ff24e7078690fca0d450c8b" + logic_hash = "97bf351c0e8aee24a7919bc62c51ec3706084eeee07b396176aa22730824e170" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894df0 e9???????? 8b55fc 83c214 } - $sequence_1 = { 894dfc e9???????? 8b55f8 8b45d8 } - $sequence_2 = { 8945ec 8b4dec 8b55c0 0311 8955d0 8b45d0 8b4dc0 } - $sequence_3 = { 894dcc 8b55fc 83c208 8955f0 8b45cc } - $sequence_4 = { 8b4de0 8b11 8955e0 e9???????? 8b45d8 } - $sequence_5 = { 894df0 8b55fc 8b45d8 034210 8945e0 8b4de0 } - $sequence_6 = { 0311 8b45e0 8910 eb1e 8b4de0 8b55d8 0311 } - $sequence_7 = { 8955f8 8b45f8 813850450000 7502 eb0b 8b4dc0 83e901 } - $sequence_8 = { ff75f4 8b35???????? ffd6 53 ff750c 8945f4 } - $sequence_9 = { 50 ff7594 e8???????? 
2b7598 ff7598 } - $sequence_10 = { 8945f8 8b801c090000 8945fc ff75f8 68edacef0d 8b45fc ffd0 } - $sequence_11 = { 894810 894808 c3 56 } - $sequence_12 = { 3b1cfdb0a24000 7409 47 897dfc 83ff17 72ee 83ff17 } - $sequence_13 = { 66837d6c01 7308 893d???????? eb14 8b07 a3???????? 833d????????ff } - $sequence_14 = { 83ec1c 53 8b1d???????? 85db 0f84dd000000 8d45e4 } - $sequence_15 = { 0f848a000000 ff750c 8d45f8 ff7508 8d4df0 e8???????? } + $sequence_0 = { 0345bc 8945bc 8b4db8 83c101 894db8 8b55b8 } + $sequence_1 = { 8b55e0 8b45d8 03420c 8945cc 8b4de0 8b55c0 } + $sequence_2 = { 8b4dc0 83e901 894dc0 ebb0 648b1530000000 8955d8 8b45d8 } + $sequence_3 = { 03513c 8955d0 8b45d0 83c078 8945ec 8b4dec } + $sequence_4 = { 0311 8955fc 8b45fc 83780c00 0f84e2000000 8b4dfc 8b55d8 } + $sequence_5 = { 0311 8955dc eb14 817de854caaf91 750b } + $sequence_6 = { 668b45c8 6683e801 668945c8 0fb74dc8 85c9 75b1 } + $sequence_7 = { 0f848b000000 8b4de0 8b5128 8955cc 8b45e0 668b4824 } + $sequence_8 = { 837dd400 a1???????? 7423 c700b8000000 } + $sequence_9 = { 33ff 8db7d0a34000 ff36 e8???????? 83c704 } + $sequence_10 = { 8d0433 50 ff759c ff15???????? 85c0 740d 837d9000 } + $sequence_11 = { 83c410 85c0 0f85a9000000 2145f8 85db 767f 8b4df8 } + $sequence_12 = { 7507 66837d6c02 eb0b 837de002 7516 } + $sequence_13 = { 8b7de4 8d45e8 50 6a40 } + $sequence_14 = { 59 e8???????? 83c40c 85c0 7408 ff75f0 e9???????? } + $sequence_15 = { 894588 8b85c0000000 be05010000 56 894584 } condition: 7 of them and filesize < 191488 
@@ -91272,36 +91423,36 @@ rule MALPEDIA_Win_Racket_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f3a5d01f-f04e-5cab-9782-744a7bfd597c" - date = "2026-01-05" - modified = "2026-01-06" + id = "8027e9a0-57db-5545-b6f4-a197594f5a36" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.racket" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.racket_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.racket_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "60433cbd73972642cf68f927363d7c0cddb01db6fa6acbb68279911c92eddf9a" + logic_hash = "ceb3c93810c93af982e55b2035c8dbd907cd656125f8bee4eef7973f3a55e657" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837e2400 750a c6460c00 8b35???????? 68???????? 57 ffd3 } - $sequence_1 = { c1e803 2401 837b0400 884303 751b 6a00 6a00 } - $sequence_2 = { 6a00 c706???????? 897e08 6a00 c7460c00000000 c7461000000000 6861080000 } - $sequence_3 = { 8945f0 56 50 8d45f4 64a300000000 8b4510 85c0 } - $sequence_4 = { 8987e4fdffff 8b86e0fdffff 8987e8fdffff 8b86e4fdffff 8987ecfdffff 8b86e8fdffff 8987f0fdffff } - $sequence_5 = { 57 53 56 8d4a1c e8???????? 
5f 5b } - $sequence_6 = { 895dd0 8b7508 33ff 897dcc 8975bc 3b750c 0f8ddd070000 } - $sequence_7 = { 894dfc 394db8 0f8c37050000 8b5514 be01000000 2bd0 894df4 } - $sequence_8 = { f7c700000002 7446 8b0a 3b4a04 752a 837a1000 7517 } - $sequence_9 = { ffb548ffffff 0f57c0 c745ac00000000 8d4da4 660fd645a4 e8???????? } + $sequence_0 = { 8b4020 5d c3 84c9 7908 8b4508 8b00 } + $sequence_1 = { ffd6 8d8db8f1ffff a3???????? e8???????? 50 53 } + $sequence_2 = { 8b4804 c1eb1f 80f301 894df8 7518 6a00 } + $sequence_3 = { 68???????? ffd6 85c0 0f95c0 884719 8d85f4fdffff 50 } + $sequence_4 = { 74f1 56 ff7510 ff750c ff7508 } + $sequence_5 = { 8845f8 8d45ac 0f1145d0 50 0f2805???????? } + $sequence_6 = { 83c420 39450c 7c3c 6a00 6a00 6868080000 ff34b56cb30610 } + $sequence_7 = { 8945a8 8b0d???????? 85c9 740d 6a00 6a01 e8???????? } + $sequence_8 = { e8???????? 8d8db4f0ffff e8???????? 8d8db0efffff e8???????? 8d8decfeffff e8???????? } + $sequence_9 = { 2bcb 8955f0 c1f904 b8ffffff0f 8bd9 d1eb 2bc3 } condition: 7 of them and filesize < 985088 
@@ -91311,36 +91462,36 @@ rule MALPEDIA_Win_Risepro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a15990c8-9753-5e87-a4b5-d8648a3a2e45" - date = "2026-01-05" - modified = "2026-01-06" + id = "d5601c4e-08cb-5b32-a0f4-d978d3dc415f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.risepro_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.risepro_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "27ab7b74bb4368f92b33ca48075a5bb9daa807fbe12d867a6bb9fe94c38b462c" + logic_hash = "6d0a9b7b0bef36aa287c5366b6fc1653c25cb0fb31c1a47b1f190c2896f6b738" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb04 32c0 eb02 b001 8be5 5d } - $sequence_1 = { e8???????? 50 8d4de4 e8???????? ebdc 8d4de4 } - $sequence_2 = { 8b5508 8d0c4a 8d5514 e8???????? } - $sequence_3 = { 8995f0feffff b808000000 6bc800 8b95ccfeffff 8b840a8c000000 } - $sequence_4 = { 8b4de8 0fb79180000000 52 8b4508 50 8b4de8 e8???????? } - $sequence_5 = { c745fc00000000 c745d888bd4100 8b4de8 51 8b55d8 52 8d4def } - $sequence_6 = { 8b55c8 8955b0 8d45d8 50 } - $sequence_7 = { 8bc8 e8???????? 8945f8 e8???????? 8945f4 } - $sequence_8 = { 64a300000000 894dc4 8b4dc4 83c11c e8???????? 
} - $sequence_9 = { 2b45f0 3b45f4 7305 e8???????? 8a45fe } + $sequence_0 = { 8945f4 8b55f8 8b4df4 e8???????? 8b4508 8b4810 894df0 } + $sequence_1 = { 687c24e453 e8???????? 8945e8 8955ec 33c0 8845df } + $sequence_2 = { 8b95f4feffff 03511c 899598feffff c785dcfeffff00000000 eb0f } + $sequence_3 = { 034dec e8???????? 8945b8 8b45bc 50 8b55b8 } + $sequence_4 = { 807c182900 741c 8d45fc 50 8b04bd00ef4100 ff741818 ff15???????? } + $sequence_5 = { 8b55f8 8911 eb1f 8b45ec 50 8b4df4 51 } + $sequence_6 = { 894df0 8b45f0 83780800 7504 33c0 eb35 c745f800000000 } + $sequence_7 = { f20f59db 660f282d???????? 660f59f5 660f28aaa0b14100 660f54e5 660f58fe 660f58fc } + $sequence_8 = { 8d4544 50 e8???????? 8b4dc8 51 } + $sequence_9 = { 52 8b4de8 e8???????? 8b45ec 50 8b4dec } condition: 7 of them and filesize < 280576 
@@ -91350,72 +91501,73 @@ rule MALPEDIA_Win_Prikormka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2d17b792-a768-56ab-af11-e8fba342d1c6" - date = "2026-01-05" - modified = "2026-01-06" + id = "73f6815f-df11-5f6c-8617-23b0e5bf7160" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.prikormka_auto.yar#L1-L417" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.prikormka_auto.yar#L1-L426" license_url = "N/A" - logic_hash = "ca50544df2308cc151f303c9210769038ba6545078bcd4dca147dd52915255ab" + logic_hash = "44ae1771bbcdbc8e993a8d8751c37e47e542eb2fa1fb1f18be6b42acb1d3ebc0" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d0446 50 e8???????? 83c40c 6a00 56 } - $sequence_1 = { 6a00 56 ffd3 8b2d???????? 85c0 7405 } - $sequence_2 = { 8d1446 52 e8???????? 83c40c } - $sequence_3 = { 6800020000 ff15???????? 68???????? ffd7 03c0 50 68???????? } - $sequence_4 = { 51 e8???????? 83c40c 68???????? ffd7 } - $sequence_5 = { 85f6 7420 68???????? ffd7 } - $sequence_6 = { 6a00 56 ffd3 85c0 7405 6a02 56 } - $sequence_7 = { 740e 68???????? 50 ff15???????? ffd0 } - $sequence_8 = { 7408 41 42 3bce } - $sequence_9 = { 83c40c 8d442404 50 ff15???????? 5e 85c0 } - $sequence_10 = { 59 c3 50 ff15???????? 
b801000000 } - $sequence_11 = { 6a00 6a00 ff15???????? 85c0 7502 59 c3 } - $sequence_12 = { 0fb7c0 6683f805 7d09 b801000000 } + $sequence_0 = { 8d0446 50 e8???????? 83c40c 6a00 } + $sequence_1 = { 6800020000 ff15???????? 68???????? ffd7 } + $sequence_2 = { 85f6 7420 68???????? ffd7 03c0 50 } + $sequence_3 = { 51 e8???????? 83c40c 68???????? ffd7 } + $sequence_4 = { 56 ffd3 8b2d???????? 85c0 7405 } + $sequence_5 = { 83c40c 6a00 56 ffd3 85c0 } + $sequence_6 = { 7405 6a02 56 ffd5 } + $sequence_7 = { 85c0 740e 68???????? 50 ff15???????? ffd0 } + $sequence_8 = { 52 e8???????? 83c40c 8d442404 50 ff15???????? 5e } + $sequence_9 = { 6a00 6a00 ff15???????? 85c0 7502 59 } + $sequence_10 = { 7408 41 42 3bce } + $sequence_11 = { 85c0 7502 59 c3 50 ff15???????? b801000000 } + $sequence_12 = { 83ec08 68???????? ff15???????? 0fb7c0 6683f805 7d09 } $sequence_13 = { c3 57 6a00 6a00 6a00 6a02 } - $sequence_14 = { 68???????? ff15???????? 0fb7c0 6683f805 } - $sequence_15 = { ff15???????? ffd0 c705????????01000000 c705????????01000000 } - $sequence_16 = { 5e 85c0 7422 68???????? 50 } - $sequence_17 = { 5e 85c0 7414 c705????????01000000 } + $sequence_14 = { ff15???????? ffd0 c705????????01000000 c705????????01000000 } + $sequence_15 = { ff15???????? 5e 85c0 7422 } + $sequence_16 = { 5e 85c0 7414 c705????????01000000 } + $sequence_17 = { 3db7000000 750e 56 ff15???????? 33c0 5e } $sequence_18 = { 33f6 e8???????? e8???????? e8???????? e8???????? e8???????? e8???????? } $sequence_19 = { 6685d2 75f5 2bce 8d1400 52 d1f9 } - $sequence_20 = { 8bf0 ff15???????? 3db7000000 751f } - $sequence_21 = { 50 e8???????? 8b2d???????? 83c40c 6a00 } - $sequence_22 = { 3db7000000 751f 56 ff15???????? 33c0 } - $sequence_23 = { 668b08 83c002 6685c9 75f5 8b0d???????? 2bc2 8b15???????? } + $sequence_20 = { 6a00 ff15???????? 8bf0 ff15???????? 3db7000000 751f 56 } + $sequence_21 = { 8b0d???????? 2bc2 8b15???????? d1f8 } + $sequence_22 = { e8???????? 8b35???????? 83c40c 68???????? 
ffd6 03c0 } + $sequence_23 = { 75f5 2bc6 8d0c12 51 d1f8 } $sequence_24 = { d1f8 8d7102 8da42400000000 668b11 83c102 6685d2 } - $sequence_25 = { e8???????? 8b35???????? 83c40c 68???????? ffd6 03c0 } - $sequence_26 = { 50 e8???????? b8???????? 83c40c 8d5002 } - $sequence_27 = { 6685c9 75f5 8d0c12 2bc6 51 d1f8 8d544408 } - $sequence_28 = { 75f5 2bc6 8d0c12 51 d1f8 } - $sequence_29 = { 85c0 7409 6a02 68???????? } - $sequence_30 = { 52 0fb754241c 50 0fb7442422 } - $sequence_31 = { e8???????? 83c40c eb0d 6a00 6800020000 ff15???????? } - $sequence_32 = { 68???????? 33ff 57 57 ff15???????? 8bf0 } - $sequence_33 = { 68???????? ffd6 50 68???????? 57 ffd6 03c7 } - $sequence_34 = { 75f5 2bc2 b9???????? d1f8 8d7102 668b11 } - $sequence_35 = { 83c002 6685c9 75f5 2bc6 03d2 52 } - $sequence_36 = { 6685d2 75f5 8d1400 2bce 52 d1f9 } - $sequence_37 = { d1f8 8bd0 b8???????? 8d7002 } - $sequence_38 = { b8???????? 8d7002 8da42400000000 668b08 83c002 } - $sequence_39 = { 8b1d???????? 83c40c 6a00 68???????? } - $sequence_40 = { 50 e8???????? b9???????? 83c40c 8d5102 668b01 } - $sequence_41 = { c20400 6a0c b8???????? e8???????? 33c0 8945ec } - $sequence_42 = { 6a00 8d45f8 50 8d34fd0cde0110 ff36 e8???????? } - $sequence_43 = { 50 43 6a02 43 } - $sequence_44 = { 8d4514 50 e8???????? 53 8d4d00 } - $sequence_45 = { 3bfb 7d12 8b4de4 53 } + $sequence_25 = { 50 e8???????? b8???????? 83c40c 8d5002 } + $sequence_26 = { 85c0 7409 6a02 68???????? } + $sequence_27 = { 6685c9 75f5 2bc7 8d0c12 } + $sequence_28 = { 0fb754241c 50 0fb7442422 51 } + $sequence_29 = { 83c40c 8d5002 668b08 83c002 6685c9 75f5 8b0d???????? } + $sequence_30 = { 2bc2 b9???????? d1f8 8d7102 } + $sequence_31 = { 50 68???????? 57 ffd6 03c7 50 } + $sequence_32 = { 75f5 2bc2 d1f8 8bd0 b8???????? 8d7002 } + $sequence_33 = { 83c40c 68???????? ffd6 50 68???????? 57 } + $sequence_34 = { 83c102 6685d2 75f5 8d1400 2bce } + $sequence_35 = { 50 ff15???????? 
0fb74c2416 0fb7542414 } + $sequence_36 = { 83c40c eb0d 6a00 6800020000 } + $sequence_37 = { 83c002 6685c9 75f5 2bc6 03d2 52 } + $sequence_38 = { 8bd0 b8???????? 8d7002 8da42400000000 668b08 83c002 } + $sequence_39 = { 56 57 68???????? 33ff 57 57 ff15???????? } + $sequence_40 = { ffd3 8b3d???????? 85c0 7409 } + $sequence_41 = { 50 e8???????? 8b1d???????? 83c40c 6a00 68???????? } + $sequence_42 = { 7409 ff3424 ff15???????? 59 } + $sequence_43 = { 50 68???????? 68???????? ff7508 ff75f0 } + $sequence_44 = { 8bf0 3bf3 0f8c0a030000 8b45e8 3bc3 74d0 } + $sequence_45 = { 59 85c0 756a ff7708 e8???????? 59 } + $sequence_46 = { 8d442408 50 e8???????? 33c0 40 5e c25c00 } condition: 7 of them and filesize < 401408 
@@ -91425,36 +91577,36 @@ rule MALPEDIA_Win_Firechili_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4b311c4-f6ac-5e5a-9826-d5ef4ea0d836" - date = "2026-01-05" - modified = "2026-01-06" + id = "28cfd257-2962-529a-a32d-592d4dcea4c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.firechili_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.firechili_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "db458f5c2a3a8ef8f27139a55fa4a245c49e387f1da157602228dcf03106d70c" + logic_hash = "54da2a2a6e07f200c250dd9cd8406105f845dc689c9290b895febdc48bbd5956" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb2d 488b4c2430 8b442440 894110 4533c9 } - $sequence_1 = { 4883ec20 488bda 488bf9 ba30000000 33c9 41b873747600 ff15???????? } - $sequence_2 = { 4c8d442430 488bcb 41ffd1 eb1b 4c8b05???????? eb23 } - $sequence_3 = { 4889bc2488000000 33ff c7450730000000 ba3f000f00 897d67 488d4d77 48897d77 } - $sequence_4 = { 4885d2 7509 4883e802 bb05000080 668938 } - $sequence_5 = { 0f8489000000 4885db 0f8480000000 488d5318 4032ff 4885d2 7462 } - $sequence_6 = { e8???????? 488d0d65370000 ff15???????? ff15???????? 
33c0 4881c430020000 } - $sequence_7 = { 84c0 0f84ff000000 0fb77c2420 488b742428 8bc7 48d1e8 } - $sequence_8 = { 33ff b90d0000c0 4d85d2 0f45cf 7408 488bc2 492bc2 } - $sequence_9 = { 4889442420 488d55f7 ff15???????? 85c0 8bd8 0f49df } + $sequence_0 = { 400fb6ff 488d4c2420 84c0 410f45ff } + $sequence_1 = { c3 e8???????? 833d????????00 74e2 4c8bc3 e8???????? 488905???????? } + $sequence_2 = { 33ff 41897b10 49897b18 33c0 498943c8 498943d0 } + $sequence_3 = { ff15???????? eb07 bb0f001cc0 eb2d 488b4c2430 8b442440 } + $sequence_4 = { 4c8d05b4430000 89442434 498bc0 48894c2420 48894c242c 895c2438 } + $sequence_5 = { 488bcf ff15???????? eb10 488bd7 } + $sequence_6 = { 0f1f00 488d0440 488d34c500000000 420fb7442e10 428b542e14 0fb6c8 } + $sequence_7 = { 48894138 41807c241000 0f848d000000 4885c0 0f8484000000 4d8bc4 498bd7 } + $sequence_8 = { 4839542420 7509 33c0 663b442428 745e ff15???????? } + $sequence_9 = { 488b4908 ff15???????? 8bd8 85c0 0f881b010000 4c8d8c24a8020000 41b848020000 } condition: 7 of them and filesize < 91136 
@@ -91464,36 +91616,36 @@ rule MALPEDIA_Win_Petrwrap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4231d0f2-bcca-5065-a819-dce30768f04e" - date = "2026-01-05" - modified = "2026-01-06" + id = "5a00d725-ac2b-5815-bb51-c40a9c8320c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.petrwrap_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.petrwrap_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "df938443ce3aca6f9d40529b8ac059dfa5d88a7d6127ee28afd16bed66ad9fc4" + logic_hash = "fac4da6f287d47c3e4b12460d0e0c6e49eff8634ac72b6c1281dbbb069e6d1df" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b442458 8bf9 0fa4c119 33f2 c1e019 } - $sequence_1 = { 894c241c 3bcf 763b 6845030000 68???????? 6a44 6a68 } - $sequence_2 = { 68???????? 57 e8???????? 83c408 85c0 0f89ff010000 57 } - $sequence_3 = { 3bd9 7301 47 8b442414 89700c 8b4508 33f6 } - $sequence_4 = { 50 e8???????? 83c410 ff15???????? 8945b4 b808000000 e8???????? 
} - $sequence_5 = { 83c430 83c20a 89542444 85d2 } - $sequence_6 = { 330c85d01c4400 8b44242c c1e818 330c85d0184400 0fb6c2 330c85d0244400 8bc3 } - $sequence_7 = { 8b4c2440 83c42c 894c241c 85c0 7507 6831020000 eb44 } - $sequence_8 = { 8b4d00 89450c 8b03 894c2424 8d04b0 2bf2 c1fe1f } - $sequence_9 = { 4a 75f5 8b0e c7460406000000 83c114 8d4900 8b01 } + $sequence_0 = { 83c46c c3 55 68???????? 57 56 e8???????? } + $sequence_1 = { c1e108 0fb680d0384400 33c8 334f04 8bc1 c1c808 2500ff00ff } + $sequence_2 = { 8d0475ffffffff 89442418 83c8ff 396f0c 0f45d0 8954241c e8???????? } + $sequence_3 = { 33c8 0fb6c3 0fb60485d01c4400 33c8 334d04 8bc1 } + $sequence_4 = { f7d7 237c2444 f7d2 23542418 33f9 8b4c2414 33d0 } + $sequence_5 = { f76500 89442418 8bca 0fa4c101 33f6 03c0 } + $sequence_6 = { 8bf0 85f6 746a 8b4610 8b6d00 } + $sequence_7 = { b8420435af 641a4157 347d 4e 46 92 } + $sequence_8 = { 7f04 8bcb eb10 51 53 e8???????? 8bc8 } + $sequence_9 = { 68???????? 6a01 6a09 e8???????? a1???????? 68da000000 68???????? } condition: 7 of them and filesize < 1024000 
@@ -91503,36 +91655,36 @@ rule MALPEDIA_Win_Deadwood_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b63793f4-2418-5ad7-9269-78c13c5e655b" - date = "2026-01-05" - modified = "2026-01-06" + id = "303bb9bd-2be8-56ae-af8b-89adb9222ff3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deadwood_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deadwood_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "37c079b3ff282377b03776f4a709dbdd660de9909aaf5ffcbe15f9216992b56f" + logic_hash = "a0ccc35033fb022fdfa9ec3165249c75b83b237f1638e915ad2906afcf937a68" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b9???????? c645fcc6 e8???????? 68???????? b9???????? c645fcc7 } - $sequence_1 = { 68f0d8ffff 57 56 e8???????? 89442428 8954242c } - $sequence_2 = { e8???????? 33c0 e9???????? 8975e4 33c0 39b8a0e34600 0f8491000000 } - $sequence_3 = { c1f803 57 83f828 0f8e27010000 40 99 83e207 } - $sequence_4 = { 895e14 385d0c 7409 c745e858f54500 eb06 8b4008 8945e8 } - $sequence_5 = { 52 c745fc04000000 e8???????? 8d4dd0 8d851cffffff e8???????? } - $sequence_6 = { 57 897dfc 57 c745c801000000 ff15???????? 
8bf8 897dd0 } - $sequence_7 = { 57 33db 6807020000 8d85f5fdffff 53 50 8bf1 } - $sequence_8 = { 8bc2 c1e81f 03c2 03f8 83c40c 897d14 85f6 } - $sequence_9 = { ffd5 8b4c241c 64890d00000000 59 5f 5e 5d } + $sequence_0 = { 53 ff15???????? 57 ff15???????? 8bc6 8b4df4 64890d00000000 } + $sequence_1 = { 83c404 8d8d20ffffff c745e80f000000 895de4 885dd4 885dfc e8???????? } + $sequence_2 = { 85c0 751d 8b4d08 51 68???????? 8d57ff 52 } + $sequence_3 = { 33db 895dfc 8d4dbc 895de8 e8???????? b801000000 8945fc } + $sequence_4 = { 83c40c 83bdd4feffff03 0f8580010000 895dbc 895dc0 895dc4 83ec08 } + $sequence_5 = { 8b5014 8d4c2424 51 8bce ffd2 8b7604 3bf3 } + $sequence_6 = { 85f6 0f8486000000 c7462014104600 83c7d8 c7462864b94500 b801000000 8845fc } + $sequence_7 = { 68ffff0000 ff15???????? 6a01 ff15???????? 68e8030000 ff15???????? e9???????? } + $sequence_8 = { 51 e8???????? 83c404 33d2 89bd64ffffff 899d60ffffff 66899550ffffff } + $sequence_9 = { 8b7518 85f6 742a 8d4604 83c9ff f00fc108 751e } condition: 7 of them and filesize < 1055744 
@@ -91542,36 +91694,36 @@ rule MALPEDIA_Win_Powershellrunner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6a02b05b-5544-5fd8-bda1-2b73877e66ff" - date = "2026-01-05" - modified = "2026-01-06" + id = "eacdbb2c-3d66-580e-b060-7a1eb355a304" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.powershellrunner_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.powershellrunner_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "150515a586587c1b339d21af473c6cacdf2854e2b8551085b1787b23d2cc9d35" + logic_hash = "1034f536f5bb3ad6524bc12ee0c30b48f5cbd5e0bda55a9c64b71b24cb4d5111" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c684243e02000036 c684243f02000014 c684244002000031 c684244102000031 } - $sequence_1 = { 488bd3 488d0d0f440200 e8???????? 33c9 85c0 480f44cb } - $sequence_2 = { 488d4c2450 e8???????? ba05000000 488d4c2448 e8???????? ba06000000 } - $sequence_3 = { b872000000 6689842452010000 b872000000 6689842454010000 b865000000 6689842456010000 } - $sequence_4 = { 8b442440 8b4c2444 03c8 8bc1 8bc8 ff15???????? 8b442424 } - $sequence_5 = { 488d4c2428 e8???????? 
89442420 837c242000 7418 } - $sequence_6 = { 4889442428 eb1c 488b442420 4883c002 4889442420 488b442428 4883c002 } - $sequence_7 = { 4c8b442438 488d542420 488d4c2460 e8???????? 0fb6c0 85c0 7415 } - $sequence_8 = { 7363 488bf3 4c8d351b770100 83e63f 488beb 48c1fd06 48c1e606 } - $sequence_9 = { 488bc8 e8???????? 4c8d442440 488bd0 488b4c2448 e8???????? 488b842490000000 } + $sequence_0 = { 488b442428 4883c004 4889442428 4c8b442428 488b542430 488b4c2450 e8???????? } + $sequence_1 = { eb00 8b442440 488b8c2490010000 4833cc e8???????? } + $sequence_2 = { 488d4c2470 e8???????? 90 488d4c2428 e8???????? 89442420 837c242000 } + $sequence_3 = { 8b442458 e9???????? 4883bc243801000000 7447 0fb7442470 448bc0 } + $sequence_4 = { 4c8d05fe920000 498bce e8???????? 85c0 0f85a9000000 eb5e } + $sequence_5 = { 6689842498010000 b86e000000 668984249a010000 b876000000 668984249c010000 } + $sequence_6 = { 488b442458 4883e804 4889442458 488b4c2458 e8???????? } + $sequence_7 = { 48c7442458feffffff 488b05???????? 4833c4 4889842460040000 b824000000 66898424a0000000 b870000000 } + $sequence_8 = { 90 488d8c2490000000 e8???????? 90 488d4c2440 e8???????? 90 } + $sequence_9 = { 4889442438 4c8b442438 488d542420 488d4c2460 e8???????? 0fb6c0 85c0 } condition: 7 of them and filesize < 458752 
@@ -91581,36 +91733,36 @@ rule MALPEDIA_Win_Mosaic_Regressor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6545d5ce-704c-5c00-a6cd-ec1b5c909576" - date = "2026-01-05" - modified = "2026-01-06" + id = "12062903-0c5b-511f-afcb-0d608575554b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosaic_regressor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mosaic_regressor_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mosaic_regressor_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "73c7fd14f8effd7ac9e0816b586de74eff8d0d21c8391e8e84f2921e57196fdb" + logic_hash = "dbcbd99246b6751ea732da1de8952aa64b7558dea9e793847a19e775aea061fa" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 670010 386700 1023 d18a0688078a } - $sequence_1 = { 8975e0 8db1d0a70010 8975e4 eb2a } - $sequence_2 = { 85c0 7456 8b4de0 8d0c8de0b70010 8901 8305????????20 } - $sequence_3 = { f3a4 6a1c 8d8c2480060000 51 6a00 ffd5 8d842478060000 } - $sequence_4 = { 8d442460 50 6a00 ffd5 8d442458 48 8d4900 } - $sequence_5 = { 895008 8d542458 52 88480c } - $sequence_6 = { c744241444000000 8bc8 90 8a10 } - $sequence_7 = { 6a06 89430c 8d4310 8d89c4a70010 5a } - $sequence_8 = { 8bff 55 8bec 8b4508 ff34c578a10010 ff15???????? 
5d } - $sequence_9 = { 6a00 6a00 6a00 8d942498080000 } + $sequence_0 = { 4f 8a4701 47 84c0 75f8 8d84246c020000 66891f } + $sequence_1 = { 33c0 40 5f 5e c3 8324f578a1001000 } + $sequence_2 = { 8d34fd24aa0010 ff36 e8???????? 59 50 } + $sequence_3 = { 85c0 7524 a1???????? a3???????? a1???????? c705????????f01a0010 8935???????? } + $sequence_4 = { 75f9 56 57 8dbc2480080000 2bc1 8bf1 4f } + $sequence_5 = { 8b4508 ff34c578a10010 ff15???????? 5d c3 6a0c } + $sequence_6 = { 81c444010000 c3 8b8c2440010000 33cc 33c0 e8???????? } + $sequence_7 = { 0010 b857001023 d18a0688078a 46 } + $sequence_8 = { 75f8 8d842480070000 66891f 8bc8 8a10 40 84d2 } + $sequence_9 = { 83c404 83f801 0f850d030000 6a44 } condition: 7 of them and filesize < 113664 
@@ -91620,36 +91772,36 @@ rule MALPEDIA_Win_Nimbo_C2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2024fcd8-73ff-5d21-84a0-faeb93ed391a" - date = "2026-01-05" - modified = "2026-01-06" + id = "9691597c-0096-578b-a97a-0e5e5616cf7d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nimbo_c2_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nimbo_c2_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "6b113df7136733641a874652387013b524eae7ec4a37b82db2a8e2b046f0820e" + logic_hash = "94208a4dd793bbfc58f1beaa6cb1a790df815bd60fa1882ddcb3318c93bc60a5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7411 488b09 ba02000000 e8???????? c6430800 4883c420 5b } - $sequence_1 = { 48c7c0fcffffff 4885d2 7407 488b02 4883e804 488d4c0210 ba04000000 } - $sequence_2 = { 498d8c24b0000000 4889c2 e8???????? 4c89e0 41c68424b800000001 4883c420 } - $sequence_3 = { 4819db 4889c1 488985c0feffff e8???????? 83e313 488d8df8feffff 4881c306000200 } - $sequence_4 = { e8???????? 90 4883c438 c3 488b05???????? 48ff20 488b05???????? } - $sequence_5 = { 7f1c 488b8df8fbffff e8???????? 
4889f2 4989c7 4885c0 7432 } + $sequence_0 = { c3 4883ec38 4c8b4928 498b00 4d8b4008 4d85c9 7517 } + $sequence_1 = { 6683bd90feffff0d 488b4d10 742a e8???????? 488d8dc0feffff 4889c2 e8???????? } + $sequence_2 = { 4983c704 4d39fc 75bd 49be1111111111111111 31ed 49bd2222222222222222 49bc4444444444444444 } + $sequence_3 = { c3 4155 4154 4883ec48 4989cc 488b09 4c8d442438 } + $sequence_4 = { 410f9fc0 4901c0 31c0 4885c9 7412 488b01 eb0d } + $sequence_5 = { 741a 49837d0000 7e13 4c89e1 e8???????? 4c89ea } $sequence_6 = { 6605bb01 488b4c2450 0fb7d0 41b901000000 41b806000000 e8???????? 4889d9 } - $sequence_7 = { 4889c6 4d85f6 740d 4889fa 4c89f1 e8???????? eb07 } - $sequence_8 = { 4889c2 eb28 4d8d46ff 4c89e1 e8???????? 4c89f9 4889c2 } - $sequence_9 = { 57 56 53 4883ec20 488bb42488000000 4c8b32 4889f5 } + $sequence_7 = { c3 4157 b848800000 4156 4155 4154 55 } + $sequence_8 = { e8???????? 0fb65310 4c89e1 e8???????? 0fb65318 4c89e1 e8???????? } + $sequence_9 = { 4885c9 7407 e8???????? eb18 49634c2418 83f904 7e0e } condition: 7 of them and filesize < 1141760 
@@ -91659,36 +91811,36 @@ rule MALPEDIA_Win_Crypmic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a26f518b-f54e-5798-8fd7-c3e715fae74e" - date = "2026-01-05" - modified = "2026-01-06" + id = "2fb5a5d4-5639-5151-9ecd-a14d51c7dc38" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crypmic_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crypmic_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "c8a49a63b1990f5f0d77a9fcf41412b9f9f6710da574c5641db1ab5f7eadc95a" + logic_hash = "e3f372b74e5b162e0a142ad1aca38c8e8cd788c7dafdd2731e03882c89febb3e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 8bec 83ec10 837d0800 8bc2 894df8 0f868c000000 } - $sequence_1 = { 740a 8d4002 46 66833800 75f6 8d3c72 33c0 } - $sequence_2 = { 8d3409 33db 0fb7143e 663bda } - $sequence_3 = { 66833800 75f6 8d3c72 33c0 } - $sequence_4 = { 0fb78c15c0fdffff 663bf1 75e8 8b75f4 } - $sequence_5 = { 8b4e08 53 6a08 ff7604 } - $sequence_6 = { 8bec 81ec70020000 8b4108 53 56 } - $sequence_7 = { 56 57 894df4 83f828 7252 83e828 } - $sequence_8 = { 50 8b4608 6a08 ff7604 ffd0 8bf8 c70728000000 } - $sequence_9 = { bb04000000 eb27 83f808 7707 } + $sequence_0 = { 6810040000 6a08 ff7104 8bfa } + $sequence_1 = { 
ff7104 8bfa 894dec c745e800000000 ffd0 0fb717 } + $sequence_2 = { 8bec 83ec0c 8b413c 53 8b440878 } + $sequence_3 = { 8b413c 33db 8b440878 03c1 8945fc 395818 } + $sequence_4 = { ffd0 85f6 7410 8b55f8 33c0 8bcf 66894302 } + $sequence_5 = { 8b470c 6a00 ff7704 ffd0 } + $sequence_6 = { d3e0 8d048528000000 50 8b4608 6a08 ff7604 ffd0 } + $sequence_7 = { 8b4de4 894f04 8b4de8 894f08 668b4df0 66894f0c } + $sequence_8 = { 72f0 8b45f0 5f 5e 5b } + $sequence_9 = { ffd0 c70700000000 5f 5e } condition: 7 of them and filesize < 81920 
@@ -91698,36 +91850,36 @@ rule MALPEDIA_Win_Pseudo_Manuscrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6b5074a-ee80-5f17-8d10-821d108c299b" - date = "2026-01-05" - modified = "2026-01-06" + id = "a2bb2d28-922c-5165-af00-8264e9dc198d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pseudo_manuscrypt_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pseudo_manuscrypt_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "c6f7c325b24974deecc4b35c3043dbcf14d37411aa98d6d4fbada988adbed753" + logic_hash = "c1375ce99acff00af3750f77d989563b610b0d118b8fb67c014ab6172f438d65" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b45ec 8d044502000000 a3???????? 8b4dfc 33cd e8???????? 8be5 } - $sequence_1 = { 8b8594feffff 8d8df0feffff 8b9ddcfeffff 8bbdd8feffff 99 03c3 898de4feffff } - $sequence_2 = { 8bf8 ff15???????? 5e 8bc7 5f 5b 8be5 } - $sequence_3 = { 50 e8???????? 83c404 c70700000000 8b07 c7470800000000 } - $sequence_4 = { eb6b 8d45a0 50 8d4d8c e8???????? 8b4dc0 85c9 } - $sequence_5 = { 8bec 83ec14 57 8d45ec c745ec14000000 50 8bf9 } - $sequence_6 = { 7407 b801000000 5e c3 8b86c0000000 85c0 7411 } - $sequence_7 = { 390d???????? 0f94c0 c3 a1???????? 
c3 8bff 55 } - $sequence_8 = { ff15???????? 83c40c 8d8d1cf7ffff 51 6802000080 ff15???????? 5f } - $sequence_9 = { 56 57 8bf9 b9???????? e8???????? 8d45ac 50 } + $sequence_0 = { 8b0f 8b55f8 8b4708 2bc2 50 8d0411 50 } + $sequence_1 = { 8b36 8b4344 2bc6 85c0 7fbf 5f 5e } + $sequence_2 = { 8b5d0c 42 56 57 894df8 8d43ff 8955f0 } + $sequence_3 = { 8bf0 85f6 0f8494000000 56 e8???????? 83c404 8945cc } + $sequence_4 = { 8b4df8 03cf 833900 75c9 8b4d0c 83c114 894d0c } + $sequence_5 = { ff15???????? 8906 85c0 7440 8d4e1c 897e10 c7461400040000 } + $sequence_6 = { 53 56 8945f8 8b4510 57 8bf9 8945f4 } + $sequence_7 = { 8bec 81ecdc070000 a1???????? 33c5 8945fc 53 56 } + $sequence_8 = { 8d044502000000 50 8b45fc ff75f0 03c6 50 e8???????? } + $sequence_9 = { 85c0 7427 8d4df8 51 8d4e78 e8???????? } condition: 7 of them and filesize < 753664 
@@ -91737,40 +91889,40 @@ rule MALPEDIA_Win_Atlas_Agent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "12437137-122e-5647-b916-3934d94f17a9" - date = "2026-01-05" - modified = "2026-01-06" + id = "b51a6e70-b334-5f7c-baa6-9338a4b6aeff" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlas_agent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atlas_agent_auto.yar#L1-L144" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atlas_agent_auto.yar#L1-L137" license_url = "N/A" - logic_hash = "bddbc52b224832b6d1899d8a7f9c2269559750eebdc1985f06284557268eff24" + logic_hash = "21d0301899eb8a7b2730ccd9f03da22c97049443b20193264743bb5b23499f8d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 0fb60c0a 83e13c c1f902 03c1 } $sequence_1 = { 8bc1 99 b903000000 f7f9 c1e002 } - $sequence_2 = { 8a80c0ba0410 84c0 7f1f 8bce } - $sequence_3 = { 8a55fe 8810 8d4508 50 } - $sequence_4 = { 8a55f3 8855f1 0fb645f1 85c0 746c 68???????? 8d4dd8 } - $sequence_5 = { 8a5de3 8b0495e0b50410 885c012e 8b0495e0b50410 } - $sequence_6 = { 57 4883ec20 8bfa 4c8d0d517f0100 } - $sequence_7 = { 57 4883ec20 488d1daf180300 488d3da8180300 eb12 488b03 } - $sequence_8 = { 57 4883ec20 8bda 4c8d0d35810100 } - $sequence_9 = { 57 4883ec20 8bf9 e8???????? 
4885c0 7509 488d0533ed0200 } - $sequence_10 = { 8a55ff 8810 8b45ec 83c001 } - $sequence_11 = { 57 4883ec20 4c8bda 488d2d5737fdff } - $sequence_12 = { 8a55ff 8811 8b45f4 50 e8???????? 83c404 8945f0 } - $sequence_13 = { 57 4883ec20 488d1ddb180300 488d3dd4180300 } + $sequence_2 = { 57 4883ec48 488d4c2420 e8???????? } + $sequence_3 = { 8b00 8945bc 8d4d88 e8???????? } + $sequence_4 = { 57 4883ec58 488b442470 488b00 488b4040 } + $sequence_5 = { 57 4883ec58 488d442438 488bf8 } + $sequence_6 = { 8b00 8945ec 8d4dd0 51 } + $sequence_7 = { 8b00 8945f0 8d4dff 51 } + $sequence_8 = { 8a95a4f8ffff 8895c3f8ffff c645fc01 8d8db8f9ffff } + $sequence_9 = { 57 4883ec50 488d442433 488bf8 } + $sequence_10 = { 8a95e8fdffff 8895fffdffff c645fc02 8d8db8feffff } + $sequence_11 = { 57 4883ec60 488b442470 4889442448 488b542478 } + $sequence_12 = { 8b00 8945bc 8b4d28 e8???????? } + $sequence_13 = { 57 4883ec50 418bd9 498bf8 8bf2 4c8d0de57f0100 } condition: 7 of them and filesize < 857088 
@@ -91780,36 +91932,36 @@ rule MALPEDIA_Win_Aresloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f289d632-cafa-52d9-b441-3cf36142832f" - date = "2026-01-05" - modified = "2026-01-06" + id = "9d2c1fa3-3958-5a64-9c4f-8cab4600493b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aresloader_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aresloader_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "7dea272de803a78d1da18f0ee0ed5e7c3024e3919d3d811c7316d385075c0ef8" + logic_hash = "58f82387fbcd92745ef3aeb0373442e8d221e92ea1fa770970ec548b344f1b4c" score = 60 quality = 25 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895c2404 893424 e8???????? 85c0 7831 39d8 7205 } - $sequence_1 = { 39d8 7205 c6441eff00 83c41c 5b } - $sequence_2 = { 83ec1c 8b5c2434 8b742430 8b7c2438 8b6c243c 85db 7435 } - $sequence_3 = { 8b6c243c 85db 7435 85f6 7431 } - $sequence_4 = { 85f6 7431 896c240c 897c2408 895c2404 } - $sequence_5 = { 85db 7435 85f6 7431 896c240c } - $sequence_6 = { 8b5c2434 8b742430 8b7c2438 8b6c243c 85db 7435 85f6 } - $sequence_7 = { 85c0 7831 39d8 7205 } - $sequence_8 = { 7431 896c240c 897c2408 895c2404 893424 } - $sequence_9 = { e8???????? 
85c0 7831 39d8 7205 c6441eff00 83c41c } + $sequence_0 = { 893424 e8???????? 85c0 7831 39d8 7205 } + $sequence_1 = { 85db 7435 85f6 7431 } + $sequence_2 = { 8b742434 8b7c2438 8b6c243c 3d???????? 741d } + $sequence_3 = { 895c2404 893424 e8???????? 85c0 7831 39d8 } + $sequence_4 = { 85db 7435 85f6 7431 896c240c 897c2408 } + $sequence_5 = { a1???????? 8b5c2430 8b742434 8b7c2438 8b6c243c 3d???????? 741d } + $sequence_6 = { 8b5c2430 8b742434 8b7c2438 8b6c243c 3d???????? } + $sequence_7 = { e8???????? 85c0 7831 39d8 } + $sequence_8 = { e8???????? 85c0 7831 39d8 7205 c6441eff00 83c41c } + $sequence_9 = { 85c0 7831 39d8 7205 c6441eff00 } condition: 7 of them and filesize < 2657280 
@@ -91819,36 +91971,36 @@ rule MALPEDIA_Win_Petya_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e25f6ba-0f88-5dbc-a462-9f4861151314" - date = "2026-01-05" - modified = "2026-01-06" + id = "ad8b1090-3c52-546e-be4f-9a047ab76585" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.petya_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.petya_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "e12039168edf2e4657ffd112871fe75ec301f0f0758dfc0dfdc297a04b207216" + logic_hash = "6b15c28089beb4a70924f9a7ca06d1c72c92c993ca88b5bc9fc36431640a12b8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc7 c1e810 88442431 8bc7 c1e808 88442432 } - $sequence_1 = { 117c2434 33f6 0facc81c c1e204 0bf0 c1e91c } - $sequence_2 = { 56 8b35???????? 33c9 57 33ff 8d0486 8bd8 } - $sequence_3 = { 83c604 3bfb 72f0 5f 5e 5b } - $sequence_4 = { 0bf1 33442424 33fe 23442420 } - $sequence_5 = { 8b4c2420 33fe 8bf0 33da 0facc80e 33d2 c1e612 } - $sequence_6 = { 8bca 88442428 8bc6 c1e810 88442429 8bc6 } - $sequence_7 = { 56 8b750c 57 83fe01 7517 } - $sequence_8 = { 8bca c1e303 0facc110 897c2424 c1e810 8bc2 884c242d } - $sequence_9 = { 8b5d0c 33c9 56 8b7508 2bde } + $sequence_0 = { 83c050 03c7 53 50 e8???????? 
83c40c } + $sequence_1 = { 33ff 3b750c 0f47d9 85db 7410 8b06 85c0 } + $sequence_2 = { 53 e8???????? 8b4604 83c40c 8b4e08 } + $sequence_3 = { 33c9 57 33ff 8d0486 8bd8 2bde 83c303 } + $sequence_4 = { 03ce 13c2 03cb 894c243c } + $sequence_5 = { 53 50 e8???????? 83c40c 8d5750 8bcf e8???????? } + $sequence_6 = { 57 33ff 3b750c 0f47d9 85db 7410 8b06 } + $sequence_7 = { 68???????? 68???????? ff15???????? 50 ff15???????? 8d4df8 51 } + $sequence_8 = { 83c303 c1eb02 57 33ff 3b750c 0f47d9 } + $sequence_9 = { 85f6 7505 e8???????? 8bc7 5f } condition: 7 of them and filesize < 229376 @@ -91859,10 +92011,10 @@ rule MALPEDIA_Win_Mariposa_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "2a3a2192-1985-5afb-a3c8-457f3f4c729c" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mariposa_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mariposa_auto.yar#L1-L118" license_url = "N/A" logic_hash = "343ac33f57cd9cc9bfc1841bf1bd211734de245f417ee554220587a46ed4086f" score = 75 @@ -91871,9 +92023,9 @@ rule MALPEDIA_Win_Mariposa_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -91897,36 +92049,36 @@ rule MALPEDIA_Win_Backspace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fb0b0e7f-6932-5f0b-957b-77772fb8dfd5" - date = "2026-01-05" - modified = "2026-01-06" + id = "9f457c85-1939-5207-9938-499508c624cb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.backspace_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.backspace_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "8089ff963941257a60e744d7204434da2ea9ab918c2bf4c32b875cf83b55a865" + logic_hash = "894459d4dc8657a0ca36e5c62b7c44cb2deea535a24b419afb35d264dc79ba7b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8578fdffff 56 50 89b579fdffff e8???????? } - $sequence_1 = { 90 745f 90 13c9 90 eb20 } - $sequence_2 = { 68???????? 50 ff15???????? 6a0a 58 } - $sequence_3 = { 6a00 68???????? 68???????? 6a50 56 e8???????? 83c420 } - $sequence_4 = { 7e1a 8b4c240c 8b442404 56 2bc1 8bf2 } - $sequence_5 = { f7f9 55 8b35???????? 8bd8 a1???????? 2b05???????? 0fafc3 } - $sequence_6 = { 66ab aa 8d8580fdffff 6800020000 50 53 } - $sequence_7 = { a1???????? 57 40 50 ff15???????? 85c0 0f8fa3000000 } - $sequence_8 = { c3 55 8bec b808200000 e8???????? 
53 56 } - $sequence_9 = { 57 50 ffd6 83c418 85db } + $sequence_0 = { e8???????? 68???????? 56 e8???????? 83c428 837d1801 752e } + $sequence_1 = { 8bec b808200000 e8???????? a1???????? 53 56 } + $sequence_2 = { 83c410 8d8574feffff 50 68???????? 8d85f4feffff } + $sequence_3 = { c68544ffffff0b c68545ffffff0c c68546ffffff0d c68547ffffff0e c68548ffffff0f c68549ffffff10 c6854affffff11 } + $sequence_4 = { ff15???????? 8025????????00 8d442414 50 } + $sequence_5 = { e8???????? 8d45f8 bb40010000 50 57 53 57 } + $sequence_6 = { 8930 58 eb16 33f6 57 ff15???????? 8bc6 } + $sequence_7 = { c6853cffffff03 c6853dffffff04 c6853effffff05 c6853fffffff06 c68540ffffff07 } + $sequence_8 = { 68???????? 50 ffd6 83c40c 8d859cfcffff 50 8d8594f3ffff } + $sequence_9 = { 885dc4 885dc5 885dc6 885dc7 885dc8 885dc9 } condition: 7 of them and filesize < 131072 
@@ -91936,36 +92088,36 @@ rule MALPEDIA_Win_Elirks_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "43457097-ea8b-5864-bbde-86ef37584143" - date = "2026-01-05" - modified = "2026-01-06" + id = "cd911ada-2bb7-5d6c-984c-cbc6476379cc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.elirks_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.elirks_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "9b5bf7e4bf894eff89b4a5704e72b876af8697001a5b80ec9161e8abc0610ab3" + logic_hash = "06a7e02c8e6c3b7c16b98f734b079b23adfb7d12264dc7882b446e609acb76d2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894608 5f 5e 81c40c020000 c3 } - $sequence_1 = { 0f848b010000 8b742414 8b15???????? 6a00 8d442440 50 } - $sequence_2 = { 56 8d7e08 57 8d442420 50 8d4c241c 51 } - $sequence_3 = { 52 8d5104 83c0ff 52 } - $sequence_4 = { 8d4c2414 51 8bd1 52 ff15???????? f605????????02 742c } - $sequence_5 = { 52 6a00 8bc3 e8???????? 85c0 7515 } - $sequence_6 = { 6a0c 50 b908000000 8bc7 e8???????? 8bf0 83c408 } - $sequence_7 = { 0f8592000000 f605????????08 a1???????? 53 8b1d???????? } - $sequence_8 = { 8b1d???????? 8b2d???????? 8b8120c20000 6aff 50 } - $sequence_9 = { e8???????? 
85c0 7414 8b44241c 8d542410 } + $sequence_0 = { 8b4c240c 8d54240c 52 8d442418 50 51 8d942424030000 } + $sequence_1 = { 83c40c c20400 8b44241c 8b4c2410 85c9 750a } + $sequence_2 = { 33dd 03c3 8bd8 c1e304 8be8 c1ed05 } + $sequence_3 = { 51 8d94248c040000 52 ff15???????? 8bd8 83fbff 895c2410 } + $sequence_4 = { 75d1 8bc6 5e 5d 5f c3 5e } + $sequence_5 = { 55 6a02 55 55 6800000040 8d442468 50 } + $sequence_6 = { eb14 80f940 7506 c6042a1a } + $sequence_7 = { 8b542424 890a 7e19 8b4d00 80393c 740f 83c101 } + $sequence_8 = { 8d54241c 52 50 56 55 } + $sequence_9 = { 56 8bf0 8b4604 33c9 898e00600000 25ffffff00 } condition: 7 of them and filesize < 81920 
@@ -91975,36 +92127,36 @@ rule MALPEDIA_Win_Lazarus_Killdisk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "51d8d349-628d-5955-8390-6050e3d90319" - date = "2026-01-05" - modified = "2026-01-06" + id = "c4e43c5d-f991-5031-a9b1-142478e9f9d1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus_killdisk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lazarus_killdisk_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lazarus_killdisk_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "0f1cb10726a24b0f5193b1d9b38bf0914806bbc39c92530769ca658a86bfb258" + logic_hash = "fda607b7f3303a1a3a81eebd8d07ff00b1e86a70959cf2815da3e1a082af0734" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d48e0 80f93f 7706 0fbec0 83c020 } - $sequence_1 = { 56 ffd7 4b 75ea 56 ff15???????? } - $sequence_2 = { 7438 8d55f0 52 68???????? } - $sequence_3 = { 57 8d4c242c 68???????? 51 e8???????? } - $sequence_4 = { 8d4402ff 0fa4c109 6a00 894df4 8d4df4 c1e009 } - $sequence_5 = { 6a00 8d85e0fdffff 50 6800020000 } - $sequence_6 = { 6a00 6800000002 ffd3 8bf0 83feff } - $sequence_7 = { eb08 8d5de8 e8???????? 8b85e4fdffff 40 83c610 8985e4fdffff } - $sequence_8 = { 8d75a6 8b06 8b4e08 8b560c 8945e8 } - $sequence_9 = { ffd7 85c0 7424 68???????? 
8d95e4feffff 52 } + $sequence_0 = { 51 c685f8feffff00 e8???????? 8d95f4fdffff 68???????? } + $sequence_1 = { 8955ec 894df4 8945f0 e8???????? 807db600 0f8524ffffff 8b4df8 } + $sequence_2 = { ff15???????? 8b8db8feffff 6a00 6a00 6a00 8d45ec 50 } + $sequence_3 = { 8985d4fdffff ffd6 3b85d4fdffff 751a 6a00 8d95e0fdffff } + $sequence_4 = { 83c40c 8d4c2418 51 8d942464020000 52 } + $sequence_5 = { 894df0 8955f4 84c0 7424 3c0f } + $sequence_6 = { 53 d1ea 0500ecffff 8d4df0 } + $sequence_7 = { 51 eb08 8d942468020000 52 } + $sequence_8 = { 83d2ff 56 8945ec 8955f0 ff15???????? } + $sequence_9 = { 40 83c610 8985e4fdffff 83f804 } condition: 7 of them and filesize < 209920 
@@ -92014,36 +92166,36 @@ rule MALPEDIA_Win_Punkey_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "558f1792-1bb2-5d9b-859d-0b6382b27ab5" - date = "2026-01-05" - modified = "2026-01-06" + id = "b33dbe9f-a2d5-5b11-8898-603f9e688b2e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.punkey_pos_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.punkey_pos_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "a4ee7826b83e8d1ab2e9aee9c2a1f21a3ae3a3b9d6fb52555b83791b8ed2dd78" + logic_hash = "8a2404869671c9582f68667ae44a4ef516f5f7f0be17b90050040d3476fbb3b1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff05???????? 8b0d???????? 56 57 6a00 51 ff15???????? } - $sequence_1 = { 56 ffd7 a3???????? 85c0 74ae 5f b801000000 } - $sequence_2 = { 68e7070000 50 ff15???????? ff05???????? } - $sequence_3 = { 741d a1???????? 85c0 740e 56 57 68e7070000 } - $sequence_4 = { ffd7 a3???????? 85c0 74ae 5f b801000000 } - $sequence_5 = { 50 a1???????? 50 ff15???????? 5d c20c00 } - $sequence_6 = { 85c0 7919 8b4d10 8b550c } - $sequence_7 = { a3???????? 85c0 74ae 5f b801000000 } - $sequence_8 = { ff15???????? c705????????00000000 c3 3b0d???????? 7502 f3c3 e9???????? 
} - $sequence_9 = { 56 57 68e7070000 50 ff15???????? ff05???????? } + $sequence_0 = { 55 8bec 8b4508 85c0 7919 8b4d10 8b550c } + $sequence_1 = { 56 ffd7 a3???????? 85c0 74e1 } + $sequence_2 = { 8b0d???????? 56 57 6a00 51 ff15???????? 5f } + $sequence_3 = { 55 8bec 8b4508 85c0 7919 8b4d10 } + $sequence_4 = { 50 ff15???????? ff05???????? 8b0d???????? 56 } + $sequence_5 = { ff15???????? 5d c20c00 75e5 56 8b7510 } + $sequence_6 = { ff05???????? 8b0d???????? 56 57 6a00 51 } + $sequence_7 = { 50 ff15???????? c705????????00000000 c3 3b0d???????? } + $sequence_8 = { 57 68e7070000 50 ff15???????? ff05???????? } + $sequence_9 = { 57 8b7d0c f7c600000040 741d a1???????? 85c0 } condition: 7 of them and filesize < 499712 
@@ -92053,40 +92205,41 @@ rule MALPEDIA_Win_Flame_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9866d719-20ba-56a9-89a4-346e1b2eca8d" - date = "2026-01-05" - modified = "2026-01-06" + id = "5fe3e6d2-6698-50d6-916f-b37f13216be6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flame_auto.yar#L1-L147" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flame_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "131f2d5e5a8a0cf24fae537b61affbb5c92eae0dfe8bde03b44be173be5d9d24" + logic_hash = "8f555ca35148ecb33315122be41be7225ffb4ae39d1e9243b0934ee30005950d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83f901 7415 e8???????? c70016000000 } - $sequence_1 = { 85c9 741a 83f901 7415 } - $sequence_2 = { 7573 895dec 8d45ec 50 } - $sequence_3 = { 7428 498b5610 8b4f18 8bc3 } - $sequence_4 = { 7428 448865dc 41c1ec08 488d55dc 448865dd 8b4f18 } - $sequence_5 = { 8d45dc 33f6 6a14 50 8975f4 8975fc } - $sequence_6 = { ffd7 90 eb00 4883c430 5f 5e } - $sequence_7 = { 7429 488b4c2428 488d542450 41b8df010000 } - $sequence_8 = { 8bce 89450c e8???????? 8b06 57 } - $sequence_9 = { 894e10 8d4df0 51 6a40 6a0f 50 } - $sequence_10 = { 74ac 68???????? ff35???????? e8???????? 59 59 a3???????? 
} - $sequence_11 = { 6a08 59 ff7510 33c0 ff750c 8d7de0 } - $sequence_12 = { 7428 41b918000000 4533c0 488bd0 } - $sequence_13 = { 8bbb98000000 440fb7c5 4923c7 488bce 4903c4 } + $sequence_0 = { 741a 83f901 7415 e8???????? c70016000000 } + $sequence_1 = { 8bc3 442bfb 4c03e8 4533db } + $sequence_2 = { 57 50 895dd0 895dd4 e8???????? 83c40c 85c0 } + $sequence_3 = { 8bc3 488b9c2480010000 4881c450010000 415d } + $sequence_4 = { 8365fc00 e9???????? b8???????? e8???????? 83ec28 } + $sequence_5 = { ffd7 90 eb00 4883c430 5f 5e } + $sequence_6 = { 8bc3 4823c8 8b348e eb27 f6c240 0f8539020000 } + $sequence_7 = { 83fb10 741c 83fb18 740e 83fb20 7519 } + $sequence_8 = { 8bc3 482bd0 448bc3 44396710 } + $sequence_9 = { 742a ffc9 0f84f4000000 ffc9 } + $sequence_10 = { 8b721c 3bf0 7447 39420c 7442 3902 7505 } + $sequence_11 = { 8bc3 4823c2 eb22 f6c210 7547 f6c240 0f85d1020000 } + $sequence_12 = { 33c0 eb2c 6aff 56 ff15???????? 59 59 } + $sequence_13 = { 1bc0 c1ee1e f7d8 83e601 c1ef1f } + $sequence_14 = { 83f8ff 7516 8d4dd4 e8???????? 68???????? 8d45d4 } condition: 7 of them and filesize < 1676288 @@ -92097,10 +92250,10 @@ rule MALPEDIA_Win_Orangeade_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "a790e493-320f-57de-9b62-d13796c94676" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.orangeade_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.orangeade_auto.yar#L1-L116" license_url = "N/A" logic_hash = "bc9cfd6680cc4f32cd41e9edf43afa43b54975c598906df96ea95e31fa6c1612" score = 75 
@@ -92109,9 +92262,9 @@ rule MALPEDIA_Win_Orangeade_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -92135,36 +92288,36 @@ rule MALPEDIA_Win_Banjori_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b7079fb2-7d83-5fd6-84aa-1cae4150d033" - date = "2026-01-05" - modified = "2026-01-06" + id = "772db84e-ddd6-5cb7-aa80-8be342d89227" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.banjori_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.banjori_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "816a568e5c1724a9f1a3d5f87d5d1a32e57fcc3fa600870ee04fd6629cdfe757" + logic_hash = "93e1a29e08c992364ad1fdc8ebe64904f6aed3a76f1538e955dbeb1bc9cf87a5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 75f1 b0ec fd f2ae 817ffd8bff558b 75f5 fc } - $sequence_1 = { ff15???????? ff75ec ff15???????? 40 50 ff75ec 6a01 } - $sequence_2 = { ff75f8 ff15???????? 8d3dac169500 57 ff15???????? 40 50 } - $sequence_3 = { 53 53 53 8d45ec 50 ff75f0 ff75f8 } - $sequence_4 = { 8985b0feffff 83f864 0f82c2000000 40 50 6a40 ff15???????? } - $sequence_5 = { 395df0 741b 53 53 53 53 53 } - $sequence_6 = { e9???????? 55 8bec 83c4f4 57 56 53 } - $sequence_7 = { 0145f4 6a42 ff75f4 ff75f8 ff15???????? 8945f8 ff75dc } - $sequence_8 = { 68f1000000 51 ff15???????? 
8b4e08 e32c 894de4 895de8 } - $sequence_9 = { 7808 3d64696a6e 90 7507 e8???????? ebc7 ff35???????? } + $sequence_0 = { ff75f4 ff15???????? ff75f8 ff15???????? 8b45fc c9 c3 } + $sequence_1 = { 03c2 8945e8 03c2 8945d8 03c2 8945fc ff7508 } + $sequence_2 = { e8???????? 85c0 0f8495020000 8945f8 8bf8 8b07 85c0 } + $sequence_3 = { c745e008000000 8d45e0 50 8d45d0 50 53 53 } + $sequence_4 = { ff15???????? ff35???????? ff75a8 ff15???????? 68???????? 50 ff15???????? } + $sequence_5 = { 53 53 ffb5b4feffff ff15???????? ffb59cfeffff ff15???????? 8bc8 } + $sequence_6 = { ff15???????? 83c410 ffb598feffff ffb59cfeffff e8???????? 85c0 0f8588000000 } + $sequence_7 = { 53 53 6a01 53 68???????? ff75fc ff15???????? } + $sequence_8 = { 7512 8d05d4e79500 50 ff35???????? e8???????? 68???????? 57 } + $sequence_9 = { 885fff 56 ff75f4 ff15???????? ff75f4 ff15???????? } condition: 7 of them and filesize < 139264 
@@ -92174,36 +92327,36 @@ rule MALPEDIA_Win_Mortalkombat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2926ed70-9658-5024-99d2-e9010cd78f8a" - date = "2026-01-05" - modified = "2026-01-06" + id = "40a15796-e592-56fe-a1a0-ee5a02d71653" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortalkombat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mortalkombat_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mortalkombat_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "6719ab7cb4e15bf8e439d94e5987475ec5045761b54a9759e4f94419dacc6908" + logic_hash = "1c85be158d8c9b4f071ede26bd428997dbd3508474cf3dcd26a12b35085cb8d3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85e8feffff 50 68???????? e8???????? 85c0 0f849c020000 8d85e8feffff } - $sequence_1 = { c745e800000000 8d45d0 50 e8???????? c745b02c010000 c745ac69000000 } - $sequence_2 = { 7516 6a10 68???????? 68???????? ff7508 e8???????? } - $sequence_3 = { 7401 41 8b35???????? 8bfe 33d2 83fa10 7502 } - $sequence_4 = { 68???????? e8???????? 68???????? 6800020000 e8???????? } - $sequence_5 = { 33ce 033d???????? 33cf 03d1 81c3b979379e 8bca } - $sequence_6 = { 6a00 e8???????? ff0d???????? 6801010000 } - $sequence_7 = { 751e 68???????? 68???????? e8???????? 68???????? 
e8???????? c60000 } - $sequence_8 = { 837d0c01 0f85a6010000 833d????????00 7506 ff0d???????? 68???????? 68???????? } - $sequence_9 = { 0fb605???????? 83f801 7511 68???????? 68???????? } + $sequence_0 = { e8???????? 83f8ff 7452 8945ec 6a00 6a00 6a00 } + $sequence_1 = { 6a10 68???????? 6a10 68???????? e8???????? 6a10 } + $sequence_2 = { e8???????? 8bd8 57 e8???????? 03f8 47 } + $sequence_3 = { 83c4e8 b910000000 bf???????? 51 57 0f31 } + $sequence_4 = { e8???????? e8???????? c605????????00 6a01 e8???????? } + $sequence_5 = { 6a00 ff35???????? ff7520 ff751c ff7518 ff7514 ff7510 } + $sequence_6 = { c3 8945f4 ff75f0 6a00 e8???????? 0bc0 7502 } + $sequence_7 = { 68???????? 6a00 e8???????? eb13 } + $sequence_8 = { e8???????? 6a00 ff75fc e8???????? c9 c21000 } + $sequence_9 = { ff75f8 e8???????? 6a00 ff75fc e8???????? c9 c21000 } condition: 7 of them and filesize < 1224704 
@@ -92213,36 +92366,36 @@ rule MALPEDIA_Win_Strifewater_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "62a3ce73-baac-56a1-82cb-c062e0eed183" - date = "2026-01-05" - modified = "2026-01-06" + id = "821abdbc-f36b-57c1-b32d-ed62442c83e9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.strifewater_rat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.strifewater_rat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "04a48ee28febde8895539bb526c6ef5f904eb84967ebbad205245d5d96a955aa" + logic_hash = "bd524a7aa50f701f9d826d21df3ead7d5391e4b4f29847537d8735b10bbed52d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b7c2478 4883c450 415e c3 488d151f910400 488d4c2420 e8???????? } - $sequence_1 = { 48895320 488d3d472d0800 be05000000 498bd5 8bce } - $sequence_2 = { 488b07 48634804 4803cf 85f6 741a 8b5110 0bd6 } - $sequence_3 = { 90 498b06 488b5858 488bcb e8???????? 4c8d4def 4c8d056e710500 } - $sequence_4 = { 48c7442420feffffff 48895c2440 488bf9 488d056ae70800 488901 4883c140 4533c0 } - $sequence_5 = { e9???????? 488b9540070000 4c8d0526ae0100 498bce e8???????? 85c0 } - $sequence_6 = { 488d0595ec0500 488906 eb02 33f6 4c8b05???????? 
4d85c0 753c } - $sequence_7 = { 48634804 83640c48fb 4533ff eb0d 408ad7 488d4c2430 e8???????? } - $sequence_8 = { 48898424f0000000 488b4e08 4885c9 7509 488d1598330900 eb0d 488b5128 } - $sequence_9 = { 8bc3 874710 85c0 7421 8365d800 488d059ca1feff 488945e0 } + $sequence_0 = { 33c0 48894522 448d4005 488d542440 488d4d20 e8???????? 48897c2478 } + $sequence_1 = { 4883c420 5f c3 488d0d029a0800 e8???????? cc } + $sequence_2 = { 488907 488bcb ff15???????? 488bc8 e8???????? 488d15d0f50300 48894708 } + $sequence_3 = { 488d0d953d0300 48890b 488d5308 33c9 48890a 48894a08 488d4808 } + $sequence_4 = { 8d43ff 4863c8 b25d 381439 7418 488bc3 4885c0 } + $sequence_5 = { 4d8be1 33c0 498be8 4c8d0dd796faff 4c8bea f04f0fb1bcf170f40a00 } + $sequence_6 = { 33c9 48890a 48894a08 488d4808 e8???????? 488d05711c0400 488903 } + $sequence_7 = { 488d1537e4ffff 488d4d00 e8???????? 488bd8 488d8d90010000 e8???????? 488d056c0d0900 } + $sequence_8 = { 488bf1 48894c2458 4533ff 44897c2444 0fb705???????? 6689442440 8a05???????? } + $sequence_9 = { 488d1526f00500 488d4c2440 e8???????? cc ff15???????? 0fb7d0 488d4c2460 } condition: 7 of them and filesize < 1552384 
@@ -92252,75 +92405,114 @@ rule MALPEDIA_Win_Anel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6aaa2dab-4b34-505d-ab57-a83be80c60ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "2b7acb88-402d-5211-bd6d-affbf61f2b51" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.anel_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.anel_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "bf88932655884d72c230c9a3ca2d9886c485937f46465847549f25d9f3a65ea5" + logic_hash = "05a39d594132243176a3a78031e6f59a00dc4db05fad2f0decf83d9cacd88110" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ebc4 395dc4 7515 8b4594 83c0c8 50 8d4580 } - $sequence_1 = { 83781410 897810 7202 8b00 c60000 39bb3c020000 } - $sequence_2 = { 7403 33db 43 899fd4010000 6a01 33ff 8d750c } - $sequence_3 = { 53 8d45c4 33ff 50 895dfc 47 6802000080 } - $sequence_4 = { 7477 03fe 57 8d857cffffff 50 53 e8???????? } - $sequence_5 = { 68???????? 50 e8???????? 83c410 8d45d0 50 e8???????? } - $sequence_6 = { 6a00 8bd0 8d8c24b0000000 c684245c01000005 e8???????? 53 33ff } - $sequence_7 = { 837f1410 7202 8b3f 8d442450 50 57 e8???????? 
} - $sequence_8 = { 8d7dd0 a5 a5 a5 a5 8b75f0 8bfb } - $sequence_9 = { 837f1410 7204 8b07 eb02 8bc7 8d3418 56 } + $sequence_0 = { 8b08 50 ff5108 8b45a8 3bc7 7406 8b08 } + $sequence_1 = { 50 8d8514ffffff e8???????? 59 59 57 } + $sequence_2 = { 8db544ffffff e8???????? 8d9d34ffffff e8???????? eb10 68???????? ffb530ffffff } + $sequence_3 = { 6a02 50 ff15???????? 8d4604 3938 7411 } + $sequence_4 = { 57 8bf9 8b4810 894df8 7202 8b00 8b4f10 } + $sequence_5 = { 8985f8feffff 8985fcfeffff 8945fc 68???????? 8d45d0 e8???????? 8d4320 } + $sequence_6 = { 33949848080000 8bdf 23d9 039498480c0000 8b5834 335508 897d08 } + $sequence_7 = { c1c20d 69d2b179379e 2b7e28 895610 8b4624 69c08935147a 2bc8 } + $sequence_8 = { 7f05 3b78f8 7225 8b7804 89bd40feffff 3bd7 7f0f } + $sequence_9 = { 59 57 50 83c8ff 8d75c8 c645fc0e } condition: 7 of them and filesize < 376832 } +rule MALPEDIA_Win_Razr_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "ba31ce6c-e3fa-5c6f-83e7-b9b03e941205" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.razr" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.razr_auto.yar#L1-L121" + license_url = "N/A" + logic_hash = "cb885b6a0f0cc8a44331e3c7b54660df8411ce8c119c824ce6753c4063939250" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { ffd0 85c0 740c 488b85c8000000 } + $sequence_1 = { 41b801000000 ba00000080 4889c1 488b05???????? ffd0 } + $sequence_2 = { 750a b800000000 e9???????? 
c785bc00000000000000 eb70 } + $sequence_3 = { eb04 90 eb01 90 4881c440010000 } + $sequence_4 = { 48895588 48b84748494a4b4c4d4e 48ba4f50515253545556 48894590 48895598 48b85455565758595a00 } + $sequence_5 = { 48898dd0000000 488d057b9b0000 4889c1 e8???????? } + $sequence_6 = { 8955fc 4863d0 488b4510 4801d0 c6002d 8345f801 837df820 } + $sequence_7 = { 488d055dd00400 4889c1 488b05???????? ffd0 b800000000 4883c430 5d } + $sequence_8 = { 4881c430010000 5d c3 55 4889e5 4883ec40 c745fc00000000 } + $sequence_9 = { e8???????? 488d95d0010000 488d85c0000000 4889c1 488b05???????? ffd0 48898520030000 } + + condition: + 7 of them and filesize < 1626112 +} rule MALPEDIA_Win_Squirrelwaffle_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "870824b4-58bb-571d-92bf-60311c954be1" - date = "2026-01-05" - modified = "2026-01-06" + id = "25e83d14-1767-536b-af19-b322e71277c6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.squirrelwaffle_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.squirrelwaffle_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "ca7cf3c3a665a3fb39ef07c14cbbf782e38d67a5236157091e835f3cda65f067" + logic_hash = "fd100940c5ede4b279bbaea9050d2423e4b66eab0e732f67b450f56d1e93b2f7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC 
BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f44ca 51 e8???????? 8b8690010000 47 } - $sequence_1 = { c645fc03 8d55cc 837de010 8b4b10 } - $sequence_2 = { 83c408 68???????? 6a14 6a18 } - $sequence_3 = { 40 84c9 75f9 2bc7 8d4db8 50 } - $sequence_4 = { 50 52 e8???????? 83c40c 8d7b40 ff734c ff15???????? } + $sequence_0 = { 8a01 41 84c0 75f9 6a00 2bce 8bb564f7ffff } + $sequence_1 = { 0f434508 8d8d40ffffff 6a02 50 } + $sequence_2 = { 85c0 751a 50 8b8540ffffff 8d8d40ffffff 6a02 8b4004 } + $sequence_3 = { 33f6 0f1f4000 0f1f840000000000 833d????????10 bb???????? } + $sequence_4 = { 83ceff 8b55e8 83fa10 0f8278000000 8b4dd4 42 } $sequence_5 = { 8d45ed c7855cf7ffff00000000 c78560f7ffff0f000000 c6854cf7ffff00 3bf0 740f 2bc6 } - $sequence_6 = { 0f46c2 50 e8???????? 83c404 85c0 0f848c000000 8d7023 } - $sequence_7 = { 2bc2 3bc1 0f82d4000000 837f1410 7202 } - $sequence_8 = { 50 8b4508 50 03c1 } - $sequence_9 = { 837de010 8b4b10 8b75cc 0f43d6 } + $sequence_6 = { c645c400 8d4dd4 ff75c4 6a08 e8???????? e9???????? } + $sequence_7 = { c785c0f6ffff00000000 c785c4f6ffff0f000000 c685b0f6ffff00 c645fc22 } + $sequence_8 = { 89956cf9ffff ff15???????? 83c408 898580f7ffff } + $sequence_9 = { 7230 83fa10 8db5b0f6ffff 8d4112 0f43b5b0f6ffff } condition: 7 of them and filesize < 147456 
@@ -92330,57 +92522,57 @@ rule MALPEDIA_Win_Ccleaner_Backdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "afe83831-af08-566c-bd71-ab10e23239e8" - date = "2026-01-05" - modified = "2026-01-06" + id = "e8260c1e-b548-521c-a918-476d59ec0485" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ccleaner_backdoor_auto.yar#L1-L275" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ccleaner_backdoor_auto.yar#L1-L273" license_url = "N/A" - logic_hash = "be44c857d399380efa2dec8cf50305b24c9727966e69281b9da9b0167cac9243" + logic_hash = "ada2e84c2cbbbc990519610580881a1a417e954076eefea9f77cc173589a8dfe" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd6 50 ff15???????? 8b3d???????? 59 ffd7 } - $sequence_1 = { 8a11 305103 8b480c 8b09 8a5101 } + $sequence_0 = { ffd6 50 ff15???????? 8b3d???????? 59 } + $sequence_1 = { b900010000 5f c60000 40 49 } $sequence_2 = { 03c6 85c0 7f09 488b0a 488b01 ff5008 488b4b28 } - $sequence_3 = { 01442424 eb30 8b4508 897518 } - $sequence_4 = { 8d856cffffff 6a0c 50 c7856cffffff11618a64 c78570ffffff470de38d c78574ffffff27defaf2 e8???????? 
} + $sequence_3 = { 0f8302020000 8bc3 2bc2 83f803 0f82f1010000 } + $sequence_4 = { 012e 33c0 5f 5e } $sequence_5 = { 013e 33c0 8b16 83c410 } $sequence_6 = { 03c6 4863d0 4c8d0c12 4c8d4718 } - $sequence_7 = { 33f6 6a1c 8d45e4 59 c60000 } + $sequence_7 = { 48 03d5 49 83f902 760b 41 } $sequence_8 = { 01cc cc 48895c2408 57 } - $sequence_9 = { 03c0 894340 8b7340 418bc4 } - $sequence_10 = { 83c410 8d85fcfeffff 50 ff15???????? be00010000 } - $sequence_11 = { 8b450c 53 56 8b7508 8b5510 03c6 } - $sequence_12 = { 03cd 41 8a01 4c 03cd 8802 } - $sequence_13 = { 6844494e00 e8???????? 8365e400 8945e0 8d4508 6a04 } - $sequence_14 = { 83e805 743a 48 7409 } - $sequence_15 = { 7507 33c0 e9???????? e8???????? 6800000100 6a40 } - $sequence_16 = { 01442454 03d1 294c2450 8b4c2410 } - $sequence_17 = { 01460c 488b3f 493bfc 0f8554ffffff } - $sequence_18 = { 01461c 8b542424 85d2 7405 } - $sequence_19 = { 0fb645f8 50 8d45d8 50 } - $sequence_20 = { 012e 33c0 5f 5e } - $sequence_21 = { 00cc cc 4057 4883ec50 } - $sequence_22 = { 03c7 4863c8 488d1c4b 493bdc } - $sequence_23 = { 42 47 8a07 8802 8a4701 42 8802 } - $sequence_24 = { 014c2464 40 89542418 89442430 } - $sequence_25 = { ff15???????? 46 83fe3c 7cd0 } - $sequence_26 = { 50 56 e8???????? 8b45f8 bfa0010000 c1e008 } - $sequence_27 = { 01442418 03c8 8954242c 8b542470 } - $sequence_28 = { 00cc cc 4883ec28 488b11 } - $sequence_29 = { 8bd1 49 8bd0 41 } - $sequence_30 = { 013d???????? 8b04b5d8970210 0500080000 3bc8 } + $sequence_9 = { 8d45f8 50 e8???????? 0fb645fb 83c414 } + $sequence_10 = { 50 6a00 8d8500ffffff 6a10 50 68e0000000 } + $sequence_11 = { 03c7 4863c8 488d1c4b 493bdc } + $sequence_12 = { 6a02 ff15???????? 56 e8???????? 
8d45f8 53 } + $sequence_13 = { 50 8b07 83e804 50 } + $sequence_14 = { 01442418 03c8 8954242c 8b542470 } + $sequence_15 = { 4c 03d5 48 63c8 4c 2bc9 4d } + $sequence_16 = { 014c2464 40 89542418 89442430 } + $sequence_17 = { 01461c 8b542424 85d2 7405 } + $sequence_18 = { 01442454 03d1 294c2450 8b4c2410 } + $sequence_19 = { 01442424 eb30 8b4508 897518 } + $sequence_20 = { 00cc cc 4057 4883ec50 } + $sequence_21 = { ebc2 83e10f 8b348d68c60210 23751c d36d1c } + $sequence_22 = { 01460c 488b3f 493bfc 0f8554ffffff } + $sequence_23 = { 8802 8a4701 42 47 } + $sequence_24 = { 46 83fe3c 7cd0 33c0 5e c9 c3 } + $sequence_25 = { 03c0 894340 8b7340 418bc4 } + $sequence_26 = { 8b4508 c70609000000 c7471830b30210 894620 } + $sequence_27 = { 00cc cc 4883ec28 488b11 } + $sequence_28 = { 83c0fc 8d4f08 53 50 51 } + $sequence_29 = { 013d???????? 8b04b5d8970210 0500080000 3bc8 } + $sequence_30 = { ff75f8 ff15???????? 85c0 7518 8d856cfdffff } condition: 7 of them and filesize < 377856 
@@ -92390,50 +92582,50 @@ rule MALPEDIA_Win_Strelastealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e21e6c9-b196-5772-9b5f-024320f3473e" - date = "2026-01-05" - modified = "2026-01-06" + id = "f7b662d9-32bf-5367-8f26-500397b392d0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.strelastealer_auto.yar#L1-L230" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.strelastealer_auto.yar#L1-L234" license_url = "N/A" - logic_hash = "fdd1b910b27b0b34d135da8196d66e4e45cba2823b849a416c07e1720765f896" + logic_hash = "83930b7a5402aa3096931fe0543dd89c5f32753ef96995a5e84b10a064c89883" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d0575910000 41b91b000000 4889442420 e8???????? 4883c438 } - $sequence_1 = { ff15???????? 85c0 0f854effffff 488bcb ff15???????? 4881c4d8050000 } - $sequence_2 = { 50 e8???????? 8b44242c 83c40c 53 53 } - $sequence_3 = { 08c1 20ca 80f101 89c8 } - $sequence_4 = { a1???????? 
668b08 56 8d5306 55 } - $sequence_5 = { 488bc2 488d0d05c50000 0f57c0 48890b } - $sequence_6 = { 015304 eb55 4d85c0 7e27 488bd7 4c8b4dc7 4b8b8ccbc0120600 } - $sequence_7 = { 53 53 6804010000 8d94247c030000 52 } - $sequence_8 = { 488d05bd430100 488945e0 895128 488d0d87a30000 } - $sequence_9 = { 56 53 57 ff15???????? 8bf0 8b442418 8930 } + $sequence_0 = { 385e02 740b 8b7c2424 8bde e8???????? 56 } + $sequence_1 = { 4533c9 4c89a424d0050000 ba00000080 4533e4 4c89b424c8050000 } + $sequence_2 = { 01c1 b8dc8856d3 29c8 b9dd8856d3 } + $sequence_3 = { 01c7 897d14 8d1401 81c200040000 } + $sequence_4 = { 895128 488d0d87a30000 488b45d8 488908 488d0d892f0100 488b45d8 8990a8030000 } + $sequence_5 = { 08c1 0f1f440000 b810000000 e8???????? } + $sequence_6 = { e8???????? 8b4de4 83c40c 6bc930 8975e0 8db128b90010 8975e4 } + $sequence_7 = { 488b8888000000 488d053d110100 483bc8 7405 e8???????? c70301000000 488b85a0010000 } + $sequence_8 = { 08c1 08d3 89ca 80e201 } + $sequence_9 = { 68???????? ff15???????? 6a05 8bf8 e8???????? 8b15???????? } $sequence_10 = { 08c1 08da 80f201 89c8 } - $sequence_11 = { 08c1 0f1f440000 b810000000 e8???????? } - $sequence_12 = { b913000000 4c8d05d3800000 e8???????? 4885c0 7417 49ba7032d8542306ddea } - $sequence_13 = { 488d05afff0000 483bd8 74d1 488bcb } - $sequence_14 = { 8945e4 3d00010000 7d10 8a8c181d010000 888810b80010 40 } - $sequence_15 = { 03c7 751f 488b85a0010000 488b8888000000 488d0505540100 } - $sequence_16 = { 50 6819000200 53 8d8c246c010000 51 6801000080 } - $sequence_17 = { 488d4c2430 ff15???????? 488d3d2a5e0100 488bcf ff15???????? } - $sequence_18 = { 0fb6c0 eb12 8b45e0 8a8014b90010 08443b1d 0fb64601 47 } - $sequence_19 = { 01c7 897d14 8d1401 81c200040000 } - $sequence_20 = { 01c1 b8dc8856d3 29c8 b9dd8856d3 } - $sequence_21 = { 33c9 4c8d054be10000 488d154ce10000 e8???????? 
4885c0 740f 488bcb } - $sequence_22 = { 305106 33d2 f7f6 0fb68220a30010 304107 } - $sequence_23 = { 08c1 08d3 89ca 80e201 } + $sequence_11 = { 015304 eb55 4d85c0 7e27 488bd7 4c8b4dc7 4b8b8ccbc0120600 } + $sequence_12 = { 4883ec20 8bd9 4c8d0d2de10000 b901000000 4c8d0519e10000 488d151ae10000 } + $sequence_13 = { 56 e8???????? 83c414 8b45fc ff34c5acb20010 53 } + $sequence_14 = { 08c1 20ca 80f101 89c8 } + $sequence_15 = { e8???????? 8b15???????? 83c404 8bf0 52 } + $sequence_16 = { 4e0fbeac18d0a80100 418d4d01 4c8b459f 4c2bc6 } + $sequence_17 = { 4c8d052fcc0000 83e23f 488bcf 48c1f906 488d14d2 498b0cc8 c644d13800 } + $sequence_18 = { 4883611000 488d056cc50000 48894108 488d0551c50000 488901 } + $sequence_19 = { 53 53 53 8d4c245c 51 8b4c242c 8d942494050000 } + $sequence_20 = { ff15???????? 8b442434 8b4c2438 53 53 } + $sequence_21 = { 53 6804010000 8d94247c030000 52 50 } + $sequence_22 = { 03c7 751f 488b85a0010000 488b8888000000 488d0505540100 } + $sequence_23 = { ff15???????? 448b4c2478 488d85c0010000 4c8b4580 } condition: 7 of them and filesize < 872448 
@@ -92443,57 +92635,57 @@ rule MALPEDIA_Win_Nspx30_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b7c1fb90-4e2e-567c-b71f-a04015c19cf0" - date = "2026-01-05" - modified = "2026-01-06" + id = "b22e3e59-f319-5673-9dc0-96165ddd7704" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nspx30" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nspx30_auto.yar#L1-L307" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nspx30_auto.yar#L1-L301" license_url = "N/A" - logic_hash = "21c2ef2f3120756bc5bb636c0145196e56cf18e54f32669d823d96a566a0c7b3" + logic_hash = "fed61bebbef5d40ec95332a201d1065f73e26341d152ec810e6c95101dc32cfd" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { f3ab 66ab aa b06c } - $sequence_1 = { 0f8418030000 8b8530e5ffff 8b0485384c0410 f644060480 0f8400030000 e8???????? } - $sequence_2 = { 8903 c7831400080000000000 eb58 ff15???????? 8bc8 8b44240c } - $sequence_3 = { 6a04 6800100000 03c3 57 50 ff5508 } - $sequence_4 = { 8bf0 85db 742e 85ff } - $sequence_5 = { 66c78424d80000007300 66c78424de0000006100 66c78424e20000006f00 66c78424e60000002100 66c78424ea0000006500 66c78424ec0000007700 66c78424ee0000003a00 } - $sequence_6 = { 8b45f8 50 e8???????? 
8945a8 688e4e0eec } - $sequence_7 = { 6689b4249c000000 52 be32000000 6a00 51 66c74424787b00 66c744247a3300 } - $sequence_8 = { 0f8c89010000 8b4c2410 8b11 8b420c 8b7a08 } - $sequence_9 = { 33c0 e9???????? 8b550c 52 6a14 e8???????? } - $sequence_10 = { 5e 7426 40 c60057 40 c60049 40 } - $sequence_11 = { 833800 0f8494010000 ff750c ff7508 e8???????? 8bf0 } - $sequence_12 = { 8b44240c 85c0 7460 53 ba04000000 } - $sequence_13 = { e8???????? 8b0f 8bc1 c1f805 83e11f 8b0485384c0410 c1e106 } - $sequence_14 = { 83ec0c 53 8b5c2414 56 57 6a01 } - $sequence_15 = { b843000000 66898c24c0000000 66898c24ce000000 66898c24d2000000 } - $sequence_16 = { 6689bc24fe000000 6689bc2400010000 6689b42402010000 66c78424040100004500 66c78424080100003300 66c784240a0100004500 } - $sequence_17 = { 6689444ffe 3bcb 72e7 e9???????? 8b7c2418 33c9 85db } - $sequence_18 = { bf???????? 83c9ff 33c0 6a5c } - $sequence_19 = { 8b0495384c0410 83c702 ff3418 ff15???????? 85c0 750e ff15???????? } - $sequence_20 = { 894dfc 8b55fc 8b4508 034220 8945ec } - $sequence_21 = { 8b1481 8955d8 8b4508 0345d8 eb04 eba4 } - $sequence_22 = { ffd2 c7461000000000 8b4608 53 8b5c2410 85c0 } - $sequence_23 = { 83c404 c745fcffffffff 833d????????00 8b07 } - $sequence_24 = { c7402420120010 c7402860120010 33c0 5e c20800 6879270000 ff15???????? } - $sequence_25 = { b801000000 5b 81c410030000 c20c00 5f 5e } - $sequence_26 = { 5b 754a c7002c000000 895004 895008 c7400ca0120010 } - $sequence_27 = { 83c9ff 33c0 c644240c57 c644240d69 c644240e6e c644240f64 c64424106f } - $sequence_28 = { 6a00 ff15???????? 8bfb 83c9ff 33c0 b25c f2ae } - $sequence_29 = { 7c86 5f 5d 5e 5b } - $sequence_30 = { 57 66896c2436 66896c2446 8d4c2414 bb38000000 be2d000000 } + $sequence_1 = { 8b00 3bd0 7416 83c018 7411 ff750c } + $sequence_2 = { 8d84241c010000 68ff000000 50 53 ff15???????? 8d8c241c010000 51 } + $sequence_3 = { 7577 8b35???????? 8d94241c010000 68???????? 
52 ffd6 } + $sequence_4 = { 2bc1 3bd0 746e 668932 83c202 3bd0 75f6 } + $sequence_5 = { 56 57 33db b97f000000 33c0 8dbc241e010000 } + $sequence_6 = { eb1a 81f977665500 7504 8918 eb10 81f988776600 } + $sequence_7 = { 8dbc241e010000 66899c241c010000 f3ab 8d84241c010000 68ff000000 } + $sequence_8 = { 75f9 2bce 51 52 eb57 } + $sequence_9 = { 57 8bca bf???????? 33db } + $sequence_10 = { 56 57 68ff1f0000 8d85d9deffff } + $sequence_11 = { 80a0c065001000 40 3bc6 72be 5e c9 } + $sequence_12 = { 683d270000 ff15???????? 83c8ff 5e c21400 6879270000 ff15???????? } + $sequence_13 = { 50 ffd6 53 ff15???????? 50 e8???????? 83c404 } + $sequence_14 = { c784246001000004000000 ff15???????? 85c0 0f8c89010000 8b4c2410 } + $sequence_15 = { c20400 8d85d8fdffff 50 53 57 } + $sequence_16 = { e8???????? 68???????? e8???????? 83c404 c745fcffffffff 8d4508 } + $sequence_17 = { c64424336c c644243400 ffd7 83c408 } + $sequence_18 = { 5b 754a c7002c000000 895004 895008 } + $sequence_19 = { 894dec 837dec0e 7d13 8b55ec 837c959800 7507 } + $sequence_20 = { ba44000000 6a00 6689542478 66899424a2000000 66899424b0000000 66899424b2000000 8d54246c } + $sequence_21 = { 85c0 7417 8d7d9c 4f 8bff 8a4701 } + $sequence_22 = { aa 8d442404 50 51 e8???????? 83c408 85c0 } + $sequence_23 = { 0f86eb000000 8b30 8b6c2420 03f3 } + $sequence_24 = { 83e203 83f908 7229 f3a5 ff249518310010 8bc7 } + $sequence_25 = { 6a08 ff15???????? 6a40 6800300000 } + $sequence_26 = { 8a10 8816 46 eb0f 0fb6d2 f682c166001004 } + $sequence_27 = { b86e000000 b969000000 66898424c4000000 66898424d0000000 66898424e4000000 } + $sequence_28 = { 8bf0 85db 742e 85ff 742a } + $sequence_29 = { 035128 8955f8 837df800 7502 eb38 6a00 } + $sequence_30 = { 8b4d08 034878 894dfc 8b55fc 8b4508 034220 8945ec } condition: 7 of them and filesize < 3789824 
@@ -92503,51 +92695,50 @@ rule MALPEDIA_Win_Warmcookie_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0026322f-2256-5880-b6f0-ee27db7c6e54" - date = "2026-01-05" - modified = "2026-01-06" + id = "ec89ed75-43ef-5e93-903d-d3f8383c90e1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warmcookie" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.warmcookie_auto.yar#L1-L234" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.warmcookie_auto.yar#L1-L228" license_url = "N/A" - logic_hash = "f9b50e12d5d001e33fbadd9cf4f5cbc2e73544c65bdcaaf5cab4e22fb22bdceb" + logic_hash = "dade3f49f004a30a420737451cd7da729d7cda1285499c65a4f74cd9aeafbe8d" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41b900000000 41b807000000 ba00000080 4889c1 } - $sequence_1 = { 48c744243800000000 c744243000000000 c744242803000000 48c744242000000000 41b900000000 } - $sequence_2 = { 41be01000000 4d85d2 0f8489010000 418b02 85c0 0f88c0060000 8d0480 } - $sequence_3 = { 4183fe03 0f87ff050000 4585f6 0f850a020000 41be01000000 4d85d2 } - $sequence_4 = { 41b902000000 41b800000000 ba00000000 4889c1 } - $sequence_5 = { 48896c2470 8944242c 48b8fffffffffdffffff 4889842480000000 31c0 6689842488000000 } - $sequence_6 = { 448b44244c 4989c4 4181f80080ffff 7470 } - $sequence_7 = { 4883c468 5b 415c 
c3 55 } - $sequence_8 = { 4181f80080ffff 7470 8b4c2448 4889c2 4989d9 e8???????? } - $sequence_9 = { 8b530c 85d2 0f8e1bffffff 01d0 89430c e9???????? 4157 } - $sequence_10 = { 4883ec28 e8???????? 3dff2f0000 0f97c0 } - $sequence_11 = { ba19000000 488b4c2438 ff15???????? 85c0 } - $sequence_12 = { ba18000000 4889c1 ffd3 85c0 } - $sequence_13 = { 85c0 7409 488b442428 48c1e814 } - $sequence_14 = { 488b01 ff9080000000 85c0 7815 } - $sequence_15 = { ff15???????? 25ff0f0000 8d88b80b0000 ff15???????? } - $sequence_16 = { 488b01 ff5010 ff15???????? 89f0 4883c458 } - $sequence_17 = { 8d8800040000 e8???????? 4889c3 4885c0 } - $sequence_18 = { 0fb6d1 488b0b ff15???????? 8b38 488bcb e8???????? 488b4c2448 } - $sequence_19 = { 85c0 7432 488d0c7d02000000 e8???????? 488bd8 4885c0 } - $sequence_20 = { 48ffc7 66393478 75f7 4885ff 740d 488d4c2420 } - $sequence_21 = { 440fb64101 410fb6540902 410fb6440802 4188440902 4188540802 0fb601 } - $sequence_22 = { 488bce e8???????? 488b7c2468 8bc3 } - $sequence_23 = { 4c8bc6 6683f822 744f 48ffc1 664289440420 } - $sequence_24 = { 488d542470 b901010000 ff15???????? 85c0 } + $sequence_0 = { 0f8709060000 4183fe03 0f87ff050000 4585f6 0f850a020000 } + $sequence_1 = { 85c0 0f88c0060000 8d0480 8d4441d0 418902 0fb74502 } + $sequence_2 = { 8944242c 48b8fffffffffdffffff 4889842480000000 31c0 6689842488000000 0fb706 897c2478 } + $sequence_3 = { 41b902000000 41b800000000 ba00000000 4889c1 } + $sequence_4 = { 48c744243000000000 c744242880000000 c744242003000000 41b900000000 41b807000000 ba00000080 4889c1 } + $sequence_5 = { 0f8e1bffffff 01d0 89430c e9???????? 4157 } + $sequence_6 = { 415c c3 55 4157 4156 4155 4154 } + $sequence_7 = { ba19000000 488b4c2438 ff15???????? 85c0 } + $sequence_8 = { 4883ec28 e8???????? 3dff2f0000 0f97c0 0fb6c0 } + $sequence_9 = { 85c0 7409 488b442428 48c1e814 } + $sequence_10 = { 488d4c0301 4801c9 e8???????? 
4889c3 4885c0 } + $sequence_11 = { ba18000000 4889c1 ffd3 85c0 } + $sequence_12 = { 488b01 ff9080000000 85c0 7815 } + $sequence_13 = { ff15???????? 25ff0f0000 8d88b80b0000 ff15???????? } + $sequence_14 = { ff5010 b9e8030000 ff15???????? 83ef01 } + $sequence_15 = { 4b8d1c00 4889d9 e8???????? 4989d8 488944f500 } + $sequence_16 = { 488905???????? 448b06 4585c0 7416 b80a000000 } + $sequence_17 = { 488d542470 b901010000 ff15???????? 85c0 } + $sequence_18 = { 750b 488b4c2460 488b01 ff5068 488b4c2468 } + $sequence_19 = { 6642894c0c20 ffc2 4f8d0c00 410fb70c19 6685c9 75d8 4863c2 } + $sequence_20 = { ff15???????? b906000000 ba04000000 85c0 } + $sequence_21 = { 1bc9 41d1e8 81e12083b8ed 4133c8 8bc1 2401 } + $sequence_22 = { 83e2fc 83c224 89542450 83c2fc } + $sequence_23 = { 488bcf e8???????? 488b6c2460 488bce e8???????? 488b7c2468 8bc3 } condition: 7 of them and filesize < 331776 
@@ -92557,44 +92748,46 @@ rule MALPEDIA_Win_Stealc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff6aaa00-958c-53cc-ab33-0d5cc117632f" - date = "2026-01-05" - modified = "2026-01-06" + id = "245d1341-6364-50d0-90ef-0c5fe082573b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stealc_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stealc_auto.yar#L1-L189" license_url = "N/A" - logic_hash = "0abba8b26d40125f184d3d439be2ae9ffb7dbc4aae103ea542b0165f4c38fedb" + logic_hash = "747c4fdb9604e7437401c238b6a026fcb6674b96b9d1bcd0b026ed4df8931e58" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? e8???????? 81c480000000 e9???????? } - $sequence_1 = { e8???????? e8???????? 83c418 6a3c } - $sequence_2 = { e8???????? 83c460 e8???????? 83c40c } - $sequence_3 = { ff15???????? 85c0 7507 c685e0feffff43 } - $sequence_4 = { 68???????? e8???????? e8???????? 83c474 } - $sequence_5 = { 50 e8???????? e8???????? 81c484000000 } - $sequence_6 = { 8d85dcf7ffff 50 8b450c 53 ff30 895df0 } + $sequence_0 = { e8???????? 83c460 e8???????? 83c40c } + $sequence_1 = { 50 e8???????? e8???????? 81c484000000 } + $sequence_2 = { 68???????? e8???????? e8???????? 
83c474 } + $sequence_3 = { e8???????? e8???????? 83c418 6a3c } + $sequence_4 = { e8???????? e8???????? 81c480000000 e9???????? } + $sequence_5 = { ff15???????? 85c0 7507 c685e0feffff43 } + $sequence_6 = { 8d85dcf7ffff 50 8b450c 53 } $sequence_7 = { 8d85dcf7ffff 50 ff15???????? 85c0 0f84a1000000 } - $sequence_8 = { e8???????? e8???????? 83c47c e9???????? } - $sequence_9 = { 69c10ba31400 894d80 2bc2 66894584 } - $sequence_10 = { e9???????? 694d940ba31400 ba51754269 2bca } - $sequence_11 = { 2bca 884c0588 48ffc0 4883f808 } - $sequence_12 = { 2bc2 66894584 69c187fd701e b934eddb95 } - $sequence_13 = { 85c0 750a b043 66c745a04300 eb03 8a45a0 } - $sequence_14 = { 8bcc 8d85e8fcffff 50 e8???????? } - $sequence_15 = { 894d94 b925000000 e8???????? 0fb64d8f } - $sequence_16 = { ba51754269 2bca 69c10ba31400 894d80 } - $sequence_17 = { e8???????? 0fb64d8f 4c8be0 440fb6458e } + $sequence_8 = { 0fb67588 440fb77586 440fb77d84 894c2470 498bcc 4489442468 } + $sequence_9 = { ba51754269 2bca 69c10ba31400 894d80 } + $sequence_10 = { e8???????? 0fb64d8f 4c8be0 440fb6458e 440fb64d8d 440fb6558c } + $sequence_11 = { ff15???????? 85c0 750a b043 } + $sequence_12 = { e8???????? e8???????? 83c47c e9???????? } + $sequence_13 = { 894d80 2bc2 66894584 69c187fd701e b934eddb95 } + $sequence_14 = { 66894d86 69c90ba31400 2bca 884c0588 48ffc0 4883f808 7ceb } + $sequence_15 = { 4533c0 4889442420 33c9 418d511c } + $sequence_16 = { 4883f808 7ceb 894d94 b925000000 e8???????? 0fb64d8f } + $sequence_17 = { 8b4580 0fb65d8a 0fb67d89 0fb67588 440fb77586 } + $sequence_18 = { 8bcc 8d959cfeffff 52 e8???????? e8???????? 83c40c 85c0 } + $sequence_19 = { e9???????? 694d940ba31400 ba51754269 2bca } condition: 7 of them and filesize < 4891648 
@@ -92604,36 +92797,36 @@ rule MALPEDIA_Win_Scarecrow_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4797137-49f1-5101-9dc1-24aec16a402a" - date = "2026-01-05" - modified = "2026-01-06" + id = "7fab5d70-082d-5157-9024-2dcf426a6b02" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scarecrow_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scarecrow_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "3c26486fac68aa14cbad0f26e91bc7559e11337af778c6912a8bda339578018a" + logic_hash = "118b6550fd678defbfd11297576eb5fee6908684c3ebc4ca9e3ce500d8361259" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c645d951 c645da70 c645db4c c645dc70 c645dd2b c645de70 c645df16 } - $sequence_1 = { c645d55b c645d678 c645d77c c645d878 c645d928 c645da78 c645db7c } - $sequence_2 = { 40 74ec 5f 5e b801000000 5b } - $sequence_3 = { 56 6a49 68d340dedd ba0f000000 8bf1 e8???????? 83c408 } - $sequence_4 = { 99 f7fb 85d2 74d8 8a06 8bde 84c0 } - $sequence_5 = { 757b b905000000 8b45fc 99 f7f9 85d2 7405 } - $sequence_6 = { be05000000 0f1f440000 8b45b8 99 f7fe 85d2 7405 } - $sequence_7 = { 59 e9???????? c745dc03000000 eb7c c745e030024300 ebbb d9e8 } - $sequence_8 = { c745e030024300 e9???????? 
83e80f 7451 83e809 7443 83e801 } - $sequence_9 = { 7528 e8???????? 85c0 0f847f020000 e8???????? 6a4d } + $sequence_0 = { f7fe 85d2 7521 b905000000 8b45f4 99 f7f9 } + $sequence_1 = { 889435d5f9ffff 46 83fe0c 72d3 8d85d5f9ffff 8985e0f6ffff c685f8faffff00 } + $sequence_2 = { c6458a37 c6458b0e c6458c69 c6458d01 c6458e28 8a854dffffff e8???????? } + $sequence_3 = { f7fb 8b45f0 c1e602 8975ec 85d2 743f } + $sequence_4 = { 40 74dd a1???????? 8b4df8 5f 893401 8bc6 } + $sequence_5 = { c6458f0d 89852cffffff c6459044 8a4585 e8???????? c645e800 c645e900 } + $sequence_6 = { f7fb 8d427f 99 f7fb 889435a5faffff 46 } + $sequence_7 = { c685c0fdffff25 c685c1fdffff7c c685c2fdffff25 c685c3fdffff36 c685c4fdffff25 c685c5fdffff25 } + $sequence_8 = { 83c8fe 40 7579 b905000000 0f1f440000 8b45f4 99 } + $sequence_9 = { 6685c0 75f5 2bce d1f9 51 8d45c9 8bca } condition: 7 of them and filesize < 501760 
@@ -92643,36 +92836,36 @@ rule MALPEDIA_Win_Bohmini_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7ffa4356-333d-5cd0-8977-11f17aa9ceda" - date = "2026-01-05" - modified = "2026-01-06" + id = "da92bc85-489e-5577-9957-bd46d45311d5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bohmini_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bohmini_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "4b7b42d940efc962d3653e13f1a5647032ad0ceec459f0054e3c714b4efdf65b" + logic_hash = "264274befba5b4dec5d783c39befe73cb7c9560f1152508ef33a3f7d45cdfaac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd5 85c0 7503 ff430c 8b36 85f6 } - $sequence_1 = { 8d442408 c744240824020000 50 56 e8???????? 85c0 741f } - $sequence_2 = { 57 51 6a00 6a00 ff15???????? 85c0 } - $sequence_3 = { 50 8d542424 51 52 8d442424 6aff 50 } - $sequence_4 = { 33d0 8855fc 8d742600 8b4df0 034df8 8a55fc 8811 } - $sequence_5 = { c74424080c000000 c744241000000000 8944240c ff15???????? 8b542404 } - $sequence_6 = { 85c0 7529 8d442400 56 50 e8???????? 8bf0 } - $sequence_7 = { ffd6 8b3d???????? 50 ffd7 55 6a00 } - $sequence_8 = { 837e0c0a 7e47 8b4e08 51 e8???????? 
83c404 } - $sequence_9 = { 8d442418 50 56 e8???????? eb0b } + $sequence_0 = { 57 51 e8???????? 8906 8b4604 83c604 83c418 } + $sequence_1 = { 8b0d???????? 8b15???????? 53 55 56 8944241c a1???????? } + $sequence_2 = { 8be8 55 6a00 ff15???????? 50 } + $sequence_3 = { 83c420 c3 8b4c2424 56 57 8b3d???????? } + $sequence_4 = { 5f 5e b8feffffff 5b 81c430050000 c3 } + $sequence_5 = { 56 50 c744241cffffffff c744241800000000 33db ff15???????? } + $sequence_6 = { ff15???????? 8b742408 33c0 85f6 7e1c 53 8bd0 } + $sequence_7 = { 7c0e 3d50460000 7f07 ba01000000 eb02 33d2 85f6 } + $sequence_8 = { 85c0 7529 8d442400 56 50 e8???????? 8bf0 } + $sequence_9 = { 8d54242c 56 52 ff15???????? } condition: 7 of them and filesize < 139264 
@@ -92682,36 +92875,36 @@ rule MALPEDIA_Win_Halfrig_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "42e8a2a1-259b-540e-bb50-a68bd513fd92" - date = "2026-01-05" - modified = "2026-01-06" + id = "2112816c-0271-5bde-a230-252c3624eee7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.halfrig" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.halfrig_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.halfrig_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "adc9aecc9470ee0c91f95fb542745149148c07ba82848cc511591fd05aa26a6e" + logic_hash = "54f2eefc07ca2891769c542d5253d31db4cfcce9bd5cb522e73feea90cd0de51" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8ea3000000 488d0daf800800 e8???????? 833d????????ff 0f858a000000 488d542420 488d8530030000 } - $sequence_1 = { 488d542420 e8???????? 488d0db8bd0700 e8???????? 40383d???????? } - $sequence_2 = { 4c893d???????? 488d8d30030000 488d05acd70200 488bd6 660f1f840000000000 488d8980000000 0f1000 } - $sequence_3 = { 3905???????? 0f8ea3000000 488d0ddf8d0700 e8???????? 833d????????ff 0f858a000000 488d542420 } - $sequence_4 = { 0f8ea3000000 488d0d2f6c0700 e8???????? 833d????????ff 0f858a000000 488d542420 4c8bc6 } - $sequence_5 = { 4983f815 72db 408835???????? 
418b06 4c898b50040000 4088b358040000 3905???????? } - $sequence_6 = { 0f1003 488d542420 488bcd 0f29442420 e8???????? 0fb6d0 488d5b10 } + $sequence_0 = { 498bcf 8802 488d542420 e8???????? 488d0d64eb0700 e8???????? } + $sequence_1 = { 498bcf 8802 488d542420 e8???????? 488d0d40470700 e8???????? } + $sequence_2 = { 488d0d384f0700 e8???????? 40383d???????? 7435 488bd3 4c8bc7 43301438 } + $sequence_3 = { 40883d???????? 4c893d???????? 488d8d30030000 488d05fcf70300 488bd6 } + $sequence_4 = { 4c898ee0000000 3905???????? 7e4a 488d0df0970400 e8???????? } + $sequence_5 = { 4833d0 4981f801040000 72d8 40883d???????? 4c893d???????? 488d8d30030000 488d05ec650300 } + $sequence_6 = { 0fb600 498bcf 8802 488d542420 e8???????? 488d0d48040600 e8???????? } $sequence_7 = { 8801 418b06 3905???????? 0f8ea3000000 488d0dcf4f0700 e8???????? 833d????????ff } - $sequence_8 = { 418b06 4c898ba0040000 4088b3a8040000 3905???????? 7e4e 488d0d34700400 e8???????? } - $sequence_9 = { c705????????6990e984 c705????????3d6d27f5 e8???????? 403835???????? 4c8d0d0e7b0400 7438 } + $sequence_8 = { 8801 418b06 3905???????? 0f8ea3000000 488d0defba0700 e8???????? 833d????????ff } + $sequence_9 = { 40883d???????? 4c893d???????? 488d8d30030000 488d052cfb0400 488bd6 660f1f840000000000 488d8980000000 } condition: 7 of them and filesize < 1369088 
@@ -92721,41 +92914,41 @@ rule MALPEDIA_Win_Corebot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de56ab56-9ec7-5235-bd26-8fc91d55de2c" - date = "2026-01-05" - modified = "2026-01-06" + id = "1723e0b5-2dab-5f71-9fd6-15428095eba6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.corebot_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.corebot_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "7aa9c17958ef7c5a98a9be16ab271931413c5066734bfef2ec6f0b99a977cc0f" + logic_hash = "bddd32fd592a01329ed3fdb297d89b24412a75d1af8c5ce6d6d329923dbc9b66" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7df0 8d55f0 e8???????? 85c0 7411 837df000 } - $sequence_1 = { c7411407000000 8d4910 89c6 01c0 c1ee07 } - $sequence_2 = { 8932 5e c3 31c0 ebfa 55 89e5 } - $sequence_3 = { 8a1c08 84db 741c 01c8 } - $sequence_4 = { 8b06 85c0 743d 8b4e04 85c9 751a 83c604 } - $sequence_5 = { 50 ff15???????? 85c0 7418 8b0e 6a00 ff750c } - $sequence_6 = { 894dd8 b907000000 0fb618 895de8 } - $sequence_7 = { 85c0 894dec 7405 8b55e8 eb2c 8b45dc } - $sequence_8 = { e8???????? 807e5800 7509 ff7654 ff15???????? 807e5000 7509 } - $sequence_9 = { ff7010 ff7014 e8???????? 
8b45e0 } - $sequence_10 = { eb10 6800800000 6a00 56 } - $sequence_11 = { ff15???????? 8d4634 50 ff15???????? 8d4e0c e8???????? } - $sequence_12 = { ff15???????? 807e5000 7509 ff764c ff15???????? 8d4634 50 } - $sequence_13 = { 85ff 740f 57 ff7508 } - $sequence_14 = { ff742428 e8???????? 8b442424 8d4c2410 } + $sequence_0 = { be07000000 8d4801 894dd8 0fb600 8945e8 } + $sequence_1 = { 83e601 31c0 40 8932 } + $sequence_2 = { 31c0 83fe18 72ee 39fe } + $sequence_3 = { e8???????? 83c404 29f7 01f3 } + $sequence_4 = { 55 89e5 56 8b31 85f6 7410 89f1 } + $sequence_5 = { c745ec07000000 8d0412 84d2 8945e8 } + $sequence_6 = { 01f3 8b75ec 56 8945f0 50 57 53 } + $sequence_7 = { 50 57 53 e8???????? 83c410 83f8ff } + $sequence_8 = { eb10 6800800000 6a00 56 } + $sequence_9 = { ff764c ff15???????? 8d4634 50 ff15???????? 8d4e0c e8???????? } + $sequence_10 = { 85ff 740f 57 ff7508 } + $sequence_11 = { ff15???????? 807e5000 7509 ff764c ff15???????? 8d4634 } + $sequence_12 = { ff742420 ff742428 e8???????? 8b442424 8d4c2410 } + $sequence_13 = { 807e5800 7509 ff7654 ff15???????? 807e5000 7509 } + $sequence_14 = { ff7010 ff7014 e8???????? 8b45e0 } $sequence_15 = { 85c0 7515 8b4624 3b4620 } condition: 
@@ -92766,36 +92959,36 @@ rule MALPEDIA_Win_Roopirs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "48848479-790a-5ff7-91e3-208639c13d18" - date = "2026-01-05" - modified = "2026-01-06" + id = "c89f9692-42ee-5da9-92a0-ae45bd7093e7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.roopirs_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.roopirs_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "81aa2556d7e68cc4aaa84172c724098a8fdf541552ef6b7b19cd3ea7889cf5e4" + logic_hash = "8d931c27a308e8d99fa6f782510eeac284c8bc6bec6455852f791a148f7842b0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 ff15???????? 50 8d55d0 52 ff15???????? 8d4dc8 } - $sequence_1 = { 7433 c745fc3e000000 8b4dd8 51 68???????? } - $sequence_2 = { ff15???????? 898544ffffff e9???????? c745fc07000000 8d5584 52 8b45dc } - $sequence_3 = { 8d45b8 50 ff15???????? 8bd0 8d4dd0 } - $sequence_4 = { 51 8b5508 8b4234 8b4d08 8b5134 8b0a 50 } - $sequence_5 = { 8d4dcc ff15???????? c745fc0d000000 6aff ff15???????? c745fc0e000000 } - $sequence_6 = { 8d4db8 ff15???????? 0fbf55b0 85d2 7433 c745fc2f000000 } - $sequence_7 = { 52 8b45b0 50 ff15???????? 
898570ffffff eb0a c78570ffffff00000000 } - $sequence_8 = { ff15???????? 8d4db8 ff15???????? c745fc16000000 8b55d8 } - $sequence_9 = { 8b550c 8d4dd8 ff15???????? c745fc02000000 6a01 8b45d8 50 } + $sequence_0 = { dbe2 8945a4 837da400 7d1d 6a64 68???????? 8b4dd4 } + $sequence_1 = { ff15???????? 83c424 8d4dac 51 8d55b0 } + $sequence_2 = { e9???????? c745fc07000000 8d5584 52 8b45dc 8b08 } + $sequence_3 = { 83bd60ffffff00 7d23 6a6c 68???????? 8b4d08 8b5134 52 } + $sequence_4 = { 8d4db8 ff15???????? c745fc0d000000 8b55d8 52 68???????? } + $sequence_5 = { c745fc06000000 8d45b0 50 8b4dd8 51 8b5508 } + $sequence_6 = { 8b55d8 52 68???????? ff15???????? 8945c0 c745b808000000 6a00 } + $sequence_7 = { 8932 ff15???????? 8d4dbc 8d55cc 51 52 } + $sequence_8 = { 8b4234 50 8b4db0 51 } + $sequence_9 = { eb0a c78538ffffff00000000 8d55b4 52 8d45b8 50 8d4dbc } condition: 7 of them and filesize < 344064 
@@ -92805,36 +92998,36 @@ rule MALPEDIA_Win_Chinoxy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "78736f40-563d-5718-b05e-03a3a946c1f4" - date = "2026-01-05" - modified = "2026-01-06" + id = "852bdd8e-b44a-553a-b64a-e5e8e2d636f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chinoxy_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chinoxy_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "c0bd3bd9ac342844eead2562e34424d0e649b578cd28d421251d6ac44bae37dc" + logic_hash = "e2910771856e90d209ab1e8ac8adc6268d284b1a2b1866fb6f57b7a5d4bc03d1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7405 394004 7538 6a3c e8???????? 83c404 89442408 } - $sequence_1 = { 897e5c 897e60 897e64 897e68 897e6c 897e70 897c2414 } - $sequence_2 = { 52 e8???????? 83c408 85c0 0f84a7000000 8b4f08 6a00 } - $sequence_3 = { 8b5918 33eb 33db 33c5 89442414 8be8 8a5c2416 } - $sequence_4 = { 743a 8b431c 8db140800200 85c0 7506 8db15c800200 8bce } - $sequence_5 = { 3bc6 8b5008 895610 75a7 e9???????? 8b85a0020000 } - $sequence_6 = { 8bde c1ef10 c1e310 0bfb 2bc6 33f8 03f1 } - $sequence_7 = { b9???????? e8???????? 85ff 740a 83c704 57 ff15???????? 
} - $sequence_8 = { 8bf9 c1ee18 c1e708 0bf7 2bd9 33f3 } - $sequence_9 = { 83f8ff 7409 83c004 3bc6 7602 8bf8 } + $sequence_0 = { 8be8 8b0b 85c9 7406 } + $sequence_1 = { 3bc7 7415 8b4610 89460c 8b4008 894610 } + $sequence_2 = { 7411 8bcf e8???????? 5f 5e 5d 5b } + $sequence_3 = { 7456 8b4e0c 6a00 8bc1 68???????? 2bc6 } + $sequence_4 = { 2bc6 33f8 03f1 8bef 8bc5 2bcd } + $sequence_5 = { 03de 2bc6 89442418 8be8 e9???????? } + $sequence_6 = { 03ac99480c0000 8b5928 33eb 33db 33c5 89442414 } + $sequence_7 = { 57 ff15???????? 8b4c2418 5f 5e 5d 5b } + $sequence_8 = { aa 8d842470010000 6804010000 50 } + $sequence_9 = { e8???????? 85db 897e54 740a 83c304 53 } condition: 7 of them and filesize < 1138688 
@@ -92844,42 +93037,42 @@ rule MALPEDIA_Win_Valley_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e31e391b-1d98-571d-b2e1-793b94f7ca99" - date = "2026-01-05" - modified = "2026-01-06" + id = "bec0ecd6-c357-55cf-add1-dd73623586f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.valley_rat_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.valley_rat_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "4fd91bc63ffea1277d480fd520807726f4547d3a7eff2043dfcadcbba2a797a7" + logic_hash = "67f430a23078192b7bca7660f501a4ba0ac4ea7609d171f0e09de87334fc99a7" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 005c7e46 00847e46008a46 0323 d188470383ee } - $sequence_1 = { c785dcfbffff9b9bcc64 c785e0fbffffee6364c8 c785e4fbffff97f1dbf3 c785e8fbffff9bab9b9b c785ecfbffff25539b9b c785f0fbffff9bcdcc64 } - $sequence_2 = { 897e48 897e40 897e44 89464c 8d442408 } - $sequence_3 = { 0101 0505050505 0505050505 0505050505 0505050505 0505050505 } - $sequence_4 = { 51 8d93440a0000 52 e8???????? 
83c40c } - $sequence_5 = { 0101 0101 0201 0102 } - $sequence_6 = { 0101 0101 0101 0101 0101 0505050505 } - $sequence_7 = { 0001 0101 0102 0101 } - $sequence_8 = { c78530feffff73cacd64 c78534feffffce97707a c78538fefffffefffee9 c7853cfefffff7f4f8f0 c78540feffff9b9b9b9b c78544feffff9b9b9b9b c78548feffff9b9b9b9b } + $sequence_1 = { c785a8feffffab9ba19b c785acfefffff79bf09b c785b0feffffe79bab9b c785b4feffffa19bf39b c785b8feffffe89be79b c785bcfeffffab9ba19b c785c0fefffff79bff9b } + $sequence_2 = { 00bcaf4500c5af 45 00f8 af } + $sequence_3 = { 0101 0101 0201 0102 } + $sequence_4 = { 0101 33c0 8be5 5d } + $sequence_5 = { c785a8faffff02246d9b c785acfaffff9b9b6c64 c785b0faffff10e8c398 c785b4faffffee6310de c785b8faffff63f1911b c785bcfaffff59d7ab8d c785c0faffff02c56c65 } + $sequence_6 = { c78598f8ffffbffbf34c c7859cf8ffffe6c5e373 c785a0f8ffff7f9f9b9b c785a4f8ffff64efbfdb c785a8f8ffff12dfbff7 c785acf8fffff3531fa1 c785b0f8ffffaa73499f } + $sequence_7 = { c785e4f6ffff9d9b9b64 c785e8f6ffffefbfa312 c785ecf6ffffdfbfdff3 c785f0f6ffffe81bd39d c785f4f6ffff73149d9b } + $sequence_8 = { 68a0120000 6a00 68???????? e8???????? } $sequence_9 = { 0101 33c0 5e 5b } - $sequence_10 = { 8b15???????? 6800300000 52 50 ff15???????? 8b0d???????? 51 } - $sequence_11 = { c785c0f6ffff8173599d c785c4f6ffff9b9bcbf3 c785c8f6ffffe384bbe4 c785ccf6ffff12dfbfab } - $sequence_12 = { e8???????? 8b0d???????? 83c418 890d???????? 891d???????? 
} - $sequence_13 = { 00bcaf4500c5af 45 00f8 af } - $sequence_14 = { c785e8f7ffffdf10dfbf c785ecf7ffffe7f1dbcd c785f0f7ffff64ebb7c8 c785f4f7ffff64cfbfa3 c785f8f7ffff10d7bfe7 c785fcf7ffff121fbf13 c78500f8ffff9b9b9b64 } - $sequence_15 = { 0101 33c0 8be5 5d } + $sequence_10 = { 0101 0505050505 0505050505 0505050505 0505050505 0505050505 } + $sequence_11 = { 3c58 770f 0fbec2 0fbe80186e0110 } + $sequence_12 = { 0001 0101 0102 0101 } + $sequence_13 = { c7857cf6ffffa864a050 c78580f6ffffe584942c c78584f6ffffa9185999 c78588f6ffff1865fae9 c7858cf6ffff9d1a5d7b c78590f6ffff649b9bf2 c78594f6ffff64189b9b } + $sequence_14 = { 0101 0101 0101 0101 0101 0505050505 } + $sequence_15 = { 8d4dcc c74508???????? e8???????? 68???????? 8d45cc 50 c745ccf0860110 } condition: 7 of them and filesize < 2256896 
@@ -92889,36 +93082,36 @@ rule MALPEDIA_Win_Scieron_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "33fc8152-5e48-52c8-ac9b-34f4ee2aaa91" - date = "2026-01-05" - modified = "2026-01-06" + id = "2f1de20a-5ab2-5747-aa2e-fb47d4243e84" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scieron_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scieron_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "dfba23a630ecd443346ae8a23831b1a493de37d653bee925abed5860ba8acc68" + logic_hash = "06165082fd4214f2aa00119cd4d27b0ae6e19c0c34325fda319e46eccf421b03" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd0 85ff 7411 833d????????00 } - $sequence_1 = { 8b442424 33ff 217c241c 0144241c ff442410 6a10 58 } - $sequence_2 = { 57 eb6b 8b7c2410 3bfd } - $sequence_3 = { ffb614400010 83c718 ffb618400010 8d443c30 50 } - $sequence_4 = { c9 c3 55 8bec 51 e8???????? e8???????? } - $sequence_5 = { 7542 50 50 0fb78604020000 } - $sequence_6 = { ffd7 ffd0 6a04 8d442414 } - $sequence_7 = { e9???????? 81ec8c020000 53 8b1d???????? 55 33c0 57 } - $sequence_8 = { 8d85d8fdffff 50 ffd6 85c0 7409 } - $sequence_9 = { 53 6a40 ffd7 85c0 7414 } + $sequence_0 = { ff742418 ff15???????? 
85c0 0f8472020000 f686????????10 7415 } + $sequence_1 = { 55 6a01 6800000080 83c008 50 ff15???????? 8bf8 } + $sequence_2 = { 57 33ff 397d10 742e } + $sequence_3 = { 685cee0000 8935???????? ff15???????? 68???????? 8d85e0feffff } + $sequence_4 = { 817c2410c8000000 756b 33c0 40 5f } + $sequence_5 = { 85c0 75b2 57 ff15???????? } + $sequence_6 = { 6a02 56 6a01 894df4 8b5804 83c008 6800000040 } + $sequence_7 = { 8bf0 e8???????? 83c40c 8bf0 eb02 } + $sequence_8 = { 3bfe 7419 8d4574 50 57 56 } + $sequence_9 = { 8bec 56 8d470c 50 6a40 } condition: 7 of them and filesize < 100352 
@@ -92928,36 +93121,36 @@ rule MALPEDIA_Win_Gacrux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08e3a0a1-da81-5882-b134-65281af51162" - date = "2026-01-05" - modified = "2026-01-06" + id = "9733cb49-68a2-5c86-8977-728c1a5d72e1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gacrux_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gacrux_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "6278ae90a5acb1d1e22aec25afba6eadcc43cdc1399d5403571d5596bb5e391d" + logic_hash = "374a0770604f45cb64227913029acc0e7a67ac6c7a3ffdfc3a6a671ab2cdc04a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c9 743c 6548 8b0425???????? 80780201 7428 48 } - $sequence_1 = { 33db e8???????? 48 8bf8 48 85c0 742f } - $sequence_2 = { 3900 75f4 48 63c2 85d2 740a 48 } - $sequence_3 = { 740b 41 81cb00900000 45 895821 40 f6c610 } - $sequence_4 = { e8???????? 4c 8bc3 33d2 48 8bcf ffd0 } - $sequence_5 = { 3c40 755f 41 0fbaea1e 40 8ac7 c0e803 } - $sequence_6 = { 0fb6c3 44 3bc8 0f850f010000 44 0fb66d67 43 } - $sequence_7 = { 75f6 e8???????? 
48 83c428 c3 48 } - $sequence_8 = { eb02 33db 8b4c2460 0337 392f 75a5 eb5d } - $sequence_9 = { 83e801 7463 83e801 7457 83e802 744b } + $sequence_0 = { b8f892c087 e9???????? 837c242010 0f82cc000000 ba01000000 41 b84f0df9f3 } + $sequence_1 = { 8aee 45 88700d 41 8ace } + $sequence_2 = { 3c7c 7518 48 63cd e8???????? } + $sequence_3 = { 3bc8 48 0f47ce eb1e 45 0fb70a 41 } + $sequence_4 = { 48 85f6 743b ba01000000 41 b84e323bf7 e8???????? } + $sequence_5 = { b8e697a595 e8???????? 4c 8bc5 } + $sequence_6 = { 40 53 48 83ec20 ba01000000 41 b8817dda68 } + $sequence_7 = { 8d4b40 83631000 ba40000000 48 } + $sequence_8 = { 49 8bce ffd0 48 833f00 } + $sequence_9 = { 8b0d???????? 8bd5 44 0fb605???????? 44 8b0d???????? } condition: 7 of them and filesize < 122880 
@@ -92967,42 +93160,42 @@ rule MALPEDIA_Win_Pslogger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7125bcf7-61fe-59fe-bcb6-1726a032b5b5" - date = "2026-01-05" - modified = "2026-01-06" + id = "03c1b153-a72c-57c3-af9d-51415d4f4bc2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pslogger_auto.yar#L1-L166" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pslogger_auto.yar#L1-L175" license_url = "N/A" - logic_hash = "f827a0de7cefc58a148c7605b546e1b2c29f64eac98a4dd15fd09ff9985d232c" + logic_hash = "1abf9100000b1e962c500e057cb6b60580965322939cb04d072db1579dfd4fa0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8bc8 e8???????? 4863f0 } - $sequence_1 = { 4885c9 7406 ff15???????? 4883c318 } - $sequence_2 = { 8d4601 4863e8 488bcd e8???????? } - $sequence_3 = { 483bc8 740e 4885c9 7406 } - $sequence_4 = { ff15???????? b801000000 488b8c2488000000 4833cc e8???????? } - $sequence_5 = { 498bcc e8???????? 33d2 41b8b80b0000 498bcc } - $sequence_6 = { c3 488b0d???????? 33d2 ff15???????? 488b0d???????? 33d2 ff15???????? } - $sequence_7 = { b910000000 ff15???????? 6685c0 7910 b914000000 ff15???????? 6685c0 } - $sequence_8 = { 895c2414 ff35???????? ffd6 e9???????? 
85c9 } - $sequence_9 = { 8bf0 83c408 85f6 0f84e8000000 8bce 8d5101 } - $sequence_10 = { 85c0 7e25 66660f1f840000000000 8894373d1c0000 b801000000 } - $sequence_11 = { 393b 0f45f8 33c9 89bd58fbffff 0f1f4000 } - $sequence_12 = { 6bc830 8b049588b14200 f644082801 7414 8d4508 8945fc 8d45fc } - $sequence_13 = { 68???????? 50 e8???????? 8d842470030000 68???????? 50 e8???????? } - $sequence_14 = { 85c0 0f8568fcffff 668b8594fbffff 83431810 } - $sequence_15 = { 58 668906 8b048d88b14200 6a0a 8854382a } + $sequence_0 = { 488bf9 483b5908 7418 488b0b 4885c9 7406 ff15???????? } + $sequence_1 = { 8bc8 e8???????? 85c0 743b 4863f0 } + $sequence_2 = { 7406 ff15???????? b801000000 488b8c2488000000 4833cc e8???????? 4c8d9c2490000000 } + $sequence_3 = { 488b0e 483bc8 740e 4885c9 7406 } + $sequence_4 = { e8???????? e9???????? 4c8bc5 33d2 488bc8 e8???????? } + $sequence_5 = { 7406 ff15???????? 48891e 488bd3 } + $sequence_6 = { 8b5308 8b4b14 412bc8 448b4b10 } + $sequence_7 = { 7511 0f1f00 e8???????? 803d????????00 74f2 33c0 } + $sequence_8 = { 50 e8???????? 83c40c 8d842460030000 6804010000 } + $sequence_9 = { c787a4af0600a8794200 8894373c1b0000 8d87b41e0000 33f6 8945d8 33d2 } + $sequence_10 = { ba08000000 90 668950fc 8d4018 66ff87f40f0000 668950e8 } + $sequence_11 = { 8b04bd88b14200 c644102901 eb2e 0c80 88441628 8b04bd88b14200 c644102902 } + $sequence_12 = { 6a0a 8854382a 8b048d88b14200 8874382b 8b048d88b14200 5a } + $sequence_13 = { 68???????? 50 e8???????? 897de8 56 68???????? } + $sequence_14 = { 83c410 8bf2 668b02 83c202 6685c0 75f5 2bd6 } + $sequence_15 = { 8d45dc 50 0f1145e0 e8???????? 85db 7407 } condition: 7 of them and filesize < 475136 
@@ -93012,36 +93205,36 @@ rule MALPEDIA_Win_Boldmove_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3bdf90c7-36e1-5e06-8df9-776b6e88680a" - date = "2026-01-05" - modified = "2026-01-06" + id = "fb4a2759-1b2e-5ff5-b378-bcca574f0870" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.boldmove_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.boldmove_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "3d258453779af88e427ea6662db58aa1b287b8846df27e0a7720298a0095c401" + logic_hash = "456546fae78eb1eba848500e10643ada4127a40c12ab9cae5c0f123ab6aa09f5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4308 890424 ff15???????? 50 50 8b4308 890424 } - $sequence_1 = { 83e104 89442454 894c2418 0f852f0e0000 } - $sequence_2 = { 56 53 83ec20 e8???????? a1???????? dd5df0 83780c00 } - $sequence_3 = { d9ee 8b5c245c 8944245c 83c701 dbe9 897c2434 } - $sequence_4 = { 8b449908 85c0 7415 890424 e8???????? a1???????? c744980800000000 } - $sequence_5 = { c7042404000000 e8???????? c7434000000000 89433c e8???????? dd5b08 0fb617 } - $sequence_6 = { 8d85c8fbffff c744240c07000000 89442408 c744240400040000 893424 e8???????? 
8b85c8fbffff } - $sequence_7 = { 66250045 663d0005 0f84f3040000 6681e2ff7f } - $sequence_8 = { 39f0 b800000000 0f47d0 8d440b04 01d9 89442404 89542408 } - $sequence_9 = { d905???????? d9c1 d8c1 d9cb dbf3 dddb 0f87a7030000 } + $sequence_0 = { 895df0 31da 8b5de0 31ce c1c210 c1c607 } + $sequence_1 = { c744243801000000 8b442440 895c2404 892c24 89442410 8b442448 8944240c } + $sequence_2 = { 89442404 8b85c4fbffff 897c2410 8d8405e8fbffff 890424 e8???????? } + $sequence_3 = { eb14 f6431402 740e 895d08 83c410 5b 5e } + $sequence_4 = { 894c2418 0f852f0e0000 8b542454 85d2 0f8599000000 f7c500060000 } + $sequence_5 = { 890f bf10000000 99 f7ff bf04000000 0fb63406 89c8 } + $sequence_6 = { 89c2 31c0 c745c45f244762 89d7 f3ab 8b4508 8d7a44 } + $sequence_7 = { c744247401000000 8b542458 c744246400000000 85d2 0f88e4050000 8b44244c 85c0 } + $sequence_8 = { 0f8715130000 8db42600000000 8d04b6 83c701 8d7442d0 0fb617 8d4ad0 } + $sequence_9 = { c744247cffffffff 39c6 0f8cfbf1ffff e9???????? 8b442430 8b4004 83c001 } condition: 7 of them and filesize < 242688 
@@ -93051,36 +93244,36 @@ rule MALPEDIA_Win_Kurton_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d9353d3d-fdf8-56bf-b9b4-d5c14e22748b" - date = "2026-01-05" - modified = "2026-01-06" + id = "9218ba89-d90e-5a9b-b8c0-02ddc17f8779" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kurton_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kurton_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "070c043684321322d3719fa588bcbbaeb820fca4094babc856258c0a6bac0e61" + logic_hash = "04f8fb4e13528ed01ba163c5b7384c9ede8dd74692bdabb6ed979f09a3db2fb3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 57 e8???????? 68???????? e8???????? 83c404 } - $sequence_1 = { 52 ff15???????? 8b44241c 3bc3 7407 50 } - $sequence_2 = { 57 7355 8bc1 c1f805 8d3c85a05b0210 8bc1 } - $sequence_3 = { 8d4c240c 50 51 6a1f 52 } - $sequence_4 = { 83e103 f3a4 8d4c240c e8???????? 8d4c2448 } - $sequence_5 = { 8bce e8???????? 84c0 0f84d4000000 8bce e8???????? 84c0 } - $sequence_6 = { 0f8498feffff bf???????? 83c9ff 33c0 } - $sequence_7 = { 33c0 c68414c400000000 8bac24c8020000 f2ae f7d1 } - $sequence_8 = { 3ac3 0f84d9000000 3cff 0f84d1000000 fec8 } - $sequence_9 = { 57 55 8d5e10 8974241c 8bcb 8803 e8???????? 
} + $sequence_0 = { 8d4c2418 e8???????? bf???????? 83c9ff 33c0 8b54241c f2ae } + $sequence_1 = { eb23 33c0 8a8718cc0110 668b9486760a0000 66d3e2 660996b0160000 83c103 } + $sequence_2 = { 84c0 7431 8b4704 3bdd b9???????? 761b } + $sequence_3 = { 33c0 8dbc2465040000 889c2464040000 f3ab 3bf3 66ab } + $sequence_4 = { e8???????? 3d00040000 8d4c2414 7618 e8???????? } + $sequence_5 = { e8???????? 83c424 8d442404 68???????? } + $sequence_6 = { c70000000000 6844030000 c7450000000000 e8???????? 8bb42430010000 8bd8 b984000000 } + $sequence_7 = { 896f0c 8a542413 8d4e30 55 c644242801 8811 e8???????? } + $sequence_8 = { 83c130 e9???????? 8b4df0 83c150 e9???????? 8b4df0 83c160 } + $sequence_9 = { 8b8694000000 50 ffd7 8bce e8???????? } condition: 7 of them and filesize < 344064 
@@ -93090,36 +93283,36 @@ rule MALPEDIA_Win_Cookiebag_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a1b2ec8f-a75e-5a6d-8c41-80da5c8e831c" - date = "2026-01-05" - modified = "2026-01-06" + id = "87d27153-8f18-5b36-9a3a-a5abbe3f0aad" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cookiebag_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cookiebag_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "2cb20734fcd81a355448bc2557be61a5fdc54ceb6b9b3a4d3d93ee10aa49b59c" + logic_hash = "1a63e2ea29f8b1a9865d0cb00e0963b38339d2f8a4e6be6ac3679ce75b1bf949" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? bf???????? 83c9ff 33c0 c644247403 f2ae f7d1 } - $sequence_1 = { 83e00f eb02 33c0 0fbe84c1a0e24100 c1f804 83f807 } - $sequence_2 = { 2bc2 83f801 8a5cbc2c 7705 } - $sequence_3 = { 896c2458 896c245c 741d 8d48ff 8a40ff 84c0 740a } - $sequence_4 = { e9???????? 49 51 e8???????? 83c404 e9???????? 8a8c2484000000 } - $sequence_5 = { 47 83f80b 0f8777020000 ff248509c44100 80fb31 7c0c } - $sequence_6 = { e8???????? 8b4c242c 8b442428 45 83c710 e9???????? 50 } - $sequence_7 = { 8bd8 8dbe98000000 6a01 53 8bcf e8???????? 
84c0 } - $sequence_8 = { 8bf8 8d9e04010000 6a01 57 8bcb e8???????? 84c0 } - $sequence_9 = { 889c24b8000000 e8???????? 8d44242c 8d4c241c 50 8d542460 51 } + $sequence_0 = { 6a01 56 e8???????? 84c0 741d 8b4c2418 } + $sequence_1 = { e8???????? 83c404 8b8c2408010000 89bc24f8000000 3bcf 89bc24fc000000 89bc2400010000 } + $sequence_2 = { 85c0 7505 b8???????? 8078fffe 732e 6a01 8bcf } + $sequence_3 = { e8???????? 84c0 7427 8b442414 8b7c2430 8bc8 be???????? } + $sequence_4 = { eb0a 49 51 e8???????? 83c404 8b742414 89ac249c000000 } + $sequence_5 = { 85c0 7509 47 3bfd 75eb 8bf7 eb29 } + $sequence_6 = { 7431 8a46ff 84c0 742a 3cff 7426 6a01 } + $sequence_7 = { 68???????? e8???????? 8a4c2478 56 884c241c 8d4c241c c644247401 } + $sequence_8 = { 895c2448 7505 b8???????? 8b4c241c 8d542448 52 51 } + $sequence_9 = { 50 e8???????? 8b442444 c684243001000002 3bc3 899c24d0000000 7505 } condition: 7 of them and filesize < 311296 
@@ -93129,36 +93322,36 @@ rule MALPEDIA_Win_Unidentified_070_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bc99ca5b-4d55-52a4-9778-97da0dfa2869" - date = "2026-01-05" - modified = "2026-01-06" + id = "e81b9034-d929-56ab-8b33-49c1a7c26337" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_070_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_070_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "2ece2222d59166146594c492cc62e3c6aa195983d54a5768c5b3c1160f95e1d0" + logic_hash = "049fbea13aee48486180306bb1d113b5d1a27da0106a4aeee2c9384c85dca5ff" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 6a00 6a00 6a04 50 ff15???????? 8945fc } + $sequence_0 = { 33c0 c20400 3b0d???????? 7502 } $sequence_1 = { 6a04 50 ff15???????? 8945fc 85c0 } - $sequence_2 = { 6a00 6a00 6a04 50 ff15???????? 8945fc 85c0 } - $sequence_3 = { 6a00 6a04 50 ff15???????? 8945fc 85c0 } - $sequence_4 = { 6a00 6a04 50 ff15???????? 8945fc } - $sequence_5 = { 33c0 c20400 3b0d???????? 7502 } - $sequence_6 = { 6a00 6a00 6a04 50 ff15???????? 8945fc } - $sequence_7 = { 83f8ff 50 0f95c3 ff15???????? 
8d85f4fdffff } - $sequence_8 = { 6a00 6a00 6800200000 6a01 8d8424e8000000 } - $sequence_9 = { 6a00 6a00 68???????? 8d85f4fdffff 50 6a00 } + $sequence_2 = { 6a00 6a00 6a00 6a04 50 ff15???????? 8945fc } + $sequence_3 = { 6a00 6a00 6a04 50 ff15???????? 8945fc } + $sequence_4 = { 6a00 6a04 50 ff15???????? 8945fc 85c0 } + $sequence_5 = { 6a00 6a00 6a04 50 ff15???????? 8945fc 85c0 } + $sequence_6 = { 6a00 6a04 50 ff15???????? 8945fc } + $sequence_7 = { 6a02 6a00 68ff000f00 ff742424 ff15???????? 85c0 74c3 } + $sequence_8 = { 57 56 ff15???????? 56 ffd3 57 ff15???????? } + $sequence_9 = { 50 ff15???????? 83c40c eb17 68???????? 50 ff15???????? } condition: 7 of them and filesize < 90112 
@@ -93168,36 +93361,36 @@ rule MALPEDIA_Win_Lynx_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f38e4f00-aaca-5bf9-869c-83083f4fee5c" - date = "2026-01-05" - modified = "2026-01-06" + id = "a8c2e8e4-1e25-5395-ba73-0899a1aaaff5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lynx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lynx_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lynx_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "830d0c044d086e873e93b41654d3296d5d83edd7251c856a6c1b1da8daa3d504" + logic_hash = "bab44f060b9b5efea69bf50173db5b1b2f8a0083493710fc1b1fad1912b32e5e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4dec 0f1145ec e8???????? b90f000000 8d87bf000000 } - $sequence_1 = { 23d1 8b7df4 8bde 8955dc 81f3ffffff03 8b55f0 f7d3 } - $sequence_2 = { 038580fcffff 038574fdffff 898548fdffff 8d0433 898528fdffff 8b8558fdffff } - $sequence_3 = { e9???????? 83bb6801000000 8b4320 894308 8b4324 c7433400000000 89430c } - $sequence_4 = { 8d4010 83fa0a 72dc 8b8d0cffffff 2b0f 8b8510ffffff 1b4704 } - $sequence_5 = { ff15???????? 50 ff15???????? 
85c0 0f84db000000 8b5dc0 } - $sequence_6 = { 41 81f901010000 7ced 8a8619834200 88843319010000 46 81fe00010000 } - $sequence_7 = { 89957cfcffff 899578fcffff 899de4fcffff 81bd3cfdffff80020000 8bbd1cfdffff 89b5e8fcffff 8bb538fdffff } - $sequence_8 = { c1e10e 0b8d28fdffff 318d68fdffff 8b8d74fcffff c1e112 0b8d24fdffff } - $sequence_9 = { ff750c 57 6a01 53 ff15???????? 50 53 } + $sequence_0 = { ff7014 ff15???????? f0ff05???????? 8b8c24ec010000 5f 5e 5b } + $sequence_1 = { 8d8d60ffffff 0f1185d0fdffff 0f108570ffffff 0f1185e0fdffff } + $sequence_2 = { 239d40fdffff 8bc6 23852cfdffff 8bd6 33d8 c1ea0e } + $sequence_3 = { 57 ff15???????? be???????? 660f1f840000000000 } + $sequence_4 = { 50 a1???????? 56 ffd0 8bce e8???????? 56 } + $sequence_5 = { 0f118570ffffff 8d85d0fbffff b924000000 0f104220 8dbdd8fbffff 898528fbffff f3a5 } + $sequence_6 = { e8???????? 83a6708f420000 59 83c604 81fe00020000 72dd b001 } + $sequence_7 = { 50 ff15???????? 8bf8 85ff 7511 50 } + $sequence_8 = { 018568fdffff 3b9d70fcffff 1bc0 f7d8 018568fdffff 3bca 8b9568fdffff } + $sequence_9 = { 56 ff15???????? 85c0 0f845cffffff 837c242401 } condition: 7 of them and filesize < 363520 
@@ -93207,54 +93400,53 @@ rule MALPEDIA_Win_Spedear_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1d005a15-ef8d-569f-a767-c6e1e72829d4" - date = "2026-01-05" - modified = "2026-01-06" + id = "bc74395a-f867-5375-b1a4-3194ab3faef7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spedear_auto.yar#L1-L271" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spedear_auto.yar#L1-L258" license_url = "N/A" - logic_hash = "fdde63af58dfc9054af7189054546d8fc5a45deaed146cfe4323b2ae3cb67aa8" + logic_hash = "8ad71d71fef6d799b3c4103e4255891e4d1c676677fc2e42c68cbbb5bc612621" score = 75 quality = 71 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83e207 03c2 c1f803 83c40c 85c0 } - $sequence_1 = { 53 50 e8???????? 8b7e0c 895e10 } - $sequence_2 = { 8b4718 8a5f06 50 894608 e8???????? } - $sequence_3 = { 6a00 6a00 57 8bd8 ffd6 6a00 8d442414 } - $sequence_4 = { 894618 ffd7 89461c 5f } - $sequence_5 = { e8???????? 83c404 3bc5 740a c700???????? 8bd8 eb02 } - $sequence_6 = { 8906 8b44241c 5e 33d1 5d } - $sequence_7 = { 8b4604 8b571c 83c410 83c120 53 e8???????? 3bdd } - $sequence_8 = { 85c0 7536 85f6 742c 833e00 741e 8b5608 } - $sequence_9 = { 6a00 68???????? e8???????? 
83c40c 68d0070000 } - $sequence_10 = { 741a 6a00 6a00 ff7608 ff5604 6800800000 6a00 } - $sequence_11 = { 394878 7456 39487c 7451 } - $sequence_12 = { 8bc7 5e 5f 5b 5d c3 6a08 } - $sequence_13 = { 83450c04 33c7 ff4d08 8b7dfc } - $sequence_14 = { c745fc12000000 33ff 895d08 8b5d0c 0fb61c19 c1e708 } - $sequence_15 = { 4c8bda 418b10 498d6b44 498bd9 498bf8 } - $sequence_16 = { 8b4610 3998a0000000 760f 3998a4000000 7607 57 56 } - $sequence_17 = { 3b0d???????? 7329 4863d1 488d0dd0ab0000 } - $sequence_18 = { ff15???????? 4c8d5c2440 488d1571020100 492bd3 410fb60b 410fb60413 } - $sequence_19 = { c744243004010000 e8???????? 488b4c2438 4c8d5c2430 488d842450010000 488d15f0bd0000 4c895c2428 } - $sequence_20 = { 8d6a12 41be04000000 4d2be3 0f1f00 448bc2 } - $sequence_21 = { 68???????? 8d45f0 50 c745f0f0d12300 e8???????? } - $sequence_22 = { 488bcb e8???????? 85ff 7e33 } - $sequence_23 = { 8b4310 33c9 56 57 394878 } - $sequence_24 = { 895f10 488b4f18 4885c9 740c e8???????? } - $sequence_25 = { 3bf2 7cc1 034004 8b4804 } - $sequence_26 = { 4883c308 483bdf 72ed 48833d????????00 741f 488d0dc6ef0000 e8???????? } - $sequence_27 = { 85c0 752c ff7508 68???????? } + $sequence_0 = { 99 83e207 03c2 c1f803 83c40c } + $sequence_1 = { 8b4718 8a5f06 50 894608 } + $sequence_2 = { 53 50 e8???????? 8b7e0c 895e10 } + $sequence_3 = { 83c408 c20800 51 53 } + $sequence_4 = { 83fe12 7cd7 8d754c bb04000000 bf80000000 } + $sequence_5 = { 5f 8b4c2428 33cc e8???????? 83c42c c20800 56 } + $sequence_6 = { 6a00 68???????? e8???????? 83c40c 68d0070000 } + $sequence_7 = { 0fb6d9 894c2414 0fb6e8 c1e808 8bc8 } + $sequence_8 = { 894618 ffd7 89461c 5f } + $sequence_9 = { 8b4718 894608 8b4f1c 51 e8???????? 894604 } + $sequence_10 = { ff7608 ff5604 6800800000 6a00 } + $sequence_11 = { 8bc7 5e 5f 5b 5d c3 6a08 } + $sequence_12 = { 833e00 741a 6a00 6a00 ff7608 } + $sequence_13 = { 394878 7456 39487c 7451 } + $sequence_14 = { 53 50 89b5d8fbffff e8???????? 8b3d???????? } + $sequence_15 = { 6a00 50 8906 e8???????? 
83c410 c3 } + $sequence_16 = { 83c8ff e9???????? 4c8bfb 4c8bf3 488d0540d30000 } + $sequence_17 = { 4863d9 4c8be3 49c1fc05 4c8d2d56ab0000 83e31f } + $sequence_18 = { 7cc1 034004 8b4804 8b10 03d1 } + $sequence_19 = { 4889842480040000 488bd9 33ff 488d8c2471030000 } + $sequence_20 = { 4c8d4c2440 488d542448 41b820000000 488bcf 48c744242000000000 ff15???????? } + $sequence_21 = { 448ba088000000 488b4110 4c896c2410 4c89742408 468b74201c 468b6c2024 428b6c2020 } + $sequence_22 = { 8b4d08 8945f0 8b450c 8945f4 8b4514 40 c745ec2dba2300 } + $sequence_23 = { 89430c 8d4310 8d89bc182400 5a 668b31 668930 83c102 } + $sequence_24 = { 0fb7444b10 6641898448b81c0100 ffc2 89542420 ebe2 8bd7 89542420 } + $sequence_25 = { 480fbec5 420fbe8c0870b30000 83e10f eb03 } + $sequence_26 = { b964000000 ff15???????? 48ffc3 4883ef01 75db } condition: 7 of them and filesize < 188416 
@@ -93264,36 +93456,36 @@ rule MALPEDIA_Win_Unidentified_042_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ae890a66-8da7-5772-a89f-ab1d2760fae8" - date = "2026-01-05" - modified = "2026-01-06" + id = "c75e52e9-dfdd-54d9-9fef-bcc12eba6502" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_042_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_042_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "782ff3cf4462e323a29ec1ed58b2c131a4c6b0f31ed36cc79b62c6515d0facd2" + logic_hash = "04747e04bc8d0c9a49c029c2ad4b9af0895855ed01472136f24c3c48dd40b81e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8bf0 8b4508 8b00 57 8bf9 c70600000000 } - $sequence_1 = { 53 8bd8 56 b800200000 33f6 66858350020000 7410 } - $sequence_2 = { 8a1430 40 8855ff 33d2 8d7801 33c9 8955f4 } - $sequence_3 = { 66858f50020000 0f8532ffffff c60616 8a977e010000 885601 8a877f010000 884602 } - $sequence_4 = { 53 56 8bf0 a1???????? 33db 57 895df8 } - $sequence_5 = { 895df4 8d75e8 e8???????? 8bc7 5f 5e } - $sequence_6 = { 57 ffd6 a3???????? 
85c0 0f8489020000 8d95d7fcffff 52 } - $sequence_7 = { c78518f9ffff356c656e c7851cf9ffff636a5a44 c78520f9ffff49577a32 c78524f9ffff59725a56 c78528f9ffff4362620d c7852cf9ffff0a626671 c78530f9ffff73752f38 } - $sequence_8 = { 0175f0 c1cf02 89b5ccfeffff 89bdd4feffff 8bfa } - $sequence_9 = { 88480a 66859350020000 7548 8b7b18 8d700b 6a41 8bce } + $sequence_0 = { 81e200ff0000 81e3000000ff 33cb 33ca 338ff0054300 83c704 3348d8 } + $sequence_1 = { b8b9feffff 5e c3 66838e5202000001 b8ccfeffff 5e } + $sequence_2 = { 8b4304 0fb708 03f1 83c40c c6043701 f6835202000010 7407 } + $sequence_3 = { 6a01 6a16 51 52 53 8bd7 8bce } + $sequence_4 = { c78570ffffff3af54fa5 c78574ffffff7f520e51 c78578ffffff8c68059b c7857cffffffabd9831f c7458019cde05b e8???????? 83c404 } + $sequence_5 = { e8???????? 8be5 5d c3 3d14001500 75e4 8db5e2efffff } + $sequence_6 = { 33d6 8955f8 33d1 035044 8d943a0c38e5fd 8b7df8 c1c217 } + $sequence_7 = { 8bfe e8???????? 83c408 85c0 7881 8b03 8b7508 } + $sequence_8 = { 33df 8bfe c1cf12 c1ce07 33fe 8bb5ccfeffff } + $sequence_9 = { c78424f80100001f964e7f c78424fc010000d15d9ed8 c78424000200002872522d bb02000000 c78424040200001b02a94a c78424080200009753aab1 c784240c020000680f208c } condition: 7 of them and filesize < 516096 
@@ -93303,36 +93495,36 @@ rule MALPEDIA_Win_Rugmi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "56dfd636-865d-5e6b-99e2-82ed18d11802" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa80078d-a0c0-5807-b050-54f5c1a74936" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rugmi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rugmi_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rugmi_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "6414237b4a37eccf99db6de8d88a3ab9402e6945fd1a3f91716e86d56c16f3fa" + logic_hash = "89048014201b3c23aeb4b5345e94eb65234f04de3882329a0c258d4184d5cf44" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33db 395d08 0f94c3 8b4518 8b4d08 8908 8bc3 } - $sequence_1 = { 8b7704 eb14 85c0 0f8535010000 56 57 e8???????? } - $sequence_2 = { 3bcb 726f 8b7514 8b5d10 8bc1 0bc2 7508 } - $sequence_3 = { 7507 b8074c0000 c9 c3 8d45e0 50 68???????? } - $sequence_4 = { 894d08 8d56bc 0f45fa 68???????? 03f9 e8???????? 8b7510 } - $sequence_5 = { 5d c3 837d08ff 0f84b4090000 e9???????? 55 8bec } - $sequence_6 = { 395e3c 7520 85ff 0f841c010000 6a0a 68???????? } - $sequence_7 = { 88834d020000 8b84b350010000 83f8ff 7413 50 53 57 } - $sequence_8 = { 8955e4 c645fc00 8d4dcc e8???????? 
c745fcffffffff 8d8d70ffffff } - $sequence_9 = { 56 c687cf0c000000 68???????? e9???????? 6a02 59 6a17 } + $sequence_0 = { c60020 40 8a08 84c9 75f1 385df4 74d6 } + $sequence_1 = { 6806010000 8d85a0fdffff 50 ff75fc 8d85a8feffff 50 e8???????? } + $sequence_2 = { 05d0050000 e9???????? 8b4510 ff30 8b4508 05d4050000 } + $sequence_3 = { 898724010000 0f846cfaffff 50 ff15???????? 898728010000 59 85c0 } + $sequence_4 = { 59 59 85c0 7430 8b4e24 bf???????? 85c9 } + $sequence_5 = { 80be0402000000 0f848c000000 8b8398010000 8b96b8000000 6a20 59 80784700 } + $sequence_6 = { 740d 80b84302000000 7504 8bc1 eb02 33c0 83e800 } + $sequence_7 = { 56 e8???????? 83c410 85c0 0f84e5000000 8a55ff } + $sequence_8 = { 59 85c0 7525 8b868c020000 f6404002 7411 ff750c } + $sequence_9 = { 57 e8???????? 6a02 57 e8???????? 83c428 e9???????? } condition: 7 of them and filesize < 950272 
@@ -93342,36 +93534,36 @@ rule MALPEDIA_Win_Lockfile_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce8b9f2d-3289-5da5-8ae6-f5695e030c37" - date = "2026-01-05" - modified = "2026-01-06" + id = "bd2815c9-f0d4-5e6a-ac59-7f8b5622f6e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lockfile_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lockfile_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "aad82c712a5f767aa5023ac75b23ae49a83688df028acae164a8fa13e666e8c1" + logic_hash = "8ee706fbef80f56d51cc417aea7b798f4101c5e772f6f45d61ddc8fb2a17000b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48f76328 498d0c00 488b4630 493bc8 4883d200 4c03e2 488955f7 } - $sequence_1 = { 48896c2418 56 4156 4157 4883ec30 498be9 4d8bf0 } - $sequence_2 = { c784249000000002000000 4c8bc7 488bd7 488d4c2420 e8???????? 90 4c8d4318 } - $sequence_3 = { 4898 488d0d74280700 8b542438 ffc2 8bd2 4c8b442430 418b1490 } - $sequence_4 = { e8???????? 
cc 4057 4883ec20 488b5110 } - $sequence_5 = { 498b4348 493bc8 4883d200 4c03e2 48895587 48f76650 4c8d0401 } - $sequence_6 = { 48f76118 4c894df0 4c8bea 488d0c03 483bcb 488b5d50 4983d500 } - $sequence_7 = { 4433d5 41c1c802 4403d0 81c59979825a 4503d3 448bda 4533d8 } - $sequence_8 = { 488d059fdf0700 bf04000000 48895c2450 4c8be1 8bd7 488d4c2460 6666660f1f840000000000 } - $sequence_9 = { 418bcd 4103d4 c1c90d 448b2424 4103d0 418bc5 4403e2 } + $sequence_0 = { 4881c488000000 c3 488d1520580600 488d4c2420 e8???????? 90 488d542420 } + $sequence_1 = { 4983d100 48894120 488b4d50 498b4328 4f8d040a 48f721 4d8d1c00 } + $sequence_2 = { 488d056aba0300 4889442420 488d4c2468 e8???????? 90 4c8d4718 488bd3 } + $sequence_3 = { 4889542428 488955d8 4c8945e8 66660f1f840000000000 4c8921 4c896108 4c896110 } + $sequence_4 = { 8b44243c c1e808 8944243c 0fb644243c c1e003 4898 488d0dff390700 } + $sequence_5 = { 4c8d0de9e10400 4533c0 418d501a 488d4db7 e8???????? 0f1000 0f1145d7 } + $sequence_6 = { 4c3b4597 4c8b458f 4883d700 483bc1 4983d000 493bd1 4c13c7 } + $sequence_7 = { 48c1fa05 488bc2 48c1e83f 4803d0 488bca 48d1e9 488bc7 } + $sequence_8 = { c645d64b c645d750 c645d83f c645d987 40887dda 0fb64580 0fb6440d80 } + $sequence_9 = { 89442438 0fb6442438 488d0d6a320700 488d04c1 b901000000 486bc901 ba01000000 } condition: 7 of them and filesize < 1163264 
@@ -93381,36 +93573,36 @@ rule MALPEDIA_Win_Jolob_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e26fb753-78dd-5e02-86f5-44abfa0b6e1a" - date = "2026-01-05" - modified = "2026-01-06" + id = "721dfc29-3d7a-50b0-b764-61d802bd0c74" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jolob_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jolob_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "95fc52fc444139dde815965f9b3fdbca25ad1f5fb52fadd80f33a59c158da935" + logic_hash = "4150b0410a36ec9d51a01ff653e14685bef906d672dd1b0e0c49b7b207630fa5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a64 ff15???????? e9???????? 8b431c e8???????? ff7318 e8???????? } - $sequence_1 = { ff15???????? 50 ff15???????? 8d85ecfeffff 50 ff15???????? 85c0 } - $sequence_2 = { 3bc2 75ec 834710f8 8d75dc e8???????? ff75f4 ff15???????? } - $sequence_3 = { 832600 59 8bb720080000 8b2d???????? 85f6 7415 } - $sequence_4 = { 8945e4 e8???????? 8b5de4 8b4f0c 53 } - $sequence_5 = { 8a45ff 88043e 46 83fe04 7c1f 807c3efc0d 7518 } - $sequence_6 = { 8bc6 5e c20400 832700 85f6 7410 8b4618 } - $sequence_7 = { 8d7df4 e8???????? 
8b45f4 8906 5f c9 c3 } - $sequence_8 = { 3b4e30 72e9 8918 8b463c } - $sequence_9 = { 3bc3 7407 50 e8???????? 59 895e14 895e10 } + $sequence_0 = { 743a 397e28 7435 8d7e10 } + $sequence_1 = { 56 ff742408 ff15???????? 8bf0 85f6 740e 56 } + $sequence_2 = { c7461804000000 8b8f28080000 8b09 6a01 50 51 894e24 } + $sequence_3 = { 8a8df9feffff 40 40 03c6 8808 0fbed1 8d7801 } + $sequence_4 = { 5d c20400 ff15???????? 83f840 e9???????? 8b4c240c } + $sequence_5 = { c644041400 75f8 8d442420 50 ff730c e8???????? 85c0 } + $sequence_6 = { 8975f8 ff15???????? 33c0 40 5f 5e c9 } + $sequence_7 = { 84db 7431 2b4c2410 8b542410 } + $sequence_8 = { e8???????? 89460c 8b06 0faf4604 59 8b4e2c 894608 } + $sequence_9 = { 8b4dfc 03c1 740d 6a00 } condition: 7 of them and filesize < 196608 
@@ -93420,36 +93612,36 @@ rule MALPEDIA_Win_Radrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8cc3544a-ed32-5550-b925-dec2c9f06198" - date = "2026-01-05" - modified = "2026-01-06" + id = "1c27b074-be21-5c7f-8ea6-5afa829a892c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.radrat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.radrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "fb8c6f115f4d653cbab2ab642c199fa84b318ba0571f54841296153652a76219" + logic_hash = "dc8f541fb37ec4acde3ed3a7445628cc2d8faf9fbdea529d1c9437a132a74a84" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c645fc06 8d9578ffffff 52 83ec28 8bc4 89a520ffffff 8d4dcc } - $sequence_1 = { 8b55d8 894a54 837df010 7404 0cff eb7b 8b45d8 } - $sequence_2 = { 8d8db4c3ffff e8???????? e9???????? 83bd54ffffff46 0f8570110000 6a01 8d953cc3ffff } - $sequence_3 = { e8???????? c3 8d8d8ccdffff e8???????? c3 8d8dac95ffff e8???????? } - $sequence_4 = { e8???????? c3 8d4d80 e8???????? c3 8d8d18fdffff e8???????? } - $sequence_5 = { e8???????? c745c000000000 eb09 8b45c0 83c001 8945c0 8b4dc0 } - $sequence_6 = { c745fc00000000 8b45c0 50 8b4dc8 e8???????? 
c745fcffffffff 8d4dcc } - $sequence_7 = { c68522ffffff00 c68524ffffff00 c645fc07 8b550c 52 8d8decfeffff e8???????? } - $sequence_8 = { e8???????? 83c410 8845fc 8b4dfc 81e1ff000000 85c9 7411 } - $sequence_9 = { e8???????? c645fc08 8b8d6cfbffff 83c108 e8???????? c645fc04 8d8ddefdffff } + $sequence_0 = { 8d8d60feffff e8???????? f7d8 1bc0 40 25ff000000 85c0 } + $sequence_1 = { e8???????? c645fc01 8d8d5cffffff e8???????? 8b4508 e9???????? 6a00 } + $sequence_2 = { e8???????? 83c40c c645fc02 8d8d50ffffff e8???????? 8d8d78ffffff e8???????? } + $sequence_3 = { e8???????? 83c40c 8b5508 8b4210 8b4ddc 8b55fc 891488 } + $sequence_4 = { e8???????? 8b8d54fdffff 83c901 898d54fdffff c645fc01 8d8d3cffffff e8???????? } + $sequence_5 = { e8???????? c645fc08 8b8d6cfbffff 83c108 e8???????? c645fc04 8d8ddefdffff } + $sequence_6 = { 8b4808 6bc928 8b5508 8b4204 03c1 8985dcfdffff e9???????? } + $sequence_7 = { c3 55 8bec 83ec14 8b4508 8b481c 894df4 } + $sequence_8 = { 8d8dc4dbffff e8???????? 6a00 8b8d44dbffff e8???????? 50 8d8dc4dbffff } + $sequence_9 = { e9???????? 83bd54ffffff07 0f85b3020000 6a01 8d8db8e9ffff 51 8b4d08 } condition: 7 of them and filesize < 2080768 
@@ -93459,36 +93651,36 @@ rule MALPEDIA_Win_Vendetta_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bcdb1310-b09c-513a-b41a-f75320f7a85e" - date = "2026-01-05" - modified = "2026-01-06" + id = "0f853cd1-ec5c-595b-80ef-003b976fe7fe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vendetta" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vendetta_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vendetta_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "5c2304aa47000d3a15dbc6575084e1756c9655c08eb53d8a6e39024d5b55c108" + logic_hash = "28ce5d7459a4cd2c704db28dc1a30ac0bb5ebc901e2a1febdd7ad61186e9eb9e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? c745e0e8924100 e9???????? c745e0d4924100 } - $sequence_1 = { 8bf1 83caff bf00040000 0fb60e } - $sequence_2 = { 40 c745ec7c994000 894df8 8945fc 64a100000000 8945e8 } - $sequence_3 = { 83ef01 75d4 f7d2 5f 8bc2 5e } - $sequence_4 = { 53 8d85f0f7ffff 50 56 ff15???????? 
} - $sequence_5 = { 84c0 0f843b010000 8d770c 6a2c } - $sequence_6 = { 8b85e0feffff 03b40518ffffff 03b0acb04100 03b5f8feffff } - $sequence_7 = { 238df4feffff 8b85e0feffff 03b40508ffffff 03b09cb04100 8bc3 03b5dcfeffff 01b5f8feffff } - $sequence_8 = { 3385ecfeffff 23c2 3385f8feffff 03f0 8b85e0feffff 03b40514ffffff 03b0a8b04100 } - $sequence_9 = { 7f0e 7c08 81fa00000080 7704 } + $sequence_0 = { 8b04c5e06f4100 5d c3 33c0 5d } + $sequence_1 = { 83c408 84c0 0f845d010000 6a00 51 0bf9 } + $sequence_2 = { 68???????? 56 ffd7 85c0 7433 } + $sequence_3 = { 83a500fcffff00 51 8d8df8fbffff e8???????? 898500fcffff } + $sequence_4 = { 8b4508 dd00 ebc6 c745e0d8924100 e9???????? c745e0e0924100 } + $sequence_5 = { 6a30 eb27 3bcb 7f0e 7c08 81fa0000800c 7704 } + $sequence_6 = { 7309 8b04c5e06f4100 5d c3 33c0 5d c3 } + $sequence_7 = { 85c0 7433 8bce e8???????? 8bf8 } + $sequence_8 = { 33c9 8bc1 3914c5b89b4100 7408 40 83f81d 7cf1 } + $sequence_9 = { 7c08 81fa00002003 7704 6a30 eb27 } condition: 7 of them and filesize < 296960 
@@ -93498,36 +93690,36 @@ rule MALPEDIA_Win_Expiro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6fa4b0d5-e65d-5709-9429-c535e22a563a" - date = "2026-01-05" - modified = "2026-01-06" + id = "3b754d9e-996f-579e-8c17-ded693dca2f4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.expiro_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.expiro_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "e9646f75b21b41c42f31fadf4efd1887628909c4616d1866a9062fcf7c528d57" + logic_hash = "f4e438889636789298f7b90a8ac2db296a690b4a66ec98873c33cd13152101c7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 e8???????? 83c404 385c2413 0f85ddfdffff b8???????? 8d4c2414 } - $sequence_1 = { 02abd9737373 739b 057d737313 7173 7373 7373 } - $sequence_2 = { 8d7558 c684244802000002 33c0 c7461407000000 895e10 668906 } - $sequence_3 = { 367bf8 337ffa 36871b 49 16 62639b } - $sequence_4 = { 56 6a00 6a00 ff15???????? b932000000 8bc3 33ed } - $sequence_5 = { 8b06 33d2 5f 668910 8bc6 5b c20800 } - $sequence_6 = { 668906 57 83c8ff 8bd6 e8???????? 897c2420 } - $sequence_7 = { 8b4c241c 33cc b001 e8???????? 83c420 c3 6aff } - $sequence_8 = { 50 8d7c247c c68424f802000003 e8???????? 
83c404 c68424f402000002 837c243808 } - $sequence_9 = { 83c8ff b9???????? 8d542450 89742464 897c2460 e8???????? } + $sequence_0 = { 7373 7373 7373 735d 07 16 0b07 } + $sequence_1 = { e9???????? 8b542408 8d82f4f6ffff 8b8af0f6ffff } + $sequence_2 = { 33c4 50 8d442448 64a300000000 837f0c00 0f84d8000000 33c0 } + $sequence_3 = { eb02 8bc6 3bd8 7244 83f908 7204 } + $sequence_4 = { 85ff 746d 837e1408 722e 8b06 eb2c 85ff } + $sequence_5 = { 56 e8???????? 8bc6 c1f805 8b0485409d4100 } + $sequence_6 = { 83c404 33c0 6689442430 6a07 b8???????? 8d742434 c744244807000000 } + $sequence_7 = { 7373 7373 7373 137373 b35d 0116 } + $sequence_8 = { 5d 59 c20800 5b 8bc6 33d2 5f } + $sequence_9 = { 85c0 0f84d3000000 33c0 6689842464020000 } condition: 7 of them and filesize < 3776512 
@@ -93537,36 +93729,36 @@ rule MALPEDIA_Win_Cryptic_Convo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66ff4a00-02d0-5dfa-b2f7-7b3271a8876d" - date = "2026-01-05" - modified = "2026-01-06" + id = "8dbf121b-9ff3-5ba2-8d1f-da98a7bae029" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptic_convo_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptic_convo_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "e28456acfbd5652f4b94b426affd2f208681769134e3003d7681a2d2c78d8e5f" + logic_hash = "4113d8b664e6d2a1d0a41a66f1a1f9fb43a842a3c19a39d6e4cb907e2e71368b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 57 8bf1 e8???????? ff7674 8b3d???????? 6a01 } - $sequence_1 = { 2b459c ff7674 2bc7 40 99 2bc2 } - $sequence_2 = { c3 6800090000 6a00 e8???????? } - $sequence_3 = { 034d08 bb00300000 663bd3 7505 } - $sequence_4 = { 8b450c 53 8985ecfcffff 8b4514 56 8985f0fcffff 57 } - $sequence_5 = { 6a5c 85f6 7403 56 } - $sequence_6 = { 7905 4a 83cafe 42 7510 ff85b4feffff 8b95b4feffff } - $sequence_7 = { 8b85ecfcffff 8b95f4fcffff 53 ff7510 89540134 50 } - $sequence_8 = { 50 e8???????? 
83c40c 33c0 8a88b0664000 888c05dc010000 } - $sequence_9 = { 3b85d4fcffff 750e 8b4610 03461c 8985a8fdffff eb0b } + $sequence_0 = { b8???????? a4 8bf0 8a08 40 84c9 75f9 } + $sequence_1 = { 8945e0 8d4584 6a00 50 } + $sequence_2 = { 59 7e2d 8b4d8c 8b5584 49 4a } + $sequence_3 = { 8b45a0 2b4598 2bc3 40 99 2bc2 } + $sequence_4 = { 50 e8???????? 83c410 53 ff15???????? 59 8b4dfc } + $sequence_5 = { ff15???????? 53 57 894588 ff15???????? } + $sequence_6 = { be???????? 8d7dc8 a5 a4 8d7dc8 } + $sequence_7 = { 397510 7e36 ff15???????? 6a19 59 99 f7f9 } + $sequence_8 = { be???????? 8d7dc8 a5 a4 8d7dc8 83c40c } + $sequence_9 = { 83c008 50 ff33 ff15???????? 8b37 } condition: 7 of them and filesize < 97280 @@ -93577,10 +93769,10 @@ rule MALPEDIA_Win_Carrotball_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "93abea8a-2155-53fb-92a0-ba3485bf7552" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.carrotball_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.carrotball_auto.yar#L1-L115" license_url = "N/A" logic_hash = "c456cd5c607eeb3fd6729b04660b73d440499731727e6676847cfbec1800428f" score = 75 @@ -93589,9 +93781,9 @@ rule MALPEDIA_Win_Carrotball_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -93615,36 +93807,36 @@ rule MALPEDIA_Win_Plaintee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c56b0cbf-9d5e-5f6b-9ab4-e8b2c0f5e971" - date = "2026-01-05" - modified = "2026-01-06" + id = "52fa009e-021f-5f1a-9282-83e6fbee3849" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.plaintee_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.plaintee_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "ab35f3cc5b4d32bf6576e8cbf7b0de583ee4e81c86ef4d1d809f91568ce439ac" + logic_hash = "8fe4a70c10f32bce1c211ecedc1a07d2230b093ba80d58d60a893a69d57fc4d5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c408 ff15???????? 99 b932000000 8b742410 f7f9 8b4c240c } - $sequence_1 = { ffd0 8b4c2400 33c0 83f905 0f94c0 } - $sequence_2 = { 7e0f 53 8a1c31 32da } - $sequence_3 = { e8???????? 8bf0 eb02 33f6 8bce e8???????? 8a8669010000 } - $sequence_4 = { 51 6a00 52 56 50 ff15???????? 83f85a } - $sequence_5 = { 8b8d4c010000 83c25a 51 50 } - $sequence_6 = { b932000000 8b742410 f7f9 8b4c240c } - $sequence_7 = { 6802020000 ff15???????? 85c0 740a b001 } - $sequence_8 = { 56 8b74240c 50 8b44240c } - $sequence_9 = { 51 8b4c241c 51 ff15???????? 
} + $sequence_0 = { 50 8d853c010000 50 8b8538010000 6a5a 52 } + $sequence_1 = { 50 ff15???????? 83f85a 721a 8a16 } + $sequence_2 = { 5b 8b542418 8b442414 52 50 6a00 56 } + $sequence_3 = { 881c31 41 3bc8 7cf3 5b } + $sequence_4 = { 51 52 ffd0 8b4c2400 33c0 83f905 0f94c0 } + $sequence_5 = { 83c408 ff15???????? 99 b932000000 8b742410 } + $sequence_6 = { 8b54240c 56 8b74240c 50 8b44240c 51 6a00 } + $sequence_7 = { 8bc8 83e103 8d853c010000 f3a4 8b8d4c010000 } + $sequence_8 = { 83c438 68???????? ff15???????? 8b400c 8b08 8b11 52 } + $sequence_9 = { 84c0 7416 85f6 74c6 } condition: 7 of them and filesize < 73728 
@@ -93654,36 +93846,36 @@ rule MALPEDIA_Win_Ice_Ix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "923bfba5-fc64-5bcc-9e18-fd2e69647e54" - date = "2026-01-05" - modified = "2026-01-06" + id = "3971da01-8501-5ba0-8d5a-dc36a272dee6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ice_ix_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ice_ix_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "88c417db4270d272cced0c61349b1fd36aad8c36a3945176ae9dc99a2eba0afc" + logic_hash = "297f8752913927ba432b9de91965d7e2bc2305cd2fc61a756292f8224e68d59e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 56 6a47 8945f0 } - $sequence_1 = { 8db508ffffff 58 e8???????? 6a63 8d7598 58 e8???????? } - $sequence_2 = { 6a08 6a00 8d45f4 50 e8???????? 8db5d8feffff b89b000000 } - $sequence_3 = { 6a2d 58 e8???????? ff75d0 ff15???????? } - $sequence_4 = { 85ff 0f8403020000 8a1408 80fa0d } - $sequence_5 = { 833d????????04 8b7c2414 1bc0 f7d8 68cc000000 83c034 e8???????? } - $sequence_6 = { 6a3f 8d75b8 58 e8???????? 8b4df4 8bc6 50 } - $sequence_7 = { c20400 55 8bec 83ec20 56 6a5c } - $sequence_8 = { 741d 48 7416 83e80b 740d 83e805 7404 } - $sequence_9 = { 57 ff15???????? 
8b4640 3bc3 0f84a8000000 6800000010 68254e0000 } + $sequence_0 = { 897c2414 6a78 8d74243c 58 e8???????? 8b44240c 8b08 } + $sequence_1 = { 7564 6a62 8db550ffffff 58 } + $sequence_2 = { 8d75dc b893000000 e8???????? 8d45fc } + $sequence_3 = { f645f404 7433 6a4a 8d75cc } + $sequence_4 = { 6a00 8d45f4 50 e8???????? 8db5d8feffff b89b000000 } + $sequence_5 = { 6836084923 e8???????? 8945e8 85c0 7506 40 e9???????? } + $sequence_6 = { 56 ff5008 8b7df8 68cc000000 6a36 58 e8???????? } + $sequence_7 = { 7641 8d1438 8a0a 80f926 7505 } + $sequence_8 = { e8???????? 6a0a 8d7c2438 58 e8???????? 8b4508 8b00 } + $sequence_9 = { eb04 897c241c 6a77 8d742454 } condition: 7 of them and filesize < 327680 
@@ -93693,36 +93885,36 @@ rule MALPEDIA_Win_Nimplant_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a344304a-2438-58e4-b960-8890c3f03181" - date = "2026-01-05" - modified = "2026-01-06" + id = "870b5109-701b-5d4f-8a26-34c2122520c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimplant" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nimplant_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nimplant_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3bcc7f38e2b9ac77c0e1b998e8b9b2d2ae5abbf7ef3c4a3072bece45de56739e" + logic_hash = "7a7e7b774774c259400a940032df06cc3e28ab52483cbaf161ce0c62a938050b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8d05a49c0400 e8???????? 4885db 740f 48b80000000000000040 488503 } - $sequence_1 = { 4d85e4 0f8886000000 410fb6443c08 89c2 83e2fd 80fa3c 7404 } - $sequence_2 = { 4d29dd 4801fe 488d4802 4839d1 7c16 4801d2 4883c003 } - $sequence_3 = { 744a 488d4c2430 4c89ea e8???????? 488b7c2430 0fb62b 4c89e9 } - $sequence_4 = { 4c8b11 4c8b5908 488b02 4c89c3 4c8b4208 4c8d6c2430 4989d4 } - $sequence_5 = { 498b4708 420fb6440807 3c5c 744d 3c2f 7449 ba01000000 } - $sequence_6 = { 4c89fa 4c89c9 4c894c2438 e8???????? 
0fb63b 4c8b7c2458 4c8b4c2438 } - $sequence_7 = { 48897c2438 0f8093030000 4885c0 0f88c2050000 488d7c2470 4889c2 488dac2480000000 } - $sequence_8 = { 4c894c2448 4c895c2440 e8???????? 4c8b5c2440 4c8b4c2448 4d01d9 0f8050020000 } - $sequence_9 = { e8???????? 0fb62b 4084ed 0f85d6fdffff 89f0 488d9424f0000000 c744242001000000 } + $sequence_0 = { e8???????? 4889c3 4883fffe 0f8d63010000 f30f6f0d???????? 488d9424f0000000 41b8e1ca4f41 } + $sequence_1 = { 4c8d0d8e570500 4c8b10 488b83b0000000 894c2428 894c2420 48c744243000000000 4883c008 } + $sequence_2 = { 83f907 0f87b3090000 89d1 4401c0 01d2 48c1e10d 899424c0000000 } + $sequence_3 = { 4c89e1 4801ea e8???????? 4c8b5c2478 4c8b542470 4c8b8c2490000000 4d85c9 } + $sequence_4 = { b901000000 31d2 4c89542468 49b8ffffffffffffff7f 48c1e13f e8???????? 4c8b5c2468 } + $sequence_5 = { 4c8da42480000000 48c784248000000000000000 48c784248800000000000000 4c89e1 e8???????? 4c89e1 48c784248000000000000000 } + $sequence_6 = { 807d0000 0f84dffeffff e9???????? 4889542440 4c894c2428 e8???????? 807d0000 } + $sequence_7 = { 803b00 488b8424f0010000 488b9424f8010000 0f855a3d0000 4c8b5c2428 4c8b542458 4989f0 } + $sequence_8 = { 4c89c2 e8???????? 4c8b442438 4c8b4c2440 4d85c0 0f8e98feffff 4c894c2438 } + $sequence_9 = { 4c8b542438 4989c1 4c01d7 0f802a050000 4e8d4c2f08 4989fa 4c89d0 } condition: 7 of them and filesize < 1811456 
@@ -93732,36 +93924,36 @@ rule MALPEDIA_Win_Mydogs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b817b5f-5d7c-595b-8c97-271eb59c1e4c" - date = "2026-01-05" - modified = "2026-01-06" + id = "b989aaa7-d34d-519d-9c59-6710c6965ce3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mydogs_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mydogs_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "fb82bf24d6c6bbbb3b47474367cfbe1a36e1fd31146eb3759ae00c840dc8a44d" + logic_hash = "6e058dbb50fc6ed6613febe0720caf0b2c1916b21a630f65ff86e24b3ea8743b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 88040a 8d4901 84c0 75f4 6808020000 e8???????? } - $sequence_1 = { 2bca 51 8d85e8fcffff 50 6a01 6a00 53 } - $sequence_2 = { 50 8b8544f8ffff 33c9 038d48f8ffff 83d000 50 0fb78582f9ffff } - $sequence_3 = { 83fe20 750f 57 6a01 6a01 68???????? e9???????? } - $sequence_4 = { 61 9d a1???????? f30f7e05???????? } - $sequence_5 = { 33d2 8945d8 b901000000 8930 } - $sequence_6 = { e8???????? 0fb64608 88450b 6a01 8d450b 50 8bcf } - $sequence_7 = { 6860ea0000 ff15???????? 68???????? 6a00 68???????? 68???????? 
} - $sequence_8 = { 69c005840808 40 894704 898560fbffff c1e818 33c6 25ff000000 } - $sequence_9 = { c785f0eeffff00000000 e8???????? 8bf8 83c408 85ff } + $sequence_0 = { 50 e8???????? 50 6800080000 53 89442434 } + $sequence_1 = { ffb588fcffff e8???????? ffb580fcffff e8???????? } + $sequence_2 = { 53 6808020000 ff15???????? 57 6a00 68???????? } + $sequence_3 = { 83c430 8d4f01 8a07 47 84c0 75f9 2bf9 } + $sequence_4 = { 8945d8 83fb1e 7ccf 8b7dd4 5e 8d4714 b91e010000 } + $sequence_5 = { 50 8bce e8???????? 33c0 5f 5e 8be5 } + $sequence_6 = { 8d7b30 c7433489674523 c70778563412 c7433890785634 8b33 85f6 7414 } + $sequence_7 = { 85c0 742e 8d8554f8ffff 50 57 68???????? 8d8588f9ffff } + $sequence_8 = { 50 ffd7 8d8c2448030000 e8???????? } + $sequence_9 = { 50 8985d8eeffff 8bf9 ff15???????? } condition: 7 of them and filesize < 313344 
@@ -93771,58 +93963,58 @@ rule MALPEDIA_Win_Icedid_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7cb01d8c-6ddc-5faf-a2d7-b352678038d8" - date = "2026-01-05" - modified = "2026-01-06" + id = "e3feaa9e-d97b-5f74-9f3e-a5fa4f0b6f05" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.icedid_auto.yar#L1-L300" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.icedid_auto.yar#L1-L299" license_url = "N/A" - logic_hash = "80a642e8024f176494bc232a2f8ca8c27a08e0dff1dc2e9038b4b5cccdea7c2e" + logic_hash = "ed1ed091ec9117c7c218c9d403fcd5fa7b3597478582b7d813b2c339022a1341" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 7511 56 57 ff15???????? } - $sequence_1 = { 7411 40 50 6a08 ff15???????? } - $sequence_2 = { 50 ff15???????? 8bf7 8bc6 } - $sequence_3 = { 7413 ff36 6a08 ff15???????? } - $sequence_4 = { 85f6 742c 803e00 7427 6a3b 56 ff15???????? } - $sequence_5 = { 85ff 7418 c60700 47 57 ff15???????? } - $sequence_6 = { 68???????? 6a00 ff15???????? 33c0 40 } - $sequence_7 = { 6a3b 56 ff15???????? 8bf8 85ff 7418 } - $sequence_8 = { e8???????? 
8bf0 8d45fc 50 ff75fc 6a05 } - $sequence_9 = { 5f 743f 8d5808 0fb713 } - $sequence_10 = { 03c2 eb5c 8d5004 89542414 8b12 85d2 7454 } - $sequence_11 = { 0132 47 83c302 3bfd 72c4 8b542414 } - $sequence_12 = { 85d2 7454 8d6af8 d1ed } - $sequence_13 = { 8d5808 0fb713 8954241c 66c16c241c0c } - $sequence_14 = { 8d4508 50 0fb6440b34 50 ff740b28 } - $sequence_15 = { 2345fc 8be5 5d c3 55 8bec ff7518 } - $sequence_16 = { ff15???????? 85c0 750a b8010000c0 e9???????? } - $sequence_17 = { 8a4173 a808 75f5 a804 } + $sequence_0 = { 50 ff15???????? 33c0 40 eb11 } + $sequence_1 = { 83e800 7439 83e801 741f 83e801 } + $sequence_2 = { 7511 56 57 ff15???????? 50 } + $sequence_3 = { 0fb705???????? 50 51 0fb60d???????? } + $sequence_4 = { 7427 6a3b 56 ff15???????? 8bf8 } + $sequence_5 = { be01000080 50 56 ff15???????? } + $sequence_6 = { 7413 ff36 6a08 ff15???????? 50 } + $sequence_7 = { ff15???????? 50 ff15???????? 8bf7 8bc6 eb02 } + $sequence_8 = { 8bf0 8d45fc 50 ff75fc 6a05 } + $sequence_9 = { 3bfd 72c4 8b542414 0302 833800 } + $sequence_10 = { 8954241c 66c16c241c0c 0fb7d2 c744241000100000 663b542410 7215 } + $sequence_11 = { 743f 8d5808 0fb713 8954241c 66c16c241c0c } + $sequence_12 = { 3b7820 72d1 5b 33c0 } + $sequence_13 = { 8b12 85d2 7454 8d6af8 } + $sequence_14 = { 2345fc 8be5 5d c3 55 8bec ff7518 } + $sequence_15 = { 57 33ff 397820 7633 } + $sequence_16 = { ff15???????? 85c0 750a b8010000c0 } + $sequence_17 = { a808 75f5 a804 7406 } $sequence_18 = { ff5010 85c0 7407 33c0 e9???????? } - $sequence_19 = { 89442408 0fb70424 8b4c2408 03c8 } - $sequence_20 = { 48 8b523c e8???????? 48 89433c 48 85c0 } - $sequence_21 = { 48 8945b8 48 85c0 0f84db000000 8b4324 48 } - $sequence_22 = { 4c 8b15???????? 48 8d442450 44 } - $sequence_23 = { 49 8943d8 ff15???????? 85c0 } - $sequence_24 = { 4c8bc3 33d2 488bc8 ff15???????? 488bb590020000 } - $sequence_25 = { 3b7b1c 72d7 8b430c 4803c6 0f845affffff 488bcd } - $sequence_26 = { 488d5702 488bce ff15???????? ba22000000 488bce ff15???????? 
4885c0 } - $sequence_27 = { 4289448440 488b5c2428 4c3b5c2430 7307 4c8b742420 } - $sequence_28 = { 488bd8 4885c0 0f84cb000000 488bb590020000 41ba01000000 } - $sequence_29 = { 488bb590020000 488b7c2438 33c9 33d2 } - $sequence_30 = { 80bb8000000040 0f8577ffffff 488d8b81000000 488d542450 e8???????? 85c0 } - $sequence_31 = { 75b9 4883c314 e9???????? ff15???????? 33c0 } + $sequence_19 = { 8be9 49 8bd9 b901000000 49 8bf8 } + $sequence_20 = { 3b13 7309 ebea 41 c70601000000 } + $sequence_21 = { 0f8493000000 44 0fb6441309 48 8d442440 48 } + $sequence_22 = { 741f 81fbee1607d8 7410 81fbc46469f1 b803000000 } + $sequence_23 = { ff15???????? 85c0 7507 b806000000 eb11 8b442438 f7d8 } + $sequence_24 = { 488bf2 488bd9 ff15???????? 4885c0 7504 } + $sequence_25 = { 4883ff04 0f8210010000 4883ef04 48897c2430 4885db } + $sequence_26 = { 7504 33c0 eb7e 488d15550d0000 488bc8 ff15???????? 488bf8 } + $sequence_27 = { 443bc9 7458 4585d2 7420 } + $sequence_28 = { ff15???????? 4c8bc3 33d2 488bc8 ff15???????? 488bb590020000 4885f6 } + $sequence_29 = { 741e 498b1f 4885db 7414 ff15???????? 4c8bc3 } + $sequence_30 = { 74e4 4533c9 48895c2420 4533c0 33c9 418d511a ff15???????? } + $sequence_31 = { ff15???????? ffc7 3b7b1c 72d7 8b430c 4803c6 0f845affffff } condition: 7 of them and filesize < 303104 
@@ -93832,22 +94024,22 @@ rule MALPEDIA_Win_Phorpiex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ce70e39-752b-5d3f-89f2-76accce1eb4a" - date = "2026-01-05" - modified = "2026-01-06" + id = "1d354567-9f59-5789-85ab-bc6421356506" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.phorpiex_auto.yar#L1-L274" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.phorpiex_auto.yar#L1-L289" license_url = "N/A" - logic_hash = "46ea47179a9ad601c3537e5e9a3e48103f2b8131777a3f05f545f317a9791487" + logic_hash = "8a18b4fa1b41f6fd5fa83c797ce891de8d2d28d05c11921b76b5a67e4c3f417c" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -93855,33 +94047,34 @@ rule MALPEDIA_Win_Phorpiex_Auto : FILE $sequence_0 = { 6a00 ff15???????? ff15???????? 50 e8???????? } $sequence_1 = { ff15???????? 85c0 740f 6a07 } $sequence_2 = { ff15???????? 85c0 741f 6880000000 } - $sequence_3 = { 6a00 6a20 6a00 6a00 6a00 8b5508 } - $sequence_4 = { e8???????? 83c410 6a00 6a02 6a02 6a00 } - $sequence_5 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 } - $sequence_6 = { e8???????? 99 b90d000000 f7f9 } - $sequence_7 = { 50 e8???????? 83c404 e8???????? e8???????? ff15???????? } - $sequence_8 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? } - $sequence_9 = { 6a00 ff15???????? 85c0 7418 ff15???????? } + $sequence_3 = { 6a00 6a00 6a20 6a00 6a00 6a00 8b5508 } + $sequence_4 = { e8???????? 83c410 6a00 6a02 6a02 6a00 6a00 } + $sequence_5 = { 50 e8???????? 83c404 e8???????? e8???????? ff15???????? 6a00 } + $sequence_6 = { 6a01 6a00 68???????? e8???????? 83c40c 33c0 } + $sequence_7 = { 68???????? ff15???????? 8d85f8fdffff 50 68???????? } + $sequence_8 = { 6a00 6a00 682a800000 6a00 } + $sequence_9 = { 52 683f000f00 6a00 68???????? 6802000080 ff15???????? 85c0 } $sequence_10 = { 6a01 ff15???????? ff15???????? b001 } - $sequence_11 = { 6a00 682a800000 6a00 ff15???????? } - $sequence_12 = { 52 683f000f00 6a00 68???????? 6802000080 ff15???????? 85c0 } - $sequence_13 = { 7416 8b4df8 51 ff15???????? 8b55fc 52 e8???????? } + $sequence_11 = { ff15???????? 6a00 ff15???????? 85c0 7418 ff15???????? } + $sequence_12 = { 8811 8b4508 83c001 894508 e9???????? 8b4d08 c60100 } + $sequence_13 = { 68???????? ff15???????? e9???????? 8d45fc 50 } $sequence_14 = { f7f9 81c210270000 52 e8???????? } - $sequence_15 = { 85c0 752b 8b8510ffffff 83c001 } - $sequence_16 = { 6a01 ff15???????? 8945f8 837df800 7429 8b45f8 } - $sequence_17 = { 68???????? ff15???????? e9???????? 8d45fc } - $sequence_18 = { 50 e8???????? 59 59 85c0 7573 } - $sequence_19 = { 3d00010000 7504 83c8ff c3 } - $sequence_20 = { 7508 6a00 ff15???????? 
6804010000 } - $sequence_21 = { 6a21 50 e8???????? c60000 } - $sequence_22 = { 52 e8???????? 99 b960ea0000 f7f9 } - $sequence_23 = { 56 ff15???????? b001 5e 81c408020000 } - $sequence_24 = { 68???????? 8d942410010000 6804010000 52 e8???????? } - $sequence_25 = { 40 84c9 75f9 8b0cb3 2bc2 50 } - $sequence_26 = { 41 663bc2 72f7 53 33c0 } - $sequence_27 = { 56 57 68e8030000 ff15???????? e8???????? be???????? } + $sequence_15 = { 0fb745fc 0fb74dc4 0fb6540dc8 0fb64405c8 33c2 0fb74dfc } + $sequence_16 = { 837dfc00 7416 8b4df8 51 } + $sequence_17 = { 837df800 7429 8b45f8 50 ff15???????? 8945fc 837dfc00 } + $sequence_18 = { f7f9 52 ff15???????? 6a00 6a00 6a00 } + $sequence_19 = { 7508 6a00 ff15???????? 6804010000 } + $sequence_20 = { 6a21 50 e8???????? c60000 } + $sequence_21 = { 50 e8???????? 59 59 85c0 0f85c0000000 } + $sequence_22 = { 3d00010000 7504 83c8ff c3 } + $sequence_23 = { 75de eb0a 85ff 740e 803e00 } + $sequence_24 = { c744241400000000 e8???????? 6880000000 8d4c2438 6a00 } + $sequence_25 = { 803800 7412 50 8d44242c 50 e8???????? } + $sequence_26 = { 52 e8???????? 99 b960ea0000 } + $sequence_27 = { 663bc2 72f7 53 33c0 56 } $sequence_28 = { 50 8d45ec 50 6805000020 } - $sequence_29 = { 8d45f8 50 8d45e4 50 6805000020 } + $sequence_29 = { 57 68e8030000 ff15???????? e8???????? be???????? } + $sequence_30 = { 8d45f8 50 8d45e4 50 6805000020 } condition: 7 of them and filesize < 2490368 
@@ -93891,36 +94084,36 @@ rule MALPEDIA_Win_Himan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ed257a76-43f6-55c0-abc7-4725d6aa2228" - date = "2026-01-05" - modified = "2026-01-06" + id = "8c829562-7044-56b8-811b-98f54b6ad19e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.himan_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.himan_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "ca6405bd6a0987e5f551c0a2e97e9d04936f65f5adde6e64c734768ea5c267b3" + logic_hash = "ed6a4111984e184b0533cea4b8fe970e4b691563ee529f1e3a322f50986e6715" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4608 57 57 57 50 } + $sequence_0 = { ff15???????? 85c0 0f84ba040000 8b5d0c } $sequence_1 = { 33d5 8bee 81e5ff000000 c1ee08 3314adbcba6e00 8b28 } - $sequence_2 = { 8bf9 85c0 7505 e8???????? 8b442418 8b4c2414 } - $sequence_3 = { 8a83bc986e00 2bc8 8a11 eb02 32d2 8ac2 8aca } - $sequence_4 = { c1e604 0bce 7c0b 83f940 } - $sequence_5 = { ffd5 85c0 74d4 8b442438 85c0 74cc 03f0 } - $sequence_6 = { c1ee10 8bd7 81e6ff000000 c1ea08 8b2cb5bca16e00 81e2ff000000 } + $sequence_2 = { 8b6810 81e7ff000000 33d5 8bee 89542424 8bd3 c1ea10 } + $sequence_3 = { 84c9 7424 33c0 33d2 8a87bc986e00 8a15???????? 
03c2 } + $sequence_4 = { 8b7808 33f7 c1ea10 8b1c9dbcb56e00 81e2ff000000 c1e908 } + $sequence_5 = { 55 8bec 81ec380c0000 33c0 53 } + $sequence_6 = { 8d85a0fcffff 50 ff15???????? 8da594d4ffff 5f 5e 5b } $sequence_7 = { 8d4c2414 50 51 52 ff15???????? 85c0 7478 } $sequence_8 = { 83c408 85c0 7451 8d8c24e0000000 68???????? 51 } - $sequence_9 = { f3ab 8d44241c 50 ff15???????? 8d4c2418 68???????? 51 } + $sequence_9 = { 83c424 c20800 85ff 7623 8b4c2410 8d442438 50 } condition: 7 of them and filesize < 139264 
@@ -93930,36 +94123,36 @@ rule MALPEDIA_Win_Mindware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "23a8487f-e2c7-545b-81cb-6372e4caaae2" - date = "2026-01-05" - modified = "2026-01-06" + id = "c86aeed0-b9d2-56f0-b3d0-3bd38d91ec6c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mindware_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mindware_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "c1e547ffdf51514bc4e27c57582e862eb5175ec80e05ba2145cb8dfa6653e95b" + logic_hash = "2b17c3402bd1282ee9b7ed17348fc92bd71db495e4f4cc59410475f36444cfb3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? e8???????? 83c40c 8b4dfc 8b7dfc 83c72c } - $sequence_1 = { 50 8b4d08 8b5108 8b4508 8b12 8b4808 } - $sequence_2 = { c7855cecfffff8d44300 c78560ecffff00d54300 c78564ecffff0cd54300 c78568ecffff18d54300 c7856cecffff24d54300 c78570ecffff2cd54300 c78574ecffff34d54300 } - $sequence_3 = { c1e810 83e03f c1e918 83e13f 8b0c8d603a4400 330c8520394400 8bc2 } - $sequence_4 = { 33148dc0bc4400 8bcb c1e918 33148dc0c44400 8b4df0 } - $sequence_5 = { e8???????? 8b4dfc 51 e8???????? 
8b55fc c7423000000000 8b45fc } - $sequence_6 = { c78540f1ffffbce04300 c78544f1ffffc4e04300 c78548f1ffffcce04300 c7854cf1ffffd4e04300 c78550f1ffffe0e04300 c78554f1ffffece04300 c78558f1fffff4e04300 } - $sequence_7 = { 83e03f 330c8520384400 330c95e03c4400 8bd3 33f1 c1ca04 33576c } - $sequence_8 = { 8b4dfc 8b7dfc 83c72c 32c0 8b4928 } - $sequence_9 = { 0fb689f0d84400 c1e108 33d1 8b4df0 c1e908 0fb6c9 c1e208 } + $sequence_0 = { 894104 6a28 e8???????? 83c404 8945dc 837ddc00 } + $sequence_1 = { c78520edffffdcd64300 c78524edffffe4d64300 c78528edffffecd64300 c7852cedfffff4d64300 c78530edfffffcd64300 c78534edffff04d74300 } + $sequence_2 = { 83e03f 330c85603b4400 330c95e03e4400 8b9708010000 33d9 } + $sequence_3 = { c785b8f2ffffa8e44300 c785bcf2ffffb4e44300 c785c0f2ffffc0e44300 c785c4f2ffffc8e44300 c785c8f2ffffd4e44300 c785ccf2ffffdce44300 c785d0f2ffffe4e44300 } + $sequence_4 = { 8d954cffffff 8955fc 8b45fc 83c002 8945e4 8b4dfc 668b11 } + $sequence_5 = { 8955d4 8955d8 8b4508 83c02c 50 ff15???????? } + $sequence_6 = { 330c85603b4400 330c95e03e4400 8b9728010000 33d9 } + $sequence_7 = { c78524f9ffff5cf54300 c78528f9ffff6cf54300 c7852cf9ffff74f54300 c78530f9ffff7cf54300 } + $sequence_8 = { c78524f3ffffd0e54300 c78528f3ffffd8e54300 c7852cf3ffffece54300 c78530f3fffff8e54300 c78534f3ffff00e64300 c78538f3ffff08e64300 c7853cf3ffff10e64300 } + $sequence_9 = { c785e8f7ffff90f24300 c785ecf7ffff98f24300 c785f0f7ffffa0f24300 c785f4f7ffffa8f24300 c785f8f7ffffc0f24300 c785fcf7ffffccf24300 c78500f8ffffd4f24300 } condition: 7 of them and filesize < 661504 
@@ -93969,36 +94162,36 @@ rule MALPEDIA_Win_Tetra_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "85991250-1047-5fcf-96eb-85da5fe13b43" - date = "2026-01-05" - modified = "2026-01-06" + id = "1c625553-724e-525e-9ee7-a022250930d5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tetra_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tetra_loader_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tetra_loader_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "aeb4a8ec8acfdc787245eb94a88275106cbf235fc1e5fc83f04d972b90088a86" + logic_hash = "dbddce53c8e24875fcc1a5f6c02bfe74e9aa61db71b8b7e3763133b833081b40" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 440fb74204 4181f074350000 4109c8 0f8480050000 3302 0fb74a04 81f174360000 } - $sequence_1 = { 66f7e6 0f8010010000 89c2 6601ea 410f92c6 31c0 81fdffff0000 } - $sequence_2 = { e8???????? 0f0b 4c8d059f8a0100 b901000000 4c89d2 e8???????? 0f0b } - $sequence_3 = { 4531db 81f9ffff0000 7715 6666666666662e0f1f840000000000 41bc03000000 4c89f2 } - $sequence_4 = { 7521 c6851717000000 488d8db8160000 488d154ce70200 e8???????? 
488bb5c0160000 66c746023b00 } - $sequence_5 = { 48ffc7 4c89f0 4d89fb bd00000000 4885c0 0f856bffffff ebb4 } - $sequence_6 = { 488901 b001 f6c201 7513 488b4110 488b4820 488b4028 } - $sequence_7 = { 483b7df0 75bc eb8d 4489e1 83e11f 450fb64701 4183e03f } - $sequence_8 = { 4883c1fe 3d00010000 89d0 73a1 0fb64500 8845d0 0f2845e0 } - $sequence_9 = { 488b4de8 48c744243000000000 c744242880000000 c744242003000000 ba00000080 41b801000000 4531c9 } + $sequence_0 = { 4c89642458 4931cf 4c897c2460 4c31cd 49c1c120 4931e9 488d7c2430 } + $sequence_1 = { eb13 4883cd05 eb0d 4983cb06 eb04 4983cb07 4c89dd } + $sequence_2 = { b8ff000000 e9???????? 488d154b370000 488d0d2c370000 e8???????? c705????????02000000 eb08 } + $sequence_3 = { 4883ec48 488daa80000000 660f7f742430 488b9580000000 4885d2 740f 488b4d78 } + $sequence_4 = { 57 53 4883ec48 488daa80000000 488b4d68 488b4570 4883780800 } + $sequence_5 = { 66440f38dedb 66440f38dede 66440f38deda 66440f38ded9 66440f38dfd8 f30f6f00 } + $sequence_6 = { 80f9f0 722d 0fb64e03 4883c604 83e007 c1e012 } + $sequence_7 = { 0f8524010000 4189f0 4d39c4 0f854dffffff ff15???????? 83f87a 0f8533010000 } + $sequence_8 = { 0f83b0010000 48ffcb 49ffc6 e9???????? 4531c9 4484cd 0f859a030000 } + $sequence_9 = { 49b800000f0f00000f0f 4c21c0 4889c1 48c1e104 4809c1 4c31c9 48898c2490020000 } condition: 7 of them and filesize < 847872 
@@ -94008,36 +94201,36 @@ rule MALPEDIA_Win_Protonbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2a60cbb5-df76-51a1-aa18-1e35bc0d84b0" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b025874-4033-5dff-ba6c-b1bc09e6c801" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.protonbot_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.protonbot_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "dd56b01eb6c4f05df12eaa91d84ffe14ac197bb00fbf288295bd9f5385f33352" + logic_hash = "1ef6a3fa336c600e22de5ca6f4efe226302d7cc2884963a0b59278f8f4892c3b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? ffb5f4feffff ff15???????? 8d8dfcfeffff } - $sequence_1 = { ffd3 85ff 8bbdf4fffeff 7f8d 5e } - $sequence_2 = { 51 52 8d8da4feffff e8???????? 6a00 6aff 6a00 } - $sequence_3 = { 83bda0feffff10 8d8d8cfeffff 56 0f438d8cfeffff 6a00 51 6a00 } - $sequence_4 = { 6a00 8b18 899df8fffeff e8???????? 83c410 } - $sequence_5 = { ff7508 e8???????? 83c410 5d c3 6a1c b8???????? } - $sequence_6 = { 57 50 8d45f4 64a300000000 8d8dbcfeffff e8???????? } - $sequence_7 = { 837e1410 8955a0 8bc6 7202 8b06 8d1438 8b45a0 } - $sequence_8 = { e8???????? 
83c418 c645fc01 8d85bcfeffff } - $sequence_9 = { ff15???????? 56 85c0 7404 ffd7 eb02 ffd3 } + $sequence_0 = { c745c800000000 8975ec 8d45dc c645fc03 50 68???????? 57 } + $sequence_1 = { 8bf1 6a04 c745fc01000000 e8???????? 83c404 } + $sequence_2 = { ffd3 85ff 8bbdf4fffeff 7f8d 5e } + $sequence_3 = { 8d85d4fdffff c645fc03 50 6a00 ff15???????? } + $sequence_4 = { c6858cfeffff00 8d7101 8a01 41 } + $sequence_5 = { c7859cfeffff00000000 0f4395bcfeffff 8bca c785a0feffff0f000000 c6858cfeffff00 8d7101 } + $sequence_6 = { c3 6a1c b8???????? e8???????? 8b7508 8365fc00 837d2400 } + $sequence_7 = { 8bce e8???????? 8bc6 8b8c24b4010000 5e } + $sequence_8 = { ffb5f4feffff ff15???????? 8d8dfcfeffff c7461000000000 c746140f000000 8d5101 } + $sequence_9 = { 57 50 8d45f4 64a300000000 8d8dbcfeffff e8???????? } condition: 7 of them and filesize < 1073152 
@@ -94047,42 +94240,42 @@ rule MALPEDIA_Win_Rokrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "72ccb458-56ca-5321-9a37-7df4cd9fbcb3" - date = "2026-01-05" - modified = "2026-01-06" + id = "45d209f1-21c7-5333-8499-20e5f04e72a3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rokrat_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rokrat_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "5cd57f30b8bc2958324b2df203589daea09f2ea7985ac5d6acd0baa6db2468f2" + logic_hash = "33fd0151c91e3dd62a334a078049239bcae0d7df9bb05b06ddc91a4d060e74c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 6a04 33c0 } - $sequence_1 = { 668945c0 e8???????? c645fc03 8b45bc } - $sequence_2 = { 50 e8???????? 6a10 33c0 } - $sequence_3 = { 50 e8???????? 8d8e0c010000 8d4550 3bc8 } - $sequence_4 = { 0fb7c1 50 0fb74208 c1e910 51 50 0fb74212 } - $sequence_5 = { 50 ff15???????? e8???????? 40 } - $sequence_6 = { 50 e8???????? 6a18 33c0 } - $sequence_7 = { 68???????? e8???????? 837e1408 7204 8b06 eb02 8bc6 } - $sequence_8 = { 50 e8???????? 8d8edc000000 8d4520 } + $sequence_0 = { 50 e8???????? 8d8ef4000000 8d4538 3bc8 } + $sequence_1 = { 50 e8???????? 
8d8e0c010000 8d4550 3bc8 } + $sequence_2 = { 50 8bcf e8???????? 8d4538 3bd8 } + $sequence_3 = { 68???????? e8???????? 837e1408 7204 8b06 eb02 8bc6 } + $sequence_4 = { 668945c0 e8???????? c645fc03 8b45bc 83f808 } + $sequence_5 = { 6a00 50 8bcb e8???????? 8d4550 } + $sequence_6 = { 50 ff15???????? e8???????? 40 50 } + $sequence_7 = { 0fb74208 c1e910 51 50 0fb74212 } + $sequence_8 = { 50 e8???????? 8d4568 8d4e60 } $sequence_9 = { ff15???????? 50 e8???????? 59 6a64 } - $sequence_10 = { 897dfc e8???????? 68???????? 8d4dd8 e8???????? } - $sequence_11 = { 89442410 7e34 8d9b00000000 56 } - $sequence_12 = { 89442410 807c244400 7558 85db 7454 68d3010000 } - $sequence_13 = { 89442410 80f925 0f859d030000 3808 } - $sequence_14 = { 89442410 7c7c 8b7758 8b9f8c000000 81c630010000 } - $sequence_15 = { 89442410 7e19 68110b0000 68???????? } + $sequence_10 = { 897dfc e8???????? 68???????? 8d4dd8 } + $sequence_11 = { 89442410 3beb 7420 68830a0000 } + $sequence_12 = { 89442410 3d00010000 7620 68bd0b0000 } + $sequence_13 = { 89442410 3beb 7435 f6870001000080 } + $sequence_14 = { 89442410 41 83f904 894c2414 } + $sequence_15 = { 89442410 3bea 742e f7870001000000010000 7519 68cc080000 68???????? } condition: 7 of them and filesize < 2932736 
@@ -94092,42 +94285,42 @@ rule MALPEDIA_Win_Lurk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "42f43514-1d0a-5f85-8b4c-4d2eb84cb8ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa4366de-91cc-5757-94f8-be54cc8c4145" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lurk_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lurk_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "d1c263745e96efcdbb8910da6861ed00bbaa0d8e2de63a2bd4a743972e1ce722" + logic_hash = "a5093383e9e4765e1b828d40f2a2a0877ecb9058811a10f3021dbf85b93da1f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff7508 ff15???????? 8b35???????? 50 ff7508 } $sequence_1 = { 8b4508 5b 5f 5e c9 c3 55 } - $sequence_2 = { 8908 8b4514 85c0 7407 8b4e28 03cf } - $sequence_3 = { 0f84e0000000 8b45fc 8b4dd8 03480c 51 ff55f4 } - $sequence_4 = { 8955f4 837df404 7325 8b4df0 } - $sequence_5 = { 80780500 8d45fc 7404 6a00 eb02 6a01 50 } - $sequence_6 = { 5f 5e c9 c20400 a1???????? 32c9 384802 } - $sequence_7 = { eb29 837d0803 7504 6a03 eb08 837d0804 7519 } - $sequence_8 = { c9 c3 6afe eb02 6afd } - $sequence_9 = { 8945cc 8b45fc 83c008 8945f0 } - $sequence_10 = { 8945fc e8???????? 
c745f801000000 2975f8 } - $sequence_11 = { a1???????? 385805 744f 53 53 } - $sequence_12 = { 8945d0 8b45f8 895dd4 8945d8 8b3d???????? } - $sequence_13 = { 8955f0 8b45f4 8b4814 c1e11f c1f91f 7412 } - $sequence_14 = { 8955f0 e9???????? 8b55fc 8b45ec } - $sequence_15 = { 8945d4 837dd400 7513 8b45d8 } + $sequence_2 = { 8b55f8 66894a06 85c0 7437 8b45e0 8b4dd8 } + $sequence_3 = { 83c008 8945f0 8b45cc 8b4dcc 49 894dcc 85c0 } + $sequence_4 = { f6c302 7560 0fb711 c1e210 40 40 } + $sequence_5 = { 8b4d0c 832700 832100 58 } + $sequence_6 = { 99 5b f7fb 8a5415ec 32140e 47 8811 } + $sequence_7 = { c1f910 8b55f4 66890a e9???????? 0fb745fc 83f804 0f85b6000000 } + $sequence_8 = { 8b4d0c 51 8b55ec 52 e8???????? 8945fc } + $sequence_9 = { e8???????? 83c410 85c0 759a } + $sequence_10 = { 8b4d0c 6bc928 030d???????? 898d24fdffff } + $sequence_11 = { 51 ff55f4 8945c0 8b45fc } + $sequence_12 = { 837c240801 750a ff742404 e8???????? 59 33c0 } + $sequence_13 = { 8b4d0c 51 e8???????? 85c0 750a } + $sequence_14 = { 894628 eb71 8b5d10 8b4e0c } + $sequence_15 = { 8d4636 57 50 e8???????? 59 6a0a 8bc8 } condition: 7 of them and filesize < 5316608 
@@ -94137,36 +94330,36 @@ rule MALPEDIA_Win_Banpolmex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "09c8ccaf-8f5a-5f11-8d59-2eeae879be55" - date = "2026-01-05" - modified = "2026-01-06" + id = "615e802a-8df7-5575-a079-acd6808fdb3b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.banpolmex_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.banpolmex_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ca7f23e428ff171c615716f21966c01f85ab62bd4b01db41e41afe5b6847958b" + logic_hash = "38962cc0f0f0a8a7c1533745d72aedf3a7068ff8b5fcfb7e1fe3ae08181ba77a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bcf e8???????? e9???????? 3d4c494b50 7515 488d4c2430 4c8bc7 } - $sequence_1 = { 488b4d07 4885c9 7406 ff15???????? 4183fd04 7512 488d1560960200 } - $sequence_2 = { 418bc0 c1e808 0fb6c8 418b848a20de0800 250000ff00 33d0 } - $sequence_3 = { 8944246c 8bf8 ff15???????? 488bd8 4885c0 0f847e010000 8d4e40 } - $sequence_4 = { 410fb6c5 45338487000c0000 4433460c 418bc0 c1e810 0fb6d0 418bc1 } - $sequence_5 = { 0f47d0 8915???????? 488d0d42130900 e8???????? 4c8b6c2468 4c8b642470 488bac24a0000000 } - $sequence_6 = { 7439 4883c420 5b c3 488d91d0000000 41b840000000 e8???????? 
} - $sequence_7 = { 4885ff 7406 89aee4000000 4885db 7406 89aee0000000 33c0 } - $sequence_8 = { 488d542440 4c8bc3 488bc8 488bf8 c744244000000400 e8???????? 33ed } - $sequence_9 = { 488bd3 488bcf e8???????? 85c0 78ba 8b03 803c3805 } + $sequence_0 = { 488d05bd9c0700 0f1f440000 837afc00 7406 66833a00 7512 4883c206 } + $sequence_1 = { 488b0f 85c0 488d55e0 410f45de e8???????? 488b0f 85c0 } + $sequence_2 = { 41bd04000000 488945f7 488d4577 4c8d45f7 488d557f 458bcd 4883c9ff } + $sequence_3 = { 4d8bc5 2bde 413bde 410f4fde 4903cf 8d5302 e8???????? } + $sequence_4 = { 0f85c7010000 498b4e08 448bff e8???????? 4d8b4e58 498b4650 4c8b23 } + $sequence_5 = { 85c0 0f857e020000 4885db 741f 488b4b18 4c8d86c0000000 488d9680000000 } + $sequence_6 = { 488d4c2440 e8???????? 807c242200 0f848e000000 488d4c2440 e8???????? 8bd8 } + $sequence_7 = { 4883ec20 b9d0000000 e8???????? 488bd8 4885c0 7430 33d2 } + $sequence_8 = { 897b08 33c0 4c8b6c2438 4c8b642440 4883c448 415f 415e } + $sequence_9 = { 5e 5d 5b e9???????? 83fe0e 7324 85ed } condition: 7 of them and filesize < 1555456 @@ -94177,10 +94370,10 @@ rule MALPEDIA_Win_Maudi_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "1d89cb82-59a5-5a2e-ac6c-c7d75443bace" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.maudi_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.maudi_auto.yar#L1-L122" license_url = "N/A" logic_hash = "d20863b5f36f8cd108ded6d29f5c3bed96160b9b4abc34b0d10161e337344d4d" score = 75 
@@ -94189,9 +94382,9 @@ rule MALPEDIA_Win_Maudi_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -94215,36 +94408,36 @@ rule MALPEDIA_Win_Unidentified_069_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "afe1465e-cfb7-567e-8fc3-f22e1927c9fa" - date = "2026-01-05" - modified = "2026-01-06" + id = "e7f8d315-b2d8-54d0-bd21-0a28259dcd65" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_069_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_069_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "83336718c29f0a03822d261021a531779ab99e146839ff186b37823c6377f602" + logic_hash = "a8b2cf0eff3dfce70207714db6d3d0356526006df79477a45e41f582a0b8edaf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4564 e8???????? 84c0 747b 807d6802 7558 } - $sequence_1 = { 3975fc 0f824dffffff 5f 5b 8b450c 5e c9 } - $sequence_2 = { ff15???????? 8b7d08 8b37 e8???????? 83f8ff 0f84a8010000 8b0d???????? } - $sequence_3 = { 8b75f4 f6450804 741a 85f6 7616 8b7d0c 8d4477fe } - $sequence_4 = { 7fae ff36 885dff ff15???????? 59 8a45ff 5f } - $sequence_5 = { 8bda d1eb 23df 8b1c9da81d4000 81e3ffffff01 03c0 } - $sequence_6 = { c20400 8b462c 85c0 7638 83f820 7411 57 } - $sequence_7 = { 7505 895dd8 eb11 0fb7c0 03c7 50 83c8ff } - $sequence_8 = { e8???????? 
8bf8 85ff 0f8e97000000 8bca e8???????? } - $sequence_9 = { ff15???????? 85c0 7419 6a00 68???????? 6a05 ba???????? } + $sequence_0 = { 3b45fc 72eb ff75f8 ff15???????? 5e c9 c20c00 } + $sequence_1 = { 837dec03 0f8556ffffff c6461c00 837ddc00 7417 8b7dc0 } + $sequence_2 = { e8???????? 4e 75f7 eb60 57 e8???????? 57 } + $sequence_3 = { e8???????? 8ac3 eb02 32c0 5f 5b 8be5 } + $sequence_4 = { 750b 50 6892e8ffff e9???????? 3944240c 7409 83feff } + $sequence_5 = { 68???????? b812939384 e8???????? b001 8be5 5d c20400 } + $sequence_6 = { 8b5c0108 85db 0f848c000000 803b00 } + $sequence_7 = { 8b4de4 8bf0 8975e0 e8???????? 84c0 0f8492010000 33db } + $sequence_8 = { 6603c1 660fb6ca 6603c1 8b4d08 6683c003 0fb6f2 0fb7f8 } + $sequence_9 = { 7902 33c0 8b4dd4 2bca 7902 33c9 2945d0 } condition: 7 of them and filesize < 434176 
@@ -94254,36 +94447,36 @@ rule MALPEDIA_Win_Nosu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "44d00c94-691a-5086-98b8-273bd29fa9af" - date = "2026-01-05" - modified = "2026-01-06" + id = "87a7c331-4fc8-531f-8c0e-b4f2be921443" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nosu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nosu_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nosu_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "83643ba3003fff83421e0f7b019711e99b216991f08f5d871e4aa2d5ab6fc03f" + logic_hash = "1adf3314d9aa76b79fcc42dd68812de3d4dd29a38770e39291304cf984cd90d1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8455010000 8d442438 50 8d442424 50 6a02 6a01 } - $sequence_1 = { 50 6a00 8d54246c e8???????? 83c40c 84c0 0f8477020000 } - $sequence_2 = { 33d2 8bcb ff742420 55 56 ff74242c 56 } - $sequence_3 = { 8844240a 84c0 7416 b201 8bce e8???????? 8b4514 } - $sequence_4 = { 399688010000 7432 3996d8050000 742a 8b8ef8070000 ff7514 } - $sequence_5 = { 8d86e0020000 85c0 740d 6a5c 59 } - $sequence_6 = { 89b658080000 50 56 b201 8bcf e8???????? 83c414 } - $sequence_7 = { 83c520 55 6a08 ff15???????? 50 ff15???????? 
} - $sequence_8 = { c9 c3 57 8bfa 3b4c2408 740d 8bd1 } - $sequence_9 = { 83c01e 03c7 0101 ff414c 8d4c2418 e8???????? 5f } + $sequence_0 = { 8bd5 50 51 6a00 6a00 53 bb01000080 } + $sequence_1 = { 50 50 50 8d442420 50 8d8424b4000000 50 } + $sequence_2 = { 59 59 84c0 7448 8d85f8f7ffff } + $sequence_3 = { ff74241c ff36 e8???????? 83c40c 88442404 8d4c2408 e8???????? } + $sequence_4 = { 8b4d08 50 ff7524 ff742414 ff742428 ff751c ff7518 } + $sequence_5 = { 8bf2 8d442410 8b5508 8bf9 50 89742410 e8???????? } + $sequence_6 = { 8bce e8???????? 8d97e0c80300 8d4c2418 e8???????? 8d9718b40300 8d4c2418 } + $sequence_7 = { ff742408 50 8d87d8000000 50 } + $sequence_8 = { 50 56 ff15???????? 85c0 0f95c1 884c2413 85c0 } + $sequence_9 = { 50 56 ff15???????? 85c0 7535 85f6 } condition: 7 of them and filesize < 513024 
@@ -94293,36 +94486,36 @@ rule MALPEDIA_Win_Ghost_Secret_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25fa3485-ffb3-5411-9ac6-ae7f05225e3c" - date = "2026-01-05" - modified = "2026-01-06" + id = "bd0d63e2-7d86-5f53-8145-6864c57b7635" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_secret" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ghost_secret_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ghost_secret_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "80ab2d045d82b27f499fbd18dbe91dc4f32ae725e1e1075459fc83c90e8a3488" + logic_hash = "53de7f86819415b8d8bfe9d6c1c8278a3f27d8aea023f90af25ee0b0b93326eb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 50 56 ff15???????? 8d8c24a4050000 6a13 } - $sequence_1 = { c68424eb02000040 c68424ec02000017 c68424ed02000034 c68424ee020000da c68424ef020000f8 c68424f002000003 c68424f1020000c7 } - $sequence_2 = { 85c0 55 7518 68beb60000 e8???????? 
83c408 5f } - $sequence_3 = { c68424c8070000a6 c68424c9070000c9 c68424ca0700004e c68424cb07000072 c68424cc07000008 c68424cd070000dc c68424ce0700007b } - $sequence_4 = { 6689442460 50 8b44247c c744242400000000 50 6a00 } - $sequence_5 = { c684243e04000031 c684243f040000cb c68424400400006c c68424410400006c c684244204000075 } - $sequence_6 = { 8d54244c 57 52 50 ff15???????? 85c0 } - $sequence_7 = { 75dc 5f 5e 5d b890f0ffff 5b c3 } - $sequence_8 = { c68424b7070000d1 c68424b40400004b 888c24b5040000 c68424b60400007e c68424b704000049 c68424b80400006e c68424b904000070 } - $sequence_9 = { 8b440e08 83f809 0f87cf000000 ff248520ae4000 6a07 8d542444 e9???????? } + $sequence_0 = { 33ed 8b4c2410 8b94241c080000 6a00 51 } + $sequence_1 = { c68424850000005e c684248600000002 c68424870000005a c6842488000000f0 c6842489000000f8 888c248a000000 c684248b00000031 } + $sequence_2 = { 8bc8 53 83e103 f3a4 8d4c2410 51 e8???????? } + $sequence_3 = { 50 56 ff15???????? 8d8c2434030000 6a0e 51 a3???????? } + $sequence_4 = { 8d9424d4010000 6a0d 52 a3???????? e8???????? 83c408 50 } + $sequence_5 = { c1ea18 c1e008 0bd0 8bc2 8996c4d34100 } + $sequence_6 = { c644242553 c6442426ba c644242758 c64424280e c6442429b7 c644242a1a c644242b0a } + $sequence_7 = { c68424400400006c c68424410400006c c684244204000075 889c2443040000 c68424d00000004e c68424d10000004a c68424d200000058 } + $sequence_8 = { 6a10 50 56 ff15???????? 8b4f04 8d542408 52 } + $sequence_9 = { 5b 83c408 c20800 8b542414 } condition: 7 of them and filesize < 278528 
@@ -94332,36 +94525,36 @@ rule MALPEDIA_Win_Fuwuqidrama_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fa930744-5999-561a-b1cf-4c1122391afe" - date = "2026-01-05" - modified = "2026-01-06" + id = "a3f3d41d-24b4-5d7c-8766-3866a2562f3d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fuwuqidrama_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fuwuqidrama_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "76d62a17f159b8ceb3cf4ce032c2e526c9b8417f56a11565dc77a48334fec771" + logic_hash = "0c7085be9fd9d273484982dd22dd5198579a2c74b3e5651117221c035b9d1248" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 8bcf e8???????? 8d9424d4020000 6a04 52 8bcf } - $sequence_1 = { 83c10c 48 894c2434 89442418 75bd 8b742444 8b06 } - $sequence_2 = { c1fa05 8bc2 c1e81f 03d0 895508 8d4d08 6a04 } - $sequence_3 = { 33d2 eb16 8b4e08 2bc8 b815024d21 f7e9 c1fa06 } - $sequence_4 = { fec8 5f 8841ff 8bc5 5e 5d 5b } - $sequence_5 = { b90b000000 8bf0 8bfa 83c02c f3a5 8b4c2420 83c22c } - $sequence_6 = { 23ee 8b742428 23f7 8bd9 0bee 8b74241c c1c305 } - $sequence_7 = { 8db5f4000000 8d9d14010000 c744241800000000 e8???????? 
8b442410 85c0 0f8c08010000 } - $sequence_8 = { 83c410 48 894720 53 ff15???????? 5f 5e } - $sequence_9 = { 03ee 8b742410 c1c71e 8db42ea1ebd96e 8b6930 33691c 33df } + $sequence_0 = { 893e 8b4e2c 8b4630 51 50 50 } + $sequence_1 = { 85c0 7529 85d2 750a } + $sequence_2 = { e8???????? 68???????? 8bce e8???????? eb56 68???????? 8bce } + $sequence_3 = { 50 51 8d4c245c c684242401000001 e8???????? 8b542454 52 } + $sequence_4 = { 52 8bce c644241b20 e8???????? 8b5c2424 6a00 8dbbcd000000 } + $sequence_5 = { 57 88442414 bf???????? 83c9ff 33c0 33db 6a01 } + $sequence_6 = { 50 8bcd c644246003 e8???????? 8b8f88000000 8d542458 894c2458 } + $sequence_7 = { c1e91f 03d1 3bc2 0f83d2000000 8b5604 8b442414 83c9ff } + $sequence_8 = { 83c104 4a 75ee 53 e8???????? 8b4e70 83c404 } + $sequence_9 = { 8b442434 33f6 3bc6 7505 a1???????? 50 } condition: 7 of them and filesize < 245760 
@@ -94371,75 +94564,75 @@ rule MALPEDIA_Win_Terminator_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a907b97c-e30c-569d-92f6-e3c29e0c0bce" - date = "2026-01-05" - modified = "2026-01-06" + id = "7a158d8c-c6d9-5c92-856a-16a73f404791" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.terminator_rat_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.terminator_rat_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "65d625611fed0b10063c05f198c3f84077666921d947cf7651a55c8e71d92a0f" + logic_hash = "c9b1255fac643df0e5cda4fb80908f3bb02eb08ddb6ad96fab0d1632d61ced3c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffb7e8feffff 8d854d010000 8987e8feffff 8b8541010000 c1e006 } - $sequence_1 = { c0c003 3441 c0c003 3452 c0c003 3443 } - $sequence_2 = { 6a04 bb00040000 57 53 6a00 } - $sequence_3 = { 53 56 8b7708 ff77fc ffb51d010000 8f47f4 } - $sequence_4 = { 8d4618 50 8b8539010000 03c1 50 e8???????? 8b4610 } - $sequence_5 = { 50 e8???????? 83f8ff 7408 81c400040000 } - $sequence_6 = { 8b4b0c ac 3459 c0c803 3448 c0c803 } - $sequence_7 = { 8f87f0fbffff 5e 5b 81c410040000 } - $sequence_8 = { e9???????? 
ff7610 8b8d35010000 8d4618 50 8b8539010000 03c1 } - $sequence_9 = { ff5541 50 ff5569 8bf0 } + $sequence_0 = { c7450400000000 8be8 eb06 50 } + $sequence_1 = { 56 ff7708 e8???????? 8bc6 eb03 } + $sequence_2 = { 395e0c 752f 6a40 6800100000 } + $sequence_3 = { 8b743578 03f5 56 8b7620 03f5 } + $sequence_4 = { 50 e8???????? 83f8ff 750a c7852901000001000000 81c400040000 } + $sequence_5 = { ff5539 81c490010000 c3 c20400 57 8bfc 81ec04040000 } + $sequence_6 = { bee0030000 8d8720fcffff 56 50 } + $sequence_7 = { e8???????? 8b852d010000 b9f8030000 c70020000000 8b852d010000 2b08 } + $sequence_8 = { c3 57 8bfc 81ec00040000 8d8700fcffff } + $sequence_9 = { 33c0 50 ff5539 56 } condition: - 7 of them and filesize < 73728 + 7 of them and filesize < 8192 } rule MALPEDIA_Win_Dharma_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e4f9cff7-2b7e-5614-97de-e64666dbaa6b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4720aa65-06c6-5947-9f64-0e6e4c6fa6b3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dharma_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dharma_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "ed48c8d46095165b3771ad3d606dd9e4c3ca951524311f4024cd2a8039cd375d" + logic_hash = "b0b6d51a97d98215c57e3431ac6a9847a7b10c82ae7c50a6f3e8fdae2224bb3f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = 
"a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 8b5510 52 8b450c 50 8b4df0 c1e105 } - $sequence_1 = { c1ea10 81e2ff000000 8b048db8b34000 330495b8b74000 } - $sequence_2 = { 50 e8???????? 83c408 c785c4fdffff01000000 8b8dd4fdffff 51 e8???????? } - $sequence_3 = { 51 8b55fc 52 ff15???????? 8b4df8 89048db8864100 8b55f8 } - $sequence_4 = { 8b4508 8b4d08 8908 c745f801000000 8b5510 c70201000000 8b45f8 } - $sequence_5 = { 51 6a00 8b55ec 52 e8???????? 83c40c 8b45ec } - $sequence_6 = { 8b45fc 50 e8???????? 50 6a00 } - $sequence_7 = { 50 8b4d10 51 8d95e0fdffff 52 e8???????? 83c410 } - $sequence_8 = { 8b4d08 0fb6548121 8b8590feffff 0b9485b8feffff 8b8d90feffff 89948db8feffff } - $sequence_9 = { 68feff0000 e8???????? 83c404 8945ac e8???????? 8945d0 6a02 } + $sequence_0 = { 8b5508 52 e8???????? 83c410 8945e8 8b45fc 83c001 } + $sequence_1 = { 51 e8???????? 83c404 8b5508 8b4a04 8b5508 8b12 } + $sequence_2 = { 8b0c88 51 e8???????? 83c404 8b55f0 83c202 8955f4 } + $sequence_3 = { 8b55b4 83ca01 8955b4 8b45f8 50 } + $sequence_4 = { 894dec eba3 837df800 7e0a } + $sequence_5 = { 8d8d5cfeffff 51 8d9550feffff 52 e8???????? 83c40c } + $sequence_6 = { 894df8 eb02 eb02 ebc7 33d2 8b45f4 668910 } + $sequence_7 = { 8b55ec 8b4208 c1e002 50 e8???????? 83c404 8b4dec } + $sequence_8 = { 8b55f8 c1ea10 81e2ff000000 8b0c95b8bf4000 81e10000ff00 33c1 8b55f8 } + $sequence_9 = { 83ec20 c745e400000000 c745f400000000 8b450c 8945f8 8b4d10 894df0 } condition: 7 of them and filesize < 204800 
@@ -94449,36 +94642,36 @@ rule MALPEDIA_Win_Unidentified_088_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b80a2357-b2b4-5f14-a95d-1e325e626d53" - date = "2026-01-05" - modified = "2026-01-06" + id = "c8dd38f7-2f5b-53c1-8f19-dc2507fc97d7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_088_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_088_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "78ec2fb1a46515f7a2bd494609b3c1be4370bea522de5daa065ff46bd4f8b68d" + logic_hash = "cbea8f3b6cb908b2a9badd154b17f41d2ac4ca0bd30bca86b2ea205aae510ed2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b0e e8???????? 89c7 31c0 85f6 7402 8b06 } - $sequence_1 = { 8b0a 0faf0e 01c6 e9???????? 3b5de0 0f8f78010000 8b470c } - $sequence_2 = { c74424085b040000 8b4dd4 ba???????? c7442404???????? c70424???????? e8???????? 83ec0c } - $sequence_3 = { 8b08 e8???????? 8945a0 8b4508 8b00 8b00 85c0 } - $sequence_4 = { c78564ffffff00000000 eb62 76bb 89c7 890424 c1ff1f c744241017000000 } - $sequence_5 = { b8a1b0b912 8b4dd0 83cbff 8901 85f6 0f849a000000 8b16 } - $sequence_6 = { c745d400000000 31db 8945bc 8b4dbc 394dd4 7c17 } - $sequence_7 = { e8???????? 
eb2e 898554ffffff e8???????? 8b8554ffffff 83f816 7ed2 } - $sequence_8 = { c21000 55 b9???????? 89e5 83ec08 e8???????? b9???????? } - $sequence_9 = { 83ec0c e8???????? 8b4dc0 8b5dc4 8d75d8 } + $sequence_0 = { c705????????58024200 c705????????04000000 c705????????04000000 c605????????16 c705????????a0a34200 c705????????704c4000 c705????????18000000 } + $sequence_1 = { 31c0 85d2 7402 8b02 3b45d0 0f8450ffffff b9???????? } + $sequence_2 = { e8???????? 51 51 8b06 39c7 0f848b000000 85c0 } + $sequence_3 = { c705????????04000000 c605????????18 c705????????20ac4200 c705????????14254100 c605????????01 c705????????00000000 c705????????e0ab4200 } + $sequence_4 = { 8b45b0 e8???????? 84c0 7405 e8???????? 8b45c4 b903000000 } + $sequence_5 = { 66c705????????1903 c605????????01 c705????????10000000 c705????????40a74200 c705????????01e04100 } + $sequence_6 = { 85c0 0f85be020000 e9???????? 8b55c4 8d4ddc e8???????? } + $sequence_7 = { 8d4de0 890424 8b45c8 89542404 8b55cc 894c2408 e8???????? } + $sequence_8 = { 41 e8???????? ba???????? 89c7 e8???????? 8b5318 e8???????? } + $sequence_9 = { 7631 89f0 c7442410ffc99a3b c1f81f c744241400000000 c744240800000000 } condition: 7 of them and filesize < 919552 
@@ -94488,36 +94681,36 @@ rule MALPEDIA_Win_Cotx_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7eae7fd5-fe09-5035-acc7-8021961f04a4" - date = "2026-01-05" - modified = "2026-01-06" + id = "dc4ec83b-2cb5-5d9d-921f-92f64e164cb9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cotx_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cotx_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "1c95a0f1a2e7fb0ee9c8ab7674fdf844ade84df8607e565506c61944d3da6b96" + logic_hash = "66a0f678779c542cab0386555a0b8bd37d55428900fb460307d314271aafd36b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c 8d45e0 50 ff15???????? 0fb745ee } - $sequence_1 = { c705????????69e053a4 c705????????120d934e c705????????b0b65443 c705????????4df9e511 c705????????0e9a3f4b } - $sequence_2 = { 83e103 f3a4 8dbd98faffff 4f } - $sequence_3 = { c705????????9cb95b4c c705????????2d494a94 c705????????8db133d4 c705????????8e220b1d c705????????6825794d c705????????4506ce62 } - $sequence_4 = { 8d85bcf3ffff 50 ff15???????? 8bf0 } - $sequence_5 = { c705????????f0e91f15 c705????????9cb95b4c c705????????2d494a94 c705????????8db133d4 c705????????8e220b1d } - $sequence_6 = { 68???????? 56 e8???????? 
6800f00000 81c690ef0000 68???????? } - $sequence_7 = { c785b8faffff39313044 c1e902 f3a5 8bca } - $sequence_8 = { 6800040000 8d8598f6ffff 6a00 50 e8???????? 83c40c 8d8598feffff } - $sequence_9 = { e8???????? 6890ef0000 8d7760 68???????? } + $sequence_0 = { 897704 0fb74316 c1e80d 83e001 894714 0fb74316 } + $sequence_1 = { 0f1185a8faffff c785b8faffff74726f6c 66c785bcfaffff6c65 c685befaffff72 e8???????? 83c424 ff15???????? } + $sequence_2 = { 83c438 8d8500f8ffff 6a00 50 68???????? ff15???????? 8b0d???????? } + $sequence_3 = { 84c0 75f8 0f2805???????? 8d85bdfaffff 8bca c785b8faffff39313044 } + $sequence_4 = { c785c8fcffff74726f6c c785ccfcffff6c65722e 66c785d0fcffff6578 c685d2fcffff65 e8???????? 83c448 c785c0fdffff52617354 } + $sequence_5 = { 6800f00000 81c690ef0000 68???????? 56 e8???????? 6800f00000 81c600f00000 } + $sequence_6 = { f3a5 8bca c685bcfaffff2d 68db030000 83e103 0f118598faffff } + $sequence_7 = { f3a4 50 0f1185a8faffff e8???????? 83c40c 8d45a0 6a40 } + $sequence_8 = { ff15???????? 8d85bcf3ffff 50 ff15???????? 8d85bcf3ffff 6a2e 50 } + $sequence_9 = { e8???????? 8b15???????? 8b4dfc a3???????? e8???????? } condition: 7 of them and filesize < 1171456 
@@ -94527,36 +94720,36 @@ rule MALPEDIA_Win_Lunchmoney_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba6c488f-494f-59a0-832f-5ecc104022f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "277f90a2-3135-5ec3-8a77-6614557936f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lunchmoney_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lunchmoney_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "6300f50e09ecd16cc8482866a3984ff2f46b18e4b4ec53df6a00261299e6917f" + logic_hash = "d1a4a2b80be0520c1b33306269406a6ad78ba8c181288c038ea2087ddb9ff427" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8d4da8 e8???????? 89759c } - $sequence_1 = { 214610 c7461407000000 668906 68???????? c645fc0b e8???????? } - $sequence_2 = { c1e106 8b048550914200 88540804 8b0f } - $sequence_3 = { 3b4e04 7411 57 8bf8 } - $sequence_4 = { 8b9df0efffff 2b7008 037004 6a00 8b049d50914200 5b f644010480 } - $sequence_5 = { e9???????? 8365e500 8d45e4 6a0a 50 57 } - $sequence_6 = { 8b5584 0500040000 41 3bc2 76f6 8bf1 } - $sequence_7 = { 83c410 8b048550914200 3b740128 0f85b9010000 3b54012c 0f85af010000 } - $sequence_8 = { e8???????? 
83c430 3c01 0f8584000000 83ec18 } - $sequence_9 = { 85c0 757c 837dec00 7476 8b55f4 8b049550914200 f644180448 } + $sequence_0 = { 6a24 b8???????? e8???????? 8d45d4 81c160090000 50 } + $sequence_1 = { 56 e8???????? 83ec0c 8bcc 56 e8???????? } + $sequence_2 = { 89a5ecfeffff 53 e8???????? 83ec18 c645fc05 8bcc 56 } + $sequence_3 = { 59 c1e006 0304b550914200 59 5e eb05 b8???????? } + $sequence_4 = { 3bf7 7461 56 8d4dd8 e8???????? c645fc03 8d4dd8 } + $sequence_5 = { 8bec 83e4f8 51 53 56 8bf1 bb???????? } + $sequence_6 = { 03c7 ebc6 5f 5e 5b 8be5 5d } + $sequence_7 = { e8???????? 56 8bd3 8bc8 e8???????? 59 } + $sequence_8 = { 6a00 f3a4 50 e8???????? 8bb5e0feffff 59 } + $sequence_9 = { 7405 e8???????? dbe2 5d c3 b8???????? c705????????e1244100 } condition: 7 of them and filesize < 373760 
@@ -94566,36 +94759,36 @@ rule MALPEDIA_Win_Chainshot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c772e981-fe05-5ad7-89cb-7e4d2195fea3" - date = "2026-01-05" - modified = "2026-01-06" + id = "e6a623a6-51a1-526c-b036-269102d2c414" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chainshot_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chainshot_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "d57daacb16b1510f9da9be332e06c34916e951db79264a72675c1b37600885e5" + logic_hash = "895ce727910ca018cab8e624372096c4811de959dfe297f8bccb68ea9fac731e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffc9 7433 ffc9 7438 ffc9 742b ffc9 } - $sequence_1 = { 7427 83e803 0f844a110000 83f802 0f857b0f0000 } - $sequence_2 = { 7708 7519 66892c5e eb13 66892c5e bf7a000780 eb08 } - $sequence_3 = { eb23 8b4520 8906 eb1c b90b000080 eb05 } - $sequence_4 = { 83c705 c7041f4c8b4424 c6441f0418 83c705 c7041f4c8b4c24 } - $sequence_5 = { e8???????? 89442420 85c0 7826 } - $sequence_6 = { ffd0 8905???????? b90b000080 894c2420 e9???????? } - $sequence_7 = { 747a ffc8 7461 83e802 } - $sequence_8 = { 7408 ffd1 8905???????? 
b84b000080 } - $sequence_9 = { 0f8599000000 c705????????0b000000 e9???????? b902000000 } + $sequence_0 = { ffc9 7438 ffc9 742b ffc9 741e } + $sequence_1 = { 84c0 7507 b901050080 ebbd b901020000 e8???????? e8???????? } + $sequence_2 = { 7408 ffd1 8905???????? bf7e000080 } + $sequence_3 = { b8ffff0000 663bc5 7513 bb17000080 eb33 } + $sequence_4 = { 7408 ffd0 8905???????? b849000080 e9???????? } + $sequence_5 = { b849890000 668901 c7410348894c24 c6410708 c7410848895424 } + $sequence_6 = { e9???????? 83e827 0f844e0e0000 ffc8 0f84d8110000 } + $sequence_7 = { 33d2 84c0 b900050080 7405 b908020000 } + $sequence_8 = { 33d2 b902060080 e8???????? 32db } + $sequence_9 = { 7408 ffd0 8905???????? bb65000080 } condition: 7 of them and filesize < 802816 
@@ -94605,36 +94798,36 @@ rule MALPEDIA_Win_Derohe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4840f450-01b9-530f-9f3a-ae1edecbe97a" - date = "2026-01-05" - modified = "2026-01-06" + id = "434a885e-8e92-5aa7-985f-e71f68687d2b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.derohe_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.derohe_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "d33bdd1d4e902dd1e401bdb13051180ed9ff9ef53abcf198b2156206eaf60cc4" + logic_hash = "ed9208fba8956003aedc36bcbfd217c25ffef2beebb65a02ae271d4e2d86cbfd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd0 8b542404 c6042443 8b02 ffd0 8b542404 c60424c9 } - $sequence_1 = { ffd0 8b542404 c604247d 8b02 ffd0 8b542404 c60424b7 } - $sequence_2 = { e8???????? 5a 85c0 0f846b050000 8b742428 31c0 8b1f } - $sequence_3 = { ffd0 8b542404 c60424fe 8b02 ffd0 8b542404 c6042424 } - $sequence_4 = { ffd0 8b542404 c60424d4 8b02 ffd0 8b542404 c6042464 } - $sequence_5 = { ffd0 8b542404 c60424ae 8b02 ffd0 8b542404 c6042435 } - $sequence_6 = { ff702c ff15???????? 
0fb7431c 897318 83e00a 83c410 6683f80a } - $sequence_7 = { ffd0 8b542404 c604245f 8b02 ffd0 8b542404 c60424f5 } - $sequence_8 = { ffd0 8b542404 c60424ba 8b02 ffd0 8b542404 c60424c5 } - $sequence_9 = { e8???????? 8b542414 8b4318 2982d4000000 8b4718 89c1 81e110900000 } + $sequence_0 = { ffd0 8b542404 c6042455 8b02 ffd0 8b542404 c6042408 } + $sequence_1 = { ffd0 8b542404 c60424b2 8b02 ffd0 8b542404 c6042486 } + $sequence_2 = { ffd0 8b542404 c60424df 8b02 ffd0 8b542404 c6042416 } + $sequence_3 = { ffd0 8b542404 c604248f 8b02 ffd0 8b542404 c60424d2 } + $sequence_4 = { e8???????? e9???????? 89542430 895c242c 896c2438 8d0540a56c62 890424 } + $sequence_5 = { ffd0 8b542404 c604243f 8b02 ffd0 8b542404 c60424b3 } + $sequence_6 = { ffd0 8b542404 c60424aa 8b02 ffd0 8b542404 c604245c } + $sequence_7 = { ffd0 8b542404 c6042497 8b02 ffd0 8b542404 c6042440 } + $sequence_8 = { ffd0 8b542404 c60424a0 8b02 ffd0 8b542404 c6042481 } + $sequence_9 = { ffd0 8b542404 c604240a 8b02 ffd0 8b542404 c6042468 } condition: 7 of them and filesize < 35788800 
@@ -94644,36 +94837,36 @@ rule MALPEDIA_Win_Kerrdown_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "da236d92-1fe9-5457-946f-9d7f9613f9af" - date = "2026-01-05" - modified = "2026-01-06" + id = "213f82db-5ae7-5e3d-9821-ae03a5143b6c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kerrdown_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kerrdown_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "2d8b506b753eb11d1ef360ccc2cec767f65cb094a11e4e8ce42bcebdfc177559" + logic_hash = "becbe53019117d3a8945751ae441d69526cd85d3d23f4bb7c75a7425c51998e2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85f6 743f 83ff10 b8???????? 0f43c1 85f6 } - $sequence_1 = { 8d45f8 50 68004a0000 68???????? } - $sequence_2 = { 741b 56 68???????? 50 e8???????? } - $sequence_3 = { 75b2 83ff10 8935???????? b8???????? 0f43c1 5e } - $sequence_4 = { 5f 85c0 7543 50 6880000000 } - $sequence_5 = { 8bd3 2bd6 8a0e 8d7601 } - $sequence_6 = { 8935???????? b8???????? 0f43c1 5e } - $sequence_7 = { 884de5 02c2 33f6 8845e6 0fb64435e4 50 } - $sequence_8 = { b8???????? 0f43c1 03c2 3d???????? 
762a ff750c 83ff10 } - $sequence_9 = { 80e203 c0e004 02d1 8855e4 8a55ea 8aca } + $sequence_0 = { 83feff 7438 6a00 8d45f8 50 68004a0000 68???????? } + $sequence_1 = { e8???????? 8b3d???????? 8b0d???????? 85f6 743f } + $sequence_2 = { f3a5 68???????? 66a5 ff15???????? 5f 85c0 7543 } + $sequence_3 = { ff15???????? e8???????? 8d4c2404 e8???????? 83ec18 } + $sequence_4 = { 8d45f8 50 68004a0000 68???????? 56 ff15???????? } + $sequence_5 = { 8a441de8 83ec08 8845ec 8d45ec 50 } + $sequence_6 = { c745fc00000000 ff7518 6a00 ff15???????? } + $sequence_7 = { 0f848f000000 33c0 83f804 0f83a2000000 c64405e800 40 } + $sequence_8 = { ddd8 db2d???????? b802000000 833d????????00 0f85400a0000 } + $sequence_9 = { 68???????? 56 ff15???????? 56 ff15???????? 6a01 68???????? } condition: 7 of them and filesize < 278528 
@@ -94683,36 +94876,36 @@ rule MALPEDIA_Win_Lobshot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f20fbff-d088-55ca-8131-38feba325236" - date = "2026-01-05" - modified = "2026-01-06" + id = "3aedc20c-8fcd-5f2e-8950-262fe5205985" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lobshot_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lobshot_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "319a86adb13eb9e86d16d75f8640b06a3709c7236ca49379440781ba36dcddcb" + logic_hash = "bcec013374c9453f37ec62b298554ce41d2a5197eff32b1fed483a5323372e4a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4e08 8a86b1160000 eb10 85c0 7e12 8b5608 8b4e14 } - $sequence_1 = { 0f8c89040000 85db b98a000000 6a07 58 0f45c8 33c0 } - $sequence_2 = { 5f c3 53 56 85c9 7462 } - $sequence_3 = { 6685c9 740a 83f92e 7405 } - $sequence_4 = { 8945e8 66d3e0 660b86b0160000 0fb7c0 8945f8 6a10 58 } - $sequence_5 = { 8b7d18 33c9 6a0f 41 58 39b48d78ffffff 7505 } - $sequence_6 = { 8b4764 8a5401ff 8b8f98160000 8b879c160000 66893448 8b8798160000 8b8f90160000 } - $sequence_7 = { ff35???????? 6801000080 ff15???????? 85c0 0f851e010000 55 8b2d???????? 
} - $sequence_8 = { 8b8b4c140000 8b83580b0000 8b55ec 89848b540b0000 8bcb e8???????? } - $sequence_9 = { 83ec30 8b4204 8945d8 8b4208 53 8b1a 56 } + $sequence_0 = { c744241800000000 c744241c00000000 ff15???????? 8bf8 } + $sequence_1 = { 46 8b94b1540b0000 8b4dfc 0fb70499 } + $sequence_2 = { 8b35???????? 8d44240c 50 57 c744241457545351 c744241875657279 } + $sequence_3 = { 50 ff15???????? 8bd8 85db 7477 8b3d???????? } + $sequence_4 = { 6a00 56 ff15???????? 85c0 7417 50 ff15???????? } + $sequence_5 = { 7571 8b4c2414 33d2 668911 8d4c244c 51 } + $sequence_6 = { 33ed 66893c01 8b0d???????? 88540102 83c003 3b05???????? 7291 } + $sequence_7 = { 8a5a01 8d5202 80eb61 85ff 7417 c0e004 2c10 } + $sequence_8 = { 894d08 66890c70 8b5740 8b4f3c } + $sequence_9 = { 88040a ff4614 33c0 2186b4160000 668986b0160000 5e c3 } condition: 7 of them and filesize < 247808 
@@ -94722,47 +94915,44 @@ rule MALPEDIA_Win_Lockbit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4ed7dbc7-3585-5c20-a9ac-479c38ded866" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c6422b0-f5f6-5ada-8794-3fbfa8bb0f30" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lockbit_auto.yar#L1-L210" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lockbit_auto.yar#L1-L184" license_url = "N/A" - logic_hash = "d83c3bb6fdeb9666252e892916a121a76bca2329b4383b39f3b9be802c917095" + logic_hash = "fe351b76c08a90e0cbfdfd5b9c9686cd14ebb4db877e9231f0cd6b58e70997d7" score = 75 - quality = 73 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66ad 90 6683f841 720b 6683f85a 7705 } - $sequence_1 = { 7407 3d9bb4840b 7518 8b4e0c 03cb } + $sequence_0 = { 33c0 8d7df0 33c9 53 0fa2 8bf3 5b } + $sequence_1 = { 8b733c 03f3 0fb77e06 8db6f8000000 } $sequence_2 = { 6a00 6a00 6800000040 ff75d4 } - $sequence_3 = { 8bec 81ec7c030000 53 56 57 8d9d84fcffff } - $sequence_4 = { 66b82000 f266af 85c9 7512 } - $sequence_5 = { 8d8550fdffff 50 6a00 ff15???????? 
} - $sequence_6 = { 33c0 8d7df0 33c9 53 } - $sequence_7 = { 660f73f904 660fefc8 0f28c1 660f73f804 } - $sequence_8 = { 50 8d45fc 50 ff75fc ff75f4 } - $sequence_9 = { 33d0 8bc1 c1e810 0fb6c0 c1e208 } - $sequence_10 = { 5b 8907 897704 894f08 89570c f745f800000002 740c } - $sequence_11 = { 47 4e 85f6 75d2 5d 5f 5e } - $sequence_12 = { 03d0 90 85c0 75e1 8bc2 5e 5a } - $sequence_13 = { 89570c f745f800000002 740c 5f 5e b801000000 } - $sequence_14 = { 57 8d9d84fcffff b900c2eb0b e2fe e8???????? 53 } - $sequence_15 = { ff759c 8d858cfeffff 50 ff7610 51 e8???????? 83c628 } - $sequence_16 = { 8d45f4 50 6a00 6a00 ff15???????? } - $sequence_17 = { 8bfb 895830 33fe 897834 8bf7 } - $sequence_18 = { 894f64 33d6 8b7510 895768 8bda } - $sequence_19 = { 740b 83e904 8b040e 89040f } - $sequence_20 = { 740b 83e902 0fb7040e 6689040f f6c204 7409 83e904 } + $sequence_3 = { 4a 87d1 894dfc 8b7d0c f366a5 } + $sequence_4 = { f745f800000002 740c 5f 5e b801000000 5b } + $sequence_5 = { 0f28c8 660f73f904 660fefc8 0f28c1 } + $sequence_6 = { e9???????? 6683f841 720c 6683f846 7706 6683e837 eb26 } + $sequence_7 = { 53 56 57 33c0 8d7df0 33c9 } + $sequence_8 = { 8b7d0c f366a5 6633c0 66ab eb13 } + $sequence_9 = { 2af1 8bc8 d3ca 03d0 } + $sequence_10 = { 33d0 8bc1 c1e810 0fb6c0 c1e208 } + $sequence_11 = { 8d45f8 50 8d45fc 50 ff75fc ff75f4 } + $sequence_12 = { 6683f830 720c 6683f839 7706 6683e830 eb05 } + $sequence_13 = { 8a441500 3007 8a541d00 86540d00 88541d00 fec1 } + $sequence_14 = { 5b 8907 897704 894f08 89570c f745f800000002 740c } + $sequence_15 = { 8d8550fdffff 50 6a00 ff15???????? } + $sequence_16 = { 660fefc8 0f28c1 660f73f804 660fefc1 } + $sequence_17 = { 33c0 8b550c 8b7508 b961000000 66ad 90 } condition: 7 of them and filesize < 2049024 
@@ -94772,36 +94962,36 @@ rule MALPEDIA_Win_Webc2_Yahoo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "363fee5b-028a-51bb-ae8e-5e88e615a60a" - date = "2026-01-05" - modified = "2026-01-06" + id = "2fc058de-6d5f-5c60-81f5-4193549093c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_yahoo_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_yahoo_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "cbf24b20d63128f54b5e31c01d6a0853cc228489290e6c3462d1dc4838163313" + logic_hash = "4ad24bd7ff9fee66deba8da127ecf4abd522b7fb0504e19aca30f8a2064c5573" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d443802 50 e8???????? 56 e8???????? ff750c } - $sequence_1 = { ffb69c841e00 ff15???????? 85c0 7506 53 } - $sequence_2 = { e8???????? 015d0c 03f3 83c428 } - $sequence_3 = { ffb694841e00 ffd3 57 e8???????? 59 } - $sequence_4 = { 83ec64 8b4d08 56 57 68???????? 6a01 } - $sequence_5 = { e8???????? 6a04 68???????? ff750c ff15???????? } - $sequence_6 = { 85c0 0f84b4000000 8d85fcfeffff 56 50 8d85fcfeffff } - $sequence_7 = { 8d85c8fdffff 56 50 e8???????? 83c418 } - $sequence_8 = { 8b7518 83c414 8d85fcd7ffff 8bcb } - $sequence_9 = { b838280000 e8???????? 
53 56 } + $sequence_0 = { 8d85f4feffff ff75fc 50 ff15???????? } + $sequence_1 = { 8b742414 2bf7 8d840e14e75e00 8bfd 99 f7ff } + $sequence_2 = { ff75f8 8d85e8fbffff 50 ffd7 59 8d85e8fbffff } + $sequence_3 = { 53 0f8497feffff e8???????? 59 8d45fc } + $sequence_4 = { 83ef38 0345e4 50 8d4580 68???????? 50 ff15???????? } + $sequence_5 = { e8???????? 59 33db b8???????? 53 } + $sequence_6 = { 50 8bcb ff7508 e8???????? 6a64 } + $sequence_7 = { 53 89450c bb04110000 6a64 e8???????? } + $sequence_8 = { ff15???????? 802000 68???????? 68???????? 8d85c8feffff 68???????? 50 } + $sequence_9 = { 8a1e 881a 8a17 8816 } condition: 7 of them and filesize < 8060928 
@@ -94811,36 +95001,36 @@ rule MALPEDIA_Win_Cryptowall_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50af5d84-6bf2-5e21-963e-da71c1d0aa83" - date = "2026-01-05" - modified = "2026-01-06" + id = "dc78d245-24cd-591d-b72d-3679e05b94d1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptowall_auto.yar#L1-L108" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptowall_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "44ba25f2c9e3be57522d3914736a7aa98c9dc8885fa529ce3340a46dbf9f3527" + logic_hash = "71d5fcaf3ecd458e914e51862d2af5ce473fc62a262bc845fad2db5196372327" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 8b482c ffd1 6a00 } - $sequence_1 = { 83ec08 837d0800 7502 eb4f 6a08 6a00 } - $sequence_2 = { e8???????? 83c408 99 b91a000000 } - $sequence_3 = { 894dfc 837df805 752d 837dfc00 } - $sequence_4 = { 83ec18 56 8b450c 50 } - $sequence_5 = { 99 b91a000000 f7f9 83c261 8b45f4 } - $sequence_6 = { e8???????? 83c408 8b0d???????? 898114010000 } - $sequence_7 = { b861000000 668945ee b963000000 66894df0 } - $sequence_8 = { 52 e8???????? 
8b400c ffd0 } - $sequence_9 = { 6880000000 6a00 8d4de8 51 } + $sequence_0 = { 6a00 6a40 6a01 6a01 6a00 6a00 8d55e8 } + $sequence_1 = { 8b4d0c 8b11 8b45f8 8d4c0202 51 8b5508 } + $sequence_2 = { 7461 c745dc18000000 c745e000000000 c745e800000000 c745e400000000 } + $sequence_3 = { 99 b91a000000 f7f9 83c261 8b45f4 } + $sequence_4 = { 55 8bec 51 837d0800 7441 837d0c00 } + $sequence_5 = { 52 e8???????? 83c408 8b0d???????? 894124 } + $sequence_6 = { 8945fc b909000000 85c9 7463 6a08 } + $sequence_7 = { 52 e8???????? 83c408 8b0d???????? 8981ec000000 } + $sequence_8 = { 894dfc 837df805 752d 837dfc00 } + $sequence_9 = { e8???????? 83c408 8b0d???????? 8981ec000000 } condition: 7 of them and filesize < 417792 
@@ -94850,36 +95040,36 @@ rule MALPEDIA_Win_Mimic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a8de2e30-a540-5075-b183-0c7273ee4c55" - date = "2026-01-05" - modified = "2026-01-06" + id = "00a16a7c-48b3-5f0e-88a8-89ba47d815a4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mimic_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mimic_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "1c66a1ded66595b3251cf8ee2e17251126ee2cc563185ec6b8bc5f5c9095e6bc" + logic_hash = "7761e5895ed8b8755b4c4387f41077aecea128dfbbd599f5bbf827d143614f9a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 51 50 ff36 ff15???????? 85c0 0f84a30a0000 } - $sequence_1 = { 0fb6c3 8b5f30 330c8508fa5b00 8d0411 8b542420 33d0 8b442410 } - $sequence_2 = { 898554feffff 85c9 7436 8b9534feffff 8bc1 2bd1 81fa00100000 } - $sequence_3 = { 83c40c 56 ff15???????? e9???????? 52 51 } - $sequence_4 = { a0???????? 83ec0c 84c0 7404 8be5 5d c3 } - $sequence_5 = { ff15???????? 8b460c ff748604 ff15???????? 837e4800 7440 0f1f8000000000 } - $sequence_6 = { 3d???????? 740d 8bc8 e8???????? 8b0d???????? 
8b5104 8b82f4d55e00 } - $sequence_7 = { 8d85b4f9ffff 50 56 ffd7 85c0 746c 8b8db8f9ffff } - $sequence_8 = { 50 51 8d8de0feffff e8???????? 6a18 68???????? 51 } - $sequence_9 = { ff75b8 0f4345a8 50 e8???????? 33c9 0f1000 0f11854cffffff } + $sequence_0 = { 0fb6c1 33148508ee5b00 8bc7 c1e810 33d3 0fb6c8 33de } + $sequence_1 = { 7429 83e804 83f86c 77e8 0fb680147a4d00 ff24850c7a4d00 2d86000000 } + $sequence_2 = { 83ec14 8b4518 8b5508 53 8bd9 8945f0 } + $sequence_3 = { 53 56 57 8d442414 c744241400000000 50 51 } + $sequence_4 = { 0f84c1010000 8b45ec 33c9 3b45e0 0f85b3010000 3b4de4 0f85aa010000 } + $sequence_5 = { 8975dc c745e400000000 837f1410 8b5f10 7202 8b3f e8???????? } + $sequence_6 = { c70700000000 b801000000 e9???????? ff15???????? 50 68???????? } + $sequence_7 = { 0f8483000000 eb7d 8b1c9de8a75c00 6800080000 6a00 53 ff15???????? } + $sequence_8 = { 50 6a00 ff75ec 0f1145dc ff15???????? 85c0 0f8878ffffff } + $sequence_9 = { 663930 75f2 85c0 7523 3bd7 7405 83ea02 } condition: 7 of them and filesize < 4204544 
@@ -94889,36 +95079,36 @@ rule MALPEDIA_Win_Grager_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a70321f6-0139-51d8-af48-e9ddd6504bcd" - date = "2026-01-05" - modified = "2026-01-06" + id = "1bc9a272-1b3e-551b-bd63-19cd30b07ffa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grager" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grager_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grager_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "d7bfc13c167a32046dd8425d3e3ec521c6bca90fe7d99db8d3d9dc97a5192526" + logic_hash = "62d728d32a724fb46ad05088a140ca84ed9c9cbef52f9dc857e15a723a05e882" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48898534020000 4c8bc7 89853c020000 8b83d0200000 898520020000 c7852402000004000010 } - $sequence_1 = { 4c8d35a5e6ffff 0f1f440000 84c9 0f84d1010000 48ffc7 } - $sequence_2 = { bb01000000 e9???????? 8b4a08 33db 488bbfc8050000 81c113fcffff 488b7218 } - $sequence_3 = { 48890b 488d5308 488d4808 0f1102 e8???????? 488d058cdb0100 } - $sequence_4 = { 0fb605???????? 88814e050000 33c0 89814f050000 888153050000 33ff 4889b958050000 } - $sequence_5 = { 488bf9 488d1584a10100 b904000000 e8???????? 8bd3 488bcf } - $sequence_6 = { 4c8d0d45c80000 f20f101d???????? f20f100d???????? 
f20f59da } - $sequence_7 = { 4c8bc3 8d040e 488d8d44030000 898540030000 e8???????? 488d0dd61bfeff } - $sequence_8 = { 5d c3 8bc7 4883c470 415f 415e 415c } - $sequence_9 = { 4883ec20 8bd9 4c8d0d21eb0000 b904000000 4c8d050deb0000 488d1586c20000 e8???????? } + $sequence_0 = { 83e10f 4a0fbe840188560200 428a8c0198560200 482bd0 8b42fc d3e8 49895108 } + $sequence_1 = { 7417 488d0538c50100 483bc8 740b 83791000 7505 } + $sequence_2 = { 4c8d050efeffff 488983b8050000 33d2 897c2420 33c9 ff15???????? } + $sequence_3 = { 488b742448 4883c610 4c8b3e 48b85555555555555505 } + $sequence_4 = { e8???????? 488d4590 0f1f4000 48ffc3 803c1800 75f7 488d4d90 } + $sequence_5 = { 4883c0f8 4883f81f 7728 e8???????? 33c0 488b8d802f0000 4833cc } + $sequence_6 = { 418bd9 498bf8 8bf2 4c8d0de5e90000 488be9 4c8d05d3e90000 488d15d4e90000 } + $sequence_7 = { 8d0c02 49894830 410fb609 83e10f 4a0fbe841988560200 428a8c1998560200 } + $sequence_8 = { eb44 488d041b 488d8df8050000 482bc8 482bd1 660f1f440000 4d85f6 } + $sequence_9 = { ba04000000 8bc2 448bd0 448bc8 448bd8 ffc8 83e801 } condition: 7 of them and filesize < 487424 
@@ -94928,36 +95118,36 @@ rule MALPEDIA_Win_Apocalypse_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b5a0679d-3efc-5c9d-b682-041d8a2aacea" - date = "2026-01-05" - modified = "2026-01-06" + id = "ad891b9e-e1cd-5ed1-93ef-39d387aa690e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.apocalypse_ransom_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.apocalypse_ransom_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "8cee33b1e4eac4c1405375639b552a991305017c9df19464c32f3823d3e5b8e7" + logic_hash = "39a62a0acb7148bc3f258940de1185618dbea7a7beb1240cf85415684f0c9465" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6800010000 6a00 6a00 6a00 8d4c2424 51 6880000000 } - $sequence_1 = { 8d4c2414 51 ffd7 03c0 50 8b442414 } - $sequence_2 = { 8bc3 e8???????? 6a04 6800100000 68ff7f0000 6a00 } - $sequence_3 = { 8b2d???????? 52 ffd5 8d442410 } - $sequence_4 = { ff15???????? 6a03 56 ff15???????? 56 ff15???????? 5f } - $sequence_5 = { 51 68???????? 6801000080 ffd6 8b3d???????? 8d542414 52 } - $sequence_6 = { 8d542444 52 56 68???????? 
8d842474020000 50 eb13 } - $sequence_7 = { 6a00 6880000000 6a03 6a00 6a01 6800000080 8d4c2440 } - $sequence_8 = { 6801000080 ffd6 8b3d???????? 8d542414 52 ffd7 8b4c2410 } - $sequence_9 = { 743b 56 68???????? ffd5 83c408 6a00 6a00 } + $sequence_0 = { 56 ff15???????? 56 ff15???????? 8bc3 e8???????? } + $sequence_1 = { 6a03 6800000040 52 ffd6 8bf0 85f6 } + $sequence_2 = { 6a00 6a01 6800000080 8d4c2440 51 } + $sequence_3 = { 83c408 5e 8be5 5d c3 ff25???????? } + $sequence_4 = { 33c9 83f803 0f94c1 56 8d94246c020000 } + $sequence_5 = { 743b 8b94242c020000 6a00 6800000002 6a03 6a00 6a03 } + $sequence_6 = { 57 68ff000000 8d44242c 50 68???????? ff15???????? 8b35???????? } + $sequence_7 = { 68???????? 6a00 ffd7 68???????? 50 ff15???????? } + $sequence_8 = { 752c ff15???????? 68???????? 8d84240c040000 50 ff15???????? 85c0 } + $sequence_9 = { 6a6d 50 c744243006000000 c74424346d000000 c7442438e03b4000 } condition: 7 of them and filesize < 40960 
@@ -94967,42 +95157,42 @@ rule MALPEDIA_Win_Httpbrowser_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ae4ee866-262a-554a-b946-19e1882a583d" - date = "2026-01-05" - modified = "2026-01-06" + id = "d7d6a17e-ebd2-59b6-a30a-dfc4732a0f4f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.httpbrowser_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.httpbrowser_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "fe5c658a5d4b7829560ab47b5951aa60c2bf887992bf53e66e96f138e4aa0991" + logic_hash = "696e89d51eb9474a706e4786e941195bddaba051903e7f09c73fe589e5785ea6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 751d 68???????? ffb5f0fdffff ff15???????? ffb5f0fdffff ff15???????? 56 } - $sequence_1 = { 6800010000 8d85f8feffff 50 ff15???????? 8d85f8feffff } - $sequence_2 = { 8bec 81ecac020000 a1???????? 33c5 8945fc 57 8d8558fdffff } - $sequence_3 = { eb3c 8b85e4fdffff 8985f4fdffff 3bc6 74ec 53 } - $sequence_4 = { 33db 56 8985e8eeffff 8d85fdeeffff 53 50 8bf9 } - $sequence_5 = { 6a04 8d85a0feffff 50 6a13 } - $sequence_6 = { ffd6 83bd6453ffff14 7552 8d85c855ffff 50 } - $sequence_7 = { 8d85fefdffff 50 e8???????? 
ffb5f4edffff } - $sequence_8 = { 8b7508 8d4dec 6a00 8d55fc 51 } - $sequence_9 = { 33c0 8dbdb2fcffff 668995b0fcffff f3ab } - $sequence_10 = { 56 e8???????? 8bf8 83c408 85ff 7422 66891f } - $sequence_11 = { 5d 9d 5d 8b4dfc 51 } - $sequence_12 = { 50 8b4508 51 50 52 } - $sequence_13 = { e8???????? 83c410 8b4d08 6a00 68???????? } - $sequence_14 = { ff15???????? b940000000 33c0 8dbdfcfeffff } - $sequence_15 = { 8d741202 56 e8???????? 8bd0 83c404 85d2 8955f8 } + $sequence_0 = { 8d85fcfdffff 50 68???????? 53 } + $sequence_1 = { 8d85eefdffff 56 50 e8???????? 8d85ecfdffff 50 } + $sequence_2 = { 8985f0edffff ffd7 83c41c 89b5f8edffff 39b5f0edffff 0f8eb1000000 } + $sequence_3 = { a5 a5 a5 a5 a4 6a07 59 } + $sequence_4 = { be???????? 8dbda8fcffff a5 a5 } + $sequence_5 = { 8945f0 85db 0f8489010000 85c0 0f8481010000 } + $sequence_6 = { 757e 6a04 5f ff15???????? } + $sequence_7 = { 53 53 ffb5f8fdffff ffd6 85c0 757e } + $sequence_8 = { c3 50 50 9c b80a000000 51 b932000000 } + $sequence_9 = { 6a5c 52 66c7000000 e8???????? 50 } + $sequence_10 = { 8b4510 8b55f0 8b4d14 03c2 3bc1 894510 } + $sequence_11 = { 9d 58 8b45f8 50 ff15???????? 8b45f4 } + $sequence_12 = { 33c0 8dbda1edffff 8895a0edffff f3ab 66ab } + $sequence_13 = { 81ec04020000 53 56 57 33d2 } + $sequence_14 = { 7422 66891f 83c702 57 } + $sequence_15 = { ff15???????? 8b750c 68000000a0 8d9514f5ffff 50 } condition: 7 of them and filesize < 188416 
@@ -95012,36 +95202,36 @@ rule MALPEDIA_Win_Regin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2a1f14e6-74a8-59d6-b749-05fe8ab02b70" - date = "2026-01-05" - modified = "2026-01-06" + id = "a1cb1e4e-ea57-57da-8035-cea9e62b8eb8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.regin_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.regin_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "c115cb715f448d4a7161dd2f6e1e57adc27409e679a96be3c8017531a1cc0da9" + logic_hash = "091fb04af94706b8fbe2a391afd54e9835ec0bf475e2ed1c52d68af6529e0a7e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48 8bd3 e8???????? 40 32ff 48 8b5c2450 } - $sequence_1 = { 41 ffc0 48 8d4c2470 41 b904000000 } - $sequence_2 = { 85c0 740d 48 8d3551070000 } - $sequence_3 = { 48 0f45c7 4c 3be1 } - $sequence_4 = { 7408 33db 895c2460 eb7c 48 } - $sequence_5 = { 7505 e8???????? e8???????? 85c0 7518 e8???????? } - $sequence_6 = { 3beb 7406 ff15???????? 8ac3 48 8b9c2490000000 } - $sequence_7 = { 83ec28 83c8ff 48 85c9 } - $sequence_8 = { 89442478 48 85c0 0f84e8000000 } - $sequence_9 = { 4c 8d4008 48 8d5010 e8???????? 
3ac3 } + $sequence_0 = { 3ac3 7456 44 8b842498000000 8bd7 48 8bbc2488000000 } + $sequence_1 = { 0f84e8000000 33ff 33f6 8b0d???????? 3bf9 } + $sequence_2 = { 8d4804 e8???????? 85c0 751a 48 8b0d???????? 83caff } + $sequence_3 = { 7438 3de8000000 7431 b9f4010000 } + $sequence_4 = { 44 0f45f8 e8???????? 3ac3 7456 } + $sequence_5 = { e8???????? eb0b 44 3beb } + $sequence_6 = { 4c 8be7 48 8978c0 8978c8 48 } + $sequence_7 = { 897c2420 ff15???????? 48 3bc7 48 } + $sequence_8 = { 895c2440 e8???????? 3ac3 7434 48 } + $sequence_9 = { 750d 48 8d0dff000000 ff15???????? 48 8d152a030000 48 } condition: 7 of them and filesize < 49152 
@@ -95051,40 +95241,79 @@ rule MALPEDIA_Win_Logpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "738ffd15-c890-5ce3-8158-aad7627bd488" - date = "2026-01-05" - modified = "2026-01-06" + id = "ccc411d0-4a28-5636-8829-b297c6321960" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.logpos_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.logpos_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "b0bb7c96824becdbd2b84481288798e82499176f0ad872177caf0cac7c2bcced" + logic_hash = "42754e0e1d5540f36df0248841a5248dbde66e4c8e8f9e59a2bf5868e8aa5ab1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 89e5 60 31c0 31c9 fc 8b7508 } - $sequence_1 = { e8???????? 894328 681c429282 ff33 ff736c } - $sequence_2 = { 83fa00 0f852c000000 8d4001 8945f8 8a00 } - $sequence_3 = { 48 83ec38 53 56 57 41 52 } - $sequence_4 = { 8b90d8000000 48 85d2 7410 48 394a08 7505 } - $sequence_5 = { c744241001000000 c744240c00000000 8b442450 89442414 } - $sequence_6 = { 8344242401 48 8344243001 837c243800 7406 48 } - $sequence_7 = { 4c 8d0570040000 49 8b88d8000000 48 } - $sequence_8 = { 83f82f 0f8549000000 8b45fc c680a360400000 8b45fc } - $sequence_9 = { 68ba917bf6 ff33 ff7370 53 e8???????? 
89433c } + $sequence_0 = { 0f841c000000 8b8560ffffff 50 8b45f8 50 8d45e4 50 } + $sequence_1 = { 8b85f4fbffff 50 e8???????? 83f801 0f8583000000 e9???????? } + $sequence_2 = { 0145f8 8b45f8 0fb600 83f83d 0f8409000000 83f844 } + $sequence_3 = { 8b480c 09580c 85d9 7435 ff44241c eb2f } + $sequence_4 = { 5d c3 55 89e5 83ec04 c745fc00000000 eb33 } + $sequence_5 = { f7f9 8955c4 83fa00 7507 b801000000 eb05 } + $sequence_6 = { 8b5008 8954241c 8b5820 8b00 } + $sequence_7 = { ff5324 85f6 7408 85c0 0f8498000000 8975ec } + $sequence_8 = { 8b45f8 8b5508 8b4a10 8b5a14 894808 89580c 8b45f8 } + $sequence_9 = { ff55f8 83f800 0f840d000000 837dfc00 7407 b801000000 eb05 } condition: 7 of them and filesize < 57344 } +rule MALPEDIA_Win_Regphantom_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "4fd1b40c-c84f-5f70-86d8-1cc93b62ccb1" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regphantom" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.regphantom_auto.yar#L1-L132" + license_url = "N/A" + logic_hash = "1065aaffb23ab98c1e55164453e8d73634186ae637ebd218f1488fb56fb9be31" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 488b4508 488b08 4883c101 488b4508 488908 8b0d???????? 8b05???????? } + $sequence_1 = { 83e101 83f900 0f94c2 83f80a 0f9cc0 08c2 b833fbe6de } + $sequence_2 = { 89c1 488b4508 8908 488b4510 c70000000000 8b0d???????? 8b05???????? } + $sequence_3 = { b98706d3f6 f6c201 0f45c1 8945c0 e9???????? 
488b45d8 } + $sequence_4 = { 4889e2 488955f0 488908 48b84282cd736822e120 480305???????? 488d0d32faffff 4883ec20 } + $sequence_5 = { 2da9f8c8c5 0f8429020000 e9???????? 8b45b0 2d8ac76fc9 0f845e020000 e9???????? } + $sequence_6 = { 88450e 8b0d???????? 8b05???????? 89ca 83ea01 0fafca 83e101 } + $sequence_7 = { b8805d9d8d b9aadb55d5 f6c201 0f45c1 8945c0 e9???????? } + $sequence_8 = { ffd0 4883c420 c745e8e3f795bc e9???????? 488b0d???????? 488b05???????? 4831c1 } + $sequence_9 = { 2d2795afa3 0f84f40a0000 e9???????? 8b45a4 2d2e173da4 0f8447080000 e9???????? } + + condition: + 7 of them and filesize < 123904 +} rule MALPEDIA_Win_Unidentified_073_Auto : FILE { meta: @@ -95094,7 +95323,7 @@ rule MALPEDIA_Win_Unidentified_073_Auto : FILE date = "2022-08-05" modified = "2022-08-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_073_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_073_auto.yar#L1-L125" license_url = "N/A" logic_hash = "8100472ca712d569bbcdb570af72e3f13986092b4d8ee8e3873da55bef76232d" score = 75 
@@ -95129,36 +95358,36 @@ rule MALPEDIA_Win_Cheesetray_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9541e7b5-55cf-5f67-8b69-be87df55796a" - date = "2026-01-05" - modified = "2026-01-06" + id = "0f9c31bc-6e4c-5957-8328-7964b82037be" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cheesetray_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cheesetray_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "8cd561aadd1b5e2f7790bac0781a0595445a0cbe8294d61c87c9d05b79f48756" + logic_hash = "8cf46f52f456b2b1ef3257774f88a6c406f46d28b5d167cb3590be290b3a7699" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83b8a400000000 894d10 7666 8b88a0000000 8b0419 03cb 85c0 } - $sequence_1 = { 8b0c8d80ce4400 83e01f c1e006 8d440124 8b4d10 8a10 } - $sequence_2 = { 75f7 03c0 50 8d4dfc 51 52 e8???????? } - $sequence_3 = { 8b8c24a4000000 83c40c 6a02 51 68???????? ba1f000000 } - $sequence_4 = { 81ec84000000 56 6880000000 6a00 8d4580 50 e8???????? } - $sequence_5 = { 56 6800100000 6a03 56 6a03 6800000080 57 } - $sequence_6 = { 8b5318 52 e8???????? 8b4314 50 e8???????? 
83c414 } - $sequence_7 = { 40 8945fc 3b85f8feffff 72ad 8b4508 6a00 6a00 } - $sequence_8 = { 720e 8b4c2410 3b4c2420 0f83b1000000 8b3d???????? 8d9b00000000 68ff1f0000 } - $sequence_9 = { 8d4df4 51 56 e8???????? 6a04 8d9594fdffff } + $sequence_0 = { e8???????? 83c40c 68c0d40100 6880000000 8d8500ffffff 50 57 } + $sequence_1 = { e8???????? 83c434 85c0 0f84c7000000 68c0d40100 6800080000 8d85b8eeffff } + $sequence_2 = { e8???????? 83c410 85c0 0f856affffff 8bc3 5e 5b } + $sequence_3 = { 5b 8be5 5d c3 33f6 ebd5 } + $sequence_4 = { c70600000000 8b5d10 89465c 85db 0f8489000000 83f8fc 0f8480000000 } + $sequence_5 = { 8bc3 897358 e8???????? 83c408 83f8ff 7457 } + $sequence_6 = { 7403 50 ffd6 8b442430 3bc7 7403 50 } + $sequence_7 = { 8bc8 c1f905 8b0c8d80ce4400 83e01f c1e006 8d440124 8b4d10 } + $sequence_8 = { e8???????? 8b45f8 83c40c 53 53 8d4dec 51 } + $sequence_9 = { 83fe15 7454 85c0 744e 833d????????00 7505 e8???????? } condition: 7 of them and filesize < 8626176 
@@ -95168,75 +95397,114 @@ rule MALPEDIA_Win_Miuref_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1b96c0a2-4f7f-5dba-b4cc-c39446b366ca" - date = "2026-01-05" - modified = "2026-01-06" + id = "b336ee94-9da0-5e33-a775-7f1d3caeebd3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.miuref_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.miuref_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "9f0c33a604555481ceaef6b71f9838cb9fae83fec546a9a4bdc6479d8cf9ac8a" + logic_hash = "913d762ad4796e031c609fe4719452713481e30eb4e037000680f101f2550080" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b750c 81fe00020000 7204 33c0 eb73 53 bb00200000 } - $sequence_1 = { e8???????? 59 b9???????? 3b01 7445 83c104 81f9???????? } - $sequence_2 = { 50 ff742418 e8???????? ff742420 8bf0 56 e8???????? } - $sequence_3 = { 8d45a8 83ec58 50 e8???????? ff7510 8d45a8 ff750c } - $sequence_4 = { 8d45cc 50 ff15???????? 8b45fc 8b08 50 ff9180000000 } - $sequence_5 = { e8???????? ff75f4 e8???????? 8b45e8 83c418 } - $sequence_6 = { 7704 50 51 eb27 837d1400 750c 57 } - $sequence_7 = { 3bc3 7320 894508 8b450c 8b4d08 8d4c08c1 56 } - $sequence_8 = { e8???????? 
59 6a00 8bf0 8d45fc 50 57 } - $sequence_9 = { e8???????? 53 e8???????? 33f6 56 e8???????? } + $sequence_0 = { 59 59 8945fc 85f6 760e 803c072e 7418 } + $sequence_1 = { 68???????? 68ff0f0000 e8???????? 83c428 c9 c3 55 } + $sequence_2 = { e8???????? 894534 6a02 8d4528 50 68???????? ff757c } + $sequence_3 = { 6a20 50 e8???????? 8d45f4 6a3b 50 } + $sequence_4 = { 891e 895e04 897e08 7411 8d043f 50 ff742414 } + $sequence_5 = { 894534 6a02 8d4528 50 68???????? ff757c e8???????? } + $sequence_6 = { 85c0 7611 8b7510 660fbe3431 6689344a } + $sequence_7 = { 50 57 e8???????? 0fbe442420 53 50 8b07 } + $sequence_8 = { c7807c020000d9874d93 a1???????? c7808002000022a944ac a1???????? c78084020000146a6d8c a1???????? c7808802000083c1f01c } + $sequence_9 = { 8903 e8???????? 83c420 894510 85c0 7463 8d45d8 } condition: 7 of them and filesize < 180224 } +rule MALPEDIA_Win_Unidentified_124_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "1e195d92-1436-5453-8133-621d28999f98" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_124_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "897043e2ece6f42de8cc6f5bf54f809807e1152ae2b4d097776126ea6e52de0c" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { e8???????? c744247010001000 48833d????????00 751f ba2e621aaa b988030612 e8???????? 
} + $sequence_1 = { c7851405000032525844 c785180500009d913a04 c7851c0500004c688982 b881430000 c7852005000028010b56 6689854c060000 c78524050000fb30fdcd } + $sequence_2 = { e8???????? 488905???????? 488bc8 e8???????? 488bcf e8???????? 8bc3 } + $sequence_3 = { 3b5c2430 72ec 488d542420 488bcf e8???????? 33c0 488b5c2470 } + $sequence_4 = { 8d4a12 c745b05f02fb84 c745b4fdc8b9c6 c745b8ba755a57 c745bcdc929897 c745c09d09bf0f c745c46269c3c1 } + $sequence_5 = { e8???????? 33f6 4d85ff 740f 488d5540 498bcf e8???????? } + $sequence_6 = { e8???????? 48c705????????00000000 488bc7 488bbc2490000000 488b8c2480000000 4833cc e8???????? } + $sequence_7 = { 8bf9 65488b042530000000 488b4830 8b5148 488b0d???????? 488b01 483bc1 } + $sequence_8 = { b99a45ec02 e8???????? 488905???????? 488bc8 e8???????? 4c8d85a0090000 33d2 } + $sequence_9 = { c744242804000000 488908 488d0db8fb0500 442bf1 8975f7 498d48ff 4c897507 } + + condition: + 7 of them and filesize < 1437696 +} rule MALPEDIA_Win_Getmypass_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14973234-1738-56b7-9223-d08c6bb175b6" - date = "2026-01-05" - modified = "2026-01-06" + id = "43e07883-9436-5127-bff0-b4844120de44" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.getmypass_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.getmypass_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "e0df53beaa529f0daff55ba7793f7f6ede1e6ce78673fcc88efeed0e172026bc" + logic_hash = "1514c3628fbfee491bf6737b96c8cd49f88ce7d269aed90821e72c7b8e7a9228" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = 
"callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 85c0 0f8444010000 8b4508 50 e8???????? } - $sequence_1 = { 3b4d10 7d12 8b550c 0355fc 8b4508 0345fc 8a08 } - $sequence_2 = { 8b45e0 0fbe08 83f944 0f8535010000 837de400 750b 8b55e0 } - $sequence_3 = { 55 8bec 83ec08 c745fc00000000 8d45fc 50 68???????? } - $sequence_4 = { 55 8bec 83ec08 833d????????04 721d a1???????? } - $sequence_5 = { 0f8400010000 837de400 750b 8b45e0 } - $sequence_6 = { 8b4d0c 51 e8???????? 83c40c 8d95d8f5ffff 52 8b4508 } - $sequence_7 = { 8b45fc 50 6a00 ff15???????? 8985f4fbffff } - $sequence_8 = { 8a55f8 8811 ebe1 c745f400000000 8b45f4 8945ec } - $sequence_9 = { 83f944 0f85b4020000 837d9819 0f86aa020000 c745a400000000 8b55e0 83ea01 } + $sequence_0 = { 55 8bec a1???????? 50 8b0d???????? 51 8b15???????? } + $sequence_1 = { 8b11 8b4508 50 8b4a10 ffd1 68280a0000 8d95d8f5ffff } + $sequence_2 = { 8b45f4 8b4d08 0fb71441 83fa2c 7538 33c0 } + $sequence_3 = { 83c404 0fb6c8 85c9 0f8430010000 8b5508 52 e8???????? } + $sequence_4 = { c785ccfdffff00000000 83bdbcfdffff00 0f86d6000000 83bdccfdffff00 7414 8b8dccfdffff 81c100400600 } + $sequence_5 = { 8a45ff eb26 8b450c 50 8b4d08 } + $sequence_6 = { 898dccfdffff eb0c 8b95b0fdffff 8995ccfdffff c7859cfdffff00000000 } + $sequence_7 = { 8d95d8f5ffff 52 e8???????? 83c408 68280a0000 8d85d8f5ffff } + $sequence_8 = { 7505 e9???????? c785acfdffff00000000 6a0a ff15???????? } + $sequence_9 = { 8b550c 2b55a4 89550c eb19 8b45a4 8b4d08 8d1441 } condition: 7 of them and filesize < 49152 
@@ -95246,36 +95514,36 @@ rule MALPEDIA_Win_Saigon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4227170-8c19-5a53-bfab-480d4b1c0eee" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c219dba-79ac-5e6b-8b06-1981705aeb25" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.saigon_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.saigon_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "ca28ac861d15b6053acaf9126995909d99adf4b549ed8bfb0a57ebb9988cee44" + logic_hash = "9a7d28f467a6c3f78efa353c4e242537cdf939f610ed03d1a386bdc6442e8409" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 0f85f4000000 488b0d???????? 33d2 41b800100000 } - $sequence_1 = { 33db 488bf2 4533c9 448d4303 } - $sequence_2 = { 418bd5 89542440 4533c9 4533c0 488bc8 895c2420 } - $sequence_3 = { 0f859d000000 488bcb ff15???????? 488b0d???????? 33d2 448d440034 ff15???????? } + $sequence_0 = { 488bf1 488d4c2420 488bd5 e8???????? } + $sequence_1 = { 448bc7 895c2420 e8???????? 
488d842450010000 4c8d842420040000 488d9424b0040000 488d8c2400030000 } + $sequence_2 = { 488364243000 4533c0 488bd3 33c9 c744242800000008 8364242000 c784248000000068000000 } + $sequence_3 = { 488d442454 4c8d442470 418d5112 488bcb 4889442420 ff15???????? } $sequence_4 = { 488d842470020000 4c8d842440050000 488d942490030000 488d8c24c0000000 448bcb 895c2428 } - $sequence_5 = { e8???????? 488d8f88000000 ff15???????? f08387b000000001 488d8f88000000 ff15???????? 440fb65f66 } - $sequence_6 = { 0f8592000000 f60302 0f8589000000 448b6b08 } - $sequence_7 = { 4533c9 488bd0 498bce e8???????? 488b0d???????? 33d2 } - $sequence_8 = { 4885c9 740c 33d2 e8???????? 4c8be0 eb03 4533e4 } - $sequence_9 = { ff5038 85c0 781c 488b4c2430 4533c0 } + $sequence_5 = { 488d542430 488d4c2430 895c2420 e8???????? 4c8d842470020000 } + $sequence_6 = { 488b8c2498000000 4c8d842490000000 33d2 488b01 } + $sequence_7 = { e8???????? bf26000000 3bc6 0f44c7 8bd8 e9???????? } + $sequence_8 = { 488b0d???????? 33d2 ff15???????? 488b0d???????? 4d8bc4 33d2 } + $sequence_9 = { 8b9424b0000000 eb52 8364242800 488d442460 } condition: 7 of them and filesize < 147456 
@@ -95285,36 +95553,36 @@ rule MALPEDIA_Win_Albaniiutas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6944bcab-7fa1-5041-889b-6d1c7305340e" - date = "2026-01-05" - modified = "2026-01-06" + id = "7576d55b-8c1a-56d2-a305-70b0e9d93923" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.albaniiutas_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.albaniiutas_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "ae4d05366f3510708fa40872966a48e3078a4c97e3d0950cdaf94819ee9ab7c6" + logic_hash = "f0ce7156363e9f55705594f0ad98ace6af8ca2f5dd6dd6c3f3373d9f6c18ee19" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745e410000000 c705????????02000000 c745e802000000 c745ec07000000 c745f000000000 } - $sequence_1 = { 03048d90df0210 50 ff15???????? 5d } - $sequence_2 = { 83c40c 5d c20c00 e9???????? 55 8bec ff7508 } - $sequence_3 = { 56 8b048d90df0210 57 8b7d10 } - $sequence_4 = { 8b049590df0210 f644082801 7421 57 e8???????? 59 50 } - $sequence_5 = { 8975ec 0fb70445b01a0110 66894c4774 8bcf } - $sequence_6 = { 0f8e6fffffff 83c8ff eb07 8b04cd4c6b0110 } - $sequence_7 = { 8b4508 c740183c1b0110 c74104513f0000 e9???????? } - $sequence_8 = { 8b4508 c74018241c0110 e9???????? 
8b550c c74104473f0000 83fa06 0f8430070000 } - $sequence_9 = { c74048c0a40110 8b4508 6689486c 8b4508 } + $sequence_0 = { 85c0 7404 b301 eb06 c70600000000 } + $sequence_1 = { be???????? 8b02 8d7a04 f3a5 } + $sequence_2 = { 7416 8b4508 c74018641b0110 c74104513f0000 } + $sequence_3 = { 8b4508 c74018d81a0110 c74104513f0000 e9???????? 83fe10 732d } + $sequence_4 = { 7441 8b4508 c74018a81c0110 c74104513f0000 e9???????? } + $sequence_5 = { 03c2 50 68???????? e8???????? 83c408 85c0 } + $sequence_6 = { 81e1ff000000 8b1c8dc0200110 331c85c0240110 8bc2 c1e818 331c85c01c0110 } + $sequence_7 = { 8b55f8 83c704 3b5e18 72da } + $sequence_8 = { c745e0183e0110 c745e4583e0110 8945e8 eb28 b801010000 c745e0983d0110 } + $sequence_9 = { 8d7f08 8b048d64700010 ffe0 f7c703000000 7413 } condition: 7 of them and filesize < 566272 
@@ -95324,36 +95592,36 @@ rule MALPEDIA_Win_Tiny_Turla_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "461da2a0-bc71-5807-a972-eaee61f0fc07" - date = "2026-01-05" - modified = "2026-01-06" + id = "8752fe1c-22d7-5405-88a5-47f6bf440f8c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tiny_turla_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tiny_turla_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "3923b1794e00bdddc4d622e58d3337c930d14bfa9ca9a2022fc0085649294c88" + logic_hash = "323b3060cb5ee4def1d929ab89f7f824d4cd610755aae9632cfa7e7c863ca3ba" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c705????????04000000 488bc8 ff15???????? 85c0 742c 488bcb } - $sequence_1 = { 85c0 742c 488bcb e8???????? 488b0d???????? } - $sequence_2 = { 4883ec20 488b1a 488d15e0ffffff 488bcb } - $sequence_3 = { c705????????01000000 4883c420 5b 48ff25???????? } - $sequence_4 = { 4883ec20 488b1a 488d15e0ffffff 488bcb ff15???????? 488905???????? 4885c0 } - $sequence_5 = { 488bcb ff15???????? 488905???????? 4885c0 744a } - $sequence_6 = { c705????????01000000 4883c420 5b 48ff25???????? 4883c420 } - $sequence_7 = { 488d15e0ffffff 488bcb ff15???????? 488905???????? 
4885c0 } - $sequence_8 = { ff15???????? 85c0 742c 488bcb e8???????? 488b0d???????? } - $sequence_9 = { ff15???????? 85c0 742c 488bcb e8???????? } + $sequence_0 = { 4053 4883ec20 488b1a 488d15e0ffffff 488bcb ff15???????? } + $sequence_1 = { c705????????04000000 488bc8 ff15???????? 85c0 742c 488bcb e8???????? } + $sequence_2 = { 488bcb ff15???????? 488905???????? 4885c0 744a } + $sequence_3 = { c705????????04000000 488bc8 ff15???????? 85c0 742c 488bcb } + $sequence_4 = { c705????????01000000 4883c420 5b 48ff25???????? 4883c420 } + $sequence_5 = { 488b1a 488d15e0ffffff 488bcb ff15???????? 488905???????? 4885c0 } + $sequence_6 = { 488b1a 488d15e0ffffff 488bcb ff15???????? 488905???????? } + $sequence_7 = { 488d15e0ffffff 488bcb ff15???????? 488905???????? } + $sequence_8 = { ff15???????? 85c0 742c 488bcb e8???????? } + $sequence_9 = { 488b1a 488d15e0ffffff 488bcb ff15???????? } condition: 7 of them and filesize < 217088 
@@ -95363,36 +95631,36 @@ rule MALPEDIA_Win_Outlook_Backdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a3c9e166-1016-5506-93a9-19667db3083c" - date = "2026-01-05" - modified = "2026-01-06" + id = "25cc6be4-aee4-5214-b5d7-8c9f1dc8c5a6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.outlook_backdoor_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.outlook_backdoor_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "1c69545b2fc9583e56f8f6f93522f6191f76f6718f05e9ec7b5fbf60b049d689" + logic_hash = "842c87c24f07bbae0fd91c260c830edf0fa4abc10a9d19fdfaac30d66518fcca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 0f8412fdffff ff442410 ff4c2418 837c241800 7fdb e9???????? 56 } - $sequence_1 = { eb0a 8b7508 e8???????? 8bc6 8b4df4 5f 5e } - $sequence_2 = { 7708 c6063f 46 c6063d 46 8bc6 2b45e0 } - $sequence_3 = { c645fc00 e8???????? 8b4df4 8b4508 64890d00000000 5e c9 } - $sequence_4 = { e9???????? 33db 895c2414 8d442414 50 6a01 } - $sequence_5 = { 8bf0 8d442418 8bcb e8???????? 8b08 8b4004 } - $sequence_6 = { e8???????? 
53 56 8d4dd8 eb29 } - $sequence_7 = { 8365fc00 6bc01c 03818c000000 56 8b7508 50 } - $sequence_8 = { 8b4d08 83c410 8d5104 8bc1 3bca 7412 } - $sequence_9 = { 50 e8???????? 8bf0 59 8d8528ffffff 50 e8???????? } + $sequence_1 = { 6a11 53 ff7004 ff30 53 51 ff5214 } + $sequence_2 = { 5f 8d45e4 50 56 897de4 e8???????? eb23 } + $sequence_3 = { 40 83f80c 72f5 8b4d08 8d45ec 50 e8???????? } + $sequence_4 = { 8bf0 c645fc06 e8???????? 6a00 6a01 8d4dcc 894308 } + $sequence_5 = { eb3a 8ad0 80ea21 80fa5d 77f0 3c3d } + $sequence_6 = { 83c618 3bc3 7419 57 8b4808 3b4d08 7509 } + $sequence_7 = { 8bce e8???????? 8d45c4 50 ff7664 8d45a8 8d4e48 } + $sequence_8 = { 83ec10 56 57 8d442408 e8???????? 8b30 8b7804 } + $sequence_9 = { e8???????? 81ec88000000 8365ec00 56 8d856cffffff 50 } condition: 7 of them and filesize < 2912256 
@@ -95402,36 +95670,36 @@ rule MALPEDIA_Win_Rover_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "451be843-c1b6-533c-b0b3-7d3bb00747ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "a94fb808-7e56-5492-98ac-632fdf016e39" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rover_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rover_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "31c11b80e1502485f7e7215f291e9c4bbf44558d14836234edb24070e18bf1ca" + logic_hash = "a753dd562e4da41a9541695181d1e9b32b384eb5d0fad8b4827765d59d5a523e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7478 8b4c2474 8d442434 50 68ff3f0000 8d83f4050000 50 } - $sequence_1 = { eb03 83c604 56 ff15???????? 33c9 83c404 84c0 } - $sequence_2 = { 8b0d???????? 50 51 6a02 6a1c 8d9424dc000000 52 } - $sequence_3 = { 8b5b10 8b44241c 8d4bfc 3bc1 745c 8928 83c004 } - $sequence_4 = { eb6a 80bc241d01000000 7409 51 ff15???????? eb57 80bc241e01000000 } - $sequence_5 = { 85c0 740c 8b0d???????? 
8b5140 50 ffd2 8d442428 } - $sequence_6 = { 83beb000000000 0f846d030000 83bb5802000000 742c 83bb4087000000 7523 8b8e94000000 } - $sequence_7 = { 33ff 837d3805 89442410 894c2414 897c240c 750e 8bc6 } - $sequence_8 = { 897c2424 83ffff 0f84e8060000 8b2d???????? } - $sequence_9 = { ff25???????? 8d8d48ffffff ff25???????? 8b542408 8d8230ffffff 8b8a2cffffff 33c8 } + $sequence_0 = { 8b85ec030000 51 8d9570020000 52 89859c020000 e8???????? 83c408 } + $sequence_1 = { 8b750c 68???????? e8???????? 83c404 85c0 } + $sequence_2 = { e8???????? 83c408 83ff27 770f 8b04bd585f4400 50 68???????? } + $sequence_3 = { 53 8b5c2408 8915???????? 8b15???????? } + $sequence_4 = { 52 ff15???????? 8bf0 83c408 85f6 7404 c60600 } + $sequence_5 = { 8bc3 e8???????? 89442420 33c0 89442414 8d9b00000000 8b542420 } + $sequence_6 = { 85ed 0f8422010000 807d0000 0f8418010000 55 68???????? e8???????? } + $sequence_7 = { 8b4c241c 51 ff15???????? 83c404 8bc6 e9???????? 8b542410 } + $sequence_8 = { 894708 85c0 75d9 5d 5b 5f b81b000000 } + $sequence_9 = { 8bd5 2bd0 52 50 8b442418 50 ff15???????? } condition: 7 of them and filesize < 704512 
@@ -95441,36 +95709,36 @@ rule MALPEDIA_Win_Thumbthief_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c9938a2-b3ca-5fff-a79c-43d76c2643f6" - date = "2026-01-05" - modified = "2026-01-06" + id = "119c50df-c6b9-510a-b871-09b6cbb7f2f2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.thumbthief_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.thumbthief_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "95f6f620d5e728800926363598aae4fbd4980628ff69ddd3ce6426d2d79b4cfc" + logic_hash = "9214f7ec9734ebabc4620a25adb885559fd46e484e1cc442a202f9d3a37fb417" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7604 e8???????? 83c410 895e04 5f 8bc6 5e } - $sequence_1 = { ff7010 e8???????? 0fb74612 8d4dc8 50 68???????? e8???????? } - $sequence_2 = { e8???????? c645fc03 85f6 7526 68???????? 68???????? 8d8d2cffffff } - $sequence_3 = { e8???????? 8d742440 8d7c2414 a5 8d442414 6a01 50 } - $sequence_4 = { e9???????? 8b542434 395608 8b542428 0f85b1000000 8b4c2430 898c24c0000000 } - $sequence_5 = { e8???????? 8d8c24bc010000 e8???????? 8d4314 50 68a0000000 53 } - $sequence_6 = { ff15???????? 68???????? ff75dc ffd7 50 8d8dd8feffff e8???????? 
} - $sequence_7 = { ff248580c94200 8b4508 b901000000 6689481c 33c0 5f 5e } - $sequence_8 = { f20f1045c4 83c408 f20f1187b8010000 8bc6 5f 5e 5b } - $sequence_9 = { ff75f4 e8???????? 83c414 8bd6 8bcb e8???????? 837d1000 } + $sequence_0 = { 8d4de0 e8???????? 668bc6 e8???????? c20c00 6a70 b8???????? } + $sequence_1 = { e9???????? 8d8da8f5ffff e9???????? 8d8d0cf6ffff e9???????? 8d8d34f6ffff e9???????? } + $sequence_2 = { e8???????? c645fc03 bf???????? 897df0 c645fc04 c745f004645800 c645fc05 } + $sequence_3 = { ff74244c 8b542468 8bce e8???????? 8b442450 83c404 3b463c } + $sequence_4 = { 8d542444 b986000000 e8???????? ffb424a8000000 8d4c2434 e8???????? 6a01 } + $sequence_5 = { ff7018 ff7004 ffb53cffffff ffb538ffffff e8???????? 8b9d18ffffff 8bc8 } + $sequence_6 = { 8d8d4cfdffff e8???????? e8???????? c20400 68???????? 68???????? e9???????? } + $sequence_7 = { ff75dc 50 56 ff15???????? 85c0 7421 8b4510 } + $sequence_8 = { ff928c000000 33c0 40 eb02 33c0 5f 5e } + $sequence_9 = { ff7008 8bc8 e8???????? 8d8d28ffffff e8???????? 8b8580feffff 83c0bf } condition: 7 of them and filesize < 4235264 
@@ -95480,36 +95748,36 @@ rule MALPEDIA_Win_Wannacryptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "01aa6919-6be4-5745-a8e3-92d4cccf9097" - date = "2026-01-05" - modified = "2026-01-06" + id = "1452a822-68f1-555c-a131-812c2b3d3b47" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wannacryptor_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wannacryptor_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "7ff7fdcfef87dab5f03024d09ebe3e1d6a9751642113edcd42b1cf950ced5962" + logic_hash = "4e95f36de2f2a8220a615ebdc12f79bdab2eac9d47b80bff14057dcba87bcc3d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 85c0 7403 8b4004 50 8b442428 } - $sequence_1 = { c744243802000000 e8???????? 55 8d4c2420 b303 50 51 } - $sequence_2 = { 8d7e44 85c0 755f 8b17 8d4c241c 6a01 51 } + $sequence_0 = { 56 8bf1 50 e8???????? 8b4c240c 8b542410 51 } + $sequence_1 = { 7d14 8b4204 85c0 7c0d 3b4154 7d08 } + $sequence_2 = { 8b5500 03cf 8a0417 50 } $sequence_3 = { 7d0d 8b5168 8b7960 03d7 } - $sequence_4 = { c644243404 e8???????? 8d4c241c 885c2430 } - $sequence_5 = { 8d542418 c744243005000000 8b41f8 8b4e74 2bc1 } - $sequence_6 = { 8a02 8bcf 88442418 e8???????? 
8b542410 c744243000000000 } - $sequence_7 = { c7442430ffffffff e8???????? e9???????? 85c0 754b } - $sequence_8 = { 88442418 e8???????? 8b542410 c744243000000000 52 50 8d442420 } - $sequence_9 = { 89442418 0f8c42ffffff 8b442438 5f 85c0 } + $sequence_4 = { 83ec54 56 8bf1 57 8a4658 } + $sequence_5 = { 8d78c0 0fafd7 8916 8b796c } + $sequence_6 = { 8b4620 6821010000 6a00 6a00 } + $sequence_7 = { 50 51 885c243c e8???????? } + $sequence_8 = { 8bd8 8b5500 03cf 8a4411ff 8bcd 50 57 } + $sequence_9 = { 7507 8bce e8???????? 8d54241c } condition: 7 of them and filesize < 540672 
@@ -95519,42 +95787,42 @@ rule MALPEDIA_Win_Nachocheese_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0d1d5a3a-67ce-5c34-82de-43ee9a1b9d3b" - date = "2026-01-05" - modified = "2026-01-06" + id = "c77c87ec-b0dd-5c2b-a9cb-f7c0c612c618" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nachocheese_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nachocheese_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "cb72c9411818be36907dbdd85a36216d8cf0f5bc33a5604f0609af1c56f21889" + logic_hash = "f328df7f382cd43b276cc286e4395c64b848f18d096f9fa29e4a726f16397526" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 2bfa 8d47fd 3901 8901 } - $sequence_1 = { 3d2cc00000 7f18 3d2bc00000 7d1b } - $sequence_2 = { 33c4 89842498210000 833d????????02 53 56 } - $sequence_3 = { 3d9c000000 7c07 3d9f000000 7e0d } - $sequence_4 = { 8b5f18 85f6 7504 33c0 eb1e } - $sequence_5 = { 83c404 8975fc 8d4900 e8???????? 
8bf0 85f6 } - $sequence_6 = { 8d4813 894dec 8955fc 53 } - $sequence_7 = { 3d2bc00000 7d1b 3d9c000000 7c07 } - $sequence_8 = { 81fb80000000 7305 83c302 eb29 81fb00010000 7305 } - $sequence_9 = { 5b 8be5 5d c20400 8d4508 50 681d002000 } - $sequence_10 = { 33c8 894710 8b4708 33c1 } - $sequence_11 = { 33c0 c3 05d13fffff 83f801 } - $sequence_12 = { 83ec0c 53 56 57 33f6 6a03 } - $sequence_13 = { 8b4508 8d55a8 52 33c9 50 } - $sequence_14 = { 52 89bddcf9ffff e8???????? 83c404 } - $sequence_15 = { 3d9f000000 7e0d 33c0 c3 } + $sequence_0 = { 83f817 7532 8b7710 8b5f18 85f6 } + $sequence_1 = { 3d2bc00000 7d1b 3d9c000000 7c07 } + $sequence_2 = { 8a540305 32d1 88143e 8a4805 02ca 880c3e } + $sequence_3 = { 33c8 894710 8b4708 33c1 } + $sequence_4 = { ff15???????? 85c0 7473 8b55f4 } + $sequence_5 = { 3d9f000000 7e0d 33c0 c3 05d13fffff 83f801 77f3 } + $sequence_6 = { 33f6 397508 0f8ec9000000 b8???????? 48 } + $sequence_7 = { 7305 83c302 eb29 81fb00010000 } + $sequence_8 = { 3d2cc00000 7f18 3d2bc00000 7d1b } + $sequence_9 = { 7305 83c303 eb1c 81fb00000100 7305 83c304 eb0f } + $sequence_10 = { c3 8d85ecfaffff 68???????? 50 } + $sequence_11 = { 55 8bec 8b4508 50 81c10e010000 6804010000 } + $sequence_12 = { 8b4508 8b4dfc 6a00 8d55f8 } + $sequence_13 = { 2bfa 8d47fd 3901 8901 } + $sequence_14 = { 68???????? eb38 8dbc24a0010000 8bce e8???????? 8bd7 52 } + $sequence_15 = { 3d9c000000 7c07 3d9f000000 7e0d } condition: 7 of them and filesize < 1064960 
@@ -95564,36 +95832,36 @@ rule MALPEDIA_Elf_Persirai_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71dd969e-17c7-51f6-8baa-f5813c4b7618" - date = "2026-01-05" - modified = "2026-01-06" + id = "8f41a5d8-eee7-5846-8dc0-add30ed5cc27" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.persirai_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.persirai_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "8b3f4b08e462bfefa6597fd60f192d2977efdf6597eab8ae390529732ac3b197" + logic_hash = "29bb51aca07b20ef5152921753dd0e49613e61042ccf5ac4068c21ca622e998d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d680c 8b400c 83e0fe 85c0 75e6 } - $sequence_1 = { 51 e8???????? 8d5c2424 89f1 89df 89e8 fc } - $sequence_2 = { 7423 0fbed0 a1???????? 8854243b 85c0 0f84f9000000 8810 } - $sequence_3 = { 52 8b5020 53 50 ff5208 83c410 } - $sequence_4 = { 6648 759f 53 53 57 8d44244c 50 } + $sequence_0 = { 57 56 53 81ec0c280000 8bac2428280000 81bc2424280000ff270000 7779 } + $sequence_1 = { 31c0 81c4a4000000 5b 5e c3 89e2 } + $sequence_2 = { 894108 c7411420000000 5b 5e c3 } + $sequence_3 = { 57 56 53 83ec0c 89c7 be???????? } + $sequence_4 = { 53 e8???????? 
66c744241c0200 83c410 eb16 66833b02 7410 } $sequence_5 = { 56 53 83ec0c 89c7 be???????? } - $sequence_6 = { 89d0 5a 59 5b c3 8b442404 8b542408 } - $sequence_7 = { eb0c 89c2 8b02 39c1 75f8 8b01 8902 } - $sequence_8 = { e8???????? 89c3 8bb098000000 85f6 751c 50 50 } - $sequence_9 = { 84c0 742a 8d7600 46 3c25 742b 0fbed0 } + $sequence_6 = { 83ec10 8b5c2418 ff74241c 53 e8???????? 83c410 83caff } + $sequence_7 = { 89c3 8b8424b4000000 8944241c 8b8424b8000000 89442420 8b8424bc000000 89442424 } + $sequence_8 = { 8b542418 89d0 83c41c c3 56 53 83c8ff } + $sequence_9 = { d1fa 0fb68292810508 c3 55 57 56 53 } condition: 7 of them and filesize < 229376 @@ -95604,10 +95872,10 @@ rule MALPEDIA_Win_Interception_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "f1a298d5-70e2-5f27-b6ee-691574cd9abf" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.interception" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.interception_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.interception_auto.yar#L1-L118" license_url = "N/A" logic_hash = "3520af3329a4b24d818d777e1e8f70b92d9cafa69a1f58bf6db64da9ed00530f" score = 75 @@ -95616,9 +95884,9 @@ rule MALPEDIA_Win_Interception_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -95642,36 +95910,36 @@ rule MALPEDIA_Win_Pipemon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "641a9fef-3a8d-534e-bfa2-dfb8a6acf672" - date = "2026-01-05" - modified = "2026-01-06" + id = "57703f36-b066-5bf1-aaf8-6d75b0f37b8f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pipemon_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pipemon_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "e491e9d37fd535256d0dbfcb98468cb6b5a0e8d2ca1e4782bf7c27cb6ebbc39b" + logic_hash = "3d352e4f6a1c43361acce172d46166f6c8a25abf0d03914db928ce944bd4b157" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 4883ec20 488bf9 4c8d0df8c50000 b903000000 4c8d05e4c50000 } - $sequence_1 = { 488bec 4883ec40 488d45e8 48894de8 488945f0 488d15c0a80000 b805000000 } - $sequence_2 = { 488d0d620b0000 e8???????? e8???????? 488d15794a0100 488d0d524a0100 } - $sequence_3 = { 81f95d68fa3c 0f85a3000000 4d8b5620 41bfffff0000 } - $sequence_4 = { 895128 488d0d6fa90000 488b45d8 488908 } - $sequence_5 = { 4533ff 443b432c 723d 450fb75a06 410fb7d7 66453bfb 732b } - $sequence_6 = { 4c8d442458 488d4c2438 e8???????? 4c8d4820 4889442420 4c8bc3 488d5588 } - $sequence_7 = { 488bd8 483b5c2440 e9???????? 
c644243000 488d8570060000 4889442428 4c8d4c2450 } - $sequence_8 = { 48894a08 488d4c2420 e8???????? 488d05ce3a0100 488903 488bc3 } - $sequence_9 = { cc 4883ec48 488bd1 488d4c2420 e8???????? 488d15dcdc0100 } + $sequence_0 = { 488bc2 488d0d1d450100 48890b 488d5308 } + $sequence_1 = { c745b038020000 488d55b0 488bc8 ff15???????? 85c0 7440 } + $sequence_2 = { 4839b938010000 7516 488d05f3370100 4a8b04e8 42387c3039 } + $sequence_3 = { 0f1f00 8d4601 25ff000080 7d09 ffc8 0d00ffffff } + $sequence_4 = { 4c8d0d349b0000 f20f5cca f2410f590cc1 660f28d1 660f28c1 4c8d0dfb8a0000 } + $sequence_5 = { 488b18 483bd8 0f84f7010000 448b4320 488d15e4fb0100 } + $sequence_6 = { 48894310 33c9 e8???????? 48894318 c6432000 b910000000 e8???????? } + $sequence_7 = { 4983c302 6685db 0f856cffffff 4c89642428 } + $sequence_8 = { 5b c3 4883ec38 488d05f5960000 41b91b000000 4889442420 e8???????? } + $sequence_9 = { 4489a500020000 488d442460 488985f8010000 ba01000000 488d4c2460 } condition: 7 of them and filesize < 389120 
@@ -95681,36 +95949,36 @@ rule MALPEDIA_Win_Cargobay_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d6e48bf6-04f2-5926-86cf-d6b3d1d19c9e" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1c395b9-93cb-55d6-a8a1-d5d9301250e6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cargobay_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cargobay_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "78bad24f78416452973bfe57bb2d3dc8c78eea72265f4a6384a2c196eab74e59" + logic_hash = "535fe4668c33a2d7c01573f2e50f9f413ad5d474304a9cec1def23e30f2c89b6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 0f0b 4883ec28 4889c8 488d0d735d0e00 48894c2420 41b900010000 } - $sequence_1 = { e8???????? 48894308 b801000000 ebd3 4881ec88000000 488d442428 488910 } - $sequence_2 = { e8???????? 4889f1 89c2 4883c420 5e e9???????? 56 } - $sequence_3 = { e8???????? 488d9424a0000000 440f294a10 440f2902 4c8db424e0000000 4c89f1 4989f8 } - $sequence_4 = { e9???????? 89f9 4429e1 488b742430 8d5601 4585e4 410f94c0 } - $sequence_5 = { 4c8ba424c8000000 4889f1 e8???????? 4885c0 7446 4989d0 4c89f1 } - $sequence_6 = { eb0d 488908 e9???????? 
440fb76734 4929d4 488d7738 31ed } - $sequence_7 = { 49c1e104 31c0 4939c1 740b 41833c0000 488d4010 74f0 } - $sequence_8 = { c6455e00 4c8d05ed010900 4889e9 488d5548 e8???????? 31ff 4885f6 } - $sequence_9 = { e8???????? 4889e9 4c89ea e8???????? e9???????? 488d1512bb1200 488dbc24f0020000 } + $sequence_0 = { 5e 415c 415d 415e 415f c3 488b8424e8010000 } + $sequence_1 = { e8???????? 488b9c24b0000000 488b4308 0fb64808 48ffc9 4883f902 7304 } + $sequence_2 = { 89ca 80e21f 0fb6d2 0fb67001 83e63f 80f9df 763c } + $sequence_3 = { e8???????? e9???????? 56 57 4883ec48 4889ce 488b4110 } + $sequence_4 = { e8???????? 4c8bbd90000000 488bbd98000000 4d89fe 4929fe 4d89f0 4929d8 } + $sequence_5 = { e9???????? b91f000000 31d2 e8???????? 0f1005???????? 0f1100 0f1005???????? } + $sequence_6 = { 4c8d05cf070b00 488db42470020000 41b92c000000 4889f1 e8???????? 4889df 4883c710 } + $sequence_7 = { f6c101 755a 89d5 4c8bb42480000000 488bbc2488000000 4c39f7 7416 } + $sequence_8 = { e8???????? 4c8d05f3e20c00 ba0b000000 4889f9 e8???????? 4989d0 4489f9 } + $sequence_9 = { eb5e 41b800001c00 eb56 41b800001d00 eb4e 41b800001e00 eb46 } condition: 7 of them and filesize < 3432448 
@@ -95720,42 +95988,42 @@ rule MALPEDIA_Win_Grabbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "73c12bd4-295c-5729-9e60-823ca8abaa15" - date = "2026-01-05" - modified = "2026-01-06" + id = "80bedd71-05e5-5d45-bc8d-074a3e4f2c9d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grabbot_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grabbot_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "c79f2285c80f8ba1c50729904e8ec53f7fa2031a70a10d12a2683fdce4ed7a23" + logic_hash = "35e407c1959bada62cd493118ce1f0a617fd8c20cd3b6e1a49dd990333d5e682" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83f85a 770b 83f841 7206 83c020 0fb7c0 83c202 } - $sequence_1 = { 83f85a 770d 83f841 7208 83c020 } - $sequence_2 = { 50 6a04 ff75e8 ff75dc } - $sequence_3 = { 813850450000 7523 0fb75004 bb64860000 663bd3 7506 } - $sequence_4 = { b905000000 3907 7707 83c704 e2f7 } - $sequence_5 = { 663907 7566 8b473c 03c7 813850450000 } - $sequence_6 = { c3 68d0035c09 e8???????? 50 e8???????? ffe0 } - $sequence_7 = { e8???????? 59 81c480000000 50 8bf1 e8???????? e8???????? 
} + $sequence_0 = { 770b 83f841 7206 83c020 0fb7c0 } + $sequence_1 = { 0fb702 83f85a 770b 83f841 } + $sequence_2 = { 770d 83f841 7208 83c020 } + $sequence_3 = { 50 e8???????? ffe0 c3 686541fba7 e8???????? } + $sequence_4 = { 55 8bec 83ec08 b84d5a0000 56 57 } + $sequence_5 = { 8b463c 03c6 813850450000 7523 0fb75004 } + $sequence_6 = { 7407 58 034508 ab ebe3 } + $sequence_7 = { 663bca 0f850c010000 8b8890000000 85c9 } $sequence_8 = { 56 ffd0 33c9 66894c37fe } - $sequence_9 = { 7428 8b0d???????? 8908 8b0d???????? 894804 8b0d???????? } - $sequence_10 = { 894808 8b0d???????? 89480c e9???????? 33c0 } - $sequence_11 = { 8d45f0 99 52 50 8b451c 99 } - $sequence_12 = { 57 8d7c000c 57 e8???????? } - $sequence_13 = { e8???????? 85c0 56 0f9fc3 e8???????? 83c414 } - $sequence_14 = { 50 ff15???????? a3???????? 85c0 7505 83c8ff } - $sequence_15 = { 8bf0 85f6 741d 8d4601 } + $sequence_9 = { 8b0d???????? 894808 8b0d???????? 89480c e9???????? } + $sequence_10 = { 7428 8b0d???????? 8908 8b0d???????? 894804 8b0d???????? } + $sequence_11 = { 89480c e9???????? 33c0 e9???????? } + $sequence_12 = { ff15???????? 50 ff15???????? a3???????? 85c0 7505 83c8ff } + $sequence_13 = { 33f6 ff15???????? 85c0 741b 8d440002 50 e8???????? } + $sequence_14 = { 6840420f00 6a00 ff15???????? a3???????? } + $sequence_15 = { 0f9fc3 e8???????? 83c414 5e } condition: 7 of them and filesize < 1335296 
@@ -95765,42 +96033,42 @@ rule MALPEDIA_Win_Smominru_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba1df8df-398d-5a15-b32f-32308ade7ab2" - date = "2026-01-05" - modified = "2026-01-06" + id = "5560f5a4-6d36-52e8-b0a3-87600a32da71" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.smominru_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.smominru_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "0db1d77f56494f7e7d1098f916a45decdc9bada94ceb297ac850baf6e6d6e3b1" + logic_hash = "b59a8daa7966062e2a126c7667de606ff71ee610130b33d75a8ff84bd6a35409" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894634 8b4718 894638 8b471c 89463c 8b4720 894640 } - $sequence_1 = { 8b5604 0fa5d0 8907 83c604 } - $sequence_2 = { 8b55fc ff5704 837b0c08 7549 } - $sequence_3 = { 8d6c2400 6aff 68b0f3e877 ff7508 } - $sequence_4 = { c9 c20c00 57 5f 55 54 } - $sequence_5 = { 8b55fc f76a14 c1e002 50 8b45fc } - $sequence_6 = { 8b5604 81e2ffffff7f 03c2 8bd0 } - $sequence_7 = { 8b5604 81ca00000002 33c9 8a8b15020000 } - $sequence_8 = { e8???????? 33c0 894704 894708 89470c 894710 894714 } - $sequence_9 = { ff15???????? 85c0 0f8c5f37ac7b 33c0 40 } - $sequence_10 = { 8b5604 59 e8???????? 
85c0 } - $sequence_11 = { 8b5604 3bfa 7372 8b1e } - $sequence_12 = { 8b55fc ff560c 8b450c ff00 } - $sequence_13 = { 8bc6 5e c9 c20800 8d7f00 55 } - $sequence_14 = { 5f 55 8d6c2400 8b450c } - $sequence_15 = { 8975e0 8975dc 8975c0 8975c8 39750c 0f841948ab7b } + $sequence_0 = { 8b55fc f76a14 8bd0 c1e202 } + $sequence_1 = { 0f843537ac7b 8bc8 81e103000010 83f903 } + $sequence_2 = { 8bc6 5e c9 c20800 8d7f00 55 } + $sequence_3 = { 8b55fc e8???????? eb18 8d45ec } + $sequence_4 = { 8b4e1c 89481c 8b4e20 894820 8b4e24 894824 8b4e28 } + $sequence_5 = { 8b55fc e8???????? f645fb02 740c } + $sequence_6 = { 8b55fc e8???????? f7c600040000 742c } + $sequence_7 = { 0f8478a6aa7b 8b7514 85f6 0f84d9a4aa7b 8bce e8???????? 3d00010000 } + $sequence_8 = { 89461c 8b85f0fdffff 894620 8bc3 5b 8b4dfc 33cd } + $sequence_9 = { 0f850647c07b c745e400000000 8b37 8975e0 85f6 0f842bfebb7b 83feff } + $sequence_10 = { 8b55fc ff560c 8b450c ff00 } + $sequence_11 = { 50 ff15???????? 81fe200100c0 0f84f32db37b 33c0 } + $sequence_12 = { 8b55fc f76a14 c1e002 50 } + $sequence_13 = { 8b55fc f6427001 0f848c000000 8b55dc } + $sequence_14 = { 8945f8 e8???????? 8b401c 6a00 } + $sequence_15 = { 8b55fc e8???????? e9???????? a1???????? 8b00 80787c00 0f84a7000000 } condition: 7 of them and filesize < 8167424 
@@ -95810,36 +96078,36 @@ rule MALPEDIA_Win_Akdoortea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "273d2f0d-acc7-5ac9-9a11-3e8564a6c5a7" - date = "2026-01-05" - modified = "2026-01-06" + id = "9b16cffd-6265-57a3-83a4-1036ed97c511" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akdoortea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.akdoortea_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.akdoortea_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "2fa5ad11741a8504cc8c2573ed395ff2e4f2dd319c182aa1bdba253b5a1bde31" + logic_hash = "455869af8b08654ec5550748a201428e6107c11190a89ae97296d39277f6f836" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 006118 40 007019 40 00411a } - $sequence_1 = { 7641 8d85f0feffff 8d5001 0f1f8000000000 8a08 } - $sequence_2 = { 8d8df0f9ffff 8d5002 e8???????? 8bf0 83c420 85f6 } - $sequence_3 = { 8bec 83ec0c 53 8bda 56 8bf1 57 } - $sequence_4 = { 50 8b04bdf8204200 ff741818 ff15???????? 85c0 0f95c0 eb02 } - $sequence_5 = { 7439 8d56ff 8a4201 8d5201 84c0 75f6 } - $sequence_6 = { 90 85f6 740b 83feff 0f859a000000 eb6c 8b1c8d10a24100 } - $sequence_7 = { e8???????? 83c414 ebe1 8b55ec 8b4de8 8b0495f8204200 807c082800 } - $sequence_8 = { 83c418 c745f803010000 8d45f8 50 8d4304 50 ff15???????? 
} - $sequence_9 = { ffd6 68f4010000 8bf0 ff15???????? 85ff 740e } + $sequence_0 = { 6bd038 8955e0 8b048df8204200 f644102801 74ba } + $sequence_1 = { 50 e8???????? 83c418 c7850cecffff04010000 } + $sequence_2 = { 6a00 50 e8???????? 83c40c c7873404000000000000 8d442410 c7873804000000000000 } + $sequence_3 = { 57 8d85fcf7ffff 56 50 e8???????? 83c418 } + $sequence_4 = { 0f852c010000 8b0485f8204200 8bcb 83c02e } + $sequence_5 = { 8b049554dd4100 898588f8ffff 85c0 0f84ad000000 3bc3 } + $sequence_6 = { 03f7 83c40c 81c120030000 8bf9 } + $sequence_7 = { 8d95f0f9ffff c785ecf9ffff00000000 8d4a01 0f1f8000000000 8a02 42 84c0 } + $sequence_8 = { ffb568fdffff 8d85f4fdffff ffb564fdffff ffb560fdffff 68???????? } + $sequence_9 = { 75f0 8b4dfc 5f c78634040000b8220000 } condition: 7 of them and filesize < 305152 
@@ -95849,36 +96117,36 @@ rule MALPEDIA_Win_Ratankba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6a3f1f15-dacb-52cd-b11b-5a08568d4510" - date = "2026-01-05" - modified = "2026-01-06" + id = "da0fbba9-fc73-50f1-87c7-283cc6939327" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ratankba_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ratankba_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "245ded0bb432e91f4a3aadcb5c1a265abfb5f2ea6a66bf5a1e4eebc1e9edd031" + logic_hash = "ae22411873875d782153de3713e1e2e1d5df4e5c948248c54a93d9d12f33a88c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b17 8d0c8500000000 51 6a00 52 e8???????? 8b06 } - $sequence_1 = { c745fcffffffff 899edc000000 899ee0000000 39bdd0d5ffff 720f 8b8dbcd5ffff 51 } - $sequence_2 = { 8d8db4feffff 53 51 c785b4feffff00000000 e8???????? 8bd8 } - $sequence_3 = { 751b 8b45f8 3bc3 7409 50 e8???????? 83c404 } - $sequence_4 = { 8b9510ffffff 85f6 744d 8b8ddcfeffff bb10000000 395914 7202 } - $sequence_5 = { 8b5304 6a18 8944ca04 e8???????? 8bf0 85f6 0f8837ffffff } - $sequence_6 = { e8???????? 8b5004 8b45e4 8b4cd004 51 e8???????? 
} - $sequence_7 = { 8986b8010000 8986bc010000 899eb0010000 c786b401000060ea0000 8bc6 8b4df4 } - $sequence_8 = { 48 3bc7 7224 b857000780 e8???????? 8bc7 e8???????? } - $sequence_9 = { 83c404 898394000000 85c0 0f847d000000 8b8d10efffff 51 } + $sequence_0 = { 720a b857000780 e8???????? 8b4b04 5f 8944d104 } + $sequence_1 = { 7407 50 ff15???????? 80bd2fefffff00 0f8421080000 8bb528efffff 8b83dc000000 } + $sequence_2 = { 2bf7 d1fe 8d3473 8930 } + $sequence_3 = { 8be5 5d c20800 6a10 e8???????? 894508 } + $sequence_4 = { 75f9 2bc2 50 8d459c 8d8de4feffff e8???????? } + $sequence_5 = { 85f6 744d 8b8ddcfeffff bb10000000 395914 7202 8b09 } + $sequence_6 = { 8b7dd0 8b450c 33f6 3975cc 7636 8b5014 } + $sequence_7 = { 33c0 5b 5d c20400 893e 8b4e0c 8d7e0c } + $sequence_8 = { e8???????? 83c408 85c0 0f85e50e0000 6a04 b8???????? } + $sequence_9 = { 8d4d84 51 8d957cfdffff 52 68???????? 8d8574fbffff } condition: 7 of them and filesize < 303104 
@@ -95888,42 +96156,42 @@ rule MALPEDIA_Win_Microbackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d034a3c6-ae16-5b99-83b8-8b1af34e1631" - date = "2026-01-05" - modified = "2026-01-06" + id = "2b2908cd-6655-5e02-93d7-7005a043c66a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.microbackdoor_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.microbackdoor_auto.yar#L1-L179" license_url = "N/A" - logic_hash = "aab22f804c7581af6f351afbab65356d1b51594dabf7c74f24bb9a35b014fbaa" + logic_hash = "0a513a7de44a9667b235a624c68cdce9b5a9c79e64875e766c3d89bd61f0b348" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c9 8d45f0 50 51 6a3a } - $sequence_1 = { ffd7 eb06 ff15???????? 8bc6 eb06 } - $sequence_2 = { eb42 0fb6442431 3c5a 7520 837c243400 7419 66837c243200 } - $sequence_3 = { 488dac2410feffff 4881ecf0020000 8bd9 33c9 440fb7ea e8???????? } - $sequence_4 = { 418bce 0fb7de ff15???????? 488d15ea390000 488d4c2450 4c8bc0 } - $sequence_5 = { 66896c2420 ff15???????? 8bce 89742424 } - $sequence_6 = { 59 56 ff15???????? eb06 ff15???????? 8b75f4 } - $sequence_7 = { ff15???????? 488d0d01290000 eb68 488d542430 41b800010000 488bcb e8???????? 
} - $sequence_8 = { 7412 488d0dfa700000 448bc0 488bd6 e8???????? 03df } - $sequence_9 = { ff15???????? 85c0 0f8599feffff 8d4508 33db 50 } - $sequence_10 = { eb57 4d03c9 498bd7 498bce 43ff54cd08 } - $sequence_11 = { 448bc6 488bd0 488bcf e8???????? 8bf8 85c0 } - $sequence_12 = { 3bfe 7cdd 33c0 40 } - $sequence_13 = { 895d08 e8???????? 83c410 85c0 7467 } - $sequence_14 = { ff15???????? ff75fc ff15???????? ff7508 ff15???????? eb0e ff15???????? } - $sequence_15 = { 8975fc 50 56 56 6a19 ff75f8 ff15???????? } + $sequence_0 = { 56 ffd7 6810270000 ff15???????? } + $sequence_1 = { 90 0fb7841120840000 488d4902 6689840dae010000 6685c0 75e7 0f1f8000000000 } + $sequence_2 = { 8bec 83ec18 56 57 33c0 c745fc14000000 8d7de8 } + $sequence_3 = { 5d c3 55 8bec ff750c ff15???????? 50 } + $sequence_4 = { 0f84f1010000 0f1f00 8b8578020000 85c0 7548 488b4c2458 488d9568020000 } + $sequence_5 = { 4156 4881ec58020000 4c8bf1 ba0000a000 b940000000 ff15???????? } + $sequence_6 = { 8bce 0fb7811c100010 6689840dbcfbffff 03cb 6685c0 } + $sequence_7 = { ff750c 57 ff15???????? 57 ff7508 e8???????? } + $sequence_8 = { 8bd0 e8???????? 33c0 4881c438010000 5b 5d c3 } + $sequence_9 = { 833f0a 7207 33c0 e9???????? 53 33db 56 } + $sequence_10 = { 33db 56 8b750c 43 85f6 0f84a9010000 } + $sequence_11 = { 488b4c2430 ff15???????? eb0e 488d0d8b490000 8bd0 e8???????? } + $sequence_12 = { ff15???????? 488d442458 488d9510010000 4889442448 } + $sequence_13 = { 8d45fc 50 ff15???????? 8b3d???????? 8bf0 85f6 } + $sequence_14 = { 664489642440 6689442442 ff15???????? 85c0 0f855b030000 418bce } + $sequence_15 = { ff15???????? 8b4b34 85c9 0f848e000000 ffc9 746a } condition: 7 of them and filesize < 123904 
@@ -95933,34 +96201,36 @@ rule MALPEDIA_Elf_Bashlite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bbeb65b7-8b2b-54dc-9314-a8bcbc56853e" - date = "2026-01-05" - modified = "2026-01-06" + id = "c9940f00-6c43-5002-9447-8efca13b4de7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.bashlite_auto.yar#L1-L94" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.bashlite_auto.yar#L1-L110" license_url = "N/A" - logic_hash = "98d7f6d0b73040daa4a477a42fca0025382c8a865bb2020813f6076b3c9fb152" + logic_hash = "26dcb3c65c33de0c43264568648256276d33d93e2ed88faf5f7b3de2e4e9c903" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 750c c785ecefffff01000000 eb0a c785ecefffff00000000 } - $sequence_1 = { f7d0 21d0 3345fc c9 c3 } - $sequence_2 = { e8???????? 8945ec 837dec00 750b } - $sequence_3 = { 89c2 89d0 c1e81f 01d0 } - $sequence_4 = { 83f8ff 750c e8???????? 8b00 83f873 } - $sequence_5 = { 760f e8???????? c7001c000000 31c0 } - $sequence_6 = { eb0a c785ecefffff00000000 8b85ecefffff c9 } - $sequence_7 = { eb19 e8???????? c70016000000 e8???????? c70016000000 } + $sequence_0 = { 8b85ecefffff c9 c3 55 } + $sequence_1 = { 83f8ff 750c e8???????? 8b00 83f873 } + $sequence_2 = { e8???????? 
c70016000000 e8???????? c70016000000 } + $sequence_3 = { e8???????? 8945ec 837dec00 750b 8b45ec } + $sequence_4 = { 31c0 eb19 e8???????? c70016000000 } + $sequence_5 = { 31c0 eb19 e8???????? c70016000000 e8???????? c70016000000 83c8ff } + $sequence_6 = { 8945ec 837dec00 750b 8b45ec } + $sequence_7 = { 21d0 3345fc c9 c3 55 } + $sequence_8 = { 89c2 89d0 c1e81f 01d0 } + $sequence_9 = { 750c c785ecefffff01000000 eb0a c785ecefffff00000000 } condition: 7 of them and filesize < 2310144 
@@ -95970,36 +96240,36 @@ rule MALPEDIA_Win_Agendacrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4966f69d-c40f-52c7-ab6b-916949adbb8d" - date = "2026-01-05" - modified = "2026-01-06" + id = "f32548e8-d6b6-5ddb-8fba-1bbeef55cbbc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.agendacrypt_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.agendacrypt_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "0e351b6d1fd5e325b27b4cca5ef7ee4f990f5eb0183c139b2c6519ec640c4f6c" + logic_hash = "f293479bb07328906630a1bbbaedfa64198cff7a5f05989036ed1c27febacd22" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 85c0 0f8409010000 f30f7e05???????? 0f280d???????? 89442428 c744243404000000 } - $sequence_1 = { 8b75d4 89500c 85f6 7516 eb38 8b45e8 8b5804 } - $sequence_2 = { 89c3 81fba3030000 8955d8 0f84e9000000 660f1f840000000000 81fb00001100 0f8420ffffff } - $sequence_3 = { 8d4c2424 8d542470 e8???????? e9???????? b9???????? eb63 c744247006000000 } - $sequence_4 = { 8d4dec e8???????? 8b55f4 8b45ec 66c7045000ff 42 8955f4 } - $sequence_5 = { e8???????? 837dcc02 7211 a1???????? ff75d0 6a00 ff30 } - $sequence_6 = { e8???????? 
8b7de8 8b75f0 8b4510 66c704772200 46 8975f0 } - $sequence_7 = { c745d000000000 8945f0 8d45f0 c745f490b04100 8945d8 c745dc01000000 8d45c8 } - $sequence_8 = { c1c20e 894dc0 8b4db4 c1c619 31d0 89fa 31f0 } - $sequence_9 = { f20f1145b0 894db8 742c f20f1045bc f20f104dc4 f20f114de4 f20f1145dc } + $sequence_0 = { c1ef14 0fa4d001 81e7ff070000 25ffff1f00 83c6ff 81d3ffff0f00 897c2404 } + $sequence_1 = { e8???????? 83c40c 8b45ec 8907 895f04 c7470801000000 837dbc00 } + $sequence_2 = { eb2d 31c9 837d1000 894df0 0f852efdffff c745e000000000 8b45e8 } + $sequence_3 = { 8d8c2490000000 0fb69c24d0000000 8b442468 8b74246c 0fa4c609 c1e009 8d3cdd00000000 } + $sequence_4 = { 895008 5d c3 55 89e5 8b4508 f20f100d???????? } + $sequence_5 = { 8d4c3bff 39d1 0f83c4030000 8d47ff 8954240c 897c2414 89442428 } + $sequence_6 = { c1e808 83f81f 7f1e 85c0 743d 83f816 0f85fe000000 } + $sequence_7 = { ff30 e8???????? e9???????? 8b442434 f20f1044242c f20f1054241c f20f104c2424 } + $sequence_8 = { a1???????? ff75d0 6a00 ff30 e8???????? 83c438 5e } + $sequence_9 = { c745dca8935600 c745e001000000 c745e400000000 c745ec50675600 c745f000000000 68???????? 56 } condition: 7 of them and filesize < 3340288 
@@ -96009,42 +96279,42 @@ rule MALPEDIA_Win_Moker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cb9352b8-7986-51d0-bfba-8cdb83b8b9cc" - date = "2026-01-05" - modified = "2026-01-06" + id = "69bbf83d-0ab5-5acb-b2d7-513d1190be4e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moker_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moker_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "7734cc9477f43c35a46e19994290fc756278e602b0dee6674db4466771e526fb" + logic_hash = "aa8088f026aef50ec0840174b29fe27672f04ec00cf10e28a3ac1c6b80820555" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 0302 8945d4 8b4dd4 83c102 } - $sequence_1 = { 0301 8945e0 e8???????? 8b55e8 } - $sequence_2 = { 0100 83c414 85c0 7502 eb0a } - $sequence_3 = { 0302 8945e8 eb09 8b45e8 } + $sequence_1 = { 0302 8945e8 8b4df8 8b55fc } + $sequence_2 = { 6a00 8b4584 50 e8???????? 83c408 894590 837d0800 } + $sequence_3 = { 0100 83c414 85c0 7502 } $sequence_4 = { 0302 8945dc 8b45dc 83c002 } - $sequence_5 = { 0302 8945e8 8b4df8 8b55fc } - $sequence_6 = { 6a00 8b15???????? 52 6a1e 6a3c } + $sequence_5 = { 0100 0101 0001 0101 0001 0101 } + $sequence_6 = { 0301 8945e0 e8???????? 
8b55e8 } $sequence_7 = { 0302 50 e8???????? 83c404 3b450c 750b 8b4df0 } - $sequence_8 = { 034508 8078fe5c 740d c6005c c6400100 } - $sequence_9 = { 50 6800800000 6a00 ff7508 ff15???????? e8???????? 9d } - $sequence_10 = { 39f7 7410 fc 39fe } - $sequence_11 = { 730c 8b420c 29c6 8b4214 01c6 eb06 83c228 } - $sequence_12 = { eb82 8b86b8000000 40 8d5002 83aec400000004 } - $sequence_13 = { 75eb 59 5e 5f c9 c21000 } - $sequence_14 = { 51 8b4510 48 ff4514 } - $sequence_15 = { 8d5001 52 8d5580 52 e42b } + $sequence_8 = { d0838b3f8d57 1c8d 8bae03000029 d1894a018d57 318d8bd20700 } + $sequence_9 = { 89442408 48 85c0 0f8409010000 41 c6042401 } + $sequence_10 = { 8f86b0000000 ff7108 8f86b4000000 31c0 48 5e } + $sequence_11 = { 6887000000 ed 713d 8907 } + $sequence_12 = { 50 ff15???????? ed 8408 ebe4 } + $sequence_13 = { 8b450c 2580000000 83f800 741d } + $sequence_14 = { 48 5e 5f 5b c9 c20400 b800000000 } + $sequence_15 = { 31c0 40 59 5a c9 } condition: 7 of them and filesize < 1761280 
@@ -96054,35 +96324,35 @@ rule MALPEDIA_Win_5T_Downloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4a370ca-6c61-5c78-8868-cd8df81cd00c" - date = "2026-01-05" - modified = "2026-01-06" + id = "0ab45afc-a375-507f-9f9b-8207d0d5861a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.5t_downloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.5t_downloader_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.5t_downloader_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "584a19ffb7b53f3b149aeb982ecf23155ae77e2c2b57bc23c34103eb885f8cf5" + logic_hash = "d63109b9465c501c9171596ca61e05b19ae0a788ab6deab75bb698128d50000e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7403 5d ffe1 83c8ff } - $sequence_1 = { 55 8bec 8b4508 85c0 7416 83781400 7510 } + $sequence_0 = { 8b4508 85c0 7416 83781400 } + $sequence_1 = { 85c9 7409 83781800 7403 5d } $sequence_2 = { 8b4508 85c0 7416 83781400 7510 } - $sequence_3 = { 83781800 7403 5d ffe1 } + $sequence_3 = { 55 8bec 8b4508 85c0 7416 83781400 7510 } $sequence_4 = { 85c9 7409 83781800 7403 5d ffe1 83c8ff } - $sequence_5 = { 85c9 7409 83781800 7403 5d ffe1 } - $sequence_6 = { 83781800 7403 5d ffe1 83c8ff } + $sequence_5 = { 83781800 7403 5d ffe1 83c8ff } + $sequence_6 = { 8bec 8b4508 
85c0 7416 83781400 7510 } $sequence_7 = { 85c9 7409 83781800 7403 } - $sequence_8 = { 85c0 7416 83781400 7510 } + $sequence_8 = { 8bec 8b4508 85c0 7416 83781400 } $sequence_9 = { 7409 83781800 7403 5d } condition: @@ -96097,7 +96367,7 @@ rule MALPEDIA_Win_Webc2_Div_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_div_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_div_auto.yar#L1-L122" license_url = "N/A" logic_hash = "fd0dce640f74e7a720d2663bbcad05a022471937161b3c94d0276bbf1eb69f1b" score = 75 
@@ -96132,36 +96402,36 @@ rule MALPEDIA_Elf_Mirai_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4a94410d-6aba-512a-9a6d-b6363b222e3b" - date = "2026-01-05" - modified = "2026-01-06" + id = "dfd324ab-3884-55bd-a95c-3bb92553cda0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.mirai_auto.yar#L1-L109" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.mirai_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "95cccaf1db437d04c6a57d106a32e35fecc8afe8a0ffd0ae0c2e8cb3aa402bb4" + logic_hash = "e2e7693ad9a3cb1569f8d0c25c2d84e001f8490aebf2a17804ba9c0f26975142" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66894104 7406 66c741064000 c6410911 } - $sequence_1 = { c1ea03 89d0 c1e005 01d0 89ca 29c2 } - $sequence_2 = { 66c1e808 d0e8 8d04c0 28c2 } - $sequence_3 = { e9???????? e8???????? 66894304 e9???????? } - $sequence_4 = { 6689432a e8???????? c7433400000000 894330 c6433801 c6433903 c6433a03 } - $sequence_5 = { 8b1408 895310 8b54080c 66895314 } - $sequence_6 = { 89d0 c1e005 01d0 89ca } - $sequence_7 = { 3c19 7705 8d42e0 8801 } - $sequence_8 = { c1e005 01d0 89ca 29c2 } - $sequence_9 = { e9???????? e8???????? 66894314 e9???????? } + $sequence_0 = { e9???????? e8???????? 66894314 e9???????? 
} + $sequence_1 = { 66c1e808 d0e8 8d04c0 28c2 } + $sequence_2 = { c1ea03 89d0 c1e005 01d0 89ca } + $sequence_3 = { c1e005 01d0 89ca 29c2 } + $sequence_4 = { 807c242b00 66894304 7406 66c743064000 c643092f } + $sequence_5 = { c7433400000000 894330 c6433801 c6433903 } + $sequence_6 = { c1ea03 89d0 c1e005 01d0 89ca 29c2 } + $sequence_7 = { 66c1c808 807c242b00 66894304 7406 66c743064000 c643092f } + $sequence_8 = { 894330 c6433801 c6433903 c6433a03 c6433b06 } + $sequence_9 = { 6689432a e8???????? c7433400000000 894330 } condition: 7 of them and filesize < 2228224 
@@ -96171,96 +96441,133 @@ rule MALPEDIA_Win_Remexi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a43f5f53-342c-554e-8dee-8b775f5bb787" - date = "2026-01-05" - modified = "2026-01-06" + id = "d8633079-b621-5520-8ad7-535ada6d6eda" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.remexi_auto.yar#L1-L285" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.remexi_auto.yar#L1-L269" license_url = "N/A" - logic_hash = "9706deaac2e1169c2e84699b44e0890d8108f6f9e0cb051afcf90fb12b3b28d6" + logic_hash = "a9e8da1b3a009686668e2d3e1da19dafc09f7beeddc307847ba66c59fe4b8748" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 56 c706ffffffff e8???????? 83c404 } - $sequence_1 = { 890d???????? 68???????? 41 50 a3???????? c705????????02000000 890d???????? } - $sequence_2 = { 68???????? 50 ff15???????? 8b0d???????? 8b35???????? 890d???????? 68???????? } - $sequence_3 = { 6a10 8d4ddc 8bf0 51 } - $sequence_4 = { 6a00 6a02 c785ccfeffff28010000 ff15???????? } - $sequence_5 = { 5f c3 56 ff15???????? 57 8b3d???????? } - $sequence_6 = { 8945e4 8945e8 b802000000 51 } - $sequence_7 = { 56 6824000100 50 57 ff15???????? } - $sequence_8 = { a3???????? c705????????02000000 890d???????? 
ffd6 6a00 6a00 6a00 } - $sequence_9 = { 6828010000 8d8dccfeffff 6a00 51 } - $sequence_10 = { 50 6a02 ff15???????? 6a10 8d4ddc } - $sequence_11 = { 7513 8b45d8 8b4818 8b5104 } - $sequence_12 = { 89470c 57 894710 ff15???????? 6a00 6a00 6a01 } - $sequence_13 = { c705????????ffffffff c705????????01000000 c705????????00000000 ffd6 83ffff } - $sequence_14 = { 52 6a00 68ffff1f00 ffd7 8bf0 } - $sequence_15 = { 015518 8b5d14 85db 0f8565fbffff } - $sequence_16 = { 488d542450 488d4c2420 e8???????? 488d442420 4889442440 488d542420 } - $sequence_17 = { 015330 41 894b0c e9???????? } - $sequence_18 = { 488bc3 c60000 44897320 41b901000000 488d1529f30100 488bcf } - $sequence_19 = { 016b24 89e8 83c44c 5b } - $sequence_20 = { 4898 4885c0 7515 4883fb06 7305 } - $sequence_21 = { 015930 3b542408 0f8d10ffffff 8d3c52 } - $sequence_22 = { 488bcf e8???????? 4885db 0f8428010000 48837f1810 7227 } - $sequence_23 = { 7468 48c74424380f000000 48897c2430 c644242000 4983c9ff } - $sequence_24 = { 015330 e9???????? 8b5314 3b5318 0f8d23020000 } - $sequence_25 = { 014b30 bf???????? b903000000 8b742418 } - $sequence_26 = { e8???????? 48837f1810 48895f10 7205 488b07 eb03 } - $sequence_27 = { c3 4053 4883ec20 488d0d73340100 ff15???????? 488d1586340100 } - $sequence_28 = { 015330 8a10 eb84 8a5001 } - $sequence_29 = { 016b04 83c41c 5b 5e } - $sequence_30 = { 0f8540010000 488d1583310100 488bcb e8???????? 4c8bf0 4885c0 0f8421010000 } + $sequence_1 = { 50 ff15???????? 8b0d???????? 8b35???????? 890d???????? } + $sequence_2 = { ff15???????? 6a10 8d4ddc 8bf0 51 56 ff15???????? } + $sequence_3 = { 41 50 a3???????? c705????????02000000 890d???????? ffd6 } + $sequence_4 = { e8???????? 83ec1c 8bcc 89642430 6aff 53 } + $sequence_5 = { 8945e8 b802000000 51 668945dc } + $sequence_6 = { 8b45d8 8b4818 8b5104 50 8955e0 } + $sequence_7 = { 8907 894704 894708 6a01 89470c } + $sequence_8 = { ff15???????? 8bf0 85f6 7513 8b45d8 } + $sequence_9 = { 53 50 ff15???????? 3dffffff00 } + $sequence_10 = { 53 83cbff 57 8b3d???????? 
} + $sequence_11 = { c705????????ffffffff c705????????01000000 c705????????00000000 ffd6 83ffff 7407 } + $sequence_12 = { 8945e0 8945e4 8945e8 b802000000 } + $sequence_13 = { 014b30 bf???????? b903000000 8b742418 } + $sequence_14 = { 488d058da00100 c3 4053 4883ec20 488bd9 488d0d7ca00100 483bd9 } + $sequence_15 = { 015330 41 894b0c e9???????? } + $sequence_16 = { 015330 e9???????? 8b5314 3b5318 0f8d23020000 } + $sequence_17 = { 015930 3b542408 0f8d10ffffff 8d3c52 } + $sequence_18 = { 488b8c24a0000000 e8???????? 48c78424b80000000f000000 4c89bc24b0000000 c68424a000000000 } + $sequence_19 = { 488b4c2470 e8???????? 48c78424880000000f000000 48c784248000000000000000 c644247000 41b806000000 488d151b3d0200 } + $sequence_20 = { 016b04 83c41c 5b 5e } + $sequence_21 = { 488d15c7780200 480f45d0 881f 381a 740e 4883cbff 90 } + $sequence_22 = { 015518 8b5d14 85db 0f8565fbffff } + $sequence_23 = { 488b09 488d41ff 4883f8fd 7714 ff15???????? 85c0 750a } + $sequence_24 = { 015330 8a10 eb84 8a5001 } + $sequence_25 = { 7532 b902010209 e8???????? 
90 48837b1810 7208 } + $sequence_26 = { 438d0401 4c8d1d31490100 418bca 99 2bc2 } + $sequence_27 = { 016b24 89e8 83c44c 5b } + $sequence_28 = { 488b01 8a08 880a 33c9 488d1c32 4c8d05c71a0100 } condition: 7 of them and filesize < 614400 } +rule MALPEDIA_Win_Ashen_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "0fc5b2f9-aec1-5a06-bfaa-a6b158587020" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ashen" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ashen_auto.yar#L1-L121" + license_url = "N/A" + logic_hash = "d3c0aa4d4ef3923d3818ee23b8448c766cdcf2447bd25b0bc5e88ebd1c918d67" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 488bc1 4c8d15d6a0feff 4983f80f 0f870c010000 666666660f1f840000000000 } + $sequence_1 = { ba00080000 b940000000 ff15???????? 488b4dd8 488bd8 } + $sequence_2 = { 41ffc2 8d0c92 03c9 2bc1 4898 } + $sequence_3 = { 488b01 488b5050 ffd2 85c0 0f88eafeffff 488b4d28 488b01 } + $sequence_4 = { 48ffc1 e8???????? 488bd3 488bc8 488bf8 e8???????? 4863d8 } + $sequence_5 = { 488bc1 4c8d15d6a0feff 4983f80f 0f870c010000 666666660f1f840000000000 478b8c8250ff0100 4d03ca } + $sequence_6 = { 488bce e8???????? 488bd8 4885c0 746b 482bde } + $sequence_7 = { 4c8d050d3b0100 488d150e3b0100 e8???????? 
8bcb 4885c0 } + $sequence_8 = { 488d7b38 488d05d24b0100 483947f0 741a 488b0f 4885c9 } + $sequence_9 = { 488b07 4c8b80a0000000 41ffd0 85c0 } + + condition: + 7 of them and filesize < 348160 +} rule MALPEDIA_Win_Nokoyawa_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5fa67854-5271-511e-bc7c-fd346224ae86" - date = "2026-01-05" - modified = "2026-01-06" + id = "3efcc07f-e3b6-54eb-8699-5f22617d2f80" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nokoyawa_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nokoyawa_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "d0e099f2b3c7d0be14ed25c33931a83caac7b50df6157dc4628f695a1c582f8e" + logic_hash = "5dad59cd3af209cfed4997d22aad606c81681470c137ef79e7ca231793b096fc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 88040a 8b442420 83c010 4898 8b4c2420 83c12c 4863c9 } - $sequence_1 = { e8???????? 488905???????? c744243000000000 eb0a 8b442430 ffc0 89442430 } - $sequence_2 = { 89448c30 4863442420 8b4c2420 c1e102 } - $sequence_3 = { c1e01e 8b4c2408 c1e902 0bc1 89442408 33c0 85c0 } - $sequence_4 = { 33d2 488b442430 488b4850 e8???????? 
} - $sequence_5 = { 8bca 8b942438010000 03d1 8bca 8d84089979825a 8b4c2410 } - $sequence_6 = { 85c0 7411 488b542468 488b4c2460 e8???????? eb0a 488b4c2460 } - $sequence_7 = { 486bc000 488b4c2440 8b542420 39540114 7326 b804000000 486bc001 } - $sequence_8 = { e8???????? 85c0 742a 4c8b8c24c8000000 4c8b8424c0000000 488b9424b8000000 } - $sequence_9 = { c644242b61 c644242c6e c644242d64 c644242e20 c644242f31 c644243036 c64424312d } + $sequence_0 = { 85c0 7414 4c8d442428 488b542460 488b4c2460 e8???????? eb86 } + $sequence_1 = { 0bc1 89442404 33c0 85c0 0f8541ffffff b804000000 486bc000 } + $sequence_2 = { 0bc1 898424a4000000 b804000000 486bc00f 8b8c24a4000000 894c0420 8b442408 } + $sequence_3 = { 898424dc000000 b804000000 486bc00d 8b8c24dc000000 894c0420 8b44240c 8b4c2408 } + $sequence_4 = { 8b4c240c c1e902 0bc1 8944240c 33c0 85c0 0f8528ffffff } + $sequence_5 = { 0bd1 8bca 8b94248c000000 03d1 8bca 8d8408a1ebd96e 8b4c2414 } + $sequence_6 = { 8bc1 8b4c2404 8b542414 23d1 8bca 0bc8 8bc1 } + $sequence_7 = { 8b0424 488b4c2420 833c8100 7402 eb0a 8b0424 ffc0 } + $sequence_8 = { 488b442430 488b4848 e8???????? 488b4c2430 e8???????? 488d05e1760000 } + $sequence_9 = { 8b542408 c1e205 0bd1 8bca 8b542474 03d1 8bca } condition: 7 of them and filesize < 92160 
@@ -96270,36 +96577,36 @@ rule MALPEDIA_Win_Zenar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "33657347-5dc4-5466-88de-08ba2a4ff542" - date = "2026-01-05" - modified = "2026-01-06" + id = "15f4f19e-93d0-543d-b13f-3732f71299df" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zenar_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zenar_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "b1dde475bc16460bb8f7878e012acfd9a678e7c83f20d6fc1c96df7645d0898c" + logic_hash = "12fedde670fd3740a00bd9e0c9f8d52e18015072cb065854a4696b910eb92176" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4d8c 51 50 e8???????? 59 } - $sequence_1 = { 751a 83f8ff 740f 83f8fe 740a 6bcf38 030c9598ae4300 } - $sequence_2 = { 83c801 50 6800000080 ff7508 e8???????? 5d } - $sequence_3 = { 56 ff7508 e8???????? 83c40c e9???????? 8b048d98ae4300 807c022800 } - $sequence_4 = { 68???????? eb0c 68???????? eb05 68???????? e8???????? 39be90000000 } - $sequence_5 = { 8bf1 57 ff750c 33ff 8975fc 8d4e0c c706???????? } - $sequence_6 = { c3 6857000780 68???????? 8d4df0 e8???????? 68???????? 
8d45f0 } - $sequence_7 = { 8945fc 56 ff750c 8b7508 8d45fa 50 8975c8 } - $sequence_8 = { 3bfe 72f3 33c0 66890472 8bc3 } - $sequence_9 = { 48 6a5c 5e 8d0442 eb0d 6683f92f 740f } + $sequence_0 = { 85c9 740c 8b01 51 ff5008 899f90000000 } + $sequence_1 = { e8???????? 83c420 8bf0 c645fc02 ffd7 50 56 } + $sequence_2 = { 83e801 0f8595010000 c745e484cc4200 e9???????? 894de0 c745e484cc4200 e9???????? } + $sequence_3 = { 8935???????? 8935???????? e8???????? 8b45ec c705????????03000000 c705????????24000000 } + $sequence_4 = { 8944242c ff15???????? 6800040000 8bf0 8d84248c040000 6a00 50 } + $sequence_5 = { ff7514 e8???????? 59 c9 c21400 55 } + $sequence_6 = { 68???????? c785b8f7ffff00000000 c785bcf7ffff0f000000 c685a8f7ffff00 } + $sequence_7 = { 85f6 750a 8bc7 e8???????? c20c00 8d45d8 53 } + $sequence_8 = { 83c420 8bf0 c645fc05 ffd7 50 56 8d8d40ffffff } + $sequence_9 = { 33c0 c785c0feffff00000000 68???????? c785c4feffff07000000 668985b0feffff e8???????? 8d8580feffff } condition: 7 of them and filesize < 519168 
@@ -96309,36 +96616,36 @@ rule MALPEDIA_Win_Mulcom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "796c69f9-5b53-545d-88e3-bfd165a4b278" - date = "2026-01-05" - modified = "2026-01-06" + id = "09655f2b-d953-5d03-baa9-575581128519" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mulcom_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mulcom_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "2762a73c90997100242e2050e0b97b2b7a616be77c2385bca6805b6497e289e6" + logic_hash = "9733e7a9e4e5437ee5a80cbfac6cb397c8e493e73025651b189b9c886e64a155" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? b801000000 488b8d70050000 4833cc e8???????? 4c8d9c2480060000 498b5b28 } - $sequence_1 = { 488d4b27 4883c8ff 483bcb 480f46c8 e8???????? 488bc8 4885c0 } - $sequence_2 = { 488d4398 483bc6 75c8 488b5c2430 488b4c2440 482bcb 48b80dc3300cc3300cc3 } - $sequence_3 = { 0f86cd000000 8bc6 4c8d3440 4c8b7c2438 4c8d4dff } - $sequence_4 = { 488b03 48634804 4803cb 4533c0 8bd7 e8???????? 90 } - $sequence_5 = { 488d4c2440 e8???????? 488d5530 48837d4810 480f435530 8b5d40 448bc3 } - $sequence_6 = { eb73 4c8d442430 ba0e000000 488bcf ff15???????? 
85c0 750b } - $sequence_7 = { 55 488bec 4883ec70 488b05???????? 4833c4 488945f0 488955d0 } - $sequence_8 = { 498b4110 d020 c3 81fa80000000 731e 4183f804 7318 } - $sequence_9 = { 751f 488b0d???????? 488d1d55e80200 483bcb 740c e8???????? 48891d???????? } + $sequence_0 = { 83b97004000002 0f8493010000 83cfff 488d2d8b2f0200 897350 89732c e9???????? } + $sequence_1 = { 488b8188000000 488d8810020000 83b81807000005 480f45cf 48894dc0 8b1a 4c8b4a08 } + $sequence_2 = { 488955b7 48894daf 8a456f 88442430 488b7577 4c8b757f } + $sequence_3 = { e9???????? 488d8a90000000 e9???????? 488d8a70010000 e9???????? 488b8a70000000 e9???????? } + $sequence_4 = { 89542430 488d1575e40300 4489542428 44895c2420 e8???????? 488bc3 488b4df0 } + $sequence_5 = { 443be5 7c07 453bdd 450f4cc1 488b5c2440 } + $sequence_6 = { ff5030 488d55bf 488d4ddf e8???????? 488b55d7 4883fa10 } + $sequence_7 = { 4288bc0592010000 49ffc0 4983c104 4584d2 75ba 4584d2 } + $sequence_8 = { 448938 488d0586e50400 488907 4c897f68 896f70 498bc6 488b5c2478 } + $sequence_9 = { 7227 488d4e27 483bce 490f46cc e8???????? 4885c0 0f8415010000 } condition: 7 of them and filesize < 867328 
@@ -96348,36 +96655,36 @@ rule MALPEDIA_Win_Snowflake_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f7453706-1ba2-5bd7-a0a7-c5c6de296895" - date = "2026-01-05" - modified = "2026-01-06" + id = "c0b96cf9-e624-56f3-823a-f283f32ffd30" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snowflake_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.snowflake_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snowflake_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "c1c0789100e95962556dcffebd1be08f13443b80c1f6c738a94979e3119de2a7" + logic_hash = "eb4c7359191bec957d1c92cb77cda613c742d7f8051b1e8b99c514eca893bd9b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff750c 6a5c 53 e8???????? 8b6c2448 56 ff7504 } - $sequence_1 = { ff742428 e8???????? 83c414 eb88 3dab000000 7530 837c243400 } - $sequence_2 = { ff3408 ff742444 e8???????? 8b7c2440 83c414 89442410 85c0 } - $sequence_3 = { e8???????? 59 59 8b4c243c 85c9 7409 51 } - $sequence_4 = { ff7640 e8???????? 83c42c 85c0 7533 6a08 8d442418 } - $sequence_5 = { ff742444 ff742440 50 e8???????? 8bf0 83c414 85f6 } - $sequence_6 = { c744240c01000000 eb08 3c2b 0f8593000000 46 8a0e 0fb6c1 } - $sequence_7 = { e8???????? 
59 59 85c0 7507 8b4510 2138 } - $sequence_8 = { c744240800000000 29f1 89c6 1b7c2414 f7de c1fe1f 01f1 } - $sequence_9 = { ff743234 ff7524 ff742428 53 e8???????? 8b542428 83c414 } + $sequence_0 = { e8???????? 83c40c eb14 f30f7e00 f20f104808 f20f114c1008 660fd60410 } + $sequence_1 = { f3a5 66899880000000 66899082000000 8d8c24b0000000 832000 e8???????? e9???????? } + $sequence_2 = { f7472400100000 740c ff36 e8???????? 59 85c0 7504 } + $sequence_3 = { f644242407 5f 5e 5d 5b 740a ff74241c } + $sequence_4 = { f20f108424c0000000 f20f108c24c8000000 8d8c2490000000 8d7c2418 896f08 f20f114908 f20f1101 } + $sequence_5 = { e9???????? 89f9 8d9424a4000000 e8???????? 807c243809 0f844ffdffff 8dbc2400010000 } + $sequence_6 = { ff74241c e8???????? e9???????? f6450408 8b4d1c 745c 8b9c24b4000000 } + $sequence_7 = { ff700c 57 e8???????? 83c40c 8b442450 8b4c2434 49 } + $sequence_8 = { f6c301 750f c6463800 eb09 f6c301 0f84903c0000 b101 } + $sequence_9 = { ff15???????? 688cb50000 ff761c 68???????? 50 680a180000 894614 } condition: 7 of them and filesize < 6196224 
@@ -96387,36 +96694,36 @@ rule MALPEDIA_Win_Udpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c21182e3-9948-53fb-ba16-989de2eeeef7" - date = "2026-01-05" - modified = "2026-01-06" + id = "038e4775-6bed-53fc-8d9b-799c1b1ca9c2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.udpos_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.udpos_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "fe240fae257bb918a1862a5669b32e668e7cda4beef5a9f9bbf562c291941f24" + logic_hash = "607b779683ee1c2102e62c5fb6ec21a3f6ff834ce0823989194cfb03af34d208" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c414 8d55c4 52 ffd7 } - $sequence_1 = { 53 56 52 ffd7 } - $sequence_2 = { 83c408 3bf3 7ea8 8b5d08 2bde } - $sequence_3 = { 8985f4feffff 8985f8feffff 3905???????? 7e09 a1???????? 8b30 eb06 } - $sequence_4 = { 7510 c78598feffff01000000 8b9d98feffff 47 83fb01 75b4 85db } - $sequence_5 = { 8b8110020000 301408 8b9110020000 0fb6140a } - $sequence_6 = { 83c40c 57 6a02 ff15???????? 8d8dd0fdffff 8bf0 } - $sequence_7 = { 51 a3???????? e8???????? 83c40c 68ff000000 8d95fcfdffff 52 } + $sequence_0 = { ffd6 c705????????01000000 68fe010000 53 68???????? } + $sequence_1 = { 6a00 50 e8???????? 
6a29 8d8d6cffffff 6a00 51 } + $sequence_2 = { 0f841a010000 8d85d4fbffff 50 8d8ddcfbffff 51 } + $sequence_3 = { 8a4c0df0 4e 880e 8bc8 } + $sequence_4 = { 8b8da4feffff 88540101 79da 8b4dfc 33cd e8???????? 8be5 } + $sequence_5 = { b903000000 2bcf 0fb63c06 03c9 03c9 } + $sequence_6 = { 8bff 660fbe1431 6689944d5cf5ffff 41 3bc8 7cee 33c9 } + $sequence_7 = { 3bc8 7cee 33c9 6a64 51 8d95b4f7ffff 52 } $sequence_8 = { 53 e8???????? 83c404 8b95e4fbffff 52 ff15???????? 5b } - $sequence_9 = { 83e60f 0fb65c35e8 0fb671fd 8858fd } + $sequence_9 = { 3bc3 7443 68???????? 899dc4fbffff } condition: 7 of them and filesize < 163840 
@@ -96426,36 +96733,36 @@ rule MALPEDIA_Win_Nautilus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "77d46a5b-ac0a-5fed-b7dc-730469f1a198" - date = "2026-01-05" - modified = "2026-01-06" + id = "12b63073-89cd-53ef-a8ce-aa8e16743d23" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nautilus_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nautilus_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "75449a89b7fb4754deadb905e528b81ef0ad7c932b9a665933340397cfc77449" + logic_hash = "77958bdbf06b9c7e86d771c8b09dd74435c29e435d9ecf2b197ccdea69a21688" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? eb0b 0f28ce 488bcb e8???????? 660f2efe 7a02 } - $sequence_1 = { e8???????? 410fb7445c0a 498bce 0fb61406 448b0487 e8???????? 410fb7445c0c } - $sequence_2 = { e9???????? 413bfc 0f84c7000000 41be20000000 eb09 413bfc 0f84b6000000 } - $sequence_3 = { f20f5ccd eb08 f20f59ce f20f58ce 4885d2 7407 0f570d???????? } - $sequence_4 = { eb19 443bc3 7f14 c1e917 4103c8 3bd9 7f0a } - $sequence_5 = { 85c0 751b 488d4b18 8d5001 e8???????? 
85c0 750b } - $sequence_6 = { 7459 41ffca 740a b800bfffff 4883c458 c3 488b842498000000 } - $sequence_7 = { 7520 488d7eff 488d55b0 488d4dc8 4885ff 756b e8???????? } - $sequence_8 = { 83f815 0f842b010000 83f816 74ba 83f817 745e 7e3c } - $sequence_9 = { 7424 bafeffff7f 33c9 e8???????? 8bcb 8bd0 488b4730 } + $sequence_0 = { ba0a000000 488bcb e8???????? 488bcb e8???????? 4885ff 0f8542ffffff } + $sequence_1 = { e8???????? 443bf6 7646 4d8b4d38 4c8b45e7 488d55df 4889542430 } + $sequence_2 = { 85c0 0f85ad000000 4c8bc6 488bd3 488bcb e8???????? e9???????? } + $sequence_3 = { e9???????? 4983c202 4d3bd3 0f8406ffffff 418a4a01 84c9 750e } + $sequence_4 = { 3da0010000 0f87e2000000 40f6c707 0f85d8000000 488d5948 488d1503370400 41b800100000 } + $sequence_5 = { ba01000000 41b800020000 e8???????? 488907 488d4310 488b5c2430 4883c420 } + $sequence_6 = { eb03 418bca 4863c2 4863c9 488d14c8 420fbe940aa0e50700 c1fa04 } + $sequence_7 = { 8a4742 a840 7420 24bf 884742 488b5c2430 488b6c2438 } + $sequence_8 = { 41bf01000000 488b4b10 ff15???????? 4585ff 7509 418d7f14 e9???????? } + $sequence_9 = { 85c0 7508 8d4603 e9???????? 488d55e0 488d0db0e00500 e8???????? } condition: 7 of them and filesize < 1302528 
@@ -96465,36 +96772,36 @@ rule MALPEDIA_Win_Ralord_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "55aeafd0-036d-55da-b447-46a69b58ad1c" - date = "2026-01-05" - modified = "2026-01-06" + id = "8f3a6578-91a7-5024-89bf-18f109157cdf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ralord" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ralord_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ralord_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "0ae32be56308293e8dfe3d78f9cfa5ac160d76644a256ed6b1f7ab39bfe6b399" + logic_hash = "d43461015f8e50fb26d9df4c96d2c71c5033b8d47331e6463c6ace60b20aa4c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7473 66813e4250 488d05d0a30100 7465 66813e5246 488d05c1a30100 7457 } - $sequence_1 = { 490b8818080000 756c 4c89c1 4889c6 e8???????? 4889f0 eb5c } - $sequence_2 = { 4929d0 0f82c9000000 4939fc 0f87d2000000 4c01f2 4889f1 e8???????? 
} - $sequence_3 = { 4801f0 4829d0 4839f0 0f83bb020000 4d8d7b01 410fb60406 4138040e } - $sequence_4 = { 48837d2000 7406 807d2f00 7409 4883c428 5b 5f } - $sequence_5 = { 752a 488b4e20 488b4628 488d15522b0100 41b801000000 ff5018 89c1 } - $sequence_6 = { 0f80de010000 4839fa 7550 4c8b4dd0 4c89c8 48f7d8 0f80c9010000 } - $sequence_7 = { 4889f1 eb27 89442430 488d0551850200 4889442420 488d15a0850200 488d4c2440 } - $sequence_8 = { 488d0daf640100 ba10000000 e8???????? 41b601 84c0 0f85b7000000 48c70600000000 } - $sequence_9 = { 400f90c6 430fb6141a 83c2d0 83fa09 0f87aa090000 } + $sequence_0 = { 488945a0 48c745a801000000 48c745b008000000 0f57c0 0f1145b8 488d15cf400200 488d4da0 } + $sequence_1 = { e8???????? 4885f6 0f94c0 08c3 0f84ddfcffff e8???????? 4885c0 } + $sequence_2 = { c3 488d05a3570100 488945d0 48c745d801000000 48c745e008000000 0f57c0 0f1145e8 } + $sequence_3 = { 488d4df8 48894c2428 488d0d27670200 48894c2420 488d155b670200 41b808000000 4889c1 } + $sequence_4 = { 0fb645e0 4885c9 0f8443020000 0fb6c0 0fb655e7 c1e210 440fb745e5 } + $sequence_5 = { ba04000000 4883da00 4c01c2 4c8945b0 488955b8 } + $sequence_6 = { cd29 0f0b 488b4530 488b00 4885c0 7406 488b4d20 } + $sequence_7 = { 7518 eb34 48894520 4885c9 742b 666666662e0f1f840000000000 41b802000000 } + $sequence_8 = { 0f80de010000 4839fa 7550 4c8b4dd0 4c89c8 48f7d8 0f80c9010000 } + $sequence_9 = { ba28000000 e8???????? eb11 488b4dc8 488b55d0 c645ff00 e8???????? } condition: 7 of them and filesize < 798720 
@@ -96508,7 +96815,7 @@ rule MALPEDIA_Win_Hermes_Ransom_Auto : FILE date = "2021-10-07" modified = "2021-10-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hermes_ransom_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hermes_ransom_auto.yar#L1-L125" license_url = "N/A" logic_hash = "2bb9637b7e3ee9fcdd4e957eade001e8c8132e1b7c987ea6727ab44eda025915" score = 75 
@@ -96543,71 +96850,74 @@ rule MALPEDIA_Win_Ryuk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "63f1751f-d521-53f6-9b97-173de48e208c" - date = "2026-01-05" - modified = "2026-01-06" + id = "75cb4b40-711f-5b5a-862d-9387c9bf7d28" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ryuk_auto.yar#L1-L403" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ryuk_auto.yar#L1-L430" license_url = "N/A" - logic_hash = "4db40c45399c6db29cb64a2d888825a95bd14e7ba242fbbfeb5e1735cc3c9e5b" + logic_hash = "f14ed999d7ba109b133508addf88d74c1277ef9ae6d42a80308ce488a3b7811b" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 68???????? 6a01 6a00 6814010000 } - $sequence_1 = { ff15???????? 85c0 7508 6a01 ff15???????? 68???????? 6a01 } - $sequence_2 = { 6a08 6a18 68???????? 68???????? 68???????? ff15???????? 85c0 } - $sequence_3 = { 81b8????????50450000 754c b90b010000 66398818000035 } - $sequence_4 = { b90b010000 66398818000035 753e 8b4508 } - $sequence_5 = { ff15???????? 85c0 7407 b801000000 eb0b eb04 } - $sequence_6 = { e8???????? 68e8030000 ff15???????? 68???????? e8???????? 
} - $sequence_7 = { b801000000 eb0b eb04 33c0 eb05 b801000000 } - $sequence_8 = { c1e100 817c0dd8ff000000 0f8696000000 ba04000000 6bc200 } - $sequence_9 = { 99 89459c 8955a0 8b55a0 3b55f8 0f870b020000 } - $sequence_10 = { eb09 8b45f0 83c001 8945f0 8b45f0 99 8b4d08 } - $sequence_11 = { 50 8b4de8 0fb6512c 52 e8???????? } - $sequence_12 = { c1e200 8b45fc c6041000 c745d800000000 c745dc00000000 c745e000000000 } - $sequence_13 = { ff15???????? b811000000 e9???????? e9???????? } - $sequence_14 = { 6a00 6814010000 ff7508 ff35???????? ff15???????? } - $sequence_15 = { ff15???????? 833d????????00 6a10 6a18 } + $sequence_1 = { 85c0 7508 6a01 ff15???????? 68???????? 6a01 } + $sequence_2 = { 6a08 6a18 68???????? 68???????? 68???????? } + $sequence_3 = { 66398818000035 753e 8b4508 b9???????? } + $sequence_4 = { 85c0 7525 6a08 6a18 } + $sequence_5 = { 68???????? ff15???????? 85c0 7578 6a10 } + $sequence_6 = { a1???????? 81b8????????50450000 754c b90b010000 66398818000035 753e } + $sequence_7 = { e8???????? 68e8030000 ff15???????? 68???????? e8???????? } + $sequence_8 = { 7407 b801000000 eb0b eb04 33c0 } + $sequence_9 = { 3b4508 735f 8b4d08 2b4df4 394dfc } + $sequence_10 = { 720e 8b4dac 8b5594 3b11 } + $sequence_11 = { 33d2 b908000000 f7f1 8955f4 c745f800000000 } + $sequence_12 = { 0fb60c10 b8ff000000 2bc1 c1e008 c1e008 99 } + $sequence_13 = { 51 6a01 68???????? e8???????? 83c410 } + $sequence_14 = { 394dfc 7312 ba01000000 8b4dfc d3e2 0b55f8 } + $sequence_15 = { ff15???????? b811000000 e9???????? e9???????? } $sequence_16 = { 7407 48 85c0 7ff0 } - $sequence_17 = { ff15???????? b803000000 eb05 b805000000 } - $sequence_18 = { 751b ff35???????? ff35???????? 6a01 68???????? e8???????? } - $sequence_19 = { 2bf0 33c0 66890473 83ffff } - $sequence_20 = { 56 ff15???????? 8bcb 8d5102 } - $sequence_21 = { eb0b 8bc1 99 f7fe } - $sequence_22 = { 7212 81f9d0070000 770a 85d2 } - $sequence_23 = { 85d2 7714 7212 81f9d0070000 } - $sequence_24 = { e8???????? 
488bc3 4883c430 5b c3 48895c2408 48896c2410 } - $sequence_25 = { f3a4 8d7afe 668b4702 8d7f02 } - $sequence_26 = { 68???????? 53 d1fe e8???????? 83c408 8d5002 } - $sequence_27 = { 4883c428 c3 48895c2408 57 4883ec30 8364242000 b908000000 } - $sequence_28 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 } - $sequence_29 = { d1fa 2bca 33c0 6689444bfe e9???????? } - $sequence_30 = { 488b7c2408 498bc1 c3 4053 4883ec20 8bc1 498bd8 } - $sequence_31 = { 6685c0 75f5 8d7bfe 2bd6 8d5f02 668b4702 } - $sequence_32 = { 2bd6 8d5f02 668b4702 83c702 6685c0 75f4 } - $sequence_33 = { 6685c9 75f5 2bf2 68???????? 53 d1fe } - $sequence_34 = { 7510 488bcb ff15???????? b802000000 } - $sequence_35 = { 4533c0 c744242003000000 ba00000040 ff15???????? 488bd8 ff15???????? } - $sequence_36 = { 8bc1 2bc2 d1e8 03c2 c1e806 6bc05a } - $sequence_37 = { 7516 66837f0254 750f 66837f0641 7508 } - $sequence_38 = { 488bf8 4885c0 7410 ff15???????? } - $sequence_39 = { 48897c2430 488d4c2440 c744242802000000 4533c9 4533c0 c744242003000000 ba00000040 } - $sequence_40 = { 8b5c3050 ff15???????? 41b900300000 c744242040000000 } - $sequence_41 = { e8???????? 488bcf ff15???????? 8d4301 e9???????? } - $sequence_42 = { ff15???????? 66833f4e 7516 66837f0254 } - $sequence_43 = { 41b900300000 c744242040000000 448bc3 488bd6 } - $sequence_44 = { 84c0 746c e8???????? 488d0d63080000 e8???????? } + $sequence_17 = { 6a00 6814010000 ff7508 ff35???????? ff15???????? } + $sequence_18 = { ff35???????? ff15???????? 833d????????00 6a10 } + $sequence_19 = { 751b ff35???????? ff35???????? 6a01 } + $sequence_20 = { 2bf0 33c0 66890473 83ffff } + $sequence_21 = { ff15???????? b803000000 eb05 b805000000 } + $sequence_22 = { 85d2 7714 7212 81f9d0070000 770a } + $sequence_23 = { 56 ff15???????? 8bcb 8d5102 } + $sequence_24 = { eb0b 8bc1 99 f7fe } + $sequence_25 = { 8d7bfe 2bd6 8d5f02 668b4702 83c702 6685c0 75f4 } + $sequence_26 = { 2bf2 68???????? 53 d1fe e8???????? 
83c408 8d5002 } + $sequence_27 = { 66f3ab 488b7c2408 498bc1 c3 4053 4883ec20 8bc1 } + $sequence_28 = { d1fa 2bca 33c0 6689444bfe e9???????? } + $sequence_29 = { 4883c020 4883c428 c3 48895c2408 57 4883ec30 8364242000 } + $sequence_30 = { 668b02 83c202 6685c0 75f5 8d7bfe } + $sequence_31 = { 488bc3 4883c430 5b c3 48895c2408 48896c2410 4889742418 } + $sequence_32 = { 83c602 6685c9 75f5 2bf2 68???????? 53 } + $sequence_33 = { 8bc8 83e103 f3a4 8d7afe 668b4702 8d7f02 } + $sequence_34 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 } + $sequence_35 = { e8???????? 99 2bc2 d1f8 85c0 } + $sequence_36 = { 8bd9 ba32000000 488d4c2440 ff15???????? 33ff } + $sequence_37 = { 48897c2430 488d4c2440 c744242802000000 4533c9 4533c0 c744242003000000 ba00000040 } + $sequence_38 = { 66833f4e 7516 66837f0254 750f 66837f0641 7508 } + $sequence_39 = { 4889442420 4c8bc6 488bd3 488bcf ff15???????? } + $sequence_40 = { 8bc8 8905???????? e8???????? b988130000 8bd8 ff15???????? } + $sequence_41 = { ff15???????? 41b900300000 c744242040000000 448bc3 488bd6 488bcf } + $sequence_42 = { 33c9 ff15???????? 448b442468 33d2 b9ffff1f00 ff15???????? } + $sequence_43 = { ff15???????? 83f820 7510 488bcb } + $sequence_44 = { 8bc1 2bc2 d1e8 03c2 c1e806 6bc05a } + $sequence_45 = { 746c e8???????? 488d0d63080000 e8???????? e8???????? } + $sequence_46 = { 44896c2448 418d45ff 0fb68c82d2d10100 0fb6b482d3d10100 8bd9 8bf8 } + $sequence_47 = { eb71 48c744243000000000 c744242800000000 488b442458 } condition: 7 of them and filesize < 7450624 
@@ -96617,36 +96927,36 @@ rule MALPEDIA_Win_Matrix_Banker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e56425b-5f6b-5ff1-8380-5d5609da8da8" - date = "2026-01-05" - modified = "2026-01-06" + id = "bab55a6d-2dcc-5afe-96e2-70a49215c103" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.matrix_banker_auto.yar#L1-L111" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.matrix_banker_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "c882b53f487e75c9405f3f1fd8e8a700ef1f2f55c75fbbd05eae09bdd19de300" + logic_hash = "f7f46da74e992b75a8679c2f80e84cb69176fe3f7580a4e67d17206df75d8a33" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 80f905 7705 80c2a9 eb0b 8d4abf 80f905 } - $sequence_1 = { 80f905 7704 04a9 eb0a } - $sequence_2 = { eb16 8d489f 80f905 7704 } - $sequence_3 = { 66890d???????? 66030d???????? 66890d???????? e8???????? 
} - $sequence_4 = { 8d48bf 80f905 7702 04c9 } - $sequence_5 = { 8d4abf 80f905 7703 80c2c9 } - $sequence_6 = { 8d489f 80f905 7704 04a9 } - $sequence_7 = { eb0a 8d48bf 80f905 7702 04c9 8d4ad0 80f909 } - $sequence_8 = { 04a9 eb0a 8d48bf 80f905 7702 } - $sequence_9 = { 80f905 7705 80c2a9 eb0b 8d4abf } + $sequence_0 = { 7705 80c2a9 eb0b 8d4abf } + $sequence_1 = { 7705 80c2a9 eb0b 8d4abf 80f905 7703 } + $sequence_2 = { 8d4a9f 80f905 7705 80c2a9 } + $sequence_3 = { 80f905 7704 04a9 eb0a } + $sequence_4 = { eb18 8d4a9f 80f905 7705 80c2a9 eb0b } + $sequence_5 = { 80f905 7705 80c2a9 eb0b 8d4abf 80f905 } + $sequence_6 = { 7705 80c2a9 eb0b 8d4abf 80f905 7703 80c2c9 } + $sequence_7 = { 80f905 7702 04c9 8d4ad0 80f909 } + $sequence_8 = { eb18 8d4a9f 80f905 7705 80c2a9 } + $sequence_9 = { 04a9 eb0a 8d48bf 80f905 7702 } condition: 7 of them and filesize < 422912 
@@ -96656,36 +96966,36 @@ rule MALPEDIA_Win_Sienna_Purple_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c3c6fac-b35f-5f08-8ac2-d022904e5031" - date = "2026-01-05" - modified = "2026-01-06" + id = "8f472cd6-bdb2-5139-b94c-106a2662100e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sienna_purple_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sienna_purple_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "8adbc4e03be709562af32b6e6ccf0666aff8c85f72382f2d72c386abf2d917ba" + logic_hash = "8c4e4b97a374adb59fce01582b86646d832e8c684fa39718b2059fd1028c8d1b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? c645fc05 e9???????? 83ff11 0f85b6000000 6a74 8d8560ffffff } - $sequence_1 = { 8955f8 894514 3b45dc 0f8c41ffffff 5f 5e 5b } - $sequence_2 = { 8d86d4000000 50 8d86fc000000 50 8d45dc 50 e8???????? } - $sequence_3 = { 8d4ddc e9???????? 8d4dc8 e9???????? 8d8d28ffffff e9???????? 8d8d14ffffff } - $sequence_4 = { 99 0bfe f7fb c1e708 0fb60c0a 8d4201 99 } - $sequence_5 = { e8???????? 8bf0 83c410 85f6 0f858b050000 c785b8ebffffe05e4300 eb24 } - $sequence_6 = { 8d8d98fdffff f7d8 1bc0 05b1040000 50 e8???????? 8d45d4 } - $sequence_7 = { e8???????? 
83c40c 85c0 0f85fa000000 50 8d45c8 50 } - $sequence_8 = { e8???????? e9???????? 0f57c0 c745e800000000 8d4dd0 660fd645e0 f30f7f45d0 } - $sequence_9 = { e8???????? 8b8d74feffff 8d855cffffff 53 50 e8???????? 8d85dcfeffff } + $sequence_0 = { c7833405000000000000 8b8b24050000 85c9 740f e8???????? c7832405000000000000 8d8b54010000 } + $sequence_1 = { eb6b 80f9ff 7566 807f01fe 7560 807f0200 755a } + $sequence_2 = { ff35???????? a3???????? ffd6 833d????????00 a3???????? 745a } + $sequence_3 = { c1e918 8845d6 884dd7 8b8d60ffffff 8bc1 c1e808 8845d9 } + $sequence_4 = { e8???????? 84c0 0f8499000000 85ff 7415 57 8d85f0feffff } + $sequence_5 = { d1ff 8bc7 897584 89bd6cffffff c7459c00000000 c7458c70105000 251f000080 } + $sequence_6 = { ba01000000 894608 8d04fd00000000 2bc7 c1e002 2bd8 8b4604 } + $sequence_7 = { e8???????? 33c0 85f6 0f855bffffff 85c0 740f 50 } + $sequence_8 = { c3 3d2d4f0000 7557 833d????????00 0f8599070000 50 e8???????? } + $sequence_9 = { e8???????? 83c40c ff75e0 e8???????? 83c404 8bc6 8b4df4 } condition: 7 of them and filesize < 2930688 
@@ -96695,36 +97005,36 @@ rule MALPEDIA_Win_Tendyron_Dropper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08b15c69-b6bb-5f67-94b5-3ede90043914" - date = "2026-01-05" - modified = "2026-01-06" + id = "c576ac00-7d4b-56e8-af71-3f7dc0929767" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tendyron_dropper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tendyron_dropper_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tendyron_dropper_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "94561d7c039213b2f4a4b8b35e59d5ff0543e6273d6a081dce691bd5357ae7eb" + logic_hash = "d4b918c926af3873c2636f059945fc04fb5d6de81022d27d743b1e276a754fca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6639430e 750f 6817070000 ff15???????? 33c0 } - $sequence_1 = { 81ec84000000 53 56 57 6a44 8bd8 } - $sequence_2 = { bf00200000 57 8945f0 e8???????? 59 6a00 57 } - $sequence_3 = { 85c0 7d0b 3b7d68 7501 } - $sequence_4 = { 56 33db 8d85b0feffff 53 50 e8???????? } - $sequence_5 = { 59 3bf3 0f84f3feffff 8b45fc 53 68d3000000 } - $sequence_6 = { 84c9 75f9 2bf2 8bce 8b75fc 33d2 f3a6 } - $sequence_7 = { 72ee 83f81e 77e9 833d????????00 } - $sequence_8 = { 68???????? c70614010000 ff15???????? 50 ff15???????? 
} - $sequence_9 = { 8a01 3429 0429 8801 41 4e } + $sequence_0 = { 68???????? 53 53 891d???????? 895de8 ff15???????? } + $sequence_1 = { 0145f8 6a00 6a04 8d45f8 } + $sequence_2 = { 50 ff15???????? 8bd8 85db 74ea 6a18 } + $sequence_3 = { 4e 75f4 8d45d8 50 57 } + $sequence_4 = { 66894598 8d459a 81e6ffffff7f 037578 50 e8???????? } + $sequence_5 = { 85c0 7506 0fb7c7 89457c 8b7d7c } + $sequence_6 = { 399decfdffff 7420 68???????? ffb5ecfdffff e8???????? 59 59 } + $sequence_7 = { ff75d4 ffd0 85c0 0f85fc010000 8b45f4 6a40 6800300000 } + $sequence_8 = { eb04 32c2 02c2 8801 41 4e } + $sequence_9 = { ff15???????? 85c0 0f84b0010000 33c0 8945f8 394714 } condition: 7 of them and filesize < 58368 
@@ -96734,36 +97044,36 @@ rule MALPEDIA_Win_Stormwind_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5af12011-3b11-5340-9f55-c2d59a09e295" - date = "2026-01-05" - modified = "2026-01-06" + id = "a8201349-f1b3-5f54-a633-be4c25ea5016" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stormwind" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stormwind_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stormwind_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "0edc5101ea908b3c6d0ede012ca9b7d0ba4e1d8697013b724d36791523c87635" + logic_hash = "e0acea9cdfedc7d121604bc91ea573c499c2b2be2e578cb618248ba1668e32f9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb87 85db 7483 8b7d08 8d7308 } - $sequence_1 = { 83663800 83630800 e8???????? e8???????? c3 833d????????00 746e } - $sequence_2 = { eb5c 8b45f4 8b0c85d8310510 f644190448 7437 8a06 } - $sequence_3 = { 8908 8d5602 8d4d0c e8???????? 8d4df0 83c404 } - $sequence_4 = { 8b06 83c41c 8bc8 8d7901 } - $sequence_5 = { e9???????? c745dca43e0410 8b4508 8b7510 dd00 dc4df8 } - $sequence_6 = { 8b7510 85f6 0f847f010000 8b5e14 85db 0f8874010000 } - $sequence_7 = { 53 e8???????? 
8bf0 83c404 8975e8 6a00 6a00 } - $sequence_8 = { 751b 8b450c 891f 8918 8bc7 8b4df4 } - $sequence_9 = { 8bf8 59 83ffff 7407 8b34bd286c0410 56 e8???????? } + $sequence_0 = { 85f6 0f849b010000 8b5e14 85db 0f8890010000 8b7e10 85ff } + $sequence_1 = { 3bc8 1bc0 23c1 83c008 5d c3 8b04c524e60410 } + $sequence_2 = { 0fb606 0fbe80c0f10410 85c0 7510 e8???????? c7002a000000 e9???????? } + $sequence_3 = { 68???????? ff15???????? 68???????? 8d442418 6804010000 } + $sequence_4 = { 8b4804 8b30 894dfc 50 } + $sequence_5 = { 8d8f80000000 c745fc00000000 e8???????? 8bf0 } + $sequence_6 = { 89542420 83faff 0f8462010000 8d9b00000000 8b5c2438 83c9ff } + $sequence_7 = { 8d45f8 c745f8???????? 50 8d4de0 e8???????? c745e04c0c0410 8d45e0 } + $sequence_8 = { 8bf9 897df0 83ec08 c70700000000 c7470400000000 8d8f80000000 } + $sequence_9 = { 50 e8???????? f6c102 7474 } condition: 7 of them and filesize < 741376 
@@ -96773,36 +97083,36 @@ rule MALPEDIA_Win_Skyplex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b9600ce3-b74e-5061-ac1d-1291ed2f5256" - date = "2026-01-05" - modified = "2026-01-06" + id = "087dca5f-d631-5612-bd75-82c0d735f793" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.skyplex_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.skyplex_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "30e30eac39bd800313b58f678b351c49e62a23e2940a68311cb3c8e508d044fd" + logic_hash = "b55412a36eabe71f96854517e823836caf1f285d3ff56ec8f8e1708327797508" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 0f84c8000000 68???????? 8d8538f7ffff 50 e8???????? 83c408 } - $sequence_1 = { c1f805 57 8d3c85c0af4100 8b07 83e61f c1e606 03c6 } - $sequence_2 = { 6bc930 8975e0 8db1709c4100 8975e4 eb2a } - $sequence_3 = { f7bd1cf7ffff 8b849520f7ffff 50 8d8d40fbffff 51 ff15???????? } - $sequence_4 = { 85c0 7430 68???????? 8d8d38f7ffff 51 } - $sequence_5 = { 6a01 ff15???????? c78544f6ffff01000000 eb0f 8b8d44f6ffff } - $sequence_6 = { e8???????? 83c404 99 f7bdc0f6ffff 8b9495c4f6ffff } - $sequence_7 = { 33f6 33c0 0fbe84c158564100 6a07 c1f804 } - $sequence_8 = { 755b e8???????? 
0fb6c8 85c9 } - $sequence_9 = { 8b02 8b4df0 51 8b502c ffd2 8945fc 837dfc00 } + $sequence_0 = { 52 e8???????? 83c408 85c0 7430 68???????? } + $sequence_1 = { 68???????? 8d9538f7ffff 52 e8???????? 83c408 85c0 0f8490000000 } + $sequence_2 = { 8d45fc 50 8d8d30ffffff 51 ff15???????? 8d9530ffffff 52 } + $sequence_3 = { 85c0 0f85d0000000 68???????? 8d85b0f9ffff 50 e8???????? } + $sequence_4 = { 89430c 8d4310 8d89649c4100 5a 668b31 } + $sequence_5 = { 8d95b0f9ffff 52 e8???????? 83c408 85c0 } + $sequence_6 = { 83c201 88953ff6ffff 8d8d38f6ffff e8???????? 0fb6853ff6ffff } + $sequence_7 = { 752b e8???????? 0fb6d0 85d2 } + $sequence_8 = { 8b36 8bce c1f905 8b0c8dc0af4100 83e61f c1e606 89040e } + $sequence_9 = { c7851cf7ffff04000000 c78520f7ffffb0454100 c78524f7ffffe8454100 c78528f7ffff30464100 c7852cf7ffff80464100 } condition: 7 of them and filesize < 262144 
@@ -96812,36 +97122,36 @@ rule MALPEDIA_Win_Sagerunex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3bc17e45-f6b5-56f7-b7ea-e25c9e23d339" - date = "2026-01-05" - modified = "2026-01-06" + id = "31ca12b9-5fde-5f6f-9082-f650f20522e0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sagerunex_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sagerunex_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "da6b189b8ae26a86626e8770a2d7d0803155a13ac9a34b2d4bbc9044c0ab3fcc" + logic_hash = "c1e12e0e32073778914faf79dfeb0160f7d08b447bf0dc11191b315eee3d58c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 0fb74b02 4803cb e8???????? 8d7701 ba04010000 e9???????? } - $sequence_1 = { 8bc7 ffc7 3d00010000 0f8f2a030000 488bcb e8???????? 85c0 } - $sequence_2 = { 4156 4157 4881ec60020000 488b05???????? 4833c4 4889842450020000 4d8bf1 } - $sequence_3 = { 448bc3 e8???????? 33c0 c744242801234567 c744242c89abcdef c7442430fedcba98 c744243476543210 } - $sequence_4 = { b801000000 488b8c2490000000 4833cc e8???????? 
488b9c24d8000000 4881c4a0000000 5f } - $sequence_5 = { 41b8000c0000 c744247001000000 48ffc3 4889442478 48894580 c744245001000000 4889442458 } - $sequence_6 = { 488bcf 7512 e8???????? 85c0 751e 488d0d6e500300 eb8a } - $sequence_7 = { 4983d300 4d034838 4d3b4838 4d894838 4983d300 4983c040 49ffcf } - $sequence_8 = { f0ff00 488d4128 41b806000000 488d1560db0100 483950f0 740b 488b10 } - $sequence_9 = { 03d8 41bc67666666 41b80d000000 f20f11450a f20f1005???????? 418bc4 4c8d4d90 } + $sequence_0 = { 488bbc2468010000 488d4510 660f1f440000 c60000 488d4001 48ffcb 75f4 } + $sequence_1 = { e8???????? bb40000000 498d9698000000 448bc3 498bce 49c70600000000 41c7460801234567 } + $sequence_2 = { b85c000000 6689844d40030000 48ffc9 4885c9 7fe0 33d2 488d8dc2000000 } + $sequence_3 = { 0fbaef11 eb2b 488d1535e90000 41b807000000 488bcb e8???????? 85c0 } + $sequence_4 = { 771b 7216 4883e808 48ffca 75e9 eb17 483bc2 } + $sequence_5 = { 33d0 8bc1 418bcf c1e80a 33d0 418bc7 c1c10e } + $sequence_6 = { 4833c4 488985a0070000 458bf8 4c8bf2 488bd9 e8???????? 4533ed } + $sequence_7 = { 7509 4883e908 49ffc8 75f2 488b4310 bd40000000 4e8b0cc0 } + $sequence_8 = { 0f1f4000 660f1f840000000000 488b06 493bee 498bfe } + $sequence_9 = { 8bcf e8???????? 8d4b01 418bc4 0fafcb f7e9 c1fa02 } condition: 7 of them and filesize < 619520 
@@ -96851,36 +97161,36 @@ rule MALPEDIA_Win_Cryptoshuffler_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "998eec42-f040-507e-9bef-931d28600d2d" - date = "2026-01-05" - modified = "2026-01-06" + id = "9bcf7f30-84a7-5f1e-bbfe-33547b661189" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptoshuffler_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptoshuffler_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "2eb7cd664cf23b0f4478f6fc772120b42235dfe3815c8e843a34a2664a62760c" + logic_hash = "84eb7a2f1c25b369f8a146b42d23b5de35e8d435e42edd57dc921316b7517e98" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 660f282d???????? 660f59f5 660f28aa20a50210 660f54e5 660f58fe } - $sequence_1 = { 8d0486 894304 5f 8933 } - $sequence_2 = { f6c11f 0f85ad040000 8b41fc 3bc1 0f83a2040000 } - $sequence_3 = { 83f85b 757d 8b06 8b4e08 3bc1 } - $sequence_4 = { 837e4c29 8ad8 0f85fd000000 8b06 8b4e08 3bc1 } - $sequence_5 = { c7401c00000000 c7402000000000 8906 894604 8b4508 89460c 8bc6 } - $sequence_6 = { 8b4508 83c020 50 ff15???????? 5d c3 6a0a } - $sequence_7 = { e8???????? 8bce e8???????? 837e4cff b101 0f8555fcffff } - $sequence_8 = { 8d45b4 89458c 8d458c 51 50 51 e8???????? 
} - $sequence_9 = { 6685c0 0f84e7000000 6a00 8d4e24 } + $sequence_0 = { c745e05c4c0210 e9???????? c745e0644c0210 e9???????? } + $sequence_1 = { 8b7508 57 8b7d0c 8955f8 894dd4 } + $sequence_2 = { 8bc7 894de4 399828e10210 0f84ea000000 41 83c030 } + $sequence_3 = { 8b5d08 8b550c 8b7510 c745dc00000000 } + $sequence_4 = { 660fd645e8 85ff 742f 8bd7 85d2 } + $sequence_5 = { 8bf1 e8???????? 8bd0 0f57c0 83c404 8955fc } + $sequence_6 = { c745fc00000000 833d????????00 8945e0 897de4 897dd4 c745e800000000 } + $sequence_7 = { 0f84bc000000 6aff 53 8d45d0 50 8d4d08 } + $sequence_8 = { e8???????? c7460c00000000 6a00 8bce c745fc00000000 e8???????? } + $sequence_9 = { 7502 d9e0 833d????????00 0f85d9670000 } condition: 7 of them and filesize < 425984 
@@ -96890,36 +97200,36 @@ rule MALPEDIA_Win_Bleachgap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "273003cf-3dbb-5afb-a5ea-bb6d27dae595" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b7104e7-d882-5b97-bb84-47dba5454a43" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bleachgap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bleachgap_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bleachgap_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e20e0cd9d2a699ef9480dfe92d72685e3d909ce98e8e306df6822787c7e8d012" + logic_hash = "69e5613692d72f85c8f8f372fde97f28793e3e61fc475bd026973cd7cf7dca02" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4110 89500c 8b4110 894210 8b442410 895110 894a0c } - $sequence_1 = { 8d8d80fdffff e8???????? 8d8d48feffff e8???????? 8ac3 8b4df4 64890d00000000 } - $sequence_2 = { c78514fdffff00000000 c78524fdffff00000000 c78528fdffff00000000 0f1000 0f118514fdffff f30f7e4010 660fd68524fdffff } - $sequence_3 = { 83f81f 0f8783010000 51 52 e8???????? 83c408 8b8d5cffffff } - $sequence_4 = { 52 e8???????? 83c408 8a85bffeffff eb61 8b55bc 83ff10 } - $sequence_5 = { 83c404 83ee01 7839 0f1f00 56 57 e8???????? } - $sequence_6 = { 6859040000 68???????? 68db000000 e9???????? 55 e8???????? 
83c404 } - $sequence_7 = { 46 8ac8 84c0 75dc 84c0 0f845b020000 e9???????? } - $sequence_8 = { 8b542424 8b4c2440 89450c 03ca 8b44243c 894d10 8b04b8 } - $sequence_9 = { 8945d0 8d4344 8945d4 8d434c 8945d8 8d4354 8945dc } + $sequence_0 = { 33f6 894d08 85ff 7426 0f1f8000000000 8b01 8b5010 } + $sequence_1 = { 83f810 7231 8b954cfeffff 8d4801 8bc2 81f900100000 7214 } + $sequence_2 = { 894b28 f30f7e462c 660fd6432c 8b4e34 5f 5e 894b34 } + $sequence_3 = { 83c404 85c0 78c6 74c1 56 895c2418 c7461401000000 } + $sequence_4 = { 8b4c2448 83c40c 49 83f903 0f878f000000 ff248d28235000 53 } + $sequence_5 = { 33c8 330c9508065f00 8b5734 33d9 33d6 33d5 33d3 } + $sequence_6 = { 85c0 745e 8b477c 6878020000 68???????? 89b014020000 8b477c } + $sequence_7 = { c1e804 6a02 0fb680d8675c00 8844241c 0fb681d8675c00 8844241d 8d44241c } + $sequence_8 = { 85c0 7508 8986f84b6100 eb21 50 e8???????? 50 } + $sequence_9 = { 85f6 0f8488020000 8b461c 56 6a00 c746602e000000 896e5c } condition: 7 of them and filesize < 4538368 
@@ -96929,49 +97239,49 @@ rule MALPEDIA_Win_Dyre_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71a1cda5-bbc1-5437-8a4b-d424fa7e7598" - date = "2026-01-05" - modified = "2026-01-06" + id = "879fa518-5ec4-5357-9185-f9232454f0a1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dyre_auto.yar#L1-L228" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dyre_auto.yar#L1-L219" license_url = "N/A" - logic_hash = "af535d590e4b9fb30bcfd8419a9c576a8fa6a184366164dc5fc0ce71c5e82236" + logic_hash = "2b303cca8d128a9a4485286d6382ca7c5e74c54a7012acc9a782dd63fd41e54f" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6800004000 6800000400 ff15???????? a3???????? 85c0 } - $sequence_1 = { 747c 8d4602 50 e8???????? 8bf8 } - $sequence_2 = { 33c8 894304 895308 894b10 c745ec10000000 837df400 0f84f7000000 } - $sequence_3 = { 59 85c0 740d 8d4801 3b4d14 } - $sequence_4 = { 742e 53 8bc7 e8???????? 8bd8 } - $sequence_5 = { 81ec14010000 8364240400 53 56 57 } - $sequence_6 = { 59 83f8ff 7549 33ff 83f8ff 7542 } - $sequence_7 = { 33d2 f7f3 3bd6 7409 } - $sequence_8 = { 4883ec20 488bd9 b910270000 ff15???????? 488bcb } - $sequence_9 = { 488bcd ff15???????? 
488b5c2460 8bc7 4883c440 } - $sequence_10 = { 4883ec20 488b0d???????? 33d2 ff15???????? } - $sequence_11 = { 488b4c2458 488d442450 8d5301 4533c9 4533c0 4889442420 895c2450 } - $sequence_12 = { 488bd9 83fa04 763b 0f1f00 0fb74b02 ff15???????? } - $sequence_13 = { 4883ec20 448b4124 33ff 488bf2 428d04c500000000 488bd9 014120 } - $sequence_14 = { 488bcb ff15???????? ffc7 034310 8d740627 413bfc 7cdf } - $sequence_15 = { 488bcd 897c2470 48897c2420 ff15???????? 85c0 } + $sequence_0 = { 6800004000 6800000400 ff15???????? a3???????? } + $sequence_1 = { 32c0 5d c3 55 8bec 56 8bf0 } + $sequence_2 = { 6801010000 ff15???????? 8b4d18 663901 } + $sequence_3 = { 7707 0fbec0 2bc1 eb1e 8d58bf } + $sequence_4 = { 0540060000 c3 8d440064 c3 55 8bec } + $sequence_5 = { 50 ff75f8 ff75f4 ff36 } + $sequence_6 = { 32c0 5e 5d c3 8bc6 } + $sequence_7 = { 0fb7c0 0bc1 c9 c3 } + $sequence_8 = { 4433c0 418bc4 418bd3 c1c806 4433c0 8bc5 } + $sequence_9 = { 4883ec40 488bc2 33ff 4c8be1 48897c2430 4533c9 } + $sequence_10 = { 6689442444 33c0 498bf8 488bf2 } + $sequence_11 = { 488bd9 83fa04 763b 0f1f00 0fb74b02 ff15???????? 440fb7d8 } + $sequence_12 = { 23cd 418bc5 c1c806 8bd3 4433c0 } + $sequence_13 = { 488bd9 b910270000 ff15???????? 488bcb } + $sequence_14 = { 4433c0 418bc4 4123c5 33c8 8bc3 4403c1 418bcb } + $sequence_15 = { 443bdf 7725 663933 7432 } $sequence_16 = { 668b1401 668910 83c002 4e 75f3 } - $sequence_17 = { 85db 7416 57 8bfa 2bfe 90 } - $sequence_18 = { 8bd8 56 8bf1 85db 7416 } - $sequence_19 = { 50 a1???????? 6a08 50 ff15???????? 8bd8 } - $sequence_20 = { ff15???????? 8bf0 8d85d4fdffff 50 } - $sequence_21 = { 90 ff15???????? 8a0437 8806 46 4b } - $sequence_22 = { 833d????????00 751b 6a00 6800004000 6800000400 } + $sequence_17 = { 90 ff15???????? 8a0437 8806 46 4b } + $sequence_18 = { 56 8bf1 85db 7416 } + $sequence_19 = { 57 8bfa 2bfe 90 ff15???????? 8a0437 } + $sequence_20 = { 85db 7416 57 8bfa } + $sequence_21 = { 751b 6a00 6800004000 6800000400 } + $sequence_22 = { a1???????? 
6a08 50 ff15???????? 8bd8 } condition: 7 of them and filesize < 590848 
@@ -96981,42 +97291,42 @@ rule MALPEDIA_Win_Supper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "15a5fdcc-983f-545a-acdb-1425e0080fb1" - date = "2026-01-05" - modified = "2026-01-06" + id = "11bfb9bd-ab25-5cc8-a82c-5152cb4eb0b8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.supper_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.supper_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "609470a8924c4445e40bf6082d5cbc00c8d1a1556bb0036cf2444493aad439fc" + logic_hash = "cee6c174bad91802505247d507e413520713973fe880f3548b05a034ef8b99f8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { baffffffff 89cb 488b0d???????? ff15???????? } - $sequence_1 = { 74ed 8844242f e8???????? 0fb644242f 48c705????????00000000 4883c438 } - $sequence_2 = { 488905???????? e8???????? 84c0 7407 4883c438 5b } - $sequence_3 = { 488905???????? ffd6 48891d???????? 488905???????? } - $sequence_4 = { 4889cb 31c9 ffd6 4531c0 31d2 31c9 } - $sequence_5 = { 488905???????? 31c0 4883c428 5b 5e c3 } - $sequence_6 = { ba01000000 4c8b25???????? 41ffd4 85c0 } - $sequence_7 = { 4531c0 488b4b08 ba01000000 41ffd4 85c0 } + $sequence_0 = { 0fb610 83ea01 0fb6d2 ff15???????? 
8b00 } + $sequence_1 = { 4885c9 74ed 8844242f e8???????? 0fb644242f 48c705????????00000000 } + $sequence_2 = { 4531c0 488b4b08 ba01000000 41ffd4 85c0 } + $sequence_3 = { 488b04d8 4885c0 7408 488338ff } + $sequence_4 = { 4885c0 740d 48833800 7407 89d9 e8???????? 4883c301 } + $sequence_5 = { 4885c0 7416 488b4008 4885c0 } + $sequence_6 = { 89d3 4889ce baffffffff 488b0d???????? } + $sequence_7 = { 31d2 4889cb 31c9 ffd6 4531c0 31d2 } $sequence_8 = { e8???????? 488b4510 488b00 4885c0 } - $sequence_9 = { 0fb700 0fb7d0 488b85c0000000 4883c004 4189d0 } - $sequence_10 = { 66894510 c645ff00 488b05???????? baffffffff } - $sequence_11 = { 4883bdc000000000 750a b800000000 e9???????? 488b85c0000000 } - $sequence_12 = { ba04000000 4889c1 e8???????? 488b85e0000000 } - $sequence_13 = { 4889c1 e8???????? 8b45dc 89c0 4889c1 e8???????? } - $sequence_14 = { c744242004000000 4989d1 41b801000000 ba06000000 4889c1 e8???????? } - $sequence_15 = { c3 55 4881ec50010000 488dac2480000000 48898de0000000 488b85e0000000 0fb7400c } + $sequence_9 = { 488b4518 8b00 8945d4 488d55b0 488d45d0 4883c004 } + $sequence_10 = { e8???????? 4881c440020000 5d c3 55 } + $sequence_11 = { e8???????? 488b8580010000 48c74018ffffffff 488b8580010000 488b4008 4883f8ff } + $sequence_12 = { 80bddb00000000 757b 8b85d4000000 4898 488d148500000000 } + $sequence_13 = { 48c74010ffffffff 488b4510 488b00 4883f8ff 741a 488b4510 } + $sequence_14 = { 4889c1 e8???????? 85c0 747b 488b45f0 } + $sequence_15 = { 83bde400000002 750d c785ec00000002000000 eb01 90 8b85ec000000 4881c478010000 } condition: 7 of them and filesize < 517120 
@@ -97026,36 +97336,36 @@ rule MALPEDIA_Win_Socksbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "faec2b10-b495-5749-b587-f624aaef83b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "aea4f75d-d361-5623-8f67-158321d8b4bd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.socksbot_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.socksbot_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "369cd58dedba09e8aa40e9db282016f7a46ee224d612c8da35e03725828fb9df" + logic_hash = "e214018a7295947bd0c22d61e6fd1424442fee71cd48e9553a4a5bd1d1011c60" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a0d 50 8945fc e8???????? 8bf8 } - $sequence_1 = { 8d85acfeffff 50 51 c785acfeffff01000000 899db0feffff 894df0 c745f400879303 } - $sequence_2 = { 33c0 5f c9 c20400 55 8bec 81ec0c030000 } - $sequence_3 = { 324415bc 320439 32c3 880439 } - $sequence_4 = { 33c1 c1e002 33c1 c1e002 } - $sequence_5 = { c3 8b400c 8b00 ff30 ff15???????? 85c0 74eb } - $sequence_6 = { 03f3 eb6d 8b460c 03c3 } - $sequence_7 = { 8b55f8 43 8802 8b35???????? 33c0 3bdf } - $sequence_8 = { 880e 4a 75f7 5f 5e 5d c3 } - $sequence_9 = { a3???????? 
c605????????00 5b c9 c3 } + $sequence_0 = { 4e 83ce80 46 47 } + $sequence_1 = { c3 e8???????? e8???????? e8???????? 6a08 68???????? } + $sequence_2 = { 8d85bcfeffff 50 ff15???????? 40 } + $sequence_3 = { 83fe08 7cf0 eb1e 8bc6 69c00c000100 33d2 ff740804 } + $sequence_4 = { c745f400879303 ff15???????? 8b7df8 85c0 } + $sequence_5 = { eb16 8d45d0 50 53 e8???????? eb0a } + $sequence_6 = { ff15???????? 8b45fc 48 03f0 8d45fc } + $sequence_7 = { e8???????? 8b75fc 83c40c e9???????? 8d45b0 50 68???????? } + $sequence_8 = { ff15???????? 85c0 0f8583010000 53 57 803d????????00 0f8572010000 } + $sequence_9 = { 8b5d08 81c3a0860100 895d08 81fb40420f00 7e18 bb40420f00 } condition: 7 of them and filesize < 73728 
@@ -97065,36 +97375,36 @@ rule MALPEDIA_Win_Gearshift_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5cb12abd-628a-5169-a5df-e2c33952153a" - date = "2026-01-05" - modified = "2026-01-06" + id = "3d63cf91-17d7-5a6a-9d1d-b27b1e5f74cb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gearshift_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gearshift_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "e8d3111d44f6324e90544c2ebdde13a938df2e4a9f50331b57f760f4ee12b3d4" + logic_hash = "637a6702d268d4bd9cab6e76f4de20ea36be87939de1600665a2e21687ff9d0c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883ec20 85c9 7871 3b0d???????? 7369 4863d9 488d2dff1a0300 } - $sequence_1 = { 48895c2408 4889742410 48897c2418 498bf8 8bda 488bf1 443bca } - $sequence_2 = { e8???????? e9???????? 488b442450 488d0db7350300 488b04c1 41f644070840 } - $sequence_3 = { 4883c310 48ffce 75d4 488d1def070300 } - $sequence_4 = { 8b4ffc 41b940000000 41b800100000 488bd0 4903ce 488bd8 } - $sequence_5 = { 488b4c2430 4885c9 7406 ff15???????? 8bc7 eb02 } - $sequence_6 = { e8???????? 33c9 3d00040000 7510 e8???????? 
b801000000 4883c430 } - $sequence_7 = { 4883c328 0fb74806 443bf9 0f8c50ffffff 488b4500 8b4828 } - $sequence_8 = { 0f84ca020000 488d05d13b0300 4a8b04e0 41f644070880 0f84b3020000 e8???????? 33db } - $sequence_9 = { 488d542434 8bc8 ff15???????? 33c0 488d542438 } + $sequence_0 = { ff15???????? 85c0 0f84a3000000 8b8db0010000 e8???????? } + $sequence_1 = { 85c0 7589 8d7801 488bcb } + $sequence_2 = { 488bd8 4885c0 7424 ff9608010000 3db7000000 7517 488bcb } + $sequence_3 = { 4c8d258e140300 488b0d???????? eb7c 4c8d2576140300 488b0d???????? eb6c e8???????? } + $sequence_4 = { 4c8be8 4885db 7510 488d0d5db00000 ff15???????? 488bd8 } + $sequence_5 = { 4883c440 5f e9???????? 488b5c2450 488b742458 4883c440 } + $sequence_6 = { 488bd8 ff15???????? 488d15d4a90000 488bcb 488905???????? ff15???????? } + $sequence_7 = { 488bd8 ff15???????? 488d15e2bc0000 488bcb 488905???????? } + $sequence_8 = { 57 4154 4156 4157 488dac2488feffff 4881ec78020000 33c0 } + $sequence_9 = { 488d05481f0300 4c3bd0 7405 e8???????? } condition: 7 of them and filesize < 540672 
@@ -97104,36 +97414,36 @@ rule MALPEDIA_Win_Nailao_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e45fdbac-42d1-5920-9b35-9a9e44ef7d5d" - date = "2026-01-05" - modified = "2026-01-06" + id = "f4c7e8c8-8aa6-5e33-a918-59530a460f83" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nailao_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nailao_locker_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nailao_locker_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "b259eb4feabff6fee143b3ad97a8691b9630885ab19604f45e8a846a4deaff46" + logic_hash = "f78b85817e2074b7551f2d50266d0de829d714ef0f0e69cc60951820f6d3314c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 4c8d4c2474 488bcb 4c8d44246c 488d542464 ff15???????? } - $sequence_1 = { 488bc5 4c8d0551650100 488bcd 48c1f906 83e03f 498b0cc8 488d14c0 } - $sequence_2 = { 488bd8 4885c0 7560 488bc7 4c8d35104cffff 498784f620120200 } - $sequence_3 = { e8???????? 4c8d458c 488bd7 85c0 7411 448bc8 488d0ddd7a0100 } - $sequence_4 = { 48c744242000000000 488bce ff15???????? 85c0 741d 41ffc6 } - $sequence_5 = { c705????????01000000 b808000000 486bc000 488d0d19d80100 8b542430 48891401 } - $sequence_6 = { 488d0ddd7a0100 e8???????? 
eb58 488d0d1f7b0100 eb47 488d1596790100 488bcb } - $sequence_7 = { e8???????? 488d156f870100 488d4c2420 e8???????? } - $sequence_8 = { ff15???????? 85c0 750d 4c8d442450 488bd7 e8???????? 83eb01 } - $sequence_9 = { 488985d0070000 49895b20 488bfa 498973e8 4d896bd8 4d8be8 } + $sequence_0 = { 488b45d8 488908 488d0d99560100 488b45d8 8990a8030000 } + $sequence_1 = { 8a4118 4188440830 4881ff01010000 7ce8 488d05043d0100 482bd8 4a8d0c0a } + $sequence_2 = { 4b8b84eb100e0200 420fb64cf83e 460fbea41910d90100 41ffc4 418bc4 2bc2 8945af } + $sequence_3 = { 488d4c2460 ff15???????? 48894340 4885c0 7508 ff15???????? eb08 } + $sequence_4 = { e8???????? 4889442450 488d9570010000 0f57c0 } + $sequence_5 = { 4889442450 488d0d00760100 0f57c0 488905???????? } + $sequence_6 = { e8???????? 33d2 488d7b0c 0fb7c2 4c8d0d2a3c0100 48895304 4c8bc3 } + $sequence_7 = { 443935???????? eb0d 6683fb03 7509 443935???????? 755b } + $sequence_8 = { ff15???????? 3d04010000 7c0a b8ce000000 e9???????? 48899c2400030000 } + $sequence_9 = { 33d2 488d7b0c 0fb7c2 4c8d0d2a3c0100 48895304 4c8bc3 48899320020000 } condition: 7 of them and filesize < 512000 
@@ -97143,36 +97453,36 @@ rule MALPEDIA_Win_Rusty_Claw_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8fc75c4e-ba70-59d2-9f38-a3aed8cf6b13" - date = "2026-01-05" - modified = "2026-01-06" + id = "9bbbdbd2-fe97-535f-ad66-6931dd10ebe1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rusty_claw" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rusty_claw_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rusty_claw_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "75f315fae698621629456c9a1f27e13b2e79a7325d19df3b6033848f0862def4" + logic_hash = "e007cc04a88eb89873d51e1a1ceba9e1e68fbd2d8432ebd503905b4d49a2dd9e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 56 83ec08 8b5c241c 8b7c2418 89e0 8d742404 } - $sequence_1 = { 5b 5d c3 8b4e10 ba???????? 6a04 e8???????? } - $sequence_2 = { 037904 034108 89d1 c1c60d c1ea0a c1c10f 31ce } - $sequence_3 = { 8b5664 e8???????? 
b001 8b8eb0050000 64890d00000000 8d65f4 5e } - $sequence_4 = { 29c2 29ca 85d2 7409 4a 803ec0 8d76ff } - $sequence_5 = { 0fb7c2 01c8 c3 89d0 354718c32c c1c002 31d0 } - $sequence_6 = { 8dbe850ab727 8974245c 89442408 8d81fc6d2c4d 8b4c2458 89442450 8b442430 } - $sequence_7 = { 6a0a 5a f7e2 89c3 0f90c2 01cb 0f92c0 } - $sequence_8 = { 8b6c241c 8974240c 89de 894c2444 89542438 89442420 894c2424 } - $sequence_9 = { 8d043b 99 2bc2 8bf0 d1fe 6a55 ff34f5b8444300 } + $sequence_0 = { 8b942494000000 8b8c24a0000000 89542418 894c241c 8b542458 8b4c246c 891424 } + $sequence_1 = { 89cf 891424 f7db 31ed 4d 8d042b } + $sequence_2 = { 8a18 0fb6d3 84db 0f899b000000 8d7002 83e21f 897104 } + $sequence_3 = { 31d2 8d4d9c 42 e8???????? 58 8b45a4 8b4ddc } + $sequence_4 = { 83610c00 e8???????? 89c8 89d1 89c2 e8???????? 53 } + $sequence_5 = { eb31 8d5630 89461c 897e10 c786d804000007000000 8d8ec8000000 832200 } + $sequence_6 = { 89442420 894c2424 89542428 894c2444 89442434 8974242c 89e9 } + $sequence_7 = { 0f299424b0020000 0f298c24a0020000 0f284c2450 0f298c24c0020000 50 8d8424c4020000 50 } + $sequence_8 = { 85c0 0f45da 0f45f8 89da 85ed 7445 8b5e04 } + $sequence_9 = { e8???????? a801 7458 89d1 80c1d0 80f90a 721a } condition: 7 of them and filesize < 518144 
@@ -97182,42 +97492,42 @@ rule MALPEDIA_Win_Xpertrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a2a3325a-1f3d-5b66-85b8-5585a72bc5f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "ba3a6b4f-dabd-5198-a8f0-bcecdc7a8cd1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xpertrat_auto.yar#L1-L155" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xpertrat_auto.yar#L1-L159" license_url = "N/A" - logic_hash = "aded1ec389d65d20277f2fe9db776abf2f31c80bf4b4d804698ab1524e2b5a6d" + logic_hash = "46ada561a557d5653f02082143df27ce692fd4a3b6839f44225d1aa292544237" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff08 40 0430 ff0a 4c 000c00 } - $sequence_1 = { 045c ff4d40 ff08 40 } - $sequence_2 = { 006c70ff 0808 008f38001b26 001b 0d002a2364 ff08 } - $sequence_3 = { 0870ff 0d80000700 0474 ff0478 } - $sequence_4 = { 0808 008a3800cc1c 5e 006c70ff 0808 008f38001b26 } - $sequence_5 = { ff05???????? 000d???????? 0878ff 0d98000700 6e } - $sequence_6 = { 6c 70ff 0808 008a3800cc1c } - $sequence_7 = { ff0a 250004003c 6c 70ff } - $sequence_8 = { ff15???????? 81c480000000 8d55c0 52 ff15???????? 8d4588 } - $sequence_9 = { ff15???????? 81c6a4000000 50 56 } - $sequence_10 = { ff15???????? 
81e600020000 33c9 81fe00020000 } - $sequence_11 = { ff15???????? 81c608030000 8d45e8 56 } - $sequence_12 = { ff15???????? 81c608030000 8d8568ffffff 56 } - $sequence_13 = { ff15???????? 81e600200000 33d2 81fe00200000 } - $sequence_14 = { ff15???????? 81c480000000 8d8df8fcffff 51 } - $sequence_15 = { ff15???????? 833d????????00 7505 dc7dc0 } + $sequence_1 = { 008a3800cc1c 5e 006c70ff 0808 008f38001b26 001b 0d002a2364 } + $sequence_2 = { 001b 0d002a2364 ff08 0800 } + $sequence_3 = { ff05???????? 000d???????? 0878ff 0d98000700 6e 74ff } + $sequence_4 = { 000d???????? 0870ff 0d80000700 0474 ff0478 } + $sequence_5 = { 0000 ae 045c ff4d40 ff08 40 } + $sequence_6 = { 0000 00a1cc004400 0bc0 7402 } + $sequence_7 = { 6c 70ff 0808 008a3800cc1c } + $sequence_8 = { ff15???????? 83bbd800000001 8d83fc000000 898534f6ffff } + $sequence_9 = { ff15???????? 83bd1cffffff00 7505 e9???????? } + $sequence_10 = { ff15???????? 83bd8cfeffff00 0f84b0050000 c745fc0a000000 } + $sequence_11 = { ff15???????? 83bd8cfeffff00 7405 e9???????? } + $sequence_12 = { ff15???????? 83bd70ffffff00 0f84ca010000 c745fc1a000000 } + $sequence_13 = { ff15???????? 83bbd800000001 0f8546010000 8d4dd8 } + $sequence_14 = { ff15???????? 83bc24a000000005 7c0c 5f } + $sequence_15 = { ff15???????? 83bb9400000001 8d83b8000000 89853cf6ffff 8985b4fcffff c785acfcffff03400000 0f8533010000 } condition: 7 of them and filesize < 8560640 
@@ -97227,36 +97537,36 @@ rule MALPEDIA_Win_Orcarat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f18bd4e3-b820-5b26-a4b2-4899e6f773ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "04f42415-7fcb-5efc-9ffe-e9c2ead1bdb6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.orcarat_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.orcarat_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "267a82fd5372f110668cffe923381f6f74a52ece9ba8a9c79d169c7d32552337" + logic_hash = "94c36648eb707ecafb5b03dd70ef0419078170d69bed84996d811c45ff7795a7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a0d???????? 8a15???????? 346f 80f170 8844245e a1???????? 884c245c } - $sequence_1 = { 85c0 755a 57 8dbbb0010000 83c9ff 8d9534020000 } - $sequence_2 = { 51 68???????? 53 56 ffd5 85c0 } - $sequence_3 = { 8bcd 6a00 e8???????? 85c0 7507 5f } - $sequence_4 = { c21000 8d442420 6a00 8d4c2418 50 51 } - $sequence_5 = { 6a01 8bcd c7432801000000 896c241c e8???????? } - $sequence_6 = { 8b942408080000 56 8bf1 57 8bfa 83c9ff 33c0 } - $sequence_7 = { 5e 81c404080000 c20400 8d54240e 8bce 52 } - $sequence_8 = { f3a5 8bc8 83e103 f3a4 8d4c241c 51 e8???????? 
} - $sequence_9 = { 0f84d1000000 80bc241c0400003f 0f8488000000 8bc3 8d94241c040000 2bc2 8dbc241c040000 } + $sequence_0 = { 8d442420 52 50 6a01 8bcf e8???????? 85c0 } + $sequence_1 = { 8d8424405a0000 52 50 a1???????? 8d8c2438020000 } + $sequence_2 = { 52 f3a4 8d7c2424 83c9ff f2ae f7d1 8d842428050000 } + $sequence_3 = { f7d1 2bf9 8d54241c 8bc1 8bf7 8bfa c1e902 } + $sequence_4 = { 2bf1 56 52 50 e8???????? 8b84242c500000 } + $sequence_5 = { c3 ff25???????? 55 8bec 837d100a } + $sequence_6 = { c6043000 8b4324 85c0 7451 } + $sequence_7 = { 51 52 6813000020 56 c744242801000000 c744243404000000 } + $sequence_8 = { 8b442410 85c0 7661 c68404240c000000 8d8424240c0000 6a00 50 } + $sequence_9 = { 89bbfc020000 8b834c030000 3bc7 7409 50 } condition: 7 of them and filesize < 114688 
@@ -97266,36 +97576,36 @@ rule MALPEDIA_Win_Nemim_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2fcca9e2-b8f3-5d83-84fc-b2e40aa4f4f9" - date = "2026-01-05" - modified = "2026-01-06" + id = "fcfedf5a-fd39-574b-8232-dc0014f50a81" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nemim_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nemim_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "24d9011f0ff0bebf263a930abe315373fb7838840fe9989752df0056ff714df5" + logic_hash = "0147de1266d1ce6fc2086c96ae81ebead4d2a5462b33eec8ccb6805b4df88107" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c002 53 55 56 57 8d742410 bf10000000 } - $sequence_1 = { 52 6801000080 ff15???????? 8d442418 8d4c2454 50 8b442418 } - $sequence_2 = { 56 ff15???????? 8b442410 3d97010000 0f84ae000000 6800040000 } - $sequence_3 = { 888424e7000000 e8???????? 83c404 8d9424b4000000 68???????? 6819000200 6a00 } - $sequence_4 = { 8bd1 8dbc2450020000 c1e902 f3ab 8bca } + $sequence_0 = { a1???????? 50 e8???????? 83c420 55 e8???????? } + $sequence_1 = { b001 53 8845f0 8845f1 b004 } + $sequence_2 = { 0f8793010000 ff2485c7574000 8b4510 66834808ff 66c7000b00 e9???????? 
} + $sequence_3 = { 8bc8 83e01f c1f905 56 57 8b348d40604300 8d1c8d40604300 } + $sequence_4 = { c1e704 8b6c2410 0bc7 8bfe 03c1 33f9 } $sequence_5 = { 52 e8???????? 8d442458 50 e8???????? 8b15???????? 8d4c245c } - $sequence_6 = { 8b6c2440 8dbc3839d0d4d9 8bc7 c1e81c c1e704 0bc7 8bfe } - $sequence_7 = { 8bf0 750b c1e602 8b8628274300 eb09 c1e602 } - $sequence_8 = { 83fe10 7cde c605????????00 b90b000000 be???????? 8dbc2410010000 } - $sequence_9 = { 68e8030000 e8???????? 83c404 85f6 } + $sequence_6 = { c786d4000000648d4200 57 c786d8000000488d4200 53 c706???????? } + $sequence_7 = { c1e102 89bc8944744300 8b0d???????? c1e102 89848948744300 a1???????? c1e002 } + $sequence_8 = { 8b8424cc000000 48 7467 48 0f85b1000000 8b8c24bc000000 6a00 } + $sequence_9 = { 8844244c e8???????? 68???????? e8???????? 68???????? 8bf0 } condition: 7 of them and filesize < 499712 
@@ -97305,36 +97615,36 @@ rule MALPEDIA_Win_Vskimmer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d60a06ab-73b2-5007-b9fd-d7fdf53f6d46" - date = "2026-01-05" - modified = "2026-01-06" + id = "aa40e705-b39d-58b0-8775-3b56bc47a736" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vskimmer_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vskimmer_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "fbde08601554269a17787c3ffa7dabc4bf8a82c0fe588e8a82f4a23b193dab38" + logic_hash = "f25f3f6146e6b91dd03692618e8cb587f926d46f49faa026e8804368e3ca4b7b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb74624 6685c0 7413 50 ff75fc 8d8f2c020000 } - $sequence_1 = { 8d8dd4f7ffff e8???????? 83bdccf7ffff10 8b85b8f7ffff c645fc11 7306 } - $sequence_2 = { 7629 8d7e04 ff75e8 ff37 ff15???????? 85c0 } - $sequence_3 = { c645fc0a ff15???????? 3bc7 0f8eeb030000 bb???????? be???????? 8d85f0f7ffff } - $sequence_4 = { 8b8324020000 8bc8 81e101010000 83f901 0f84e1020000 } - $sequence_5 = { 3b8314020000 0f84cc010000 56 8bcb } - $sequence_6 = { e8???????? 83c418 8d85b4feffff 50 8d8d88f6ffff } - $sequence_7 = { 8d85ecfeffff 68???????? 50 e8???????? 
ffb5c4f8ffff 8d85ecfeffff } - $sequence_8 = { 33c0 8945f0 394510 7417 c706???????? c74610c4d54100 } - $sequence_9 = { 59 c3 8bff 55 8bec 51 f6430c40 } + $sequence_0 = { 895dfc e8???????? 6a01 e8???????? 83c420 53 6a01 } + $sequence_1 = { 47 3810 751f ebe7 3b7d18 } + $sequence_2 = { 53 8b1f 8d4301 56 8b7508 8945f8 8b4614 } + $sequence_3 = { 85c0 0f84ba000000 57 8b3d???????? 8d45ec 50 } + $sequence_4 = { ff15???????? 50 ff15???????? 8d45cc 50 68???????? 6a00 } + $sequence_5 = { 3bf3 7408 8b451c 8906 897e14 } + $sequence_6 = { 59 50 57 68???????? 8d8d38f7ffff e8???????? ffb5c4f6ffff } + $sequence_7 = { 836df804 83c604 3b45f4 0f8253ffffff } + $sequence_8 = { 6a01 8d8dc8fcffff e8???????? e8???????? c3 6a08 } + $sequence_9 = { 751c 85c9 7508 c70703000000 eb37 83f901 7504 } condition: 7 of them and filesize < 376832 
@@ -97344,36 +97654,36 @@ rule MALPEDIA_Win_Isaacwiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a82e3ec4-c6b5-5b3d-9ab0-3064ec3e836c" - date = "2026-01-05" - modified = "2026-01-06" + id = "8b07c7aa-1138-5bb6-b193-0c825a3e98fc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.isaacwiper_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.isaacwiper_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "8d7d093defd2064582c177175fbd158891b23ac1a28e0ebb5ab5f45a7b73a475" + logic_hash = "4b0dacbf2562698736242d25b33b286fee192f0056990080203cfe77f1c8ccca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bc8 737f 2bf9 8b4c2430 3bcf 0f8245020000 } - $sequence_1 = { 03c2 3bc3 8b5df4 72d5 eb37 83f802 } - $sequence_2 = { 83e03f c1f906 6bf038 03348de8670310 837e18ff 740c 837e18fe } - $sequence_3 = { 83c408 3bc3 8d48ff 0f46c1 014658 837e5815 7368 } - $sequence_4 = { 8b03 51 c744243007000000 8bcb 7445 ff501c 8d442430 } - $sequence_5 = { 50 c7460800000000 c7461000000000 c7461400000000 e8???????? 83c404 } - $sequence_6 = { 3914c598c00210 7408 40 83f81d } - $sequence_7 = { e8???????? 
8ac8 83c404 46 83c768 84c9 75e4 } - $sequence_8 = { 8b4d0c 83d900 8945e0 894ddc c745f800000000 897dd8 895df4 } - $sequence_9 = { 69c9dfb00899 33ca 338c8634060000 890c86 40 3de3000000 72cf } + $sequence_0 = { 6683bdccfdffff00 7409 83c002 66833800 75f7 8d8dccfdffff 8bd3 } + $sequence_1 = { 8b01 56 8d7178 8b4004 c7443088d0270310 } + $sequence_2 = { 8be5 5d c3 8bc3 c1e802 8d3c82 } + $sequence_3 = { f20f59148580f90210 660f5834c590010310 660f54c5 f20f5ce8 f20f58fa f20f10d8 } + $sequence_4 = { 8b08 85c9 742a 8b5630 8b1a } + $sequence_5 = { 53 8b5d08 8b0485e8670310 56 57 8bfb } + $sequence_6 = { 8b4008 8b34b8 85f6 75d3 85db 7413 8d4df8 } + $sequence_7 = { 03fb 897dfc c7473000000000 c7470800000000 c7471000000000 c7471401020000 c7471806000000 } + $sequence_8 = { 56 ff15???????? 83f801 7521 8b45f4 } + $sequence_9 = { 3b4d10 5f 5e 0f95c0 5b 8be5 5d } condition: 7 of them and filesize < 467968 
@@ -97383,41 +97693,41 @@ rule MALPEDIA_Win_Runningrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7ed2390-7d31-581c-a1e4-fdb77337ca48" - date = "2026-01-05" - modified = "2026-01-06" + id = "d4ae73e1-77c4-5c6d-b90f-aa390aa93cd3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.runningrat_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.runningrat_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "4ddbc260dd07c2863631004b7f152c53ea1c57a6d19004876f01cbe090f0559f" + logic_hash = "af9c36c6cd0f2b297fc8137fa03b7170757e2be4dbf1da23b237e62f33931186" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 ff15???????? 56 ff15???????? 8b8c2418010000 } - $sequence_1 = { 891481 ff4608 e9???????? 83fa12 750a c744242c07000000 eb07 } - $sequence_2 = { 5d 83c408 c3 8b442434 8b4c242c 56 } - $sequence_3 = { dec1 dee9 def9 dc0d???????? } - $sequence_4 = { 50 03cb 51 e8???????? 8b542428 0fb74206 47 } - $sequence_5 = { f3a4 ff15???????? 5f 5e 5d 33c0 } - $sequence_6 = { 8b4764 50 e8???????? 
33c0 83c404 8bcf 894764 } - $sequence_7 = { 03c8 40 8a0c29 884c03ff 8b4e04 } - $sequence_8 = { 8be8 83c404 83fdfd 7515 } - $sequence_9 = { 8dbc24a4010000 f3ab 8d8c2408020000 51 } - $sequence_10 = { 83c204 89542420 3bce 741f 8b948c8c000000 8b9c242c010000 } - $sequence_11 = { 6a00 6a00 8b82a8000000 50 68???????? 6a00 } - $sequence_12 = { 50 e8???????? 8b5644 68a2aedeac 68ce9a32f7 68c9600000 52 } - $sequence_13 = { 7336 8d642400 837c241c00 0f84cc020000 0fb613 ff4c241c } - $sequence_14 = { 8bd1 83e201 d1e9 895618 83f903 0f8761060000 } + $sequence_0 = { ff15???????? 56 ff15???????? 8b8c2418010000 } + $sequence_1 = { e8???????? 8a4c2420 6a18 c744241c00000000 } + $sequence_2 = { e8???????? 85c0 7402 b301 8d4c240c e8???????? } + $sequence_3 = { 68???????? 68???????? ffd3 8b2d???????? 50 ffd5 68???????? } + $sequence_4 = { eb08 2bd1 8bc2 89542420 } + $sequence_5 = { a1???????? 33c4 89842464040000 53 56 } + $sequence_6 = { 85c0 7559 8b442418 8b4c2430 40 } + $sequence_7 = { 56 8bf1 8b4e34 8b6e1c 57 8bf8 } + $sequence_8 = { b914000000 e8???????? 8b54241c 8bf0 8b442418 b914000000 } + $sequence_9 = { 8b542424 3902 0f84e2000000 8b4c2434 8b542430 56 } + $sequence_10 = { 81c4f8020000 c20400 8b35???????? 6800000100 6a40 ffd6 8bd8 } + $sequence_11 = { 33c0 5b c3 b8feffffff } + $sequence_12 = { e8???????? 8d44241c 83c40c 48 8d4900 } + $sequence_13 = { 8b442424 c70100000000 8b4c2428 57 c70200000000 } + $sequence_14 = { d3e8 2be9 8b4e0c 89442414 8b4608 891481 ff4608 } condition: 7 of them and filesize < 275456 
@@ -97427,36 +97737,36 @@ rule MALPEDIA_Win_Remcos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3ceadbea-888c-55f4-a47d-fc201de9516f" - date = "2026-01-05" - modified = "2026-01-06" + id = "9ab4d05d-55c1-575c-83fd-f7cbd0985de6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.remcos_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.remcos_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "53c8db12d7a75d44b5d7d131da62120ba8cecf14ac635a0e0b17a53e5078529b" + logic_hash = "d1742a74ceabd8a848acff11b2563ed54ab268932204cdadaeab9496a89c8d91" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7410 6a00 ff35???????? } - $sequence_1 = { ff15???????? 50 ff15???????? 8d45f0 33f6 } - $sequence_2 = { 51 51 8d45f8 c745f808000000 50 ff15???????? ff15???????? } - $sequence_3 = { ff15???????? 50 ff15???????? 8d45f0 33f6 50 } - $sequence_4 = { 85c0 7410 6a00 ff35???????? ff15???????? } - $sequence_5 = { 50 6a28 ff15???????? 50 ff15???????? 8d45f0 33f6 } - $sequence_6 = { 7410 6a00 ff35???????? ff15???????? } - $sequence_7 = { 8d45f8 50 ff15???????? ff7508 } - $sequence_8 = { 51 8d45f8 c745f808000000 50 ff15???????? ff15???????? } - $sequence_9 = { 8d45f8 50 ff15???????? 
ff7508 ff15???????? } + $sequence_0 = { 50 ff15???????? 8d45f0 33f6 } + $sequence_1 = { 7508 ff15???????? 33c0 5f 5e } + $sequence_2 = { ff15???????? 50 ff15???????? 8d45f0 33f6 } + $sequence_3 = { 6a09 ff35???????? ff15???????? ff35???????? ff15???????? } + $sequence_4 = { 51 8d45f8 c745f808000000 50 ff15???????? ff15???????? 2b45fc } + $sequence_5 = { 8d45f8 50 ff15???????? ff7508 ff15???????? } + $sequence_6 = { ff35???????? ff15???????? 85c0 7410 6a00 } + $sequence_7 = { 50 ff15???????? 8d45f0 33f6 50 } + $sequence_8 = { 85c0 7410 6a00 ff35???????? ff15???????? } + $sequence_9 = { 50 6a28 ff15???????? 50 ff15???????? 8d45f0 33f6 } condition: 7 of them and filesize < 1054720 
@@ -97466,36 +97776,36 @@ rule MALPEDIA_Win_Swen_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "01c07f06-713c-58de-abb2-d741b6b7f019" - date = "2026-01-05" - modified = "2026-01-06" + id = "643c94ee-d414-519f-856e-aab2365c3e39" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.swen" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.swen_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.swen_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "c23034223b381f25ac775fe21bfc90a4b7d7644747556b010494835d089cdb6c" + logic_hash = "df34358c4a02cbfeba9bbd82fdf44532ec7b5490727ac9260ef8022f3cf54ff4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 8d85e0fdffff 50 e8???????? 59 59 53 } - $sequence_1 = { 895dfc 68c8000000 53 68???????? e8???????? 83c40c 891d???????? } - $sequence_2 = { 8d8564ffffff eb03 8d45c8 50 8d8540feffff 50 e8???????? } - $sequence_3 = { 85c0 740a e8???????? e9???????? 8d85bcfcffff 50 } - $sequence_4 = { 0f84f8020000 8d7801 803f79 750a c78574feffff01000000 8818 8d8581feffff } - $sequence_5 = { 85c0 0f85ccfdffff 6820bf0200 e8???????? 59 8bf8 89bd1cfeffff } - $sequence_6 = { 83c40c 85c0 750c 834dfcff 6a01 58 e9???????? } - $sequence_7 = { 680000aa00 ff15???????? 8945d0 6a08 ff15???????? 
50 ff75a8 } - $sequence_8 = { 57 6a01 68???????? bb???????? 53 bf02000080 57 } - $sequence_9 = { 7456 6a02 53 53 57 ff15???????? ff7508 } + $sequence_0 = { 81c6d0750000 56 ff15???????? ff35???????? ff15???????? 5e } + $sequence_1 = { 56 6a03 bf000000c0 57 68???????? 8d850cffffff 50 } + $sequence_2 = { 50 57 e8???????? 6a71 57 e8???????? be???????? } + $sequence_3 = { 894dcc 3bcb 0f8415ffffff 8bc1 2b45e4 8945e0 } + $sequence_4 = { 0f8452020000 6a04 8d85448affff 50 8bce e8???????? } + $sequence_5 = { 6a10 68???????? 50 6a00 ff15???????? 68b0040000 ff15???????? } + $sequence_6 = { 3bc6 7403 802000 57 e8???????? 59 8945e4 } + $sequence_7 = { 50 50 ff15???????? 898578ffffff 3bc3 740b 53 } + $sequence_8 = { 7415 6a21 6814040000 ff7510 ff36 e8???????? 3bc3 } + $sequence_9 = { 59 6a25 e8???????? 59 85c0 7407 68???????? } condition: 7 of them and filesize < 286720 
@@ -97505,42 +97815,42 @@ rule MALPEDIA_Win_Friedex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "87cac36d-65df-59c3-8519-a2beb3554903" - date = "2026-01-05" - modified = "2026-01-06" + id = "d2b00e14-e6fa-5551-aeaf-2f0f4681123e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.friedex_auto.yar#L1-L178" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.friedex_auto.yar#L1-L177" license_url = "N/A" - logic_hash = "63043516012ac32e3e6d0450f407dc7719100d4d30f90ebfdb7b7cb46cef3e98" + logic_hash = "2a1e410ded990de72d163ace024d3e6d9a680fcd432c565f5e3bbafe389a6806" score = 75 - quality = 73 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 85c0 7403 53 ffd0 6880000000 33db } - $sequence_1 = { 5f 5e 5d 5b 59 c20400 8b4c2404 } - $sequence_2 = { e8???????? 6a2f 8bc8 e8???????? 6a62 8bc8 e8???????? 
} - $sequence_3 = { 55 56 57 6a2a 5f 6a3f 5b } - $sequence_4 = { 7410 6a3f 5a 663bfa } - $sequence_5 = { 5e 5d c20c00 51 51 53 55 } - $sequence_6 = { ff760c ffd0 8b442408 5e c20400 } - $sequence_7 = { 897c2414 5d eb16 0fb730 } - $sequence_8 = { 83c414 5b 5d c3 8b45f0 8b0c850440a500 8b55f8 } - $sequence_9 = { c7424004000000 c7424458270000 c7424800100100 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc } - $sequence_10 = { 8955dc e8???????? 8d0de830a500 890424 894c2404 e8???????? } - $sequence_11 = { 8d155e30a500 83ec04 891424 8945e8 } - $sequence_12 = { 55 89e5 8d055a23a500 5d c3 } - $sequence_13 = { 891424 894c2404 8945f8 e8???????? 8d0d4430a500 31d2 890c24 } - $sequence_14 = { 56 57 53 83ec54 8d055a23a500 } - $sequence_15 = { 890424 894c2404 e8???????? 8d0d4430a500 31d2 8b75f8 89462c } + $sequence_0 = { eb16 0fb730 663bf7 7416 663bf2 7405 663bf3 } + $sequence_1 = { c3 53 55 56 57 8bd9 bf00020000 } + $sequence_2 = { 03cd 0fb711 6685d2 75c1 6a2a 5f } + $sequence_3 = { 663910 7431 8bd8 8d7102 eb1d 32c0 eb39 } + $sequence_4 = { 7408 8bce 8bc3 03f5 eb04 03c5 03cd } + $sequence_5 = { eb1d 32c0 eb39 663bfa 7410 6a3f 5a } + $sequence_6 = { 6a62 8bc8 e8???????? 57 8bc8 e8???????? 56 } + $sequence_7 = { 6a2a 5f 6a3f 5b 6a02 } + $sequence_8 = { 8d0dd830a500 890424 894c2404 e8???????? } + $sequence_9 = { 83ec44 8b4508 8d0d3030a500 31d2 890c24 } + $sequence_10 = { 890c24 c744240400000000 8955e8 e8???????? 8d0dbc30a500 } + $sequence_11 = { 894c2404 e8???????? 8d0d4430a500 31d2 8b75f8 89461c 890c24 } + $sequence_12 = { 891424 894c2404 8945f8 e8???????? 8d0d4430a500 31d2 890c24 } + $sequence_13 = { c7424458270000 c7424800100100 8b7de4 c787cc00000000000000 c787c800000000000000 } + $sequence_14 = { 8955e0 e8???????? 8d0dd830a500 890424 } + $sequence_15 = { c744240400000000 8945f4 8955f0 e8???????? 8d0da030a500 } condition: 7 of them and filesize < 204800 
@@ -97550,36 +97860,36 @@ rule MALPEDIA_Win_Icondown_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52465a95-defc-5467-a071-e9d8d0b66fd6" - date = "2026-01-05" - modified = "2026-01-06" + id = "56c796aa-5be4-5e51-9ab3-a706a3665c10" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.icondown_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.icondown_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "ff2f5c555fcd472199db73f9b56f95ccfa2dde0f7fa2e7a52a938cbd42967fd9" + logic_hash = "6ffec7d7bc8d3d60657be0a2f8145ec147295e9b9c3506a13856c59a033b0c39" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8b4608 8d542414 52 } - $sequence_1 = { 8bcf e8???????? 85c0 7415 8b4c2418 8b10 } - $sequence_2 = { c7466c01000000 8b4b1c 51 ff15???????? 5f 5e 5d } - $sequence_3 = { e8???????? 8d966c020000 52 68e9030000 57 e8???????? 8d8670020000 } - $sequence_4 = { 8b8690000000 8b48f8 85c9 740d 8b4e64 50 51 } - $sequence_5 = { 894e54 8b15???????? 895658 a1???????? 89465c 8b0d???????? } - $sequence_6 = { 46 f680c11c450004 741c 837d1000 } - $sequence_7 = { 895658 a1???????? 89465c 8b0d???????? 894e60 8b15???????? 895664 } - $sequence_8 = { 52 8b481c 51 ff15???????? 
8b442404 6a01 } - $sequence_9 = { 740d 8b01 6a01 ff10 8b4e10 } + $sequence_0 = { c64424272e c644242865 c644242978 c644242a65 885c242b 885c242c } + $sequence_1 = { 50 8d4c241c c744241400000000 e8???????? 85c0 740c 8b442418 } + $sequence_2 = { bf01000000 e8???????? 8b0d???????? 8b4004 8b742440 6a00 } + $sequence_3 = { 5e 5d 5b 81c40c010000 c3 e8???????? } + $sequence_4 = { 55 56 33d2 57 8a11 8b3b 0fafd7 } + $sequence_5 = { 0f8759010000 ff24851f7c4300 017d1c 8a043b } + $sequence_6 = { 5b 81c45c0b0000 c3 8b44241c 83f805 0f8721030000 ff2485bc2f4000 } + $sequence_7 = { c786bc00000078024400 c786c00000004c024400 c786c40000002c024400 c786c800000014024400 c786cc000000f4014400 c786d0000000e0014400 } + $sequence_8 = { 8d047f 8d04c560044500 50 ffd3 5f } + $sequence_9 = { 6a00 6a00 6804130000 50 ff15???????? 3bf8 } condition: 7 of them and filesize < 5505024 
@@ -97589,75 +97899,72 @@ rule MALPEDIA_Win_Darkpulsar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3d640e6f-45ff-5f50-abb3-96bc1483119a" - date = "2026-01-05" - modified = "2026-01-06" + id = "ccd830d3-72cd-5246-8e27-2b001f73e19f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkpulsar_auto.yar#L1-L456" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkpulsar_auto.yar#L1-L428" license_url = "N/A" - logic_hash = "e92897322c1f7ba92ed602b9b405ecfc3237bf769ff600554b34202d8fb12746" + logic_hash = "754b48166252c5a6eefb845247365376c73d931ced0f356cd5855ea2bd876568" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c21000 ff25???????? ff25???????? ff25???????? 33c0 40 } - $sequence_1 = { 33c0 40 c20c00 68???????? 64ff3500000000 } - $sequence_2 = { 3a01 1bc0 83e0fe 40 } - $sequence_3 = { 8b35???????? 57 8b7d08 eb09 803f00 } - $sequence_4 = { ffd6 8bd8 8b450c 0fbe00 50 ffd6 } - $sequence_5 = { ffd6 59 59 3bd8 74e0 } - $sequence_6 = { 47 ff450c 0fbe07 50 ffd6 8bd8 8b450c } - $sequence_7 = { 3bd8 74e0 0fb607 8b4d0c 3a01 } + $sequence_0 = { ff25???????? ff25???????? 33c0 40 c20c00 68???????? } + $sequence_1 = { 5b c21000 ff25???????? ff25???????? ff25???????? 
33c0 } + $sequence_2 = { c20c00 68???????? 64ff3500000000 8b442410 } + $sequence_3 = { 3a01 1bc0 83e0fe 40 } + $sequence_4 = { 50 ffd6 59 59 3bd8 74e0 } + $sequence_5 = { ff450c 0fbe07 50 ffd6 } + $sequence_6 = { 3bd8 74e0 0fb607 8b4d0c 3a01 1bc0 } + $sequence_7 = { 8b35???????? 57 8b7d08 eb09 803f00 742e } $sequence_8 = { 5e c9 c3 56 8b742408 85f6 7412 } - $sequence_9 = { ff75fc ff75f4 e8???????? 59 59 83f8ff } - $sequence_10 = { 33d2 56 57 33c0 } - $sequence_11 = { 8d45cc 50 57 e8???????? 83c410 85c0 } - $sequence_12 = { ffd7 59 5f 5e c3 8b4c2404 } - $sequence_13 = { 50 ff7618 ff15???????? 59 59 85c0 } - $sequence_14 = { 8945fc 8b450c 53 8b5d08 56 57 8945e8 } - $sequence_15 = { 83c410 83f8ff 0f95c1 49 8bc1 } - $sequence_16 = { 59 1bc0 59 40 c3 e9???????? } - $sequence_17 = { 6a01 ff15???????? 8bf0 59 59 3bf7 } - $sequence_18 = { 33d2 c3 8bff 55 8bec b863736de0 } - $sequence_19 = { 53 8b5d10 56 8b7508 33d2 } - $sequence_20 = { 56 e8???????? 59 85c0 7625 } - $sequence_21 = { 8d4601 6a01 50 ff15???????? 8bf8 } - $sequence_22 = { eb03 83c8ff 5f 5e c3 56 } - $sequence_23 = { 59 5e 8b45fc c9 c3 } - $sequence_24 = { e8???????? 8bf0 46 56 ff15???????? 59 59 } + $sequence_9 = { 8d4601 6a01 50 ff15???????? 8bf8 } + $sequence_10 = { 59 5e 8b45fc c9 } + $sequence_11 = { 83c410 83f8ff 0f95c1 49 } + $sequence_12 = { 33d2 c3 8bff 55 8bec b863736de0 394508 } + $sequence_13 = { 53 33d2 56 57 33c0 } + $sequence_14 = { 50 ff7618 ff15???????? 59 59 85c0 } + $sequence_15 = { ffd7 59 5f 5e c3 8b4c2404 85c9 } + $sequence_16 = { e8???????? ff7514 89460c e8???????? } + $sequence_17 = { 8bc1 c3 8b442404 85c0 7501 } + $sequence_18 = { ff760c ff7608 ff36 e8???????? 8bf8 } + $sequence_19 = { e8???????? 8bf0 46 56 ff15???????? 59 59 } + $sequence_20 = { 8d45cc 50 57 e8???????? 83c410 85c0 } + $sequence_21 = { 6a01 ff15???????? 8bf0 59 59 3bf7 } + $sequence_22 = { ff75fc ff75f4 e8???????? 59 59 83f8ff } + $sequence_23 = { f7d8 59 1bc0 59 40 c3 e9???????? } + $sequence_24 = { 56 e8???????? 
59 85c0 7625 } $sequence_25 = { e8???????? 59 5e 83f8ff } - $sequence_26 = { 5f 5e c3 8b442404 85c0 7503 } - $sequence_27 = { 56 57 8b7d10 7e05 83c220 eb03 } - $sequence_28 = { 6a7f 58 33f6 83e107 46 d3e6 85f0 } - $sequence_29 = { 8bf8 85ff 750f 50 50 8d45f4 } - $sequence_30 = { 50 ffd7 f6450801 5f 7409 56 e8???????? } - $sequence_31 = { 33ff 895dfc 3bc7 7509 8b0b } - $sequence_32 = { e8???????? 83c40c 83f8ff 740e ff75e4 ff15???????? } - $sequence_33 = { eb28 57 8d45f4 56 50 e8???????? } - $sequence_34 = { ff742410 ff742410 ff15???????? 33c9 } - $sequence_35 = { c20400 8b4508 8b10 8b4008 8d4e08 51 } - $sequence_36 = { 8b7d08 837f3c04 7405 33c0 5f 5d } - $sequence_37 = { 8b7d14 8975f4 3b37 7734 8b750c } - $sequence_38 = { ff25???????? c3 8b442404 c705????????00102500 c705????????10102500 } - $sequence_39 = { 56 ff15???????? 83f8ff 7433 33c0 } - $sequence_40 = { 0f841b010000 3bf0 0f8413010000 394708 0f840a010000 894608 } - $sequence_41 = { 8b442408 884101 c1e808 8801 8d4102 } - $sequence_42 = { ddd9 f6c444 7b09 ddd8 b8???????? eb5b 51 } - $sequence_43 = { 33ff 8945f4 8945f8 e8???????? 83c404 8945fc } - $sequence_44 = { 8945fc bacdab0000 8d45f4 52 50 } - $sequence_45 = { 894588 7404 40 894588 83659800 85c0 0f8610010000 } - $sequence_46 = { 00db 7309 7515 8a1e } - $sequence_47 = { 85f6 7425 3b4d10 0f8394010000 8b7514 } - $sequence_48 = { e8???????? dc1d???????? 83c410 dfe0 f6c444 } + $sequence_26 = { 8b5d10 56 8b7508 33d2 } + $sequence_27 = { 894dfc 33c9 66894e02 668906 8b55e8 8b45f0 } + $sequence_28 = { 00db 7313 752f 3b742404 0f830b010000 } + $sequence_29 = { 6aff 50 33f6 ff15???????? 85c0 8d4603 7502 } + $sequence_30 = { 6888130000 ff15???????? 8b4e08 68???????? 6a05 51 e8???????? } + $sequence_31 = { 83f808 7718 ff2485a4344000 8b4634 50 83c64c } + $sequence_32 = { ff742408 ff15???????? 
33c0 c3 55 8bec } + $sequence_33 = { 83f8ff 7433 33c0 663b03 754a 57 50 } + $sequence_34 = { 33c5 8945fc bacdab0000 8d45f4 } + $sequence_35 = { 52 52 64ff37 648927 8dbd6dffffff 56 83c608 } + $sequence_36 = { 3bc3 7e1f ff75e4 ff75dc 57 e8???????? } + $sequence_37 = { 8b5008 eb02 33d2 85c0 7405 8b400c } + $sequence_38 = { 50 ff758c e8???????? 0fb606 50 } + $sequence_39 = { 83ff40 7ce8 5f 5e 8bd5 5d 8bc3 } + $sequence_40 = { 884806 8a4dff c1ee18 885004 887005 884807 5e } + $sequence_41 = { 00db 7313 75e1 3b742404 0f8318010000 } + $sequence_42 = { 00db 7309 75f4 8a1e 46 10db } + $sequence_43 = { 884803 c1ea10 c1e918 885001 } + $sequence_44 = { 85f6 75d2 8d47ff f7d8 } + $sequence_45 = { 8b0f 8b5708 51 52 50 } condition: 7 of them and filesize < 491520 
@@ -97667,36 +97974,36 @@ rule MALPEDIA_Win_Unidentified_013_Korean_Malware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d60dc930-c78c-5d42-af04-60f16f7605c1" - date = "2026-01-05" - modified = "2026-01-06" + id = "2273887d-2ee6-5b1f-bc86-c401f41b8119" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_013_korean_malware_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_013_korean_malware_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "9a5847dac5275d9c2120b30f47a61dd30ccc7df5d5dee4cad62b8a046a1148d9" + logic_hash = "01aabed0398c5a716a2c88a1b7f757552c7c50a374413c4d770a63060a967eed" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6888130000 4f ffd6 e8???????? 85c0 74eb bfb4000000 } - $sequence_1 = { eb20 8d4604 c60000 eb18 8bc2 c604083f 897e14 } - $sequence_2 = { e8???????? 8d842454030000 50 83ec1c 8bcc 899c2480060000 } - $sequence_3 = { 837c242401 0f85be000000 0fb6542e04 3bd1 7412 } - $sequence_4 = { e8???????? 83c404 837c243410 7221 8b442420 } - $sequence_5 = { 8b4c2410 51 57 50 8944243c ff15???????? 8bf0 } - $sequence_6 = { e8???????? 
81c41c010000 c3 55 6a00 6a00 } - $sequence_7 = { 50 8d842458060000 64a300000000 68???????? 68???????? 68???????? } - $sequence_8 = { 8b842420010000 53 56 57 } - $sequence_9 = { 395c2440 7304 8d44242c 8a1c38 0fb6cb } + $sequence_0 = { ff15???????? 8bf0 85f6 740e 8d54240c 52 ff15???????? } + $sequence_1 = { 8b542408 52 e8???????? 83c404 8b8c2420070000 8bc6 } + $sequence_2 = { 837c242401 0f85be000000 0fb6542e04 3bd1 7412 } + $sequence_3 = { 40 84c9 75f9 2bc2 8d6801 8d4501 3944241c } + $sequence_4 = { 83c414 6a00 6a00 6a00 8d4c2460 51 68???????? } + $sequence_5 = { 894808 80f34d 33c9 89500c 85ff 7c17 7f04 } + $sequence_6 = { 803c337f 8944242c 0f840f010000 3bd8 0f8307010000 0fb6543301 } + $sequence_7 = { c744240c08000000 eb22 8b44241c 8d542410 52 56 } + $sequence_8 = { 43 803c337f 0f85f1feffff 33ff 5b 5d 3bf7 } + $sequence_9 = { ff15???????? 5e 85c0 7406 881d???????? 5b } condition: 7 of them and filesize < 204800 
@@ -97706,34 +98013,34 @@ rule MALPEDIA_Win_Dropshot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "346ce58d-bd06-5f2e-8d2b-941cfe3b7a37" - date = "2026-01-05" - modified = "2026-01-06" + id = "87699bdb-edfc-575f-84fa-ee00dfb94f28" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dropshot_auto.yar#L1-L100" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dropshot_auto.yar#L1-L96" license_url = "N/A" - logic_hash = "e0a96c7028a31f8096e80273f88669f127d961f8172465734bc77ab98df7c7f9" + logic_hash = "bf961b98e54ded0f03e3fd667cf51139573a4a56db29e385cefb89595124eabf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a05 ff15???????? ff15???????? 6a00 6a00 6a00 } + $sequence_0 = { 6800100000 6804010000 6a00 ff15???????? } $sequence_1 = { ff15???????? 5d c3 3b0d???????? f27502 } $sequence_2 = { 6a64 ff15???????? 6800800000 6a00 } - $sequence_3 = { e8???????? eb05 e8???????? 68e8030000 ff15???????? } - $sequence_4 = { 6a00 6a00 ff15???????? 6a00 6a00 68???????? } - $sequence_5 = { ff15???????? 6a04 6800100000 6808020000 } - $sequence_6 = { e8???????? 83c40c 6a04 6800100000 6804010000 6a00 } - $sequence_7 = { ff15???????? 6a00 ff15???????? 6a05 ff15???????? ff15???????? 
} + $sequence_3 = { e8???????? 83c40c 6a04 6800100000 6804010000 } + $sequence_4 = { 6a00 ff15???????? 6a05 ff15???????? ff15???????? 6a00 } + $sequence_5 = { 6a00 6a00 ff15???????? 6a00 6a00 68???????? } + $sequence_6 = { ff15???????? 6a04 6800100000 6808020000 } + $sequence_7 = { e8???????? eb05 e8???????? 68e8030000 } condition: 7 of them and filesize < 483328 
@@ -97743,36 +98050,36 @@ rule MALPEDIA_Win_Gamotrol_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2b2204da-4f22-547c-9de3-80e2483d6d42" - date = "2026-01-05" - modified = "2026-01-06" + id = "97e0272d-6cb9-53e9-90b7-0c03f9b512a0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gamotrol_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gamotrol_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "0a158c049548339723eb169f446010e4bcdbd33e0805ca045362a8d262920ab1" + logic_hash = "6cbc073e125c3bb77d773efbb6de32ec3baf3a8b0e72330eeeb1aa7f5e080b80" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 90 55 90 } - $sequence_1 = { eb82 55 8bec 83ec20 56 33f6 39750c } - $sequence_2 = { 83c40b 83ec0b 68b4c2ffff 83c410 83c4f0 6aff 68???????? } - $sequence_3 = { c1c804 8945fc 61 8b45f4 } - $sequence_4 = { 83ec0b 83c40f 83c4f1 83c45b 83ec5b 90 90 } - $sequence_5 = { cc 8b442404 a3???????? c3 8b442404 a3???????? a3???????? } - $sequence_6 = { 5d 85c0 7709 33c0 5f 5e } - $sequence_7 = { 8945e4 90 90 55 8bec } - $sequence_8 = { 81ec00020000 8d6c24fc a1???????? 33c5 898500020000 6a0c b8???????? } - $sequence_9 = { 6aff 6a00 68???????? 6a00 ff15???????? 
} + $sequence_0 = { ff15???????? 55 90 90 8bec 83c40b } + $sequence_1 = { 83ec51 85f6 90 90 } + $sequence_2 = { 57 8b39 742e 39510c } + $sequence_3 = { 833cb8ff 8d04b8 7409 8b08 } + $sequence_4 = { 397e0c 7e23 8d9b00000000 8b4608 833cb8ff } + $sequence_5 = { ff75e0 e8???????? 8b4de0 8945ec } + $sequence_6 = { 81ec00020000 8d6c24fc a1???????? 33c5 898500020000 6a0c b8???????? } + $sequence_7 = { 40 5e c3 e9???????? 6aff } + $sequence_8 = { 56 57 90 55 } + $sequence_9 = { 83c40f 83c4f1 83c45b 83ec5b 90 90 8be5 } condition: 7 of them and filesize < 376832 
@@ -97782,74 +98089,75 @@ rule MALPEDIA_Win_Zloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c82bdc7a-19f8-5960-9bcc-6c492cb6c67f" - date = "2026-01-05" - modified = "2026-01-06" + id = "cc92105d-eeb7-5d05-a0d8-12e25c0b3c7f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zloader_auto.yar#L1-L439" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zloader_auto.yar#L1-L440" license_url = "N/A" - logic_hash = "7399a4c9ef7efb487c077e3212ee75c6de9b99417941b9d003194efb50454bdf" + logic_hash = "b2a97408c6db24138c9a9d427202ea42f6b02df9431f518e8b3c088794dd6b2a" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 e8???????? 83c40c 84c0 740b } - $sequence_1 = { 6a00 e8???????? 83c408 56 6a08 } - $sequence_2 = { 53 e8???????? 83c404 89c6 8d0436 50 53 } - $sequence_3 = { 0fb7c0 57 50 53 e8???????? 83c40c 89f1 } - $sequence_4 = { 55 89e5 8b4d08 e8???????? 6aff 50 68???????? } + $sequence_0 = { 0fb7c0 57 50 53 e8???????? } + $sequence_1 = { 57 6a01 56 ffd0 89f7 } + $sequence_2 = { 50 ff7508 53 e8???????? 83c40c 66c7047b0000 } + $sequence_3 = { 31db 8d8df0feffff e8???????? 89d8 81c404010000 5e 5f } + $sequence_4 = { 51 e8???????? 
83c40c 84c0 740b } $sequence_5 = { 0fb7450c 8d9df0feffff 53 50 ff7508 e8???????? } - $sequence_6 = { 31db 8d8df0feffff e8???????? 89d8 81c404010000 } - $sequence_7 = { 53 e8???????? 83c40c 66c7047b0000 89f0 5e 5f } + $sequence_6 = { 56 8b750c ff7508 e8???????? 83c404 } + $sequence_7 = { 56 8b7d0c 57 e8???????? 83c404 } $sequence_8 = { 56 50 a1???????? 89c1 } - $sequence_9 = { e8???????? 89c1 89f0 99 } - $sequence_10 = { e8???????? 4889c1 ba01000000 e8???????? a801 } - $sequence_11 = { ffd0 83f800 0f9dc0 2401 } - $sequence_12 = { ffd0 b001 2401 0fb6c0 } - $sequence_13 = { e8???????? eb00 eb00 eb00 eb00 eb00 } - $sequence_14 = { ffd0 83f800 7505 e9???????? } - $sequence_15 = { e8???????? a801 7502 eb0d } - $sequence_16 = { 41b802000000 e8???????? a801 7505 } - $sequence_17 = { eb00 eb00 e9???????? eb00 e8???????? } - $sequence_18 = { 57 56 50 8b4510 31db } - $sequence_19 = { 59 84c0 7432 68???????? } - $sequence_20 = { 7432 68???????? ff742408 e8???????? 59 } - $sequence_21 = { 8bc3 5b c3 8b44240c 83f8ff 750a ff742408 } - $sequence_22 = { ff742410 ff742410 6a00 e8???????? 83c414 c3 56 } - $sequence_23 = { 03c0 6689442438 8b442438 83c002 } - $sequence_24 = { 7cf5 5f c6043000 5e c3 56 } - $sequence_25 = { 6aff 50 e8???????? 8d857cffffff 50 } - $sequence_26 = { 5e c3 56 57 8b7c2414 83ffff } - $sequence_27 = { 8d442418 99 52 50 8d44243c 99 52 } - $sequence_28 = { 50 89542444 e8???????? 03c0 6689442438 } - $sequence_29 = { 50 56 56 56 ff7514 } - $sequence_30 = { 83c414 c3 56 ff742410 8b74240c ff742410 } - $sequence_31 = { c7462401000000 c7462800004001 e8???????? 89460c } - $sequence_32 = { e9???????? ff4c2408 7406 33c0 } - $sequence_33 = { e8???????? 83c414 c3 8b542404 85d2 7503 } - $sequence_34 = { 89e5 53 57 56 81eca8020000 } - $sequence_35 = { 83c1fc 894c2404 890424 e8???????? } - $sequence_36 = { 89b42430010000 8b842430010000 8b842430010000 890424 c74424041c010000 e8???????? c74424101c010000 } - $sequence_37 = { 68???????? ff742410 e8???????? 
6823af2930 56 ff742410 e8???????? } - $sequence_38 = { 33f6 e8???????? ff7508 8d85f0fdffff 68???????? } - $sequence_39 = { 53 56 57 ff750c 33db 68???????? } - $sequence_40 = { 5f 5e 5b c3 8bc2 ebf8 53 } - $sequence_41 = { 8d8578fdffff 50 68???????? 6804010000 ff7508 e8???????? } - $sequence_42 = { 50 6a72 e8???????? 59 } - $sequence_43 = { 33db 68???????? 6880000000 50 e8???????? 83c410 } - $sequence_44 = { 50 e8???????? 8d4580 50 8d8578fdffff 50 68???????? } - $sequence_45 = { ebf7 8d442410 50 ff742410 ff742410 ff742410 e8???????? } - $sequence_46 = { e8???????? 68???????? 56 e8???????? 8bf0 59 } - $sequence_47 = { c3 56 8b742408 6804010000 68???????? } + $sequence_9 = { 486bd228 4801d1 8b490c 4801c8 } + $sequence_10 = { 4531c9 c744242003000000 c744242800000004 48c744243000000000 ffd0 } + $sequence_11 = { 4889442420 c744242804000000 e8???????? 2401 0fb6c0 } + $sequence_12 = { 4531c9 ffd0 83f800 0f94c0 2401 } + $sequence_13 = { 486bd228 4801d1 8b4914 4801c8 } + $sequence_14 = { 4889442420 e8???????? 88c1 31c0 } + $sequence_15 = { 4531c0 e8???????? a801 7505 e9???????? } + $sequence_16 = { 41b800000210 89442420 e8???????? 2401 } + $sequence_17 = { e8???????? 59 84c0 7432 68???????? } + $sequence_18 = { 8bc3 5b c3 8b44240c 83f8ff 750a ff742408 } + $sequence_19 = { 7432 68???????? ff742408 e8???????? 59 59 } + $sequence_20 = { 56 50 8b4510 31db } + $sequence_21 = { 5f c6043000 5e c3 56 57 8b7c2414 } + $sequence_22 = { 6689442438 8b442438 83c002 668944243a } + $sequence_23 = { e8???????? 03c0 6689442438 8b442438 } + $sequence_24 = { 6a00 e8???????? 83c414 c3 56 ff742410 } + $sequence_25 = { 6aff 50 e8???????? 8d857cffffff } + $sequence_26 = { 50 8d44243c 99 52 50 } + $sequence_27 = { 50 89542444 e8???????? 03c0 } + $sequence_28 = { 50 56 56 56 ff7514 } + $sequence_29 = { e8???????? 83c414 c3 8b542404 85d2 7503 } + $sequence_30 = { 83c408 5e 5d c3 55 89e5 57 } + $sequence_31 = { c7460488130000 c7462401000000 c7462800004001 e8???????? 
} + $sequence_32 = { 8d442450 99 89442448 83c40c 8d442444 50 89542444 } + $sequence_33 = { 89e5 53 57 56 81eca8020000 } + $sequence_34 = { 57 56 83ec18 89d6 89cf 8d0476 8945ec } + $sequence_35 = { 5d c3 51 64a130000000 } + $sequence_36 = { 8b842430010000 890424 c74424041c010000 e8???????? c74424101c010000 893424 } + $sequence_37 = { 5e 5b c3 8bc2 ebf8 53 } + $sequence_38 = { 33db 68???????? 6880000000 50 e8???????? 83c410 } + $sequence_39 = { 57 50 e8???????? 68???????? 56 e8???????? } + $sequence_40 = { 57 ff750c 33db 68???????? } + $sequence_41 = { e8???????? ff7508 8d85f0fdffff 68???????? 6804010000 50 } + $sequence_42 = { ebf8 53 8b5c240c 55 33ed 66392b 7506 } + $sequence_43 = { 50 6a72 e8???????? 59 } + $sequence_44 = { 68???????? ff742410 e8???????? 6823af2930 56 ff742410 } + $sequence_45 = { 83c40c 5e 8bc3 5b c3 8b4c2404 } + $sequence_46 = { 8d8578fdffff 50 68???????? 6804010000 ff7508 e8???????? } + $sequence_47 = { e8???????? 8d4580 50 8d8578fdffff 50 68???????? } + $sequence_48 = { c3 56 8b742408 6804010000 68???????? } condition: 7 of them and filesize < 5360640 
@@ -97859,39 +98167,39 @@ rule MALPEDIA_Win_Tinba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9e77c24-46b9-5cf7-a828-2a850fe6f2a6" - date = "2026-01-05" - modified = "2026-01-06" + id = "e390b693-114f-5257-9e11-b03fbbf2963c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinba_auto.yar#L1-L142" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinba_auto.yar#L1-L143" license_url = "N/A" - logic_hash = "374a170ff41ebad47f064bc534bfadb5eb7ba02780fab8542e6fa86bf64ae9a3" + logic_hash = "23f2c81c3b66f37b4f88bb87fe29530de259e1c8ca3564bc5a3b6b2fa42795fb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7508 ad 50 56 } - $sequence_1 = { 8b4510 aa 8b450c ab } - $sequence_2 = { 6a00 6a00 ff750c 6a00 6a00 ff7508 } - $sequence_3 = { 8a241f 88240f 88041f 41 } - $sequence_4 = { 7416 66b80d0a 66ab b8436f6f6b ab b869653a20 } - $sequence_5 = { 7437 b912000000 48 8d3db0010000 807a180f } - $sequence_6 = { 72ee 87ce 89f8 29ce f3a4 29fe } - $sequence_7 = { bb0a000000 31d2 f7f3 52 41 } - $sequence_8 = { 3c0a 7304 0430 eb02 0437 aa c14d0804 } - $sequence_9 = { 40 eb12 ff7514 ff7510 ff750c } - $sequence_10 = { 85c0 741b 66b80d0a 66ab b855736572 } - $sequence_11 = { 8d7a33 f6c304 740a 834a3540 66a5 } - 
$sequence_12 = { 8b0e 3b4d10 7603 8b4d10 51 57 ff750c } + $sequence_0 = { 8b4510 aa 8b450c ab } + $sequence_1 = { 8b7508 ad 50 56 } + $sequence_2 = { 8a241f 88240f 88041f 41 } + $sequence_3 = { 6a00 6a00 6a00 ff750c 6a00 6a00 ff7508 } + $sequence_4 = { ab 48 83ec20 4c 89f1 48 c7c240000000 } + $sequence_5 = { b82d416765 ab b86e743a20 ab } + $sequence_6 = { 8b7d0c 83c707 8b4508 83e00f } + $sequence_7 = { 834a3504 80f903 7430 3c04 752c } + $sequence_8 = { 7304 0430 eb02 0437 aa c14d0804 } + $sequence_9 = { 7403 b073 aa b83a2f2f00 ab 4f } + $sequence_10 = { 8b4114 83f8fd 7506 8b4108 8b4014 } + $sequence_11 = { 7407 814a3500020000 f6c320 7407 814a3500080000 4c 29c6 } + $sequence_12 = { 7442 8a4218 24f8 3cb8 7514 807a0801 750e } condition: 7 of them and filesize < 57344 @@ -97902,10 +98210,10 @@ rule MALPEDIA_Win_Eagerbee_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "7a126278-7eb1-5d08-9b25-74b27f2a3312" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.eagerbee_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.eagerbee_auto.yar#L1-L128" license_url = "N/A" logic_hash = "a3d744962e3184242280e8a1606b8e9d39f3a62e4bfb278481827290e0059489" score = 75 
@@ -97914,9 +98222,9 @@ rule MALPEDIA_Win_Eagerbee_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -97940,36 +98248,36 @@ rule MALPEDIA_Win_Darkdew_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "915d3fba-ccdb-58ec-bef5-fbfe3e57f2e5" - date = "2026-01-05" - modified = "2026-01-06" + id = "f5713b05-d68d-5a96-8b8b-3746cbaf2177" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkdew" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkdew_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkdew_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "2001511710881b4d822d294ff1446e10aa21b9b50a4d4e2fae3fc5a2bc0825b8" + logic_hash = "11e20ec5dc70dfd13de9b6788add5450b8305995cd717588a944e82f9fc44478" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d7e01 3bfb 7ed0 83c8ff eb07 8b04f55c710110 5f } - $sequence_1 = { 7214 8b49fc 83c223 2bc1 83c0fc 83f81f 0f87860f0000 } - $sequence_2 = { b991000000 8dbd70e2ffff 8bf2 f3a5 b991000000 } - $sequence_3 = { 6804010000 8d85b4fcffff 6a00 50 e8???????? 
83c40c } - $sequence_4 = { 83fe10 8bbd68ffffff 0f43cf 8d5101 } - $sequence_5 = { c745e807000000 668945d4 83fa10 722c 8b4d9c 42 8bc1 } - $sequence_6 = { 8d85e4f7ffff f3a5 50 8d8528faffff b991000000 8bf3 8dbd18f9ffff } - $sequence_7 = { 8d9534fcffff 0f43ce 2bd1 8a01 8d4901 88440aff 84c0 } - $sequence_8 = { 83c404 83781408 7202 8b00 50 6a00 } - $sequence_9 = { eb07 8b0cc5645c0110 894de4 85c9 7455 8b4510 } + $sequence_0 = { 83e801 0f8595010000 c745e4545d0110 e9???????? 894de0 c745e4545d0110 } + $sequence_1 = { 8d4d9c 0f43c8 83ff0b 754d ba???????? } + $sequence_2 = { 50 ff15???????? 48 b991000000 f7d8 1bc0 697df844020000 } + $sequence_3 = { 50 ff15???????? 837db010 8d459c 6a06 0f43459c 50 } + $sequence_4 = { 83e13f c1f806 6bc938 8b0485a0f30110 0fb6440828 } + $sequence_5 = { 2bc1 83f801 7218 8d4101 83fa10 8945c8 8d45b8 } + $sequence_6 = { 84c0 75f9 2bca 83fe10 8d55dc 51 } + $sequence_7 = { 0f8723010000 8d040a 8bcb 3bc3 } + $sequence_8 = { e8???????? 83c40c 33c0 6689047e 8b7db4 eb18 } + $sequence_9 = { 2bf9 8b8d5cffffff 8bc2 2bc1 } condition: 7 of them and filesize < 279552 
@@ -97979,36 +98287,36 @@ rule MALPEDIA_Win_Dorkbot_Ngrbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "95e01109-549b-5610-b7bb-c1343e7b4ee5" - date = "2026-01-05" - modified = "2026-01-06" + id = "40ac6e00-a500-517c-8ccd-ea97b189e649" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dorkbot_ngrbot_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dorkbot_ngrbot_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "ea5d98b6b45b739ecbab0036be4d19cc99f655fde99b26bfe861c5599dba1365" + logic_hash = "63ca81ee65976da32d14a7f4db9541249613a563992e053a81f7d12ece273b64" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 740c 8b8cb51cffffff 51 ffd0 eb0d 8b94b51cffffff } - $sequence_1 = { 85f6 0f84a8020000 6a00 6800040000 8d9578fbffff } - $sequence_2 = { ff15???????? 85c0 0f8c9f000000 8b4508 85c0 0f8494000000 8b4dfc } - $sequence_3 = { e8???????? 8bf0 83c408 85f6 0f84dc000000 6a06 68???????? } - $sequence_4 = { 51 7416 68???????? 52 50 e8???????? 83c410 } - $sequence_5 = { 8b4d0c 51 50 6a00 ff15???????? 50 ff15???????? } - $sequence_6 = { 8d85f1feffff 6a00 50 c685f0feffff00 e8???????? 8b4d14 83c40c } - $sequence_7 = { 8d8500f8ffff 50 ff15???????? 
8b550c 8b4508 8d8d00f8ffff 51 } - $sequence_8 = { 8d55f0 52 68???????? e8???????? 83c40c 85c0 7530 } - $sequence_9 = { b8???????? 5b 8be5 5d c3 ff15???????? 5e } + $sequence_0 = { 25ff000000 038c8604040000 53 6a00 51 e8???????? } + $sequence_1 = { e8???????? 83c41c a3???????? e8???????? 68???????? 68???????? e8???????? } + $sequence_2 = { 52 ff15???????? 6a00 8d85f8feffff 50 68???????? e9???????? } + $sequence_3 = { 51 6a1b e8???????? 50 ff15???????? 5e 85c0 } + $sequence_4 = { b8???????? 8b08 51 56 e8???????? 83c408 3bc3 } + $sequence_5 = { 33f6 8da42400000000 a1???????? 6a00 53 57 } + $sequence_6 = { 837d1000 7507 33c0 5b 8be5 5d c3 } + $sequence_7 = { 8b550c 50 8b04b508643a02 51 52 50 68???????? } + $sequence_8 = { 85c0 0f8419010000 8b4e24 8b5618 6a00 51 50 } + $sequence_9 = { 8b4508 68???????? 50 e8???????? 83c408 f7d8 1bc0 } condition: 7 of them and filesize < 638976 
@@ -98018,36 +98326,36 @@ rule MALPEDIA_Win_Backswap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0b4784b7-cd96-5e54-a073-0338b4b75481" - date = "2026-01-05" - modified = "2026-01-06" + id = "481c73e9-95c8-592a-b1b4-7cb19ed77176" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.backswap_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.backswap_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "2b5d3806ddf0898828d393c845cc1b722a49353e80ebab2271198eaec3b3ad5a" + logic_hash = "4addfbc2af9d175b6796b609739159332a36e91eb4793c17e5384191c866e055" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c9 e9???????? b32a 397d14 7412 47 8a07 } - $sequence_1 = { f366a5 59 5f 5e c9 c20c00 55 } - $sequence_2 = { eb04 8bc6 91 41 5e 5f } - $sequence_3 = { 74c4 3c2a 7508 8bdf 897508 4e ebb8 } - $sequence_4 = { 33d2 8bdf 4b eb1c 85c9 7508 3bdf } - $sequence_5 = { 7482 8b7508 ff4508 8bfb 3bd3 0f8572ffffff 33c9 } - $sequence_6 = { 7404 8bce 8bd3 397d14 0f8e99000000 39750c 7e7b } - $sequence_7 = { d1e9 f366a5 59 5f 5e } - $sequence_8 = { e8???????? 74ed 33c0 eb04 } - $sequence_9 = { 33c9 e9???????? 
b32a 397d14 } + $sequence_0 = { 3c2a 7508 8bdf 897508 } + $sequence_1 = { f366a5 59 5f 5e c9 } + $sequence_2 = { 7482 8b7508 ff4508 8bfb 3bd3 } + $sequence_3 = { 33c9 33d2 8bdf 4b eb1c 85c9 } + $sequence_4 = { 4b eb1c 85c9 7508 3bdf 7404 } + $sequence_5 = { c9 c21000 83f0ff 5e 5f 5a } + $sequence_6 = { e8???????? 74ed 33c0 eb04 8bc6 91 } + $sequence_7 = { 7404 8bce 8bd3 397d14 0f8e99000000 39750c } + $sequence_8 = { 8bfb 3bd3 0f8572ffffff 33c9 } + $sequence_9 = { 55 8bec 56 57 51 fc } condition: 7 of them and filesize < 122880 
@@ -98057,75 +98365,114 @@ rule MALPEDIA_Win_Poscardstealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53d91898-d02d-53b9-9813-59bf55e7c619" - date = "2026-01-05" - modified = "2026-01-06" + id = "93381abe-05cc-5861-8a9d-79af1fc11ddc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poscardstealer_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poscardstealer_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "8ad471a582e54a99878737b3b5b570978ce78744521ef98846f72f0bfe800fbd" + logic_hash = "0e2c0b695090149a314e3640c533f832c1baa01c7b5cdf940bb738b4a06f3aef" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5610 8955e4 8b4614 8945e8 897e10 897e14 837dcc10 } - $sequence_1 = { 6aff 6a00 50 8bce c645fc02 e8???????? 837de810 } - $sequence_2 = { e8???????? 83c404 397de8 0f82f6000000 } - $sequence_3 = { 51 e8???????? 83c420 50 8d8d74ffffff } - $sequence_4 = { 8901 c9 c3 3b0d???????? 7502 } - $sequence_5 = { 8bbd90edffff 40 898570edffff 3bc7 0f8ceffbffff 8b0d???????? } - $sequence_6 = { 7305 83c8ff eb08 33c0 83fe01 0f95c0 3bc7 } - $sequence_7 = { 8d45f4 64a300000000 8b35???????? c745fc00000000 8975ac 3b35???????? } - $sequence_8 = { c645fc01 e8???????? 
6aff 40 50 8d559c 52 } - $sequence_9 = { c645fc0e e8???????? c645fc05 397de8 720c 8b4dd4 51 } + $sequence_0 = { 33c0 668b4d08 663b88600a4200 740d 83c002 } + $sequence_1 = { 64a300000000 8b35???????? 8975ac 3b35???????? 0f84fc000000 } + $sequence_2 = { 8917 83c704 89bd80edffff eb68 8b8d84edffff 3bd1 } + $sequence_3 = { 8b45b0 56 50 51 ff15???????? 8b5590 8bcf } + $sequence_4 = { 83ff0c 7e79 8bc7 f7d8 8945c8 eb03 8b45c8 } + $sequence_5 = { 50 8d45f4 64a300000000 8b7508 8b4528 } + $sequence_6 = { 8bce c645fc12 e8???????? 837de810 c645fc01 } + $sequence_7 = { 68???????? 50 e8???????? 83c40c 3bc7 7514 83fe01 } + $sequence_8 = { 8d34c5f05b4200 833e00 7513 50 e8???????? 59 85c0 } + $sequence_9 = { 8b45e0 8a8064614200 08443b1d 0fb64601 } condition: 7 of them and filesize < 362496 } +rule MALPEDIA_Win_Astarion_Rat_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "8d9eb3c4-eb44-59c0-a510-1aa8f6d16eb2" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.astarion_rat" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.astarion_rat_auto.yar#L1-L129" + license_url = "N/A" + logic_hash = "b688494e5660adbde71574cd27307fc450493b8cd768be8ac6dc24b5a472c85d" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { e8???????? 488b4f48 e8???????? 488bcf e8???????? 4c8b642448 488b6c2458 } + $sequence_1 = { 85c0 7506 8885f0010000 8b4c2478 488d542450 ff15???????? 85c0 } + $sequence_2 = { 0f2805???????? 0f298de0000000 0f280d???????? 
66898518010000 0fb605???????? 0f298520010000 0f2805???????? } + $sequence_3 = { 488945f8 48b843004d0044000000 48894550 488d4558 c745a068000000 66897de0 c745dc01010000 } + $sequence_4 = { 4c8d053b880100 488d153c880100 e8???????? 4885c0 740f 488bcb 4883c420 } + $sequence_5 = { e8???????? 488bce e9???????? ff15???????? 488b442460 4533c9 } + $sequence_6 = { e8???????? eb1c 4533c9 488bd7 4533c0 } + $sequence_7 = { ff15???????? 85c0 0f8862010000 ba02000000 4489642428 8bca } + $sequence_8 = { eb08 468bbc0d28010000 488bce ff15???????? 418bcf ff15???????? } + $sequence_9 = { 488b4e48 e8???????? 488b4e50 e8???????? 488b4e58 e8???????? 488b4e60 } + + condition: + 7 of them and filesize < 462848 +} rule MALPEDIA_Win_Hotwax_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8f2ed895-b1d8-5520-8ccc-967359fd3764" - date = "2026-01-05" - modified = "2026-01-06" + id = "e7883842-4ab7-56d4-bdc0-e343dca93854" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hotwax_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hotwax_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "d7cd386e473b27344ee89ce7aa7064b521c3dfeec69fed7db0108e253da6990c" + logic_hash = "eaf252828d91fc78ae2ff8650e17192fb78acb3462494b34fd0114c903c1e1d4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" 
malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 807d580a 4c8d05737dffff 740f eb07 4c8d05687dffff 448823 48ffc3 } - $sequence_1 = { 488d542448 488d8c2400020000 e8???????? 488b5c2448 85c0 740b ff15???????? } - $sequence_2 = { 4889842410030000 488bf9 488d8c2401020000 33d2 41b803010000 c684240002000000 } - $sequence_3 = { 488d15edd30000 488bcb 488905???????? ff15???????? 488d15bed30000 } - $sequence_4 = { 4533db 488d9424f0000000 41b803010000 44895c2440 4c895c2448 ff15???????? 833d????????00 } - $sequence_5 = { 486bd258 490394c1a04b0100 f6423880 742c } - $sequence_6 = { c785080500004c647247 c7850c05000065745072 c785100500006f636564 c7851405000075726541 c7851805000064647265 } - $sequence_7 = { 0f84da000000 488b9424b0000000 8bd8 410fb7f6 4803da 488d3c0a 488b0b } - $sequence_8 = { 488b0d???????? eb7c 4c8d256a830000 488b0d???????? eb6c e8???????? } - $sequence_9 = { 33c0 e9???????? 48895c2408 4c63c1 488d1d45770000 4d8bc8 } + $sequence_0 = { 85c9 743f 83f902 7605 } + $sequence_1 = { 4863d9 488d2d57960000 488bfb 83e31f 48c1ff05 } + $sequence_2 = { 488d05f9b70000 c3 4053 4883ec20 } + $sequence_3 = { 418b8790000000 85c0 0f8491010000 488d2c02 } + $sequence_4 = { 48c1f805 4c8d0573710000 83e11f 486bc958 498b04c0 80640808fe } + $sequence_5 = { 49c1ff05 83e61f 4b8b8cf9a04b0100 486bf658 8a443108 a801 } + $sequence_6 = { b81a000000 eb76 33c9 488d158bb70000 } + $sequence_7 = { 8b430c 8905???????? 8bd7 4c8d0518b4ffff 89542420 } + $sequence_8 = { 41b803010000 c644243000 e8???????? 488bcb } + $sequence_9 = { 8a45d9 4b8b8cf8a04b0100 88443139 4b8b84f8a04b0100 8854303a } condition: 7 of them and filesize < 198656 
@@ -98135,36 +98482,36 @@ rule MALPEDIA_Win_Lyposit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c947693c-fdb4-5804-b039-d3be391d589e" - date = "2026-01-05" - modified = "2026-01-06" + id = "360fd5e9-d7e3-5b77-bfd7-7b52a55de395" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lyposit_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lyposit_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "1aae27919b7142f3a956ce5a03df97f5716bf7d507962564bd1a349d0184cbbf" + logic_hash = "add1692578208a2f3d2172c89a4fcf2fc563e6f1edafc0585c04a7058afb0964" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? e8???????? 8b5d10 8365fc00 6a1c 6a40 ff15???????? } - $sequence_1 = { 53 ff15???????? 85c0 742a 6aff ff75c0 ff15???????? } - $sequence_2 = { 83c410 85c0 7424 8b4ddc 8a01 3c31 7504 } - $sequence_3 = { 8b0f e8???????? 59 59 0337 } - $sequence_4 = { 52 50 ff91d0000000 8d45e4 50 ff15???????? ebd3 } - $sequence_5 = { 66a3???????? 8be5 5d c3 6a14 68???????? e8???????? } - $sequence_6 = { 84d2 7407 838b0c02000020 807dff00 7407 } - $sequence_7 = { ff75e4 ff7604 ff36 ff7508 e8???????? } + $sequence_0 = { 8945f8 83c004 3b45f0 72c5 e9???????? 
8b75f4 0fb64c3204 } + $sequence_1 = { 53 53 53 6837010000 e8???????? 83c410 ff75e4 } + $sequence_2 = { 6804010000 8d85ecfdffff 56 50 e8???????? 83c40c 3bde } + $sequence_3 = { 40 8945f4 3b45f0 72ce 8b477c 8b4f08 3bc1 } + $sequence_4 = { ff15???????? 5e 5f c3 55 8bec a1???????? } + $sequence_5 = { 0f8444030000 8b45f4 0fb600 8b4dfc 83650800 ff4df0 } + $sequence_6 = { 7d0b 834dfcff 33c0 e9???????? } + $sequence_7 = { e8???????? e8???????? 3bf7 740b 56 e8???????? 59 } $sequence_8 = { 8b45fc ebd0 53 55 33db 33ed } - $sequence_9 = { ff75e4 ff15???????? 85c0 7425 6a0b 56 ff75d8 } + $sequence_9 = { 837de005 75b9 57 ff15???????? 57 ff15???????? 837de006 } condition: 7 of them and filesize < 466944 
@@ -98174,36 +98521,36 @@ rule MALPEDIA_Win_Socelars_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3509baee-4e8c-59b5-b156-e68f4beae715" - date = "2026-01-05" - modified = "2026-01-06" + id = "14b33d3e-b7e0-523a-891e-f2f9219b866d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.socelars_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.socelars_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "a3ac10f2bb04512e9390a5496d935cded9fb0eddb2b0634c3c4f320efa071722" + logic_hash = "550b65253807db57d977ec04916a448a1c8a4719f770b98d03136ee54954d35f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b8b88000000 394830 7f1c 8b542430 8bcb 6a00 52 } - $sequence_1 = { 8b432c 035514 40 837d1800 89432c 8b4f04 894c2424 } - $sequence_2 = { e8???????? 83c40c 894590 8b4d90 51 8d4d98 e8???????? } - $sequence_3 = { 8b55b8 83c202 3b5524 7735 8b4520 0345b8 0fbe08 } - $sequence_4 = { e8???????? c745fc00000000 8b5510 2b550c 8955d4 837dd400 766d } - $sequence_5 = { ff15???????? 83c404 8b4e68 85c9 7414 0fb7868c000000 3bf8 } - $sequence_6 = { ffd0 83c404 85c0 7417 b80a000000 5f 5e } - $sequence_7 = { ff75f4 03c6 89461c ff712c 50 e8???????? 8b4dfc } - $sequence_8 = { e9???????? 
83cbff 8b4db8 83790400 0f8579ffffff c745a000000000 c7410401000000 } - $sequence_9 = { 8b7c2448 99 03f8 13ca 83c70a 897c2448 83d100 } + $sequence_0 = { 89548804 897c8808 c744880c00000000 c744881000000000 8b9388000000 85d2 7e16 } + $sequence_1 = { eb07 c745ec0e000000 8b45ec 8945e8 8b4de8 894de4 8b55e4 } + $sequence_2 = { ff742424 ba7b000000 8bce e8???????? 83c40c e9???????? 8b7c241c } + $sequence_3 = { ff77f4 8b57d4 8bcb e8???????? 8bc8 894fd4 83c404 } + $sequence_4 = { 8bc8 837d0c00 894df4 0f8485000000 807f0700 7514 8b55e0 } + $sequence_5 = { 8b7020 0fce 3b742438 0f87a2050000 8b4c243c 8bc1 } + $sequence_6 = { ff7510 ff750c c6411401 8bcf ff74244c e8???????? 83c424 } + $sequence_7 = { e8???????? 8bf0 8b54240c 8b4c2410 6a00 6a00 ff74242c } + $sequence_8 = { ff742420 1bd2 ff742430 81c2a2000000 e8???????? 8b44243c 83c414 } + $sequence_9 = { e9???????? 8b45fc 8b4d10 8988c8030000 8b55fc 8b4514 8982cc030000 } condition: 7 of them and filesize < 2151424 
@@ -98213,42 +98560,42 @@ rule MALPEDIA_Win_Satellite_Turla_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db4c3339-c415-5711-a90e-cee07a736590" - date = "2026-01-05" - modified = "2026-01-06" + id = "380bb34a-b441-5469-b067-9a330cefb4ab" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.satellite_turla_auto.yar#L1-L159" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.satellite_turla_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "1f8986d8ff44bcaea791aed8e9d7780e6a84fb5d73ce994c684beebfa03d07bc" + logic_hash = "7d3f52e1205d8c60b6cabcd56aa5d1c15cddf10acd1230d433c9234ed0035bb0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0108 833e00 7c1f 8b542410 } - $sequence_1 = { 0105???????? 81c3b0020000 2945e0 75ae 837dd400 } + $sequence_0 = { 0105???????? 81c3b0020000 2945e0 75ae 837dd400 } + $sequence_1 = { 0108 833e00 7c1f 8b542410 } $sequence_2 = { 0105???????? 83c410 29442418 75a9 } - $sequence_3 = { 0108 833e00 7fc7 db46fc } + $sequence_3 = { 50 e8???????? 83c410 5f 5e 8d45fb } $sequence_4 = { 0105???????? 
83c410 29442420 75aa } $sequence_5 = { 0108 833a00 7c23 8b442428 } - $sequence_6 = { 51 8d951cffffff 52 eb2b 8b4d20 } + $sequence_6 = { 0108 833e00 7fc7 db46fc } $sequence_7 = { 0108 833e00 7cc7 7e39 } - $sequence_8 = { 66ab aa 8b3d???????? 8d85f0feffff 56 } - $sequence_9 = { ffd7 53 56 ff15???????? 6a02 53 56 } - $sequence_10 = { ff15???????? ff45fc 817dfc88130000 7cb7 } - $sequence_11 = { c645d205 c645d337 c645d418 c645d51d c645d614 c645d722 } - $sequence_12 = { e8???????? ff75fc 8945f8 53 50 e8???????? } - $sequence_13 = { 57 ffd6 a3???????? 6a71 8d45d0 } - $sequence_14 = { c645b816 c645b927 c645ba30 c645bb34 c645bc21 c645bd30 } - $sequence_15 = { 8d45c4 885dcf 50 57 } + $sequence_8 = { a3???????? 6a28 8d45c4 6a0c 50 } + $sequence_9 = { 8d85ecfdffff 6804010000 50 53 ff15???????? 53 53 } + $sequence_10 = { 56 57 e8???????? ff15???????? 6a40 } + $sequence_11 = { 53 ff15???????? 6a04 6a03 53 } + $sequence_12 = { 56 ff15???????? 56 56 ff15???????? ff15???????? 56 } + $sequence_13 = { 53 56 56 ff15???????? 53 53 } + $sequence_14 = { c6459f02 c645a009 c645a11e c645a21f c645a30e c645a418 c645a52a } + $sequence_15 = { 57 ffd6 a3???????? 6a55 8d45b8 6a0c } condition: 7 of them and filesize < 1040384 
@@ -98258,36 +98605,36 @@ rule MALPEDIA_Win_Charon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "01b8556c-ee40-53b7-952a-8e2b8282fe20" - date = "2026-01-05" - modified = "2026-01-06" + id = "ba7f61e1-20f8-5a1b-a920-eb2b184a6a30" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.charon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.charon_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.charon_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "b28dd8515b960c3adbfdc7b51b8085f45af8b6d7308fa151efcf52d4fa2fa9ad" + logic_hash = "b598f6a92625e1a420ae9769010cbdb9620b00ca9e122ec89fe53d450382c38a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4c2420 8d0c8d01000000 4863c9 88440c50 b803000000 2b442420 4898 } - $sequence_1 = { 050b020000 8bc0 488b8c2460020000 8b0481 038424f8010000 8b8c24fc010000 8b942400020000 } - $sequence_2 = { 480bc1 48c1f802 4825ffffff01 b908000000 486bc901 488b542408 } - $sequence_3 = { 486bc000 488b8c2460020000 8b840140100000 c1e00a b904000000 486bc900 488b942460020000 } - $sequence_4 = { 48c1e108 480bc1 b901000000 486bc90e 488b542410 0fb60c0a 48c1e110 } - $sequence_5 = { c784249c00000000000000 8b0424 8b4c2408 03c8 } - $sequence_6 = { 488b942460020000 8b8c0a40100000 c1e916 0bc1 898424d8010000 
b804000000 486bc00f } - $sequence_7 = { 050f020000 8bc0 488b8c2460020000 8b0481 03842438020000 8b8c243c020000 8b942440020000 } - $sequence_8 = { 0bc1 89442448 b804000000 486bc004 488b8c2460020000 0fb6840100100000 88442443 } - $sequence_9 = { 48c744243000000000 8b8424c0000000 89442428 488b842430010000 4889442420 448b8c24f0000000 } + $sequence_0 = { 890424 8b442420 390424 0f8db2000000 48630424 488b4c2428 488b04c1 } + $sequence_1 = { 89842488000000 b804000000 486bc00a 488b8c2460020000 8b840100100000 c1e018 b904000000 } + $sequence_2 = { 89840a40100000 8b0424 0509020000 8bc0 488b8c2460020000 8b0481 c1e017 } + $sequence_3 = { 8b8c24dc000000 33c8 8bc1 8b8c24e0000000 03c8 8bc1 8b0c24 } + $sequence_4 = { 833c240a 7365 8b0424 8b0c24 488b542420 4c8b442428 } + $sequence_5 = { 8b4c2408 03c8 8bc1 0384249c000000 89442410 8b442424 8b4c243c } + $sequence_6 = { 89442468 b804000000 486bc008 488b8c2460020000 8b840100100000 c1e018 b904000000 } + $sequence_7 = { 4889040a b808000000 486bc001 488b4c2410 48630401 48d1e0 } + $sequence_8 = { 8b442418 ffc0 4898 8b84c4a0010000 03442408 03842484010000 89442410 } + $sequence_9 = { 48894c2408 4881ec58020000 488b842460020000 8b8080100000 25ff010000 890424 } condition: 7 of them and filesize < 254976 
@@ -98297,36 +98644,36 @@ rule MALPEDIA_Win_Nevada_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d851b978-3df8-538e-b0a6-f5a42a4c41f2" - date = "2026-01-05" - modified = "2026-01-06" + id = "dd945406-d76e-5a64-a7a3-25dc9f81e6d4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nevada" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nevada_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nevada_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "5d586f59dca860d1839b19790bc7f7be57e580648d77868dbbba465dd7726682" + logic_hash = "039061a87d5b2715f05ce587085775dc26f2cd6ca08570e45d99b5e058440eb0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4889ea e8???????? 0f0b 4c8d0515c10200 ba00100000 4889e9 e8???????? } - $sequence_1 = { 4d89f8 664585e4 0f8597feffff e9???????? 4981fe01010000 0f834a010000 0f57c0 } - $sequence_2 = { e8???????? 4c8da42450020000 4c89e1 4889fa 4d89f8 e8???????? 488db42478020000 } - $sequence_3 = { 4839ce 74c4 803ea0 72bf eb3e 4839ce 4889d7 } - $sequence_4 = { 438a443cff 3c2f 7438 3c5c 7434 e9???????? 
41813f5c5c3f5c } - $sequence_5 = { 415f c3 4c8d642430 488dac24b0000000 eb26 488b8424c0000000 48035c2420 } - $sequence_6 = { 4080fd02 0f8510010000 488d6901 4c39c5 0f83fe000000 803c2abf b301 } - $sequence_7 = { 0f821affffff 8b442428 4189442434 8a442427 4188442438 31ed e9???????? } - $sequence_8 = { 48837f1000 0f859c010000 4d89c4 4989d7 488d4710 488945e8 48c74710ffffffff } - $sequence_9 = { 4c8d3559910200 4c39c9 7317 0f1f840000000000 4885db 740a 803c0b45 } + $sequence_0 = { 8bd9 4c8d0de5f00100 b904000000 4c8d05d1f00100 488d15c2da0100 e8???????? 8bcb } + $sequence_1 = { 4885f6 488b5d28 0f8540020000 48c7431000000000 488b33 4889f1 baffffffff } + $sequence_2 = { e8???????? 807d6000 7515 807d6101 0f84e3feffff 488d4df8 e8???????? } + $sequence_3 = { 488945c0 48c745c800000000 488d05067c0300 488945f0 48c745f801000000 48c7450000000000 488d05835a0300 } + $sequence_4 = { 49896f48 488b6c2420 49896f50 488b6c2460 49896f58 488b6c2458 49896f60 } + $sequence_5 = { 4c39d1 7613 4889c8 4829d0 757c e9???????? 4c8d52f0 } + $sequence_6 = { 0fb6473a 3c03 0f84b3010000 4138c4 0f8677feffff e9???????? 807c242700 } + $sequence_7 = { 488b8c24a0000000 488bbc2498000000 488d0439 48898424c8020000 4c8b4c2430 4b8d0431 48898424d0020000 } + $sequence_8 = { 4901ff 488db5a0050000 660f1f840000000000 4c39ff 0f840c020000 488b95b0050000 483b95a8050000 } + $sequence_9 = { bf10000000 480f45f8 488d442450 41bd20000000 4c0f45e8 80fa01 777b } condition: 7 of them and filesize < 1063936 
@@ -98336,36 +98683,36 @@ rule MALPEDIA_Win_8T_Dropper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "35feb768-d2e4-5049-96a0-91c968df3b4f" - date = "2026-01-05" - modified = "2026-01-06" + id = "8127494f-aa60-50e7-9519-377aadf951ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.8t_dropper_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.8t_dropper_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "feebe835113f0d32e29c6ca8b7fd1bfa62958e168ff440bb0def00a1fd456e8d" + logic_hash = "381260db79cd8ba4813029caefecf260e49d9c8ad853e09f44a370f9fca8e4d3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c644240c00 f3ab 66ab aa bf???????? 83c9ff } - $sequence_1 = { 8d4c2408 51 683f000f00 50 52 6801000080 } - $sequence_2 = { 8bf0 83c408 85f6 741b 56 6800700000 6a01 } - $sequence_3 = { c6440c0d75 c6440c0e6e 8d4c2408 51 683f000f00 50 52 } - $sequence_4 = { 85c0 7559 8b4c2408 51 ff15???????? 8d942410010000 6804010000 } - $sequence_5 = { 8b442418 68???????? 50 ff15???????? 85c0 7559 8b4c2408 } - $sequence_6 = { 7559 8b4c2408 51 ff15???????? 8d942410010000 } - $sequence_7 = { c6440c0e6e 8d4c2408 51 683f000f00 50 } - $sequence_8 = { 51 ff15???????? 
8d942410010000 6804010000 } - $sequence_9 = { f7d1 49 c6440c0c52 c6440c0d75 c6440c0e6e 8d4c2408 } + $sequence_0 = { bf???????? 83c9ff f2ae f7d1 49 c6440c0c52 } + $sequence_1 = { f2ae f7d1 49 c6440c0c52 } + $sequence_2 = { 51 68???????? 6a02 50 8b442418 } + $sequence_3 = { 33c0 8d7c240d c644240c00 f3ab 66ab aa bf???????? } + $sequence_4 = { f7d1 49 c6440c0c52 c6440c0d75 c6440c0e6e } + $sequence_5 = { 50 ff15???????? 85c0 7559 8b4c2408 } + $sequence_6 = { 741b 56 6800700000 6a01 } + $sequence_7 = { 51 ff15???????? 8d942410010000 6804010000 52 68???????? } + $sequence_8 = { 7559 8b4c2408 51 ff15???????? 8d942410010000 6804010000 } + $sequence_9 = { ff15???????? 8d942410010000 6804010000 52 } condition: 7 of them and filesize < 147456 
@@ -98375,36 +98722,36 @@ rule MALPEDIA_Win_Bangat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "05c414bb-9422-5f0e-974d-c56fdab166b4" - date = "2026-01-05" - modified = "2026-01-06" + id = "14b87df6-1a5d-573e-84a2-a72cf611cde2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bangat_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bangat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "5cb16644073e6088f8c102fdd3bad27fec482e34ef437064c8f923550a4b4259" + logic_hash = "fbfdd47cd27782446c2c0400214f91dab49628d6837be3d7e86e33309a4cb9ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8d45fc 50 e8???????? 8b4508 8325????????00 83c418 } - $sequence_1 = { 3bc7 7d02 8bc7 50 ff75d8 68???????? 56 } - $sequence_2 = { 8a8888f44000 ff248d30f44000 8b5e6c 5f 8bc3 5e 5b } - $sequence_3 = { 33c9 8a4c2432 8a9950ec4700 33c9 8aa850ec4700 8bfb } - $sequence_4 = { 6859020000 68???????? 68fc000000 6a77 6a14 e8???????? } - $sequence_5 = { 8b348d50e84700 33c6 8d7720 8bbff0000000 33c5 d1ff 4f } - $sequence_6 = { 83c40c 6a0a 53 53 8d45f4 53 } - $sequence_7 = { ff15???????? 85c0 742d 8d85d4feffff 50 8d85d4f5ffff 68???????? } - $sequence_8 = { 895c2424 897c2428 e8???????? 
83c414 e8???????? 53 } - $sequence_9 = { 85c0 749b 6803002e00 6a00 6812030000 68ffff0000 } + $sequence_0 = { 7fa1 3b0cb5b82b4900 7c98 3b0cb5d82b4900 7f8f 46 83fe06 } + $sequence_1 = { 0fbe80704b4700 83c010 c3 f6c4ff 740e c1e808 0fbe80704b4700 } + $sequence_2 = { ff248ddc434400 8bc8 4f c1e918 880f 8bd0 4f } + $sequence_3 = { 59 3bc7 59 894634 7414 ff762c ff761c } + $sequence_4 = { ff75ec ffd6 ff75f4 ff15???????? ff45e8 83c72c 8b45e8 } + $sequence_5 = { 6a01 50 ff15???????? 03f0 83c410 3b75fc } + $sequence_6 = { 56 57 8b7d08 33d2 3bfa 0f8483070000 8b771c } + $sequence_7 = { 83e10f 8a89b0254900 8808 40 46 3bf3 7cba } + $sequence_8 = { bb???????? bf00010000 ff75fc ff15???????? ff75fc 8945dc } + $sequence_9 = { 83c40c 8d4df0 e8???????? 50 ffb5bcfeffff ffb5c4feffff } condition: 7 of them and filesize < 1228800 
@@ -98414,36 +98761,36 @@ rule MALPEDIA_Win_Applejeus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c7de82bf-02e2-54ab-8e92-30ad8fa19555" - date = "2026-01-05" - modified = "2026-01-06" + id = "8bd8cf4a-706a-51e1-a3a4-39313e63d490" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.applejeus_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.applejeus_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "7da7577e0a48835aa3f87ca6b5019a6bd26bede335ed264656ca8273c5cb6ea4" + logic_hash = "9ddf6ec9baeb6448a804b5c4ce2b51ba1d2b3520b576f13a64f77cc06fd9f75f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bb540eeffff 56 ff15???????? 56 ffd7 ffb5e0edffff ffd7 } - $sequence_1 = { 8bc8 51 e8???????? 83c404 c7460800000000 c7460400000000 ff36 } - $sequence_2 = { 8b75e4 83c410 0bf0 c745d8d4b24500 8d45dc 50 e8???????? } - $sequence_3 = { 8bf8 ffd6 ffb5b0fdffff 8bb588feffff 8bc8 b8ed73484d } - $sequence_4 = { 897008 e8???????? 8d8dd8ecffff e8???????? 8d8dd4efffff e8???????? 6a64 } - $sequence_5 = { 6a08 c645fc16 e8???????? 83c404 8985e4f6ffff 898568f4ffff c700???????? 
} - $sequence_6 = { 0f84d3000000 8b048d74db4500 8985a4f8ffff 85c0 0f8498000000 83f801 0f84b5000000 } - $sequence_7 = { 8bf0 6a0c 8975e4 8975d0 0f114604 c706???????? f30f7e45c4 } - $sequence_8 = { 8885fcfcffff 8b85dcfcffff 041d 83f05c 8885fdfcffff 8b85dcfcffff } - $sequence_9 = { 8b4308 33ff 807e2c00 8945c4 0f842e010000 8b4808 0f57c0 } + $sequence_0 = { 0f84f2000000 8b07 0f57c0 8b4f08 8b570c 894594 8b4704 } + $sequence_1 = { 8b0f 8901 ffd6 8b4f04 0f57c0 660fd645e0 c745e000000000 } + $sequence_2 = { ffd0 84c0 7406 8b06 8bce eb04 } + $sequence_3 = { 8b4e08 81f2490f0000 c745fcd5030000 81f289060000 8b01 0345fc 8901 } + $sequence_4 = { e9???????? 8d8de4ecffff e9???????? 8d8df8eeffff e9???????? 8d8d3cefffff e9???????? } + $sequence_5 = { 6a08 0f118560eeffff c78590efffff00000000 8b7008 8b7804 660fd68580efffff c78594efffff00000000 } + $sequence_6 = { 5e 8b0a 8908 c70200000000 5d c3 83f802 } + $sequence_7 = { 8b7e04 894604 8b45e8 8906 c745fc00000000 85ff 7421 } + $sequence_8 = { c68548ffffff1b c68549ffffff3e c6854affffff2b c6854bffffff3e c6854cffffff03 c6854dffffff13 c6854effffff30 } + $sequence_9 = { 8d8dc0feffff e9???????? 8d8dc4feffff e9???????? 8d8dc8feffff e9???????? 8d8dc0feffff } condition: 7 of them and filesize < 1245184 
@@ -98453,36 +98800,36 @@ rule MALPEDIA_Win_Cohhoc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eea8dd21-8908-5be8-a2a6-255fd0ffd6ca" - date = "2026-01-05" - modified = "2026-01-06" + id = "31c35e17-4ef0-5ab8-a1be-c805b263c882" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cohhoc_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cohhoc_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "722fe87316c37305b3652db78bba219c2fd88a714a6565f0318a82058c8a1b30" + logic_hash = "910ea9f36b7ea4043b73c78a4c4c5d942f52600457e380ccbdfc5af90ccf4ad1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b9c242c3c0000 66ab aa b9000f0000 33c0 8d7c2420 c745008d000000 } - $sequence_1 = { 57 33c0 bf???????? 83c9ff f2ae } - $sequence_2 = { 50 68???????? 68???????? c74424200c000000 895c2424 c744242801000000 ffd6 } - $sequence_3 = { 8d7c244c 83c9ff 33c0 83c420 f2ae } - $sequence_4 = { 8b4c2420 8b542424 8b6c2428 8b5c242c 6a08 } - $sequence_5 = { be???????? 8d7c2410 33ed f3a5 8b4c245c } - $sequence_6 = { 8d442410 53 50 68???????? 68???????? c74424200c000000 } - $sequence_7 = { 894c2410 89442414 0f85f5feffff b801000000 5f 895d08 } - $sequence_8 = { 8944242c 0f85b5feffff 8bce e8???????? 
668b5702 50 } - $sequence_9 = { 8b0d???????? 891d???????? 51 c705????????02000000 e8???????? 83c420 } + $sequence_0 = { 50 6804010000 ff15???????? 8b8c240c010000 8d542404 51 6a00 } + $sequence_1 = { 83e103 f3a4 8b4c241c 03c8 894c241c 8b4c2420 e8???????? } + $sequence_2 = { c705????????01000000 c705????????84000000 891d???????? 891d???????? } + $sequence_3 = { f3ab 8b436c 33f6 3bc6 c744241401000000 } + $sequence_4 = { 6804010000 ff15???????? 8b8c240c010000 8d542404 } + $sequence_5 = { 75dc 33c0 eb05 1bc0 83d8ff 85c0 0f84ba000000 } + $sequence_6 = { 8dbc2468010000 33c0 8d542420 f2ae f7d1 2bf9 } + $sequence_7 = { 8b442408 8bc8 80e107 f6d9 1bc9 } + $sequence_8 = { 57 6a0f ff15???????? 8b4c2458 8bf8 8d442414 50 } + $sequence_9 = { 83e203 c1f904 83e10f c1e204 8d4c0c10 } condition: 7 of them and filesize < 253952 
@@ -98492,36 +98839,36 @@ rule MALPEDIA_Win_Varenyky_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d2bf30dc-4373-5dce-a9a9-0dfa02ec7d8e" - date = "2026-01-05" - modified = "2026-01-06" + id = "b02c2a5a-b676-50b6-aaf1-69e32b01ea2f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.varenyky_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.varenyky_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "80f9f91b6d82bcfc676dfe7703a76fa743f54b58e262b45f8642f9e3f2fdc01d" + logic_hash = "5b941a9b54248f9dae43db0241b815af9c7b007835bd2ee5ac23d33ed795c82c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 1bc0 83d8ff 85c0 0f8467010000 8d8c2490000000 51 6804010000 } - $sequence_1 = { 85c0 0f8ef7010000 8b15???????? a0???????? 6a00 } - $sequence_2 = { bf697a0000 3bc3 7411 90 69ff81000000 } - $sequence_3 = { 8d8c2454010000 68???????? 51 e8???????? 8d84245c010000 83c40c 8d5001 } - $sequence_4 = { 83c40c 8d4c2418 51 8d94244c030000 } - $sequence_5 = { 57 e8???????? 83c404 3c33 } - $sequence_6 = { 8d84244d030000 53 50 c744242404010000 889c2454030000 e8???????? 
} - $sequence_7 = { 0f8c0b0a0000 8ac2 2c20 3c58 7711 0fbec2 0fbe8030c24000 } - $sequence_8 = { 3bc3 7411 90 69ff81000000 41 } - $sequence_9 = { 8b84241c010000 83c40c 50 33d2 80bc242602000001 b905000000 0f95c2 } + $sequence_0 = { 6803010000 8d4c244d 6a00 51 c644245400 } + $sequence_1 = { 6803010000 8d842485020000 53 50 889c248c020000 e8???????? } + $sequence_2 = { 399c24ec0a0000 7417 8d8c24d0000000 51 68???????? 8d9424e0010000 } + $sequence_3 = { 8b03 50 55 ffd6 85c0 0f8eb5010000 8b3d???????? } + $sequence_4 = { 8945e4 83f805 7d10 668b4c4310 66890c45ac0bfd00 } + $sequence_5 = { 56 e8???????? 8bc6 c1f805 8b0485401efd00 83e61f } + $sequence_6 = { 5e 33cc e8???????? 81c47c020000 c3 be???????? 8bd7 } + $sequence_7 = { 50 68???????? 8d8c24e0010000 51 e8???????? } + $sequence_8 = { 6830750000 50 ff15???????? 8b4c2410 51 } + $sequence_9 = { 7e09 8bce e8???????? eb0b 6860ea0000 } condition: 7 of them and filesize < 24846336 @@ -98532,10 +98879,10 @@ rule MALPEDIA_Win_Hdmr_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "d7c2af72-912d-5503-a152-e44806d38df1" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hdmr_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hdmr_auto.yar#L1-L121" license_url = "N/A" logic_hash = "ee139c0aa91276df8e246776ac0e0dc9525d3fadc5574673ef7224c9dd7d71ea" score = 75 
@@ -98544,9 +98891,9 @@ rule MALPEDIA_Win_Hdmr_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" @@ -98571,10 +98918,10 @@ rule MALPEDIA_Win_Pgift_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "5134e180-c701-504d-b27b-1f2a37782304" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pgift_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pgift_auto.yar#L1-L122" license_url = "N/A" logic_hash = "86543d2a9c2965bb35bf9078bd182bce16bae717918e12d47f187ce1755d9b8f" score = 75 @@ -98583,9 +98930,9 @@ rule MALPEDIA_Win_Pgift_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -98609,36 +98956,36 @@ rule MALPEDIA_Win_T34Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5720d10-2fbe-56e7-a983-268d042c48b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "d9f754c4-3f1b-5282-a982-a666f4b254d3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.t34loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.t34loader_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.t34loader_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "ec0cde05ce06de31a82d86f3a54c045f2d69d36946c25715e1f108cf44d303ce" + logic_hash = "409ead522e948ccd1d7b96eb38b4fbbd6b0cbb5cc3d36b64d40c2ffacfc18982" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7424 88542438 eb1e 4885c0 7505 4585ff 7414 } - $sequence_1 = { e8???????? 488d542420 488bcb e8???????? 488bcb e8???????? 84c0 } - $sequence_2 = { 743f 803d????????00 7436 48ffc0 4d8d1443 488b4587 48ffc0 } - $sequence_3 = { e8???????? 488b5710 488bc8 4889542420 4c8bcb } - $sequence_4 = { 418ac0 884708 488b542440 488bcf e8???????? 84c0 0f84e6feffff } - $sequence_5 = { 4c8bc7 488d4c2430 488bd6 e8???????? 488d4c2430 e8???????? } - $sequence_6 = { 0f845e010000 488b0f 33db 4885c9 7441 488b4138 483918 } - $sequence_7 = { e8???????? 488bd0 488d4d20 e8???????? 
488bd3 488d4d30 e8???????? } - $sequence_8 = { 488d4138 41b806000000 488d15b1370200 483950f0 740c 488b10 4885d2 } - $sequence_9 = { 5f 5e 5d c3 4c8d05d3b50200 498b14e8 8a44fa38 } + $sequence_0 = { 4c8bc2 4c3bd2 4d0f46c2 498bcb e8???????? 488b5508 488d145502000000 } + $sequence_1 = { 4c8bc1 488bca e8???????? 498bc8 488bd8 e8???????? 488bc8 } + $sequence_2 = { 41898a3cf6ffff 4883eb01 75c4 4d8d91500d0000 bb8c010000 458b1a 418bc3 } + $sequence_3 = { 488d05bf280300 488bd9 488901 f6c201 740a ba18000000 e8???????? } + $sequence_4 = { 4889442420 4c8b4d00 e8???????? 488d052faf0100 483be8 0f8c7bffffff 85ff } + $sequence_5 = { 741c 420fb71c36 498bcd ff15???????? 488bc8 8bd3 ff15???????? } + $sequence_6 = { 4889442420 e8???????? 84c0 0f84ee000000 488d4c2440 e8???????? 4885c0 } + $sequence_7 = { 488d4530 48837d4808 480f434530 663908 7508 8ada eb04 } + $sequence_8 = { c744242822000000 c744242004000000 f20f11742450 488d0d0e4f0100 4c8b442450 } + $sequence_9 = { 488b4df0 ff15???????? b001 eb02 32c0 488b5c2460 488b742470 } condition: 7 of them and filesize < 1212416 
@@ -98648,36 +98995,36 @@ rule MALPEDIA_Win_Rook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "260fb3cd-c612-5c83-b4f7-79756559f934" - date = "2026-01-05" - modified = "2026-01-06" + id = "7e9a00fa-9e37-5ee8-b49d-e7d22fd8a3c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rook_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rook_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "c73a208061affa8ef6930cc993d1e8f8eb5228d371bb421012877d9aae5cbf16" + logic_hash = "4f6e306547a8e1ee48d3e89d6bd542536f9fe68149b73057a1b43a088743f030" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffc3 4883c708 83fb22 72df 498bd6 488bcd ff15???????? } - $sequence_1 = { 0f8521ffffff 44882b eb7b 488b9540070000 4c8d05979e0000 498bce } - $sequence_2 = { 33d2 ff15???????? 488b0d???????? 4d8bc7 33d2 ff15???????? 833d????????00 } - $sequence_3 = { ff15???????? 488bce e8???????? 488d542440 488bcd ff15???????? 85c0 } - $sequence_4 = { 4883ec38 488d05f5990000 41b91b000000 4889442420 e8???????? 
4883c438 c3 } - $sequence_5 = { 498bd6 4d8d8115cc0400 4d03c4 0f1f4000 410fb64410ff 3cff 740b } - $sequence_6 = { c605????????63 4c8d250099ffff b8ff000000 4d8d4901 } - $sequence_7 = { 498bcd 4c89bc2458270000 ff15???????? 488b0d???????? 4d8bc5 33d2 4c8be0 } - $sequence_8 = { 8bd9 4c8d0dddce0000 b904000000 4c8d05c9ce0000 488d15b2bb0000 e8???????? } - $sequence_9 = { 4863c8 4c8d4c2450 48894c2420 e8???????? 488d4c2450 ff15???????? } + $sequence_0 = { eb07 488d1d1a030200 4883a4249800000000 4084f6 } + $sequence_1 = { 33d2 33c9 448d4207 ff15???????? 488d4c2440 ff15???????? 8b442460 } + $sequence_2 = { 488bd3 4533c0 498bcc ff15???????? } + $sequence_3 = { 488d0dbebb0400 4c89642420 e8???????? 498bcd ff15???????? 448bc0 8905???????? } + $sequence_4 = { 488987a8000000 488d05749c0200 c7879800000001000000 48c787a000000004000000 48894760 488d055c990200 } + $sequence_5 = { 4883eb01 7582 4183c9ff 41b801000000 498bd4 8bcf ff15???????? } + $sequence_6 = { 48897c2420 ff15???????? 4863d8 488bcb e8???????? 498bce } + $sequence_7 = { c5f1eb0d???????? 4c8d0d169f0000 c5f35cca c4c173590cc1 4c8d0de58e0000 } + $sequence_8 = { 7407 e8???????? eb09 488b4918 e8???????? ffc3 } + $sequence_9 = { 488d54246c 488bcd ff15???????? f644244010 0f851f020000 488d153bab0400 488d4c246c } condition: 7 of them and filesize < 843776 
@@ -98687,36 +99034,36 @@ rule MALPEDIA_Win_Rustock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "81c11374-a224-57b2-ae9d-b05ee172db6b" - date = "2026-01-05" - modified = "2026-01-06" + id = "9a8b0fe4-50b0-59df-be38-58cf8d212755" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rustock_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rustock_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "f23c8787fe5677c0679006ea20fcb161a3a7545dab517b9c25455040e02f455c" + logic_hash = "34f90c25c94dd0e21a7528269430b21667dbe875070ad68127009457b3c8376b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8945c0 85c0 7504 33f6 eb21 ff751c } - $sequence_1 = { f7d1 8b15???????? 8d6424fc 893424 5a 31c6 } - $sequence_2 = { 7403 46 ebd4 0fb60e 46 83f92d 8bd1 } - $sequence_3 = { 29f8 83cbff f7d3 b8670e0100 8d0dc8680100 01d0 } - $sequence_4 = { 53 ffd6 68ad020000 53 a3???????? ffd6 689d020000 } - $sequence_5 = { df7809 60 9f 79c1 7cc2 } - $sequence_6 = { 68d44f0100 59 0315???????? 21fb 031d???????? 31f1 83f2ff } - $sequence_7 = { 57 68e1030000 ff550c 68d1030000 } - $sequence_8 = { 8bc7 e9???????? 897dcc 33db 897dc8 397d08 7508 } - $sequence_9 = { 8d04bd04000000 50 e8???????? 
8bd8 } + $sequence_0 = { 0f848b000000 8365fc00 83c003 83e0fc } + $sequence_1 = { 8b0d???????? 09fe f7d1 b9???????? 29d1 } + $sequence_2 = { 29c3 051c3367d0 29d8 29cb 83c1ff ebb5 } + $sequence_3 = { ff15???????? 85c0 7471 8b7de0 8d45b8 50 ff15???????? } + $sequence_4 = { 7404 802700 47 ff06 8b5d0c } + $sequence_5 = { da81e53a558c b9157556b8 af 44 42 } + $sequence_6 = { 8067ff00 8365fc00 803800 0f84d6000000 8a08 80f920 7405 } + $sequence_7 = { 57 ff15???????? 3bc6 7407 50 ff15???????? } + $sequence_8 = { 7409 ff75d0 e8???????? 59 395de0 7409 } + $sequence_9 = { 8d6424fc c70424bc070100 5e 8d6424fc 891c24 5b } condition: 7 of them and filesize < 565248 
@@ -98726,36 +99073,36 @@ rule MALPEDIA_Win_Fusiondrive_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ca3c35ba-09cb-56c8-bbe3-749cd9839eab" - date = "2026-01-05" - modified = "2026-01-06" + id = "0ce7a9aa-5d99-5c05-8f4b-280ccb0e8063" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fusiondrive" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fusiondrive_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fusiondrive_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "5e3043a82407e5acc0770d68c274349d0da53277a8b1605e4ac140328403150c" + logic_hash = "e239186926d40c82f194866b0d20ef6b848e5c79bb5307422cef86e746cb8829" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33db 4c8d35e14effff 4885db 750d 488bc7 498784f660de0100 eb1e } - $sequence_1 = { 4883ec28 488d0d75c60100 e8???????? 488d0da9f50000 4883c428 e9???????? } - $sequence_2 = { 660f6f05???????? f30f7f442470 66c745806557 c6458200 488d542470 488bc8 ff15???????? } - $sequence_3 = { 488dac2450feffff 4881ecb0020000 488b05???????? 4833c4 488985a0010000 4032ff } - $sequence_4 = { 4883c907 33ed 483bcf 7606 } - $sequence_5 = { 41894018 0fb60a 83e10f 4a0fbe8409a8150100 428a8c09b8150100 482bd0 8b42fc } - $sequence_6 = { e8???????? 488d0da9f50000 4883c428 e9???????? 
4053 } - $sequence_7 = { 488d5202 83f902 72ea c605????????00 } - $sequence_8 = { 776a e8???????? 85c0 7428 85db 7524 488d0d92a30100 } - $sequence_9 = { 4c8d05e3e90000 83e23f 488bcf 48c1f906 488d14d2 498b0cc8 c644d13800 } + $sequence_0 = { 83f909 72ea c605????????00 c3 803d????????00 7426 } + $sequence_1 = { 452bc4 418bd4 4903d6 4c8d4c2458 41ff5218 397c2458 7605 } + $sequence_2 = { 428a8c11b8150100 482bd0 8b42fc 49895108 d3e8 41894120 } + $sequence_3 = { c705????????01000000 b808000000 486bc000 488d0da6a00100 8b542430 48891401 488d0da7e20000 } + $sequence_4 = { 448be7 897c2458 488b4b20 4c8b11 } + $sequence_5 = { 4d8be1 498be8 4c8bea 498b84ff00da0100 } + $sequence_6 = { 428a8c19b8150100 482bd0 8b42fc d3e8 41894024 } + $sequence_7 = { 488d0d0b9b0000 e8???????? 488b4308 833800 750e } + $sequence_8 = { 488bca 4c8d0511060100 83e13f 488bc2 48c1f806 488d0cc9 } + $sequence_9 = { eb0b 4803f6 418b84f708560100 85c0 7816 3de4000000 } condition: 7 of them and filesize < 290816 
@@ -98765,36 +99112,36 @@ rule MALPEDIA_Win_Hzrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "67019030-b140-578f-bd57-ed696d61f957" - date = "2026-01-05" - modified = "2026-01-06" + id = "fc3df8bc-ec7a-56e4-b1ff-2aa1a378adac" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hzrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hzrat_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hzrat_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "e02b803e3f8c380d72f2cad18c6b29e368b4a184be0cb897b06c0987d88951d3" + logic_hash = "6407ce8ac3e6295664c9580f0c55c2d3626eeae6cd31a1855374c5712853f375" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83fa10 7202 8b3e a1???????? 89040f c6440f0400 eb20 } - $sequence_1 = { 8b46e6 3b42e6 7462 0faee8 0fb67ee6 0fb642e6 2bf8 } - $sequence_2 = { 33c0 85c9 0f9fc0 8d0c45ffffffff 85c9 0f8559030000 8b461c } - $sequence_3 = { 8b450c 85c0 7416 8b5508 0fb64c02ff 80b91002420000 } - $sequence_4 = { 57 6a00 ff15???????? 57 85c0 0f859b000000 } - $sequence_5 = { 0f1106 ff15???????? 85c0 0f8484010000 0fb74704 50 ff15???????? } - $sequence_6 = { 8b45ec 8d4e14 83c40c 8b7d08 8b55f0 83c72c c645fc01 } - $sequence_7 = { 8b4dec 8d0411 8b4de8 33d2 } - $sequence_8 = { 8d4123 3bc1 0f86e6000000 50 0faee8 e8???????? 
83c404 } - $sequence_9 = { 8b450c 50 e8???????? 8bc8 83c40c 894df8 } + $sequence_0 = { e8???????? e8???????? cc 55 8bec 8b450c 85c0 } + $sequence_1 = { 56 57 8d3c853cf64200 8b07 83ceff 3bc6 742b } + $sequence_2 = { cc 8bff 55 8bec 8b4d08 33c0 3b0cc5a0234200 } + $sequence_3 = { 3bc8 7654 51 0faee8 e8???????? } + $sequence_4 = { 0f47c1 8d4e2c 8945ec 40 50 e8???????? 8b4df0 } + $sequence_5 = { 0faee8 0fb67ee8 0fb642e8 2bf8 7410 33c9 85ff } + $sequence_6 = { 83e801 0f84ca0f0000 83e801 0f84a70f0000 } + $sequence_7 = { 66c785c4feffffbd42 e9???????? ffb584feffff ff9568feffff ffb588feffff 8bb58cfeffff 8bce } + $sequence_8 = { 8b45a8 8955dc 8945e8 8bf0 8d7dac 8b45e0 8945ec } + $sequence_9 = { 8b4dfc 894814 eb4d 0faee8 ff771c 53 } condition: 7 of them and filesize < 409600 
@@ -98804,39 +99151,39 @@ rule MALPEDIA_Win_Lock_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66d7719a-09f7-5449-96c8-7a2badb35721" - date = "2024-10-31" - modified = "2024-11-11" + id = "893a3119-7d49-55c4-9fa3-6ebbdd6f9bec" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lock_pos_auto.yar#L1-L147" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lock_pos_auto.yar#L1-L141" license_url = "N/A" - logic_hash = "68264cf97fe11e22f20de5aa9fd8236aae89e24686e8c6b06c621f87466b5d04" + logic_hash = "11ce3da69eddf99fa75931b4f3065c1115c1ccb78ef2820da5235e4566f8ae4d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20241030" - malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4" - malpedia_version = "20241030" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bec 8b4508 8b0d???????? 8b0481 } + $sequence_0 = { 55 8bec 8b4508 8b0d???????? 8b0481 } $sequence_1 = { 8bec 837d0800 7704 33c0 } - $sequence_2 = { 6a00 6a23 6a00 ff15???????? 8d8df8fdffff } + $sequence_2 = { 8d85f8fdffff 50 6a00 6a00 6a23 } $sequence_3 = { 55 8bec 81eca4040000 56 } - $sequence_4 = { 8d85f8fdffff 50 6a00 6a00 6a23 } - $sequence_5 = { 6a00 32db e8???????? 8bf8 59 59 85ff } - $sequence_6 = { 8b450c 85c0 740a 8b55f8 8911 8b4dfc 8908 } - $sequence_7 = { ff15???????? 
85c0 7555 57 6a04 8d45e4 50 } - $sequence_8 = { 8b4de4 034804 894de4 8b55f0 8b45f0 034204 8945f0 } - $sequence_9 = { 6a04 8b4508 50 8d4dec 51 e8???????? 83c40c } - $sequence_10 = { 8908 837df400 740b 8b55f4 } - $sequence_11 = { 837dfc00 7414 8b450c 50 8b4d08 51 } - $sequence_12 = { 8b45dc 83e801 8945dc 85d2 0f843a010000 8b4df4 668b11 } + $sequence_4 = { 6a00 6a23 6a00 ff15???????? 8d8df8fdffff } + $sequence_5 = { 50 e8???????? 83c404 8945f0 837df000 741b } + $sequence_6 = { 3b4d0c 7332 8b5508 0355fc 0fbe02 } + $sequence_7 = { 037df8 ff15???????? 394708 7415 8d5f0c 53 } + $sequence_8 = { 53 8bd8 56 8bcb e8???????? 8bd0 03d2 } + $sequence_9 = { 8b45fc 8b4de4 0308 894de8 8b55fc 8b4204 83e808 } + $sequence_10 = { 0f847b010000 57 6a04 5f 8d75b4 } + $sequence_11 = { 8945c8 8955cc 8b550c 33c0 } + $sequence_12 = { 99 8945e0 8955e4 6a04 8d4dc8 } condition: 7 of them and filesize < 319488 
@@ -98846,36 +99193,36 @@ rule MALPEDIA_Win_Moonwind_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b9622b32-c792-5aeb-a059-5721d1f27a2f" - date = "2026-01-05" - modified = "2026-01-06" + id = "1041560a-82e8-5446-a4d2-998ea5c14e36" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moonwind_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moonwind_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "6d3886946e413d262cc391b5e8605e5201d1334018954f9d8c7fe7ffb4921df3" + logic_hash = "c7d796397da6e928fc158bf0b98bdc7e0c4b36ff553dd6b2d6f959216357cd38" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b90f000000 f3ab 83c308 b800000000 } - $sequence_1 = { 83c404 03d8 895dec 8965e8 6828000000 8b45f0 50 } - $sequence_2 = { 3965a8 740d 6806000000 e8???????? 83c404 50 8b5da4 } - $sequence_3 = { 83c404 8b45ec 50 8b1d???????? 85db 7409 53 } - $sequence_4 = { e8???????? 83c428 8945ac 8b45ac 50 8b5dd8 53 } - $sequence_5 = { 68000000c0 ff750c e8???????? a3???????? 833d????????ff 0f84b2000000 e8???????? } - $sequence_6 = { 6824000000 e8???????? 83c404 a3???????? 
8bd8 8bf8 } - $sequence_7 = { 8b5d08 8b1b 83c304 895dfc 8965f8 6805000000 8b5dfc } - $sequence_8 = { 53 8903 8bd8 c70300000000 c7430400000000 5b 8b5d08 } - $sequence_9 = { 51 8d542478 8944247c 6a00 52 40 6a00 } + $sequence_0 = { 7409 53 e8???????? 83c404 837dcc00 0f84250b0000 } + $sequence_1 = { 8b5b38 83c304 895dbc 8b5d08 8b1b 83c308 895db8 } + $sequence_2 = { 52 b805000080 0fa2 8945c8 895dcc 894dd0 } + $sequence_3 = { 6802000000 bb60020000 e8???????? 83c41c e9???????? 6804000080 6a00 } + $sequence_4 = { 3965ec 740d 6806000000 e8???????? 83c404 8b5d10 668903 } + $sequence_5 = { 8bc8 53 e8???????? 8b8424e4010000 83f804 7509 c7450405000000 } + $sequence_6 = { 8bf8 83c708 8b45d0 c1e002 03f8 8b45d8 57 } + $sequence_7 = { c3 55 8bec 81ec34000000 6808000000 e8???????? 83c404 } + $sequence_8 = { 5e ab b909000000 f3a5 ad 56 57 } + $sequence_9 = { 33c0 bf???????? 8d3452 f3ab c1e604 aa 8d9ed8444700 } condition: 7 of them and filesize < 1417216 
@@ -98885,36 +99232,36 @@ rule MALPEDIA_Win_Fengine_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cef733ce-bf96-5266-a850-204ef84184a0" - date = "2026-01-05" - modified = "2026-01-06" + id = "54899521-9e34-51d4-8028-9f421a171687" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fengine" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fengine_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fengine_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "507e9d8622f7849f14197935caec762eb3952f2b4dfc87cf038f7351547ec88d" + logic_hash = "b0ccddedcefd3ddacffbc8efd6657272553bb0264532ceba3220bca91f4b21b0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 0f84c5020000 68???????? 53 e8???????? } - $sequence_1 = { 57 ff32 ff15???????? f7d8 1bc0 5e } - $sequence_2 = { 57 8d8decefffff 51 50 8d85fcf7ffff 50 } - $sequence_3 = { 50 e8???????? 8d5590 83c40c 8d4a01 8d642400 } - $sequence_4 = { c705????????01000000 e8???????? 48 f7d8 } - $sequence_5 = { 833d????????00 53 57 8bda 8bf9 7511 } - $sequence_6 = { 8b3e 83c328 0fb74706 8955e0 894ddc 3945f8 0f8c5affffff } - $sequence_7 = { 8d85f0efffff 50 53 ff15???????? 
85c0 } - $sequence_8 = { 7410 8b4c3012 03c8 8d4616 } - $sequence_9 = { 3b45e4 7740 8d45ec 50 8b45e8 51 } + $sequence_0 = { 47 83c628 897dfc 3bf8 7d19 8b7df4 } + $sequence_1 = { 8b852ce5ffff 8b048560514100 ff3406 ff15???????? 85c0 } + $sequence_2 = { c7472470314000 c7472880314000 c7472ca0314000 c7473400000000 8b85bcfeffff } + $sequence_3 = { e8???????? 8b0d???????? ba01000000 85c0 0f45ca 68???????? 53 } + $sequence_4 = { e9???????? 6a10 68???????? e8???????? 6a07 e8???????? } + $sequence_5 = { 53 8d4e04 6800080000 51 } + $sequence_6 = { 7424 8b45ec 03f0 85c0 7413 6a00 6a00 } + $sequence_7 = { 7473 8b85f4efffff 85c0 7469 8d3c30 81ffe8030000 7749 } + $sequence_8 = { 85c0 747a 56 8b35???????? } + $sequence_9 = { 53 8b5d08 56 57 6824010000 33f6 8d85d0faffff } condition: 7 of them and filesize < 210944 
@@ -98924,36 +99271,36 @@ rule MALPEDIA_Win_Tuoni_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d6fe1657-0ba1-5787-bb02-c66c2de38004" - date = "2026-01-05" - modified = "2026-01-06" + id = "36fc364c-9cb3-5328-8f63-30c51c40d7e3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tuoni" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tuoni_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tuoni_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "1e49c2155d5f2354628f8bc71b59233071caabc76e3825284e0656eaaabf9b91" + logic_hash = "f653978f00063dabfe4477460512f3d716f8d3cd7dc968eba11319c01fdfd420" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 84c0 7427 3c07 7423 8b4108 c6401c01 c7401816000000 } - $sequence_1 = { 894604 e8???????? 894604 8bc6 59 e8???????? c20400 } - $sequence_2 = { e8???????? b8???????? e9???????? 8d4dd8 e9???????? 8b45d0 83e001 } - $sequence_3 = { e8???????? 8d8daffbffff c645fc0a 51 8b08 e8???????? 8b8db4fbffff } - $sequence_4 = { 7429 6a08 59 33c0 83ec18 8bfe f3ab } - $sequence_5 = { 894c2414 8d0c28 89442420 8974241c 894c2418 55 7630 } - $sequence_6 = { e8???????? 83c40c 6b45e430 8945dc 8d80602a4500 8945e4 803800 } - $sequence_7 = { 85c0 7422 ff75e0 e8???????? ff75e4 e8???????? 
53 } - $sequence_8 = { 0f848a030000 51 51 8bcc 8d45d8 50 8919 } - $sequence_9 = { e8???????? 83c40c 8d85a8fbffff 6a08 50 ff15???????? 85c0 } + $sequence_0 = { 8b4508 8bc8 83e03f c1f906 6bd038 8b0c8d30464500 } + $sequence_1 = { e9???????? 8b4330 8b4804 894dcc 8b01 ff5004 8365fc00 } + $sequence_2 = { 8d45f4 64a300000000 894df0 8b8578040000 8b3d???????? 894548 } + $sequence_3 = { 59 8945e4 c645fc04 85c0 7416 6a40 56 } + $sequence_4 = { 53 ff7500 85c0 7515 e8???????? 59 59 } + $sequence_5 = { 7510 6a01 ff15???????? 6a01 ff15???????? 8d45e0 50 } + $sequence_6 = { 7443 ff750c 8d4df8 56 e8???????? 8b45fc ff4604 } + $sequence_7 = { e8???????? 83ec18 c745fc01000000 8d4520 8965f0 8bcc 50 } + $sequence_8 = { 66894608 895e20 895dfc 895e24 8d4e28 c645fc01 e8???????? } + $sequence_9 = { 031c8d30464500 eb0c 8bc8 8bd0 c1f906 8bdf 83e23f } condition: 7 of them and filesize < 734208 
@@ -98963,42 +99310,42 @@ rule MALPEDIA_Win_Mirage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c8a9a712-bc3f-5690-a472-64df6910b6ba" - date = "2026-01-05" - modified = "2026-01-06" + id = "813398a6-3711-515c-9ac9-8411b782d9bd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mirage_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mirage_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "4e4af3295967c47493f17386d2e75f998cb14d5de0104dd5de1d503e94b2b46e" + logic_hash = "efb9857223c67ed9db4dc7057f43c79e6ea4a93ea767644ffaf1234715df36cf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 6801000080 ff15???????? 85c0 7556 } - $sequence_1 = { 68???????? c745f804010000 ff75fc ff15???????? ff75fc } - $sequence_2 = { 0f84d1000000 57 e8???????? 8d7c0302 c70424???????? } - $sequence_3 = { 55 8bec b82c410000 e8???????? 53 56 } - $sequence_4 = { 8d45f4 50 53 68???????? c745f804010000 } - $sequence_5 = { e8???????? b8???????? 8d8d90feffff 50 8945e8 e8???????? 3bc3 } - $sequence_6 = { 0f86a0000000 bf14410000 8d8568bbffff 57 53 } - $sequence_7 = { 3bf3 0f85a9000000 381f 0f84a1000000 8d85ecfeffff 68???????? 
50 } - $sequence_8 = { 6a01 6a06 c645ff01 ff7620 } - $sequence_9 = { 80c261 88543724 46 83fe1f 7ce8 80643e2400 } - $sequence_10 = { e9???????? 83fe04 0f859afdffff 56 8d4508 } - $sequence_11 = { 66218514fbffff b981000000 8dbd16fbffff c745ec01000000 f3ab 66ab 8d45f4 } - $sequence_12 = { e8???????? 83c410 56 8d8514fbffff 6a00 } - $sequence_13 = { ab ab 33c0 8dbda6ebffff 6689b5a4ebffff } - $sequence_14 = { c3 53 e8???????? 59 ff75f0 ff15???????? } - $sequence_15 = { ffd7 85c0 7547 8d8514fbffff 85c0 } + $sequence_0 = { 6801000080 ff15???????? 85c0 7556 } + $sequence_1 = { 85c0 7541 0fb68799010000 50 } + $sequence_2 = { 83f8ff 8945fc 0f84d0000000 be14410000 8d85d4beffff 56 } + $sequence_3 = { 33ff 50 57 ff15???????? 85c0 0f84f4000000 8d85c0feffff } + $sequence_4 = { 8b8534ffffff 5e c1e814 40 } + $sequence_5 = { b8???????? e8???????? 81ec64030000 53 56 57 } + $sequence_6 = { 50 ff35???????? e8???????? 83c424 8935???????? ff75fc } + $sequence_7 = { 33c0 8d7dc9 80a41dc4f6ffff00 f3ab } + $sequence_8 = { c745f804010000 ff75fc ff15???????? ff75fc } + $sequence_9 = { 53 68???????? c745f804010000 ff75fc } + $sequence_10 = { 53 68???????? 6801000080 894df0 c745fc04000000 881f 899948010000 } + $sequence_11 = { 59 3bde 0f84dd000000 8d4701 } + $sequence_12 = { 8d45f0 50 8bce e8???????? 8bf7 } + $sequence_13 = { 8b4df0 8d0441 69c0f4010000 50 ff15???????? ff45f0 } + $sequence_14 = { ffd3 6683a550faffff00 b981000000 33c0 8dbd52faffff f3ab 66ab } + $sequence_15 = { 743e 8d8500ebffff 50 e8???????? } condition: 7 of them and filesize < 1695744 
@@ -99008,36 +99355,36 @@ rule MALPEDIA_Win_Troll_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40759ced-a25e-5434-bc7c-501cfe15d47a" - date = "2026-01-05" - modified = "2026-01-06" + id = "67042aa4-f987-59a8-b96f-b4f01d92e092" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troll_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.troll_stealer_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.troll_stealer_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "5f0403028aceb1e51ecaa890b1a7ca49efec2e1c71ccfd760d9d2619abef354a" + logic_hash = "3be2ef26e31631418580720590e6e7731c9fbf927b6cd6fe13353bb3ad220d21" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 49895008 6699 49894010 0fb7d5 9c c0f2b0 66d3f2 } - $sequence_1 = { d0ca 80c2f3 f9 f8 d0c2 4432ca f7c465491a38 } - $sequence_2 = { f7d2 f9 d1c2 4153 41ffc3 311424 415b } - $sequence_3 = { 4181eb2315e85c 313424 458bdd 49c7c33109c930 } - $sequence_4 = { 81d9d83d744a f6d2 80c253 0fbfc8 d2cd d0c2 } - $sequence_5 = { 313c24 480fbafbc6 c1eb14 480fb7da 5b 4863ff f8 } - $sequence_6 = { 453bf3 4153 311424 664181eb996f 415b f9 4863d2 } - $sequence_7 = { 4d8d141a 48bd0000000002000000 4d8d142a 410fc1f9 4c8bc4 4881ec80010000 450fbfc8 } - $sequence_8 = { 403ad4 
81f6a540bf26 f7d6 f5 d1c6 f8 f7d6 } - $sequence_9 = { 4112eb 418910 4080dd61 40fec5 660bef 418b2b 4981c304000000 } + $sequence_0 = { 0fca 4084d7 453ad6 81f22940ac2d f7d2 f8 41f6c0a2 } + $sequence_1 = { 410fcb 99 410f90c0 48c1c992 41c1c303 66440f4ecc f6d0 } + $sequence_2 = { 53 f9 d3c3 d2cf 310c24 66d3c3 5b } + $sequence_3 = { fecb 6681ebec79 310c24 66440fbbc3 0fbfdd 5b 4863c9 } + $sequence_4 = { f8 f5 d1cd 6641f7c77652 664181fef414 f8 4150 } + $sequence_5 = { 3adf 4184c1 f9 4153 490fbae3a3 4d0f4fdd 310c24 } + $sequence_6 = { c0f328 0adc 410fbfdd 80f18c 80e954 48c1dba3 f6d9 } + $sequence_7 = { d1c8 f9 4084e0 4151 490fbaf94d 310424 } + $sequence_8 = { 40f6c49f 81c11f68a01e f8 f7d1 f8 0fc9 } + $sequence_9 = { 4963fe 311c24 40c0e73d 40d2ef 5f f8 } condition: 7 of them and filesize < 45868032 
@@ -99047,36 +99394,36 @@ rule MALPEDIA_Win_Snatchcrypto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "606aa04d-2534-5b9c-a7ea-236168d717b6" - date = "2026-01-05" - modified = "2026-01-06" + id = "ad55c4a9-4803-51eb-ad9f-ea987e6ced5b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.snatchcrypto_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snatchcrypto_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "821ad44e204c834b4eeced1dd22888563234f9fd380bbb4b883fee2940f1717e" + logic_hash = "992c06b0380aa6e1f6295a696221d2907200369a9f414a719b52f5b1e236fce7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 4889ae60030000 488b9330060000 488d0d6e0a0300 e8???????? 4889442460 } - $sequence_1 = { e8???????? 488d4d81 33d2 41b803010000 c6458000 e8???????? 488d8db1020000 } - $sequence_2 = { c1c80b 410bca 458bc2 4433c8 4123ce 418bc4 c1c806 } - $sequence_3 = { 740d 4c39b380010000 0f858b000000 bfc4feffff 488b4310 4c8b7c2470 4c8b6c2478 } - $sequence_4 = { 7499 488d1597280600 488bcf e8???????? 85c0 7486 488d158c280600 } - $sequence_5 = { 0fb605???????? 
4188440f02 48635320 4c634324 48039590020000 4183c703 418bcf } - $sequence_6 = { 4889742418 57 4881ece0010000 488b05???????? 4833c4 48898424d0010000 488b7908 } - $sequence_7 = { 8bd8 85c0 0f85d3000000 4885f6 7416 488bce e8???????? } - $sequence_8 = { 0fb78b94030000 0fb7937e020000 410fb7c0 450fb7c8 c1e904 83e101 66c1e80a } - $sequence_9 = { 410fb6cb e8???????? 85c0 7547 448d4005 0fb6d3 410fb6cb } + $sequence_0 = { 0f842e010000 488b542460 448d4301 488d4c2470 ff15???????? b920040000 41b806020000 } + $sequence_1 = { 4c8b8fb0000000 488bcf 448bc0 4883feff 741b 488d155a570100 4889742420 } + $sequence_2 = { 4885d2 750f 488d0d98ff0200 ff15???????? eb18 803a3c 488d0d2a5f0300 } + $sequence_3 = { 4053 4883ec20 488bd9 4881c128050000 488d15b1000300 4c8b4170 c7818c00000000000000 } + $sequence_4 = { 488d159afe0200 e8???????? eb38 488d1574fe0200 4d8bcc e8???????? eb27 } + $sequence_5 = { 33db 4585e4 7467 0f1f4000 488b0d???????? 488bd6 e8???????? } + $sequence_6 = { 4883ec10 8bb1f0000000 4d8bf0 488bf9 d1ee 83fe07 0f87a6050000 } + $sequence_7 = { 4885c0 0f8411ffffff 488b5348 488bc8 c743680a000000 e8???????? 8bf8 } + $sequence_8 = { 0f86d9000000 418bad90000000 418d5613 4803e8 488bcd ff5640 85c0 } + $sequence_9 = { 4889542420 488d15eaef0100 488bcf e8???????? 8bc3 488b5c2450 488b742460 } condition: 7 of them and filesize < 1400832 
@@ -99086,44 +99433,36 @@ rule MALPEDIA_Win_Gpcode_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2b18987b-bc80-5fc9-83bb-027c69a960bd" - date = "2026-01-05" - modified = "2026-01-06" + id = "50bfd644-f402-586e-af37-d00c7482792b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gpcode_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gpcode_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "05e954eda4e4590590475795b2183e3631e7aeea469ee6afc7d69c80e137d118" + logic_hash = "78a9fe7499367c086cf77654f29d71743f30de267024176b1f2f33e1f9835620" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a1???????? a3???????? 6800001000 68???????? ff35???????? } - $sequence_1 = { 68???????? e8???????? 91 6a00 } - $sequence_2 = { e8???????? e8???????? c705????????01000000 c3 55 8bec } - $sequence_3 = { 68f4010000 e8???????? 833d????????01 75ed e8???????? } - $sequence_4 = { 0f840d020000 a3???????? 68???????? ff35???????? e8???????? 85c0 } - $sequence_5 = { a1???????? eb18 8b1d???????? 53 } - $sequence_6 = { ff7508 6aff 68???????? ff75f4 ff15???????? } - $sequence_7 = { e8???????? 85c0 0f8447020000 a3???????? 68???????? } - $sequence_8 = { 23d8 741f 80c141 880d???????? 
} - $sequence_9 = { e8???????? 6a0a 68???????? 6a00 e8???????? 0bc0 7504 } - $sequence_10 = { 75dc 85c9 7415 85c0 } - $sequence_11 = { a0???????? 2c30 a2???????? eb0a } - $sequence_12 = { 53 ff7508 56 50 6802010000 } - $sequence_13 = { e9???????? ff75f4 6a08 ff35???????? ff15???????? } - $sequence_14 = { 47 46 8a06 84c0 8975f4 } - $sequence_15 = { 8bfb 2b7df4 837decff 8955bc 8955c4 } - $sequence_16 = { 50 57 ff15???????? 8d45e4 50 } - $sequence_17 = { 740c 803f29 7507 c6020f } + $sequence_0 = { ff35???????? e8???????? e8???????? c705????????01000000 c3 55 8bec } + $sequence_1 = { ff35???????? e8???????? a1???????? a3???????? 6800001000 68???????? } + $sequence_2 = { ff35???????? e8???????? e8???????? c705????????01000000 c3 55 } + $sequence_3 = { ff35???????? e8???????? e8???????? c705????????01000000 c3 } + $sequence_4 = { 68???????? e8???????? 91 6a00 } + $sequence_5 = { ff35???????? ff35???????? ff35???????? e8???????? a1???????? a3???????? 6800001000 } + $sequence_6 = { a1???????? a3???????? 6800001000 68???????? ff35???????? 6a00 } + $sequence_7 = { e8???????? a1???????? a3???????? 6800001000 68???????? } + $sequence_8 = { e8???????? a1???????? a3???????? 6800001000 68???????? ff35???????? 6a00 } + $sequence_9 = { c3 ff35???????? e8???????? e8???????? c705????????01000000 } condition: 7 of them and filesize < 761856 
@@ -99134,10 +99473,10 @@ rule MALPEDIA_Win_Ground_Peony_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "801058db-7b66-5372-8745-75ac698daed8" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ground_peony" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ground_peony_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ground_peony_auto.yar#L1-L113" license_url = "N/A" logic_hash = "e6e32f0220bb10dd7446439a2221f39d91c5ad68ccd69dfaaf804fe3b4efdc99" score = 75 @@ -99146,9 +99485,9 @@ rule MALPEDIA_Win_Ground_Peony_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -99172,36 +99511,36 @@ rule MALPEDIA_Win_Bart_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "69293053-9c73-5e85-bfc8-1bda4f3480af" - date = "2026-01-05" - modified = "2026-01-06" + id = "d2327e66-cf48-5288-8c2a-da9b02aa482b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bart_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bart_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "3bd63c0862e680fa10847ed0fefa7078e2170f430f6b6047eb709673a0606c78" + logic_hash = "3340de8d10c7d34ef3611a7d6a25210f7340a68ec77b0f7d681e8adfde06b306" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 74d1 68ffffff00 50 8d45d8 8bce 50 e8???????? } - $sequence_1 = { 8d4dbc e8???????? 8b8558ffffff 8d8d7cffffff 8b9550ffffff 0fb600 } - $sequence_2 = { 8d4dd4 eb55 84db 755a 6a02 5a 8d4de4 } - $sequence_3 = { 48 0fb7c0 6683f801 7e7e } - $sequence_4 = { 53 56 57 8d45b8 8955ec 8bf9 50 } - $sequence_5 = { ffb63c010000 53 ffd7 83c40c 3b461c 75e1 33c0 } - $sequence_6 = { 8bfa 8bd9 384601 7e11 } - $sequence_7 = { 8bec 53 56 8bd9 57 33ff 397b48 } - $sequence_8 = { 0f840c010000 57 ff15???????? 
6800ff0000 ffd3 8bf8 85ff } - $sequence_9 = { 50 8b83b0000000 ffd0 8b95c8feffff 8b8db8feffff 53 56 } + $sequence_0 = { 50 8bd0 e8???????? 8d45bc 50 8d857cffffff 50 } + $sequence_1 = { 8b18 8b4004 8b37 8945e8 3bd8 751a 8b5f04 } + $sequence_2 = { 03c2 8bd3 c1f805 50 e8???????? 83c404 85c0 } + $sequence_3 = { eba6 8b4dfc 5f 5e 33cd 5b e8???????? } + $sequence_4 = { 50 8b4598 8b80b0000000 ffd0 8b4598 8d4d9c } + $sequence_5 = { 64890d00000000 8be5 5d c3 55 8bec ff750c } + $sequence_6 = { 8945e8 8945f4 ff15???????? 8d4dac 51 50 } + $sequence_7 = { 4f 758c 8a857bffffff 84c0 7e0e 8bbd74ffffff 8d75dc } + $sequence_8 = { 81ce???????? 8b45ec 85c0 7402 8930 8b4508 85c0 } + $sequence_9 = { 57 8b7d10 895db4 0fb607 50 56 e8???????? } condition: 7 of them and filesize < 163840 
@@ -99211,36 +99550,36 @@ rule MALPEDIA_Win_Reaver_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7725038c-885d-586e-9f95-5e06e196979a" - date = "2026-01-05" - modified = "2026-01-06" + id = "882687b3-ba73-50ff-8719-4591738f9f0a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.reaver_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.reaver_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "83dafe6f8435f2ac84b6d9a74f3f9ba4ae0b3ddc0578ba5a08e90d4a03423ef1" + logic_hash = "393dbf0df32d0be5f77f920c0e408d154697ac3de941dd81bf619f79e3a9b112" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3d14050000 7504 33c0 c9 c3 } - $sequence_1 = { 7453 8d45f4 50 ff7508 6a00 ff15???????? } - $sequence_2 = { ff15???????? 85c0 7440 8b45f4 6a00 } + $sequence_0 = { 83ec1c 8d45fc 50 68ff010f00 ff15???????? } + $sequence_1 = { 50 68ff010f00 ff15???????? 50 ff15???????? 85c0 7453 } + $sequence_2 = { 8d45f4 50 ff7508 6a00 ff15???????? 85c0 7440 } $sequence_3 = { ff15???????? 85c0 7453 8d45f4 } $sequence_4 = { 50 ff15???????? 85c0 7453 8d45f4 50 ff7508 } - $sequence_5 = { ff15???????? 85c0 740d ff15???????? 
3d14050000 7504 33c0 } - $sequence_6 = { 85c0 7453 8d45f4 50 ff7508 } - $sequence_7 = { 50 ff7508 6a00 ff15???????? 85c0 7440 } - $sequence_8 = { 6a00 ff15???????? 85c0 7440 8b45f4 6a00 } - $sequence_9 = { 50 c6467430 e8???????? 83c634 } + $sequence_5 = { ff7508 6a00 ff15???????? 85c0 7440 8b45f4 } + $sequence_6 = { ff15???????? 3d14050000 7504 33c0 c9 c3 ff75fc } + $sequence_7 = { 3d14050000 7504 33c0 c9 } + $sequence_8 = { 6a00 ff15???????? 85c0 7440 8b45f4 6a00 8945e8 } + $sequence_9 = { 85c0 7440 8b45f4 6a00 8945e8 8b45f8 } condition: 7 of them and filesize < 106496 
@@ -99250,41 +99589,41 @@ rule MALPEDIA_Win_Duuzer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce410d90-c1fc-5e24-b6fe-acbef7b75a62" - date = "2026-01-05" - modified = "2026-01-06" + id = "1d70d45e-4c61-5501-b7a6-f549148858fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.duuzer_auto.yar#L1-L150" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.duuzer_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "dfa72f297db77226dddcb2a3a6d903c9c88217f92848aed80d0a5daab8159948" + logic_hash = "a44245289af9a7bf3278a7eb8b5431b21dd01b56f454601d0c11fdac9e273028" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 83f804 7408 83c8ff e9???????? } - $sequence_1 = { 5e c3 397170 74e4 83b9f800000008 48895c2458 } - $sequence_2 = { c78598fdffff288c3a55 c7859cfdffff83a89c49 c785a0fdffff9ace29e0 c785a4fdffff5652b72b } - $sequence_3 = { b8a2000000 5e 8b4dfc 33cd } - $sequence_4 = { 5f c3 4585ff 74d9 4489a70c170000 } - $sequence_5 = { c785f0fefeff20964000 c785f4fefeff40964000 c785f8fefeff60964000 c785fcfefeff80964000 c78500fffeffd0964000 } - $sequence_6 = { 5f 5d c3 488d0529230100 } - $sequence_7 = { 51 56 e8???????? 6a78 8d4de8 } - $sequence_8 = { ffd6 a3???????? 
85c0 7413 8d8509ffffff } - $sequence_9 = { 8d86a4000000 c7465000000100 89464c 837dfc00 752f } - $sequence_10 = { 5f 5e 5d c3 488d542470 8bcb } - $sequence_11 = { 5e c3 488b4e38 48895c2468 } - $sequence_12 = { 5f c3 4585f6 74db } - $sequence_13 = { 50 8d0c1e 51 52 } - $sequence_14 = { 5f 5d 5b c3 33c9 4c897c2460 } + $sequence_1 = { 448d4808 4c8bc7 488bcb e8???????? 488b4c2428 } + $sequence_2 = { 895de4 83bf9c00000008 7523 83bfa000000000 753e } + $sequence_3 = { 83c414 eb09 57 56 33c9 } + $sequence_4 = { 0fb7442424 668947fe e8???????? 448bd8 } + $sequence_5 = { 6a00 3d4fffffff 0f8552040000 bf???????? e9???????? } + $sequence_6 = { 8bd5 488bcf e8???????? 488bd3 } + $sequence_7 = { 410fb6c1 c1e208 41b117 0bd0 89942460030000 } + $sequence_8 = { 6833150000 8d84248b030000 6a00 50 c68424c4010000e6 e8???????? } + $sequence_9 = { 53 33db 85ff 7412 8bdf } + $sequence_10 = { 6804010000 50 ff15???????? 85c0 74d4 6803010000 } + $sequence_11 = { 7516 488d05d4ba0100 488b4c2430 483bc8 } + $sequence_12 = { 48f7d1 48ffc9 7437 488d5c2420 90 } + $sequence_13 = { e8???????? 8bbdaceeffff 33c0 83c418 } + $sequence_14 = { c785c40300007064fefd c785c80300000c6d8b9b c785cc030000a19f601f c785d00300004d341cbb c785d40300004a097855 } condition: 7 of them and filesize < 491520 
@@ -99294,42 +99633,42 @@ rule MALPEDIA_Win_Doppeldridex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "daa7948f-1af7-5dc7-b72c-52142db6eff9" - date = "2026-01-05" - modified = "2026-01-06" + id = "ced8a78a-6ad2-5841-bcfe-93ef4e5f8449" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doppeldridex_auto.yar#L1-L180" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doppeldridex_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "c03ed87815d6a97d4f986f8009113427e6594093f0809ec3f0f49a2c2120349d" + logic_hash = "e97f34858f91b22015eeed214768462d60fe5ddb269feac9b9f5d517cceb6eca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf0 33c0 48 8bfe 8bda 2bf8 2bd8 } - $sequence_1 = { e8???????? e9???????? 55 83ec68 33d2 42 } - $sequence_2 = { 8b74243c 6a30 8b2f 56 8d4c2408 c6450000 e8???????? } - $sequence_3 = { 6880000000 ffb4249c010000 ffb424b4010000 ffb42498000000 56 8d4c2428 8d91e0000000 } - $sequence_4 = { 33c0 48 2bc8 2bd0 0bca 0f84b1000000 8d9424a4010000 } - $sequence_5 = { 8b02 40 8902 83f80a 0f85fefdffff e9???????? 
c784249000000000000000 } - $sequence_6 = { ff742410 50 6a00 52 ff742428 } - $sequence_7 = { 2bf8 2bd8 0bfb 0f8443030000 8d942490000000 8b02 } - $sequence_8 = { eb2b 31c0 8b4d88 83c104 } - $sequence_9 = { 0f92c4 8a6db3 20cd 20e5 f6c501 8955b4 7518 } - $sequence_10 = { 8b458c 8944240c 8b55a4 ffd2 83ec10 } - $sequence_11 = { 894de4 e8???????? 83f800 8945e0 74c2 } - $sequence_12 = { e8???????? 31c0 8945e8 eb51 31c0 } - $sequence_13 = { 01de 8b06 8bb550ffffff 8b5e08 8b4da8 01f9 890c24 } - $sequence_14 = { 6683ff00 89d3 8945b8 8955d0 8975d4 895ddc } - $sequence_15 = { 8b4df0 39c8 8945dc 72d2 ebb6 55 89e5 } + $sequence_0 = { ffb424a0010000 8d5380 e8???????? 8b842494010000 } + $sequence_1 = { 8b9998010000 895c2410 8ba984010000 896c2414 660fd6442418 660fd6442420 e8???????? } + $sequence_2 = { 89442404 660fd6442408 895c2410 8bb980000000 0fb602 897c2414 89442418 } + $sequence_3 = { 8b760c 89842494010000 89b424a8010000 6a00 8d8c24b0000000 } + $sequence_4 = { c78424a401000000000000 83c4d8 660fefc0 893424 } + $sequence_5 = { 50 8d4890 e8???????? 8b8424a4010000 8d9c24e8010000 } + $sequence_6 = { 33c0 48 8bfe 8bda 2bf8 2bd8 0bfb } + $sequence_7 = { 8d8c248c010000 e8???????? 8d8c24d0010000 e8???????? 8d8c24c8010000 } + $sequence_8 = { e8???????? 8b4588 2b45f0 8b4da8 890c24 89442404 } + $sequence_9 = { 83f800 8945f4 894df0 8955ec 752b } + $sequence_10 = { 8955ec 752b 8b45ec 83c418 5b 5d } + $sequence_11 = { 8b45d4 0fb708 8b55dc 83c201 } + $sequence_12 = { 8b0d???????? 8945c8 ffd1 8b4dec } + $sequence_13 = { 83fe00 0f94c3 39ce 0f94c7 08fb f6c301 8975d8 } + $sequence_14 = { 8b4508 b902000000 8d55cc bed092c50d 31ff c745f0d08ec50d } + $sequence_15 = { 57 83ec44 8b4508 31c9 ba00100000 beb0af4e67 c745f0b09f4c67 } condition: 7 of them and filesize < 360448 
@@ -99339,44 +99678,44 @@ rule MALPEDIA_Win_Rcs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "88c200d0-341d-5e6f-ae92-f6d74505595f" - date = "2026-01-05" - modified = "2026-01-06" + id = "5ca1a655-24be-5110-a034-a84d0784f907" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rcs_auto.yar#L1-L178" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rcs_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "3382bc9aa5e79b7f4a031deda04f3ba8bd2d1a1f1a24d3ec268d1e68154c00c2" + logic_hash = "31a459c09073ceebbb7d66e919c21a9c57d42a560faacd9023ea1dcd912f520e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c430 6aff 68???????? } - $sequence_1 = { 89442456 8944245a 8944245e 89442462 89442466 8944246a } - $sequence_2 = { ff15???????? 5f 5e 5d 5b 33c0 } - $sequence_3 = { 85ff 0f84d4000000 57 e8???????? } - $sequence_4 = { 40 68???????? 50 e8???????? 83c40c eb0d } - $sequence_5 = { 6a00 6880000000 6a01 6a00 6a05 } - $sequence_6 = { 83fd03 7c89 8b7c243c 33ed } - $sequence_7 = { 6a20 6a01 6a0a 6a11 ff5660 8bbedc000000 } - $sequence_8 = { 8bbedc000000 8bbf14120000 89da 81e2ffff0000 c1e204 } - $sequence_9 = { 89473c 8b7d08 8b37 81c6a1010000 } - $sequence_10 = { e8???????? 
83c41c 8d4d80 83c8ff } - $sequence_11 = { c9 c3 55 89e5 81ec04020000 } - $sequence_12 = { 81f2be387d15 e9???????? 8be5 c1cead } - $sequence_13 = { 83fd02 7c2d 8b07 8d54300c 3b11 7350 03c6 } - $sequence_14 = { 898528f4fbff 8b86dc000000 833800 0f94c0 83e001 } - $sequence_15 = { 81f2d141ed35 f8 f5 d1ca } - $sequence_16 = { 817deca4000000 72c2 56 e8???????? } - $sequence_17 = { ffb56cf4fbff ffb584f4fbff ffb5a0f9fbff 8b86dc000000 8b5020 03905c020000 52 } + $sequence_0 = { 8944245a 8944245e 89442462 89442466 8944246a } + $sequence_1 = { 85ff 0f84d4000000 57 e8???????? } + $sequence_2 = { 6a00 6880000000 6a01 6a00 6a05 6800000040 } + $sequence_3 = { e8???????? 83c430 6aff 68???????? } + $sequence_4 = { ff15???????? 5f 5e 5d 5b 33c0 } + $sequence_5 = { 40 68???????? 50 e8???????? 83c40c eb0d } + $sequence_6 = { 8b37 81c604010000 56 ff75fc ff5704 } + $sequence_7 = { 0508070000 50 ff96b8000000 898554f4fbff 85c0 } + $sequence_8 = { 83fb03 7413 83fb0c 740e } + $sequence_9 = { 8b86dc000000 ffb06c020000 ff5658 8b86dc000000 833800 0f94c0 } + $sequence_10 = { 81f2ab278738 6681f90e53 8d92d531ed6c a94c72b42b 85fe 33da } + $sequence_11 = { 81f2b716590f f8 f5 33da } + $sequence_12 = { ff5670 ffb58cf4fbff 50 ff5604 } + $sequence_13 = { c1e704 8b8d48f4fbff 83c103 0fb78c8870020000 } + $sequence_14 = { 8b75f0 8b3cbe 037df8 897ddc 6a0e 6a00 } + $sequence_15 = { f7e1 898530f4fbff 8b8534f4fbff 8b9530f4fbff 8b0402 8945f8 8945f0 } + $sequence_16 = { 47 81ffe8030000 72d7 68a00f0000 } + $sequence_17 = { 83fb03 5b 7516 68???????? } condition: 7 of them and filesize < 11501568 
@@ -99386,36 +99725,36 @@ rule MALPEDIA_Win_Buzus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "51e8e3ea-5fd9-5a65-8632-fc964a25884b" - date = "2026-01-05" - modified = "2026-01-06" + id = "84cc3e01-bbd0-5bc2-9173-9fdc0de50043" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.buzus_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.buzus_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "45f59120d6ee3fd13d7fe4ef65dc14248ca6854e32422138403891c6247259ef" + logic_hash = "9bb9e183d3e45fd5f8a6ca9a1a6dae090d02d4c89d1d9cc9c484a91a382cc272" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85d8faffff 50 ffd6 6804010000 8d85ccfdffff ff75a0 50 } - $sequence_1 = { 4e 46 897508 ebbd 803e2a 750b 83f801 } - $sequence_2 = { 59 7413 ff751c 68???????? ff36 56 e8???????? } - $sequence_3 = { 891d???????? 68???????? ffd5 85c0 740a c705????????01000000 } - $sequence_4 = { b8???????? ba???????? 89858cfcffff 8985a0fcffff b8???????? 
57 c785fcfbffffc8c94000 } - $sequence_5 = { 8b742410 33db 33ed 3bf3 7e58 } - $sequence_6 = { 53 8d5904 57 6a00 ffd6 59 } - $sequence_7 = { c78574feffffa8cf4000 c78578feffff9ccf4000 c7857cfeffff90cf4000 c78580feffff84cf4000 c78584feffff54cf4000 c78588feffff44cf4000 c7858cfeffff2ccf4000 } - $sequence_8 = { 44 1573d2446b 68ded17fda ca426b 68dddb1ffb 06 9f } - $sequence_9 = { 5f c9 c3 e8???????? 68a5040000 ff15???????? ebee } + $sequence_0 = { 53 53 6a02 53 53 8d85ccfdffff 6800000040 } + $sequence_1 = { 59 1bc0 59 83e007 e9???????? ff7508 be04010000 } + $sequence_2 = { 50 e8???????? 8dbc0606010000 8b35???????? 57 } + $sequence_3 = { ff15???????? 8bc6 59 69c018020000 } + $sequence_4 = { e8???????? 8a85b0faffff 59 3a05???????? 59 0f85a0000000 } + $sequence_5 = { 8d45c8 50 56 e8???????? 57 56 } + $sequence_6 = { 6a01 58 eb60 50 ff36 e8???????? 59 } + $sequence_7 = { 68???????? 68???????? e9???????? 8d851cfdffff 50 6804010000 } + $sequence_8 = { 57 ff15???????? 83f8ff 0f84e5060000 56 6889000000 68???????? } + $sequence_9 = { ff760c 8945cc ff15???????? 83c40c 83f803 8945b8 } condition: 7 of them and filesize < 679936 
@@ -99425,42 +99764,42 @@ rule MALPEDIA_Win_Reactorbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f9dea8e-61fb-5c9c-9443-ee6383884e21" - date = "2026-01-05" - modified = "2026-01-06" + id = "4655650a-c24e-5848-9e67-49f0a752ad4b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.reactorbot_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.reactorbot_auto.yar#L1-L158" license_url = "N/A" - logic_hash = "701fb8c7491a0d723c5845d4d6cce6ffa47155dd0df2cecad8bd6a0e42ab031b" + logic_hash = "ff171c08eb3d99e1db9fc775e00a58387c90f546379a4da228edb0903024af0e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4804 894dfc 8b55fc a1???????? } - $sequence_1 = { c745e400000000 a1???????? 8945e0 8b4d08 } - $sequence_2 = { 50 ff15???????? 8b55f4 52 ff15???????? 8b45ec 8be5 } - $sequence_3 = { ff15???????? 8945f8 837df800 7449 8b55fc 52 } - $sequence_4 = { 8d8590fdffff 50 ff15???????? 8d8d90fdffff 51 } - $sequence_5 = { 8d9580f9ffff 52 ff15???????? 8945ec 837decff } - $sequence_6 = { a1???????? 8982b8000000 83c8ff 8be5 } - $sequence_7 = { 8b4508 50 6804010000 8d8d78f7ffff 51 e8???????? 
8d9578f7ffff } - $sequence_8 = { 7402 eb0c c705????????b80b0000 eb0a c705????????e8030000 } - $sequence_9 = { ff15???????? e8???????? 833d????????00 7509 833d????????00 } - $sequence_10 = { 83c005 99 b905000000 f7f9 } + $sequence_0 = { 81ec980c0000 c745f400000000 c745e800000000 c745e400000000 a1???????? } + $sequence_1 = { 8bec 833d????????00 7418 6aff a1???????? 50 ff15???????? } + $sequence_2 = { 8945ec 837decff 7505 e9???????? 837de800 } + $sequence_3 = { 6804010000 8d8d88fbffff 51 e8???????? 8b9590fdffff } + $sequence_4 = { 51 ff15???????? 8b55f0 3b55fc } + $sequence_5 = { a1???????? 8945e0 8b4d08 51 ff15???????? } + $sequence_6 = { 52 e8???????? 8d85bcfdffff 50 6804010000 } + $sequence_7 = { 7420 8b0d???????? 51 8b15???????? 52 } + $sequence_8 = { 6bc005 83e803 99 b999000000 } + $sequence_9 = { 7402 eb0c c705????????b80b0000 eb0a } + $sequence_10 = { 83e101 f7d9 81e12083b8ed 33c1 } $sequence_11 = { 69c0b13a0200 99 83e203 03c2 } - $sequence_12 = { 6bc005 83e803 99 b999000000 f7f9 } - $sequence_13 = { 83e101 f7d9 81e12083b8ed 33c1 } - $sequence_14 = { 837c246000 0f8562010000 c744245400000000 c744247400100000 } - $sequence_15 = { 48837c245000 0f8417040000 4c8d0da2b30000 41b804000000 488d15ed7e0000 488b4c2450 } + $sequence_12 = { 83c005 99 b905000000 f7f9 } + $sequence_13 = { e8???????? 833d????????00 7509 833d????????00 740b } + $sequence_14 = { 05add92400 89442424 8b442424 ffc0 99 b907000000 } + $sequence_15 = { c744247800000000 c744245000000000 c744247c00000000 c744246000000000 } condition: 7 of them and filesize < 1032192 
@@ -99470,36 +99809,36 @@ rule MALPEDIA_Win_Woodyrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff2403f4-80f5-5a92-a716-69463c81a517" - date = "2026-01-05" - modified = "2026-01-06" + id = "2d5f6ac3-96e3-5256-bc78-54c79df807f1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woodyrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.woodyrat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.woodyrat_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "0875a91df86b2a6e691c8414a33ce11802859bc8c34fd58e245e57021b392621" + logic_hash = "4fd5b7d584093599c052d873ff587647494e2e99699b5fe7a4a91f3b84030d17" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? c745fcffffffff 83c404 8b4db0 8bf8 85c9 7411 } - $sequence_1 = { c7473400000000 c7473800000000 0f104624 0f114724 f30f7e4634 660fd64734 66894624 } - $sequence_2 = { 2bc1 c1f803 69f0abaaaaaa b8aaaaaa0a 8bce d1e9 2bc1 } - $sequence_3 = { 0f57c0 c707???????? 0f43c8 660fd64704 8d4704 c745a800000000 50 } - $sequence_4 = { ff15???????? 0f57c0 c78558ecffff00000000 660fd68550ecffff 6800010000 c78554ecffff20000000 c78558ecffff00010000 } - $sequence_5 = { 0f114630 e9???????? 8bc1 b9feffff7f 83c807 3dfeffff7f 0f47c1 } - $sequence_6 = { 7409 50 e8???????? 
83c404 837dd000 8b45cc 7704 } - $sequence_7 = { 40 894dc8 50 ff75e0 51 e8???????? 8b45c0 } - $sequence_8 = { 50 8d8de4f9ffff e8???????? 8bbd10f9ffff 8d8dd8f9ffff 8b7f08 89bd10f9ffff } - $sequence_9 = { 899d44ffffff 50 52 c78540ffffff00000000 ff15???????? 6898000000 8d8558ffffff } + $sequence_0 = { 8d4dec e8???????? 83ec18 8d4598 8bcc 50 } + $sequence_1 = { d9ec d9c9 d9f1 833d????????00 0f855c74ffff 8d0db00c4500 ba1b000000 } + $sequence_2 = { c7466800000000 c7466c07000000 8b4670 8b4e74 894770 894f74 8b4678 } + $sequence_3 = { c7461000000000 c746140f000000 c60600 8b7d1c 8d4d08 8b5508 8d5d08 } + $sequence_4 = { 3bca 7322 8d4101 894310 8bc3 83fa08 7202 } + $sequence_5 = { 50 8bce e8???????? 50 8d45d0 c645fc02 50 } + $sequence_6 = { e8???????? 8b45ec 83c408 84c0 8d4508 7479 8b551c } + $sequence_7 = { 2bc2 8d8da4fdffff d1f8 50 8d85e0fdffff 50 e8???????? } + $sequence_8 = { 6a00 56 c645fc01 e8???????? 83c410 8bce e8???????? } + $sequence_9 = { 56 68???????? 8d4db4 668975ac c745c80f000000 c645b400 e8???????? } condition: 7 of them and filesize < 785408 
@@ -99509,36 +99848,36 @@ rule MALPEDIA_Win_Roadsweep_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6c093c47-8e58-51ee-ae4c-89b38c2f042b" - date = "2026-01-05" - modified = "2026-01-06" + id = "457a8e82-690e-5c1c-a05d-57aa290d990e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roadsweep" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.roadsweep_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.roadsweep_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "0d07cae12c5491ee120ce765fa753d2699b968376031bccf1e21a7a431677bd5" + logic_hash = "2131496e6ed42ed2d60d74238181574c33222c59aa35c635fff777007237206e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89542404 e8???????? 3955cc 89c3 c745b800000000 } - $sequence_1 = { e9???????? c7442404???????? c7042404010000 e8???????? 83ec08 e9???????? c744240404010000 } - $sequence_2 = { 8b45e8 85d2 0f885d010000 85d2 0f8ea6010000 } - $sequence_3 = { 00d2 8b5d08 83d903 8db534ffffff c744240c00000000 29f9 baffffffff } - $sequence_4 = { 56 ba01000000 53 83ec50 8b7508 8d742600 8dbc2700000000 } - $sequence_5 = { c744241000000000 89542404 893424 e8???????? 8bbd6cffffff } - $sequence_6 = { c745cc04100800 891424 e8???????? 83ec04 85c0 } - $sequence_7 = { e8???????? 
891c24 8d9578fbffff 89542404 c68578fbffff25 c68579fbffff73 c6857afbffff63 } - $sequence_8 = { 890424 e8???????? 89b564ffffff 31c9 48 899d6cffffff } - $sequence_9 = { 3d???????? 7207 3d???????? 7216 } + $sequence_0 = { 53 83ec1c 8b7d08 8b5d14 8b470c 29d8 8d58ff } + $sequence_1 = { 4b 75f6 ebdd 8b0d???????? } + $sequence_2 = { 85c0 7512 8b15???????? 85d2 7808 89ec } + $sequence_3 = { 83e101 01c9 e9???????? 85c0 7e5b 89442404 8d55c8 } + $sequence_4 = { c7442408???????? c744240403010000 891c24 e8???????? 8b15???????? 8d8db8f9ffff } + $sequence_5 = { 8d448001 89c7 e9???????? 837d0cfe b801000000 74ee 8b4d14 } + $sequence_6 = { 8b15???????? 85d2 7415 89442404 8b5a10 891c24 } + $sequence_7 = { a1???????? c745d441414141 893424 8945e4 a1???????? 8945e8 } + $sequence_8 = { 807df300 7406 8b17 01d0 8b00 8d1438 8b03 } + $sequence_9 = { 0fbe45da 0fbe55d9 25c0000000 83e20f c1f806 0fb68c90b0914000 8b4508 } condition: 7 of them and filesize < 160768 
@@ -99548,36 +99887,36 @@ rule MALPEDIA_Win_Grapeloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb279ded-b2c5-5f10-9bdf-71ce0cb379f9" - date = "2026-01-05" - modified = "2026-01-06" + id = "f5ab39c2-1300-545c-8c81-f7e9b5653368" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grapeloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grapeloader_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grapeloader_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "9956347475bad3c02131a3202e37348872c31d719ae25d5814bb41f19904ddf4" + logic_hash = "de87bdd9b66bdb12bd07268f6afe34cf2bc628703489f68b489f0e6f83373986" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 88542417 48894c2408 48c7042400000000 48833c2414 731e 8a542417 } - $sequence_1 = { 0fbe4c2429 0fb7442410 01c8 6689442410 0fb644241b 0faf442420 89442420 } - $sequence_2 = { eb00 488b8580000000 4889e1 488d95c4020000 48895120 48c7c1ffffffff 488d95d0020000 } - $sequence_3 = { 5b c3 4883ec28 4c8d0d85b60000 33c9 4c8d0578b60000 488d1579b60000 } - $sequence_4 = { 4883ec38 4889542430 48894c2428 488b4c2428 48894c2420 48c7015c000000 } - $sequence_5 = { 03442438 89442438 0fb744243c 05876c0000 668944243c 8b442438 03442424 } - $sequence_6 = { 29c8 88442413 0fbf44243a 69c0be000000 
668944243a 0fbf4c243a } - $sequence_7 = { 4889442428 f6401c01 7412 488b4c2428 c6411c00 4883c108 e8???????? } - $sequence_8 = { 488d8d08030000 e8???????? 488d8d38030000 e8???????? c7850003000000000000 488d8ddf020000 } - $sequence_9 = { eb00 488b9590010000 488b8d80010000 e8???????? 48898578010000 eb00 } + $sequence_0 = { 488b45e0 488b8d40060000 ffd0 eb00 488d8d00020000 e8???????? 488d8d30020000 } + $sequence_1 = { 3dd58c0000 0f839b000000 c7442414c0738358 0fb64c243b 0fb744243c 29c8 668944243c } + $sequence_2 = { 89442454 8b44244c 2de1ab2bee 8944244c 66c7442416f43f 0fbe442423 } + $sequence_3 = { 69c088000000 6689442432 8b4c2438 0fbf44243c 01c8 668944243c } + $sequence_4 = { 4c8d0dd4d60000 33c9 4c8d05c3d60000 488d15c4d60000 e8???????? 4885c0 } + $sequence_5 = { 488d8d5f040000 488d9560040000 e8???????? eb00 488d8d60040000 e8???????? 488985a8000000 } + $sequence_6 = { 488d9550060000 e8???????? eb00 488d8d50060000 e8???????? 48898578010000 } + $sequence_7 = { eb00 488d8db0020000 e8???????? 488d8dd8020000 e8???????? 488b8d60050000 488b9520030000 } + $sequence_8 = { 488b45f8 b910270000 ffd0 eb00 488d8d40010000 e8???????? 488d8d70010000 } + $sequence_9 = { 7510 488b442428 488b4030 4889442460 eb1a eb00 488b442430 } condition: 7 of them and filesize < 397312 
@@ -99587,75 +99926,75 @@ rule MALPEDIA_Win_Remsec_Strider_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db849346-fdc8-5458-b09f-0ed961302034" - date = "2026-01-05" - modified = "2026-01-06" + id = "93d7c134-a0ad-5c16-bc89-30d185388895" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.remsec_strider_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.remsec_strider_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "c3432e8fc924d7004cd90cb89b83a8a788a294cbc5555d3841fb9abcee97c26b" + logic_hash = "29e44d38af97db95f11e8c59f54ea320dd3b7845ed8c783c342cceb626aed10b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? c700???????? c74024282d8000 897828 8b481c c7412003000000 89782c } - $sequence_1 = { e8???????? 8bc8 6a01 8bc3 e8???????? 83c40c 83c8ff } - $sequence_2 = { 2345fc d3e8 0fb74de2 03c1 8b4e4c 8b0481 8bc8 } - $sequence_3 = { 6a04 59 83460810 8b55f4 0fb75a02 8b4608 0fb7d3 } - $sequence_4 = { ff4dfc 75d1 8bc6 e8???????? 8bf8 8d4701 3dffffff3f } - $sequence_5 = { 5e 5b c3 8b4010 80781501 750d } - $sequence_6 = { 8b4628 8b4e14 8bfb eb0c 8b5008 3bfa 7302 } - $sequence_7 = { 8bd8 8b4310 8b4844 56 3b4840 7205 e8???????? 
} - $sequence_8 = { 0f859af6ffff 8b44240c dd16 c1ef0e 8d84b80400f8ff 6a03 } - $sequence_9 = { e9???????? 8b06 834008f0 8b36 b8ffff0000 66014634 8bc7 } + $sequence_0 = { 59 59 85c0 742e 8b4608 } + $sequence_1 = { c6862b0400003e c6862f0400003f c6863d04000000 8bc6 } + $sequence_2 = { 83f90a 7cf2 68ff000000 8dbe00040000 6880000000 } + $sequence_3 = { eb07 c7400804000000 5f 5e } + $sequence_4 = { 8b4724 894644 eb16 8b4724 89466c eb0e } + $sequence_5 = { eb0a dec9 eb06 dee9 eb02 dec1 } + $sequence_6 = { ff37 ffd6 50 ff15???????? 8bf0 } + $sequence_7 = { 6800040000 50 ff15???????? 83c410 33c0 5f 5e } + $sequence_8 = { 83661c00 83661400 8bce 5e e9???????? } + $sequence_9 = { ff750c e8???????? 83c410 ff75fc ff15???????? 59 } condition: - 7 of them and filesize < 327680 + 7 of them and filesize < 344064 } rule MALPEDIA_Win_Yayih_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "20c4d84b-adf0-50ee-81d6-f74bed13f2d6" - date = "2026-01-05" - modified = "2026-01-06" + id = "aec83ef4-fb94-50db-adab-7a699b47a0a9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yayih_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yayih_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "ccf9d220b177854895c46141d0b55d3d71e3c288e2342d7f6d4b5f34327dab2f" + logic_hash = "aafd7c2bb115cb3bcd296e69da2dce32e17a0f5f2839e2bd74cef145944e3c50" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = 
"20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a01 8d459c 5f 6689b548ffffff 50 } - $sequence_1 = { ff75f8 ff15???????? 8d85bcd8ffff 50 e8???????? 80bc05bbd8ffff3e } - $sequence_2 = { 8a1c33 80eb03 ff4508 8819 49 } - $sequence_3 = { e8???????? 59 59 8d85f0fdffff 68???????? } - $sequence_4 = { 7517 ff45e0 817de050c30000 0f8cecfdffff 33f6 e9???????? 6a44 } - $sequence_5 = { 83650800 8b550c 8d78ff 59 85ff } - $sequence_6 = { 8d8570fdffff 68???????? 50 ff15???????? 83c410 3bc3 894508 } - $sequence_7 = { 50 56 ff15???????? bf04010000 } - $sequence_8 = { c785f0feffff28000000 6a0c 8d45d0 56 50 e8???????? 6801200000 } - $sequence_9 = { 68???????? 50 e8???????? 59 8d85c0feffff 59 50 } + $sequence_0 = { 50 56 ff75fc 56 6a65 e8???????? 83c414 } + $sequence_1 = { 50 e8???????? 80bc05bbd8ffff20 59 745f } + $sequence_2 = { 898574ffffff ffd7 8bf8 56 2b7dd8 } + $sequence_3 = { ff75f8 ebd0 8d85bcd8ffff 50 } + $sequence_4 = { 8d85e8faffff 56 50 e8???????? 8d85b8b8ffff } + $sequence_5 = { 53 e8???????? 56 ff75dc 56 56 } + $sequence_6 = { bf???????? 7512 8b7508 68???????? 56 e8???????? 59 } + $sequence_7 = { 50 e8???????? 8d854cf6ffff 68???????? 50 e8???????? 8d85f0fcffff } + $sequence_8 = { 6a06 ff35???????? ff15???????? 8b45f4 } + $sequence_9 = { 0fafca 0fb65002 03ca 890d???????? 0fb64803 69c960ea0000 } condition: 7 of them and filesize < 57344 
@@ -99665,36 +100004,36 @@ rule MALPEDIA_Win_Mutabaha_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f534e66a-bdb8-5a1d-bf5c-73ff5eac186f" - date = "2026-01-05" - modified = "2026-01-06" + id = "17acaff4-0527-5476-a4b8-44d527c49c3a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mutabaha_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mutabaha_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "4a43ad552d1d544452880d565c27a595efcac7dc1e5e985992d3dce7571f7838" + logic_hash = "7bd797e29f72979881873637319f3de377a3b639beda6274238d17fac09b0b70" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4610 c6040808 ff4610 8b4610 c6040100 e9???????? 8b4610 } - $sequence_1 = { eb18 2bf9 8d145501000000 2bc1 8bcb c1e905 2bd9 } - $sequence_2 = { 53 e8???????? 83c41c 85c0 0f8543050000 8b4320 8d55f0 } - $sequence_3 = { 68???????? ff15???????? 898530fdffff 85c0 0f8441010000 68???????? 8d8d6cfdffff } - $sequence_4 = { 56 8bf1 8d4de8 57 8bfa e8???????? 83781408 } - $sequence_5 = { 0fafce 3bc1 731b 8bf9 b900080000 2bce c1e905 } + $sequence_0 = { 50 8d4da8 e8???????? 837dbc08 8d45a8 8d8d78ffffff 0f4345a8 } + $sequence_1 = { 50 e8???????? 
83f8ff 743b 8b7dd4 90 8b5f10 } + $sequence_2 = { 8954c804 8b06 031cc8 1354c804 41 3b4e14 72e7 } + $sequence_3 = { 50 e8???????? 83c410 ba00020000 68feffff7f ff35???????? 51 } + $sequence_4 = { 8bc8 e8???????? 85c0 7812 8b45f0 5f 5e } + $sequence_5 = { 3b45ec 75cb 85d2 75c7 85ff 7c62 7f04 } $sequence_6 = { e8???????? c7465400000000 8bc6 8b4df4 64890d00000000 59 5e } - $sequence_7 = { c7856cfdffff07000000 66898558fdffff 8b8554fdffff c78568fdffff00000000 83f808 7213 40 } - $sequence_8 = { 8bf9 c745f82e000000 e8???????? 40 8bcf 50 8d45f8 } - $sequence_9 = { 8b8d40efffff 85c9 7414 8b11 8d851cefffff 3bc8 0f95c0 } + $sequence_7 = { 83c414 8d85f0fbffff 68???????? ffb5f0e5ffff 68???????? 6800020000 50 } + $sequence_8 = { 894de8 8b0490 8b55e0 3bc6 7324 8bc8 c1e105 } + $sequence_9 = { 668945cc e8???????? 8d55cc c645fc01 8d4db4 e8???????? 68???????? } condition: 7 of them and filesize < 1220608 
@@ -99704,36 +100043,36 @@ rule MALPEDIA_Win_Bumblebee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "51e7861d-d3b9-5cdb-81c5-a532ba2bf356" - date = "2026-01-05" - modified = "2026-01-06" + id = "fcabed15-826a-58a0-9aa5-37a161dc97ae" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bumblebee_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bumblebee_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "55275cb4405b1783096501f885fe54bb72513b66b06e891fc6760c0a6547ff81" + logic_hash = "51f10901371c82ccab1deedf84072acf217910bc6976ff85b18f0760119b2ee1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bd5 4889442428 498bce 488364242000 } - $sequence_1 = { 85c0 783c 488b9508030000 4885d2 } - $sequence_2 = { 4885c0 0f84b5000000 488d4c2430 41b900100000 48894c2420 4c8bc3 498bce } - $sequence_3 = { 33d2 488b4dc8 e8???????? 488b4dc8 } - $sequence_4 = { 90 ba38000000 488bcb e8???????? 90 } - $sequence_5 = { 4885f6 0f84ff000000 488b05???????? 4885c0 0f84ef000000 488d4c2430 41b900100000 } - $sequence_6 = { 488364242000 ffd7 8bc8 ffd3 } - $sequence_7 = { 488bd8 ff15???????? 
488bcf 488945e5 } - $sequence_8 = { 488364242000 ffd7 8bc8 ffd3 4c8d5c2460 498b5b20 498b6b28 } - $sequence_9 = { ff15???????? 488d4c2438 33d2 48894c2420 448d4f30 } + $sequence_0 = { 0f849b010000 be80030000 488d4c2470 448bc6 } + $sequence_1 = { 8bc8 41ffd7 8bd8 488b4d48 4885c9 7408 4d85f6 } + $sequence_2 = { 31c0 89c1 31d2 4c8b842478020000 } + $sequence_3 = { 6623d1 740d 0fbe470d b90d000000 2bc8 } + $sequence_4 = { 48894c2420 4c8d442470 498bce 448bce } + $sequence_5 = { 84c0 7512 488b03 482b4308 } + $sequence_6 = { 48c1e106 4881f900100000 7225 488d4127 483bc1 7706 e8???????? } + $sequence_7 = { c744242800000008 4c8d45d0 488975d8 8d4640 488975e0 ba1f000f00 8945e8 } + $sequence_8 = { 85c0 0f88cc000000 4863533c 488b05???????? 4803d6 4885c0 0f84b5000000 } + $sequence_9 = { ffd0 85c0 0f880c010000 488b7580 4885f6 0f84ff000000 } condition: 7 of them and filesize < 4825088 
@@ -99743,36 +100082,34 @@ rule MALPEDIA_Win_Cerber_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4c9d39f2-1f37-54c9-9401-1cacb9319069" - date = "2026-01-05" - modified = "2026-01-06" + id = "54d5986a-5891-50f0-b298-faa9dc92f46a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cerber_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cerber_auto.yar#L1-L106" license_url = "N/A" - logic_hash = "b9dc28e7f8f56d5aa5c92d6f0da2514b7004d6b05c357e6e1f8548cb64132bf7" + logic_hash = "5fcd413923440d43bb304c96f57fe00738e1b31d910a6f707b556f0ccf85e9d5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8345fc04 8901 ff45f8 8b45f8 } - $sequence_1 = { 8b5508 2bd7 8955f4 8975fc } - $sequence_2 = { 59 84c0 7413 8b450c 56 ff7508 8b7510 } - $sequence_3 = { 833c8100 7505 85c0 75f1 c3 40 } - $sequence_4 = { 8b550c 8b4510 b900100000 2b8e7c3b0000 33db 2b55fc 1bc3 } - $sequence_5 = { 7709 39450c 0f86dc000000 8b550c 8b4510 } - $sequence_6 = { 6a00 50 e8???????? 
8b4df0 83c40c 85c9 7e58 } - $sequence_7 = { 7433 8b7d0c 8b5508 2bd7 8955f4 8975fc } - $sequence_8 = { 762e 85d2 7838 8b4508 8b04b8 83651400 837d1420 } - $sequence_9 = { 3b7d0c 72d2 85d2 780a } + $sequence_0 = { 33da 8b9034ffffff 235054 89b840010000 8bb8b8000000 23b8a0000000 899844010000 } + $sequence_1 = { 59 8b45ec ff4de8 836df004 8345e004 836dec04 837de800 } + $sequence_2 = { 51 33c0 53 3bf0 } + $sequence_3 = { 0bf2 0fa4ce10 c1e110 99 0bc8 8b4524 } + $sequence_4 = { 7504 6a05 ebee 394508 } + $sequence_5 = { 83c704 ff4dfc 75dd 8b4510 5f 5e 5b } + $sequence_6 = { 33da 8b9044ffffff 235064 894de0 8b88d4000000 894de4 } + $sequence_7 = { 33da 8b902cffffff 23504c 89b838010000 8b7de8 23fe 8b75ec } condition: 7 of them and filesize < 573440 
@@ -99782,36 +100119,36 @@ rule MALPEDIA_Win_Satan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "68d44cab-535c-5e80-af20-cc11a23f278f" - date = "2026-01-05" - modified = "2026-01-06" + id = "43903542-1ee0-51a5-99b2-d03e528c4cb4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.satan_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.satan_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "d0b3d89d021ce91fc4570ebd9fe46022bd9b8c1b3f3581186971725c2d3f1922" + logic_hash = "858b41195101add30ed55c00458d00ec5c092216e35426a3c0b5b9b662c3ac4d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b02 c1f806 8b4d0c 8b11 83e23f 6bca30 8b148540e04700 } - $sequence_1 = { 8d4db8 c745fcffffffff e8???????? 8d45b8 c745fc10000000 50 8d45e4 } - $sequence_2 = { 8945cc c645d300 c745c8ffffffff 83cbff 895dc4 c745d800000000 c745dc00000000 } - $sequence_3 = { 3305???????? b904000000 6bd124 8982d0d14700 68???????? 8b45fc 50 } - $sequence_4 = { 660f123d???????? 25ff010000 83c001 25fe030000 f20f592c85c01a4700 f20f591485c01a4700 660f5834c5d0224700 } - $sequence_5 = { 7511 3d00200000 740a be06000000 33c9 8975c0 894dc8 } - $sequence_6 = { f20f5cc3 03c0 03c0 03c0 03c0 660f289800334700 660f2835???????? 
} - $sequence_7 = { c745fc00000000 33c9 8b751c ba02000000 46 8bc6 f7e2 } - $sequence_8 = { 8bff 55 8bec 83ec10 8b4508 8d0c8598e24700 51 } - $sequence_9 = { e8???????? 8d45b8 c745fc10000000 50 8d45e4 b9???????? 50 } + $sequence_0 = { 8b45ec 6a2c 6a01 ff7004 e8???????? 83c40c 6a00 } + $sequence_1 = { 890e 8b45f0 8b7004 395e08 } + $sequence_2 = { 7417 85f6 7404 3bd6 750f c70000000000 8b01 } + $sequence_3 = { 8d4dac c6470c01 e8???????? 8d4de0 e8???????? 8bc7 } + $sequence_4 = { 8d4dd4 c745fc05000000 e8???????? 8d4dd4 e8???????? 8ac3 } + $sequence_5 = { 48 894108 51 ff7514 8b4de0 e8???????? 8d4d0c } + $sequence_6 = { c1fa06 8b45fc 8b08 8b01 83e03f 6bc830 8b149540e04700 } + $sequence_7 = { c7432400000000 0f8238010000 8b4314 e9???????? 8b4104 3b4808 7505 } + $sequence_8 = { 85f6 7456 83fe01 7251 837f1810 8d4704 894508 } + $sequence_9 = { 837dfc00 7d04 33c0 eb69 8b4dfc 8b14cd24e44600 8955f8 } condition: 7 of them and filesize < 1163264 @@ -99822,10 +100159,10 @@ rule MALPEDIA_Win_Minipocket_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "4bfe3841-9649-5ffe-8c95-c50da79d5d8c" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minipocket" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.minipocket_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.minipocket_auto.yar#L1-L121" license_url = "N/A" logic_hash = "f99d6584928c86c24bca7d34fc6463d62a033b67ff2c46d0cd8c512898739c50" score = 75 
@@ -99834,9 +100171,9 @@ rule MALPEDIA_Win_Minipocket_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -99860,36 +100197,36 @@ rule MALPEDIA_Win_Milum_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "072a5425-70d6-5cbe-aab8-850ca665ab19" - date = "2026-01-05" - modified = "2026-01-06" + id = "b616f8b7-a4ff-5ae8-af3f-b4ab1e03480d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.milum_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.milum_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "9236edc24d0ffb81128dcba2f9b72495a7a041ad4784e9ea16fcd910b2720b0b" + logic_hash = "c3b6caac222f5fac684046c54fc5137cad44cbd03938cb226326721364da6349" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f85c1000000 8b7608 385e44 751c c6424401 c6464401 8b5104 } - $sequence_1 = { 53 8d9424bc000000 c741140f000000 895910 52 8819 e8???????? } - $sequence_2 = { 89a570feffff 6aff 53 8d5508 897114 895910 52 } - $sequence_3 = { 8b4214 2b4644 8b5218 8945e4 03c1 3bc2 7605 } - $sequence_4 = { 8b5604 52 c645fc06 e8???????? bf10000000 eb1b bf10000000 } - $sequence_5 = { 895e18 885e08 8b4df4 64890d00000000 59 5e 5b } - $sequence_6 = { 50 ba???????? e8???????? 
8b850cfcffff a804 7414 8d4dc8 } - $sequence_7 = { 7e16 8b4d08 8b55d8 c741180d000000 89511c 83791800 7509 } - $sequence_8 = { c645fc17 50 8d4dc8 e8???????? c645fc03 8d8d04ffffff e8???????? } - $sequence_9 = { c745e000000000 c645d000 397e14 7314 8b4610 40 50 } + $sequence_0 = { 81e1ff000080 7908 49 81c900ffffff 41 8bb48df0fbffff 89b405fcfbffff } + $sequence_1 = { 8bda 899d38ffffff 6a00 e8???????? 83c404 2b8544ffffff 1b9548ffffff } + $sequence_2 = { 53 51 52 ffd0 84c0 0f8592000000 c645fc03 } + $sequence_3 = { 8b450c 8b55bc 8938 895004 8b4df4 64890d00000000 59 } + $sequence_4 = { c645fc05 c645fc04 8dbd58ffffff e8???????? c645fc06 8bcc 89a528feffff } + $sequence_5 = { 50 8d442468 64a300000000 8b7d08 8bcf e8???????? 84c0 } + $sequence_6 = { e8???????? 668b500e 66c1ea0a f6c201 7430 } + $sequence_7 = { 8d450c 50 8d4d80 e8???????? c785e8feffffb8b44600 c785e8feffffc0b44600 c645fc0c } + $sequence_8 = { 39b42490000000 720d 8b54247c 52 e8???????? 83c404 8b442418 } + $sequence_9 = { 8b45f8 8b4de8 52 50 51 } condition: 7 of them and filesize < 1076224 
@@ -99899,36 +100236,36 @@ rule MALPEDIA_Win_Unidentified_105_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a3e23fc-74b8-538e-83ea-6f636ca69973" - date = "2026-01-05" - modified = "2026-01-06" + id = "f2025884-bdde-5892-a153-091931b9af22" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_105" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_105_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_105_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "f4fc15196e62980ff75ec5048526dde4db7767af139fed75b0b1419b85a6dee5" + logic_hash = "18a1bd6dfaab243848121d17520bc7bf66bbc668f3356ff46f34ae2dff2b80ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 6800100000 8bf0 57 56 } - $sequence_1 = { 6a00 8d8dd0feffff 51 8d95fcfeffff } - $sequence_2 = { e8???????? 8bd8 83c404 53 8bce } - $sequence_3 = { e8???????? 6800002000 8bf8 6a00 57 897df4 } - $sequence_4 = { 8a08 40 84c9 75f9 2bc2 6a02 8d4c30fe } - $sequence_5 = { 85c0 750d 68???????? e8???????? 83c404 8b8df0efffff } - $sequence_6 = { 8b742414 83c404 b9???????? 8bc6 8d642400 } - $sequence_7 = { 8b3d???????? 8d45e4 50 33f6 } - $sequence_8 = { eb13 83f801 750e a1???????? 
} - $sequence_9 = { 8b85f4efffff 83c40c 6a00 8d8decefffff 51 6800100000 } + $sequence_0 = { 50 e8???????? a1???????? 6800020000 } + $sequence_1 = { 6800002000 e8???????? 6800002000 8bd8 57 53 e8???????? } + $sequence_2 = { 8bd0 a1???????? 8d7801 8a08 40 84c9 75f9 } + $sequence_3 = { c785a8feffff00040000 e8???????? 6800040000 8985c0feffff c785c4feffff00040000 } + $sequence_4 = { 7410 8d9560ffffff 52 ffd0 } + $sequence_5 = { e8???????? 8b85f8feffff 8b8de0feffff 83c40c 8901 3d00002000 } + $sequence_6 = { a1???????? 89421c eb14 83f801 } + $sequence_7 = { 40 84d2 75f9 8d542414 52 } + $sequence_8 = { 75f9 2b55f0 8d45f8 50 53 52 } + $sequence_9 = { eb13 83f801 750e a1???????? 8b0d???????? } condition: 7 of them and filesize < 253952 @@ -99942,7 +100279,7 @@ rule MALPEDIA_Win_Transferloader_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.transferloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.transferloader_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.transferloader_auto.yar#L1-L121" license_url = "N/A" logic_hash = "c6b3fd0089b61d2c316b9ea19bd98256a6361edd3a6f033006f4e490787182fc" score = 75 
@@ -99977,36 +100314,36 @@ rule MALPEDIA_Win_Redyms_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef628f44-574a-5627-8d8b-734217cd0062" - date = "2026-01-05" - modified = "2026-01-06" + id = "2f69e704-8c2b-5e98-9c61-935ce0d086c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redyms_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redyms_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "332ef19bb997044700a2b380446c47adf654ddb5c63453028d068b88131edb5b" + logic_hash = "7def7132508b19206ce192505b0bb1dcfc36d60dc042f3be374902228186de08" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745d800000000 8b7dd8 56 6a00 ff15???????? } - $sequence_1 = { 53 03f7 56 57 e8???????? 83c40c } - $sequence_2 = { 2bf7 03c7 83ee02 56 8d540802 52 53 } - $sequence_3 = { b8???????? ffd0 898590feffff 85c0 } - $sequence_4 = { 8b856cfdffff 50 ff15???????? 6a09 8d8d74feffff 51 68???????? } - $sequence_5 = { 8b0f 014b2c 8b4b2c 85c0 7571 } - $sequence_6 = { 85ff 7433 8b95ecfeffff 83c2fc } - $sequence_7 = { 740b 50 53 ff15???????? 50 ffd6 8b45d4 } - $sequence_8 = { 6a00 68???????? 68???????? 51 56 } - $sequence_9 = { 8bf0 85f6 740c 8b550c 57 52 56 } + $sequence_0 = { a1???????? 
8d7828 57 894518 ffd3 83c8ff 8bce } + $sequence_1 = { 8945f8 ffd3 83c9ff 8bd6 f00fc10a 85c9 } + $sequence_2 = { 8a0431 3c10 7506 c604312d eb05 0441 880431 } + $sequence_3 = { 8bc7 83f05b 014508 47 3bfb 72ca 8d4b04 } + $sequence_4 = { 8d1c9d10000000 833c0b00 0f85b2feffff 5e 5b 8be5 5d } + $sequence_5 = { 50 56 ff15???????? 8975f8 85f6 747b 8b450c } + $sequence_6 = { 8b35???????? 8d4dec 8bd1 33c0 c645eb00 2bf2 8a140e } + $sequence_7 = { 8d7828 57 8945f8 ffd3 83caff 8bc6 f00fc110 } + $sequence_8 = { 50 ff15???????? 57 ff15???????? 8b4dfc 8b1d???????? 51 } + $sequence_9 = { 8d7828 57 c745bce479f403 8bf0 ffd3 8d45a8 } condition: 7 of them and filesize < 98304 
@@ -100016,36 +100353,36 @@ rule MALPEDIA_Win_Terra_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "234ed187-f851-554b-a630-3727e334e709" - date = "2026-01-05" - modified = "2026-01-06" + id = "124924eb-8733-53ef-8986-8b12f071ae98" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.terra_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.terra_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ba7828bda62d9e0272e6a0dfd1c69067ed7e871d009d7d515799e6dd5814f419" + logic_hash = "d50bf2f196f7161b4d6c1b2e83a16e07f83bdb3d8e1bf759ae6a81b465853475" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 0f8523030000 488b0f 4885c9 7405 e8???????? 4180fc05 } - $sequence_1 = { e8???????? 488983f0120000 4885c0 7456 41b80f000000 488d15302f0900 488bcb } - $sequence_2 = { eb04 4c8b7d28 4533c9 4533c0 488d1525861d00 488d4c2478 ff15???????? 
} - $sequence_3 = { ffca 84c0 7425 8bc8 410fb600 420fb6843840061f00 4238843940061f00 } - $sequence_4 = { 0f8c6effffff 4533c9 418b5708 498bc1 8b7e08 85d2 498bcc } - $sequence_5 = { ffc0 84c9 75e9 4863c8 4881f9f4010000 0f8339070000 488d8550010000 } - $sequence_6 = { eb24 498b4e10 4885c9 7415 0f1f00 8b4164 2403 } - $sequence_7 = { eb07 896b2c c6430144 488bc3 488b5c2478 4883c430 415d } - $sequence_8 = { e9???????? 488d8ae80f0000 e9???????? 488d8a00100000 e9???????? 488d8a18100000 e9???????? } - $sequence_9 = { e9???????? 488b5308 488d05d334f3ff 48ff42f8 4c8b4318 488b3b 4981f8ffffff7f } + $sequence_0 = { e8???????? eb05 4c8b7c2460 41807f6700 7421 498b8f60010000 488d1509a31300 } + $sequence_1 = { e8???????? 83f875 0f858e020000 488bcb e8???????? 83f8ff 0f848f020000 } + $sequence_2 = { f6430466 0f841a010000 397708 0f84df010000 48635708 4c8d3d9c90e7ff 48035508 } + $sequence_3 = { f644c81220 7407 814e6400180000 488b4608 6642891460 498b07 803871 } + $sequence_4 = { e8???????? 48894558 e9???????? 488d0dafdf0a00 ff15???????? 48894550 4885c0 } + $sequence_5 = { eb0d e8???????? 488bf0 4889442428 33ff 4983e7f0 4c03fe } + $sequence_6 = { e8???????? 48897c2450 488b8c2428010000 4885c9 0f84f6030000 8bd5 498bcc } + $sequence_7 = { c785a40400001f2f535b c785a804000024011905 c785ac040000052f2a38 c785b00400003c2f303b c785b40400002b090321 c785b80400005d09391b c785bc04000018225e0c } + $sequence_8 = { e9???????? 488b8a60000000 e9???????? 488b8a00010000 e9???????? 488b8a08010000 e9???????? } + $sequence_9 = { e8???????? 8be8 4885f6 7452 4c8b4670 41f6403420 743f } condition: 7 of them and filesize < 4621312 
@@ -100055,36 +100392,36 @@ rule MALPEDIA_Win_Tclient_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "650e8891-ed90-5136-bd2f-e9d9bc478c30" - date = "2026-01-05" - modified = "2026-01-06" + id = "591e1c56-3c76-53f9-a688-f311b650ab6e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tclient_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tclient_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8cec1eb16073a2ac15195a2fb3f4612d56f52a89cef4787143a34f4035169950" + logic_hash = "786b00ff98122aadf50a4ee3367b9930a20b391637977101bfcb83b7f7a482a3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffb5f0fdffff ff95e4fdffff 8bf0 83c40c 85f6 0f85ec020000 8b85f0fdffff } - $sequence_1 = { 6a00 50 e8???????? 83c40c c70340000000 8bcb e8???????? } - $sequence_2 = { 8d4508 8bcc 50 e8???????? 8d4dcc 885dfc e8???????? } - $sequence_3 = { 0f8521feffff 837d1001 0f857a010000 85f6 745f 8b4e04 57 } - $sequence_4 = { ff7508 8bd7 8bce e8???????? 59 59 5f } - $sequence_5 = { 8bf1 57 84d2 756a b800020000 66858620030000 755c } - $sequence_6 = { 8d45c8 50 8d7730 56 8d5750 8d4de8 e8???????? 
} - $sequence_7 = { 8b049dc0a04700 0fb6440828 83e001 0f848d000000 b8ffffff7f 3b4510 1bc0 } - $sequence_8 = { 3bd8 7e2c 8d95b0feffff 8d8d60faffff e8???????? 8b9da8faffff 8bf8 } - $sequence_9 = { 33c0 66898625030000 89862a030000 888627030000 888622030000 884660 88467c } + $sequence_0 = { f7d0 03d7 0bc2 8955f4 33c7 03461c 8db1827e53f7 } + $sequence_1 = { eb83 83a68c00000000 8bce e8???????? 8bc7 eb05 b853ffffff } + $sequence_2 = { c1c105 33c7 034b34 8b5da8 03c8 03ce c1c31e } + $sequence_3 = { 0fb7c2 42 c6440804c0 0fb7c2 42 c644080414 0fb7c2 } + $sequence_4 = { bbff00ff00 c1c008 c1ce08 23c3 81e600ff00ff 0bf0 8b4204 } + $sequence_5 = { e8???????? 83c40c 85db 7e38 8b953cffffff 8bce 6a0d } + $sequence_6 = { 6800080000 53 8d85f4f4ffff 50 e8???????? 83c430 8d85fcfdffff } + $sequence_7 = { 5d c3 55 8bec 85c9 7429 85d2 } + $sequence_8 = { 8be5 5d c3 55 8bec 85c9 7435 } + $sequence_9 = { 7405 e8???????? b81c010000 8d8efc010000 8819 41 83e801 } condition: 7 of them and filesize < 1063936 
@@ -100094,42 +100431,42 @@ rule MALPEDIA_Win_Brambul_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4ed55462-e49e-50fe-a0d1-6f0e1f85cf77" - date = "2026-01-05" - modified = "2026-01-06" + id = "b876c689-d83b-5dec-b921-bfe452e3308e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.brambul_auto.yar#L1-L172" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.brambul_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "938c39a82f375c34fe26abb1fc00229e1aa1c5407e38b617fd73b29996474592" + logic_hash = "10ed389e06d32ea2cb75b4e9c1e8e63ca5a2399f331b65c0200a902b07d067b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4e03 2bee 8a01 8ad8 80e30f c0e804 } - $sequence_1 = { a3???????? 68???????? 68???????? e8???????? 83c408 50 } - $sequence_2 = { 8d8c2438020000 51 ff15???????? 8bac2428090000 83c9ff 8bfd } - $sequence_3 = { 33c0 8d94240c010000 f2ae f7d1 2bf9 6a00 8bc1 } - $sequence_4 = { 8b4c241c 40 3bc1 89442418 0f8cfefeffff 8b442414 } - $sequence_5 = { 83c40c 8b5514 833a00 0f84db000000 837decfe 0f8ed1000000 c745e401000000 } - $sequence_6 = { 8985a849ffff 8985c05dffff 8985c45dffff 8945f8 895df0 } - $sequence_7 = { 8b4002 8985b049ffff c785ac49ffff02000000 e9???????? 
f6c140 0f8428010000 f6c120 } - $sequence_8 = { 42 bf08000000 89542410 c6041600 85ed } - $sequence_9 = { 48 234508 8d0440 8d0441 0fb64801 } - $sequence_10 = { 8913 5f d3e7 3bc8 7316 } - $sequence_11 = { 46 6a00 8d849db84dffff 56 } - $sequence_12 = { 0f8e5b020000 68???????? 68???????? 8d54242c 68???????? 52 } - $sequence_13 = { 03f3 8bd9 8dbc379979825a 8bf7 } - $sequence_14 = { 81c404010000 c3 56 8d542414 68???????? } - $sequence_15 = { c1ee17 c1e709 0bf7 33ce 8bf9 33fa } + $sequence_0 = { 730d 8d8d887fffff 2bc1 48 } + $sequence_1 = { 83c40c 83f8ff 0f840d020000 a0???????? 3c34 7404 } + $sequence_2 = { 68???????? 55 e8???????? 83c40c 83f8ff 0f8488010000 6800040000 } + $sequence_3 = { 8bd7 33d1 035054 8d9c13f87ca21f 8bd3 c1ea10 } + $sequence_4 = { 894d08 85c9 0fb64a01 0f8429010000 d3ee } + $sequence_5 = { 8bb4247c010000 b980000000 8d5624 c6460873 8bfa f3ab } + $sequence_6 = { 8dbc37604bbbf6 8bf7 c1ee10 c1e710 0bf7 } + $sequence_7 = { 33c9 8a4e01 8bf9 8d5703 } + $sequence_8 = { 8d942474010000 57 52 8bf0 ff15???????? } + $sequence_9 = { 56 57 ff15???????? 8b7c2420 8b5c241c } + $sequence_10 = { 8d95887fffff 8dbd887fffff 3bd0 730d } + $sequence_11 = { 2bdf 2bcb 395df8 7612 295df8 8a11 } + $sequence_12 = { 66898dc0f5ffff 8d8dc4fdffff 8955dc 8945e0 51 8d9598e3ffff 68???????? } + $sequence_13 = { 8d85887fffff 2bd0 8955fc 837dfc00 } + $sequence_14 = { 8d542464 c744246400020000 52 f3a5 e8???????? } + $sequence_15 = { 8b442424 8b4c2428 8d9d28030000 6804010000 53 } condition: 7 of them and filesize < 188416 
@@ -100139,36 +100476,36 @@ rule MALPEDIA_Win_Tropidoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8fc3955f-94d9-559f-8d24-ed4a0dad546e" - date = "2026-01-05" - modified = "2026-01-06" + id = "ffe1a294-ea4c-57ba-a27c-8431b3acddd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tropidoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tropidoor_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tropidoor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "0cca80e99bb2477fcd1d7242d291a5d298649d488754cf8d2858779b90f27265" + logic_hash = "8f65e16d0371ac7f428566001d7f8566fb848fcd04bef1ac66b2c183fb096312" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b8d88010000 488b01 ff5010 488b8d80010000 e9???????? 6644897508 897510 } - $sequence_1 = { ff15???????? 0fb74c2420 b8b2070000 663bc8 731a ba01000000 } - $sequence_2 = { 488d9520020000 498bcf e8???????? 4d8b8598000000 4d85c0 0f84a2000000 ba04010000 } - $sequence_3 = { ffd0 85c0 7564 8b459c 83c0fe 413bc5 7725 } - $sequence_4 = { 488bcb ff15???????? 418bc4 4883c470 415e 415c 5f } - $sequence_5 = { ff15???????? e9???????? 8b542478 4c8d8510050000 c744243002000000 488d8db0000000 897c2428 } - $sequence_6 = { 33d2 41b801010000 e8???????? 
418bc6 4d8d4c2410 4c8d1d75920300 41be04000000 } - $sequence_7 = { 83ff01 0f85d2000000 84c0 740a 458b949b3cb90a00 eb08 458b949b04b90a00 } - $sequence_8 = { 8b8c8220060200 4803ca ffe1 488b4c2430 418bc4 488b0cc1 48894c2458 } - $sequence_9 = { 4c8d4d40 4c8d052b630900 488d4db0 e8???????? 48897de0 488d45d0 4983fd10 } + $sequence_0 = { 75f6 488d95e0010000 488bce e8???????? 488d0d90330900 ff15???????? 4c8bf0 } + $sequence_1 = { 48c7c3ffffffff 488945a0 e9???????? 498b06 48c7c3ffffffff 488945a8 e9???????? } + $sequence_2 = { 66314c458a 48ffc0 4883f817 7306 0fb74d88 ebec 488b05???????? } + $sequence_3 = { ffd0 85c0 743f 4c8d054beb0800 488d85100f0000 6683bd100f000000 4c0f45c0 } + $sequence_4 = { c74424605d005700 c744246475006700 c744246874005000 c744246c63006f00 c744247067005f00 6689742474 0fb705???????? } + $sequence_5 = { 488b4c2440 488d4590 4889442428 4c8d4d94 488d85f0030000 4533c0 488d159f440900 } + $sequence_6 = { 48895c2448 4d8bf1 498bf0 448bfb 4c8d6bff f30f7f442450 4c8b642450 } + $sequence_7 = { ffd0 85c0 7418 0f104558 0f1186a8000000 f20f104d68 f20f118eb8000000 } + $sequence_8 = { e8???????? 42c6043300 eb13 4c89742420 4d8bcf 498bd6 488bce } + $sequence_9 = { 0f8446010000 4889742440 488d85b0030000 4489642438 4c8d85a0010000 488d4d90 4889442420 } condition: 7 of them and filesize < 1826816 
@@ -100178,36 +100515,36 @@ rule MALPEDIA_Win_Cabart_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f125e8a4-ec32-5390-8552-f2a98b622d63" - date = "2026-01-05" - modified = "2026-01-06" + id = "98977e9f-b2c4-56e6-a102-a9eb5ae50cfb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cabart_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cabart_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "61ecd8ce7a25b1013cbbef59f59ac25a4742d00a8fbf8c91414650d5dc932d94" + logic_hash = "53d84c0bbb56596faaf50bbda94ff2ce8efa151937066e2d9cd54eca8a35fc2c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 57 be04010000 8d85d8fbffff 56 } - $sequence_1 = { 5f 40 5e c9 c21000 53 } - $sequence_2 = { 55 a3???????? ffd6 68???????? ff742414 a3???????? ffd6 } - $sequence_3 = { 395d10 740f 6800800000 53 ff7510 } - $sequence_4 = { ff15???????? ff15???????? 57 3db7000000 } - $sequence_5 = { 761e 8b450c 8930 8b4510 eb16 } - $sequence_6 = { 8d85fcfeffff 68???????? 6804010000 50 ff15???????? 83c410 6a10 } - $sequence_7 = { 3bf3 0f8499000000 53 53 53 53 } - $sequence_8 = { 57 ff15???????? 83c428 33c0 5f } - $sequence_9 = { 6a02 57 6a01 6800000040 8d85fcfbffff } + $sequence_1 = { ff15???????? 
ff35???????? 83c712 68???????? 56 57 } + $sequence_2 = { 895df8 ff15???????? 8b45f8 8d0c30 3bcf 7732 } + $sequence_3 = { 761e 8b450c 8930 8b4510 eb16 } + $sequence_4 = { 8d85fcfeffff 68???????? 6804010000 50 ff15???????? 83c410 6a10 } + $sequence_5 = { 3bf3 0f8499000000 53 53 53 53 } + $sequence_6 = { ff15???????? 85c0 750a 68ee030000 } + $sequence_7 = { 6a02 57 6a01 6800000040 8d85fcfbffff } + $sequence_8 = { 6a04 bf00100000 57 bb00020000 53 6a00 ffd6 } + $sequence_9 = { 56 8b35???????? 8bd8 33c0 57 8bd1 85c9 } condition: 7 of them and filesize < 32768 
@@ -100217,36 +100554,36 @@ rule MALPEDIA_Win_Anatova_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0fa9d6b-6c59-5a94-9c37-0c291299bb78" - date = "2026-01-05" - modified = "2026-01-06" + id = "99b5620c-2809-5718-a8d2-ffcd23ba1221" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.anatova_ransom_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.anatova_ransom_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "08ba2b5584d7af06c3ea6ab9e9a7449efbced637b501a285d62a4734bce8c105" + logic_hash = "bab7007d43a9262ad7ed85d1f30bb567a3a4c3cf4ff5544e602218a6885ef00a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c89da 4c8b1d???????? 41ffd3 488b45d8 4989c3 } - $sequence_1 = { 4989c2 4c89d1 4c89da e8???????? 488b05???????? 4881c000020000 8b0d???????? } - $sequence_2 = { 0f8405000000 e9???????? 48b80000100000000000 e9???????? 488b45e8 48b90000000000000000 48894c2420 } - $sequence_3 = { 488985c0feffff 488b85c0feffff b938020000 8908 488b85c0feffff 4989c3 } - $sequence_4 = { e8???????? 0fb645ff 83f800 0f846f020000 } - $sequence_5 = { 8845fe 0fb645fe 83f800 0f840d010000 } - $sequence_6 = { 488b4d10 4801c1 8b45fc 4863c0 } - $sequence_7 = { 488b05???????? 
4883f800 0f848f010000 488b05???????? 4883f800 0f847e010000 488b05???????? } - $sequence_8 = { b800000000 898574ffffff 8b8574ffffff 83f810 0f8dd3000000 } - $sequence_9 = { 48b80f00000000000000 4989c0 b800000000 4989c3 488d45b1 4989c2 4c89d1 } + $sequence_0 = { 83f800 0f8454010000 488d85d4fdffff 4989c3 488d058f410000 } + $sequence_1 = { 4c89d1 4c89da 4c8b1d???????? 41ffd3 e9???????? 48b80000000000000000 c9 } + $sequence_2 = { 4989c2 4c89d1 4c89da 4c8b1d???????? 41ffd3 0fb6c0 488b45a8 } + $sequence_3 = { 488d058f410000 4989c2 4c89d1 4c89da 4c8b1d???????? 41ffd3 83f800 } + $sequence_4 = { b807000000 884590 b809000000 884591 b80e000000 884592 b803000000 } + $sequence_5 = { 488d0513300000 488945a0 488d0517300000 488945a8 } + $sequence_6 = { 4c89da e8???????? 488d053ffdffff 488d0dc8a0ffff 29c8 488d4de0 4989c9 } + $sequence_7 = { b814010000 4889442428 488d056e570000 4889442420 b800000000 4989c1 488d058e580000 } + $sequence_8 = { 0fbe01 83f005 8801 ebdb 488b45e8 4989c2 4c89d1 } + $sequence_9 = { 4889c1 83c001 8945d4 ebe1 b800000000 4889442428 48b80000000000000000 } condition: 7 of them and filesize < 671744 
@@ -100256,36 +100593,36 @@ rule MALPEDIA_Win_Juicy_Potato_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "874d6ec6-fd0c-5bd7-9c40-0556815f8763" - date = "2026-01-05" - modified = "2026-01-06" + id = "84a4407a-99f0-5710-abf4-abb943de48d7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.juicy_potato_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.juicy_potato_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "1027b6a0329ebee66fff8afc52e7ac6bf20b1db9537e47f298642e3fe872d860" + logic_hash = "3ee4e46af149d5e35c17ac679fe71d89a45dde816af90c430a29bfe439fef7a5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8521ffffff 44882b eb7b 488b9540070000 4c8d05d7b20200 } - $sequence_1 = { e8???????? 488d1548380300 488d4c2420 e8???????? cc 488d4c2420 e8???????? } - $sequence_2 = { 0fb7d0 488d8de0000000 81ca00000780 85c0 0f4ed0 e8???????? 488d15a8350200 } - $sequence_3 = { 488d054ab1ffff 4889442438 488d4c2428 e8???????? } - $sequence_4 = { e8???????? eb98 488d4c2420 e8???????? 488d15fee90200 488d4c2420 } - $sequence_5 = { 4889442430 8b442478 89442428 488b442470 4c8b11 4889442420 } - $sequence_6 = { 488901 488d05660b0100 48894110 f6c201 740a ba90000000 e8???????? 
} - $sequence_7 = { 4885c0 7509 488d056f200400 eb04 4883c024 8938 e8???????? } - $sequence_8 = { 4883ec20 488bd9 488bc2 488d0d9dc10000 48890b } - $sequence_9 = { 44016f6c 48875308 4c396b08 7521 8364242800 488d0560acfeff 4889442430 } + $sequence_0 = { 4883ec20 488d05c3d20100 488bd9 488901 } + $sequence_1 = { 488b8b20010000 e8???????? 488db328010000 bd06000000 488d7b38 488d05aecf0300 483947f0 } + $sequence_2 = { 57 4883ec20 418be8 4c8d0d52090300 } + $sequence_3 = { 488907 488d057f740100 48894710 33c0 80a727010000fc 48898700010000 48898708010000 } + $sequence_4 = { 4885c0 7509 488d0527200400 eb04 } + $sequence_5 = { 488d4b30 4c8bc3 488d15075bffff e8???????? 488b5b28 } + $sequence_6 = { 488bc8 488d152e9c0100 ff15???????? 4885c0 0f842c030000 488bc8 } + $sequence_7 = { 83f8ff 7504 32c0 eb1b 488d15fa8a0400 8bc8 } + $sequence_8 = { 488d0d41240400 e8???????? 488d45f0 4889442428 89742420 4c8bcf 4c8d0595efffff } + $sequence_9 = { 4889442430 488d542468 c744242801000000 4533c0 33c9 48895c2420 } condition: 7 of them and filesize < 736256 
@@ -100295,55 +100632,53 @@ rule MALPEDIA_Win_Beepservice_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4c53131-cb7f-5347-a9b9-cf736a2ce9c3" - date = "2026-01-05" - modified = "2026-01-06" + id = "d0b2d35c-7151-5641-b116-a0b3724c7616" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.beepservice_auto.yar#L1-L282" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.beepservice_auto.yar#L1-L269" license_url = "N/A" - logic_hash = "689010a7eaeffaf34a3ec3394a2430b997d2d5b1ebae027e3c89a6f3e221798c" + logic_hash = "96eed46803cdcdaba4a22cade7e8e847250bcc2e47b4a1e919f61f3d3c0a4034" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b0d???????? 68???????? ffd6 8bc8 } - $sequence_1 = { ffd6 8bc8 ff15???????? 50 ff15???????? } - $sequence_2 = { 683f000f00 6a00 68???????? ff15???????? } - $sequence_3 = { e8???????? 83f801 7505 e8???????? 68???????? 68???????? } - $sequence_4 = { 7512 6888130000 68???????? e8???????? 83c408 } - $sequence_5 = { 83c408 e9???????? 68???????? e8???????? 83c404 6a00 6a00 } - $sequence_6 = { 8d85fcfdffff 56 56 6a02 56 56 } - $sequence_7 = { 6a20 57 bf???????? 57 } - $sequence_8 = { 68???????? e8???????? ff7608 e8???????? 83c40c } - $sequence_9 = { ff7614 e8???????? 
50 ff7614 57 e8???????? 83c42c } - $sequence_10 = { 6a02 50 55 e8???????? ff7610 e8???????? 50 } - $sequence_11 = { e8???????? 83c444 8d442410 6a02 } - $sequence_12 = { 85f6 7403 56 ffd7 53 ffd7 5f } - $sequence_13 = { b90a000000 a3???????? bf???????? a3???????? } - $sequence_14 = { 8b5c240c 8b3d???????? 85f6 7403 } - $sequence_15 = { 741e 45 83fd0a 7ce0 eb23 ff15???????? } - $sequence_16 = { ffd7 8d442414 50 56 } - $sequence_17 = { c785f8fdffff00240000 6a00 8d95f4fdffff 52 8b85f8fdffff 50 } - $sequence_18 = { 83f81e 720a b801000000 e9???????? 8b450c 8b480c } - $sequence_19 = { 8b85f8fdffff 50 68???????? 8b8dfcfdffff 51 ff15???????? } - $sequence_20 = { 8b5108 52 68???????? e8???????? 83c40c 6a02 } - $sequence_21 = { 50 e8???????? 83c404 c3 6a00 6a00 } - $sequence_22 = { a1???????? 85c0 746b a1???????? 85c0 7562 } - $sequence_23 = { 48 83f804 0f8795000000 ff248548144000 6888130000 6a01 6a00 } - $sequence_24 = { 85c9 668935???????? 7e15 b299 8a9874304000 32da } - $sequence_25 = { 83c414 e8???????? 6a00 6a00 b907000000 6a00 } - $sequence_26 = { 57 33f6 8975d8 8975e0 8975e4 8975dc 8975fc } - $sequence_27 = { 83c404 c3 8b0d???????? 6aff 51 } - $sequence_28 = { 6a03 e8???????? 83c414 e9???????? a1???????? } + $sequence_0 = { 8b0d???????? 68???????? ffd6 8bc8 ff15???????? 50 ff15???????? } + $sequence_1 = { e8???????? 83f801 7505 e8???????? 68???????? 68???????? } + $sequence_2 = { 7512 6888130000 68???????? e8???????? } + $sequence_3 = { 83c408 e9???????? 68???????? e8???????? 83c404 6a00 6a00 } + $sequence_4 = { 7516 ff15???????? 50 68???????? e8???????? 83c408 eb0d } + $sequence_5 = { 683f000f00 6a00 68???????? ff15???????? } + $sequence_6 = { 55 56 ff15???????? 85c0 7513 ff15???????? 50 } + $sequence_7 = { 57 53 e8???????? 6a20 57 bf???????? 57 } + $sequence_8 = { 55 e8???????? 6a28 bb???????? 57 } + $sequence_9 = { 57 ff760c ff15???????? 33ff } + $sequence_10 = { ff7610 53 e8???????? ff7614 e8???????? } + $sequence_11 = { 50 68???????? 
eb43 56 8d45fc } + $sequence_12 = { ff7618 68???????? e8???????? 59 59 ff761c e8???????? } + $sequence_13 = { 8b5318 8bfa f2ae f7d1 49 } + $sequence_14 = { 8bd0 33c0 a3???????? b90a000000 a3???????? bf???????? } + $sequence_15 = { ff15???????? 85c0 742b 817c240400240000 7521 } + $sequence_16 = { 8b4d0c 8b5104 52 68???????? e8???????? 83c408 eb0a } + $sequence_17 = { b801000000 e9???????? 8b4d0c 8b5114 } + $sequence_18 = { e8???????? 83c404 83f820 7314 8b450c 8b481c 51 } + $sequence_19 = { ff15???????? 85c0 a3???????? 7510 ff15???????? 50 e8???????? } + $sequence_20 = { c3 6888130000 6a03 6a00 6a00 } + $sequence_21 = { 6a03 e8???????? 83c414 e9???????? a1???????? 85c0 } + $sequence_22 = { 668b0d???????? 51 ff15???????? 668bf0 } + $sequence_23 = { eb08 c744240c2a040000 8b54242c 8d4c2400 89542414 8b15???????? } + $sequence_24 = { 6a00 56 57 ff15???????? 8b45e4 85c0 } + $sequence_25 = { 89442414 8b442434 51 52 } + $sequence_26 = { c744240010000000 89442404 83e802 f7d8 1bc0 83e007 89442408 } condition: 7 of them and filesize < 253952 
@@ -100353,36 +100688,36 @@ rule MALPEDIA_Win_Jaff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e0c41ef8-0a92-555f-b34f-5db2f4589c45" - date = "2026-01-05" - modified = "2026-01-06" + id = "71fa5994-b9a0-5e00-9ced-b86be314efbe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jaff_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jaff_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "6a4dc9720f78e5a6e283d3b622047ad1fb4dc38cefeb255d404c0bdb257eb37c" + logic_hash = "4009234f773ed8cdae97f604ab9b26fce98b074f42d589764ff12d4e5dae64f4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 395604 760b 8b36 0fb73456 8975f4 } - $sequence_1 = { 8b55c8 33c0 8bca 85d2 7419 8b75c4 66833c4600 } - $sequence_2 = { 8b4de0 8b3d???????? 51 6a00 ffd7 50 } - $sequence_3 = { 668b144a 66891448 41 3b4e04 72f0 8b4e04 } - $sequence_4 = { ffd7 50 ffd3 8b7d0c 8b4f04 } - $sequence_5 = { 50 6a00 ffd7 50 ff15???????? 5f 8bc6 } - $sequence_6 = { 56 8945f8 ffd3 8945fc 83f808 7705 } - $sequence_7 = { 41 3b4df8 76a8 8b4d08 80790c00 740d 8b5510 } - $sequence_8 = { 8b4ddc 8b3d???????? 
51 6a00 ffd7 50 ffd3 } - $sequence_9 = { 0fb70448 eb02 33c0 0fbff0 2b45f4 0fbffa 03f7 } + $sequence_0 = { 50 6a08 894e04 897e08 } + $sequence_1 = { ffd7 8b55d8 52 6a00 ffd3 } + $sequence_2 = { 6a01 56 ff15???????? 8b45f8 } + $sequence_3 = { 50 ff15???????? 85db 746a } + $sequence_4 = { 47 83c40c 4e 83ff29 7cd6 017df8 395df4 } + $sequence_5 = { 8d8570fbffff 68???????? 33f6 50 8975e8 c645f001 c645fd00 } + $sequence_6 = { 72ed 8b45e8 50 6a00 ffd3 } + $sequence_7 = { 6a08 ff15???????? 50 ff15???????? 8bd8 85db 743c } + $sequence_8 = { 85f6 7419 33c0 0fb7d0 8bc2 c1e210 0bc2 } + $sequence_9 = { 8b4508 8b7804 8d043f 50 6a08 c745c800000000 } condition: 7 of them and filesize < 106496 
@@ -100392,36 +100727,36 @@ rule MALPEDIA_Win_Mbrlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "278f7834-90b2-5397-9ece-a797760d8d62" - date = "2026-01-05" - modified = "2026-01-06" + id = "eb8e2df1-984c-5f86-8bd4-8d779a366ceb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mbrlock_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mbrlock_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "f922ef8df18c5fa1824f3d97da8882716cabf76bff393f438d1827b2c64b4a0e" + logic_hash = "b2f93d4a5e591e5e58ed44ab9a60d3776066ea9803e689e088d4eaf676fb5d07" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 663d0500 7445 668bce 668bd0 66c1e90a 66c1ea0a } - $sequence_1 = { 8965f0 8b4708 8975ec 85c0 c745fc00000000 7422 50 } - $sequence_2 = { e8???????? 8d4d8c c745fcffffffff e8???????? b801000000 8b4df4 64890d00000000 } - $sequence_3 = { 6685d2 740c 33c9 663bf0 0f94c1 } - $sequence_4 = { 85f6 7407 8d4608 85c0 7517 8d442410 } - $sequence_5 = { 6a00 52 57 50 ff5624 8bf8 85ff } - $sequence_6 = { 83c410 8b45ec 8d4e24 50 53 } - $sequence_7 = { c744242044764a00 8d4c2420 6a01 8d542444 51 52 8bce } - $sequence_8 = { 5b 0f94c0 81c480010000 c3 5f 5e 33c0 } - $sequence_9 = { 7409 53 e8???????? 
83c404 68010100a0 6a00 } + $sequence_0 = { 0f84c3010000 c744241400000000 c7442410c8664a00 8b4c2474 03ef 03ce c744246802000000 } + $sequence_1 = { eb9e 8b45e8 40 8945e8 e9???????? 8b4d08 51 } + $sequence_2 = { 5e 8801 83c414 c3 3d01050080 772f 741b } + $sequence_3 = { 8b4708 85c0 7455 8b08 49 7425 83e902 } + $sequence_4 = { 5e c60200 83c414 c3 dd06 e8???????? 8b4c241c } + $sequence_5 = { 83c40c 2bf8 8d8c4690000000 83ff02 894d10 7c3c 68c0540110 } + $sequence_6 = { 8b4c2408 51 52 ff15???????? f7d8 1bc0 40 } + $sequence_7 = { 83c418 85ff 747e 8b5de4 8b560c 8d4dec } + $sequence_8 = { 8965e8 c785c4feffff00000000 6a00 6a00 6a03 6a00 6a01 } + $sequence_9 = { 6801000000 bb???????? e8???????? 83c410 8945f4 6800000000 bb???????? } condition: 7 of them and filesize < 2031616 
@@ -100431,36 +100766,36 @@ rule MALPEDIA_Win_Comlook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "248fcbac-27be-588f-a9f5-d4bcd5003e90" - date = "2026-01-05" - modified = "2026-01-06" + id = "2b3d7016-3cfd-5cd3-b4c2-33ea82172f34" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.comlook_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.comlook_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "342d3eba65a3a3eb715f8cb01d2789f76a6de2adfe9c491e43fe2b64805812f2" + logic_hash = "4e4f5dbf4914c1a3584dd149285bd789e3ba7925f5046364fe53452451d12bad" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd2 3bf4 e8???????? b807000000 e9???????? 837db000 741f } - $sequence_1 = { ff15???????? 83c404 3bf4 e8???????? 8b4508 c7400800000000 33c9 } - $sequence_2 = { e9???????? 8b55f8 83ba5007000000 750a 837dbc00 0f8438020000 c78554ffffff00000000 } - $sequence_3 = { e9???????? 68df010000 68???????? 6a0c 6a05 e8???????? 8b87c4000000 } - $sequence_4 = { eb0a c785c8feffff44f72010 8b5508 83ba7403000000 7411 8b4508 8b8874030000 } - $sequence_5 = { c745f000000000 6a00 e8???????? 
83c404 8945e8 8955ec c745e400000000 } - $sequence_6 = { eb03 894dbc 8b4de4 8b55d0 8bc2 83f910 7303 } - $sequence_7 = { eb0a c785b4eeffff518c1e10 837d1400 740c c785b0eeffff70191e10 eb0a c785b0eeffff518c1e10 } - $sequence_8 = { e9???????? 6a02 68???????? 6a01 8b5508 52 e8???????? } - $sequence_9 = { eb11 8b5518 8b4510 33c9 3b4218 0f9fc1 894ddc } + $sequence_0 = { e8???????? 83c408 85c0 746a 8bcd c744241400000000 3bcf } + $sequence_1 = { 8d8d70ffffff e8???????? 6a0d 68???????? 8d4d90 e8???????? 6a0a } + $sequence_2 = { e9???????? 8db5ecfeffff e9???????? 8db52cffffff e9???????? 8b85bcfdffff 83e001 } + $sequence_3 = { ff15???????? 83c404 3bf4 e8???????? 8b5508 c7425000000000 33c0 } + $sequence_4 = { e9???????? 8d7dd0 e9???????? 8d7dc4 e9???????? 8d4de0 e9???????? } + $sequence_5 = { 8b4d08 89816c030000 e9???????? 8b55f8 8995ecfeffff 8b85ecfeffff 8b8decfeffff } + $sequence_6 = { eb54 837d8c00 762e 8b4524 8b4d20 50 51 } + $sequence_7 = { a900040000 0f846a020000 83fd02 7d14 68eb050000 68???????? 68a0000000 } + $sequence_8 = { ffd2 8ac3 e9???????? 68???????? 8d4dd0 e8???????? 8d45a4 } + $sequence_9 = { e9???????? 83bd30ffffff00 747c 81bd30ffffff12030900 7470 8bf4 8d4dcc } condition: 7 of them and filesize < 4553728 
@@ -100470,41 +100805,41 @@ rule MALPEDIA_Win_Opachki_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e10cd0eb-a431-57d1-b7ee-f206637aeb79" - date = "2026-01-05" - modified = "2026-01-06" + id = "91723bbd-49de-5d2e-9be8-af9d048d21cd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.opachki_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.opachki_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "9a87a4a85fda49db5f8b260ce2dd4c073885fccbbbb43ca421b7fe7db663b448" + logic_hash = "4aabf4efe9abba6e7cdae995643de9ca627f9e08d6b1e7789a916de78aad53ac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb69 8b5508 8b4904 53 } - $sequence_1 = { 57 6a0d 68???????? 8d4ddc e8???????? 68ff000000 } + $sequence_0 = { 7452 8b5204 85d2 744b 2bf0 897508 7441 } + $sequence_1 = { 53 8bd8 7413 8b4704 03c8 53 } $sequence_2 = { c3 55 8bec 81ec00010000 ff7508 } - $sequence_3 = { ff15???????? 8d8500ffffff 50 ff7508 e8???????? 59 59 } - $sequence_4 = { 034604 50 ff15???????? 8b4708 } - $sequence_5 = { 57 8b7d0c 8a0f 894508 84c9 744d 8a10 } - $sequence_6 = { 894708 c6040800 5b 5f } - $sequence_7 = { 33c0 c706???????? 894608 89460c 894604 e8???????? 
8bc6 } - $sequence_8 = { 2b442424 aa 8944241c 61 } - $sequence_9 = { ebc1 3c67 7507 884705 b301 ebb6 } - $sequence_10 = { 00f0 8a0c01 f6c101 0f84b9000000 ac 884708 88c5 } - $sequence_11 = { 31db 99 b125 f3aa } - $sequence_12 = { 83c140 eb0a 3ca0 7206 } - $sequence_13 = { 08db 752b 46 88470c 88c4 c0ec06 } - $sequence_14 = { 08db 7409 80fe06 750b } + $sequence_3 = { ff15???????? 8b450c 8b4808 3bcb 7617 8b4004 53 } + $sequence_4 = { 8bc3 2b45f8 ebf2 55 8bec } + $sequence_5 = { 51 8b450c 56 8b7108 } + $sequence_6 = { 8d4701 50 ff7604 89460c ff15???????? 59 59 } + $sequence_7 = { 6a02 53 53 56 ff15???????? 8b450c } + $sequence_8 = { 7514 08db 7409 80fe06 } + $sequence_9 = { b201 ebc1 3c67 7507 } + $sequence_10 = { 898389838983 898389838585 858585858585 878593859a9a } + $sequence_11 = { f6c140 7412 08d2 7408 } + $sequence_12 = { 4e 80ff01 7504 ac 884717 } + $sequence_13 = { 30ff 08ed 7514 08db } + $sequence_14 = { 7502 b704 4e 80ff01 } condition: 7 of them and filesize < 122880 
@@ -100514,36 +100849,36 @@ rule MALPEDIA_Win_Onhat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c03e9aab-ceb3-5936-af60-a6f47c0b4822" - date = "2026-01-05" - modified = "2026-01-06" + id = "6dce6c1d-a93f-5ee5-a8df-5c366e8725c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.onhat_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.onhat_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "2683ee8ac88dff088a6e9025d3b65f7d07e7b813a5d7aa89913a323bd3055d20" + logic_hash = "5052a02b00a0f491dbaa34d01141432dea6bf40f962a86bc547bf1288bc0e657" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c684248c00000025 c684248d00000064 c684248e00000000 ffd6 83c40c } - $sequence_1 = { c644242956 885c242a c644242b50 c644242c4f c644242d52 } - $sequence_2 = { c644242761 c644242874 88442429 c644241c4e c644241d6f c644241e48 } - $sequence_3 = { 33d2 8a542432 8acf 50 51 } - $sequence_4 = { 66ab aa 55 8d442458 6a64 50 51 } - $sequence_5 = { 89442424 0f8404020000 8b4c2414 50 } - $sequence_6 = { 33c0 5e 83c414 c3 8b4c240c 51 } - $sequence_7 = { 55 8d442458 6a64 50 51 e8???????? } - $sequence_8 = { 6689542412 e8???????? 83f8ff 7507 33c0 5e 83c410 } - $sequence_9 = { 56 e8???????? 
b14f 83c408 884c2411 b020 884c241a } + $sequence_0 = { 53 68???????? e8???????? 8b44244c 83c42c } + $sequence_1 = { 6689442432 e8???????? 83c414 85c0 } + $sequence_2 = { 888c24a8010000 c68424a901000020 889424aa010000 c68424ac01000073 c68424ad01000020 c68424ae01000041 } + $sequence_3 = { b020 884c241a b253 b145 88442417 } + $sequence_4 = { e8???????? 85c0 7f0e 5f b803000080 5e 81c404010000 } + $sequence_5 = { c68424ed0000004e c68424ee00000054 c68424ef00000041 c68424f000000048 889c24f1000000 c68424f200000045 c68424f30000004e } + $sequence_6 = { 0f87bc010000 ff2485c8444000 8b542444 6685d2 } + $sequence_7 = { 81c40c010000 c3 8b842420010000 8b8c241c010000 25ffff0000 } + $sequence_8 = { 8d7c2409 88542408 f3ab 8b8c240c200000 88542406 66ab } + $sequence_9 = { c3 b814110000 e8???????? 8b8c2420110000 b8d34d6210 f7e1 } condition: 7 of them and filesize < 57344 
@@ -100553,83 +100888,83 @@ rule MALPEDIA_Win_Cobra_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fd128616-d78e-5906-a1c5-ca71a64ca5ee" - date = "2026-01-05" - modified = "2026-01-06" + id = "28396fc8-933a-5055-b840-50f6859eee4b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cobra_auto.yar#L1-L492" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cobra_auto.yar#L1-L487" license_url = "N/A" - logic_hash = "e8cb467ce58a2dce4e2587c1e891472f04ba426ad5841eddc54e114fd734ddcf" + logic_hash = "190dbd89513c4070f5233bbce54f74bc6448ce742b30d8856f3a800dcc2e47cc" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? } $sequence_1 = { c20c00 ff25???????? 53 56 57 8bd9 33f6 } - $sequence_2 = { 5e 5b c3 83fb01 7405 83fb02 7537 } - $sequence_3 = { 7514 391d???????? 754d 33c0 } - $sequence_4 = { 8b442438 85c0 757f 8b05???????? } - $sequence_5 = { 751c 8bcf ff15???????? 8d8fe8030000 8bf9 } - $sequence_6 = { ff25???????? 8b442408 85c0 750e 3905???????? 7e2c } - $sequence_7 = { 5b c3 85db 7405 83fb03 753b } - $sequence_8 = { 757f 8b05???????? 85c0 0f8e8c000000 83e801 8905???????? } + $sequence_2 = { 85c0 0f8e8c000000 83e801 8905???????? 
} + $sequence_3 = { 85c0 750e 33ff 8bc7 } + $sequence_4 = { 83f801 75f1 b900010000 e8???????? } + $sequence_5 = { c3 85db 7405 83fb03 } + $sequence_6 = { 5b c3 83fb01 7405 83fb02 } + $sequence_7 = { 7514 391d???????? 754d 33c0 } + $sequence_8 = { 5f 5e 5b c3 85ff 7418 } $sequence_9 = { e8???????? 8bf8 83fb01 751d 85ff } - $sequence_10 = { 5f 5e 5b c3 85ff 7418 } + $sequence_10 = { ff25???????? 8b442408 85c0 750e 3905???????? 7e2c ff0d???????? } $sequence_11 = { 33d2 b9e8030000 f7f1 83f805 } $sequence_12 = { 813c0850450000 7503 33c0 c3 } - $sequence_13 = { e8???????? ff463c 57 e8???????? } - $sequence_14 = { ff15???????? 53 ff7714 8bf0 ff571c 59 } - $sequence_15 = { 7407 33c0 e9???????? ff15???????? e9???????? } - $sequence_16 = { 8b742408 837e0c00 7507 b865005921 5e c3 837e2800 } + $sequence_13 = { 7407 33c0 e9???????? ff15???????? e9???????? } + $sequence_14 = { eb1a 89730c e8???????? 257f000080 } + $sequence_15 = { e8???????? 8d4644 50 e8???????? 8b4508 8930 } + $sequence_16 = { ff15???????? 59 ff75f8 ff15???????? 5f 8bc6 5e } $sequence_17 = { 7f07 e8???????? eb26 83c0ff } - $sequence_18 = { e8???????? 33db 3bc3 741a } - $sequence_19 = { e8???????? eb6d e8???????? 85c0 7564 } - $sequence_20 = { ebe4 4533f6 413bee 75f4 } - $sequence_21 = { 7564 488b0b 488b01 83385c 7e4b 4c8b505c } - $sequence_22 = { e8???????? 498bce 85c0 750e } - $sequence_23 = { 7548 488b05???????? 4885c0 743c 488b8c24a0000000 } - $sequence_24 = { e8???????? 498bce e8???????? 48832700 } + $sequence_18 = { eb6d e8???????? 85c0 7564 } + $sequence_19 = { e8???????? 33db 3bc3 741a } + $sequence_20 = { 750e e8???????? 48832700 e9???????? 488b2e } + $sequence_21 = { e8???????? 498bce 85c0 750e } + $sequence_22 = { 85c0 750b e8???????? 48832700 } + $sequence_23 = { 7564 488b0b 488b01 83385c 7e4b } + $sequence_24 = { ff5064 488b0e 4883c108 e8???????? 488b5c2430 488b6c2438 488b742440 } $sequence_25 = { 7504 33c0 eb05 b865005921 } $sequence_26 = { 83781400 750a b865005921 e9???????? 
} - $sequence_27 = { 663bcb 75f4 8b15???????? 8b0d???????? 8910 8b15???????? } - $sequence_28 = { ff15???????? 83f87a 740b 3d230000c0 } - $sequence_29 = { 51 e8???????? 33c0 83c43c } - $sequence_30 = { 6689440ffc 6685c0 75ee f685c003000010 } - $sequence_31 = { ff15???????? eb03 8b7d0c 3bfb } - $sequence_32 = { 51 6a00 6a00 56 ff15???????? 56 } - $sequence_33 = { 6a03 68000000c0 50 ff15???????? 8bf0 83feff 7505 } - $sequence_34 = { 83feff 7505 33c0 5e 5d c3 8b4d08 } - $sequence_35 = { 50 6a00 6aff e8???????? 85c0 7405 } - $sequence_36 = { 8bec 56 6a00 6880000000 6a03 6a00 6a03 } - $sequence_37 = { 5d c3 8b4d08 57 51 6a00 } - $sequence_38 = { b914000000 84c0 0f45f9 488bce 8bd7 ff15???????? 85c0 } - $sequence_39 = { 4584ff 7518 33c0 4881c4480d0000 } - $sequence_40 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c } - $sequence_41 = { 4533e4 4c8bf1 488bda 488d8d10060000 33d2 41b808020000 4489a5800c0000 } - $sequence_42 = { 4c89642448 488d4c2468 48894c2440 4c89642438 } - $sequence_43 = { 33d2 488bc8 ff15???????? 488bcf ff15???????? 41b701 } - $sequence_44 = { 56 4154 4156 4157 488dac24b8f3ffff } + $sequence_27 = { 83c0fe 668b4802 83c002 663bcb 75f4 8b15???????? 8b0d???????? } + $sequence_28 = { c3 8b4d08 57 51 6a00 } + $sequence_29 = { 6689440ffc 6685c0 75ee f685c003000010 } + $sequence_30 = { 6a18 8d45e8 50 6a00 6aff e8???????? 85c0 } + $sequence_31 = { 8908 8b0d???????? 895004 894808 33c0 } + $sequence_32 = { 83feff 7505 33c0 5e 5d c3 8b4d08 } + $sequence_33 = { ff15???????? 83f87a 740b 3d230000c0 } + $sequence_34 = { 8bec 56 6a00 6880000000 6a03 6a00 6a03 } + $sequence_35 = { 68???????? 51 ffd6 83c40c 6a28 } + $sequence_36 = { 6a03 68000000c0 50 ff15???????? 8bf0 83feff 7505 } + $sequence_37 = { 8b7d0c 3bc3 7508 3bfb } + $sequence_38 = { 33d2 488bc8 ff15???????? 488bcf ff15???????? 
41b701 } + $sequence_39 = { 4c89642448 488d4c2468 48894c2440 4c89642438 } + $sequence_40 = { 4533e4 4c8bf1 488bda 488d8d10060000 33d2 41b808020000 4489a5800c0000 } + $sequence_41 = { 56 4154 4156 4157 488dac24b8f3ffff } + $sequence_42 = { 84c0 0f45f9 488bce 8bd7 ff15???????? 85c0 } + $sequence_43 = { 33c0 4881c4480d0000 415f 415e 415c 5e 5b } + $sequence_44 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c } $sequence_45 = { 7507 32c0 e9???????? c745b818000000 } - $sequence_46 = { 668b08 83c002 6685c9 75f5 2bc2 d1f8 66837c43fe5c } - $sequence_47 = { 33f6 03c2 13ce 51 50 } - $sequence_48 = { 0f8456feffff 807c241301 6800080000 0f8544020000 } - $sequence_49 = { 05a1000000 50 8d84249c0d0000 68???????? } - $sequence_50 = { 05a2000000 50 8d8c249c0d0000 68???????? } - $sequence_51 = { 0f84100f0000 6800080000 57 56 } - $sequence_52 = { 0f8431ffffff 8b4d08 5f 8931 } - $sequence_53 = { 05a2000000 50 8d94249c0d0000 68???????? } - $sequence_54 = { 85c0 740a b8050000c0 e9???????? } - $sequence_55 = { 668cc8 c3 53 50 } - $sequence_56 = { c745d000000000 c745d400000000 8d45c0 50 e8???????? } + $sequence_46 = { 6685c9 75f5 2bc2 d1f8 66837c43fe5c } + $sequence_47 = { 33f6 03c2 13ce 51 } + $sequence_48 = { 05a2000000 50 8d8c249c0d0000 68???????? } + $sequence_49 = { 0f8431ffffff 8b4d08 5f 8931 } + $sequence_50 = { 0f8456feffff 807c241301 6800080000 0f8544020000 } + $sequence_51 = { 05a2000000 50 8d94249c0d0000 68???????? } + $sequence_52 = { 0f84100f0000 6800080000 57 56 } + $sequence_53 = { 05a1000000 50 8d84249c0d0000 68???????? } + $sequence_54 = { 668cc8 c3 53 50 } + $sequence_55 = { 85c0 740a b8050000c0 e9???????? } + $sequence_56 = { c745d438390100 66c745f81200 66c745fa1400 c745fc???????? c745a018000000 } condition: 7 of them and filesize < 1368064 
@@ -100639,42 +100974,42 @@ rule MALPEDIA_Win_Tigerlite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "119827aa-8530-5cae-8d65-e56592a0b2d2" - date = "2026-01-05" - modified = "2026-01-06" + id = "6542912a-20c4-5fea-bb22-19f999e30548" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tigerlite_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tigerlite_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "b688ea808508193aa1c7d4aa7527d4ad25741bc4cd2a88205c0fc518db087920" + logic_hash = "b32a203b18e11ae8126ad3ad045d7c873462db9436fa3220f1aa5ced7c8fc82e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bf8 4883f8ff 7520 488d15e1c50100 488bce e8???????? } - $sequence_1 = { 4885c0 0f84a9010000 488bc8 ff15???????? 488d1520ad0000 } - $sequence_2 = { 803c0700 75f7 488d4f01 4d8bce } - $sequence_3 = { 2bca 8d95e0f9ffff 8d7201 8a02 42 } - $sequence_4 = { 50 e8???????? 83c40c c645f400 833d????????00 c745f500000000 } - $sequence_5 = { e8???????? 4c8d4530 8d5614 488d0defa70100 897530 e8???????? 8b5530 } - $sequence_6 = { ff15???????? 8bf8 e9???????? 
8b8528e5ffff 8b0c85489d4100 8b8524e5ffff } - $sequence_7 = { 0fbec2 0fbe80d8214100 83e00f eb02 33c0 } - $sequence_8 = { 8d859cf2ffff 03c1 8b8d24e5ffff 50 8b8528e5ffff 8b0485489d4100 ff3401 } - $sequence_9 = { 50 8b0495489d4100 ff3418 ff15???????? 85c0 750a } - $sequence_10 = { 488bfa 488bd9 488d0549e90000 488981a0000000 83611000 } - $sequence_11 = { 8a06 46 88441905 8b45f4 83fa02 7c11 8b0c85489d4100 } - $sequence_12 = { ff742414 8b442420 03c6 57 } - $sequence_13 = { 785b 8bc3 2503000080 7d07 } - $sequence_14 = { 0fb605???????? 488bf9 88442428 e8???????? 4885c0 0f8422010000 } - $sequence_15 = { c3 33d2 41b800040000 488bc8 } + $sequence_0 = { 0fb6c0 eb17 81fa00010000 7313 8a8798894100 } + $sequence_1 = { 89442420 ff15???????? 4885c0 0f84cb010000 ba88130000 488bc8 ff15???????? } + $sequence_2 = { 8d85e9fdffff c685e8fdffff00 6a00 50 e8???????? 6807020000 } + $sequence_3 = { c1f905 c1e706 8b0c8d489d4100 c644390400 85f6 740c } + $sequence_4 = { 488905???????? 488d0517410000 48890d???????? 488905???????? 488d058a410000 488905???????? 488d057c350000 } + $sequence_5 = { 48894610 4c8bc3 48894618 e8???????? } + $sequence_6 = { 48ffc3 803c1e00 75f7 e9???????? } + $sequence_7 = { 488d8d91000000 33d2 41b8ff030000 c6859000000000 e8???????? 488d1502c10100 } + $sequence_8 = { 3b1d???????? 7370 488bc3 488bfb 48c1ff05 4c8d2570790100 83e01f } + $sequence_9 = { c1e106 83c10c 8b0485489d4100 03c1 50 ff15???????? 5d } + $sequence_10 = { 6a10 8d85d0f1ffff 50 56 } + $sequence_11 = { 488bc8 ff15???????? 488d1508ad0000 488bcb 488905???????? ff15???????? } + $sequence_12 = { 83c404 56 ff15???????? b864000000 5f } + $sequence_13 = { 4803c8 0fb601 884414ff 448809 48ffcf 75bb } + $sequence_14 = { 6a01 6a02 668985eaf7ffff ff15???????? 8bf0 } + $sequence_15 = { 75f3 53 e8???????? 56 e8???????? 57 e8???????? } condition: 7 of them and filesize < 349184 
@@ -100684,42 +101019,42 @@ rule MALPEDIA_Win_Buer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "89828c66-91da-5c73-b764-daf37491e283" - date = "2026-01-05" - modified = "2026-01-06" + id = "1e1a5820-8fa5-59b2-b595-8d73a32e8028" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.buer_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.buer_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "841b3dfa43e2148141873077b2e81e7484da2dab92e27c89fccfead95f717524" + logic_hash = "921395bce477c1b9ecd1dcd4c857b8de2c037c952a81b027cd27325054ab3709" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b45dc 03c6 89414c 8b45fc 03c7 894150 8b45ec } - $sequence_1 = { 8b55e8 015158 8b55d8 894148 } - $sequence_2 = { 8b00 8b4010 8945fc 61 8b45fc } - $sequence_3 = { 3bc7 7d0f 8a0c46 880c18 40 } - $sequence_4 = { 8b7b50 8b4340 0345f8 8b5b54 } - $sequence_5 = { 8b45f4 03c1 8bcb 894144 8b45f0 } - $sequence_6 = { 64a130000000 8b400c 8b4014 8b00 8b4010 } - $sequence_7 = { 8bc2 eb19 33c0 85d2 7e13 3bc7 7d0f } - $sequence_8 = { 01cf 29ce 75a7 e9???????? 
} - $sequence_9 = { 01de 39d6 0f8384000000 8b742414 } - $sequence_10 = { 01c7 0fa5da d3e3 8b4c2444 } - $sequence_11 = { 0facd313 884e04 8b74247c 8bc6 8b4c2440 } - $sequence_12 = { 0fb617 47 89f9 83e23f eb11 } - $sequence_13 = { 01fe 68???????? e8???????? a1???????? } - $sequence_14 = { 0f82d1000000 83f8fe 0f83d1000000 89d6 } - $sequence_15 = { 01de 39c1 0f47c1 89c1 89442420 662e0f1f840000000000 39f9 } + $sequence_0 = { 8b5348 8b734c 8b7b50 8b4340 0345f8 } + $sequence_1 = { 894154 5b c9 c3 } + $sequence_2 = { 7e13 3bc7 7d0f 8a0c46 880c18 40 3bc2 } + $sequence_3 = { 6a04 50 8945f8 ff15???????? } + $sequence_4 = { 5f 5e 894154 5b } + $sequence_5 = { 8b45f0 03c2 8b55e8 015158 8b55d8 } + $sequence_6 = { 894148 8b45dc 03c6 89414c 8b45fc 03c7 894150 } + $sequence_7 = { 33c0 85d2 7e13 3bc7 } + $sequence_8 = { 0fb613 8d7b01 49 897d00 894c2408 894d04 897c2404 } + $sequence_9 = { 01cf 0f92c1 08f9 751d 89c6 0fb6cb 45 } + $sequence_10 = { 0fa4c208 c1e008 09c1 89c8 } + $sequence_11 = { 01fe 68???????? e8???????? a1???????? } + $sequence_12 = { 0f84d7010000 8b442418 8b5c2404 8b54242c } + $sequence_13 = { 0facd108 c1ea08 eb14 8b0e 01e9 57 53 } + $sequence_14 = { 01c7 0fa5da d3e3 8b4c2444 89f8 895c241c } + $sequence_15 = { 01de 39c1 0f47c1 89c1 } condition: 7 of them and filesize < 3031040 
@@ -100729,36 +101064,36 @@ rule MALPEDIA_Win_Telepowerbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4bff86f2-d32a-5469-938e-31ce8cf733ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "6a670aa4-82f2-5d56-b340-6d045946c034" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.telepowerbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.telepowerbot_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.telepowerbot_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "80a377e11ec6e9ac3641490e489c4670d07e0d249413d61709ebf14e5db777cd" + logic_hash = "ad3491afd1877d739cf855c165837933b28aa6df33266251abfa4c2c994c4a1c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a01 68???????? 6a01 50 68???????? ff75f8 ffd6 } - $sequence_1 = { 817848d0924100 7409 ff7048 e8???????? 59 } - $sequence_2 = { ff348518234100 52 51 e8???????? 83c40c } - $sequence_3 = { 43 03c3 03c7 ff348518234100 52 51 e8???????? } - $sequence_4 = { eb55 0fb607 0fbe8800914100 41 894dd4 3bca 0f8f9e010000 } - $sequence_5 = { f20f59db 660f282d???????? 
660f59f5 660f28aaf05e4100 660f54e5 660f58fe 660f58fc } - $sequence_6 = { eb07 8b04f5cc4e4100 5f 5e 5b } - $sequence_7 = { 8b8d84f8ffff 85c9 0f84b5050000 8b048d5c3d4100 8985a8f8ffff } - $sequence_8 = { c1ff06 6bd838 8b04bdf09d4100 f644032801 7444 837c0318ff } - $sequence_9 = { 85c9 0f84b5050000 8b048d5c3d4100 8985a8f8ffff 85c0 7562 } + $sequence_0 = { c705????????d0924100 c705????????f8954100 c705????????f0944100 e8???????? } + $sequence_1 = { 0f8eb1000000 8b45d4 0fb644012e 0fbe8000914100 40 } + $sequence_2 = { 85c9 0f84b5050000 8b048d5c3d4100 8985a8f8ffff 85c0 } + $sequence_3 = { 74bc 83f807 77c7 ff24852d374000 8bce e8???????? } + $sequence_4 = { 0fb63485c73c4100 8bf9 898598f8ffff c1e702 57 } + $sequence_5 = { 885c012e 8b0495f09d4100 804c012d04 46 } + $sequence_6 = { ff75f8 ffd6 85c0 7550 ff75fc ffd7 } + $sequence_7 = { 83e03f c1f906 6bc038 03048df09d4100 } + $sequence_8 = { eb56 8b0485341b4100 6800080000 6a00 50 8945fc ff15???????? } + $sequence_9 = { 897de4 8365fc00 8b049df09d4100 8b4de0 } condition: 7 of them and filesize < 237568 
@@ -100768,36 +101103,36 @@ rule MALPEDIA_Win_Yarat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c5e6c743-0bb4-5ded-85f6-7e273a746dba" - date = "2026-01-05" - modified = "2026-01-06" + id = "63e758ee-e47a-5b6d-9f31-91407ed4d575" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yarat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yarat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "9bcd9db0a35387b5ff289ffde342821469357bc27585eec725313cf57fac8b79" + logic_hash = "6cc12e2858c68d08ba1de7d1ffb11d2d35640e8a6b2fe791f291535d676fe1a6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b07 51 03f0 52 56 e8???????? 8b8564feffff } - $sequence_1 = { 8b7d08 33f6 33db 85ff 7439 8bf7 8d4e01 } - $sequence_2 = { c1ca03 663bf5 84eb 81f21b6f5a16 f7da f5 81fede018b2e } - $sequence_3 = { 8b3f 85ff 75d7 837c241c00 8b3d???????? 754f 6804010000 } - $sequence_4 = { f5 81c702000000 6685f1 0fadc2 f6d0 0f42c5 0fc8 } - $sequence_5 = { b90a000000 5f 5e 89889c0a0000 8bc3 5b 8be5 } - $sequence_6 = { e8???????? 83c408 eb02 33c0 898388050000 80be3e10000000 8945f8 } - $sequence_7 = { 8bec 8b4d08 85c9 7413 8b8148050000 8b4024 85c0 } - $sequence_8 = { e8???????? 
8bc6 83c418 0b45e8 0f858d000000 eb78 6a02 } - $sequence_9 = { 869d56f9247d 9e 2490 7f7c ec 96 ac } + $sequence_0 = { 8bc8 83be1c01000002 7515 83f814 7410 68???????? 56 } + $sequence_1 = { 8b8dc4feffff 51 8b4108 894634 a1???????? 8b4040 ffd0 } + $sequence_2 = { c1e81f 03c2 8d5518 894518 69c0e8030000 2bc8 69c1e8030000 } + $sequence_3 = { c645fc08 8bc8 83781410 7202 8b08 83781004 7534 } + $sequence_4 = { f9 81c504000000 33c3 f8 c1c003 48 6681fd2a15 } + $sequence_5 = { 8d45d4 50 6819270000 57 e8???????? 68???????? 682c4e0000 } + $sequence_6 = { 8b4dc8 8b45e4 0b45dc 7528 8bc1 0bc2 7522 } + $sequence_7 = { 8b7508 8bc2 c1e804 2401 88868e0d0000 f6c210 7406 } + $sequence_8 = { 8bf8 83c40c 85ff 0f8527020000 83bdd8feffff00 7529 68???????? } + $sequence_9 = { 8b4510 85c0 8b4d0c 8b5514 53 8b5d08 56 } condition: 7 of them and filesize < 8692736 
@@ -100807,42 +101142,42 @@ rule MALPEDIA_Win_Phandoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "155e4267-136b-55b4-90bd-1c218e8670a7" - date = "2026-01-05" - modified = "2026-01-06" + id = "1b11bc3e-003f-5029-8915-77f4f54f1101" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.phandoor_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.phandoor_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "527334a4bd04f39c9bfefa050c6438c0d4a556c8a31f02edf88789f46c6d4efd" + logic_hash = "35db9dcc3fa7ff656d1f966774540de481dc9976f8c91b3fb898d01a152f03cc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b36 e8???????? 83c404 eb25 e8???????? } - $sequence_1 = { ffd6 833d????????00 a3???????? 0f8482000000 833d????????00 7479 833d????????00 } - $sequence_2 = { 83c418 803f53 755f 807f015e } - $sequence_3 = { 8bd8 c1eb08 8bd1 895df8 8bd9 c1ea08 } - $sequence_4 = { 22da 22d9 8bc8 c1e910 224df8 } - $sequence_5 = { 890d???????? 8b96bc010000 8915???????? 33ff 399e90010000 763b } - $sequence_6 = { e8???????? 8b1d???????? 50 ffd3 8bf8 3bfe 8b35???????? 
} - $sequence_7 = { 0f8438010000 833d????????00 0f842b010000 833d????????00 0f841e010000 833d????????00 0f8411010000 } - $sequence_8 = { 741c 8b0d???????? 68???????? 51 c705????????04000000 } - $sequence_9 = { 83c404 8bf7 85ff 75e6 5f c7430800000000 } - $sequence_10 = { 43 84c0 7409 8803 } - $sequence_11 = { 6a03 d1ea 8d85e8efffff e8???????? } - $sequence_12 = { 741c 56 8b35???????? 3acb 740e } - $sequence_13 = { 3acb 740e 50 ffd6 } - $sequence_14 = { 6a03 d1ea 8bc3 e8???????? 8bc8 85c9 } - $sequence_15 = { 57 68???????? 50 c705????????03000000 ffd6 8b0d???????? 33ff } + $sequence_0 = { 8ad1 d1e9 33f6 57 } + $sequence_1 = { 32d8 32da 8b550c 881c16 } + $sequence_2 = { 837df000 750f 837dec00 7509 b801000000 8be5 } + $sequence_3 = { eb74 8b96b0010000 8915???????? 8b86b4010000 a3???????? 8b8eb8010000 890d???????? } + $sequence_4 = { 83f8ff 7525 50 ff15???????? 33c0 8b4df4 64890d00000000 } + $sequence_5 = { e8???????? 8be5 5d c3 0fb70f bab70b0000 663bca } + $sequence_6 = { 53 e8???????? 47 83c40c 83c302 3bbe90010000 } + $sequence_7 = { c1e910 224df8 8955f0 8ad0 2255ff 32d9 } + $sequence_8 = { 3acb 740e 50 ffd6 8a08 } + $sequence_9 = { 741c 56 8b35???????? 3acb } + $sequence_10 = { 83c404 8bf7 85ff 75e6 5f c7430800000000 } + $sequence_11 = { 741c 8b0d???????? 68???????? 51 } + $sequence_12 = { 6a03 d1ea 8bc3 e8???????? } + $sequence_13 = { 43 84c0 7409 8803 } + $sequence_14 = { 6a03 c60700 ff15???????? 8bf0 f7de 1bf6 } + $sequence_15 = { 80f95c 7510 803830 750b c60300 50 } condition: 7 of them and filesize < 2124800 
@@ -100853,10 +101188,10 @@ rule MALPEDIA_Win_Coinminer_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "dd71a564-9751-5c18-a6bf-b9b0587239f2" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.coinminer_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.coinminer_auto.yar#L1-L121" license_url = "N/A" logic_hash = "c6e378240c8214f1ad0ec61fc8d57006e837b16f1716923b20f2ac30be5b248c" score = 75 @@ -100865,9 +101200,9 @@ rule MALPEDIA_Win_Coinminer_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -100891,36 +101226,36 @@ rule MALPEDIA_Win_Flawedgrace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "38c84019-ad8d-570b-aa3f-e7acbb9a406b" - date = "2026-01-05" - modified = "2026-01-06" + id = "6f950a4b-f50d-5bf4-9839-dd2d0367a532" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flawedgrace_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flawedgrace_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "c317abd86b3ba4cb04110fcc0785854b53fd3854465be9cdca5825ec671c6c3a" + logic_hash = "59a872e135f9eae0947671cfc9a77340e428a38ee452a5294702c6eab9545dee" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bcf e8???????? 83c404 85c0 0f84a8010000 0f31 52 } - $sequence_1 = { 0fb6c0 894dec 8bcb c1e918 8b0485e0bb4500 33048de0bf4500 894510 } - $sequence_2 = { c6853bf5ffff00 c6853cf5ffffff c6853df5ffff25 c6853ef5ffff30 c6853ff5ffff20 c68540f5ffff40 c68541f5ffff00 } - $sequence_3 = { c6858ddaffff33 c6858edaffff00 c6858fdaffff00 c68590daffff00 c68591daffff00 c68592daffff00 c68593daffff00 } - $sequence_4 = { c68565f2ffff00 c68566f2ffff85 c68567f2ffffc0 c68568f2ffff74 c68569f2ffff3a c6856af2ffff81 c6856bf2ffff7d } - $sequence_5 = { 7416 8b85ccc0ffff 50 6a00 ff15???????? 
} - $sequence_6 = { 8b0495b8d34600 f644082801 7421 57 e8???????? 59 50 } - $sequence_7 = { c685abfdffff00 c685acfdffff00 c685adfdffff00 c685aefdffff00 c685affdffff00 c685b0fdffff00 c685b1fdffff00 } - $sequence_8 = { 3934bdb8d34600 7531 e8???????? 8904bdb8d34600 85c0 7514 6a0c } - $sequence_9 = { c685d3c8ffff05 c685d4c8ffff00 c685d5c8ffff00 c685d6c8ffff00 c685d7c8ffffe8 c685d8c8ffff48 c685d9c8ffff0f } + $sequence_0 = { 83c414 8d4df8 e8???????? 8b4df8 3b4f24 7591 57 } + $sequence_1 = { c68503e4ffff00 c68504e4ffff19 c68505e4ffffa0 c68506e4ffff3e c68507e4ffffa0 c68508e4ffff66 c68509e4ffffa0 } + $sequence_2 = { 0fb6c0 85c0 741f 8b8de4c0ffff 8b5108 8995ccc0ffff 8b95e4c0ffff } + $sequence_3 = { c6853ec3ffff00 c6853fc3ffff00 c68540c3ffff10 c68541c3ffff00 c68542c3ffff00 c68543c3ffff00 c68544c3ffff00 } + $sequence_4 = { c685f9c9ffffe8 c685fac9ffffda c685fbc9ffff0a c685fcc9ffff00 c685fdc9ffff00 c685fec9ffff48 c685ffc9ffff83 } + $sequence_5 = { 0fb6c3 330c85e0934500 334f48 894de4 c1eb18 8b45ec c1e810 } + $sequence_6 = { c6857de1ffff00 c6857ee1ffff00 c6857fe1ffff00 c68580e1ffff00 c68581e1ffff00 c68582e1ffff00 c68583e1ffff00 } + $sequence_7 = { c68580e4ffff00 c68581e4ffff00 c68582e4ffff00 c68583e4ffff00 c68584e4ffff00 } + $sequence_8 = { 8b4e04 8b45e8 8d0441 eb06 8b4604 0345e8 8945d8 } + $sequence_9 = { 0fb6c0 330c85e0d74500 0fb6c2 330c85e0d34500 338f90000000 8b879c000000 33d9 } condition: 7 of them and filesize < 966656 
@@ -100930,77 +101265,78 @@ rule MALPEDIA_Win_Konni_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f5f4e6b0-9bc7-5563-95be-e81e34e13947" - date = "2026-01-05" - modified = "2026-01-06" + id = "84d969e7-a871-55b8-b082-18756d62e7f9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.konni_auto.yar#L1-L466" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.konni_auto.yar#L1-L474" license_url = "N/A" - logic_hash = "848a6314b768526873d5e9f7192d61992e122b75278ca60f0df452953ea07af0" + logic_hash = "dd15dd039209be86a9efe874502578bd52abca85bcb81b0c502bc00066547414" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 50 8b45e8 0fb6cc 51 0fb6d0 52 } - $sequence_1 = { 85c0 7527 0fb655eb 0fb645ea } - $sequence_2 = { 03c0 334604 03c0 334608 03c0 33460c 03c0 } - $sequence_3 = { 83c418 8b45e4 50 ff15???????? } - $sequence_4 = { a1???????? 33c5 8945fc 8b0d???????? 8a15???????? 33c0 } - $sequence_5 = { 57 8b7d10 8985f4feffff 33f6 } - $sequence_6 = { 85c0 0f84f1000000 0f88eb000000 83f801 7508 } - $sequence_7 = { 7908 49 81c900ffffff 41 8a940df8feffff } - $sequence_8 = { 83f801 750a c705????????01000000 890d???????? } - $sequence_9 = { 33c9 83f802 7508 890d???????? 
} - $sequence_10 = { eb1e 83f804 740f c705????????02000000 } - $sequence_11 = { 6a01 ff15???????? 50 a3???????? } + $sequence_0 = { 8945f4 8945f8 8d45e4 50 6a01 6a00 } + $sequence_1 = { 300c07 40 3b4514 7c93 } + $sequence_2 = { 0fbef1 83e601 8970f4 d0f9 0fbef1 } + $sequence_3 = { 884c15f4 8970e8 42 83c020 83fa03 7c98 } + $sequence_4 = { ff15???????? e8???????? 8b4dfc f7d8 5f } + $sequence_5 = { 7cf1 33c9 8bc1 99 f7bdf4feffff 8a9c0df8feffff 0fb6c3 } + $sequence_6 = { 6a3d 68???????? 53 e8???????? 53 } + $sequence_7 = { 56 57 8b7d10 8985f4feffff } + $sequence_8 = { 7508 890d???????? eb1e 83f804 } + $sequence_9 = { 6a01 ff15???????? 50 a3???????? e8???????? } + $sequence_10 = { 33c9 83f802 7508 890d???????? } + $sequence_11 = { eb1e 83f804 740f c705????????02000000 83f801 750a c705????????01000000 } $sequence_12 = { 68b6030000 6a0d 50 ff15???????? } - $sequence_13 = { 7508 890d???????? eb1e 83f804 } - $sequence_14 = { eb02 33c9 e8???????? 8bf8 } - $sequence_15 = { 68???????? ffd6 83c8ff 5f 5e 5b 8b4dfc } - $sequence_16 = { 0fb6591c 88581c 0fb6591d 88581d 0fb6591e } - $sequence_17 = { ffd6 8b4d08 51 ffd6 53 ffd6 } - $sequence_18 = { 68???????? 8d8df0faffff 51 ffd6 8b35???????? 8d95f0faffff } - $sequence_19 = { 8d8df8feffff 51 8d95f0fcffff 52 6a00 6a00 } - $sequence_20 = { 4c89742420 ff15???????? 488bd8 4885c0 744f } - $sequence_21 = { 8db768020000 8916 56 e8???????? 8a8c30dec44600 } - $sequence_22 = { 660f1f440000 498bc8 ba04000000 0f1f840000000000 0fb601 4883c104 48ffca } - $sequence_23 = { 8d8df4fdffff 51 ff15???????? 85c0 755b 57 } - $sequence_24 = { 52 6a00 6a00 ff15???????? 68d0070000 ff15???????? 8b4dfc } - $sequence_25 = { ff15???????? 8b3d???????? be0a000000 68e8030000 ffd7 } - $sequence_26 = { 6a00 8d8df8feffff 51 8d95f0fcffff } - $sequence_27 = { d3ea 33c9 56 e8???????? 8a8c30a6c44600 } - $sequence_28 = { e8???????? 8a8c30dec44600 5e bb01000000 83c604 d3e3 } - $sequence_29 = { 8a8664020000 8b9cae68020000 33d2 56 e8???????? 
8a9435dec44600 5e } - $sequence_30 = { e8???????? 8a9435dec44600 5e 84c0 8bfa 7476 83ff03 } - $sequence_31 = { e8???????? 8a8c30a6c44600 5e 8b442414 03ca } - $sequence_32 = { ff15???????? 488bcb ff15???????? 488d8c24e0000000 33d2 } - $sequence_33 = { 57 6804010000 8d95f8feffff 52 } - $sequence_34 = { 488945c0 488d45b8 482bf0 6666666666660f1f840000000000 ba04000000 6666660f1f840000000000 0fb6040e } - $sequence_35 = { 33db 56 e8???????? 8a9c30c2c44600 5e 83f908 } - $sequence_36 = { 41b850000000 4533c9 488bd3 488bc8 c744242803000000 } - $sequence_37 = { 68???????? 8d95f8feffff 52 ffd6 6804010000 8d85f0fcffff 50 } - $sequence_38 = { bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 } - $sequence_39 = { 8d3c85e0a30010 8bc3 80c901 83e01f 884d0b 8d34c0 8b07 } - $sequence_40 = { 8d0c9de0a30010 8d9080040000 8901 3bc2 7318 80600400 } - $sequence_41 = { bb???????? 7539 e8???????? 68???????? 53 } - $sequence_42 = { 4963cb 41ffc1 48ffc3 0fb6040c 8843ff 40883c0c } - $sequence_43 = { 80a0a0a1001000 40 41 41 3bc6 72bf } - $sequence_44 = { 4963ca 0fb6040c 4288040c 44881c0c 420fb60c0c 4103cb 81e1ff000080 } - $sequence_45 = { 7468 488d44246c 4c8d8c2480010000 4c8d442430 488d15b1190100 } - $sequence_46 = { 66c705????????0100 837e0811 7509 66c705????????0100 837e0856 7514 66833d????????01 } - $sequence_47 = { 8b348de0a30010 8d1c8de0a30010 8d3cc0 c1e702 03f7 837e0800 } - $sequence_48 = { 4c8bb42480180000 4c8ba42488180000 488bbc2490180000 4889742458 } - $sequence_49 = { 418bf1 8bea 458bda 418bc2 488d0c24 0f1f8000000000 8801 } - $sequence_50 = { 85c0 0f85e0feffff 488bbc2430010000 488b9c2420010000 4c8ba42438010000 } + $sequence_13 = { eb02 33c9 e8???????? 8bf8 } + $sequence_14 = { e8???????? 83c408 85c0 7552 8b560c 68???????? 52 } + $sequence_15 = { 8d3c10 8b95f0feffff 8995e4feffff 8b95f8feffff } + $sequence_16 = { 56 57 50 e8???????? 83c40c 6820010000 e8???????? } + $sequence_17 = { 885a08 0fb641f0 3245f9 83c110 8801 0fb6460c 3245fa } + $sequence_18 = { ff15???????? 
8d95f8feffff 52 ff15???????? 8b3d???????? } + $sequence_19 = { 6a00 6a00 8d8df8feffff 51 8d95f0fcffff 52 6a00 } + $sequence_20 = { 33c0 8db768020000 8916 56 e8???????? 8a8c30dec44600 } + $sequence_21 = { 49ffc0 49ffc9 75d5 0fb645bd 0fb64db9 8845b9 0fb645c1 } + $sequence_22 = { 2bcb 81e2ffffff00 d3ea 33c9 56 e8???????? 8a8c30a6c44600 } + $sequence_23 = { e8???????? 8a9435dec44600 5e 84c0 8bfa } + $sequence_24 = { e8???????? 8a8c30dec44600 5e bb01000000 83c604 } + $sequence_25 = { 899d94040000 0f85d7030000 8d85a0040000 50 ff95b50f0000 898598040000 8bf0 } + $sequence_26 = { 450fb60424 450fb65c24ff 410fb67c2402 450fb6542401 410fb6d0 440fb6cf } + $sequence_27 = { 4c89742420 ff15???????? 488bd8 4885c0 744f } + $sequence_28 = { 5d bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 } + $sequence_29 = { 33db 56 e8???????? 8a9c30c2c44600 5e 83f908 7232 } + $sequence_30 = { 6a00 50 c685f4fdffff00 e8???????? 83c40c 6804010000 } + $sequence_31 = { 50 038594040000 59 0bc9 89851a040000 61 7508 } + $sequence_32 = { 7524 a1???????? a3???????? a1???????? c705????????58214000 } + $sequence_33 = { 51 ffd6 8b35???????? 8d95f0faffff } + $sequence_34 = { 33c0 4883c9ff 498bfb f2ae 48f7d1 488d51ff } + $sequence_35 = { 004044 40 00644440 0023 } + $sequence_36 = { 41b850000000 4533c9 488bd3 488bc8 } + $sequence_37 = { 488bd6 e8???????? 4885c0 740a } + $sequence_38 = { 8d95f8feffff 52 50 ff15???????? 8d85f8feffff 50 ff15???????? } + $sequence_39 = { 52 8d85f8feffff 50 ffd6 } + $sequence_40 = { e8???????? 59 3bc7 59 a3???????? 741e } + $sequence_41 = { e8???????? 488d8d60050000 33d2 41b800040000 c744244000040000 } + $sequence_42 = { 48899c2420010000 4889bc2430010000 4c89a42438010000 4533e4 0f1f00 } + $sequence_43 = { 488d442440 488d1579180100 4533c0 4889442420 } + $sequence_44 = { a3???????? 85c0 59 bf???????? } + $sequence_45 = { 99 f7fd 4863c2 420fb60c20 4403d9 4403df } + $sequence_46 = { 8d0500a00010 83780800 753b b0ff 8bff } + $sequence_47 = { 56 53 e8???????? 57 68???????? 
e8???????? } + $sequence_48 = { e8???????? 4533f6 41b919000200 4c8be8 488d442448 4533c0 488bd3 } + $sequence_49 = { e8???????? 4c8d4d08 4c8d442448 488d156d140100 488d4c2448 } + $sequence_50 = { c1f905 8d04c0 be00800000 8b0c8de0a30010 8d548104 8a4c8104 } + $sequence_51 = { c1f905 83e01f 8b0c8de0a30010 8d04c0 8d0481 eb05 } condition: 7 of them and filesize < 2361344 
@@ -101010,36 +101346,36 @@ rule MALPEDIA_Win_Turnedup_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f4a24578-5335-5053-b07f-943404877172" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1e3652e-f6cb-5172-92fd-6a726754e024" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.turnedup_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.turnedup_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "70af128b8d10ec8ac1a0ea6deea907b76cc81c6db7a8cb227ddf71385e7b13b6" + logic_hash = "7b32f1929faf7814f44af9530d1e35b6bdec6a7b8c8c71756471d909ad6f0aac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a0d c741140f000000 c7411000000000 68???????? 8945a8 c60100 } - $sequence_1 = { 85db 7417 8d4df4 8bf3 } - $sequence_2 = { 7f0d 0fbed0 0fbec1 8d4a05 } - $sequence_3 = { c70600000000 c6460401 807e0530 0f8cf1000000 807e0400 7538 8b0e } - $sequence_4 = { 740f e8???????? 8b4dbc 8801 } - $sequence_5 = { 8d44244c 50 e8???????? dd542448 8b442434 } - $sequence_6 = { 7405 884305 eb06 c70300000000 c6430401 8a4b05 884dbb } - $sequence_7 = { ffd3 83ec1c 8bcc 6a0d c741140f000000 c7411000000000 68???????? } - $sequence_8 = { c60100 e8???????? 
c3 56 } - $sequence_9 = { 8945fc 8d45fc 50 8d4df0 e8???????? 68???????? } + $sequence_0 = { 8b3481 837e1410 720b 8b16 52 } + $sequence_1 = { 50 ff15???????? 8d8534ffffff 8d5001 8bff } + $sequence_2 = { 391d???????? 757d 6a01 53 8d450c 50 } + $sequence_3 = { 40 ff45a8 8945bc 8b7db4 8bf3 e8???????? } + $sequence_4 = { 837dd400 750a 8b55c0 8b45c4 } + $sequence_5 = { 830802 eb08 8b45a4 0f95c2 8810 8b4d0c 8b45a8 } + $sequence_6 = { 8d4c2428 897c2418 e8???????? 8b4704 83f8ff 7304 } + $sequence_7 = { 3906 7613 8a15???????? 53 } + $sequence_8 = { e8???????? 8b4704 83f8ff 7304 40 894704 8d4c242c } + $sequence_9 = { f6c202 7515 8b45e8 8d8800000080 83f9ff } condition: 7 of them and filesize < 892928 
@@ -101049,36 +101385,36 @@ rule MALPEDIA_Win_Sysget_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d2f0576d-1441-54f4-9c7c-cf1f813e0f5e" - date = "2026-01-05" - modified = "2026-01-06" + id = "a846d722-cc47-53de-a316-73685751a6e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sysget_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sysget_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "089522db1c40ede3965799cc3ef7759b59f64889024e8b66531171fe0f366f21" + logic_hash = "087e1989b67f1382444fa064da44e53abfc8c8d2760af691374044fd34024cca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? bf???????? 83c424 c60000 } - $sequence_1 = { 668b08 83c002 6685c9 75f5 8dbdecf1ffff 2bc6 83ef02 } + $sequence_0 = { 7415 8d8decfdffff 03da 668901 0fb703 03ca 83f80a } + $sequence_1 = { 50 ff35???????? ff15???????? 85c0 0f8487000000 8b06 0385f4fbffff } $sequence_2 = { 8325????????00 5e c3 55 8bec 83ec34 a1???????? } - $sequence_3 = { 8985c4f9ffff 052c010000 50 e8???????? 83c40c 6800800000 } - $sequence_4 = { a3???????? 57 6a11 59 6a7c 8d4580 } - $sequence_5 = { 8d85fcf7ffff 50 e8???????? 
59 33c0 } - $sequence_6 = { 8b85f8fbffff 8d8df4fbffff 51 50 8d85fcfbffff } - $sequence_7 = { 8b35???????? 57 6a10 58 50 6a01 } - $sequence_8 = { ff15???????? 8bc6 8bd6 668b08 83c002 663bcb } - $sequence_9 = { 8d853cffffff 50 ff35???????? ff15???????? a1???????? } + $sequence_3 = { a5 a5 a5 a5 6a08 66a5 58 } + $sequence_4 = { e8???????? 33c0 8d7df4 ab 33f6 } + $sequence_5 = { 8d85ecf1ffff 83e103 50 f3a4 } + $sequence_6 = { 59 8bc8 85d2 7407 c60100 } + $sequence_7 = { 50 899dccf9ffff 899dd0f9ffff e8???????? 8b85d0f9ffff 83c032 50 } + $sequence_8 = { 66a5 e8???????? 59 85c0 } + $sequence_9 = { 56 57 ff15???????? 57 e8???????? 59 5f } condition: 7 of them and filesize < 352256 
@@ -101088,36 +101424,36 @@ rule MALPEDIA_Win_Taidoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba437ab9-6c90-576a-83d2-5801ebb87e42" - date = "2026-01-05" - modified = "2026-01-06" + id = "6466f22c-0b00-505e-b64e-32f53ef48121" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.taidoor_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.taidoor_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "7b8ed6f15654e580fefed39d2d4fea0473e69a1fd6a98339a075f2fbcf4be749" + logic_hash = "e006483c2129750da1aa51f6fa5cfac197d44461bcd6a9098b7427f213c519a3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7433 ff750c 889c05f4fbffff 50 8d85f4fbffff 6a01 50 } - $sequence_1 = { 395d10 7e1b 56 8b450c } - $sequence_2 = { 897df0 50 56 e8???????? 8b3d???????? 83f86f 750c } - $sequence_3 = { 83a00401000000 b001 c9 c20800 8b8104010000 } - $sequence_4 = { 7e24 8a0406 fec0 3c3a 8845ec } - $sequence_5 = { 57 a0???????? c745fc01000000 8ac8 f6d9 1bc9 33db } - $sequence_6 = { b940420f00 f7f9 8d45e0 52 ff35???????? ff35???????? } - $sequence_7 = { e9???????? 8d4de0 e8???????? 8d8588f7ffff 50 ff35???????? ffd6 } - $sequence_8 = { ff75ec 8d4df0 e8???????? 
8b450c 46 3b70f8 7cdc } - $sequence_9 = { 53 50 53 c7458844000000 } + $sequence_0 = { 7cf5 c745fcfcffffff 33ff 33db } + $sequence_1 = { 8b1d???????? 8d45e0 57 50 8d45e4 897de4 } + $sequence_2 = { 8bd8 3bdf 895de8 7508 } + $sequence_3 = { 7e24 8a0406 fec0 3c3a 8845ec } + $sequence_4 = { 0fbe01 48 48 0f8472030000 48 0f8447030000 } + $sequence_5 = { 66ab aa 895dfc ffd6 40 85c0 7e29 } + $sequence_6 = { 50 ff7508 56 57 ff15???????? 8b45ec 8d4df0 } + $sequence_7 = { b940420f00 f7f9 8d45e0 52 ff35???????? ff35???????? } + $sequence_8 = { e9???????? 8d4de0 e8???????? 8d8588f7ffff 50 ff35???????? ffd6 } + $sequence_9 = { 53 6a02 8d85f4feffff 68000000c0 } condition: 7 of them and filesize < 49152 
@@ -101127,36 +101463,36 @@ rule MALPEDIA_Win_Miancha_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fc1eda3c-bd5f-5571-91d7-7aefaea33797" - date = "2026-01-05" - modified = "2026-01-06" + id = "b659b2b4-b118-599f-a2b8-d8efdaaa2eb6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.miancha_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.miancha_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "f932de22bd95ab60efbbe4e694e46f3915e7f38800c91edc1e731744ddf1fb94" + logic_hash = "d175e6ce8f513a1b2f0d3a140e699b3e994f18bc865c2aae2194d11acd09e9c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c744242000000000 ff15???????? 50 ff15???????? 8bf0 85f6 } - $sequence_1 = { 56 8b35???????? 6a02 6a00 68???????? } - $sequence_2 = { ffd6 85c0 741a 837c241800 7413 } - $sequence_3 = { 68???????? c744242000000000 ff15???????? 50 ff15???????? 8bf0 85f6 } - $sequence_4 = { 8b0d???????? 895008 8a15???????? 89480c } - $sequence_5 = { 52 6803000080 ff15???????? 85c0 741f } - $sequence_6 = { 8910 8b15???????? 894804 8b0d???????? 895008 8a15???????? 89480c } - $sequence_7 = { 85c0 741a 837c241800 7413 } - $sequence_8 = { ff15???????? 
8bf0 85f6 7412 8d542418 } - $sequence_9 = { 40 50 56 8b35???????? 6a02 6a00 } + $sequence_0 = { c744242000000000 ff15???????? 50 ff15???????? 8bf0 85f6 7412 } + $sequence_1 = { 50 68???????? 6a01 6a00 68???????? 51 } + $sequence_2 = { 8b35???????? 6a02 6a00 68???????? } + $sequence_3 = { 50 56 8b35???????? 6a02 6a00 68???????? 52 } + $sequence_4 = { 68???????? 68???????? c744242000000000 ff15???????? 50 } + $sequence_5 = { ff15???????? 50 ff15???????? 8bf0 85f6 7412 8d542418 } + $sequence_6 = { 8bf0 85f6 7412 8d542418 } + $sequence_7 = { 8910 8b15???????? 894804 8b0d???????? 895008 8a15???????? } + $sequence_8 = { 8b15???????? 894804 8b0d???????? 895008 8a15???????? 89480c } + $sequence_9 = { 8d542418 52 ff15???????? 50 ffd6 } condition: 7 of them and filesize < 376832 
@@ -101166,36 +101502,36 @@ rule MALPEDIA_Win_Mayberobot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c92428ca-450d-55ec-a6b0-19554a59efc9" - date = "2026-01-05" - modified = "2026-01-06" + id = "79d19f8c-dcdd-52d9-a0c4-951f84080c4d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mayberobot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mayberobot_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mayberobot_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "7a87fd7bc03b1a4ed615fd0a81f85d5bd0e66326980b2da4e2257c81318fa9fe" + logic_hash = "a529fe1f04b613106e97061d0ab38d73c83d613d3478abbf5f4405a1c13ee353" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883ec28 803d????????00 754c 488d0da8270100 } - $sequence_1 = { 45390a 7449 496312 4803d5 0fb60a 83e10f 4a0fbe843110440100 } - $sequence_2 = { 4885c0 7509 488d05233a0100 eb04 } - $sequence_3 = { 90 8bdf 8b05???????? 48895c2420 3bf0 7c36 4c8d3da9080100 } - $sequence_4 = { 4c8d058afb0000 488b4318 4839b838010000 750f 498b04d0 42387ce839 0f84d3000000 } - $sequence_5 = { 488d0d8a0b0100 e8???????? 4883c428 c3 } - $sequence_6 = { e8???????? 85c0 7420 4c8b442430 } - $sequence_7 = { 488d151fc50000 b903000000 4c8d050bc50000 e8???????? 
488bd3 } - $sequence_8 = { 4183f90f 7779 428b8c8e78f80000 4803ce ffe1 660f73fa01 eb65 } - $sequence_9 = { 488bd1 488bc1 48c1f806 4c8d05b4060100 } + $sequence_0 = { 41894120 418b00 49895108 41894124 0fb60a 83e10f 4a0fbe841910440100 } + $sequence_1 = { 4883ec28 4885c9 7411 488d05b8a70100 } + $sequence_2 = { 415d 415c 5f c3 488bc3 4c8d358d2affff 498784f6f0060200 } + $sequence_3 = { 4883ec20 488bd9 488bc2 488d0df9010100 0f57c0 48890b 488d5308 } + $sequence_4 = { 428a8c3920440100 482bd0 8b42fc d3e8 443bc8 } + $sequence_5 = { e8???????? 8bc7 eb8a 4863d1 4c8d0562080100 } + $sequence_6 = { 8945d0 7413 8b04f1 488d0df9d2feff 4803c1 488945d8 } + $sequence_7 = { 8b442430 8bc8 cd29 488d0daec40100 e8???????? } + $sequence_8 = { 33f6 4c03cf 4533c0 8bd5 410fb609 83e10f 4a0fbe843110440100 } + $sequence_9 = { 488d1dff860100 488d3df8860100 eb12 488b03 } condition: 7 of them and filesize < 307200 
@@ -101205,36 +101541,36 @@ rule MALPEDIA_Win_Shifu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "94131f96-f004-59ab-be06-e4302b4af25a" - date = "2026-01-05" - modified = "2026-01-06" + id = "c6732e45-69b6-5aa9-a3c3-afe85d22034b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shifu_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shifu_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "c03c0d8c15de6f3e31605e542d8b0452407c2c6c3eb4ca0055ffada2d5d050db" + logic_hash = "459ce266282fc5d0a1b62f17f4b09a8a8f0527b9db5b7ce74fcd5dc6cff68d36" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895dfc 6a08 58 e8???????? 8bc4 85c0 7411 } - $sequence_1 = { 56 e8???????? 85c0 0f848d010000 ff7508 683a041000 e8???????? } - $sequence_2 = { 83c420 f644242010 741c 6a04 6a00 ff742418 e8???????? } - $sequence_3 = { 83c604 833e00 75a3 83c714 8b470c 85c0 0f8573ffffff } - $sequence_4 = { 6800200000 57 57 6a02 ff15???????? 8bd8 3bdf } - $sequence_5 = { 7516 6aff 53 ff15???????? 83f8ff 7408 53 } - $sequence_6 = { 85c0 7540 3945f4 7447 ff15???????? 
8b75f8 8365f400 } - $sequence_7 = { 50 68060000c8 56 c7442430b907a225 c744243660468ee9 c744243a76e58c74 66c744243e063e } - $sequence_8 = { 50 ff15???????? 6a10 58 e8???????? 8bc4 3bc7 } - $sequence_9 = { e8???????? 50 ffd6 893d???????? 3bc7 740a c705????????01000000 } + $sequence_0 = { 8bf3 f3a5 8b4d08 898134010000 e9???????? b800000100 } + $sequence_1 = { e8???????? 85c0 7415 ff35???????? 68???????? 68???????? e8???????? } + $sequence_2 = { 0fb65906 33d8 23da c1e808 33049df8ce3602 0fb65907 33d8 } + $sequence_3 = { 89430c 85c0 0f84b0030000 c16dfc0e 836d080e 83630800 c70304000000 } + $sequence_4 = { 72ee 85c9 0f84dc000000 8bdf 894df4 8b45ec 803c0302 } + $sequence_5 = { ff15???????? 85c0 745d 8b75f8 e8???????? 8945fc 3bc7 } + $sequence_6 = { e8???????? 8b4d08 c1e110 03f1 85c0 751b 8d4508 } + $sequence_7 = { 6a03 53 53 ff75f0 ff75e4 50 ff15???????? } + $sequence_8 = { 33c0 5e c9 c20c00 55 8bec 85c9 } + $sequence_9 = { ff15???????? 895e08 a1???????? 8906 c74604???????? 897004 57 } condition: 7 of them and filesize < 344064 
@@ -101244,36 +101580,36 @@ rule MALPEDIA_Win_Revc2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a9d168dd-7c35-55c3-a239-5afaaa4e5d1b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4c95db96-0a02-5216-ab93-0489734f34c6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revc2" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.revc2_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.revc2_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "940c1d8169d85582e91801f5b035bb96d22b7337aecd24f108d64e53de46b408" + logic_hash = "9766a2dda3a35ffc17577c5196440407523e45a8c26acb0e07f70d0974815690" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4701 458bca 458bec 0f45f8 be01000000 8364244000 4183e21f } - $sequence_1 = { e8???????? 498946b0 488bc3 49894500 486307 4c6bf068 410fb6842434010000 } - $sequence_2 = { 90 488d8d90000000 e8???????? 90 488d4dd0 e8???????? 90 } - $sequence_3 = { ff15???????? e9???????? 488b0e 488b11 0fb74214 a804 0f84ab010000 } - $sequence_4 = { c5fe6f27 c5fe6f15???????? c5fe6f2d???????? c5fd71d404 c5fddbca c4e24d00d9 c5eddbc4 } - $sequence_5 = { eb12 4863c6 488d0c40 488b8388000000 488d04c8 895008 418d7701 } - $sequence_6 = { e8???????? 
4c8b8424b8000000 498b38 4885ff 0f84fa010000 418bdd 4c8d0dca611200 } - $sequence_7 = { 4c894dc0 4889542450 4889442458 4c895c2440 895c2430 895c2470 895da0 } - $sequence_8 = { e8???????? 90 4c8bc0 488d4d50 e8???????? 488bf8 488d542450 } - $sequence_9 = { e8???????? 488bc3 488b5c2450 488b7c2458 4883c440 5d c3 } + $sequence_0 = { eb4b ba01000000 eb44 488d054a031600 41b980620100 4c8d0581fe1500 4889442420 } + $sequence_1 = { 90 488b8da8010000 4833cc e8???????? 4c8d9c24d0020000 498b5b30 410f2873f0 } + $sequence_2 = { e8???????? 8bd8 488b07 488b7c2440 488906 85db 750b } + $sequence_3 = { e9???????? 488d050e011700 bb0b000000 8bcb 4889442420 41b942300100 4c8d0539fc1600 } + $sequence_4 = { bf04000000 eb2d 4183f864 720b bf03000000 448d5f61 eb1c } + $sequence_5 = { e8???????? 488bf0 4885c0 0f8488000000 0f57c0 33c0 0f1106 } + $sequence_6 = { 4d8bd8 0f85b7020000 498b08 4c3bc9 0f85ce000000 498b4810 80791800 } + $sequence_7 = { e8???????? 488bd8 48894508 8b45e4 8945e4 0fb6463f 884588 } + $sequence_8 = { ba07000000 488995b0080000 664489bd98080000 488b4c2440 488b01 4c8931 4885c0 } + $sequence_9 = { 8b4530 03c9 3345fc 0bf1 33451c 418bcf 334504 } condition: 7 of them and filesize < 5108736 
@@ -101283,36 +101619,36 @@ rule MALPEDIA_Win_Coronavirus_Ransomware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6151d4f1-97cc-5312-ae6b-4a65c017356c" - date = "2026-01-05" - modified = "2026-01-06" + id = "719d3563-ce29-55ee-9992-97c33fcb6fe3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.coronavirus_ransomware_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.coronavirus_ransomware_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "12ada14137bab3268f52ca487b70dc117c439c16c715b2ea437f3cb7436cd1a9" + logic_hash = "f487de07a5f7f58c27402d2d7ff35536e962af3e08eb0d7196f340d2ce8610fb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7dbc 2bfb 1bc6 8945d0 8b4dc8 8d140b } - $sequence_1 = { 83c404 85f6 746a 803e00 7465 33c0 33d2 } - $sequence_2 = { 8b35???????? 83c404 85f6 746a 803e00 } - $sequence_3 = { 90 8b55ec 8b45f0 6a00 b9???????? 81e9???????? } - $sequence_4 = { e8???????? 83c404 6a00 6a00 0fb60d???????? 8b148d78954100 52 } - $sequence_5 = { 33f6 56 56 6a03 56 6a03 56 } - $sequence_6 = { ffd0 6800200000 8d85f8deffff 50 ff15???????? } - $sequence_7 = { 85db 0f84cd010000 c745fc01000000 8975e4 } - $sequence_8 = { b8???????? e8???????? 
8d4df0 51 8d55a0 52 } - $sequence_9 = { ff15???????? 8b35???????? 83c418 68???????? ffd6 68???????? ffd6 } + $sequence_0 = { 33d2 6689959c9fffff 68fe1f0000 52 8d859e9fffff 50 } + $sequence_1 = { 68fe1f0000 50 8d8d9edfffff 51 e8???????? 83c424 } + $sequence_2 = { 8a4601 84c0 7423 0fb6d0 0fb68280fa4000 0fb615???????? } + $sequence_3 = { 68???????? 50 ff15???????? 83c41c 6a00 6a00 6a00 } + $sequence_4 = { 83ff0f 7330 eb13 6a44 } + $sequence_5 = { 0f841e030000 66833d????????00 bb???????? 0f840b030000 8bc3 8d5002 8d9b00000000 } + $sequence_6 = { 85c0 7406 8b55d0 880417 8b45c8 50 } + $sequence_7 = { 52 ff15???????? a1???????? 8b1d???????? 50 8d8df8deffff } + $sequence_8 = { 8d4900 66833f00 0f8407010000 57 ff15???????? 83f803 7413 } + $sequence_9 = { 68???????? 68???????? 6a15 b8???????? e8???????? 50 } condition: 7 of them and filesize < 235520 
@@ -101322,36 +101658,36 @@ rule MALPEDIA_Win_Zardoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50308ee9-1428-5d6c-b40d-321fe9c765a2" - date = "2026-01-05" - modified = "2026-01-06" + id = "1e92978b-4a0b-544e-8ff4-2c32e212f8b1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zardoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zardoor_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zardoor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "491b0a08b4b203499d0503a262d51ee8a6400f1ce6bac152bdcd0f18d092424e" + logic_hash = "e7b04bc720af6c18148a76af65f5a9bdd071392f16a184f59447036aba92cea0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740d c7442428ac070000 e9???????? f687d005000080 8b442468 410f44c1 81fa03030000 } - $sequence_1 = { f6c210 752c eb0a f6c220 7405 4584c0 7920 } - $sequence_2 = { e8???????? 4889442448 4885c0 0f85c9000000 c74424201d010000 4c8d0d264f0b00 8d5566 } - $sequence_3 = { ffc3 895c2430 e8???????? 3bd8 0f8c2cfeffff b801000000 488b9c2488000000 } - $sequence_4 = { 488d1572b10900 488bcd e8???????? 85c0 0f8e29020000 488b13 4885d2 } - $sequence_5 = { e8???????? 4883c9ff 660f1f440000 48ffc1 803c0800 75f7 83c10d } - $sequence_6 = { e8???????? 
488906 4885c0 0f85ab000000 83c8ff 488b742458 488b5c2460 } - $sequence_7 = { e8???????? 4885c0 8bde 0f95c3 e8???????? 85db 488b9c2440010000 } - $sequence_8 = { 8bc3 448bcb 488bf9 448bc3 488bcb 4883f838 7317 } - $sequence_9 = { e8???????? 85c0 0f84d1000000 4d8b8d90000000 488bd3 4c8b442440 488bcb } + $sequence_0 = { eb13 4489542450 eb0c 448954244c eb05 4489542448 448b542428 } + $sequence_1 = { 741e 4533c0 4c8d4c2438 418d5025 e8???????? 83cbff 83f801 } + $sequence_2 = { e8???????? 48894348 4885c0 7542 4c8d0db6bf0c00 c744242055000000 baf5000000 } + $sequence_3 = { e8???????? 488b4c2448 e8???????? 4c8b6c2458 488bc7 4c8b642460 488b6c2468 } + $sequence_4 = { e8???????? 85c0 0f8e95010000 4c8d053f710e00 488bcb 488d15e3150b00 e8???????? } + $sequence_5 = { 660f73d908 66490f7ec9 4983f902 0f824b010000 4c8b442460 4983e902 410fb64001 } + $sequence_6 = { 8b842490000000 488b742478 41396d38 0f8501010000 85c0 0f84f9000000 488b8c2480000000 } + $sequence_7 = { 7709 493bd1 0f83a2000000 483bd9 7709 493bd3 0f8394000000 } + $sequence_8 = { e8???????? 85c0 0f9fc3 e9???????? 4c8d0d361c1100 448bc6 488bcd } + $sequence_9 = { e8???????? 4c8bc7 488d15649e1000 b902000000 e8???????? 83c8ff e9???????? } condition: 7 of them and filesize < 4376576 
@@ -101361,36 +101697,36 @@ rule MALPEDIA_Win_Funksec_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9193fd51-0ac6-5db6-9635-e6eb925df3d1" - date = "2026-01-05" - modified = "2026-01-06" + id = "ea8df678-b347-5866-9532-54e6fe25b51e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funksec" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.funksec_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.funksec_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "06f95012988e8bb48797f6f8504bd1b10c3653d29a2d1e0983bf3fe910630ecb" + logic_hash = "295467c18b944fb09944a901e783dbbba9dffb3c056bc94460c476e9b4c73249" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4c8bb550020000 440fb68d58020000 48b80a00000000000080 4939c6 0f85a9020000 4489e1 } - $sequence_1 = { e8???????? 66c7060101 c7460401000000 488d05b2591e00 48894608 48c7461001000000 0f57c0 } - $sequence_2 = { e9???????? 488b8528110000 48898520110000 4c8d0564cf2c00 ba80000000 e8???????? e9???????? } - $sequence_3 = { ba21000000 e8???????? 488d0ddb081100 4c8d056c091100 ba1f000000 e8???????? 488d0d73091100 } - $sequence_4 = { e8???????? 84c0 89fb 0f84f6000000 488b0d???????? 488b4138 4885c0 } - $sequence_5 = { e9???????? 
4489f0 83e01f 410fb65701 83e23f 4180fedf 7664 } - $sequence_6 = { e9???????? 488d05f6d11400 488985a0000000 48c785a800000001000000 48c785b000000008000000 0f57c0 0f1185b8000000 } - $sequence_7 = { e8???????? ebde 498b07 4885c0 0f84c3010000 48c1e003 488d1440 } - $sequence_8 = { e8???????? 4c8bad30360000 4d8db518010000 41b828030000 4c89f1 4889da e8???????? } - $sequence_9 = { ebd0 49ffc3 49ffc9 4d8918 4d894808 488d05cdf81000 488945d8 } + $sequence_0 = { eb32 410fb6411c 450fb64101 410fb65102 410f104103 0f2985c0050000 450fb6511b } + $sequence_1 = { eb3f c6858f00000000 c6858e00000000 4c8d05cf7a2300 4c89f1 e8???????? eb20 } + $sequence_2 = { e9???????? 48c1e808 488b7de8 4939f6 0f8288feffff 4c8d054bf31000 4c89f1 } + $sequence_3 = { f3410f6f4c0d10 660fefd2 660ff8d0 660fdad0 660fefc0 660ff8c1 660fdac1 } + $sequence_4 = { f04c0fb137 0f8428020000 4183fd06 b806000000 410f42c5 b901000000 4585ed } + $sequence_5 = { e8???????? 4889c3 4885c0 7453 0f1005???????? 0f1103 c6431072 } + $sequence_6 = { f3420f6f0433 66440fd7d0 4983c310 4585d2 74e6 f3450fbcd2 4d01f2 } + $sequence_7 = { eb4d 4983c403 c1e10c 09ca 4189d5 4181fd00010000 7338 } + $sequence_8 = { e8???????? c7451000000000 488b5dd0 4c8b65d8 41bd04000000 4c8d7510 488b75e0 } + $sequence_9 = { ff5018 488b45f0 488b8010020000 4885c0 7416 f048ff08 7510 } condition: 7 of them and filesize < 10986496 
@@ -101400,36 +101736,36 @@ rule MALPEDIA_Win_Pulsartea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "492a2a3f-efe7-5dcc-8ea0-f274f56c1d7a" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d37acc9-5642-57c2-9a68-2b712495533a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pulsartea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pulsartea_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pulsartea_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e947490c744b727dc99593cdd46b11ea245b6efcca5c96db4f4a6ac92a6b6da4" + logic_hash = "1283444ee5c11c862dc325444d0e920ad28f24b52db62ee4758f2ba200dfbf58" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745bc00000000 418bde 488b0f 488d55c0 e8???????? } - $sequence_1 = { 4889542420 488bcb e8???????? 4d8d870c020000 488d15a6500200 } - $sequence_2 = { 488d41f8 4883f81f 0f8789000000 498bc8 e8???????? 4c896e10 48c746180f000000 } - $sequence_3 = { 4c8d4d80 4533c0 8bd0 488d8d20060000 ff15???????? 440fb745a4 4533c9 } - $sequence_4 = { 418b048e 4133c1 8983a4000000 458842ff 4883ed01 } - $sequence_5 = { 488bc8 ff15???????? 
85c0 0f84be000000 488b4c2440 488d442448 41b92c010000 } - $sequence_6 = { 48c74424480f000000 4088742430 498b442410 4883f810 0f823b0b0000 4883c0f0 41b804000000 } - $sequence_7 = { e8???????? 33db 8bf8 85c0 0f8454020000 4c8d25646e0100 448bf3 } - $sequence_8 = { 4c897f10 488bc7 48837f1810 7203 488b07 c60000 488b4f10 } - $sequence_9 = { c1e806 83e001 418986380c0000 83ff17 756d 0f57c0 448d4f4d } + $sequence_0 = { 458bf5 eb03 448b30 4883ff10 7231 488d5701 488bc3 } + $sequence_1 = { eb0c c745b400000000 bbffffffff 4c8b37 488d5560 498bce e8???????? } + $sequence_2 = { 0f114c2440 0f1005???????? 0f11442450 f20f100d???????? f20f114c2460 8b05???????? 89442468 } + $sequence_3 = { 4c8b8df8000000 448944241c 4c8b85d8000000 4c896518 4c89442440 4c894c2448 0f1145e0 } + $sequence_4 = { 488b05???????? 4833c4 48894570 4c8be9 4533e4 4c8965f8 48c745000f000000 } + $sequence_5 = { 488bec 4883ec40 488d45e8 48894de8 488945f0 488d154cb20000 b805000000 } + $sequence_6 = { 895f2c 41896c2408 8bc6 412b0424 410144240c 49893424 498bd4 } + $sequence_7 = { 410f1106 bb0f000000 eb7d 498bdf 4883cb0f 48b8ffffffffffffff7f 483bd8 } + $sequence_8 = { e8???????? 488bc8 4885c0 0f84bd030000 4883c027 4883e0e0 488948f8 } + $sequence_9 = { 4155 4156 4157 4883ec20 448bf9 4c8d350633feff 4883cfff } condition: 7 of them and filesize < 520192 
@@ -101439,42 +101775,42 @@ rule MALPEDIA_Win_Cryptomix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66a42334-0f35-544f-b73c-0df7b8e22035" - date = "2026-01-05" - modified = "2026-01-06" + id = "efd95819-510c-51fc-a4b8-e52f024c6ab7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptomix_auto.yar#L1-L177" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptomix_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "02f656068f4f76c12e869f1af5a2e63ec8e44cb4db7dffbbf055e2899960d03b" + logic_hash = "f258ed562da7e58f0dceda9b5b65599b8deab0b74902695859cb608fb36cb5e5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? ffd0 683e8d61be 6a06 } - $sequence_1 = { ffb580efffff ff15???????? 56 68???????? ff15???????? 68???????? 68???????? } - $sequence_2 = { 85c0 0f87e0000000 68???????? 56 e8???????? 59 59 } - $sequence_3 = { 8be5 5d c3 3dc0ede0b7 } - $sequence_4 = { ffb5e0fbffff ff15???????? ff85e8fbffff 8d85e4fbffff 50 68???????? } - $sequence_5 = { 59 ff742408 ff742408 ffd0 c3 68c142487b 6a01 } - $sequence_6 = { 8b30 57 8b7dfc 68dee70218 6a05 e8???????? } - $sequence_7 = { 68???????? 8d85e8fbffff 50 ffd7 8d85c4f9ffff 50 8d85e8fbffff } - $sequence_8 = { 8bf9 e8???????? 
83c40c 8d85e0fbffff 50 8d85f4fdffff 50 } - $sequence_9 = { c785e4fbffff04010000 ff15???????? 8d85e4fbffff 50 56 } - $sequence_10 = { 7571 b801000000 8b4dfc 33cd e8???????? 8be5 } - $sequence_11 = { 55 8bec 83ec10 57 33ff 6822ded78a } - $sequence_12 = { 6802f1f808 6a01 e8???????? 83c430 56 6880000000 } - $sequence_13 = { 33c0 8d95f4fdffff 6685c9 0f8465010000 0fb7c9 c1c007 } - $sequence_14 = { ff75f4 6a40 e8???????? 8bd8 } - $sequence_15 = { 59 8d4dfc 51 683f020f00 56 bb???????? 53 } + $sequence_0 = { 85c0 7507 55 e8???????? 59 6852244332 } + $sequence_1 = { 57 6a01 57 ff75e4 ffd0 85c0 7428 } + $sequence_2 = { 6a00 68???????? e8???????? 8b3d???????? 83c40c 56 68???????? } + $sequence_3 = { 56 57 8bf2 8bd9 6a01 } + $sequence_4 = { ff15???????? 6a00 ff7508 ba???????? 8bcb e8???????? 83c408 } + $sequence_5 = { 83feff 0f843c010000 8b8d8cefffff e8???????? 85c0 } + $sequence_6 = { f7e1 c1ea06 69d2e8030000 2bca 750c ffb5e4fbffff ff15???????? } + $sequence_7 = { 33c0 33ff 6805ad890d 47 57 8945f0 8945f8 } + $sequence_8 = { 85c0 0f852b010000 68???????? 68???????? } + $sequence_9 = { 7557 b801000000 8b4dfc 33cd e8???????? 8be5 5d } + $sequence_10 = { 6a00 ffd0 6896000000 ff15???????? 68???????? ff15???????? } + $sequence_11 = { c3 68c8390324 6a01 e8???????? 59 59 } + $sequence_12 = { 7404 3bc3 7534 8bfb eb5d } + $sequence_13 = { e8???????? 59 59 53 ffd0 56 57 } + $sequence_14 = { 59 59 8b4df8 8d4c0902 } + $sequence_15 = { ffd0 5d c3 68e4559fda 6a05 e8???????? } condition: 7 of them and filesize < 188416 
@@ -101484,36 +101820,36 @@ rule MALPEDIA_Win_Lockergoga_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c3b2e831-52cd-5711-8143-4c283c706434" - date = "2026-01-05" - modified = "2026-01-06" + id = "ef55b580-deae-574e-aeb6-215a7787a1d8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lockergoga_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lockergoga_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "679ed446af7bd76c538308594efebe8a71cc5f0a66dc5648e19b704e8ba83810" + logic_hash = "b81c63d854905ac724012dc3f2ac11841a483d241590896f20a783ccf57cc1a9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c718 83c618 897dec 3bf3 75eb 8bc7 } - $sequence_1 = { 84c0 7405 8b7608 eb4e 8b8564ffffff 80780d00 743a } + $sequence_0 = { 64a300000000 c745e000000000 8b7508 c7461000000000 c746140f000000 c60600 8b4d0c } + $sequence_1 = { 8b4b54 8b75e8 8b5358 3bce 7425 8bfa 32c0 } $sequence_2 = { c645fc1b e8???????? 8d4db4 c645fc0e e8???????? 8b4d9c 8b06 } - $sequence_3 = { 56 83c0c8 50 e8???????? 837d9000 c745a800000000 0f8691000000 } - $sequence_4 = { 57 8d4d9c e8???????? 8b7da0 8b45cc c645fc0b } - $sequence_5 = { 8365ec00 ff75ec e8???????? 
59 0fb6c0 85c0 7408 } - $sequence_6 = { 51 50 e8???????? 8b45ec 83c408 c7461000000000 c746140f000000 } - $sequence_7 = { 895108 50 8bce e8???????? 8b560c 8d4508 50 } - $sequence_8 = { 6a08 8975ec c7450800000000 c70600000000 c7460400000000 c7460800000000 c7460c00000000 } - $sequence_9 = { 8b4da0 c6400100 8808 e9???????? b8ffffff7f 2bc1 83f801 } + $sequence_3 = { 8bd0 8b45d4 891408 8b4e04 8b55d0 8b0c08 83e201 } + $sequence_4 = { ff36 8bce e8???????? eb20 50 ff36 8bce } + $sequence_5 = { 8d4de0 e9???????? 8d4da4 e9???????? 8d8d24ffffff e9???????? 8d4da4 } + $sequence_6 = { c7470400000000 8d7708 c745fc00000000 8bce 8975ec c70600000000 c7460400000000 } + $sequence_7 = { 83430418 eb08 50 8bcb e8???????? 837dec10 8d45d8 } + $sequence_8 = { c745fc01000000 c707???????? 8b4b54 897d0c 894f04 85c9 7405 } + $sequence_9 = { 8b4d0c 010cd0 8354d00400 837d1000 0f84cc000000 8b5348 8b4b44 } condition: 7 of them and filesize < 2588672 
@@ -101523,57 +101859,56 @@ rule MALPEDIA_Win_Tinynuke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "26956b4b-2451-5deb-9643-68612b9d6236" - date = "2026-01-05" - modified = "2026-01-06" + id = "be3f3308-f3c9-557b-ac2f-03d1f80231c1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinynuke_auto.yar#L1-L293" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinynuke_auto.yar#L1-L280" license_url = "N/A" - logic_hash = "19ead60aa2eb3196f69ad300611cd24757349dd6202d9e3aa3460ca7368338a0" + logic_hash = "09cd6a4560e87039ad2e5d4645c08ca1af989c447e7d88147d0663fa6070fc94" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { c3 55 8bec 817d0c00040000 } - $sequence_1 = { ff15???????? ff35???????? 8b7dfc 57 a3???????? ff15???????? ff35???????? } - $sequence_2 = { 5e 85c0 753c 56 8d45f8 } + $sequence_1 = { 8d8530f6ffff 50 6802020000 ff15???????? } + $sequence_2 = { ff7508 ff15???????? 53 8bf0 8d45fc 50 ff750c } $sequence_3 = { 8945f4 8d85d4feffff 50 ff15???????? } - $sequence_4 = { 83c418 a3???????? 5f 5e 5b c9 c3 } - $sequence_5 = { 8d8530f6ffff 50 6802020000 ff15???????? } - $sequence_6 = { 53 56 57 33c0 33db 6a07 } - $sequence_7 = { 6a03 53 53 6800000080 50 ff15???????? a3???????? 
} + $sequence_4 = { 51 53 56 57 8d45fc 50 bb3f000f00 } + $sequence_5 = { ff15???????? 8bc3 5b 5f 5d c3 55 } + $sequence_6 = { 85c0 7526 56 8d45f8 50 56 } + $sequence_7 = { 50 ff15???????? ff35???????? 8d85a4feffff 50 ff15???????? } $sequence_8 = { ff75ec ff75fc e8???????? 83c40c 5f } - $sequence_9 = { 50 ff15???????? ff35???????? 8d85a4feffff 50 ff15???????? } - $sequence_10 = { a3???????? 68e2010000 68???????? 68???????? e8???????? } - $sequence_11 = { 8b02 8a00 3c0a 7409 3c0d } - $sequence_12 = { 6a2a 50 8945fc ff15???????? } - $sequence_13 = { ff15???????? a3???????? ff35???????? ff75ec ff15???????? } - $sequence_14 = { a3???????? ff35???????? ff75f8 ff15???????? } - $sequence_15 = { c70604000000 e8???????? eb18 83f803 7519 } - $sequence_16 = { 59 8d85d0fcffff 50 8d85d8feffff 50 ff15???????? ff35???????? } - $sequence_17 = { 8d45dc 50 ff15???????? 8d85d0fcffff 50 e8???????? } - $sequence_18 = { 8d85d4fdffff 50 ff15???????? ff35???????? 8d85d4fdffff 50 ff15???????? } - $sequence_19 = { ff15???????? 8b35???????? 8d430c 50 } - $sequence_20 = { e8???????? 8945fc 8b0f 83ec08 85c9 75d6 } - $sequence_21 = { c70424???????? e8???????? 83ec08 85c0 75d6 } - $sequence_22 = { 85c0 7422 8b0cb2 83ec08 03cf ba???????? } - $sequence_23 = { 891c24 89442408 e8???????? 0fb76f06 } - $sequence_24 = { c785e4fdffff00000000 c785e0fdffff01000000 f3ab ff15???????? 8d85e8fdffff 6804010000 } - $sequence_25 = { e8???????? 83ec08 89c3 c7042400000000 e8???????? } - $sequence_26 = { 5b c20800 891c24 e8???????? 83ec04 } - $sequence_27 = { 89bdb8fdffff ff15???????? 83bdbcfdffff01 7477 8b85c4fdffff } - $sequence_28 = { 83ec0c 31c0 83c43c 5b 5e } - $sequence_29 = { 837c243401 7537 c744241400000000 c744241000000000 c744240c00000000 c7442408???????? c744240400000000 } - $sequence_30 = { 85c0 75d6 31db 8d742600 c70424???????? } + $sequence_9 = { ff15???????? a3???????? ff35???????? ff75f8 ff15???????? } + $sequence_10 = { 6a2a 50 8945fc ff15???????? 
} + $sequence_11 = { 8a00 3c0a 7409 3c0d } + $sequence_12 = { a3???????? 68e2010000 68???????? 68???????? } + $sequence_13 = { e8???????? eb18 83f803 7519 } + $sequence_14 = { a3???????? ff35???????? ff75ec ff15???????? } + $sequence_15 = { 59 50 68???????? 68???????? ff15???????? } + $sequence_16 = { ff75fc 8d85f0fdffff 50 e8???????? 59 50 } + $sequence_17 = { 8d7de0 f3ab 8d45dc 50 ff15???????? 8d85d0fcffff 50 } + $sequence_18 = { ff15???????? 8b35???????? 8d430c 50 } + $sequence_19 = { 83c404 85c0 0f847c010000 5f 5e 5b } + $sequence_20 = { 7ee1 31db 8b049d1410e26e 85c0 7402 ffd0 } + $sequence_21 = { 8d50f8 d1ea 7432 8d4608 } + $sequence_22 = { 8344241814 8b442418 8b400c 85c0 75a4 } + $sequence_23 = { eb5d 8b54240c 81fa80000000 7c0e 0fba25????????01 0f82de1f0000 } + $sequence_24 = { 61 8b8decfeffff 8b95e8feffff 038dd0feffff } + $sequence_25 = { 89442418 8b400c 85c0 745c } + $sequence_26 = { 8bb0a0000000 2b6834 01de 8b16 85d2 7449 8b4604 } + $sequence_27 = { 837c243401 7537 c744241400000000 c744241000000000 c744240c00000000 c7442408???????? } + $sequence_28 = { 0f48c2 83c704 83c504 89442404 e8???????? 8945fc 8b0f } + $sequence_29 = { 732e 8b5304 b904000000 8d820000e06e } condition: 7 of them and filesize < 1196032 
@@ -101583,36 +101918,36 @@ rule MALPEDIA_Win_Fatal_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6ffdc4b6-3750-513f-882d-601b90060611" - date = "2026-01-05" - modified = "2026-01-06" + id = "ec19e1f9-e8cd-5f88-872b-ba05d62d5b04" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fatal_rat_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fatal_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "3b6c3f51dd6f327df47fc74ff663d2bedf14223af4a9dd48f5c4c4ee2763ed08" + logic_hash = "24febda351895f7660661e4345fe2bbb902ae75dcd74ecdb9a8cb74f1cd5fd28" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5d c3 55 8bec 8b4508 8b4d0c 2d00803ed5 } - $sequence_1 = { c3 55 8bec 81ec04020000 53 57 6a7f } - $sequence_2 = { 68???????? 89470c ff7508 ffd6 8b4f0c 894710 } - $sequence_3 = { ff15???????? 85c0 894508 0f84e9000000 8b35???????? 68???????? 50 } - $sequence_4 = { 8d85a4fdffff 56 50 8935???????? ff15???????? 83c40c 6a0a } - $sequence_5 = { 59 740d 6a00 68???????? ff15???????? c9 c3 } - $sequence_6 = { 83c310 ebaf 8d4dc0 c645fc01 } - $sequence_7 = { 57 6a00 ff7508 ffd6 } - $sequence_8 = { 750c 57 ff15???????? e9???????? 53 8d45fc } - $sequence_9 = { 50 ff15???????? 
ff75f4 8946f8 6a00 50 ff15???????? } + $sequence_0 = { ff15???????? 50 ffd6 85c0 7503 2145fc } + $sequence_1 = { 8d45e0 50 c645e26c c645e36d c645e46f c645e56e } + $sequence_2 = { 7405 83c8ff eb02 8bc3 5f 5e 5b } + $sequence_3 = { 50 ff15???????? 8bf0 3bf3 8975f8 0f840b010000 33ff } + $sequence_4 = { e8???????? 56 e8???????? ffb630af0100 8b8e40af0100 8b5510 894508 } + $sequence_5 = { 803900 75fa 56 57 8b7d10 8bd7 } + $sequence_6 = { ff75ec ffd6 53 6a01 57 ff75ec ffd6 } + $sequence_7 = { 833901 7407 b800000800 eb0c 8b4904 50 ff750c } + $sequence_8 = { 6685c0 741f 83ffff 7e1a 83fe40 7e15 83fe5d } + $sequence_9 = { 0f86ec000000 8365f000 8945ec df6dec dc0d???????? dc05???????? e8???????? } condition: 7 of them and filesize < 344064 
@@ -101622,36 +101957,36 @@ rule MALPEDIA_Win_Aurora_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cb6e66dc-0b30-52d7-abd2-183f4137b9af" - date = "2026-01-05" - modified = "2026-01-06" + id = "51ed4883-29c7-5db1-ae37-e45ef237ed01" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aurora_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aurora_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "736e5133ae609420c62fd5eab55e12d52695b2d2a929e74285f1e9a94056c135" + logic_hash = "096cba69160414cb93810db5641c0d92338473a05bdca2545ec054e9ad37243c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 8d4dc0 e8???????? 68???????? c645fc01 e8???????? } - $sequence_1 = { 6a1f 68???????? c745d40f000000 c745d000000000 c645c000 e8???????? c645fc01 } - $sequence_2 = { 0f8259ffffff 8d4de4 e8???????? 8bc6 8b4df4 64890d00000000 59 } - $sequence_3 = { 75f9 2bca 51 53 8d4dd0 e8???????? } - $sequence_4 = { 0f45c2 50 e8???????? 8bfb } - $sequence_5 = { 68???????? 8d8de4f1ffff c785f8f1ffff0f000000 c785f4f1ffff00000000 c685e4f1ffff00 e8???????? } - $sequence_6 = { c785b8efffff0f000000 c785b4efffff00000000 c685a4efffff00 e8???????? 
8d8dbcefffff } - $sequence_7 = { 0f8483000000 c1e706 03f8 83c106 894ddc 7869 8bc7 } - $sequence_8 = { 68???????? 8d8d24f1ffff c78538f1ffff0f000000 c78534f1ffff00000000 } - $sequence_9 = { a1???????? 33c5 50 8d45f4 64a300000000 c745ec00000000 83ec18 } + $sequence_0 = { 50 e8???????? 8bb5c8feffff 56 ffd3 46 03f0 } + $sequence_1 = { 8d8db4f1ffff c785c8f1ffff0f000000 c785c4f1ffff00000000 c685b4f1ffff00 e8???????? } + $sequence_2 = { 0f57c0 83c608 660fd645e8 83ef01 0f856cffffff } + $sequence_3 = { e8???????? 6a03 68???????? 8d8d7cf0ffff c78590f0ffff0f000000 c7858cf0ffff00000000 c6857cf0ffff00 } + $sequence_4 = { e8???????? ff75e8 837dec10 8d45d8 6a00 0f4345d8 8d4da8 } + $sequence_5 = { 6a02 68???????? 8d8de4eeffff c785f8eeffff0f000000 } + $sequence_6 = { 52 8d4dd8 e8???????? c645fc01 8d4dc0 } + $sequence_7 = { 3c2f 0f85aa000000 837f1410 7204 8b07 eb02 } + $sequence_8 = { 837e1410 8955c4 895610 7202 } + $sequence_9 = { 47 8d85d8feffff 50 8d8df8feffff } condition: 7 of them and filesize < 827392 
@@ -101661,36 +101996,36 @@ rule MALPEDIA_Win_Rustonotto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c96a83b8-aab4-55d7-a6bc-2f4705409146" - date = "2026-01-05" - modified = "2026-01-06" + id = "15abc477-d851-5dfb-b220-8c9208492544" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustonotto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rustonotto_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rustonotto_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "1a2f2499fd9c35d46eb281cf2189d5af496ab41ea2f40681381bfb3d9321a241" + logic_hash = "65ca2e6702959df21644c6b75936481ebda3164f1edd2df59ea9fbcb8d0d437c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4889fa 84c0 0f84befdffff 488b0d???????? 488b4138 4885c0 } - $sequence_1 = { e8???????? 4983c4f9 488d8528010000 0f1f4000 4c8b30 450fb7aed2030000 498d742401 } - $sequence_2 = { eb02 31c0 66897d08 6689750a 488945f8 488d05a4751800 48894500 } - $sequence_3 = { eb0f b908000000 ba18000000 e8???????? 0f0b 90 4889542410 } - $sequence_4 = { 84c0 0f85d8feffff c6470101 e9???????? c685c700000000 e8???????? 84c0 } - $sequence_5 = { 740f 488d4d60 488b5550 4c8b4558 ff5020 90 4883c430 } - $sequence_6 = { e8???????? 
0fb64520 3c03 751f 4183bf1801000001 0f858d000000 66c7060305 } - $sequence_7 = { e8???????? 8b8580040000 83f802 7432 83f803 0f84ba1d0000 a801 } - $sequence_8 = { 747b 8b514c 448b8990000000 4101d1 b801000000 7058 0f88f4010000 } - $sequence_9 = { c6858f04000001 c6858e04000000 8b8578040000 88858d040000 c6858c04000001 c6858b04000001 488d0d2f2a1000 } + $sequence_0 = { 755f ba010000c0 f00fc111 81c2010000c0 81fa00000040 72a4 e8???????? } + $sequence_1 = { c3 488d0523461b00 4889ce 4889c1 e8???????? 4889f1 89c2 } + $sequence_2 = { 83f902 0f83e1040000 488b0f c6850f04000001 e8???????? 84c0 0f84d2040000 } + $sequence_3 = { c6859309000001 0f28742440 0f287c2430 4883c458 5b 5f 5e } + $sequence_4 = { f00fb04e10 7566 b901000000 31c0 f0480fb10e 0f94c1 7534 } + $sequence_5 = { e8???????? e9???????? 4c8d05e5491b00 4889f1 4889fa e8???????? e9???????? } + $sequence_6 = { ba35000000 e8???????? eb68 48899da8010000 4c89adb0010000 4c897d68 4889b5b8010000 } + $sequence_7 = { 7408 488908 e9???????? 6641c746220100 6641895624 4c8b7c2430 488b542438 } + $sequence_8 = { 7714 4489c0 83e003 4983f804 7343 4531db e9???????? } + $sequence_9 = { 85c0 0f8462fbffff 488b0d???????? e8???????? 89c2 84c0 0f859afeffff } condition: 7 of them and filesize < 5989376 
@@ -101700,36 +102035,36 @@ rule MALPEDIA_Win_Kikothac_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a1785b6-f597-5e86-8c4e-a3c4c36845cf" - date = "2026-01-05" - modified = "2026-01-06" + id = "1fa78b73-bb1f-57f6-a8e9-b622d8e0ede4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kikothac_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kikothac_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "783b1a1a8c3b3dc323ec01428cfa46b90f3abf925fa4bb401d1a6455aac8c5f6" + logic_hash = "b02af1756199e51401b4155e33587ee753667afd908709121e8fdd68d090d98d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 668945de e8???????? 83f8ff 0f84c2000000 803d????????00 } - $sequence_1 = { 80ce63 3485 80f601 041b 660fbdd0 } - $sequence_2 = { 8b140e 52 8d5dfc e8???????? 83c404 84c0 7509 } - $sequence_3 = { 57 8bc2 c1f805 8b0485c0514100 8bfa 83e71f } - $sequence_4 = { 660fbae309 8a46ff c1da07 f6c3a7 28d8 51 } - $sequence_5 = { 5b 8b7708 8b7f04 84c0 751a e8???????? 
84c0 } + $sequence_0 = { 9c 688f9a75da 668910 c60424cd } + $sequence_1 = { 660fb6f2 66c704242554 0fb6f1 9c 894c2420 ff742404 } + $sequence_2 = { 59 59 8b7508 8d34f5e0214100 391e } + $sequence_3 = { 9c 8f442444 9c 89742444 5e 66f7d6 8db3afd65e6a } + $sequence_4 = { 48 9c 40 00749c40 } + $sequence_5 = { 8d34e5363be8b1 8b742458 882c24 66c744240865f2 } $sequence_6 = { f5 f6d8 9c 28c3 f9 } - $sequence_7 = { 8b4df4 03c2 668b55f8 8908 8a4dfa 66895004 884806 } + $sequence_7 = { 89742424 60 894c2440 660fbef0 660fce } $sequence_8 = { c64424080e 50 38c6 98 } - $sequence_9 = { 660fb6f3 8db30307ad85 c744244800000000 8db7ec8bddf1 8b742474 9c ff3424 } + $sequence_9 = { 9c 8d64242c e9???????? f6dc 8b4500 d2d6 } condition: 7 of them and filesize < 581632 
@@ -101739,47 +102074,47 @@ rule MALPEDIA_Win_Lumma_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "18aafe26-24fd-5a9a-bbc9-ae4c88d965fc" - date = "2026-01-05" - modified = "2026-01-06" + id = "f2244960-3b18-5468-827a-79d29ee0dbef" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lumma_auto.yar#L1-L194" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lumma_auto.yar#L1-L195" license_url = "N/A" - logic_hash = "5ba9e6acd0a483b46312a1312db0d7f170a01587be01ff146763c3e3b48ae6c9" + logic_hash = "0e65c60ec7841d9a3110bc5423f06dcbfbc8da401420dfec59cc9b0939489cdf" score = 75 - quality = 73 + quality = 71 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 ff767c ff7678 ff7644 } - $sequence_1 = { ffd0 83c40c 894648 85c0 } - $sequence_2 = { 894604 8b461c c1e002 50 } - $sequence_3 = { ff7678 ff7644 ff563c 83c414 } + $sequence_0 = { 57 53 ff767c ff7678 ff7644 } + $sequence_1 = { 894614 8b461c c1e002 50 } + $sequence_2 = { ff7678 ff7644 ff563c 83c414 } + $sequence_3 = { ffd0 83c40c 894648 85c0 } $sequence_4 = { 833800 740a e8???????? 833822 } $sequence_5 = { 66894316 0fb7560e 0fb74e0c e8???????? } - $sequence_6 = { 66894338 8b4626 89433c 8b462a } - $sequence_7 = { 8b4610 894320 8b4614 894328 } - $sequence_8 = { e8???????? 
83c40c 6a02 6804010000 e8???????? } - $sequence_9 = { 017e78 83567c00 017e68 83566c00 } - $sequence_10 = { 83f900 75f1 83ec04 8b4508 e8???????? 89ec 5d } - $sequence_11 = { 31c0 837e3808 0f94c0 294628 } - $sequence_12 = { 0f94c3 89d5 09cd 0f95c7 } - $sequence_13 = { 0f95c7 30df 7514 837e6c00 } - $sequence_14 = { 8b5204 45 8b4208 45 8b4a0c 49 83fe04 } + $sequence_6 = { 8b4610 894320 8b4614 894328 } + $sequence_7 = { 66894338 8b4626 89433c 8b462a 894340 } + $sequence_8 = { 017e78 83567c00 017e68 83566c00 } + $sequence_9 = { 83c40c 6a02 6804010000 e8???????? } + $sequence_10 = { 01c9 39dd ba00000000 19c2 } + $sequence_11 = { 234608 7418 8b8684000000 29f8 } + $sequence_12 = { 01dc 41 5d 41 } + $sequence_13 = { 0f94c3 89d5 09cd 0f95c7 30df 7514 837e6c00 } + $sequence_14 = { 31c0 837e3808 0f94c0 294628 } $sequence_15 = { 01e8 56 ff742424 50 } - $sequence_16 = { 50 57 ff7618 e8???????? 83c40c 894618 } - $sequence_17 = { 01c9 39dd ba00000000 19c2 72f1 } - $sequence_18 = { 234608 7418 8b8684000000 29f8 } - $sequence_19 = { 31ed 89ae88000000 c7868c00000000000000 899e80000000 833e00 } - $sequence_20 = { 8b550c 6bd204 89d1 83e904 8b5510 8b1c0a } + $sequence_16 = { 49 c7c600000000 44 8b5510 44 8b750c } + $sequence_17 = { 50 57 ff7618 e8???????? 83c40c 894618 } + $sequence_18 = { 56 41 57 41 54 41 } + $sequence_19 = { 30df 7514 837e6c00 750e 8b6e68 837c242804 } + $sequence_20 = { 50 55 e8???????? 83c40c 8b4b04 } condition: 7 of them and filesize < 1115136 
@@ -101790,10 +102125,10 @@ rule MALPEDIA_Win_Poison_Rat_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "7c6f2ea3-14d0-5bd3-b5de-002b01a6e4ac" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poison_rat_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poison_rat_auto.yar#L1-L113" license_url = "N/A" logic_hash = "3e3b3a6380a6de226db390b398cafc3338e9d953c2f6c73b523494bf22932b99" score = 75 @@ -101802,9 +102137,9 @@ rule MALPEDIA_Win_Poison_Rat_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -101828,42 +102163,42 @@ rule MALPEDIA_Win_Netrepser_Keylogger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f772ff80-f7e1-59f5-b4f9-deba38267db2" - date = "2026-01-05" - modified = "2026-01-06" + id = "d0a04d1e-f3ab-5636-a5b0-3700ec467df3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.netrepser_keylogger_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.netrepser_keylogger_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "13abde176c0dbe626f8e6b9e0859b33d03f906fc80a16b44518b3026f31a5776" + logic_hash = "380da314ab8805ac99e8194e064dd48f99629e0d13aef467283afe384726f354" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 ff15???????? 8b550c 8902 8b450c 833800 742b } - $sequence_1 = { 51 8b5510 8b02 50 e8???????? 83f8ff 7507 } - $sequence_2 = { 895108 8b4538 89410c 8b553c 895110 8b4528 50 } - $sequence_3 = { 8b45e4 8945c0 eb07 c745c000000000 } - $sequence_4 = { 833d????????00 0f85ab000000 c645dc53 c645dd48 } - $sequence_5 = { 81ec3c010000 6804010000 8d85e0feffff 50 6a00 ff15???????? } - $sequence_6 = { 8d4310 8d89245b4100 5a 668b31 41 668930 41 } - $sequence_7 = { e9???????? c645cc44 c645cd41 c645ce54 } - $sequence_8 = { 8b701c 8bcf e8???????? 
8b4c240c 0fb711 } - $sequence_9 = { c74424104c6f6164 c74424144c696272 c744241861727941 8974241c ff15???????? 8bc8 } - $sequence_10 = { 8b4d18 8d7520 e8???????? 83c418 85c0 } - $sequence_11 = { 8b0d???????? 51 e8???????? 8b442430 8b542414 8910 83c404 } - $sequence_12 = { ff15???????? a3???????? 8b542448 6a40 6800300000 52 6a00 } - $sequence_13 = { 3bc5 7d08 5d 33c0 5b 83c418 } - $sequence_14 = { 85c0 750d 8b442418 e8???????? 85c0 } - $sequence_15 = { 81c408010000 c3 8bff 55 8bec } + $sequence_0 = { 0fb78decfeffff 51 0fb795eafeffff 52 0fb785e6feffff 50 } + $sequence_1 = { e8???????? 83c408 8b55f8 52 a1???????? 8b4840 ffd1 } + $sequence_2 = { b801000000 e9???????? 6a10 8d55f0 } + $sequence_3 = { 7420 8b4508 0345fc 0fbe08 85c9 7413 8b55fc } + $sequence_4 = { 83c001 8945f8 8b4df8 3b4dfc 737d 8b550c } + $sequence_5 = { 52 8d8530f8ffff 50 8d8d88f8ffff 51 6a00 6a10 } + $sequence_6 = { 83e10f c1e102 0fb655ea 81e2c0000000 c1fa06 } + $sequence_7 = { 6a00 6a02 6800000040 8d8df0feffff 51 } + $sequence_8 = { c744240846726565 c744240c5265736f c744241075726365 c744241400000000 ff15???????? } + $sequence_9 = { 8904bd70584000 8b4c2448 5e 5b } + $sequence_10 = { e8???????? 83c418 85c0 7662 50 } + $sequence_11 = { ff15???????? 8b442414 6683f809 7505 bd02000000 5b e8???????? } + $sequence_12 = { 7537 3905???????? 7509 57 } + $sequence_13 = { 8975fc 3bc6 0f84f0010000 3bde 0f84e8010000 397570 0f84df010000 } + $sequence_14 = { 89551c c6452000 6a3f 6a00 } + $sequence_15 = { 51 8d561a 52 c64619b8 e8???????? 83c448 c6461eff } condition: 7 of them and filesize < 303104 
@@ -101873,36 +102208,36 @@ rule MALPEDIA_Win_Ati_Agent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7923380a-3a79-5e9d-9e37-869ed5e218b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "ded4446c-c0be-525f-aed0-b70c11b9927f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ati_agent_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ati_agent_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "6ad1a7df4d93d69034a0d3b89b3f7bb98b02a7b32cfc4a510150a1520d075ff9" + logic_hash = "d4579777905ef21fa280a29752c734303caeb82a23519ee3bf80894204b98d58" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4885c0 7404 f0440108 488d4158 41b806000000 488d1532cf0000 } - $sequence_1 = { c3 48895c2408 4889742410 57 4883ec70 8bf2 } - $sequence_2 = { 48895c2408 57 4883ec20 488d1d67870000 } - $sequence_3 = { 488d4158 41b806000000 488d1594c50000 483950f0 740b } - $sequence_4 = { 4883ec40 488b05???????? 4833c4 4889442438 498bf0 488bfa } - $sequence_5 = { 7d16 4863cf 8a84191d010000 42888401e0e80000 ffc7 ebde } - $sequence_6 = { 4c8bef 49c1fd05 4c8d3528e20000 83e31f 486bdb58 } - $sequence_7 = { e8???????? 4883c448 c3 4053 4883ec40 8bd9 } - $sequence_8 = { 48890d???????? 
c3 4883ec28 4c8bc1 } - $sequence_9 = { e8???????? b9ff000000 e8???????? 488bfb 4803ff 4c8d2df1790000 49837cfd0000 } + $sequence_0 = { 8bd7 89542420 81fa01010000 7d13 4863ca 8a44191c 42888401d0e70000 } + $sequence_1 = { 7326 e9???????? 8a03 488d152dc00000 ffc7 } + $sequence_2 = { 48c1f805 486bc958 48030cc2 eb07 488d0dc4690000 f6410820 7417 } + $sequence_3 = { 4883ec48 488b05???????? 4833c4 4889442438 e8???????? 4c8bd8 } + $sequence_4 = { 48897c2418 4154 4883ec20 4c8d25a8c70000 33f6 } + $sequence_5 = { 4883ec28 e8???????? 4885c0 7509 488d058fc70000 eb04 4883c010 } + $sequence_6 = { 4c8d253b6a0000 493bdc 7408 488bcb } + $sequence_7 = { f0800c2400 e9???????? 48895c2408 4889742410 48897c2418 4154 } + $sequence_8 = { 33c0 ebdb 48895c2418 55 56 57 } + $sequence_9 = { 488d0da07b0000 483bd9 723e 488d05247f0000 } condition: 7 of them and filesize < 172032 
@@ -101912,36 +102247,36 @@ rule MALPEDIA_Win_Nighthawk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f73d8e8e-0e22-5d8b-a28a-19526ca65051" - date = "2026-01-05" - modified = "2026-01-06" + id = "1ea956b0-be8c-5890-911a-c393aa58e8a5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nighthawk_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nighthawk_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "83ca7d457445609b911357175ebed2dd8acc41dfcf066ffda805bb2cf527d439" + logic_hash = "4b751c3e5abba245cd70e3ad89ca9e58ef5b2ca9415a570dd8fcbbbd6942fa59" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4885c9 7405 e8???????? 4883631000 48c743180f000000 c60300 4883c320 } - $sequence_1 = { e8???????? 488b4810 4883781810 7203 488b00 4885c9 7425 } - $sequence_2 = { 4c89b5a0010000 4c89bda8010000 4488b590010000 48399dc8010000 7211 488b8db0010000 4885c9 } - $sequence_3 = { 4c89742430 4c89742440 48c74424480f000000 41b814000000 488d15deaf0500 488d4c2430 e8???????? } - $sequence_4 = { 4c8b43f8 4d85c0 742b 4883c8ff 48ffc0 44382407 75f7 } - $sequence_5 = { 4c8b32 492bee 488bc5 48c1f803 480fafc1 4885ed 7473 } - $sequence_6 = { 488d542420 488bce e8???????? 
90 eb2b 4c892e 41be0f000000 } - $sequence_7 = { 57 4883ec40 488360f000 488bf1 83601800 488d0da9db0700 8bda } - $sequence_8 = { e9???????? 83fa06 0f8553010000 8d7209 443821 742e 4c8965e0 } - $sequence_9 = { eb05 448974246c 4889b580020000 4889b590020000 4889bd98020000 41b823000000 488d1537f50700 } + $sequence_0 = { 740e 83e901 7412 83f901 0f858b000000 f6838000000010 eb07 } + $sequence_1 = { e8???????? 90 48897597 488975a7 4c896daf 41b81d000000 488d15d3020800 } + $sequence_2 = { 7211 488b8d40080000 4885c9 7405 e8???????? 4889b550080000 4889bd58080000 } + $sequence_3 = { 4c89642448 6644897c2430 e8???????? 4c8d442430 488b5320 e8???????? 85c0 } + $sequence_4 = { 4c2bc7 4803d7 488d8c2430010000 e8???????? 90 4c3ba424a0000000 744f } + $sequence_5 = { e8???????? 85c0 0f8517010000 80fb2c 0f840e010000 80fb5d 0f8405010000 } + $sequence_6 = { 90 83ff03 0f85d1040000 8bfb 488b5c2440 488d4c2430 48837c244808 } + $sequence_7 = { c3 e8???????? 90 cc 4883ec28 488b09 4885c9 } + $sequence_8 = { 4c896e20 6644897e08 4883c660 488d4ec8 483bcd 0f856affffff 488b5c2450 } + $sequence_9 = { 743f 0fb7d9 81cb00000780 85c9 0f4ed9 eb2f 488b8de8000000 } condition: 7 of them and filesize < 1949696 
@@ -101951,36 +102286,36 @@ rule MALPEDIA_Win_Xxmm_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "800c8101-0763-52f5-a1e9-65fcf4499abd" - date = "2026-01-05" - modified = "2026-01-06" + id = "8925137d-0454-5308-8167-8499dccc38ba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xxmm_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xxmm_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "b2b78d64096201d10c34f38aaeb6c676ad8ec13dc60f928c2884568102dbff1f" + logic_hash = "64701b9777df6a51d947f49047cbe004510d236a53d10ce39dfec60da2ae0f29" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895d08 47 81e7ff000080 7908 } - $sequence_1 = { 8a0408 8b55fc 320432 8806 46 ff4d08 759b } - $sequence_2 = { 23c3 013c08 eb1e 6683ff01 } - $sequence_3 = { 8b45f4 83c704 85c0 7406 } - $sequence_4 = { 7580 8b45f8 2b4634 83bea400000000 8945fc 0f8481000000 8b96a0000000 } - $sequence_5 = { 8d040f 0fb610 035510 81e2ff000080 7908 } - $sequence_6 = { 3bc1 0f8568feffff 8b733c 6a40 6800300000 03f3 ff7650 } - $sequence_7 = { 23c3 66013c08 8b45e0 8345f402 85c0 } - $sequence_8 = { 77b7 8b45f0 8b5dfc 33c9 394de4 7414 } - $sequence_9 = { 8945fc e8???????? 8b45fc 6800240000 bf???????? 
03c3 57 } + $sequence_0 = { 8b00 03c1 8945e4 eb31 81fbaafc0d7c } + $sequence_1 = { 33d2 8bc6 f7750c 8b4508 0fb60402 0fb6140e 03d8 } + $sequence_2 = { 57 bf00010000 880408 40 } + $sequence_3 = { 394de0 740f 394dec 740a } + $sequence_4 = { 56 57 33ff 8bf0 397d08 0f84bc000000 397d10 } + $sequence_5 = { 4a 75f7 8b5dfc 83c728 } + $sequence_6 = { 33db 33f6 33d2 8bc6 } + $sequence_7 = { 6683ff02 750a 668b7dfc 23c3 66013c08 } + $sequence_8 = { e8???????? 8bd8 895dfc b84d5a0000 663903 7517 8b433c } + $sequence_9 = { 8b540e1c 8d0482 03c1 81fb8e4e0eec } condition: 7 of them and filesize < 540672 
@@ -101990,36 +102325,36 @@ rule MALPEDIA_Win_Godzilla_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "be70f5e8-f454-5cf5-9a53-9b79088ce98e" - date = "2026-01-05" - modified = "2026-01-06" + id = "a74e0a1b-f808-5b53-ab17-5665661bd877" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.godzilla_loader_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.godzilla_loader_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "192fb36ce99cb3fd5c305739a3550413e1aac5f25669dd240cdac235353c820b" + logic_hash = "bd48c81366cacd5f1be99dc6efce1d79832d533030e0f846d63edccabeaa85bc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 57 ff7508 ff15???????? 8bf0 56 } - $sequence_1 = { 8d45fc 50 57 6a01 56 ff7508 } - $sequence_2 = { 6a00 8bf8 8d45fc 50 57 6a01 56 } - $sequence_3 = { 6a01 56 ff7508 8975fc } - $sequence_4 = { 53 53 53 6800000088 } - $sequence_5 = { a5 ff512c 85c0 756c } - $sequence_6 = { a5 50 a5 ff512c 85c0 756c } - $sequence_7 = { 8b08 50 ff11 85c0 7527 } - $sequence_8 = { 8bec 51 56 57 ff7508 ff15???????? 8bf0 } - $sequence_9 = { 53 53 53 53 6800000088 } + $sequence_0 = { 8b08 53 50 ff91f0000000 } + $sequence_1 = { 56 57 ff7508 ff15???????? 
8bf0 56 } + $sequence_2 = { 51 56 57 ff7508 ff15???????? 8bf0 } + $sequence_3 = { 8d45fc 50 57 6a01 56 ff7508 } + $sequence_4 = { 8bf8 8d45fc 50 57 6a01 56 } + $sequence_5 = { 8d45fc 50 57 6a01 56 ff7508 8975fc } + $sequence_6 = { 6a01 56 ff7508 8975fc } + $sequence_7 = { 6a00 6a00 8bf8 8d45fc 50 57 } + $sequence_8 = { 3bc3 7409 8b08 50 ff9180000000 } + $sequence_9 = { 57 6a01 56 ff7508 8975fc ff15???????? } condition: 7 of them and filesize < 155648 
@@ -102029,81 +102364,120 @@ rule MALPEDIA_Win_Splitloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1a1cb38c-8464-5fc4-a742-33ff9af7dc5d" - date = "2026-01-05" - modified = "2026-01-06" + id = "921d3356-2722-53ac-8250-dd0cc7ea5e5b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.splitloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.splitloader_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.splitloader_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "16d8d2ed74e30686bcfb5a681aebf6245d42317682bf1d1bc1fbb6f6c4392dc3" + logic_hash = "d6a390b70948f794f39be9da944fc8149cfb46ac0abcc61ba408624052ca713e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c6817401000043 c681f701000043 488d0524910000 488981b8000000 b90d000000 e8???????? } - $sequence_1 = { 8bca 418984240cab0000 48014d10 85c0 790a b8fdffffff } - $sequence_2 = { 8b430c 8905???????? 8bd7 4c8d05f073ffff 89542420 83fa05 } - $sequence_3 = { 488bcf 4889742420 ff15???????? 4533c9 } - $sequence_4 = { 488be9 41be08000000 4d85e4 750e 418d46f6 4883c460 415e } - $sequence_5 = { 48897c2418 4154 4883ec20 4c8d25fc970000 33f6 } - $sequence_6 = { 750e 0f1f4000 4883c702 6644391f 74f6 } - $sequence_7 = { 8905???????? 8b430c 8905???????? 
8bd7 4c8d05f073ffff 89542420 } - $sequence_8 = { eb9a 488d15df660000 488d0dc0660000 e8???????? 488d15dc660000 } + $sequence_0 = { 418b8424f82a0000 4129b424fc2a0000 297518 01751c 418b8c24fc2a0000 03c6 } + $sequence_1 = { ffc2 4183f802 7514 81fa04010000 730c 4885c9 } + $sequence_2 = { 4883c108 48ffcb 7409 488b05???????? ebe6 4533c0 488d1593970000 } + $sequence_3 = { ff15???????? 85c0 7445 4863ef 488d0dfcb20000 } + $sequence_4 = { 4883c002 66443918 74f6 0fb708 85c9 7467 } + $sequence_5 = { 7436 90 66413bc1 742f } + $sequence_6 = { 488b442470 4c2bdb 4c8918 41f6c209 0f8432010000 4585e4 0f8829010000 } + $sequence_7 = { ff15???????? 448b5c2440 41bc08000000 8bd6 458bd4 448bce } + $sequence_8 = { eb0a 4883c002 41ba22000000 0fb708 6683f922 7438 90 } $sequence_9 = { 6644391f 750e 0f1f4000 4883c702 } condition: 7 of them and filesize < 174080 } +rule MALPEDIA_Win_Chrysalis_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "2c7dc2a2-5283-53b6-a21c-10eed633f453" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chrysalis" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chrysalis_auto.yar#L1-L129" + license_url = "N/A" + logic_hash = "cbe5b3de7508fb1aafcc019e676ab361b14786c785157476dc210525386a2ae6" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { e8???????? 
8bbdb0fdffff 83bdccfdffff10 8d85b8fdffff 56 0f4385b8fdffff ffb5acfdffff } + $sequence_1 = { 0f1001 0f11040f f30f7e4110 660fd6440f10 } + $sequence_2 = { 83f81f 0f87aa000000 52 51 e8???????? 83c408 8b55a0 } + $sequence_3 = { 0f92c1 f7d9 0bc8 51 ffb59cf6ffff e8???????? 0f108578f6ffff } + $sequence_4 = { e9???????? 8b5710 8bc1 8b4dd8 8b0c81 3bca 7218 } + $sequence_5 = { 66898536fdffff 8d4a5e e8???????? ba15000000 66898538fdffff 8d4a60 e8???????? } + $sequence_6 = { 2bc1 83c0fc 83f81f 7734 e9???????? 52 } + $sequence_7 = { 6a00 68e9fd0000 ffd1 8b85a0f6ffff 8b0d???????? 898580f6ffff } + $sequence_8 = { ba20000000 6689854efdffff e8???????? 668b0d???????? ba21000000 66898550fdffff e8???????? } + $sequence_9 = { 6633f0 6689745c38 43 83fb05 0f8252ffffff 8b15???????? 33c0 } + + condition: + 7 of them and filesize < 2514944 +} rule MALPEDIA_Win_Teslacrypt_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b939144-964e-5aba-aac8-37aa145cbdf7" - date = "2026-01-05" - modified = "2026-01-06" + id = "03f2d18c-3357-52fc-9fa0-40e744bb403c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.teslacrypt_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.teslacrypt_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "de3676df661439e8c55092a036c1132b34328a8e3d35af949d4b63145f8cc259" + logic_hash = "4882fcf0c6bb762947a761e825d36c7e0e26056417cb52f713b39ae2b4309735" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = 
"20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 31f7 897d04 31f9 894d08 } - $sequence_1 = { 31f7 89bdc4000000 31f9 898dc8000000 31ca 8995cc000000 89d0 } - $sequence_2 = { 31f9 894d08 31ca 89550c 89d0 } - $sequence_3 = { 33451c 89453c 51 52 89f2 c1c808 0fb6c8 } - $sequence_4 = { 31f7 89bda4000000 31f9 898da8000000 31ca 8995ac000000 89d0 } - $sequence_5 = { 3345f4 894514 3345f8 894518 3345fc 89451c 51 } - $sequence_6 = { 335d04 334d08 33550c 81ffa0000000 0f8452030000 81ffc0000000 0f84ac010000 } - $sequence_7 = { 334500 335d04 8b6c2418 894500 895d04 897508 897d0c } - $sequence_8 = { 83fa00 89442418 894c2414 89542410 7d23 8b442410 } - $sequence_9 = { 8b54244c 8916 c7460804000000 89442448 ffd1 83ec10 8b4c2448 } - $sequence_10 = { 8b442438 c70001000000 8b442428 c70002000000 } - $sequence_11 = { 894c243c 74b0 e8???????? 89e1 8901 c74104???????? e8???????? } - $sequence_12 = { 8b4c2460 ffd1 83ec08 8944240c } - $sequence_13 = { 8b4c2434 8b11 8b742438 29d6 8b7c243c } - $sequence_14 = { e8???????? 31c9 89c2 83c218 } - $sequence_15 = { 89442408 885c2407 88742406 7428 8b442408 83c001 } + $sequence_0 = { 33457c 89859c000000 51 52 89f2 c1c808 0fb6c8 } + $sequence_1 = { 3345fc 89451c 51 52 } + $sequence_2 = { 3345f8 894518 3345fc 89451c } + $sequence_3 = { 334500 335d04 83c510 8b7508 } + $sequence_4 = { 3345f4 894514 3345f8 894518 } + $sequence_5 = { 0f84ac010000 81ffe0000000 740a b8ffffffff e9???????? } + $sequence_6 = { 334500 335d04 334d08 33550c 81ffa0000000 0f8452030000 } + $sequence_7 = { 33550c 81ffa0000000 0f8456030000 81ffc0000000 0f84ae010000 } + $sequence_8 = { 7456 8b44241c 8b08 83f1ff 8908 390d???????? 7529 } + $sequence_9 = { 89542418 756a 8b442418 83f0ff 890424 e8???????? 83f800 } + $sequence_10 = { 8b12 8915???????? 
83f2ff 8bb1c4000000 8916 89442424 } + $sequence_11 = { 8b44241c 668b4824 8b5028 89c6 83c610 8b7c2434 397810 } + $sequence_12 = { 0fb77214 01f1 89442420 894c241c eb2c 8b442428 } + $sequence_13 = { 8916 89442424 e9???????? 8b442434 8b08 81f9050000c0 894c2420 } + $sequence_14 = { 8b91b8000000 8b742428 39d6 8944241c } + $sequence_15 = { 83f6ff 8932 89442424 eb15 8b442430 890424 } condition: 7 of them and filesize < 1187840 
@@ -102113,36 +102487,36 @@ rule MALPEDIA_Win_Chaperone_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5d73acaa-0673-57ad-848f-864644fbbeea" - date = "2026-01-05" - modified = "2026-01-06" + id = "3066427d-87e8-5913-b7f1-f941f10f276f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chaperone_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chaperone_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "891c6d4b90ff2712f27f9dbb971bf9587d22b60dd85391f9a0f86beba2f74383" + logic_hash = "4e322f47e0a918b2877ba0917282a9cd49fff775f9a9c6b3cc2bc03f73873c67" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b442458 4839442428 0f8dd0000000 0fb6442421 83c001 } - $sequence_1 = { ff15???????? 48898424902b0000 488d742470 488bbc24902b0000 b990180000 } - $sequence_2 = { b9ffff1f00 ff15???????? 
4889842450020000 4883bc245002000000 0f842b020000 4c8d842458020000 baff010f00 } - $sequence_3 = { 48898424c0020000 837c243400 746b 4c8b842490000000 8b542434 488b8c24c0020000 } - $sequence_4 = { 488d7c2450 488d35fba70000 b926000000 f3a4 } - $sequence_5 = { 4889542410 48894c2408 4883ec48 488b442460 0fb68000010000 88442421 } - $sequence_6 = { 488b0424 480590180000 48890424 ebb7 488b442420 } - $sequence_7 = { 85c0 750a b801000000 e9???????? 488d442440 4889842498030000 488d842460030000 } - $sequence_8 = { 4533c9 4533c0 33d2 33c9 e8???????? 488d158a090100 } - $sequence_9 = { 488bd9 448d6eff 443bd7 754f 4c8d0565ce0000 458bcd ba00010000 } + $sequence_0 = { 0f8557010000 488dbc2428050000 488d35aca90100 b92a000000 f3a4 488d8c2428050000 e8???????? } + $sequence_1 = { 488d1591c80000 448bc7 8bcf ff15???????? } + $sequence_2 = { e8???????? 4863942440010000 4c8d442430 488b4c2420 e8???????? 488b8c2458010000 4833cc } + $sequence_3 = { 488d7b58 be06000000 488d05d5bd0100 483947f0 } + $sequence_4 = { 89442424 448b442424 33d2 b900040000 ff15???????? 4889442470 48837c247000 } + $sequence_5 = { 837c243000 740a 83bc24a00700001f 7545 488d442434 4889442428 8b8424a0070000 } + $sequence_6 = { 48898424c0020000 837c243400 746b 4c8b842490000000 8b542434 488b8c24c0020000 e8???????? } + $sequence_7 = { 488d8c24b0440000 e8???????? 4885c0 0f8441030000 488d8c24b0440000 e8???????? } + $sequence_8 = { 4533c0 33d2 33c9 e8???????? 4c8d050c0a0100 498bd5 488bcf } + $sequence_9 = { 4889442450 488b8424a8000000 4889442448 488b8424a0000000 4889442440 } condition: 7 of them and filesize < 373760 
@@ -102153,10 +102527,10 @@ rule MALPEDIA_Win_Covid22_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "99a02a74-d0a3-533c-b448-35480cff51fc" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.covid22_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.covid22_auto.yar#L1-L119" license_url = "N/A" logic_hash = "968cf98e2e8c36cdb3ce45b1a5e5186c5425f3f25bc15cd333cdcc77eeba73ef" score = 75 @@ -102165,9 +102539,9 @@ rule MALPEDIA_Win_Covid22_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -102191,36 +102565,36 @@ rule MALPEDIA_Win_Neutrino_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "76543c5c-a591-5d27-b69f-6b94d6c2d536" - date = "2026-01-05" - modified = "2026-01-06" + id = "51a42915-47d4-559c-b162-ea1b913cc434" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.neutrino_pos_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.neutrino_pos_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "46f9a8dea2672570990106785d46980fe0790f0009b06412248bdd52d22cb9a1" + logic_hash = "74ad34f402d754cc4b93479599d16abc9ed9cb70c2d75745ebc9b8e2717e55e7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a61 6689955cffffff 5a 6a6e 5f 6a75 5e } - $sequence_1 = { 8b45d8 8d443001 50 53 e8???????? 8bd8 } - $sequence_2 = { 56 57 e8???????? 
59 59 8d4df8 51 } - $sequence_3 = { 51 53 33ff 57 ffd0 85c0 7433 } - $sequence_4 = { ff75fc ffd0 8945fc 3bc7 0f8580000000 } - $sequence_5 = { 8945e8 83f8ff 0f84a4000000 3bc3 0f849c000000 687823b2ff 56 } - $sequence_6 = { 5a 6a61 6689955cffffff 5a 6a6e } - $sequence_7 = { 66898d56ffffff 66898d58ffffff 66898d5affffff 66898d5cffffff 66898d5effffff 66898d60ffffff 66898d62ffffff } - $sequence_8 = { 58 6a43 8bc8 66898d4effffff 59 6a65 66898d50ffffff } - $sequence_9 = { 6a6e 66898558ffffff 58 6a62 6689855affffff 58 } + $sequence_0 = { 83f802 7504 6a07 ebe0 83f801 7504 6a06 } + $sequence_1 = { 57 8d4df0 51 57 57 56 56 } + $sequence_2 = { 6a69 66898568ffffff 58 6a53 6689856affffff 58 6a6e } + $sequence_3 = { 58 8bc8 66898d70ffffff 66898d72ffffff 66898d74ffffff 66898d76ffffff 66898d78ffffff } + $sequence_4 = { 66899568ffffff 8bd1 6689956affffff 5a 6a73 6689956cffffff 5a } + $sequence_5 = { 66898d64ffffff 59 6a74 8bf1 6689b566ffffff 5e 6a61 } + $sequence_6 = { 59 59 6888130000 56 ffd0 ff75e8 e8???????? } + $sequence_7 = { c785dcfdffff3529636b c785e0fdffff6b070707 c785e4fdffff07070707 c785e8fdffff07070707 c785ecfdffff07070707 c785f0fdffff07070707 c785f4fdffff07070707 } + $sequence_8 = { e8???????? 33db 68fbd5fba3 43 } + $sequence_9 = { 6a01 e8???????? 59 59 6a00 ffd0 53 } condition: 7 of them and filesize < 188416 
@@ -102230,36 +102604,36 @@ rule MALPEDIA_Win_Norobot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "81ee252e-ea83-5b53-acab-35755b04ba71" - date = "2026-01-05" - modified = "2026-01-06" + id = "d64f00eb-ea09-58b8-8deb-e767f434adae" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.norobot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.norobot_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.norobot_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "cfe0160692facfa8b89f040016e3df094319abbfbfe52416eb1da1d5fe06ee4b" + logic_hash = "301bc368a5f3a3efd68d3ce5fddd9c6ac9a49ce5d23ceec5450ce7bae0f401cc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c6400800 488b442408 c3 48894c2408 4883ec28 488b442430 488bc8 } - $sequence_1 = { 4883c420 5b c3 4883611000 488d0520b20100 48894108 488d0505b20100 } - $sequence_2 = { 4d3bc4 0f84ba000000 8b7500 498b9cf620c60300 90 4885db 740e } - $sequence_3 = { 4883ec68 488b05???????? 4833c4 4889442450 4883bc248000000000 7f07 } - $sequence_4 = { 4c8d4c2428 4c8d442430 488bd0 488b4c2450 e8???????? 
488b442450 } - $sequence_5 = { 4883bc248800000000 0f8482000000 33c0 83f801 } - $sequence_6 = { 4c8d0576750000 41f644400201 7405 0fb6c9 eb25 0fb6d1 } - $sequence_7 = { 7536 488d15db130300 488b8c24c0100000 e8???????? 8b442440 83c801 89442440 } - $sequence_8 = { 4c8d057b1a0100 488d157c1a0100 b912000000 e8???????? 4885c0 741d 49ba7073d836192e55f3 } - $sequence_9 = { e8???????? 0fb6c0 85c0 7448 48837c245000 7507 837c245801 } + $sequence_0 = { 8945d0 7413 8b04ca 488d15298cfdff 4803c2 } + $sequence_1 = { 4c8bda 488bf9 f6c304 7424 410fb60a 83e10f 4a0fbe843160b80200 } + $sequence_2 = { 7706 ff15???????? 488364243000 488d0ddcc60000 8364242800 41b803000000 4533c9 } + $sequence_3 = { 488bb424a0000000 4c8d159b6a0100 4533db 488d3d09e60000 4d85c9 488bc2 4c8be2 } + $sequence_4 = { e8???????? 4889842488000000 488d8c24a8000000 e8???????? 488b8c2488000000 4803c8 } + $sequence_5 = { 4883c807 4889442428 488b442460 4839442428 7607 } + $sequence_6 = { 488b4c2458 ff15???????? 4889442450 48837c245000 7536 488d1540150300 } + $sequence_7 = { 7502 eb26 baffffffff 488b4c2450 ff15???????? 488b4c2450 } + $sequence_8 = { 4c8d0540effeff 4a0fbe840160b80200 420fb68c0170b80200 482bd0 8b42fc d3e8 898424c0000000 } + $sequence_9 = { 48896c2418 57 4883ec20 4863d9 488d0d076c0100 488bd3 } condition: 7 of them and filesize < 545792 
@@ -102269,36 +102643,36 @@ rule MALPEDIA_Win_Bandook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "49488c81-393e-59b5-ae7a-2a41b9e495a2" - date = "2026-01-05" - modified = "2026-01-06" + id = "2411d708-642e-57d7-a6bf-2bdb78b552df" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bandook_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bandook_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "aa9d013de87f3f2f49289f0a80f6ab44faf8f44b73388fb66ee1528c334b1487" + logic_hash = "0d15f4bfa38ad4643428b43f0275e1498f715d2e6cf5d275eaf798dc57c9b780" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b85f0bfffff 8985a0beffff 89b598beffff 899d94beffff } - $sequence_1 = { 8d95f4fbffff 83c414 e8???????? 8b4df8 33cd 5e e8???????? } - $sequence_2 = { 8b45f0 0fb640f8 0fb680789d1c13 3334c5a3c31e13 8bc2 c1e818 0fb688789d1c13 } - $sequence_3 = { 83c404 89442414 68c0d40100 e8???????? 83c404 8bf8 } - $sequence_4 = { 8945fc 803d????????01 8b4508 753a ff30 ba???????? } - $sequence_5 = { 8bc8 e8???????? 83c408 8d4704 c707???????? c700???????? 8b4df4 } - $sequence_6 = { 58 6bc000 c7805cd11e1302000000 6a04 58 6bc000 8b0d???????? 
} - $sequence_7 = { 64a300000000 8bf9 897dac c745fc00000000 897d98 c745a800000000 0f2805???????? } - $sequence_8 = { e8???????? 8bf0 83c404 8975e0 6a00 8bce c645fc01 } - $sequence_9 = { 0fb708 8d4002 66894c02fe 6685c9 75f0 8d8c24c00d0000 } + $sequence_0 = { 6a08 8d4dd4 e8???????? 8b75b8 8b7db4 8b55b0 8bc6 } + $sequence_1 = { 68???????? 8d85fcfdffff 68???????? 50 e8???????? 83c410 8d85fcfdffff } + $sequence_2 = { e8???????? 83c404 8d95f4fdffff b902000080 56 e8???????? 8b9decfbffff } + $sequence_3 = { 0fb6c1 c1e908 894c2414 331f 8b04c592bb1e13 334704 c1e908 } + $sequence_4 = { 51 e8???????? 83c408 c645fc1d 8b5580 c78534ffffff00000000 c78538ffffff0f000000 } + $sequence_5 = { 8a4e04 884f08 8b4e08 894f0c c682f900000000 } + $sequence_6 = { d9c9 d9f1 833d????????00 0f859c110000 8d0d10131d13 ba1a000000 e9???????? } + $sequence_7 = { c645fc06 8d4f04 c703???????? c74304???????? c7431c54ab1d13 897b08 } + $sequence_8 = { 68???????? 50 e8???????? 83c414 8d442410 6a00 } + $sequence_9 = { c6041f00 85db 7431 297dfc 0f1f00 ff75f8 ff15???????? } condition: 7 of them and filesize < 23088128 
@@ -102308,36 +102682,36 @@ rule MALPEDIA_Win_Sunorcal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6c432810-e8f0-5844-8d29-cb8f4d1dde8c" - date = "2026-01-05" - modified = "2026-01-06" + id = "2ca4af99-ff58-5c1d-8fe8-8ff53497248d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sunorcal_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sunorcal_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "5b9405aaca8472dd7d7babc873d4fa797ade7b01d47ace52674d0f1fda5d55c6" + logic_hash = "b7f006aa3a8516c69b0596eb00ccfaf1238c353f5118fda16727098aecdc9e15" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5b c21000 8b442404 8b00 813863736de0 752a 83781003 } - $sequence_1 = { 6a03 e8???????? cc 55 8bec 83ec0c } - $sequence_2 = { 6a03 e8???????? cc 55 8bec 83ec0c a1???????? } - $sequence_3 = { 68b7000000 ff15???????? 6a64 68???????? 6a67 } - $sequence_4 = { 68???????? ff15???????? 33c0 c3 c3 55 8bec } - $sequence_5 = { ff15???????? 68b7000000 ff15???????? 6a64 68???????? } - $sequence_6 = { ff15???????? 6a03 e8???????? 
cc 55 8bec 83ec0c } - $sequence_7 = { c21000 8b442404 8b00 813863736de0 752a 83781003 7524 } - $sequence_8 = { c21000 8b442404 8b00 813863736de0 } - $sequence_9 = { 7c02 eb0e e8???????? e8???????? 85c0 } + $sequence_0 = { 5b c21000 8b442404 8b00 813863736de0 752a } + $sequence_1 = { 68???????? ff15???????? 33c0 c3 c3 55 } + $sequence_2 = { ff15???????? 6a03 e8???????? cc 55 8bec 83ec0c } + $sequence_3 = { c21000 8b442404 8b00 813863736de0 752a 83781003 7524 } + $sequence_4 = { eb0e e8???????? e8???????? 85c0 } + $sequence_5 = { 5e 5b c21000 8b442404 8b00 } + $sequence_6 = { 8bc6 5e 5b c21000 8b442404 8b00 813863736de0 } + $sequence_7 = { 7c02 eb0e e8???????? e8???????? 85c0 } + $sequence_8 = { 68b7000000 ff15???????? 6a64 68???????? } + $sequence_9 = { 68???????? ff15???????? 33c0 c3 c3 55 8bec } condition: 7 of them and filesize < 172032 
@@ -102347,36 +102721,36 @@ rule MALPEDIA_Win_Astralocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "61f3cae7-a5fe-5b6d-bea1-61609c1203ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "9ad416f5-464a-5615-9fdb-3338eed0cf4e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.astralocker_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.astralocker_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "b238aeedb1c86d89326b9be21dc83bdad9113ec500a78f62720bc92f0fb68cd1" + logic_hash = "0895282ca7e9682531923fdc1ee5095e4f9a56bb477d3bc2a677ebaf9800a0f7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33d2 33f6 891401 89740104 b808000000 6bc800 8b5508 } - $sequence_1 = { 51 8b14d0 52 e8???????? 83c408 8945f4 8955f8 } - $sequence_2 = { 891401 89740104 b808000000 6bc800 } - $sequence_3 = { 891401 89740104 b808000000 6bc800 8b5508 8b440a04 } - $sequence_4 = { 8955f0 ba08000000 6bf200 8b45ec } - $sequence_5 = { ba08000000 6bf200 8b45ec 8b55f0 b11a } - $sequence_6 = { 6bc80a 8b5508 33c0 33f6 89040a } - $sequence_7 = { 6bc20a 8b4d08 33d2 33f6 891401 89740104 } - $sequence_8 = { 8b5508 8b440a04 50 8b0c0a 51 e8???????? 
} - $sequence_9 = { 8b4508 8b4cd004 51 8b14d0 52 e8???????? 83c408 } + $sequence_0 = { 8b440a04 50 8b0c0a 51 e8???????? } + $sequence_1 = { 8b4dfc 83c102 894dfc 837dfc0a 0f83dc000000 } + $sequence_2 = { 8b5508 33c0 33f6 89040a 89740a04 c745fc00000000 eb09 } + $sequence_3 = { 891401 89740104 b808000000 6bc800 8b5508 8b440a04 50 } + $sequence_4 = { 50 8b0c0a 51 e8???????? 83c408 8945ec } + $sequence_5 = { c745fc00000000 eb09 8b4dfc 83c102 } + $sequence_6 = { 8b5508 8b440a04 50 8b0c0a 51 } + $sequence_7 = { 8945ec 8955f0 ba08000000 6bf200 } + $sequence_8 = { e8???????? 83c408 8945ec 8955f0 ba08000000 6bf200 8b45ec } + $sequence_9 = { 8b4d08 33d2 33f6 891401 89740104 b808000000 6bc800 } condition: 7 of them and filesize < 191488 
@@ -102386,36 +102760,36 @@ rule MALPEDIA_Win_Gratem_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ab5cab4a-386c-5ff0-b7ae-5f5f77749cf9" - date = "2026-01-05" - modified = "2026-01-06" + id = "39e4b7fa-cb1e-558e-a3c1-898c2f1d94ee" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gratem_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gratem_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "faae71a2a37b93e3d77306cf98fe40a8f8f60859a11449c5f85889b06fd54fb4" + logic_hash = "1065bb2e98023fbfca2a244eed1cca397cf6e69cb43c64edf47cc545c8854662" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 8bec 8b4508 56 8d34c5c0b84000 833e00 7513 } - $sequence_1 = { c6040400 8d1424 52 ff15???????? 8b8c2408010000 33cc } - $sequence_2 = { 8945fc 85c0 742f 8b0e 8b5710 51 52 } - $sequence_3 = { 0fb7048d64bc4000 41 6685c0 75e4 32c0 88460f c3 } - $sequence_4 = { ff15???????? 
8945fc 85c0 742f 8b0e } - $sequence_5 = { 0fb6c0 eb12 8b45e0 8a803cb44000 08443b1d } - $sequence_6 = { 663bc2 0f84e6020000 0fb7048d64bc4000 41 6685c0 } - $sequence_7 = { 0fb7c0 baa3170000 663bc2 0f84e6020000 0fb7048d64bc4000 41 6685c0 } - $sequence_8 = { 0f84de030000 0fb7048d64bc4000 41 6685c0 75e4 } - $sequence_9 = { 0f8469010000 0fb7048d64bc4000 41 6685c0 75e4 } + $sequence_0 = { 85f6 751b 83c8ff 5e 8b8c24d0070000 } + $sequence_1 = { 68???????? 89742428 c74424489ca24000 8974244c } + $sequence_2 = { 0f8461020000 0fb7048d64bc4000 41 6685c0 75e4 } + $sequence_3 = { 50 68???????? e8???????? 68f4010000 8bce } + $sequence_4 = { 56 ffd5 6a04 894714 } + $sequence_5 = { 89442438 ffd6 68???????? 57 8944243c ffd6 68???????? } + $sequence_6 = { 8945e4 8b7508 c7465c38984000 33ff 47 897e14 85c0 } + $sequence_7 = { ba6bc10000 663bc2 0f84bc010000 0fb7048d64bc4000 41 6685c0 } + $sequence_8 = { ff15???????? 50 ff15???????? 89442418 85c0 745b 8b442414 } + $sequence_9 = { 53 56 ff15???????? 89442414 85c0 } condition: 7 of them and filesize < 155648 
@@ -102425,36 +102799,36 @@ rule MALPEDIA_Win_Virdetdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bddd89ab-b028-56e4-8a65-8d3729c122ca" - date = "2026-01-05" - modified = "2026-01-06" + id = "c88d5f93-08a2-54dc-81ed-f298f4a96885" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.virdetdoor_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.virdetdoor_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "57c5b5ddcc0bcf4c5308e3cdd78b8a805ec821f22a4427e25f940eedfad4c1ef" + logic_hash = "79443a6987dffba0f5b6f6b3f9ae30b6ccf78b546a1343b7d31d4f2653fcd4ab" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c 83feff 7502 33f6 } - $sequence_1 = { 0fb74714 50 ff15???????? 0fb7c0 50 } - $sequence_2 = { 59 3945fc 7e4e 397dfc 7e49 8b35???????? 68???????? } - $sequence_3 = { 53 56 57 8bf9 c745f810270000 33db 33c9 } - $sequence_4 = { 6a0c 50 52 51 ff15???????? } - $sequence_5 = { 8b7d10 57 7434 8b35???????? ffd6 50 8d45cc } - $sequence_6 = { c6010b e9???????? c6010c e9???????? c6010d e9???????? } - $sequence_7 = { 83c40c 83c01c 50 6a08 ff15???????? } - $sequence_8 = { 3bc1 75ec 3903 74d2 ebe6 85ff 75cc } - $sequence_9 = { ff35???????? ff15???????? 
8bc8 85c9 7450 6a5c } + $sequence_0 = { eb05 7e0b 8d7eff 3bfb 7dd2 33c0 eb07 } + $sequence_1 = { 8be5 5d c3 8bc7 ebf5 53 56 } + $sequence_2 = { ff15???????? 8945f0 85c0 0f84a6000000 8b35???????? 8d480c } + $sequence_3 = { 8365fc00 8db334020000 56 ffd7 8bbb30020000 } + $sequence_4 = { e8???????? 8bf0 85f6 7422 6a18 6a00 56 } + $sequence_5 = { 8d45e0 8975e0 50 e8???????? 8b55e0 59 8b4de4 } + $sequence_6 = { 8d442424 50 8d442410 8bd7 } + $sequence_7 = { eb43 33db 897df8 83fe28 7237 0fb74f04 83c6d8 } + $sequence_8 = { 8b55e0 59 8b4de4 eb51 33f6 8bfb } + $sequence_9 = { 8bcb e8???????? ff07 8b0f 8b55f8 } condition: 7 of them and filesize < 106496 @@ -102468,7 +102842,7 @@ rule MALPEDIA_Win_Darkpink_Auto : FILE date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpink" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkpink_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkpink_auto.yar#L1-L116" license_url = "N/A" logic_hash = "ae61fd7de2751bb38bc52ea4bef7ef6d5cc9562894ba78123146d52f1f8217ba" score = 75 
@@ -102503,42 +102877,42 @@ rule MALPEDIA_Win_Stresspaint_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "60972f0d-5b32-562d-b7a1-4042f30f34cb" - date = "2026-01-05" - modified = "2026-01-06" + id = "77a09e52-ba1a-5b26-a188-9dce41401fa4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stresspaint_auto.yar#L1-L150" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stresspaint_auto.yar#L1-L179" license_url = "N/A" - logic_hash = "d56631be02335c29e6f4a5ef8e07a5da331d1e0c248639e3a06714253e875bf3" + logic_hash = "d6dbc3c23e69b2d59e500bf4ed8b4f058e66ee34d00940b32963b98b6f4f94d2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d542478 51 52 e8???????? 8b44244c } - $sequence_1 = { 8d542478 c6042b00 3bda 7505 } - $sequence_2 = { 0103 014510 294514 83665800 } - $sequence_3 = { 0106 83560400 837d1c00 7494 } - $sequence_4 = { 0103 014510 294674 8b4674 } - $sequence_5 = { 8d542901 52 6a1e 56 } - $sequence_6 = { 0107 115f04 3bcb 7508 } - $sequence_7 = { 8d542478 52 57 e8???????? 
83c408 } - $sequence_8 = { 8d542478 f3ab 8b8c24a4000000 8b8424a0000000 } - $sequence_9 = { 0107 83570400 85c9 7508 } - $sequence_10 = { 8d542478 898c2498010000 8d8c2494010000 52 } - $sequence_11 = { 010b 8945fc 8bc2 83530400 } - $sequence_12 = { 0103 ebaa 8b442408 56 } - $sequence_13 = { 8d542474 51 55 52 8bce e8???????? } - $sequence_14 = { 0108 8b8e44010000 114804 8b4f18 } - $sequence_15 = { 8d542901 52 6a1f 56 } + $sequence_0 = { 6a04 5e 897010 894818 89481c 894820 c740140c4e4100 } + $sequence_1 = { 8b0f 6a00 8b5e0c 0fbf5322 } + $sequence_2 = { 5b c3 85f6 740f 8b542414 5f } + $sequence_3 = { 0f85a6000000 8bce e8???????? e9???????? 8b4608 83e01c } + $sequence_4 = { 83c40c e9???????? 8b442414 8b542424 2bc2 eb29 } + $sequence_5 = { 57 33db 53 68???????? 56 e8???????? 83c40c } + $sequence_6 = { ff75e0 8b4d14 e8???????? 47 ff45f8 ebbc 2b45f4 } + $sequence_7 = { 0f8548010000 8b7e44 8b4648 2bc7 b9???????? 3bc1 } + $sequence_8 = { 85c0 7512 8b4e10 53 } + $sequence_9 = { 8b5324 6a10 51 52 57 } + $sequence_10 = { ff15???????? 33c9 6a02 83c003 5a f7e2 0f90c1 } + $sequence_11 = { 88410b 5d 33c0 5b 59 } + $sequence_12 = { 8b4e04 51 53 53 53 57 } + $sequence_13 = { e8???????? 83c414 0fbf5622 8b4c2424 47 83c104 3bfa } + $sequence_14 = { 56 57 8b7c240c 57 8bf1 e8???????? 8d4704 } + $sequence_15 = { 6a65 8b06 56 ff501c 8bf8 8d4dd4 e8???????? } condition: 7 of them and filesize < 1155072 
@@ -102548,36 +102922,36 @@ rule MALPEDIA_Win_Trochilus_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e944258-6f12-5085-8358-b91fb7dc5a09" - date = "2026-01-05" - modified = "2026-01-06" + id = "2e831772-6c8c-5863-8fd8-e64f28ac5f9b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.trochilus_rat_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.trochilus_rat_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "dca7f9603da83736d27e78d66d52610b99014fe1a1d949a52b24e5b787c59a8a" + logic_hash = "eaa68b64d4e901ed652b6419a36d2dc071cb93d5ec91aff94878b446c8325eb0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8410010000 8b3d???????? 6894e40010 53 ffd7 85c0 0f84fa000000 } - $sequence_1 = { 7405 6a02 5e ebc6 e8???????? eb25 e8???????? } - $sequence_2 = { 2bf9 f7df 1bff 23f8 0f849a000000 8b4708 } - $sequence_3 = { 53 57 8d4e2c 8bf8 2bf9 f7df 1bff } - $sequence_4 = { 56 8bf1 c706d0d10010 e8???????? f6450801 7407 56 } - $sequence_5 = { 8b4dfc 8b06 b201 d2e2 081438 663b5d0c 740e } - $sequence_6 = { 50 6a06 8d85ecfbffff 50 8bcf } - $sequence_7 = { ff7510 8b01 ff750c ff5034 6a00 ff7508 8bfe } - $sequence_8 = { 8bce e8???????? 
eba2 55 8bec 83ec0c 56 } - $sequence_9 = { a1???????? c705????????90897e00 8935???????? a3???????? ff15???????? a3???????? } + $sequence_0 = { 83930402010000 33cd 33c0 e8???????? c9 c3 55 } + $sequence_1 = { 3bc1 7f7f 3dc01f0000 7f78 8b4704 8bf0 8d4b2c } + $sequence_2 = { 83be08010100ff 0f8557ffffff 85ff 740b 57 bee81d0110 e8???????? } + $sequence_3 = { 56 ff15???????? 6a02 58 5e 5b c9 } + $sequence_4 = { 0d00e0ffff 40 8d448118 833800 7415 ff7508 8b30 } + $sequence_5 = { ff15???????? 399dd8fbffff 741a ffb5d8fbffff ff15???????? eb0c ff15???????? } + $sequence_6 = { 51 53 56 57 8bf8 8d5f24 53 } + $sequence_7 = { e8???????? 85c0 7524 68???????? 6a02 6871010000 68???????? } + $sequence_8 = { 8b8730020100 894670 8b8734020100 894674 8b8738020100 894678 8b873c020100 } + $sequence_9 = { 8b877c010100 99 bfe8030000 f7ff 66894602 890b } condition: 7 of them and filesize < 630784 
@@ -102587,36 +102961,36 @@ rule MALPEDIA_Win_Svcready_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e83853f3-e66b-52ee-ae09-132965a1cb28" - date = "2026-01-05" - modified = "2026-01-06" + id = "23952440-4166-5c87-a2af-6c2454c061a6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.svcready_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.svcready_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "70f5a6e47586d208a50ef25a32145ee8864e4794b50daca718026585b6e54bc9" + logic_hash = "0b76e616680d1c72127b9b11b783819879641edc5773223f12c35aa6787dbd65" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895c2410 8bc7 896c2418 f7d2 33c6 0bfa 21542410 } - $sequence_1 = { eb02 33f6 895d28 8d4702 } - $sequence_2 = { 89442410 33c0 89742414 896c2418 895c241c ab } - $sequence_3 = { 66c7070100 885f02 891e 885e04 895e08 895e0c 895dfc } - $sequence_4 = { 8b442428 40 50 57 51 } - $sequence_5 = { 8b01 8902 83c204 83c104 894dec 8b45e8 ebea } - $sequence_6 = { 50 ff74241c ff15???????? 33c0 8d7c2408 ab } - $sequence_7 = { 8bca 8dbefc600000 f3ab 8bca } - $sequence_8 = { 2bd1 8b7c2414 2bf1 c1fa02 c1fe02 3bfa 7678 } - $sequence_9 = { 3c58 7504 897c2414 52 51 e8???????? 
89442430 } + $sequence_0 = { 8365fc00 8b7508 3b750c 7411 0fb606 50 8bcf } + $sequence_1 = { 51 e8???????? 83c408 8b7508 8d4514 } + $sequence_2 = { 8bce e8???????? 014610 115e14 8b4710 } + $sequence_3 = { 8b0438 03c7 ffd0 0faf45dc 50 e8???????? } + $sequence_4 = { 894c2410 8be9 c1ce03 33d7 89742414 8bc6 } + $sequence_5 = { 8b4dd8 85c9 741a 8b45e0 2bc1 83e0fc 50 } + $sequence_6 = { c645fc01 8d45d8 ff7508 53 6a10 83ec18 8bcc } + $sequence_7 = { 7449 57 e8???????? 6a05 5f 3bc7 7239 } + $sequence_8 = { 5f 5e 5b c9 c21400 51 ff750c } + $sequence_9 = { 8b5c2414 8b742410 6a0b 59 0fb6440c1c 0fa4f308 99 } condition: 7 of them and filesize < 1187840 
@@ -102626,36 +103000,36 @@ rule MALPEDIA_Win_Sendsafe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14b9e6b6-2043-58da-b1e8-265e07b21f6c" - date = "2026-01-05" - modified = "2026-01-06" + id = "22ecadd0-d25d-581d-9d09-ca00bea39407" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sendsafe_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sendsafe_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "1cc8bf83d06a8d8be9a015120fbe9f24392bb542d1a6aed7e6e2573904d5eeb5" + logic_hash = "ff3c7f30f228fce4b7d080e3cae62a8acf0fb6447b41041ce3863f984ead4db4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5508 52 8d45bc 50 e8???????? 83c40c 8d4dbc } - $sequence_1 = { eb07 c745dc00000000 0fb645dc 85c0 0f842f010000 8b4dfc 83c110 } - $sequence_2 = { ffd2 83c408 e9???????? 8b4508 8b08 c741146d000000 8b5508 } - $sequence_3 = { b904000000 6bd10e 8b4dfc 33441110 3345f4 8945f4 8b55f4 } - $sequence_4 = { 8b952cfdffff 837a1410 721c 8b8564fcffff 898524fdffff 8b8d2cfdffff 8b11 } - $sequence_5 = { e8???????? 83c414 85c0 0f84e1010000 ff7518 8d4704 57 } - $sequence_6 = { e8???????? 83c408 8b4dfc 89411c 8b5508 8b8214010000 c1e003 } - $sequence_7 = { e9???????? e8???????? 
8bd0 89542434 85d2 7511 684f060000 } - $sequence_8 = { eb1e 8b55f4 833a00 7406 c645fe01 eb04 c645fe00 } - $sequence_9 = { ff15???????? 8d5508 52 8b4dfc 83c104 e8???????? 8945f8 } + $sequence_0 = { 8d8dfcfdffff 51 e8???????? 83c40c 8d95fcfdffff 52 e8???????? } + $sequence_1 = { ff15???????? 85c0 7409 c745cc01000000 eb07 c745cc00000000 8a4dcc } + $sequence_2 = { eb5c 8b55cc 8b4230 8b4dc8 8b1488 837a2c00 744a } + $sequence_3 = { eb1a b816020000 25ffff0000 0d00000700 0d00000080 898578f6ffff 8b8d78f6ffff } + $sequence_4 = { eb0f 8b4df4 51 e8???????? 83c404 8945e8 8b55e8 } + $sequence_5 = { 8b8894000000 51 8d55dc 52 e8???????? 83c408 8d45dc } + $sequence_6 = { e8???????? 8b45e8 898574ffffff 8b4d10 8b9574ffffff 8b01 3b4210 } + $sequence_7 = { c741144d000000 8b5508 8b02 b904000000 6bd100 8b4dfc 894c1018 } + $sequence_8 = { 83c40c 8d95fcfeffff 52 8b85f4faffff 50 8b8df8faffff e8???????? } + $sequence_9 = { 8b8df0feffff 668901 e9???????? 8b95dcfeffff 83ea01 8995dcfeffff 8b4508 } condition: 7 of them and filesize < 3743744 
@@ -102665,42 +103039,42 @@ rule MALPEDIA_Win_Boatlaunch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5b0d65d7-386e-5181-abff-96bda8de10ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "1b685555-05d0-517f-8be6-015660e1acc5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.boatlaunch_auto.yar#L1-L171" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.boatlaunch_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "adf615ca940a4845de7b709cb5b628615811519e57950596633d26b59f2f2942" + logic_hash = "33b2fc09aa3c8d462647029ac3c92b50b48e4e738d2a9426832c53e11c3570e9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c7430c00000000 c7431000000000 c7431400000000 8d45f0 50 8d45d8 } - $sequence_1 = { 8345e802 4b 85db 75af eb05 e9???????? } - $sequence_2 = { 0f84b1000000 8b4878 85c9 0f84a6000000 894dec 03cf 894df0 } - $sequence_3 = { 7502 48ab 488bfe ffcb 85db } - $sequence_4 = { 488b4dd0 e8???????? 488b45d8 488d6528 415b } - $sequence_5 = { 8b45e4 03701c 2b75ec 0375e4 ad 85c0 7407 } - $sequence_6 = { 448b45fc e8???????? 48894500 48c7c105000000 } - $sequence_7 = { 488d6c2430 48c745f800000000 488d35901e0000 488bfe bb40000000 } - $sequence_8 = { 488905???????? 
48c7c001000000 488d6500 5d } - $sequence_9 = { c745f800000000 8d5ddc c70318000000 c7430400000000 } - $sequence_10 = { 8d85e0eeffff 50 e8???????? 83c404 53 } - $sequence_11 = { 5a 59 5b 5d c3 48894c2408 4855 } - $sequence_12 = { ff75f8 e8???????? 81fb02010000 7507 c745fc01000000 8b45fc 5f } - $sequence_13 = { c7431400000000 8d45f4 50 8d45dc 50 68ff0f1f00 } - $sequence_14 = { 48c7c164000000 e8???????? e9???????? 488d6500 } - $sequence_15 = { 4150 4151 4152 4153 4881ec78110000 488dac2480000000 48c745e800000000 } + $sequence_0 = { 56 57 4883ec38 488d6c2430 48c745f800000000 488d35901e0000 } + $sequence_1 = { 85c0 0f8440010000 8b75f4 ad 85c0 7505 } + $sequence_2 = { e8???????? 488945c8 488b8d50110000 488b55d8 } + $sequence_3 = { 488b75e0 48ad 4885c0 7505 e9???????? 488bf8 } + $sequence_4 = { 6a00 ff35???????? e8???????? 8b45fc 5f 5e 5a } + $sequence_5 = { e8???????? 83c404 53 8d85e0eeffff 50 6aff } + $sequence_6 = { 7430 4c8d45f4 41c7004833c0c3 488b4df8 49c7c104000000 } + $sequence_7 = { d1e0 50 ff733c 6aff } + $sequence_8 = { 5b 5d c3 48894c2408 89542410 } + $sequence_9 = { 0f84a6000000 894dec 03cf 894df0 8b487c } + $sequence_10 = { 488b8580000000 48894510 48c7451800000000 488d4de0 c70130000000 4883610800 } + $sequence_11 = { 8345e802 4b 85db 75af eb05 e9???????? } + $sequence_12 = { 83c404 ff733c e8???????? 83c404 d1e0 50 } + $sequence_13 = { 83c404 59 50 51 6aff e8???????? } + $sequence_14 = { 48c7c1ffffffff 488d15a1190000 e8???????? e8???????? } + $sequence_15 = { e8???????? 85c0 0f84fc000000 488d8df0000000 e8???????? } condition: 7 of them and filesize < 33792 
@@ -102710,36 +103084,36 @@ rule MALPEDIA_Win_Quickmute_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "82702de0-3ec3-5174-97b3-ecd07741028d" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c849e44-acd1-51b9-b726-d3f916023f4f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quickmute_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quickmute_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "a1fe14ff6e270ce43f084b7c17d9cfec20868bf0fcb227ce38e0547341f7d58e" + logic_hash = "4b32b83d8e038504eeda8b7b08cc8cf59bd3c2beb1dc25544e09aed36b939cec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { c78550ffffff7265616c c78554ffffff6c6f6300 391d???????? 750f 8d8550ffffff 50 } - $sequence_1 = { 6a00 52 ff15???????? 83c40c 6a10 8d45ec 6a00 } - $sequence_2 = { 8b75fc 85f6 740c 56 } - $sequence_3 = { 0f8410020000 837dec00 755e 837df000 7558 837df400 } - $sequence_4 = { ffd7 a3???????? 833d????????00 c68560ffffff47 889d61ffffff c78562ffffff74537461 c78566ffffff72747570 } - $sequence_5 = { 8b7508 c7465ca89b4000 83660800 33ff 47 897e14 } - $sequence_6 = { 8d45b4 50 56 ffd7 a3???????? 833d????????00 } - $sequence_7 = { 8d7c2410 e8???????? 
803d????????00 756b } - $sequence_8 = { 66c7855affffff656e 889d5cffffff c7855dffffff69616c73 c68561ffffff00 750f 8d954cffffff 52 } - $sequence_9 = { 6a0d 58 5d c3 8b04cd74c14000 5d c3 } + $sequence_1 = { 6a01 6a00 ff15???????? 8906 85c0 7507 b802000000 } + $sequence_2 = { 0f87bd010000 8d45ec 50 ff15???????? } + $sequence_3 = { c645b200 750c 8d55a0 52 } + $sequence_4 = { eb2e 33c0 ebaa f6c102 7407 } + $sequence_5 = { a3???????? c78568ffffff63616c6c 66c7856cffffff6f63 889d6effffff 391d???????? 750f } + $sequence_6 = { 7409 be01000000 d3e6 0bd6 49 } + $sequence_7 = { 889d17ffffff 66c78518ffffff6d6f c6851affffff74 889d1bffffff 66c7851cffffff5468 } + $sequence_8 = { 8b4508 ff34c550c04000 ff15???????? 5d c3 6a0c } + $sequence_9 = { c78554ffffff77007300 c78558ffffff20004e00 c7855cffffff54002000 c78560ffffff36002e00 c78564ffffff33003b00 } condition: 7 of them and filesize < 146432 
@@ -102749,36 +103123,36 @@ rule MALPEDIA_Win_Keylogger_Apt3_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96f37009-369b-5f17-a68b-4eb5c0d4026d" - date = "2026-01-05" - modified = "2026-01-06" + id = "d33c2b85-787e-541f-9400-5df612b3aa4b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.keylogger_apt3_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.keylogger_apt3_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "023590d599979615d817aedf4414560e8504e62badef12c9dd3c7d358dc03318" + logic_hash = "6102ee57c506d5db7dd70ae6ac99c0dc6361d469876fe034b7dac0d3c10af3d8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ffd7 8b4e08 6a08 51 ffd7 } - $sequence_1 = { 8b9c2430040000 55 8bac2430040000 56 57 8bbc2434040000 6800010000 } - $sequence_2 = { 52 ffd7 8b0d???????? 8d442424 50 51 } - $sequence_3 = { 8d45f0 50 e8???????? cc e8???????? 8b4004 c3 } - $sequence_4 = { e8???????? 55 e8???????? 68???????? e8???????? 8b8c2440020000 83c40c } - $sequence_5 = { 52 ffd7 a1???????? 896844 8b9eac010000 85db 742e } - $sequence_6 = { 52 e8???????? 8d862c020000 50 8d4c242c 68???????? 
51 } - $sequence_7 = { 8d7c00ff 3bc7 89442418 0f8dc6000000 8b542414 8bd8 69db14010000 } - $sequence_8 = { 68???????? 52 ffd7 8b0d???????? 8d442438 50 } - $sequence_9 = { e8???????? 83c404 8b442414 6a00 6a00 6a10 8d54244c } + $sequence_0 = { 885c041a 88540c18 0fb654041b 03f2 } + $sequence_1 = { e8???????? a1???????? 53 50 e8???????? 8b4c2420 8b15???????? } + $sequence_2 = { 52 a3???????? ff15???????? 8b0d???????? 8d44240c 50 } + $sequence_3 = { e8???????? 83c40c 6a00 ff15???????? 6a0f ff15???????? 6a00 } + $sequence_4 = { e8???????? 83c404 8b542424 68???????? } + $sequence_5 = { 51 e8???????? 8b542430 6a00 52 55 e8???????? } + $sequence_6 = { 7e25 be???????? 90 837e04ff 750e 8b0e 394c2414 } + $sequence_7 = { 6a00 8bf0 6a0f c70628010000 e8???????? } + $sequence_8 = { 53 8bf8 57 56 55 ff15???????? } + $sequence_9 = { 83c404 a3???????? a3???????? 83784000 } condition: 7 of them and filesize < 761856 
@@ -102788,36 +103162,36 @@ rule MALPEDIA_Win_Shujin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "20008e73-1b75-5617-9f42-c7c9bccd7072" - date = "2026-01-05" - modified = "2026-01-06" + id = "23c4cd11-62d9-5a6f-9f51-3b0bc6f2eb28" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shujin_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shujin_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "498da53687cd17478c7025106c84cdcc0e6118bdb951cd75112ef2c2e9026da6" + logic_hash = "a366c54bdbbb64c930d2d7ea4ef12485689e12ad01192abe31bd506ab9c3a737" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff35???????? 8f442404 68dd5d08ae 60 ff3424 } - $sequence_1 = { 56 68???????? 53 53 ff15???????? 8984bdfcfeffff 47 } - $sequence_2 = { 660fa3ff f8 3529af0800 9c c7858cfcffffcccccccc 9c f8 } - $sequence_3 = { 6814050000 53 68???????? e8???????? 83c40c 891d???????? } - $sequence_4 = { 8b742410 57 6a08 5f 8b4cfe50 } - $sequence_5 = { c1ea02 8a92506c4000 8811 83e003 c1e004 8bd6 c1ea04 } - $sequence_6 = { 8bda 23d8 0fb69be8a54000 33fb 8b5d08 337b04 8b5d0c } - $sequence_7 = { c0f305 f9 6a04 87ce 9c 0fbec9 660face902 } - $sequence_8 = { 885c2404 887c2404 8d642410 e8???????? 
9c 668b3424 } - $sequence_9 = { 8d45ec 50 68000f0050 8d8e74040000 57 e8???????? 6a05 } + $sequence_0 = { 7412 6aff 6a01 8d85fcfeffff 50 57 } + $sequence_1 = { 8930 83c004 49 75f5 ff742410 } + $sequence_2 = { eb03 8b75e0 8d85dcfeffff 50 ff15???????? 837df000 } + $sequence_3 = { 55 8d6c2490 81ec98000000 56 57 ff757c 8d45d8 } + $sequence_4 = { e8???????? be???????? 8d8d10fcffff 89b5d0fbffff e8???????? 8d8d50fcffff 89b510fcffff } + $sequence_5 = { 83c40c 395df8 72e2 8b45e8 } + $sequence_6 = { 8b442414 c7442414e8854000 8144241404210000 8b6818 8bd5 896c2410 83c010 } + $sequence_7 = { 8b46f8 8b56fc 8bd8 8945ec 8bc2 c1f81f c1e806 } + $sequence_8 = { 8d85acfcffff 6a14 8d9ddcfdffff 89454c 59 8b4578 8dbd7cfbffff } + $sequence_9 = { 8944244c 9c 66893c24 66894c240c 882c24 ff742450 c25400 } condition: 7 of them and filesize < 172032 
@@ -102827,36 +103201,36 @@ rule MALPEDIA_Win_Nagini_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96b62be7-f485-5281-9063-fa2aa017f19b" - date = "2026-01-05" - modified = "2026-01-06" + id = "c917a97a-6134-5cef-aced-755d70d91e3e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nagini_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nagini_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "7611b927095df92b3b5eaffee00806b1be3b736d512ae6422738ca1d97180738" + logic_hash = "10ea04b2bdec458688b3ecc832aa1fb22d74acb15a2509a88053f0983f73e99d" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 080c08 07 0d0807110c 0916 100b } - $sequence_1 = { 83781408 7202 8b00 50 e8???????? 
83c404 837c245808 } - $sequence_2 = { 0f835ffbffff 03f3 03d3 83fb1f 0f8715040000 ff249da0c64000 8b46e4 } - $sequence_3 = { 0404 0406 0404 06 0404 06 0404 } - $sequence_4 = { 0536240538 27 06 37 260537260535 230434 2203 } - $sequence_5 = { 07 0505080606 0907 07 } - $sequence_6 = { 6a14 8d0440 3d860a0000 756c 6a32 68a0000000 } - $sequence_7 = { 6454 48 68584c6959 4d 6f 5f 53 } - $sequence_8 = { 06 0806 06 0907 } - $sequence_9 = { 89441928 8b45f0 8954192c 8b4df4 8b148dc0914200 } + $sequence_0 = { 8b0495c0914200 f644180448 7423 6a0a } + $sequence_1 = { 83c40c 8d442468 6804010000 6a00 50 e8???????? 83c40c } + $sequence_2 = { 07 0b03 040b 03040b } + $sequence_3 = { ffd3 6a00 6a00 6801040000 ff35???????? ff15???????? } + $sequence_4 = { c7400469526d6f 66c740085400 68007f0000 6a00 c745b030000000 c745b400000000 } + $sequence_5 = { 363429 363429 363429 3432 27 302e } + $sequence_6 = { 0536240538 27 06 37 } + $sequence_7 = { 8b85ecefffff 8b8ddcefffff 8b95f4efffff 8b0485c0914200 } + $sequence_8 = { c1e606 8b0cbdc0914200 f6440e0401 743d 833c0eff } + $sequence_9 = { 0f43442418 50 e8???????? 83c408 85c0 0f857c010000 } condition: 7 of them and filesize < 12820480 
@@ -102866,36 +103240,36 @@ rule MALPEDIA_Win_Unidentified_108_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "523cac0e-068e-567f-9b67-256b819ee9a9" - date = "2026-01-05" - modified = "2026-01-06" + id = "34b87816-cd9a-5b74-90e0-e07fc9bfe007" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_108" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_108_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_108_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "ff49cd548bd3e2342145a6556aab556577d4c1ad014ed5644df8b6ae901a1a52" + logic_hash = "0445a99f67a74766c9cc6af05bc62590694686270ed850a6744b269b66b3bbce" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8d05a21d0100 488bf9 488d15a01d0100 b904000000 e8???????? 8bd3 } - $sequence_1 = { 48c1fe06 4c8d2d0a5b0100 83e03f 4c8d24c0 498b44f500 } - $sequence_2 = { 488d15e7f30000 83e03f 4d8bfd 49c1ff06 41b90a000000 488d3cc0 } - $sequence_3 = { 742e 488d5510 0f1f840000000000 803201 } - $sequence_4 = { 8b0d???????? 458bc5 f20f1005???????? 
488bf8 } - $sequence_5 = { 488d5201 41ffc0 488d4520 498bcc } - $sequence_6 = { 4c8d15e0f40000 83e03f 498bd5 48c1fa06 } - $sequence_7 = { 736e 488bc3 488bf3 48c1fe06 4c8d2d4ef70000 83e03f } - $sequence_8 = { 486bc000 488d0d5ed50100 8b542430 48891401 488d0dd7250100 e8???????? } - $sequence_9 = { 48894dff 83e03f 458be9 488d0dd066ffff 4c8945e7 } + $sequence_0 = { 83e03f 458be9 488d0dd066ffff 4c8945e7 4d03e8 48895df7 4c8be3 } + $sequence_1 = { 4889742410 57 4883ec20 418bf0 4c8d0d9fea0000 } + $sequence_2 = { 488d95a0000000 4c896c2450 488d4c2450 e8???????? 4c8d4c2458 41b800040000 } + $sequence_3 = { 3b1d???????? 736e 488bc3 488bf3 48c1fe06 4c8d2d4ef70000 83e03f } + $sequence_4 = { 4c8d05a8310100 83e23f 488d14d2 498b04c0 f644d03801 } + $sequence_5 = { 0f84d9000000 8b7500 498b9cf640f90100 4885db } + $sequence_6 = { 741f 488b4c2438 488d1542f80000 ff15???????? 4885c0 } + $sequence_7 = { 488d15e2890000 f20f1014c2 c5eb58d5 c4e2c9b905???????? } + $sequence_8 = { 488d4570 458bc5 498bcc 0f114570 } + $sequence_9 = { 498bc4 0f114540 48ffc0 44380401 } condition: 7 of them and filesize < 307200 
@@ -102905,36 +103279,36 @@ rule MALPEDIA_Win_Matsnu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ac7d48b9-a967-5b74-8534-0fe3b275eb93" - date = "2026-01-05" - modified = "2026-01-06" + id = "77ba7342-7ed0-52c8-8d40-4a99c7747a95" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.matsnu_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.matsnu_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "5be086cc43b82632d1f6dd9c773840652ffd11fa9db4f5cb2927e6c0f81579b4" + logic_hash = "e18ac59e7a7b0bd1a2eecd0174cc3111cc94b19c8026ba0cc315f9422e7d24ab" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8985bcfbffff 83bdb0fbffff01 0f8588000000 8b85bcfbffff 8985c4fbffff 8b85c0fbffff } - $sequence_1 = { c645f700 c645f800 c645f90d c645fa0a c645fb00 } - $sequence_2 = { 750f c785a4fbffff02000000 e9???????? 8985bcfbffff 83bdb0fbffff01 } - $sequence_3 = { 8b75fa 01c6 8b4604 48 0145de ff45c6 } - $sequence_4 = { 0f8229010000 c745ea00000000 8b45e6 c1e004 8b75fa } - $sequence_5 = { 751d ff75ba ff7510 e8???????? 8945f6 } - $sequence_6 = { 884db8 807db800 7503 ff45be } - $sequence_7 = { c745f600000000 c745fa00000000 e8???????? 
5b } - $sequence_8 = { 837d1800 7405 8b7d18 8907 b820000000 } - $sequence_9 = { 31c0 8985bcfbffff ffb5c4fbffff e8???????? 83f800 } + $sequence_0 = { 85c0 0f840b010000 8945f8 68000000f0 6a01 6a00 6a00 } + $sequence_1 = { 8b7604 3975ea 7327 8b45e6 } + $sequence_2 = { 81ec18020000 c785e8fdffff00000000 c785ecfdffff00000000 c785f0fdffff00000000 c785f4fdffff00000000 c785f8fdffff00000000 c785fcfdffff00000000 } + $sequence_3 = { 8b4704 3b45ba 751d ff75ba ff7510 e8???????? 8945f6 } + $sequence_4 = { 807db800 7503 ff45be ff45ea e9???????? 817de6ff000000 7f0d } + $sequence_5 = { 8d95f4fdffff 52 e8???????? 83f800 750c } + $sequence_6 = { 0375de 3975ba 0f8229010000 c745ea00000000 8b45e6 } + $sequence_7 = { c745e200000000 8b7dfa 817de2ff000000 7f1c } + $sequence_8 = { 8b4604 48 0145de ff45c6 8b4dc2 b801000000 d3e0 } + $sequence_9 = { 837d1800 7405 8b7d18 8907 b820000000 eb02 31c0 } condition: 7 of them and filesize < 606992 
@@ -102944,42 +103318,42 @@ rule MALPEDIA_Win_Killdisk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c433beb-dada-5b26-9857-13f0bee328ff" - date = "2026-01-05" - modified = "2026-01-06" + id = "01ce24ac-2c12-538b-a3a7-492e0c9469f6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.killdisk_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.killdisk_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "50990d6a3b9890877b878363fc44a7021b275eb6d67ceb6edc1c960b038217f1" + logic_hash = "ac404c07c1133d2b33943d3a9a261a1ec36ead25c1d19408d14c9adf6caf5592" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8945e4 8b7508 c7465c904c4200 33ff } - $sequence_1 = { 75f7 2bca 8d7c243c 8bf2 8bd1 } - $sequence_2 = { 881c24 e8???????? d2cd 80d213 66c1e204 8b5500 f8 } - $sequence_3 = { eb09 8b442430 2bc1 c1f802 8d3c8500000000 57 } - $sequence_4 = { c604243a 9c 8d642434 e9???????? } - $sequence_5 = { 84c0 75c1 8d442404 50 } - $sequence_6 = { e9???????? 66894500 66897c240c 882c24 } - $sequence_7 = { 0f8482000000 55 e8???????? 8b1d???????? } - $sequence_8 = { e8???????? 881438 e8???????? 9c c6442408cf 894508 e9???????? } - $sequence_9 = { 6800100000 51 8bf0 ff15???????? 
} - $sequence_10 = { 46 66892c24 9c 8d64244c e9???????? 9c } - $sequence_11 = { 88442408 50 8d642434 e9???????? } - $sequence_12 = { 3b54242c 0f84d5000000 b83092c201 33ff e8???????? 85c0 } - $sequence_13 = { e9???????? 883424 ff742420 8f4500 9c } - $sequence_14 = { f5 88742408 c70424ba7bbfa4 660fbae408 662dca11 e8???????? 881438 } - $sequence_15 = { 8b542438 6888130000 52 ff15???????? } + $sequence_0 = { e9???????? 883424 ff742420 8f4500 9c 51 } + $sequence_1 = { 57 8dbc2444030000 2bc1 8bf1 } + $sequence_2 = { d1924dbeb698 760a d035???????? d6 d487 ce } + $sequence_3 = { 8b4c2424 2bc8 894c244c 8b4c2430 2bc8 89542414 } + $sequence_4 = { 8f44241c c64424148e c644240426 e8???????? 4e e8???????? 54 } + $sequence_5 = { 7415 b907010000 8d7c2468 f3a5 8b431c } + $sequence_6 = { 88742408 c70424ba7bbfa4 660fbae408 662dca11 e8???????? 881438 } + $sequence_7 = { e8???????? 83c40c 6802040000 8d942484020000 6a00 52 } + $sequence_8 = { 50 51 e8???????? 4e 80fcd7 } + $sequence_9 = { 28d8 882424 e9???????? 66894500 66897c240c 882c24 } + $sequence_10 = { 9c 6689742404 8d642450 e9???????? 89442424 } + $sequence_11 = { 7407 56 ff15???????? 56 ff15???????? 85c0 } + $sequence_12 = { 8d4c2404 51 b9???????? e8???????? 8bf0 e8???????? } + $sequence_13 = { 0f8402020000 8b442418 85c0 0f84f6010000 } + $sequence_14 = { 8b1495a098c201 8d440224 802080 884dfd 8065fd48 } + $sequence_15 = { e9???????? 9c 9c 66894504 57 60 } condition: 7 of them and filesize < 10817536 
@@ -102989,36 +103363,36 @@ rule MALPEDIA_Win_Kk_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d3a867fb-765c-587c-976d-8b832133ea92" - date = "2026-01-05" - modified = "2026-01-06" + id = "79291885-85fb-5a77-8dbf-2c220d758ab5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kk_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kk_rat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kk_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "f46ada63a222e5519816a10f8a2e3c2cfb8e81915e639c45c54d3595ef668e74" + logic_hash = "c23e0931edfbb07c0f52ba542598531acaac2db7d50ece50da5c69134a8a5ceb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a4510 53 56 8bf1 57 8b7d08 8886d4000000 } - $sequence_1 = { 8d85f4fdffff 68???????? 50 e8???????? 8d85f8feffff 50 8d85f4fdffff } - $sequence_2 = { bb01000000 8b461c 83782c00 7421 8b4614 3bc2 761a } - $sequence_3 = { 7524 a1???????? a3???????? a1???????? c705????????24961010 8935???????? } - $sequence_4 = { 51 8b4508 b94d5a0000 66c7004d5a 663908 7404 33c0 } - $sequence_5 = { ff15???????? 53 50 8985ecfdffff 899de8fdffff ff15???????? } - $sequence_6 = { 741c 8d45cc 50 c745cc0b000000 c745f03ce51210 e8???????? 
85c0 } - $sequence_7 = { 885dda c78504ffffff5245475f c78508ffffff45585041 c7850cffffff4e445f53 66c78510ffffff5a00 c78574ffffff5245475f c78578ffffff44574f52 } - $sequence_8 = { 897dfc 8b3d???????? ffd7 6a01 ff35???????? 8d8dbc60ffff ff35???????? } - $sequence_9 = { 8bf1 837e1410 57 7202 8b0e 8b450c } + $sequence_0 = { 0f84030d0000 0fb602 ff4dfc 8bce d3e0 42 83c608 } + $sequence_1 = { b8???????? e9???????? 8d8de0fdffff e9???????? 8b542408 8d420c 8b8adcfdffff } + $sequence_2 = { 33d2 8bc1 5f f7f7 8bc1 83e01f 85d2 } + $sequence_3 = { 83fb20 750a bf???????? e9???????? 83fb09 750a bf???????? } + $sequence_4 = { 58 8985c0fdffff 8985bcfdffff 8d85c8fdffff 50 8d45cc } + $sequence_5 = { 8b10 8bc8 ff5208 8845fc 56 8b7508 57 } + $sequence_6 = { c7459475654100 8d4588 50 8d45d4 50 } + $sequence_7 = { 6a08 e8???????? c74628a0e51210 8b4620 a900800000 7408 0d00400000 } + $sequence_8 = { 39be200e0000 7431 57 c745ece8d31310 e8???????? 8bd8 895df0 } + $sequence_9 = { 7d08 8bc3 c1f810 8807 47 837dfc02 7d08 } condition: 7 of them and filesize < 3516416 
@@ -103028,36 +103402,36 @@ rule MALPEDIA_Win_Nullmixer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "07ba7e58-2a57-502b-80f6-37285125f4cb" - date = "2026-01-05" - modified = "2026-01-06" + id = "53d3fed6-4623-5ac9-9538-a44c9abd6b59" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nullmixer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nullmixer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ef3e886b25db0cbcc96c6b82a5addac8533ba94ae036aa8c2ef621bf053010dc" + logic_hash = "a2cb4acecc7a6bf96d714bc680e05cb2cc8dcefda96673ef9b926be25c4d5bd9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85f6 0f8ed1000000 894c2418 8b7b68 c1e603 31d2 895c241c } - $sequence_1 = { e9???????? 8b4500 89e9 ff5028 8b442418 8b7c2454 8b5804 } - $sequence_2 = { 89ce 0f8586010000 38d0 0f84b9010000 0fb7442464 8b4c2460 6683f8ff } - $sequence_3 = { 8b45bc 85c0 0f8536020000 807dc001 0f842c020000 8b4520 31c9 } - $sequence_4 = { 83ec08 0fb6442420 8b7c2428 c7042400000000 8b542430 88442407 8b442424 } - $sequence_5 = { e8???????? 8b44243c b925000000 8b10 8b5218 81fa???????? 0f842bffffff } - $sequence_6 = { ff5210 0fbe17 89e9 89c3 8b4500 83ec04 891424 } - $sequence_7 = { e8???????? 
b902000000 89c6 89c3 f3a6 0f97c0 1c00 } - $sequence_8 = { 0f85baf9ffff 0fb7550c 8d4508 e8???????? 89c3 0fb64610 e9???????? } - $sequence_9 = { 8b842488000000 8b942494000000 8b00 894c2404 8954240c 8b8c2480000000 8b942490000000 } + $sequence_0 = { 8b04bb 8b0486 890424 e8???????? 8b4de0 8904b9 83c701 } + $sequence_1 = { 0f85ac020000 807dc000 740a f75dc8 8355cc00 f75dcc 8b5d20 } + $sequence_2 = { 55 89e5 56 53 51 81ecbc020000 e8???????? } + $sequence_3 = { 8b45cc 31d2 8b480c 394808 0f8207fdffff 89c1 8b00 } + $sequence_4 = { 0f9fc2 01c7 0855bb 8345cc01 8b4108 3b410c 0f8301030000 } + $sequence_5 = { 83c701 39f9 75f0 89bc24ac000000 896c2440 8b6c2444 90 } + $sequence_6 = { 0fb645b2 8b4d08 8845b1 8b4108 3b410c 72ac 8b01 } + $sequence_7 = { 8b4108 3b410c 0f8384000000 0fb700 31d2 6683f8ff 0f856ffcffff } + $sequence_8 = { 83ec2c 8b44244c 8b542440 8b742454 8b5c2450 0fbe4c2444 8b7c2448 } + $sequence_9 = { 8b4d14 89c7 8b450c c7470400000000 8b00 c707???????? c7470800000000 } condition: 7 of them and filesize < 2351104 
@@ -103067,36 +103441,36 @@ rule MALPEDIA_Win_Rawpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1ae7866b-5a11-5ecd-acc1-985240e6eeca" - date = "2026-01-05" - modified = "2026-01-06" + id = "953e9958-d149-5fc7-9d47-80442b5b13c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rawpos_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rawpos_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "db91ad955030d7923a8e659a49a2b9f0e663571d73f741166c9c17758223d91f" + logic_hash = "c25d6d34739f7ea2f739778585e7ad14c15e952ff86d0c0172ae04f9628b3005" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 85c0 757b 0fbe4604 50 e8???????? 59 } - $sequence_1 = { 8bf8 33c0 8a07 83f845 7c05 b845000000 83f83b } - $sequence_2 = { 5d c3 55 8bec 83c4dc 33c0 33d2 } - $sequence_3 = { e8???????? 83c408 85c0 0f842e070000 8b4520 8d4df4 50 } - $sequence_4 = { 8bc3 f7d8 83f803 750a bb08000000 e9???????? } - $sequence_5 = { 837df400 7507 8bf7 e9???????? 803f10 7526 } - $sequence_6 = { c646ff10 c60601 46 8a45d0 8806 46 } - $sequence_7 = { 8a13 80c2d3 80ea02 720f 80c2fe 80ea02 7207 } - $sequence_8 = { 53 8b4510 83c6ff 50 57 52 e8???????? 
} - $sequence_9 = { eb03 83c8ff 5f 5e 5b 59 5d } + $sequence_0 = { 7503 47 eb03 83c705 8b4de0 8079013f 0f8560feffff } + $sequence_1 = { 0fbec3 83e07f 80b874f5420001 740e ff4df0 8b55f0 85d2 } + $sequence_2 = { 8bd3 83fa58 7f18 7440 83ea29 744d 83ea04 } + $sequence_3 = { 803f22 0f94c2 83e201 83c703 8955e4 } + $sequence_4 = { 59 8945e0 837de0ff 8bd8 0f848b070000 f6c380 } + $sequence_5 = { 55 8bec 53 8b5d08 6a00 6a00 6a00 } + $sequence_6 = { 33d2 53 56 57 8b7514 33ff } + $sequence_7 = { 833c9000 7d08 8b4b2c 2bce 41 eb13 8b4304 } + $sequence_8 = { 53 56 8b5510 8b4d0c 8b4508 8a18 80eb0c } + $sequence_9 = { 0f85c4fdffff ff45e0 e9???????? 8b55f0 83c203 03fa e9???????? } condition: 7 of them and filesize < 466944 @@ -103110,7 +103484,7 @@ rule MALPEDIA_Win_Unidentified_063_Auto : FILE date = "2022-11-21" modified = "2022-11-25" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_063_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_063_auto.yar#L1-L124" license_url = "N/A" logic_hash = "14c180eecdf0e6fbf2b936d6c444ad58c2e649e1fa770106e8719057ee1aefbd" score = 75 
@@ -103145,36 +103519,36 @@ rule MALPEDIA_Win_Webbytea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "af3cfaf5-47ae-5df3-b1d3-9a9fcbf06c59" - date = "2026-01-05" - modified = "2026-01-06" + id = "54a85005-dc61-5466-8f64-ad5658b9c66f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webbytea_auto.yar#L1-L110" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webbytea_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "f1288f1b53f639ade5d87a2ce49a70d5b29a0fbdd563d1f0066de9197507a949" + logic_hash = "d491d30ef5dc343235866a9238b4d84cb5dbf778ca8632a319283f3924886196" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8901 488d542430 488b4c2420 ff15???????? } - $sequence_1 = { 8901 488d542430 488b4c2420 ff15???????? 85c0 } - $sequence_2 = { ff15???????? 85c0 7422 41b904000000 } - $sequence_3 = { ff15???????? 85c0 7444 41b904000000 } - $sequence_4 = { c68424f000000043 c68424f100000072 c68424f200000065 c68424f300000061 c68424f400000074 } - $sequence_5 = { ffc0 488b8c2488020000 8901 488d542430 488b4c2420 ff15???????? 
85c0 } - $sequence_6 = { 4803c8 488bc1 48c744243000000000 c744242800000000 } - $sequence_7 = { c68424f100000072 c68424f200000065 c68424f300000061 c68424f400000074 c68424f500000065 } - $sequence_8 = { 8b00 ffc0 488b8c2488020000 8901 } - $sequence_9 = { c68424f100000072 c68424f200000065 c68424f300000061 c68424f400000074 } + $sequence_0 = { 891481 488b842488020000 8b00 ffc0 488b8c2488020000 8901 488d542430 } + $sequence_1 = { 4803c8 488bc1 48c744243000000000 c744242800000000 4889442420 } + $sequence_2 = { 488bf9 488bf2 8bc8 f3a4 } + $sequence_3 = { e9???????? c744242000000000 4533c9 4533c0 33d2 33c9 ff15???????? } + $sequence_4 = { 488b8c2480020000 8b542438 891481 488b842488020000 8b00 } + $sequence_5 = { 488b842488020000 8b00 ffc0 488b8c2488020000 } + $sequence_6 = { 8901 488d542430 488b4c2420 ff15???????? } + $sequence_7 = { 488bc1 48c744243000000000 c744242800000000 4889442420 } + $sequence_8 = { 8b00 ffc0 488b8c2488020000 8901 488d542430 } + $sequence_9 = { ffc0 488b8c2488020000 8901 488d542430 488b4c2420 ff15???????? 85c0 } condition: 7 of them and filesize < 552960 
@@ -103184,36 +103558,36 @@ rule MALPEDIA_Win_Cadelspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "239b2d97-ceb8-5e5b-be90-aeb9b9fcf209" - date = "2026-01-05" - modified = "2026-01-06" + id = "09d1758f-a520-5c0d-81b5-c2deb27a970c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cadelspy_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cadelspy_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "b4d9cbb0d8867220f80a8ce48db839eded436dcbd892904385e6486261b96542" + logic_hash = "fce9390a5d669b33d92b5af3d935821f8b211b393683ce55eed8363c1b662d0d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3d01010000 7d0d 8a4c181c 888840360110 40 ebe9 } - $sequence_1 = { 7413 50 8b44241c 56 e8???????? 8bf8 59 } - $sequence_2 = { 89742424 e8???????? 33c0 bf06020000 57 6689842484040000 8d842486040000 } + $sequence_0 = { 03c7 66890c43 47 eb08 85ff 7e02 } + $sequence_1 = { ff750c be04010000 8bce e8???????? 8b550c 59 } + $sequence_2 = { 2b34bd004c0110 c1fe06 8bc7 c1e005 03f0 8975e4 837de4ff } $sequence_3 = { 8d9c2464020000 e8???????? 68???????? 8d9c2464020000 e8???????? } - $sequence_4 = { 8d859e000000 50 e8???????? 
83c40c 56 8d859c000000 50 } - $sequence_5 = { 89742424 89742428 8974242c 89742430 89742434 89742438 e8???????? } - $sequence_6 = { 56 57 33ff 8db7b03e0110 ff36 e8???????? } - $sequence_7 = { ff742414 ffd3 8bc6 e8???????? 33c0 40 eb02 } - $sequence_8 = { 40 8b8d94260000 5f 5e 33cd 5b e8???????? } - $sequence_9 = { 39742414 0f84d3000000 397508 7474 8b4508 } + $sequence_4 = { ff15???????? 50 ff15???????? c9 c3 a1???????? } + $sequence_5 = { 83658000 8d4584 53 50 e8???????? 0fbe4584 } + $sequence_6 = { 68???????? eb44 837d8c06 7543 68???????? eb37 8d856c030000 } + $sequence_7 = { 8bcf 8d950cf9ffff e8???????? 33c0 } + $sequence_8 = { bf04010000 57 8d8504f7ffff 50 53 } + $sequence_9 = { 8d7902 668b31 41 41 6685f6 } condition: 7 of them and filesize < 204800 
@@ -103223,36 +103597,36 @@ rule MALPEDIA_Win_Zerocleare_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "44db0221-dc66-5a41-bbf8-146a25155baf" - date = "2026-01-05" - modified = "2026-01-06" + id = "aaffbb51-ae5a-5a33-af37-f6ca4beb1006" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zerocleare_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zerocleare_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "e4821dd22695093410a23835df9e39372b43fe15a2de70debfb45b9cb2592dab" + logic_hash = "e2a432e71bba9b73c9875d571cdcfbba9fb777bd921eb709f6641897385aefd0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d45d0 837de408 68???????? 0f4345d0 68000000c0 50 e8???????? } - $sequence_1 = { ff249d01c04000 8b46e4 3b42e4 744f 0fb6f8 0fb642e4 2bf8 } - $sequence_2 = { 8b049d40fd4400 f644082801 7469 56 } - $sequence_3 = { 8b0cb540fd4400 83c410 8985f4efffff 8bc2 8b95f4efffff } - $sequence_4 = { 6a05 e8???????? 83c404 6a00 ff74f704 ff34f7 } - $sequence_5 = { 56 8b7508 ff34b5109f4300 e8???????? 50 ff34b52c9f4300 8d4dec } - $sequence_6 = { 7cde 68???????? e8???????? 
8b8504f8ffff } - $sequence_7 = { 83c404 89460c 83fa08 722e } - $sequence_8 = { 833d????????00 0f852ce4ffff 8d0dc0524400 ba1b000000 e9???????? a900000080 } - $sequence_9 = { c7401000000000 c7401407000000 668908 c645fc04 8b9530f7ffff 83fa08 727f } + $sequence_0 = { 83e03f c1f906 6bc038 8b0c8d40fd4400 } + $sequence_1 = { 83bdd4f7ffff08 6a00 0f4385c0f7ffff 51 50 ffd7 } + $sequence_2 = { 894304 8b45ec 03c1 894308 } + $sequence_3 = { 8d04c1 894304 8b45ec 03c1 894308 8b03 } + $sequence_4 = { 8d04c1 894304 8b45ec 03c1 894308 } + $sequence_5 = { 59 6a05 c74048b0d24400 8b4508 6689486c } + $sequence_6 = { 8b07 8b5610 83c03d c745e801000000 } + $sequence_7 = { 85c0 751f ff15???????? 50 8d4c2408 e8???????? 68???????? } + $sequence_8 = { 85c0 0f84d5460000 c3 833d????????ff 7503 33c0 } + $sequence_9 = { 0f94c1 fec9 8b148540fd4400 80e102 8a44172d 24fd 0ac8 } condition: 7 of them and filesize < 42670080 
@@ -103262,36 +103636,36 @@ rule MALPEDIA_Win_Zlob_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "05847610-c838-5d32-b338-8d5b68ddc2fc" - date = "2026-01-05" - modified = "2026-01-06" + id = "1b045870-3579-5b37-8649-8502496e8dd8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zlob_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zlob_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "540ffbf034a9c137ad7d038d10b65fce4aa537a82bbe9b720e7907a3d6dfd9c7" + logic_hash = "53c3fe91e6079d14e63606f225d38c0173ddfe4ceefd38ebdb6c4dc75eee82af" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8944241c c70424e8030000 e9???????? ffd3 ffd3 ffd6 } - $sequence_1 = { 0f8436010000 ffd5 ffd5 ffd6 ffd7 } - $sequence_2 = { ffd7 ffd6 ffd7 ffd6 ffd6 ffd7 8d842440020000 } - $sequence_3 = { 50 ffd6 85c0 750d 6a08 6a01 57 } - $sequence_4 = { c685f5fdffff31 c685f6fdffff65 c685f7fdffff30 c685f8fdffff2d c685f9fdffff64 c685fafdffff65 } - $sequence_5 = { 8d4c242c e8???????? 8b442448 89442410 eb05 834c2410ff 8d4c241c } - $sequence_6 = { 742e 6a03 ff75f0 ff15???????? 85c0 751f 6a03 } - $sequence_7 = { c644241301 ff742414 ff15???????? 8b3d???????? ff742418 ff15???????? 
} - $sequence_8 = { 6a0c a3???????? e8???????? 59 85c0 } - $sequence_9 = { 895104 e8???????? c20400 56 57 8b7c240c 8bc7 } + $sequence_0 = { ff15???????? 83c40c ffd3 ffd3 ffd6 ffd7 } + $sequence_1 = { ffd6 ffd6 ffd5 6a10 8d442420 6a00 50 } + $sequence_2 = { ffd6 ffd7 ffd6 ffd6 ffd7 8d85f0feffff 50 } + $sequence_3 = { ffd7 ffd6 ffd6 ffd7 ffb4242c010000 ff15???????? } + $sequence_4 = { eb5b 807c241c00 7408 3b4510 7303 894510 ffd3 } + $sequence_5 = { ffd7 8d45c4 50 ff15???????? 85c0 7511 8d45c4 } + $sequence_6 = { 83c504 8b4500 8bcd ff5018 85c0 0f8ee8000000 } + $sequence_7 = { c68503ffffff30 c68504ffffff66 c68505ffffff38 c68506ffffff2d c68507ffffff39 c68508ffffff34 c68509ffffff34 } + $sequence_8 = { 83c424 6a00 6800000080 6a03 6a00 6a01 68000000c0 } + $sequence_9 = { f645fc20 7504 b001 c9 c3 32c0 c9 } condition: 7 of them and filesize < 98304 
@@ -103301,36 +103675,36 @@ rule MALPEDIA_Win_Fireball_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a3428bf8-96e6-53b5-b02d-f9e2f263c340" - date = "2026-01-05" - modified = "2026-01-06" + id = "134aaca1-fed7-50ba-99e6-c35fcb34af08" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fireball_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fireball_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "0f22d443c5f81dd9534cb92d3695167967ab7b76ab570ebe6d321bfdbed116f0" + logic_hash = "f41f7e819b09c5fb96f2b4b77af5e9c9c0d8d50925493c69bae722c4022b21cf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837c242008 c78424c800000007000000 c78424c400000000000000 66898424b4000000 } - $sequence_1 = { 8d842484000000 50 8d9424d0000000 8d8c24a8010000 c68424cc01000009 e8???????? } - $sequence_2 = { 83c404 33c0 83bc249800000008 c744246807000000 c744246400000000 } - $sequence_3 = { 83bc24b000000008 c784248000000007000000 c744247c00000000 668944246c 7228 } - $sequence_4 = { 8b0e e8???????? 
eb2a ff750c } - $sequence_5 = { 5e c3 55 8bec 8b4508 ff34c5a8f52400 } - $sequence_6 = { 3a503a 683a783a7c 3a803a843a98 3a9c3aa03ab83a } - $sequence_7 = { 0f43842480000000 6a00 50 ffd7 8d442464 50 } - $sequence_8 = { e9???????? 8d8d44fbffff e9???????? 8d8d44fbffff e9???????? 8b542408 8d823cfbffff } - $sequence_9 = { 80bda7fdffff00 8b5d1c 8b7d18 8b7508 741d 57 8d4508 } + $sequence_0 = { b101 e8???????? 83c418 85c0 744f 6a01 } + $sequence_1 = { e8???????? 56 e8???????? 83c404 33c0 83bc247001000008 c78424a001000007000000 } + $sequence_2 = { 8bb42444010000 8d4c240b e8???????? 51 e8???????? 8d4c240b e8???????? } + $sequence_3 = { eb76 56 e8???????? 59 8365fc00 8b049d000a2500 f644380401 } + $sequence_4 = { 668906 83c602 eb33 58 668906 8b0c95000a2500 } + $sequence_5 = { 8bf7 2b349d000a2500 c1fe06 8bc3 c1e005 03f0 } + $sequence_6 = { 8b45f4 59 7471 8b0c85000a2500 f644190480 7463 8d45e0 } + $sequence_7 = { 6800100000 8d85fcefffff 6a01 50 e8???????? 83c410 33d2 } + $sequence_8 = { e8???????? 83c410 85c0 7560 8d642400 57 6800100000 } + $sequence_9 = { 64a300000000 6a01 33c0 68???????? 8d8c2404010000 c784241801000007000000 c784241401000000000000 } condition: 7 of them and filesize < 335872 
@@ -103340,36 +103714,36 @@ rule MALPEDIA_Win_Pathloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e986434-599f-5205-bbd3-c4644fef6a44" - date = "2026-01-05" - modified = "2026-01-06" + id = "1d6ea3d6-75e6-543d-af49-90acc1dad5eb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pathloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pathloader_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pathloader_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "7556d740969ba30806ff23ef7c71f55747c108deea39b5487e7d46d63a258306" + logic_hash = "e8275a457d5a8c2740af5a98f9a61f097bbf8757b3b029afa0b2fadd2cd2878d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7742 498bc8 e8???????? 4c897710 48c747180f000000 } - $sequence_1 = { 41ffd0 498986d8000000 488d55c8 48837de008 480f4355c8 4533c9 450fb786a0000000 } - $sequence_2 = { 7524 488d0d5e940200 e8???????? 85c0 7510 488d0d66940200 e8???????? } - $sequence_3 = { 488d15ea240100 e8???????? 8bcb 4885c0 740c } - $sequence_4 = { 0fb705???????? 6689442460 0fb605???????? 88442462 448bc1 4183ff02 } - $sequence_5 = { 4c63d2 488bd9 498bc2 458bf1 48c1f806 488d0dc0a20100 } - $sequence_6 = { 57 4883ec20 e8???????? 488b05???????? 
488d1d2ffe0100 4885c0 480f45d8 } - $sequence_7 = { 488bfa 488bd9 49894ba8 498953b0 4533f6 45897398 } - $sequence_8 = { 410fb641ff 440f47c2 4533c2 4569d093010001 84c0 75d7 4181fad26d58ad } - $sequence_9 = { e8???????? 84c0 0f8422ffffff 44383d???????? f20f1005???????? 0fb705???????? } + $sequence_0 = { ffd0 49898688000000 4885c0 0f8577030000 0f1005???????? 0f11442468 0fb705???????? } + $sequence_1 = { eb56 4883f810 7350 4883f910 724a 488b3b 4c8d4501 } + $sequence_2 = { 44887580 488d15a6bc0200 49c7c5ffffffff 4d8bc5 49ffc0 } + $sequence_3 = { 488d4827 483bc8 490f46cd e8???????? 4885c0 } + $sequence_4 = { 488bda 488bf9 48894de7 488955ef 4c8945f7 4533ed 44896db7 } + $sequence_5 = { ffd0 488bc8 4c8d45c8 488d45c0 41b940000000 488d55b0 } + $sequence_6 = { ffd3 eb00 e8???????? 90 cc 33c0 4c8d0deb4b0100 } + $sequence_7 = { 0f1f4000 660f1f840000000000 b809cb3d8d 4d8d4901 41f7e8 4103d0 c1fa05 } + $sequence_8 = { 7462 8b7e20 0f1f4000 0f1f840000000000 41ffca 418bda } + $sequence_9 = { 488bc8 e8???????? 66660f1f840000000000 498b8f90000000 488d55d4 41ff9718010000 85c0 } condition: 7 of them and filesize < 464896 
@@ -103379,36 +103753,36 @@ rule MALPEDIA_Win_Spygrace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3c99942d-74fe-50f1-a9c2-d735c42e0b85" - date = "2026-01-05" - modified = "2026-01-06" + id = "1c1fe014-1102-5578-bc7d-079a9011a6e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spygrace" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spygrace_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spygrace_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "4d1aafea2b2d6148a5221a777c3a4ed202ce4fd229ea04549615dae7ae9b5684" + logic_hash = "6e55f9093d424c6d2765e46b0480ae56daf5fc27c377637de7ac7a628aa7f53f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 742a 488bc5 4c8d05d90c0300 488bcd 48c1f906 83e03f } - $sequence_1 = { 488bc3 48397b18 7203 488b03 48894c2430 4889442428 48c744242013000000 } - $sequence_2 = { bb01000000 4533e4 448d4b5b 6644394c48fe 7440 483bca 731c } - $sequence_3 = { 488d4db0 48837dc808 480f434db0 ffd2 85c0 0f85b0010000 4d8d86a0020000 } - $sequence_4 = { 490f42c0 488d4dd0 48837de808 480f434dd0 4c2bc0 4c8945e0 4e8d044502000000 } - $sequence_5 = { 488d4d1f e8???????? 
90 488b4b10 48b8ffffffffffffff7f 482bc1 4883f807 } - $sequence_6 = { 4c8b4110 488bf1 4d85c0 b901000000 490f45c8 488be9 } - $sequence_7 = { e8???????? e9???????? 49638dd0330000 e8???????? 4889442448 498bce be10000000 } - $sequence_8 = { 488d05bbc60200 4889442460 488d05c7c60200 4889442468 488d05cbc60200 4889442470 488d05cfc60200 } - $sequence_9 = { 498bc8 e8???????? 4883a31004000000 488bcb 48c783180400000f000000 c6830004000000 4883c420 } + $sequence_0 = { 488d8a30000000 e9???????? 488d8a90000000 e9???????? 488d8ae8000000 e9???????? 488d8aa8000000 } + $sequence_1 = { eb1e 488bc3 498784f640380600 4885c0 7409 488bcb ff15???????? } + $sequence_2 = { 7203 488b12 488bcb e8???????? 488d93c0020000 48396a18 7203 } + $sequence_3 = { c645df00 488b5517 4883fa10 722e 48ffc2 488b4dff 488bc1 } + $sequence_4 = { 488b55a0 483bd7 0f829e050000 48ffc2 488b4d88 } + $sequence_5 = { 44887c2468 488b542458 4883fa10 722e 48ffc2 488b4c2440 488bc1 } + $sequence_6 = { 48035708 0fb60a 83e10f 4c8d05e8b8fdff 4a0fbe8401d8510400 420fb68c01e8510400 482bd0 } + $sequence_7 = { 90 488d4dcf e8???????? 8bc3 488b4d0f 4833cc e8???????? } + $sequence_8 = { 488d542478 488d4d40 e8???????? 488b5590 483bd6 7232 } + $sequence_9 = { f30f7f4537 c6452700 488365c700 660f7f45d7 c645c700 488365e700 } condition: 7 of them and filesize < 865280 
@@ -103418,48 +103792,48 @@ rule MALPEDIA_Win_Simplefilemover_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "01e3a38c-ca1c-54f8-8b63-a6fb5042b331" - date = "2026-01-05" - modified = "2026-01-06" + id = "fe7f1173-936a-59a5-be67-c1759f3eaafe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.simplefilemover_auto.yar#L1-L220" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.simplefilemover_auto.yar#L1-L219" license_url = "N/A" - logic_hash = "127d7e5e1cb1879a98229e20253c6e3598e5576a92a3becd73c38551f6d4a8f9" + logic_hash = "e98482deeb7c570cb88ff9037be4fb890cd449b80eb64a7d927279cdad8d5053" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8bfc f3a5 e8???????? 81c420020000 } - $sequence_1 = { 7d07 33c0 e9???????? 6820020000 ff15???????? } - $sequence_2 = { e8???????? 81c420020000 85c0 7407 68???????? eb05 68???????? } + $sequence_1 = { 33c0 e9???????? 6820020000 ff15???????? } + $sequence_2 = { 81c420020000 85c0 7407 68???????? eb05 68???????? } $sequence_3 = { b988000000 8bf3 8bfc f3a5 } - $sequence_4 = { 57 668b01 33f6 33db 33ff } - $sequence_5 = { 750f c78508daffff00000000 e9???????? 
6a04 8d8d54daffff } - $sequence_6 = { 3bc3 0f8ec7020000 0145ec 397dec 7416 8b45ec } - $sequence_7 = { 7433 8bcb 663d5c00 7503 } - $sequence_8 = { 56 8b74241c 57 8a8800010000 8a9001010000 33ff 884c2408 } - $sequence_9 = { 8b742424 53 81e1ff000000 55 81e6ff000000 } - $sequence_10 = { 3bfb 0f8c54ffffff 8a4c242c 5d 5b 5f } - $sequence_11 = { 895df4 eb03 8b7df0 8d4601 be00010000 99 } - $sequence_12 = { 8b7c2418 8b5c2428 47 897c2418 0fbfff 3bfb 0f8c54ffffff } - $sequence_13 = { 8b7c2424 b940000000 f3a5 83c40c } - $sequence_14 = { e8???????? 83c410 e9???????? 83bd24daffff00 7e0c c78508daffff00000000 } - $sequence_15 = { 83c102 42 6685c0 75ea 85f6 7417 8b4c2414 } - $sequence_16 = { 0f8eda000000 8b4c2408 8b742424 53 } - $sequence_17 = { ebca ebc8 ebc6 ebc4 ebc2 } - $sequence_18 = { 50 8d85b0ddffff 50 e8???????? 8b45f4 03c0 } - $sequence_19 = { 6a00 6a00 6a04 6a00 6a02 6800000040 8d85f8fdffff } - $sequence_20 = { 50 ff15???????? 898510daffff 6a00 } - $sequence_21 = { 51 8b9554faffff 52 ff15???????? 898508daffff 83bd08daffffff } + $sequence_4 = { 7908 4b 81cb00ffffff 43 885c242c 8a5c241c 8b74242c } + $sequence_5 = { 6a00 8b8504daffff 50 ff15???????? 898510daffff 6a00 } + $sequence_6 = { e8???????? 8d85a4ddffff 57 50 8d45f8 } + $sequence_7 = { 7518 6a00 6a00 8d8554daffff 50 8b8d04daffff } + $sequence_8 = { 8b742410 57 56 50 51 } + $sequence_9 = { 6a00 6a00 8d8d28daffff 51 } + $sequence_10 = { 6685c0 7433 8bcb 663d5c00 } + $sequence_11 = { 8bfa 46 668b4102 83c102 42 6685c0 75ea } + $sequence_12 = { 6a00 ffd7 ff7508 8d4302 50 ff15???????? ff7604 } + $sequence_13 = { 8b7c2418 8b5c2428 47 897c2418 0fbfff 3bfb 0f8c54ffffff } + $sequence_14 = { 8d8d00ffffff 51 e8???????? 83c404 50 } + $sequence_15 = { bf00010000 99 f7ff 0fb6c2 8945f0 } + $sequence_16 = { 8a4c242c 5d 5b 5f 889000010000 888801010000 } + $sequence_17 = { 85f6 7417 8b4c2414 8d447b02 50 } + $sequence_18 = { 888801010000 5e 83c410 c3 5f 888800010000 } + $sequence_19 = { 83c404 c78508daffff00000000 e9???????? 
6a00 } + $sequence_20 = { 6a10 50 ff75fc ffd6 83f8ff 7558 ff15???????? } + $sequence_21 = { 6a01 6a00 8b8508daffff 2b85fcd9ffff 50 } condition: 7 of them and filesize < 57344 
@@ -103469,41 +103843,41 @@ rule MALPEDIA_Win_Sage_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ee390467-2b1f-5dff-a025-ffcdbd989eda" - date = "2026-01-05" - modified = "2026-01-06" + id = "3a539e9d-a70e-5ad2-9b0e-112b996f2a74" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sage_ransom_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sage_ransom_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "f697fb2bbef92176cedab9ef91a434357e32fdc073b94b3d51cf50581ce561f1" + logic_hash = "2d47f12a7cf9280840e859322435f629337f5cf352768d420cf4b487a986726d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 01442410 ff15???????? 8bc8 8b442410 2b4c2438 } - $sequence_1 = { 755b 6683780200 7554 6aff ff15???????? 85c0 } - $sequence_2 = { c1e910 0fb74c4c18 c1e010 0bc8 8bd1 } - $sequence_3 = { 837c241000 750b 837c241400 0f84d8000000 8b442410 be00000200 3bc6 } - $sequence_4 = { bbfdffffff 8d4c240c 51 e8???????? 8d54241c 52 } - $sequence_5 = { 56 57 6af5 ff15???????? 8b15???????? 83c204 52 } - $sequence_6 = { 6a41 56 52 e8???????? 56 } - $sequence_7 = { 8bf1 33d2 3bf7 732a 8a06 } + $sequence_0 = { 56 e8???????? 
83c410 33c0 85ff 7419 803c302b } + $sequence_1 = { 6a20 83c620 8d442408 56 50 e8???????? } + $sequence_2 = { 56 ff15???????? 83f8ff 7515 56 ff15???????? 6a11 } + $sequence_3 = { 8d4c2440 51 8d542464 52 e8???????? 8b84243c010000 83c020 } + $sequence_4 = { 894e04 8b502c 8d4c3f02 51 8916 } + $sequence_5 = { e8???????? 83c404 bbfdffffff 8d4c240c 51 e8???????? 8d54241c } + $sequence_6 = { ff15???????? 5f 33c0 5e 59 c3 56 } + $sequence_7 = { 51 e8???????? 83c41c 85c0 7907 83c8ff } $sequence_8 = { 014110 8b4314 014114 8b4318 } $sequence_9 = { 014108 8b430c 01410c 8b4310 } - $sequence_10 = { 01410c 8b4310 014110 8b4314 } - $sequence_11 = { 891c24 89442404 e8???????? 8d964ba20000 c744240879020000 } - $sequence_12 = { 014114 8b4318 014118 8b431c } - $sequence_13 = { 013c13 83c102 46 ebd3 } - $sequence_14 = { 0101 8b4304 014104 8b4308 014108 } + $sequence_10 = { 014114 8b4318 014118 8b431c } + $sequence_11 = { 891c24 89442404 e8???????? 891c24 c744240467000000 e8???????? } + $sequence_12 = { 013c13 83c102 46 ebd3 } + $sequence_13 = { 0101 8b4304 014104 8b4308 014108 } + $sequence_14 = { 01410c 8b4310 014110 8b4314 } $sequence_15 = { 0119 117104 83c110 83c210 } condition: 
@@ -103514,36 +103888,36 @@ rule MALPEDIA_Win_Screencap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "379c64a1-3968-5838-b405-32978ebeeb34" - date = "2026-01-05" - modified = "2026-01-06" + id = "c330655e-8db1-503c-b0f5-bd3d36e3ae9c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.screencap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.screencap_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.screencap_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "2175ebdcdf09489a5c3e9d1a0443dafe26fb70adb28f0b3b4f8cf2a642f56129" + logic_hash = "e2fba7936b94145a817d72ed995b006b5ea28dbc59b8ee8eeb93132ef484504e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 750d 6800000080 6a06 ff15???????? } - $sequence_1 = { 488d0d1aba0000 e8???????? cc 488b4118 } - $sequence_2 = { 488d1557c90000 eb2b 488d153ec90000 eb22 } - $sequence_3 = { 488d156cd90000 488d8d90020000 4d8bc7 e8???????? 488d9580010000 488d4c2470 4533c9 } - $sequence_4 = { 48895c2408 57 4881ecb0000000 488d054cffffff 33db ba007f0000 33c9 } - $sequence_5 = { 4c8d442460 33d2 33c9 41d1e9 896c2428 4889742420 } - $sequence_6 = { eb4e 8d4306 39842420100000 7640 6a04 687c334700 55 } - $sequence_7 = { e9???????? 488d1554ca0000 e9???????? 498bd7 e9???????? 488d1570c60000 e9???????? 
} - $sequence_8 = { e9???????? 4c8bfb 4c8be3 488d055eeb0000 49c1fc05 4183e71f 4a8b0ce0 } - $sequence_9 = { 83c40c 8945a4 8975c8 897dcc 8975d0 8975d4 c645d800 } + $sequence_0 = { b900040000 ff15???????? 488bf8 4885c0 747f 488d4c2452 } + $sequence_1 = { 488bcb 666666660f1f840000000000 0fb68431a8f70000 48ffc1 88440c77 84c0 } + $sequence_2 = { 4533c9 ff5018 85c0 0f88a4000000 488b0d???????? } + $sequence_3 = { ff15???????? 488d0d3e380100 33d2 e8???????? 488d0d30380100 85c0 740c } + $sequence_4 = { e8???????? 482be0 488b05???????? 4833c4 488985a01d0000 ff15???????? 483b05???????? } + $sequence_5 = { e9???????? 488d1560ca0000 e9???????? 488d15eccb0000 e9???????? 488d15d0cb0000 e9???????? } + $sequence_6 = { 8d8424c8000000 6854334700 50 e8???????? ffb424ec220000 8d8424da000000 } + $sequence_7 = { 488b05???????? 4833c4 4889842400010000 488b0d???????? } + $sequence_8 = { 488bd5 8bdf e8???????? 85ff 741c } + $sequence_9 = { 4c8d4308 488d442420 4c2bc0 0fb610 420fb60c00 2bd1 } condition: 7 of them and filesize < 1391616 
@@ -103553,36 +103927,36 @@ rule MALPEDIA_Win_Crypt0L0Cker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "36a9a672-4992-57ea-891c-f29c4225a913" - date = "2026-01-05" - modified = "2026-01-06" + id = "337d44b2-46d4-5e7e-a734-714781e16443" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crypt0l0cker_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crypt0l0cker_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "b3cddc973c5366c89b799135e4693f1cb6d7cd129335c29ced490dcf89284e44" + logic_hash = "40b3f8f2093afa8cd8dce91e0fb7ec88299be59a2ac261908fb18d2d6bc2373b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bcb e8???????? eb05 bf03000000 56 6a01 682f5b5412 } - $sequence_1 = { 53 e8???????? 59 59 85c0 0f84bbfeffff 8b45f8 } - $sequence_2 = { 8bcf e8???????? 8b4c2418 e8???????? 85f6 740f 56 } - $sequence_3 = { 0f8e85000000 53 ff75fc 8d45a8 50 8bd0 8d4dbc } - $sequence_4 = { 33c1 894ee8 8946ec 8d042e c1f802 8b4c8314 8bc1 } - $sequence_5 = { 68???????? bac8cfa6d0 8bce e8???????? 83c404 85c0 0f85b2000000 } - $sequence_6 = { e8???????? 
83c40c 68fd010000 53 85f6 7506 } - $sequence_7 = { 3bf2 7301 47 03d8 895de8 3bd8 } - $sequence_8 = { 8be5 5d c3 55 8bec 83ec18 8bc2 } - $sequence_9 = { 0f8520080000 c74424143c000000 55 8d4900 837e3400 0f8505080000 833e01 } + $sequence_0 = { 7447 8802 42 8b048d0028a900 4e 807d1301 6a02 } + $sequence_1 = { 3bc1 7717 50 8b45f4 ff75f8 03c6 50 } + $sequence_2 = { e8???????? 83c404 85c0 0f8576010000 68???????? ba57a597ab 8bce } + $sequence_3 = { 49 898d2cfdffff 85c0 0f84cc040000 8b8530fdffff ffb524fdffff 40 } + $sequence_4 = { 8bc8 894dec 85c9 0f8433010000 8b45f8 3bf8 7f61 } + $sequence_5 = { 833e00 75f6 6a24 e8???????? 83c404 8906 85c0 } + $sequence_6 = { 52 8b55fc a5 50 } + $sequence_7 = { c1e210 c1e810 03fa 03c8 897de8 } + $sequence_8 = { 50 8d542420 e8???????? 83c408 85c0 0f84ce000000 } + $sequence_9 = { 57 e8???????? 83c40c 56 8b75f8 57 8d4610 } condition: 7 of them and filesize < 917504 
@@ -103592,36 +103966,36 @@ rule MALPEDIA_Win_Ddkong_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "18188be3-073f-50a3-9f50-97e094dccbb5" - date = "2026-01-05" - modified = "2026-01-06" + id = "91b7da66-9170-5306-b4ea-42fbe396c863" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ddkong_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ddkong_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "91db8e15d23c634005ba3b638556ede7055d1f867550b80fb7edc67358abbb64" + logic_hash = "0ef7fe80c2fc5b891afce198259ccc63a9d363920ceb0f9c18270ef26ba4025a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8065d300 8d45c0 50 53 ffd6 50 ffd7 } - $sequence_1 = { c644241561 c64424166c c644241746 c644241b00 ff15???????? 50 ff15???????? } - $sequence_2 = { ebcd 53 53 53 } - $sequence_3 = { bb???????? 50 53 c645a457 c645a561 c645a669 } - $sequence_4 = { 8d8500ffffff 50 53 ffd7 } - $sequence_5 = { 56 8b35???????? 8d45ec 57 bb???????? 50 53 } - $sequence_6 = { c645b474 8d45ac c645b541 50 8d45f0 } - $sequence_7 = { 8d45a4 bb???????? 
50 53 } - $sequence_8 = { 7427 837d08ff 7421 8d45dc 6a10 50 ff7508 } - $sequence_9 = { 50 ffd6 898504ffffff 8d45c4 } + $sequence_0 = { 894508 7447 56 50 } + $sequence_1 = { 03c7 03eb 8928 8b4104 42 83e808 } + $sequence_2 = { 6a04 e8???????? 8065ec00 8065c400 } + $sequence_3 = { 885c2426 c644242746 c644242872 88442429 8844242a c644242b00 ffd6 } + $sequence_4 = { c645f172 c645f276 c645f369 c645f463 c645f565 c645f653 c645f774 } + $sequence_5 = { ffd6 8985ecfeffff 8d4594 50 8d45f0 } + $sequence_6 = { c645d261 c645d364 8d45c8 50 } + $sequence_7 = { 898574ffffff 8d45e4 50 68???????? c645e443 c645e572 c645e665 } + $sequence_8 = { c645f854 c645f968 c645fa72 c645fb65 c645fc61 c645fd64 ff15???????? } + $sequence_9 = { c645d54e c645d661 c645d76d c645d865 c645d941 ffd7 } condition: 7 of them and filesize < 81920 
@@ -103631,36 +104005,36 @@ rule MALPEDIA_Win_Sobig_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f2079ef3-4c71-5dab-833c-5773ab6ef02f" - date = "2026-01-05" - modified = "2026-01-06" + id = "e3b61d69-b3b3-5107-871c-ab9a56977e6b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sobig_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sobig_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "0c745bccdca469dd967ba05a41b0d6b9484e837d88e70b86ce4dd51c26e4309d" + logic_hash = "df29896bef76ef85128a23e0a2929cae7dc7c292e0c773e515891b8846b960c8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c645fc01 e8???????? 56 8d4dc8 885dfc e8???????? 834dfcff } - $sequence_1 = { 48 85c9 742e 53 40 57 } - $sequence_2 = { 50 e8???????? 83ec10 8d45b0 8bcc 8965c4 50 } - $sequence_3 = { 034e18 83c418 c645fc03 51 } - $sequence_4 = { 7ced 85f6 7e15 8bce 8d75c0 8bc1 8bfb } - $sequence_5 = { 8d4ddc e8???????? 85c0 0f84a0000000 68???????? 8d4ddc } - $sequence_6 = { 7505 b8???????? 50 8d8544fbffff 68???????? 50 ff15???????? } - $sequence_7 = { e8???????? e9???????? 6a10 8d45ac 6a00 50 e8???????? } - $sequence_8 = { 83c320 3b7e04 7cee 5b ff36 e8???????? 
59 } - $sequence_9 = { 3b7e08 7ce6 83c8ff 5f 5e 5b c20400 } + $sequence_0 = { 5f 64890d00000000 c9 c21000 f605????????01 7507 800d????????01 } + $sequence_1 = { 4f 75cf 8d4dcc c645fc01 e8???????? 6a01 5e } + $sequence_2 = { eb7b 68???????? e8???????? 59 8b4d10 50 68???????? } + $sequence_3 = { 8d4dc8 e8???????? 8b470c c745fc06000000 8b00 ff30 e8???????? } + $sequence_4 = { e8???????? 8b4508 53 56 57 8d7104 } + $sequence_5 = { 6683e100 0fb7c0 0bc8 bb???????? 890f 895ddc } + $sequence_6 = { e8???????? 8d8e80000000 c645fc01 e8???????? bf???????? 57 } + $sequence_7 = { 5b c9 c20800 56 8b742408 57 8bf9 } + $sequence_8 = { 80fb7a 7ed5 5e 5b 5f c9 c3 } + $sequence_9 = { 8bc6 c1f905 83e01f 8b0c8d20bc4100 8d04c0 8d0481 8b4dfc } condition: 7 of them and filesize < 262144 
@@ -103670,36 +104044,36 @@ rule MALPEDIA_Win_Chairsmack_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b93b15a-7734-556f-a7b1-b4512d41aa64" - date = "2026-01-05" - modified = "2026-01-06" + id = "e80fc748-d8f4-5cbd-82ba-b945f81f35aa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chairsmack" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chairsmack_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chairsmack_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "1d38706ad5291374964e24dbf3b78379e0e5a0a84fd9338e0e05cc9f4e1d7fa2" + logic_hash = "ab6ef85d698b2a803b6d5555fc474274ae1cdbbc2f505b305e2c76656f31c8a4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a01 41 84c0 75f9 2b4dac 8d450c 6a00 } - $sequence_1 = { c7462000000000 c7462400000000 c7462800000000 c7462c00000000 e8???????? 6819020000 68???????? } - $sequence_2 = { 8d44241c 50 e8???????? 50 c684248c00000002 e8???????? } - $sequence_3 = { 8b8dd0fdffff 83e11f c1e106 030c85d06d4a00 898d30fdffff eb0a c78530fdffff78474a00 } - $sequence_4 = { 50 e8???????? 83c404 8d8580feffff 68b8000000 6a00 50 } - $sequence_5 = { 68???????? e8???????? 83ec1c c68424b80300009f 8bcc 68???????? e8???????? } - $sequence_6 = { 837dc800 7526 68???????? 68???????? 6a00 68de000000 68???????? 
} - $sequence_7 = { ff15???????? 8b4d08 8b148dcc504a00 83e202 740d 8d85e4dfffff 50 } - $sequence_8 = { 0fb745ec eb5a 8d45ec 8d4dc8 3945c0 7579 8d4594 } - $sequence_9 = { 7207 8b16 895518 eb03 897518 83f810 7204 } + $sequence_0 = { 56 8b7508 57 8b7d0c 894df0 3bf7 7451 } + $sequence_1 = { e8???????? 8d8424a8010000 50 8d8c24c4020000 e8???????? 68???????? 8d4c244c } + $sequence_2 = { c7466080834800 c745fc00000000 8b06 c745f001000000 } + $sequence_3 = { 8d8c24a0000000 e8???????? 68???????? 8d8c24a0000000 c684248403000067 e8???????? } + $sequence_4 = { e8???????? 6aff 6a00 8d842488000000 50 8d4c2454 e8???????? } + $sequence_5 = { c684242801000015 e8???????? 68???????? 8d8c24dc000000 e8???????? 6aff } + $sequence_6 = { 6a00 6a50 56 50 ff15???????? 8bf0 85f6 } + $sequence_7 = { c1fa05 8b85f0efffff 83e01f c1e006 8b0c95d06d4a00 837c013000 } + $sequence_8 = { 894618 33c0 c7471807000000 c7471400000000 66894704 8bc6 5f } + $sequence_9 = { 51 8b4dfc e8???????? 8b45fc 8be5 5d c21000 } condition: 7 of them and filesize < 1974272 
@@ -103709,36 +104083,36 @@ rule MALPEDIA_Win_Evilgrab_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "262a5f1e-fc32-5e23-bc68-1916bf6229d5" - date = "2026-01-05" - modified = "2026-01-06" + id = "78b875d0-c278-57eb-a4d1-772f95abb9eb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.evilgrab_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.evilgrab_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "f2b39911d0e0c2e89edee53b595cd7abbfb96f83612f1946b2208648a7f155b2" + logic_hash = "53d033c43e309a437bb6e2c1678a19cd27063fb420c703c5ba3318adbdb25ac0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b08 50 ff5108 83c8ff e9???????? 8b442410 50 } - $sequence_1 = { ff15???????? 894320 83f8ff 741e c785dce6ffff00000000 c6431601 6a46 } - $sequence_2 = { 0f8437feffff 8b442418 50 ff15???????? 5f 5e } - $sequence_3 = { 68ff000000 e8???????? 8bd0 b93f000000 33c0 8bfa f3ab } - $sequence_4 = { 55 56 3bc2 57 bd01000000 0f84ef010000 } - $sequence_5 = { c78514f6ffff00000000 b8???????? c3 8b8df0f5ffff 8b5124 89951cf6ffff b8???????? } - $sequence_6 = { ff8db4adffff 0f856dffffff 8d8dc0d2ffff 51 8bcb e8???????? e9???????? 
} - $sequence_7 = { 57 8d8de8adffff 51 8d95dcadffff 52 8d85e0adffff 50 } - $sequence_8 = { 33db 3bfb 7469 8b771c 3bf3 7462 395f20 } - $sequence_9 = { 83f802 0f84ca000000 83f801 7567 3be8 750b 56 } + $sequence_0 = { 0f842b010000 68???????? 8bcb e8???????? 50 6a01 68ff0f1f00 } + $sequence_1 = { e8???????? 8b542414 83c404 33c9 8bf8 85d2 } + $sequence_2 = { 83e103 f3a4 8b35???????? 8b95a4adffff 8bfa 83c9ff 33c0 } + $sequence_3 = { 8b4528 8d1490 83c9ff 33c0 f2ae f7d1 2bf9 } + $sequence_4 = { 68ff000000 e8???????? 8bf0 b93f000000 33c0 8bfe f3ab } + $sequence_5 = { 741d 8b8d15ebffff 51 8b13 81c2f2000000 52 8b4b10 } + $sequence_6 = { 8d7c2434 50 50 f3ab 8b4c2434 8d44243c 6800080000 } + $sequence_7 = { f7d1 49 51 68???????? 6a07 50 68???????? } + $sequence_8 = { 50 ff15???????? c7431cffffffff c6431500 e9???????? 8b8d15ebffff 81e1ff000000 } + $sequence_9 = { ff4324 8b854cfeffff 50 ff15???????? ff45ec } condition: 7 of them and filesize < 327680 @@ -103749,10 +104123,10 @@ rule MALPEDIA_Win_Topinambour_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "248239f8-95b8-583c-8553-e48d7a46283a" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.topinambour" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.topinambour_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.topinambour_auto.yar#L1-L118" license_url = "N/A" logic_hash = "3b116af57ab25dd36210660cdcf34a024e37c1d655144c3fd22d92727ae67613" score = 75 
@@ -103761,9 +104135,9 @@ rule MALPEDIA_Win_Topinambour_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -103787,36 +104161,36 @@ rule MALPEDIA_Win_Logtu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f949c271-e440-5637-a6d2-753c8d4bcb2d" - date = "2026-01-05" - modified = "2026-01-06" + id = "dc6e5ba7-10fb-5dc5-b57b-8f1a97da4dc4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.logtu_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.logtu_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "2b9e09a38ca4475522d0fb0fcb3945e7a2b5d830b8dfe7602d8b21ba629f63c3" + logic_hash = "19aa01b3ced6bb4c284af458418953eab621cc66b4afe06f91e20fcfd95f3d25" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a64 6a00 ff15???????? 85c0 7509 8b45bc } - $sequence_1 = { ff15???????? 85c0 7509 8b45bc } - $sequence_2 = { ff15???????? 6a01 8bf0 8d85a4fdffff 68???????? 50 } - $sequence_3 = { 81ec98050000 a1???????? 33c5 8945fc 53 56 57 } - $sequence_4 = { 6800080000 50 8d85fcf7ffff 50 e8???????? } - $sequence_5 = { 50 8d85fcf7ffff 68???????? 50 e8???????? 8d85fcf7ffff } - $sequence_6 = { 8d8578faffff 50 8d8584faffff 50 } - $sequence_7 = { 8d8578faffff 50 8d8584faffff 50 8d8574faffff } - $sequence_8 = { 6a01 8bf0 8d85a4fdffff 68???????? 50 ff15???????? 83c40c } - $sequence_9 = { 68???????? 
50 e8???????? 8d85fcf7ffff 6800040000 50 } + $sequence_0 = { 50 8d8584faffff 50 8d8574faffff 50 8d8534ffffff } + $sequence_1 = { 6a64 6a00 ff15???????? 85c0 7509 } + $sequence_2 = { 8d8584faffff 50 8d8574faffff 50 8d8534ffffff } + $sequence_3 = { ff15???????? 6a64 ff15???????? 66a1???????? } + $sequence_4 = { 50 ff15???????? 6a01 8bf0 8d85a4fdffff 68???????? 50 } + $sequence_5 = { 50 8d8578faffff 50 8d8584faffff 50 8d8574faffff 50 } + $sequence_6 = { 50 8d8584faffff 50 8d8574faffff } + $sequence_7 = { 50 8d85fcf7ffff 68???????? 50 e8???????? 8d85fcf7ffff } + $sequence_8 = { 47 3b7d08 7cd1 5f } + $sequence_9 = { 0fb64605 50 68???????? 8d85a4fdffff } condition: 7 of them and filesize < 924672 
@@ -103826,42 +104200,42 @@ rule MALPEDIA_Win_Hlux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4c2052b-0cd7-527b-912e-2b962734b611" - date = "2026-01-05" - modified = "2026-01-06" + id = "28ebfc66-b36a-5b32-9f44-3572498887c2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hlux_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hlux_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "779cc27c2a832f57ff4dea76d2b777f85d6a15f93d14c3ef1d8885e9224660be" + logic_hash = "e9222c023df7fd2f3b9e4049ffc25496a4c78e57da3831eefa238e14364a3c6e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7406 899d44ffffff 09c9 7506 898d9cfeffff 83ffd6 } - $sequence_1 = { 7503 895598 8b9decfeffff 8d0b 09db } + $sequence_0 = { 83f99c 7429 8955e8 895de8 8d91c966fec6 8975d8 } + $sequence_1 = { 83f873 0f8580000000 83f8cb 757b ba11d8778b } $sequence_2 = { 0009 1b4e01 e405 9d } - $sequence_3 = { 0088aa4b0023 d18a0688078a 46 018847018a46 } - $sequence_4 = { 0000 008365f0fe8b 4d 0883c108e918 } - $sequence_5 = { 0130 8b13 8b08 85d2 } - $sequence_6 = { 33db 81f926edf50a 742f 8d144b 8d8c8b9948a5f2 8955f0 83f909 } - $sequence_7 = { 7534 85c9 7430 83f9f4 } - $sequence_8 = { bba43c0cdb 8b15???????? 
8955c4 895de0 83f8c1 7503 8945d8 } - $sequence_9 = { 010f 840f 0000 008365f0fe8b } - $sequence_10 = { 0104bb 8d1447 89542418 e9???????? } - $sequence_11 = { 0101 c9 c3 6a10 } - $sequence_12 = { 0104b9 33c9 83c408 85c0 } - $sequence_13 = { 898d84feffff 8b0d???????? 8b1d???????? 899d0cffffff } - $sequence_14 = { 83f8a6 7406 89851cffffff 8b1d???????? 895df4 8b3d???????? } - $sequence_15 = { 89bd64ffffff 09c0 750b 83f8c1 7406 } + $sequence_3 = { 8945d0 8b7d08 33c0 894dd4 8bf7 } + $sequence_4 = { 0f8476010000 8d0452 897da0 33f6 } + $sequence_5 = { 8d08 83f946 7508 83f9ff 7403 } + $sequence_6 = { 56 33d2 33f6 8975cc 8955cc 57 bec97b4de2 } + $sequence_7 = { 898d1cffffff 899564ffffff 53 b81da2c0bb } + $sequence_8 = { 010f 840f 0000 008365f0fe8b } + $sequence_9 = { 0101 c9 c3 6a10 } + $sequence_10 = { 0088aa4b0023 d18a0688078a 46 018847018a46 } + $sequence_11 = { 895de8 85c9 7503 894df0 ff4de4 } + $sequence_12 = { 0000 008365f0fe8b 4d 0883c108e918 } + $sequence_13 = { 0104bb 8d1447 89542418 e9???????? } + $sequence_14 = { 0104b9 33c9 83c408 85c0 } + $sequence_15 = { 0130 8b13 8b08 85d2 } condition: 7 of them and filesize < 3147776 
@@ -103871,36 +104245,36 @@ rule MALPEDIA_Win_Blackmagic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9637b230-6b90-5402-8df5-d6a9a08385b0" - date = "2026-01-05" - modified = "2026-01-06" + id = "1a3db675-9d15-543a-835b-6ac8572bf497" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmagic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackmagic_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackmagic_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "0682a81f91c82180ece20284a26ec164fbede145e670a9eec1710d6febfbedfc" + logic_hash = "5e36397521485ae84ce7a6e8714efc0d3e35275dbebb6f9861b99aa63d859029" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8d05aa2c0200 e8???????? 488bf0 4885c0 7412 488bc8 ff15???????? } - $sequence_1 = { 488bd7 488d8c2430010000 e8???????? 90 33d2 41b810010000 488d8c24e0010000 } - $sequence_2 = { 33db 49895bb8 885c2470 448d4317 488d15898a0400 498d4ba8 e8???????? } - $sequence_3 = { 488d4dd7 e8???????? 90 41b84d000000 488d159b810400 e8???????? 90 } - $sequence_4 = { 0f284587 488d154d1b0300 488d4d87 660f7f4587 e8???????? 488d5587 488d4c2440 } - $sequence_5 = { e8???????? 
4885c0 7411 8a0e 488d1597120300 488910 884808 } - $sequence_6 = { 90 488d05437a0600 4889442428 488d4c2460 488d542468 488b442468 } - $sequence_7 = { 488b05???????? 488945d0 488b75f0 488975b8 488975d8 33c0 488985c0000000 } - $sequence_8 = { e8???????? 488bd8 488bc3 4883c430 415e 5f 5e } - $sequence_9 = { 488905???????? ff15???????? 483305???????? 488d1560360300 488bcb 488905???????? ff15???????? } + $sequence_0 = { 4c2bf1 49897be0 33d2 4d897bd0 4c03f5 498bc0 48d1e8 } + $sequence_1 = { eb04 48ff4518 4801bb80000000 4829bb88000000 48017b38 48017b40 4533f6 } + $sequence_2 = { 48b8ffffffffffffff03 483bf0 0f87d3000000 488bce 48c1e106 4881f900100000 7223 } + $sequence_3 = { 49894620 49895e08 41886e10 41884611 49894618 488d05355e0500 498906 } + $sequence_4 = { 4433c0 41c1e008 8bc2 c1e808 0fb6c8 420fb68409c0120700 4433c0 } + $sequence_5 = { 4889442440 48c78424b00000000f000000 4889b424a8000000 c684249800000000 4c8bcf 4533c0 488b942460010000 } + $sequence_6 = { 488b03 488bcb ff5068 4c8b08 488d542428 488bc8 41ff5110 } + $sequence_7 = { 89442438 3bc3 77c8 488b5c2430 03c5 488b6c2440 } + $sequence_8 = { 4c8d4d90 4903c9 8b4110 83c802 8bd0 83ca04 } + $sequence_9 = { e8???????? 90 498d48ff 4803ca 4d85c0 741f 498d40ff } condition: 7 of them and filesize < 1416192 
@@ -103910,36 +104284,36 @@ rule MALPEDIA_Win_Winos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ab76e8bd-21bc-5539-b1fb-f47fdb274949" - date = "2026-01-05" - modified = "2026-01-06" + id = "43b83a96-8dab-5aba-ab26-050a40e2448c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.winos_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.winos_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "e8eeb814a2c5b4ab9f10ee5708c1f0bfd3c156bc0fa60e8429c570c21e8f598c" + logic_hash = "a68822c4e7fe8a236d5e547c69555e9f67fb9650712fbb3b3f2f59da98143c5a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66890c70 5e 8bc7 5f 5b 5d c20800 } - $sequence_1 = { eb0d 8d95bcfbffff 52 ff15???????? 8b85bcfbffff b906000000 663bc8 } - $sequence_2 = { 8d8de0fcffff 57 51 e8???????? 8b1d???????? } - $sequence_3 = { 83c40c 899c2460040000 33db 8d4c243c 51 89bc246c040000 } - $sequence_4 = { 2bd6 c1fa02 899530feffff 3bdf 7563 8bc3 } - $sequence_5 = { 8d4db8 50 8b853cffffff 50 } - $sequence_6 = { 8b442418 53 52 6a03 6a00 56 } - $sequence_7 = { c70009000000 e8???????? ebda 8bc3 c1f805 8d3c8540310310 8bf3 } - $sequence_8 = { 5d c3 55 8bec 8b4e10 } - $sequence_9 = { db45cc d84dc8 e8???????? 
8b7dbc 8bf0 8945c4 6a4c } + $sequence_0 = { e8???????? 83c40c 68???????? 8d5702 68ff000000 52 c60701 } + $sequence_1 = { 6683f881 7412 6683f801 740c c705????????00000000 eb1e c705????????01000000 } + $sequence_2 = { 895008 8b8b2c040000 89480c 8b9334040000 895018 89442424 } + $sequence_3 = { 83c40c 837b0800 7510 8b4b04 } + $sequence_4 = { 8945f8 53 8b5d08 56 33f6 57 8975a0 } + $sequence_5 = { 50 ff15???????? 0fb74c2438 0fb7542436 0fb7442434 51 0fb74c2436 } + $sequence_6 = { ff15???????? 8b35???????? 50 ffd6 50 8945b8 ff15???????? } + $sequence_7 = { 8d8dfaf7ffff 894624 51 668985f8f7ffff } + $sequence_8 = { 6a00 68???????? 68???????? c705????????3c000000 8b08 8b5128 6a14 } + $sequence_9 = { 52 6a00 50 c745dc00000000 } condition: 7 of them and filesize < 457728 
@@ -103949,42 +104323,42 @@ rule MALPEDIA_Win_Quantloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6fbe65e-ef8a-5bc4-b8a9-95dfb59d427c" - date = "2026-01-05" - modified = "2026-01-06" + id = "ae57b248-a53f-59f8-b81a-d804e5e3959c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quantloader_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quantloader_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "bf8a50a2e031ac2dab43be4a697ae58f19b78ab51aef8ac12657d4c13c8a8701" + logic_hash = "cd92bfc2a3027ce29f376783c02426bf9e29d9f2b3e79e34d6d065800037bab5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945f8 837df800 7405 8b45f8 ffd0 c9 c3 } - $sequence_1 = { e8???????? c744240800000000 c7442404???????? 8b4508 890424 e8???????? 85c0 } - $sequence_2 = { 8b45f8 40 8945f0 eb13 } - $sequence_3 = { c785d4f7ffff00000000 e9???????? c744241400000000 c744241000000084 c744240c00000000 c744240800000000 8b4508 } - $sequence_4 = { c70424???????? e8???????? 83ec08 8b450c } - $sequence_5 = { 837df400 750f c785d4f7ffff00000000 e9???????? } - $sequence_6 = { c70424???????? e8???????? 85c0 0f8eaa000000 } - $sequence_7 = { e8???????? 89442404 c70424???????? e8???????? 
c7442408???????? c7442404???????? c7042402000080 } - $sequence_8 = { 33c0 66ad 66a90030 7408 } - $sequence_9 = { c3 8b7d74 6a04 6800100000 57 6a00 ff5510 } - $sequence_10 = { 60 8bf3 03763c 8bb680000000 85f6 } - $sequence_11 = { c7457c00000000 81c243e15762 8b4d74 8bfe 837d6400 7403 017564 } - $sequence_12 = { 7410 b904000000 48 7408 b940000000 48 7400 } - $sequence_13 = { 8bf8 f3a4 e8???????? 48 } - $sequence_14 = { 51 50 54 6a04 51 57 ff550c } - $sequence_15 = { 33c0 39411c 74f7 ff711c 8f4550 e8???????? 8f411c } + $sequence_0 = { 890424 e8???????? 89c2 c744241000000000 8d45fc 8944240c } + $sequence_1 = { 890424 e8???????? 83ec04 c745f401000000 eb17 8b45f8 } + $sequence_2 = { 8b4510 8845ff c745f8ffffffff c745f400000000 817d08???????? 7470 } + $sequence_3 = { e8???????? 85c0 0f8512010000 c744240800000000 } + $sequence_4 = { e8???????? 83ec14 8d85d8f7ffff 890424 e8???????? } + $sequence_5 = { 890424 e8???????? 8d85f8fdffff 890424 e8???????? 0fb6c0 83f801 } + $sequence_6 = { 83ec08 8945ec 837dec00 750a e8???????? 8945f8 } + $sequence_7 = { c7442404???????? 8b4508 890424 e8???????? 89442408 c744240401000000 8b4508 } + $sequence_8 = { 59 8d442404 51 52 50 ff30 } + $sequence_9 = { 8b3424 b909000000 e8???????? 8bfe } + $sequence_10 = { 03c2 e2fc 59 c3 8b7d74 } + $sequence_11 = { 8900 e8???????? 58 ff6050 55 e8???????? } + $sequence_12 = { 48 7400 8bc1 59 } + $sequence_13 = { 6a08 ff551c 8bd8 54 53 ff5534 } + $sequence_14 = { 6a04 51 57 ff550c } + $sequence_15 = { ff550c ff550c 5a 59 58 58 85c9 } condition: 7 of them and filesize < 155648 
@@ -103994,36 +104368,36 @@ rule MALPEDIA_Win_Nightclub_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25a4cb0b-5988-50b4-b9d7-c4130dae5827" - date = "2026-01-05" - modified = "2026-01-06" + id = "937b722b-651c-56ba-b5c7-4f024c9cb8f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightclub" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nightclub_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nightclub_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "15f8ebb368b37ab60005cfeccfb61f1f120d9d4f8ce48162386ff7677923e6da" + logic_hash = "60417de16009e8b881c5dfd286409532e83e459a12973d53e45031e48f397d39" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8d45f4 64a300000000 8b4508 8d75d4 c745ec00000000 e8???????? } - $sequence_1 = { 889d5ffeffff ff15???????? 8d855efeffff c645fc05 50 } - $sequence_2 = { c645fc0c ff15???????? 85c0 0f8827010000 8b0d???????? 8b11 52 } - $sequence_3 = { 83c404 85c9 7517 33c0 8b450c 8d0442 5f } - $sequence_4 = { 8bff 8d45d4 8bcf e8???????? 50 c745fc01000000 8b4e08 } - $sequence_5 = { ff15???????? 83c610 3bf7 75f1 8b4304 50 ff15???????? } - $sequence_6 = { 83f806 7753 0fb69058720010 ff249550720010 ba???????? 8bc7 8d742430 } - $sequence_7 = { eb03 8945fc a1???????? 
8b08 51 6a00 8d4e74 } - $sequence_8 = { 834dec01 85c0 7505 a1???????? 8bf0 8d4900 } - $sequence_9 = { 72e6 b892010000 5f 5e 8b4df8 33cd e8???????? } + $sequence_0 = { 8b8578ffffff 895dc4 895dc0 c745b4dc440110 89bd70ffffff 3bc3 740a } + $sequence_1 = { 8b06 8b5008 68???????? ffd2 6a78 } + $sequence_2 = { ff15???????? 68???????? e8???????? 83c404 56 68???????? b9???????? } + $sequence_3 = { ffd3 8b8d08fcffff 51 ffd3 8b950cfcffff 52 ffd3 } + $sequence_4 = { f7d9 0bc8 51 ff15???????? 8bd8 8b4608 } + $sequence_5 = { 33c0 668903 8b16 8b4204 83c404 53 8bce } + $sequence_6 = { ebf3 c6043000 89850cfcffff 8bbdccfbffff 85ff 0f8489080000 } + $sequence_7 = { 384dfa 0f94c0 83c00a 8b4dfc 33cd e8???????? 8be5 } + $sequence_8 = { 0bc8 51 ff15???????? 8bf0 c70600000000 8b07 } + $sequence_9 = { c1e81f 03c2 8945f0 83f801 7707 c745f001000000 } condition: 7 of them and filesize < 247808 
@@ -104033,36 +104407,36 @@ rule MALPEDIA_Win_Stealhook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b998f829-6a22-55c4-913b-e54119474a49" - date = "2026-01-05" - modified = "2026-01-06" + id = "296f5aee-ffa1-5f36-a21a-4cf73eb93c5f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealhook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stealhook_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stealhook_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "50f44fb127afc2237096592b9ec06ad6fce68e47e81e08acb0de7cd16e206d85" + logic_hash = "43462dcbe834192ff5f679907343d7b590d011b91e19ec61f90c0466a187568e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 410fb6868e000000 41884705 410fb6868f000000 41884704 410fb68690000000 4188470b 418b8690000000 } - $sequence_1 = { e8???????? 48833b00 488d0dd7170500 480f450b } - $sequence_2 = { 4a0fbe8419389a0600 428a8c19489a0600 4c2bd0 418b4048 418b52fc d3ea 03c2 } - $sequence_3 = { 83e10f 480fbe8411389a0600 8a8c11489a0600 4c2bc0 418b40fc d3e8 4d894708 } - $sequence_4 = { 4d8bf8 4c896910 4c8bc6 4c896918 488bee e8???????? 458be5 } - $sequence_5 = { 33d2 4903c1 49f7f1 49837e1807 488d0451 498bce 7603 } - $sequence_6 = { 488b4590 48634804 4c896c0d90 488b4590 } - $sequence_7 = { e8???????? 
90 488d542450 48837c24680f 480f47542450 41b8e8030000 488d4c2470 } - $sequence_8 = { 66480f6ec8 660f2f25???????? 0f82df000000 48c1e82c 660feb15???????? 660feb0d???????? 4c8d0dd4fd0000 } - $sequence_9 = { 4c8b5577 488d05d9350300 0f1000 4c8bd9 488d4c2430 } + $sequence_0 = { f20f59ee f20f5ce9 f2410f1004c1 488d1536f50000 f20f1014c2 f20f1025???????? f20f59e6 } + $sequence_1 = { 33d2 e8???????? 48894720 488d0d34550400 807b5604 7704 488b4b40 } + $sequence_2 = { 48894c2428 4533ff 488d15ff220700 33c9 e8???????? 488b4310 48837b1807 } + $sequence_3 = { 4883ec20 488d0537f50200 488bda 4a8b04c0 483902 7416 8b81a8030000 } + $sequence_4 = { 4533c0 45894320 488d056ac60600 488901 4c8981b8000000 4c8981c0000000 448981c8000000 } + $sequence_5 = { 488b8c2428010000 e8???????? 4c8d842470180000 bae8030000 488d8c2480040000 e8???????? 33db } + $sequence_6 = { 488d05fa930600 49894408f0 488b07 4c634004 458d48f0 45894c08ec 488d05de920600 } + $sequence_7 = { 488b07 4c634004 488d05fa930600 49894408f0 488b07 4c634004 } + $sequence_8 = { 722b 410fb609 41ffc0 83e10f 4a0fbe8431389a0600 428a8c31489a0600 4c2bc8 } + $sequence_9 = { 4c896c2428 4c897c2420 e8???????? 84c0 0f8493feffff 4c8d25ed540200 49391f } condition: 7 of them and filesize < 1129472 
@@ -104072,36 +104446,36 @@ rule MALPEDIA_Win_Lpeclient_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "74413435-5011-52f6-9527-2aa5c727e8b5" - date = "2026-01-05" - modified = "2026-01-06" + id = "ed468359-8a6c-5420-8935-bb3cc2d9c3fd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lpeclient_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lpeclient_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "b5d510f66f1063fb0bc5e208227e246c4a78a2503ab8649007e1796f9f802e10" + logic_hash = "1360a18946c868384f1c07028b440cf94010345038a030702533208c54c9851d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d5c3e04 b8fcffffff 2bc7 8b7c2430 03f8 81ff00100000 } - $sequence_1 = { 488d05ddf80000 483947f0 7412 488b0f 4885c9 740a } - $sequence_2 = { c7450c74006900 c745106f006e00 c745143a002000 c745184b006500 c7451e70002d00 c7452241006c00 } - $sequence_3 = { 488d0518f90000 483bc8 741a 83b96001000000 7511 e8???????? 488b8b58010000 } - $sequence_4 = { 4c8d0da1fd0000 33c0 498bd1 448d4008 3b0a 742b ffc0 } - $sequence_5 = { 48c1e814 488d0dbfd2ffff 83e00f 339481a0a40100 } - $sequence_6 = { 488bcf ff15???????? 488b8c2400030000 4833cc e8???????? 
488b9c2420030000 } - $sequence_7 = { 7508 42807c120122 7427 41ffc0 48ffc2 443bc1 } - $sequence_8 = { 33d2 48f7d1 83e903 85c9 7e1c 6690 42803c123a } - $sequence_9 = { 0f84b8010000 488d2d15e70000 41bc14030000 4c8d0528800000 488bcd 418bd4 e8???????? } + $sequence_0 = { 488dbd30100000 66f2af 488d442448 4c8d4d30 } + $sequence_1 = { 48898550070000 b84f000000 488d542450 33c9 6689442420 } + $sequence_2 = { 48895c2420 55 4883ec50 498bd9 498be8 4c8bd1 } + $sequence_3 = { b801000000 eb64 488d4dd0 488d45d0 } + $sequence_4 = { 4533ed e8???????? 448ba42490000000 418bf5 } + $sequence_5 = { 48ffc2 3bc3 7cf3 eb02 } + $sequence_6 = { 488d15f9d9ffff 448bee 8bfe 0f1f4000 } + $sequence_7 = { 488b85400b0000 33ff 48894dc0 488945b8 488b85480b0000 448944245c } + $sequence_8 = { baa00f0000 ffc6 488d0c80 488d0582e00000 488d0cc8 48890f ff15???????? } + $sequence_9 = { 3b3d???????? 736e 488bdf 4c8bef 49c1fd05 4c8d35481d0100 83e31f } condition: 7 of them and filesize < 289792 
@@ -104111,36 +104485,36 @@ rule MALPEDIA_Win_Blackmatter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f72bfe88-212a-5b08-bbca-50aa064e9cc7" - date = "2026-01-05" - modified = "2026-01-06" + id = "8fb07ecc-59bc-528d-9517-6ce58f13ccd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackmatter_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackmatter_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "e535a5032543c492ff373af34088a44c3884afdd41efbf279f3f7738c128e9a0" + logic_hash = "33aa4691828fe37209d097653927c1487f111daf75ed97a898031afbea83e706" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? ebe7 837dd400 7408 ff75d4 } - $sequence_1 = { 807eff2e 7502 eb02 eb05 } - $sequence_2 = { 8d45f4 50 ff15???????? 83c40c 6a0a } - $sequence_3 = { 0f858c000000 83bdacfdffff00 7509 83bdb0fdffff00 747a } - $sequence_4 = { 740e ff75f0 ff15???????? 5b 8be5 } - $sequence_5 = { ff15???????? 85c0 753a 64813d34000000b7000000 } - $sequence_6 = { c745f000000000 ff7508 ff15???????? 83c404 85c0 0f848a010000 } - $sequence_7 = { 66ab 648b1d30000000 ff731c ff15???????? 8b7310 8d4638 ff35???????? } - $sequence_8 = { 85f6 745e 687c010000 56 ff75e8 ff15???????? 
} - $sequence_9 = { 85c0 7510 807eff2d 7406 807eff2e 7502 eb02 } + $sequence_0 = { 8bd8 8d045d02000000 50 57 8d0477 50 ff15???????? } + $sequence_1 = { 837dfc00 7402 eb0b 8b09 } + $sequence_2 = { ff15???????? 85c0 754f c745f801000000 c745f480000000 8d45f4 } + $sequence_3 = { 75df 8bc2 5e 5a 5d } + $sequence_4 = { c745fc00000000 8d8532ffffff 50 e8???????? } + $sequence_5 = { eb18 ff75f0 ff15???????? ff75f0 e8???????? c745f000000000 } + $sequence_6 = { 03f3 03fb ad 03c3 ff75f4 } + $sequence_7 = { 7409 83f802 0f857c010000 e8???????? } + $sequence_8 = { 75bf ff75f8 ff15???????? 837df400 7408 ff75f4 } + $sequence_9 = { 83c40c 56 e8???????? 8b75e8 64a130000000 8b80d4010000 } condition: 7 of them and filesize < 194560 
@@ -104150,36 +104524,36 @@ rule MALPEDIA_Win_Maui_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c8e2f403-ec0e-5c62-bc65-b773780a2de5" - date = "2026-01-05" - modified = "2026-01-06" + id = "24021aed-eb43-5ae6-9fab-1db01943c23f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maui" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.maui_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.maui_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "7f30138f7904f9e137800e0205092628d325a3b69e4098e86eb63774c736d746" + logic_hash = "b071f47101cb7b693027fc2730fdb291c60196211c622012cdbfa644201e236d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85ff 7505 49 85c9 7ff2 894e04 5f } - $sequence_1 = { 85f6 7479 6a00 e8???????? 8d4c240c 51 89442410 } - $sequence_2 = { 241c 51 57 e8???????? 83c418 85c0 } - $sequence_3 = { 50 53 e8???????? 83c408 85c0 0f84a2000000 83c602 } - $sequence_4 = { 68d7020000 68???????? 6886000000 68a3000000 6a06 c7450000000000 e8???????? } - $sequence_5 = { 894c2420 0fb60f bd07010000 897c241c 66852c48 7431 0fb64f01 } - $sequence_6 = { 41 57 51 e8???????? 83c40c 85c0 0f84d9000000 } - $sequence_7 = { e8???????? a3???????? e8???????? 85c0 7d09 e8???????? 
85c0 } - $sequence_8 = { 8b5c2410 55 8b6c241c 57 8b7c241c 81fd00000040 724e } - $sequence_9 = { 3bca 741f 8b4624 3bc2 7418 894c2418 895620 } + $sequence_0 = { 68???????? f7de 1bf6 6a13 6a06 f7de e8???????? } + $sequence_1 = { e8???????? c787f8000000b01a4200 83c40c 33c9 83fe02 0f95c1 } + $sequence_2 = { a1???????? 33c4 890424 8b442408 85c0 7421 85c9 } + $sequence_3 = { 68???????? 6889000000 e9???????? 83c002 807c241300 89442414 0f8561010000 } + $sequence_4 = { 8b15???????? 894808 668b0d???????? 89500c 8b15???????? 6aff 52 } + $sequence_5 = { 8b542410 55 56 57 50 8d4c2410 } + $sequence_6 = { eb09 0fb6c0 8a8040db4a00 46 0fb6c0 84c9 7850 } + $sequence_7 = { 8b06 8b4868 85c9 751c 6844040000 68???????? 6a42 } + $sequence_8 = { 8b30 8b7b14 8b7614 33f7 23f1 33fe 897b14 } + $sequence_9 = { 8bf0 85f6 7520 68fe000000 68???????? 6a41 68a5000000 } condition: 7 of them and filesize < 1616896 
@@ -104189,36 +104563,36 @@ rule MALPEDIA_Win_Fickle_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6879e197-d2fb-581d-9f88-69c75afc2e63" - date = "2026-01-05" - modified = "2026-01-06" + id = "42e737a7-f4fc-50a6-8925-f1dc38a01c5e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickle" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fickle_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fickle_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "f140341d28c7aeaf4e7af75fed2cbbb86f7c4fb7ead43c1713a0301f74177602" + logic_hash = "5e781f6156778b05e35959a6f60367c538ed176bdf7360432c86b921f974bfe5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 80f12a 884c241e 0f280424 0f29442470 0f1044240f 0f1144247f 8dbc24a0000000 } - $sequence_1 = { 660f7f442440 89542450 897c2454 894c2458 8b44240c 8944245c 803e04 } - $sequence_2 = { 8b913b148901 33540804 89540c04 83c104 83f918 72ea 8a401c } - $sequence_3 = { 8d3449 8d0cb2 81c10c010000 8d14f2 8918 c7400400000000 897808 } - $sequence_4 = { e8???????? 83c40c 8b442418 8944246c 895c2470 8b44240c 89442474 } - $sequence_5 = { 8d742450 89442450 89f1 e8???????? 89d9 e8???????? 85c0 } - $sequence_6 = { 8d9c24b4000000 89d9 8d942498000000 57 e8???????? 83c404 89d9 } - $sequence_7 = { e8???????? 
8b1e 8b7e04 53 ff17 83c404 837f0400 } - $sequence_8 = { 8d0440 8b4c2464 8b7c8104 8b448108 897c240c 31ed 85c0 } - $sequence_9 = { 8b54247c 8bbc2480000000 f30f7e442448 660fd6442468 8b442450 89442470 8d8c24d8000000 } + $sequence_0 = { c7042400000000 e9???????? c7042400000000 c744240400000000 b800000000 e9???????? 89542418 } + $sequence_1 = { d1c0 31d0 0fb7c0 01c8 c3 b87b8b0e06 29d0 } + $sequence_2 = { e8???????? 8b4704 8b4f08 8d9620010000 8902 894a04 895614 } + $sequence_3 = { ff35???????? ff15???????? c683a201000000 80bba301000000 742e 8b8b74010000 8b9378010000 } + $sequence_4 = { e8???????? 55 53 57 56 50 8b5c2418 } + $sequence_5 = { c7863801000002000000 8d8e90000000 89560c 57 e8???????? 83c404 c7863801000006000000 } + $sequence_6 = { c744242830297f01 8974242c c744243030297f01 89542434 8d542424 8d74244c c7442438e03f7f01 } + $sequence_7 = { f7e1 891424 89442438 89f0 f7e1 89d1 030424 } + $sequence_8 = { ff35???????? ff15???????? 837c241800 8db42400010000 7412 ff74241c 6a00 } + $sequence_9 = { e8???????? 85c0 7421 8b4c240c 8938 894804 89f1 } condition: 7 of them and filesize < 1646592 
@@ -104228,36 +104602,36 @@ rule MALPEDIA_Win_Gotohttp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d06cfe0-00c5-5a49-9ea7-3f35cccfbcba" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d73d042-977d-54b3-bcb2-b3959355e61e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gotohttp" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gotohttp_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gotohttp_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "eca21e603241e81fa8edd82e734587340b272e9a197c8dfdde2af1790f4487f3" + logic_hash = "98746cb0408acf10b282440607da701d6e0ab8a21cd9fcb2addef6498325f79b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb46 41f6401001 7412 0fb64c2428 ba01000000 66d3e2 66412350f8 } - $sequence_1 = { f30f590d???????? f30f5905???????? f30f58cc f30f58c4 f30f59c8 730a f30f1005???????? } - $sequence_2 = { eb05 ffc0 894334 488bcb e8???????? 488bcb 4c8bf8 } - $sequence_3 = { 89442454 488bd3 33c9 ff15???????? 488b87e0030000 8b4860 8d0c8d01000000 } - $sequence_4 = { e8???????? 488bf8 4885c0 7445 488d5010 488910 4863c5 } - $sequence_5 = { 83fb02 0f85ee010000 4585ed 741d 448b4d5c 488b9590000000 488b4d40 } - $sequence_6 = { e9???????? b920000000 e8???????? 
488bd8 4885c0 741a 48897008 } - $sequence_7 = { ff5010 488d4b18 ff15???????? c7430800000000 40f6c601 7408 488bcb } - $sequence_8 = { eba3 488b8c2480000000 4881c150050000 488b842480000000 48898888000000 488b8c2480000000 488b842480000000 } - $sequence_9 = { eb17 41389efb020000 751f c64705c2 bb02000000 4885f6 7411 } + $sequence_0 = { f00fc105???????? 4533c0 eb03 498bf0 4489842408010000 4538af24070000 7508 } + $sequence_1 = { 66450ffec1 4c8bb424a8000000 660ffaf5 660f70ce8d 66410f7f0e 4983c610 4c89b424a8000000 } + $sequence_2 = { eb1a 483d7c2e0000 7e12 41838000060000fe eb08 4183800006000002 418b8800060000 } + $sequence_3 = { eb2c 833d????????01 7f1e 4c8d0d8f3b2800 488d15403b2800 41b8b1000000 b901000000 } + $sequence_4 = { eb11 c6832401000000 c783f000000001000000 80bb2401000000 7410 80bb0101000000 7507 } + $sequence_5 = { f30f104908 f30f104208 f30f59c9 f30f59c0 f30f5cc8 f30f58d1 0f2fd6 } + $sequence_6 = { ff15???????? 4c8be0 4883bfd802000000 0f852b010000 33d2 41b8d0030000 488d8c24b0000000 } + $sequence_7 = { eb05 b901000000 41bd06000000 4489add8000000 85c0 7534 4c8bada8020000 } + $sequence_8 = { 8b8f90370000 81f9e8030000 7518 8b4750 41b8401f0000 413bc0 7564 } + $sequence_9 = { e8???????? 48ffc6 ffc7 4881c3c8000000 493bf4 7ca5 33c0 } condition: 7 of them and filesize < 6266704 
@@ -104267,42 +104641,42 @@ rule MALPEDIA_Win_Webmonitor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4edd58bc-84aa-57fd-8483-88f5d1911dcf" - date = "2026-01-05" - modified = "2026-01-06" + id = "3732efb2-6b36-5e6c-94ac-9c96812b2d01" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webmonitor_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webmonitor_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "f03f08c033bc99c38a9a7047c1ab4dd8b784015d4b2f1d48ed5a63b916e4918d" + logic_hash = "b3dfe96ce488790f0298ba915da8d471590e953d80de53d7b6c6de96cdf61598" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c9 c1eb0a 41 0fb7c3 } - $sequence_1 = { 04f0 fd ff01 04f0 fd } - $sequence_2 = { 50 51 e8???????? 83c418 807c242000 } - $sequence_3 = { 0fb6c0 6a09 33f0 e8???????? } - $sequence_4 = { 2b49fc e9???????? 55 8bec f30f104508 ff750c } - $sequence_5 = { 0f4345d8 0fbe0408 03d8 e9???????? 03da 8a043b } - $sequence_6 = { 0080cd41009c d34100 e8???????? a3???????? 41 } - $sequence_7 = { 1b4300 38644400 44 8a4100 } - $sequence_8 = { 2503fd006c ff1e e00e 000e } - $sequence_9 = { 03c6 53 c1e008 6a0e 8945e0 e8???????? 
} - $sequence_10 = { 04c8 fe04fc fd 04f8 fd ff01 } - $sequence_11 = { 41 00baa4f34100 b9???????? ffe1 ba???????? b9???????? ffe1 } - $sequence_12 = { 04f8 fd 0512002413 000d???????? 04f4 } - $sequence_13 = { 33cd e8???????? c9 c3 68???????? e8???????? } - $sequence_14 = { 33c9 6800900100 668908 8bcf } - $sequence_15 = { 61 0043ec fe04ec fe05???????? 000d???????? 04c8 } + $sequence_0 = { 000d???????? 04e4 fd 0468 ff05???????? 000d???????? 04b8 } + $sequence_1 = { 03c1 99 f7fb 47 } + $sequence_2 = { ffe1 ba???????? b9???????? ffe1 ba???????? } + $sequence_3 = { fe04e4 fd 04e0 fd ff01 04e0 fd } + $sequence_4 = { 04c8 fe04ec fd 04e8 fd ff01 } + $sequence_5 = { 0f5ac0 50 51 51 f20f110424 e8???????? d91b } + $sequence_6 = { 0f434520 50 ff75c8 ff15???????? } + $sequence_7 = { 0f437520 ff15???????? 8d044501000000 50 } + $sequence_8 = { 0fb6c0 d3e0 8b4de0 03c8 } + $sequence_9 = { 2bf0 8bc1 99 83e203 03c2 c1f802 2bf8 } + $sequence_10 = { 3001 a3???????? 30ff 9e 6c 68ff080800 } + $sequence_11 = { 9e 6c 68ff080800 8a3401 a3???????? 0800 8a30 } + $sequence_12 = { 38644400 44 8a4100 047e } + $sequence_13 = { 00e8 17 42 0048a5 } + $sequence_14 = { 49 81c900ffffff 41 898f04040000 } + $sequence_15 = { 0f4305???????? 33c9 6800900100 668908 } condition: 7 of them and filesize < 1984512 
@@ -104312,36 +104686,36 @@ rule MALPEDIA_Win_Kasperagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5bc59f22-b9b3-5766-9e08-5c129dbebf50" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d103818-a24d-57d8-a953-8d86615e05a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kasperagent_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kasperagent_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "8d5948eeb8ffe48e5f1f32cc1b2e0326c959eb92c3d2c7a0786033f96cdcbcd0" + logic_hash = "149c14d9f1dc141ac24a0c3ce90f722742b57d231c75ec2af7e4d87b916079b3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd0 c645fc03 8b45bc 83c0f0 8d480c 83caff } - $sequence_1 = { 83c002 47 3bce 75eb 8bc3 3b5c2410 } - $sequence_2 = { 84db 7524 8b4500 83e810 ba01000000 } - $sequence_3 = { 663b54243a 7516 668b460c 663b44243c 750b b801000000 5f } - $sequence_4 = { 0fb74c2418 81c26c070000 40 668916 } - $sequence_5 = { 2bc6 0bd0 b301 7d08 56 8bcd e8???????? } - $sequence_6 = { 56 57 33ff 66837c24182d 897c2414 7472 } - $sequence_7 = { 89442408 8d742410 8d442408 c7470800000000 } - $sequence_8 = { ff500c 837d0800 75cc 5b 5d c20400 8bff } - $sequence_9 = { 57 56 ff15???????? 
33c9 894c2430 894c2434 894c2438 } + $sequence_0 = { c645fc1d e8???????? 33c9 85c0 0f95c1 85c9 750a } + $sequence_1 = { 8b08 8b11 50 8b4204 ffd0 8d4db0 8975fc } + $sequence_2 = { 89542408 3bc2 734d 53 } + $sequence_3 = { 33c9 85c0 0f95c1 85c9 7517 } + $sequence_4 = { 663b542420 7428 8bd3 2bd0 d1fa } + $sequence_5 = { 7cda 33f6 eb02 8bf0 834dfcff 8d8dd0fdffff } + $sequence_6 = { 2bc1 0bd0 7d0a 51 8b4c242c } + $sequence_7 = { 8b5500 33c0 66890472 8b442414 5f } + $sequence_8 = { 668b5602 663b542432 7537 668b4606 663b442436 752c } + $sequence_9 = { 85c0 740e 33c0 894708 } condition: 7 of them and filesize < 1605632 
@@ -104351,36 +104725,36 @@ rule MALPEDIA_Win_Kuluoz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e333e81d-6ddf-5afb-9076-c2e07a86e601" - date = "2026-01-05" - modified = "2026-01-06" + id = "9d547d06-c5c9-5c5d-9b60-e3f04bcaaf51" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kuluoz_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kuluoz_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "8a6d421ab9f7554479240c31c714fda22b910eb903ffdf797f53667a783e223f" + logic_hash = "559ed6389e34cb8d9e52cf9d35806fb91f16b49944f5ee56fee4ca5cecb87d2e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4de8 83790c00 0f84e3000000 8b55e8 } - $sequence_1 = { 8bff 55 8bec 51 8b4508 8945fc 8b4d0c } - $sequence_2 = { 8b8da0fbffff 898df0fbffff 8b95a4fbffff 8995f4fbffff eb6f 8d85f8fbffff 50 } - $sequence_3 = { 85c0 740b 8b4df0 83c101 894df0 ebd7 8b55f0 } - $sequence_4 = { 8bff 55 8bec 51 56 c745fc00000000 eb09 } - $sequence_5 = { e8???????? 8b08 898d5cfbffff 8b5004 899560fbffff 8b4008 } - $sequence_6 = { 8b4508 054a050000 8b4d08 3b814a2d0000 7504 b001 eb02 } - $sequence_7 = { 50 e8???????? 
8945f4 837df4ff 7405 8b45f4 eb4b } - $sequence_8 = { 0fbe5508 83fa0a 7409 0fbe4508 83f80d 7504 b001 } - $sequence_9 = { 8955f0 8b45f0 3b45e0 734e } + $sequence_0 = { 894dfc 6a40 6800300000 8b55fc 8b4250 50 8b4dfc } + $sequence_1 = { eb14 837dec00 740e 6a00 6a00 8b45cc 50 } + $sequence_2 = { 83c201 a1???????? 8910 8d8decfbffff 51 } + $sequence_3 = { 750d 8b4d08 c7814a12000004000000 c645ff00 8b5508 83ba4e12000001 7558 } + $sequence_4 = { 8b4008 898564fbffff 8b8d5cfbffff 898decfbffff 8b9560fbffff 8995f0fbffff } + $sequence_5 = { 8945f0 8b4de8 894df4 8b55ec 8955f8 8b45f0 } + $sequence_6 = { 8b4508 e9???????? 8b550c 8b02 8b4d0c 034104 8945f0 } + $sequence_7 = { 8945fc e8???????? 0fb64508 85c0 } + $sequence_8 = { e8???????? 89852cfeffff 8b852cfeffff 50 } + $sequence_9 = { 8b4dfc 894df4 8b55f4 813a436d644c 7514 8b45f4 817804696e653a } condition: 7 of them and filesize < 65536 
@@ -104390,36 +104764,36 @@ rule MALPEDIA_Win_Postnaptea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "51c689b3-106f-5456-8a81-c39f4d1222d0" - date = "2026-01-05" - modified = "2026-01-06" + id = "2c2d9707-07ad-5243-85f1-210116caa2a9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.postnaptea_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.postnaptea_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "cbc31a40430b61bd28460ce500d3e6052f8e6a6f9e1d2c25674ed00c58ea2b2d" + logic_hash = "5c2b930508b20d9de8e8f9b631eefff2fbcc2a62f0d5a8b36c9dc821d8d4ca8a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? ffd0 448bc0 488d542430 488bb590000000 488bce e8???????? } - $sequence_1 = { c745c8d4f6ccf6 41bf60090000 c745cc95f695f6 c745d086f6cdf6 c745d4c6f6c7f6 660f1f840000000000 4863c2 } - $sequence_2 = { c785060800000af50cf5 c7850a08000012f50ef5 c7850e08000009f505f5 c7851208000003f511f5 c7851608000009f54df5 c7851a0800001af507f5 c7851e08000015f551f5 } - $sequence_3 = { c7459418f513f5 c7459819f51bf5 c7459c5ff5baf5 c745a0a1f50000 4533c0 418bd0 660f1f840000000000 } - $sequence_4 = { e8???????? 
0fb64b08 0fb7430a 663b4509 7416 84c9 750c } - $sequence_5 = { c744247c01f516f5 c7458018f515f5 c7458453f517f5 c745881af518f5 c7458c03f51df5 c7459017f50ef5 c7459408f55cf5 } - $sequence_6 = { c7451830f51bf5 c7451c0bf5e8f5 c74520eef5e6f5 c74524a3f5e1f5 c74528fdf5e3f5 c7452ce4f5fdf5 c74530fdf5e3f5 } - $sequence_7 = { ff15???????? 85c0 7498 83f857 7493 4533c0 418bc8 } - $sequence_8 = { ffc3 41b401 488b0f 4885c9 7441 488b4138 4c3928 } - $sequence_9 = { ff15???????? 4c8bf0 4885ff 0f84a90a0000 4885c0 0f84a00a0000 c74424400af532f5 } + $sequence_0 = { e8???????? eb05 e8???????? 488d5550 488d4df0 e8???????? c1e81f } + $sequence_1 = { c745c40cf511f5 c745c815f546f5 c745cc0af50df5 c745d004f508f5 c745d40ef51ef5 c745d81ef506f5 c745dc06f500f5 } + $sequence_2 = { c7459410f511f5 c7459806f505f5 c7459c11f50df5 c745a015f516f5 c745a402f552f5 c745a877f574f5 33c0 } + $sequence_3 = { c7459059f540f5 c745945bf50000 660f1f840000000000 4863c2 488d4c2450 488d0c41 0fb7c2 } + $sequence_4 = { c785e005000010f552f5 c785e405000015f51df5 c785e805000019f513f5 c785ec05000057f51ef5 c785f005000018f513f5 c785f405000017f519f5 c785f805000019f55ef5 } + $sequence_5 = { 0f871b010000 488bce e8???????? 90 4983fd08 0f8208ffffff 4a8d146d02000000 } + $sequence_6 = { c7851c0b00000ef50bf5 c785200b000017f51ff5 c785240b00005df548f5 c785280b000020f504f5 c7852c0b00004bf539f5 c785300b00001ef50bf5 c785340b000055f50000 } + $sequence_7 = { e8???????? 488905???????? 498b4f18 ffd0 48898540010000 488b8dd8000000 488b01 } + $sequence_8 = { e8???????? 8bd6 488d4bd8 e8???????? 33d2 41b808020000 488d8d90050000 } + $sequence_9 = { e9???????? 4883fa10 722d 48ffc2 488b4d80 488bc1 4881fa00100000 } condition: 7 of them and filesize < 2457600 
@@ -104429,36 +104803,36 @@ rule MALPEDIA_Win_Beardshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0fef5153-0695-5651-88d6-fa2574fcc87d" - date = "2026-01-05" - modified = "2026-01-06" + id = "e5705008-2d0d-5908-a5da-71f225affd6b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beardshell" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.beardshell_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.beardshell_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "104b3d19aef271122113e5b1a20be0ecaabcd5f4198f381800365cc8cf878c7b" + logic_hash = "b0ca4ee127af48ffbd53604c7a7a1b25b077c2eed891f295d5e08e8a0c96eecc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d55c0 498bcc 488b4038 ff15???????? 410fbaed0e 4183cd20 44896c243c } - $sequence_1 = { 8a44246f 4c8b4c2460 488b542460 448a442440 88442420 e8???????? 4889442470 } - $sequence_2 = { e8???????? 488b4c2430 4c8d442460 4983c008 488d542458 e8???????? 488b4c2470 } - $sequence_3 = { e9???????? 
488b8424b8000000 4889842488000000 4c8b442458 48634c2448 31c0 4829c8 } - $sequence_4 = { 488b4010 4883e00f 4889442448 48837c244800 0f84ce000000 488b442450 } - $sequence_5 = { 0fbf1448 c1ea02 b901000000 84d1 7510 837d4004 7594 } - $sequence_6 = { 410f104500 f30f7f4587 48897c2420 440fb74c2440 4c8d4587 488d55b7 488bce } - $sequence_7 = { e9???????? c644245f31 8b442460 83e87f 89442458 488b842480000000 483b842488000000 } - $sequence_8 = { 4889c1 488b442430 48894c2440 488b4c2450 48894810 66448b44245e 488b542450 } - $sequence_9 = { e8???????? e9???????? 488b4c2448 e8???????? 488b4c2430 6689c2 e8???????? } + $sequence_0 = { e8???????? 488b4c2430 668944242e 488b542448 e8???????? 668b4c242e 668908 } + $sequence_1 = { e8???????? 488b4c2440 4c8b442450 4983c001 488b542430 e8???????? 488b8c2480000000 } + $sequence_2 = { 48894c2428 e8???????? 4889442438 488d0565db0500 4889442430 4c8b442438 488d4c2448 } + $sequence_3 = { 4531c0 e8???????? 488d4c2458 e8???????? 4889c1 488d542466 e8???????? } + $sequence_4 = { 4889542410 55 4883ec20 488daa80000000 488d8db0020000 e8???????? 90 } + $sequence_5 = { 4c894030 4c8d4520 4c894028 48c7402000000000 4c8d4508 41b918010000 e8???????? } + $sequence_6 = { e9???????? 488d4d20 e8???????? 8a00 884517 8b4530 c1e804 } + $sequence_7 = { 488b8424e8000000 488b4c2478 4829c8 4883f805 0f8d2a000000 488b4c2438 c78424e400000084000000 } + $sequence_8 = { e8???????? 837c244000 0f8e54000000 488b8424a8000000 4889842480000000 4c8b8c2480000000 488d0d43340b00 } + $sequence_9 = { e9???????? f644245701 0f842f000000 48b80000000000000800 4839442438 0f851a000000 488d05905b0c00 } condition: 7 of them and filesize < 2416640 
@@ -104468,36 +104842,36 @@ rule MALPEDIA_Win_Minibike_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b4e41190-0fa0-5a7c-a07b-bb3addd5d6da" - date = "2026-01-05" - modified = "2026-01-06" + id = "10124ed0-b566-59f4-839b-dc3adb3c3225" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibike" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.minibike_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.minibike_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "d63c47c9b294af645af17048597f95704ec7db4dff6a776da81f783cf994a29a" + logic_hash = "5dae1b7452b39b6b25306df7f4da2442d46ae244502091f8a813559b8422aac1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 0f434520 6800008004 6a00 6a00 6a00 51 } - $sequence_1 = { 2bc2 3bc8 0f8758010000 8d040a 8bce 3bc6 0f43c8 } - $sequence_2 = { 75bd 8b5508 8b451c 83f810 7227 8d4801 8bc2 } - $sequence_3 = { 8975b4 a801 742b e8???????? 6a00 c7461000000000 8bce } - $sequence_4 = { 8985b4fdffff 51 0f57c0 c785ecfdffff00000000 8d8588fdffff 660fd685e4fdffff 0f2805???????? 
} - $sequence_5 = { 2bc6 8bbda4feffff c1f802 898decfcffff 8985f8fcffff 85c0 7441 } - $sequence_6 = { 8b85c8fdffff 33c9 8bb5c4fdffff 2bc6 8bbdd0fdffff c1f802 898df4fcffff } - $sequence_7 = { c7431000000000 c7431407000000 85c0 7568 50 68???????? 8bcb } - $sequence_8 = { eb06 8b95acfcffff 83fa08 7235 8b8d98fcffff 8d145502000000 8bc1 } - $sequence_9 = { 83f81f 0f87e5020000 51 56 e8???????? 83c408 c745b800000000 } + $sequence_0 = { c645fc03 8bd8 83781408 7202 8b18 8b5010 8b45d4 } + $sequence_1 = { 72dc 8b75e4 85ff 7437 8b45e0 2bc7 c1f802 } + $sequence_2 = { 83c123 2bc7 83c0fc 83f81f 0f87a6130000 51 57 } + $sequence_3 = { b8abaaaa2a c7858cfeffff00000000 f7e9 c78584feffff00000000 c1fa02 8bc2 c78588feffff00000000 } + $sequence_4 = { 8d4da8 c745bc07000000 668945a8 e8???????? c645fc11 807ef800 } + $sequence_5 = { 57 ff95d8fdffff 83bdd4fdffff00 8bb508feffff 0f85d8fdffff 53 e8???????? } + $sequence_6 = { 83c123 2bc3 83c0fc 83f81f 0f874c010000 51 } + $sequence_7 = { 83f81f 0f877e080000 51 56 e8???????? 83c408 } + $sequence_8 = { 50 51 8d8dc4fdffff 0f1185b4fcffff } + $sequence_9 = { 0f2805???????? 50 51 8d8df4f3ffff c78568f3ffff05000000 0f118558f3ffff e8???????? } condition: 7 of them and filesize < 574464 
@@ -104507,42 +104881,42 @@ rule MALPEDIA_Win_Glupteba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f0d5e7d7-1d32-5f42-920b-16ebe0ccac58" - date = "2026-01-05" - modified = "2026-01-06" + id = "c1764f6c-0ab7-55fd-8726-9fa2d5fc7276" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.glupteba_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.glupteba_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "833c38370ca2666b80daaec86c0f2af9a38d0d465a2faa6f122cd9317cf83227" + logic_hash = "2ca789e079688597b37b728f87ec7f3e38f359b4649c39c4231635daf63ef356" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81e680800000 895de4 0bfe 8b75fc c1ee07 c1e709 } - $sequence_1 = { 742f 68???????? 50 c705????????04000000 ff15???????? 833d????????04 } - $sequence_2 = { 83c40c ff750c 66c745f00200 ff15???????? 668945f2 6a10 } - $sequence_3 = { ff15???????? 83c444 ff750c ff7508 e8???????? 8bf0 } - $sequence_4 = { 68???????? 57 895d0c ff15???????? } - $sequence_5 = { 8b4c2404 c1e802 d1e9 0ac1 8ac8 } - $sequence_6 = { 03c0 33c8 8bc1 3500630000 c1e808 33c1 } - $sequence_7 = { 895f04 894f08 83c710 837d0824 897d0c 7285 8bf9 } - $sequence_8 = { 005e3e 46 00ff 3e46 } + $sequence_0 = { a3???????? 
74bd 68???????? ff35???????? ffd6 3bc7 a3???????? } + $sequence_1 = { 746c 80a5dcefffff00 33c0 66837dfb04 } + $sequence_2 = { ebd9 a1???????? 68???????? ff35???????? } + $sequence_3 = { 51 ff742408 8364240400 e8???????? 85c0 } + $sequence_4 = { 0bca 8b55fc c1ea07 c1e109 } + $sequence_5 = { f3a5 66a5 ff35???????? ff15???????? } + $sequence_6 = { 6bf61b 8b5df8 c1e708 0b7dfc } + $sequence_7 = { 884f0b 8a4b0c 88430b 8a460c 32c8 } + $sequence_8 = { 0101 03d3 8b4620 8bcb } $sequence_9 = { 00cd 3e46 005e3e 46 } $sequence_10 = { 0107 eb4d 8b02 89442418 } - $sequence_11 = { 00ff 3e46 0012 3f } - $sequence_12 = { 0101 03d3 8b4620 8bcb } - $sequence_13 = { 0106 830702 392e 75a0 } - $sequence_14 = { 00f1 3d46005e3e 46 00cd } - $sequence_15 = { 0012 3f 46 008bff558bec } + $sequence_11 = { 0012 3f 46 008bff558bec } + $sequence_12 = { 0106 830702 392e 75a0 } + $sequence_13 = { 005e3e 46 00ff 3e46 } + $sequence_14 = { 00ff 3e46 0012 3f } + $sequence_15 = { 00f1 3d46005e3e 46 00cd } condition: 7 of them and filesize < 1417216 
@@ -104552,36 +104926,36 @@ rule MALPEDIA_Win_Eternal_Petya_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0622b1c6-50a1-59bf-9c9e-674c89b8f214" - date = "2026-01-05" - modified = "2026-01-06" + id = "40a6a56b-461a-5089-9b9a-08826cf36bea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.eternal_petya_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.eternal_petya_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "dc100556655eac63f6dd0a579c598175f64f6a920c350da1549a31a39dd0acc6" + logic_hash = "fc744f5a17b2ef749985f7e1eeb306b67917e723717039c9efe8a81d1eb305ff" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4644 50 53 6a02 } - $sequence_1 = { 8bec 51 57 68000000f0 6a18 33ff } - $sequence_2 = { 68f0000000 6a40 ff15???????? 8bd8 } - $sequence_3 = { 57 68000000f0 6a18 33ff } - $sequence_4 = { 55 8bec 51 57 68000000f0 } - $sequence_5 = { 55 8bec 51 57 68000000f0 6a18 } - $sequence_6 = { 53 8d4644 50 53 } - $sequence_7 = { 55 8bec 51 57 68000000f0 6a18 33ff } - $sequence_8 = { 51 57 68000000f0 6a18 } - $sequence_9 = { 53 68f0000000 6a40 ff15???????? 
} + $sequence_0 = { 51 57 68000000f0 6a18 } + $sequence_1 = { 51 57 68000000f0 6a18 33ff } + $sequence_2 = { 53 68f0000000 6a40 ff15???????? 8bd8 } + $sequence_3 = { 8d45fc 50 56 6a01 56 } + $sequence_4 = { 53 6a21 8d460c 50 } + $sequence_5 = { 53 8d4644 50 53 6a02 } + $sequence_6 = { 8bec 51 57 68000000f0 6a18 33ff } + $sequence_7 = { 8bec 51 57 68000000f0 6a18 } + $sequence_8 = { 57 68000000f0 6a18 33ff } + $sequence_9 = { 53 8d4644 50 53 } condition: 7 of them and filesize < 851968 
@@ -104591,36 +104965,36 @@ rule MALPEDIA_Win_Downdelph_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4f6b1d19-3f1f-5f81-9e45-1d0b60961ede" - date = "2026-01-05" - modified = "2026-01-06" + id = "61a35037-d1c6-592f-a410-db3ec76010bc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.downdelph_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.downdelph_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "eae4c367be0b783aacccaf67139d8191ef5e286d3c53b64319eee5bb00fa728e" + logic_hash = "a7c550aa5f23edbdf645cd157e6bc2a7a55cfb141cb7d6bdaab9602651fd4832" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b0d???????? ba???????? e8???????? 8b55d4 8d45d8 } - $sequence_1 = { 8d45f0 e8???????? 8d45e4 33c9 ba08000000 e8???????? 8b45f4 } - $sequence_2 = { 8d45f4 ba02000000 e8???????? 8d45fc 8b15???????? } - $sequence_3 = { 7c66 46 33db 8d45c0 } - $sequence_4 = { 8b14b0 8d45e0 b9???????? e8???????? 8b55e0 8d45e4 e8???????? } - $sequence_5 = { 8d45f8 e8???????? 8b55f8 8d45fc 8b4dfc e8???????? 8bc3 } - $sequence_6 = { 7409 8b12 50 e8???????? 58 83e808 e8???????? } - $sequence_7 = { 33c9 ba04010000 e8???????? 
8d45f8 } - $sequence_8 = { 81ce00ffffff 46 0fb68c35bcfeffff 884df7 889435bcfeffff } - $sequence_9 = { 8d45e4 ba03000000 e8???????? 8b55e4 8d45fc } + $sequence_0 = { ba02000000 e8???????? 8d45f0 8b15???????? e8???????? 8d45f4 ba03000000 } + $sequence_1 = { 49 ba01000000 8b45f8 e8???????? 8b55c8 } + $sequence_2 = { 7405 83ef04 8b3f 56 8d45d8 } + $sequence_3 = { 6a00 6a00 e8???????? a3???????? 833d????????00 7402 b301 } + $sequence_4 = { 0345e8 33c9 e8???????? 837df401 7e7f 83450804 ff4df4 } + $sequence_5 = { 8b55cc 8d45f8 e8???????? 837df800 750d } + $sequence_6 = { 837de800 740a 836de808 8b45e8 8b7804 8b45f8 } + $sequence_7 = { 8945f0 33c0 43 81e3ff000080 7908 4b } + $sequence_8 = { 4e 75d6 8b45dc 89470c } + $sequence_9 = { 8d45f8 33c9 ba06000000 e8???????? } condition: 7 of them and filesize < 172032 
@@ -104630,36 +105004,36 @@ rule MALPEDIA_Win_Unidentified_068_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "00ed8246-d247-5890-b70c-9dc2bd82550a" - date = "2026-01-05" - modified = "2026-01-06" + id = "55000b1d-a5a1-57c5-97ad-b14947920605" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_068_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_068_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "fa30d57049b9c1bba68e7061433a03b7496f06c6df4edaee3b08ded2533d6885" + logic_hash = "4107a258b8ace596144ac4b1f845cf0ee61299238aa04509f24f86a6f57892f9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d3403 8bd6 c1fa06 8bce 83e13f 6bc930 8b049518c94500 } - $sequence_1 = { 51 ff5008 ffb56cffffff e8???????? 59 8d8d2cffffff e8???????? } - $sequence_2 = { 894dfc 57 8bd1 33ff 53 8d8dfcfeffff e8???????? } - $sequence_3 = { 897de8 8945d8 8b458c 2b8564ffffff 8945dc 6a08 e8???????? } - $sequence_4 = { 85c9 7904 33c0 5d c3 ff7510 } - $sequence_5 = { 0fafc1 3bf0 7314 8bf8 b800080000 2bc1 c1e805 } - $sequence_6 = { 83bf304b000002 744d 8b4d1c 85c9 7422 8b473c 2b4744 } - $sequence_7 = { e8???????? 
6a10 83faff 8d4f28 58 0f45c2 } - $sequence_8 = { b800080000 2bc2 c1e805 03c2 66894312 6a02 eb14 } - $sequence_9 = { 6a2a 8d4dcc e8???????? 57 ff75cc 8d4dec e8???????? } + $sequence_0 = { 8b5dd0 03c8 d1e9 3b14cb 7511 8bf3 8b5cce04 } + $sequence_1 = { 663bf8 7512 8a4603 eb46 8bf2 85c0 75d8 } + $sequence_2 = { 5e 8d4802 f7d8 1bc0 23c1 c3 33c0 } + $sequence_3 = { c746040a000000 8b7604 57 ff15???????? 5f 8bc6 5e } + $sequence_4 = { 7410 8b4dec 33c0 0345f0 8902 83d100 894a04 } + $sequence_5 = { c74114f80c4500 894120 894124 894134 894140 894148 894158 } + $sequence_6 = { 2bc8 8b45f4 66890c58 0bd3 83faff 0f8425010000 8b4dc8 } + $sequence_7 = { 014d0c 294dfc 8945ec 8b4510 0108 8b4728 8b4f20 } + $sequence_8 = { 8bbd70ffffff 8b4584 2bc7 897de8 8945d8 8b458c } + $sequence_9 = { 740e 8a8277fb4400 8a8a97fb4400 eb0c 8a8257fb4400 8a8ab7fb4400 } condition: 7 of them and filesize < 862208 
@@ -104669,36 +105043,36 @@ rule MALPEDIA_Win_Parallax_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8bc5e4c5-7297-58f6-93c7-d7e053396899" - date = "2026-01-05" - modified = "2026-01-06" + id = "98cac655-227e-5acb-baab-c2e2746f0c8f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.parallax_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.parallax_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "048041cd9476ccea336d154c3ff8a8cb0591d12b8f4809a446240e8afe220643" + logic_hash = "5e5e2c88f7bd752b4c96e4bbaa3ddc408c042d60dccf4f7d601aec2a77df50fe" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff96fc000000 6a04 68???????? 6a0a 68???????? e8???????? 6a04 } - $sequence_1 = { 837d0801 7548 8d35f4ec4000 8d3d04f14000 b908020000 f3a4 6a04 } - $sequence_2 = { ff7634 52 ff750c e8???????? 6a00 ff750c ff7508 } - $sequence_3 = { 3d02800000 7510 ff7514 ff7510 e8???????? e9???????? 3d03800000 } - $sequence_4 = { 5d c20c00 55 8bec 8b7d08 } - $sequence_5 = { 5d c20800 e8???????? 5e 662bf6 8b15???????? 3315???????? } - $sequence_6 = { 895f1c 8bc3 5f 5e 8be5 5d c20800 } - $sequence_7 = { 89463c 68ff1f0000 e8???????? 
8b563c } - $sequence_8 = { ff751c 8f4614 ff7520 8f461c 5d c21c00 } - $sequence_9 = { 8b4648 8945f4 ff75f8 ff75f0 ff75f4 e8???????? eb28 } + $sequence_0 = { e8???????? 83f801 751c 8b15???????? 6a00 ff75f4 6815800000 } + $sequence_1 = { 8b0d???????? ff9180000000 6800200000 6a00 6a00 } + $sequence_2 = { 75f7 668b01 668902 83c102 83c202 } + $sequence_3 = { 8b7d08 8b0d???????? ff9180000000 894720 ff75f4 ff75f0 e8???????? } + $sequence_4 = { 7523 8b7508 8b15???????? 6a00 ff7508 681a800000 } + $sequence_5 = { 85c0 7418 8bf8 8b35???????? b8ffffffff f0874704 50 } + $sequence_6 = { 5d c21000 55 8bec 8b5508 33c0 bb01000000 } + $sequence_7 = { 6a00 ff35???????? ff5760 83be8800000000 7411 ffb688000000 } + $sequence_8 = { ffb7c4000000 ff9288000000 83f8ff 0f8483000000 8987f8000000 8945fc } + $sequence_9 = { b8ffffffff 8be5 5d c21800 ff7508 e8???????? } condition: 7 of them and filesize < 352256 
@@ -104708,36 +105082,36 @@ rule MALPEDIA_Win_Graphdrop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "237c51dc-e941-5d7c-b6d3-2562536d7e1c" - date = "2026-01-05" - modified = "2026-01-06" + id = "a502dee4-58c2-59e8-8295-f05130617fd5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.graphdrop_auto.yar#L1-L106" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.graphdrop_auto.yar#L1-L107" license_url = "N/A" - logic_hash = "0e6707eb4bbec74f1d6caa5a7e229009514fcba8c763f4b645f99a1b6c93d629" + logic_hash = "84b8556ecbf36b2bc9b51ab9373b0c80a8b0c6c009d13b3f5d43f619d36fc014" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4155 0f77 53 90 } - $sequence_1 = { 4155 49c7c501000000 4150 4152 415a 4158 } - $sequence_2 = { 0f77 4157 90 415f } - $sequence_3 = { 0f77 0f77 415d 90 } - $sequence_4 = { 50 58 5a 49ffc9 } - $sequence_5 = { 0f77 0f77 5b 0f77 } - $sequence_6 = { 90 0f77 415c e9???????? 
} - $sequence_7 = { 49c7c501000000 4150 4152 415a } - $sequence_8 = { 4150 4152 415a 4158 } - $sequence_9 = { 0f77 4155 0f77 4150 } + $sequence_0 = { 4150 4152 415a 4158 } + $sequence_1 = { 49c7c501000000 4150 4152 415a } + $sequence_2 = { 90 415f 90 415d } + $sequence_3 = { 4154 90 415c 90 } + $sequence_4 = { 50 90 53 0f77 } + $sequence_5 = { 4150 4152 415a 4158 49ffcd } + $sequence_6 = { 4155 0f77 415d 90 } + $sequence_7 = { 4155 49c7c501000000 4150 4152 415a } + $sequence_8 = { 0f77 4157 90 415f } + $sequence_9 = { 52 50 58 5a 49ffc9 } condition: 7 of them and filesize < 4186112 
@@ -104747,36 +105121,36 @@ rule MALPEDIA_Win_Cuegoe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c8a706e-da68-55ba-a4ca-eaa50b244652" - date = "2026-01-05" - modified = "2026-01-06" + id = "ff6a6411-9fc2-53c9-bcd6-17b55366aeea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cuegoe_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cuegoe_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "f45425f55dbbdbdba945f538455e47f9972b3b43f177d31d74ee7524c51ab351" + logic_hash = "1896c3a77b34ee44dfcf57c4b1b5d2256baf5f56cd4b8e2f1d5e8cc492c98b22" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8985500c0000 8b432c 8b4b24 57 } - $sequence_1 = { 57 8db55c030000 e8???????? 53 57 8db59c030000 e8???????? } - $sequence_2 = { 8bff 8b4500 83780400 0f84961a0000 8b30 0fb636 8b551c } - $sequence_3 = { 894740 8b454c 894744 8b4550 894748 8b4554 89474c } - $sequence_4 = { 0f8554020000 57 83ec18 8bc4 89654c 53 50 } - $sequence_5 = { 8b149580cf0310 c1e006 8d440224 802080 884dfd 8065fd48 884dff } - $sequence_6 = { 894310 5e 5f c20400 6a04 } - $sequence_7 = { b8???????? e8???????? 8b7508 8365f000 c706???????? 
c746581c520310 } - $sequence_8 = { ff5004 0fb7c0 6a01 50 ff7528 8d758c ff7524 } - $sequence_9 = { 897dc4 50 c745fc02000000 e8???????? 33c0 c745c401000000 c745ec07000000 } + $sequence_0 = { 8bf1 897534 8d4500 33ff 50 897dfc e8???????? } + $sequence_1 = { 8b06 8b4004 c70406???????? c745fc04000000 8b06 8b4004 c70406???????? } + $sequence_2 = { 39742460 740a ff742460 e8???????? 59 ff742454 89742464 } + $sequence_3 = { 50 57 e8???????? 8b450c 894730 8b4544 89473c } + $sequence_4 = { 5f 8b4508 8903 8b450c 894304 8bc3 5e } + $sequence_5 = { 8b80c8000000 c3 8bff 55 8bec 81ec28030000 } + $sequence_6 = { b8f8ffffff 5b 83c430 c21800 83fe04 7415 8d44240c } + $sequence_7 = { 7467 3d00010000 7414 56 ff7510 8d7db0 ff751c } + $sequence_8 = { 50 e8???????? 5e 5f 5b c9 c3 } + $sequence_9 = { 8b10 8955f8 85db 7614 52 ff75fc 8bc3 } condition: 7 of them and filesize < 540672 
@@ -104786,36 +105160,36 @@ rule MALPEDIA_Win_Luca_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "962fd693-32a3-53ad-92cd-b5debbabca20" - date = "2026-01-05" - modified = "2026-01-06" + id = "81eb348b-f124-5d26-b1c2-7e3e37f1bf20" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.luca_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.luca_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "41100df83b0cacd06b9716ae5b8e2710b883cf9f1a3da041c06d57097240cc33" + logic_hash = "220473227abc72c99d81b0cfabfdcee10a55ec183eac9d22662cf4b5b2976137" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb0a f6471280 7504 6683e914 4d85f6 7416 6641395e10 } - $sequence_1 = { e8???????? 85c0 7428 85db 7524 488d0daee71600 e8???????? } - $sequence_2 = { e9???????? 4156 56 57 53 4883ec28 83791803 } - $sequence_3 = { e8???????? 4c8d4768 4889f1 ba03003000 e8???????? 4883c770 4889f1 } - $sequence_4 = { eb06 492130 412131 488b5c2430 8bc6 488b742438 488b7c2440 } - $sequence_5 = { 8d507e 448d4301 e8???????? 8b442458 448d4301 448bce 89442420 } - $sequence_6 = { e9???????? 48b8af39a3b04c5dea12 c3 56 4883ec20 4889ce 89f0 } - $sequence_7 = { ff15???????? 
4438bfa8010000 740c 488b8fe8010000 e8???????? 488bcf e8???????? } - $sequence_8 = { e8???????? 488d8d60110000 e8???????? 488d8d501f0000 e8???????? 488d15683a2c00 488db560110000 } - $sequence_9 = { e9???????? 488d542468 48c70205000000 e9???????? 488d542468 48c70202000000 eb7d } + $sequence_0 = { ffca 4889f9 41b805000000 e8???????? 488d0d7f3d2a00 31c0 4883f813 } + $sequence_1 = { e8???????? b900040000 4885c9 7411 488903 48895308 4883c310 } + $sequence_2 = { e8???????? 498bcc 8bd8 e8???????? 448ba42488000000 85db 790e } + $sequence_3 = { e9???????? 48895c2408 4889742410 57 4883ec20 488b5930 488bf9 } + $sequence_4 = { ff15???????? 33f6 48894310 4885c0 0f844e020000 488d4db0 4533c9 } + $sequence_5 = { e9???????? 48898fd0020000 48898fd8020000 388f2c020000 745f 488daf30020000 488bcd } + $sequence_6 = { c1e804 22c3 8887560e0000 f6c110 7406 83e1ef 83c902 } + $sequence_7 = { f348a5 837d0003 4889e9 0f84330e0000 4889ce e8???????? 48c70603000000 } + $sequence_8 = { e8???????? 4885c0 0f85c5210000 488d4c2460 4889da e8???????? 48837c246000 } + $sequence_9 = { 8bd8 488dbeb8020000 740d 834f1002 eb07 488dbeb8020000 85c0 } condition: 7 of them and filesize < 9285632 
@@ -104825,43 +105199,43 @@ rule MALPEDIA_Win_Xsplus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e1cc002-aafa-57a5-ac8f-12fca4d9f30a" - date = "2026-01-05" - modified = "2026-01-06" + id = "3f0d7ffb-6d2b-54bb-93e8-b91caf3d74ed" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xsplus_auto.yar#L1-L182" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xsplus_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "dcc5687f917495ecca687c74006688a8948f135325a7531bf3c5206fe8cc2299" + logic_hash = "d1e503d1ee9e4435450731001eb709a9b8a9f116bfcacb3f4b0a409fd6faef6b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b761c 8b4608 8b7e20 8b36 66394f18 75f2 } - $sequence_1 = { 8bec 83ec18 8b4518 8945f0 8b4d14 } - $sequence_2 = { 8b55ec 8b01 3b4210 0f83af000000 6a01 8d4df8 51 } - $sequence_3 = { 8b5520 8955f8 8b451c 8945e8 8b4d10 83e102 85c9 } - $sequence_4 = { 83c201 8955f8 8b4514 8945f4 } - $sequence_5 = { aa a0???????? 8885c8fbffff b940000000 33c0 8dbdc9fbffff } - $sequence_6 = { 85c0 7524 a1???????? a3???????? a1???????? c705????????04264000 8935???????? 
} - $sequence_7 = { 8b8db4fdffff 81e9cd860100 898db4fdffff 83bdb4fdffff03 } - $sequence_8 = { 898da8feffff 8b95a8feffff 52 8b85ccfeffff 50 8d4de0 } - $sequence_9 = { 6804010000 8d85fcfeffff 50 6a00 ff15???????? 6804010000 8d8df0fcffff } - $sequence_10 = { 8985b8fdffff 81bdb8fdffff10010000 7723 81bdb8fdffff10010000 } - $sequence_11 = { 8b5508 89510c 8b45ec 8b4d0c 894808 8b55ec c7421000000000 } - $sequence_12 = { c74668e0a34000 6a0d e8???????? 59 8365fc00 ff7668 ff15???????? } - $sequence_13 = { 8d85d0fcffff 50 8d8dc8fbffff 51 e8???????? } - $sequence_14 = { 0355fc 0fb602 33c1 8b4d0c 034dfc 8801 } - $sequence_15 = { 8a8c181d010000 888808a74000 40 ebe6 } - $sequence_16 = { 50 ff15???????? b801000000 e9???????? 8d95c4fdffff } + $sequence_0 = { 8b761c 8b4608 8b7e20 8b36 66394f18 } + $sequence_1 = { 39b810a84000 0f8491000000 ff45e4 83c030 } + $sequence_2 = { 8945fc 837dfc00 7502 eb4c } + $sequence_3 = { 8b8db4fdffff 81e9cd860100 898db4fdffff 83bdb4fdffff03 0f87c5000000 } + $sequence_4 = { 83c201 8955f8 8b4514 8945f4 8b4df4 83c101 } + $sequence_5 = { 8985e8fdffff 83bde8fdffff00 0f8c9d000000 8b5508 } + $sequence_6 = { ff15???????? 83c408 85c0 7463 8b4d08 51 ff15???????? } + $sequence_7 = { 8b4508 0345fc 8a08 880a c745f800000000 } + $sequence_8 = { 8945f4 8b55fc 8b02 8b4dfc 51 ff5008 } + $sequence_9 = { 8955e4 8b45e4 3b45d8 0f8d24010000 8b4de4 } + $sequence_10 = { ff15???????? c745e0b4924000 c745dc58020000 8d55d4 52 6a00 6860100000 } + $sequence_11 = { b801000000 e9???????? 6a00 ff15???????? b801000000 } + $sequence_12 = { 8b55c8 52 e8???????? 83c408 85c0 0f85f8000000 } + $sequence_13 = { 8b85a8feffff 898590feffff 8b8d90feffff 51 } + $sequence_14 = { 8bec 81ec2c050000 57 c785f0fdffff04010000 } + $sequence_15 = { c74668e0a34000 6a0d e8???????? 59 } + $sequence_16 = { 8b5118 c1ea10 8b4508 8910 8be5 5d c20800 } condition: 7 of them and filesize < 597872 
@@ -104871,36 +105245,36 @@ rule MALPEDIA_Win_Regretlocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50b9971a-330e-56d2-b756-71f28fc91f9f" - date = "2026-01-05" - modified = "2026-01-06" + id = "135f1a93-7e2d-5296-9a4b-be03a4e18e0e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.regretlocker_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.regretlocker_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "ead6b2d4c6df817cb3c1a72366d53d238049299ae52f7c46e3aa685242a44978" + logic_hash = "9777e5904ea5a6b774091664f33e342a9046198235aa4a1e946e06eeea9adb21" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d4d8f e8???????? 8bf8 6a20 58 ff35???????? } - $sequence_1 = { 7202 8b09 6a00 51 e8???????? 83f8ff } - $sequence_2 = { 8d8560feffff 8bce 50 e8???????? 84c0 746b } - $sequence_3 = { e9???????? 8b4df0 83c12c e9???????? 8d4dd8 e9???????? b8???????? 
} - $sequence_4 = { eb4c 8b08 80790d00 7439 8b4804 80790d00 } - $sequence_5 = { 8b01 8945ec 3bc1 0f84c5000000 8855e8 33ff 8855e4 } - $sequence_6 = { a5 a5 8d7dec ab ab } - $sequence_7 = { 56 57 8b7d08 8bf1 3bf7 742b 8d4718 } - $sequence_8 = { 8bc1 2b45cc 99 f7fb c645fc02 8bf0 8b45c4 } - $sequence_9 = { 5b 85c0 0f8569ffffff 8b4df4 8bc6 5f 5e } + $sequence_0 = { 8bd6 83e03f c1fa06 6bc830 8b049558d74600 f644082801 7414 } + $sequence_1 = { 84c0 753b 837e1410 7202 8b36 56 68???????? } + $sequence_2 = { e8???????? 8d4da0 e8???????? 8d8de8feffff c645fc08 e8???????? 8b4db8 } + $sequence_3 = { 83e63f c1f806 6bce30 8945f4 8b048558d74600 894df0 8a440129 } + $sequence_4 = { 57 e8???????? 837e1408 8bce 7202 } + $sequence_5 = { 8d4f20 e8???????? 8d4dd4 e8???????? 8b4df4 5f } + $sequence_6 = { 75ca eb07 33ff eb03 83ceff 893b 807df400 } + $sequence_7 = { 51 8d1c42 e8???????? 53 ff7508 8945f0 } + $sequence_8 = { e8???????? 83a55cffffff00 8d96b0010000 8bca c78560ffffff0f000000 c6854cffffff00 8d4101 } + $sequence_9 = { 8d4de0 e8???????? 8d4d0c e8???????? e9???????? 837d2008 } condition: 7 of them and filesize < 1021952 
@@ -104910,36 +105284,36 @@ rule MALPEDIA_Win_Broler_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1cf91de0-5126-5e8f-b11c-1d3db3402e61" - date = "2026-01-05" - modified = "2026-01-06" + id = "eb6df9f0-2da3-5a4e-8f19-bc9c64435ce5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broler" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.broler_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.broler_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "fcd117231e6be08bdf633689556086666ed79e35ac782c6838a07603ffb215e5" + logic_hash = "db1febc359ff2ef3b46431432b39f10a7c85b60f194ad8eed00b389b369e2de8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 51 6a01 53 ff15???????? 8bf0 ff15???????? 3bf3 } - $sequence_1 = { 68e9fd0000 ff15???????? 8bc6 c6043e00 8d5001 } + $sequence_1 = { 8a08 880c02 40 84c9 75f6 3975b0 } $sequence_2 = { c785c0feffff0f000000 899dbcfeffff 889dacfeffff 39b5a4feffff } $sequence_3 = { 8bf0 8d45d4 3bc6 7461 837de810 720c 8b4dd4 } $sequence_4 = { 57 8d8da8feffff e8???????? 83c408 33c0 8a4c05f0 8888f8cd4100 } $sequence_5 = { 8b3d???????? 53 ffd7 56 ffd7 8d8d70fdffff } - $sequence_6 = { b8???????? 8db554ffffff c78568ffffff0f000000 e8???????? 8d8570ffffff } + $sequence_6 = { e9???????? bf2a000000 b8???????? 
8db5acfdffff c785c0fdffff0f000000 899dbcfdffff 889dacfdffff } $sequence_7 = { 8bdf c1fb18 c1f818 81e3ff000000 3283085a4100 8b5d0c } $sequence_8 = { 3299085a4100 c1fe08 81e6ff000000 8bca c1f908 88580d } - $sequence_9 = { 83fb10 7305 8d5508 8bca 2bc6 83e819 50 } + $sequence_9 = { c20400 5e 83c8ff 5b 5d } condition: 7 of them and filesize < 275456 
@@ -104949,49 +105323,49 @@ rule MALPEDIA_Win_Soraya_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a07d2ec9-21c3-51d7-8a6a-aaea120dc635" - date = "2026-01-05" - modified = "2026-01-06" + id = "14bbde5d-15cc-5025-8b24-26e133addab2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.soraya_auto.yar#L1-L232" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.soraya_auto.yar#L1-L226" license_url = "N/A" - logic_hash = "67d5293b43a7462b9bb676c8134e4e8a6a8c166af85a6bac43befacfaf313c24" + logic_hash = "b2e9247a6dd1093d6971a6ef5da72b47d313966f90239a9370fea94dbcd381d2" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff15???????? 8d48bf 80f919 77f2 } - $sequence_1 = { 488d4dd0 488bd0 488bd8 ff15???????? 458bc7 33d2 } - $sequence_2 = { 833800 7411 c1d30b 8b18 0fbdc1 8b45e4 } - $sequence_3 = { 2bfa 037d0c 3bc7 72cd 8b4510 33c1 } - $sequence_4 = { ba02c10d00 33c8 2bfa 2bca 0faff9 eb46 } - $sequence_5 = { ffd0 85c0 7536 8b75ec 83feff 742e } - $sequence_6 = { 488bce ff15???????? 488bcd ff15???????? 498bce ff15???????? } - $sequence_7 = { 488bcf ff15???????? 83f801 753b } - $sequence_8 = { 6a04 6800300000 6a0a 56 ff15???????? 8b3d???????? 
} - $sequence_9 = { 52 8d45d8 50 8b45f8 33c6 } - $sequence_10 = { a1???????? 69c941370000 8bfa 33d2 f7f3 33d2 } - $sequence_11 = { ffd7 68???????? 8d85f8fdffff 50 ffd6 e8???????? 50 } - $sequence_12 = { 4885c0 0f84b8000000 488364242000 4c8d442430 41b930000000 } - $sequence_13 = { 7511 488bc5 81e1ff0f0000 482b4630 4a010411 8b4a04 } - $sequence_14 = { e8???????? 68???????? ff15???????? 8b3d???????? 8bd8 68???????? 53 } - $sequence_15 = { 488d4550 4c8d442450 4183c9ff 33d2 33c9 } - $sequence_16 = { 8d41f2 66898552ffffff 83c016 66898554ffffff } - $sequence_17 = { 72c8 4c891d???????? 488d0d1fe0ffff ff15???????? 488bc8 e8???????? 488d0dfadfffff } - $sequence_18 = { 8b45fc 8b7508 33c3 2bc7 } - $sequence_19 = { 3bf0 72e4 eb03 8b55fc } - $sequence_20 = { 8b45ec 41 3bc8 72e8 8b7df4 8b45f0 } - $sequence_21 = { 8b4dcc 8365f400 894dfc 0fb74b06 2bc7 49 } - $sequence_22 = { 6a0c 58 e8???????? 59 85c0 0f849e000000 2b75fc } + $sequence_1 = { 0301 8b4c2410 3901 0f87a1fdffff } + $sequence_2 = { e8???????? 8b45fc 33c6 2bc3 50 } + $sequence_3 = { ff15???????? 037df8 3975f8 75db 8b4514 33c9 } + $sequence_4 = { ff4d3c 7580 8b451c 8b4d24 014dfc c745d03223f000 } + $sequence_5 = { 8bec 51 51 837d1800 747b } + $sequence_6 = { ff75ec e8???????? 8b4df0 8b45f4 8d440801 8945fc 8d45d8 } + $sequence_7 = { 8b4508 8a08 884d0b 8a4d0b 8b55f8 0fb6c9 } + $sequence_8 = { 8d85ecfdffff 50 ffd6 a1???????? 0540010000 50 8d85ecfdffff } + $sequence_9 = { 8b4d0c 8b5520 33ce 8b8c118e40f2ff 8b10 8b18 } + $sequence_10 = { 59 68???????? 53 ffd7 5b 85c0 } + $sequence_11 = { ff15???????? 488b0d???????? 488364242000 488d5150 4c8d45d0 448bc8 } + $sequence_12 = { 8b5254 48 f7d0 23d0 8b45f4 } + $sequence_13 = { 488bcb ff15???????? 488d1563f0ffff 488bcf } + $sequence_14 = { 744f ba0c000000 4c8d8c24b0020000 488bce 448d4234 } + $sequence_15 = { 33c0 66390f 0f8515010000 8b4f3c 03cf 813950450000 } + $sequence_16 = { 4533c0 488bd5 498bcf ff15???????? 498bce } + $sequence_17 = { 488bd0 488bd8 ff15???????? 
488d15d9f0ffff 488bcf ff15???????? } + $sequence_18 = { 0fb6c0 2bcb 3bc1 0f8462010000 } + $sequence_19 = { 8b4804 83e908 f7c1feffffff 763b 8b4dfc } + $sequence_20 = { 8d740650 8b02 0306 8b742418 } + $sequence_21 = { 4d2bc6 0fb701 6641398408a0010000 7530 ffc2 48ffc1 } + $sequence_22 = { 4533c0 418d5064 ff15???????? 4883c430 5b } condition: 7 of them and filesize < 188416 
@@ -105001,43 +105375,45 @@ rule MALPEDIA_Win_Clop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4854a8b5-e52e-5b4e-a6a6-3c1168d9d798" - date = "2026-01-05" - modified = "2026-01-06" + id = "8e6566b7-d723-5b0d-89e0-5f2bf908dee7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.clop_auto.yar#L1-L181" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.clop_auto.yar#L1-L182" license_url = "N/A" - logic_hash = "65d38e339958842c1ae82c8f06911cc6fa67bb1b5d7a3308dc697dc71c286d31" + logic_hash = "67b2ff23adffc2b6265bd7b4e4e96c9d6922727e827fa3ba5d417b1f80738cfd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 6a04 6800300000 6887000000 6a00 } $sequence_1 = { 83c40c 6860070000 6a40 ff15???????? } - $sequence_2 = { 57 6a00 ff15???????? 68???????? 8bd8 } - $sequence_3 = { ff15???????? 8bf0 56 53 ff15???????? 50 ff15???????? } + $sequence_2 = { 8bf8 ff15???????? 8bf0 56 6a40 } + $sequence_3 = { 6a00 ff15???????? 68???????? 8bd8 } $sequence_4 = { 50 ff15???????? 56 53 8bf8 } - $sequence_5 = { 53 8bf8 ff15???????? 8bf0 56 6a40 } - $sequence_6 = { 668b0424 6683e07f 6683f87f 8d642408 0f85fd0b0000 eb00 f30f7e442404 } + $sequence_5 = { 8bf0 56 53 ff15???????? 50 ff15???????? 
} + $sequence_6 = { 833d????????00 0f842e0c0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 } $sequence_7 = { 50 ff15???????? 83c40c 6860070000 } - $sequence_8 = { 03d1 0fb6ca 8b55fc 0fb60c01 300c17 47 8a550b } - $sequence_9 = { 8ab800010000 8a9001010000 57 33ff 8975f8 85f6 744e } - $sequence_10 = { 744e fec7 0fb6f7 8a1c06 02d3 88550b 0fb6d2 } - $sequence_11 = { 47 8a550b 3b7df8 72c7 5f 8aca 88b800010000 } - $sequence_12 = { ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 } - $sequence_13 = { 8d85bcefffff 50 ff15???????? 68???????? } - $sequence_14 = { 68???????? 68???????? e8???????? 83c424 6aff } - $sequence_15 = { ff15???????? 68???????? 8d85dcf7ffff 50 } - $sequence_16 = { 6a00 e8???????? 83c408 6aff ff15???????? 33c0 } + $sequence_8 = { 8b1d???????? 8d85d4f7ffff 68???????? 50 ffd3 8d85d4f7ffff 50 } + $sequence_9 = { ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 } + $sequence_10 = { 0f85aa010000 68???????? 8d442450 50 } + $sequence_11 = { ff15???????? 68???????? 8d85dcf7ffff 50 } + $sequence_12 = { 68???????? 68???????? e8???????? 83c424 6aff } + $sequence_13 = { 6888130000 ffd7 6a00 6a00 } + $sequence_14 = { 8d85bcefffff 50 ff15???????? 68???????? } + $sequence_15 = { 6a00 e8???????? 83c408 6aff ff15???????? } + $sequence_16 = { 83c424 53 50 ffd6 } + $sequence_17 = { 83c40c 33f6 85ff 7428 } + $sequence_18 = { 6aff ffd7 8b4dfc 33c0 } condition: 7 of them and filesize < 796672 
@@ -105047,36 +105423,36 @@ rule MALPEDIA_Win_Pirpi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a7077df7-231e-50c6-a30a-b0c867545de5" - date = "2026-01-05" - modified = "2026-01-06" + id = "7181ea42-e19a-5e12-ba7b-9d6b1e35ab43" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pirpi_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pirpi_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "e76dba310cd3f8d181253104bae884733437724bbd7b8a3e7170c860a0db32f8" + logic_hash = "72a48ba0aba5945f7b53e0e1d7a9142f3ecdcec0fff3d84436ae9e1c918d7370" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8bf8 8d4610 50 8d4c2424 6a0c } - $sequence_1 = { bf???????? 8bf0 33db c70200000000 f3a7 745c b904000000 } - $sequence_2 = { 0f849e000000 8d7c2434 83c9ff 33c0 f2ae f7d1 49 } - $sequence_3 = { 8bca 8b5510 83e103 52 f3a4 } - $sequence_4 = { 8b542404 57 85d2 c705????????00000000 7461 8bfa } - $sequence_5 = { 8bac24f0000000 8d7c241c 2beb 8b07 } - $sequence_6 = { 83fbff 742b b941000000 33c0 8d7c2420 85f6 f3ab } - $sequence_7 = { ff15???????? 
8bf0 85f6 897508 7545 8b5d0c } - $sequence_8 = { 81ec10020000 8bd1 b940000000 33c0 57 8dbc2414010000 } - $sequence_9 = { 81c41c020000 c3 8bb42430020000 85f6 0f841dffffff b941000000 8d7c2420 } + $sequence_0 = { b802000000 890e 5f 5e 5b 8be5 5d } + $sequence_1 = { f3a4 8b4d10 8d5408ff 8955f4 } + $sequence_2 = { 4f 41 3bca 897df4 7ce2 } + $sequence_3 = { c0e104 0ad1 8a4c2416 8856fb 8a542415 } + $sequence_4 = { c20400 53 55 57 8d7e18 b926120000 33c0 } + $sequence_5 = { 56 f3ab 8d44241c 68???????? 50 c744241c00000000 c744242002000000 } + $sequence_6 = { 8b442404 81ec44010000 57 33ff 85c0 } + $sequence_7 = { 3bc7 8901 761f 5f } + $sequence_8 = { 8bca be90000000 99 f7fe 895c2408 894c240c } + $sequence_9 = { 8b8324200000 5f 40 5e 898324200000 } condition: 7 of them and filesize < 327680 
@@ -105086,36 +105462,36 @@ rule MALPEDIA_Win_Megumin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4a2dcf8-4894-5cef-ac41-bcc9553ffc60" - date = "2026-01-05" - modified = "2026-01-06" + id = "c406e2e6-ad08-5c42-b07a-0d46a0df3645" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.megumin_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.megumin_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ea7444cfb1798579fc346f04ef83b325fb03cf7f61d5558430123962ac8f5635" + logic_hash = "c683aff04bae9dadba06438a1553cc52b63fca2f76e9547da5776897d27f9da7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c418 c745fc04000000 bb1f000000 83781410 899de0feffff 7202 } - $sequence_1 = { c1e81f c78570ffffff0f000000 c6855cffffff00 f20f5804c540814600 f20f5885f8feffff f20f1185f8feffff e8???????? } - $sequence_2 = { 3bc2 0f827a0c0000 2bce 2bc2 83c1fe 3bc1 0f42c8 } - $sequence_3 = { 6a03 68???????? 8d8da4fdffff e8???????? 83bdb8fdffff10 8d95a4fdffff ffb5b4fdffff } - $sequence_4 = { 8d4dc0 c645fc03 8bf0 e8???????? 85f6 0f844f010000 8b95e0fdffff } - $sequence_5 = { 68???????? e8???????? 
8d7db8 8d4f01 0f1f4000 8a07 47 } - $sequence_6 = { c7461000000000 0f42bde0feffff 83bde4feffff10 57 0f438dd0feffff 51 c746140f000000 } - $sequence_7 = { 8d9570fbffff 2bd1 8a01 8d4901 88440aff 84c0 } - $sequence_8 = { 8bcf ffb5c4fbffff 6a05 e8???????? 8bf8 c785bcfbffff00000000 c785c0fbffff00000000 } - $sequence_9 = { 0f8700010000 c1e003 3d00100000 721f 8d4823 3bc8 0f86f0000000 } + $sequence_0 = { 83ec18 c645fc2b 8bf4 8965c8 b9???????? 6a0e e8???????? } + $sequence_1 = { 53 56 57 33f6 c78524f8ffff00000000 56 56 } + $sequence_2 = { 8d4dd8 e9???????? 8d4db8 e9???????? 8b542408 8d420c 8b8a2cfeffff } + $sequence_3 = { 8d4dd8 c645fc01 e8???????? 83ec10 8d8dc0fdffff 68???????? e8???????? } + $sequence_4 = { 8d8d70ffffff c745840f000000 c68570ffffff00 6a07 68???????? e8???????? 8d9570ffffff } + $sequence_5 = { 53 56 8bf1 57 8b4608 2500010000 7414 } + $sequence_6 = { 8d8dd4fbffff 6a08 68???????? c785e4fbffff00000000 c785e8fbffff0f000000 c685d4fbffff00 e8???????? } + $sequence_7 = { 0f82cc0a0000 2bc6 83c9ff 83f8ff 0f42c8 837de810 8d45d4 } + $sequence_8 = { 8b1f 53 56 e8???????? ff7514 ff75f0 ff75f8 } + $sequence_9 = { 51 ff7668 e8???????? ff7658 8bce 66c746640000 c6467401 } condition: 7 of them and filesize < 1007616 
@@ -105125,36 +105501,36 @@ rule MALPEDIA_Win_Aytoke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c3996e13-6441-5e12-8e21-a4d953c38877" - date = "2026-01-05" - modified = "2026-01-06" + id = "39bf8de3-7737-55a3-9f66-3004c8cf8c87" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aytoke_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aytoke_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "0f3d6db514704761aece6f3ecc8a4a906e89108d57be9f7f2ba95aab9464ffc7" + logic_hash = "46f5b2cb8de02b95d7e25f12ff635b05a8410abd31c30d35c4b45772db77405e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b450c 8b4d10 56 57 8b7d08 8d95dcfbffff } - $sequence_1 = { a1???????? 8b0d???????? 8b15???????? 8985a8f9ffff } - $sequence_2 = { ffd2 8b8594f9ffff 50 ff15???????? } - $sequence_3 = { 4d 4d 0b0c0d0e0f1011 1213 1415 } - $sequence_4 = { 7407 c6854feeffff01 6a14 ff15???????? 6890000000 ffd3 } - $sequence_5 = { 83c414 8d45c8 48 8a4801 40 } - $sequence_6 = { 881438 46 47 ebd7 8b8dd8fbffff } - $sequence_7 = { 8d55ec 52 b902000000 56 8945f0 66894dec ff15???????? 
} - $sequence_8 = { 4d 4d 0b0c0d0e0f1011 1213 1415 16 17 } - $sequence_9 = { 8bc6 c1f805 8b048500c44100 83e61f c1e606 8d443004 } + $sequence_0 = { 8d95f4f7ffff 56 52 e8???????? 83c404 50 e8???????? } + $sequence_1 = { 56 57 33ff ffb770874100 ff15???????? 898770874100 83c704 } + $sequence_2 = { 75f8 8b0d???????? 8a15???????? 8908 885004 8bc7 } + $sequence_3 = { e8???????? e8???????? b8???????? 8d5001 8d4900 8a08 } + $sequence_4 = { e8???????? 83c404 be4f000000 8d9b00000000 } + $sequence_5 = { 50 e8???????? 83c404 b001 8b4dfc 33cd e8???????? } + $sequence_6 = { 52 e8???????? b8???????? 83c404 2d???????? bb01000000 8945f4 } + $sequence_7 = { 8bc8 c1f905 8b0c8d00c44100 83e01f } + $sequence_8 = { 83e01f c1f905 8b0c8d00c44100 c1e006 8d440104 } + $sequence_9 = { c1fe05 c1e106 030cb500c44100 eb02 } condition: 7 of them and filesize < 425984 
@@ -105164,34 +105540,34 @@ rule MALPEDIA_Win_Mikoponi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de82eebe-f707-5dc6-9c33-0ae7d7821633" - date = "2026-01-05" - modified = "2026-01-06" + id = "191cc0a1-4e26-57f5-9a19-0f1d92e18f76" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mikoponi_auto.yar#L1-L107" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mikoponi_auto.yar#L1-L104" license_url = "N/A" - logic_hash = "8f3a24b96a22a4d512e188ba3c40bc90dbbbc4bf56cf9ed6cddde59c392fa78b" + logic_hash = "ab9b563b08639c6105c595652098abc7798bef9bb0cf43c1e3f9c3fc6a9fa527" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b07 50 e8???????? 83c404 5e 5b 5d } - $sequence_1 = { 57 e8???????? 2bc7 d1f8 8d742420 } - $sequence_2 = { e9???????? 68f4010000 56 ff15???????? 8bf8 e8???????? e9???????? } - $sequence_3 = { ff15???????? 8b442468 89442414 89442418 33c0 89442430 } - $sequence_4 = { b9???????? 8d442440 668b10 663b11 751e } - $sequence_5 = { e8???????? 83c408 8d4c2414 51 57 } - $sequence_6 = { 81c470040000 c3 68???????? 68???????? ff15???????? 50 ff15???????? } - $sequence_7 = { e8???????? 68???????? e8???????? 68???????? e8???????? 8b7c2420 57 } + $sequence_0 = { 881d???????? 881d???????? 
eb54 6683f863 } + $sequence_1 = { e8???????? 83c40c 84c0 7508 83c6ff } + $sequence_2 = { 8d742448 e8???????? 8bce ba02000000 83c408 } + $sequence_3 = { a3???????? 33c0 8945e4 83f805 7d10 668b4c4310 66890c45e0674200 } + $sequence_4 = { 53 89442440 894c2444 ff15???????? 837c243c00 c744241800000000 0f862c010000 } + $sequence_5 = { 5e 8b8c2428060000 5f 5d 5b 33cc e8???????? } + $sequence_6 = { 8d442424 50 ff15???????? 8d4c2444 } + $sequence_7 = { 33c0 e9???????? 8975e4 33c0 39b8f85a4200 0f8491000000 ff45e4 } condition: 7 of them and filesize < 330752 
@@ -105201,36 +105577,36 @@ rule MALPEDIA_Win_Miniblindingcan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2e31c245-b31c-5b1f-badb-b374294b1a0c" - date = "2026-01-05" - modified = "2026-01-06" + id = "f214879d-739e-57b2-a68d-dbf4545e3571" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.miniblindingcan_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.miniblindingcan_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "f1bc6c8d1c138b9d3da736626c3c3e7c154dc57584230d14e9675b4385ae575b" + logic_hash = "e6766a841610f22d39169ab97524cdd6c4e6776e0503922f6cba75e01b90a41c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 81fbba470000 7513 488d0511350000 488905???????? e9???????? 81fb63450000 } - $sequence_1 = { 488bc6 488d1523dd0100 83e11f 48c1f805 486bc958 48030cc2 eb07 } - $sequence_2 = { 48893d???????? eb1b 488b0d???????? 488d15bf980100 ff15???????? 488905???????? 4183fc0a } - $sequence_3 = { 7478 488b03 83e20f 488907 488b4308 4803de 48894708 } - $sequence_4 = { 8bc0 41890c86 498b0c24 490fafc8 48c1e934 8bc9 418b048e } - $sequence_5 = { 8d4af3 ff15???????? 41be4c000000 498bcf 488bd0 458bc6 488be8 } - $sequence_6 = { 488b8a50000000 e9???????? 
4055 4883ec40 488bea 488d4540 4889442430 } - $sequence_7 = { b835000000 0f05 c3 4c8bd1 b836000000 0f05 } - $sequence_8 = { 448bc7 488bce 488bd0 4c8be0 e8???????? 3bc5 7412 } - $sequence_9 = { 488b4c2458 c744244802000000 488d442454 4889442440 } + $sequence_0 = { 488d1585730100 488905???????? ff15???????? 488b0d???????? 488d1582730100 488905???????? } + $sequence_1 = { ff15???????? 83cbff 85c0 7527 488d85f0050000 4c8d45e0 448bcb } + $sequence_2 = { 488d052e4a0000 488905???????? e9???????? 81fbd73a0000 7513 488d05084a0000 } + $sequence_3 = { ff15???????? 488d0d4e790100 488bd0 488bf8 e8???????? } + $sequence_4 = { ff15???????? 85c0 7517 ff15???????? 3dea000000 7404 33c0 } + $sequence_5 = { 488d6c24b9 4881ecc0000000 488b05???????? 4833c4 48894537 33c0 488bd9 } + $sequence_6 = { 89742440 e8???????? 488d4de1 33d2 41b8ff010000 } + $sequence_7 = { e9???????? 4c8d4daf 4c8d45bf 488d4dcf 8bd3 } + $sequence_8 = { 488bcb ff15???????? 488b4c2458 ff15???????? b801000000 488b8da0050000 4833cc } + $sequence_9 = { 488905???????? e9???????? 81fb634a0000 7513 488d05ef310000 488905???????? e9???????? } condition: 7 of them and filesize < 453632 
@@ -105240,75 +105616,114 @@ rule MALPEDIA_Win_Iispy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4e322e5f-cd33-52bd-bbf3-6439753e827c" - date = "2026-01-05" - modified = "2026-01-06" + id = "deb63250-fcc0-5cfe-be30-ff47ced8d3d1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.iispy_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.iispy_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "a87fdac5aecf4afd1bb012fec4f493869a7cd5fec753856e83872c6436c79acf" + logic_hash = "a71e9708e64937fd85e928d51eb078aab35675e0d1194499d40fdb1e597ac38a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 837c242400 8bf8 740c ff742428 e8???????? 83c404 } - $sequence_1 = { 03d8 eb49 b8d34d6210 f7e3 8bca 8b5514 c1e906 } - $sequence_2 = { 50 8d4110 50 8d4129 50 } - $sequence_3 = { 8b048528cf0210 0fb6440828 83e040 5d c3 e8???????? c70009000000 } - $sequence_4 = { 84c0 0f8429010000 8b4c2408 83c620 8b01 c1e005 } - $sequence_5 = { b81f85eb51 f7eb 5f c1fa05 8bca c1e91f 03ca } - $sequence_6 = { 6a01 53 ff15???????? ebe0 b80d000780 5f 5e } - $sequence_7 = { 68000000c0 57 ff15???????? 
8bf8 83ffff 74c5 8b4dec } - $sequence_8 = { 3245f0 32ec 3245e4 3245e0 3245e8 3245d0 3245ff } - $sequence_9 = { 50 e8???????? 83a628cf021000 59 83c604 81fe00020000 72dd } + $sequence_0 = { 85c0 7514 8b75c0 8bd6 8b4dbc } + $sequence_1 = { 8a044dc1820210 8806 8d4601 5f 5e 5b 8be5 } + $sequence_2 = { 8b17 8bd8 6a20 8bcf 895dc4 ff5248 } + $sequence_3 = { 85c0 742b 8bf0 3b4708 7414 8b7008 50 } + $sequence_4 = { 8b4c2410 8d044502000000 50 ff5248 33d2 8944243c } + $sequence_5 = { 89480c 84db 7466 c6025c 8b16 8b4a0c } + $sequence_6 = { 03c2 c1c005 03c6 8901 8bc1 8b4808 8bd1 } + $sequence_7 = { 8b0f 85c9 0f843b040000 85c0 750a b808000780 e9???????? } + $sequence_8 = { 8a65f7 32c6 32c4 894dc8 3245f9 8aee 3245fb } + $sequence_9 = { 0fb7ff 81cf00000780 e9???????? 8d45c4 50 6a00 6a04 } condition: 7 of them and filesize < 397312 } +rule MALPEDIA_Win_Earthworm_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "f464d0d5-2848-5f1d-b0da-be4baede011b" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.earthworm" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.earthworm_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "7914f56bbea8d8d38e0c4986096d097094f54727a3ceb9106fff83fd37dd59b4" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 41b99a010000 4c8d0543500500 ba02000000 b928020000 e8???????? 
488bd0 488d4c2420 } + $sequence_1 = { 837c243800 753a 488d057c2a0c00 4889442428 488d0578980b00 4889442420 4533c9 } + $sequence_2 = { eb0f 488d05a5150a00 4889842480000000 488b842480000000 4889842488000000 48c744244800000000 48c744247800000000 } + $sequence_3 = { eba0 488b842498010000 488b4010 448b08 488b842498010000 4c8b4008 488d942428010000 } + $sequence_4 = { e8???????? eb1e 488d0de2680700 e8???????? eb10 488d0ddc680700 e8???????? } + $sequence_5 = { e8???????? 488bd0 488d8c24e0020000 e8???????? 90 e8???????? 85c0 } + $sequence_6 = { 488b942418090000 488d4c2428 e8???????? 90 8b442420 2500800000 85c0 } + $sequence_7 = { 488b4008 4889442430 488b442470 488b4008 488b00 488b4018 4889442428 } + $sequence_8 = { 753a 488d057fa60900 4889442428 488d05ab910900 4889442420 4533c9 41b884060000 } + $sequence_9 = { 89442424 488b442470 8b00 39442424 7d5b 8b442478 39442424 } + + condition: + 7 of them and filesize < 2659328 +} rule MALPEDIA_Win_Mars_Stealer_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5d89ff0c-708d-5cb2-bdc2-6969544672dc" - date = "2026-01-05" - modified = "2026-01-06" + id = "04af9ed7-2d9e-5360-80af-fa3aa460164b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mars_stealer_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mars_stealer_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "cc94c9b32aabf5299f34d05641ffdf1640d29fa168f4cb92b657b3f5122a585c" + logic_hash = "254bc3623d2636776bba0a572fac67f665e7a99051a9deca972297da4d6702b5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - 
malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c404 8945fc 837dfc00 744c 6a00 } - $sequence_1 = { e8???????? 83c404 85c0 7443 833d????????00 751e } - $sequence_2 = { 0f90c1 f7d9 0bc8 51 ff15???????? 83c404 8945f4 } - $sequence_3 = { 8985fcfdffff c745fcc0270900 6a04 8d45fc 50 6a02 } - $sequence_4 = { 51 e8???????? c78548fcffff94000000 8d9548fcffff } - $sequence_5 = { 8bec 81ecc8040000 56 57 c78548fcffff00000000 6890000000 6a00 } - $sequence_6 = { 8d85e8d7ffff 50 e8???????? 6888130000 8d8d78ecffff } - $sequence_7 = { 8b55f0 52 ff15???????? 83c404 8b45e8 } - $sequence_8 = { 8d8d78ecffff 51 e8???????? 8d95e4d7ffff 52 8d85e0d7ffff 50 } - $sequence_9 = { 50 ff15???????? 83c404 8985dcf7ffff 8b85dcf7ffff } + $sequence_0 = { 50 ff15???????? 8b0d???????? 51 8d95f8f9ffff 52 ff15???????? } + $sequence_1 = { 50 ff15???????? 034518 038558e6ffff 50 e8???????? } + $sequence_2 = { 8d4df4 51 ff15???????? 5f 5e 8be5 } + $sequence_3 = { 52 6a00 6a00 ff15???????? 8d85e8feffff 50 ff15???????? } + $sequence_4 = { 8d9598faffff 52 8d85a8fcffff 50 ff15???????? 8b4d1c } + $sequence_5 = { eb24 8b8d78deffff c6840d80deffff00 8d9580deffff } + $sequence_6 = { 8b55f0 8b02 8945f4 8b4df4 51 ff15???????? } + $sequence_7 = { 52 8d85a0fbffff 50 e8???????? 83c418 8b4d1c } + $sequence_8 = { 52 e8???????? 83c410 8d85b0fdffff 50 8b8df4feffff 51 } + $sequence_9 = { 8bec b8c81f0000 e8???????? c745f0a01f0000 c745ec00000000 c78544e0ffff9e304100 } condition: 7 of them and filesize < 219136 
@@ -105318,36 +105733,36 @@ rule MALPEDIA_Win_Badflick_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1951cb0e-a0c5-59e1-834b-292c5e2f8f2a" - date = "2026-01-05" - modified = "2026-01-06" + id = "fceced45-8094-5113-8eb3-7bc1d5398974" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.badflick_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.badflick_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "49a5abd3151b3eb74bfd8f8adfc99feeac10f3374c938c8bdf06a9faa4f988f8" + logic_hash = "fbdfd77327186af6e19cb8f650d1c36dd5d48aceb4ff34052d597d2f91793407" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bd8 ff37 ff15???????? 50 e8???????? 50 ff7508 } - $sequence_1 = { ff35???????? ff750c ff75fc ff33 e8???????? 8b7d10 83c418 } - $sequence_2 = { 55 8bec ff7508 6a2b } - $sequence_3 = { 807d1000 59 5f 5e } - $sequence_4 = { be00f00000 56 e8???????? 59 53 8d4df8 51 } - $sequence_5 = { 8b4904 03c8 81f9fe34012c 7509 83f805 } - $sequence_6 = { 6a3d e8???????? 8bf0 8a4508 59 59 884605 } - $sequence_7 = { a5 a5 eb02 33c0 50 6a00 } - $sequence_8 = { 8d8548f3ffff 50 ffd7 8d856cf9ffff 50 8d8560f7ffff } - $sequence_9 = { a5 a5 e8???????? 59 6a00 } + $sequence_0 = { 8bd8 59 391d???????? 
7d22 a1???????? 3bc7 } + $sequence_1 = { 59 a3???????? 891d???????? ff750c e8???????? 50 } + $sequence_2 = { 51 51 8b4d0c 8b4101 } + $sequence_3 = { ff75e8 ff15???????? ff75e8 ff15???????? 33db 43 ff75e8 } + $sequence_4 = { 8bec 83ec2c 8d45d4 50 ff15???????? 8d45f8 } + $sequence_5 = { 23c7 5f c9 c3 55 8bec } + $sequence_6 = { 6683bdf8fdffff00 56 8db5f8fdffff 7431 56 ff15???????? 50 } + $sequence_7 = { ffd6 59 59 eb03 83c702 66833f00 75f7 } + $sequence_8 = { ff75f8 ff75e4 ff15???????? ebce 55 8bec 56 } + $sequence_9 = { 8901 83f8ff 750b 57 e8???????? } condition: 7 of them and filesize < 81920 
@@ -105357,36 +105772,36 @@ rule MALPEDIA_Win_Boaxxe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5fdff2c4-9858-5230-8586-66650c6fe95c" - date = "2026-01-05" - modified = "2026-01-06" + id = "2bb67af8-b6d9-5c00-ad9d-f90436b618be" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.boaxxe_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.boaxxe_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "124ce2238ea4b514d8960c521e2c44f0db9f5af3376e938bf1e4f0bfa769f279" + logic_hash = "dcea11ec1796e63ef451ec3784868ff54b455a28065fd15b91434a046d8b3def" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc3 e8???????? 8d55d8 66b89a01 e8???????? ff75d8 68???????? } - $sequence_1 = { 8b542404 8bc7 e8???????? 8bce 03c9 8b442404 8d1458 } - $sequence_2 = { 85c0 7410 8bc3 8bd4 b905010000 e8???????? eb0d } - $sequence_3 = { 6a01 e8???????? 8bd8 bd80000008 85f6 740d 81ff00040000 } - $sequence_4 = { 64ff30 648920 8b55f0 a1???????? e8???????? 8b55f0 a1???????? } - $sequence_5 = { 8b4078 85c0 7420 8b54240c 8d0402 89442408 8bc6 } - $sequence_6 = { 8b5df8 03de 8a1b 8b7dfc 03f9 301f 46 } - $sequence_7 = { 7411 803c24ac 7507 807c240110 7404 33c0 5a } - $sequence_8 = { e8???????? 
8d45d8 8b55ec e8???????? 8d45d8 8b4df4 8b55f8 } - $sequence_9 = { 83c9ff 32c0 f2ae f7d1 5f 92 f2ae } + $sequence_0 = { 8b4de4 8b55e8 8b45e0 e8???????? 84c0 742e 8b45f0 } + $sequence_1 = { 59 e8???????? b808000000 e8???????? 83c005 69c0e8030000 e8???????? } + $sequence_2 = { 8b00 ff5020 85c0 0f8517010000 b9???????? ba???????? 8b45f0 } + $sequence_3 = { e8???????? 8d45dc e8???????? 8d45e8 e8???????? 8d45ec e8???????? } + $sequence_4 = { 69c0e8030000 50 8b45fc 8b4058 50 e8???????? } + $sequence_5 = { e8???????? 89c2 5f 5b c3 51 } + $sequence_6 = { 50 8d45dc e8???????? 8bcb 5a e8???????? e9???????? } + $sequence_7 = { e8???????? 85db 746f 895c240c 8b4c240c 890c24 8b0424 } + $sequence_8 = { ff30 68???????? 8d45f8 ba07000000 e8???????? 8d459c 8b55f8 } + $sequence_9 = { 50 57 e8???????? 83f801 1bc0 40 } condition: 7 of them and filesize < 1146880 
@@ -105396,36 +105811,36 @@ rule MALPEDIA_Win_Adylkuzz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4eb10972-cae7-59fc-a870-eebdff70e8df" - date = "2026-01-05" - modified = "2026-01-06" + id = "ca8dca20-e3d7-5d06-90fd-034768625e2b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.adylkuzz_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.adylkuzz_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "de5f91809dc8ef12371c16bfe87d826bfdd622a4d5fefa4fc686464cb89ee65c" + logic_hash = "2df82c6d65aebe8e209b022c559158db7c65d3182ae1b0a804c91d82c76f6903" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1c002 3bec f5 33d8 03f8 e9???????? 668b442500 } - $sequence_1 = { e8???????? 8b35???????? b9???????? 89d8 8b7b08 89f2 e8???????? } - $sequence_2 = { f8 81c508000000 f5 f9 8901 660fc1c0 81ee04000000 } - $sequence_3 = { f6c32d 3bce d2e8 6689442504 0fbfc2 660fb6c5 0fc8 } - $sequence_4 = { f7d8 33d8 663bd2 f5 03f8 ffe7 660fb6442500 } - $sequence_5 = { c7042400000000 b90b000000 89fa 89d8 e8???????? 
85c0 7482 } - $sequence_6 = { df6c2428 eb77 837c241c08 0f8595020000 f744242000008000 7504 df2e } - $sequence_7 = { f7d0 8b06 f5 6685fb 33c3 f9 663bf0 } - $sequence_8 = { 8b5034 39d1 0f47ca f6c740 7408 8b5038 39d1 } - $sequence_9 = { e8???????? 8b5e08 83fb03 7518 8b16 b9fbffffff 89e8 } + $sequence_0 = { eb41 83f805 7529 8b4310 8b4804 8d5104 83faf6 } + $sequence_1 = { e8???????? 89c6 eb18 85f6 7914 897c2408 c744240469060000 } + $sequence_2 = { 98 86e4 9c 6623c7 0fbaf814 8f442500 66f7d0 } + $sequence_3 = { e8???????? ebf2 8b4314 c1e80a eb4b 8b4314 25ff030000 } + $sequence_4 = { ff510c 8b4618 85c0 7428 807e0700 7f22 c1e003 } + $sequence_5 = { b801000000 7522 8b06 0fb74006 89442404 8b442420 890424 } + $sequence_6 = { 8b442420 f644241480 894350 8a442425 884354 8a442426 884355 } + $sequence_7 = { f9 35281d135f f8 c1c803 81fda95ea722 f8 663bfb } + $sequence_8 = { f7d0 85ed f6c637 f5 f7d8 c1c003 f7d8 } + $sequence_9 = { c3 8b442408 8b542404 c7400400000000 895008 8d500c 8910 } condition: 7 of them and filesize < 6438912 
@@ -105435,36 +105850,36 @@ rule MALPEDIA_Win_Wonknu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5d7ac694-4f51-5dc8-9ab7-ab21fb225c95" - date = "2026-01-05" - modified = "2026-01-06" + id = "d18bd145-0632-575b-aad6-f5b84d15c5d7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wonknu_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wonknu_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "e2ca1c08f61486fefbae5d981f9ebfcfe0d01c7d31c8206cfd558443ffe8ed91" + logic_hash = "cc859c0a62443cb8320463f351fbea93e20037d8abb9d720d882940a21005072" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 56 57 6804140000 } - $sequence_1 = { f3a5 8bcb e8???????? 803b00 } - $sequence_2 = { 8bfc b901050000 f3a5 8bcb e8???????? 803b00 } - $sequence_3 = { e8???????? 8bfc b901050000 f3a5 8bcb e8???????? } - $sequence_4 = { e8???????? 8bfc b901050000 f3a5 8bcb e8???????? 803b00 } - $sequence_5 = { c6840550ffffff00 8d8550ffffff 50 e8???????? } - $sequence_6 = { 8bfc b901050000 f3a5 8bcb e8???????? } - $sequence_7 = { 8d7e28 57 ff15???????? 8b4608 } - $sequence_8 = { b901050000 f3a5 8bcb e8???????? 803b00 } - $sequence_9 = { eb08 c6840550ffffff00 8d8550ffffff 50 e8???????? 
} + $sequence_0 = { c6840550ffffff00 8d8550ffffff 50 e8???????? } + $sequence_1 = { 8d7e28 57 ff15???????? 8b4608 } + $sequence_2 = { e8???????? 8bfc b901050000 f3a5 8bcb e8???????? } + $sequence_3 = { e8???????? 8bfc b901050000 f3a5 8bcb } + $sequence_4 = { 8bfc b901050000 f3a5 8bcb e8???????? } + $sequence_5 = { eb08 c6840550ffffff00 8d8550ffffff 50 e8???????? } + $sequence_6 = { e8???????? 8bfc b901050000 f3a5 } + $sequence_7 = { b901050000 f3a5 8bcb e8???????? } + $sequence_8 = { e8???????? 8bfc b901050000 f3a5 8bcb e8???????? 803b00 } + $sequence_9 = { 8bfc b901050000 f3a5 8bcb e8???????? 803b00 } condition: 7 of them and filesize < 540672 
@@ -105474,34 +105889,34 @@ rule MALPEDIA_Win_Isspace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e2eec2f1-7baf-5dcc-a6aa-a2a11e65c5fc" - date = "2026-01-05" - modified = "2026-01-06" + id = "cee0f7b2-771c-5493-a04f-2917456fc72d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.isspace_auto.yar#L1-L103" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.isspace_auto.yar#L1-L101" license_url = "N/A" - logic_hash = "c1331a8a4f2f7f8169497cb9d4ae59c19406daa94f505a8ed56551a7b1886f8a" + logic_hash = "7a00c35d76916c5c0ff642cf87ac0c48812a05a07dbcb287f464461afdcd1867" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a23 eb04 6a00 6a2b 68???????? 6a00 } - $sequence_1 = { 6800200300 a3???????? e8???????? 6800200300 } - $sequence_2 = { 33c5 50 8d45f0 64a300000000 8965e8 c745fc00000000 ff15???????? } - $sequence_3 = { eb19 6a00 6a1c eb0a 6a00 6a23 } - $sequence_4 = { 6a00 68???????? 68???????? 68???????? 53 ff15???????? 8bf0 } - $sequence_5 = { 50 50 6a03 6a02 ff15???????? 894604 } - $sequence_6 = { e8???????? 6800010000 8d8600010000 6a00 } - $sequence_7 = { 6a00 6a00 6800010000 53 6aff } + $sequence_0 = { 56 e8???????? 6800010000 8d8600010000 6a00 50 e8???????? 
} + $sequence_1 = { 7507 68???????? eb04 83c007 } + $sequence_2 = { 83c404 6683f809 740c 6683f806 7406 } + $sequence_3 = { 7411 68???????? 50 ff15???????? a3???????? 6a00 } + $sequence_4 = { e8???????? 85c0 750e 6810270000 ffd6 83ff03 } + $sequence_5 = { c78548ffffff9c000000 e8???????? 8ad8 c745fc00000000 8d8548ffffff } + $sequence_6 = { 6800020000 68???????? ff15???????? 85c0 } + $sequence_7 = { 68???????? 68???????? 64a100000000 50 81eca8000000 a1???????? } condition: 7 of them and filesize < 434176 
@@ -105511,36 +105926,36 @@ rule MALPEDIA_Win_Sepsys_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c07920dc-ecf4-5d0c-836a-1794c74b71bf" - date = "2026-01-05" - modified = "2026-01-06" + id = "c12c3537-3fd8-5ecf-8dd9-67f4624ff20f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sepsys_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sepsys_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "50eb49ac3d5f5dfe611a451c1ec48caa70453cd380c122b00dd8d016e6744ba5" + logic_hash = "a2b2408899bb537ebfeb6b18425a18b6df17445171aaa35588bfa6271032b916" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8b542430 488b4c2470 e8???????? 668944243c 0fb744243c 83f805 } - $sequence_1 = { e8???????? 4889842490000000 e9???????? 488b8424e8000000 4889842458010000 488b8424f0000000 4889842460010000 } - $sequence_2 = { 49f7d0 4d01e0 4883e003 7424 31c9 0f1f840000000000 8d140f } - $sequence_3 = { e8???????? 488955b8 488945b0 eb00 c6450700 4889e0 488b4db8 } - $sequence_4 = { 8b5511 8b5d14 895518 895d1b c6460802 8b11 8b4903 } - $sequence_5 = { 8b1488 448b85f4050000 488d8518040000 488985500a0000 488b8d500a0000 89957c010000 44898578010000 } - $sequence_6 = { e8???????? 
eb00 488d8d80000000 488d95a0000000 e8???????? eb00 8b8580000000 } - $sequence_7 = { e9???????? 4c8d4c243f 4c8d44243c 488b942450020000 488b842450020000 488b4810 e8???????? } - $sequence_8 = { e9???????? 807c243400 4c8b6c2440 0f8437020000 4889f9 4889f2 e8???????? } - $sequence_9 = { d3e0 488b4c2448 8b4c8c50 0bc8 8bc1 89442444 8b442420 } + $sequence_0 = { eb43 488b442430 488b4c2470 488908 488b442430 8b4c2478 894808 } + $sequence_1 = { c744244000000800 eb23 837c244001 7d0a c744244000400000 eb12 817c244000040000 } + $sequence_2 = { c645f701 488b4110 488945e0 0f1001 0f2945d0 488b4dc8 e8???????? } + $sequence_3 = { e8???????? 89442420 837c242000 7406 8b442420 eb0c eb08 } + $sequence_4 = { eb00 e8???????? 8845e0 eb00 488b45f8 8a4def 8808 } + $sequence_5 = { e8???????? 4889942418010000 4889842410010000 488b842410010000 4885c0 0f95c1 0fb6d1 } + $sequence_6 = { e8???????? eb54 48837c246000 7421 488b442460 488b8c2488000000 48894828 } + $sequence_7 = { e8???????? 488945b8 eb00 488b4db8 e8???????? 488945b0 eb00 } + $sequence_8 = { 8b442420 25ff000000 8bc8 e8???????? b901000000 486bc902 488b542460 } + $sequence_9 = { eb08 c744246401000000 0fb6442464 88442420 0fb6442420 85c0 7415 } condition: 7 of them and filesize < 4538368 
@@ -105550,36 +105965,36 @@ rule MALPEDIA_Win_Pvzout_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a2ef17b-53cd-553c-9129-4e623095fe72" - date = "2026-01-05" - modified = "2026-01-06" + id = "03af0307-cabf-5ac8-8f15-270ed93c9948" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pvzout_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pvzout_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "a07bc946194cd01a9387c49797743aad8628a2824c8c9c6f1536148459ed0ba4" + logic_hash = "081a8c66d717fda0c1eae119a5af9854413daeff31e48b4b0a69e363cbed36d6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { d4a1 0e 75a8 43 } - $sequence_1 = { bf95f6810e 75a8 43 1dea50873a d4a1 0e } - $sequence_2 = { 43 1dea50873a d4a1 0e 75a8 43 1dea50873a } - $sequence_3 = { 1dea50873a d4a1 0e 75a8 43 1dea50873a } - $sequence_4 = { 3089f33d80f3 48 e21c 3e3f 19e9 } - $sequence_5 = { 18830d88a01c 51 ab 25b53ae778 f3bd95ab4ed8 } + $sequence_1 = { 9c b3d7 5a bf95f6810e 75a8 43 } + $sequence_2 = { 19e9 73f8 dca10ebd24e8 252b0026cb 9e } + $sequence_3 = { 48 e21c 3e3f 19e9 } + $sequence_4 = { 43 1dea50873a d4a1 0e } + $sequence_5 = { 1dea50873a d4a1 0e 75a8 43 1dea50873a } $sequence_6 = { 1dea50873a d4a1 0e 
75a8 } - $sequence_7 = { 19e9 73f8 dca10ebd24e8 252b0026cb 9e } - $sequence_8 = { d4a1 0e 75a8 43 2f 3089f33d80f3 } - $sequence_9 = { 5a bf95f6810e 75a8 43 } + $sequence_7 = { ab 25b53ae778 f3bd95ab4ed8 fb } + $sequence_8 = { 5d bbedffffff 03dd 81eb00d00200 83bd8804000000 899d88040000 0f85cb030000 } + $sequence_9 = { e21c 3e3f 19e9 73f8 dca10ebd24e8 252b0026cb 9e } condition: 7 of them and filesize < 573440 
@@ -105589,42 +106004,42 @@ rule MALPEDIA_Win_Ramsay_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "591a738b-88c1-5449-9137-a45c1c5654e9" - date = "2026-01-05" - modified = "2026-01-06" + id = "e6edc58e-43aa-5ae2-b0a5-efe65294a862" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ramsay_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ramsay_auto.yar#L1-L175" license_url = "N/A" - logic_hash = "cc560e807fba4f127cf57dd3774af95181c3332f30b4eada50d5d158e9717780" + logic_hash = "c1db16ba01ae43f530bdade3b5cb5ff3a259b4374dda207d368ba03b07a3715c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7514 ff15???????? 83f820 7502 eb07 } + $sequence_0 = { 7514 ff15???????? 83f820 7502 eb07 33c0 } $sequence_1 = { ff15???????? 85c0 7502 eb02 ebb1 } - $sequence_2 = { 85c0 744c c745e800000000 eb09 8b45e8 83c001 } - $sequence_3 = { 8b4d08 83c101 51 6a00 8b55f8 } - $sequence_4 = { 85c0 751a 8b4df8 51 ff15???????? 8b55fc } - $sequence_5 = { 8b5508 8b4508 8a481c 884a0b 8b5508 8b4508 } - $sequence_6 = { 837de806 7d34 8b4d08 034de8 0fbe4101 } - $sequence_7 = { 884a01 ebbd b801000000 8b4df8 33cd e8???????? } - $sequence_8 = { e8???????? 
83c404 8945f8 8b45f8 8945fc 8b4d0c } - $sequence_9 = { 8955e8 eba5 8b45f4 8be5 } - $sequence_10 = { ff15???????? 33c0 e9???????? e8???????? 85c0 } - $sequence_11 = { 488d8c24ec040000 ff15???????? 4885c0 7415 488b8c2420090000 } - $sequence_12 = { 488d8c24f0020000 e8???????? 4889842420050000 8b842420050000 } - $sequence_13 = { 488d8c24f0010000 ff15???????? 488d8c24f0010000 ff15???????? } - $sequence_14 = { 488d8c24ec040000 ff15???????? 85c0 7402 } - $sequence_15 = { 488d8c24f0010000 ff15???????? 4898 488d84047e040000 } + $sequence_2 = { d1e2 52 6a00 8b45fc 50 } + $sequence_3 = { c745fc00000000 c745f800000000 8b4508 83c001 50 e8???????? 83c404 } + $sequence_4 = { ff15???????? 85c0 751a 8b4df8 51 } + $sequence_5 = { c785c0fdffff00000000 6a00 6a02 e8???????? 8985c4fdffff 83bdc4fdffffff 7507 } + $sequence_6 = { c745f800000000 eb09 8b55f8 83c201 8955f8 837df808 731e } + $sequence_7 = { eb09 8b45e8 83c001 8945e8 837de806 7d34 8b4d08 } + $sequence_8 = { c785c8fdffff2c020000 8d85c8fdffff 50 8b8dc4fdffff 51 e8???????? 85c0 } + $sequence_9 = { 8b45f8 3b450c 7316 8b4d08 034df8 8b55e8 0355f8 } + $sequence_10 = { ff15???????? 33c0 e9???????? e8???????? 85c0 7507 33c0 } + $sequence_11 = { 488d8c24e0080000 ff15???????? 488d9424f00f0000 488d8c24e0080000 } + $sequence_12 = { 488d8c24e0080000 ff15???????? 4889842440120000 4883bc2440120000ff 745f 488d842450120000 488d8c24f00f0000 } + $sequence_13 = { 488d8c24e0080000 ff15???????? 488d9424f00a0000 488b8c24e00f0000 } + $sequence_14 = { 488d8c24e0090000 ff15???????? 488d8c24e0090000 ff15???????? } + $sequence_15 = { 488d8c24e0090000 ff15???????? 4533c0 488d9424e0090000 } condition: 7 of them and filesize < 2031616 
@@ -105634,42 +106049,42 @@ rule MALPEDIA_Win_Flusihoc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "70e43055-e110-5f44-83f7-dea02c83279f" - date = "2026-01-05" - modified = "2026-01-06" + id = "aa1d30fd-9a5f-5977-b1cf-b323ea3cbb49" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flusihoc_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flusihoc_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "03055e982040b1f87a417ce4ea912aa6346f4a9287782a46033bfb1539ddc34d" + logic_hash = "6c1029f65d4facbc15d18f2f2d2ef3e91bd264c4306a1959142efaef5eb93d4d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740b 40 8816 8a1408 46 } - $sequence_1 = { 8b442410 6aff 50 ff15???????? 8b4c2410 } - $sequence_2 = { 57 6a40 8d442428 6a00 50 c744242c44000000 e8???????? } - $sequence_3 = { f3a5 c684246402000000 e8???????? 68d6000000 } - $sequence_4 = { 7507 80864d01000004 83f822 7506 fe8e42010000 } - $sequence_5 = { 8bec 83e4f8 81ece40b0000 a1???????? 33c4 898424e00b0000 53 } - $sequence_6 = { 8d7c2428 50 f3a5 c684246401000000 } - $sequence_7 = { 33c0 888c045e010000 8a4c042c 40 } - $sequence_8 = { 8b8c24ec0b0000 5f 5e 5b 33cc 33c0 e8???????? } - $sequence_9 = { ff15???????? 
8b4c2410 51 ffd6 8b542414 52 ffd6 } - $sequence_10 = { fe06 fe461e 3d68010000 7505 fe06 fe4e17 } - $sequence_11 = { 52 ffd6 6a0a ff15???????? } - $sequence_12 = { 8b8df4feffff 6804010000 8d85f8feffff 50 6a01 } - $sequence_13 = { 8b95f4feffff 52 ff15???????? 8b4dfc 33cd 33c0 } - $sequence_14 = { 51 6a00 ff15???????? 8d95f4feffff 52 6806000200 } - $sequence_15 = { 6a00 68???????? 6802000080 ff15???????? 85c0 752f } + $sequence_0 = { 8db42459010000 6a00 6a01 6a02 } + $sequence_1 = { 3d68010000 7505 fe06 fe4e17 83f834 } + $sequence_2 = { ffd6 8b542414 52 ffd6 6a0a ff15???????? } + $sequence_3 = { 3d88010000 7505 fe06 fe461e 3d68010000 7505 } + $sequence_4 = { 53 56 57 6a40 8d442428 6a00 50 } + $sequence_5 = { 41 84c0 75f1 8d45f0 50 e8???????? } + $sequence_6 = { 33c0 888c045e010000 8a4c042c 40 80f92f } + $sequence_7 = { 50 ff15???????? 8b4c2410 51 ffd6 8b542414 52 } + $sequence_8 = { 6a00 50 c744242c44000000 e8???????? } + $sequence_9 = { ffd3 8b442410 6aff 50 ff15???????? } + $sequence_10 = { 83e4f8 81ece40b0000 a1???????? 33c4 } + $sequence_11 = { 7416 8d4de8 3c7c 740f 3c0a } + $sequence_12 = { b854160000 e8???????? a1???????? 33c4 89842450160000 53 } + $sequence_13 = { 8b95f4feffff 52 ff15???????? 8b4dfc 33cd 33c0 e8???????? } + $sequence_14 = { ff15???????? 8d95f4feffff 52 6806000200 6a00 68???????? } + $sequence_15 = { 752f 8b8df4feffff 6804010000 8d85f8feffff 50 6a01 6a00 } condition: 7 of them and filesize < 319488 
@@ -105679,36 +106094,36 @@ rule MALPEDIA_Win_Htbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "39a927d2-1945-5991-992e-cc87b6814598" - date = "2026-01-05" - modified = "2026-01-06" + id = "34a1c769-cdc9-5b0c-a56d-b749e888cc7a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.htbot_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.htbot_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "d80214a974c7da7b11a6b3decefcabbf12f30dbe8a8667d77b9a26c8d44a14ba" + logic_hash = "e89f5030a64d3c876947cb664a5c2978a6964eb783bc714e92de04e9d306847a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6857000780 e8???????? 83c601 8d4e0a 3bcd 0f8db6000000 85f6 } - $sequence_1 = { 83c002 6685c9 75f5 2bc2 d1f8 0f88ce020000 } - $sequence_2 = { 8d7c241c 8d442420 c644246003 e8???????? 85c0 0f84e1000000 8d4900 } - $sequence_3 = { c68424b410000004 e8???????? 8b442430 8b00 8b8c24b8100000 8d542448 } - $sequence_4 = { 8b11 50 8b4204 ffd0 c64424340a 8b44241c } - $sequence_5 = { 51 8b4ef0 8b11 8b4210 83c6f0 89642428 8bdc } - $sequence_6 = { 8b4c2414 51 ff15???????? 
8d54241c 52 } - $sequence_7 = { 8b11 8b4204 57 ffd0 83c510 896c2414 } - $sequence_8 = { 384802 7550 384803 744b 83c004 3808 7418 } - $sequence_9 = { 2bc1 d1f8 83f8ff 755c 3959f4 } + $sequence_0 = { 3bcf 7d05 803800 75f1 83c001 8bc8 } + $sequence_1 = { ff15???????? 8bc8 69c9fd430300 81c1c99e2600 f6c101 890d???????? 895c2428 } + $sequence_2 = { 68???????? 8d442420 50 e8???????? 8b442418 51 83c0f0 } + $sequence_3 = { ffd0 8d4c2424 51 8bcd e8???????? c784245804000002000000 8b08 } + $sequence_4 = { 64a300000000 8b5c2428 c744241c00000000 c744241000000000 a1???????? } + $sequence_5 = { 0f8c14010000 51 50 e8???????? 83c408 3bc6 0f8402010000 } + $sequence_6 = { 7f0b 8b4d00 8b01 8b5004 55 ffd2 8b5c2428 } + $sequence_7 = { 56 ffd0 83c510 c644246407 8b442424 892b e9???????? } + $sequence_8 = { ffd0 8b74240c 6a00 6a00 56 68???????? 68???????? } + $sequence_9 = { c744241800000000 740d 8b4c2420 8d4708 50 e8???????? } condition: 7 of them and filesize < 196608 
@@ -105718,42 +106133,42 @@ rule MALPEDIA_Win_Fudmodule_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e6e3f32-6e1c-5a24-9698-45bfa215e2d1" - date = "2026-01-05" - modified = "2026-01-06" + id = "9482c0b3-e233-5fbb-b7f9-15eeefb47cbe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fudmodule_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fudmodule_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "4035950c3484d09b89067be960d8e0c73dab8587b168d82e14a4974f9d87cb3f" + logic_hash = "598ae8f286914fa01f5c87db15072d98763fc039c41db282c8e23ad8eab8fdd6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 660fb3e9 53 f6dd 660fbbe2 57 } - $sequence_1 = { 4801e3 fec8 66c1cf03 d2e8 } - $sequence_2 = { 498b8c24e0090000 e8???????? 4983bc24d809000000 488bb42480000000 488b5c2478 } - $sequence_3 = { f9 4801e3 e9???????? 660fbec2 58 e9???????? f5 } - $sequence_4 = { 41ffd5 85c0 782d 488bd6 } - $sequence_5 = { 30db 80db4a 00eb 83c101 fec3 } - $sequence_6 = { e8???????? 498bcc e8???????? 8d7514 } - $sequence_7 = { 4963c3 488d4c2458 8b540460 4c8d440460 } - $sequence_8 = { 0fb6c3 f6d0 0f9cc0 58 e9???????? } - $sequence_9 = { 488bce e8???????? 
85c0 7403 83cf08 488bce } - $sequence_10 = { 488d3c01 ff15???????? 488d55b0 488bc8 488d442440 } - $sequence_11 = { 4883c420 b37a e9???????? 0f855b73ffff 66d3fe } - $sequence_12 = { 488d8c246ed9e517 f5 f8 4889c3 488d3ced1b6cb3bd } - $sequence_13 = { 4889542420 4c8d442430 41b908000000 488bd3 488bc8 } - $sequence_14 = { c745b073734e6f c745b474696679 c745b8526f7574 c745bc696e6545 66c745c07800 } - $sequence_15 = { fecb 4889e8 b377 b301 660fa3d2 0fbae207 } + $sequence_0 = { 4883c701 d2d8 fec0 f6d0 } + $sequence_1 = { 440fb74318 488d4c2420 4803d3 e8???????? 488d4c2420 e8???????? } + $sequence_2 = { 488d4c1005 493bce 7503 41ffc1 453bc8 7e27 } + $sequence_3 = { 488d6c24c9 4881ecd0000000 488b05???????? 4833c4 48894527 33c0 4533ed } + $sequence_4 = { 4889fa 66d3d1 66c1d90f 660fadc9 4889d9 f5 } + $sequence_5 = { 488d15cc390000 488bce 488905???????? ff15???????? } + $sequence_6 = { 6641398320010000 7664 8bce 4863c1 488d542434 440fb7440460 } + $sequence_7 = { 660fabf3 18c3 4883c420 660fb6da 4889c3 } + $sequence_8 = { d2e5 488b7518 660fa4f109 6689f1 88d5 66b937f3 } + $sequence_9 = { c7459c72546872 c745a065616400 ff15???????? 488d542448 488bc8 488bd8 } + $sequence_10 = { 488d442458 41b932000000 4c8bc7 4889442420 } + $sequence_11 = { f6c413 f5 84c0 e9???????? f5 } + $sequence_12 = { 0f878cb40100 f5 69d20a000000 f6c63b f9 } + $sequence_13 = { 7329 4863d1 488d0d40bc0000 488bc2 83e21f 48c1f805 } + $sequence_14 = { 66f7d6 6631fe 4889e6 66f7c12173 f9 } + $sequence_15 = { 6685f5 f6dd 8b8e8c000000 f8 6685fd e9???????? 660fa3c1 } condition: 7 of them and filesize < 795648 
@@ -105767,7 +106182,7 @@ rule MALPEDIA_Win_Cerbu_Miner_Auto : FILE date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cerbu_miner_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cerbu_miner_auto.yar#L1-L134" license_url = "N/A" logic_hash = "e4927a587588bc11053fcbade5bb9500364c9a656d383eb318cc8486464f3cce" score = 75 @@ -105803,10 +106218,10 @@ rule MALPEDIA_Win_Strikesuit_Gift_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "07a5f9ca-40c1-5bef-81cd-9b2edfb79941" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strikesuit_gift" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.strikesuit_gift_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.strikesuit_gift_auto.yar#L1-L118" license_url = "N/A" logic_hash = "38158a27b97c948ddd0e7a00ce8b9fd84a0eeadae064b8c5755cc04130a6bdf7" score = 75 @@ -105815,9 +106230,9 @@ rule MALPEDIA_Win_Strikesuit_Gift_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -105842,10 +106257,10 @@ rule MALPEDIA_Win_Kazyloader_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "8e63e9d7-0aa3-54bc-8958-5bb44d9fbb2a" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazyloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kazyloader_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kazyloader_auto.yar#L1-L124" license_url = "N/A" logic_hash = "34cc9a0cb8805c010ff93ad518256fe67686f6553b5dc947370b69715033db6f" score = 75 @@ -105854,9 +106269,9 @@ rule MALPEDIA_Win_Kazyloader_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -105880,36 +106295,36 @@ rule MALPEDIA_Win_Minitypeframe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dc23eb24-7d5a-5aeb-a61b-eb29d1fabf92" - date = "2026-01-05" - modified = "2026-01-06" + id = "dafa01cc-12f5-5959-a5a8-112bddaf9413" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minitypeframe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.minitypeframe_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.minitypeframe_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "649cd851124eccf39a4d1794ac9ee18b8f663aea1274862230eac021ea9eebf8" + logic_hash = "d2ac69d8f3f2d13991b264b6359d8643129ea3b1d735c1a6bce3fb0ef4022af8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 6a0c 6a05 f3a4 e8???????? 8b8dd8000000 8d442430 } - $sequence_1 = { 83c414 85c0 750a 68bf080000 e9???????? 8b563c 8b7a04 } - $sequence_2 = { 8b4c2444 8039a6 0f8504010000 894c2464 8d4c2420 50 8d542420 } - $sequence_3 = { 8b1c9d78060910 81e300ff0000 33fb 8bda c1eb18 8b1c9d780e0910 81e3000000ff } - $sequence_4 = { e8???????? 83c40c 85c0 751a 6a4b 68???????? } - $sequence_5 = { 83c408 e9???????? 668b15???????? 66c744245c0200 52 ff15???????? 
8d4c245c } - $sequence_6 = { c644240416 884c2405 c6442406ba c644240708 c644240898 c644240958 c644240ac1 } - $sequence_7 = { 51 52 e8???????? 8d442414 6a08 } - $sequence_8 = { 6854050000 68???????? 6a44 689b000000 6a14 e8???????? 83c418 } - $sequence_9 = { e8???????? 8bf8 83c404 3bfb 0f8e07020000 c74634d0210000 895e44 } + $sequence_0 = { 85c0 7c3e 8b85bc000000 89b0ac000000 8b442434 33c9 8a08 } + $sequence_1 = { c644247163 c6442472e0 c644247401 c644247525 } + $sequence_2 = { 751d 6a74 68???????? 6a41 68bd000000 6a14 } + $sequence_3 = { 68???????? 6a0c 6a09 e8???????? 8b4510 56 50 } + $sequence_4 = { 89442434 8a08 40 8bf9 8b4d28 85c9 897c242c } + $sequence_5 = { 7417 3d00010000 7540 b80a000000 8b048550c30a10 8906 } + $sequence_6 = { 3bcd 742c 8b86d0000000 89bc24fc000000 3bc5 898424f8000000 898c2400010000 } + $sequence_7 = { 8b349d780e0910 81e10000ff00 81e6000000ff 33ce 8bf2 c1ee18 81e2ff000000 } + $sequence_8 = { 83c408 85c0 7479 8b442434 8b4d00 03c7 81f9fffe0000 } + $sequence_9 = { e8???????? 8bf8 83c40c 3bfb 0f8e42030000 395e6c } condition: 7 of them and filesize < 1589248 
@@ -105919,91 +106334,91 @@ rule MALPEDIA_Win_Smokeloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "112e04c3-8f0e-5c11-855c-ae74057a323a" - date = "2026-01-05" - modified = "2026-01-06" + id = "34674938-8508-5728-a57c-8fd0efea74ff" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.smokeloader_auto.yar#L1-L575" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.smokeloader_auto.yar#L1-L566" license_url = "N/A" - logic_hash = "527784088a3890e68087680c97defe31324facf44f4c2545f19c39a5e952f5fd" + logic_hash = "10126359df3bba88e276199db318a47f6f0b923ed7ed151dd087ad76f3976898" score = 75 - quality = 44 + quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff15???????? 8d45f0 50 8d45e8 50 8d45e0 50 } - $sequence_1 = { 50 6a00 53 ff15???????? 8d45f0 50 } - $sequence_2 = { ff15???????? 8bf0 8d45dc 50 6a00 53 } + $sequence_1 = { 50 8d45e0 50 56 ff15???????? 56 ff15???????? } + $sequence_2 = { 8d45dc 50 6a00 53 ff15???????? } $sequence_3 = { 57 ff15???????? 6a00 6800000002 6a03 } - $sequence_4 = { 50 8d45e0 50 56 ff15???????? 56 ff15???????? } - $sequence_5 = { 740a 83c104 83f920 72f0 } - $sequence_6 = { e8???????? 
8bf0 8d45fc 50 ff75fc 56 6a19 } - $sequence_7 = { 0fb64405dc 50 8d45ec 50 } - $sequence_8 = { 50 56 681f000f00 57 } - $sequence_9 = { ff15???????? bf90010000 8bcf e8???????? } - $sequence_10 = { 56 8d45fc 50 57 57 6a19 ff75f8 } - $sequence_11 = { 6800a00f00 50 a3???????? ff15???????? } - $sequence_12 = { 7507 33c0 e9???????? e8???????? b904010000 } - $sequence_13 = { 668ce8 6685c0 7406 fe05???????? } + $sequence_4 = { 740a 83c104 83f920 72f0 } + $sequence_5 = { ff15???????? bf90010000 8bcf e8???????? } + $sequence_6 = { 0fb64405dc 50 8d45ec 50 } + $sequence_7 = { e8???????? 8bf0 8d45fc 50 ff75fc 56 } + $sequence_8 = { 53 53 6803800000 ff75f4 } + $sequence_9 = { 56 8d45fc 50 57 57 6a19 } + $sequence_10 = { 50 56 681f000f00 57 } + $sequence_11 = { 33c0 e9???????? e8???????? b904010000 } + $sequence_12 = { 668ce8 6685c0 7406 fe05???????? } + $sequence_13 = { 83ec24 8d45f4 53 56 57 } $sequence_14 = { 56 ff15???????? 50 56 6a00 ff15???????? } - $sequence_15 = { 8b07 03c3 50 ff15???????? } - $sequence_16 = { 03c8 81e1ff000000 8a440c18 30042b 43 3b9c241c010000 } - $sequence_17 = { 8bc3 c745ec25303258 885df0 8945fc } - $sequence_18 = { ffb43108010000 8b84310c010000 03c7 50 8b843104010000 03c5 } - $sequence_19 = { 50 53 e8???????? 8d8decfdffff 8d95f0fdffff c70200000000 6800800000 } - $sequence_20 = { 8db5f8fdffff c60653 56 6a00 } - $sequence_21 = { 8985ecfdffff ffb5f0fdffff 50 53 } - $sequence_22 = { 8d85f0fdffff 8b750c 8b7d10 50 57 56 } - $sequence_23 = { 89c6 6804010000 56 57 } - $sequence_24 = { 31c0 66894603 8d8de8fdffff 50 50 } - $sequence_25 = { 50 50 50 51 50 50 56 } - $sequence_26 = { e8???????? 2500300038 005800 2500300038 } - $sequence_27 = { fc 5f 5e 5b } - $sequence_28 = { 89c6 89cf fc b280 31db a4 } - $sequence_29 = { 30d0 aa e2f3 7505 } - $sequence_30 = { 89e5 81ec5c060000 53 56 } - $sequence_31 = { 01c2 31c0 ac 01c2 } - $sequence_32 = { e8???????? 
41b919000200 4533c0 4c8bf0 488d4540 } - $sequence_33 = { 4c8d4580 488b01 33d2 ff5060 } - $sequence_34 = { 48895c2418 48897c2420 89542410 55 488bec 4883ec60 488bf9 } - $sequence_35 = { 8b7b24 4c 01c7 668b0c4f 41 8b7b1c 4c } - $sequence_36 = { ac 01c2 85c0 75f0 } - $sequence_37 = { 4885c0 7428 80383c 7423 } - $sequence_38 = { 55 89e5 81ec54040000 53 } - $sequence_39 = { 4f 8d1c10 41 8b4b18 45 8b6320 4d } - $sequence_40 = { eb08 4863433c 8b7c1828 488bcb e8???????? 4863d7 498bcc } - $sequence_41 = { 4c 01c7 8b048f 4c } - $sequence_42 = { 8b6320 4d 01c4 ffc9 49 8d3c8c } - $sequence_43 = { 8b957cffffff 895164 6814318b23 8b45e4 50 } - $sequence_44 = { 895118 8b4584 8b4db8 89481c 8b5584 8b45b4 } - $sequence_45 = { 688dbdc13f 8b45e4 50 e8???????? 8945d8 8b4da0 } - $sequence_46 = { 56 57 007508 bbb84340c1 4a } - $sequence_47 = { 50 8b4dfc 51 e8???????? 85c0 7589 8b55fc } - $sequence_48 = { c1e002 03471c 8b0428 01e8 5e c3 } - $sequence_49 = { 56 89c2 8b453c 8b7c2878 } - $sequence_50 = { aa e2f3 7506 7404 } - $sequence_51 = { 894ddc c745e000000000 8b55e4 3b55dc 0f8327010000 c745e801000000 } - $sequence_52 = { 5b c9 c20800 55 89e5 83ec04 } - $sequence_53 = { 8945cc 8b4da0 8b55cc 895144 68d770a437 } - $sequence_54 = { 58 29c6 d1ee 037724 0fb7442efe c1e002 03471c } - $sequence_55 = { c1c108 3208 40 803800 75f5 31d1 } - $sequence_56 = { 6bc963 8b4508 33d2 f7f1 } - $sequence_57 = { 8946fc ad 85c0 75f3 c3 56 } - $sequence_58 = { 8b45e4 50 e8???????? 89459c 8b4da0 8b559c 895158 } - $sequence_59 = { 8b7c2878 01ef 8b7720 01ee 56 ad 01e8 } - $sequence_60 = { 5d 5d 2e3f 3438 } - $sequence_61 = { 9d d418 a1???????? 0da20e09d8 } - $sequence_62 = { b0b6 49 92 06 4e 55 } - $sequence_63 = { 00556c 9d d418 a9d61049d4 5c d6 2851d6 } - $sequence_64 = { 5d 5d 5d 5d 285b29 59 } + $sequence_15 = { d1e8 50 8b01 03c5 } + $sequence_16 = { 8b07 03c3 50 ff15???????? } + $sequence_17 = { 57 ff15???????? 43 83fb0f } + $sequence_18 = { 8b7d10 50 57 56 53 e8???????? 
} + $sequence_19 = { 8db5f8fdffff c60653 56 6a00 6a00 } + $sequence_20 = { 01d4 8d85f0fdffff 8b750c 8b7d10 50 57 } + $sequence_21 = { 89c6 6804010000 56 57 } + $sequence_22 = { c70200000000 6800800000 52 51 } + $sequence_23 = { 8d8de8fdffff 50 50 50 50 51 50 } + $sequence_24 = { ffb5f0fdffff 50 53 e8???????? 8d8decfdffff 8d95f0fdffff c70200000000 } + $sequence_25 = { 31c0 66894603 8d8de8fdffff 50 } + $sequence_26 = { 60 89c6 89cf fc b280 31db } + $sequence_27 = { 30d0 aa e2f3 7505 } + $sequence_28 = { 55 89e5 81ec5c060000 53 56 } + $sequence_29 = { fc 5f 5e 5b } + $sequence_30 = { 668b0c4f 41 8b7b1c 4c 01c7 8b048f } + $sequence_31 = { 89d0 c1e205 01c2 31c0 } + $sequence_32 = { 55 89e5 81ec54040000 53 } + $sequence_33 = { 8d1c10 41 8b4b18 45 } + $sequence_34 = { 01c2 31c0 ac 01c2 85c0 75f0 } + $sequence_35 = { ffc3 488d7f04 4863c3 4883f814 72ea } + $sequence_36 = { 4803d3 ff15???????? 488b15???????? 4883c9ff } + $sequence_37 = { 8b4b18 45 8b6320 4d } + $sequence_38 = { 458af8 488bfa e8???????? 84c0 0f8493020000 4c8db762030000 } + $sequence_39 = { 4c 01c7 668b0c4f 41 8b7b1c } + $sequence_40 = { 8b6320 4d 01c4 ffc9 49 8d3c8c 8b37 } + $sequence_41 = { 488bf0 488d4530 4533c0 4889442428 488d45e0 } + $sequence_42 = { 448bc3 498bcf e8???????? 488bf8 4885c0 7428 } + $sequence_43 = { 8bec 83c4d0 1e 53 } + $sequence_44 = { 56 57 007508 bbb84340c1 4a } + $sequence_45 = { 8bec 81ec90000000 e8???????? 8945a0 e8???????? 8945e4 68706586b1 } + $sequence_46 = { 5b c9 c20800 55 89e5 83ec04 } + $sequence_47 = { 7513 8b5510 6bd203 0355e4 8b45fc } + $sequence_48 = { 89481c 8b9578ffffff 8b45b4 894220 eb10 8b8d78ffffff } + $sequence_49 = { c3 56 89c2 8b453c 8b7c2878 01ef 8b7720 } + $sequence_50 = { 33d2 f7f1 8945f8 8b4df8 0faf4df8 8b4510 } + $sequence_51 = { aa e2f3 7506 7404 } + $sequence_52 = { 2d10bf3400 8b4d08 c1e103 33d2 f7f1 } + $sequence_53 = { 895104 6823f9359d 8b8578ffffff 50 e8???????? 
} + $sequence_54 = { 8b7720 01ee 56 ad 01e8 } + $sequence_55 = { c1e002 03471c 8b0428 01e8 5e c3 60 } + $sequence_56 = { 895130 68b0066a90 8b45e4 50 e8???????? 8945b0 8b4da0 } + $sequence_57 = { 75ec 58 29c6 d1ee 037724 } + $sequence_58 = { d1ee 037724 0fb7442efe c1e002 03471c 8b0428 } + $sequence_59 = { 6800100000 8b4d9c 51 e8???????? ebd3 } + $sequence_60 = { a2???????? d89d52d9f05d 5d 5d dc22 } + $sequence_61 = { a2???????? 78a2 28ada20e611a b6c5 a2???????? } + $sequence_62 = { 245d 2e5d 295d38 5d 305d01 } + $sequence_63 = { 5d 5d de9959f7b6b3 b508 5d 5d } + $sequence_64 = { b657 11dc b354 47 5d 5d } condition: 7 of them and filesize < 245760 
@@ -106013,36 +106428,36 @@ rule MALPEDIA_Win_Blackpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a3030926-9034-5a42-987b-de9e78e9dde5" - date = "2026-01-05" - modified = "2026-01-06" + id = "480daddf-0a94-566b-9d99-881d157b1dc2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackpos_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackpos_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "c4a32b4f82fccb65e36ace8eee5711333479f2ae865afb2d6f3c995c606d80a9" + logic_hash = "6aa63c4c13818dfe1f58a305a21b22a07f4bb230ff3bcb4f55a4db5b7c852e81" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8d85d0fcffff 50 56 ff15???????? } - $sequence_1 = { 837e1400 0f8e94010000 83a5f8fffdff00 8b7e08 83661400 } - $sequence_2 = { 8d7de0 f3a5 a4 be00020000 } - $sequence_3 = { 8365bc00 8365c000 8945b4 8d45b4 50 } - $sequence_4 = { 53 50 889db8fcffff e8???????? 57 68???????? 
} - $sequence_5 = { f7f9 8b4dfc 5f 5e 5b 8bc2 } - $sequence_6 = { 8a843dfefffdff 3ac1 7211 3c3a } - $sequence_7 = { 803e00 7522 8d041f 6a01 8d8405e5fbffff 50 56 } - $sequence_8 = { 8bc8 83e01f c1f905 c1e006 03048d60c45800 eb02 8bc2 } - $sequence_9 = { 899dbcfaffff c785c0faffffa0bb0d00 c785c4faffff90854100 ffd7 8d85c4faffff 50 } + $sequence_0 = { 03048d60c45800 eb05 b8???????? f6402480 7414 e8???????? } + $sequence_1 = { e8???????? 83c414 ff05???????? 6a05 } + $sequence_2 = { 8a0419 3c30 0f82a6030000 3c39 7610 } + $sequence_3 = { 59 59 50 6a01 be???????? } + $sequence_4 = { 57 8d85d0faffff 56 50 e8???????? } + $sequence_5 = { 50 e8???????? 6a44 5e 56 8d45b8 53 } + $sequence_6 = { 33c0 8945e4 3d00010000 7d10 8a8c181d010000 888888f24100 40 } + $sequence_7 = { 50 e8???????? 59 83f805 7307 33c0 e9???????? } + $sequence_8 = { 0fb687e0e34100 50 e8???????? 3205???????? 47 } + $sequence_9 = { 6a00 ff15???????? a3???????? 85c0 7502 c9 } condition: 7 of them and filesize < 3293184 
@@ -106052,36 +106467,36 @@ rule MALPEDIA_Win_Hawkball_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "233d17b2-2f85-5e81-980e-94af1bd07bc8" - date = "2026-01-05" - modified = "2026-01-06" + id = "5a4c26b4-67cf-5654-9417-85a039cc4de7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hawkball_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hawkball_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "9b3366bae76271a5cf9e32b5f0daa7b3fc0e06cb94c8f54801829ffbaa6e0521" + logic_hash = "1c4ae0e608fcad935ce5aa1c02cb8c9772f11b713d4df1193a7f08b35349b7d5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 50 53 6a00 68e9fd0000 } - $sequence_1 = { c3 6a59 ff15???????? 85c0 0f84b4000000 be???????? 8bc6 } - $sequence_2 = { 56 8b7508 833e00 7f0a be04000000 e9???????? } - $sequence_3 = { ff75f8 c745fc00000000 ffd6 8b45fc 8b1d???????? 40 50 } - $sequence_4 = { 56 f30f7f4588 57 660f6f05???????? 8b3d???????? f30f7f4598 } - $sequence_5 = { 50 668945dc 0f57c0 668985acf7ffff 8d85aef7ffff 50 c745d801000000 } - $sequence_6 = { ff15???????? 8b4309 83f801 751c 8b5508 8d85f8fdffff 50 } - $sequence_7 = { 85c0 741e 8d85fcfeffff 68???????? 50 e8???????? 
} - $sequence_8 = { ffd6 50 ffd3 ff0d???????? 33c0 5f } - $sequence_9 = { 6a08 ffd3 50 ff15???????? 8bf0 8d8578ffffff 50 } + $sequence_0 = { 50 8d45b4 50 ff15???????? 8d85e4fcffff 50 } + $sequence_1 = { ff15???????? 8d48fe 83f902 775d 8806 8d45f8 } + $sequence_2 = { 85c0 740e 894344 8d4324 } + $sequence_3 = { 57 8b3d???????? 85ff 7468 ff37 } + $sequence_4 = { e8???????? 85c0 74c1 6a0a 8d55fc e8???????? 8bd8 } + $sequence_5 = { ff15???????? 8bf0 53 895e05 8d4e09 8b5df8 } + $sequence_6 = { f7d8 5b 8be5 5d c3 5e 5f } + $sequence_7 = { 837dfc00 751d 33d2 b943000000 e8???????? 8b4df8 e8???????? } + $sequence_8 = { 50 ff15???????? 8b55f8 8b4dfc } + $sequence_9 = { 8be5 5d c3 6a59 ff15???????? 85c0 } condition: 7 of them and filesize < 229376 
@@ -106091,36 +106506,36 @@ rule MALPEDIA_Win_Pterois_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3320c746-a1fd-5d65-8bd9-a08cf7741ea4" - date = "2026-01-05" - modified = "2026-01-06" + id = "910461f2-a3e6-50bc-a626-f723a8c8ae53" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pterois" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pterois_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pterois_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "40d01f41f8c6ab0bf9862ea3d2722b533235ff4ec8c712399aa15cc1e9f9196b" + logic_hash = "b7ce2a8f8845eb7fbdf4556f57ab206b63751b7511422612a4dd9df00e0607df" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f82ff620000 4981f800001800 730d 4981f800200000 0f83c9620000 c5fe6f02 c4a17e6f6c02e0 } + $sequence_0 = { ba1f9e5797 e8???????? 488905???????? 488b0d???????? ba524aaa5b e8???????? 488905???????? } $sequence_1 = { 33c9 4c8d057c180100 488d154d6a0100 e8???????? 4885c0 7415 49ba7030525e472705d3 } - $sequence_2 = { c744243000000000 8b442430 89442424 488b4c2440 4831e1 e8???????? 8b442424 } + $sequence_2 = { 83c0d0 83e80a 0f8229000000 e9???????? } $sequence_3 = { 75dd 488d055b500100 483bd8 74d1 488bcb e8???????? 
ebc7 } - $sequence_4 = { c7401808000000 488b4c2468 488d442470 4829c1 488b442458 48034810 } - $sequence_5 = { 4829c4 8b842498100000 8b842490100000 488b05???????? 4831e0 4889842460100000 4c894c2458 } - $sequence_6 = { 48890d???????? e8???????? 4c8d0d91ce0100 4c8bc0 b201 b9fdffffff e8???????? } - $sequence_7 = { e8???????? 488b05???????? 4889442430 488d8c24600c0000 e8???????? 4889c1 } - $sequence_8 = { e8???????? 83f800 0f851c000000 488b05???????? 488b4c2440 } - $sequence_9 = { e8???????? 4889442420 48837c242000 0f840c000000 488b442420 c7401802000000 488b442420 } + $sequence_4 = { bafbdc7061 e8???????? 488905???????? 488b0d???????? bafa6fbeac e8???????? 488905???????? } + $sequence_5 = { 488b442438 48833800 0f8411000000 488b4c2438 488b442438 488b00 48894808 } + $sequence_6 = { 4883ec48 4889542438 48894c2430 48c744242800000000 48837c243000 0f850e000000 48c744244000000000 } + $sequence_7 = { 4889442438 488b442440 488b00 4889442440 e9???????? 48837c244800 0f8422000000 } + $sequence_8 = { e9???????? 48837c247000 0f860e000000 488b442470 4883e801 4889442460 e9???????? } + $sequence_9 = { 488b442430 488b4820 488b442430 48894838 488b442430 48c7402000000000 48837c244800 } condition: 7 of them and filesize < 528384 
@@ -106130,36 +106545,36 @@ rule MALPEDIA_Win_Crytox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b9e5c6f9-e0d6-531a-8dd0-a7fad4a513e9" - date = "2026-01-05" - modified = "2026-01-06" + id = "750e8534-4dcc-5f53-8e93-9c2caa2cd5fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crytox_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crytox_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "79e78c490080a0e53c534d80effb4ddfe05889d0a54f29415d47f44d77b2adb2" + logic_hash = "625cd8ec00382ded383a379bc4203346a875e5cc99a859a19bf6d57c77001f77" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 81fb07100000 0f84fcfcffff e9???????? 81fb0c000200 0f86ebfcffff e9???????? } - $sequence_1 = { f72424 897c2414 8b7c2404 69cf182d0700 89c6 b867fb0900 01ca } - $sequence_2 = { e8???????? 8945c8 8b45c8 c1f809 89c2 8b45cc c1f809 } - $sequence_3 = { e8???????? 395c2430 75e5 8b7c2460 8b442434 31d2 8b5c2430 } - $sequence_4 = { c705????????a9bc6600 e9???????? e8???????? 0fb6c0 8983d0470000 8b03 e8???????? } - $sequence_5 = { e8???????? 8b4c2418 894104 8b4104 8938 8b4104 c7400400000000 } - $sequence_6 = { e8???????? 31c0 eb17 891c24 e8???????? 
837d0c00 89f0 } - $sequence_7 = { e8???????? 89442404 8b55d8 8b4208 890424 e8???????? 83f80f } - $sequence_8 = { e9???????? c744240477bf6600 891c24 e8???????? 85c0 750f c705????????05000000 } - $sequence_9 = { e8???????? e9???????? 807b0300 0f84a7000000 a1????????85c07533 e8???????? 480f8eff010000 } + $sequence_0 = { e8???????? 8d5640 8d4320 896c2404 891424 89442408 8954241c } + $sequence_1 = { f20f70daff 660ffde0 660ffdd8 660f67e4 660f67db 660f7e20 660f7e1c08 } + $sequence_2 = { df0448 d8cd dec1 df0450 8b9424d4000000 d8cb dec1 } + $sequence_3 = { e8???????? 8d742600 ff15???????? bfffffffff c70016000000 ebca ff15???????? } + $sequence_4 = { dddc ddd8 ddd8 ddd8 d9c9 db7c2430 d91424 } + $sequence_5 = { dec1 d95c247c e8???????? d9c0 d9fa dbe8 d944242c } + $sequence_6 = { d835???????? b40c 6689442424 dec9 d96c2424 db5c2420 d96c2426 } + $sequence_7 = { e8???????? 8b4310 8b6b0c 83f807 89442418 89c7 0f8efe000000 } + $sequence_8 = { e8???????? 85c0 0f8583010000 e8???????? 83f804 7e14 c7442404b0966600 } + $sequence_9 = { e8???????? d99c9e98000000 83c301 83fb04 75c6 d94704 30db } condition: 7 of them and filesize < 6156288 
@@ -106169,36 +106584,36 @@ rule MALPEDIA_Win_Ddkeylogger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a67b64ba-3a24-5b03-97bb-6fa1fd617831" - date = "2026-01-05" - modified = "2026-01-06" + id = "b919b02c-00ef-5f37-ad38-3d116fc0ee48" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ddkeylogger_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ddkeylogger_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "35bb77ee32a1ee4cf41a3e8133dabb1263e352712bd1dfe36cdbb7e1ce08650b" + logic_hash = "2696cbe1473eb4ace8c92a6d0c6e7fce7cc43e80005bef9a8faf13e2e5b02469" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 88140e 0fb611 feca 88140f 83c102 48 } - $sequence_1 = { c1eb06 03de 0fb61493 885102 } - $sequence_2 = { 0fb7f1 57 bfffff0000 c745f400000000 } - $sequence_3 = { 83c418 8d8de7faffff c745fcffffffff e8???????? 85f6 0f8f14feffff 8b85e0faffff } - $sequence_4 = { 8bce eb99 53 8b1d???????? 6a00 ffd3 } - $sequence_5 = { 83c8ff e9???????? 
8bc6 c1f805 8bfe 53 8d1c8580ee4500 } - $sequence_6 = { 83f801 8bc7 7508 8a4c0bff 884c3bff c6043b00 5f } - $sequence_7 = { c1fa05 8b149580ee4500 c1e006 8d440224 } - $sequence_8 = { 7448 f7c200f00000 7420 f7c200c00000 740c f7c200800000 0f95c0 } - $sequence_9 = { 56 ff15???????? 56 8bf8 ff15???????? 3b3d???????? } + $sequence_0 = { 8d45cc 50 c745cce0184100 e8???????? } + $sequence_1 = { 56 e8???????? 83c408 c60000 68???????? 68???????? } + $sequence_2 = { ff15???????? 8b85e0faffff 8b08 8b5108 50 ffd2 } + $sequence_3 = { ff15???????? 6800040000 8d8d4cf3ffff 6a00 51 e8???????? 0fb79548efffff } + $sequence_4 = { 8b5804 8d140b 0fb70a 56 8b700c 0fb70c4e 0fb7f1 } + $sequence_5 = { 83c40c 8b55e8 8b45f0 8955dc 8bf9 8945e4 8bde } + $sequence_6 = { f7c200020000 0f95c0 0409 c3 } + $sequence_7 = { 885004 33c0 8d642400 8a8c05f8feffff 888c05e4fcffff } + $sequence_8 = { 7409 f6c208 0f95c0 0403 c3 } + $sequence_9 = { 8d8de5fcffff 6a00 51 8985e0fcffff } condition: 7 of them and filesize < 808960 
@@ -106208,42 +106623,42 @@ rule MALPEDIA_Win_Underminer_Ek_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25419d82-2049-52ba-8173-e803bede2897" - date = "2026-01-05" - modified = "2026-01-06" + id = "478c25cf-e188-5b79-8aeb-6935a8b536f7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.underminer_ek_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.underminer_ek_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "cef777a253424ada6724fda25a7a7fc2a7d290e0894ee3bdc7ea6fd0d09bd9ea" + logic_hash = "4786465e315c0c23f824b89be267cb511060061f2cde5a1665c6404f963bc60b" score = 75 - quality = 75 + quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 e8???????? 83c404 53 e8???????? 
83c404 8b551c } - $sequence_1 = { 25ffff0000 3d4ee640bb 7404 3bc1 7501 } - $sequence_2 = { 83c40c 66394e06 894d10 7630 83c710 8b07 } - $sequence_3 = { 03c3 8901 eb18 3daafc0d7c } - $sequence_4 = { 7463 8b55f4 8b0495582c4300 f644382848 } - $sequence_5 = { 8ad0 8adc 88550f 807e0700 7417 0fb6813051fa7e 8a4dff } - $sequence_6 = { 6a06 53 ff7508 53 ff55f0 85c0 7c07 } - $sequence_7 = { 0f8535010000 83bd88feffff00 0f85a4040000 807d9a01 } - $sequence_8 = { 885c012e 8b0495582c4300 804c012d04 46 } - $sequence_9 = { c745f800000000 0f8444040000 837d3000 0f843a040000 } - $sequence_10 = { 0f8776050000 52 51 e8???????? 83c408 c745c000000000 } - $sequence_11 = { c745fc20000000 eb21 8bd0 83e220 } - $sequence_12 = { 3e58 3e7f3e 98 3e4a } - $sequence_13 = { 47 8d5101 0f1f8000000000 8a01 41 84c0 } - $sequence_14 = { 66895dc0 ff7508 895dec ab ff760c 895df8 ab } - $sequence_15 = { e8???????? 83c410 eb03 8d041a 5b 5d c3 } + $sequence_0 = { 8a450f 884708 0fb6450b 89470c e9???????? 3cc8 } + $sequence_1 = { 3d40420f00 734f 83ec18 8bcc 68???????? e8???????? 8d4dc8 } + $sequence_2 = { 8904bd582c4300 85c0 7514 6a0c 5e 8975e4 c745fcfeffffff } + $sequence_3 = { c3 ff742408 8b442408 ff10 c3 } + $sequence_4 = { 897df8 6681384d5a 0f85bd000000 8b703c 03f0 } + $sequence_5 = { 6a00 50 ff5604 8d460c 6a00 50 ff16 } + $sequence_6 = { 0fb6560b c1e008 0bc2 8be8 8d470c 3bc8 7278 } + $sequence_7 = { 8b75c8 8d4de0 ff75d8 8b55f0 83ff10 0f43c6 } + $sequence_8 = { 47 884607 897df4 c745f04a50fa7e eb18 3ca0 7214 } + $sequence_9 = { 8d45e0 50 8d8d08ffffff e8???????? 8b55f4 83fa10 } + $sequence_10 = { 3bd8 3be2 3bf3 3bf8 } + $sequence_11 = { 7473 3bc3 c7450c32000000 7538 8b35???????? bf1453fa7e } + $sequence_12 = { c7431000000000 8d5101 c743140f000000 c60300 0f1f8000000000 8a01 } + $sequence_13 = { 8b450c 0fb684c848914200 c1e804 c9 c20800 8bff } + $sequence_14 = { 3836 42 3653 3658 } + $sequence_15 = { 03c8 3b4de8 7751 395de0 7440 83c00d 50 } condition: 7 of them and filesize < 466944 
@@ -106253,36 +106668,36 @@ rule MALPEDIA_Win_Lethic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3babd57d-d49b-5fd8-b851-cfcf000e34be" - date = "2026-01-05" - modified = "2026-01-06" + id = "c5abd507-e893-537c-9240-e67fd35d8382" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lethic_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lethic_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "b68d77c1a72e1fca1c5c9d72302fcacf09ed698f69d0c7903522cd1a657700c5" + logic_hash = "4f9773d5466d0c23fec4c50addb0d48c81571af08d3ee69d962c40824c670ee9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b550c 8955f8 8b45f8 034510 8945f4 } - $sequence_1 = { c7823410000001000000 6a10 8b450c 50 8b4dfc 83c108 51 } - $sequence_2 = { 8945fc 8b4dfc 894df0 8b550c } - $sequence_3 = { ffd1 33c0 eb42 6a10 } - $sequence_4 = { 8b08 890a 8b55fc 8b02 8945fc 8b4df4 51 } - $sequence_5 = { 8b55fc 83c208 52 8b45fc 8b4818 51 } - $sequence_6 = { 33c0 e9???????? 
8b45fc 8b4d10 894804 8b55fc c7823410000001000000 } - $sequence_7 = { 890a 8b55fc 8b02 8945fc 8b4df4 51 8b55f8 } - $sequence_8 = { 894df8 8b55fc 3b55f8 7411 8b45fc c60000 } - $sequence_9 = { 8b55fc c7823410000001000000 6a10 8b450c 50 8b4dfc 83c108 } + $sequence_0 = { 8b550c 8955f8 8b45f8 034510 8945f4 8b4df8 } + $sequence_1 = { 8b550c 8955f8 8b45f8 034510 8945f4 } + $sequence_2 = { 8b55fc 3b55f8 7411 8b45fc } + $sequence_3 = { 837df800 7418 8b45f8 50 8b4dfc } + $sequence_4 = { 8b4dfc 83c101 894dfc ebe7 8b4508 8be5 } + $sequence_5 = { 034d0c 894df8 8b55fc 3b55f8 7411 8b45fc } + $sequence_6 = { 7418 8b45f8 50 8b4dfc 51 8b55fc } + $sequence_7 = { 50 8b4dfc 83c108 51 8b55f4 } + $sequence_8 = { 83c201 8955fc 8b45f8 83c001 8945f8 ebda } + $sequence_9 = { 8b11 3b55f4 740a 8b45fc 8b08 894dfc } condition: 7 of them and filesize < 81920 
@@ -106292,42 +106707,36 @@ rule MALPEDIA_Win_Heloag_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8ed63d6a-bd5d-5cf3-8c24-b83f34a89c57" - date = "2026-01-05" - modified = "2026-01-06" + id = "f6195c18-5155-55b4-8463-55011564110c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.heloag_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.heloag_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "2f5a3d733baee006935f8eba431242cec5f8a5f8274d648625719943963ee673" + logic_hash = "fd2642915a590b0fde7950dbbf25053c0c19b4717c654b8abb7177c922c57232" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 f3a5 8a0d???????? 8dbdadfdffff 888dacfdffff } - $sequence_1 = { a1???????? 6889130000 68???????? 8b4810 51 e8???????? 83f8ff } - $sequence_2 = { 3bc2 7e7f 33f6 ff15???????? 257f000080 7905 } - $sequence_3 = { 90 90 8b45e4 b919000000 25ffff0000 99 } - $sequence_4 = { 83c261 52 99 f7f9 8d85dcfdffff 83c261 52 } - $sequence_5 = { 50 68???????? ff15???????? 50 ffd3 8d8dd8fcffff } - $sequence_6 = { 99 f7f9 8b45c8 25ffff0000 } - $sequence_7 = { 8b0d???????? 8b15???????? 8985e0faffff 66a1???????? 
} - $sequence_8 = { 8b4e0c 3bcd 8b07 89442410 7464 } - $sequence_9 = { 50 53 8bcd ff15???????? 6a00 6a00 8bcd } - $sequence_10 = { 7505 a1???????? 894304 8b5608 895308 } - $sequence_11 = { f2ae f7d1 49 51 56 68???????? } - $sequence_12 = { 8b11 8bcf 52 6a00 50 } - $sequence_13 = { ff15???????? 8a4c2413 6a00 884c244c 8d4c244c } - $sequence_14 = { 53 68???????? 8d4c2420 ff15???????? } - $sequence_15 = { ff15???????? 84c0 7420 8b7d04 } + $sequence_0 = { eb0a c745ec98c00010 8b75ec 8b1d???????? 68???????? } + $sequence_1 = { b001 68???????? 6a00 884105 6a00 895134 884130 } + $sequence_2 = { 895f0c 5f 5e 5d 5b c3 8b4104 } + $sequence_3 = { 8b442420 c7842444010000ffffffff 3bc3 741d } + $sequence_4 = { 8b5508 f7d1 49 2bc2 8bf1 3bc6 } + $sequence_5 = { 8b442410 8d0cc500000000 2bc8 c1e104 8b9100d00010 8b4c241c 3bcb } + $sequence_6 = { 33c0 895c2418 895c241c 895c2420 } + $sequence_7 = { 8b742414 8b00 57 8bf9 8b4e08 897c2410 } + $sequence_8 = { 754c fec8 53 8841ff 8bcd ff15???????? 5f } + $sequence_9 = { e8???????? 59 c3 8b8ddcfeffff ff25???????? b8???????? e9???????? } condition: 7 of them and filesize < 401408 
@@ -106337,36 +106746,36 @@ rule MALPEDIA_Win_Lightlesscan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b826b58a-58c7-58d3-8203-4697848cdc57" - date = "2026-01-05" - modified = "2026-01-06" + id = "10e80abb-dba5-5bb5-8fa2-f63fbafbc5c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lightlesscan_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lightlesscan_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "5d3e853bb474af272be8c5d451244aad6d1bade1283c3318141a0ba65106022e" + logic_hash = "cb3fef930f62b3f9de3e04845ee7aa006ee74022653dad375fdd7f5f3404bb05" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83fb02 0f8539020000 33c0 4585ed 0f84bb010000 448b442464 488945b0 } - $sequence_1 = { 4885db 745a 488d0dda770400 e8???????? 4c8d4c2450 458bc4 488bd6 } - $sequence_2 = { 4c8d4c2478 4533c0 418d5001 488b4d28 ffd0 } - $sequence_3 = { 8b442434 eb8c 85c0 0f858c060000 33db 4d8be7 8bfb } - $sequence_4 = { e8???????? 488d4c2454 4c89642428 48894c2420 488b4c2458 4533c9 4533c0 } - $sequence_5 = { b904010000 498bc3 66443938 740b 4883c002 48ffc9 75f1 } - $sequence_6 = { 4883c9ff 48897c2430 33c0 488bfb 488bd6 f2ae 48f7d1 } - $sequence_7 = { e8???????? 
488bcb ffd0 488b0d???????? 488b1d???????? c60107 40382b } - $sequence_8 = { 4c8d8de0030000 4c8d05306f0500 440fb7d8 488d8dd0010000 ba04010000 44895c2420 e8???????? } - $sequence_9 = { 498be3 415c 5f 5d c3 48895c2418 48896c2420 } + $sequence_0 = { 48894c2428 488d8d10040000 488d15fcd80400 48894c2420 488b4c2450 4533c0 ffd0 } + $sequence_1 = { 33d2 41b806020000 6689bd90010000 e8???????? 488d8da2030000 33d2 41b806020000 } + $sequence_2 = { 488bcb ff15???????? 488d15d4670400 41b802000000 498bcc e8???????? 4c8d0517ce0400 } + $sequence_3 = { 90 0f1045c0 0f298590000000 f20f104dd0 f20f118da0000000 b918000000 e8???????? } + $sequence_4 = { 4983c002 48ffc9 75dd 4983e802 33c0 66418900 8d4101 } + $sequence_5 = { 49ffc8 75e7 448bcf 4c8d1d79370600 85db 742b } + $sequence_6 = { 41b802000000 488bce 48c744242000000000 ffd0 488d0dcf800400 e8???????? 4533c9 } + $sequence_7 = { c745f040000000 e8???????? 488d4df0 ffd0 488b4df8 488d95b0060000 48c1e914 } + $sequence_8 = { 488d442478 4d8be8 488bf2 c744243000000000 4889442428 458d4101 33d2 } + $sequence_9 = { 488bf0 b807452ec2 f7eb 448d2c13 41c1fd10 418bcd c1e91f } condition: 7 of them and filesize < 1399808 
@@ -106376,36 +106785,36 @@ rule MALPEDIA_Win_Xfsadm_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4e0da958-d7db-5cd3-9845-58c1ee1ba55b" - date = "2026-01-05" - modified = "2026-01-06" + id = "552d6194-4917-5d44-9757-a3d6f70fd0c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xfsadm_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xfsadm_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "b8085f6961208dfb9003a24568de62da647e6cb5e982bfeaf61525cbc63ec421" + logic_hash = "0bd192351fc03846117b638fe2e0016827c857e0d506d55fb4904ab3035a6f66" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740f 83f8fe 740a 6bce38 030c95f8d84200 f6412d01 7414 } - $sequence_1 = { 8d7301 80fa78 7577 385903 } - $sequence_2 = { 895e04 eb03 8b5e04 893c83 ff4634 } - $sequence_3 = { 83c404 8b5d0c c7461000000000 c7461400000000 c7461800000000 8d4b01 8a03 } - $sequence_4 = { 6a03 6808020000 ff15???????? 68???????? ff75e0 ff75dc } - $sequence_5 = { 8b12 8b42f8 2b4afc 2bc7 0bc8 } - $sequence_6 = { 894df0 83c104 50 e8???????? 8bf8 85ff 0f84cb000000 } - $sequence_7 = { a3???????? 85c0 0f8475010000 68???????? ff35???????? ffd6 a3???????? 
} - $sequence_8 = { 8b7b20 8b7324 6a00 ff10 8b06 8bce 53 } - $sequence_9 = { f20f593c85604f4200 660f122c85604f4200 03c0 660f28348570534200 } + $sequence_0 = { 84c9 7410 c60720 47 8a06 46 8807 } + $sequence_1 = { 8975cc 8975d0 8975e0 8d1c85fcffffff c745e4d8254200 } + $sequence_2 = { 6a00 ffd7 85c0 740c 6a00 6a00 } + $sequence_3 = { 6a26 58 0fb60c858e174200 0fb634858f174200 8bf9 8985b0f8ffff c1e702 } + $sequence_4 = { e8???????? 83c414 57 e8???????? a1???????? 83c404 } + $sequence_5 = { e8???????? 68f80f0000 8bf8 6a00 } + $sequence_6 = { 75d3 8b4d08 ff7718 6a00 51 8b4f04 6a0a } + $sequence_7 = { 57 6a00 6a00 6a00 6a00 6a00 680cfeffff } + $sequence_8 = { ff5008 8bd0 c702???????? 8b45fc 8b4d0c 894204 } + $sequence_9 = { c7463800000000 8d4608 c7463c00000000 c7464000000000 c7464400000000 c7464800000000 } condition: 7 of them and filesize < 566272 
@@ -106415,36 +106824,36 @@ rule MALPEDIA_Win_Fancyfilter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "975f685e-f179-537e-9fa3-85eadc815e28" - date = "2026-01-05" - modified = "2026-01-06" + id = "dd64c9df-3d65-5a08-b61a-5df0312953c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fancyfilter_auto.yar#L1-L111" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fancyfilter_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "d344d0526413aed72b15674c72f5f795f13d63b4791189f46999d274791cb577" + logic_hash = "5cadb1f8ab298e605eeb127c47efdb29e8d3aca2e82a477cbb6686ffba2aeb2d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 891d???????? 891d???????? b001 5b } - $sequence_1 = { ff15???????? 83c420 83f803 7409 } - $sequence_2 = { 66833800 7404 b001 eb02 } - $sequence_3 = { 740f 8d4f20 51 50 ff15???????? } - $sequence_4 = { 83f80a 7305 83c030 eb03 83c057 8801 } - $sequence_5 = { 51 50 ff15???????? 8b36 } - $sequence_6 = { a1???????? 83c012 50 ff15???????? } - $sequence_7 = { 8d4f20 51 50 ff15???????? 8b36 } - $sequence_8 = { b805400080 c20400 56 8b742408 8b4618 85c0 } - $sequence_9 = { 83c030 eb03 83c057 8801 49 } + $sequence_0 = { ff15???????? 
83c420 83f803 7409 } + $sequence_1 = { a1???????? 83c012 50 ff15???????? } + $sequence_2 = { 8d4f20 51 50 ff15???????? 8b36 } + $sequence_3 = { 8b472c a801 7406 83c804 } + $sequence_4 = { ff15???????? 85c0 750d 8b472c a801 7406 83c804 } + $sequence_5 = { 33f6 ff15???????? 83c414 83f803 } + $sequence_6 = { 85c0 740a 66833800 7404 b001 } + $sequence_7 = { a1???????? 83c012 50 ff15???????? a1???????? } + $sequence_8 = { b805400080 c20400 56 8b742408 8b4618 } + $sequence_9 = { 83c420 83f803 7409 83f806 } condition: 7 of them and filesize < 169984 
@@ -106454,36 +106863,36 @@ rule MALPEDIA_Win_Ranbyus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "54de3fda-fe2a-5da1-b66d-8d3ced40b618" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa46bde6-8519-5600-a467-27cb6615af7e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ranbyus_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ranbyus_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "82fa28b1862a5e88eb758d7dfc3440cfe7dde7bd4fcf686642cc7b0948f4efb1" + logic_hash = "080c222bec9184866b517d0097b882847daacdfc7391ff3a8a87d15d9fcbc664" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? e8???????? 83c40c 33c0 eb03 83c8ff 5f } - $sequence_1 = { 59 85ff 743e 56 6a01 } - $sequence_2 = { 83661800 33c0 5e c3 56 } - $sequence_3 = { 89460c 8b06 59 894604 } - $sequence_4 = { 55 8d6c2490 81ec28010000 56 } - $sequence_5 = { 3b4c2404 7504 83601800 33c0 40 eb11 50 } - $sequence_6 = { 6801200000 e8???????? 8bf0 59 } - $sequence_7 = { 83c605 e9???????? 47 e9???????? 0fb64e01 } - $sequence_8 = { e8???????? 85c0 7504 83c8ff c3 c7402401000000 33c0 } - $sequence_9 = { c706???????? eb07 8bce e8???????? 
837e0400 75f3 } + $sequence_0 = { 8b442404 85c0 741b 8b4c2408 85c9 7413 8b4004 } + $sequence_1 = { 89410b 8b4605 39780b 7407 } + $sequence_2 = { a3???????? 8b45e4 a3???????? 8a4576 a2???????? } + $sequence_3 = { 85c0 745f 837c240400 7458 } + $sequence_4 = { 8b44240c 85c0 745f 837c240400 7458 57 ff74240c } + $sequence_5 = { 8b742408 85f6 7505 83c8ff 5e c3 57 } + $sequence_6 = { 803845 7504 8bf0 ebeb 6a03 } + $sequence_7 = { 89410b 8b4605 39780b 7407 c7401301000000 } + $sequence_8 = { e9???????? 47 e9???????? 0fb64e01 } + $sequence_9 = { 740b 3c7d 7407 6ae4 } condition: 7 of them and filesize < 638976 
@@ -106493,36 +106902,36 @@ rule MALPEDIA_Win_Graftor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "138ca116-cc68-528f-bf0e-7fb64c51da51" - date = "2026-01-05" - modified = "2026-01-06" + id = "d9d0bea0-ccef-5861-9dfa-fac7d2ebaa34" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.graftor_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.graftor_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "a96a22ad70eb991290928c1f214241d1fdeb4091277b5b5fb893f50f8f3393f5" + logic_hash = "41346109b754abff09dd11cdd6f40f3cab21175caffb94b2808010c24f0a709f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 393d???????? 7523 8d85fcbfffff 50 57 57 6a29 } - $sequence_1 = { 57 e8???????? 85c0 743f 8365fc00 8d45fc 50 } - $sequence_2 = { c3 53 8b5e14 57 8bf8 3bdf 771d } - $sequence_3 = { 5e 5d c20400 6a50 b8b69f4c00 e8???????? 8b7d10 } - $sequence_4 = { e8???????? 6800aa4d00 8db5ecbeffff c645fc04 e8???????? 8b8d58bfffff 33ff } - $sequence_5 = { e8???????? 845df0 740b 6a00 53 8d4db8 e8???????? } + $sequence_0 = { 8bec 56 8bf1 8b4608 c706fcbb4c00 85c0 7408 } + $sequence_1 = { 762b 57 8b7e14 03fb 6a00 8bc6 e8???????? } + $sequence_2 = { e8???????? 53 6a01 8db424d0000000 e8???????? 
33c0 } + $sequence_3 = { 8d8598fdffff 50 c645fc28 e8???????? 83c410 6aff } + $sequence_4 = { f605????????01 7517 830d????????01 68d49e4d00 ff15???????? a3???????? a1???????? } + $sequence_5 = { 5e 8bc7 5d c20400 55 8bec 837d0801 } $sequence_6 = { 741c 50 ff15???????? 85c0 7511 8b4604 3d58b74e00 } - $sequence_7 = { c68424a8030000fc 8d84244c020000 8bf4 89a424c4000000 50 e8???????? c68424a8030000fa } - $sequence_8 = { e8???????? 83c418 84c0 747f 66d16dc8 0fb745c8 } - $sequence_9 = { 897dac e8???????? 660fbe00 6a05 8d53bf 59 } + $sequence_7 = { b033 c0c745 ec 07 0000 00894de86689 45 } + $sequence_8 = { c684245403000077 e8???????? c684245003000078 83bc24f001000010 8b8424dc010000 7307 8d8424dc010000 } + $sequence_9 = { ffd6 89857cbdffff 3bc3 0f8451010000 8d8548bdffff 50 8d8540bdffff } condition: 7 of them and filesize < 294912 
@@ -106532,36 +106941,36 @@ rule MALPEDIA_Win_Remcom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "01102b96-17a1-5040-b86b-1c004c22e442" - date = "2026-01-05" - modified = "2026-01-06" + id = "b84a5801-d1f4-541d-b920-cf3ad03c0258" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.remcom_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.remcom_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "6c8707261db4e6b23e09ce2152b2182b004699b6aaba00688b2722f030d121d2" + logic_hash = "61721121a39328b4af77849b64350fb63cb71d11024eb5238a5552f7f0ba7bd5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a02 68???????? ffd7 8d4df4 51 6aff 6a00 } - $sequence_1 = { 033485e0fc4000 c745e401000000 33db 395e08 7536 6a0a e8???????? } - $sequence_2 = { e8???????? 8be5 5d c3 53 56 8d95f8feffff } - $sequence_3 = { 56 8b7508 57 8b7d0c 6a44 } - $sequence_4 = { ff15???????? 6a00 6a00 6a01 8d4de0 } - $sequence_5 = { 33c0 57 8945f8 8945fc 6a01 8d45e0 } - $sequence_6 = { 8b7508 57 8b7d0c 6a44 8d85a0feffff } - $sequence_7 = { 8bf8 3bfb 746a 56 68ff010f00 68???????? 
} - $sequence_8 = { ffd7 8945f0 eb51 33db 391e 763d } - $sequence_9 = { 50 6814120000 8d8de8edffff 51 56 } + $sequence_0 = { 895de8 c745ec32000000 33f6 885df4 885df5 } + $sequence_1 = { 5b 8be5 5d c3 8b3d???????? 51 } + $sequence_2 = { 85c0 75f2 e8???????? 8b0d???????? 51 ff15???????? 5e } + $sequence_3 = { 50 e8???????? 8d8da0feffff 51 56 } + $sequence_4 = { a3???????? 52 ff15???????? 85c0 7506 ff15???????? } + $sequence_5 = { 8b0d???????? 51 ff15???????? 8b15???????? 33c0 } + $sequence_6 = { 8d4310 8d8974eb4000 5a 668b31 } + $sequence_7 = { ff15???????? 8b750c 8b7d08 814e2c00010000 83c8ff } + $sequence_8 = { 51 6a08 8d95e0edffff 52 } + $sequence_9 = { 83e01f c1f905 8b0c8de0fc4000 c1e006 03c1 f6400401 7524 } condition: 7 of them and filesize < 155648 
@@ -106571,35 +106980,35 @@ rule MALPEDIA_Win_Deltas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71773355-27de-50f9-b937-a4b31a08be87" - date = "2026-01-05" - modified = "2026-01-06" + id = "651c47a4-494c-5b0e-9a44-7f4b72ec3742" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deltas_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deltas_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "110bf37db48ce7c93aacf644fe14f61a7699258651c7d440500f0fe2335e7ad7" + logic_hash = "dd329283c0d15128b8000f7c3f5a12c6c97c7d39b49fa0d60d59e05ec9ff7edc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 56 8bf1 57 b940000000 33c0 } - $sequence_1 = { 55 53 ff15???????? 
85c0 7419 } - $sequence_2 = { 66ab 8d8c247c010000 6804010000 51 c64424146d } - $sequence_3 = { eb45 8b8c249c000000 8d442454 8d7c2454 bd10000000 8d7102 } - $sequence_4 = { 85c0 0f8485010000 8b9884000000 8b8888000000 81c38c000000 83f906 0f8733010000 } - $sequence_5 = { c1ef14 c1e10c 0bf9 8b4828 03fe 894c2438 8bcf } - $sequence_6 = { 8b7824 03f3 897c241c 8bfe 23ee f7d7 } - $sequence_7 = { 88442423 8d442408 b164 b261 50 c644240c6b c644240e72 } - $sequence_8 = { 3bc3 7413 8d542438 52 8b542444 53 53 } + $sequence_0 = { 6a00 68???????? 51 c744242418020000 ff15???????? 8b542408 8bf0 } + $sequence_1 = { 03d8 85ff 7fa3 8b442424 } + $sequence_2 = { 83e103 8b549608 c1e103 d3ea } + $sequence_3 = { 8b8870040000 52 8b9084040000 51 8b8878040000 52 } + $sequence_4 = { 747f 8d542418 52 ff15???????? 85c0 89442410 7405 } + $sequence_5 = { 8d542420 52 ffd7 8bf0 85f6 } + $sequence_6 = { 03f3 8d8c0e91d386eb 8bb42498000000 8b5e08 } + $sequence_7 = { a1???????? 5f 85c0 0f8402010000 a1???????? } + $sequence_8 = { 687e660480 52 c744241400000000 ff15???????? } $sequence_9 = { 750e 8d4c2464 51 ffd6 898424c0000000 8d9424b0000000 52 } condition: 
@@ -106610,42 +107019,42 @@ rule MALPEDIA_Win_Attor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9165df3a-0588-5937-bb39-c85fa6fb26bb" - date = "2026-01-05" - modified = "2026-01-06" + id = "878b7d7d-19ac-5620-924f-8f1358c548bf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.attor_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.attor_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "0c87726814bf53a9906b73b9a1468bc9095c79fe1e564f252fa0222653b1264a" + logic_hash = "9405921e13008b6f1e976a5e392e42f99fbc06698dbfbe3019a18ea4faf8a658" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 83f801 7411 3d81000000 740a } - $sequence_1 = { 488bea 4c8be1 4889742440 4885c9 } - $sequence_2 = { 0f84aa000000 4885d2 0f84a1000000 48895c2448 488d5a08 } - $sequence_3 = { 498bcd e8???????? 4c8b6c2448 4d85e4 } - $sequence_4 = { 48896810 488970e0 488978d8 33db 4c8970d0 4532e4 33f6 } - $sequence_5 = { 4885c9 7427 488b842490000000 48899c2490000000 } - $sequence_6 = { 4889442430 e8???????? 48399c2480000000 0f84ef000000 } - $sequence_7 = { 4c8b6c2448 4d85e4 740f 33c9 e8???????? 
} - $sequence_8 = { 83c404 83e103 f3aa 8b442414 85c0 } - $sequence_9 = { 8bcf 8b7c2414 8bd1 33c0 c1e902 } - $sequence_10 = { 740a 83f808 7405 83f811 } - $sequence_11 = { 33ff 3bf7 c644241300 897c2418 897c241c 897c2414 0f8423010000 } - $sequence_12 = { ff15???????? 89442420 8d442414 8d4c2420 50 51 } - $sequence_13 = { 7411 6a00 e8???????? 56 ff15???????? 83c408 8b442430 } - $sequence_14 = { 57 ffd6 83c408 8b7c2428 85ff 740d } - $sequence_15 = { e8???????? 83c40c 3bc7 8944241c 0f84f3000000 } + $sequence_1 = { 48894718 8d5001 48894720 ff15???????? } + $sequence_2 = { 488b742458 4d85ed 7404 41895d00 418ac4 } + $sequence_3 = { 488958a8 48895808 4885c9 0f8427030000 4885d2 } + $sequence_4 = { 488d4c2440 4889442440 e8???????? 48395c2430 } + $sequence_5 = { 4a8d6c2808 488bcd e8???????? 488d942490000000 488d4c2438 4889442438 } + $sequence_6 = { 7411 33c9 e8???????? 488b4c2430 e8???????? } + $sequence_7 = { 55 4883ec78 48897010 488978e8 4c8960e0 } + $sequence_8 = { 83c40c 85c0 0f84ef000000 6a01 e8???????? } + $sequence_9 = { e8???????? 57 ffd6 83c408 8b442440 } + $sequence_10 = { 83c40c 3bc7 8944241c 0f84f3000000 8b4c2424 8d6908 55 } + $sequence_11 = { 740a 83f808 7405 83f811 } + $sequence_12 = { 83c404 83e103 f3aa 8b442418 85c0 0f8422020000 } + $sequence_13 = { 8b542444 89442434 8b44242c 8d741008 56 } + $sequence_14 = { ffd5 85c0 0f8433010000 8b74243c 33c0 8bce 6a01 } + $sequence_15 = { 8b44241c 83c40c 3bc7 7465 6a01 } condition: 7 of them and filesize < 2023424 
@@ -106655,35 +107064,35 @@ rule MALPEDIA_Win_Lightbunny_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dde384fa-2d37-5576-aebe-de172bd52692" - date = "2026-01-05" - modified = "2026-01-06" + id = "491abd88-264d-5174-b68e-6a49e576be31" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightbunny" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lightbunny_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lightbunny_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "df215a5e4e34e2b6ef794199d12d5fa957ff647111af41e6077ed16529a01062" + logic_hash = "3bfa9381ef16fc7f71576ea10bafafbc4e1a2b451ef40236a4ce0ffb3b23b53f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c9 b8???????? 90 3910 7412 0524100000 } - $sequence_1 = { e8???????? 8b55f4 83c404 b906000000 e8???????? e9???????? } - $sequence_2 = { 6a32 ff15???????? 8bcf e8???????? 8bf0 85f6 75e2 } - $sequence_3 = { 8d0485586e4100 50 8d8590faffff 03c7 50 e8???????? } - $sequence_4 = { ff36 894608 68???????? e8???????? 83c408 } - $sequence_5 = { 83b81810000000 0f85defeffff 83b82010000000 0f85d1feffff 6a00 } + $sequence_0 = { 837d0803 8b450c 56 57 7d0c ff30 68???????? } + $sequence_1 = { 2bf0 03f8 85f6 7fe1 ff15???????? a3???????? 8b45ec } + $sequence_2 = { e8???????? 
83c404 85c0 740f c70600000000 } + $sequence_3 = { 52 68???????? e8???????? 83c40c 6a02 ff7608 } + $sequence_4 = { 7420 6bc618 57 8db840b04100 57 } + $sequence_5 = { 51 ba02000000 e8???????? 83c404 } $sequence_6 = { ff75f4 68???????? e8???????? 8b4df4 83c40c } - $sequence_7 = { c1f906 53 6bd830 56 8b048d20ae4100 } - $sequence_8 = { 69f224100000 81c6???????? 7410 c7460404000000 ff15???????? } + $sequence_7 = { 89bdf4fcffff c785f0fcffff01000000 8d85e4fcffff 89bdfcfeffff } + $sequence_8 = { 8bf1 ff15???????? 894614 83f8ff 751e 68???????? e8???????? } $sequence_9 = { 8b148520ae4100 8a4c1a2d f6c104 7419 8a441a2e 80e1fb } condition: 
@@ -106694,36 +107103,36 @@ rule MALPEDIA_Win_Jackpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "705d47f5-8c33-5d05-9f3c-cd8693aecd05" - date = "2026-01-05" - modified = "2026-01-06" + id = "51d29ba6-64fb-55ed-a0ec-0843caf32e88" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jackpos_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jackpos_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "aebd9f3ce681adad20f8842dd1ad147a46f77997d7d0dde94d3c3be1cf2f594d" + logic_hash = "7c74d663791b3468974253228471fae6d65fa0f9057ebf1fa30ad119e09d7b20" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945e4 83f805 7d10 668b4c4310 66890c45f8124200 40 ebe8 } - $sequence_1 = { 57 8bf8 8b450c 397518 0f86a4000000 8b4508 83c008 } - $sequence_2 = { 8b7508 56 c745fc04000000 e8???????? 83c404 837e7010 } - $sequence_3 = { d1ff 57 8b7d14 57 } - $sequence_4 = { c60700 80780100 7e04 40 8945c4 8a00 3c7f } - $sequence_5 = { 8b10 83c40c 51 52 8d4594 50 } - $sequence_6 = { 03c9 51 8b4df8 8d1459 52 e8???????? 8b4614 } - $sequence_7 = { 85db 0f86f8000000 57 8b7e14 } - $sequence_8 = { ff15???????? 6aff 6a00 8bc6 8bcb e8???????? } - $sequence_9 = { c645fc01 50 c745f001000000 e8???????? 
c745fc02000000 bb03000000 57 } + $sequence_0 = { e8???????? 83c404 50 33ff 57 6800001000 } + $sequence_1 = { 0fbe4d0c 8b5508 53 51 } + $sequence_2 = { 8d75d0 e9???????? 8d75b4 e9???????? 8db57cffffff e9???????? 8d4d98 } + $sequence_3 = { 85c0 7408 8d4804 e8???????? 8b4df4 64890d00000000 59 } + $sequence_4 = { 8938 8b5620 c70200000000 8b4630 d1ff } + $sequence_5 = { e8???????? 68???????? 8d542408 52 c744240c24c74100 e8???????? f6c102 } + $sequence_6 = { 1bc0 83e0fe 40 85c0 751a b803000000 3bf8 } + $sequence_7 = { 3975d0 720c 8b4dbc 51 e8???????? 83c404 8bc7 } + $sequence_8 = { c786d0000000e0aa4100 c786ac00000001000000 33c0 8b4dfc 5f 5e } + $sequence_9 = { 037214 ebc4 5f 5e 5d } condition: 7 of them and filesize < 319488 
@@ -106733,36 +107142,36 @@ rule MALPEDIA_Win_Blind_Edr_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "763f7b33-d005-5632-bc6e-32cbbb43afd8" - date = "2026-01-05" - modified = "2026-01-06" + id = "3842aad4-eb94-54b7-abe6-216272c8dbaf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blind_edr" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blind_edr_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blind_edr_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "af78d8eedd7874fd051e4e2d0675f6cbdce3ecade2c26f196e0f08521ce6dfb2" + logic_hash = "676fafb96eca9486bd8875d8e81417af1ac3a8b13ac59cd5ace11dfe23d74203" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bcf e8???????? 488bc5 e9???????? 498b6e18 488bcf e8???????? } - $sequence_1 = { 483b442468 75d7 85db 7e58 } - $sequence_2 = { 498b84ffe0fc0100 90 493bc6 0f84ae000000 4885c0 0f85a7000000 4d3bc1 } - $sequence_3 = { 488d8c24b0000000 41b808000000 488bd3 e8???????? 4883c308 4883ef01 0f8560ffffff } - $sequence_4 = { 488d542450 4533c9 41b802000000 488d4b02 e8???????? 
6639742450 747a } - $sequence_5 = { 488d4b10 4533c9 41b808000000 488d542448 } - $sequence_6 = { 745e 4883c108 4c89b424a8000000 4533c9 488d9424a8000000 } - $sequence_7 = { 4883ec20 488bda 4c8d0d20fd0000 8bf9 488d1517fd0000 } - $sequence_8 = { e8???????? 4533c9 4c89742460 41b808000000 } - $sequence_9 = { 4c8d0503fd0000 e8???????? 488bd3 8bcf 4885c0 7408 ff15???????? } + $sequence_0 = { e8???????? 488b4c2458 488d542468 4883c108 48897c2468 4533c9 } + $sequence_1 = { 33f6 b918000000 e8???????? 488bd8 } + $sequence_2 = { 7525 3df4650000 7508 41bd40010000 eb25 3d5d580000 b930010000 } + $sequence_3 = { 89842470010000 418b7720 418b6f24 4803f1 418b4f1c 4903ee } + $sequence_4 = { 488bd9 4c8d0dbcfd0000 33c9 4c8d05abfd0000 488d15acfd0000 e8???????? 4885c0 } + $sequence_5 = { 4c8d0d069f0000 c5f35cca c4c173590cc1 4c8d0dd58e0000 c5f359c1 } + $sequence_6 = { 4883c110 48897538 4533c9 41b808000000 e8???????? 488b4538 ffc3 } + $sequence_7 = { 488bd0 488bc8 482bd3 33c0 } + $sequence_8 = { 4885c0 0f849b000000 4889742430 488d0d3d0e0100 c744242880000000 } + $sequence_9 = { 4885d2 0f847d000000 488b442448 4c8d0dfabf0100 418bce 41b801000000 } condition: 7 of them and filesize < 299008 
@@ -106772,36 +107181,36 @@ rule MALPEDIA_Win_Agfspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4e342af2-55f5-5fdc-91a0-c4e1164ec1ad" - date = "2026-01-05" - modified = "2026-01-06" + id = "3354a5d3-02b5-57cc-8609-7576fd817a74" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.agfspy_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.agfspy_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "2c968cb953938166f8c4bb13e44158b837061eedd931abcb024c0888547d30a4" + logic_hash = "38550b3fd6fc17deb203085aed2d62ac879ee866ac3497eca0694cbea2fdea30" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8901 8b0b 85c9 7405 8b01 ff5010 8933 } - $sequence_1 = { 8bc6 8b4d0c 890e 8b4d10 5f 894e04 5e } - $sequence_2 = { c744c81000000000 8d2cc8 8b4c241c c7451400000000 0f1001 0f114500 f30f7e4110 } - $sequence_3 = { 8bc8 6a01 ff12 8d4d98 e8???????? 0f57c0 c745e800000000 } - $sequence_4 = { b801000000 eb40 83ec08 c6462401 50 e8???????? 8945d0 } - $sequence_5 = { 5e 5b 8be5 5d c20400 8b470c 33f6 } - $sequence_6 = { 3c0a 7409 6a0a 8bce e8???????? 837f3c10 8d4728 } - $sequence_7 = { b001 c6460401 e9???????? 8b01 ff5018 83f8ff 7405 } - $sequence_8 = { e8???????? 
0fb7ff eb16 0fb77c2410 8d4c2414 e8???????? 0fb7ff } - $sequence_9 = { 8bcf e8???????? 8bc8 e8???????? 8bc8 e8???????? 83ec18 } + $sequence_0 = { 7527 83fefd 7431 8a4101 3a4201 751a 83fefe } + $sequence_1 = { 8b7d08 33c9 8b4510 8b5d0c 897de4 c745f000000000 c7471000000000 } + $sequence_2 = { 83c404 8bce ff5204 8935???????? 8d4dd0 e8???????? 8bc6 } + $sequence_3 = { 33f6 8b9564ffffff 83fa10 722b 8b8d50ffffff 42 8bc1 } + $sequence_4 = { 833800 7469 8b512c 8b02 85c0 7e60 48 } + $sequence_5 = { c7464c00000000 5e c3 f7465000000004 74c2 8b4e28 } + $sequence_6 = { 8a461c 88421c 5e 8917 5f 5d c3 } + $sequence_7 = { 0fabd0 8801 8bce e9???????? 52 8d4e24 e8???????? } + $sequence_8 = { c745fc00000000 c745f001000000 8b07 6a00 8b4004 c70407???????? } + $sequence_9 = { c20800 83ec08 c6432c01 51 8bcb e8???????? 8ac8 } condition: 7 of them and filesize < 1482752 
@@ -106811,36 +107220,36 @@ rule MALPEDIA_Win_Edr_Silencer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91d15ce1-a998-5572-89fb-85a860af50f1" - date = "2026-01-05" - modified = "2026-01-06" + id = "0770d014-47f8-5163-8630-b0a0dcd51e6f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.edr_silencer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.edr_silencer_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.edr_silencer_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "36fd2a9fad325810fcce7416a9019a99b9100292037753c9fbfd0fd06391d993" + logic_hash = "aaba25479491aa73e0d67ffa4884a0eee48f83b2c8cc3ae697f837d8db881ce7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 898524030000 83bd2403000000 0f84b1000000 83bd2403000005 } - $sequence_1 = { e8???????? 85c0 0f84b7000000 4183ee57 4189fd 6690 } - $sequence_2 = { 488d154a7b0000 89442420 488d4c243e 480f44da 4c89e2 } - $sequence_3 = { 4889c1 488b05???????? ffd0 b801000000 4883c450 } - $sequence_4 = { 488b85d8010000 488b00 488b4008 4885c0 } - $sequence_5 = { e8???????? b801000000 e9???????? e8???????? 85c0 750a b801000000 } - $sequence_6 = { 4889c1 e8???????? 8945f8 837df800 7416 8b45f8 } - $sequence_7 = { b900000000 e8???????? 
8945f8 837df800 7416 8b45f8 } - $sequence_8 = { 48894558 488b8518030000 488d4db0 488d5510 4989c9 } - $sequence_9 = { 488b05???????? ffd0 89c2 488d0d5fc70000 } + $sequence_0 = { e8???????? 488d0d28cb0000 e8???????? 488d0d5ccb0000 } + $sequence_1 = { e8???????? 898588040000 83bd8804000000 7416 } + $sequence_2 = { b801000000 eb34 488b45f8 4889c1 } + $sequence_3 = { 6683f809 0f87f3060000 4183fe03 0f87e9060000 4585f6 0f850a020000 41be01000000 } + $sequence_4 = { 4889c2 488d0d6dcc0000 e8???????? eb14 } + $sequence_5 = { 488b5df0 b901000000 488b05???????? ffd0 4989d8 488b5520 4889c1 } + $sequence_6 = { 8985ac010000 83bdac01000000 740b 8b85ac010000 e9???????? b910000000 e8???????? } + $sequence_7 = { 4881c418050000 5f 5d c3 55 57 } + $sequence_8 = { 488d0d16c90000 e8???????? 488b45e0 4889c1 488b05???????? ffd0 b800000000 } + $sequence_9 = { 48898d00020000 48899508020000 4c898510020000 4883bd0002000000 740a } condition: 7 of them and filesize < 744448 
@@ -106850,36 +107259,36 @@ rule MALPEDIA_Win_Bootwreck_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c86e0360-3c55-5b68-af4c-6642481fbd38" - date = "2026-01-05" - modified = "2026-01-06" + id = "1378c9fb-61e2-5eb0-9121-77bd373bc04f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bootwreck_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bootwreck_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "a7d19ddda34fd585dce842e8452aa3b90378f4a99b150c5642a8436fb2a84d1d" + logic_hash = "7afa6ef33adc76004c8c91f2c6154bc64f62f404c6ab0afbfa8361808ddef3dd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 9e 3ec9 307dd6 14cc 7466 d59d } - $sequence_1 = { c60424de 57 9c 875c242c ff742404 54 9c } - $sequence_2 = { fd 7919 87c1 0e d9574e 6d 7db2 } - $sequence_3 = { 8b8020334500 c60424ef 60 8d8090b42a7f 8d642434 0f8f702c0000 687b1f6def } - $sequence_4 = { 660fb6db 89f3 660fbef1 5e 660fce 8b742440 88442404 } - $sequence_5 = { 70e8 32ff 46 33e2 41 2eb910b0f8ab 828dc6785b1254 } - $sequence_6 = { e8???????? 
f6d2 8b5620 60 9c ff742404 89542424 } - $sequence_7 = { 60 e7c6 45 14bb aa 11fe 1d0a3b6a57 } - $sequence_8 = { b6d1 0206 82535e09 3909 a6 ae 57 } - $sequence_9 = { 660fb6c9 660bf9 0fb7cf 8b7d10 894d0c 2acb 32c8 } + $sequence_0 = { f9 66d3ef 660fcf 0fb738 f8 29db } + $sequence_1 = { 97 4e 1db48b7a71 f8 8766ad fa 2976a7 } + $sequence_2 = { 8dac246971318a 8dada1cd3823 66f7d5 5d 689c422a44 9c 60 } + $sequence_3 = { 9c 8d642428 e9???????? 9c 8d642410 e8???????? 28c3 } + $sequence_4 = { 60 67b41b 4f b666 6d 5a } + $sequence_5 = { 397dfc 0f847affffff 0fb6d2 3b55f8 7523 8b8c88380c0000 6a03 } + $sequence_6 = { 8b742420 9c 8a7c2404 8da9483b0901 66bb2520 890f c644241c95 } + $sequence_7 = { 5a 3d1eff0e9c 5d 22812152a18e 33dd fa 7599 } + $sequence_8 = { 88642404 8d64243c e8???????? 80d988 8b4dfc 9c 60 } + $sequence_9 = { 5a 7df3 293f bd5b0c762c 8400 47 f77e54 } condition: 7 of them and filesize < 10821632 
@@ -106889,36 +107298,36 @@ rule MALPEDIA_Win_Krdownloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8928305b-67d0-5595-b543-162ed3d8a500" - date = "2026-01-05" - modified = "2026-01-06" + id = "9b4c2382-c7c9-51bb-a270-db7f3b8fdc18" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.krdownloader_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.krdownloader_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "b190fd97a74e2ef74cfd54dab7101c2dd88a9538032e0c3b3bee219ca7927a46" + logic_hash = "e426897d5051d34441bbf890d389e196e8737ba70d93e788b3dc9bdf9efdea1d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb26 8b4dfc 034df4 0fb6512c 52 68???????? 8b45f0 } - $sequence_1 = { 83ec34 894df8 c745fc00000000 8b450c } - $sequence_2 = { c745ec00000000 c745f400000000 c745d810000000 c745e000000000 c745d000000000 c745f800000000 c745e800000000 } - $sequence_3 = { 83c40c 8b45f8 50 ff15???????? eb26 } - $sequence_4 = { c745fc00000000 6a00 6822020000 ff15???????? } + $sequence_0 = { 8b0a 2b08 8bc1 99 b904050000 f7f9 } + $sequence_1 = { 8d95e9fbffff 52 e8???????? 83c40c 8b45fc 2b45f4 50 } + $sequence_2 = { 6840004004 8d45f4 50 68???????? 68???????? 
} + $sequence_3 = { e8???????? 8945ac 8b4dd8 0fbe540de8 52 8b45d4 0fbe4c05e8 } + $sequence_4 = { 83c408 837d1000 7509 c745f801000000 eb07 } $sequence_5 = { 6a00 6840004004 8d45f4 50 68???????? 68???????? } - $sequence_6 = { 83c40c c745f400000000 8d85f4f7ffff 50 8b4dfc 81c1640d0300 } - $sequence_7 = { ffd1 8b55fc 83ba540d030000 7415 8b45fc 8b88540d0300 51 } - $sequence_8 = { c740040f000000 8b4dfc 51 8b55f8 52 8d85e4ebffff } - $sequence_9 = { 50 8d85f0fbffff 50 8b4df8 51 e8???????? } + $sequence_6 = { 837dec00 0f850a010000 8b4df8 894dfc 837dfc00 0f84fa000000 } + $sequence_7 = { 894df8 c745fc00000000 c745f400000000 eb0c 8b45f8 8b4df4 034804 } + $sequence_8 = { 50 680000a000 8b4dec 51 6a00 } + $sequence_9 = { c745bc00000000 c745e002000000 c745e8983a0000 8b45e8 50 } condition: 7 of them and filesize < 352256 
@@ -106928,41 +107337,41 @@ rule MALPEDIA_Win_Zeus_Sphinx_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc60ac31-7ae9-5152-95ad-d09a0d909f1a" - date = "2026-01-05" - modified = "2026-01-06" + id = "2971158e-43c7-599c-a8f0-006e83f3393f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeus_sphinx_auto.yar#L1-L157" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeus_sphinx_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "aa5ca92258dc544d26d29bb94ea2e9b532df6b20bb95794e6914a3376629593d" + logic_hash = "002c140e4789a20845fa01c12dfbf259e54313649e048f059289e75b7090b2b5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 891c24 89c6 e8???????? 83c410 8d65f4 } - $sequence_1 = { 50 e8???????? 83c410 e8???????? 8d65f8 } - $sequence_2 = { 52 53 57 e8???????? ff4750 83c410 } - $sequence_3 = { 50 e8???????? 83c420 48 } - $sequence_4 = { 50 e8???????? 83c430 85c0 7e0c } - $sequence_5 = { 50 e8???????? 83c418 68???????? 68???????? } - $sequence_6 = { 50 e8???????? 84c0 745f 8d442414 } - $sequence_7 = { 50 e8???????? 83c414 68???????? e8???????? c70424???????? } + $sequence_0 = { 50 e8???????? 83c410 c785b8fdffff00000000 85c0 750d 83eb02 } + $sequence_1 = { 50 e8???????? 
83c410 e9???????? 0fb77712 f7c620000000 } + $sequence_2 = { 52 53 57 e8???????? ff4750 } + $sequence_3 = { 50 e8???????? 83c410 ff07 8b5708 8d04f500000000 } + $sequence_4 = { 50 e8???????? 83c410 e8???????? 8d65f8 89f0 } + $sequence_5 = { 50 e8???????? 83c410 eb31 833d????????00 7408 } + $sequence_6 = { 50 e8???????? 83c410 eb6f 81f9ff0f0000 7e1e } + $sequence_7 = { 50 e8???????? 83c410 eb32 83ec0c 53 } $sequence_8 = { 01fc eb98 035e14 8ade } - $sequence_9 = { 010d???????? 60 5a 98 } - $sequence_10 = { 0303 50 ff550c 8b3e } - $sequence_11 = { 020a 42 1af6 af } - $sequence_12 = { 0162c9 cf 0c06 3c3e } - $sequence_13 = { 003b c09bdbe23ea11c 695600663ec700 de07 } - $sequence_14 = { 010c02 3bf7 0f85f0f50000 e9???????? } + $sequence_9 = { 0303 50 ff550c 8b3e } + $sequence_10 = { 010d???????? 60 5a 98 } + $sequence_11 = { 0162c9 cf 0c06 3c3e } + $sequence_12 = { 003b c09bdbe23ea11c 695600663ec700 de07 } + $sequence_13 = { 010c02 3bf7 0f85f0f50000 e9???????? } + $sequence_14 = { 020a 42 1af6 af } $sequence_15 = { 0008 d7 9f b2d3 } condition: 
@@ -106973,36 +107382,36 @@ rule MALPEDIA_Win_C0D0So0_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aea7e5c4-8703-5b4f-a55a-e1b218098e9e" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d5f14be-55bb-5899-b6ef-5d7393399909" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.c0d0so0_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.c0d0so0_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "0dd75833152df4b63946cc86c2ac389a4374b8155ffb49a46f2ef69869ec191b" + logic_hash = "0f4e979cbe3d76aff927aa6e7e1b3d6c448a2b5066b0887f652f80cce15e3c72" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a04 bf00200000 57 ff7350 ff7334 ffd6 } - $sequence_1 = { 837d0c00 7404 0006 eb02 2806 0fb6c0 } - $sequence_2 = { ff15???????? eb46 8d0c4e 8d0c4f } - $sequence_3 = { ff15???????? 85c0 7423 6683780802 } - $sequence_4 = { 33c0 5d c3 8b503c 813c1050450000 75f0 8bd7 } - $sequence_5 = { 7421 8345f814 8b45f8 6a14 83c0f0 50 } - $sequence_6 = { c1ea10 ff4dfc 8813 43 837dfc00 7fe7 8b5508 } - $sequence_7 = { 741f 4a 7417 4a 740f } - $sequence_8 = { eb62 8d45f4 50 57 8d45fc } - $sequence_9 = { 85c0 740f 8b00 47 89048e 41 } + $sequence_0 = { 50 ff15???????? 
8945fc 8d4df8 83c012 51 } + $sequence_1 = { ffb56cfdffff 8b35???????? 6a00 ffd6 50 } + $sequence_2 = { 8a4902 ebf2 8a4901 ebed 8a4902 } + $sequence_3 = { 50 ff15???????? 85c0 0f8435ffffff eb04 } + $sequence_4 = { 0f8399000000 53 56 57 8d5924 8b13 8bca } + $sequence_5 = { 7503 50 eb44 8d856cfdffff 50 53 ff9568fdffff } + $sequence_6 = { 7511 8d45f0 50 ff75f0 56 ff75f8 } + $sequence_7 = { c3 2b05???????? 56 57 33ff ba???????? 8b32 } + $sequence_8 = { ff9568fdffff 85c0 7531 8bc3 8b8894010000 } + $sequence_9 = { 56 e8???????? eb1d 8a4902 ebf2 8a4901 } condition: 7 of them and filesize < 450560 
@@ -107012,46 +107421,42 @@ rule MALPEDIA_Win_Elise_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08b1c424-ccca-5509-994b-c3215e83e8dc" - date = "2026-01-05" - modified = "2026-01-06" + id = "e9450a6f-39e8-5559-8ea2-38a29ab7f193" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.elise_auto.yar#L1-L199" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.elise_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "70b08762b10b71d08f89704ff70572a2b0da8c94488cb175a27749246468d125" + logic_hash = "5ded95c4439812b9f226de5926faad139bbac5d5faba8fe45353b300b601040b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 1bc0 83e0fe 83c00b 8945f8 8b45f4 40 50 } - $sequence_1 = { 4b 8d3470 75ed 5b } - $sequence_2 = { ab 75d2 5f 5e 5b c3 } - $sequence_3 = { 7cf5 33c9 888f00010000 888f01010000 } - $sequence_4 = { 8b491c 83c60c 83c110 8945fc } - $sequence_5 = { 8d1c58 d3e0 0945f4 ff45f8 } - $sequence_6 = { c3 55 8bec 51 51 53 8d5f10 } - $sequence_7 = { 888f00010000 888f01010000 8bf7 8945f8 } - $sequence_8 = { 57 6a22 50 894608 ff15???????? } - $sequence_9 = { 034e3c b800030000 d3e0 33c9 6a02 } - $sequence_10 = { 56 57 b99a000000 8d7510 } - $sequence_11 = { e8???????? 
83c40c 8d4580 50 8d4588 } - $sequence_12 = { 33c0 e9???????? 833d????????00 7405 e8???????? 83c8ff } - $sequence_13 = { ff75ec 0fb6843794010000 99 53 52 50 } - $sequence_14 = { 0145f0 6a00 6800010000 ff75ec 1155f4 53 } - $sequence_15 = { 5b 85ff 7415 0fb616 33d0 23d1 c1e808 } - $sequence_16 = { 50 ff7580 e8???????? 85c0 } - $sequence_17 = { 6a20 e8???????? 59 8bd8 } - $sequence_18 = { 59 59 33c0 e9???????? 8b35???????? 6a04 } - $sequence_19 = { 8bd7 c1ea03 53 0fb61e 33d8 23d9 c1e808 } + $sequence_0 = { e8???????? 85c0 0f8484000000 53 57 } + $sequence_1 = { 8b01 294104 8b5104 8bf2 c1ee1f f7de } + $sequence_2 = { 8901 8b4108 8b5008 56 8b30 } + $sequence_3 = { 5f c3 56 be4d5a0000 663931 7534 } + $sequence_4 = { 034e0c 0111 8b7dfc 47 3b7df8 897dfc 7cc6 } + $sequence_5 = { 7cf5 33c9 888f00010000 888f01010000 8bf7 } + $sequence_6 = { c1e006 8d5828 c745f406000000 8d0433 8d0447 } + $sequence_7 = { 66894202 57 8bc3 c1e310 } + $sequence_8 = { 8b481c 8b5814 03ca 33d2 42 2b5010 7816 } + $sequence_9 = { d1e8 33c2 eb02 d1e8 4e 75f1 } + $sequence_10 = { 8b7df4 8d4e01 81e1ff000080 7908 49 81c900ffffff } + $sequence_11 = { 46 4f 75eb f7d0 } + $sequence_12 = { 8a8800010000 8a9001010000 0f8e93000000 53 } + $sequence_13 = { 83c8ff b9ff000000 83ff08 0f82a1000000 8bd7 } + $sequence_14 = { 0145f0 6a00 6800010000 ff75ec 1155f4 } + $sequence_15 = { 0fb6d2 03d7 81e2ff000080 7908 4a 81ca00ffffff 42 } condition: 7 of them and filesize < 204800 
@@ -107061,36 +107466,36 @@ rule MALPEDIA_Win_Zupdax_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de5aa4fa-5f17-5443-8ded-540bc4f1be04" - date = "2026-01-05" - modified = "2026-01-06" + id = "6422642c-ca0a-547b-b9a7-56850329e422" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdax" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zupdax_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zupdax_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "eb046345ff3af30eb975f6808cc5770691e59266f20f528282b1aa4111a1c56b" + logic_hash = "38cddd88ba5cfe2c04dbd9ca80f5282e5e779a0290e6e18141d54b5e589caa5b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 8b06 50 895e0c 895e10 } - $sequence_1 = { 8b4c2408 8b7e28 51 e8???????? 8b5624 52 e8???????? } - $sequence_2 = { 56 57 33c9 33f6 33ff 394c2414 } - $sequence_3 = { 7522 e8???????? 8b0d???????? 51 8b0d???????? } - $sequence_4 = { e8???????? 83c408 8b4618 50 895e24 } - $sequence_5 = { 51 e8???????? 83c418 8bc6 c3 } - $sequence_6 = { 895e2c e8???????? 8b460c 83c404 3bc3 } - $sequence_7 = { 52 e8???????? 
83c408 8b06 50 895e0c 895e10 } - $sequence_8 = { 3bc3 7419 8b4c2408 8b7e28 51 } - $sequence_9 = { 8d4618 6a00 50 c706ffffffff } + $sequence_0 = { 8bd6 8bc8 2bd1 8bff 0fb708 } + $sequence_1 = { 895e2c e8???????? 8b460c 83c404 } + $sequence_2 = { 4e 81ce00ffffff 46 8a1c06 881c01 881406 0fb61c01 } + $sequence_3 = { 895618 894718 33db 83c61c } + $sequence_4 = { c706ffffffff c74604ffffffff e8???????? 68c8000000 8d4e7c 6a00 } + $sequence_5 = { 895e10 894704 894f08 8b4f14 89570c } + $sequence_6 = { 8b4c2408 8b7e28 51 e8???????? 8b5624 } + $sequence_7 = { 8bf0 8bc7 8d5001 8a08 40 } + $sequence_8 = { 33db 57 3bc3 7419 8b4c2408 8b7e28 51 } + $sequence_9 = { 52 e8???????? 83c408 8b06 50 } condition: 7 of them and filesize < 1032192 
@@ -107100,36 +107505,36 @@ rule MALPEDIA_Win_Ployx_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "61ab771e-15a5-5bf0-85c3-97759fe60e6e" - date = "2026-01-05" - modified = "2026-01-06" + id = "fec73e07-e8b3-57ed-9bd4-5b2b5278fd29" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ployx_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ployx_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "cb7aed624d5d0c844199f7121f6160ab6100f3d910b00c22bede0a77fbaeb62d" + logic_hash = "fb83e724df677046924044ac86f8d1935494d3b6ca0dc7e2ae112ead877f554a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85a4feffff 68???????? 50 e8???????? 8d85a4feffff 68???????? 50 } - $sequence_1 = { 81f9???????? 7ce7 5b 8bc6 5f 5e c20400 } - $sequence_2 = { 83c418 8945f4 85c0 746f 50 e8???????? 50 } - $sequence_3 = { e8???????? 8bf8 8b4d08 47 47 8d0437 50 } - $sequence_4 = { 0f8584000000 8d45d4 50 e8???????? } - $sequence_5 = { 03c1 99 f7f9 8bf2 83c608 85f6 7e42 } - $sequence_6 = { 33ff 99 59 f7f9 8bc2 03c1 99 } - $sequence_7 = { aa 53 8d442414 50 ff15???????? 8d442410 68???????? } - $sequence_8 = { 880c30 40 0fb64dfc 8a89d8302700 880c30 40 0fb6ca } - $sequence_9 = { 83c42c 0005???????? bd???????? 
bb04010000 55 53 } + $sequence_0 = { e8???????? 59 59 ff7528 8d7508 8d8500ffffff } + $sequence_1 = { 8bc6 c1f905 83e01f 8b0c8d007d2700 8d04c0 f644810401 741d } + $sequence_2 = { 8901 83c213 83c104 4e 75ed 5e } + $sequence_3 = { 7cf1 393d???????? 7520 53 b9???????? b800020000 } + $sequence_4 = { 3c2f 7404 3c2d 7513 8b4df4 03cb 8801 } + $sequence_5 = { e8???????? 85c0 744c 8b400c 6a04 } + $sequence_6 = { e8???????? 83f8ff 8945f8 0f8498010000 68???????? } + $sequence_7 = { 50 e8???????? 59 8d8500ffffff 59 ff7508 8bce } + $sequence_8 = { 3b0d???????? 57 7358 8bc1 c1f805 8d3c85007d2700 8bc1 } + $sequence_9 = { 47 83f80b 0f8777020000 ff248534e32600 80fb31 7c0c 80fb39 } condition: 7 of them and filesize < 229376 
@@ -107139,36 +107544,36 @@ rule MALPEDIA_Win_Contopee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "271fdd0d-6160-55c0-9abb-0c6806deb383" - date = "2026-01-05" - modified = "2026-01-06" + id = "2bf0f1e6-9717-50fa-9903-a8a0e1dfe7c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.contopee_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.contopee_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "0ddd8fa512c666b7cb8e2d0e6704c228e8798333540020ddb32d384a50fcb44c" + logic_hash = "790f812cd9c84ee7362105ba0ebd24a0076fd34b2aa8dd207748817bf8a44a6c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b35???????? 8d4c2414 6a5c 51 } - $sequence_1 = { 8d4c2414 6a5c 51 ffd6 83c410 85c0 7411 } - $sequence_2 = { 84c0 752f a0???????? 84c0 7409 } - $sequence_3 = { c1ea18 33c3 8b1c9530ea0010 33c3 8b1c8d30f60010 33c3 } - $sequence_4 = { c3 68b80b0000 ff15???????? e8???????? 8bd8 85db 0f8514010000 } + $sequence_0 = { 83c410 55 53 6a03 6a00 68???????? 51 } + $sequence_1 = { ff5208 8b17 8b842420010000 8b0e 52 50 } + $sequence_2 = { 8d542410 51 52 8d842470040000 6a00 } + $sequence_3 = { 51 e8???????? e9???????? 
56 8d542414 53 52 } + $sequence_4 = { 8d0480 6a00 8d0c80 8a842428010000 c1e103 84c0 894c2410 } $sequence_5 = { c1e807 33d2 8a9094130110 8bc2 66ff848688090000 8b869c160000 8b96a0160000 } - $sequence_6 = { 668b88780a0110 898a8c000000 33c9 668b887c0a0110 898a90000000 33c9 668b887e0a0110 } - $sequence_7 = { 5b 81c418010000 c3 56 68???????? 6a00 } - $sequence_8 = { 7563 8b4c2410 8d442400 56 50 8d1409 8b4c2414 } - $sequence_9 = { b980000000 33c0 8d7c241c 6a1e } + $sequence_6 = { 8b542420 8b442424 89542418 8944241c eb0a ff15???????? 89442410 } + $sequence_7 = { 6a00 ff15???????? 8d85f8feffff 6883000000 } + $sequence_8 = { 8d4c2424 50 53 53 51 ff15???????? 83c410 } + $sequence_9 = { 8b9c2428020000 6685db 0f84b7000000 6a06 6a01 } condition: 7 of them and filesize < 180224 
@@ -107178,42 +107583,42 @@ rule MALPEDIA_Win_Cutwail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cbc2bf28-da14-5ea8-8af9-9a0a97c6e135" - date = "2026-01-05" - modified = "2026-01-06" + id = "eea8ff8c-659d-53c6-ba40-7e6c1cb830a4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cutwail_auto.yar#L1-L159" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cutwail_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "9ba6db86559b6188867d3264363e179bc81f3f3f5481bc0c2638242b1cc71cd8" + logic_hash = "64a1d594a214511f18b2a6e40609e44221969e5f0d57684c53fed96318491e02" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f849d000000 ff7510 e8???????? 59 } - $sequence_1 = { eb14 8b55fc 0355f8 8955fc } - $sequence_2 = { 59 7506 891d???????? 53 57 } - $sequence_3 = { 833800 7511 837df800 7e0b } - $sequence_4 = { 6a66 8d8d90f1ffff e8???????? 03c3 } - $sequence_5 = { 57 ff755c 03c8 51 e8???????? } - $sequence_6 = { 895104 8b8550feffff c7400800c02004 6a00 6a00 } - $sequence_7 = { e8???????? 894604 8b4610 57 } - $sequence_8 = { 8bec 81ecc4010000 8d8570feffff 50 6802020000 e8???????? 85c0 } - $sequence_9 = { 51 e8???????? 83c410 8985ecfdffff } - $sequence_10 = { 1bc0 f7d0 234554 e9???????? 
} - $sequence_11 = { 6bc912 56 ff742428 8981feb71513 } - $sequence_12 = { 8b95e4fdffff 52 8d85f8fdffff 50 e8???????? 83c408 } - $sequence_13 = { 53 53 6a02 e8???????? 894558 } - $sequence_14 = { c7854cfeffff00000000 eb0f 8b954cfeffff 83c201 89954cfeffff 83bd4cfeffff03 0f8db5000000 } - $sequence_15 = { 0f8d23010000 6800020000 6a00 8d95f8fdffff 52 } + $sequence_0 = { 6a01 6a19 8b85e8fdffff 8b0c8500f62004 51 e8???????? } + $sequence_1 = { 7d04 32c0 eb7d c745fc00000000 837d1000 } + $sequence_2 = { 5e 5b c20800 837c24140c 752f } + $sequence_3 = { 6a38 8d4dae 8d7c031c e8???????? 83c004 } + $sequence_4 = { 894500 8bc2 c1e808 23c6 } + $sequence_5 = { 52 e8???????? 83c408 6a0c e8???????? 83c404 } + $sequence_6 = { 837d0800 745e 837d0c00 7458 c745f800000000 eb09 } + $sequence_7 = { 81ec28020000 c745fc00000000 c745f803000000 c785f4fdffff00000000 eb0f 8b85f4fdffff 83c001 } + $sequence_8 = { 83c41c 3bfb 751d 68ca000000 } + $sequence_9 = { 8b5508 52 e8???????? 8945f8 837d1800 } + $sequence_10 = { 8b08 83c41c ff75e0 6848ec6814 } + $sequence_11 = { 33f6 897524 897538 c6455d00 e9???????? } + $sequence_12 = { 8945fc 8b4dfc 833900 0f84ba000000 c745f000000000 817df096000000 0f87a6000000 } + $sequence_13 = { c3 57 8b7810 53 } + $sequence_14 = { 8b4df8 3b4d0c 7d2e 8d55f0 52 } + $sequence_15 = { c3 50 ffd6 ff35???????? } condition: 7 of them and filesize < 262144 
@@ -107223,42 +107628,42 @@ rule MALPEDIA_Win_Hookinjex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e24b7d8d-57d5-5a71-8e95-7d0e69957252" - date = "2026-01-05" - modified = "2026-01-06" + id = "6385dde8-624c-514b-bb96-9ff5cf533f59" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hookinjex_auto.yar#L1-L153" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hookinjex_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "26e9369b12553b0bff21d81ce8a2563735cb73daf51c3e0b22c3fdadcf7df76a" + logic_hash = "8b5978d841c2c299aa3bc46f09ebde613570c1399a00f3fbd52b2f8b830a15d9" score = 60 quality = 25 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? b80a020000 eb02 33c0 } - $sequence_1 = { e8???????? 85c0 750f b9ab480100 } - $sequence_2 = { e8???????? b95b730100 e8???????? e9???????? } - $sequence_3 = { e8???????? 833d????????00 7411 b903000000 e8???????? 488905???????? } - $sequence_4 = { e8???????? 85c0 740f b907b60000 } - $sequence_5 = { e8???????? b964000000 ff15???????? 0fb705???????? } - $sequence_6 = { e8???????? 833d????????00 7411 b906000000 e8???????? 488905???????? } - $sequence_7 = { e8???????? 
85c0 740c b913e40000 } - $sequence_8 = { 4883780800 7512 488b442450 8b00 } - $sequence_9 = { 0f843d010000 488b442440 488b4c2470 488b4920 } - $sequence_10 = { 25ff9fffff 89442420 8b442420 89442448 } - $sequence_11 = { 03442460 488b4c2468 8901 e9???????? 488b542470 488d4c2430 } - $sequence_12 = { 25ffe7ffff 0fbae80b 8944243c 8b44243c } - $sequence_13 = { 25ffe7ffff 0fbae80b 89442420 8b442420 89442468 } - $sequence_14 = { 25ff0f0000 89442448 488b0d???????? 48894c2450 } - $sequence_15 = { 25ffe7ffff 0fbae80b 8944245c 8b44245c } + $sequence_0 = { e8???????? 85c0 750f b948560100 } + $sequence_1 = { e8???????? 833d????????00 7411 b906000000 e8???????? 488905???????? } + $sequence_2 = { e8???????? 85c0 740f b98ce50000 } + $sequence_3 = { e8???????? b95b730100 e8???????? e9???????? } + $sequence_4 = { e8???????? 833d????????00 7411 b903000000 e8???????? 488905???????? } + $sequence_5 = { e8???????? 85c0 740c b913e40000 } + $sequence_6 = { e8???????? 85c0 7408 803b00 } + $sequence_7 = { e8???????? b964000000 ff15???????? 0fb705???????? } + $sequence_8 = { 4889442470 488d442478 4889842490000000 488d8424b0000000 } + $sequence_9 = { 483908 7451 ba03000000 488d4c2444 } + $sequence_10 = { 4889442470 488b8c24b0000000 e8???????? 488b8c24b8000000 } + $sequence_11 = { 0f8c75020000 488b05???????? 0fbe00 83f85a } + $sequence_12 = { 4889442470 488b8c2490000000 e8???????? 90 488b4c2470 } + $sequence_13 = { 4889442478 41b020 488d9424d8000000 488d4c2460 } + $sequence_14 = { 4883780800 7512 488b442450 8b00 } + $sequence_15 = { 4889442470 488d542430 488b8c24c0000000 e8???????? } condition: 7 of them and filesize < 6545408 
@@ -107268,36 +107673,36 @@ rule MALPEDIA_Win_Rerdom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "241210bd-111a-5707-8897-9f53944f382f" - date = "2026-01-05" - modified = "2026-01-06" + id = "501fef49-f4ef-5ba3-9b54-b6efe6f3e9cd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rerdom_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rerdom_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "e2884a0afa7a1b2f6c9a54d86366aeef6787f3f56ae7efd9ba84c1b1c522c12e" + logic_hash = "4950604860bcc15ae559947ccedcc1cf6898fc775c612ba18d8a65acb58eb3d9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 72f0 8bc3 e8???????? 8d45e4 50 ff15???????? 8b4510 } - $sequence_1 = { 7406 c70003010000 85db 740f 53 ff742408 e8???????? } - $sequence_2 = { 754d 8b4604 3bc3 7346 3b4608 7341 } - $sequence_3 = { 743d 83fb09 7338 8d4704 56 50 8945fc } - $sequence_4 = { 894618 85c0 0f84c8000000 a1???????? 85c0 7522 68???????? } - $sequence_5 = { 750a 8d75ec e8???????? ebb8 b001 5e } - $sequence_6 = { b8???????? 8bcb e8???????? 3bc6 0f8419ffffff 57 b8???????? } - $sequence_7 = { 05???????? 50 8d44247c 50 e8???????? 
8b442420 2b442424 } - $sequence_8 = { 8b45fc c9 c20c00 55 8bec 56 8d4508 } - $sequence_9 = { 0f849c000000 e8???????? 8bf8 85ff 0f8489000000 8b44240c 8b88f0000000 } + $sequence_0 = { 83ec50 53 56 8bf2 33db 8bd1 8d45dc } + $sequence_1 = { 5a 66891448 5e 5d 5b c3 33c0 } + $sequence_2 = { 8b864c010000 6a00 ff3407 ff15???????? 8b864c010000 ff3407 ffd3 } + $sequence_3 = { 55 8bec 81ec1c020000 53 8b5d10 33d2 33c0 } + $sequence_4 = { 53 68a5000000 6805020000 ff75f8 8d45ac 50 } + $sequence_5 = { 85c0 7421 8b8fd4000000 33d2 42 89560c 83f9ff } + $sequence_6 = { 83c404 5e 5d c22400 55 8bec } + $sequence_7 = { 56 8d8578feffff eb0b 6800010000 8d858cfeffff 57 50 } + $sequence_8 = { 33c0 40 ebf8 8b15???????? 56 85d2 742b } + $sequence_9 = { 6a02 8975f4 895df8 ff15???????? 2bc7 7412 48 } condition: 7 of them and filesize < 352256 
@@ -107307,36 +107712,36 @@ rule MALPEDIA_Win_Graphican_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "306b4097-e66d-555f-a881-23bb9c0b513c" - date = "2026-01-05" - modified = "2026-01-06" + id = "76413713-6e90-5650-baea-04a93c9b93bf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.graphican_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.graphican_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "4ea64380581d8093475f0f95452d6256bbd394365c1616fdf688ce08e91d23e0" + logic_hash = "cb6e78f9c38a663086f503ccea9d5f7e35a7ef66358191371f08c149c20e5232" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bbed0030000 8b5dfc 2bf8 8d04fa 8b51fc 8b7de8 899486e8010000 } - $sequence_1 = { 757b 8b4d0c 57 8b7d08 8955fc 894d08 85c0 } - $sequence_2 = { 57 c785f0dfffff00000000 ff15???????? 
8b85ecdfffff 8b8df0dfffff 53 50 } - $sequence_3 = { 8b7de8 899486e8010000 8b45ec 40 43 } - $sequence_4 = { 897dc0 3c30 7c04 3c39 7e4b 8b5d08 397318 } - $sequence_5 = { 746d 53 8d9ef4030000 807e0400 8bc3 7428 33d2 } - $sequence_6 = { 5e c3 33c0 33d2 85c0 5f 0f94c0 } - $sequence_7 = { 8b4148 ffd0 8b7dc0 33f6 895dc8 895dc4 } - $sequence_8 = { 8b10 50 8b4208 ffd0 8b45c8 3bc3 } - $sequence_9 = { 83c40c 50 e8???????? 8bf8 83c404 } + $sequence_0 = { 56 57 8d7818 8b4710 2b470c 83f810 7d05 } + $sequence_1 = { ffd0 85c0 7846 8b85d0efffff 8b08 8d95c8efffff 52 } + $sequence_2 = { 837e1800 7521 8bd7 e8???????? 837e1800 7514 8b07 } + $sequence_3 = { 68???????? 68???????? e8???????? 83c40c c7431809000000 89731c 837b1800 } + $sequence_4 = { 7517 8b45fc ff07 40 8945fc 83f804 } + $sequence_5 = { 83c408 85c0 7428 53 e8???????? 83c404 83bde8efffff10 } + $sequence_6 = { 3c30 7c24 3c39 7f1a 0fbec0 83e830 8945e0 } + $sequence_7 = { 8bec 53 8b1d???????? 6a00 6a00 6a00 6a00 } + $sequence_8 = { 5f b001 5e c3 8bd7 83fe04 } + $sequence_9 = { e8???????? 83c40c c7431809000000 89731c } condition: 7 of them and filesize < 362496 
@@ -107346,36 +107751,36 @@ rule MALPEDIA_Win_Jinxloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bf4fed28-9df0-5c07-919b-e147a3bf2a61" - date = "2026-01-05" - modified = "2026-01-06" + id = "9a48b65c-2235-59b3-8d49-b7effc0193d2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jinxloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jinxloader_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jinxloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "a80dddab53cddfaf6005da20443003f999792e56e65e502c4cb3050695796046" + logic_hash = "e33765fa3afc3e11787f91585502fa4d2b6c43343e17837b2868a920a5a99129" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 0f10442440 90 488b8c2488000000 0f1101 0f10442450 0f114110 } - $sequence_1 = { e8???????? 488b942498000000 498913 488910 48c7401802000000 4c8d0521e42000 4c894010 } - $sequence_2 = { e8???????? 488b9424c8020000 498913 488d5818 488bb080000000 49897308 488bb424c0020000 } - $sequence_3 = { eb21 488d7e58 90 eb1a 488d7e38 eb14 488d7e38 } - $sequence_4 = { c3 31c0 4889fb 4889f1 4881c408010000 5d c3 } - $sequence_5 = { b801000000 4881c430010000 5d c3 488b8424f0000000 4883c010 488b4c2450 } - $sequence_6 = { e8???????? 833d????????00 750a 488b8c2448170000 eb10 e8???????? 
488b8c2448170000 } - $sequence_7 = { eb0d e8???????? 488b542440 498913 48895018 488d1d78464b00 4889c1 } - $sequence_8 = { f20f11442428 f20f104808 f20f114c2420 e8???????? 488b442458 488b5c2418 e8???????? } - $sequence_9 = { e8???????? 488d8424d0000000 488b9c2408020000 488b4c2458 488bbc2418020000 e8???????? 488d8424d0000000 } + $sequence_0 = { e8???????? 488b542460 488b7a08 488b7210 4c8b4218 90 4889f8 } + $sequence_1 = { 55 4889e5 4883ec38 48ba75739294b2366a91 488954242a 48ba6a917288a2a5d16f 4889542430 } + $sequence_2 = { e8???????? 48895c2418 48898424f0000000 90 488d0542f42500 6690 e8???????? } + $sequence_3 = { 90 e8???????? 488b4c2478 4839c8 7351 488b4c2440 8b5104 } + $sequence_4 = { ffd7 488b4c2418 48ffc1 488b442470 488b542438 488b5c2478 488bb42488000000 } + $sequence_5 = { 89f7 31d6 8d3430 8d76b4 4883fa1d 7337 440fb644141b } + $sequence_6 = { eb03 4889ca 4889942418040000 488b942400030000 4889942420040000 488d8c2418040000 bf01000000 } + $sequence_7 = { e8???????? 4889c1 4889df 488d05eea11700 488b9c24b8000000 e8???????? 488b8424c8000000 } + $sequence_8 = { b871000000 ffd1 488b08 4889c2 b88effffff ffd1 488b08 } + $sequence_9 = { e8???????? 8b4c2458 8908 488b4c2450 48894c2438 4889442430 488b4c2460 } condition: 7 of them and filesize < 20364288 
@@ -107385,36 +107790,36 @@ rule MALPEDIA_Win_Blister_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fe50a609-9d69-50d8-9407-cc1bb662c99e" - date = "2026-01-05" - modified = "2026-01-06" + id = "fbc2d920-5fb8-5ad9-bf2e-3af31da9e4af" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blister_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blister_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "bbff3501a1abd67d694ed63bda3afb810ae6150a68deb6d717b382978b46ad0d" + logic_hash = "7de3c9a41a790075aafc1fd0e94df558567f780f07ee3eb42ee4b4d7869861df" score = 60 quality = 25 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 8b5d10 56 8b750c 57 33ff 6a02 } - $sequence_1 = { 50 c745c03c000000 c745c400020000 c745cce4301717 c745dc05000000 ff15???????? } - $sequence_2 = { 7507 bf0e000780 eb34 8365f400 ff750c 33c0 } - $sequence_3 = { 7d06 33c0 33ff eb03 8b45f4 8945fc } - $sequence_4 = { 50 8d8584fcffff 50 ffb580fcffff 8d856cfcffff ffb578fcffff 50 } - $sequence_5 = { ff32 ff15???????? 83f8ff 7507 b805400080 eb02 33c0 } - $sequence_6 = { ff7508 6813100000 ff36 ffd7 6a03 58 8945d4 } - $sequence_7 = { e8???????? 57 8bce 894508 e8???????? 
5f 5e } - $sequence_8 = { 85f6 7507 b857000780 eb45 832600 6a38 8d45c8 } - $sequence_9 = { e8???????? 8bce e8???????? 8bd8 85db 7d0f } + $sequence_0 = { 750b 8b450c 832000 33c0 40 eb02 33c0 } + $sequence_1 = { 89b5a4f7ffff ff37 ff77fc e8???????? 3bc6 8985a8f7ffff } + $sequence_2 = { 50 ff75ec ff75f8 ff75f0 ff15???????? 85c0 7507 } + $sequence_3 = { 8b8c3d2cf7ffff 8d85a0f7ffff 50 ffb5a4f7ffff e8???????? 3bc6 8985a8f7ffff } + $sequence_4 = { 8b4004 ff34b8 8d45f4 ff75f0 50 e8???????? } + $sequence_5 = { 0fb700 ff750c 50 ff15???????? 47 3b7e24 7ce5 } + $sequence_6 = { 8d4dec e8???????? 8d4de4 e8???????? 8d4df4 e8???????? 53 } + $sequence_7 = { 56 b800010000 57 8bf8 eb28 ff750c ff7508 } + $sequence_8 = { ab 895dd0 894dd4 894ddc ab 395e0c } + $sequence_9 = { 8b00 eb02 33c0 3985a4f7ffff 0f8dcd000000 8d85ccfbffff 50 } condition: 7 of them and filesize < 1822720 
@@ -107424,36 +107829,36 @@ rule MALPEDIA_Win_Webc2_Qbp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9750d3af-ce6a-5fd6-82be-e974a57fe309" - date = "2026-01-05" - modified = "2026-01-06" + id = "06ba101e-9797-5160-8466-c700bf70efc4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_qbp_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_qbp_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "29a4c00125a8c7fc3f2d53e8e3fdae1793d32ea093da5da3654341cbb647aaec" + logic_hash = "cb136ce0e6dd81740d74a10fce0e11de9647a6f524e85eac23a0cac8bc2b19b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7f12 8b4508 0345fc 33c9 8a08 83e930 894df4 } - $sequence_1 = { 25ffff0000 2500800000 c1f80f 8be5 5d c3 55 } - $sequence_2 = { 8b5508 52 ff15???????? 8d85f0feffff 50 } - $sequence_3 = { 0fbf94414c520000 81fa00100000 7505 e9???????? 0fbf4508 8b4df8 } - $sequence_4 = { 81e1ff000000 51 8b4de4 e8???????? } - $sequence_5 = { aa 837d0800 7564 6800010000 6a00 8d85ecfdffff 50 } - $sequence_6 = { 66898c5038770000 0fbf55f0 8b45ec 668b8c50907e0000 66894df8 } - $sequence_7 = { 668b9176830000 668955fc 8b45f8 668b8876830000 66d1e1 8b55f8 } - $sequence_8 = { 66050100 668945f4 e9???????? 
66c745f80000 66c745f43a01 eb18 } - $sequence_9 = { 0fbf5508 0fbf45fc 8b4df8 8b75f8 668b945648100000 6689944148100000 } + $sequence_0 = { e9???????? 8b85f0feffff 8d4c0001 898dd8fcffff } + $sequence_1 = { 668b84464e720000 6689844a4e720000 0fbf4df0 8b55ec 668b45f4 6689844a4e720000 0fbf4d08 } + $sequence_2 = { 83c404 33c0 e9???????? 8b85d8fcffff } + $sequence_3 = { 8b4df0 83e901 894df0 837df000 7e21 8b55f8 83e201 } + $sequence_4 = { 6a03 68???????? 8b4508 50 ff15???????? 83c40c 85c0 } + $sequence_5 = { 8b75ec 668b84464e720000 6689844a4e720000 0fbf4df0 8b55ec } + $sequence_6 = { ff15???????? 8945e4 837de4ff 7511 8b4de8 51 ff15???????? } + $sequence_7 = { 66898c504a300000 eb1e 0fbf55fc 8b45e8 0fbf8c504c520000 } + $sequence_8 = { 81c173020000 0fbf55fc 8b45f4 66898c50907e0000 0fbf4dfc 8b55f4 668b45fc } + $sequence_9 = { 0fbf5508 8b45ec 668b8c501c7c0000 66894d08 0fbf5508 8b45ec 668b8c504e720000 } condition: 7 of them and filesize < 630784 @@ -107464,10 +107869,10 @@ rule MALPEDIA_Win_Darkmoon_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "39d28dd7-0564-597d-bdac-de621314fd7d" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkmoon_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkmoon_auto.yar#L1-L122" license_url = "N/A" logic_hash = "b873ed88e28a76ea623543146de01af6abe20197674c7ea051692aae659c4969" score = 75 
@@ -107476,9 +107881,9 @@ rule MALPEDIA_Win_Darkmoon_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -107502,35 +107907,35 @@ rule MALPEDIA_Win_Shadowpad_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c1faf29-7964-56d7-af15-c1e6eca3ddc5" - date = "2026-01-05" - modified = "2026-01-06" + id = "95e6e021-1160-5a82-b243-e0bd486f08d2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shadowpad_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shadowpad_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "f49d5d94105b284c3bf5a2bc14ecce3430da1255366e6df534c457baba4feead" + logic_hash = "1156ccfa88c008fbc9b2060defadcc28f5235ebeeee5fdeaa68e1a029546b728" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf0 e8???????? 50 ffd7 8d75d0 8945ec } - $sequence_1 = { a80f 0f85c4000000 68f40f0000 8d45ec 50 8d4b0c } - $sequence_2 = { 3b450c 0f8d85000000 41 51 8d45e0 e8???????? } - $sequence_3 = { 53 56 33db 57 33d2 eb2d } - $sequence_4 = { 894df8 890e 3803 7439 8b06 } - $sequence_5 = { 88144b 8a0408 8b560c c0e804 046a 88444a01 } - $sequence_6 = { c20400 55 8bec 53 57 ff7508 ff15???????? } - $sequence_7 = { 8bec 51 8a4201 8845ff } - $sequence_8 = { 33c0 8d4de8 e8???????? 8b7de0 8bc3 50 } + $sequence_0 = { 8b400c 83ec0c 53 56 33db } + $sequence_1 = { ff75f4 50 e8???????? 
8d45e0 50 ff75e8 } + $sequence_2 = { 8d75c0 e8???????? 8d4590 50 8d45c0 } + $sequence_3 = { 7cae ff7514 8d45d8 50 8975d8 } + $sequence_4 = { 47 3bfe 72e5 8d45bc 50 } + $sequence_5 = { 50 6a04 5f e8???????? 85c0 75ae 8d4310 } + $sequence_6 = { 83ec24 53 56 57 33ff 393d???????? } + $sequence_7 = { e8???????? 8b45e8 6a02 5b } + $sequence_8 = { 8b7508 33c0 50 83c648 8945c0 } $sequence_9 = { 32d1 46 8810 3b7508 0f8c74ffffff 5f } condition: 
@@ -107541,75 +107946,114 @@ rule MALPEDIA_Win_Session_Manager_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0581ea0a-3bb4-5759-b879-c839f5bdbdad" - date = "2026-01-05" - modified = "2026-01-06" + id = "3ac5c176-1ce7-5216-9a06-a6ce933fc3b7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.session_manager_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.session_manager_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "02f9d1668e1984de7209fb8203b706bf8fb13f2ad60ed57c78494704eeede860" + logic_hash = "57955d7da820e57ef7256c18ada79aa30b0281e111c371329681872a8912a1af" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bca 4c8d0579970100 83e13f 488bc2 } - $sequence_1 = { 4c89b8701c0000 4c89b8781c0000 4c89b8801c0000 4c89b8881c0000 4c89b8901c0000 4c89b8981c0000 4c89b8a01c0000 } - $sequence_2 = { 4c89b8c01a0000 4c89b8c81a0000 4c89b8d01a0000 4c89b8d81a0000 4c89b8e01a0000 4c89b8e81a0000 } - $sequence_3 = { 0f84d6000000 4c8d155b7e0100 41b90a000000 4b8b04fa } - $sequence_4 = { 4c89b8981d0000 4c89b8a01d0000 4c89b8a81d0000 4c89b8b01d0000 4c89b8b81d0000 4c89b8c01d0000 } - $sequence_5 = { 488b45d8 488908 488d0d6d720100 488b45d8 8990a8030000 488b45d8 48898888000000 } - 
$sequence_6 = { 4c89b850130000 4c89b858130000 4c89b860130000 4c89b868130000 } - $sequence_7 = { 90 4c8d4001 41b901000000 488d1592df0100 488d4dd7 e8???????? } - $sequence_8 = { 488d1559e10100 488bcf ff5018 48c7452f0f000000 48897527 } - $sequence_9 = { 4c89b818080000 4c89b820080000 4c89b828080000 4c89b830080000 4c89b838080000 4c89b840080000 } + $sequence_0 = { ff15???????? 488d0df01d0200 ff15???????? 488d0d3b1c0200 ff15???????? ff15???????? } + $sequence_1 = { 53 4883ec20 488d1d8cd40100 488b0b } + $sequence_2 = { 4c89b8b8070000 4c89b8c0070000 4c89b8c8070000 4c89b8d0070000 4c89b8d8070000 4c89b8e0070000 } + $sequence_3 = { 4c89b818080000 4c89b820080000 4c89b828080000 4c89b830080000 4c89b838080000 } + $sequence_4 = { 7819 498b06 498bce ff5018 488b10 488bc8 ff9290000000 } + $sequence_5 = { 488bda 488bf9 48894c2470 4883791810 7203 } + $sequence_6 = { 41b800040000 488d8d10010000 e8???????? 488bd8 488d8510010000 } + $sequence_7 = { 4c89b8f00a0000 4c89b8f80a0000 4c89b8000b0000 4c89b8080b0000 } + $sequence_8 = { 418bdf 4c8d0dc254ffff 4885db 750d 488bc7 498784f1e0820200 eb25 } + $sequence_9 = { 4c89b830060000 4c89b838060000 4c89b840060000 4c89b848060000 } condition: 7 of them and filesize < 372736 } +rule MALPEDIA_Win_Arcane_Stealer_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "deec17f9-1753-58d2-ae1d-69e668170595" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arcane_stealer" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.arcane_stealer_auto.yar#L1-L130" + license_url = "N/A" + logic_hash = "446259c594d7c1601e598908e728329533aa47fb79167a90a870bb65dc3dd7c7" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = 
"20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 44894c2474 e8???????? ba07010000 488dbc2400100000 4889f9 4c8d05f9b50000 48895c2458 } + $sequence_1 = { 415e 415f c3 4c8b4c2468 0f57c0 0f11442428 4c89642420 } + $sequence_2 = { 4989c7 4801c0 4939ef 72f5 4c89f1 4c89fa } + $sequence_3 = { ba20000000 4889f1 e8???????? eb07 488d35bae30000 4889f1 ff15???????? } + $sequence_4 = { 41b840040000 4889d9 31d2 e8???????? 4889f9 31d2 4531c0 } + $sequence_5 = { 488b4c2448 31d2 ff15???????? 488d4c2450 e8???????? 488d4c2430 e8???????? } + $sequence_6 = { 89542430 89442428 894c2420 ba40000000 488d8c24b0030000 4c8d0549f80000 e8???????? } + $sequence_7 = { 74ed 4c89f1 e8???????? 4989c7 4889d9 4c89f2 4989c0 } + $sequence_8 = { 7420 4a8b8c3430010000 4885c9 74ea e8???????? } + $sequence_9 = { 85c0 7442 488b8424a0000000 448b4808 8b400c 410fb7c9 } + + condition: + 7 of them and filesize < 346112 +} rule MALPEDIA_Win_New_Ct_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "df99256a-ac37-54eb-b09f-1730ead584e4" - date = "2026-01-05" - modified = "2026-01-06" + id = "88f07530-97d0-5f7a-b346-d7d071307942" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.new_ct_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.new_ct_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "9eac271e285948f56968d4730b1030e87fbe78a87c978d4507ea0ec6208dc34d" + logic_hash = "3492ecd8e5da3fc8983fe7c0434cdd459b4e24bb77a5e66e6ae4cc8a816fdc7f" score = 75 quality = 75 tags = "FILE" version = "1" 
tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7428 a1???????? 8d8c2478020000 50 68???????? 68???????? } - $sequence_1 = { 83fe06 0f8f1f010000 83fe03 0f8e16010000 8b4508 803805 0f850a010000 } - $sequence_2 = { 81ec00040000 53 56 6888030000 33db } - $sequence_3 = { 8b8680030000 8d542414 52 03c7 6800400000 50 53 } - $sequence_4 = { 68???????? 8bce e8???????? 89b5b0f3ffff 89b5b4f3ffff 85f6 7410 } - $sequence_5 = { 8944242c 8d542430 89442430 51 89442438 52 89442440 } - $sequence_6 = { 50 68???????? 6a10 68???????? ffd3 } - $sequence_7 = { f3a4 8dbdccfdffff 83c9ff 33c0 f2ae f7d1 49 } - $sequence_8 = { 8b5508 8b420c 85c0 740f 8985c8f6ffff 50 } - $sequence_9 = { f3a4 b900010000 8dbc2470020000 f3ab } + $sequence_0 = { e8???????? 8dbc2470020000 83c9ff 33c0 f2ae f7d1 } + $sequence_1 = { c684245801000000 f3ab 66ab aa b97f000000 33c0 8dbc2459010000 } + $sequence_2 = { 52 ff15???????? 8985c4fbffff 83f8ff } + $sequence_3 = { 89b5e4efffff 899de8efffff 8b520c 85d2 740f } + $sequence_4 = { 8b02 8b08 894c2414 ff15???????? 668944240e 8b4604 } + $sequence_5 = { 85db 7507 bf???????? eb1b 83fb01 } + $sequence_6 = { 5b 81c40c060000 c20c00 8bbc2420060000 83c9ff } + $sequence_7 = { 89742420 f2ae f7d1 8d442430 49 50 89742430 } + $sequence_8 = { 50 6a00 6a00 68???????? 6a00 68???????? ff15???????? } + $sequence_9 = { 5b 81c4680f0000 c21400 8b4c2410 8d1409 899684030000 eb11 } condition: 7 of them and filesize < 122880 
@@ -107619,36 +108063,36 @@ rule MALPEDIA_Win_Fakerean_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b6d4199-0c17-5326-ad0f-5be4f4e0c769" - date = "2026-01-05" - modified = "2026-01-06" + id = "45156ef6-1ddc-53be-a40e-9a09b692be93" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fakerean_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fakerean_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "697015d76e682efb24cb879c686000a5c02640696936de86fa6c90584950d55f" + logic_hash = "3a37dfdb60cc89dc2591ac6f557cc84926b59d10e42bfe03813160b85d0b1324" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7508 898348030000 ff15???????? 5f 5e 5b c9 } - $sequence_1 = { 50 e8???????? 83c40c 8b4640 2b4638 85c0 7f1c } - $sequence_2 = { ff15???????? a1???????? 8b08 6a01 ff35???????? 50 ff5128 } - $sequence_3 = { 8845f8 84c9 7419 8b4508 0345fc 0fb6d9 } - $sequence_4 = { 8d45f0 50 ff7608 ff15???????? 83f801 743e 83f802 } - $sequence_5 = { e8???????? 83c428 8935???????? 
5f 5e c9 c3 } - $sequence_6 = { 8b45f0 eb03 8b45ec 8945f8 eb1d 8b45fc ebf6 } + $sequence_0 = { 53 6a06 6a04 53 6a01 68000000c0 } + $sequence_1 = { 7506 89968c040000 0fb7c1 399e88040000 740e bac8000000 } + $sequence_2 = { 8975fc 56 6a02 ff15???????? 8bf0 83feff 7465 } + $sequence_3 = { 384dda 753b 83bdc4feffff05 751a 83f802 752d } + $sequence_4 = { 53 bbeb010000 53 50 ff15???????? 53 ff35???????? } + $sequence_5 = { 0f84d6feffff 6a12 e9???????? 83fe7b 0f8512ffffff 8b9358010000 8bc7 } + $sequence_6 = { c3 53 57 8d8608290100 50 } $sequence_7 = { 8bc2 ab ab ab ab 6a08 59 } - $sequence_8 = { c6450f30 eb0f 83fe01 0f95c0 fec8 2420 0441 } - $sequence_9 = { f7fb 83c230 668911 03cf 397d0c 7512 85c0 } + $sequence_8 = { 33c0 398bf0030000 eb38 83fe6f 750f 8bb3f8030000 f7de } + $sequence_9 = { ff15???????? 85c0 0f84ac000000 8b45ec } condition: 7 of them and filesize < 4071424 
@@ -107658,36 +108102,36 @@ rule MALPEDIA_Win_Atlantida_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "449807de-c2d1-5bb0-a23b-6b1bb9a18e58" - date = "2026-01-05" - modified = "2026-01-06" + id = "d0ff3011-2574-579c-b095-c8e52ea9b664" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlantida" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atlantida_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atlantida_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "5a71a5b3ff4a38d6154af29c3b9c4fd13de9adafd3282b12a56385b9c3f01092" + logic_hash = "6618f7d3df9f19fc9e20bc9d09a7f245a55b15399a81cb4ebcd6bce5c256b3a8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7d8 33d9 03f1 c1f2eb c1b454002000f03f 668b840780fd47a1 0fb68c54002000f0 } - $sequence_1 = { e9???????? f7d2 66d1e8 0fca 0f81cb3a0a00 33da 59 } - $sequence_2 = { f6d9 d0c9 80e9b9 fec0 fec0 c1c20c 32d9 } - $sequence_3 = { f7da fec0 f6d0 42 6698 e8???????? 0f34 } - $sequence_4 = { f7d2 66898c8706fefdff 0fbeca 8b144f f6d8 0fabc0 d2c1 } - $sequence_5 = { ffc7 6641 d1c7 6645 0fc1d5 48 99 } - $sequence_6 = { ff5315 14a8 6292bfc572de 1ad7 381d???????? 50 a9dac0aaf7 } - $sequence_7 = { e8???????? 
8b442500 ba90b9872b 80e298 8d0c55ad51af3f 8b8c55e48cf0a8 661bd2 } - $sequence_8 = { fec0 33d3 6633c9 2d0066b83d 35a05ea552 42 f7da } - $sequence_9 = { f7d8 33d8 0fca 66c1f90b 0f878f9f1200 03f0 660fa3d1 } + $sequence_0 = { d0c2 80f20a 0bc1 33c8 f6da 32da 23c0 } + $sequence_1 = { ffe2 8b17 b8ae3fbb95 660fb60c22 66894c2702 0fbfc8 8b8c314ec0ffff } + $sequence_2 = { ffe6 f7d9 f7d1 41 0fbef5 4a c7843c6ceb46ec07f22abc } + $sequence_3 = { e9???????? d3840c9e29cbff 8994483c5396ff 8bd1 23ca 5a 8b940da629cbff } + $sequence_4 = { ff742400 9d 48 8d642408 e8???????? b9336dacca f7d9 } + $sequence_5 = { e8???????? 4a 51 66c1f8a7 89840c0600a1e9 f7d2 13d0 } + $sequence_6 = { ffe0 8a943a1e001185 f6d0 0fa3c9 51 66194c2410 f6d2 } + $sequence_7 = { ffce 51 0f8f9f51eaff 8bbc1c7c69e2ac e8???????? ffc7 81e292291ace } + $sequence_8 = { ffc7 4a 8d8c361e280a7a 4e 23ac6c92feadb6 4e 898c6ca2feadb6 } + $sequence_9 = { ff75e8 c645cc00 ff75cc 51 8d4dd0 e8???????? 46 } condition: 7 of them and filesize < 13793280 
@@ -107697,36 +108141,36 @@ rule MALPEDIA_Win_7Ev3N_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "005aa5f2-162b-5bf7-ad49-b9d7ff2db13f" - date = "2026-01-05" - modified = "2026-01-06" + id = "3907c549-d041-5de8-8230-42e446fd2be2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.7ev3n_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.7ev3n_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "4eede98c5fa06e7258d260c1c452e6214bfc253858a007d8970063a1ca550ad3" + logic_hash = "9b1cec25991aa76acf3290f27738c6cabf019f382df7a9f2fac1318754b8e765" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 8d85f0d9ffff 50 8d8dd0cdffff e8???????? 8bce 2bcf } - $sequence_1 = { 2bcf 3bc1 0f84e2910000 8dbd50dcffff 8d4f02 0f1f840000000000 } + $sequence_0 = { 66898560fbffff f30f7e05???????? 660fd68560feffff 0fb705???????? 66898568feffff f30f7e05???????? 660fd6854cfbffff } + $sequence_1 = { 660fd685c0f3ffff 0fb705???????? 668985c8f3ffff f30f7e05???????? 660fd685b4f3ffff 0fb705???????? 668985bcf3ffff } $sequence_2 = { 2bcf 3bc1 0f8412490000 8dbdcce7ffff 8d4f02 0f1f840000000000 668b07 } - $sequence_3 = { e8???????? 
8bce 2b8d00cbffff 3bc1 0f84ce070000 8dbd50d9ffff 8d4f02 } - $sequence_4 = { e8???????? 8bce 2bcf 3bc1 0f84427a0000 8dbdf8eeffff 8d4f02 } - $sequence_5 = { 6a00 8d85a0e3ffff 50 8d8dd0cdffff e8???????? 8bce 2bcf } - $sequence_6 = { 6a00 6800000080 50 ff15???????? 898520ffffff 85c0 7509 } - $sequence_7 = { 83c702 6685c0 75f5 2bf9 d1ff 6a00 8d8500edffff } + $sequence_3 = { 50 8d8dd0cdffff e8???????? 8bce 2b8de8caffff 3bc1 0f848e040000 } + $sequence_4 = { 0fb78100084500 8d4902 6689440dda 6685c0 75ec eb5e } + $sequence_5 = { 6a00 8d8518e7ffff 50 8d8dd0cdffff e8???????? 8bce 2bcf } + $sequence_6 = { 75de 33c0 eb05 1bc0 83c801 85c0 0f84b0fdffff } + $sequence_7 = { 660fd68570fbffff 0fb705???????? 66898578fbffff f30f7e05???????? 660fd68570ddffff a1???????? 898578ddffff } $sequence_8 = { f30f7e05???????? 660fd68564e6ffff 0fb705???????? 6689856ce6ffff f30f7e05???????? 660fd68558e6ffff 0fb705???????? } - $sequence_9 = { d1ff 6a00 8d85acfbffff 50 8d8dd0cdffff e8???????? 8bce } + $sequence_9 = { ff15???????? b902000000 e8???????? be01000000 85c0 740d 8d4e01 } condition: 7 of them and filesize < 803840 
@@ -107736,36 +108180,36 @@ rule MALPEDIA_Win_Pcshare_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7a2279a4-a61d-58a7-97d7-adf12e2edb7d" - date = "2026-01-05" - modified = "2026-01-06" + id = "01321e27-2fca-51ad-b07e-588e71179cda" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pcshare_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pcshare_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "2997345c16432720db338f1e799076d538b35e40830e87863ce57c0bb0f81979" + logic_hash = "8fbab9d498887a46bb70ba398619d56b260bb2c48da4678a55861c40e7aa5ea0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 803c3800 75db 8b16 33c0 8a0c3a 5f 84c9 } - $sequence_1 = { 8db60c2c0610 6a00 50 ff36 e8???????? } - $sequence_2 = { 8b442450 3bc3 7425 33f6 8b0c06 } - $sequence_3 = { 81e20000ffff c7401400000000 0bca 89480c 8b4c2440 8b542438 } - $sequence_4 = { 8b4c242c 85c9 7510 3b5c2430 746b 43 } - $sequence_5 = { 8b01 03f8 8b5640 8b6e24 52 51 8bcc } - $sequence_6 = { 8b5b04 03d8 c60300 8b442428 50 } - $sequence_7 = { 8d0480 8d0c80 8d048a 3d35c83301 0f8cea000000 68???????? } - $sequence_8 = { 8b16 8d441a02 50 55 ff15???????? 
85c0 890437 } - $sequence_9 = { 8b4548 8b4c241c 8b1408 8b442420 8b4c020c 8d44020c } + $sequence_0 = { 50 68???????? e8???????? 83c408 85c0 740d 8b16 } + $sequence_1 = { 7425 0fb601 0fb6fa 3bc7 7714 8b55fc 8a9250220610 } + $sequence_2 = { 2bee 85c9 750e 8d442eff 8932 894204 } + $sequence_3 = { 50 e8???????? 8b4c2440 e9???????? 83f8fe 0f85effbffff 8b4c2414 } + $sequence_4 = { 8b442444 c7462800000000 895e38 897e34 85c0 741d 8d48ff } + $sequence_5 = { 3bc6 7505 b8???????? 6a05 68???????? 50 e8???????? } + $sequence_6 = { 56 8918 e8???????? 89742410 } + $sequence_7 = { 8b4c242c 85c9 7510 3b5c2430 746b 43 895c241c } + $sequence_8 = { 8d4c2438 50 89442430 e8???????? } + $sequence_9 = { c7413c00000000 895134 c20c00 6aff 68???????? } condition: 7 of them and filesize < 893708 
@@ -107775,36 +108219,36 @@ rule MALPEDIA_Win_Flagpro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "df493d50-e377-536e-a031-d239af918cf3" - date = "2026-01-05" - modified = "2026-01-06" + id = "915d8413-1c94-59a3-8fec-750c0ee27459" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flagpro_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flagpro_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "8734d591635985c73e20c9ca4d9912448a0aab9867cea544ed16d714554a9f18" + logic_hash = "49eb586758a32a8a5d12bf3563d420340cbcbdeefe3a9c2a1a81b3bdbd08a0ee" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4501 50 e8???????? 8bf8 83c420 } - $sequence_1 = { 8b03 eb02 8bc3 55 8d2c3f } - $sequence_2 = { ffd5 68???????? e8???????? 8b44241c } - $sequence_3 = { c684249400000002 8b442448 8b08 8d542428 52 50 8b4120 } - $sequence_4 = { 8b9180000000 50 ffd2 8b442418 } - $sequence_5 = { 8b4e18 53 57 8bf8 8d5e04 83f908 7204 } - $sequence_6 = { ffd2 47 3b7c243c 897c2450 0f8c03feffff e9???????? 8b44241c } - $sequence_7 = { c744244400000000 a1???????? 8b500c b9???????? ffd2 8d7010 8974241c } - $sequence_8 = { f7e2 8bea c1ed06 45 68e8030000 } - $sequence_9 = { e8???????? 33f6 eb06 8b1d???????? 
b8???????? 8d5002 } + $sequence_0 = { 8d47f0 c7442444ffffffff 8d480c 83caff } + $sequence_1 = { 0f8412010000 396c2458 720d 8b542444 52 e8???????? 83c404 } + $sequence_2 = { 8b4de4 83c40c 6bc930 8975e0 8db160d64100 8975e4 eb2a } + $sequence_3 = { 8b55fc 8b75fc c1fa05 8b1495c0cf4500 83e61f c1e606 f644320480 } + $sequence_4 = { e8???????? 83c404 8d842404010000 e8???????? 8d942404010000 } + $sequence_5 = { 8b4508 56 8d34c550d84100 833e00 7513 50 } + $sequence_6 = { 8b4508 8bc8 83e01f c1f905 8b0c8dc0cf4500 c1e006 8d44010c } + $sequence_7 = { c20800 b8???????? a3???????? c705????????1b004100 c705????????cfff4000 } + $sequence_8 = { 57 8d3c85340d4200 833f00 bb00100000 7520 53 e8???????? } + $sequence_9 = { 894c2434 6a00 8d4c2438 51 ffd5 85c0 0f841c010000 } condition: 7 of them and filesize < 1411072 
@@ -107814,36 +108258,36 @@ rule MALPEDIA_Win_Bubblewrap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8af5c082-aa6b-50c2-beb7-d15cea5a0e28" - date = "2026-01-05" - modified = "2026-01-06" + id = "c9795e02-95d7-5442-9070-f9a0c5f4982a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bubblewrap_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bubblewrap_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "9768a3ec06517eeb8d4ed3cf1b68ed17318c56d44232a674eb24375a5c01ec8d" + logic_hash = "d74e10554100c1ec73d09a66d5e9986a75edafc5264ddea5e24e42a0aa8ee395" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c9ff f2ae f7d1 49 c605????????ee c605????????03 } - $sequence_1 = { c21000 55 68???????? 6a01 6a00 ff15???????? } - $sequence_2 = { 8915???????? 8b15???????? a3???????? 66a1???????? 880d???????? b910000000 } - $sequence_3 = { 8bca 89442414 83e103 55 } - $sequence_4 = { 83e103 f3a4 8dbc24ac000000 83c9ff } - $sequence_5 = { e8???????? 83c408 be???????? b8???????? 8a10 } - $sequence_6 = { c1e902 f3a5 8bca 83e103 f3a4 be???????? b8???????? } - $sequence_7 = { 8bc1 894c2414 3bc5 0f821cffffff 8b6c2424 b967010000 33c0 } - $sequence_8 = { 8b0d???????? 8b15???????? 
894c0435 b920000000 8d742434 bf???????? } - $sequence_9 = { 8b15???????? f2ae f7d1 49 bf???????? } + $sequence_0 = { 55 56 57 668908 } + $sequence_1 = { 84c0 0f84e5010000 e8???????? 8b842420020000 be???????? 8a10 } + $sequence_2 = { bf???????? 33f6 68???????? 68???????? } + $sequence_3 = { 8db434b00a0000 894c2434 8bc1 c1e902 } + $sequence_4 = { 33ed 51 52 896c2428 896c2420 } + $sequence_5 = { 8bca 4f c1e902 f3a5 8bca b8???????? 83e103 } + $sequence_6 = { 8bc8 83e103 f3a4 8bcb 8b5c2414 } + $sequence_7 = { ffd6 68???????? ffd6 68b80b0000 ffd5 e9???????? 8b0d???????? } + $sequence_8 = { ffd6 68???????? ffd6 8b5c241c } + $sequence_9 = { 50 52 ffd6 8d442408 6a10 50 68???????? } condition: 7 of them and filesize < 57136 
@@ -107853,36 +108297,36 @@ rule MALPEDIA_Win_Atomsilo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a4d686f-c99d-5c01-b555-7095e6b70c0c" - date = "2026-01-05" - modified = "2026-01-06" + id = "d56ff9dc-c6da-5ce3-9866-a0f92a265c16" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atomsilo_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atomsilo_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "8aed315237abd1e84c2f2f4a7b7891e44774fb638cce5cdf1ee6cabd913c51c4" + logic_hash = "eedf190699e5a77790aa9c1a48c90800f4843755894a15aa3c5dc95df93d79e0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48c7c03f000000 23c1 488d0d7a8d0100 f20f5904c1 f20f5804c1 660f72e406 660f73f434 } - $sequence_1 = { 90 488d4f78 488d542458 e8???????? 488bd8 488b4c2470 48394c2468 } - $sequence_2 = { 4053 4883ec20 488d054b400800 488bd9 488901 488d052e420800 48894108 } - $sequence_3 = { 480134c7 0f8593010000 ffc1 8bc1 493bc0 72ed 488b5318 } - $sequence_4 = { 48c7442458ffffffff 4c89742460 4d85f6 7505 498bef eb0b 498bce } - $sequence_5 = { 4183cf08 44897c2420 4c8d4c2458 4c8bc6 488d55b8 488d4d88 e8???????? 
} - $sequence_6 = { 4103c7 c1ca02 448b7c2408 03c8 4403c9 4433ff } - $sequence_7 = { 8bc9 488b542430 8b0c8a c1e908 0fb6c9 488d1554b50500 } - $sequence_8 = { 488d0dda730900 8b542440 83c202 8bd2 4c8b442430 418b1490 c1ea10 } - $sequence_9 = { 488bd0 488bcb e8???????? 4103f5 413bf4 72c1 488b45a7 } + $sequence_0 = { e8???????? 90 84db 0f84e3000000 ba01000000 488d4de0 } + $sequence_1 = { 33ed 896808 40382d???????? 750c e8???????? c605????????01 488d05824c0600 } + $sequence_2 = { 4889442458 33c9 894c2460 48c70001000000 48894808 c744243004000000 488b4e18 } + $sequence_3 = { 498bc3 49f7e9 4c8bfa 49c1ff05 498bc7 48c1e83f 4c03f8 } + $sequence_4 = { 90 488bd0 488d4e60 e8???????? 90 488b4d60 48394d58 } + $sequence_5 = { 8844245a 8b442450 0407 83f04f 8844245b 8b442450 } + $sequence_6 = { 7235 488b8990000000 48ffc2 4881fa00100000 721c 4883c227 488b79f8 } + $sequence_7 = { e8???????? 90 4584ff 7454 488bce e8???????? 8bf8 } + $sequence_8 = { ba01000000 e9???????? 837dd801 0f84c8000000 833d????????01 0f8485010000 488b45c8 } + $sequence_9 = { 4c2b5c2438 498d7d01 4c8b9424d0000000 488d3cfe 4c8b642430 4c2beb 4c2bde } condition: 7 of them and filesize < 1785856 
@@ -107892,36 +108336,36 @@ rule MALPEDIA_Win_Ehdevel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a1927287-a7a0-56db-9215-479d35c403c1" - date = "2026-01-05" - modified = "2026-01-06" + id = "984bd635-af48-5da1-a8a5-4bfcce742be3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ehdevel_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ehdevel_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "684d7241cee866804960efb3b0b6928989858b77ba794c784761214d04fdf763" + logic_hash = "5ff4316411781d7e133ec32c087889a6849399ade69523276554e1d188aefd1c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c5 8945fc 57 8bf9 8d85ece7ffff 50 8d8dfcf7ffff } - $sequence_1 = { 85c0 7524 a1???????? a3???????? a1???????? c705????????d22f0110 8935???????? } - $sequence_2 = { 51 e8???????? 83c40c 56 8d95e8fbffff 6804010000 } - $sequence_3 = { 8b3d???????? c60301 ffd7 56 ff15???????? 56 ffd7 } - $sequence_4 = { 8985e8f7ffff 897e10 897e14 c645fc03 399d94f7ffff 720f 8b8d80f7ffff } - $sequence_5 = { 8d8dfcf7ffff 51 e8???????? 
83c410 84c0 7502 32db } - $sequence_6 = { 8b8dd48bffff 6a00 6880000000 6a04 6a00 6a00 6a04 } - $sequence_7 = { eb19 8b4c2414 8b4904 8b440c4c 8d4c0c14 f7d8 } - $sequence_8 = { 33d2 8955fc 3bca 7458 33f6 52 c7411407000000 } - $sequence_9 = { c745f463006f00 c745f86d000000 e8???????? 3c01 7441 } + $sequence_0 = { 897e14 c645fc03 399d94f7ffff 720f 8b9580f7ffff } + $sequence_1 = { 3bc6 0f84effeffff 6a07 59 3bc1 0f87c8090000 ff24853ad50110 } + $sequence_2 = { 68???????? 8d85e8fbffff 6804010000 50 e8???????? 83c40c 57 } + $sequence_3 = { 6800040000 8d8c2420040000 51 eb26 68???????? 6800040000 8d942420040000 } + $sequence_4 = { 85f6 0f84c5000000 6a00 6a50 8d8df8f7ffff 51 } + $sequence_5 = { 8b06 8bd0 83e01f c1fa05 8b1495a0ae0310 c1e006 } + $sequence_6 = { 33d2 8955fc 3bca 7458 33f6 52 c7411407000000 } + $sequence_7 = { 57 e8???????? 83c404 68???????? e8???????? 83c404 } + $sequence_8 = { 8d8424a8090000 50 ff15???????? 85c0 742d 43 } + $sequence_9 = { 8d8424c4010000 6800040000 50 e8???????? 83c424 } condition: 7 of them and filesize < 524288 
@@ -107931,36 +108375,36 @@ rule MALPEDIA_Win_Meterpreter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6f1771a-05aa-5edf-806e-8f4646e6de38" - date = "2026-01-05" - modified = "2026-01-06" + id = "2c41841a-115f-57ba-8a48-27de045e5a55" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.meterpreter_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.meterpreter_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "b31b408f14a6efeb814ec89850c20aeb2f6b49daa7fba766082bcbe19d74b589" + logic_hash = "006a69c6441f656537729cba192b77787504b6e91bb113c3cfc9e307a9df755b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7b5d c7400800000000 8b561c c7420c00000000 } - $sequence_1 = { c07d14eb 8b542472 8cd0 f733 ce } - $sequence_2 = { 56 e8???????? 85d9 f5 } - $sequence_3 = { e04f 1089471c8b8e 48 e600 00ee } - $sequence_4 = { 0000 68ffff0000 52 ffd7 8b2410 } + $sequence_0 = { 5e 88c3 90 90 90 90 90 } + $sequence_1 = { 51 d2d7 838f54ebdaa118 c1400133 d28a168b088a 0451 } + $sequence_2 = { 836e0c50 ff15???????? 33e4 f1 } + $sequence_3 = { 8b35???????? 25d6859b0f 94 41 0100 } + $sequence_4 = { 3ddc4e0000 7d15 8b84fe8b550c51 52 50 a3???????? 
83c42d } $sequence_5 = { 02c0 8bf7 b94c000061 f3ab 8b4573 8b4d0c 8bbdfc89068b } - $sequence_6 = { 57 57 897810 57 } - $sequence_7 = { 8d919248b299 40 93 49 722f } - $sequence_8 = { 8b3c87 1485 c9 896375 8b3b } - $sequence_9 = { d040f3 27 c0eb80 d440 0075cc b8???????? } + $sequence_6 = { c3 8d23 d352e8 d7 } + $sequence_7 = { eb02 33c0 8b4e0c 4e 2a9dc052ff77 } + $sequence_8 = { c88b2804 0800 001b c285f7 } + $sequence_9 = { b90e00d000 f3ab 8b666a 00536a 32445014 8e0e 8b5183 } condition: 7 of them and filesize < 188416 
@@ -107970,42 +108414,42 @@ rule MALPEDIA_Win_Fobber_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "910b3d1e-c7a6-55ab-b1c2-4f8035f4a57d" - date = "2026-01-05" - modified = "2026-01-06" + id = "6b10b0b7-aac9-5b0d-999e-cef97191d4ff" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fobber_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fobber_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "3cf9174005b14188a8f0ba63481f290f2ae0ab907becb2c7edb09c680f60ed5d" + logic_hash = "116b887c67ba2a8cdb51d9e66252babb8d46a5aed6610b6604df9d6e868cdbe7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b750c 8b4d10 39f7 760e } - $sequence_1 = { 57 51 8b7d08 30c0 31c9 f7d1 } - $sequence_2 = { 8d0431 39f8 7607 49 01cf } - $sequence_3 = { 57 e8???????? 85c0 740f 89c1 } - $sequence_4 = { 8d4d08 51 ff31 ffd0 } - $sequence_5 = { 55 89e5 ff750c 6800300000 } - $sequence_6 = { 0453 42 e2f6 59 } - $sequence_7 = { f2ae 31c0 e303 4f } - $sequence_8 = { 8981efc00700 0081efe82300 0081c7371300 0081c7546900 0081c7397d00 00e9 } - $sequence_9 = { 0f85196e0100 807dfc00 7407 8b4df8 836170fd 5e } - $sequence_10 = { 4d fc 02e9 5a a2???????? 92 b4ff } - $sequence_11 = { 0f8423050000 ff7508 e8???????? 
59 59 8b4508 } - $sequence_12 = { 43 7706 6205???????? 294a75 f2149c } - $sequence_13 = { 6a52 686bb7ade9 e8???????? 83c408 } - $sequence_14 = { 3bc3 7524 8b451c 3bc3 } - $sequence_15 = { 33db 57 3bcb 0f8499840100 3bf3 0f84a2840100 } + $sequence_0 = { 0fb066f5 75f6 66b80100 660fc146f9 } + $sequence_1 = { 740f 8d4d08 51 ff31 ffd0 } + $sequence_2 = { 89e5 ff750c 6800300000 ff7508 } + $sequence_3 = { 7607 49 01cf 01ce 41 } + $sequence_4 = { 8b750c 8b4d10 39f7 760e } + $sequence_5 = { ff7510 ff750c ff7508 e8???????? 85c0 7407 50 } + $sequence_6 = { 760e 8d0431 39f8 7607 49 } + $sequence_7 = { 31c9 f7d1 fc f2ae f7d1 49 89c8 } + $sequence_8 = { 05b05ec972 0100 0000 6a08 e8???????? 59 } + $sequence_9 = { 38d7 6a00 bc711fb37c 0474 04f0 } + $sequence_10 = { c072e458 c072c458 c072a458 c0728458 } + $sequence_11 = { 3bd6 7409 668b08 66890a 83c202 ff07 6a22 } + $sequence_12 = { 6802000080 ff15???????? 8d45f8 50 68???????? 6805000080 } + $sequence_13 = { ebd8 8bff 55 8bec 837d0800 56 8bf1 } + $sequence_14 = { 6300 0081efe2c5fe ff81c7c34c00 0081efc52500 0081efb55100 0081ef272400 } + $sequence_15 = { 81c6e9140000 81eefa360000 81eef8e4ffff 81c6507c0000 81eeb77a0000 81ee0b690000 81c6cf450000 } condition: 7 of them and filesize < 188416 
@@ -108015,36 +108459,36 @@ rule MALPEDIA_Win_Kazuar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ccff8922-162c-572c-8893-65e66a285e05" - date = "2026-01-05" - modified = "2026-01-06" + id = "c4456b1a-9a2d-5498-860f-aed8b8f72e28" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kazuar_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kazuar_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "e795bcf133e170c8cc0011c1658f28fb0b95178f81911116117a7619cede54b7" + logic_hash = "f3465926116135563d59f857ea69bf0157f71e7ee10025cb20918f41dc519108" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7452 83b98c00000000 7449 4c01de 31db 8b6e20 448b6618 } - $sequence_1 = { 83c002 c744240400000000 668945f2 8d45ec c7042400000000 8944240c 8d45f0 } - $sequence_2 = { e8???????? 89c3 e8???????? 01c0 895df4 } - $sequence_3 = { 31c0 4885c9 4989cb 89d7 7463 4863493c } - $sequence_4 = { 8b0402 4c01d8 eb07 48ffc3 ebc8 31c0 } - $sequence_5 = { 8d8b00030000 894c2408 8d4b08 894c2404 ff522c 83ec18 } - $sequence_6 = { 6685c9 7417 e8???????? 0fb7c0 41ffc1 } - $sequence_7 = { 31c0 4885db 7428 4989db 498b4b40 e8???????? 3d88ae6393 } - $sequence_8 = { 7425 e8???????? 
39f8 751c 8b4624 4801db } - $sequence_9 = { 8d8b00030000 894c2408 8d4b08 894c2404 ff522c } + $sequence_0 = { 8b0402 4c01d8 eb07 48ffc3 } + $sequence_1 = { 5d 415c c3 4883ec48 e8???????? } + $sequence_2 = { 31c0 4885c9 4989cb 89d7 7463 } + $sequence_3 = { 8d8b00030000 894c2408 8d4b08 894c2404 } + $sequence_4 = { 7463 4863493c 4c01d9 8bb188000000 85f6 7452 } + $sequence_5 = { 740a 81ea00204000 01d0 eb02 31c0 5d c3 } + $sequence_6 = { 41ffc1 4131c0 4569c097010001 ebdd } + $sequence_7 = { 55 57 56 53 4883ec20 31c0 4885c9 } + $sequence_8 = { 4863493c 4c01d9 8bb188000000 85f6 } + $sequence_9 = { 8b10 894c2414 8d8b00020000 890424 894c2410 } condition: 7 of them and filesize < 81920 
@@ -108054,36 +108498,36 @@ rule MALPEDIA_Win_Jssloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7148d41e-3b6b-5706-b0f5-a23188997a17" - date = "2026-01-05" - modified = "2026-01-06" + id = "c2dfb866-307f-54fc-a93b-1459534d3593" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jssloader_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jssloader_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "ffccc96c8251d57f1e22bfb5c0a6de3c234295ba8c011aea9715fb2c8123c39a" + logic_hash = "0c3f13c685066a735b5bd23ece29387da4f47270047d27c85f2f68d54bf6b421" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3d55555515 0f846b010000 8b4b08 8d7001 2bcf b8abaaaa2a f7e9 } - $sequence_1 = { c645cc00 898570feffff 3bf0 7432 8bbd64feffff 8b4de4 03cf } - $sequence_2 = { 8d4de4 e8???????? 8a75d7 8b75e8 8b5dec 8b45c4 } - $sequence_3 = { 7e0f 803c0f22 0f84d6000000 41 3bc8 7cf1 33c0 } - $sequence_4 = { c785bcfdffff00000000 c785c0fdffff0f000000 c685acfdffff00 83fa10 722f 8b8d64fdffff 42 } - $sequence_5 = { 83c404 85c0 0f844a010000 8d7823 83e7e0 8947fc eb13 } - $sequence_6 = { c7805413440002000000 6a04 58 6bc000 8b0d???????? 
894c05f8 6a04 } - $sequence_7 = { c745c800000000 c645fc02 3b4dec 741a 33d2 33f6 8911 } - $sequence_8 = { 8875d7 3bf9 7408 8817 47 897de8 eb13 } - $sequence_9 = { b8abaaaa2a 2bcf 895df0 f7e9 8b4b04 c1fa03 2bcf } + $sequence_0 = { 83f81f 0f8703060000 51 56 e8???????? 83c408 c745d800000000 } + $sequence_1 = { 8b4804 8d41f8 89840d70feffff 8d85dcfeffff } + $sequence_2 = { 68???????? c78568fdffff00000000 c7856cfdffff0f000000 c68558fdffff00 e8???????? c645fc16 } + $sequence_3 = { 64a300000000 8b4508 89859cfeffff 8985b8feffff } + $sequence_4 = { 8d8da0feffff c785b0feffff00000000 c785b4feffff0f000000 c685a0feffff00 e8???????? 8d85a0feffff } + $sequence_5 = { 8b45fc 8b7008 8b5004 8b08 c7400800000000 c7400400000000 } + $sequence_6 = { 8d8d20ffffff 6a06 68???????? c78530ffffff00000000 c78534ffffff0f000000 c68520ffffff00 e8???????? } + $sequence_7 = { 7408 8817 47 897de8 } + $sequence_8 = { 51 6a01 6a00 68???????? 52 ff15???????? 8d4b04 } + $sequence_9 = { 8b04bd701d4400 834c0318ff 33c0 eb16 e8???????? c70009000000 e8???????? } condition: 7 of them and filesize < 581632 
@@ -108093,42 +108537,42 @@ rule MALPEDIA_Win_Magniber_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2010ff15-6b80-529a-a5cd-f6820259a96c" - date = "2026-01-05" - modified = "2026-01-06" + id = "0cb0b6c1-39c6-5d9e-995d-70d951f232a2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.magniber_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.magniber_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "40cc2b100a2166758d1bade12df1107c6219e6f30fc93c01403c3eb3fe63bfd1" + logic_hash = "a3bcc4e913cd05b5bf104f18fcfc7a62f9a3f50652665cc48fe3160149c110fe" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c78514fdffff38994000 c78518fdffff40994000 c7851cfdffff48994000 c78520fdffff54994000 c78524fdffff60994000 c78528fdffff68994000 } - $sequence_1 = { 83c404 8945fc 837dfc00 0f84d7000000 68???????? 8b45fc } - $sequence_2 = { 8b45f8 8b8c8548ffffff 51 8b55f0 52 } - $sequence_3 = { 0f8462010000 8b55ec 52 ff15???????? 83f801 } - $sequence_4 = { c785fcfcffff08994000 c78500fdffff10994000 c78504fdffff18994000 c78508fdffff20994000 c7850cfdffff28994000 c78510fdffff30994000 } - $sequence_5 = { 7505 e9???????? 
8b4df8 3b4df0 7307 } - $sequence_6 = { 6a00 6a03 6800000080 8b4d10 51 } - $sequence_7 = { 55 8bec 51 8b4508 83b86804000000 741b 8b4d08 } - $sequence_8 = { d331 4e4e54 70ac 52 f8 a6 } - $sequence_9 = { 097934 50 5e 5a 3558e9e633 } - $sequence_10 = { bb72657959 a1????????ba30f7a3 873428 de9d164df944 ee aa } - $sequence_11 = { 7f4c c82cd1c6 1a32 b636 } - $sequence_12 = { 21746c2e 4834b0 184026 e221 a1????????05eef081 e0f8 } - $sequence_13 = { 4baa 055457541d e9???????? bc12819787 bbdd81d473 ba2326dc05 645f } - $sequence_14 = { 32cb 5a b3b1 3e6c 21746c2e 4834b0 184026 } - $sequence_15 = { 283d98b7a0e5 7f9b 0b733e fd 6acb 199335632362 } + $sequence_0 = { 8b8270040000 3b45f8 733c b902000000 6bc9ff 8b55f8 } + $sequence_1 = { b820000000 668945ba b92f000000 66894dbc ba4d000000 668955be } + $sequence_2 = { 50 ff15???????? 8d4dd4 51 8d9564f7ffff } + $sequence_3 = { c74580e89e4000 c74584f89e4000 c74588009f4000 c7458c089f4000 c74590109f4000 c74594189f4000 } + $sequence_4 = { 83ea01 69d27c030000 0355e4 52 e8???????? 83c40c } + $sequence_5 = { c785e0feffff949d4000 c785e4feffff9c9d4000 c785e8feffffa49d4000 c785ecfeffffac9d4000 c785f0feffffb49d4000 c785f4feffffbc9d4000 } + $sequence_6 = { 6a02 6800000040 8b55f4 52 } + $sequence_7 = { 66894dec ba65000000 668955ee b878000000 668945f0 b965000000 66894df2 } + $sequence_8 = { 2c07 15ce8930e7 9b 283d98b7a0e5 } + $sequence_9 = { 4834b0 184026 e221 a1????????05eef081 e0f8 } + $sequence_10 = { 097934 50 5e 5a } + $sequence_11 = { 32cb 5a b3b1 3e6c 21746c2e 4834b0 } + $sequence_12 = { a1????????ba30f7a3 873428 de9d164df944 ee aa } + $sequence_13 = { 87f2 4baa 055457541d e9???????? bc12819787 bbdd81d473 ba2326dc05 } + $sequence_14 = { 199335632362 7c8f d3762a 258bdb888d } + $sequence_15 = { d2e2 5a 0bb96e327b31 d8df } condition: 7 of them and filesize < 117760 
@@ -108138,36 +108582,36 @@ rule MALPEDIA_Win_Dusttrap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6dc8c0b6-03e4-543a-8235-ad282f751715" - date = "2026-01-05" - modified = "2026-01-06" + id = "29cc0216-aa2a-54fb-9ffa-8619e8199fdd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dusttrap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dusttrap_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dusttrap_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "99d0157bbc57f142e4b3ca02f7a6fc667dbe8aaf793dc492ed4ef3b4577c5d17" + logic_hash = "d98a8b457f48c54124d7726cdd363a8850e6b5462ebf7caaa15c3f04d9405b59" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4133c0 c1e008 33c2 4389848c40ec0200 c1c008 } - $sequence_1 = { 492bf4 75a9 488b9c24b80a0000 488bbc24a80a0000 4c8bbc24980a0000 4c8bac24a00a0000 488bb424b00a0000 } - $sequence_2 = { 478b9c8240dc0200 48c1e918 45339c9240e80200 41c1ef08 410fb6d7 4c8d3d5257ffff 45339c8a40d80200 } - $sequence_3 = { 4c8bf9 33d2 488b0d???????? 8bf5 488b89f8000000 e8???????? } - $sequence_4 = { 488bbc24a80a0000 4c8bbc24980a0000 4c8bac24a00a0000 488bb424b00a0000 4d85f6 743f 488b0d???????? } - $sequence_5 = { e8???????? 
8bf0 85c0 0f85f4000000 0f57c0 } - $sequence_6 = { 498d4e30 4533c0 baa00f0000 e8???????? 488b05???????? 4c8d0539810100 488bd5 } - $sequence_7 = { 448bf6 4903df 4981c600ffffff 33d2 41b820030000 4c03f3 e8???????? } - $sequence_8 = { 89442420 488b8988010000 448d4204 e8???????? 488b0d???????? 488d8424d0000000 48896c2458 } - $sequence_9 = { 488b4108 488d4908 488902 488d5208 } + $sequence_0 = { 482b8b9a020000 4885c9 418bc5 0f94c0 85c0 0f8481000000 } + $sequence_1 = { 48897810 33ed 4c896020 488bfa 4c8978d8 4533c0 4c8bf9 } + $sequence_2 = { ff15???????? 488b4c2448 85c0 7429 488d15b1eb0000 ff15???????? } + $sequence_3 = { 48895c2430 448d4209 0f11442460 488b4950 48895c2428 48895c2420 e8???????? } + $sequence_4 = { 488bc7 403828 750f ffc1 48ffc0 83f906 72f1 } + $sequence_5 = { 4533c0 8b9c24a0000000 33d2 488b89f8000000 e8???????? 488b0d???????? 33d2 } + $sequence_6 = { 0f1005???????? c7442470f79dfa5d c7442474e5c9c7e4 0f114510 c74424784b60067f 66c744247c34dc 0f114d58 } + $sequence_7 = { 488b0d???????? bab0070bfe 41b866d25e3e 48894140 488d0d62010200 e8???????? } + $sequence_8 = { 488907 e9???????? 33d2 4c89ac24b8000000 0f57c0 498d5c2402 } + $sequence_9 = { 4c8d8d80070000 4889442420 33d2 458d442402 488b8950010000 e8???????? } condition: 7 of them and filesize < 421888 
@@ -108177,169 +108621,187 @@ rule MALPEDIA_Win_Dreambot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53f43e42-1768-565e-8f9c-297b1c07d8f4" - date = "2026-01-05" - modified = "2026-01-06" + id = "2de818ef-c84e-5cfa-8a13-b7a48698bd00" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dreambot_auto.yar#L1-L872" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dreambot_auto.yar#L1-L1009" license_url = "N/A" - logic_hash = "cddaa00c4f6e4bc7a58bc64756492fafadc3729bcd6bcbd8f6bc9664c264e892" + logic_hash = "c2311d1299fce8a46776fde9086c46e8c7b2b3646f39c99a659f6dbd2079add8" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 8b4f30 83e140 0b4b18 83671800 } - $sequence_1 = { 85c0 751f ff15???????? 8bf8 81ffe5030000 751a } - $sequence_2 = { ff7320 ff15???????? 50 ff7320 56 ff5710 } - $sequence_3 = { ff15???????? 85c0 7410 ff742410 33ff e8???????? 8b7d0c } - $sequence_4 = { ffd6 8b44240c 894320 68???????? ff7320 ff15???????? } - $sequence_5 = { 751a 395d10 7413 8b4618 e8???????? eb09 } - $sequence_6 = { 68???????? 68???????? ff7320 e8???????? 
8bf8 } - $sequence_7 = { 0f84cd000000 8d442410 50 8d442410 } - $sequence_8 = { 3bf3 0f8481000000 395d0c 747c 6a03 ebcc 3bf3 } - $sequence_9 = { 3bc2 480f45ca 488bc1 4883c438 c3 488bc4 } - $sequence_10 = { 395d0c 0f848d000000 6a07 ebdd 3bf3 0f8481000000 } - $sequence_11 = { a1???????? 85c0 7520 3bf3 741c 837d0c04 } - $sequence_12 = { 837d0c04 7516 ff7510 ff36 68???????? e8???????? 8bf8 } - $sequence_13 = { ebcc 3bf3 7474 395d0c 746f 6a0d ebbf } - $sequence_14 = { 746f 6a0d ebbf ff7510 53 68???????? eb54 } - $sequence_15 = { 8b7d08 eb24 a1???????? 85c0 } - $sequence_16 = { 56 68???????? e8???????? 894508 8b7d08 eb24 } - $sequence_17 = { 413bc5 7528 493bfd 7423 41b904000000 } - $sequence_18 = { c3 4053 4883ec20 4c8b4108 488bd9 } - $sequence_19 = { e8???????? e9???????? 493bfd 0f84b5000000 413bf5 0f84ac000000 } - $sequence_20 = { 4c8bc5 e8???????? 8bd8 83fbff 7508 } - $sequence_21 = { bb57000000 e8???????? 413bc5 7446 } - $sequence_22 = { 7464 413bf5 745f 8bd6 488bcf bb57000000 } - $sequence_23 = { 33d2 ff15???????? 4c8d5c2470 8bc7 } - $sequence_24 = { 747c 41b80d000000 eba7 33d2 } - $sequence_25 = { e8???????? eb2c 8b05???????? 413bc5 } - $sequence_26 = { e9???????? 8bd6 488bcf e8???????? e9???????? 4c392d???????? 740c } - $sequence_27 = { 46 8945f8 85c0 7551 } - $sequence_28 = { 8b450c 33db 895dfc e8???????? 8945f8 33ff } - $sequence_29 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 } - $sequence_30 = { e8???????? 4885db 7417 488b0d???????? 4c8bc3 33d2 } - $sequence_31 = { ff7310 ff15???????? 33d2 89b7184a0000 } - $sequence_32 = { 488bcb e8???????? f7d0 eb07 8b8424c8000000 3dcad2b74e } - $sequence_33 = { 8db4083089b9ed 57 8d45f4 50 8b450c 33db 895dfc } - $sequence_34 = { 8945f8 33ff eb03 8b750c ff75f8 69f60d661900 } - $sequence_35 = { 85c0 7551 ff33 50 } - $sequence_36 = { 7427 488b5308 488bc8 ff15???????? 4c8b472c 488b0d???????? 
} - $sequence_37 = { 8b463c 488b1e 2b471c 4489742478 448974247c 488b542478 } - $sequence_38 = { 8b87184a0000 56 33f6 46 8945f8 } - $sequence_39 = { 8b424c a801 0f840f010000 8b424c a806 740e e8???????? } - $sequence_40 = { 8a07 2c41 3c05 8a07 7704 2c37 eb0a } - $sequence_41 = { 89442440 488bf9 e8???????? 488d542438 33c9 ff15???????? 448b5c2438 } - $sequence_42 = { 488bf0 0f84a3000000 8b942490000000 4c8b442440 } - $sequence_43 = { 33d2 ff15???????? 8bc6 488b9c24c0000000 } - $sequence_44 = { ff15???????? 8945fc 85c0 741a 6804010000 8d4f10 51 } - $sequence_45 = { 89750c 8d750c e8???????? 8bf0 } - $sequence_46 = { ff15???????? 4883f8ff 488bf8 7445 488d842488000000 } - $sequence_47 = { 69f60d661900 ff75f4 81c65ff36e3c 89750c 8d750c } - $sequence_48 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? } - $sequence_49 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 } - $sequence_50 = { 7551 ff33 50 6810040000 ff15???????? 8945fc 85c0 } - $sequence_51 = { 48895f2c 8b464c a802 7410 8b464c } - $sequence_52 = { 488d4c2440 ff15???????? 0fb74c2442 b856555555 } - $sequence_53 = { 4c8bc3 33d2 ff15???????? 4c8b442478 488b0d???????? 33d2 } - $sequence_54 = { ff75fc e8???????? 8b45f0 40 c745e801000000 } - $sequence_55 = { ff742404 a3???????? e8???????? 85c0 7551 ff742404 e8???????? } - $sequence_56 = { ff35???????? ff15???????? eb22 ff7518 } - $sequence_57 = { e8???????? 85c0 0f849b000000 8d45f4 50 } - $sequence_58 = { 3bc6 7551 a1???????? 8b4014 85c0 } - $sequence_59 = { 493bce 753a 8b05???????? 488b0d???????? } - $sequence_60 = { e8???????? e9???????? 3bf3 0f8435010000 395d10 0f842c010000 } - $sequence_61 = { 8be5 5d c20400 8325????????00 6a00 68???????? 6a01 } - $sequence_62 = { e8???????? 8bf8 3bfb 0f857c040000 } - $sequence_63 = { 83ffff 0f843b010000 81ff02010000 0f8499000000 } - $sequence_64 = { 4183c501 443b2e 730a eba9 4533f6 eb08 } - $sequence_65 = { ff15???????? 
85c0 7412 4881c720010000 4183c501 443b2e 730a } - $sequence_66 = { 81ff02010000 0f8499000000 f605????????08 6aff 68806967ff 56 7408 } - $sequence_67 = { 5b c9 c20800 55 8bec 81ec1c010000 8d4807 } - $sequence_68 = { 83cfff 443bd3 7349 448bdf 452bda } - $sequence_69 = { 498d5c2478 e8???????? 4e8b4cb61e 4e8b44b616 33c9 } - $sequence_70 = { 81ff02010000 0f8495000000 8b3d???????? 6aff 68806967ff } - $sequence_71 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 } - $sequence_72 = { 493bed 75a1 488bb42480000000 4c8b742470 } - $sequence_73 = { 83c40c 83c01e 50 ffd7 ff35???????? } - $sequence_74 = { 41 f00fc108 a1???????? 83c01e 50 ff15???????? } - $sequence_75 = { 5b 8be5 5d c3 0fb708 6683f902 } - $sequence_76 = { 85c0 0f85b7000000 56 ff742428 ffd7 8bf8 } - $sequence_77 = { ff15???????? 8bc3 e9???????? 48895c2408 4889742410 57 } - $sequence_78 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? } - $sequence_79 = { 83a78c00000000 33c0 c3 51 e8???????? 0558020000 } - $sequence_80 = { 50 ff742428 89542464 ffd3 56 57 } - $sequence_81 = { 56 ff742468 ffd7 85c0 0f85b7000000 } - $sequence_82 = { 56 0f84e9000000 ff74241c ffd7 } - $sequence_83 = { ff15???????? 85c0 743f 66ba2e00 498bcf ff15???????? 4885c0 } - $sequence_84 = { 5b c20800 51 53 57 } - $sequence_85 = { ff742414 e8???????? 813d????????58876837 7525 6a01 e8???????? 6a01 } - $sequence_86 = { 8bfb 8898d8fdffff e8???????? 448bac2400030000 440fb7db 4183fd25 } - $sequence_87 = { a3???????? bf???????? 33f6 8b8618c60310 e8???????? 8947fc } - $sequence_88 = { 8b483c 66f74401160020 7408 c744244c8e85be03 e8???????? } - $sequence_89 = { 89b31c70be03 740a 83c304 83fb14 72c9 eb12 } - $sequence_90 = { 85c0 0f849d010000 395c244c 7407 68???????? } - $sequence_91 = { 894df8 894dec c745e0e724be03 8945d8 751b f605????????01 7412 } - $sequence_92 = { e42c d08b19ec3bc2 14e1 32ec } - $sequence_93 = { f3ab e8???????? 
8bf0 3bf3 0f85d4020000 } - $sequence_94 = { 8bd8 83fbff 0f843d010000 81fb02010000 0f8496000000 } - $sequence_95 = { 46 33048d1062be03 85ff 75cf f7d0 eb02 33c0 } - $sequence_96 = { 0fb6b120d00310 0fb6b9a0d00310 0fb68c0632900000 0fb7b470928a0000 894df4 8b4844 d3e6 } - $sequence_97 = { ffd6 ff742414 ff742414 57 e8???????? } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 834f3001 8b4720 2b4310 8b37 } + $sequence_1 = { 8b44240c 894320 8b442410 894310 836730f9 } + $sequence_2 = { 8b4320 be???????? 56 89442410 ff15???????? 56 } + $sequence_3 = { 894f30 8b4f30 f6c140 751e 85c0 740e 8bf8 } + $sequence_4 = { ff15???????? 56 ff742410 89442418 ff15???????? 85c0 7410 } + $sequence_5 = { 8b4618 e8???????? eb09 ff7618 ff15???????? 33ff } + $sequence_6 = { 50 8b4734 e8???????? 85c0 } + $sequence_7 = { 6a00 ff35???????? ffd6 897b20 } + $sequence_8 = { e8???????? e9???????? 3bf3 0f8496000000 395d0c } + $sequence_9 = { 0f848d000000 6a07 ebdd 3bf3 0f8481000000 395d0c } + $sequence_10 = { 745c 395d0c 7457 53 ff750c } + $sequence_11 = { 53 68???????? eb54 3bf3 } + $sequence_12 = { e9???????? 3bf3 0f84b7000000 395d0c } + $sequence_13 = { 741c 837d0c04 7516 ff7510 ff36 68???????? } + $sequence_14 = { 6a03 ebcc 3bf3 7474 395d0c 746f 6a0d } + $sequence_15 = { a1???????? 85c0 7520 3bf3 741c 837d0c04 } + $sequence_16 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? } + $sequence_17 = { 488b542460 4533c9 488bc8 41ff5318 } + $sequence_18 = { 448bc6 488bd7 e8???????? eb2c 8b05???????? 
} + $sequence_19 = { 493bfd 7423 41b904000000 413bf1 7518 8b17 } + $sequence_20 = { 488b9424a8000000 4533c9 4533c0 ff5028 } + $sequence_21 = { 0f84b5000000 413bf5 0f84ac000000 41b807000000 ebd7 } + $sequence_22 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 } + $sequence_23 = { 493bfd 0f849b000000 413bf5 0f8492000000 41b803000000 ebbd 493bfd } + $sequence_24 = { eb5a 493bfd 7464 413bf5 745f 8bd6 488bcf } + $sequence_25 = { 492bd0 4803542460 41ff5220 4c8b442460 e9???????? } + $sequence_26 = { 493bfd 0f84d9000000 413bf5 0f84d0000000 } + $sequence_27 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 } + $sequence_28 = { 0f8481000000 413bf5 747c 41b80d000000 eba7 } + $sequence_29 = { e9???????? 493bfd 0f84b5000000 413bf5 } + $sequence_30 = { 488d5e10 4533f6 488b0b 2580000000 } + $sequence_31 = { 49ffc7 418d5620 498bcf ff15???????? 4c8bf0 } + $sequence_32 = { 488bce 4c63c0 ff15???????? 488bce } + $sequence_33 = { 48c7c101000080 ff15???????? 85c0 7568 4c8d8c24d0000000 4c8d8424c8000000 } + $sequence_34 = { 8945f8 85c0 7551 ff33 50 6810040000 ff15???????? } + $sequence_35 = { 33d2 ff15???????? 48895f2c 8b464c a802 7410 8b464c } + $sequence_36 = { 4883f8ff 488bf8 7445 488d842488000000 } + $sequence_37 = { 0f8431010000 81f97acff109 0f840f010000 81f9eb6bfb0d 0f84de000000 } + $sequence_38 = { 53 c1e010 56 8db4083089b9ed 57 8d45f4 50 } + $sequence_39 = { 0f85bd000000 33c0 89942498000000 899424a8000000 8984249c000000 } + $sequence_40 = { 33d2 ff15???????? 8bc6 488b9c24c0000000 4881c480000000 } + $sequence_41 = { 8b05???????? 35fc5585cf 4533c9 4533c0 418bd6 33c9 8905???????? } + $sequence_42 = { ff15???????? 8945fc 85c0 741a 6804010000 8d4f10 51 } + $sequence_43 = { 33f6 46 8945f8 85c0 } + $sequence_44 = { ff75f8 69f60d661900 ff75f4 81c65ff36e3c } + $sequence_45 = { 50 8b450c 33db 895dfc e8???????? 8945f8 33ff } + $sequence_46 = { ff75f4 81c65ff36e3c 89750c 8d750c e8???????? 
8bf0 3bf3 } + $sequence_47 = { 33db eb0b 8b842498000000 c6041800 44897c2430 } + $sequence_48 = { 33ff eb03 8b750c ff75f8 69f60d661900 } + $sequence_49 = { ff7310 ff15???????? 33d2 89b7184a0000 } + $sequence_50 = { 4d8bc4 33d2 ff15???????? 488bf8 } + $sequence_51 = { 2b471c 4489742478 448974247c 488b542478 894640 33c0 } + $sequence_52 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? } + $sequence_53 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 } + $sequence_54 = { e8???????? 488b5c2428 85c0 753e 8b9424c8000000 85d2 7421 } + $sequence_55 = { 33ff 3bc7 7528 83bc241001000003 740a 83bc241001000001 7514 } + $sequence_56 = { 0b4724 44897630 89464c 8b464c a840 } + $sequence_57 = { 41b825000000 e8???????? 4885db 7417 488b0d???????? } + $sequence_58 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 } + $sequence_59 = { 4533c9 8bd6 488bcf e8???????? 488b4c2430 448d4b03 } + $sequence_60 = { 0f840b010000 395d10 0f8402010000 6a03 eb13 3bf3 0f84f6000000 } + $sequence_61 = { 8d85a0fcffff 68???????? 50 ff15???????? 83c41c 53 } + $sequence_62 = { 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 } + $sequence_63 = { 8945d0 3dea000000 7554 ff75fc 53 ff35???????? } + $sequence_64 = { 895c2414 895c2410 895c240c 3bfe 0f86ea000000 } + $sequence_65 = { 8975f8 e8???????? 8945ec 3bc3 } + $sequence_66 = { 4c8bc6 ff15???????? 488bd8 493bc7 } + $sequence_67 = { ff15???????? 8bf0 8d4601 50 8975f8 e8???????? } + $sequence_68 = { 395d10 7423 6a01 ff75fc e8???????? 3bc3 7518 } + $sequence_69 = { 493bc5 742f 488d4810 ff15???????? } + $sequence_70 = { 8b45fc 0fb700 8bc8 81e100f00000 } + $sequence_71 = { 5b 8be5 5d c20400 8325????????00 6a00 68???????? } + $sequence_72 = { 488b0d???????? 4885c9 7405 e8???????? 4883c428 c3 4053 } + $sequence_73 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? } + $sequence_74 = { 8b4778 034774 39477c 0f834effffff } + $sequence_75 = { c1ed04 83c004 81f91e010000 894f74 } + $sequence_76 = { a1???????? 8b35???????? 
83c01e 50 ffd6 } + $sequence_77 = { e8???????? 488b0d???????? 4883c12e ff15???????? 4c8b05???????? 448d7b02 } + $sequence_78 = { 8b4036 85c0 75ec 8b06 } + $sequence_79 = { 5f 5b 8be5 5d c3 0fb708 6683f902 } + $sequence_80 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 } + $sequence_81 = { 83a78c00000000 33c0 c3 51 e8???????? } + $sequence_82 = { 7505 8d5857 eb15 488b05???????? 89702a } + $sequence_83 = { ffd7 8b1d???????? 6a3a b8???????? 56 ff35???????? a3???????? } + $sequence_84 = { eb14 a1???????? 89701a 8b4508 8938 } + $sequence_85 = { 83c01e 50 ff15???????? c20400 a1???????? 56 83c004 } + $sequence_86 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf } + $sequence_87 = { 4883c12e ff15???????? 448b05???????? 488bd3 b92ab5f293 } + $sequence_88 = { 8b45e8 8d4de8 8945f4 3bc1 0f851ffeffff } + $sequence_89 = { 0f8e2a040000 8a05???????? 4238042b 7521 448bc2 } + $sequence_90 = { c9 c20800 55 8bec 81ec1c010000 8d4807 83e1f8 } + $sequence_91 = { 33c0 e8???????? 8bd8 a1???????? 83c036 83c9ff } + $sequence_92 = { 488b0d???????? 4883c12e ff15???????? 488b15???????? 488b8c24b0000000 488b12 } + $sequence_93 = { c1ed03 0fb70442 6683e107 66898c4788000000 } + $sequence_94 = { 88040a 8b8314170000 83432801 b910000000 2ac8 } + $sequence_95 = { 488bd8 488b05???????? f0834056ff 4885db } + $sequence_96 = { 8a8310170000 88040a 83432801 8a8311170000 } + $sequence_97 = { 897004 5f 5e 5b c20800 51 53 } + $sequence_98 = { c9 c21000 a1???????? 83c01e 50 ff15???????? eb08 } + $sequence_99 = { c744242800010000 89442420 e8???????? 488b0d???????? 413bc6 480f454c2458 } + $sequence_100 = { ff15???????? 57 ff15???????? 8906 33ff } + $sequence_101 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? } + $sequence_102 = { 83c01e 50 ff15???????? 8ac3 5b c20400 53 } + $sequence_103 = { ffb72c080000 e8???????? 
5e 5d 5b c3 eb10 } + $sequence_104 = { 8b4778 034774 3bc8 0f86a4000000 } + $sequence_105 = { c1e804 46 33048d1062be03 85ff 75cf } + $sequence_106 = { ff742410 57 e8???????? 8bd8 83fb02 } + $sequence_107 = { 56 8b35???????? 6a00 ffd6 ff742414 ff742414 57 } + $sequence_108 = { 894dec c745e0e724be03 8945d8 751b f605????????01 7412 8b7e08 } + $sequence_109 = { 08ee 2ad2 50 3a1c07 } + $sequence_110 = { 48 55 395002 cd60 } + $sequence_111 = { 8b4508 8945e4 8b00 c745e820320410 } + $sequence_112 = { ff75e8 ffd7 eb08 ff15???????? } + $sequence_113 = { ff15???????? a1???????? 8d480c 33ed 83c42c 3929 } + $sequence_114 = { 8bd8 3bde 0f85df020000 e8???????? 8bd8 3bde } + $sequence_115 = { e8???????? ff75ec 8b3d???????? 8bd8 ffd7 ff75e8 } condition: - 7 of them and filesize < 778240 + 7 of them and filesize < 802816 } rule MALPEDIA_Win_Orchard_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c398118-a219-5655-a01d-698db312ac7e" - date = "2026-01-05" - modified = "2026-01-06" + id = "7de940d5-584d-5aff-b2d4-7e170a44e5c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.orchard_auto.yar#L1-L159" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.orchard_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "ef8c17e904478cac826167cfa0e1c29f054430dec351151f351e3917ccca81f2" + logic_hash = "8c12838db4bcb3ee6f62a3b1ff1db7a8af267b58c9ff94be80b506ff6195c762" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + 
malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b49fc 83c223 2bc1 83c0fc 83f81f 0f877e030000 52 } - $sequence_1 = { 83c028 895de0 8b5de8 894348 } - $sequence_2 = { 8b75a8 46 56 e8???????? 8bf8 } - $sequence_3 = { 89542420 f7e1 8bc8 8954240c } - $sequence_4 = { 56 ff15???????? ff15???????? 50 6a00 } - $sequence_5 = { 8d442410 50 ff15???????? 6685c0 } - $sequence_6 = { 6a05 c70600000000 c7461000000000 c746140f000000 68???????? } - $sequence_7 = { f7f9 81c2d0070000 52 ffd6 } - $sequence_8 = { 0f877e030000 52 51 e8???????? 83c408 } - $sequence_9 = { 50 ff15???????? 83f805 7507 } - $sequence_10 = { c645fc08 e8???????? 894604 83c404 8d4718 897034 8d5804 } - $sequence_11 = { 83c404 e8???????? 99 b95b000000 f7f9 } - $sequence_12 = { 89542428 8b54240c 83d200 03c1 } - $sequence_13 = { e8???????? 894604 83c318 897730 } + $sequence_0 = { 83c028 895de0 8b5de8 894348 } + $sequence_1 = { 6a05 c70600000000 c7461000000000 c746140f000000 } + $sequence_2 = { 8d442410 50 ff15???????? 6685c0 } + $sequence_3 = { e8???????? 8b55e0 8b7de8 8955e0 8b02 } + $sequence_4 = { 83c404 e8???????? 99 b95b000000 } + $sequence_5 = { 8b75a8 46 56 e8???????? } + $sequence_6 = { 8bc6 89542420 f7e1 8bc8 8954240c } + $sequence_7 = { 56 ff15???????? ff15???????? 50 6a00 68ffff1f00 } + $sequence_8 = { 8945e0 c7437000000000 c7839000000000000000 c7839400000000000000 } + $sequence_9 = { f7f9 81c2d0070000 52 ffd6 } + $sequence_10 = { 6a0c 57 e8???????? 83c408 c645fc01 } + $sequence_11 = { 7214 8b49fc 83c223 2bc1 83c0fc 83f81f 0f877e030000 } + $sequence_12 = { 50 ff15???????? 83f805 7507 } + $sequence_13 = { c645fc08 e8???????? 894604 83c404 } $sequence_14 = { 8bc8 8bc7 8d9d48ffffff c645fc03 } - $sequence_15 = { 8bc8 8bc7 8d5c2460 c68424a800000001 e8???????? 50 } + $sequence_15 = { 8bc8 8bc7 8d5c2460 c68424a800000001 e8???????? 
} condition: 7 of them and filesize < 4716352 
@@ -108349,36 +108811,36 @@ rule MALPEDIA_Win_Xbot_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "940e14dd-221d-5819-92eb-1310f719add8" - date = "2026-01-05" - modified = "2026-01-06" + id = "58cb2f91-1102-5908-a6e2-fe98a17e22ae" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xbot_pos_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xbot_pos_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "535bdd8a229ae04e062f9eb15912ae47549a3a824b333a9bb79944aa1215914b" + logic_hash = "ec373b97e40b3a7bb938649541ea98b350494940cf5081f6a9f461b68b77d517" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c685d3fcffff00 c745fcffffffff 8d4dd0 e8???????? } - $sequence_1 = { 6bc230 03048de0465600 b901000000 c1e100 c644082a0a 807dff01 } - $sequence_2 = { eb0a c78558fcffff01000000 8a9558fcffff 88959ffdffff } - $sequence_3 = { 005f56 4d 005f56 4d 0026 56 4d } - $sequence_4 = { e8???????? c685bbfdffff01 c745fcffffffff 8d8da8feffff e8???????? 
8a85bbfdffff 52 } - $sequence_5 = { 4c 005166 4c 004566 4c 007566 4c } - $sequence_6 = { 743e 83ec0c 8bc4 89a5ecfeffff 6a00 50 8d4d0c } - $sequence_7 = { 83e13f 6bd130 8b0485e0465600 0fb64c1028 83e140 740f } - $sequence_8 = { c68583f9ffff01 eb07 c68583f9ffff00 8a8d83f9ffff 888dcbfbffff 8b45e8 8a8dd7fbffff } - $sequence_9 = { e8???????? 83c404 83e03f 6bc830 030cb5e0465600 894de4 eb07 } + $sequence_0 = { 83c40c e9???????? 8b4514 3b4508 7753 8b45ec 50 } + $sequence_1 = { 833800 7621 8b4dec e8???????? 8985e8feffff 8b85e8feffff 8b08 } + $sequence_2 = { 8b8518f1ffff 898514f1ffff c645fc0f 8b8d14f1ffff 51 8d9554f1ffff } + $sequence_3 = { 8b0c8de0465600 89443120 89543124 e9???????? } + $sequence_4 = { 89951cf1ffff c645fc0e 8b851cf1ffff 50 8d8db4fbffff 51 8d9578f1ffff } + $sequence_5 = { 000f 50 4c 001c50 4c 0029 } + $sequence_6 = { 837dec00 7418 8b45ec 8985a8feffff 8b8da8feffff 51 } + $sequence_7 = { 83ca01 899558feffff c645fc00 8d4db0 e8???????? } + $sequence_8 = { 83c41c 83ec0c 8bcc 89a5c0feffff 8d45d8 50 } + $sequence_9 = { c745f030b65300 8b4df0 51 8d55e0 52 8d4de8 } condition: 7 of them and filesize < 3031040 
@@ -108388,36 +108850,36 @@ rule MALPEDIA_Win_Nemty_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cdf39d25-7035-553c-816d-fe9d35a19962" - date = "2026-01-05" - modified = "2026-01-06" + id = "b096c28c-62cf-5b76-9cea-a4a47cf581e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nemty_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nemty_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "3672eaf2e9c4783f20e7f6ec877d618670612c5d8376e42a0d5a0e87ba0dbd7a" + logic_hash = "afb2d01d491036b9746dc0ecbfc2c482240d2255977e6e394f054f4c1a86a43a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6bf61c 8b45e8 03f0 897308 6bff1c } - $sequence_1 = { e8???????? 53 8d75e0 e8???????? 8b4dfc 5f 5e } - $sequence_2 = { e8???????? 6a01 33ff 8d7508 e8???????? 8b4dfc } - $sequence_3 = { 83c61c 3bd8 72c0 68???????? } - $sequence_4 = { ff15???????? 53 8d459c 50 ff35???????? } - $sequence_5 = { e8???????? 33db 43 53 33ff 8d75e0 e8???????? } - $sequence_6 = { c20400 8b4f04 53 8bd8 56 } - $sequence_7 = { 5f f7ff 43 83c61c 3bd8 72c0 } - $sequence_8 = { 837d3810 8bf8 8b4524 59 7303 8d4524 837d3810 } - $sequence_9 = { 50 56 6806000200 6a01 56 56 68???????? 
} + $sequence_0 = { 730e 8d4d24 eb09 80392b 7503 c6012e } + $sequence_1 = { 7405 e8???????? 83c61c 897510 83c31c 895d08 } + $sequence_2 = { a1???????? 33c5 8945fc 8d85f4fdffff 50 33c0 } + $sequence_3 = { 85c0 7453 83ec1c 03cb } + $sequence_4 = { 83c410 834dfcff 8b4304 8945e4 8b0b } + $sequence_5 = { ff15???????? 53 8d459c 50 ff35???????? } + $sequence_6 = { 8bc3 e8???????? eb23 ff759c } + $sequence_7 = { 8db5b4fcffff e8???????? 53 8db57cfcffff } + $sequence_8 = { 7507 be???????? eb2b 83f802 7507 be???????? eb1f } + $sequence_9 = { 837d3810 8bf8 8b4524 59 7303 8d4524 837d3810 } condition: 7 of them and filesize < 204800 
@@ -108427,58 +108889,58 @@ rule MALPEDIA_Win_Andromeda_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aedaa52d-9d6c-5053-8164-d65674aef5c3" - date = "2026-01-05" - modified = "2026-01-06" + id = "b2db6139-0ee4-5e8d-86e7-2ff7173b97ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.andromeda_auto.yar#L1-L305" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.andromeda_auto.yar#L1-L313" license_url = "N/A" - logic_hash = "20401b03708a6c3a0bc1e9efb5c1e1d85a9de75bca8501a792bc92bf7f214fb5" + logic_hash = "05ee29e80de3d90a97ea2b212851cd6156ac3e7bdf52b5dc9978b3709eae2c9a" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 02d6 81e2ff000000 368a942a00ffffff 301439 41 } - $sequence_1 = { 8b7508 33db 368a942900ffffff 02c2 } - $sequence_2 = { 7408 43 3b5d0c 74cf ebcf 33c0 } - $sequence_3 = { 55 8bec 81c400ffffff 60 b940000000 8d7dfc b8fcfdfeff } - $sequence_4 = { fec0 368a942800ffffff 02da 368ab42b00ffffff 3688b42800ffffff 3688942b00ffffff 02d6 } - $sequence_5 = { e2f8 fc 33c0 8b7508 } - $sequence_6 = { 368ab42800ffffff 3688b42900ffffff 3688942800ffffff fec1 } - $sequence_7 = { 8d7dfc b8fcfdfeff fd ab 2d04040404 e2f8 } - $sequence_8 = { 60 e8???????? 5d 81ed???????? 
33c9 } - $sequence_9 = { 0fb64601 84c0 7905 0d00ffffff } - $sequence_10 = { 0f9ec1 33d2 3c41 0f9dc2 85ca 7404 0420 } - $sequence_11 = { 8a06 33c9 3c5a 0f9ec1 33d2 3c41 } - $sequence_12 = { 8d45d0 50 6a01 ff7508 } - $sequence_13 = { 50 e8???????? 83c40c 6800000100 e8???????? } - $sequence_14 = { 68???????? 50 ff15???????? 83c40c 56 6880000000 } - $sequence_15 = { 689f010000 6811010000 57 68???????? ff15???????? 50 } - $sequence_16 = { 68401f0000 e8???????? 668945e2 c745e400000000 } - $sequence_17 = { c745e400000000 6a00 6a00 6a00 6a06 6a01 6a02 } - $sequence_18 = { c7459c44000000 8945d4 8945d8 8945dc 66c745cc0000 c745c801010000 8d458c } - $sequence_19 = { 7457 33c0 8d7d9c b944000000 f3aa 6a00 6a00 } - $sequence_20 = { e8???????? ff75f4 e8???????? 68???????? 6801010000 e8???????? } - $sequence_21 = { 6a02 e8???????? 8945f0 83f8ff 7479 } - $sequence_22 = { e8???????? 8945f8 83f800 0f8458010000 } - $sequence_23 = { 6804010000 ff75fc 6a00 e8???????? 6a00 ff75f8 } - $sequence_24 = { 81fb5267a723 0f843fffffff 56 ff7514 } - $sequence_25 = { 0faff8 69f677adcc8a 81ffd02eaced 0f84a1feffff e9???????? 
803beb } - $sequence_26 = { 81e604002402 81e747af3c96 81ce00008000 81c760345938 } - $sequence_27 = { 8b4574 833800 0f846c010000 6af5 ff5510 } - $sequence_28 = { ff5614 8bd8 81f392be3437 81ff64e62722 0f8418010000 8365f000 6850020000 } - $sequence_29 = { ff5638 314508 ff560c 8b7d04 0bd8 81fbb599839e 7503 } - $sequence_30 = { 81f99cd8b976 7417 85db 7c73 } - $sequence_31 = { ff5518 33f8 81f6acec75ce 81ff45ee1de6 0f84ce000000 837d4800 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 3b5d0c 74cf ebcf 33c0 33db } + $sequence_1 = { 3688b42800ffffff 3688942b00ffffff 02d6 81e2ff000000 368a942a00ffffff 301439 41 } + $sequence_2 = { 8bec 81c400ffffff 60 b940000000 8d7dfc b8fcfdfeff fd } + $sequence_3 = { 8b7d10 fec0 368a942800ffffff 02da 368ab42b00ffffff 3688b42800ffffff } + $sequence_4 = { 41 3b4d14 75c3 61 } + $sequence_5 = { e2f8 fc 33c0 8b7508 33db 368a942900ffffff } + $sequence_6 = { b8fcfdfeff fd ab 2d04040404 e2f8 fc 33c0 } + $sequence_7 = { 020433 368ab42800ffffff 3688b42900ffffff 3688942800ffffff fec1 7408 43 } + $sequence_8 = { 60 e8???????? 5d 81ed???????? } + $sequence_9 = { 50 e8???????? 83c40c 6800000100 e8???????? } + $sequence_10 = { 6a00 6a30 8d45d0 50 6a01 ff7508 } + $sequence_11 = { 8a06 33c9 3c5a 0f9ec1 } + $sequence_12 = { 0fb64601 84c0 7905 0d00ffffff } + $sequence_13 = { 33d2 3c41 0f9dc2 85ca 7404 0420 8806 } + $sequence_14 = { 56 ff7508 c745f805000000 c745fc40000000 e8???????? } + $sequence_15 = { 6a02 ffd3 6a32 ffd6 57 57 } + $sequence_16 = { 6a10 8d45e0 50 ff75f0 e8???????? } + $sequence_17 = { 83f800 0f8458010000 6804010000 ff75f8 68???????? e8???????? } + $sequence_18 = { c745e400000000 6a00 6a00 6a00 6a06 } + $sequence_19 = { 6a00 6a00 68???????? 6a00 e8???????? 
eba9 6a00 } + $sequence_20 = { 8945d8 8945dc 66c745cc0000 c745c801010000 8d458c } + $sequence_21 = { 6a00 6a06 6a01 6a02 e8???????? 8945f0 83f8ff } + $sequence_22 = { 0f8476010000 6804010000 6a00 ff35???????? e8???????? 8945f8 } + $sequence_23 = { e8???????? 6804010000 ff75fc 6a00 } + $sequence_24 = { 83656000 ff560c 0fafd8 ff5638 33f8 81ffb19e42da } + $sequence_25 = { 81ef21181d2d 81c6daf05740 894568 8b4568 81efe681e610 81ce9e5aef4c } + $sequence_26 = { 0f859c000000 81f639913fa9 81e7ca3b0a91 81fe12cdd543 0f84d6fdffff 8d45e0 50 } + $sequence_27 = { 0bf8 81f66cfd417a 81ff6ef42c67 0f84ec070000 } + $sequence_28 = { ff75d4 35ebb0598f 50 ff75cc e8???????? } + $sequence_29 = { 64a130000000 89456c ff5634 2bd8 81ef54666d24 81fb0965812b 0f8406010000 } + $sequence_30 = { ff5630 2bd8 8b4558 81cf23aceabc 39456c 7519 8bc7 } + $sequence_31 = { 69ff903caf90 ff55f4 0faff0 81febed4f06f 0f844bf7ffff 8d45e0 } condition: 7 of them and filesize < 204800 
@@ -108488,47 +108950,49 @@ rule MALPEDIA_Win_Batel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce5297ec-2628-56fe-90d3-14a58de70bd5" - date = "2026-01-05" - modified = "2026-01-06" + id = "c91d0b1c-2fe0-51d7-a49d-7d6cffcd2786" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.batel_auto.yar#L1-L219" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.batel_auto.yar#L1-L231" license_url = "N/A" - logic_hash = "be5c7cfc92fc63831f946ba5608b114c38a6759dff1e1a478b017b493c38ecb1" + logic_hash = "a9cd956e2178bd46c61a7442a0a8fdeafc2cb5e9b8c9fa3dfaa648b03338c845" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 33c0 5b c21000 3b0d???????? 7502 } - $sequence_1 = { eb35 a1???????? 81b80000230050450000 75eb b90b010000 66398818002300 } - $sequence_2 = { 7412 ffd0 56 ffd3 68005c2605 ffd5 47 } - $sequence_3 = { 8bec 81eca0020000 68ee020000 ff15???????? 689d020000 } - $sequence_4 = { 85f6 7422 68???????? 56 ff15???????? 85c0 7412 } - $sequence_5 = { 57 6a40 6800100000 689e020000 } - $sequence_6 = { 68005c2605 ffd5 47 83ff5a 7ccd 5f 5e } - $sequence_7 = { 55 8b2d???????? 56 57 68a00f0000 ffd5 8b1d???????? } - $sequence_8 = { 33c9 b8???????? 8a10 88940d60fdffff } - $sequence_9 = { 6868212300 e8???????? 
33db 895de4 8d4594 50 ff15???????? } - $sequence_10 = { 8935???????? 68d0202300 68c4202300 e8???????? 59 59 } - $sequence_11 = { 66a5 ffd0 5f 5e } - $sequence_12 = { e9???????? 6894152300 e8???????? a1???????? c704242c302300 ff35???????? } - $sequence_13 = { ff15???????? 689d020000 8d8561fdffff 6a00 50 } - $sequence_14 = { 50 c68560fdffff00 e8???????? 83c40c 33c9 } - $sequence_15 = { 41 3d???????? 7cec 56 57 } - $sequence_16 = { 8b1d???????? bf01000000 8d642400 68???????? ff15???????? 8bf0 85f6 } - $sequence_17 = { c745fc00000000 6800002300 e8???????? 83c404 85c0 } - $sequence_18 = { 689e020000 6a00 ff15???????? 8bf8 b9a7000000 8db560fdffff f3a5 } - $sequence_19 = { c3 8bff 56 b858212300 be58212300 57 } - $sequence_20 = { 7419 ffd0 56 ffd3 68404c5827 ff15???????? 47 } + $sequence_1 = { 68ee020000 ff15???????? 689d020000 8d8561fdffff 6a00 50 } + $sequence_2 = { 6868212300 e8???????? 33db 895de4 } + $sequence_3 = { 83c003 41 3d???????? 7cec 56 57 } + $sequence_4 = { 56 ffd3 68005c2605 ffd5 47 } + $sequence_5 = { 8b4508 2d00002300 50 6800002300 e8???????? 83c408 85c0 } + $sequence_6 = { ff750c ff7508 6862102300 6800302300 e8???????? } + $sequence_7 = { 83c40c 33c9 b8???????? 8a10 88940d60fdffff 83c003 } + $sequence_8 = { ff15???????? 8bf0 85f6 7429 68f4202300 } + $sequence_9 = { ff15???????? 85c0 7412 ffd0 56 ffd3 } + $sequence_10 = { 85f6 7422 68???????? 56 ff15???????? 85c0 7412 } + $sequence_11 = { 6a00 50 c68560fdffff00 e8???????? 83c40c 33c9 } + $sequence_12 = { ffd5 47 83ff5a 7ccd } + $sequence_13 = { 8db560fdffff f3a5 66a5 ffd0 5f 5e } + $sequence_14 = { 56 57 68a00f0000 ffd5 8b1d???????? } + $sequence_15 = { 7505 e8???????? 33c0 5d c20400 685f142300 ff15???????? } + $sequence_16 = { a1???????? 85c0 752c 8935???????? 68d0202300 } + $sequence_17 = { 8b1d???????? bf01000000 8d642400 68???????? ff15???????? 8bf0 } + $sequence_18 = { ff15???????? 8b1d???????? bf01000000 8da42400000000 68e0202300 ff15???????? 
} + $sequence_19 = { 8bec 81eca0020000 68ee020000 ff15???????? } + $sequence_20 = { 7cec 56 57 6a40 6800100000 689e020000 } + $sequence_21 = { 83ff5a 7ccd 5f 5e 5d 33c0 5b } + $sequence_22 = { 8bf8 b9a7000000 8db560fdffff f3a5 } condition: 7 of them and filesize < 49152 
@@ -108538,36 +109002,36 @@ rule MALPEDIA_Win_Zeus_Openssl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d31ed497-e4a7-5163-b5e5-7492582406ac" - date = "2026-01-05" - modified = "2026-01-06" + id = "75c91c8f-660c-5fd9-8ded-04a7820bc535" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeus_openssl_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeus_openssl_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "16a4630d182e49d69e9e6276c110ddae0774c12808dbb665512c7a33855cd109" + logic_hash = "e7fd00690390e7987498d7d27486b95194c61ca2651f4f0e4767f4d9ca928e08" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf8 05fffeffff 4e 03c6 } - $sequence_1 = { 0181a8160000 837de000 7419 8b75e0 8b45f0 0fb7443002 8b75f8 } - $sequence_2 = { 2bc3 8bda 8b55c4 83c005 894304 8b45f0 2bd6 } - $sequence_3 = { 6a1c 8945f0 8845ff 8bfa 32c0 59 } - $sequence_4 = { 8bec 83ec10 53 56 57 8b3d???????? 33db } - $sequence_5 = { 83ec0c 56 57 8bf2 8bf9 e8???????? } - $sequence_6 = { 83c408 8b87bc160000 894df8 83f810 7530 8b4f14 } - $sequence_7 = { 743b 83ef50 7412 83ef75 742a } - $sequence_8 = { 89475c e8???????? 
8b0f 33c0 394110 5f } - $sequence_9 = { 8b45fc 48 50 8d9694000000 8bce } + $sequence_0 = { 745a 837b4000 7454 837b4400 744e 85d2 } + $sequence_1 = { 8bf9 8b8fbc160000 83f90d 7e52 8b5708 56 } + $sequence_2 = { 85d2 744a 8bc6 d1e8 8bcf 8d0442 8983a4160000 } + $sequence_3 = { 0f8547160000 83390b 7506 c7010c000000 8b500c } + $sequence_4 = { 2bf0 0181c41b0000 8955f8 8b4140 8981c81b0000 c70116000000 } + $sequence_5 = { 83feff 750a 8b1d???????? 33f6 eb03 } + $sequence_6 = { 83c608 03d0 895dfc 8955f8 897df0 3b75cc 72dc } + $sequence_7 = { 0f84c0000000 0fb74014 8b4e14 894d08 } + $sequence_8 = { 6a01 50 8bce e8???????? 8b466c } + $sequence_9 = { 726d 8b8ea0160000 8b86a4160000 8a5660 bf01000000 66893c48 8b86a0160000 } condition: 7 of them and filesize < 4546560 
@@ -108577,36 +109041,36 @@ rule MALPEDIA_Win_Mole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "95af4ae3-464a-5d8e-afd4-0a11f6d0106b" - date = "2026-01-05" - modified = "2026-01-06" + id = "f4675281-1c27-589e-9c74-7ddeefc0bdef" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mole_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mole_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "8a4687261d47d17fe0f3216955f42cc9f1da6596391fc3e1935f901a9405d6fa" + logic_hash = "44af167042295f11247abf2257f521989211d24592efa54abaa895c2392af2c3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 81bdf0fdffffc7a4d005 0f846a6a0000 81bdf0fdffffcba4d005 0f8478790000 e9???????? 81bdf0fdffffd0a6d005 } - $sequence_1 = { 8d85f0ebffff 03c1 8b8d14e5ffff 50 8b8530e5ffff 8b048578f64100 } - $sequence_2 = { ff15???????? c745f800000000 c745fc00000000 6a00 6a18 68???????? } - $sequence_3 = { 52 ff15???????? 
83c41c 6a01 8d85ecf0ffff 50 } - $sequence_4 = { 0f873b5a0000 8b8df0fdffff 0fb69130cd4000 ff249518cd4000 8b85f0fdffff } - $sequence_5 = { 898570faffff 83bd70faffffff 7431 6a00 8d8d44faffff 51 8b955cfaffff } - $sequence_6 = { 83bde8feffff02 750c c785dcfeffff07000000 eb46 83bde4feffff06 7515 83bde8feffff03 } - $sequence_7 = { 0fb6822cb64000 ff24850cb64000 81bdf0fdffff596ad005 7746 81bdf0fdffff596ad005 0f848d5a0000 } - $sequence_8 = { 7d0d 8a441918 888168c44100 41 ebe8 } - $sequence_9 = { 0f8473590000 e9???????? 81bdf0fdffffc360d305 7725 81bdf0fdffffc360d305 } + $sequence_0 = { c745ec00000000 c745fc00000000 c745f400000000 8d45fc 50 6a08 ff15???????? } + $sequence_1 = { 8d8dc8f9ffff 51 8d95ecfbffff 52 ff15???????? 8b4514 50 } + $sequence_2 = { 81bdf0fdffffcde5d405 0f8458400000 81bdf0fdffff41e6d405 0f849e440000 81bdf0fdffff44e6d405 0f84742c0000 e9???????? } + $sequence_3 = { 6a00 ff15???????? 8d85b0f9ffff 50 68???????? 8d8dc0fdffff 51 } + $sequence_4 = { 55 8bec b8d81d0000 e8???????? a1???????? 33c5 8945fc } + $sequence_5 = { 81bdf0fdffffd164d205 0f84cd630000 e9???????? 81bdf0fdffff4b67d205 0f84226b0000 e9???????? 81bdf0fdffff4668d205 } + $sequence_6 = { 81bdf0fdffffd220d505 0f84f34a0000 81bdf0fdffffb318d505 7735 81bdf0fdffffb318d505 } + $sequence_7 = { 7810 3de4000000 7309 8b04c548834100 5d c3 33c0 } + $sequence_8 = { e8???????? 68ff000000 e8???????? 59 59 8b7d08 833cfd48cc410000 } + $sequence_9 = { 6a00 6a00 8d95b0f9ffff 52 6a00 ff15???????? } condition: 7 of them and filesize < 297984 
@@ -108616,77 +109080,77 @@ rule MALPEDIA_Win_Portstarter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e44ac3aa-4f26-585d-bdee-c9904fdae8c9" - date = "2026-01-05" - modified = "2026-01-06" + id = "0cb0de91-0f00-504b-b858-4628740872a9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.portstarter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.portstarter_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.portstarter_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "73b0c7ed74c72cbbc30b57a6a611882f5357bf630e7fd50ae5a5939e6bfc7459" + logic_hash = "3f78ba69db52b055c0289e4eb33d8701a119eb5c4a41f7ae830f18ba08059434" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8b9c24a8010000 4c89442448 7507 4d8b4c2408 } - $sequence_1 = { 4c8b8c24d8000000 4d8b5918 4d8b6318 4d8b6b08 4d8b1b 4d39e5 0f8645050000 } - $sequence_2 = { 4c8b9c24b8000000 498d3c03 488b842410010000 4c89d1 4c89c6 90 } - $sequence_3 = { 4c8b942468010000 4d21fa 4d09d5 49c1ed3f 4f8d1404 4d01ea } - $sequence_4 = { 4c8d6424f0 4d3b6610 0f8660030000 4881ec90000000 4889ac2488000000 488dac2488000000 } - $sequence_5 = { 4c8b9424d8000000 4c8ba42400010000 4c896310 4c895318 } - $sequence_6 = { 4c8b9424d8000000 4d39e2 0f8745010000 0f8734010000 } - $sequence_7 = { 4c8d6424d0 
4d3b6610 0f8610020000 4881ecb0000000 } - $sequence_8 = { 41b800de1b00 488d15d02f0000 488d4c2420 e8???????? } - $sequence_9 = { 4863442430 486bc010 488d0de3061c00 4803c8 } - $sequence_10 = { 4883ec48 8b442458 89442424 48c744242800000000 41b800de1b00 } - $sequence_11 = { 488d0de3061c00 4803c8 488bc1 48634c2434 } + $sequence_0 = { e8???????? 488b7c2448 4c8b442430 c644247000 48c744247800000000 440f11bc2480000000 31c0 } + $sequence_1 = { e8???????? 488b542460 4c8ba42498000000 418b44d408 488b8c24e8000000 4839c1 0f863d030000 } + $sequence_2 = { e8???????? 488b542460 4c8ba42498000000 418b4cd408 488b9424c0000000 488b9c24c8000000 } + $sequence_3 = { e8???????? 4889d8 4889f1 e8???????? 4c89c8 } + $sequence_4 = { e8???????? 488b8c24a0000000 48894808 833d????????00 750d 488b942400010000 488910 } + $sequence_5 = { e8???????? 4889f7 488b4f08 833d????????00 } + $sequence_6 = { e8???????? 488b542418 488b7c2430 48895758 } + $sequence_7 = { e8???????? 488b7c2450 48894f10 833d????????00 6690 7505 488907 } + $sequence_8 = { 4863442430 486bc010 488d0de3061c00 4803c8 } + $sequence_9 = { 41b800de1b00 488d15d02f0000 488d4c2420 e8???????? 
} + $sequence_10 = { 488d0de3061c00 4803c8 488bc1 48634c2434 } + $sequence_11 = { 4883ec48 8b442458 89442424 48c744242800000000 41b800de1b00 } condition: - 7 of them and filesize < 14216192 + 7 of them and filesize < 14221312 } rule MALPEDIA_Win_Ceeloader_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "33871f14-7cee-5da9-9ebd-8890978a4d51" - date = "2026-01-05" - modified = "2026-01-06" + id = "1d7ad03f-5aa9-5141-8e52-1a82b7d122e4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceeloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ceeloader_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ceeloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "4d0387a20d12583a262adee6bbac65a30e624cee690a9f69b13de10eb064ad76" + logic_hash = "bad566af8c3d90e70d1988225922395e6938287b80a820f071028582a7a804e4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0bd3 3bce 8bf5 23fd 0bda 8bde 0bd3 } - $sequence_1 = { 48c744242000000000 e8???????? 89842438020000 488b8c2440020000 e8???????? c784249402000000000000 8944243c } - $sequence_2 = { 4883ec20 8bd9 4c8d0dc9f60700 b904000000 4c8d05b5f60700 488d15f6d80700 e8???????? 
} - $sequence_3 = { c7842424060000043b0000 c7842420060000660d0000 c784241c060000a2780000 c784241806000079050000 c784241406000042520000 c78424100600002b350000 c784240c06000015070000 } - $sequence_4 = { 89ca 2315???????? 8915???????? 0faf0d???????? 030d???????? 8b15???????? 448b05???????? } - $sequence_5 = { 83393f 0f837c030000 31c0 89c1 b820000000 89c2 41b800100000 } - $sequence_6 = { 89842444090000 8b842444090000 357a620000 89842488070000 c7842484070000d86c0000 c7842480070000e3710000 c784247c070000c1470000 } - $sequence_7 = { 448984242c010000 e9???????? 488b8424e8000000 488b00 8b8c24f0000000 } - $sequence_8 = { 89842400060000 8b8424dc0b0000 4189c1 4181e1ff010000 44898c242c0d0000 448b8c242c0d0000 41c1e106 } - $sequence_9 = { 898424800c0000 ff15???????? 89842488040000 8b8424780c0000 0b84247c0c0000 898424800c0000 8b8424800c0000 } + $sequence_0 = { 89d6 81e635913d02 89b424ec030000 8bb424ec030000 c1e601 89b424e8030000 44039c24e8030000 } + $sequence_1 = { 4c8d0562cd0a00 488d1563cd0a00 b901000000 e8???????? 488bd8 4885c0 7417 } + $sequence_2 = { ff15???????? 898424f80a0000 66c78424f60a00000000 66c78424f40a00000000 48c78424e80a000000000000 4c8b8424e80a0000 668b9424f40a0000 } + $sequence_3 = { c784249002000075380000 c784248c020000c5360000 c78424880200005a380000 c7842484020000ff6f0000 c7842480020000123e0000 c784247c02000043360000 c78424780200001f220000 } + $sequence_4 = { 488945cf 488945d7 488d05cc660700 488945ff 488d05d1660700 4889450f 488d05d6660700 } + $sequence_5 = { 8bc6 0bda 8bde 0bd3 3bce 33f5 0bc3 } + $sequence_6 = { 41c1ea05 44899424f4040000 442b8c24f4040000 44898c24f0040000 448b8c24f0040000 4189c2 4181e2b1524402 } + $sequence_7 = { 0fbe05???????? 83f06c 88c1 884c2445 0fbe05???????? 
83f06f 88c1 } + $sequence_8 = { 41c1e405 4489a42458040000 4403bc2458040000 4489bc2454040000 448bbc2454040000 4589dc 4181e45d386101 } + $sequence_9 = { 44698424a0090000ab000000 448984249c090000 448b84249c090000 41c1e80c 4489842498090000 446b84249809000003 4489842494090000 } condition: 7 of them and filesize < 2321408 
@@ -108696,36 +109160,36 @@ rule MALPEDIA_Win_Combos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc69e396-00ed-59a2-ba11-780fc1f2665b" - date = "2026-01-05" - modified = "2026-01-06" + id = "0fc120d2-6213-5d13-b8ed-e7573d6552f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.combos_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.combos_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "197be11859075969cf043a035f09c4b79bbdaf0b1f0ee080745a9acd79282960" + logic_hash = "a2108d4b57b9f4a8fbe6693087fb932791a19ebd1cb49ceb2f83454ee1bbc1b1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f3ab c1e604 aa 8d9e50120110 803b00 8bcb } - $sequence_1 = { 899ddcfeffff 899dd4feffff 895dfc 8b4508 } - $sequence_2 = { e8???????? 8b35???????? 83c408 6a0a ffd6 a1???????? 
} - $sequence_3 = { 81ec00020000 57 b93f000000 33c0 8d7c2405 } - $sequence_4 = { 0bc5 33c1 8b848600ffffff 0bc7 5f 5e } - $sequence_5 = { 6800010000 51 57 ffd6 8d542408 } - $sequence_6 = { 33ff 89bdccfeffff 89bdc8feffff c785a0feffff24000000 c785a4feffff03000100 c785a8feffff08000000 8d85c8feffff } - $sequence_7 = { 6a00 56 8b74243c 56 ffd3 83c428 } - $sequence_8 = { 80c120 888800190110 eb1f 83f861 } - $sequence_9 = { 33c0 89442418 8944241c 85db } + $sequence_0 = { 0bc5 33c1 8b848600ffffff 0bc7 5f 5e } + $sequence_1 = { 8b34b5201b0110 8d04c0 8b0486 83f8ff 7404 85c0 } + $sequence_2 = { 66ab aa 8b84240c020000 8bbc2408020000 83e800 893d???????? 0f8499000000 } + $sequence_3 = { 895de0 895de4 895dd8 895dfc } + $sequence_4 = { 50 e8???????? eb0f 8d4c2418 8d542420 51 } + $sequence_5 = { 8b9c9600040000 8a51ff 0bfb 49 8bd8 83e23f } + $sequence_6 = { 7358 8bc1 c1f805 8d3c85201b0110 8bc1 83e01f 8d34c0 } + $sequence_7 = { 89742418 c744241c02000000 ff15???????? 8d542418 52 } + $sequence_8 = { 750e 8b9424a8000000 8a4c240c 880cf2 } + $sequence_9 = { 50 e8???????? 83c418 8d4c2404 68???????? 51 ff15???????? } condition: 7 of them and filesize < 163840 
@@ -108735,36 +109199,36 @@ rule MALPEDIA_Win_Cryptolocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c4f4307-498a-5b8a-b0ac-d9860b1cffe0" - date = "2026-01-05" - modified = "2026-01-06" + id = "a1492219-98ad-5e35-8268-c59b9dfb3959" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptolocker_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptolocker_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "0e60803263408ddfb3182de11bb9ae9942a6a4eed3e22029213fee0c658ec6ec" + logic_hash = "7b5dc6c7b86f8cb7cbfa9c2f5ea25879d15637080e202621f477c8bf367345bf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1e810 50 8b4610 52 ffd0 0fb6c0 5e } - $sequence_1 = { 83f80d 7605 663bc3 7504 } - $sequence_2 = { 8b06 8945e0 8b4604 8945e4 8b4d14 } - $sequence_3 = { 7539 ff7508 8b55ec 8b4de8 e8???????? } - $sequence_4 = { 48 7527 33f6 397714 7620 8b1d???????? 8b4710 } - $sequence_5 = { 5d c21800 8b4304 6a40 ff7518 8b4004 } - $sequence_6 = { ff15???????? 668b45dc 66a3???????? 8be5 5d c3 33c0 } - $sequence_7 = { 4e 49 79e4 5b } - $sequence_8 = { 740e 50 52 ff35???????? ff15???????? 
5f } - $sequence_9 = { 8bd8 81fb7a000780 750e 807dff00 751f } + $sequence_0 = { 6a00 ff7508 56 ff15???????? 8bf8 85f6 } + $sequence_1 = { eb6f 85c0 7555 f605????????01 753b 68???????? ff15???????? } + $sequence_2 = { 50 ff15???????? 83f801 750c 837dfc14 7506 8be5 } + $sequence_3 = { ff15???????? 8d4e10 c701???????? e8???????? 807e0c00 } + $sequence_4 = { 55 8bec 56 8bf1 837e0400 c706???????? 751e } + $sequence_5 = { 83ec24 c705????????1c010000 68???????? ff15???????? } + $sequence_6 = { 8d043f 8945f4 66837c08fe5c 0f95450b } + $sequence_7 = { 50 8b4320 8b4004 ff741824 } + $sequence_8 = { 6a00 ff7634 ff15???????? 3d02010000 } + $sequence_9 = { 50 ff7618 ff15???????? 5f 5e b001 5b } condition: 7 of them and filesize < 778240 
@@ -108774,36 +109238,36 @@ rule MALPEDIA_Win_Satana_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2e802f49-7188-54f8-af9a-7b169267990a" - date = "2026-01-05" - modified = "2026-01-06" + id = "6ac5752e-900f-508b-8a43-5d1260606d7f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.satana_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.satana_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "97eda1bd522e83f5fcc03e351c0ecc778e9c052cbb2ce47bd57943571eacd366" + logic_hash = "887ae7387cc24afa23134d1618119c1d4b81112cec1e098d94578e5bdf1bb2a2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 9c 90 8b1d???????? 6a00 } - $sequence_1 = { 50 68???????? a3???????? e8???????? 83c408 03df } - $sequence_2 = { a1???????? 6a00 03d2 52 50 ffd6 8b55ec } - $sequence_3 = { 83c404 8bf0 660f57c0 660f1345c4 8b5dc4 8b7dac } - $sequence_4 = { f7c200000002 7436 660f2805???????? 90 } - $sequence_5 = { 0fb64c0de8 c1ea04 0fb65415e8 8850ff 8808 0fb64c35ae } - $sequence_6 = { 50 68???????? e8???????? 83c414 eb14 ff15???????? } - $sequence_7 = { 83c404 68???????? eb33 8d4db0 51 } - $sequence_8 = { 8bc8 d1e8 83e101 33048d00904000 3305???????? a3???????? 
33c0 } - $sequence_9 = { 57 8d45fc 50 3308 db6819 203c53 6840200800 } + $sequence_0 = { e8???????? 33c0 0fb78820b04000 668988a8404100 83c002 } + $sequence_1 = { eb0f 8d0437 2bd0 8a08 880c02 40 84c9 } + $sequence_2 = { 3006 8b45ec 47 46 3bf8 72c6 8b35???????? } + $sequence_3 = { 3463 0fb6d0 8881a83f4100 888a30f24000 41 81f900010000 7cbf } + $sequence_4 = { 8b45dc 8945d4 8b4de0 894dd8 6a10 ff15???????? } + $sequence_5 = { 8da42400000000 8a88703f4100 888c05e4feffff 40 } + $sequence_6 = { 40 84c9 75f6 c785e0feffff65000000 33c0 8da42400000000 } + $sequence_7 = { 75ee b941000000 b8???????? 8d642400 8818 40 49 } + $sequence_8 = { 6a00 6a00 ff15???????? 0fb60d???????? 89048df8864100 6a32 ffd7 } + $sequence_9 = { 8b1d???????? 83c408 6a00 6a00 ffd3 8bf8 a1???????? } condition: 7 of them and filesize < 221184 
@@ -108813,36 +109277,36 @@ rule MALPEDIA_Win_Vflooder_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6da3af77-bf0c-5d0d-ad9f-8f035b957625" - date = "2026-01-05" - modified = "2026-01-06" + id = "007d0032-91d9-5d44-af19-c7a1fe0790d3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vflooder_auto.yar#L1-L109" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vflooder_auto.yar#L1-L109" license_url = "N/A" - logic_hash = "14b49a20a71548a980ead5d4f60898b254e57c1fbb273dc458944348b271a849" + logic_hash = "7affdbea211038ca3a68c8132e745788163a70b8c713502e8ddb8380677428bf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 9c ff742404 8f4500 9c 60 } - $sequence_1 = { b02e f5 f2ae e8???????? } - $sequence_2 = { 0000 43 7265 61 } - $sequence_3 = { e8???????? 0000 43 7265 } - $sequence_4 = { e8???????? 0000 43 7265 61 7465 } - $sequence_5 = { 9c ff742404 8f4500 9c } - $sequence_6 = { e8???????? 0000 43 7265 61 } - $sequence_7 = { f5 83ef04 f5 ff37 } + $sequence_0 = { 9c ff742404 8d642434 e9???????? } + $sequence_1 = { 9c 60 9c 9c 8d642430 } + $sequence_2 = { 60 ff35???????? 8f442438 9c } + $sequence_3 = { 0000 43 7265 61 7465 } + $sequence_4 = { 0000 43 7265 61 } + $sequence_5 = { e8???????? 
0000 43 7265 } + $sequence_6 = { e8???????? 0000 43 7265 61 7465 } + $sequence_7 = { e8???????? 0000 43 7265 61 } $sequence_8 = { 9c f2ae 9c 9c } - $sequence_9 = { 9c 60 9c 9c 8d642430 } + $sequence_9 = { e9???????? ff742408 8f4500 60 } condition: 7 of them and filesize < 860160 
@@ -108852,36 +109316,36 @@ rule MALPEDIA_Win_Zerot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b855400-35e2-5ab9-8ab4-5b0c449639bd" - date = "2026-01-05" - modified = "2026-01-06" + id = "5735c4f0-0fa5-56fa-bd10-ccc2b6e6661b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zerot_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zerot_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "c6f6a84594f6a63be175c01b94d4ac1a205809bd4a3810282ffee82abc5e767b" + logic_hash = "3af0379ca1783038b29b17ba19733cb825850b3efe6ca10325b923861c3d0191" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 33f6 eb13 6800006000 e8???????? } - $sequence_1 = { 6a00 6a00 ff15???????? a3???????? ff15???????? 3db7000000 7527 } - $sequence_2 = { 8b4608 c706???????? 85c0 740a 50 } - $sequence_3 = { 83c408 e9???????? 8b8d34fdffff bf???????? 83f904 } - $sequence_4 = { ff7610 6a01 ff760c ff15???????? } - $sequence_5 = { 6a00 6820020000 6a20 6a02 8d854cfeffff 66c78550feffff0005 50 } - $sequence_6 = { 7409 50 e8???????? 83c404 33ff c7850cfaffff00000000 32db } - $sequence_7 = { 6800020000 8d8510fdffff 6a00 50 e8???????? 
} - $sequence_8 = { 8d8524fdffff 50 8d4376 50 6a02 ffd6 8d851cfdffff } - $sequence_9 = { ff15???????? 8bc3 be19000000 43 } + $sequence_0 = { 56 e8???????? 83c408 80780100 } + $sequence_1 = { ba40000000 6a40 50 8d4d90 e8???????? 8d8672050000 ba80000000 } + $sequence_2 = { 46 81e6ff000080 7908 4e 81ce00ffffff 46 8b4dfc } + $sequence_3 = { 83f807 0f84a1000000 80bd13faffff00 0f8494000000 0fb74214 } + $sequence_4 = { 50 e8???????? 8d8510d0ffff 50 8d85becfffff 50 8d859acfffff } + $sequence_5 = { 740d 6a2f 56 e8???????? 83c408 8bf0 803f2f } + $sequence_6 = { 57 8918 e8???????? 83c404 81fb0000a000 } + $sequence_7 = { ff15???????? 8b8d34fdffff 85c0 bf???????? 0f44fe 83f906 } + $sequence_8 = { 57 6aff 50 6a00 6a00 ffd3 8b460c } + $sequence_9 = { 85c0 0f8490000000 85ff 740f 57 e8???????? } condition: 7 of them and filesize < 303104 
@@ -108891,42 +109355,42 @@ rule MALPEDIA_Win_Turla_Rpc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "555582c7-de4a-5625-91e9-ac0b0e0d564c" - date = "2026-01-05" - modified = "2026-01-06" + id = "326b499c-0af4-5613-8e0d-6f601ed9cd8d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.turla_rpc_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.turla_rpc_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "4906b07261ee80939dba34c531f28e5f2b514d7751640e2e81057387fedbb8f3" + logic_hash = "e8da3a197a3100c5d1e348ee2c0f0030f7886aae6c71efe765467e397297edf2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c785080100003025213c 66c7850c0100003a3b c6850e01000055 c745c007303431 } - $sequence_1 = { 488bd8 ffd3 488d4d70 488bf8 ffd3 } - $sequence_2 = { 660f6f05???????? 66c785ec0000000255 c785a0000000193a3431 c785a4000000193c3727 c785a800000034272c02 f30f7f8568010000 c685ac00000055 } - $sequence_3 = { c785c400000027273a27 c785c8000000183a3130 c685cc00000055 c785c001000030362155 c745d002273c21 c745d430133c39 66c745d83055 } - $sequence_4 = { 66c74424543155 c744243033273030 c644243455 c744244033263030 } + $sequence_0 = { e8???????? 
488bd8 4885c0 744e 4c8b4708 488b17 488bcb } + $sequence_1 = { c744245033273034 66c74424543155 c744243033273030 c644243455 } + $sequence_2 = { c745803322273c 66c745842130 c6458655 c744246838343939 66c744246c3a36 c644246e55 } + $sequence_3 = { 74e7 4883c440 5b c3 488d053bda0000 } + $sequence_4 = { c745c007303431 c745c4133c3930 c645c855 c744244806393030 66c744244c2555 } $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? } - $sequence_6 = { c7456016273034 c745642130133c c7456839300255 c7851001000016273034 c7851401000021300527 c785180100003a363026 } - $sequence_7 = { f30f7f8d98010000 c785b800000027273a27 c685bc00000055 c685d801000055 } - $sequence_8 = { c685d801000055 f30f7f85b0010000 660f6f05???????? c7858000000012302101 c7858400000030382505 } - $sequence_9 = { 68???????? 6a00 6a00 ff15???????? 6a00 6aff 68d2040000 } - $sequence_10 = { c745f474006c00 c785c8feffff14010000 ff15???????? 85c0 750e 50 50 } - $sequence_11 = { 8d45bc 50 ff15???????? 85c0 0f8581000000 } - $sequence_12 = { 7514 8d45ac 50 ff15???????? 8bf8 85ff 0f8434010000 } - $sequence_13 = { 5d c3 6a00 6800000080 6a02 } - $sequence_14 = { e8???????? cc 56 33f6 ffb614730110 ff15???????? } - $sequence_15 = { 833d????????00 0f85d3240000 ba05000000 8d0d10700110 e9???????? } + $sequence_6 = { c7456839300255 c7851001000016273034 c7851401000021300527 c785180100003a363026 66c7851c0100002602 } + $sequence_7 = { 660f6f05???????? 
66c785ec0000000255 c785a0000000193a3431 c785a4000000193c3727 c785a800000034272c02 f30f7f8568010000 c685ac00000055 } + $sequence_8 = { c745ac393a3655 c744247026212739 66c7442474303b c644247655 c744246022362636 } + $sequence_9 = { 7434 8da42400000000 8d047d02000000 50 } + $sequence_10 = { 74ab 8d45c4 50 57 6a00 6a00 ff75c0 } + $sequence_11 = { b802000000 5f 5e 5b 8b8c2480020000 33cc } + $sequence_12 = { c745d453002d00 c745d831002d00 c745dc31003600 c745e02d003000 c745e429000000 c745e861006400 c745ec76006100 } + $sequence_13 = { 8d8548ffffff 50 8d8554ffffff 50 ffb54cffffff ffd6 } + $sequence_14 = { 8d4518 c7451840540110 50 8d4dc4 } + $sequence_15 = { 7527 ff15???????? 83c404 57 ff15???????? ff15???????? 5f } condition: 7 of them and filesize < 311296 
@@ -108936,36 +109400,36 @@ rule MALPEDIA_Win_Pwnpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f880853-80ef-5ec2-a31a-31cd2006dc43" - date = "2026-01-05" - modified = "2026-01-06" + id = "546c439a-ccfe-53bd-bc6f-6c9c0e3bf0ae" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pwnpos_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pwnpos_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "145bb3fa97da57220c104891d855f912aebbcf21962d1405b1589dc2cce60605" + logic_hash = "be627f6724334036a177ad77a00dc67bf19908c5daa0a6199c0a6d01353fa95a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? bb0b000000 52 899c2468020000 e8???????? 83c40c } - $sequence_1 = { 8b07 8b4004 3974380c 750f 8b44383c 3bc6 7407 } - $sequence_2 = { 8bf0 33db 83c404 3bf3 742d 8d4e18 c7460401000000 } - $sequence_3 = { 8d4df0 e8???????? 8b4d0c 895dfc 8b5f30 51 c745ec01000000 } - $sequence_4 = { 51 53 56 52 50 8d4c243c 51 } - $sequence_5 = { 8b4d08 83c118 e9???????? 8b4d08 83c118 e9???????? } + $sequence_0 = { 83c408 833d????????00 7606 291d???????? 
8b4d0c 8b4508 8908 } + $sequence_1 = { ff2495705d4200 8bc7 ba03000000 83e904 720c 83e003 03c8 } + $sequence_2 = { 8b0485a0774400 83e61f c1e606 8d443004 8020fd 8bc7 } + $sequence_3 = { 8b5514 2bc6 51 40 8944242c 48 50 } + $sequence_4 = { 8b542428 50 8d4c2434 51 52 } + $sequence_5 = { 56 8bf1 8b4810 3bce 7302 } $sequence_6 = { 720f 8b95a0f9ffff 52 e8???????? 83c404 b001 8b4df4 } - $sequence_7 = { 57 57 57 57 57 8d85d8f9ffff 50 } - $sequence_8 = { c705????????80b24300 c3 c705????????80b24300 c3 } - $sequence_9 = { 0f871c020000 ff248dc86f4300 8d48cf 80f908 7706 } + $sequence_7 = { c1e106 030c9da0774400 eb02 8bca f641247f 7525 3bc7 } + $sequence_8 = { 8b550c 7205 8b520c eb03 83c20c e8???????? } + $sequence_9 = { 899dd8fdffff 889dc8fdffff e8???????? 83c404 b001 8b4df4 64890d00000000 } condition: 7 of them and filesize < 638976 
@@ -108975,36 +109439,36 @@ rule MALPEDIA_Win_Cueisfry_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0fc68627-9787-5873-a3fa-a9f7712605ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "ea066973-cd7e-55b0-9115-b7ce2188c106" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cueisfry_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cueisfry_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "c43c2b52de01a945341ae2efff0ffdd3edf0dcb4158573a62c18b687e85e4c2e" + logic_hash = "dac3713c628b195143f1278f70ffc2db7ac851e0fa25782b8d46ee8f3a38b6be" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? e8???????? 8d8c24b8050000 68???????? 51 } - $sequence_1 = { 7517 8d8c24b0010000 68???????? 51 e8???????? } - $sequence_2 = { c3 81ec24030000 a1???????? 8b0d???????? } - $sequence_3 = { 8dbc2435010000 c684243401000000 68???????? f3ab 66ab 8d8c2438010000 51 } - $sequence_4 = { 8bee 33ff 85c9 89542430 896c2410 0f8ebd010000 8d4103 } - $sequence_5 = { b940000000 33c0 8dbc2435010000 c684243401000000 } - $sequence_6 = { 6aff 68???????? 64a100000000 50 64892500000000 81eca8070000 } - $sequence_7 = { 68???????? f3a5 50 e8???????? 8d4c2424 } - $sequence_8 = { 68???????? 
50 c744242401000000 c744242000010000 } - $sequence_9 = { 51 8d442420 8bcc 89642430 50 c68424c401000003 } + $sequence_0 = { 8d4508 50 e8???????? 8b08 c645fc05 3bcf } + $sequence_1 = { b910000000 8d7c241c f3a5 8d4c241c 68???????? } + $sequence_2 = { 89742424 c1e902 f3ab 8bca } + $sequence_3 = { 66ab 8d8c24d0010000 51 68f4010000 aa ff15???????? } + $sequence_4 = { 88542418 0f84c1000000 8d4c2414 e8???????? } + $sequence_5 = { 7cf4 eb04 885c0428 8d4c2410 } + $sequence_6 = { 8be5 5d c3 ff15???????? 8b45ec 85c0 } + $sequence_7 = { 33c0 8d7c2429 be???????? f3ab } + $sequence_8 = { ff15???????? 8bf0 85f6 0f84c1000000 57 } + $sequence_9 = { 33c0 8dbc24d1010000 889c24d0010000 f3ab 66ab 8d8c24d0010000 } condition: 7 of them and filesize < 81920 
@@ -109014,36 +109478,36 @@ rule MALPEDIA_Win_Chinotto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "35bb4fea-9679-5e3a-b2bd-3a05c48c1c83" - date = "2026-01-05" - modified = "2026-01-06" + id = "a4e5757d-d2cc-5071-b3d4-0bfb70d8e677" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chinotto_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chinotto_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "4531bba6bf5c08578cccf53130069c66edf41ca25754f112d734535821ebc612" + logic_hash = "7b586204135ea34672ab4b15620455ab1a4d33cc8dcf3c503169a9aae951316a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4df0 897df4 895de4 8955f8 85c9 0f853dffffff e9???????? } - $sequence_1 = { 57 33f6 bf???????? 833cf5a4e6410001 751d 8d04f5a0e64100 8938 } - $sequence_2 = { 8985a8f6ffff 8d95b4f6ffff 52 8d85c4f6ffff 50 c785a0f6ffff0c000000 } - $sequence_3 = { c3 8b4d08 8b5648 8b45f4 c74638c0444000 897644 897a3c } - $sequence_4 = { 5d c3 8b4de0 8b55d8 8b45ec c1e106 034ddc } - $sequence_5 = { 8bd0 8955d8 eb03 8955d8 } - $sequence_6 = { 50 ff15???????? 8b853cf7ffff 03c3 50 e8???????? 
8b8d38f7ffff } - $sequence_7 = { b969000000 66894de2 b96f000000 66894de4 b96e000000 66894de6 b93d000000 } - $sequence_8 = { 8b5628 6a58 6a01 51 } - $sequence_9 = { 6683f919 7725 8d4805 83f97a 7e08 83c0eb 0fb7c0 } + $sequence_0 = { 33c0 5b c3 55 8bec 83ec20 53 } + $sequence_1 = { 397f44 75ed 8b4e4c 894e50 c7473cc04a4000 eb06 } + $sequence_2 = { 66c740502d2d 8d95c4f5ffff 52 66c740522573 } + $sequence_3 = { 0f84f5feffff 8b95c0f6ffff 391a 7564 a1???????? 8b0d???????? 68fc000000 } + $sequence_4 = { 50 66c740047570 57 66c740063a00 e8???????? 8b4dfc 83c408 } + $sequence_5 = { 8d8648010000 50 895e40 e8???????? 83c40c 5f c684334801000000 } + $sequence_6 = { 48 8d51fd 8817 66894701 8a13 d0ea 83c703 } + $sequence_7 = { 89563c b801000000 5b 8be5 5d c3 } + $sequence_8 = { 83c434 5f 5e 33cd 8d85e0fdfcff 5b } + $sequence_9 = { ffd6 85c0 781b 33c0 8d9b00000000 8a8c05f0feffff 888c05d0f6ffff } condition: 7 of them and filesize < 300032 
@@ -109053,36 +109517,36 @@ rule MALPEDIA_Win_Cactus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb289dca-899a-5588-9223-1deb6b75b964" - date = "2026-01-05" - modified = "2026-01-06" + id = "1fd0e8f9-1bce-5e79-8b37-b0280903781a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cactus_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cactus_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "c959580feec97f87bfc35165a408b3d9e2aec2dc4a519f266c222421b5acd4bf" + logic_hash = "9e50f7e3ddf62354701fcc7d65194d9eb3c54c0d9a64a32caffa4accba65a480" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 85c0 0f843e010000 488d1592b52000 4889d9 e8???????? 85c0 } - $sequence_1 = { e8???????? e8???????? 4c8d05d3572000 baf10c0000 488d0d7f562000 e8???????? 4531c0 } - $sequence_2 = { ffd7 8b18 4180fd01 76e1 4584f6 759b e8???????? } - $sequence_3 = { e8???????? 4531c0 ba00010c00 b90d000000 e8???????? 4889e9 e8???????? } - $sequence_4 = { e8???????? 4889c1 e8???????? 488b4b30 4889c2 488b4328 488b4078 } - $sequence_5 = { eb99 c744243806000000 6690 f6431830 0f85cffdffff 488d35df063a00 e9???????? } - $sequence_6 = { e9???????? e8???????? 4c8d056ab43a00 bad6000000 4889e9 e8???????? 
4531c0 } - $sequence_7 = { e8???????? 488b4b10 e8???????? 85c0 0f85b4000000 488b8b90000000 bf01000000 } - $sequence_8 = { e8???????? 4989d8 4889fa 4889f1 e8???????? 488d542423 4989d8 } - $sequence_9 = { bacb010000 488d0d282d3b00 e8???????? 4531c0 ba00010c00 b939000000 e8???????? } + $sequence_0 = { e8???????? 4c8d05f3ee3e00 ba41000000 488d0db8ee3e00 e8???????? 4531c0 bac5000000 } + $sequence_1 = { e8???????? 4531c0 ba00010c00 b910000000 e8???????? 48c744243800000000 4c89e1 } + $sequence_2 = { e8???????? 85c0 0f84b6020000 488d153e8d3200 4889d9 e8???????? 4885c0 } + $sequence_3 = { c6042b00 48891f 4c89e8 4883c438 5b 5e 5f } + $sequence_4 = { f30f6f6b50 f30f6f4360 48895070 0f114810 0f115020 0f115830 0f116040 } + $sequence_5 = { e8???????? 4c8d052c9d3b00 ba16040000 488d0d28843b00 e8???????? 4531c0 ba02010c00 } + $sequence_6 = { e8???????? 4889f3 4489f2 29fa 85d2 0f8fb1070000 0f85ab0a0000 } + $sequence_7 = { e8???????? 4889f1 e8???????? 4889f1 4889c7 e8???????? 4889f1 } + $sequence_8 = { e8???????? 48894318 4889c1 4885c0 0f857ffeffff 488b4c2458 4889ea } + $sequence_9 = { e8???????? 4c8d05a4e93a00 ba96010000 ebc6 4839c6 0f95c2 4883e814 } condition: 7 of them and filesize < 13587456 
@@ -109092,57 +109556,55 @@ rule MALPEDIA_Win_Pikabot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4ac687d3-814a-53f0-bdd6-30b0d584e28f" - date = "2026-01-05" - modified = "2026-01-06" + id = "d8824f29-919a-59c0-9607-578135bcffcf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pikabot_auto.yar#L1-L281" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pikabot_auto.yar#L1-L264" license_url = "N/A" - logic_hash = "3b0362ab404ac85076078e4d22f7ab9dbd258b909dc0b4272cd29c1c8ac6cad3" + logic_hash = "bfc84ee6747c28b8e7ae6b249e8f34845305e8e39e541269f1731c1749c6b7e3" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ebd3 8b4508 c9 c3 55 8bec } - $sequence_1 = { 83ec0c 8b4508 8945fc 8b450c 8945f8 8b4510 } - $sequence_2 = { 837df400 741a 8b45fc 8b4df8 } - $sequence_3 = { 40 8945f8 ebd3 8b4508 } - $sequence_4 = { 8945f8 8b4510 8945f4 8b4510 } - $sequence_5 = { 8b4510 48 894510 837df400 741a } - $sequence_6 = { 8b4df8 8a09 8808 8b45fc 40 8945fc 8b45f8 } + $sequence_0 = { ebd3 8b4508 c9 c3 } + $sequence_1 = { 48 894510 837df400 741a 8b45fc 8b4df8 8a09 } + $sequence_2 = { 8b4df8 8a09 8808 8b45fc } + $sequence_3 = { 8bec 83ec0c 8b4508 8945fc 8b450c 8945f8 8b4510 } + $sequence_4 = { 40 8945f8 ebd3 
8b4508 } + $sequence_5 = { 8945f8 8b4510 8945f4 8b4510 48 894510 } + $sequence_6 = { e8???????? ffd0 c9 c3 55 } $sequence_7 = { 7ce9 8b4214 2b420c 5f } - $sequence_8 = { 8a1c08 8d4320 0fb6c8 8d53bf 80fa19 0fb6c3 0f47c8 } - $sequence_9 = { 56 8bf1 85c9 7419 85d2 7415 } - $sequence_10 = { 85c9 7436 85ff 7432 } - $sequence_11 = { 0fabd0 83fa20 6a08 0f43c8 } - $sequence_12 = { e8???????? 8bd0 e8???????? 3b45fc } - $sequence_13 = { 41 e8???????? ffd0 c9 c3 } - $sequence_14 = { 6a08 0f43c8 33c1 83fa40 } - $sequence_15 = { 3bc7 72d5 5b 5f 8bc6 } - $sequence_16 = { 83ec10 53 56 8b35???????? b84d5a0000 57 8955fc } - $sequence_17 = { 8a040a 84c0 75f6 c60100 8bc6 5e c3 } + $sequence_8 = { 8a1c08 8d4320 0fb6c8 8d53bf 80fa19 0fb6c3 } + $sequence_9 = { 3bc7 72d5 5b 5f 8bc6 5e } + $sequence_10 = { 59 e8???????? ffd0 85c0 } + $sequence_11 = { c3 56 8bf1 85c9 7419 85d2 7415 } + $sequence_12 = { 41 8a040a 84c0 75f6 c60100 8bc6 } + $sequence_13 = { 8bec 83ec10 53 56 8b35???????? b84d5a0000 } + $sequence_14 = { 0fabd0 83fa20 6a08 0f43c8 33c1 } + $sequence_15 = { 8b0cba 03ce e8???????? 8bd0 } + $sequence_16 = { 0345f8 03c8 0fb6c1 8945f8 } + $sequence_17 = { 0345f8 03c8 0fb6c9 894df8 } $sequence_18 = { 0fb6d1 03c2 0fb6c0 8945f8 } $sequence_19 = { 81f900010000 72f0 8bf0 33d2 } - $sequence_20 = { 0345f8 03c8 0fb6c9 894df8 } - $sequence_21 = { 40 3d00010000 72f1 8b35???????? 8bf9 } - $sequence_22 = { 0345f8 03c8 0fb6c1 8945f8 } - $sequence_23 = { 8b01 0d20202020 3d6e74646c 750f } - $sequence_24 = { a3???????? 8b45d4 890424 a1???????? ff5058 56 } - $sequence_25 = { 89442408 31c0 89442404 e8???????? 8b45e4 } - $sequence_26 = { 890424 e8???????? 8b8514f9ffff 89442404 a1???????? } - $sequence_27 = { 890424 e8???????? 8b8560f9ffff 89442404 } - $sequence_28 = { 890424 e8???????? 89c2 a1???????? 895048 } - $sequence_29 = { a1???????? 8b00 890424 e8???????? a1???????? 8b9060010000 89542404 } - $sequence_30 = { 890424 a1???????? 
ff9090000000 83ec10 } + $sequence_20 = { 40 3d00010000 72f1 8bf2 } + $sequence_21 = { 3d00010000 72f1 8b35???????? 8bf9 } + $sequence_22 = { 8b01 0d20202020 3d6e74646c 750f } + $sequence_23 = { 893c24 e8???????? 31c9 894c2410 } + $sequence_24 = { 897c2414 c744241008000000 c744240807000200 89442404 8b45e4 } + $sequence_25 = { 89442408 31c0 89442404 890424 } + $sequence_26 = { c744240448020000 c7042440000000 a1???????? ff5050 31c9 52 } + $sequence_27 = { 8d4400ff 5d c3 55 89e5 57 56 } + $sequence_28 = { 893c24 a1???????? ff90ec000000 52 } condition: 7 of them and filesize < 1717248 
@@ -109152,36 +109614,36 @@ rule MALPEDIA_Win_Babylon_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bc5c3c5f-b09f-560b-a5c8-4129e77b8b02" - date = "2026-01-05" - modified = "2026-01-06" + id = "0a905735-2eee-509c-a070-b289107ed232" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.babylon_rat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.babylon_rat_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "2a5b12d9c48bc80c359b824ca684a979c3525be47a37762af45326a7566f7848" + logic_hash = "d8b93c72ff019a6cc2a29062db68f043ff80eec2c966731e57d60aa4eccaff84" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4610 83c40c 8b4dfc 8b4c080c 8b45f4 3b01 7413 } - $sequence_1 = { ff75ec e8???????? 59 59 85ff 0f8541010000 8b0b } - $sequence_2 = { ff75c0 6a23 56 e8???????? 6a01 56 e8???????? } - $sequence_3 = { 8b450c f6402a20 753d 51 ff75f4 6a70 53 } - $sequence_4 = { ff3402 e8???????? 
8bf0 83c404 803e9a 0f85a6000000 8b55bc } - $sequence_5 = { eb5e 83f8fa 7508 897e10 884601 eb51 83f8f6 } - $sequence_6 = { 8d4801 66894dbc 8b4620 8945a4 8b450c 8945b0 8b06 } - $sequence_7 = { 85f6 7e4c c7451007000000 53 8b450c 0fbe5c1001 0fbe0c10 } - $sequence_8 = { ff75f4 ffb57cffffff 53 56 e8???????? 83c42c 837dc000 } - $sequence_9 = { ffb3ac000000 e8???????? 8bbbac000000 be???????? 8b4dfc 03f9 51 } + $sequence_0 = { 89483c 894840 e8???????? 8bc8 83c40c 8b450c 897040 } + $sequence_1 = { eb0b 8b450c 8b7514 8930 8b7508 894804 397df4 } + $sequence_2 = { f7401800000800 0f84a4000000 53 8b5d0c 56 6a1f 59 } + $sequence_3 = { eb04 c6400601 5e 5b 5d c3 55 } + $sequence_4 = { 89bb3c010000 89bb38010000 89bb34010000 89bb40010000 e8???????? 57 } + $sequence_5 = { ff7508 8bf0 53 8975d4 e8???????? 83c414 85f6 } + $sequence_6 = { ff750c 8b7708 e8???????? 837d1800 b9???????? 50 b8???????? } + $sequence_7 = { ffb50cffffff ffb524ffffff 50 8b85f4feffff ff30 e8???????? 8b8df4feffff } + $sequence_8 = { 8aca 2ac8 83e10f 03d9 8b4dec 742b 8b55f8 } + $sequence_9 = { 83c430 33d2 42 f6462a20 0f85ff000000 6a36 56 } condition: 7 of them and filesize < 1604608 
@@ -109191,36 +109653,36 @@ rule MALPEDIA_Win_Oddjob_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce6f270b-4df6-5ffb-b080-81b3ac10b32d" - date = "2026-01-05" - modified = "2026-01-06" + id = "e56ada75-c957-524c-8aa7-1b282aea730b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oddjob_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oddjob_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "1f224904baf5c3783236036cd0bf598b6b7ff28b5975f43a99b2c079a61b51a9" + logic_hash = "915f827e297dcef6713c32c245190ad2b96f0b86022640796013bd5fdaca18ef" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 399da494ffff 7520 399d9c94ffff 7418 8bb59c94ffff 8b06 56 } - $sequence_1 = { c6856affffff51 c6856bffffff8b c6856cffffff56 c6856dffffff14 } - $sequence_2 = { 888592fcffff c68593fcffff53 c68594fcffff3e c68595fcffff5b } - $sequence_3 = { 8d85fefdffff 57 50 c785ccf7ffff01000000 89bdc0f7ffff e8???????? } - $sequence_4 = { 8b7d08 57 8bcb e8???????? 
57 8945e0 897d08 } - $sequence_5 = { 0f844c080000 663d7800 0f8442080000 663d5800 0f8438080000 83a598fbffff00 8bb5dcfbffff } - $sequence_6 = { 889dd3feffff 889dd4feffff 889dd5feffff c685d6feffff56 } - $sequence_7 = { f7f7 8b4508 8a0401 32c2 88040e 41 8955fc } - $sequence_8 = { c68558fcffff8b c68559fcffff76 c6855afcffff10 c6855bfcffff01 c6855cfcffffc3 c6855dfcffff53 } - $sequence_9 = { 83cfff f7f7 8b4508 8a0401 32c2 88040e } + $sequence_0 = { c685f8fcffff8a 889df9fcffff 889dfafcffff 889dfbfcffff c685fcfcffff5b c685fdfcffff53 c685fefcffff8b } + $sequence_1 = { c685d2faffff02 c685d3fafffff3 c685d4faffffab c685d5faffff89 c685d6faffffd1 c685d7faffff83 } + $sequence_2 = { c68595fdffff81 c68596fdffffce 889d97fdffff c68598fdffff02 889d99fdffff 889d9afdffff c6859bfdffff8b } + $sequence_3 = { 6a06 33c0 837dfc00 59 8bfe f3ab } + $sequence_4 = { 57 57 57 ff75f4 8975f8 ff15???????? } + $sequence_5 = { 8d95ecfeffff 8bcf 8d8530ffffff e8???????? 59 8d85a8feffff } + $sequence_6 = { 0f853cfeffff 83c304 f685f8fbffff20 741c f685f8fbffff40 899de8fbffff 7406 } + $sequence_7 = { 56 668985a8c4ffff 8d85aac4ffff 53 50 e8???????? 33c0 } + $sequence_8 = { c68524fcffff59 c68525fcffff66 c68526fcffff59 c68527fcffff8b c68528fcffff46 c68529fcffff0c c6852afcffff85 } + $sequence_9 = { 51 e8???????? 83c40c 8bfe 85db 761c } condition: 7 of them and filesize < 221184 
@@ -109230,36 +109692,36 @@ rule MALPEDIA_Win_Adkoob_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bebf573b-46be-5024-b08d-6d19c81fe200" - date = "2026-01-05" - modified = "2026-01-06" + id = "31d519a5-a3ba-5bea-a6ea-39763307fca8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.adkoob_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.adkoob_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "9df45dbba7685f4e50394d5dc1c9c28bf484da1b0409fe46575f0443f2099dc5" + logic_hash = "e36d952d51e8218edeee9b9628905297b79aaf46d498f66614e0fb63919bc975" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4eb0 8b4004 c74430980c4b4c00 8b4698 8b5004 8d4298 89443294 } - $sequence_1 = { 8b45f8 53 ff75fc 50 6a7e 5a 8bcf } - $sequence_2 = { 894638 85c0 740f 68???????? 50 ff15???????? 894640 } - $sequence_3 = { 898424fc000000 33c0 898424f8000000 89842400010000 89842404010000 8a83a4010000 88443134 } - $sequence_4 = { 897dec 8945fc 85ff 741b 8b7508 8bcf 56 } - $sequence_5 = { b8???????? e8???????? 
8bf2 8bf9 89bd0cffffff 33c0 898508ffffff } - $sequence_6 = { 8bf9 83fb1c 7517 837f2400 7511 ff750c 8b5508 } - $sequence_7 = { 8d4e28 51 8d4e20 f7de 8b10 1bf6 23f1 } - $sequence_8 = { 8b4714 8945f8 81e1f7ff0000 8bd3 66894f18 8bce e8???????? } - $sequence_9 = { ff75c4 ffb540ffffff e8???????? 83c428 837da400 741a ffb56cffffff } + $sequence_0 = { 8b5678 85d2 740f 395a04 7406 8b12 85d2 } + $sequence_1 = { e8???????? 8d4618 e8???????? c20400 55 8bec 8a4508 } + $sequence_2 = { 8b442434 8bce 98 50 ff742414 ff742474 52 } + $sequence_3 = { 8b4b40 52 50 57 8bd6 e8???????? 8b7dec } + $sequence_4 = { e9???????? 8b45c8 8d55cc 52 50 8b08 ff511c } + $sequence_5 = { ff75d8 50 ff521c 385d08 6a04 58 0f45d8 } + $sequence_6 = { ffb6b0000000 6a03 e8???????? 83c410 33c0 40 8886aa000000 } + $sequence_7 = { ff75d8 8bcf 8bf0 ff75ec 6a4c 5a e8???????? } + $sequence_8 = { 894ddc 8b4d08 8b5104 8bce 8b1410 e8???????? 8945d0 } + $sequence_9 = { f7430800080000 7459 6b0118 89442424 8b4104 89442454 8b442438 } condition: 7 of them and filesize < 1867776 
@@ -109269,36 +109731,36 @@ rule MALPEDIA_Win_Slip_Screen_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad9c8d39-15d3-5df8-9251-a49652741d85" - date = "2026-01-05" - modified = "2026-01-06" + id = "95627934-6b1f-5c62-977d-c497249b682b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slip_screen" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slip_screen_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slip_screen_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "dad34e4a0f7996ab63085bce3884e3e4048e2436bb6df0518e66ce50f19fbbe3" + logic_hash = "63c4d5f5d5d86a4d1d317a6e73e1cf3d3dcde25f0d946800ae8684cfa7742777" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb0c 4881c7e8000000 4885f6 7405 488bce ff17 4d85f6 } - $sequence_1 = { 4885c9 0f8498000000 4863413c 4533db 448b8c0888000000 } - $sequence_2 = { 48898798000000 4885c0 0f8462020000 41b8ce48ccfd 8bd6 488bcb } - $sequence_3 = { 7447 410fb702 6685c0 7438 8d4abf 6683f919 448d4220 } - $sequence_4 = { eb02 33c0 4c8d9c2490040000 498b5b28 498b6b30 } - $sequence_5 = { 4903c1 4d8bc8 488bc8 48c1e020 48c1e920 480bc8 0fb7c1 } - $sequence_6 = { 0f1000 0f1145c4 f20f104810 f20f114dd4 8b4018 8945dc } - $sequence_7 = { 488b8100010000 4885c0 7403 f0ff00 488d4138 41b806000000 
488d1547960000 } - $sequence_8 = { 488bd0 48c1e020 48c1ea20 480bd0 0fb7c2 6633443bfa } - $sequence_9 = { 0fafca 4403c9 440fafc8 458bc1 440fafc0 428d0c0a } + $sequence_0 = { eb0f 488bd3 488d0dec090100 e8???????? 33d2 } + $sequence_1 = { 480bc8 0fb7c1 664133c0 4c8d442470 6689442446 488bc2 f20f10442440 } + $sequence_2 = { f20f104110 498bd2 480faf5108 f20f11442470 66895c2450 488bc2 } + $sequence_3 = { 57 4154 4155 4156 4157 4883ec70 b84d5a0000 } + $sequence_4 = { eb07 488d3d21990000 4533ed 4584f6 740a 418d4d03 e8???????? } + $sequence_5 = { 8bd5 488bce 41ffd2 488b8424c0000000 4885c0 0f8421010000 4183bf8c00000000 } + $sequence_6 = { 0fb7c1 66334304 66894704 488d040a } + $sequence_7 = { 8bcf e8???????? 488bd7 4c8d0583690000 } + $sequence_8 = { 6685c0 7438 8d4abf 6683f919 448d4220 8d4820 66440f47c2 } + $sequence_9 = { 488b13 33c9 4883c202 4803d6 380a 740f 488bc2 } condition: 7 of them and filesize < 282624 
@@ -109308,36 +109770,36 @@ rule MALPEDIA_Win_Unidentified_118_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4400b473-0fbc-528a-90a2-ec9f1b80742d" - date = "2026-01-05" - modified = "2026-01-06" + id = "a8e73e12-5254-58f8-aa5b-7d6866cf4024" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_118" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_118_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_118_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "d467c02dd84dc6cead16168800c63f7f296242b2a484c5237404056a67dd88cf" + logic_hash = "ac4ca7fd8b9206c3c4e9dcbed3667ecd11bc7913dbdf39358c48034b9c8b527c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f57c0 c60300 41b820000000 0f1101 4883611000 488bd6 4883611800 } - $sequence_1 = { e8???????? 84c0 7409 488933 c6430800 eb79 48b8e1e1e1e1e1e1e101 } - $sequence_2 = { 84c0 740c 817c243000400000 7502 } - $sequence_3 = { 488bc3 488b4d07 4833cc e8???????? 4881c4b8000000 415f 415e } - $sequence_4 = { 488b49f8 482bc1 4883c0f8 4883f81f 7721 e8???????? 8bc3 } - $sequence_5 = { 7747 e8???????? 660f6f05???????? f30f7f4527 c6451700 807de700 7409 } - $sequence_6 = { 0f45fd 488bce e8???????? 488b4c2430 e8???????? 
} - $sequence_7 = { 488d4c2460 ffd2 90 e9???????? 0f57c0 0f1145f0 0f57c9 } - $sequence_8 = { e8???????? 4c8b4c2450 4c8bc3 488bd7 488bce } - $sequence_9 = { 488b49f8 482bc1 4883c0f8 4883f81f 0f87d8000000 e8???????? 483bfe } + $sequence_0 = { 488d4c2428 488b742420 418d5708 482bce 4489742438 89442428 895c2444 } + $sequence_1 = { 488bce e8???????? 6644893c33 eb0c 448a45c4 488bcf e8???????? } + $sequence_2 = { 488b4330 488b10 ffd2 4883633800 488b5c2430 4883c420 } + $sequence_3 = { 488bda 4883611800 e8???????? 4883631000 48c743180f000000 c60300 4883c420 } + $sequence_4 = { 488bc8 e8???????? 4c8d4c2450 33c9 4c8d442420 488d542448 ffd0 } + $sequence_5 = { 4883c004 4803c2 8b4808 8b400c 85c9 0f84cafeffff } + $sequence_6 = { 4103c8 3bd9 721a 8bd3 498bc9 e8???????? 4c8bd0 } + $sequence_7 = { 488bd6 4c8b8c2488000000 488bcd 4c8b842480000000 89442428 8b842490000000 } + $sequence_8 = { 488d442440 4889442420 4533c9 4533c0 8bd3 488b4c2450 e8???????? } + $sequence_9 = { 4584ed 7420 0fb7442420 3b4210 0f829d010000 3b4214 0f8394010000 } condition: 7 of them and filesize < 413696 
@@ -109347,36 +109809,36 @@ rule MALPEDIA_Win_Turian_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "55f5d82f-afb8-5814-b531-1c9c01e3bde2" - date = "2026-01-05" - modified = "2026-01-06" + id = "89a9c467-b0ac-5e23-b6d1-6af2ec9fb625" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.turian_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.turian_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "91e36be52281255f5afb4546bb919f97cb536e7671085e0b38ecf9a977103ea1" + logic_hash = "de9a3c6e2b214003d82f67d60d43d46e0ddfcd0d77a473bc19b5569e10cb47ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5b 81c420040000 c3 8d442410 6a10 50 } - $sequence_1 = { 33db 3bc3 7519 668b44240c 881d???????? 891d???????? } - $sequence_2 = { 5e c3 8bc8 57 c1e105 } - $sequence_3 = { 85c0 0f840affffff 5f 5e 5d 33c0 } - $sequence_4 = { 83c9ff 33c0 668b15???????? f2ae } - $sequence_5 = { 8d4c2410 51 e8???????? 8bbc24a0000000 83c404 a1???????? } - $sequence_6 = { 51 52 ffd5 85c0 7423 a1???????? 43 } - $sequence_7 = { 83f810 7e6a 6a00 57 53 } - $sequence_8 = { 56 57 730c 5f } - $sequence_9 = { 8b442414 50 ffd7 56 ff15???????? 83c404 33c0 } + $sequence_0 = { a1???????? 8902 668b0d???????? 
66894a04 8b8c2490000000 e8???????? 83f810 } + $sequence_1 = { 881d???????? 891d???????? 66a3???????? 5b c3 6a3f 50 } + $sequence_2 = { 52 ffd5 85c0 7423 a1???????? 43 } + $sequence_3 = { c3 8d542410 6a10 52 8bce } + $sequence_4 = { 51 ffd7 8b542414 52 ffd7 8b3d???????? } + $sequence_5 = { 85c0 0f840affffff 5f 5e 5d 33c0 } + $sequence_6 = { e8???????? 83f810 7e7c 6a00 } + $sequence_7 = { c1e902 f3a5 8bc8 33c0 83e103 8d542456 f3a4 } + $sequence_8 = { 7353 a1???????? 85c0 754a 6809380000 56 } + $sequence_9 = { 81c49c000000 c3 c60000 40 50 ff15???????? } condition: 7 of them and filesize < 645120 
@@ -109386,36 +109848,36 @@ rule MALPEDIA_Win_Rhysida_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "56c97e20-7a99-5fbc-90fd-a6127fd088f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "61941372-a64b-5a5f-a0e9-02936a396f91" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rhysida_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rhysida_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "60516db4e2b578f830c415644222719cb56ab464473054de682480b20c1eaa3f" + logic_hash = "80afd01dab25f343bd283faff53c17ec376e70d68c58e315d37dba153bef9f65" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4183c201 4883c108 4d8d3404 4889c5 4d89f4 49c1ec3c 4539d0 } - $sequence_1 = { 488b4510 8b4004 85c0 750a 488b4510 8b5520 895024 } - $sequence_2 = { f30f5e45fc f30f1145f8 488b4518 f30f1000 f30f5945f8 f30f2cc0 89c2 } - $sequence_3 = { 8d7802 430fb60c2a 43300c2b 448d6803 410fb62c12 450fb6043a 41302c13 } - $sequence_4 = { eb18 8b8598000000 898588000000 8b8594000000 898584000000 8b85b4000000 8d5001 } - $sequence_5 = { 41c1e818 46332483 4189e8 45332492 0fb6d4 44332491 4531e0 } - $sequence_6 = { 85d2 0f8f92050000 ba01000000 bd01000000 4531db 4d63cb 49beffffffffffffff0f } - $sequence_7 = 
{ ffd0 c7850c11000000000000 c7850811000000000000 c7850411000000000000 c785dc0d000000000000 c785d80d000000000000 83bd4811000002 } - $sequence_8 = { c1e903 f348ab ff15???????? 83f812 7472 488b8b38020000 e8???????? } - $sequence_9 = { 4589542408 33460c 8b742444 418b2cb3 448b742458 81e5000000ff 478b1cb3 } + $sequence_0 = { 8b4024 4898 4883c006 4801d0 4889c1 e8???????? 98 } + $sequence_1 = { 4539c1 7663 4183c008 660f6f1411 0f111410 660f6f5c1110 0f115c1010 } + $sequence_2 = { 8d5804 7446 4983bc240003000000 8d5805 7438 4983bc248003000000 8d5806 } + $sequence_3 = { 761b 4181fdffff0000 418d4d04 0f8784010000 662e0f1f840000000000 4d85e4 7404 } + $sequence_4 = { f30f1185b0100000 f30f108db8100000 f30f1005???????? f30f59c8 f30f1095b4100000 f30f1005???????? f30f59c2 } + $sequence_5 = { f30f2cc0 c744243800000000 c744243000000000 c744242800000000 c744242000000000 4189d1 4189c0 } + $sequence_6 = { 4989d2 4c01e8 4889fa 4c11f2 4c01c8 4c11d2 4989c1 } + $sequence_7 = { c1ea10 440fb6fa 44897c2428 440fb67c2420 0fb6d4 8954242c 89ca } + $sequence_8 = { 4f892c20 4983c408 4a8b0c20 4b890c20 4983c408 4c3b642440 0f8416fcffff } + $sequence_9 = { 8b45f0 8d48ff 8b45f4 2b45f8 29c1 89c8 4863c8 } condition: 7 of them and filesize < 2369536 @@ -109429,7 +109891,7 @@ rule MALPEDIA_Win_Go_Red_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.go_red" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.go_red_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.go_red_auto.yar#L1-L134" license_url = "N/A" logic_hash = "f8574b8fe29715ba2701e58cba52ed611bfc6971c882e6ec12a4906afec7293e" score = 75 
@@ -109464,36 +109926,36 @@ rule MALPEDIA_Win_Blackbasta_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5bbce9ec-7d54-5002-bc1c-a1c1392e7297" - date = "2026-01-05" - modified = "2026-01-06" + id = "a86007f2-a9e0-5d6c-9a3a-f73dca60f97f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackbasta_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackbasta_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "f2cab8177edfb4bc6b2c56a6c1db15098f849335780d0e48121fe5285763e5dd" + logic_hash = "339616ae1dae9ccf79f9db9eaddcce59709dd663083f69c8985672e9fa176bcb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7447 8d45d8 84d2 7402 8bc3 fe0430 eb33 } - $sequence_1 = { c745e4e48c0a10 8b4508 8bcf 8b7510 c745e004000000 dd00 8b450c } - $sequence_2 = { 42 895594 e9???????? 8b45ec c645fc0d 83f810 0f8293000000 } - $sequence_3 = { 52 8d5594 52 8b01 ff503c 50 8d8decfeffff } - $sequence_4 = { 83c404 807d6700 c645fc26 0f8481040000 8d45c4 33ff 50 } - $sequence_5 = { 83c404 8bce 50 e8???????? 83e3ef 895df0 c645fc0c } - $sequence_6 = { 8b4904 8b01 5d ff6048 2b49fc 83e970 e9???????? } - $sequence_7 = { 6af6 ff15???????? 
8b049d58cc0c10 8b4dfc 897c0118 33c0 5f } - $sequence_8 = { e9???????? 397d34 7768 ffb564ffffff 8d4d0c e8???????? 8b4d8c } - $sequence_9 = { e8???????? 03c6 13d7 8b75e4 3bd6 7f7a 8b4dec } + $sequence_0 = { 8d4dc0 e8???????? c645fc01 8b4dec 83f910 7228 8b55d8 } + $sequence_1 = { 8d4db8 e8???????? 8d4db8 e8???????? 8b4df4 8bc7 } + $sequence_2 = { 64892500000000 8d4104 68???????? 50 e8???????? 8b4df4 83c408 } + $sequence_3 = { 743a 8d45ec c745ec846e0a10 50 8d4df4 c745f009000000 e8???????? } + $sequence_4 = { c745b874080a10 85c9 7406 8b01 6a01 ff10 8d4d00 } + $sequence_5 = { eb03 50 6af6 ff15???????? 8b049d58cc0c10 834c0718ff 33c0 } + $sequence_6 = { e8???????? 8bf0 c745fc01000000 68???????? e8???????? } + $sequence_7 = { 8d0441 8945dc 2bc6 d1f8 7419 0fb70f 0f1f440000 } + $sequence_8 = { c5fdebe9 c5fe7fa42460020000 c5ddefa42400010000 c5f572f20c c5fd72d214 c5fdebd1 c5f572f30c } + $sequence_9 = { 84c0 0f85c3000000 6a7c e8???????? 83c404 89450c c645fc06 } condition: 7 of them and filesize < 1758208 
@@ -109503,42 +109965,42 @@ rule MALPEDIA_Win_Daserf_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9664e62d-eafe-56ce-b464-13f7ca132897" - date = "2026-01-05" - modified = "2026-01-06" + id = "cc942ddd-6198-516b-83c8-dcf3dfacd02a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.daserf_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.daserf_auto.yar#L1-L157" license_url = "N/A" - logic_hash = "bc55f86dc602900cf521d018b673d7e5221e817a978c5aeccfcf33a4e89ac9bd" + logic_hash = "d31e1e550b99f39b2cfdd4c3b670f9eaf5ebe958d543de563b1581bc33fb9241" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d1b 0f8e0d010000 87db 8d8568bfffff 8d1b } - $sequence_1 = { 56 ff15???????? ff75f8 8b35???????? ffd6 } - $sequence_2 = { 9b 68???????? 8bd2 50 f7d0 f7d0 } - $sequence_3 = { 6800280000 8d09 8d8568bfffff f7d1 f7d1 53 90 } - $sequence_4 = { ff15???????? c705????????01000000 50 53 2d907cb3df } - $sequence_5 = { 81ebfff91e8d 81c3fb8dd0b7 2d4e5b5869 2db747503f 05dc183929 81eb25261cb5 } - $sequence_6 = { 05e81801ee 95 89ac2400f1ffff 8be8 8b842400f1ffff 81c38b11c7c3 } - $sequence_7 = { 2d14be6b51 81c37f189ce5 05a5174ceb 81eb5a34b440 } - $sequence_8 = { b8???????? e9???????? 6a0b e9???????? 
50 } - $sequence_9 = { 81c38ae02de5 81ebb92f9b23 81eb42c7a1f2 81eb74c57063 2d0f027a7d 2db2e0f8da } - $sequence_10 = { f7d6 f7d6 81eb8054748e f7d6 f7d6 81c3cb6fc0a8 } - $sequence_11 = { 050a037e0a 81ebd4a1a6fb 81c34646dc3b 81c351fc1576 81c3eeb6e6f5 2d8cb08456 } - $sequence_12 = { 0589639a4f 81ebc4cfca9c 05e0940a91 81c3df202492 81c304600bef 81eba197b1b7 } - $sequence_13 = { 2def0da659 87f6 81eb1c07b732 8bc0 } - $sequence_14 = { 81c3787cc718 2ddbcfa691 81c3b7415b90 81c3838339ae 2d5988c64e } - $sequence_15 = { 81c38cf537b9 9b 81c339ec068e 7500 053941cb1e } + $sequence_0 = { 2d7458acf0 81eb4087a1c9 81c324977364 2df0c5683d } + $sequence_1 = { 2d3d9dddda 2d122b9e6e 05a176df80 056a8ceb26 81c3091794b7 81c3477483eb } + $sequence_2 = { f7d2 055764eba6 96 89b42430f4ffff 8bf0 8b842430f4ffff } + $sequence_3 = { ff75e0 8d1b ff75fc 90 } + $sequence_4 = { 0593f8abb9 90 0536f1718f 9b } + $sequence_5 = { 92 89942410f1ffff 8bd0 8b842410f1ffff } + $sequence_6 = { 81eb477bafc6 90 81eb1979d9a8 8bdb 05f1ad59f9 } + $sequence_7 = { 8bc0 8b842400f3ffff 81ebee7d857e 7500 2d444a28fe } + $sequence_8 = { 97 89bc2400f1ffff 8bf8 8b842400f1ffff } + $sequence_9 = { 81c3cfcdd8a3 81eb4769227d 05635637f9 05b537d85e 2dd80e91af } + $sequence_10 = { 05ddf775a4 0583ee701f 2de339226e 81c368780090 81c3f215efea 81eb33a8c4a5 } + $sequence_11 = { 8b842420f4ffff 53 8bdb 53 } + $sequence_12 = { 056213cf4c 2d025bcd54 81eb4f4edeb1 055b9204af 05be0a5f12 058a52e815 } + $sequence_13 = { 81eb8f465a28 05d4ec048f 05ace3258a 2d8c7110f6 } + $sequence_14 = { 2dd1ab761c 81eb0752c899 81eb5e2deea0 056e62ed8e } + $sequence_15 = { 2d99ba6fa8 2d7df1f9f5 81c32b692a0c 81eb4ce843f8 } condition: 7 of them and filesize < 245760 
@@ -109548,36 +110010,36 @@ rule MALPEDIA_Win_Clipog_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40f61fa4-a638-5725-b8b6-91b34a21950a" - date = "2026-01-05" - modified = "2026-01-06" + id = "7e7808c7-7cc0-51eb-a53a-7e8f1d4eb523" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipog" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.clipog_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.clipog_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "9ab729847c05f2fd79a1197d1bbe3eecdfb3d818a19100d3fd94f6d00b4e49b5" + logic_hash = "e0b0640aed54bc22b5c131871b5e8076185cb34be80f4832473f3b104845b94b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b4b18 6685c0 740c 488d1552e70100 } - $sequence_1 = { 488d1552e70100 e9???????? 488d154ae70100 e9???????? b910000000 } - $sequence_2 = { 760c 488d0d5fec0100 e8???????? 48397b18 730d 488bd7 } - $sequence_3 = { 753b 488b41f8 483bc1 7338 482bc8 4883f908 7235 } - $sequence_4 = { 4883f808 725d 48ffc0 488b4c2448 493bc4 7606 e8???????? } - $sequence_5 = { 488bda 4c8d0d1fbc0000 8bf9 488d1586a10000 b906000000 4c8d0502bc0000 e8???????? } - $sequence_6 = { 488b05???????? 4833c4 488985a0040000 4c8b95f8040000 488d0524160100 0f1000 } - $sequence_7 = { 488d158ee80100 e9???????? 
b910000000 ff15???????? 488b4b18 } - $sequence_8 = { e8???????? 90 4c8d0556ea0100 488bd0 } - $sequence_9 = { 488d1599100200 488d0d9a100200 e8???????? 488bd8 488d4c2430 48837c244810 480f434c2430 } + $sequence_0 = { 488d4601 483d00100000 7238 f6c31f } + $sequence_1 = { c3 4057 4883ec20 488d3d939b0100 48393d???????? 742b } + $sequence_2 = { 44896c2444 418d45ff 0fb68c82f2d30100 0fb6b482f3d30100 8bd9 } + $sequence_3 = { 488d1582e80100 e9???????? 488d1586e80100 e9???????? 488d158ae80100 e9???????? } + $sequence_4 = { 4883c428 c3 4883ec28 e8???????? 4885c0 7509 488d059b980100 } + $sequence_5 = { c3 4053 4883ec20 4c8d0d4bbd0000 33c9 4c8d053ebd0000 488d153fbd0000 } + $sequence_6 = { 48890a 48894a08 488d4808 e8???????? 488d05794f0100 } + $sequence_7 = { 4889742418 57 4883ec20 4863d9 488d0de33e0100 } + $sequence_8 = { 6642393440 75f6 488bd0 498bc9 e8???????? 48c7471807000000 488bd8 } + $sequence_9 = { cc 488bd0 488bca e8???????? 488bc3 488b8dc0000000 4833cc } condition: 7 of them and filesize < 372736 
@@ -109587,36 +110049,36 @@ rule MALPEDIA_Win_Pickpocket_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "802dc3e0-e29e-5fb9-b36e-fb6fbc442d76" - date = "2026-01-05" - modified = "2026-01-06" + id = "9afab35f-d313-5356-a334-ab9b4d2839fe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pickpocket_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pickpocket_auto.yar#L1-L108" license_url = "N/A" - logic_hash = "22ebdc63d7f82763f33842db7356986ba14b78ce5a40d50ef0cdea3da00bc1be" + logic_hash = "62fd51898dbe8d05ebad3b646b76129a235d6b7bf3b88cdc8c2adf97a2994ac6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 740f b990cc0000 e8???????? } - $sequence_1 = { e8???????? 85c0 750f b962890100 } - $sequence_2 = { e8???????? 85c0 740f b990cc0000 e8???????? } - $sequence_3 = { eb05 b960cb0000 e8???????? eb02 33c0 } - $sequence_4 = { 790e b91dca0000 e8???????? 8907 } - $sequence_5 = { 7504 33c0 eb0a b9e8d70000 } - $sequence_6 = { 8a4201 84c0 7823 83e17f 0fb6c0 c1e107 03c8 } - $sequence_7 = { 7404 8b01 eb03 83c8ff 83f804 } - $sequence_8 = { a846 750f b99be00100 e8???????? e9???????? } - $sequence_9 = { b9dccc0000 e9???????? b9cecc0000 e9???????? b9c7cc0000 e9???????? 
} + $sequence_0 = { e8???????? 85c0 750f b962890100 } + $sequence_1 = { 7704 33c0 eb0a b952ca0000 e8???????? } + $sequence_2 = { a846 750f b99be00100 e8???????? e9???????? } + $sequence_3 = { 750f b962890100 e8???????? e9???????? } + $sequence_4 = { 750a b80a0c0000 e9???????? e8???????? } + $sequence_5 = { 760f b938e40000 e8???????? e9???????? } + $sequence_6 = { e9???????? b9cecc0000 e9???????? b9c7cc0000 } + $sequence_7 = { 750e b958de0100 e8???????? 8bc8 } + $sequence_8 = { 790e b91dca0000 e8???????? 8907 } + $sequence_9 = { eb0c b96ccb0000 eb05 b960cb0000 e8???????? eb02 } condition: 7 of them and filesize < 1458176 
@@ -109626,48 +110088,48 @@ rule MALPEDIA_Win_Suppobox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5b7250ed-3647-5a89-a116-017b310c526f" - date = "2026-01-05" - modified = "2026-01-06" + id = "031ee88b-8498-5660-8a5e-e85c68d643be" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.suppobox_auto.yar#L1-L191" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.suppobox_auto.yar#L1-L191" license_url = "N/A" - logic_hash = "05beb26ad12e675f535ee9462bf9d41a047c1dcd3464f804af01fdd75563ee81" + logic_hash = "e05968374be46a9866db1d87f0344106ac484fec8bfe51cf8bc5f7485b524502" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7e10 a1???????? 0305???????? a3???????? } + $sequence_0 = { 8945f0 a1???????? 83e801 a3???????? } $sequence_1 = { 3bc8 7d10 a1???????? 2b05???????? a3???????? } - $sequence_2 = { 890d???????? e8???????? 8bf0 e8???????? 03f0 } - $sequence_3 = { 8945f0 a1???????? 83e801 a3???????? } - $sequence_4 = { 7412 8b0d???????? 030d???????? 890d???????? } - $sequence_5 = { 7d10 a1???????? 0b05???????? a3???????? } + $sequence_2 = { 7d10 a1???????? 0b05???????? a3???????? } + $sequence_3 = { 890d???????? e8???????? 8bf0 e8???????? 03f0 } + $sequence_4 = { 7e10 a1???????? 0305???????? 
a3???????? } + $sequence_5 = { 7412 8b0d???????? 030d???????? 890d???????? } $sequence_6 = { 7f10 a1???????? 2305???????? a3???????? } - $sequence_7 = { 01c6 39fe 0f8d2f020000 80bc2ef4f7ffff0a } - $sequence_8 = { 019dacf7ffff 83c40c 299dc4f7ffff e9???????? } - $sequence_9 = { 8d48ff 2d9b507602 8985dcfdffff db85dcfdffff } - $sequence_10 = { 01c6 39fe 0f8d7e010000 80bc2ef4f7ffff0a } - $sequence_11 = { 8d48ff 2d9696ca2f 39c2 66898d92feffff 0f8dbbfcffff } - $sequence_12 = { 01bdacf7ffff 83c40c 83bdc8f7ffff00 8b95c8f7ffff } - $sequence_13 = { 01d8 3b85b0f7ffff 7e2f 8b95c8f7ffff } - $sequence_14 = { 8d48ff 39c2 890d???????? 0f8e93240000 } - $sequence_15 = { 8d48ff 2de13d1921 8985e0f8ffff db85e0f8ffff } - $sequence_16 = { 01d7 68???????? 57 e8???????? } - $sequence_17 = { 8d48ff 39c2 898db4f8ffff 0f8e3d0f0000 } - $sequence_18 = { 01c6 ebdb ff7510 57 } - $sequence_19 = { 01c9 4a 79f2 833b54 } - $sequence_20 = { 8d48ff 2dbb4fb754 39c2 66890d???????? } - $sequence_21 = { 8d48ff 39c2 898dc8feffff 0f8ebb010000 } + $sequence_7 = { 01bdacf7ffff 83c40c 83bdc8f7ffff00 8b95c8f7ffff } + $sequence_8 = { 01c6 ebdb ff7510 57 } + $sequence_9 = { 8d4801 83c601 81fe???????? 898b00010000 } + $sequence_10 = { 8d4801 894e0c 0fb65001 80fa5f 0f94c3 } + $sequence_11 = { 01d8 3b85b0f7ffff 7e2f 8b95c8f7ffff } + $sequence_12 = { 8d4801 890d???????? 8d8402199951bd dd8500f9ffff } + $sequence_13 = { 01c9 4a 79f2 833b54 } + $sequence_14 = { 8d4801 894ddc 0fbf4dd4 01c8 } + $sequence_15 = { 01d7 68???????? 57 e8???????? } + $sequence_16 = { 01c6 39fe 0f8d7e010000 80bc2ef4f7ffff0a } + $sequence_17 = { 8d4801 83c601 39fe 898b00010000 } + $sequence_18 = { 019dacf7ffff 83c40c 299dc4f7ffff e9???????? } + $sequence_19 = { 8d4801 dd442418 8b15???????? 89542408 } + $sequence_20 = { 8d4801 8d8402ec432105 3d182b4547 890d???????? } + $sequence_21 = { 01c6 39fe 0f8d2f020000 80bc2ef4f7ffff0a } condition: 7 of them and filesize < 1875968 
@@ -109677,36 +110139,36 @@ rule MALPEDIA_Win_Royal_Dns_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e4eee0e-991f-5e5c-8e46-34ff6666420e" - date = "2026-01-05" - modified = "2026-01-06" + id = "81aa708c-03d8-569e-9839-f9dc97865af3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.royal_dns_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.royal_dns_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "ebf3458b22350e610da4d705384f784d27dfca7bf952035b68054c9acd2a2a7b" + logic_hash = "701633f4581820c2bdfa58bdd811c787d073106573424af0015f2f793828aaf7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c 56 83c30d 8d85d8fcffff 53 50 } - $sequence_1 = { 83c404 83bdb1f7ffff64 8b8dbbf7ffff 8d70f1 7559 83f964 7554 } - $sequence_2 = { f3a5 e8???????? 83c40c b908000000 } - $sequence_3 = { be???????? 8d7dd8 f3a5 83c40c 6a01 a4 e8???????? } - $sequence_4 = { 0fb65c0602 c1ea07 03db 0bd3 83e21f 0fb69248132500 885104 } - $sequence_5 = { 8d85c0feffff 6a00 50 c785b0feffffa9ea6152 c785b4feffffe7a5db56 } - $sequence_6 = { 7416 83fe04 7511 8b95bff7ffff 89957cf1ffff e9???????? 85c9 } - $sequence_7 = { 6888130000 ff15???????? 
4e 75f2 68e4000000 8d85c0f5ffff 6a00 } - $sequence_8 = { 393d???????? 7c11 6860ea0000 ffd6 c705????????00000000 68b80b0000 } - $sequence_9 = { 772a ff248590162400 6a01 6a03 } + $sequence_0 = { 8d8dbffdffff e8???????? 8bf0 83c404 85f6 0f8488000000 68ff000000 } + $sequence_1 = { 33ff 33c9 33f6 84db 744c 90 } + $sequence_2 = { 83e01f c1f905 8b0c8d80502500 c1e006 8d440104 8020fe ff36 } + $sequence_3 = { 0fb6730c 83c40c 56 83c30d 8d85d8fcffff 53 } + $sequence_4 = { 03049580502500 eb05 b8???????? f6400420 } + $sequence_5 = { 83c102 2bc8 8817 7434 } + $sequence_6 = { 013d???????? 89410c e8???????? 833800 a3???????? bf03000000 7530 } + $sequence_7 = { ebde 8bc8 83e01f c1f905 8b0c8d80502500 c1e006 0fbe440104 } + $sequence_8 = { c0f803 2403 02c9 0ac8 8a45e0 241f 884def } + $sequence_9 = { 8b0c8d80502500 83e01f c1e006 f644080401 74cd } condition: 7 of them and filesize < 204800 
@@ -109716,36 +110178,36 @@ rule MALPEDIA_Win_Avcrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6717dbdb-f4ba-5c23-a152-195fba62bfc4" - date = "2026-01-05" - modified = "2026-01-06" + id = "43b84f09-1b5d-50e6-aaa6-ed2245c22ea0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.avcrypt_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.avcrypt_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "88e8fd00aad138bd5391f93ff200b42a3193bfb4856f2e79b29034d74d91998c" + logic_hash = "72ee95635b57f552cfa51bb0200ba397da957a30f2c8df0690d43c12220d0d09" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c40c 8d4dc0 e8???????? be???????? c745fc02000000 56 } - $sequence_1 = { 0fb7c8 b8ffff0000 663bc1 8b4dec 6a04 58 } - $sequence_2 = { ddd8 db2d???????? b801000000 833d????????00 0f8516a20000 ba05000000 8d0d60974300 } - $sequence_3 = { 8b00 837dec08 8d4dd8 8bd0 0f434dd8 } - $sequence_4 = { e8???????? 59 8365fc00 8b049d80b54300 f644380401 7413 ff7510 } - $sequence_5 = { 8ac3 e8???????? c3 68a4020000 b8???????? e8???????? 8bc2 } - $sequence_6 = { 68???????? 6a18 6a18 50 e8???????? e8???????? 
} - $sequence_7 = { b44b 5a baa5c94fad 90 302c83 2d2171e50b } - $sequence_8 = { 48 7412 e8???????? c70016000000 e8???????? ebb4 c745e440be4300 } - $sequence_9 = { 8965c8 68???????? e8???????? 83ec18 c645fc14 8bcc 68???????? } + $sequence_0 = { 59 5e c3 b8ffff0000 c20400 33c0 33d2 } + $sequence_1 = { 53 8bce c706???????? e8???????? 8bc7 } + $sequence_2 = { ff75f0 ff15???????? 85c0 790b 8b45f0 50 } + $sequence_3 = { 8b02 eb02 8bc2 3bc8 7413 83e902 ebb6 } + $sequence_4 = { 50 e8???????? 59 85c0 7456 837d1c08 } + $sequence_5 = { ff15???????? 85c0 7507 68???????? ffd6 895de4 837dd000 } + $sequence_6 = { 85c9 7408 8b85ccfdffff 8901 83460404 8d85c4fdffff } + $sequence_7 = { 50 89742414 897c2418 c744241c20000000 ff15???????? 8b450c 48 } + $sequence_8 = { c1e106 8b048580b54300 804c080420 8b4d14 8b75f8 ba000000c0 8bc6 } + $sequence_9 = { 8bf1 8b4690 8d4ea0 8b4004 c7443090b4484300 8b4690 } condition: 7 of them and filesize < 6160384 
@@ -109755,36 +110217,36 @@ rule MALPEDIA_Win_Dustpan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9c878b8-cad8-5a19-8f4e-78ad38029b7f" - date = "2026-01-05" - modified = "2026-01-06" + id = "a921ece2-065a-572e-af7d-19f0c17cbe67" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustpan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dustpan_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dustpan_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "5224f428476ca9b9e044abefc44ce9a53e06974708bc3448eb44f67994867ab4" + logic_hash = "6b03af99f3f7639367bb41a3dd55c42a3c6c911e298ae0f97971d1e6cbe164c0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4533c0 4c891d???????? e8???????? 488d0d32010000 4883c420 5b e9???????? } - $sequence_1 = { b9ff000000 e8???????? 488bfb 4803ff 4c8d2d45eb0000 } - $sequence_2 = { 488d0d19a80100 33d2 c744242800000008 895c2420 ffd0 488b4d00 4833cc } - $sequence_3 = { 4c8be7 4c8bf7 49c1fe05 4c8d3dffb60000 } - $sequence_4 = { 488d05fb0a0100 eb04 4883c014 8918 e8???????? 4c8d15e30a0100 4885c0 } - $sequence_5 = { 7440 66448923 8a45d8 4b8b8cf8e0d00100 88443109 8a45d9 } - $sequence_6 = { e9???????? 488d0d45010000 e9???????? 4883ec28 488d0d12910000 e8???????? 
488d0d39010000 } - $sequence_7 = { 488bca 48c1f905 4c8d0533760100 83e21f } - $sequence_8 = { 4889442420 e8???????? 488d8380000000 803800 741d 4c8d0df2bc0000 41b802000000 } - $sequence_9 = { 894704 e9???????? 488d0d351f0100 48394c2458 7427 } + $sequence_0 = { 4c8d055debfeff 4403e2 4b8b84f8e0d00100 f644300880 0f8435040000 } + $sequence_1 = { 488bd1 4c8d050e760100 f642387f 7525 83f8ff 741a 83f8fe } + $sequence_2 = { 488b0d???????? 488d15057f0100 488904ca 4883c428 c3 4053 } + $sequence_3 = { 488d0c80 488d058d840100 488d0cc8 e8???????? } + $sequence_4 = { 7871 3b0d???????? 7369 4863d9 488d2debb30000 } + $sequence_5 = { 42888401a0ac0100 ffc7 ebde 488b05???????? } + $sequence_6 = { 4883c014 8918 e8???????? 4c8d15e30a0100 4885c0 7404 } + $sequence_7 = { 4883caff e8???????? 807d580a 4c8d052feafeff 740f } + $sequence_8 = { 488b5c2438 4883c420 5f c3 4c8b0d???????? 4c8d0512860100 } + $sequence_9 = { 4883ec20 488d05571e0100 8bda 488bf9 488901 e8???????? f6c301 } condition: 7 of them and filesize < 282624 
@@ -109794,36 +110256,36 @@ rule MALPEDIA_Win_Webc2_Rave_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b8abe54-80f5-58ec-90da-b83888b1df6b" - date = "2026-01-05" - modified = "2026-01-06" + id = "5cefe188-b2d5-5d9e-9fe6-d10eb4d1e4b8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_rave_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_rave_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "af650f13ddb6ad439bdfa3dda339af75bc74ce9074c6268554058b1c377beaa8" + logic_hash = "e5f1d782ff65857d244868f23af182288f59ab9fb6a377cec826015ac4afc033" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8dbc24b0040000 83c9ff f2ae 8b06 8d9424b0040000 f7d1 } - $sequence_1 = { 8b742410 8bc6 85f6 89442418 } - $sequence_2 = { f3ab 85db aa 7464 eb06 8b35???????? } - $sequence_3 = { 83c410 f3ab aa 8d8424a0020000 50 6804010000 } - $sequence_4 = { c784248800000001010000 66899c248c000000 89842498000000 8984249c000000 ffd7 8b542420 50 } - $sequence_5 = { 81fb00040000 c644241300 0f87b4000000 b980000000 33c0 8dbc242c010000 } - $sequence_6 = { 42 56 51 8915???????? 
} - $sequence_7 = { 8b8c2410020000 33c0 8bd0 83e20f 40 } - $sequence_8 = { aa ffd5 83c410 8d842490000000 8d8c24a8030000 } - $sequence_9 = { e8???????? 83c404 85c0 0f848d000000 33c9 33d2 894c2410 } + $sequence_0 = { 83f830 720b 83f839 7706 83c004 c20400 83f82d } + $sequence_1 = { 85db 759e 8dbc242c010000 83c9ff 33c0 } + $sequence_2 = { 03de 81e3ff000000 8bf3 8a5c3410 885c0c10 } + $sequence_3 = { be???????? 8d8c241c010000 8a01 8ad0 3a06 } + $sequence_4 = { 8b3d???????? 8d542414 8d4604 51 } + $sequence_5 = { b941000000 33c0 8dbc24b0020000 83c410 } + $sequence_6 = { 33c9 eb05 1bc9 83d9ff 85c9 7423 8b4508 } + $sequence_7 = { 56 57 b900010000 33c0 8d7c2414 } + $sequence_8 = { 5d 5b 81c454030000 c3 6a20 ffd7 } + $sequence_9 = { 85c0 0f8426010000 8d4c244c 6804010000 8d542450 } condition: 7 of them and filesize < 57344 @@ -109834,10 +110296,10 @@ rule MALPEDIA_Win_Cova_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "d9a7c58b-e153-5509-9dd6-42fb3c64fb6e" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cova" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cova_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cova_auto.yar#L1-L119" license_url = "N/A" logic_hash = "6df5413ed9281b7c21331e877b1103faf7f6d9e2e13d53e94329d8c943fa063c" score = 75 
@@ -109846,9 +110308,9 @@ rule MALPEDIA_Win_Cova_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -109872,44 +110334,44 @@ rule MALPEDIA_Win_Privateloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f74899e2-5f0f-5412-9628-abf5d89b0b25" - date = "2026-01-05" - modified = "2026-01-06" + id = "5803fcaf-bde6-5476-ac4c-582552ce4d0d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.privateloader_auto.yar#L1-L180" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.privateloader_auto.yar#L1-L186" license_url = "N/A" - logic_hash = "6d2070cfc4fc90b89a113279c1da7a1229970780c46dc9914cb804e46d0ce9c2" + logic_hash = "85f38f4b2cd1f8741fd83adce9ca0e994ca024520d1cc7f1c02b5567fb532b86" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bec 83ec1c 894df8 8b45f8 8b4810 894df4 } - $sequence_1 = { 8945f4 8b4dfc 83791408 7209 } - $sequence_2 = { 8b55e4 8a45ff 88040a 8b45f8 } - $sequence_3 = { 8b4d08 3b4814 776d 8b55f8 8955f4 8b45f4 8945ec } - $sequence_4 = { 8b45d8 8b4ddc 8b55d0 8b75d4 } - $sequence_5 = { 8b4508 8945e4 8b4de8 034de4 8a55ff } - $sequence_6 = { 8945c8 8955cc 8b45c8 8b55cc 5e } - $sequence_7 = { 8b55f8 8b45f4 3b4214 736c } + $sequence_0 = { 8b45d8 8b4ddc 8b55d0 8b75d4 } + $sequence_1 = { 7408 8b45fc 8b08 894df0 } + $sequence_2 = { 8b45e4 0345f4 50 e8???????? 
83c40c c645ff00 8b4df4 } + $sequence_3 = { 8b5508 895110 8b4508 8945e4 } + $sequence_4 = { 8b45f4 894210 eb2f 837d0808 7329 } + $sequence_5 = { 8b45ec 8945f8 8b4df8 894df0 8b55f8 837a1410 7209 } + $sequence_6 = { 8b4de0 8b75e4 52 50 56 51 e8???????? } + $sequence_7 = { 7408 8b45f8 8b08 894de4 8b55e4 8955d4 } $sequence_8 = { e8???????? 33d2 b93f000000 f7f1 } - $sequence_9 = { 8b4590 8b4d94 8b5588 8b758c } - $sequence_10 = { a3???????? 33c0 5e c3 3b0d???????? } - $sequence_11 = { e8???????? 83c610 83c002 83ef08 } - $sequence_12 = { 81ec68010000 a1???????? 33c5 8945fc 56 57 } - $sequence_13 = { 83c201 8955e0 83d600 8975e4 } - $sequence_14 = { 8b4de0 8b45e4 50 51 52 56 e8???????? } - $sequence_15 = { 6a04 8d4310 50 6a06 } - $sequence_16 = { 0bc8 56 57 7529 } - $sequence_17 = { 8b8578ffffff 8b8d7cffffff 8b9570ffffff 8bb574ffffff } + $sequence_9 = { e8???????? 40 83ef08 a907000000 } + $sequence_10 = { 8b4590 8b4d94 8b5588 8b758c } + $sequence_11 = { a3???????? 33c0 5e c3 3b0d???????? } + $sequence_12 = { e8???????? 6bc007 33c9 41 c1e102 } + $sequence_13 = { 896c2404 8bec 81ec68010000 a1???????? 33c5 8945fc 56 } + $sequence_14 = { 8b45e4 50 51 52 } + $sequence_15 = { 51 6a00 6813000020 50 } + $sequence_16 = { 8bf0 e8???????? 8bc8 8bfa 8bc6 } + $sequence_17 = { 13f1 83c201 8955e0 83d600 8975e4 } $sequence_18 = { 03d0 8b4d9c 13f1 83c201 } condition: 
@@ -109920,42 +110382,42 @@ rule MALPEDIA_Win_H1N1_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "37ad4a5e-e020-5ff8-9301-408e3e0a9d4d" - date = "2026-01-05" - modified = "2026-01-06" + id = "9b146697-9791-5099-8226-ae9fcb0630e1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.h1n1_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.h1n1_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "2e33215c731e3a160279240713f0099872fd50afe0eb8ebfd851884e2b2c7ed5" + logic_hash = "765db783b2f41671982a50d1cf60b08bf27002298dd12c9d873aef5b9b6f4245" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { bb09000000 eb6c 83bde8feffff0a 7563 } - $sequence_1 = { 51 8b7df4 b900100000 33c0 f3aa 59 } - $sequence_2 = { c745cc01000000 c745d010000000 c745d402000000 c745d820000000 c745dc04000000 c745e040000000 } - $sequence_3 = { ff05???????? 6800020000 ff35???????? 58 } - $sequence_4 = { 3503003400 ab 2d0e00fcff ab } - $sequence_5 = { ffd0 ff750c ff75f0 ff75f4 8d45b8 50 e8???????? } - $sequence_6 = { c745e404000000 c745e840000000 0fb77b06 8db3f8000000 33c9 f7462400000020 7403 } - $sequence_7 = { ff75f8 ff7508 ff75fc ff75f4 ff35???????? 
58 ffd0 } - $sequence_8 = { 25ff000000 c1e908 330c85908f0010 42 } - $sequence_9 = { 8bc1 83e001 d1e9 330c8500850010 330c95f48b0010 42 890c95bc850010 } - $sequence_10 = { 8b442404 33d2 a3???????? 42 b9c0850010 8b01 c1e81e } - $sequence_11 = { 50 68fc600010 6804010000 ff7508 e8???????? 83c424 c9 } - $sequence_12 = { 81ff7c8f0010 7cd4 5f 8b0d???????? 330d???????? } - $sequence_13 = { d1e9 330c8500850010 330d???????? 890d???????? 8b0cb5c0850010 8bc1 c1e80b } - $sequence_14 = { 33f6 53 8bd6 bbffffff7f 8b0c95c4850010 330c95c0850010 23cb } - $sequence_15 = { 68f4600010 56 e8???????? 8bf0 59 } + $sequence_0 = { ff750c ff35???????? 58 ffd0 50 ff750c } + $sequence_1 = { 6a00 6a00 6a00 50 6a00 6a00 ff75fc } + $sequence_2 = { 83c608 ac aa 3c2f 75fa } + $sequence_3 = { 59 85c0 75d1 83bb8000000000 7465 } + $sequence_4 = { aa 3c0d 75fa 4f 33c0 } + $sequence_5 = { 8b5d08 035b3c 6a00 ff7350 6a00 6840000008 } + $sequence_6 = { 7453 e8???????? 8ae0 ac 0ac0 7447 3c3d } + $sequence_7 = { ff75f8 ff7508 ff75fc ff75f4 ff35???????? } + $sequence_8 = { e8???????? ff7508 8d85f0fdffff 68dc600010 } + $sequence_9 = { 8bec 81ec04040000 53 56 68806e0010 } + $sequence_10 = { d1e9 330c8500850010 330c95f48b0010 42 890c95bc850010 81fae3000000 } + $sequence_11 = { 8d3c95c0850010 8b0f 334f04 23cb 330f } + $sequence_12 = { 56 6800800010 ff742410 e8???????? } + $sequence_13 = { d1e9 8b048500850010 338774fcffff 33c1 8907 83c704 } + $sequence_14 = { 23cb 330d???????? 5b 8bc1 83e001 d1e9 330c8500850010 } + $sequence_15 = { 8d8614850010 50 ffb610850010 57 ff15???????? 83c608 83fe18 } condition: 7 of them and filesize < 172032 
@@ -109965,36 +110427,36 @@ rule MALPEDIA_Win_Woody_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c748e16-00b8-5127-9604-d62e3d04f71e" - date = "2026-01-05" - modified = "2026-01-06" + id = "66315f8b-2bbb-5197-a74a-1868f88ef27b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.woody_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.woody_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "3fdba1a84cd03f528c200b6a293fddfa54111448f7301420a9273bbb05f0134b" + logic_hash = "c73a64bbc8f596f95f70f6096e049e95fdba1190a98d908874b03f5b9cb274f5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 83e103 c744241004010000 f3a4 bfc0a60110 83c9ff f2ae } - $sequence_1 = { 8d4ddc 51 ff75e8 50 ff15???????? 85c0 0f8417010000 } - $sequence_2 = { 83c008 83c308 3b4510 75e7 8b4604 50 894508 } - $sequence_3 = { 5d 5b c20800 8b5114 8b690c 8b4910 8bc2 } - $sequence_4 = { ff15???????? 
85c0 7404 b001 5e c3 } - $sequence_5 = { 83c408 85f6 751e 68ee050000 50 } - $sequence_6 = { 5e 83c2fc 895508 895108 5d c20400 55 } - $sequence_7 = { 89742458 0f8c78ffffff 8b442454 8d0c92 8b542448 5f c1e102 } - $sequence_8 = { 8ba880000000 85ed 0f84ae000000 8b8884000000 85c9 0f84a0000000 8b443d10 } - $sequence_9 = { 85c0 7447 6a10 8d45e0 6a00 50 e8???????? } + $sequence_0 = { 8d4604 8d4d08 50 e8???????? 81c608010000 8d4d08 56 } + $sequence_1 = { 8bf0 e8???????? 84c0 750d 5f 5e 5d } + $sequence_2 = { ff15???????? 85c0 0f8550010000 b931000000 8d7c2429 88442428 c68424b801000000 } + $sequence_3 = { 8d842478010000 53 50 e8???????? 83c414 8d8c246c010000 68b4000000 } + $sequence_4 = { e8???????? 83c404 8d4c2410 6a00 51 6878150000 68b4b20110 } + $sequence_5 = { 890cd0 8b4dd0 8b55d4 03d1 8b4df4 8954c804 ff45f4 } + $sequence_6 = { 50 8d8520ffffff 50 8d45f0 50 53 } + $sequence_7 = { ffd3 83f8ff 740e 50 ff15???????? b007 e9???????? } + $sequence_8 = { 83c404 663bc3 7606 66a3???????? 8d9540ffffff 68e8ea0110 52 } + $sequence_9 = { 5b 81c470020000 c20400 8b442418 50 ff15???????? 5f } condition: 7 of them and filesize < 409600 @@ -110005,10 +110467,10 @@ rule MALPEDIA_Win_Artfulpie_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "de5450b6-b95f-5bac-b0a9-b9c5fd386b22" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.artfulpie_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.artfulpie_auto.yar#L1-L117" license_url = "N/A" logic_hash = "6beac333cee4f67e44a4d36d19350c582ab6bfc4c8f39d10f4335fab88933e77" score = 75 
@@ -110017,9 +110479,9 @@ rule MALPEDIA_Win_Artfulpie_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -110043,36 +110505,36 @@ rule MALPEDIA_Win_Acbackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5acb810f-7fcf-50a8-b5e5-5957312412ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "bf831c0d-2cd2-5387-85a5-889ddbb43279" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.acbackdoor_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.acbackdoor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e7c1851e66beefe0ede613bab170645d1cd40698015b7587734102d809a005df" + logic_hash = "5aa3c90498f903a2c571d2af12d774a6a5d8ab44b83ae199544fc3b7d1065a5a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 85c0 0f8524020000 83fd04 0f8326020000 85ed 0f853c020000 } - $sequence_1 = { e8???????? c70424???????? ff15???????? 894500 85c0 7488 803e2f } - $sequence_2 = { e8???????? 8b83f0010000 05b8030000 890424 e8???????? 8b83f0010000 89442420 } - $sequence_3 = { e8???????? 803f04 89c5 7567 8d440001 39c6 7555 } - $sequence_4 = { e9???????? 8b6c2448 8b9c24c0000000 8b83f4000000 85c0 0f85d8020000 8b03 } - $sequence_5 = { c783b008000000000000 c7838c05000001000000 c7839005000001000000 c7839405000005000000 895c2404 890424 e8???????? 
} - $sequence_6 = { 8d57fe 0fb7c0 39d0 0f85bc050000 8d4306 8d342b 89442458 } - $sequence_7 = { c7442408???????? c7442404???????? 890424 e8???????? 84c0 0f8519050000 8b83e4000000 } - $sequence_8 = { ffd0 85c0 0f8863010000 39c5 0f865b010000 29c5 01c7 } - $sequence_9 = { c744242005000000 e9???????? 83c803 8906 8b4304 89442410 85c0 } + $sequence_0 = { c744240c801e4b00 89742408 89442404 c70424???????? e8???????? e9???????? 8b842408020000 } + $sequence_1 = { 89c1 c1e918 0fca 88633a 884b38 89c1 c1e910 } + $sequence_2 = { 8b4c2448 8d742448 894844 8b7c242c 8b4c3c44 894c3afc 8d4848 } + $sequence_3 = { e8???????? 85c0 7594 896c2404 893424 e8???????? c744240448000000 } + $sequence_4 = { c70000000000 85d2 743f 31db bf80ffffff 31c0 90 } + $sequence_5 = { 8b07 31db 8986f8050000 e9???????? 8b2f 8bbef0090000 85ed } + $sequence_6 = { c7831c060000c8000000 c783140a000000000000 c783440a000060ea0000 c783280a000005000000 c7832406000076000000 818b5c0a000010000040 c7830008000002000000 } + $sequence_7 = { e8???????? c7442404???????? 89442408 891c24 e8???????? e9???????? e8???????? } + $sequence_8 = { c744240800000000 897c2404 e8???????? 89c3 85c0 7589 c70424???????? } + $sequence_9 = { c744240c2b0c0000 c7442408???????? c744240401000000 891c24 e8???????? e9???????? c6400700 } condition: 7 of them and filesize < 1704960 
@@ -110082,36 +110544,36 @@ rule MALPEDIA_Win_Shylock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "27b4846a-398c-5add-a760-ff7339bbdf8b" - date = "2026-01-05" - modified = "2026-01-06" + id = "e92404bc-c694-5279-a73e-c19c869c5e1a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shylock_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shylock_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "742cfb0b5b4c0d8c9d0f24db70f112e2bfd101bfeb4b4efca74ae8b027c1a20b" + logic_hash = "896486f3678c2ac087489c34815b45f5beb56a6e3c464b0c693cf90d8b3e1140" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? eb75 8d75d0 e8???????? 8d75a4 e8???????? 8d75c4 } - $sequence_1 = { c20800 55 8bec 83ec1c 56 8d45ec 57 } - $sequence_2 = { ff75e0 e8???????? 83c410 33c0 eb0c b857000780 eb05 } - $sequence_3 = { ff75b8 53 e8???????? 83c420 85c0 7439 3975fc } - $sequence_4 = { e8???????? 59 85c0 751a e8???????? 3db7000000 740e } - $sequence_5 = { e8???????? 59 50 ff750c ff7508 e8???????? 8d751c } - $sequence_6 = { ff75f8 e8???????? 8d45f0 50 8bc6 8b7508 50 } - $sequence_7 = { 8d75fc e8???????? 6a00 68???????? 8d5d0c e8???????? 6a00 } - $sequence_8 = { eb06 8b4d20 8d3488 e8???????? 
8b75f0 8d7ddc e8???????? } - $sequence_9 = { ff75f0 e8???????? 8b5d0c 8d45d0 50 e8???????? 8bd8 } + $sequence_0 = { eb03 d165fc 49 75de 40 3b450c 7cc6 } + $sequence_1 = { e8???????? 85c0 7507 33c0 e9???????? 8b4df0 8365fc00 } + $sequence_2 = { e8???????? 8b3d???????? 59 8bf7 85ff 7412 e8???????? } + $sequence_3 = { 57 ff33 8986b0000000 8d461c 50 c70776696473 c786c00000000c000000 } + $sequence_4 = { ff7508 680a88e5ff e8???????? 8bf0 e8???????? 59 ffd0 } + $sequence_5 = { c9 c20400 55 8bec 6a00 8d450c 50 } + $sequence_6 = { 741a 8d4dec 51 8bde e8???????? 8bd8 e8???????? } + $sequence_7 = { e8???????? 59 59 8d7508 e8???????? 43 3b5df8 } + $sequence_8 = { e8???????? 8d75a4 e8???????? 8d75d4 e8???????? 8d759c e8???????? } + $sequence_9 = { 83f8ff 741a 8d4dec 51 8bde e8???????? 8bd8 } condition: 7 of them and filesize < 630784 
@@ -110121,36 +110583,36 @@ rule MALPEDIA_Win_Lightwork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d343952d-c497-57b0-a1b6-2c344677756b" - date = "2026-01-05" - modified = "2026-01-06" + id = "3e77cece-ce12-583c-b0fa-21f3abd95124" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightwork" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lightwork_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lightwork_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "ab480be92b4f3e94b9e8b99934bd7d24840465004bb1c1ae3a81e26cd770a803" + logic_hash = "8b837f7d479730c614e8608265b8bad4ca26759cd3f1963e05c894ac8cb3527b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d5001 8b4508 8990c8010000 8b4508 890424 e8???????? 8b4508 } - $sequence_1 = { 83e0e0 89c2 8b450c 83e01f 09d0 } - $sequence_2 = { c3 55 89e5 8b4508 83c011 5d c3 } - $sequence_3 = { e8???????? 69d0e8030000 8b450c 01d0 8945f4 8b45f4 89c2 } - $sequence_4 = { 8b80d8010000 8b5510 89542408 8b550c 89542404 890424 e8???????? } - $sequence_5 = { 7419 8b45f0 8b55f4 89442404 89542408 8b4508 890424 } - $sequence_6 = { 55 89e5 8b4508 0fb64005 83e0f0 89c2 8b450c } - $sequence_7 = { 89e5 8b4508 c74008???????? 8b4508 c740047d000000 90 5d } - $sequence_8 = { 890424 e8???????? 
8b450c 8b4014 014518 8b5518 8b4510 } - $sequence_9 = { 66894819 0fb65206 88501b 8b4508 c9 c3 55 } + $sequence_0 = { 885001 90 5d c3 55 89e5 8b4508 } + $sequence_1 = { 7410 8345fc01 8b4508 8b00 3945fc 72df eb01 } + $sequence_2 = { 8910 8b4508 d94510 d9580c 8b4508 0fb655f4 885010 } + $sequence_3 = { 8b4508 8b88b8010000 8b98bc010000 8b45f0 } + $sequence_4 = { e8???????? 8945f4 8d45f0 89442404 8d45cc 890424 e8???????? } + $sequence_5 = { c780e001000000000000 8b45f4 c780e401000000000000 8b45f4 c780e801000000000000 8b45f4 } + $sequence_6 = { 8b4010 99 c1ea18 01d0 } + $sequence_7 = { e8???????? 8945f4 e9???????? c745f005000000 8b4508 890424 e8???????? } + $sequence_8 = { 8b4008 8b4004 8b5508 891424 ffd0 90 c9 } + $sequence_9 = { 8b80e8010000 85c0 747e 8b4508 8b80e8010000 8b5508 8b92ec010000 } condition: 7 of them and filesize < 1132544 
@@ -110160,36 +110622,36 @@ rule MALPEDIA_Win_Avos_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "039bebd7-5f26-5f3f-b924-0aa65f143ed6" - date = "2026-01-05" - modified = "2026-01-06" + id = "3a7a2f13-5a61-5510-a1e8-ba3a5b4d5b24" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.avos_locker_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.avos_locker_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "25a4044828a799f02250311dfaed2866f19c9739199bc4c05e8d323abbd8f547" + logic_hash = "40d6d22affd73241c0479cab6267e7741f726a96e3fe2d79a7c53b30d4d43858" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8d80fbffff e8???????? 888595fbffff 6a20 8d8d80fbffff e8???????? 888596fbffff } - $sequence_1 = { 83fe1a 7ce4 eb0c 57 8d44241c 50 ff15???????? } - $sequence_2 = { c7462800000000 c7462c00000000 0f114618 c645c000 f30f7e45d0 660fd64628 c745d000000000 } - $sequence_3 = { 64a300000000 8bf1 8975ec c745fc00000000 6a24 c745f000000000 e8???????? } - $sequence_4 = { 8955ec 3bda 7467 8b4208 8b4b08 8b730c } - $sequence_5 = { 8d46ec 6a00 50 ff15???????? 85c0 0f8506080000 8b4604 } - $sequence_6 = { 50 e8???????? 
83c40c 6b45e430 8945e0 8d8090f74b00 8945e4 } - $sequence_7 = { 66890451 33c0 6689445102 59 c20400 ff742408 c644240400 } - $sequence_8 = { 8bcc 89a54cf7ffff 68???????? e8???????? c645fc35 8d85b8f9ffff 50 } - $sequence_9 = { 8b11 8d4201 8901 8a442413 8802 0fb6c0 eb0b } + $sequence_0 = { 8d8d18ffffff e9???????? 8d8d18ffffff e9???????? 8d8d20feffff e9???????? 8d8d14feffff } + $sequence_1 = { 6a6e 8d8df0fbffff e8???????? 8885f8fbffff 6a65 8d8df0fbffff e8???????? } + $sequence_2 = { 8d41e8 894431dc c706???????? c745fcffffffff 56 c706???????? e8???????? } + $sequence_3 = { 8bc8 ff7508 e8???????? e9???????? 0fbe41ff 8d04c510104a00 50 } + $sequence_4 = { f00fc14608 7507 8b06 8bce ff5004 6a20 } + $sequence_5 = { e8???????? 0fb600 50 8d8db0fcffff e8???????? 888563fdffff } + $sequence_6 = { c7855cffffff00000000 f30f7e4590 897db0 660f7ec8 660fd68558ffffff 83bd5cffffff10 898548ffffff } + $sequence_7 = { 0f8706010000 8d1c0e 3bda 7304 8bda eb0c 81fbffffff1f } + $sequence_8 = { 89842420020000 53 56 57 6800000100 c744241c5a003a00 c74424205c000000 } + $sequence_9 = { 8b530c 8b7b08 8955e8 897dcc 0fb602 35c59d1c81 69c893010001 } condition: 7 of them and filesize < 1701888 
@@ -110199,49 +110661,49 @@ rule MALPEDIA_Win_Sakula_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5af52a87-4449-5086-85f2-378359f4ae21" - date = "2026-01-05" - modified = "2026-01-06" + id = "f8a2c779-4af9-54c6-9e7e-1eb974b02d90" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sakula_rat_auto.yar#L1-L238" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sakula_rat_auto.yar#L1-L234" license_url = "N/A" - logic_hash = "58d4e203f11e4dd863a93827734d462109e66a0a903d18e391705e909badfaf0" + logic_hash = "48fea957ae9d893f389dc987b89ecf81d70b75d29b1ca5347ce56ebc138b296a" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 6a00 6800010000 6a00 6a00 68???????? } - $sequence_1 = { b802000000 eb0a f7d8 1bc0 83e0fd } - $sequence_2 = { 83e103 8d8396000000 f3a4 8bc8 8a10 40 84d2 } - $sequence_3 = { 33f6 8d4900 ff15???????? 33d2 b914000000 } - $sequence_4 = { 889c244b010000 48 8d642400 8a4801 40 3acb } - $sequence_5 = { eb05 41 3bce 72dd 8d46ff } - $sequence_6 = { 50 6800040000 57 6a02 51 ff15???????? } - $sequence_7 = { 6a00 6a00 6a00 53 6aff 56 6a00 } - $sequence_8 = { 48895c2420 ff15???????? 33d2 488bcb ff15???????? 
} - $sequence_9 = { 8b45f8 8b5df4 39d8 721e 741c 29d8 0345fc } - $sequence_10 = { 4c8d4dd7 4c8d05791d0000 488d0d8a1d0000 33d2 ff15???????? } - $sequence_11 = { e8???????? 8b45f0 eb02 31c0 50 ff75fc e8???????? } - $sequence_12 = { 3bc6 745f 4c8d4dcf 4c8d055b1d0000 488d0d7c1f0000 } - $sequence_13 = { 8b4d08 034df8 0fbe11 83fa41 7c16 8b4508 0345f8 } - $sequence_14 = { 488bd8 4885c0 0f84d3000000 8d7e2f 33d2 488bc8 448bc7 } - $sequence_15 = { e8???????? 83f800 7405 8b45ec } - $sequence_16 = { ff15???????? 488bce 488bd8 ff15???????? 488364243800 488364243000 4c8bc6 } - $sequence_17 = { ba14008410 488b01 ff5028 3bc6 747d } - $sequence_18 = { 488b55d7 488b01 488364242000 4c8d0d240f0000 ff9080000000 3bc6 } - $sequence_19 = { 8945f0 83f800 0f84e7000000 6804010000 ff75f0 } - $sequence_20 = { 83f800 742e 8b5d08 8b4df4 8b4114 8903 8b4110 } - $sequence_21 = { 488bce ff15???????? 488364243800 488364243000 8364242800 488364242000 448bc8 } - $sequence_22 = { 689c000000 e8???????? 8945fc 83f800 0f84ab000000 } + $sequence_1 = { 6a00 56 e8???????? 8b3d???????? 83c410 6a00 } + $sequence_2 = { 83f81e 7cf4 eb05 41 3bce 72dd } + $sequence_3 = { 56 6a01 8bd8 57 53 e8???????? 56 } + $sequence_4 = { 83f804 7d07 b803000000 eb1b e8???????? 83f801 7507 } + $sequence_5 = { 7407 b801000000 eb2c e8???????? 83f804 7d07 } + $sequence_6 = { 53 6aff 56 6a00 6a01 } + $sequence_7 = { 56 e8???????? 8d7e10 8ad8 57 8bc7 e8???????? } + $sequence_8 = { ff15???????? 85c0 0f84ae000000 488bcb } + $sequence_9 = { 83c410 31c0 40 eb02 } + $sequence_10 = { 8903 83c304 e8???????? 8903 83c304 53 } + $sequence_11 = { e8???????? eb88 ff75e4 ff75e4 e8???????? } + $sequence_12 = { ff15???????? 488b4c2458 8d53f1 ff15???????? 488b4c2458 ff15???????? 488b9c24c0080000 } + $sequence_13 = { 31c0 8a040b 3c00 7409 38d0 7405 } + $sequence_14 = { eb0d eb0b ff35???????? e8???????? 68e8030000 e8???????? ff75f4 } + $sequence_15 = { 83c004 8b5df8 8918 83c004 50 6a10 68???????? 
} + $sequence_16 = { 83f800 0f8476010000 6a02 6a00 } + $sequence_17 = { 4c8bc6 448bc8 33d2 33c9 ff15???????? 8bf8 } + $sequence_18 = { 41b804010000 48890d???????? ff15???????? ff15???????? 83f801 } + $sequence_19 = { 33d2 488bc8 448bc7 488905???????? } + $sequence_20 = { 33d2 448bc8 33c9 897c2428 48895c2420 ff15???????? 33d2 } + $sequence_21 = { 488b4dc7 488b01 ff90a8000000 3bc6 740a 488d4de7 } + $sequence_22 = { 55 488dac2450f8ffff 4881ecb0080000 33d2 } condition: 7 of them and filesize < 229376 @@ -110252,10 +110714,10 @@ rule MALPEDIA_Win_Zitmo_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "abf7d489-428c-576b-bf50-6d5176838935" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zitmo_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zitmo_auto.yar#L1-L118" license_url = "N/A" logic_hash = "af492533d6f46a2ad9ae3961738d77dc030c3e8231bbc6ee80a9ef330be7fcfa" score = 75 @@ -110264,9 +110726,9 @@ rule MALPEDIA_Win_Zitmo_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -110290,36 +110752,36 @@ rule MALPEDIA_Win_Bit_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f95bf2c0-1a3f-5ba6-86c1-dc6657e9fb49" - date = "2026-01-05" - modified = "2026-01-06" + id = "c5180548-e44a-569c-97ab-4d6e2fcd4902" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bit_rat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bit_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6a75a2a36ee1576648e5cd3e08166671639be750c77ff100be6cd8e32ca1f573" + logic_hash = "87b904065bbca0f6e207ff2fe2c8348ebce8823ef90bae96dc004c3ac38b8eba" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb1b 8b4de0 8b5ddc 8b7df8 8b45f4 eba7 8b4510 } - $sequence_1 = { e8???????? 8b4f0c 83c404 3b01 740e 6a00 6a00 } - $sequence_2 = { e8???????? c645fc42 50 8bce e8???????? c645fc24 53 } - $sequence_3 = { 85ed 7460 895c2410 8bd3 8bce 85f6 7454 } - $sequence_4 = { e9???????? 83f85b 751b 8bce e8???????? 8bce e8???????? } - $sequence_5 = { e8???????? 8b4c240c 83c404 83f903 751b 6a00 6a00 } - $sequence_6 = { ff7618 8bd7 e8???????? 8bd8 83c408 8bc2 8bcb } - $sequence_7 = { ff75ec ff75e8 ff75fc ff75f8 ff7514 53 eb2a } - $sequence_8 = { c3 8bff 55 8bec 5d e9???????? 
6a00 } - $sequence_9 = { ffb674040000 e8???????? 8bf8 83c408 85ff 0f8595000000 50 } + $sequence_0 = { 8d45a0 0f43c2 0fb700 83f82f 7405 83f85c 7517 } + $sequence_1 = { e8???????? 83c404 e9???????? 8d4580 50 e8???????? 8d4dc0 } + $sequence_2 = { b870000000 eb0a 833b00 7531 b841000000 6a00 6a00 } + $sequence_3 = { e8???????? ffb7e8000000 e8???????? 8d87f0000000 50 e8???????? ffb708010000 } + $sequence_4 = { e8???????? 59 50 8d45ac 50 b9???????? e8???????? } + $sequence_5 = { f6403008 8bc1 744e 2500ff0000 3d00fe0000 744e 85d2 } + $sequence_6 = { 8d4da8 68???????? e8???????? c645fc06 8d45d8 6819040000 50 } + $sequence_7 = { e8???????? 8a0b 8a55ff 5f d2ea 5e 0ac2 } + $sequence_8 = { c70612000000 c7460400000000 83c8ff 5f 5e 5b 59 } + $sequence_9 = { e8???????? 8b4720 53 ff7704 8b00 03c6 50 } condition: 7 of them and filesize < 19405824 
@@ -110329,22 +110791,22 @@ rule MALPEDIA_Win_Mosquito_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "34ccfc9c-1c07-526c-894b-5084961ae1c7" - date = "2026-01-05" - modified = "2026-01-06" + id = "531c9979-7c75-5824-8fa4-bb87c0dcf67e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mosquito_auto.yar#L1-L177" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mosquito_auto.yar#L1-L176" license_url = "N/A" - logic_hash = "4f8e972330c002e4476c43f04fdf320df70c4455b51cf01f5f99efe08713790b" + logic_hash = "dcc43f455887bb61be81ee083bf165c94651a19cf91262fb20e7d1eef10d9d29" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -110352,67 +110814,106 @@ rule MALPEDIA_Win_Mosquito_Auto : FILE $sequence_0 = { f7d8 1bc0 83e0b4 83c04c } $sequence_1 = { 52 50 6a00 6801c1fd7d } $sequence_2 = { 8bfc f3a5 ff942464020000 81c450020000 } - $sequence_3 = { 894b02 8bcf 8b17 ff5208 } - $sequence_4 = { 8b750c 57 894dfc 8d5e06 53 e8???????? 8bf8 } - $sequence_5 = { ff5010 85c0 7436 837dfc00 7409 } - $sequence_6 = { f3a5 ff942460020000 81c450020000 85c0 } - $sequence_7 = { e8???????? 6a20 8bf0 e8???????? 8bc8 } + $sequence_3 = { ff5010 8d4dfc e8???????? 8b45fc } + $sequence_4 = { e8???????? 6a20 8bf0 e8???????? 8bc8 } + $sequence_5 = { be9b000000 e9???????? 50 e8???????? } + $sequence_6 = { be???????? 8bd8 56 6804010000 53 } + $sequence_7 = { 8bfc f3a5 ff942460020000 81c450020000 85c0 } $sequence_8 = { 51 8b55fc 52 8b45f8 50 ff15???????? 8b4dfc } - $sequence_9 = { 6801c1fd7d e8???????? 8bd8 eb02 } - $sequence_10 = { e8???????? 83c40c e8???????? 6a20 } + $sequence_9 = { 6824080000 50 e8???????? 83c410 } + $sequence_10 = { 0000 00645657 8b7dc2 0400 } $sequence_11 = { 0000 006301 1000 7500 } - $sequence_12 = { ff15???????? 6a00 56 ff15???????? 8903 } - $sequence_13 = { 0000 006500 676c 0010 } - $sequence_14 = { 0000 00645657 8b7dc2 0400 } - $sequence_15 = { 0000 0032 08804d086440 5e } + $sequence_12 = { 6a00 ff15???????? 6a00 56 ff15???????? 8903 } + $sequence_13 = { 0000 00748078 3001 40 } + $sequence_14 = { 0000 006500 676c 0010 } + $sequence_15 = { 0000 0018 a0???????? 57 } $sequence_16 = { 0000 0001 1001 c550f0 8b8078005900 } - $sequence_17 = { 0000 0018 a0???????? 57 } - $sequence_18 = { 0000 00748078 3001 40 } + $sequence_17 = { 0000 0032 08804d086440 5e } + $sequence_18 = { 6a20 8bd8 e8???????? 
8bc8 } condition: 7 of them and filesize < 1015808 } +rule MALPEDIA_Win_Medusa_Http_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "d20a8f8a-0c40-56df-b905-5b8d6ebe61b2" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa_http" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.medusa_http_auto.yar#L1-L120" + license_url = "N/A" + logic_hash = "bf22f346b79f830cfb557e80bea02849fba4fc00ac522de893ed484b5992cd17" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { e1fb 1cc9 3ca5 2c8e a1???????? d528 } + $sequence_1 = { ff7100 52 ff7200 53 ff7300 54 } + $sequence_2 = { 6a00 4b ff6b00 4c ff6c004d ff6d00 4e } + $sequence_3 = { 0050ff 7000 51 ff7100 } + $sequence_4 = { 53 ff7300 54 ff740055 ff7500 56 } + $sequence_5 = { 8b4c6386 8608 5f e1fb 1cc9 3ca5 2c8e } + $sequence_6 = { 0c48 b5f9 43 324dd5 1ddf859f31 } + $sequence_7 = { 0000 aa 05854cffab 004893 } + $sequence_8 = { 05854cffab 004893 3eb35b 813bf80937dc 8b4c6386 } + $sequence_9 = { 1cc9 3ca5 2c8e a1???????? 
d528 32f4 } + + condition: + 7 of them and filesize < 1720320 +} rule MALPEDIA_Win_Mount_Locker_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2052c543-cb18-5d1a-a87c-7c9ba4a04469" - date = "2026-01-05" - modified = "2026-01-06" + id = "63bbcac5-b955-5b5d-aa2d-70707a28fbd4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mount_locker_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mount_locker_auto.yar#L1-L158" license_url = "N/A" - logic_hash = "9773bfd51e99f33a259a570fd66a0ee2d45575bac793a3c37128b45245a677af" + logic_hash = "fb8e6328f63d69a9ce7f54925d54c5554693b50d0c29d597a972ebecbfcd31cd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 498be8 4d8bc8 4c8bc2 4c8bf2 } - $sequence_1 = { f30f5905???????? 0f5ad0 66490f7ed0 e8???????? } - $sequence_2 = { 8bc8 81e10000ffff 81f900000780 7503 0fb7c0 3d2e050000 } - $sequence_3 = { 488b0b 41b902000000 4533c0 33d2 } + $sequence_0 = { f30f5905???????? 0f5ad0 66490f7ed0 e8???????? } + $sequence_1 = { 488bcb 488b15???????? e8???????? 
85c0 } + $sequence_2 = { 4c8bf2 8bf1 33d2 33c9 } + $sequence_3 = { 498be8 4d8bc8 4c8bc2 4c8bf2 8bf1 } $sequence_4 = { 488d4df0 4889442428 4533c9 4533c0 } - $sequence_5 = { 4c8bc2 4c8bf2 8bf1 33d2 33c9 } - $sequence_6 = { 4c8b05???????? 488bcb 488b15???????? e8???????? } - $sequence_7 = { 4533c9 488b4c2458 33d2 c744243001000000 c744243c02000000 } + $sequence_5 = { 8bc8 81e10000ffff 81f900000780 7503 0fb7c0 } + $sequence_6 = { 488364242800 4c8d442430 488364242000 4533c9 488b4c2458 33d2 c744243001000000 } + $sequence_7 = { 488b0b 41b902000000 4533c0 33d2 } $sequence_8 = { ff15???????? 85c0 7509 f0ff05???????? } - $sequence_9 = { 7505 e8???????? 833d????????00 7409 833d????????00 } - $sequence_10 = { 7423 488b0d???????? 4885c9 7417 488364242000 4c8d4c2468 } - $sequence_11 = { 57 ff15???????? 8bd8 85db 7442 } - $sequence_12 = { 66894df8 668945f4 56 56 } - $sequence_13 = { 8b7c2414 8b35???????? bd???????? 8b15???????? 8bde 03df 89542414 } - $sequence_14 = { c3 6aff ff7508 e8???????? 68???????? } - $sequence_15 = { 59 59 5f 5e 33c0 5d } + $sequence_9 = { 488b4d6f 8bd8 ff15???????? 488b4d77 } + $sequence_10 = { 7505 e8???????? 833d????????00 7409 833d????????00 } + $sequence_11 = { 57 ff7608 8d85b0fdffff ff7604 50 e8???????? 85c0 } + $sequence_12 = { d1c0 2da55a0000 d1c8 f7d0 } + $sequence_13 = { 8bc6 83d100 f00fc74d00 3bc6 75d7 } + $sequence_14 = { 89442428 8d442410 50 896c2414 896c2418 } + $sequence_15 = { 89860c020000 ebd5 83be0c02000000 74cd 837f0401 } condition: 7 of them and filesize < 368640 
@@ -110422,36 +110923,36 @@ rule MALPEDIA_Win_Carberp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6dabcbc-eb1a-5db4-81e2-886d378b4be1" - date = "2026-01-05" - modified = "2026-01-06" + id = "21842d3f-54ed-5653-ac99-611980f5499e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.carberp_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.carberp_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "86e4e7a3a500c58000a297ef120e6eaa02ce211014fb7c016ba6df2b3118cc01" + logic_hash = "70f324a30a6d2da8c057ef28d208c5aacf94c115b37d5bca42079722049950b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff750c 33db ff35???????? e8???????? 8bf0 59 59 } - $sequence_1 = { 7416 80f92f 7411 80f93d 740c 3bc6 7e04 } - $sequence_2 = { 7415 3bcb 7611 83fa1f 730c 884415d4 42 } - $sequence_3 = { 8d0409 83f80a 89442410 7e08 c74424100a000000 3b6c243c 0f8cf5fdffff } - $sequence_4 = { ff7514 e8???????? 8bf0 59 85f6 7416 ff7514 } - $sequence_5 = { 68???????? 50 68???????? 6a03 e8???????? 83c410 8906 } - $sequence_6 = { e8???????? 59 5e c3 6a00 56 e8???????? } - $sequence_7 = { ff731c 6a09 680b110000 ff35???????? e8???????? 
83c410 85c0 } - $sequence_8 = { ff742410 ff742410 ff742410 ff742410 ffd0 c3 56 } - $sequence_9 = { 817e0402020000 0f85c1000000 6af4 ff36 e8???????? 59 59 } + $sequence_0 = { ff7510 8d4e1c ff750c e8???????? ff7510 8d4e24 ff750c } + $sequence_1 = { 0fb601 50 e8???????? 83c404 84c0 740b 8819 } + $sequence_2 = { 85f6 7454 833d????????00 744b 6a13 6a00 68???????? } + $sequence_3 = { 8b4614 83e804 7438 48 741c 48 7552 } + $sequence_4 = { 8a5c3e08 5d 57 e8???????? 59 5e ff742408 } + $sequence_5 = { 59 59 8bf8 57 e8???????? 55 55 } + $sequence_6 = { ff7508 e8???????? 83c42c 84c0 741c ff750c 56 } + $sequence_7 = { eb08 51 57 56 e8???????? 83c40c 57 } + $sequence_8 = { 3bc7 7525 8b550c 52 e8???????? 83c404 b801000000 } + $sequence_9 = { 57 53 e8???????? 59 84c0 0f8551010000 } condition: 7 of them and filesize < 491520 
@@ -110461,36 +110962,36 @@ rule MALPEDIA_Win_Graphsteel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fd70cca8-a56d-5225-a00e-9e9a8f58f3be" - date = "2026-01-05" - modified = "2026-01-06" + id = "002d4f69-04f1-5e03-80bc-b5ac9cab1bdb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.graphsteel_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.graphsteel_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e3e7b2c9268861fa25138183cb28ca132ae718be8ddf794ff818ae9183996560" + logic_hash = "0d13092c745c3a7a45f6cae4ad1356a333a840eb25ef3d3836be36a3d9bc8246" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 488d0584215d00 bb10000000 e8???????? 4889f8 b900200000 e8???????? } - $sequence_1 = { 8b842490000000 85c0 0f84e8feffff 488d4c2470 e8???????? 4489e0 4881c4b0000000 } - $sequence_2 = { 664189856c010000 498b8528010000 4885c0 7407 c7401807000000 4c89e9 4531e4 } - $sequence_3 = { e8???????? 660f1f840000000000 4885c9 0f8425040000 48f7c160000000 7404 31d2 } - $sequence_4 = { ff15???????? 807e6900 7472 8b4628 85c0 7e4e 31db } - $sequence_5 = { e9???????? 488d7101 4839f7 732b 488d0533c23600 e8???????? 
488d7301 } - $sequence_6 = { 488d6c2430 48897c2420 48894c2450 48895c2448 4889442428 488d05cd4f4b00 e8???????? } - $sequence_7 = { eb0c 488d3d1e448600 e8???????? 488b0d???????? 48898c24f0020000 488d0533115500 e8???????? } - $sequence_8 = { 90 488b5c2468 488b4c2470 488d3d96682100 4889c6 4531c0 4531c9 } - $sequence_9 = { bb1a000000 e8???????? 0f1f440000 e8???????? 488d0594745400 488d1d8deb6400 e8???????? } + $sequence_0 = { c7400c00000000 48c7401000000000 c7007e000000 4489542420 448b442450 4589f9 4889f9 } + $sequence_1 = { 4c898c24b8010000 4889bc24c0010000 4c8b9424b8010000 4d85d2 7422 450fb65a17 4589dc } + $sequence_2 = { e8???????? b801000000 89e9 d3e0 410985cc000000 83fd01 741a } + $sequence_3 = { f7466000ffff00 753b 8b96d4000000 c6466101 85d2 7e0a c7866001000001000000 } + $sequence_4 = { bb16000000 e8???????? 4889842498020000 48899c2498010000 4889d9 4889c3 488d056e743e00 } + $sequence_5 = { ff5030 85c0 752a 48638bbc000000 488b442428 4801c8 4883e801 } + $sequence_6 = { ffd0 488b6c2448 4883c450 c3 31c0 488d1df2193a00 b926000000 } + $sequence_7 = { 8b54244c 4c8b742430 4189c4 498916 4889d0 4180fc04 0f84dc000000 } + $sequence_8 = { c3 488d05c9d85e00 bb0a000000 0f1f440000 e8???????? 488b4c2428 890d???????? } + $sequence_9 = { eb0c 488d3df63c8600 e8???????? 488b0d???????? 48898c2498030000 488d05f3085500 e8???????? } condition: 7 of them and filesize < 19812352 
@@ -110500,35 +111001,35 @@ rule MALPEDIA_Win_Nettraveler_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "49924387-14f0-5a87-ae2b-48062b6b59c8" - date = "2026-01-05" - modified = "2026-01-06" + id = "f4869299-c837-587d-adf1-104a1eb2a080" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nettraveler_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nettraveler_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "64cd33a7e821a03ef4cb5acc77650adcc2d4e3c4a14efecc6b33e33a7efaa84e" + logic_hash = "3f3423057f8d483398337e6e473c308736e570456a334e7bcc459ee9dc2e52f8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd0 50 68???????? ff7510 ff15???????? ff7510 e8???????? } - $sequence_1 = { 5e 5d 83c440 c3 56 e8???????? e8???????? } + $sequence_0 = { 3bc3 7420 0145f8 8b450c } + $sequence_1 = { ffd3 59 59 8d85c0feffff } $sequence_2 = { 0bd1 0355b4 8dbc17aac7b6e9 8bd0 8bcf } - $sequence_3 = { aa 8bca 33c0 8dbdddefffff 80a5dcf3ffff00 f3ab } - $sequence_4 = { ff37 56 ff15???????? 53 ff37 56 ff15???????? } - $sequence_5 = { ffd6 bd???????? 8d442418 55 68???????? 
50 ffd7 } - $sequence_6 = { 53 6a03 53 53 ff75c0 ff75b8 ff7510 } - $sequence_7 = { ff7508 ffd6 53 8d8590f6ffff 53 50 } - $sequence_8 = { 8db4850cffffff 8b4508 33d2 0fb6803c910010 8bf8 } + $sequence_3 = { 68???????? 68???????? ff15???????? 8bf0 83c43c 3bf3 7504 } + $sequence_4 = { 8d8588f3ffff 68???????? 50 ffd7 59 8d85a4feffff 59 } + $sequence_5 = { 7522 e8???????? 393d???????? 7410 e8???????? 85c0 7507 } + $sequence_6 = { ab 8d45b8 6a10 50 68???????? e8???????? } + $sequence_7 = { ff15???????? 8d45ec 50 6a28 ff15???????? } + $sequence_8 = { 8bf0 8bd0 c1e61c c1ea04 } $sequence_9 = { ff75fc ff15???????? 85c0 7417 8d85f4fdffff 56 } condition: 
@@ -110539,36 +111040,36 @@ rule MALPEDIA_Win_Victorygate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad2b94f4-4fb4-597c-a815-1680fdce8561" - date = "2026-01-05" - modified = "2026-01-06" + id = "e1fa2355-f6d1-57a9-9422-748a01820625" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.victorygate_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.victorygate_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "f881de762583581b8f9cd5a6d8f43db0e0fda7800670c3d8d7443132f914f29e" + logic_hash = "334a76c564c3ffd11f6ae43c8e4d98018d208a119d12a2470277496f0d87dc8a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8bd0 c645fc08 8d8d68ffffff e8???????? c645fc07 } - $sequence_1 = { ff75f8 8d8684010000 6a45 50 ff15???????? 85c0 } - $sequence_2 = { c645dc00 33d2 660fd645e4 8d4ddc e8???????? 68???????? 8d4dc4 } - $sequence_3 = { ff36 8bcf 50 e8???????? 8b4e08 83c334 83c634 } - $sequence_4 = { 8d4dc4 c645fc10 e8???????? 0fb64ddc 8bf8 8b45e4 8a17 } - $sequence_5 = { 56 682a2b0000 ffd0 85c0 7419 50 e8???????? } - $sequence_6 = { 50 ff7120 ff7128 e8???????? 83c410 85c0 7415 } - $sequence_7 = { 8b45f0 8d0c90 8b01 85c0 740d 395804 7408 } - $sequence_8 = { e8???????? 
68???????? 8d4dc4 c645fc07 e8???????? 0fb64ddc 8bf8 } - $sequence_9 = { 668908 8bcf c7401000000000 c7401407000000 8d45b0 50 660fd645c0 } + $sequence_0 = { 0f84aeba0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 750f } + $sequence_1 = { 8b85d8f6ffff 0fb704857c1a4600 8d048578114600 50 8d85f0f6ffff 03c7 50 } + $sequence_2 = { 57 ff75ec c745fc00000000 ff7108 837de410 ff75e0 0f4345d0 } + $sequence_3 = { 83c404 8d0481 894df8 8955fc 8945e8 3bc8 7427 } + $sequence_4 = { 69c993010001 33c8 0fb6450f 69c993010001 33c8 69c993010001 8bc1 } + $sequence_5 = { 6a34 8bf1 e8???????? 83c404 85c0 7418 ff750c } + $sequence_6 = { 0f8733110000 52 51 e8???????? 83c408 ff15???????? 8986a8000000 } + $sequence_7 = { 85f6 0f845f030000 837b3801 8d4308 8d533c 0f45d0 83ec18 } + $sequence_8 = { e8???????? 0fb64db8 8bf8 8b45c0 8a17 880f 8b770c } + $sequence_9 = { c745fc05000000 8d4d10 ff7508 e8???????? 8b4df4 8bc7 5f } condition: 7 of them and filesize < 1209344 
@@ -110578,36 +111079,36 @@ rule MALPEDIA_Win_Spyeye_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b5e5088a-e300-5034-889b-970db77fc21d" - date = "2026-01-05" - modified = "2026-01-06" + id = "7acec03f-b3d0-5d4c-99bd-81bbbc387c23" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spyeye_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spyeye_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "eb40febb6f1c9817c33c9124c37ea30f926a02c0c70087f7a1361d98282ccb0d" + logic_hash = "c7df17da41575a42bb6bae2d56fd1cf96601d88e57dadd5c077a5d6580f53e29" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740e 837dfcff 7408 ff75fc } - $sequence_1 = { 8b65fc c9 c20800 55 8bec } - $sequence_2 = { 56 6880000000 6a04 56 6a07 6800000040 57 } - $sequence_3 = { ff7508 ffd0 8b65fc c9 c21400 55 8bec } - $sequence_4 = { ff750c e8???????? 8bd8 83fbff 751b 57 } - $sequence_5 = { 837dfcff 7408 ff75fc e8???????? 3bdf } - $sequence_6 = { 740a 83e0fe 50 57 } - $sequence_7 = { 6a02 eb08 56 6880000000 6a04 } - $sequence_8 = { 6a03 57 6a01 56 ff750c e8???????? } - $sequence_9 = { 50 e8???????? 
85c0 7454 57 56 } + $sequence_0 = { 8965fc ff7514 ff7510 ff750c ff7508 ffd0 } + $sequence_1 = { 8d45e8 50 8d45e0 50 53 e8???????? 85c0 } + $sequence_2 = { ff750c ff7508 ffd0 8b65fc } + $sequence_3 = { 81fbffffff7f 7509 56 57 e8???????? 8bd8 3bde } + $sequence_4 = { 56 57 8b7d08 57 e8???????? 83f8ff } + $sequence_5 = { 740e 837dfcff 7408 ff75fc e8???????? } + $sequence_6 = { 837dfcff 7408 ff75fc e8???????? 3bdf } + $sequence_7 = { 57 6a01 be00000040 56 ff750c e8???????? } + $sequence_8 = { 53 e8???????? 85c0 7407 c745f801000000 397dfc } + $sequence_9 = { ff7508 ffd0 8b65fc c9 c20400 55 } condition: 7 of them and filesize < 741376 @@ -110621,7 +111122,7 @@ rule MALPEDIA_Win_Sodamaster_Auto : FILE date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sodamaster_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sodamaster_auto.yar#L1-L121" license_url = "N/A" logic_hash = "fa1144cbcb2ad99084cc1ee6d93d89428028e0238c89b4c179e1b18530e08c7f" score = 75 
@@ -110656,36 +111157,36 @@ rule MALPEDIA_Win_Mailto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff9d1a8b-72b0-54b9-b1c0-036aa2d1956d" - date = "2026-01-05" - modified = "2026-01-06" + id = "77746f51-fc1c-50cd-a4af-268d4a5b9d6b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mailto_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mailto_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "74f6ff054191d80b386ecb2515d44043acc73f0e2a8bfe9bc33853bab8856df0" + logic_hash = "53e3ddf0c82c6285bb2fdbc99e3b02c5febe1a13e39cac446d5a6487b03a6443" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 e8???????? 56 ffb42498050000 8d8424e8010000 50 } - $sequence_1 = { 8bce d1ee 83e101 f7d9 81e12083b8ed 33ce 8bd1 } - $sequence_2 = { 7434 a1???????? 8d048504000000 50 ff35???????? e8???????? 83c408 } - $sequence_3 = { b938000000 8d3c32 2bca 33c0 8bd1 c1e902 f3ab } - $sequence_4 = { 47 ff742418 897c2420 6a03 e8???????? 8bf0 } - $sequence_5 = { 83c614 ff36 e8???????? 
83c404 8d7620 83ed01 75ee } - $sequence_6 = { 8d4010 0f104406f0 660fefc1 0f1140f0 83e901 75eb } - $sequence_7 = { 6a00 6a02 ffd0 85c0 0f8517020000 53 55 } - $sequence_8 = { 0f1f4000 8b840c54030000 01440c0c 8b840c58030000 11440c10 8b840c5c030000 01440c14 } - $sequence_9 = { d1ea 83e101 f7d9 81e12083b8ed 33ca 8bd1 d1e9 } + $sequence_0 = { 56 e8???????? 83c40c 85c0 75e7 5f 5e } + $sequence_1 = { 68dee412a3 56 894134 e8???????? 8b0d???????? 689a8f3aca 56 } + $sequence_2 = { 5e 85c9 890f 5b 0f95c0 5f c3 } + $sequence_3 = { c744246474000000 e8???????? 8d4c2414 51 56 8b4030 ffd0 } + $sequence_4 = { e8???????? 83c444 6a00 6841db0100 ffb424b0000000 ffb424b0000000 e8???????? } + $sequence_5 = { 23c8 8bc1 c1e01a 29442420 8b442424 03c1 89442424 } + $sequence_6 = { eb08 e8???????? 8b4048 8d4c2410 51 ffd0 880437 } + $sequence_7 = { 33d0 03743c2c 8bc3 03742424 83c704 c1c802 33d0 } + $sequence_8 = { 8d2c8d00000000 23e9 8b4c2430 81f1ffffff03 f7d1 8bc1 8bdd } + $sequence_9 = { ffb424d0000000 89442430 ffb424d0000000 89542438 e8???????? 6a00 6841db0100 } condition: 7 of them and filesize < 180224 
@@ -110695,36 +111196,36 @@ rule MALPEDIA_Win_Locky_Decryptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91dde92f-87a2-5234-b407-3d3ed8c90b2f" - date = "2026-01-05" - modified = "2026-01-06" + id = "ecfeaf41-63ea-55ed-b4aa-03611cff89ae" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.locky_decryptor_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.locky_decryptor_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "adead49efcae5adc3a8d7fcf047561cadce25b6fc8d50f573c5cccce259fe79f" + logic_hash = "0702ae083d89f6bb2206cb125aaa99e0dffc193c2fefab2c47131b299ccaf228" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03049500c14100 eb05 b8???????? f6400420 } - $sequence_1 = { 7202 8b1b 837dec08 8b4dd8 7303 8d4dd8 03c0 } - $sequence_2 = { 395ddc 7413 837de008 8b45cc 7303 } - $sequence_3 = { 8bf7 83e61f c1e606 03348500c14100 } - $sequence_4 = { 8b4dfa 33c0 4a 49 668945e8 668945ea 6a27 } - $sequence_5 = { 50 33c9 8d7d08 8975f0 e8???????? 83cbff } - $sequence_6 = { 6830010000 e8???????? 33db 59 59 3bc3 7509 } - $sequence_7 = { e8???????? 8b5e04 8b0e 8bc3 2bc1 99 f7ff } - $sequence_8 = { 8b45ec 8b08 890b 8938 397df0 740a 57 } - $sequence_9 = { e8???????? 
6a01 33ff 8d75d8 e8???????? 8b450c 8b4df4 } + $sequence_0 = { 50 56 ff750c 895de8 8b3d???????? } + $sequence_1 = { 50 56 e8???????? 83c40c 85ff 0f8435010000 } + $sequence_2 = { 03c7 5a 2b5010 68???????? 01542410 8bf0 } + $sequence_3 = { 8d4508 668378023a 7440 837d1c08 8b4508 7303 8d4508 } + $sequence_4 = { c745f0b86b4100 e8???????? c9 c20c00 55 8bec 83ec10 } + $sequence_5 = { 83c11c 4b 395c2414 7cc8 } + $sequence_6 = { 7209 83ffff 0f879c000000 8d742424 e8???????? c644244c01 85db } + $sequence_7 = { 57 8bc2 c1f805 8b048500c14100 } + $sequence_8 = { 8d4db0 51 c645fc01 e8???????? 56 } + $sequence_9 = { 50 56 53 8d742454 e8???????? 50 } condition: 7 of them and filesize < 278528 @@ -110735,10 +111236,10 @@ rule MALPEDIA_Win_Croxloader_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "74969832-3646-5c22-9967-7e8cb3d178d9" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.croxloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.croxloader_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.croxloader_auto.yar#L1-L124" license_url = "N/A" logic_hash = "5587745f089fbff18eabf5b798d40f2503c06a9701158cb607e6e154e3ca0b65" score = 75 @@ -110747,9 +111248,9 @@ rule MALPEDIA_Win_Croxloader_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -110773,36 +111274,36 @@ rule MALPEDIA_Win_Pkybot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "29bf327d-061e-5e00-99c9-e0f77546c9d5" - date = "2026-01-05" - modified = "2026-01-06" + id = "dad123b0-5214-5e40-a4ae-64b9bde878fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pkybot_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pkybot_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "8f4c476e3b3790c8de41f37bef9cc1cce302daf7501c6563be237c0b8f2d2ef4" + logic_hash = "1d6798070fba3daea25cacf6da3969ebfcd59365ae5b1adbcd1b6a4bd6c4d903" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf0 eb02 33f6 8b4704 0590000000 894620 } - $sequence_1 = { 33c0 e9???????? 53 6a10 ff7510 8d45f0 } - $sequence_2 = { 53 ff7004 ff30 6aff } - $sequence_3 = { 7407 46 8a06 84c0 79eb 8bc6 } - $sequence_4 = { 7510 8b4e04 21413c c741300d000000 } - $sequence_5 = { 6801000040 ff7510 ff750c e8???????? } - $sequence_6 = { 7503 8b7104 83c10c e8???????? 50 8bce } - $sequence_7 = { 8b07 8bcf ff5008 6a2c e8???????? } - $sequence_8 = { 8b4008 eb08 e8???????? 59 } - $sequence_9 = { 56 ff7510 ff750c ff7508 ff15???????? 
85c0 } + $sequence_0 = { 813e50450000 750b b80b010000 66394618 7404 } + $sequence_1 = { 8bf1 f70600020000 7409 ff7604 e8???????? } + $sequence_2 = { 8b4e20 8b01 ff5010 5f 8bc6 5e 5b } + $sequence_3 = { b80b010000 66394618 7404 33c0 } + $sequence_4 = { 53 ff7004 ff30 6aff } + $sequence_5 = { 85c0 0f848a000000 8d45fc 50 6a00 6a00 6a19 } + $sequence_6 = { 6a01 ff7004 ff15???????? 8bf0 83feff } + $sequence_7 = { 8bec a1???????? 83ec10 85c0 743c 833d????????00 7433 } + $sequence_8 = { 8bf8 8d45f8 50 8d85ecfdffff } + $sequence_9 = { ff35???????? e8???????? 59 893d???????? 893d???????? } condition: 7 of them and filesize < 204800 
@@ -110812,36 +111313,36 @@ rule MALPEDIA_Win_Paladin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea744185-35d7-56b0-b303-642060848578" - date = "2026-01-05" - modified = "2026-01-06" + id = "9c8bedd6-b4cb-5765-8ae1-c31d65894bd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.paladin_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.paladin_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "666d7127e3e5da62ea89e9776cb09bdea95055b6e6b5094287262ef9a36c1b71" + logic_hash = "be691830b74f4d504bab7e7cf8fff4ade4c17cd2fe8a405e845f4be66321b112" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5d00 3bdd 7447 8d4c2414 6a00 8bc3 8b1b } - $sequence_1 = { 03fd ff15???????? 8b4620 85c0 7e44 33c9 8a4e1c } - $sequence_2 = { 40 3bc6 7cf2 6a00 } - $sequence_3 = { 894664 8b465c 6a00 57 8b3d???????? 6a00 } - $sequence_4 = { 7c02 8bc1 57 8bce 894638 e8???????? } - $sequence_5 = { c1e004 03c2 33d2 8a11 8d04c0 8d0443 } - $sequence_6 = { e8???????? 8d442418 6a04 50 8bcb e8???????? 8d4c2424 } - $sequence_7 = { 6a00 6880000000 6a03 6a00 6a01 8d451c 6800000080 } - $sequence_8 = { 56 ff95a4feffff 85c0 7412 6820030000 } - $sequence_9 = { 8d69f3 55 e8???????? 
8bf0 55 } + $sequence_0 = { 50 68???????? c78424f800000000000000 e8???????? } + $sequence_1 = { 8d7729 8b542410 8a4208 84c0 7449 33c0 } + $sequence_2 = { 8944241c 3bc3 c744241402000000 740d 6a32 53 57 } + $sequence_3 = { 51 52 ff15???????? 85c0 759d 8b442410 50 } + $sequence_4 = { 85c0 0f8493000000 bf???????? 8d742460 8a16 } + $sequence_5 = { 33c0 8985acfeffff 8985b4feffff 68???????? ff15???????? } + $sequence_6 = { 83c404 8b742410 6800c80000 8bcb e8???????? 50 6a00 } + $sequence_7 = { 50 68???????? c78424e800000000000000 e8???????? 84c0 } + $sequence_8 = { 8d4c242c c68424f000000001 e8???????? 8d4c2400 c68424f000000000 } + $sequence_9 = { 8d44241c 8d7b1c 50 57 ff15???????? 33c9 } condition: 7 of them and filesize < 106496 
@@ -110851,36 +111352,36 @@ rule MALPEDIA_Win_Poslurp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de29f131-c10c-5b1a-9ede-2dfe5ee182bf" - date = "2026-01-05" - modified = "2026-01-06" + id = "f57f3062-2d48-53bc-84d2-4f47478aeafc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poslurp_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poslurp_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "dafce983a197626ced3ffe7ea55c9454b2349c0bd7691c948d5ed2bf42cf11d0" + logic_hash = "1ce7d286bb932144dd320e4741b9f64328e3751d7a5f95794d81a78692d9adcd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883f8ff 743d 448d4f02 4533c0 33d2 488bc8 } - $sequence_1 = { 3905???????? 7309 33c9 ff15???????? } - $sequence_2 = { 44891d???????? eb0b 6689445420 41ffc0 48ffc2 4883c9ff 33c0 } - $sequence_3 = { 48f7d1 4883e901 7458 448b0d???????? } - $sequence_4 = { 4c8bf0 488bf8 33c0 f3aa 498bce 488bd5 } - $sequence_5 = { 740e 0f1f4000 488b1b 66837b3818 } - $sequence_6 = { ff15???????? 
4883f830 0f85b3000000 817c245000100000 } - $sequence_7 = { 4d897b08 4d897bc8 8b7c0850 4c8bf2 488be9 4d897ba0 } - $sequence_8 = { 0f84d5000000 6666660f1f840000000000 0fb703 ffc9 83e830 } - $sequence_9 = { ffce 488bd5 48d1f9 8bfb 85c9 } + $sequence_0 = { 4156 4157 4883ec60 448bf2 4c8bf9 4c8be1 } + $sequence_1 = { 488bc8 482bcd 48d1f9 83c1dc 83f93c } + $sequence_2 = { 740e 0fb7d0 488bcd 41ffd5 488907 eb0e } + $sequence_3 = { 498bf7 4c8be8 488bf8 33c0 f3aa 8bcd 498bfd } + $sequence_4 = { 83f809 7709 ffc7 48ffc2 } + $sequence_5 = { 48ffc2 32c1 8842ff 69c90d661900 81e96b1ef949 } + $sequence_6 = { ff15???????? 4c8d4c2458 448bc5 488bd6 } + $sequence_7 = { 488bfe 458bc4 498bd4 66f2af 4c8d2d45220000 48f7d1 4883e901 } + $sequence_8 = { 418bc8 ffce 488bd5 2bcd 8bfb } + $sequence_9 = { 57 4883ec20 48833d????????00 488bd9 751f 488b0d???????? ba08000000 } condition: 7 of them and filesize < 50176 
@@ -110890,36 +111391,36 @@ rule MALPEDIA_Win_Poohmilk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cacedc8f-4cf2-5e4c-8224-5986e70d4e19" - date = "2026-01-05" - modified = "2026-01-06" + id = "483e4fcf-1f3d-5e75-bbef-a7bb7c4c805d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poohmilk_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poohmilk_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "15b630d72bc25e1b2f8f69f3f9fe553b37147103f16fa6bc4f49ddd60f0d2e34" + logic_hash = "490defb91f075ad3ae75dd04962c4d29229e5802c0b4c23586aa7787b6607d3f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 68???????? 8d95ecfdffff 52 } - $sequence_1 = { 0f84de000000 3bf3 0f84d6000000 8b4110 0fb75704 } - $sequence_2 = { 752c ff15???????? 
6a05 6a00 6a00 } - $sequence_3 = { 0f84d3000000 33d2 668910 8d85d4f9ffff } - $sequence_4 = { 8b01 33ff 8995f4efffff 397e10 0f86cf000000 } - $sequence_5 = { 83ffff 0f8456ffffff 8b95d4fbffff 6a00 8d8dd0fbffff 51 } - $sequence_6 = { 8bd1 03d7 c785ecefffff00000000 1385ecefffff 89bde8efffff } - $sequence_7 = { 8b8570d2ffff 8b5038 837a3400 7513 8b8d84d2ffff 8b5028 } - $sequence_8 = { 40 80b9b075410000 74e8 8a13 0fb6ca 0fbe89b0754100 } - $sequence_9 = { 33c0 894610 894614 894618 89461c 8b4620 8b4f28 } + $sequence_0 = { 8d85ecfdffff 50 ffd7 8d8dc8fbffff 51 8d95ecfdffff } + $sequence_1 = { 8b5738 8b4230 6a00 51 56 50 } + $sequence_2 = { ff15???????? 85c0 0f84b9000000 8b542410 8d442414 50 } + $sequence_3 = { 0f838d000000 0fbe8818344100 3bf1 7346 8b9564ffffff } + $sequence_4 = { e8???????? 8be5 5d c3 8bbd98fbffff 8d8decfdffff } + $sequence_5 = { 6880000000 6a03 6a00 6a07 6800000080 56 ff15???????? } + $sequence_6 = { bb90010000 f7fb 85d2 740d 8bc6 c1e002 8bb0b0724100 } + $sequence_7 = { 3304bdb8314100 c1e904 8bf8 83e70f } + $sequence_8 = { 0fb63e 0fb6c0 eb12 8b45e0 8a80fc7b4100 08443b1d } + $sequence_9 = { 3bcf 0f85f9000000 03de 11bd68d2ffff 29b594d2ffff 8b8594d2ffff } condition: 7 of them and filesize < 245760 
@@ -110929,36 +111430,36 @@ rule MALPEDIA_Win_Gcman_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5cac84ae-f553-54c6-a2ab-9c6f483e5d7f" - date = "2026-01-05" - modified = "2026-01-06" + id = "8224ea9b-cee2-5e48-9bd4-a2a5010f2b30" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gcman_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gcman_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "6db65719f209f972eea7f56ad4db94ab537c244677bf2af532fb68763547fbd8" + logic_hash = "4cf582ce3815e6490fdc2c444f74be071ece657cca140e110f40f7d491c65c14" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 01d9 89de 31c6 21ce 31c6 0375c4 01f2 } - $sequence_1 = { 8d45d4 89442408 c744240413000020 8b45e4 890424 e8???????? } - $sequence_2 = { 89ce 31de 21c6 31de 0375a8 } - $sequence_3 = { 31c6 0375b4 01f1 81e979f22a0b c1c10e 01d9 } - $sequence_4 = { 89442408 8b4510 89442404 8b45e8 890424 e8???????? } - $sequence_5 = { 8b4508 40 0fb600 c0e804 240f 0202 8801 } - $sequence_6 = { c1e818 8802 8b550c 83c254 8b450c 8b4014 } - $sequence_7 = { 40 8945f4 eb0c 8d45e0 } - $sequence_8 = { 01c3 89de 31c6 31d6 0375d4 01f1 81c122619d6d } - $sequence_9 = { 890424 e8???????? 
8b45ec 8945f4 8b45f4 803800 741f } + $sequence_0 = { c745fc00000000 8b4508 803800 0f8487000000 } + $sequence_1 = { ff00 837dec01 7443 837dec01 7f0b 837dec00 } + $sequence_2 = { 8b04d5e4504000 ffd0 8945fc c745f401000000 eb07 } + $sequence_3 = { 8d45f4 ff00 ebe7 8b45f4 803800 } + $sequence_4 = { e9???????? 837d0c00 0f8e94000000 8b4dfc } + $sequence_5 = { 09de 31c6 0375c0 01f1 81e9ecbcfe5c } + $sequence_6 = { 7513 8d85d8ebffff 890424 e8???????? a3???????? 8b8590eaffff 89442408 } + $sequence_7 = { 8902 8b5508 83c20c 8b4508 83c00c 8b00 01d8 } + $sequence_8 = { 0385f4efffff 89442404 8b85e0efffff 890424 e8???????? 83ec14 8b85ecefffff } + $sequence_9 = { 40 890424 e8???????? 8945fc 8b45fc 89442408 8b450c } condition: 7 of them and filesize < 81920 @@ -110969,10 +111470,10 @@ rule MALPEDIA_Win_Tandfuy_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "f7c34ec9-5c47-5400-953b-2fc065900f46" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tandfuy_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tandfuy_auto.yar#L1-L118" license_url = "N/A" logic_hash = "8bcf4f8924f2bd51984baf6f9c4aad50acc2f2e7396ee140bd5315db5dd99bae" score = 75 
@@ -110981,9 +111482,9 @@ rule MALPEDIA_Win_Tandfuy_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -111007,36 +111508,36 @@ rule MALPEDIA_Win_Fast_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "057c36f1-0a19-594b-99bb-5ac5d28c2830" - date = "2026-01-05" - modified = "2026-01-06" + id = "ade8a502-6d2a-505f-913b-4ccf6f60d01b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fast_pos_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fast_pos_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "bb07ee6c2efdd43c16301c1c39c93cc562e35ab0089f1712602de2983cb204bb" + logic_hash = "4198b8f4efada69a296e0a68647a012e73820aa794b97f722c136001b60ea22b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8b7510 c745fc00000000 57 8bf9 85f6 792b } - $sequence_1 = { 50 68???????? 56 c7857cffffff01000000 e8???????? } - $sequence_2 = { ffb5e8feffff ff15???????? 85c0 7517 } - $sequence_3 = { 5d c20c00 81feffffff7f 7ecf eb33 8b49f0 } - $sequence_4 = { 8bec 8b4508 53 56 8bd9 8b30 } - $sequence_5 = { e8???????? 6a10 68???????? 68???????? 6a00 ff15???????? 6a00 } - $sequence_6 = { 6a64 8d4580 c745fc00000000 50 89b578ffffff c7857cffffff00000000 ff15???????? } - $sequence_7 = { 0f9485ebfeffff 83c2f0 83cfff 8bc7 8d4a0c f00fc101 48 } - $sequence_8 = { 56 c785e8feffff01000000 e8???????? 
83c40c 8bc6 } - $sequence_9 = { e8???????? ff30 ff15???????? 8b95e4feffff 8bcf } + $sequence_0 = { c745fc00000000 50 68???????? 56 c785e8feffff01000000 } + $sequence_1 = { c785e8feffff01000000 e8???????? 83c40c 8bc6 8b4df4 64890d00000000 59 } + $sequence_2 = { 7d12 52 8d8de0feffff e8???????? } + $sequence_3 = { e8???????? 8b95e4feffff 83c408 85c0 0f9485ebfeffff 83c2f0 83cfff } + $sequence_4 = { 68ffff1f00 ff15???????? 6a00 50 } + $sequence_5 = { 8d85e4feffff c745fc00000000 50 8d85ecfeffff c785e8feffff00000000 50 } + $sequence_6 = { 751e 8b4d08 57 e8???????? 8b4508 5f 5e } + $sequence_7 = { c785e4feffff04010000 ff15???????? 85c0 7558 8d85e4feffff 50 } + $sequence_8 = { 6a64 8d4580 c745fc00000000 50 89b578ffffff c7857cffffff00000000 ff15???????? } + $sequence_9 = { 50 8d85ecfeffff c785e8feffff00000000 50 89b5e0feffff c785e4feffff04010000 ff15???????? } condition: 7 of them and filesize < 327680 
@@ -111046,41 +111547,41 @@ rule MALPEDIA_Win_Yorekey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53555fbf-037b-5e64-8224-50e96dcbd224" - date = "2026-01-05" - modified = "2026-01-06" + id = "399cf119-72a7-502d-89df-3b8c93a5842b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yorekey_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yorekey_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "41e7314d91a8ca800c9d1b91b639e00add0929573052dd3660fca999dcefb1ff" + logic_hash = "3544e5b416e8d746fb70f07c705ae262845731994e4a7851c86617d16965157d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 750a 85c0 7506 ff15???????? } - $sequence_1 = { 4881ec80000000 488b05???????? 4833c4 488945f0 488d55a0 } - $sequence_2 = { a1???????? 8bd0 83f910 7305 ba???????? } - $sequence_3 = { 3da1000000 761b 3da3000000 7714 } - $sequence_4 = { 488bc7 c6041800 ffc5 49ffc6 } - $sequence_5 = { 488b05???????? 4833c4 4889442458 8b01 488bf9 } - $sequence_6 = { 88541c2f 4881fb00010000 72dd 8b5704 8b0f 4c8d442430 4c8bce } - $sequence_7 = { 8bd9 7418 488d0df7f50000 e8???????? 85c0 7408 } - $sequence_8 = { 50 56 8d8c240c080000 51 52 ffd7 } - $sequence_9 = { 8955f0 0fbe13 52 894dec 8b0d???????? 
8945f4 8d45e4 } - $sequence_10 = { 8d4598 b919000000 be???????? 8d7d98 50 f3a5 ff15???????? } - $sequence_11 = { 68ff000000 e8???????? 59 59 8b7508 8d34f5d8194100 } - $sequence_12 = { 0fbe84c140e14000 6a07 c1f804 59 } - $sequence_13 = { cc 488d0de61f0100 e8???????? cc 85f6 } - $sequence_14 = { 488b13 498b0f 488d0549470000 4889442450 488b85f0040000 4c8d442430 4889442460 } + $sequence_1 = { 0f849a010000 488d8550030000 4c8d442460 4c2bc0 660f1f840000000000 } + $sequence_2 = { 488d4dbc 4c8d05a5fd0000 488d0c41 41b903000000 488bc1 492bc6 } + $sequence_3 = { 8b5c2444 e9???????? 488d05930b0100 4a8b0ce8 41f6440c0880 } + $sequence_4 = { c1f805 8b0485e0404100 83e61f c1e606 59 c644300400 85ff } + $sequence_5 = { 488b0d???????? ff15???????? 488d0d1c930100 48c705????????ffffffff ff15???????? } + $sequence_6 = { 83e01f c1f905 c1e006 03048de0404100 eb02 } + $sequence_7 = { 7508 ff15???????? eb05 e8???????? 8bc8 } + $sequence_8 = { 83f808 742a 83f80d 7415 83f81b 7530 } + $sequence_9 = { 75c7 eb0a 48398c2490000000 74bb 4d85f6 } + $sequence_10 = { c1e606 033485e0404100 c745e401000000 33db } + $sequence_11 = { 7416 8bc1 83e01f 8bd1 c1fa05 c1e006 030495e0404100 } + $sequence_12 = { 498bcf e8???????? 33c9 4d85f6 7456 482bde } + $sequence_13 = { 6a0d ff15???????? a3???????? 85c0 750c b801000000 5e } + $sequence_14 = { 482bdf 48d1fb 48399c2490000000 7621 4c8bcb 4c8bc7 4883caff } condition: 7 of them and filesize < 274432 
@@ -111090,28 +111591,28 @@ rule MALPEDIA_Win_Sombrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d0dde23d-377f-5d10-8911-6d96e1813650" - date = "2026-01-05" - modified = "2026-01-06" + id = "af13e03f-a95f-5ae9-ab66-143e3efb1589" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sombrat_auto.yar#L1-L152" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sombrat_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "941d1381587fea594c21f438f9e9d8395ac2ab22b349124a0b48a1b28fcdbcbd" + logic_hash = "0df08af9c206a75a3da27570d60f8220a1618e070b3671a9b63afb191a74b380" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 014114 8b7508 837df800 8b5df4 0f84c3feffff } - $sequence_1 = { 833d????????10 b9???????? 0f430d???????? 51 8bc8 } + $sequence_1 = { 834e4cff 66894650 8bc3 895620 } $sequence_2 = { 01041e 8b4508 42 8d7308 } $sequence_3 = { 0145e4 8b55f8 83c40c 294644 } $sequence_4 = { 014620 f6460c04 8945e0 742d 85c0 7429 8b4de4 } 
@@ -111135,36 +111636,36 @@ rule MALPEDIA_Win_Roseam_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d66e57df-f9e1-5b6e-89cb-6ce661f1848e" - date = "2026-01-05" - modified = "2026-01-06" + id = "b9a88bbf-d83b-52cd-bd88-fdf112a23453" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.roseam_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.roseam_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "49c65990e1943387e5f2f0be33c8622a534714937967ee32ce82db7fba5361e7" + logic_hash = "2db7528f6b335f8eb8d43124c1846a4e2840c9e10ae7c969588643c42c1ac20a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5d c3 8d4db8 c60200 51 } - $sequence_1 = { 33c9 66894304 66894b06 50 68???????? } - $sequence_2 = { 0f8682000000 66833b20 747c 56 } - $sequence_3 = { 9d 5d 8b45f8 85c0 0f84db000000 } - $sequence_4 = { 41 40 894dfc 8945f8 68???????? 50 9c } - $sequence_5 = { 58 58 8b45bc 48 7409 83e803 0f854c010000 } - $sequence_6 = { 8d85f4fcffff 8a10 8a1e 8aca 3ad3 751e 84c9 } - $sequence_7 = { 803a2e 740c 8a4201 42 } - $sequence_8 = { c7451800000000 84c0 7478 68???????? 50 } - $sequence_9 = { b9ff000000 33c0 8dbdf1f7ffff 8895f0f7ffff 8b1e f3ab } + $sequence_0 = { 8b51fc c3 a1???????? 
85c0 } + $sequence_1 = { 40 894dfc 8945f8 68???????? 50 9c b80a000000 } + $sequence_2 = { 33c0 8dbd19f7ffff c68518f7ffff00 f3ab 66ab aa } + $sequence_3 = { 50 e8???????? 83c414 50 68???????? 50 b822010000 } + $sequence_4 = { e8???????? 0a00 0000 51 b914000000 e2fe 59 } + $sequence_5 = { 50 8d85c8fdffff 51 50 52 } + $sequence_6 = { 64a300000000 5d 5d 9d 5d 8b4df8 51 } + $sequence_7 = { 889524f9ffff f3ab 66ab aa b9ff010000 } + $sequence_8 = { e8???????? 56 e8???????? 8b55d4 } + $sequence_9 = { 0fbe02 85c0 89450c 0f8e19010000 68???????? } condition: 7 of them and filesize < 221184 
@@ -111174,36 +111675,36 @@ rule MALPEDIA_Win_Feodo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "294edd8e-79e5-57c8-8d21-3a46810574e0" - date = "2026-01-05" - modified = "2026-01-06" + id = "e16db7c0-878d-5e1b-9414-76d887970340" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.feodo_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.feodo_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "7ae2a34a3e8eb5aa6b8cbee0b549d59082912ee3877b6eb0ff9194b700931591" + logic_hash = "0571c518b31fc97c470818f8cf49a044f58f47461fd50c9e2733a6456f61a621" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 747b 6a00 6800000008 } - $sequence_1 = { 85d2 740a 03ca 397144 75f3 8b7904 } - $sequence_2 = { 6a00 6a03 57 8d442424 50 ff15???????? } - $sequence_3 = { ff15???????? 85c0 743d 8d4c2404 } - $sequence_4 = { 56 6808020000 8d442444 50 } - $sequence_5 = { 83ec0c 56 57 33ff 57 6a02 6a02 } - $sequence_6 = { 8bf0 85f6 75e0 6a00 57 } - $sequence_7 = { 56 57 ff15???????? 8bf0 85f6 75e0 6a00 } - $sequence_8 = { 6a20 8d542404 52 ff15???????? 
8d0424 50 } - $sequence_9 = { 743d 8d4c2404 51 8d542424 52 } + $sequence_0 = { 85c0 741f 8b0424 6a00 6a1c 8d54240c } + $sequence_1 = { 6a18 51 c744241000000000 ff15???????? } + $sequence_2 = { 741f 8b0424 6a00 6a1c } + $sequence_3 = { 56 e8???????? eb06 56 e8???????? 83c404 56 } + $sequence_4 = { 0201 0202 0200 0202 0202 0202 } + $sequence_5 = { 6a00 50 2b05???????? 05???????? 50 57 ff15???????? } + $sequence_6 = { 50 51 ff15???????? 83c608 83fe18 72db } + $sequence_7 = { be01000000 f6c302 740e bf000000c0 eb1b be05000000 ebed } + $sequence_8 = { 33ff 57 6a02 6a02 57 6a01 6800000040 } + $sequence_9 = { 83e801 7404 83c8ff c3 8b4c2404 } condition: 7 of them and filesize < 270336 
@@ -111213,36 +111714,36 @@ rule MALPEDIA_Win_Wastedlocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1b25ab78-4d17-5567-bfe5-7c9cd4852d3a" - date = "2026-01-05" - modified = "2026-01-06" + id = "654494ca-c81c-542d-b415-92a91e406d2a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wastedlocker_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wastedlocker_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "2c12d9ce655c1e066154e40493d5fbd7e9ce57fd1e7f44c9306209ae45654264" + logic_hash = "2465353b53e4cdc20b789b4c3a31fcf9044b84fd7695a49e7a760f4ebef7bf7d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 6a2a e8???????? 8b45fc 8b30 } - $sequence_1 = { 5b 7504 8365fc00 8b4508 ff30 ff15???????? 8b45fc } - $sequence_2 = { 8bc7 351ec34eee 50 53 e8???????? } - $sequence_3 = { ff15???????? 85c0 740f 6a02 57 ff15???????? } - $sequence_4 = { 51 8935???????? 8935???????? a3???????? a3???????? } - $sequence_5 = { e8???????? 8d85d0f3ffff 50 56 8d85b8edffff 50 8d85b0ebffff } - $sequence_6 = { 8918 33f6 eb26 ff15???????? 53 6a00 ff35???????? } - $sequence_7 = { 03c7 13cb a3???????? 0bc1 890d???????? 0f8456010000 8b4dfc } - $sequence_8 = { ff7508 e8???????? 
2b4d08 8bf0 03f1 eb02 8bf1 } - $sequence_9 = { ff750c 6a00 ff35???????? ff15???????? 8b45f0 5f 5e } + $sequence_1 = { 51 03c2 2bf8 03f7 56 8bf8 50 } + $sequence_2 = { 83e020 50 ff7510 ff75fc e8???????? 8bf0 } + $sequence_3 = { 8d0477 50 894d10 e8???????? 8b4510 d1e8 83c40c } + $sequence_4 = { 7416 f6c301 7411 83e0fe } + $sequence_5 = { 8d0c36 51 ff7508 50 e8???????? 83c40c } + $sequence_6 = { 399c8df0fbffff 74f4 41 894d10 } + $sequence_7 = { 3d6d006f00 7504 b102 eb14 } + $sequence_8 = { 741a ff75e8 6a00 ff35???????? ff15???????? eb07 c745f801000000 } + $sequence_9 = { 8d45e4 50 8d45ec 50 8bc7 } condition: 7 of them and filesize < 147456 
@@ -111252,66 +111753,63 @@ rule MALPEDIA_Win_Etumbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c874e7f9-5803-51aa-bcc8-4faaaf0ce1ce" - date = "2026-01-05" - modified = "2026-01-06" + id = "7a44590c-476a-596a-b348-9adff5cd4282" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.etumbot_auto.yar#L1-L358" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.etumbot_auto.yar#L1-L328" license_url = "N/A" - logic_hash = "bab72b55d5937eff166f630a71bea6d6d650e72f44dc18db352baddef63ef002" + logic_hash = "2541b1e1314c0309767c3abbf1fef376036fad0806f0510c9f7058d5374fb3bc" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a00 02c2 0fb6c0 8a8405fcfeffff } - $sequence_1 = { 0fb6c0 8a8405fcfeffff 320437 8806 46 } - $sequence_2 = { c745b063726f73 c745b46f66745c c745b85c57696e c745bc646f7773 c745c05c5c4375 c745c47272656e } - $sequence_3 = { f7d1 23c1 42 4e 75df } - $sequence_4 = { 8d45f4 6820a10700 50 68???????? 68???????? 
} - $sequence_5 = { c745cc73696f6e c745d05c5c496e c745d47465726e c745d865742053 } - $sequence_6 = { 03c1 8bc8 81e1000000f0 7407 8bf9 } - $sequence_7 = { 7407 8bf9 c1ef18 33c7 f7d1 23c1 } - $sequence_8 = { c745d47465726e c745d865742053 c745dc65747469 c745e06e677300 } - $sequence_9 = { 53 56 57 8b3d???????? ffd7 8b7508 8bd8 } - $sequence_10 = { 57 0fbe38 33f6 33db } - $sequence_11 = { c745c47272656e c745c874566572 c745cc73696f6e c745d05c5c496e } - $sequence_12 = { ffd7 2bc3 3bc6 72ed 5f 5e } - $sequence_13 = { 8b45f4 0345f0 8b4d08 034dec 8a11 8810 } - $sequence_14 = { c645bf69 c645c062 c645c16c c645c265 c645c33b c645c420 c645c54d } - $sequence_15 = { 8b4d08 83c101 894d08 8b550c 83ea03 } + $sequence_0 = { 8a00 02c2 0fb6c0 8a8405fcfeffff 320437 8806 46 } + $sequence_1 = { c1e004 03c1 8bc8 81e1000000f0 7407 8bf9 } + $sequence_2 = { 23c1 42 4e 75df } + $sequence_3 = { ff15???????? ffd7 2bc3 3bc6 72ed 5f 5e } + $sequence_4 = { 7407 8bf9 c1ef18 33c7 } + $sequence_5 = { c745ac5c5c4d69 c745b063726f73 c745b46f66745c c745b85c57696e } + $sequence_6 = { 8d45a4 50 6801000080 c745a4536f6674 } + $sequence_7 = { 8b3d???????? ffd7 8b7508 8bd8 69f660ea0000 } + $sequence_8 = { c745b46f66745c c745b85c57696e c745bc646f7773 c745c05c5c4375 c745c47272656e c745c874566572 } + $sequence_9 = { 56 57 0fbe38 33f6 } + $sequence_10 = { 55 8bec 53 56 57 8b3d???????? ffd7 } + $sequence_11 = { 33c7 f7d1 23c1 42 } + $sequence_12 = { c745c874566572 c745cc73696f6e c745d05c5c496e c745d47465726e c745d865742053 c745dc65747469 } + $sequence_13 = { 6820a10700 50 68???????? 68???????? } + $sequence_14 = { c645be74 c645bf69 c645c062 c645c16c } + $sequence_15 = { 8d540964 52 e8???????? 83c404 } $sequence_16 = { 83c204 3b5514 7608 83c8ff } - $sequence_17 = { 80e10f c0e102 c0eb06 02cb } - $sequence_18 = { c644242c45 8854242f 884c2431 c644243273 88542434 } - $sequence_19 = { 83c404 8bd1 c1e902 f3ab 8bca } - $sequence_20 = { 6a00 68???????? 6a00 6a00 6a00 51 68???????? } - $sequence_21 = { e8???????? 
8d45fc 50 8d85bcfeffff 50 e8???????? } - $sequence_22 = { 8b0c8d20cf4000 8a44c104 83e040 c3 56 8b742408 85f6 } - $sequence_23 = { b9ff000000 33c0 8dbda6fbffff f3ab } - $sequence_24 = { c645d673 c645d720 c645d84e c645d954 } - $sequence_25 = { 83c104 3b4d14 7608 83c8ff } - $sequence_26 = { 50 8d85c4eaffff 50 e8???????? 8d85ecfdffff } - $sequence_27 = { 59 50 8d8504ffffff e9???????? 6a18 } - $sequence_28 = { c645c33b c645c420 c645c54d c645c653 c645c749 c645c845 c645c920 } - $sequence_29 = { 8b4508 8365f800 898184110000 8d45f4 6a00 } - $sequence_30 = { 83c404 85c0 7429 8b442454 0fbe38 40 85ff } - $sequence_31 = { 89442428 f3ab 88542414 89542444 } - $sequence_32 = { c645d057 c645d169 c645d26e c645d364 } - $sequence_33 = { c645cd31 c645ce3b c645cf20 c645d057 c645d169 } - $sequence_34 = { 52 e8???????? 83c404 e9???????? 6a05 } - $sequence_35 = { c645fa74 c645fb2e c645fc64 c645fd6c } - $sequence_36 = { c645f569 c645f66e c645f769 c645f86e } - $sequence_37 = { 8b4df4 034df0 8b5508 0355ec } - $sequence_38 = { 50 8b4dbc 51 8b952ce6ffff 8b4210 ffd0 85c0 } - $sequence_39 = { c685dcefffff45 c685ddefffff20 c685deefffff35 c685dfefffff2e c685e0efffff30 } + $sequence_17 = { 6a00 68???????? 6a00 6a00 6a00 51 68???????? } + $sequence_18 = { 80e10f c0e102 c0eb06 02cb } + $sequence_19 = { 0345f0 8b4d08 034dec 8a11 } + $sequence_20 = { 83c101 894d08 8b550c 83ea03 } + $sequence_21 = { 81ec30030000 8065ff00 56 57 } + $sequence_22 = { 8d8560ffffff 68???????? 50 e8???????? ffb63cb64000 } + $sequence_23 = { c645e96c c645ea20 c645eb73 c645ec6c } + $sequence_24 = { 83c104 3b4d14 7608 83c8ff } + $sequence_25 = { e8???????? 
59 50 8d45f8 57 50 } + $sequence_26 = { c645c265 c645c33b c645c420 c645c54d } + $sequence_27 = { c645a52d c645a643 c645a76f c645a86e c645a974 c645aa72 } + $sequence_28 = { 034dec 8a11 8810 8b45f0 83c001 } + $sequence_29 = { c645d577 c645d673 c645d720 c645d84e c645d954 } + $sequence_30 = { 8b4df4 034df0 8b5508 0355ec 8a02 } + $sequence_31 = { c645c653 c645c749 c645c845 c645c920 } + $sequence_32 = { 895da0 895dfc c645e050 c645e172 c645e26f } + $sequence_33 = { c644242d45 c644242e6e c644242f61 c644243062 c64424316c c644243265 c644243300 } + $sequence_34 = { 6a00 c644243457 c644243569 c64424366e } + $sequence_35 = { 83c404 8bd1 c1e902 f3ab 8bca 83e103 } + $sequence_36 = { 3b1cfda0674100 7406 47 83ff17 7cf1 83ff17 } condition: 7 of them and filesize < 450560 
@@ -111321,42 +111819,42 @@ rule MALPEDIA_Win_Unidentified_087_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6032a71d-315e-5161-8b29-e52778de6b9c" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0393d3c-afd5-55e5-83bc-a6ecb5781a61" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_087_auto.yar#L1-L166" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_087_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "6f89e449c7df0d973fa61becfc3b5884b82be1e57577d3cbd257d75e0b80e7b8" + logic_hash = "b93a8e88d597aee090f71e856059643fefb0e2359d012ce6c32dd3dedf782b28" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 498bdd 666666666666660f1f840000000000 0fb6941c98000000 498bcf e8???????? } - $sequence_1 = { 41b900000008 4533c0 488d5560 33c9 ff15???????? 488bf8 4885c0 } - $sequence_2 = { c7457001000000 c7457c02000000 488d4580 4889442428 488d85a8000000 } - $sequence_3 = { 4885c9 7407 ff15???????? 90 4885db } - $sequence_4 = { 488d0c38 4d8bc7 4903cc 4803d5 e8???????? } - $sequence_5 = { 4883794800 7503 83ca04 4533c0 e8???????? 488b442450 } - $sequence_6 = { 4883fb01 0f8288000000 488d2d0e9a0200 48833d????????10 480f432d???????? 
} - $sequence_7 = { 488d5c3bff 498d7b01 4c8bc3 8bd5 } - $sequence_8 = { 50 56 68???????? 57 ff15???????? 3b442410 7414 } - $sequence_9 = { c78550fbffff94000000 8d8d50fbffff 51 ff15???????? } - $sequence_10 = { 3c58 770f 0fbec2 0fbe80c8b10110 } - $sequence_11 = { 7429 8b5508 39542410 7412 8d442408 50 } - $sequence_12 = { 52 ff15???????? 32c0 e9???????? 8d8550ffffff } - $sequence_13 = { 57 52 53 50 ff15???????? 8b8c242c040000 } - $sequence_14 = { e8???????? 8bdc 57 68???????? 8d4e01 e8???????? } - $sequence_15 = { 0f840c010000 8b0d???????? 8b7c2458 8d44240c } + $sequence_0 = { 488bfa ff15???????? ffc0 4863d0 } + $sequence_1 = { 488d4d20 e8???????? 90 4883bd9800000010 720c 488b8d80000000 } + $sequence_2 = { 33c0 498bce 488bfb 66f2af 48f7d1 4c8d41ff 488bd3 } + $sequence_3 = { 41b802000000 48c744245007000000 4c89742448 664489742438 e8???????? } + $sequence_4 = { eb1a 4d85f6 7515 4c897310 } + $sequence_5 = { 488bc8 4c8d442460 418d542428 ff15???????? 85c0 745f 4c8d4574 } + $sequence_6 = { eb03 498bc6 803c303d 0f84be010000 4883f910 7205 498b06 } + $sequence_7 = { 0f84bf010000 48895c2420 4d8bcd 4d8bc4 } + $sequence_8 = { 33c0 e9???????? 8975e4 33c0 39b8a0080210 0f8491000000 ff45e4 } + $sequence_9 = { bf0f000000 8bc6 897c2430 895c242c } + $sequence_10 = { 83ec1c 8bcc 89a520feffff 33db } + $sequence_11 = { c745fc01000000 e9???????? 8b11 8b421c ffd0 c745fc01000000 eb74 } + $sequence_12 = { 2d08030000 7435 83e805 0f8510010000 } + $sequence_13 = { 57 83c170 e8???????? 57 e8???????? 83c404 } + $sequence_14 = { 03f7 c745f001000000 e8???????? 6a20 8d5f10 56 895e38 } + $sequence_15 = { 52 8d8da4feffff 51 a3???????? 33db c785a4feffff01000600 } condition: 7 of them and filesize < 462848 
@@ -111366,42 +111864,42 @@ rule MALPEDIA_Win_Duqu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d021a3e0-a963-5c5a-8894-2a3900c75d82" - date = "2026-01-05" - modified = "2026-01-06" + id = "1b7ddae2-9d4f-55d9-a33a-8e02d1c0d30f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.duqu_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.duqu_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "a5f03c1a39b5d865f59b6af67604227aa6b29a16f7ea254ca225f6a37485518b" + logic_hash = "b1c4299b66f23ea612df73dceb823e0a0151b3112b55ca56ad9d74306040c982" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d8df8fdffff 51 ff9088000000 8bd6 8bc8 } - $sequence_1 = { 5e 5b 8be5 5d c3 8b4718 ebf4 } - $sequence_2 = { ba78978b33 89869c000000 8bcb e8???????? ba5859004e } - $sequence_3 = { 744d 8b4c2414 8a442413 8b5c2418 85c9 7e30 0fb6c8 } - $sequence_4 = { 85c0 7465 e8???????? 85c0 } - $sequence_5 = { 56 51 8bf2 e8???????? } - $sequence_6 = { 8b5c242c 741a 40 83c704 8944241c 3b4218 } - $sequence_7 = { baec8ce154 8bcb e8???????? ba8eacac75 894628 } - $sequence_8 = { ba1225339c 89462c 8bcb e8???????? 
89466c 85c0 } - $sequence_9 = { 8b4c2414 40 49 89442420 } - $sequence_10 = { 8bec 81ec0c020000 56 ff7508 8bf2 } - $sequence_11 = { 8bec 81ec04020000 53 8b5d08 56 57 6af0 } - $sequence_12 = { 8bec 81ec10080000 8365fc00 b800010000 } - $sequence_13 = { 8bec 53 56 8bd8 8d732c 57 8bce } - $sequence_14 = { 8bec 56 57 8b7d08 33f6 3b7d0c } - $sequence_15 = { 8bec 81ec0c020000 8365fc00 833d????????ff } + $sequence_0 = { 83e007 c1e009 05270ca208 0faf442420 33c1 42 } + $sequence_1 = { 53 56 57 e8???????? 8bf0 ba5b553fbc } + $sequence_2 = { e8???????? 8bd8 8d442438 6a01 } + $sequence_3 = { 8b442420 33d9 8b4c2414 40 49 89442420 894c2414 } + $sequence_4 = { 56 51 8bf2 e8???????? } + $sequence_5 = { 0fafc3 33c1 46 8bd8 4a 8a06 84c0 } + $sequence_6 = { e8???????? 894620 85c0 0f84f6010000 baec8ce154 } + $sequence_7 = { 1bc0 f7d0 21442414 8d442430 50 ff5324 } + $sequence_8 = { ff9088000000 8bd6 8bc8 e8???????? 5e } + $sequence_9 = { 8bd3 8bf1 e8???????? 8b75fc } + $sequence_10 = { 8bd3 e8???????? 8b15???????? 33c9 } + $sequence_11 = { 8bec 51 a1???????? 56 8b35???????? 57 6a19 } + $sequence_12 = { 8bd3 8bcf e8???????? 85c0 7405 33c0 } + $sequence_13 = { 8bd3 8d4900 0fb641fe 0fb669ff } + $sequence_14 = { 8bd3 8bcf ff542424 8b4708 } + $sequence_15 = { 8bd3 ff542424 3bee 75af } condition: 7 of them and filesize < 18759680 
@@ -111412,10 +111910,10 @@ rule MALPEDIA_Win_Gup_Proxy_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "bddfea2f-5980-50a2-824f-c8c992e61d4b" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gup_proxy_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gup_proxy_auto.yar#L1-L121" license_url = "N/A" logic_hash = "a31779681620c829a24a1dd7ede13a209b88a3ec71308cbcd7be1ef7e190536a" score = 75 @@ -111424,9 +111922,9 @@ rule MALPEDIA_Win_Gup_Proxy_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -111450,34 +111948,34 @@ rule MALPEDIA_Win_Shapeshift_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0c5bb16-0064-5063-a167-3feadfc849ba" - date = "2026-01-05" - modified = "2026-01-06" + id = "6d7aa9c7-5847-57a6-a98b-75364e192c85" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shapeshift_auto.yar#L1-L104" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shapeshift_auto.yar#L1-L104" license_url = "N/A" - logic_hash = "d57d4efbadfe762b0a6b1ab41967b0e572158e599e0e6d6d29d5b7411ccf5a23" + logic_hash = "6f12e849941c0807eb033d7cde564e6455bdc7f653a44fbfb21fa8b6b5270414" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 8985f4feffff 33db 6a05 ff15???????? 68???????? } - $sequence_1 = { 8d0d009c4100 ba1d000000 e8???????? 5a c3 8d542408 } - $sequence_2 = { 51 ff15???????? 8bf0 89b5ecfdffff } - $sequence_3 = { 6af6 ff15???????? 8b04bd38054200 834c0318ff 33c0 } - $sequence_4 = { 8bf0 e8???????? 83c404 8bf8 33c9 66660f1f840000000000 0fbf044d3cfa4100 } - $sequence_5 = { f30f5e85ccfdffff f30f5905???????? e8???????? 83bde8fdffff00 741f 3bc7 } - $sequence_6 = { e8???????? 85f6 8bf0 6a0c 7550 e8???????? 
} - $sequence_7 = { 8995e8fdffff 57 898df8fdffff 899df0fdffff c785ecfdffff00000000 0f86ef010000 } + $sequence_0 = { c745e04c804100 e9???????? c745dc02000000 c745e04c804100 } + $sequence_1 = { 0fbf0d???????? 8bd0 83c404 0fb689589a4100 880a 0fbf0d???????? 52 } + $sequence_2 = { a1???????? 89442448 66a1???????? 668944244c a0???????? 8844244e } + $sequence_3 = { 8bf8 6882000000 57 ff15???????? 6a00 } + $sequence_4 = { 83ec1c 56 6a00 68???????? 6a00 6810040000 } + $sequence_5 = { 83c604 03c8 890d???????? 83fe08 72e2 890cbb 47 } + $sequence_6 = { 660fc5cc03 25ff000000 83c001 25fe010000 f20f593c85109c4100 660f122c85109c4100 } + $sequence_7 = { 3bbdc8fdffff 89bddcfdffff 8b3d???????? 0f82c6fdffff 8bc3 } condition: 7 of them and filesize < 303104 
@@ -111487,100 +111985,99 @@ rule MALPEDIA_Win_Bazarbackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2eb10499-a33e-504f-b2b6-402a6cc658a9" - date = "2026-01-05" - modified = "2026-01-06" + id = "362dd415-4df7-59d5-82cd-e37e40b0d057" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bazarbackdoor_auto.yar#L1-L624" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bazarbackdoor_auto.yar#L1-L600" license_url = "N/A" - logic_hash = "bd8ba9a21bc32243d9a5d52be7c33e7ba5fb181916b5174a91f30401b1052790" + logic_hash = "61ffe1442c2fc01f52051e21a03588125e340d70eb2a66d2afa89c1588d485e1" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bce 4889442420 ff15???????? 85c0 780a 4898 } - $sequence_1 = { 41b8e6b5a12c 448d4a7d e8???????? 4885c0 740c } - $sequence_2 = { 4533c0 ffd0 eb03 488bc7 83f8ff } - $sequence_3 = { 48635004 85d2 7415 48035138 488b4928 } - $sequence_4 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? 0fb74f08 } + $sequence_0 = { 41b80f100000 488bce 4889442420 ff15???????? 85c0 780a 4898 } + $sequence_1 = { 8bcf ffd0 488bd8 eb02 } + $sequence_2 = { 813963736de0 755e 83791804 7558 } + $sequence_3 = { ffd0 b802000000 e9???????? 
48637e3c 488d55e0 488b4c2458 } + $sequence_4 = { 730b 498bc8 e8???????? 4c8bc0 } $sequence_5 = { 488d4d80 e8???????? 498bd6 488d4d80 } - $sequence_6 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? } - $sequence_7 = { 7507 33c0 e9???????? b8ff000000 } - $sequence_8 = { c3 0fb74c0818 b80b010000 663bc8 } - $sequence_9 = { cc 4053 4883ec20 b902000000 } - $sequence_10 = { 4533c9 4889442428 488d95a0070000 488d442470 41b80f100000 488bce 4889442420 } - $sequence_11 = { 418d5508 488bc8 ff15???????? 488bd8 4885c0 } - $sequence_12 = { 48c1e108 4803c8 8bc1 488d94059f070000 } - $sequence_13 = { 31ff 4889c1 31d2 4989f0 } - $sequence_14 = { 488d9590050000 488bce ff15???????? 85c0 } - $sequence_15 = { e8???????? 4889c7 8b05???????? 8b0d???????? } - $sequence_16 = { e8???????? 4c89e1 e8???????? 8b05???????? } - $sequence_17 = { 08ca 80f201 7502 ebfe } - $sequence_18 = { 488bd3 e8???????? ff15???????? 4c8bc3 33d2 } - $sequence_19 = { 0f94c3 83fa09 0f9fc1 83fa0a 0f9cc2 30da 7519 } - $sequence_20 = { 83ff0a 0f9cc3 83ff09 0f9fc0 38d3 } - $sequence_21 = { 0fb6d1 80f973 7504 0fb65305 33c0 } + $sequence_6 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? 0fb74f08 } + $sequence_7 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? } + $sequence_8 = { 7507 33c0 e9???????? b8ff000000 } + $sequence_9 = { c3 0fb74c0818 b80b010000 663bc8 } + $sequence_10 = { cc e8???????? cc 4053 4883ec20 b902000000 e8???????? } + $sequence_11 = { 0fb6c9 4881e9c0000000 48c1e108 4803c8 8bc1 488d94059f070000 } + $sequence_12 = { e8???????? 4c89e1 e8???????? 8b05???????? } + $sequence_13 = { 488d9590050000 488bce ff15???????? 85c0 } + $sequence_14 = { 488d95a0070000 488d442470 41b80f100000 488bce } + $sequence_15 = { 31ff 4889c1 31d2 4989f0 } + $sequence_16 = { 4533c9 4889442428 488d95a0070000 488d442470 } + $sequence_17 = { e8???????? 4889c7 8b05???????? 8b0d???????? } + $sequence_18 = { 418d5508 488bc8 ff15???????? 488bd8 4885c0 } + $sequence_19 = { 33d2 488bc8 ff15???????? e9???????? ff15???????? 
} + $sequence_20 = { 0fb64b04 0fb6d1 80f973 7504 } + $sequence_21 = { c744242003000000 4889f9 ba00000080 41b801000000 4531c9 } $sequence_22 = { 4889442428 488d95b0030000 488d4580 41b80f100000 } - $sequence_23 = { 0f9cc3 84d3 7504 30d3 } - $sequence_24 = { c744242800000001 4533c9 4533c0 c744242002000000 ba1f000f00 } - $sequence_25 = { e8???????? 8bd8 ff15???????? 4d8bc7 } - $sequence_26 = { ff15???????? 31db 4889c1 31d2 } - $sequence_27 = { e8???????? 4889f1 e8???????? 8b05???????? 8b0d???????? } - $sequence_28 = { 89d0 83f0fe 85d0 0f94c2 0f95c0 83f90a 0f9cc3 } + $sequence_23 = { 488bd3 e8???????? ff15???????? 4c8bc3 33d2 } + $sequence_24 = { e8???????? 4889f1 e8???????? 8b05???????? 8b0d???????? } + $sequence_25 = { 31ed 4889c1 31d2 4989d8 } + $sequence_26 = { 08ca 80f201 7502 ebfe } + $sequence_27 = { 8b0d???????? 8b05???????? 8d51ff 0fafd1 89d1 83f1fe } + $sequence_28 = { 80f973 7504 0fb65305 33c0 } $sequence_29 = { 0fb65305 33c0 80f973 0f94c0 } - $sequence_30 = { 0fafd0 89d1 83f1fe 21d1 } - $sequence_31 = { c744242880000000 c744242003000000 4889f9 ba00000080 41b801000000 } - $sequence_32 = { 31ed 4889c1 31d2 4989d8 } - $sequence_33 = { 0f9cc3 83f909 0f9fc1 38d3 7507 08c1 } - $sequence_34 = { 7528 0fb64b04 0fb6d1 80f973 } - $sequence_35 = { 08c1 80f101 7502 ebfe } - $sequence_36 = { e8???????? 4c897c2420 4889d9 89fa } - $sequence_37 = { 84d2 7405 80fa2e 750f 0fb6c1 } + $sequence_30 = { 84c1 7504 30c1 744a } + $sequence_31 = { 08c1 80f101 7502 ebfe } + $sequence_32 = { 4533c9 4533c0 c744242002000000 ba1f000f00 } + $sequence_33 = { 89c1 83f1fe 85c1 0f94c1 83ff0a 0f9cc0 } + $sequence_34 = { ebfe 8b05???????? 8b0d???????? 8d50ff } + $sequence_35 = { 0f95c1 0f94c3 83f809 0f9fc2 83f80a 0f9cc0 } + $sequence_36 = { 0f94c2 833d????????0a 0f9cc3 84d3 7504 } + $sequence_37 = { ff15???????? 31db 4889c1 31d2 } $sequence_38 = { 4889c1 31d2 4d89f8 ffd3 } - $sequence_39 = { 31d2 4989d8 ff15???????? 488906 } - $sequence_40 = { 4c8bf0 4889442458 488d4801 e8???????? 
} - $sequence_41 = { 4889fa 4189f0 4d89f1 ffd0 } - $sequence_42 = { 8d4833 ff15???????? c744242810000000 4533c9 } - $sequence_43 = { 4889f1 ba00000080 41b801000000 4531c9 } - $sequence_44 = { 48c744243000000000 c744242880000000 c744242003000000 4889f1 ba00000080 } - $sequence_45 = { e8???????? 8bc8 e8???????? 8bf8 85ff 7507 6a05 } - $sequence_46 = { 3c0a 7223 89d0 24df 04bf 3c1a } - $sequence_47 = { 84db 7402 ff06 8d4c2410 e8???????? 33d2 85c0 } - $sequence_48 = { 66890d???????? 0fb7ca ff15???????? b901000000 66c746020100 668906 } - $sequence_49 = { 7506 8b0e 894c2460 0fb7c0 } - $sequence_50 = { 686af17afc 6a04 5a e8???????? 59 } - $sequence_51 = { 6685ff 0f849c000000 837c2460ff 0f858c000000 } - $sequence_52 = { 33d2 8d8d00ffffff e8???????? eb18 51 8d4e01 e8???????? } - $sequence_53 = { 59 59 85c0 740b 8bc8 c60100 41 } - $sequence_54 = { 50 0fb745e8 50 68???????? e8???????? } - $sequence_55 = { 51 8b4d00 03cf e8???????? 59 3b442414 } - $sequence_56 = { 0fb7d8 0fb74708 50 ff15???????? 0fb7c8 } - $sequence_57 = { 6a00 ffd3 50 ffd6 33c0 5f 5e } - $sequence_58 = { 83f902 0f95c2 83c224 eb05 ba29000000 } - $sequence_59 = { 8be5 5d c3 6a40 6800300000 ff7750 } - $sequence_60 = { 8d450c 50 ff7508 56 ff15???????? 6a00 } - $sequence_61 = { 660f73d801 660febd0 660f7ed0 84c0 } - $sequence_62 = { 83c40c 8d4101 51 66a3???????? ff15???????? } - $sequence_63 = { 8d7001 81fe80000000 760c 80e1f2 80c902 } - $sequence_64 = { 68???????? e8???????? 
83c410 b800308804 6a00 } - $sequence_65 = { 85d2 740d 33d2 83f902 0f95c2 } - $sequence_66 = { 0f848c000000 488b442430 83782000 7460 488b442430 } - $sequence_67 = { 7460 488b442430 488b00 8b4028 488b4c2440 4803c8 488bc1 } - $sequence_68 = { 89442424 48c744242800000000 41b800100200 488d15d02f0000 488d4c2420 } - $sequence_69 = { 4863442430 486bc010 488d0de3380200 4803c8 } - $sequence_70 = { 488d0de3380200 4803c8 488bc1 48634c2434 488d04c8 48634c2438 8b0488 } - $sequence_71 = { 4533c0 ba01000000 488b4c2440 ff9424a0000000 89842480000000 83bc248000000000 } - $sequence_72 = { 488d4c2420 e8???????? 4889442428 4c8d052a200000 } - $sequence_73 = { 4c8d052a200000 488b542428 488d4c2420 e8???????? 4889442430 ff542430 } + $sequence_39 = { 7405 80fa2e 750f 0fb6c1 } + $sequence_40 = { e8???????? 4c897c2420 4889d9 89fa } + $sequence_41 = { 8d4833 ff15???????? c744242810000000 4533c9 } + $sequence_42 = { 48c744243000000000 c744242880000000 c744242003000000 4889f1 ba00000080 } + $sequence_43 = { 4889fa 4189f0 4d89f1 ffd0 } + $sequence_44 = { 66890d???????? 0fb7ca ff15???????? b901000000 66c746020100 668906 ff15???????? } + $sequence_45 = { 59 895c2438 8d4b0c 85c9 } + $sequence_46 = { 81fb80000000 760c 80e1f2 80c902 } + $sequence_47 = { 4531c0 41b904000000 e8???????? 85c0 } + $sequence_48 = { 85f6 754d 85ff 7449 } + $sequence_49 = { 885df4 8bce e8???????? a3???????? } + $sequence_50 = { 6685ff 0f849c000000 837c2460ff 0f858c000000 } + $sequence_51 = { 50 0fb745ea 50 0fb745e8 50 68???????? e8???????? } + $sequence_52 = { a3???????? 85c0 7507 6a04 } + $sequence_53 = { 8bf1 6a02 682680acc8 42 } + $sequence_54 = { 0fb7ca 2b4e10 eb4c 8b6e20 } + $sequence_55 = { 31ed eb16 ff15???????? 31ed } + $sequence_56 = { 8d4b01 51 e8???????? 33d2 83c40c } + $sequence_57 = { 660f73d801 660febd0 660f7ed0 84c0 } + $sequence_58 = { c1f808 0fb6c0 50 0fb6c2 50 } + $sequence_59 = { 51 e8???????? 0fb70d???????? 83c40c } + $sequence_60 = { 740d 33d2 83f902 0f95c2 83c224 eb05 } + $sequence_61 = { e8???????? 
83c410 b800308804 6a00 50 } + $sequence_62 = { ffd3 0fb7d8 0fb74708 50 ff15???????? } + $sequence_63 = { ffd3 0fb7f0 0fb74702 50 } + $sequence_64 = { 8bd1 41 3bcf 72e5 53 8b1d???????? ffd3 } + $sequence_65 = { eb08 c744242c00000000 8b44242c 89442438 4863442430 486bc010 488d0de3380200 } + $sequence_66 = { 48894c2408 4883ec48 8b442458 89442424 48c744242800000000 41b800100200 } + $sequence_67 = { 48898424a0000000 4533c0 ba01000000 488b4c2440 ff9424a0000000 } + $sequence_68 = { 83782800 0f848c000000 488b442430 83782000 7460 488b442430 } + $sequence_69 = { 486bc010 488d0de3380200 4803c8 488bc1 48634c2434 } + $sequence_70 = { 41b800100200 488d15d02f0000 488d4c2420 e8???????? 4889442428 4c8d052a200000 } + $sequence_71 = { 83782000 7460 488b442430 488b00 8b4028 488b4c2440 } + $sequence_72 = { 488b4c2440 ff9424a0000000 89842480000000 83bc248000000000 750f b95a040000 } condition: 7 of them and filesize < 2088960 @@ -111594,7 +112091,7 @@ rule MALPEDIA_Win_Unidentified_089_Auto : FILE date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_089_auto.yar#L1-L98" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_089_auto.yar#L1-L98" license_url = "N/A" logic_hash = "f9666eb88fbd91e0eb2e4b4c8812230b36d73d66192fed407aecfaa8f0ed362a" score = 75 
@@ -111627,36 +112124,36 @@ rule MALPEDIA_Win_Flowershop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40619a48-6b17-5bee-8aad-65bf7cac75aa" - date = "2026-01-05" - modified = "2026-01-06" + id = "d996e688-d586-5dc9-9e2f-3f808fa39e07" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flowershop_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flowershop_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "ba2d45fad977755fd044c78f8aeed860d85d236ff95a62d89180f428b8bcb5e7" + logic_hash = "654703c0f70eac5d36dc445d7b6a7a5d3ddc5f9375f8c6b671f8b5c9a000b2ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3b45f0 74e0 8945f0 6a08 8d45f0 6a00 50 } - $sequence_1 = { 5e c3 56 33f6 8935???????? e8???????? a1???????? } - $sequence_2 = { ff75e0 e8???????? 83c418 85c0 750e c705????????01000000 33c0 } - $sequence_3 = { 59 85c0 59 741f 8b07 0105???????? } - $sequence_4 = { 51 56 57 33ff 897df8 897dfc c745f898c3fead } - $sequence_5 = { 894d0c 76bb 33c0 5f 5e 5b c9 } - $sequence_6 = { eb71 0fb605???????? 6bc07c 50 8d85f9e0ffff 68???????? 50 } - $sequence_7 = { 33c9 83c60c 81fe???????? 
72d8 85c9 0f8471ffffff } - $sequence_8 = { 8b7510 8b7dfc 837e0400 750b 817e0818350000 7502 ff17 } - $sequence_9 = { 2b01 c3 8b442404 8b542408 8b4804 03ca } + $sequence_0 = { 8975f4 7432 3b1d???????? 7631 56 56 56 } + $sequence_1 = { 56 57 6a34 6a00 68???????? e8???????? 8b7d08 } + $sequence_2 = { eb33 53 33db 3bc6 7305 6afb } + $sequence_3 = { 8b38 ff15???????? 3907 740d 8bf7 837e0400 8d4604 } + $sequence_4 = { 33c0 5f 5e c3 55 8bec 81ec04010000 } + $sequence_5 = { 57 e8???????? 59 0fb6c0 eb03 6a1e 58 } + $sequence_6 = { 50 57 e8???????? c1ee10 56 57 } + $sequence_7 = { ff742414 8bfe 2bfd ffd3 3bf8 7513 57 } + $sequence_8 = { 8ad0 d3fb 8b4d14 d2e2 8b4dfc 221e 2b4d08 } + $sequence_9 = { ff35???????? e8???????? 59 59 33c0 eb78 8b45fc } condition: 7 of them and filesize < 829440 
@@ -111666,36 +112163,36 @@ rule MALPEDIA_Win_Bee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6f6643e-0c7d-5aa3-acb3-5d655dc4ed63" - date = "2026-01-05" - modified = "2026-01-06" + id = "4c2ed54d-f053-5d0f-aa76-260a6b1cb395" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bee_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bee_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "d470260abf875100cc9eec94a5fc9a99328d8a9951c079ae2b41e9596561de11" + logic_hash = "4a6ce7a9872f00090a9875cf695e45c7c2c14d7d0fc50b18ee26f883fbcf2d7a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? c706???????? 895618 6689461c 66894e1e ff15???????? } - $sequence_1 = { 3bee 7462 8a46b4 83ee50 83ef50 884704 } - $sequence_2 = { 83c404 8b8534ffffff 8d0cb6 8d1492 c1e104 03c8 } - $sequence_3 = { b8???????? e8???????? 8b15???????? 3bd3 7504 33c9 } - $sequence_4 = { ebc9 8bc8 c1f905 8d1c8d00534200 8bf8 83e71f c1e706 } - $sequence_5 = { ffd0 8b4c2410 64890d00000000 59 5f 5e 83c410 } - $sequence_6 = { e8???????? 83c404 8b4e7c 51 899e88000000 899e8c000000 899e90000000 } - $sequence_7 = { 50 8d4c2438 51 8d4c2444 } - $sequence_8 = { 8d442440 64a300000000 8bf9 833d????????10 a1???????? 
} - $sequence_9 = { 7639 0fb654240c 0fb644240d 0fb6c9 034c2414 03c2 } + $sequence_0 = { 8817 48 47 85c0 77f2 8b4310 8b4c2424 } + $sequence_1 = { 8bbc2498000000 57 8d4c2458 e8???????? 8b442430 } + $sequence_2 = { 8d442428 50 8bc3 e8???????? 836c240c01 0f8547ffffff } + $sequence_3 = { 83c002 83ea01 75f3 8bc1 } + $sequence_4 = { c1eb18 8bc7 c1e008 03c6 c1e008 03c2 c1e008 } + $sequence_5 = { 83c40c 85c0 0f8ec0000000 8d5e38 8944240c 8b4c2428 } + $sequence_6 = { 8d442410 64a300000000 8b6c2420 33db 895d04 885d0c } + $sequence_7 = { 8b7528 eb03 8d7528 8b8d8c000000 2b8d88000000 7505 } + $sequence_8 = { 8b4510 8b5310 c644241400 8b4c2414 51 8b4c2418 } + $sequence_9 = { 8b9424a4000000 52 e8???????? 83c404 32c0 e9???????? e8???????? } condition: 7 of them and filesize < 394240 
@@ -111705,36 +112202,36 @@ rule MALPEDIA_Win_Taurus_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b1a1c877-dafe-5bd8-aa9e-f033e2a7d793" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a5f5fe2-ab9c-5c41-be4f-9b6b018b74d0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.taurus_stealer_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.taurus_stealer_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "45f5adaf95071a60a27cbbf5888b0c101a82ad499a857b2070bb83a96bceb96f" + logic_hash = "d0d73505b52153a6343ebe8c9be606e9d2b92f54c6137df45a43aa1dca8ac963" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f9445d1 e8???????? 668945d2 8d4d94 8b45c4 8db778020000 3b45c8 } - $sequence_1 = { 8d45d0 50 8d45f4 50 e8???????? 50 8d45b8 } - $sequence_2 = { 8bce e8???????? 8bd0 c745f829674844 b129 c745fc4c130900 33c0 } - $sequence_3 = { 50 8d85c0feffff 50 8d4dcb e8???????? 8b85c4feffff 8d8d40ffffff } - $sequence_4 = { 33c0 304c05ed 40 83f806 7305 8a4dec } - $sequence_5 = { e8???????? 8bd0 c744242f74271706 6a07 58 88442436 b174 } - $sequence_6 = { f7c300200000 7414 81e3ffdfffff 8d8d04ffffff 895df8 e8???????? 
} - $sequence_7 = { 57 ffd0 8bf8 897d0c 83ffff 746f 8b9530ffffff } - $sequence_8 = { c1fa06 8bc7 83e03f 6bc838 8b049578c14300 f644082801 7421 } - $sequence_9 = { c74654c3280308 c7465881120d0e c7465ce58b8009 c74660d5208b07 c74664359ac202 c74668f19ad809 c7466ca13ba208 } + $sequence_0 = { 7510 8b5644 8b0e e8???????? 57 e9???????? 8b8e60020000 } + $sequence_1 = { c745fb2e646c6c 885dff 8bcb 891e c7460401fa5607 0fbec0 250f000080 } + $sequence_2 = { 8d84244c100000 50 8d8c246c110000 e8???????? 8d8c2460110000 e8???????? 0f2805???????? } + $sequence_3 = { e8???????? 8d8dd8feffff e8???????? 43 899d68ffffff 3b9d6cffffff 0f8cdef9ffff } + $sequence_4 = { 8d45f4 50 e8???????? 50 8d45b8 50 e8???????? } + $sequence_5 = { 66c745fa2900 8bcb 0fbec0 250f000080 7905 48 83c8f0 } + $sequence_6 = { 8d8d60ffffff e8???????? 8d8d18ffffff e8???????? 8d8d00ffffff e8???????? } + $sequence_7 = { ffd0 85c0 0f8566020000 33db 895dd8 395dd0 0f8643020000 } + $sequence_8 = { c645b621 8855b7 66c745b8213c 885dba 304c05b1 40 83f809 } + $sequence_9 = { 8b4604 2b06 99 f7f9 8945e0 bfc3c3c303 3bc7 } condition: 7 of them and filesize < 524288 
@@ -111744,36 +112241,36 @@ rule MALPEDIA_Win_Quiterat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "43a5ead4-80ee-505e-8349-ccdf5ab70f14" - date = "2026-01-05" - modified = "2026-01-06" + id = "aceebb03-cba0-5537-9478-df5d66f14a79" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quiterat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quiterat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "90260961ae1a599548c6d7cadbabe833b3a94be00dfdebc01e1cf8dc50ee7760" + logic_hash = "fdd7dd671b17d7bf9d62997bb9916a23e24d9cef6df9c8a83b5558d480abb8cf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d442440 50 8d442418 50 8d442438 50 8d4c241c } - $sequence_1 = { 8d4dac e8???????? 8d4db0 c645fc2b e8???????? 8d45ec 50 } - $sequence_2 = { e8???????? 8d4c2410 51 50 8bcf e8???????? 8d4c2410 } - $sequence_3 = { 8d442424 57 50 e8???????? 8b8424bc020000 83c40c 8bc8 } - $sequence_4 = { e8???????? 6a01 68???????? 8d4c2430 e8???????? 
ff7004 ff30 } - $sequence_5 = { f00fc108 0f95c0 84c0 756e 8b44241c eb5b 837f1006 } - $sequence_6 = { 8b7c241c 8a4c2440 8b4360 8b5364 3b4368 7505 3b536c } - $sequence_7 = { 8b7c242c 8b4108 83c004 8d1481 89542418 8b410c 8d0c81 } - $sequence_8 = { c20800 6aff 6a00 68???????? 8d442440 b9???????? 50 } - $sequence_9 = { 8bf1 33db 57 c706???????? 395e50 7e2d 33ff } + $sequence_0 = { 8b730c 8974241c 85c0 0f8c8f010000 8b6c243c 7f08 85ed } + $sequence_1 = { bb02000000 c7442410b4f25800 8d4c2410 8b7c241c 83cdff 8b01 c701???????? } + $sequence_2 = { e8???????? 83c40c 6aff 68???????? 8d4c241c e8???????? 8b33 } + $sequence_3 = { c7442428ec695500 e8???????? 83c408 eb4d ff742434 8d4c2410 e8???????? } + $sequence_4 = { e8???????? 807e5000 8d44241c 6a00 0f84aa000000 68???????? 56 } + $sequence_5 = { e8???????? 83c40c 85f6 7523 68???????? e8???????? 83c404 } + $sequence_6 = { e8???????? 83ce01 8974240c 8b74241c 8d4f10 8b5c2418 53 } + $sequence_7 = { c1fa06 83c40c 8bc2 896c241c c1e81f 03c2 89442410 } + $sequence_8 = { 89410c 8bc1 c70100000000 c7410400000000 c7410800000000 c20400 56 } + $sequence_9 = { e8???????? 8d4c2428 e8???????? 8b442438 85c0 744c 8b742430 } condition: 7 of them and filesize < 5892096 
@@ -111783,36 +112280,36 @@ rule MALPEDIA_Win_Quirkyloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96ed682d-1f85-55be-b220-303838180cde" - date = "2026-01-05" - modified = "2026-01-06" + id = "e81434be-41f7-5dbf-b190-cfbb6f88c924" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quirkyloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quirkyloader_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quirkyloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8925860198d03a19b550d761a81339280161301cb85fe60c28e452df7f2a68e4" + logic_hash = "dafbade4332c5557ac1a53d2d3ddbccba3da8784bd54d2b2045495f2df25fae6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 488bd8 488d15636d1200 488d4b10 41b880000000 e8???????? 488d4e10 } - $sequence_1 = { e8???????? 85c0 740e b801000000 4883c438 5b 5e } - $sequence_2 = { 4c8d8c2488000000 488bcb 4533c0 e8???????? 4c8bf8 4c8b6b40 4d85ff } - $sequence_3 = { e8???????? 498bcd e8???????? 488d0d0a1a0300 e8???????? 488bd8 e8???????? } - $sequence_4 = { 8b7a04 49033f 4803f9 4803fb 483bdf 731f 488b0b } - $sequence_5 = { ffc8 488d1480 498b4230 488d0cd0 488b4110 49894110 49c741f801000000 } - $sequence_6 = { 80b9b901000000 7502 eb15 488bce e8???????? 
488bc8 33d2 } - $sequence_7 = { eb02 8bc6 8945cc 488b4518 488b4818 48898d70ffffff 488b4518 } - $sequence_8 = { f7da 41b9ff000000 83e207 0fb6ca 488d95c0000000 62d17e486f00 62f17e487f4502 } - $sequence_9 = { e8???????? 488bc3 8138ffffff7f 7409 488bc3 8b00 ffc0 } + $sequence_0 = { c783a000000002000000 b801000000 eb1d c783a000000003000000 eb05 83fe05 7422 } + $sequence_1 = { e8???????? 488bd8 488bcb e8???????? 488d0dbd6e0400 488379f800 751a } + $sequence_2 = { f0440fb102 448b45ec 4533d2 413bc0 410f94c2 448955f0 7411 } + $sequence_3 = { eb82 488b4590 034580 0f28b424d0000000 0f28bc24c0000000 4881c4e8000000 5b } + $sequence_4 = { e9???????? 483bda 776a 448b13 458d8a207f7fff 41f7c1f0c0c000 0f8463feffff } + $sequence_5 = { f7da ffca f00fb111 3b44242c 75e0 83faff 751f } + $sequence_6 = { e8???????? 4c8bf0 488b5308 498bce e8???????? 488d4b10 498bd6 } + $sequence_7 = { e8???????? 488bc8 3909 e8???????? b8e7b5ec1f ebab 4881c4c8000000 } + $sequence_8 = { eb0d 4c8b442430 498bc9 e8???????? 48897c2420 4c8bcf 4489742428 } + $sequence_9 = { e8???????? 33c9 8b5008 85d2 7e49 90 448bc1 } condition: 7 of them and filesize < 4722688 
@@ -111822,36 +112319,36 @@ rule MALPEDIA_Win_Doubleback_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "035a9a1e-c37c-5062-9628-749c129d60a8" - date = "2026-01-05" - modified = "2026-01-06" + id = "accfd98a-95e6-5d78-8a91-86c1649ee32f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doubleback_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doubleback_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "3ec9aa1fddb06b8b6c176677c7cb9e9e3472c33e097d5e85291d462774406acd" + logic_hash = "b96df0b0c7f3353e72c4ad79211ff5cce481a2dae1949bcbadfd8f41ef95e991" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b947060000 eb49 b9e7050000 eb42 b9e3050000 eb3b } - $sequence_1 = { b947060000 eb49 b9e7050000 eb42 } - $sequence_2 = { 3d00280000 7438 3d5a290000 742a 3d39380000 741c 3dd73a0000 } - $sequence_3 = { b9d4070000 eb13 b975070000 eb0c b96f070000 eb05 } - $sequence_4 = { e8???????? 
85c0 7508 c60703 } - $sequence_5 = { b9e3050000 eb3b b90b070000 eb34 2d63450000 7428 } - $sequence_6 = { eb49 b9e7050000 eb42 b9e3050000 eb3b b90b070000 eb34 } - $sequence_7 = { b975070000 eb0c b96f070000 eb05 } - $sequence_8 = { b9d4070000 eb13 b975070000 eb0c b96f070000 } - $sequence_9 = { 751a b9d4070000 eb13 b975070000 } + $sequence_0 = { eb42 b9e3050000 eb3b b90b070000 } + $sequence_1 = { 755e b9ad060000 eb57 b9a7060000 eb50 b947060000 eb49 } + $sequence_2 = { 3d00280000 7438 3d5a290000 742a 3d39380000 741c } + $sequence_3 = { 7438 3d5a290000 742a 3d39380000 741c 3dd73a0000 } + $sequence_4 = { b9d4070000 eb13 b975070000 eb0c b96f070000 eb05 b911070000 } + $sequence_5 = { 3d00280000 7438 3d5a290000 742a } + $sequence_6 = { b9e3050000 eb3b b90b070000 eb34 2d63450000 } + $sequence_7 = { 3dab3f0000 755e b9ad060000 eb57 b9a7060000 } + $sequence_8 = { eb50 b947060000 eb49 b9e7050000 eb42 b9e3050000 } + $sequence_9 = { 742a 3d39380000 741c 3dd73a0000 } condition: 7 of them and filesize < 106496 
@@ -111861,36 +112358,36 @@ rule MALPEDIA_Win_Alreay_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e56c2c54-ad52-5b52-a7dc-5167ef6188a3" - date = "2026-01-05" - modified = "2026-01-06" + id = "d689cd57-86fc-54dc-904b-f3e4e8470710" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alreay_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alreay_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "691ad5e65c868108d2cf9f6c8d61af6c7a9420c74e344971bfa56b9838124959" + logic_hash = "4a2ff06f065bb0eea8f7a3e2b1c268ec04fcdaba5f19f9ace7da110acd238224" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a4f06 0bc2 33d2 8b742414 8a7704 8a5705 c1e208 } - $sequence_1 = { 0f859ffdffff 8b8538010000 3bc3 741d 83f801 7418 899de8010000 } - $sequence_2 = { 8b6c2424 898760020000 8b442420 896e58 8b6c242c 896e68 89861c010000 } - $sequence_3 = { 8bd0 0bd3 0f8419010000 33c9 8bd3 894c2420 894c2424 } - $sequence_4 = { b926020000 33c0 8bfe f3ab 8dbe10020000 57 e8???????? } - $sequence_5 = { 8b542418 51 57 52 ff15???????? 85c0 7508 } - $sequence_6 = { 8d4c2414 56 33ed 8b38 895c244c 894c2414 e8???????? 
} - $sequence_7 = { 897c2418 89bc3490000000 8b7c241c 8bf7 8bdf c1e615 c1eb0b } - $sequence_8 = { 8b7e34 3bfb 7436 8b4760 3bc3 740f 50 } - $sequence_9 = { 8beb 8aa760954700 33e8 c1e508 33c0 33db 8a442411 } + $sequence_0 = { 895f2c 8b8608870000 8bd5 3bd0 7528 8b960c870000 8bc3 } + $sequence_1 = { 8b442404 8b88e4010000 85c9 746c 8b4c2408 85c9 7564 } + $sequence_2 = { 51 52 e8???????? 8bf0 83c40c 85f6 755a } + $sequence_3 = { 8d842430010000 51 8b4c242c 23f0 56 51 ff15???????? } + $sequence_4 = { eb38 b90b000000 bf???????? 8bf3 33c0 66f3a7 750a } + $sequence_5 = { 8bdd c1eb16 c1e50a 0bdd 8b6c2428 895c241c 8bd8 } + $sequence_6 = { ff15???????? 83c404 b800edffff 5f 5e 5d 5b } + $sequence_7 = { c3 8b742418 56 e8???????? 8b4d4c 83c404 8901 } + $sequence_8 = { 8b4c2460 89442404 89442408 8b442464 50 8d542408 51 } + $sequence_9 = { 8b4804 51 50 e8???????? 83c40c 85c0 7508 } condition: 7 of them and filesize < 1867776 
@@ -111900,36 +112397,36 @@ rule MALPEDIA_Win_Icedid_Downloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7ee6583-0e42-548a-a503-976de56f1492" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a34e136-8b5a-5d79-a742-24868499b9e1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.icedid_downloader_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.icedid_downloader_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "3ad62116cc53f8a172c118313873b176a6f13aff503ffabc7e8b01bb236f4bad" + logic_hash = "906c4fa89e7133d8bf84c63011a192e49bfe0c2cad1764ceed951b829d439dca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf0 8944241c 8d442408 50 6a08 6aff 885c241c } - $sequence_1 = { 56 6a02 ff74241c ffd7 ff15???????? 83f87a 0f85e9000000 } - $sequence_2 = { 8bf0 e8???????? 85f6 740c 8b4508 3b07 } + $sequence_0 = { 50 68???????? c7451c40000000 e8???????? 83c414 897d34 } + $sequence_1 = { 53 8d45c4 50 68???????? e8???????? 59 } + $sequence_2 = { 8d45b4 894528 8d4518 50 ff15???????? } $sequence_3 = { 83e801 740a 83e801 751c 80cb01 } $sequence_4 = { 56 68000000c0 ff7510 ff15???????? } - $sequence_5 = { 8d442428 50 ff742438 ff15???????? 8d442440 50 68???????? 
} - $sequence_6 = { 7821 395df8 741c 6a04 8d45f8 } - $sequence_7 = { 8b08 50 ff5114 85c0 7404 33c0 } - $sequence_8 = { 8b442418 8d542430 59 59 56 8b08 } - $sequence_9 = { 896c241c 896c240c 896c2420 896c2438 895c2434 ff15???????? } + $sequence_5 = { 6a01 53 ff15???????? 53 8bf0 ff15???????? 57 } + $sequence_6 = { 0f8895000000 8b45ec 85c0 0f848a000000 } + $sequence_7 = { 50 8d85ccfbffff 50 e8???????? 83c40c 85c0 } + $sequence_8 = { 6aff 885c241c ff15???????? 85c0 0f840f010000 57 8b3d???????? } + $sequence_9 = { 57 897568 e8???????? 8d45c8 bf???????? 50 57 } condition: 7 of them and filesize < 40960 
@@ -111939,42 +112436,42 @@ rule MALPEDIA_Win_Ariabody_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b288143a-494f-5110-aa08-78c947a2ffad" - date = "2026-01-05" - modified = "2026-01-06" + id = "9c6f8d35-c02f-5ef5-a7e8-cf6533a986bf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ariabody_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ariabody_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "01493614906849451d77f5112637b662b1eef5ef050791957456a657828f7e1a" + logic_hash = "7b7776449c89848422a7843c3d30b8608869b2ffb7534522dcde571e4778c3ab" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3ac3 7402 32c3 88040a } - $sequence_1 = { 8bd9 e8???????? 8bf8 893b } - $sequence_2 = { 8d55fc 03f9 e8???????? 59 85c0 } - $sequence_3 = { 0138 115804 eb02 0138 } - $sequence_4 = { 55 8bec 83ec50 53 57 8bd9 } - $sequence_5 = { ff75d9 8d45cc 50 57 } - $sequence_6 = { 56 8d0c30 ffd1 8bc6 5f } - $sequence_7 = { 8bf8 893e eb13 8b16 8bcf } - $sequence_8 = { 448850d2 448850d3 448850d4 448850d5 448850d6 448858d7 } - $sequence_9 = { 33d2 4c8d4c2420 4d895108 4889f1 4533c0 ff9550010000 4c8b542428 } - $sequence_10 = { e8???????? 
ba0a000000 4c8d15e189ffff 385558 } - $sequence_11 = { 415c 5f 5e c3 4c89e2 } - $sequence_12 = { 48c7c103000080 33d2 4c8d842498000000 4c8d8c24bc010000 4c897020 4c897028 } - $sequence_13 = { c78424bc01000000010000 488d8c2498000000 488d542448 ff95b8010000 4989e2 } - $sequence_14 = { 85c0 752e 4889e9 4889f2 } - $sequence_15 = { 4889742448 4489de 48897c2440 4489d7 4c89642438 4189c4 } + $sequence_0 = { 8a01 84c0 7406 3ac3 7402 32c3 } + $sequence_1 = { 8901 33c0 40 5b 5e 5f } + $sequence_2 = { 8bf8 893e eb13 8b16 } + $sequence_3 = { 83ec50 53 57 8bd9 e8???????? 8bf8 893b } + $sequence_4 = { 8bcf 0fb6c0 50 ff75fc e8???????? } + $sequence_5 = { eb13 8b16 8bcf e8???????? } + $sequence_6 = { 8bf2 56 8d55fc 03f9 e8???????? 59 } + $sequence_7 = { 03c7 50 ff5204 8b1e 8bd0 } + $sequence_8 = { 4889ce 4d89c4 33d2 41b800010000 } + $sequence_9 = { 8bd9 7418 488d0daf130100 e8???????? 85c0 7408 8bcb } + $sequence_10 = { 4889e0 4889f1 450fb64d00 4889f2 450fb66d01 } + $sequence_11 = { 41b800100000 41b904000000 41ff5710 4989c5 33c9 } + $sequence_12 = { 4889f9 488d141e 440f46c5 4533c9 } + $sequence_13 = { 4c8d35acd20000 49833cde00 7407 b801000000 eb5c b928000000 } + $sequence_14 = { 8bc3 483bd0 0f871a050000 4c8d151d8bffff } + $sequence_15 = { 4c89e9 33d2 41b800800000 41ff5718 4c89e1 } condition: 7 of them and filesize < 253952 
@@ -111984,36 +112481,36 @@ rule MALPEDIA_Win_Hesperbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e0f58539-e576-5f23-9601-3ac2130a34d6" - date = "2026-01-05" - modified = "2026-01-06" + id = "f6aea63c-f69e-55d4-97f0-3c40d77d24ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hesperbot_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hesperbot_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "1227a34f1bfab44843a47045e0bfbe06efc158b222a90f56ca95eeb7d184b831" + logic_hash = "04a0a757bd6a1abed3c2e9cc240e3b373104813c31a80bae17dca4ea598f10fc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33f0 8b442440 0b442438 33cf 23442448 8b7c2444 8b5c2440 } - $sequence_1 = { 33c0 f644240401 7405 b800000200 f644240402 7405 } - $sequence_2 = { 33ed 0be9 33f5 8b6c244c 0fa4dd19 c1e807 c1e319 } - $sequence_3 = { 5e c3 56 8d7010 e8???????? 
5e c3 } - $sequence_4 = { 0bcd 33f1 8b4c2434 0b4c242c c1e807 c1e319 0bc3 } - $sequence_5 = { 3bc6 741c 3930 7418 } - $sequence_6 = { 134c241c 01442438 89442458 8b442420 114c243c 8bf8 0facdf1c } - $sequence_7 = { 8b4708 89460c 8b4704 894610 8b4714 894614 8b442408 } - $sequence_8 = { 5f 5b 5d c3 55 8bec 81ecd8000000 } - $sequence_9 = { 59 85db 742f 56 ff742414 } + $sequence_0 = { 0f84e2000000 8bce e8???????? 8b4d10 } + $sequence_1 = { 8d4610 50 8d4608 50 56 ff15???????? 50 } + $sequence_2 = { 77ec eb04 8d744102 8bc6 5e c3 6a00 } + $sequence_3 = { 75f8 8d45e0 50 e8???????? e8???????? 8945ef } + $sequence_4 = { 85ff 742b 6a20 58 48 c6043800 75f9 } + $sequence_5 = { 7414 8b450c 894710 8b4510 33db 894714 43 } + $sequence_6 = { 33f6 46 8937 c7470466864173 c7470867864173 89770c e8???????? } + $sequence_7 = { 8a45fe 8a5dff 2403 004109 7418 2a5508 800940 } + $sequence_8 = { 33f6 56 8d45f8 50 8d45f4 50 ff7508 } + $sequence_9 = { 13f7 034c2458 1374245c 8344241440 894c2418 8974241c } condition: 7 of them and filesize < 188416 
@@ -112023,36 +112520,36 @@ rule MALPEDIA_Win_Roopy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8be7b2c4-b174-500b-b0ea-f2839cb0b383" - date = "2026-01-05" - modified = "2026-01-06" + id = "8ad890a7-fe09-5d64-94e8-5e14b31e42fd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.roopy_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.roopy_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "e98d1af71e72ca48289280b30ed691a17624b5a4815404358ace55f7593ba961" + logic_hash = "0c33c8132093324a21cc2614922acb7981dc22fe88a6ee22cf9e952384a3f6a2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d45c0 30c9 ba38000000 e8???????? c745c0504b0606 8d45a8 } - $sequence_1 = { 8b45f8 c7401400000000 8b45f8 e8???????? c745f401000000 } - $sequence_2 = { 6631d2 8d85d8feffff e8???????? 8d45dc 30c9 6631d2 } - $sequence_3 = { 8b09 ff5164 8345f401 8b45f8 8b4004 e8???????? } - $sequence_4 = { c78580fdffff00000000 c78584fdffff00000000 c7858cfeffff00000000 31c0 } - $sequence_5 = { 6631c9 ba03010000 e8???????? 8b85b8feffff ba???????? } - $sequence_6 = { c7406000000000 8b45f4 c7406400000000 8b45f4 83785c00 770b 7210 } - $sequence_7 = { 30c9 6631d2 e8???????? 
0fb745fc 68ff000000 8d8dd8feffff baffffffff } - $sequence_8 = { d805???????? d80d???????? 895df0 897df4 0fba65f41f df6df0 7306 } - $sequence_9 = { 8b52fc 29c2 8d4a01 8d5001 8b45fc e8???????? 89d8 } + $sequence_0 = { 8b8594fdffff 89424c 8b8588fdffff e8???????? 8b45f8 dd5828 8b45f8 } + $sequence_1 = { 8945d4 c745d000000000 8d55c8 b901000000 } + $sequence_2 = { 85c9 7403 8b49fc 807c08ff5c 7504 b001 eb02 } + $sequence_3 = { 6689501a 8b45e4 89580e 8b45f4 83785c00 770b } + $sequence_4 = { 7418 8b0424 8b0c24 85c9 7403 8b49fc } + $sequence_5 = { 8b45f4 8d5034 8b4df4 8b412c } + $sequence_6 = { 89c8 8d7de8 89c6 b910000000 f3a4 } + $sequence_7 = { 8d4de0 6631d2 8d85d8feffff e8???????? 8d45e0 30c9 } + $sequence_8 = { 8b0a ff5170 89c2 8b45e4 895012 8b45f4 c7406000000000 } + $sequence_9 = { b8???????? 6681380000 0f8563000000 8d7600 8b4304 3db1d70000 7c36 } condition: 7 of them and filesize < 739328 
@@ -112062,36 +112559,36 @@ rule MALPEDIA_Win_Glasses_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e3f60807-9e3f-553f-aab3-2b9d174a2d1f" - date = "2026-01-05" - modified = "2026-01-06" + id = "6d9b306c-9dac-5e6c-ad9a-a63b32b10956" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.glasses_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.glasses_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "f8dc4024fd9ceffd71dbd3d9fead59d2a70f550a13ec78ce30cdcf445ee6a1a3" + logic_hash = "8b4a36bf80c06e78f0e21d1167cf3a3f85699bce5684fa4db409f4ed268e2716" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b4d10 51 68???????? 8bce e8???????? 8d4de4 } - $sequence_1 = { e9???????? 8d8d38fdffff e9???????? 8d8d94feffff e9???????? 8d8dacfdffff e9???????? } - $sequence_2 = { ffd0 e9???????? 389d4afbffff 0f842f070000 8d8d10fbffff 889d4bfbffff e8???????? } - $sequence_3 = { eb05 1bc9 83d9ff 85c9 0f84643d0000 b9???????? 8d9b00000000 } - $sequence_4 = { eb2d 8b5520 8b451c 8d8e00090000 51 8b4d18 52 } - $sequence_5 = { e8???????? 8ac3 e9???????? 68???????? e9???????? 8b16 8b4214 } - $sequence_6 = { f3ab 8b5510 52 e8???????? 83c404 5f 5e } - $sequence_7 = { e9???????? 
8d8df4feffff e9???????? 8d8d08ffffff e9???????? 8b542408 8d420c } - $sequence_8 = { e8???????? 8d8d40fdffff 51 bb05000000 56 8d4d94 885dfc } - $sequence_9 = { ff15???????? 399d60fcffff 8b854cfcffff 7306 8d854cfcffff 50 e8???????? } + $sequence_0 = { eb43 8bce e8???????? c6462d01 c7463017000000 c746340d000000 e8???????? } + $sequence_1 = { e8???????? 8d049d00000000 50 56 8bcf e8???????? 84c0 } + $sequence_2 = { eb3e 68???????? 8d8b88000000 e8???????? 84c0 740c 68???????? } + $sequence_3 = { e8???????? 84c0 7465 8d8d60feffff e8???????? 80381f 7555 } + $sequence_4 = { e8???????? 8bf0 83c404 85f6 0f8494f8ffff 680d010000 8bce } + $sequence_5 = { e8???????? 8d4dac e8???????? 8b96c8010000 83c234 52 8d4dac } + $sequence_6 = { e8???????? 8b8ec8010000 83c134 e8???????? 8b8ec8010000 50 83c134 } + $sequence_7 = { e8???????? 8b45e4 40 8945e4 3b4514 7280 8d4db4 } + $sequence_8 = { e8???????? 8b0d???????? 85c9 74e2 c645ff00 e8???????? 8b0d???????? } + $sequence_9 = { 8be5 5d c3 8d5702 3bf2 733f 8b5d24 } condition: 7 of them and filesize < 4177920 
@@ -112101,36 +112598,36 @@ rule MALPEDIA_Win_Observer_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0737640-3fea-5607-8cf7-00374c1f837c" - date = "2026-01-05" - modified = "2026-01-06" + id = "cbedbaf4-a195-51de-b879-f41488de51dc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.observer_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.observer_stealer_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.observer_stealer_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "0be9a733455d3fbd7030daf285d74174d225df89f30a4020aa754c9c1ec43bc3" + logic_hash = "862b73ccc67746005fe7d83245a00e3ac3bae6be8bbc9421be8c99f89b23b255" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 57 8bc8 e8???????? 6a14 89442418 e8???????? } - $sequence_1 = { 8bcb e8???????? e9???????? 85ff 74cc 68???????? 8d4c2418 } - $sequence_2 = { c3 33c0 8bd1 53 56 57 8bfa } - $sequence_3 = { 59 59 c20400 56 8bf1 8b46e0 8b4004 } - $sequence_4 = { c3 83ec10 53 8bc1 55 } - $sequence_5 = { 55 e8???????? 3bc7 0f87ab000000 6bc024 50 89442414 } - $sequence_6 = { 8b751c 56 68???????? 57 e8???????? 8b4510 } - $sequence_7 = { 894d0c 894508 3d00100000 7215 8d4508 50 8d450c } - $sequence_8 = { 8d4dc0 68???????? e8???????? 
837d3408 8d4d20 8d4508 0f434d20 } - $sequence_9 = { 89773c c7474001000000 c74750fb5d7708 e8???????? 8bc7 5f 5e } + $sequence_0 = { ab 83662c00 c746300f000000 c6461c00 e8???????? 5f 8bc6 } + $sequence_1 = { 40 eb3e f7465000000200 7410 6a00 e8???????? } + $sequence_2 = { 8d5508 57 8d4c2424 e8???????? 837c243400 0f8483010000 837c243808 } + $sequence_3 = { 7422 83c8ff f00fc14120 7518 8b33 eb10 8bce } + $sequence_4 = { 8b442420 8b38 8bd7 e8???????? 8364241800 2bfe 59 } + $sequence_5 = { 27 124100 3a12 41 004e12 41 00741241 } + $sequence_6 = { ffb424f8020000 0f438c24ec020000 51 51 8bc8 e8???????? 50 } + $sequence_7 = { 8d8c249c000000 51 6a01 50 ffd5 8d4c2478 } + $sequence_8 = { f7f9 8bcf 8bd0 d1ea 2bca 56 3bc1 } + $sequence_9 = { e8???????? 59 c3 55 8bec 83e4f8 81ecf0000000 } condition: 7 of them and filesize < 614400 @@ -112141,10 +112638,10 @@ rule MALPEDIA_Win_Webc2_Ausov_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "9f7dcd3a-83e3-51b1-b972-c6423fd03466" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_ausov_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_ausov_auto.yar#L1-L119" license_url = "N/A" logic_hash = "54e3ad7a65c1020ea5947e1b7fb8d16c99e374f254cf080dd27feb76035c9b99" score = 75 
@@ -112153,9 +112650,9 @@ rule MALPEDIA_Win_Webc2_Ausov_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -112179,36 +112676,36 @@ rule MALPEDIA_Win_Data_Exfiltrator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9dfe6899-2a2b-53e4-a45a-9d47fab0bd97" - date = "2026-01-05" - modified = "2026-01-06" + id = "6afd73a7-a5c8-5e31-89ce-c6921a2e1dcf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.data_exfiltrator_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.data_exfiltrator_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "76dad4826c4efcd47bcf7b7baeb8873c247d502d84bcb2a2073a82e8e3d63f8c" + logic_hash = "8f08164a99f039dde291616b0a47215bb13392bcfa5a23f45920bb71de8866ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 48837c246800 7504 33c0 eb19 488b542450 488b4c2468 } - $sequence_1 = { 488b442430 8b4c2438 89480c 488b442430 4881c4e8000000 c3 } - $sequence_2 = { 488d152b530000 488b4c2440 ff15???????? 4889442420 } - $sequence_3 = { 8a442470 88442440 48c744243800000000 488d0595c8ffff 4889442430 488d0555d9ffff 4889442428 } - $sequence_4 = { 448bc8 4c8b442420 488b15???????? 488d4c2460 } - $sequence_5 = { 48894c2408 4883ec78 ff15???????? 
41b800010000 } - $sequence_6 = { 85c0 742c 0fb6442421 8b4c2424 83c105 8bc9 488b942440010000 } - $sequence_7 = { 488d0dad360000 e8???????? 41b840000000 ba00300000 b908000000 } - $sequence_8 = { 837c245c00 7407 837c244000 7502 eb33 8b442440 } - $sequence_9 = { 488bc1 4889842498000000 488b942498000000 488b8c24c8000000 } + $sequence_0 = { 0fb70424 0fb74c2404 3bc1 7402 } + $sequence_1 = { 89442420 4863442420 4889442438 ff15???????? 488b4c2438 4c8bc1 ba08000000 } + $sequence_2 = { 41b8ffffffff 488d15d32a0000 488b4c2448 ff15???????? 48837c244800 0f84b2000000 8b8424c8000000 } + $sequence_3 = { c644245d78 c644245e00 488d4c2440 e8???????? } + $sequence_4 = { c644244d78 c644244e7a c644244f62 c644245075 } + $sequence_5 = { 488b8c24b0000000 e8???????? 48898424a8000000 488b8424a8000000 8b00 4533c0 } + $sequence_6 = { 488bc1 4889442430 488b542430 488b4c2450 ff542470 8944242c 837c242c00 } + $sequence_7 = { ff15???????? 33c0 e9???????? e9???????? 4533c0 33d2 b900000400 } + $sequence_8 = { 83e830 89442428 837c242800 7c3a 8b442448 39442428 7d30 } + $sequence_9 = { c6442420fb c6442421fc c6442422fe c6442423ff c6442424aa c644242548 } condition: 7 of them and filesize < 107520 
@@ -112218,36 +112715,36 @@ rule MALPEDIA_Win_Downex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "780df1d0-772a-58a4-934d-63bed6bd9744" - date = "2026-01-05" - modified = "2026-01-06" + id = "75a4c5a4-828c-538a-84fc-d73a146dfd41" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.downex_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.downex_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "2787ed485caccd79e05aaa2383aa816bb0e34ab86d11b61c935876204e99082a" + logic_hash = "c2d8d6f74a78cee1a1b4955dcfce1bba7077f6919a6bd08030ecc79c5f31e95e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb6443b47 4b 2bf0 8d0440 8d0c82 8b84b7ec000000 8901 } - $sequence_1 = { ffb0d8f24700 e8???????? 83c40c 85c0 7419 46 8d0476 } - $sequence_2 = { e8???????? 8d8d58fdffff e8???????? 8b4da4 83c148 8d4601 50 } - $sequence_3 = { 297e04 83c40c 013e 017e08 8b4e04 83560c00 017e10 } - $sequence_4 = { eb2c b9???????? eb25 b9???????? eb1e 3ddec0c5b0 7412 } - $sequence_5 = { 7214 83c123 8b50fc 2bc2 83c0fc 83f81f 0f87d3030000 } - $sequence_6 = { ff7508 e8???????? 
83c414 33d2 85c0 b900100000 0f44d1 } - $sequence_7 = { 85c0 0f85a0050000 f6872802010010 0f8407010000 8b8eb4000000 8bd1 68b5070000 } - $sequence_8 = { 50 e8???????? 68???????? 6aff ffb5f0feffff e8???????? 8bb5f8feffff } - $sequence_9 = { e8???????? 83c410 eb1f 81e7ffffdfff f7c200002000 7411 8d45e4 } + $sequence_0 = { ff4014 83c2f0 66d3ef 8b88bc160000 6689b8b8160000 03ca e9???????? } + $sequence_1 = { e8???????? 83c410 85c0 746a 57 e8???????? 52 } + $sequence_2 = { 8d8d20feffff e8???????? 8d8d08feffff e8???????? 8b8d10ffffff 83f910 7251 } + $sequence_3 = { 8901 83f804 7e7b e8???????? 8b30 eb72 39b1a8000000 } + $sequence_4 = { ffb5f8fdffff e8???????? 8d85ecfdffff 50 e8???????? 83c410 b8e2ffffff } + $sequence_5 = { d3e0 837d0801 8945a0 c7458cffffffff 8d48ff 894d88 0f85a5000000 } + $sequence_6 = { ffd7 85c0 75a2 ba???????? b9???????? e8???????? 837c243c10 } + $sequence_7 = { 898ddcfeffff 8bc7 81f900100000 721a 83c123 898ddcfeffff 8b78fc } + $sequence_8 = { ff75f8 51 8bcf e8???????? 8b4df4 83f910 7228 } + $sequence_9 = { 8d45f0 50 e8???????? 83c410 eb1f 81e7ffffdfff f7c200002000 } condition: 7 of them and filesize < 1067008 
@@ -112257,36 +112754,36 @@ rule MALPEDIA_Win_Meltingclaw_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4c934307-6162-5bd3-9838-14fb4893e749" - date = "2026-01-05" - modified = "2026-01-06" + id = "faefad96-2449-59ba-8a93-534e3e089c5c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meltingclaw" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.meltingclaw_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.meltingclaw_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "b6f3eb32e00edec50809c43ad1e4398bb12b63738a427d7db6e1e036df7e69e8" + logic_hash = "b836bc6ac4a03472f5f4372fe7dd58a1cd41dce8029891458b47475ccb8f9c7f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 0f8484000000 ffc1 4c63e1 498bcc e8???????? } - $sequence_1 = { 488d8da8000000 48ffc9 48ffc1 803900 } - $sequence_2 = { 33c9 ff15???????? 488d8d80000000 8bd8 e8???????? } - $sequence_3 = { 8bfa 488bd9 33d2 41b804010000 488d4c2470 e8???????? 660f6f05???????? 
} - $sequence_4 = { 488364243000 4533c9 44896c2428 4533c0 8364242000 } - $sequence_5 = { 880411 48ffc2 84c0 75f3 488d8da8000000 } - $sequence_6 = { 23c1 41c1ff0c 2bc2 448bf0 418d6f01 4883ffff } - $sequence_7 = { 80c121 418809 49ffc1 b90d000000 490fbe41ff 33d2 } - $sequence_8 = { 750e 48396928 7508 48396930 b001 7403 } - $sequence_9 = { 6bc83f 49c70700010000 80c121 418809 49ffc1 b90b000000 } + $sequence_1 = { 4c8b0a 33f6 448bc6 48c7420816000000 4c8bd2 48c7421009000000 488bf9 } + $sequence_2 = { f3420f7f4409e0 f3420f7f4401f0 f30f7f00 c3 488bc4 } + $sequence_3 = { 33d2 41b880000000 8b5820 e8???????? } + $sequence_4 = { 23d1 03c2 448bf8 23c1 41c1ff0c 2bc2 } + $sequence_5 = { 33c0 0f11442450 6689442460 0f104118 } + $sequence_6 = { 0fb6c0 0fb74c4420 6643890c46 49ffc0 4983f80e 72b0 488b8c2420020000 } + $sequence_7 = { 750e 48396928 7508 48396930 b001 7403 } + $sequence_8 = { 4983f80f 0f870c010000 666666660f1f840000000000 478b8c8200800200 4d03ca } + $sequence_9 = { 4833c4 4889442470 488bda 488bf9 4889542428 } condition: 7 of them and filesize < 348160 
@@ -112296,42 +112793,42 @@ rule MALPEDIA_Win_Vsingle_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7b6b6db-e313-5b0b-a645-6bf26597d2b3" - date = "2026-01-05" - modified = "2026-01-06" + id = "7a0dc0b8-8413-526e-80cd-2e11f3fb260c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vsingle_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vsingle_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "f69fc53fa8d26d98505b2a81c4ca94e19258f9d652d84433b0b518828946acca" + logic_hash = "f0219dca344f5491ea50620d0847b642ccbeeaa49ea8c19b88efa0837a19f196" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 668985ccb6ffff 6800200000 6a00 8d8dceb6ffff 51 e8???????? } - $sequence_1 = { 50 6800010000 8b4508 50 } - $sequence_2 = { 50 51 b8b0490000 e8???????? } - $sequence_3 = { 83c404 50 8d4dd0 51 e8???????? 
83c40c } - $sequence_4 = { 035508 b801000000 d1e0 8a4dff 880c02 ba04000000 } - $sequence_5 = { 035508 be01000000 d1e6 8a0408 } - $sequence_6 = { 50 0fb78d10efffff 51 0fb79516efffff 52 0fb78512efffff 50 } - $sequence_7 = { 668985d4f6ffff 68fe070000 6a00 8d8dd6f6ffff } - $sequence_8 = { 81c29733eaa8 81f2e97da1b5 81ea52e5b08e 81c2f77c29e2 81ea4b516cc2 89042a 5a } - $sequence_9 = { 5f 51 57 51 b9cd968197 } - $sequence_10 = { 51 b9b187ff90 81e95e49f864 81c17c65b866 81c10f9cc186 } - $sequence_11 = { 81c2b953352c 81c26fe1dd9a 81eaf2033eb3 81f2866440c5 81f237c658eb 81c2a804b1a7 } - $sequence_12 = { 5b 53 bb8fbc7c14 81c30cf1050f e9???????? 5e } - $sequence_13 = { 7505 e9???????? 50 b8e64d1443 81e8dc1e5dbe eb0a } - $sequence_14 = { 89042e 5e 56 be76e3d36a 81ee46419e0d } - $sequence_15 = { 81f19d49dcd4 81e9c159bc74 890429 59 } + $sequence_0 = { 8945fc 56 57 c6850cffffff00 68ef000000 6a00 8d850dffffff } + $sequence_1 = { 51 ff15???????? 8b5508 52 ff15???????? 83c001 } + $sequence_2 = { 33c0 668985d4f6ffff 68fe070000 6a00 } + $sequence_3 = { 51 ff15???????? 8d94057cfeffff 52 } + $sequence_4 = { 8945fc 64a130000000 8945f8 8b45f8 8b4dfc 33cd e8???????? } + $sequence_5 = { 33c0 668985ccb6ffff 6800200000 6a00 8d8dceb6ffff } + $sequence_6 = { 8955c5 8955c9 668955cd 8855cf c645d000 33c0 } + $sequence_7 = { 83c408 894598 8b4508 3b4598 7508 8b4db0 8b4118 } + $sequence_8 = { 81f289e16a3d eb43 81c0e92289a3 81e807909f53 } + $sequence_9 = { 81c3e0fb4709 66890c2b 5b 0fb755e4 85d2 } + $sequence_10 = { 52 bab450bfad 81c2acf92436 81c2d42cb3d3 81ea65354a2c } + $sequence_11 = { 50 b831b265c9 81f0be517822 81c045df1a86 81f017fa817b 81c0a0322d59 } + $sequence_12 = { 21f0 5e 52 bad7593745 } + $sequence_13 = { 5b 53 bb466ba2eb 81c316a49e00 } + $sequence_14 = { e9???????? 81e9699779d1 81c1cdd62061 e9???????? 81e9fcdd35b4 81e914eb6430 } + $sequence_15 = { 81eeef6a17e4 81c63f5b8880 81f63a06f592 81eee27f222c 81f6edd42c06 } condition: 7 of them and filesize < 940032 
@@ -112341,36 +112838,36 @@ rule MALPEDIA_Win_Nitlove_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84765628-80ab-5981-9ee3-a789670212a2" - date = "2026-01-05" - modified = "2026-01-06" + id = "1be99c41-1963-58ec-8cf0-aedd46ac6fd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nitlove_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nitlove_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "6dc343446a186927b9f2cf65101150f5f9c6342bdace19bd149edbf93300570a" + logic_hash = "539576f1d084cda9c06cc41a943bc6264fb00085ac0bf62483af90c6062ea6ad" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 6a0b 59 be???????? 8d7dc8 f3a5 b902000080 } - $sequence_1 = { 03f0 c1e007 33f0 42 3bd7 7ce9 33c0 } - $sequence_2 = { b359 51 8d857cffffff 50 51 } - $sequence_3 = { 6a00 6aff ffd0 bab2bb282b 8bcb } - $sequence_4 = { 6aff ffd7 0fb785dcfeffff 33c9 ba1e3d0000 66898c0504feffff } - $sequence_5 = { ba4d8a978a 8bcb e8???????? ffd0 51 } - $sequence_6 = { 56 57 83ceff 33ff 8bd9 85d2 7e21 } - $sequence_7 = { 6a05 ffd6 833b00 747a 33db } - $sequence_8 = { e8???????? 8b45ec 83c43c 5f } - $sequence_9 = { 33f6 8b45f0 0345e4 8b4dd4 } + $sequence_0 = { e8???????? 
eb03 8b7508 3b75fc 0f8252ffffff 5b 5f } + $sequence_1 = { 837c241008 8b742414 0f86de000000 6a3c } + $sequence_2 = { 8bec 81ec04050000 53 56 8d45fc } + $sequence_3 = { ffd0 8b45d0 85c0 7452 8b75fc 897ddc 2bf7 } + $sequence_4 = { 8b650c 8b45d0 8b55d4 5f } + $sequence_5 = { 8d8dfcfcffff e8???????? 51 8d95fcfcffff b9???????? e8???????? } + $sequence_6 = { 33c9 ba1e3d0000 66898c0504feffff 8d8d04feffff e8???????? 84c0 } + $sequence_7 = { 53 6a05 ffd6 833b00 } + $sequence_8 = { 6806000200 53 52 51 be???????? ba14eb4517 } + $sequence_9 = { ff750c ff7508 6aff ffd0 } condition: 7 of them and filesize < 49152 
@@ -112380,70 +112877,70 @@ rule MALPEDIA_Win_Volgmer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c708d481-8667-53f5-aa6f-d4a1c7cf85b4" - date = "2026-01-05" - modified = "2026-01-06" + id = "6c89b531-23bd-5752-9bcc-2d11e2617f76" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.volgmer_auto.yar#L1-L402" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.volgmer_auto.yar#L1-L406" license_url = "N/A" - logic_hash = "76496bf022136cb4a0da9750dca0578c8d8bf2a12423d01c51f00f5c1f22514f" + logic_hash = "c3bd8d06329fdd72d84752965e665bfe8cf991b80f097cac8bea2df7091ea5b0" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 4533c0 498bd5 33c9 c744242800000008 } - $sequence_1 = { 7454 33d2 488d4c2434 41b804040000 e8???????? 448d4606 } - $sequence_2 = { 7406 488bcf ff5588 4533c9 4533c0 33d2 } - $sequence_3 = { 4889442420 4c8d442448 418d5108 41ffd4 4c8d8da0030000 498bce } - $sequence_4 = { 4883c9ff 48ffc1 803c0800 75f7 66ffc1 488d8560030000 } - $sequence_5 = { 8801 488d4901 ffc0 3d00010000 7cf1 6644899600010000 } - $sequence_6 = { e8???????? e8???????? e8???????? c705????????04000000 } - $sequence_7 = { 488d8d270d0000 0f280d???????? 33d2 0fb705???????? 41b8c5010000 0f1185e40c0000 } - $sequence_8 = { 488d8d20050000 ff542460 488bcb ff542468 8bc6 } - $sequence_9 = { 488d8d400f0000 e8???????? 
8bd6 c68435400f000000 488d8d400f0000 } - $sequence_10 = { e8???????? 85c0 740c 418bdd e9???????? 4983cfff } - $sequence_11 = { 33d2 41b808020000 6644896d80 e8???????? 488b3d???????? 33c0 } - $sequence_12 = { 3bd7 89542410 750d 57 } - $sequence_13 = { 89831c0c0000 eb15 8d4601 50 e8???????? 89831c0c0000 83c404 } - $sequence_14 = { 4833c4 48894537 4c8b25???????? 33c0 c745d701234567 8945a3 } - $sequence_15 = { 8bfe 83e03f c1ff06 6bd830 8b04bd80f17300 f644032801 } - $sequence_16 = { c1f906 6bf630 8b0c8d80f16e00 80643128fd 5f 5e } - $sequence_17 = { 6a26 58 0fb60c8536976e00 0fb6348537976e00 8bf9 8985b4f8ffff c1e702 } - $sequence_18 = { 6bd030 895de4 8b049d80f17300 8945d4 } - $sequence_19 = { 89855cf5ffff 0f84df040000 8d8618030000 50 8d85f4fbffff } - $sequence_20 = { 83e809 7443 83e801 0f8501010000 c745e0e4ba6e00 8b4508 8bcf } - $sequence_21 = { c645e316 ff15???????? 410fb7cd 668945e4 } - $sequence_22 = { 8b2d???????? 50 ffd5 8d942480000000 52 ff15???????? } - $sequence_23 = { 83f808 74ba 83f807 77c5 ff2485d1a86d00 8bce } - $sequence_24 = { f3ab 66ab 33c0 8d4c2404 89442409 51 } - $sequence_25 = { 448bc7 4803ce e8???????? 8d7709 488b5310 } - $sequence_26 = { 4c89642440 4c896c2438 488d3576a50100 4c8d056ba50100 } - $sequence_27 = { 663944244d 0f8593010000 488d4f10 4c8d442458 488d542458 448bce } - $sequence_28 = { 8d3c85c8f46e00 8b0f 85c9 740b } - $sequence_29 = { c6442412ed c644241396 c644241425 c644241528 c6442416fd } - $sequence_30 = { 8b04c520986e00 5d c3 33c0 } - $sequence_31 = { 56 83f815 0f8711010000 ff2485786b6d00 51 8d5106 } - $sequence_32 = { e8???????? 83c40c c785e0f3ffff00040000 8d85e0f3ffff 50 } - $sequence_33 = { 5d c3 b801000000 ebc5 b988130000 } - $sequence_34 = { 55 6a00 6a00 8d442410 6a1a } - $sequence_35 = { eb57 53 8b1c85d8886e00 56 6800080000 6a00 } - $sequence_36 = { e8???????? 29bb50000500 448bd8 3bbb54000500 } - $sequence_37 = { 88442419 c644241a13 c644241b0e c644241c5d c644241d9f } - $sequence_38 = { 48f7d1 4c8d0409 488d4dc0 e8???????? 
4c8d4c2440 } - $sequence_39 = { 50 ff15???????? 837e0c00 8bf8 0f840a010000 8d8e18030000 51 } - $sequence_40 = { 428b4c8440 0f1f440000 3b8c8440010000 7419 48ffc0 } - $sequence_41 = { 41b800800000 e8???????? 81834c0005000080ffff 8183440005000080ffff } - $sequence_42 = { 6800010000 8db318010000 6a00 56 e8???????? 6800010000 } - $sequence_43 = { 8bf8 0f84df020000 8d8318030000 50 8d85bcf7ffff } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 7406 ffd6 48895f18 488b4f10 4885c9 7406 } + $sequence_1 = { 75ae 488b08 4533c9 48890a 448bc5 } + $sequence_2 = { 4533c0 498bd5 33c9 c744242800000008 } + $sequence_3 = { 898514090000 0f2805???????? 0fb605???????? 0f118de4080000 888518090000 } + $sequence_4 = { 448bc6 4889442460 488d8de0070000 e8???????? 8bd6 c68435e007000000 } + $sequence_5 = { 4183fe03 772f b92c010000 ff15???????? 498b4d18 4c8bce } + $sequence_6 = { 33f6 458d44245f e8???????? 33c0 48897588 } + $sequence_7 = { 33d2 0f1f00 410fb60416 880411 488d5201 84c0 } + $sequence_8 = { 8bf7 8bc6 e9???????? 41b902000000 4533c0 33d2 } + $sequence_9 = { e8???????? e8???????? e8???????? c705????????04000000 } + $sequence_10 = { 0fb684c8a87a6e00 c1e804 5d c20800 8bff } + $sequence_11 = { 6a03 53 6a02 6800000040 57 ff15???????? } + $sequence_12 = { 8a4d08 8d41e0 3c5a 770f 0fbec1 0fb688887a7300 } + $sequence_13 = { 448bcf c644242017 e8???????? 8bcb } + $sequence_14 = { 81c434020000 c3 8d442434 6800020000 50 ff15???????? } + $sequence_15 = { 8bec 8b4508 83f80b 7719 ff24851fb07200 6a04 } + $sequence_16 = { 3b7ddc 0f82eefeffff eb29 8b55d4 8a07 8b0c9580f16e00 } + $sequence_17 = { 458bc5 498bcc e8???????? 
85c0 0f84c1000000 } + $sequence_18 = { 8975cc 8d041f 8975d0 8975e0 8975f0 c745f4fc7d6e00 } + $sequence_19 = { 0f43c8 fec1 888c3ac4000500 6646896c8d02 6644896c9d02 } + $sequence_20 = { 4c8d0581f2ffff 4533c9 33d2 33c9 } + $sequence_21 = { 894df0 8b34cd40a96e00 8b4d08 6a5a } + $sequence_22 = { 899df0f3ffff 8d4201 0f1f00 8a0a 42 84c9 } + $sequence_23 = { 8b4514 40 c745ecc89b7200 894df8 8945fc 64a100000000 8945e8 } + $sequence_24 = { e8???????? 85c0 0f8474030000 4889bc24d8000000 } + $sequence_25 = { 7507 6810270000 eb05 6860ea0000 } + $sequence_26 = { 89442464 8b4220 89442468 e8???????? } + $sequence_27 = { 4881ec88000000 488d0df5140100 ff15???????? 488b05???????? 4889442458 } + $sequence_28 = { 450f47c6 ff15???????? 03bc2488000000 413bfc 72ce } + $sequence_29 = { 745d 68c0d40100 ff95ecf7ffff ff049d30f66e00 68d0070000 ff95ecf7ffff } + $sequence_30 = { 418bd1 c1fa08 8955cf 0fb64dd1 8855c9 884dc7 0fb64dd0 } + $sequence_31 = { 8bf0 8b470c 85c0 740a 50 ffd6 c7470c00000000 } + $sequence_32 = { 0f83d5000000 660f1f440000 418bc4 2bc7 3bc3 } + $sequence_33 = { 6b45e430 8945e0 8d80d0e16e00 8945e4 } + $sequence_34 = { c1f906 6bd030 8b45fc 03148d80f16e00 8b00 894218 } + $sequence_35 = { f7d8 c703???????? 6a00 1bc0 c7430400000000 } + $sequence_36 = { c6442427ff c64424283c c6442429a0 c644242ab1 c644242bca c644242c23 } + $sequence_37 = { ff15???????? 89442414 8bd3 be04010000 } + $sequence_38 = { 418bd5 ff15???????? 488bd8 4883f8ff 0f84d8000000 4c8d442468 ba7e660480 } + $sequence_39 = { 40 8985c4f5ffff 8d95d0f9ffff c1e009 8d8870f67300 2bd1 } + $sequence_40 = { 895c2418 897c241c 75e3 8b442410 8b542414 b910000000 } + $sequence_41 = { 8b45e4 8b0c8580f16e00 8b45e8 f644012880 7446 0fbec3 83e800 } + $sequence_42 = { 3bd1 3bd8 3be5 3b993c9e3ca5 3cae 3cb5 3cbd } + $sequence_43 = { e8???????? eb2b 83f8ff 7526 4c8d256bd90000 493bdc } condition: 7 of them and filesize < 393216 
@@ -112453,36 +112950,36 @@ rule MALPEDIA_Win_Bqtlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bb5e42ac-0a96-533f-bdf8-f7363192cc82" - date = "2026-01-05" - modified = "2026-01-06" + id = "a487119a-e7ca-5338-8f6e-4bc772de2ab2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bqtlock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bqtlock_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bqtlock_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "fe09c813bf2717fae94718806fa0772093be79bdfe9076451ef94ec757b5ff93" + logic_hash = "3551b5a08b9fb2b57803a409650d4a5f2efcf5d251961b29f758577d6968c250" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f859b000000 8b08 e8???????? 6690 4c89e1 e8???????? 48c745e800000000 } - $sequence_1 = { 498d5508 4c89c1 4829d1 83e108 742f 498b5508 4839d0 } - $sequence_2 = { 488d540002 e8???????? 488b4ba0 4885c9 7405 e8???????? 
488b4500 } - $sequence_3 = { 4d85c0 48895110 4889cb 0f95c0 31d2 894108 488d057fde0a00 } - $sequence_4 = { 4c89d9 ff5048 83f8ff 0f8451020000 4c8b5c2468 89c1 0fb6d0 } - $sequence_5 = { 4c8d742450 4531d2 4c894c2438 4c89e9 4c89742440 48c744244800000000 664489542450 } - $sequence_6 = { 488d4110 488901 4885d2 7505 4d85c0 7510 4531c9 } - $sequence_7 = { 4c8d0daa38fcff 488b4038 4c39c8 0f856d030000 4839f2 740b 4889f2 } - $sequence_8 = { b800000000 ba00000000 480f45542460 410f44c6 4889542460 4038f0 0f84fdfaffff } - $sequence_9 = { 4d85c0 0f8469fdffff e9???????? e8???????? 4889c3 ff542438 8b00 } + $sequence_0 = { 837c2460ff 742b 410fb64720 31db 41bcffffffff e9???????? 31d2 } + $sequence_1 = { 4c894c2450 48897c2448 f6411801 0f85e6000000 4889842480000000 488d8424d4000000 4c8d842490000000 } + $sequence_2 = { 4d8b5908 4c8b8424b8000000 4c8b8c24c0000000 488b06 4889442468 488b02 4889cb } + $sequence_3 = { 4c0f44d8 e9???????? 498b4510 493b4518 0f83d0030000 0fb700 6683f8ff } + $sequence_4 = { e8???????? 488b8424f0000000 498d5520 488d8c2480010000 4889842468010000 e8???????? 4c89fa } + $sequence_5 = { 4c8b48e8 4901d9 4d89c8 4183ff20 0f85ccfeffff 418b5120 85d2 } + $sequence_6 = { e8???????? 488945f8 488b45f8 483b4518 7320 0fbe4d20 488b4518 } + $sequence_7 = { 83e0df 83f845 0f8505e6ffff c744245800000000 4189dd 4531f6 c744244401000000 } + $sequence_8 = { 498b4510 493b4518 0f8332010000 66662e0f1f840000000000 0f1f4000 440fb708 664183f9ff } + $sequence_9 = { 488d442460 4889442428 e8???????? 8b542460 85d2 7521 488b3d???????? } condition: 7 of them and filesize < 4444160 
@@ -112492,36 +112989,36 @@ rule MALPEDIA_Win_Koobface_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "26b0388c-a8f9-5f6a-a459-0177fcecc6df" - date = "2026-01-05" - modified = "2026-01-06" + id = "c7c8ac2b-27e8-5e1a-9981-867addc45abf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.koobface_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.koobface_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "0e852ce8a28d3657fb835380a3e7fdc823e6b573b8d3e8c2631736d136315996" + logic_hash = "129b7af91c58c9077cd85117dcfa9c5b55737107a489f23dd03d3a620ffd3880" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85c8f3ffff 50 ffd6 8d85d8f3ffff 50 c645fc06 ffd6 } - $sequence_1 = { 56 e8???????? 59 50 56 8d8f50010000 e8???????? } - $sequence_2 = { 50 0fb78538c1ffff 50 ffb534c1ffff 8d85f0e8ffff ffb530c1ffff 68???????? } - $sequence_3 = { 6874040000 b8???????? e8???????? 8b4508 } - $sequence_4 = { 8bd6 c1fa05 8b1495a0534200 83e61f c1e606 f644320480 7416 } - $sequence_5 = { 5e 8bc3 5b 5d c20c00 e9???????? 55 } - $sequence_6 = { ff91b4000000 ff75d8 ffd3 8b4514 3bc7 } - $sequence_7 = { 50 e8???????? 68???????? 8d850857ffff 50 } - $sequence_8 = { 8906 3bc7 7425 6aeb 50 ff15???????? 
ff750c } - $sequence_9 = { ff11 8b45e0 c645fc02 85c0 7406 8b08 50 } + $sequence_0 = { 03048da0534200 eb02 8bc2 f6402480 0f8571ffffff 33f6 } + $sequence_1 = { 50 c645fc1e e8???????? 56 8945b4 e8???????? 59 } + $sequence_2 = { 754c 8d8540c1ffff 6a41 50 e8???????? 59 } + $sequence_3 = { 6a02 8985d4c1ffff ff15???????? 8bd8 83ceff 899d84bfffff 3bde } + $sequence_4 = { 55 8bec 8b450c 832000 33c0 40 5d } + $sequence_5 = { 8d3402 56 e8???????? 56 8d45b4 50 8d4d94 } + $sequence_6 = { 8d8528ffffff 68???????? 50 e8???????? 83c40c 8d8528ffffff 50 } + $sequence_7 = { e8???????? c3 55 8bec ff7510 ff750c e8???????? } + $sequence_8 = { 3d???????? 72f1 5d c3 0fb611 } + $sequence_9 = { 57 c645fc04 ff5124 ff7508 } condition: 7 of them and filesize < 368640 
@@ -112531,36 +113028,36 @@ rule MALPEDIA_Win_Unidentified_003_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d98d47b0-9a51-53ac-b838-c109a79a3c60" - date = "2026-01-05" - modified = "2026-01-06" + id = "b7985ab0-3646-5f6a-8383-ec33f2bb6a31" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_003_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_003_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "a77ee5178781b22b88b059404b849af3a08c098d4327a0118f9c2d73b7bfb28c" + logic_hash = "80fc90cd630c043568f4858238164c3dc1dbbe6f5a29cdca3098a6fb3ebf819f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b8???????? 2b05???????? ff7006 50 50 8d442464 50 } - $sequence_1 = { 7561 6a00 68???????? 8d45f0 e8???????? } - $sequence_2 = { 0f8312020000 8dbdf1fdffff 2bf9 8a11 88140f 41 84d2 } - $sequence_3 = { 85c0 75b5 8d45f4 50 8d85e3fbffff 50 } - $sequence_4 = { 395de0 0f8421010000 8b45e0 8b08 50 } - $sequence_5 = { bb01000080 53 ff15???????? 
6a22 58 668985f0fbffff 33c0 } - $sequence_6 = { 3bc3 7468 3d00100400 741c 3d10100400 7415 3d00100600 } - $sequence_7 = { ff45fc 8b45fc 8145f80c020000 81c718040000 3b45f0 0f8238ffffff eb07 } - $sequence_8 = { 8b45a4 3bc3 7464 8945d8 33c0 8d7dac ab } - $sequence_9 = { 56 e8???????? 59 59 85c0 7408 c60000 } + $sequence_0 = { 5e 5b 8bc1 c20800 55 8bec } + $sequence_1 = { 53 a3???????? 8d4577 50 57 33db } + $sequence_2 = { 56 56 8d45d0 50 ff75b8 ff75e0 ff15???????? } + $sequence_3 = { 8b430c 50 50 6a0d 897b04 8b0f 57 } + $sequence_4 = { 56 e8???????? 83c40c 85c0 0f8525010000 83c60e } + $sequence_5 = { 85c0 75c7 85db 780b 8b45fc 894604 33c0 } + $sequence_6 = { 53 8dbdedfbffff c6002d e8???????? 53 53 8dbdf2fbffff } + $sequence_7 = { 68???????? ff75f8 ff15???????? ff75dc ff7508 56 ff75f8 } + $sequence_8 = { 47 84c9 75f8 be???????? 66a5 8b750c } + $sequence_9 = { 55 8bec 81ecb4000000 53 56 57 33f6 } condition: 7 of them and filesize < 57344 
@@ -112570,36 +113067,36 @@ rule MALPEDIA_Win_Allaple_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "76748fdd-5448-52e3-b40a-c8804bcac97d" - date = "2026-01-05" - modified = "2026-01-06" + id = "91fc2d21-93c0-5b23-b300-8dd84dc8d05c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.allaple_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.allaple_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "89aee7277247b951ca979dcece1297fc5fda6e02a408403041aa3b0414e347cd" + logic_hash = "b918fde6ef67bece0885bc42625f46c423847135b719a0a370bb8da06eede5e8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945f4 57 ff75fc e8???????? 8945f0 897de8 897dec } - $sequence_1 = { 83c704 c70704000000 83c704 6a18 ff7510 57 e8???????? } - $sequence_2 = { c7420c76543210 8be5 5d c3 55 8bec } - $sequence_3 = { 0345d8 50 e8???????? 83c408 a3???????? 6a03 ff35???????? } - $sequence_4 = { 8b45e4 33c2 8945e4 8b4dec 8b55f0 8d044a 0345b0 } - $sequence_5 = { 52 ff750c e8???????? 47 4b 83c604 0bdb } - $sequence_6 = { 50 ff75fc e8???????? 8d85c0feffff 50 8d85c4feffff } - $sequence_7 = { 6a00 6a64 8d8544fdffff 50 e8???????? 
6a00 } - $sequence_8 = { 8b55fc 8b4238 3345f4 8b4df8 894138 8b55fc 8b423c } - $sequence_9 = { 8975f0 6a50 e8???????? 668945ee 6a10 8d45ec 50 } + $sequence_0 = { 8985c8faffff eb12 6a00 ff37 ff36 8d85eefcffff } + $sequence_1 = { 0355ec 03954cffffff 8b45e4 33c2 8945e4 8b4dec 8b55f0 } + $sequence_2 = { e8???????? ff75f8 e8???????? c745f000000000 ebb5 5b } + $sequence_3 = { 8d856cfeffff 50 57 e8???????? 03f8 c70702000000 83c704 } + $sequence_4 = { 8b75fc 83c306 8bcb 03ce 51 8d85c8feffff } + $sequence_5 = { 50 ffb5dcfaffff ffb5e0faffff 6a03 6a00 ff75f4 e8???????? } + $sequence_6 = { e8???????? e9???????? 8b95b4fdffff 8d8a8a010000 c785b8fdffff00000000 80790a30 7523 } + $sequence_7 = { 57 e8???????? 03f8 c70718000000 83c714 c707ffffffff 83c704 } + $sequence_8 = { 8d9411eecebdc1 8955f8 8b45f8 c1e016 8b4df8 c1e90a } + $sequence_9 = { 8db5ecf8ffff 83c604 0fb74605 eb07 b8ffffffff eb00 5b } condition: 7 of them and filesize < 253952 @@ -112613,7 +113110,7 @@ rule MALPEDIA_Win_Mykings_Spreader_Auto : FILE date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mykings_spreader_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mykings_spreader_auto.yar#L1-L132" license_url = "N/A" logic_hash = "1bcd674173fea4b83a2f4219e8f61306a972490f94a89cfaf5e1f466fdec8eff" score = 75 
@@ -112648,36 +113145,36 @@ rule MALPEDIA_Win_Sidewinder_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc151d68-8079-5f48-8578-23ad18a0a4e7" - date = "2026-01-05" - modified = "2026-01-06" + id = "9e9df07d-bb59-5ce6-ba37-a892c60d7d33" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sidewinder_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sidewinder_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "e4a063cf875d6c669e0a5700a0f46ba681b39263a023b07ff990bd59cdb78477" + logic_hash = "ca9735d92e59cc94af52ead8b46d5b078a3580a8819717e09ce10ee8673415d4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945cc 837dcc00 0f8e37030000 0fbf4510 85c0 740e ff75c0 } - $sequence_1 = { dfe0 9e 740e dd45cc dc1d???????? dfe0 9e } - $sequence_2 = { 8d45b8 50 8d45c8 50 8d45d8 50 8d45a8 } - $sequence_3 = { dbe2 8945dc 837ddc00 7d17 6a3c 68???????? ff75ec } - $sequence_4 = { 817da0a3000000 750a 66830d????????ff eb54 837da058 740c 837da043 } - $sequence_5 = { 8965f8 c745fc???????? 6a02 59 e8???????? 668945e0 8b4508 } - $sequence_6 = { 50 6a00 e8???????? 8d45d4 50 6a00 e8???????? 
} - $sequence_7 = { 83a59cfeffff00 8b45a0 89853cffffff 8d855cffffff 50 8b853cffffff 8b00 } - $sequence_8 = { eb09 8d45ec 89856cffffff 8b856cffffff 8b00 8945b0 8d45d0 } - $sequence_9 = { e8???????? 898560ffffff eb07 83a560ffffff00 8b45c8 894588 c745b004000280 } + $sequence_0 = { eb04 8365bc00 8d4de0 e8???????? 8d45e0 50 8b4508 } + $sequence_1 = { 8365b400 68???????? 8b45ec 8b00 ff75ec ff506c dbe2 } + $sequence_2 = { 8d4598 50 a1???????? 8b00 ff35???????? ff5064 dbe2 } + $sequence_3 = { 83a5f0feffff00 ff7510 8b8514ffffff 8b00 ffb514ffffff ff5034 dbe2 } + $sequence_4 = { e8???????? 8945b0 eb04 8365b000 837de000 7516 8d45e0 } + $sequence_5 = { 0fbf05???????? 50 ff35???????? e8???????? ff7004 e8???????? 8bd0 } + $sequence_6 = { 8b45e4 8b00 ff75e4 ff501c dbe2 898548ffffff 83bd48ffffff00 } + $sequence_7 = { e8???????? 660fb630 6683e603 666bf610 0f8007010000 ff75dc } + $sequence_8 = { eb0a c78574ffffff1c8c4400 8b8574ffffff 8b00 894594 837de000 7519 } + $sequence_9 = { e8???????? 6a00 6a7f 6a01 6a11 8d45b8 50 } condition: 7 of them and filesize < 679936 
@@ -112687,36 +113184,36 @@ rule MALPEDIA_Win_Secondhandtea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "24430ceb-9ce2-5574-9afd-319803953494" - date = "2026-01-05" - modified = "2026-01-06" + id = "41f52151-5e51-5606-8737-723aab9a31f5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.secondhandtea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.secondhandtea_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.secondhandtea_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "7cb092741fedaef6b40610c6e7ec59e3f301485274283d64b8f6a31d3c54f53c" + logic_hash = "048cb3602402d265d0e27fe363656b33ee284c4af694aec548d39d9ba2f26c22" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? cc 4c8d0554c31400 498bd4 488bcd e8???????? 85c0 } - $sequence_1 = { e8???????? 488bcf e8???????? 488b8b18100000 8b93fc070000 0fb701 3bd0 } - $sequence_2 = { 753b c744242025000000 41b841000000 4c8d0d2e9b0b00 bac6000000 b90d000000 e8???????? } - $sequence_3 = { e8???????? 4c8b642468 448be8 4883c470 415d 5f 5e } - $sequence_4 = { e8???????? 8bf8 85c0 7ead 294318 7408 014314 } - $sequence_5 = { e8???????? 4533c0 4c8d8bb4010000 418d502d 488bc8 e8???????? 488bcf } - $sequence_6 = { e9???????? 498bc9 e8???????? 
488bf8 4885c0 7527 4c8d0d9d780f00 } - $sequence_7 = { e8???????? 488be8 4885c0 750f 488d154fac0c00 488bcf e8???????? } - $sequence_8 = { e8???????? 418bc7 488b4d68 4833cd e8???????? 488b9da0000000 488bb5a8000000 } - $sequence_9 = { e8???????? 33c0 ebc1 ba7a000000 4c8d0d517c0a00 c744242078000000 8d4a89 } + $sequence_0 = { c744242001000000 ff15???????? 85c0 0f8489010000 488b4c2460 448d4f04 4c8d442470 } + $sequence_1 = { 8b45b7 894330 488b45af 4c8965c7 e9???????? c7442420c0000000 ba74000000 } + $sequence_2 = { c3 9b 401400 8c4014 007d40 1400 7440 } + $sequence_3 = { f20f5e05???????? f2410f1100 c3 660fefc0 33c0 f2480f2a8110100000 f2410f1100 } + $sequence_4 = { c744242079010000 e8???????? e9???????? babb000000 4c8d0de4480a00 b910000000 448d4289 } + $sequence_5 = { b830000000 e8???????? 482be0 4533e4 418be8 4c8bf2 488bf9 } + $sequence_6 = { 7438 498bcc e8???????? 85c0 7407 bb2a000000 eb4a } + $sequence_7 = { e8???????? 488d8ba8160000 e8???????? 488bcb e8???????? 488bcb ff15???????? } + $sequence_8 = { 8bf0 85c0 0f85b8000000 488b5c2420 4885db 0f8494000000 488b87c8150000 } + $sequence_9 = { e8???????? 488bbe00020000 4883c9ff 33c0 f2ae 48f7d1 48ffc9 } condition: 7 of them and filesize < 4452352 
@@ -112726,36 +113223,36 @@ rule MALPEDIA_Win_Andardoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "36610ce1-8689-5760-8490-3c048dd08128" - date = "2026-01-05" - modified = "2026-01-06" + id = "845e4a64-842d-58c7-a556-efb320cb2bc4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.andardoor_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.andardoor_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "77bea7a2d8aed8c22ef97e06e53b736b63004170333d5461958719ea43d8bb7c" + logic_hash = "6b29f91fc534de3abe1762f2b69d0c6222525dbfdf82151119c4f3f760d6ac87" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? eb7d 33d2 488d8db0030000 41b808020000 e8???????? 33d2 } - $sequence_1 = { 90 0fb7840da8030000 6689840dd0040000 488d4902 6685c0 75e7 } - $sequence_2 = { 75f4 4c8d043f 488d9560030000 488d4c2468 e8???????? 488b35???????? } - $sequence_3 = { 488b05???????? 4833c4 4889842450400000 33c0 } - $sequence_4 = { 482bfe 0f1f4000 660f1f840000000000 0fb701 } - $sequence_5 = { 4d894bc8 458a4b28 498943e8 488b8424b0000000 498953b8 498d53b8 4d8943c0 } - $sequence_6 = { 488d4c2440 ff15???????? 85c0 7551 } - $sequence_7 = { 488bc8 e8???????? e8???????? 488b0d???????? 
488d542450 4881c108020000 c744245004010000 } - $sequence_8 = { 498bc8 498bd8 e8???????? 33c9 85c0 } - $sequence_9 = { 4883cfff 0f1f8000000000 664439647802 488d7f01 75f4 4c8d043f 488d9560030000 } + $sequence_0 = { 85c0 7578 488d4588 4c896d88 } + $sequence_1 = { 740d ff15???????? 4c8935???????? 488b0d???????? 4883f9ff } + $sequence_2 = { 7e19 448bc3 488d55e0 488bce e8???????? 85c0 } + $sequence_3 = { c744242880000000 4533c0 ba00000040 c744242002000000 ff15???????? 488905???????? } + $sequence_4 = { 48897c2420 488bcb e8???????? 488d8580010000 4c8d8d90030000 4889442420 } + $sequence_5 = { c744245404010000 ff15???????? 488b0d???????? 4c8d81280a0000 } + $sequence_6 = { 488bf8 488bc8 e8???????? 458bcf 895c2428 4c8d442450 } + $sequence_7 = { 41b842000000 488bcf ff15???????? 488bf8 488d4ffe 90 6683790200 } + $sequence_8 = { 488b0d???????? ebb3 33d2 488d4d80 448d4268 e8???????? 33c0 } + $sequence_9 = { e8???????? 488bd8 4885c0 0f85f7feffff 33c0 4889442452 4883cbff } condition: 7 of them and filesize < 339968 
@@ -112765,36 +113262,36 @@ rule MALPEDIA_Win_Gspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cfcf9b9b-4569-5d0f-801d-7a4c03469882" - date = "2026-01-05" - modified = "2026-01-06" + id = "7626af5e-836e-5022-af48-0023f94f9118" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gspy_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gspy_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "5f09532c5cfce71a555d1d7b8c6eb07037f464516d07c67472b924dd34736987" + logic_hash = "3a5d2e1316df0639ee07c76bc59a11a385bbcf5636e050885bf35e88f0de9304" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 8d54241b 52 e8???????? 8944242c 8a442413 8b5c242c } - $sequence_1 = { 83c01c 50 55 56 ff15???????? 85c0 740a } - $sequence_2 = { 8a442412 3cff 7567 8b4d04 66c744241c3f2a c744241ec0744200 33c0 } - $sequence_3 = { c20400 8b0d???????? 56 33c0 57 8b3d???????? 3bcd } - $sequence_4 = { 85c0 757a 8b442414 8b08 8d542420 52 50 } - $sequence_5 = { 51 ff15???????? 85ff 7409 8d442418 e8???????? 
83c304 } - $sequence_6 = { 8bf0 89742410 85f6 7449 33c0 897c2414 } - $sequence_7 = { 57 8bf8 32c0 88442407 85ff 0f8456010000 53 } - $sequence_8 = { 8b4124 ffd0 85c0 0f8464ffffff 8b442410 8b08 8b5108 } - $sequence_9 = { 7408 3c09 7c0e 3c0d 7f0a 83fa02 } + $sequence_0 = { c78424d400000099f0883d c78424d800000024a63dde c78424dc0000005bd3b382 c78424e00000009c7e06f4 c78424e40000000816aa07 c78424e80000007ef93a37 c78424ec00000041c4b015 } + $sequence_1 = { 75e9 8d4c2424 83fe01 752b 8d94242c020000 52 } + $sequence_2 = { 50 ff15???????? 8b442424 8b35???????? 85c0 7403 50 } + $sequence_3 = { e8???????? 55 8ad8 a1???????? 6a00 50 ff15???????? } + $sequence_4 = { 83c604 8907 8b06 83c704 85c0 75d9 eb04 } + $sequence_5 = { 51 ff15???????? 8b74241c 8b442418 8b10 50 8b4208 } + $sequence_6 = { 50 e8???????? 8d4c2404 51 6a00 b801000000 6a00 } + $sequence_7 = { 50 885c2420 ffd7 85c0 740f 03c0 8d742460 } + $sequence_8 = { 56 33db b802000000 57 bf00100000 896c2410 } + $sequence_9 = { 50 8bf0 ff15???????? 85c0 7430 03c0 e8???????? } condition: 7 of them and filesize < 421888 
@@ -112804,36 +113301,36 @@ rule MALPEDIA_Win_Tinyfluff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "261677c7-52da-544b-abba-e2c9762083b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "3eca6862-6e09-58a6-acd1-a2af98bf8e58" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyfluff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinyfluff_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinyfluff_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "305926cc2d71188dd193eb77d1fd5b2696d785cc7114678a3a44727f806b5473" + logic_hash = "6afa74067516ba5088f7bd96111298af62d0633ee2efb535cb1f77ad63a7d097" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 50 51 ffb5dcfbffff 8d8d74fbffff e8???????? 8d8590fbffff } - $sequence_1 = { 85c0 7418 8b858cfbffff 85c0 7407 50 } - $sequence_2 = { 8b0c8550704100 8a043b 03ce 8b75dc } - $sequence_3 = { eb6f 8b07 8d1c85446d4100 8b33 85f6 } - $sequence_4 = { e8???????? 
be01000000 8b95d8fbffff 83fa08 7235 } - $sequence_5 = { c7404860604100 8b4508 6689486c 8b4508 66898872010000 8d4dff 8b4508 } - $sequence_6 = { c7404860604100 8b4508 6689486c 8b4508 66898872010000 } - $sequence_7 = { 33c0 c744246000000000 c744246407000000 6689442450 } - $sequence_8 = { 8d85a8fbffff 6a01 0f4385a8fbffff 68???????? } - $sequence_9 = { c1fa06 8934b8 8bc7 83e03f 6bc838 8b049550704100 8b440818 } + $sequence_0 = { 8bce 83e63f c1f906 6bf638 8b0c8d50704100 } + $sequence_1 = { e9???????? 8d8de0fbffff 8d5102 668b01 83c102 6685c0 75f5 } + $sequence_2 = { 83e13f c1f806 6bc938 8b048550704100 f644082801 } + $sequence_3 = { 57 8db8b06e4100 57 ff15???????? } + $sequence_4 = { 8b8650704100 85c0 740e 50 e8???????? } + $sequence_5 = { 6bc838 53 56 8b049550704100 } + $sequence_6 = { 8bce 83e63f c1f906 6bf638 8b0c8d50704100 80643128fd } + $sequence_7 = { 8b0c8550704100 8a043b 03ce 8844192e 43 3bda } + $sequence_8 = { 6a04 58 6bc000 c7806c69410002000000 6a04 58 } + $sequence_9 = { 8b7db4 8bf3 8b04bd50704100 03c1 885c302e 46 3bf2 } condition: 7 of them and filesize < 245760 
@@ -112843,41 +113340,41 @@ rule MALPEDIA_Win_Whitebird_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f55b3f7-b049-5ddb-a603-f3dac3229eba" - date = "2026-01-05" - modified = "2026-01-06" + id = "8d8629e9-04d0-5d1b-a7ec-52f8962a19ca" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.whitebird_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.whitebird_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "084753ca04c12bd29943e734768bdc4d7b6a6a5445a6b9fa8738444da44f9e8b" + logic_hash = "d87787dcbb00e387c1455bf1cef6c6ed4e84fd4e1eef674ade6ef4ca6e18318e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { eb09 80f92f 0f95c1 80c13f } - $sequence_1 = { 488b83e8140000 488d15a7f2ffff 41b82f000000 488901 488b83f0140000 } - $sequence_2 = { 56 e8???????? 59 8945d4 85c0 0f84f5000000 6a00 } - $sequence_3 = { 66898d56ffffff 59 6689855cffffff 66898d58ffffff 8bc8 33c0 } - $sequence_4 = { 74ea 3918 7467 8b85f4feffff } - $sequence_5 = { 7cd5 41c60300 4863c2 4c2bd8 4c891e } - $sequence_6 = { 4c8d4c2440 458bc4 488bd0 488bcd } - $sequence_7 = { 66898572ffffff 66898d68ffffff 59 6a73 66898d6affffff 8bc8 58 } - $sequence_8 = { 488d0dacc9ffff 41b808020000 ff15???????? 
4c8d5c2478 488d8424b0000000 } - $sequence_9 = { 8d43f5 66898c2400010000 66898424fe000000 8d43f6 6689942408010000 } - $sequence_10 = { ffd0 8d4584 50 6802000080 } - $sequence_11 = { 41bc00200000 498bd4 488d8c2450050000 e8???????? 33c0 488bcb } - $sequence_12 = { 8985b8fcffff 8b859cfcffff 0fb74002 83c40c 50 c785b4fcffff06000000 ff15???????? } - $sequence_13 = { 83fe1a 0f8c77ffffff 488d4c2450 ff15???????? 8b542460 8b442458 } - $sequence_14 = { 6806020000 50 668985f4fdffff 8d85f6fdffff 50 e8???????? 8bc7 } + $sequence_1 = { 83ff0b 0f8e2d010000 488d842460030000 488d8c2470030000 488b10 } + $sequence_2 = { 51 e8???????? 59 8985a8fdffff } + $sequence_3 = { 418d5003 8d7aff 8bcf ff15???????? 33c9 } + $sequence_4 = { 834dfcff 8bc8 a3???????? e8???????? bf???????? 57 ff15???????? } + $sequence_5 = { a1???????? 83c410 85c0 7405 8b4004 eb02 } + $sequence_6 = { 56 43 53 e8???????? 53 } + $sequence_7 = { 48895c2428 4c895c2420 ff5718 3bc3 0f8c3a010000 } + $sequence_8 = { e9???????? ba20000000 488bcf ff15???????? 4c8be0 4885c0 } + $sequence_9 = { 488bf2 8d6b05 4863cd e8???????? 488bf8 } + $sequence_10 = { be05000000 403833 7551 8a4301 } + $sequence_11 = { 488d05d4bdffff 33ff 4c8be9 488901 4889b910020000 } + $sequence_12 = { 68???????? 57 ff15???????? 8bf0 59 33c0 59 } + $sequence_13 = { 899da0f5ffff c78594f5ffff64000000 e8???????? 53 6a01 8d85d7f5ffff 50 } + $sequence_14 = { eb3f 6a54 ebd2 83e864 742a 48 } condition: 7 of them and filesize < 139264 
@@ -112887,42 +113384,42 @@ rule MALPEDIA_Win_Winsloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "191c86a4-a63b-58ad-aa56-a92769922387" - date = "2026-01-05" - modified = "2026-01-06" + id = "ba76a90b-c734-50e9-972e-d56f090bf0e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.winsloader_auto.yar#L1-L171" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.winsloader_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "b2fd64965251990b571c8a72ebd9a6faa4e5fa165dfd7a3b0d129cdd9946e8f7" + logic_hash = "3e23de21e591d5e814dc9229e916c96b455b15e493e83f4f6d54002bf8da25e4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c a4 ffd0 5b 5f } - $sequence_1 = { 83c434 85ff 7510 56 e8???????? 83c404 33c0 } - $sequence_2 = { 8d5c3304 e8???????? 8b0d???????? 8b15???????? 6689841dfcfbffff } - $sequence_3 = { b8???????? 83c40c 66c7843500fcfffff90b 8d4801 8d4900 } - $sequence_4 = { 75f9 2bc1 0fb6f8 888435fefbffff 8d4701 50 } - $sequence_5 = { 8d44020c 0fb6f9 66898435fefbffff 888c3500fcffff 8d4f01 51 8d943501fcffff } - $sequence_6 = { 50 e8???????? 68???????? 8d5c3304 } - $sequence_7 = { 83c40c 03f7 b8???????? 
66c78435fcfbffff9001 8d4801 8a10 40 } - $sequence_8 = { 83c40c 6800040000 8d8dfcf7ffff 51 } - $sequence_9 = { 8d8dfcf7ffff e8???????? 85c0 7507 33c0 } - $sequence_10 = { 894df0 8b34cdb86a0110 8b4d08 6a5a 2bce 5b } - $sequence_11 = { 7466 40 68???????? 50 e8???????? 83c408 } - $sequence_12 = { 57 8db8b0c20110 57 ff15???????? ff0d???????? } - $sequence_13 = { 8b85f8f3ffff c68405fcfbffff0b 8b8df8f3ffff 83c101 898df8f3ffff } - $sequence_14 = { 0f84ee020000 66660f1f840000000000 81f900010000 0f8587000000 8bce } - $sequence_15 = { 1bc0 23c1 83c008 5d c3 8b04c50c480110 5d } + $sequence_0 = { 6800100000 56 8d8375050000 6a00 a3???????? ff15???????? 8bf8 } + $sequence_1 = { 68???????? 52 e8???????? 68???????? 8d743e06 e8???????? } + $sequence_2 = { 888c3500fcffff 8d4f01 51 8d943501fcffff } + $sequence_3 = { 8d9b00000000 891cc8 895cc804 41 } + $sequence_4 = { 83c410 8d7001 8d9b00000000 8a08 40 84c9 75f9 } + $sequence_5 = { 83c40c 66c7843500fcfffff90b 8d4801 8d4900 8a10 40 } + $sequence_6 = { 83c40c 6800040000 8d8dfcf7ffff 51 } + $sequence_7 = { 57 8bd8 ff15???????? 53 e8???????? 8bf0 83c404 } + $sequence_8 = { 742e 6a00 57 ff15???????? 6a00 } + $sequence_9 = { 42 3bd3 72f3 8b7c2424 e9???????? 8b442414 } + $sequence_10 = { 83c404 85f6 0f847f000000 57 6a00 } + $sequence_11 = { 741c 8b74241c 8bcf 2bf7 } + $sequence_12 = { 83e03f 6bc830 8b0495c0c00110 f644082801 } + $sequence_13 = { e9???????? c745e0647c0110 e9???????? c745dc02000000 } + $sequence_14 = { e8???????? 83c448 68???????? 6a40 68???????? e8???????? } + $sequence_15 = { 56 e8???????? ff75c8 e8???????? 83c438 33f6 } condition: 7 of them and filesize < 270336 
@@ -112932,36 +113429,36 @@ rule MALPEDIA_Win_Chinad_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bcb15e04-b813-5c23-a320-19f34e438aaa" - date = "2026-01-05" - modified = "2026-01-06" + id = "80c5c3d5-342a-5d40-930e-5283e5683416" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chinad_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chinad_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "68dce9aa3cd2233ae8311dfd66d73079e3ad26ce882f6e912148b0f3a7f1f190" + logic_hash = "1134f8f9df296c4970d46e2d05f0af7e8e5a7e70d83fe29743cbe74db2ce9606" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0facde15 83c007 c1fb15 50 89b574ffffff 899d44ffffff e8???????? } - $sequence_1 = { 2385d4feffff 8d93f36f2e68 8985d8feffff 8bc6 2385b8feffff 0985d8feffff 8bc7 } - $sequence_2 = { c64418050a 745a 8b048d88ec4300 8a441825 3c0a } - $sequence_3 = { 8d8534ffffff 50 e8???????? 8d8534ffffff 50 e8???????? 83c430 } - $sequence_4 = { 13bd2cfdffff 81c3281e6323 81d7faffbe90 019d14fdffff 11bd38fdffff } - $sequence_5 = { 898508fdffff 8b8514fdffff 33ff 898d2cfdffff 33d2 8b8d38fdffff } - $sequence_6 = { 0facca08 8975fc c1e908 8850f8 8bce 8bd3 0facca10 } - $sequence_7 = { 50 e8???????? 
8b4dec 33c8 8b4514 03c1 894dec } - $sequence_8 = { 8b8d9cfeffff 898d9cfeffff 8b9594feffff 899590feffff 8b8598feffff 898594feffff 8b8da4feffff } - $sequence_9 = { 8b8520fdffff 0bd1 319508fdffff 33d2 8b8d18fdffff 8bf1 0fa4c119 } + $sequence_0 = { 83f9bf 772d ff751c 8b4510 83c6c0 83d7ff 57 } + $sequence_1 = { 837df400 7407 c745f001000000 837df400 740a 8b45f4 50 } + $sequence_2 = { 13f8 039db4fdffff 8b8510fdffff 8bf0 13bdb8fdffff 039d0cfdffff 13bdfcfcffff } + $sequence_3 = { 11550c ff75d8 ff75d0 e8???????? 0145f4 ffb570ffffff 11550c } + $sequence_4 = { 13da ff75d8 ff75d0 e8???????? ff75a0 03f0 ff759c } + $sequence_5 = { 8b7508 6a08 8d4620 50 8d45f4 50 e8???????? } + $sequence_6 = { ff15???????? 68???????? 68???????? ff15???????? eb6e 68???????? 6a00 } + $sequence_7 = { 8bc2 895598 8b55e0 13cb 898d70ffffff 0facc815 } + $sequence_8 = { ba08000000 8d4900 8a48fe 8d4004 0a48fb 0a48fd 0a48fc } + $sequence_9 = { 89750c 8b75ec 13da 895df0 8b5ddc 81c300000001 50 } condition: 7 of them and filesize < 598016 
@@ -112971,36 +113468,36 @@ rule MALPEDIA_Win_Vhd_Ransomware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0a8c66bf-eb2b-583f-b44b-433c73c780b6" - date = "2026-01-05" - modified = "2026-01-06" + id = "3eb9d40f-ff35-5179-8981-dd8b14521fe0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vhd_ransomware_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vhd_ransomware_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "dae74c2bc008a70be0fd9b501245d9759dea529e108a1bf96ef7d1de1daf70f9" + logic_hash = "0f5f660b67fba64c29fe18496009f09d3aae32c2edd291f997d3b0d2acf1d206" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { f3ab 8b8530030000 8902 33c0 89a54cf3ffff 398530030000 7e1b } - $sequence_1 = { e8???????? 81c44c060000 80bd7ff6ffff00 7424 8bb574f6ffff 8d8dd0fcffff } - $sequence_2 = { 33d3 8b5df4 0fb69b98744100 0fb61c9d9b854100 33d3 8b5df8 } - $sequence_3 = { 785b 8d74ba04 8b4e04 33c0 33db 0306 13cb } - $sequence_4 = { 83c8ff 5d c3 6a08 68???????? e8???????? e8???????? } - $sequence_5 = { 33c0 b9c8000000 8d7a04 f3ab 8b8dd0fcffff 890a 85c9 } - $sequence_6 = { 8945cc bf40000000 b8???????? 
8d75e0 895dc8 c745f40f000000 c745f000000000 } - $sequence_7 = { 8bd8 899d28b4ffff 83fbff 0f8430010000 8b4510 8b4d0c 50 } - $sequence_8 = { 398530030000 7e14 8d4a04 8bb48534030000 8931 40 83c104 } - $sequence_9 = { 03c2 13ce 33d2 52 8b95f4efffff 52 51 } + $sequence_1 = { c78520e6ffff70020000 e8???????? 8b8520e6ffff 8b848524e6ffff 8bc8 c1e90b 238da4f9ffff } + $sequence_2 = { 8845ea 8b45e4 48 8855e9 33d2 8955e0 8945dc } + $sequence_3 = { 8d4a04 8d9b00000000 8bb485a8f9ffff 8931 40 83c104 } + $sequence_4 = { 89a5f4fcffff c60600 e8???????? 8db5f8fcffff } + $sequence_5 = { b801000000 5b 5d c3 8b7d08 e8???????? } + $sequence_6 = { 8b45f8 c9 c3 8bff 55 8bec 5d } + $sequence_7 = { 8b8534f3ffff 40 898534f3ffff 83f820 0f8c23fdffff 8b8538f3ffff 83853cf3ffff04 } + $sequence_8 = { 8345e404 ebe6 c745e0bc514100 817de0c0514100 } + $sequence_9 = { 897de4 8955e0 c60600 895dd8 3bc2 7416 } condition: 7 of them and filesize < 275456 
@@ -113010,36 +113507,36 @@ rule MALPEDIA_Win_Echo_Gather_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7335def2-506d-5260-8b0d-ff3650457aaa" - date = "2026-01-05" - modified = "2026-01-06" + id = "5171c59e-97c4-548d-a823-11eaaac4ceba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.echo_gather" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.echo_gather_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.echo_gather_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "b9e20804863a93244aef376504c1242a73dc60c7321ec31adf915aed9161664d" + logic_hash = "4a250010d057baa3a66c5861fd8998fe771afec2203e9be7843163d459e1c93e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4989d9 4d89fc 488b5c2430 4c8b7c2438 4589f0 4183fe39 0f8451030000 } - $sequence_1 = { 488b45d8 4889c1 488b05???????? ffd0 e9???????? 8b45bc } - $sequence_2 = { 74c4 b920000000 e8???????? 8b4324 83c001 894324 4183ed01 } - $sequence_3 = { 48898424f8040000 488b842450040000 4889842400050000 66c78424e00400000000 e8???????? 4889c2 488b4d10 } - $sequence_4 = { 743f 48c1ea20 7539 4883eb01 4889da e8???????? 
85c0 } - $sequence_5 = { 7561 4181fd7a000780 7409 4181fd26000780 75b4 } - $sequence_6 = { 0f94c0 84c0 744a 8b45ec 89c0 4889c2 b940000000 } - $sequence_7 = { 48c78424a800000011000000 c78424bc00000000000000 eb31 8b8424bc000000 4898 488b54c420 488b4510 } - $sequence_8 = { 488d8c2450010000 488d942450020000 488d842450030000 4989c8 4889c1 e8???????? } - $sequence_9 = { ba01000000 b9f1000000 e8???????? 488945f0 488b05???????? } + $sequence_0 = { 8b8424ac000000 39e8 75c2 84d2 7504 660f10c5 f20f100d???????? } + $sequence_1 = { 85ed 0f84d4020000 448b442458 4529f4 418b5504 418d442401 4489c1 } + $sequence_2 = { 488b05???????? ffd0 4889842468040000 488b842468040000 4889c1 e8???????? } + $sequence_3 = { c3 6641833900 0f852affffff e9???????? 4183e001 400fb6d5 488d4e02 } + $sequence_4 = { 08d1 7414 4885f6 740f 488b542440 83e301 488d1453 } + $sequence_5 = { 4889c1 e8???????? 488b4518 488d5008 488b45e8 41b900000000 41b824000000 } + $sequence_6 = { 0f94c0 84c0 740a b800000000 e9???????? 488b4d10 } + $sequence_7 = { 48894d10 48895518 48837d1000 7407 48837d1800 } + $sequence_8 = { 84d1 7409 4439c0 0f8fdd0e0000 8b542460 4101c3 448b642470 } + $sequence_9 = { 4889442420 48894c2440 e8???????? 89c5 85c0 0f8926ffffff e9???????? } condition: 7 of them and filesize < 246784 
@@ -113049,36 +113546,36 @@ rule MALPEDIA_Elf_Nosedive_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0896063d-4b04-5de6-a33c-b1437bc56c3d" - date = "2026-01-05" - modified = "2026-01-06" + id = "c9a8f19b-f74f-50aa-88c2-6cc50c81f5c1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.nosedive_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.nosedive_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8416103e0574bbf55ec9fa82bbc72a32d4b6a677477fed1dee3caabd7071b0d2" + logic_hash = "b5a6cc1bf72377145bc8ef6538251ceeda90c236cc5e68f1cd6540345dca2a49" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8b06 488b7c2408 4589ed 8907 428b442efc 4289442ffc } - $sequence_1 = { c644240800 8b7b10 31c9 488db42404010000 4989e4 ba02000000 e8???????? } - $sequence_2 = { ebe9 4531f6 4531ff 488b6c2410 4c397320 7630 488b4318 } - $sequence_3 = { e8???????? 5f b8008fffff 4158 e9???????? 4c8d05117f0f00 b974090000 } - $sequence_4 = { eb17 4889de 4889ef e8???????? 
48895d10 48895d18 4c897520 } - $sequence_5 = { b93f000000 4429f9 4585c9 7527 4139ca 7d27 418d4f01 } - $sequence_6 = { f348ab 49837e6000 4d896e70 49895e78 751e b810000000 4983ff14 } - $sequence_7 = { c3 83c8ff 48397e08 7543 8b07 4c634610 2500010000 } - $sequence_8 = { e8???????? 8b4c243c ffc0 7516 48c7c098ffffff 6483385a 0f85e8010000 } - $sequence_9 = { e9???????? 48ffc0 80fa3a 7408 8a10 84d2 75f2 } + $sequence_0 = { eb1c 8b1486 891487 48ffc0 4839c3 75f2 488d049d00000000 } + $sequence_1 = { 8b12 83fa7f 0f869a000000 c1ea07 81fa001c0000 750a 4889b42480000000 } + $sequence_2 = { 85c0 746a 488d0d2f6c0400 ba6b000000 488d35d0680400 488d3dd5680400 e8???????? } + $sequence_3 = { e8???????? 488b7b10 e8???????? 48c7430801000000 ba08000000 48896b10 eb87 } + $sequence_4 = { eb1a 761a 4883ff02 7502 31ff 488d15c20d0e00 488d72f8 } + $sequence_5 = { 85c0 7460 4983c508 ebdf 4963ca 4889c7 4c89ce } + $sequence_6 = { 84c9 0f85b7000000 4180fd01 7429 31c0 4c8d0525950f00 4c89e2 } + $sequence_7 = { e8???????? 85c0 0f85bc020000 488b542438 488b742448 4c89ef e8???????? } + $sequence_8 = { 8b0d???????? 0fbae109 7333 85d2 790d 0fbae21e 488d058cb20100 } + $sequence_9 = { e9???????? 488d3d54b60b00 e8???????? 488d3dc4720c00 31c0 e8???????? 4c8d8c24b0010000 } condition: 7 of them and filesize < 3268608 
@@ -113088,36 +113585,36 @@ rule MALPEDIA_Win_Atmspitter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6677a06d-f51d-5f9e-9075-cbbb34c35eda" - date = "2026-01-05" - modified = "2026-01-06" + id = "c85f1421-0176-5019-ad8e-f16de95cf81a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atmspitter_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atmspitter_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "bc5ce97320d3edf2cd777ada69ace7755633451b31f436076d0e817156126e74" + logic_hash = "bbb59db3f43e7008a680e61809047bc9b84d60548ab432dbb68aab227a9a6191" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c70009000000 e8???????? ebd1 8bc8 c1f905 8d3c8d60da4000 } - $sequence_1 = { 57 8bc2 c1f805 8b048560da4000 8bfa } - $sequence_2 = { c686c800000043 c6864b01000043 c7466850c44000 6a0d e8???????? 59 8365fc00 } - $sequence_3 = { ff15???????? 6a02 6a00 8bf8 6a00 57 } - $sequence_4 = { 7d0d 8a4c181c 888870c64000 40 } - $sequence_5 = { 50 68???????? e8???????? 83c408 68???????? e8???????? 
8b4528 } - $sequence_6 = { 83f914 0f8798000000 0fb691b0854000 ff249588854000 } - $sequence_7 = { 0f8c260a0000 8d42e0 3c58 770f 0fbec2 0fbe8060914000 83e00f } - $sequence_8 = { 56 57 50 c745fc00000000 ffd3 } - $sequence_9 = { 53 8b1d???????? 56 57 50 c745fc00000000 } + $sequence_0 = { 68???????? e8???????? 83c404 eb77 68???????? e8???????? } + $sequence_1 = { 8b4c2414 8b54244c 51 52 68???????? e8???????? 83c410 } + $sequence_2 = { 8b1d???????? 56 57 50 c745fc00000000 ffd3 } + $sequence_3 = { e8???????? 83c404 e9???????? 3d00f00028 0f87b7000000 0f849f000000 3d04ef0020 } + $sequence_4 = { 8b0c8d60da4000 c1e006 0fbe440104 83e040 } + $sequence_5 = { 68???????? e8???????? 83c408 68???????? e8???????? 8b4528 83c404 } + $sequence_6 = { 89442430 ff15???????? 40 837d0804 89442428 741f 8b550c } + $sequence_7 = { e8???????? ebd1 8bc8 c1f905 8d3c8d60da4000 8bf0 } + $sequence_8 = { 81e907ef0020 7419 49 0f85dd000000 68???????? e8???????? 83c404 } + $sequence_9 = { 56 57 33ff ffb7c4cb4000 ff15???????? } condition: 7 of them and filesize < 147456 
@@ -113127,36 +113624,36 @@ rule MALPEDIA_Win_Killav_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "964918fc-ee46-54ff-896b-e1283f7b0e40" - date = "2026-01-05" - modified = "2026-01-06" + id = "1408957e-4599-51ba-a09c-95dde355580f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.killav_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.killav_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "8efc8b29b31fba331f15fc6d418a70e9cc051d66f52514c3f27af471a4a7b82f" + logic_hash = "04eb14b50262060a97f19cbe61adb75eaeb660a96a83749938b18d56d4587afc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 6a09 33c0 c745d800000000 68???????? 8d4dd8 } - $sequence_1 = { 51 e8???????? 83c408 6a13 33c0 c745d800000000 68???????? } - $sequence_2 = { 85c0 0f84b7910000 83f808 7d0f 6bc018 05???????? 
} - $sequence_3 = { eb1a 8b4508 8bc8 83e03f c1f906 6bd038 8b0c8d70ba4300 } - $sequence_4 = { 8b0c8d70ba4300 804c112802 5b 2bf7 83e6fe 5f 8bc6 } - $sequence_5 = { 895db8 c745dc01000000 8b048570ba4300 8945d4 0f8533010000 8b55d4 8bc3 } - $sequence_6 = { 8b0b 8b4904 6a00 ff75dc ff75e8 } - $sequence_7 = { 0fb74d08 33c0 663b88bcf34200 740d 83c002 83f814 } - $sequence_8 = { c645fc15 50 8d4dd0 e8???????? c645fc00 } - $sequence_9 = { 741c 81f900000400 7542 0c80 88441628 8b04bd70ba4300 c644102901 } + $sequence_0 = { 8b049d70ba4300 8b4de0 f644082801 7515 e8???????? } + $sequence_1 = { 8bc2 8bca 83e03f c1f906 6bc038 8b0c8d70ba4300 807c012800 } + $sequence_2 = { c745ec07000000 668945d8 e8???????? 8d45d8 c645fc11 } + $sequence_3 = { 6a26 58 0fb60c855ed34200 0fb634855fd34200 8bf9 8985b0f8ffff } + $sequence_4 = { e8???????? 8d45d8 c645fc1b 50 8d4dd0 e8???????? c645fc00 } + $sequence_5 = { c1f806 6bc938 8b048570ba4300 0fb6440828 83e040 5d c3 } + $sequence_6 = { 807dfc01 8b4df4 8b55f0 7522 8b048d70ba4300 f644022d02 } + $sequence_7 = { c7869800000050c74200 c7460401000000 8b4dfc 5f 5e 33cd 5b } + $sequence_8 = { eb56 8b048580bb4200 6800080000 6a00 50 8945fc ff15???????? } + $sequence_9 = { 85c0 0f8561ffffff ff742410 ff15???????? } condition: 7 of them and filesize < 517120 
@@ -113166,39 +113663,39 @@ rule MALPEDIA_Win_Pss_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8f53afdc-5ec6-5728-abfd-d91f1e9f3440" - date = "2026-01-05" - modified = "2026-01-06" + id = "fbbb2815-94c8-561e-94c6-498d07321f32" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pss_auto.yar#L1-L139" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pss_auto.yar#L1-L140" license_url = "N/A" - logic_hash = "1278c29ce9286804a6a68366ec725de6162c277ad4b04021e24c075a2ce1e54a" + logic_hash = "1bf8fcdb627b9f8c2470bed889f91c7321c8e9a7ea36557fd1df759ed4db903f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8d48fe e8???????? e9???????? 83f811 } - $sequence_1 = { 7437 ff15???????? 3de5030000 752a } - $sequence_2 = { ff15???????? 83ceff 3bc6 7504 } - $sequence_3 = { 8d4dbc c745fc02000000 e8???????? 8d8550ffffff 50 8d45bc } - $sequence_4 = { 6a00 ff15???????? 50 ff15???????? b001 eb24 e8???????? } - $sequence_5 = { 8d7f08 8b048d387a0010 ffe0 f7c703000000 } - $sequence_6 = { 83feff 0f8413020000 33c0 8d7c2424 ab ab ab } - $sequence_7 = { 51 ff75dc ff15???????? 85c0 751c } - $sequence_8 = { 8bf0 488bcd ff15???????? 85f6 740f 4439b42488000000 } - $sequence_9 = { 90 4c89642420 4c89642428 e8???????? 
} - $sequence_10 = { 48895d90 4c896588 4488642478 448d430c } - $sequence_11 = { 750d 48890a 488b4908 44384119 74ea } - $sequence_12 = { a801 7524 83c801 8905???????? 488d05c93d0000 488905???????? } + $sequence_1 = { ff15???????? 83ceff 3bc6 7504 } + $sequence_2 = { 7437 ff15???????? 3de5030000 752a } + $sequence_3 = { 53 56 bb???????? 53 8bf1 } + $sequence_4 = { eb07 c74004???????? 5e 5d c20800 6a04 } + $sequence_5 = { b8ffdb0000 663bd0 77dc 3bf3 743c 0fb70e } + $sequence_6 = { 833900 7405 e8???????? 68???????? ff15???????? } + $sequence_7 = { 803e00 7539 68???????? ba00010000 8bcb e8???????? c745c402000000 } + $sequence_8 = { 33c9 418d6801 8bd5 ff15???????? } + $sequence_9 = { 418d5101 ff15???????? 488905???????? 4885c0 0f84e7020000 } + $sequence_10 = { 48f7e7 480f40c3 488bc8 e8???????? 4183c9ff 4d8bc7 } + $sequence_11 = { 0f84ba000000 4883cbff 4c63ff 4d03fe 498bd7 488d4c2478 } + $sequence_12 = { 488bd0 488d0d496a0100 e8???????? 90 48837c244008 } condition: 7 of them and filesize < 421888 
@@ -113208,36 +113705,36 @@ rule MALPEDIA_Win_Cruloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "39947838-03a3-5a24-945d-6e866d043993" - date = "2026-01-05" - modified = "2026-01-06" + id = "beb777f6-698b-5f87-9417-eaa53db36a44" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cruloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cruloader_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cruloader_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "4307b8e0f195ebffc58740c34a8819f9896c989908200e4e4f90e094ceef34c2" + logic_hash = "1d25f7864b0ec52a1506576efb05e68dedde2efdecc898c3ce096861873bf5c1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 56 57 8b7d08 eb6f 8b07 8d1c85605c4100 } - $sequence_1 = { 8b413c 0f104508 53 56 } - $sequence_2 = { 8bcf 83e73f c1f906 6bd738 8b0c8dd85e4100 c644112800 85f6 } - $sequence_3 = { 6bc618 57 8db8e8604100 57 ff15???????? } - $sequence_4 = { c0c104 80f19a 884c15f0 42 3bd0 } - $sequence_5 = { 8b75e4 3bf7 7523 baf63f4890 b901000000 } - $sequence_6 = { 33f6 898de0fcffff 898500fdffff 85db } - $sequence_7 = { 894de0 8b049dd85e4100 f644082801 7469 } - $sequence_8 = { 8b8514fdffff 898d0cfdffff 0fb74006 898508fdffff 85c0 7433 83c108 } - $sequence_9 = { b902000000 e8???????? 
ba241d19e5 a3???????? } + $sequence_0 = { a3???????? 33c9 e8???????? ba4d822ee6 33c9 e8???????? } + $sequence_1 = { 83c408 85c0 0f8540040000 ba4d822ee6 33c9 e8???????? } + $sequence_2 = { 83e13f c1f806 6bc938 8b0485d85e4100 0fb6440828 } + $sequence_3 = { 8d1c85505e4100 8b03 90 8b15???????? 83cfff 8bca 33d0 } + $sequence_4 = { 56 57 8b7d08 eb6f 8b07 8d1c85605c4100 } + $sequence_5 = { 89049d90624100 43 81fb00010000 0f8c5cffffff } + $sequence_6 = { 41 0fbfc1 3bc6 72dd 8b7a04 03d7 8b7a04 } + $sequence_7 = { 53 56 57 33c9 0f1145ec e8???????? } + $sequence_8 = { ddd8 db2d???????? b802000000 833d????????00 0f85b00d0000 8d0db02f4100 ba1b000000 } + $sequence_9 = { 3bf8 7210 8b8508fdffff 42 83c128 3bd0 } condition: 7 of them and filesize < 196608 
@@ -113247,66 +113744,66 @@ rule MALPEDIA_Win_Purplefox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a13fd35f-ff4a-5d50-9b5d-b24cdc4536ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "34a46ea5-c31f-5a3e-bf06-a3099f772a6d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.purplefox_auto.yar#L1-L381" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.purplefox_auto.yar#L1-L388" license_url = "N/A" - logic_hash = "19db2fd8d55e9f90545cae61363b7c1883764c9fb7fb14f78b3fa3d087d84046" + logic_hash = "b161dd636f1f60dd3dea9e5aea74e9bbfb20d047d3e6bea34d6bf5b7c6f3077a" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 8b15???????? 53 8a1d???????? 6a01 8906 } - $sequence_1 = { 8945f4 3bc7 740d 8b7308 } - $sequence_2 = { c1fa05 c1e006 030495000c4100 eb05 b8???????? f6400420 } - $sequence_3 = { 85c0 7912 488b8d90010000 ff15???????? e9???????? 488b8d98010000 4533c9 } - $sequence_4 = { 8bcf e8???????? e9???????? 488d0df6200000 ff15???????? 488b3b } - $sequence_5 = { 6800000010 8d45f8 bf40020000 50 c745c018000000 895dc4 } - $sequence_6 = { 488d4e1c 33d2 41b801010000 e8???????? 4c8d546d00 4c8d1db0920000 49c1e204 } - $sequence_7 = { 66b8f230 8b4500 f9 f9 e9???????? } - $sequence_8 = { ff15???????? 488d542440 488d0dca110000 4c8bc6 ff15???????? 
488d4c2440 41b001 } - $sequence_9 = { 57 4883ec60 48c7442440feffffff 48899c2488000000 } - $sequence_10 = { 8b7de8 56 8d8dacfbffff 51 8d55b0 52 } - $sequence_11 = { 8da42400000000 8038ff 750b 80780175 7505 385802 7409 } - $sequence_12 = { c9 49 3658 8a3f 3658 7642 } - $sequence_13 = { 4889442430 488b05???????? c644242800 488b08 ba00020000 48894c2420 } - $sequence_14 = { ff15???????? 8bf0 85f6 7914 56 68???????? ffd3 } - $sequence_15 = { ebcf 8bc6 c1f805 8b0485000c4100 83e61f c1e606 8d443004 } - $sequence_16 = { 35fd937dd3 43 d0f2 2f 4a 87cd } - $sequence_17 = { 448bc6 442bc0 488b442450 488d0d4b7e0000 488b0cc1 } - $sequence_18 = { 56 12581a 887ea4 3d0b3a08c2 } - $sequence_19 = { 83c408 6a00 51 ff15???????? 8bf0 } - $sequence_20 = { 51 e8???????? 83c404 8b5704 68???????? } - $sequence_21 = { 81e900202200 be100000c0 0f84ec020000 83e904 0f8486010000 83e904 } - $sequence_22 = { 3918 0f4c18 3bcb 0f8d87000000 488d3dd7b70000 ba58000000 488bcd } - $sequence_23 = { 9c 60 c64424043e f5 } - $sequence_24 = { 488b4c2470 ff15???????? 488b8d08040000 ff15???????? } - $sequence_25 = { 57 56 6a0b ffd3 3d040000c0 750d } - $sequence_26 = { 85c0 790a 8b4df8 ffd3 e9???????? } - $sequence_27 = { 58 773d 33f9 13c9 } - $sequence_28 = { e8???????? 33ff 33c0 8945f4 8945f0 8945f8 8b450c } - $sequence_29 = { c740e40d000000 8b55f8 8950e8 8b4660 } - $sequence_30 = { 488d4c2420 33d2 4889442420 8b05???????? } - $sequence_31 = { 4883f83c 7647 498bcd e8???????? 4c8d05436c0000 41b903000000 488d4c45bc } - $sequence_32 = { 488b4b08 ff15???????? c70300000000 4883c420 5b c3 } - $sequence_33 = { 4883c202 668941fe 6685c0 75ec 488b7e08 4883c9ff 33c0 } - $sequence_34 = { 4883ec20 488bd9 e8???????? 4c8d1d17a10000 } - $sequence_35 = { ff15???????? 4839442470 0f85b3000000 488d542460 488bce ff15???????? 85c0 } - $sequence_36 = { e9???????? 660fb6d1 f9 8b5504 c0c107 d2e9 } - $sequence_37 = { 57 f361 634cea1c bc2cedefeb 59 fb 7fab } - $sequence_38 = { 7506 50 e9???????? 8b55ec } - $sequence_39 = { 56 68???????? 
ff15???????? 83c408 8bc6 5e 8be5 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 8d4f40 660fbae50c 0fb3c7 660fbec2 8d04ed539f9b01 29d1 } + $sequence_1 = { 8bf0 8b4dfc ff15???????? 56 68???????? ffd3 83c408 } + $sequence_2 = { a3???????? a1???????? c705????????bb454000 8935???????? a3???????? ff15???????? a3???????? } + $sequence_3 = { 410bc0 488d542458 488d0d5fef0000 8905???????? 488d05baa00000 } + $sequence_4 = { 8b742428 66f7d5 8b6c242c 9c 9c 68af6a40e4 } + $sequence_5 = { 8b11 8d45f4 50 8b45f8 6a00 } + $sequence_6 = { 8b4dfc c70700000000 8b07 33cd 5e } + $sequence_7 = { 458bcc 4c8bc6 33d2 4889442420 ff15???????? 8bf8 } + $sequence_8 = { 48895d1f 4889752f 48897537 ff15???????? 8bd8 85c0 } + $sequence_9 = { 8b5604 83c40c 8d8d7cffffff 51 52 ff15???????? } + $sequence_10 = { 59 59 8b7508 8d34f518fc4000 391e } + $sequence_11 = { 448bc6 442bc0 488b442450 488d0d697d0000 488b0cc1 } + $sequence_12 = { 5d c3 56 a3???????? 8d45f8 50 51 } + $sequence_13 = { c20400 6800040000 8d95acfbffff 53 52 } + $sequence_14 = { 4889442458 4889442460 4889442468 e8???????? 488d8d80010000 448bc7 33d2 } + $sequence_15 = { d1d1 cf 4d 7961 24c2 3a3b ea???????????? } + $sequence_16 = { a3???????? bd79c7c7fd dbd1 25346acfea } + $sequence_17 = { ffc0 49ffc0 83f850 7ce2 eb10 418b4805 } + $sequence_18 = { 4883ec20 488bd9 e8???????? 4c8d1d17a10000 } + $sequence_19 = { 3d31040000 7415 50 68???????? e8???????? 83c408 33ff } + $sequence_20 = { 488bd8 4885c0 751c 488b4d6f } + $sequence_21 = { 488bd9 4885c0 7479 488d0d6f960000 483bc1 746d } + $sequence_22 = { 8b07 83c404 8d5002 8d642400 668b08 } + $sequence_23 = { ff15???????? 8bf8 85c0 786d ba58000000 33c9 } + $sequence_24 = { 8bf0 c1fe05 c1e106 030cb5000c4100 eb02 8bca } + $sequence_25 = { f5 c1c002 85e2 e9???????? 
} + $sequence_26 = { 4883c440 5b c3 448b4310 8bd0 488bcb e8???????? } + $sequence_27 = { 8b55d8 52 ffd6 33c0 5f 5e } + $sequence_28 = { 1052f1 89550b 01c7 55 51 1dd3cb602e 357f437332 } + $sequence_29 = { 68???????? 6a00 52 56 } + $sequence_30 = { c744246800010000 4889742460 89742458 89742450 4889742448 c744244020000000 c744243801000000 } + $sequence_31 = { c1f805 8bf7 83e61f c1e606 033485000c4100 c745e401000000 33db } + $sequence_32 = { 48894a38 33d2 488bc8 ff15???????? } + $sequence_33 = { 8b3d???????? 03d9 8d4900 8b4304 83e808 d1e8 8d5308 } + $sequence_34 = { 85c0 0f850a010000 488b8eb8000000 4c8d25038d0000 f0ff09 7511 } + $sequence_35 = { 55 2d0a08766e 6abd 80e96b 60 } + $sequence_36 = { 488d0d97210000 4c8be2 48897810 ff15???????? 498b8c24b8000000 448b6908 8b4918 } + $sequence_37 = { 33c0 6808020000 50 89442420 89442424 8944242c 89442430 } + $sequence_38 = { 896c243c 660fcf 68e6ef209f 6687cb 0f98c3 8774243c 53 } + $sequence_39 = { 4803c3 eb02 33c0 488d154bb00000 488bc8 e8???????? } condition: 7 of them and filesize < 1983488 
@@ -113316,36 +113813,36 @@ rule MALPEDIA_Win_Newcore_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c161add4-90a4-5a07-9de8-bcd8a57e3d69" - date = "2026-01-05" - modified = "2026-01-06" + id = "89e8e9ff-4567-5a66-931a-bebdfed97784" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.newcore_rat_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.newcore_rat_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "85672d8cf8a6bd59109d6c5a704fff80f074ddc2465adb99808889ae02b39e81" + logic_hash = "74c8c4620db1ab49fb76205afff82ca29ae043b9a07f56397c2d852acecc1169" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b883c200000 52 51 c744241000000000 ff15???????? f7d8 1bc0 } - $sequence_1 = { 51 57 6a01 53 52 55 ff15???????? } - $sequence_2 = { c686c800000043 c6864b01000043 c7466878920310 6a0d e8???????? 59 8365fc00 } - $sequence_3 = { 0f8788000000 0fb69028720010 ff249508720010 33c0 83c40c c3 8b4644 } - $sequence_4 = { 57 8b78f4 894dfc 85db } - $sequence_5 = { 0430 0fb64c2426 8844242f 8bc1 c1e804 83f809 } - $sequence_6 = { 8984242c040000 8b842434040000 53 55 56 57 8bf1 } - $sequence_7 = { 81ec54020000 a1???????? 
33c4 8984244c020000 8b842458020000 55 } - $sequence_8 = { b903000000 668994249c000000 668984249e000000 66898c24a0000000 ba01000000 66899424a2000000 b809000000 } - $sequence_9 = { e9???????? 8b442410 6a04 56 50 8bde c744242400000000 } + $sequence_0 = { 85c0 0f8455ffffff 8b07 50 ff15???????? e8???????? 85c0 } + $sequence_1 = { 56 c744241c01000000 ffd7 85c0 75a6 6a04 } + $sequence_2 = { 896c2428 896c242c 896c2430 896c2434 e8???????? 53 } + $sequence_3 = { ff15???????? 50 8d542420 6800010000 52 } + $sequence_4 = { a1???????? 33c4 8984245c080000 8b84246c080000 53 55 } + $sequence_5 = { 68ff030000 33ff 8d8424bd050000 57 50 c644242300 c68424c405000000 } + $sequence_6 = { 8b1d???????? 8d34bd40a60310 833e00 752a 68???????? ffd3 833e00 } + $sequence_7 = { 33c0 8b8c24bc090000 5f 5e 5d } + $sequence_8 = { ffd6 85c0 74a2 b30d 83f8ff 749b 83ff04 } + $sequence_9 = { 52 e8???????? 8b44241c 83c0f0 83c40c 8d480c 83caff } condition: 7 of them and filesize < 581632 
@@ -113355,104 +113852,102 @@ rule MALPEDIA_Win_Trickbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7dec44a5-ed16-520b-98af-bb6c41308144" - date = "2026-01-05" - modified = "2026-01-06" + id = "57e53e12-8071-534f-9fb7-ec3906c94222" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.trickbot_auto.yar#L1-L647" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.trickbot_auto.yar#L1-L642" license_url = "N/A" - logic_hash = "2410d16d7ee16128151b288938666126105e8a07f0144c47c922a04a3e6d63dc" + logic_hash = "7dff73529836fde10a1501b025b72ce506ba08f239a936b8286c0ce920f83ae0" score = 75 quality = 48 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 1bc0 83e020 83c020 eb36 } - $sequence_1 = { 83c010 eb25 a900000040 7411 2500000080 f7d8 1bc0 } - $sequence_2 = { eb36 2500000080 f7d8 1bc0 83e070 83c010 eb25 } - $sequence_3 = { f7d8 1bc0 83e002 83c002 eb0d 2500000080 f7d8 } - $sequence_4 = { 8b07 a900000020 7429 a900000040 } - $sequence_5 = { c705????????fdffffff c705????????feffffff c705????????ffffffff e8???????? 
} - $sequence_6 = { 895df8 895df4 895dec 66c745f00005 895dfc } - $sequence_7 = { 8902 3bcb 7507 5f 5e } - $sequence_8 = { 8d1489 8d0cd0 8b4114 2b410c } - $sequence_9 = { 41 83c028 3bce 7ce9 } - $sequence_10 = { 1bc0 83e007 40 8b4fe8 } + $sequence_0 = { f7d8 1bc0 83e020 83c020 eb36 2500000080 f7d8 } + $sequence_1 = { f7d8 1bc0 83e002 83c002 eb0d 2500000080 } + $sequence_2 = { 7429 a900000040 7411 2500000080 f7d8 1bc0 83e020 } + $sequence_3 = { eb36 2500000080 f7d8 1bc0 83e070 83c010 eb25 } + $sequence_4 = { 83e070 83c010 eb25 a900000040 7411 2500000080 } + $sequence_5 = { 83c002 eb0d 2500000080 f7d8 1bc0 83e007 } + $sequence_6 = { 8b07 a900000020 7429 a900000040 } + $sequence_7 = { c705????????fdffffff c705????????feffffff c705????????ffffffff e8???????? } + $sequence_8 = { 895df4 895dec 66c745f00005 895dfc } + $sequence_9 = { 33ff 57 6880000000 6a02 57 6a01 68000000c0 } + $sequence_10 = { 8b45fc 8d1489 8d0cd0 8b4114 2b410c } $sequence_11 = { 488b5118 4889442440 488b4148 4889442438 } - $sequence_12 = { 488b4138 4889442428 488b4130 488b4910 4889442420 41ffd2 } - $sequence_13 = { 4c8b4120 488b5118 4889442438 488b4140 } + $sequence_12 = { 488b5118 4889442438 488b4140 4889442430 } + $sequence_13 = { 33db 53 53 6a03 53 6a01 6800010000 } $sequence_14 = { 488b01 4c8b4120 488b5118 488b4910 } - $sequence_15 = { 488b01 488b5118 488b4910 ffd0 } - $sequence_16 = { 488b4148 4c8b11 4c8b4928 4c8b4120 488b5118 } - $sequence_17 = { 488b4148 4889442438 488b4140 4889442430 488b4138 4889442428 488b4130 } - $sequence_18 = { 48397c2430 0f94c3 8bc3 488b5c2450 4883c440 } - $sequence_19 = { 6644891b 664183fb1a 7307 664183c341 eb13 } - $sequence_20 = { 83780400 7404 8b4008 c3 } + $sequence_15 = { 488b4150 4c8b11 4c8b4928 4c8b4120 488b5118 4889442440 } + $sequence_16 = { 4889442428 488b4130 488b4910 4889442420 } + $sequence_17 = { 4889442430 488b4138 4889442428 488b4130 } + $sequence_18 = { 488b01 488b5118 488b4910 ffd0 } + $sequence_19 = { 48397c2430 0f94c3 8bc3 488b5c2450 4883c440 } + 
$sequence_20 = { 488bf9 488bca 418bf1 498bd8 } $sequence_21 = { 2bc2 d1e8 03c2 c1e806 6bc05f } - $sequence_22 = { 6820bf0200 68905f0100 68905f0100 50 } - $sequence_23 = { 51 68e9fd0000 50 e8???????? } + $sequence_22 = { 6820bf0200 68905f0100 68905f0100 50 ff15???????? } + $sequence_23 = { 83780400 7404 8b4008 c3 } $sequence_24 = { 6a40 6800300000 6a70 6a00 } - $sequence_25 = { 8d440002 6a00 50 e8???????? } - $sequence_26 = { c3 6a01 ff15???????? 50 } - $sequence_27 = { 85c0 7f0b e8???????? 8b05???????? } + $sequence_25 = { 51 68e9fd0000 50 e8???????? } + $sequence_26 = { 7510 83780c00 750a 83780400 } + $sequence_27 = { c3 6a01 ff15???????? 50 } $sequence_28 = { e8???????? 83f801 7411 ba0a000000 } - $sequence_29 = { 8b45f8 5f c60000 2b450c 5e } - $sequence_30 = { 8b01 59 03d0 52 ebdc 89450c } + $sequence_29 = { 85c0 7f0b e8???????? 8b05???????? } + $sequence_30 = { ff5514 50 8b450c ff4d0c ba28000000 } $sequence_31 = { 8bc1 66ad 85c0 741c } - $sequence_32 = { 50 8b450c ff4d0c ba28000000 f7e2 } + $sequence_32 = { 59 03d0 52 ebdc } $sequence_33 = { 7405 e8???????? ff15???????? 8bc3 } - $sequence_34 = { ff5508 8b5510 8b4a04 ff5508 50 51 } - $sequence_35 = { 2bc1 8b00 3bc7 72f2 } - $sequence_36 = { ff5508 58 894514 8b5510 } - $sequence_37 = { 03d0 895510 8b4a04 ff5508 8b5510 8b4a0c } - $sequence_38 = { c1e102 2bc1 8b00 894508 } - $sequence_39 = { 85c0 741c 3bc1 7213 } - $sequence_40 = { 3bc1 7703 894df4 8b47fc } - $sequence_41 = { 0f8280000000 813950450000 7578 f6411602 7472 } - $sequence_42 = { f7e2 8d9500040000 03d0 895510 } - $sequence_43 = { c744242000300000 ff15???????? 85c0 7911 } - $sequence_44 = { 790f 8bc8 e8???????? 8d5e10 } - $sequence_45 = { 8bcf e8???????? 8bf0 85ed } - $sequence_46 = { 7911 8bc8 e8???????? bb10000000 } - $sequence_47 = { 33c9 33d2 ff15???????? 
85c0 } - $sequence_48 = { 7c22 3c39 7f1e 0fbec0 } - $sequence_49 = { 7536 b906000000 8bc1 c3 } - $sequence_50 = { 58 41 41 41 41 } - $sequence_51 = { 8bcd 84c0 742e 660f1f440000 3c30 7c22 } - $sequence_52 = { ff15???????? 8bf0 c1ee1f 83f601 } - $sequence_53 = { ff15???????? 85c0 0f89d2000000 8bc8 e8???????? } - $sequence_54 = { eb0a 83f802 742b 83f803 745b } - $sequence_55 = { 8bc8 33c0 85c9 0f95c0 eb02 } - $sequence_56 = { 41 41 50 2bc1 8b00 } - $sequence_57 = { 2bc1 c1e002 51 8bcf } - $sequence_58 = { 6a00 6a00 ff15???????? 6a00 6a00 6a00 8d45dc } - $sequence_59 = { 8b7d10 2bf9 53 50 } - $sequence_60 = { 8dbf00500310 8bd6 897d08 3bc8 } - $sequence_61 = { 8b4d08 dd01 8b7510 dd1e e9???????? c745dce8c20001 } - $sequence_62 = { 3302 52 8bd0 51 03cf 51 58 } - $sequence_63 = { 58 8910 59 5a } - $sequence_64 = { 760b 8b45d0 83e801 8945d0 } - $sequence_65 = { 8945d4 8b4dfc 51 8b55d4 52 e8???????? 8b45fc } - $sequence_66 = { 85c0 7417 817de013010000 7502 eb0c 8d45dc 50 } - $sequence_67 = { bad64abad6 4a ba5d12f75d 12f7 5d 12f7 5d } - $sequence_68 = { c705????????ad380001 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 } - $sequence_69 = { 51 6800300400 8b55f8 52 ff15???????? 8945fc 837dfc00 } - $sequence_70 = { 40 8945d0 ff75fc ff75d0 } - $sequence_71 = { 84c0 741d 56 68???????? 8bc7 e8???????? 
} - $sequence_72 = { 8b4508 56 8d34c590f30001 833e00 7513 } - $sequence_73 = { f361 34aa 61 34aa } - $sequence_74 = { c1e803 85c0 7414 56 57 } - $sequence_75 = { 56 ff750c 6818280300 5e 56 } - $sequence_76 = { 83c408 eb18 81ff01030000 7d10 53 53 } - $sequence_77 = { 7420 8b4de0 83c101 894de0 817de014010000 } + $sequence_34 = { 52 ebdc 89450c 8bc5 } + $sequence_35 = { 8b4a04 ff5508 50 51 50 } + $sequence_36 = { 59 ff5508 58 894514 } + $sequence_37 = { 2bc1 8b00 3bc7 72f2 } + $sequence_38 = { 03d0 895510 8b4a04 ff5508 8b5510 } + $sequence_39 = { 741c 3bc1 7213 2bc1 } + $sequence_40 = { ff4d0c ba28000000 f7e2 8d9500040000 03d0 895510 } + $sequence_41 = { ff15???????? 85c0 790f 8bc8 e8???????? 8d5e10 } + $sequence_42 = { 8b03 0fbae01d 732b 0fbae01e 7315 } + $sequence_43 = { eb0a 83f802 742b 83f803 745b } + $sequence_44 = { 7911 8bc8 e8???????? bb11000000 } + $sequence_45 = { 8d4102 66894c2448 c744242840000000 668944244a 0fb7c1 } + $sequence_46 = { 58 41 41 41 } + $sequence_47 = { ff15???????? 8bf0 c1ee1f 83f601 } + $sequence_48 = { 8bcf e8???????? 8bf0 85ed } + $sequence_49 = { 7514 398e8c000000 750c 33c0 } + $sequence_50 = { 8bcd 84c0 742e 660f1f440000 3c30 } + $sequence_51 = { e8???????? e8???????? 8bd8 85c0 740f 8bc8 } + $sequence_52 = { 8bc8 33c0 85c9 0f95c0 eb02 } + $sequence_53 = { 41 41 50 2bc1 8b00 } + $sequence_54 = { 8bc7 e8???????? 85c0 0f849f000000 } + $sequence_55 = { c1e002 51 8bcf 03c8 } + $sequence_56 = { 8dbf00500310 8bd6 897d08 3bc8 } + $sequence_57 = { 8b7d10 2bf9 53 50 } + $sequence_58 = { 6a00 6a00 6a00 8d45dc 50 ff15???????? 85c0 } + $sequence_59 = { 85c0 7417 817de013010000 7502 eb0c 8d45dc 50 } + $sequence_60 = { 5b 81fa???????? 7416 81fa00000002 740a 3bd1 } + $sequence_61 = { e8???????? 03c6 03c3 50 8bc7 e8???????? 03c6 } + $sequence_62 = { ff75d4 ff75f8 ff15???????? 
8945fc 837dfc00 750d 6a00 } + $sequence_63 = { 760b 8b55d8 83ea01 8955d8 } + $sequence_64 = { 8945e4 3d00010000 7d10 8a8c181d010000 888800f80001 40 ebe6 } + $sequence_65 = { 8b1a 42 42 8b01 } + $sequence_66 = { 894de0 817de014010000 7502 eb0c 8d55dc } + $sequence_67 = { 7303 8b5d0c 3b7d08 7516 8d0c33 83c8ff e8???????? } + $sequence_68 = { e7bf 31e7 bf6134aa36 11fe 3611fe 3611fe 3611fe } + $sequence_69 = { 837d0c00 8b37 760d ff750c 56 57 e8???????? } + $sequence_70 = { 6a00 6858020000 ff15???????? 837dfc00 74ce 8b45fc } + $sequence_71 = { 57 e8???????? eb0f 85db } + $sequence_72 = { 52 e8???????? 8b45fc 8945cc } + $sequence_73 = { c745d400000400 8b45d0 8945d8 837dd840 7709 8b45d8 } + $sequence_74 = { 7510 68???????? ff15???????? a3???????? 33ff } + $sequence_75 = { 58 42 42 3b5508 7202 8bd6 } condition: 7 of them and filesize < 712704 
@@ -113462,36 +113957,36 @@ rule MALPEDIA_Win_Wpbrutebot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "79a22dd8-32fa-5f98-87d6-8da78951869d" - date = "2026-01-05" - modified = "2026-01-06" + id = "e7da9eda-62ee-5169-b7c4-de71276c945c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wpbrutebot_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wpbrutebot_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "5822d74137e23703d26984f7196edc8d3decd3d594175136f45cb9821ea5add2" + logic_hash = "658b4515a9ca8bdd5e22581e1ee448525d93fd11afaf0462db43b9ba94c89514" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745f85968337b 33c0 c645fc00 8d4809 304c05f8 40 83f804 } - $sequence_1 = { 85c0 0f8438020000 ff7624 8b442418 ff742414 50 50 } - $sequence_2 = { f7e9 c1fa02 8bc2 c1e81f 03c2 83f803 764f } - $sequence_3 = { c1c010 85c3 7416 8b449438 8904ef b810000000 668944ef04 } - $sequence_4 = { ff742458 0f45c8 8d44247c ff742434 55 56 52 } - $sequence_5 = { c3 b8???????? eb0c b8???????? eb05 b8???????? 57 } - $sequence_6 = { c74008???????? c7400ca0f76200 c74010e1000000 c3 e8???????? 
85c0 0f8488000000 } + $sequence_0 = { ffd0 8d442438 50 8d442440 50 8d8694050000 50 } + $sequence_1 = { ffb7c80f0000 68???????? e8???????? 83c418 eb1f ffb7ec0f0000 ffb7e80f0000 } + $sequence_2 = { ff75fc 894608 51 8b0e e8???????? 83c408 8bc6 } + $sequence_3 = { 85c0 0f8553020000 53 57 56 e8???????? 83c40c } + $sequence_4 = { 40 3bc1 72e1 6a02 56 68???????? e8???????? } + $sequence_5 = { e9???????? 83fa18 7530 51 50 55 e8???????? } + $sequence_6 = { ffb7d00c0000 e8???????? 8bd8 83c408 85db 75a6 f687740d000028 } $sequence_7 = { eb10 83f804 755e 807c244020 0f85130d0000 8b442418 8d0480 } - $sequence_8 = { c605????????00 e8???????? b9???????? c645fc05 e8???????? 6a6b 68???????? } - $sequence_9 = { 803f2f 0f8518020000 807f012f 7563 8a4702 83c702 3c2f } + $sequence_8 = { e8???????? 56 8b74240c 83becc00000000 0f85c6050000 ffb6c8000000 e8???????? } + $sequence_9 = { 7c08 85c0 0f8334010000 8b16 8bc2 8b4e04 23c1 } condition: 7 of them and filesize < 5134336 
@@ -113501,36 +113996,36 @@ rule MALPEDIA_Win_Bachosens_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "21e78cd2-1c72-5a79-a705-15dc4e8e3d2a" - date = "2026-01-05" - modified = "2026-01-06" + id = "c3ae17b5-5204-5f65-af31-702850596b5b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bachosens_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bachosens_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "34aedbb89c2e7af974768523a03e9308ee6c49afb8486001bfd1e9169e8bf87c" + logic_hash = "4bd1a35420cf40962f926575072382f9bc014a7da3c2700bbf3154843f1f8630" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4d8bd4 4d2bdc 4d8bc4 49f7da } - $sequence_1 = { 488bf9 488b5018 488b5a20 488bd1 488b4b50 e8???????? 
} - $sequence_2 = { 49f7da 6666660f1f840000000000 430fb61403 410fb608 } - $sequence_3 = { 740e 488bc7 ffc1 488d4001 803800 } - $sequence_4 = { 33d2 385500 740e 488bc5 ffc2 } - $sequence_5 = { 660f1f840000000000 420fb61407 410fb608 8d429f } - $sequence_6 = { 41380a 7417 498bc2 660f1f840000000000 ffc1 } - $sequence_7 = { 66390a 7417 488bc2 0f1f840000000000 ffc1 488d4002 } - $sequence_8 = { 430fb61403 410fb608 8d429f 3c19 } - $sequence_9 = { 803800 75f5 3bca 7550 4c63d1 85c9 7e42 } + $sequence_0 = { 4d8b5310 49895b18 498973d8 49897bd0 4d896bc8 448be8 } + $sequence_1 = { 8d419f 3c19 7703 80c1e0 3ad1 7515 } + $sequence_2 = { 33c9 84db 740f 488bc7 90 } + $sequence_3 = { 4b8d0401 493bc2 7cd3 488935???????? 4c8b542458 } + $sequence_4 = { c3 48891c24 4d63d0 4585c0 7e3d 4c2bda bbe0ff0000 } + $sequence_5 = { 66443908 75f4 443bc1 740a b801000000 4883c408 } + $sequence_6 = { 8b442420 ffc0 89442420 4863442420 b944000000 } + $sequence_7 = { 660f1f840000000000 410fb707 418b3e 6603c1 4803f9 0fb7c0 } + $sequence_8 = { 488d4001 803800 75f5 33d2 385500 740e } + $sequence_9 = { 0fb61f 4803f1 84db 740e 488bc7 ffc2 } condition: 7 of them and filesize < 643072 
@@ -113540,42 +114035,42 @@ rule MALPEDIA_Win_Qtbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2b92b0c1-9b29-5389-8e3a-195746a37ab1" - date = "2026-01-05" - modified = "2026-01-06" + id = "da6e4df4-77b8-5d26-ba83-04edea420ed8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.qtbot_auto.yar#L1-L173" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.qtbot_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "eee36880d1f59f5f14d38b39d151180259128bb7c87bcaf8aa7d62fcdb47e198" + logic_hash = "1df39830c0b3567c3c3c35696eb417401a911854c33e81ec8be85bb873588814" score = 60 quality = 25 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4510 89450c 8d4301 0fb6d8 8a941dfcfeffff } - $sequence_1 = { 33c0 53 8a1a 6bc80d } - $sequence_2 = { 0fb6c3 83c0d0 03c1 25ffffff00 42 8a1a } - $sequence_3 = { 33f6 8bde 85ff 7455 8b4510 89450c } - $sequence_4 = { 84db 75e9 5b 5d } - $sequence_5 = { 64a130000000 8b400c 8b7014 ad 8b00 8b4010 } - $sequence_6 = { 742a 8b049a 03c6 50 e8???????? 3b4508 740b } - $sequence_7 = { 88841dfcfeffff 889435fcfeffff 0fb68c1dfcfeffff 0fb6c2 03c8 8b450c 0fb6c9 } - $sequence_8 = { 59 837e04ff 8bd8 8d7e08 7504 8b2f } - $sequence_9 = { 53 6a00 6a00 ff15???????? 
833e05 7521 } - $sequence_10 = { 8d7e08 7504 8b2f eb02 8bef 8b06 83661c00 } - $sequence_11 = { eb60 8b46f8 834de4ff 49 c745e8ff000000 8b3c857c300010 } - $sequence_12 = { 49 c745e8ff000000 8b3c857c300010 c745ecffff0000 0faff9 83f801 c745f0ffffff00 } - $sequence_13 = { 894dfc eb0e 8b14957c300010 49 0fafd1 } - $sequence_14 = { 83f807 0f87c7000000 ff24857e230010 832700 e9???????? } - $sequence_15 = { e9???????? 33c0 8b7df4 8b0c855c300010 } + $sequence_0 = { 89450c 8d4301 0fb6d8 8a941dfcfeffff 0fb6c2 03c6 0fb6f0 } + $sequence_1 = { 53 8a1a 6bc80d 0fb6c3 83c0d0 } + $sequence_2 = { 8a1a 84db 75e9 5b 5d c20400 55 } + $sequence_3 = { 8bde 85ff 7455 8b4510 89450c } + $sequence_4 = { 83c0d0 03c1 25ffffff00 42 } + $sequence_5 = { 0fb68c1dfcfeffff 0fb6c2 03c8 8b450c 0fb6c9 } + $sequence_6 = { 8b450c 0fb6c9 8a8c0dfcfeffff 3008 } + $sequence_7 = { 89450c 83ef01 75b1 8b4510 5f 5e 5b } + $sequence_8 = { 50 53 6a00 6a00 ff15???????? 833e05 7521 } + $sequence_9 = { 59 837e04ff 8bd8 8d7e08 } + $sequence_10 = { c745e8ff000000 8b3c857c300010 c745ecffff0000 0faff9 } + $sequence_11 = { 8b06 83661c00 83f807 0f87c7000000 ff24857e230010 832700 e9???????? } + $sequence_12 = { 833e05 7521 6a10 6a40 } + $sequence_13 = { 33c0 8b7df4 8b0c855c300010 c1e705 } + $sequence_14 = { 0f872affffff 0fb6805a210010 ff2485f6200010 8b8614080000 3b45f4 7e03 8945f4 } + $sequence_15 = { 8d7e08 7504 8b2f eb02 8bef } condition: 7 of them and filesize < 57344 
@@ -113585,36 +114080,36 @@ rule MALPEDIA_Win_Apocalipto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "040d40e4-215e-5fc8-9173-5081c16b8126" - date = "2026-01-05" - modified = "2026-01-06" + id = "cf312cec-0f73-5d08-8475-4d7fe29a0f23" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.apocalipto_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.apocalipto_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "59ef34dc3f2d1dbdb1e3d7de19e14bb33faf50cd3fbb7faa9fac9e36e92697d7" + logic_hash = "f2b397cd33f5a73ed02ae8827c94ca1277e557e9365d20d9ae80c64009249604" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ec48 c745f400000000 8d45f4 89442410 c744240c1c000000 8d45d8 } - $sequence_1 = { 85c0 0f8433090000 c7442404???????? 891c24 } - $sequence_2 = { 745f 31db 6690 43 } - $sequence_3 = { 31c0 85ff 75d9 8945f0 31db 31c9 } - $sequence_4 = { 0500100000 8985d0f3ffff c744240c04000000 c744240800100000 89442404 } - $sequence_5 = { c744241800000000 c744241404000000 c744241000000000 c744240c00000000 c744240800000000 8b5508 } - $sequence_6 = { e9???????? ff15???????? 89c6 c705????????01000000 c7442404???????? 890424 e8???????? } - $sequence_7 = { 890424 ff15???????? 
50 c744240800400000 895c2404 } - $sequence_8 = { 8974bb08 41 81f900010000 75cf c7430400000000 c70300000000 } - $sequence_9 = { a3???????? 85c0 0f84510a0000 c7442404???????? 891c24 ff15???????? 83ec08 } + $sequence_0 = { 83ec08 a3???????? 85c0 0f84440a0000 c7442404???????? 891c24 ff15???????? } + $sequence_1 = { 84c9 740a 880a 42 43 } + $sequence_2 = { 83ec24 e8???????? 89c3 c7442404???????? 890424 } + $sequence_3 = { e8???????? e9???????? c744240800400000 897c2404 893424 ff15???????? 83ec0c } + $sequence_4 = { 8b4d0c 39ce 75b8 8910 895804 } + $sequence_5 = { ff15???????? 83ec08 a3???????? 85c0 0f843f010000 } + $sequence_6 = { 89542404 893c24 e8???????? 89c2 85c0 7430 8b85c8f3ffff } + $sequence_7 = { a3???????? 85c0 0f8473070000 c7442404???????? 891c24 ff15???????? 83ec08 } + $sequence_8 = { ff15???????? 83ec08 a3???????? 85c0 0f84850a0000 c7442404???????? } + $sequence_9 = { 893424 e8???????? 89f0 83c40c 5b 5e } condition: 7 of them and filesize < 212992 @@ -113625,10 +114120,10 @@ rule MALPEDIA_Win_Shadowhammer_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "297b3240-9669-5c2f-9f70-bac21eea5e4b" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shadowhammer_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shadowhammer_auto.yar#L1-L125" license_url = "N/A" logic_hash = "910985146f49579376d7edf79ed10031d031e34957a06d7ed180548cab7651ac" score = 75 
@@ -113637,9 +114132,9 @@ rule MALPEDIA_Win_Shadowhammer_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -113663,40 +114158,43 @@ rule MALPEDIA_Win_Yahoyah_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "abfb222f-4f42-5b73-9d65-3a3b137f2cf3" - date = "2026-01-05" - modified = "2026-01-06" + id = "a1c11137-cf53-5ef0-828e-1d318a6298a4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yahoyah_auto.yar#L1-L151" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yahoyah_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "95a87a262ce818137ca4c6ed87dce3eca74d768b60efbc782f5ec1ec62bf20ab" + logic_hash = "f635314c9876bf0ba9754f0796e30eb1e2ba6407b11d9770ca3b0dbf5bb48cb2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff15???????? 6a02 53 6af0 } - $sequence_1 = { 23d1 52 8bd0 c1ea18 52 0fb6d0 } - $sequence_2 = { ff15???????? 85c0 7501 c3 56 } - $sequence_3 = { 0fb6d0 52 c1e808 23c1 50 68???????? } - $sequence_4 = { 81e100200000 7503 41 eb09 } - $sequence_5 = { 50 e8???????? 59 53 53 6a03 0fb7c8 } - $sequence_6 = { 50 6800080000 ff15???????? ff15???????? } - $sequence_7 = { 57 e8???????? 59 56 56 8d45fc 50 } - $sequence_8 = { 53 53 53 56 53 ff15???????? 68d0070000 } - $sequence_9 = { ff15???????? 6a2e 68???????? e8???????? } - $sequence_10 = { ff15???????? 6a3a 56 e8???????? 
8bf0 83c410 } - $sequence_11 = { 6a1a 50 e8???????? bf???????? } - $sequence_12 = { 90 90 68add13441 ffb53ffbffff } - $sequence_13 = { 90 90 90 33c9 33c0 648b3530000000 8b760c } + $sequence_1 = { 59 53 53 6a03 0fb7c8 b8???????? } + $sequence_2 = { 59 56 56 8d45fc 50 ff7508 } + $sequence_3 = { c1ea10 b9ff000000 23d1 52 8bd0 c1ea18 } + $sequence_4 = { 53 56 53 ff15???????? 68d0070000 } + $sequence_5 = { 50 e8???????? 83c418 6a02 53 6840feffff } + $sequence_6 = { ff15???????? 85c0 7501 c3 56 } + $sequence_7 = { eb19 ff15???????? 0fb7c0 50 68???????? } + $sequence_8 = { eb09 33d2 3bd1 1bc9 83e102 } + $sequence_9 = { 50 6800080000 ff15???????? ff15???????? } + $sequence_10 = { 68???????? ff15???????? 6a2e 68???????? } + $sequence_11 = { 52 0fb6d0 52 c1e808 23c1 } + $sequence_12 = { 68???????? 6890ef0000 68???????? 6a60 } + $sequence_13 = { 6a3a 56 e8???????? 8bf0 83c410 } + $sequence_14 = { 6a1a 50 e8???????? bf???????? } + $sequence_15 = { 90 90 33c9 33c0 } + $sequence_16 = { 90 90 68add13441 ffb53ffbffff } condition: 7 of them and filesize < 483328 
@@ -113706,38 +114204,36 @@ rule MALPEDIA_Win_Nitrogen_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "75d54911-9963-5fa1-94d4-824f367ba5ac" - date = "2026-01-05" - modified = "2026-01-06" + id = "995f9fa6-0ab0-5918-b249-737edbabef9b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrogen" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nitrogen_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nitrogen_auto.yar#L1-L105" license_url = "N/A" - logic_hash = "5f8ac2a7555dea7311ca047ff8fe4bf1acad1a9235530176528b358f16735fc3" + logic_hash = "cc66ab9c646ce07e1d27540ed605c3197596cae4526dd700bd66d9527a93c64d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8905???????? 488b05???????? 48ffc0 488905???????? } $sequence_1 = { 4898 488905???????? 8b05???????? 488905???????? } - $sequence_2 = { 488b05???????? 89442454 8b05???????? 89442458 } - $sequence_3 = { 4898 488905???????? 488b05???????? 4885c0 } - $sequence_4 = { 0fbe05???????? c1e002 4898 488905???????? } - $sequence_5 = { 668905???????? 488b05???????? 48ffc8 488905???????? } - $sequence_6 = { 668905???????? 8b05???????? 668905???????? 8b05???????? } - $sequence_7 = { eb35 488b05???????? 4885c0 7429 } - $sequence_8 = { 8b05???????? ffc0 8905???????? 0fb705???????? 
} - $sequence_9 = { 668905???????? 8b05???????? ffc8 8905???????? } - $sequence_10 = { 0fb6c0 8905???????? 8b05???????? 85c0 } - $sequence_11 = { 8905???????? 488b05???????? 480faf05???????? 488905???????? } + $sequence_2 = { 488905???????? e9???????? 8b05???????? 85c0 } + $sequence_3 = { 4898 488905???????? 8b05???????? 8905???????? } + $sequence_4 = { 8805???????? 488b05???????? 48ffc8 488905???????? } + $sequence_5 = { e8???????? 0fb7c0 8905???????? 8b05???????? 85c0 } + $sequence_6 = { 668905???????? 488b05???????? 48ffc8 488905???????? } + $sequence_7 = { 98 8905???????? 8b05???????? 85c0 } + $sequence_8 = { eb3a 488b05???????? 4885c0 742e } + $sequence_9 = { 8844240c 8b05???????? 8844240d 488b05???????? } condition: 7 of them and filesize < 135349248 
@@ -113747,42 +114243,42 @@ rule MALPEDIA_Win_Httpdropper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "18260766-6bdf-5211-bbc4-97447962c71b" - date = "2026-01-05" - modified = "2026-01-06" + id = "f8aedc90-46c4-5f78-8238-405fbade7c86" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.httpdropper_auto.yar#L1-L186" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.httpdropper_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "22451066791784b19aa73ef3663c2f2d2a5d036611d6a095731732bebf19aeab" + logic_hash = "61904ad49a2543e412a09c3ebcb816d4ba3cbc7ad62a8d3b1cf9fe23e0dab3ac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bd8 8985d0f0ffff 85db 0f8482000000 6a3c 8d8554f0ffff 6a00 } - $sequence_1 = { 3dff000000 0f87c3020000 f685a8f7ffff10 0f844f010000 8b751c 3bf3 0f8444010000 } - $sequence_2 = { 83c40c 6803010000 8d8c2444030000 51 c744241400000000 ff15???????? 8b3d???????? } - $sequence_3 = { 75f9 2bc1 7511 33c0 5e 8b4dfc 33cd } - $sequence_4 = { b9???????? 8bf0 e8???????? 50 8d9435f4feffff 68???????? 52 } - $sequence_5 = { 8d8d64f2ffff e8???????? 687f0c0000 8d856df2ffff } - $sequence_6 = { 50 8d95f8feffff 52 e8???????? 
83c408 85c0 } - $sequence_7 = { 8bc6 c1f805 8d0c8560aa0310 8bc6 83e01f c1e006 8b11 } - $sequence_8 = { 41b800040000 c684246002000000 e8???????? 488d8c2470060000 4c8bcf ba01000000 41b800040000 } - $sequence_9 = { 48894c2450 498bf0 0fb6fa 488d8da1000000 33d2 41b80b030000 } - $sequence_10 = { 48c7c102000080 4889442420 ff15???????? 85c0 0f8513010000 488d0d761d0200 c744244004000000 } - $sequence_11 = { 488985400f0000 4c8bb5c00f0000 48894c2450 4d8be0 4c89442448 488bf2 488d8d31060000 } - $sequence_12 = { 41f7e8 c1fa05 4c8d0520440200 8bc2 c1e81f 03d0 } - $sequence_13 = { 488bd0 ff15???????? 488d0d6b080200 488905???????? e8???????? 488bcb } - $sequence_14 = { 53 55 56 4154 4155 4883ec50 448bca } - $sequence_15 = { 450fb6c0 4489542430 89542428 894c2420 488d1599d50100 488d8c2490000000 } + $sequence_0 = { 7539 8d95e4f8ffff 52 8b95e8f8ffff } + $sequence_1 = { 8d8de8feffff 51 ff15???????? 68e8030000 } + $sequence_2 = { 745e 81fe78010000 740c 81fea6010000 0f85bb050000 } + $sequence_3 = { 3acb 75f9 8b8de0f8ffff 2bc2 } + $sequence_4 = { 51 e8???????? 83c408 85c0 7538 8b141e } + $sequence_5 = { 89834c400000 e8???????? 8b4d08 89833c400000 33c0 } + $sequence_6 = { 33f6 3933 742e 807c241300 7515 6a0c } + $sequence_7 = { 68ff000000 e8???????? 59 59 8b7508 8d34f5907d0310 } + $sequence_8 = { 84c0 75ed 488d8d80040000 ba5c000000 } + $sequence_9 = { 488d4c2454 33d2 41b83c010000 c744245000000000 } + $sequence_10 = { be02000000 48898358400000 33c0 0fb7cd } + $sequence_11 = { e8???????? 488d0d88540100 0fb744f102 8983e0af0600 } + $sequence_12 = { e8???????? 4c8d9c2470100000 498b5b18 498b7320 } + $sequence_13 = { 488bd8 4885c0 74c6 488bc8 } + $sequence_14 = { 4533c9 4533c0 488bd3 488bc8 48896c2428 } + $sequence_15 = { 8d51ff 488d4df0 e8???????? 488bf0 } condition: 7 of them and filesize < 524288 
@@ -113792,167 +114288,213 @@ rule MALPEDIA_Win_Isfb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b7221ee8-15b6-53d3-9858-cbee4891c3dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "493b79b1-5bcb-50ac-9d99-845489b048c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.isfb_auto.yar#L1-L1225" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.isfb_auto.yar#L1-L1602" license_url = "N/A" - logic_hash = "8c0f88cb914238661f125a7c021aa83545337967694ef579c4ecd4c1e0598934" + logic_hash = "e7ffd60744cfe4dfc7d9b60a9d8956ab18a233f7dddf4b4ec89935d728f07689" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { eb02 33c0 3bc7 741b 50 33c0 } - $sequence_1 = { 50 33c0 e8???????? 3bc7 740f } - $sequence_2 = { e8???????? eb02 33c0 3bc7 7413 50 } - $sequence_3 = { 3bc7 7413 50 6a10 58 e8???????? } - $sequence_4 = { 6a10 58 e8???????? 3bc7 7406 50 e8???????? } - $sequence_5 = { ff75f0 ff75f4 6822010000 e9???????? ff7508 } - $sequence_6 = { 6a64 ff15???????? a1???????? 85c0 7407 83ee64 } - $sequence_7 = { ff35???????? e8???????? 8bf0 3bf3 7443 } - $sequence_8 = { 5e 8bc5 5d 5b 59 c20400 8325????????00 } - $sequence_9 = { 59 c20400 8325????????00 6a00 68???????? 6a01 ff742410 } - $sequence_10 = { ff15???????? 85c0 a3???????? 7402 ffe0 c20400 } - $sequence_11 = { 50 e8???????? 
3bdf 7414 } - $sequence_12 = { c20400 55 8bec 83ec0c a1???????? 8365f800 57 } - $sequence_13 = { ff15???????? 3c05 7506 84e4 7704 } - $sequence_14 = { 8b4e10 83e103 740d 51 50 ff7510 e8???????? } - $sequence_15 = { 7417 8b10 2b55fc 8b7d10 0155fc } - $sequence_16 = { ff7510 e8???????? 83c40c c745fc01000000 8b4610 } - $sequence_17 = { 8bd8 85db 895df4 0f84c7000000 56 53 } - $sequence_18 = { b8???????? 53 bb60ea0000 53 ff750c } - $sequence_19 = { 8b7d10 0155fc 83451004 83c004 49 8917 75e9 } - $sequence_20 = { ff37 ff15???????? 2b442414 50 8b07 } - $sequence_21 = { 6a0d 58 e8???????? 85c0 740d 8906 83c604 } - $sequence_22 = { 83c40c 8974240c c6401a00 8b44240c 85c0 } - $sequence_23 = { 8b07 03442418 50 56 ff5310 } - $sequence_24 = { 5b c20800 55 8bec 83e4f8 83ec14 8364240400 } - $sequence_25 = { 8906 83c604 47 83ff03 } - $sequence_26 = { ff35???????? ff15???????? 8b442414 8b4c240c 8907 8b442418 894110 } - $sequence_27 = { 8b4b24 2b4b28 894c2410 8b4b34 f6c140 } - $sequence_28 = { 8b5d0c 837b240c 56 57 8b3b 897c241c 760a } - $sequence_29 = { 8b3b 897c241c 760a 8b4b20 e8???????? eb02 } - $sequence_30 = { 74a3 33ff eb0b 33ff eb03 } - $sequence_31 = { 8b4a0c 3bc8 7415 8b5210 } - $sequence_32 = { 752f 8b450c 8930 eb33 6a00 } - $sequence_33 = { 8b4a3c 03ca 0fb75114 56 } - $sequence_34 = { 50 8d4508 50 53 8bc6 e8???????? } - $sequence_35 = { 750e 837d0800 7408 ff7508 e8???????? } - $sequence_36 = { 83ec48 53 8b5d08 56 57 33ff } - $sequence_37 = { 8b5210 3bd0 740e 8b742408 } - $sequence_38 = { 837d1800 b8???????? 7505 b8???????? 53 } - $sequence_39 = { 8a4604 2404 f6d8 1bc0 83e006 } - $sequence_40 = { 742d ff75fc 6a0d 58 } - $sequence_41 = { c21000 55 8bec 83ec14 a1???????? 53 } - $sequence_42 = { 50 57 6a01 ff75e0 68???????? e8???????? } - $sequence_43 = { 53 b800080000 50 56 ff35???????? } - $sequence_44 = { 8b35???????? 50 83c604 e8???????? 3bfb } - $sequence_45 = { 50 8bd7 e8???????? eb02 33c0 3bc3 741b } - $sequence_46 = { 50 e8???????? 
3bfb 7414 } - $sequence_47 = { e8???????? 85db 7423 8b0d???????? 0fb701 } - $sequence_48 = { ff75fc 56 ff35???????? ff15???????? 53 56 } - $sequence_49 = { 0f854affffff 894330 e9???????? 55 } - $sequence_50 = { 752e 53 e8???????? 6a01 6a01 ff7514 } - $sequence_51 = { 8bf8 85ff 0f845d010000 8b4730 a808 } - $sequence_52 = { 0f84e2000000 8b7334 8d442418 50 8d442410 50 e8???????? } - $sequence_53 = { 8bf8 ff7510 57 ff750c 53 e8???????? 3bfe } - $sequence_54 = { ff15???????? 53 56 ff35???????? ff15???????? 5b } - $sequence_55 = { 0f8544010000 8b472c a801 742d } - $sequence_56 = { 50 56 ff5214 8bf7 8bfe e8???????? 5f } - $sequence_57 = { 56 ff35???????? 8945f8 ff15???????? 8bd8 } - $sequence_58 = { 8b4330 a804 0f8451ffffff 8b470c } - $sequence_59 = { 33f6 3975fc 7410 ff75fc 56 ff35???????? } - $sequence_60 = { a840 7509 83632800 e9???????? 8b4330 a840 0f84e2000000 } - $sequence_61 = { 53 e8???????? 3bfe 740e 57 56 } - $sequence_62 = { 7708 0fb7c0 83e820 eb03 0fb7c0 668901 5f } - $sequence_63 = { c9 c20400 51 56 ff74240c } - $sequence_64 = { e8???????? 85c0 7507 33db 895d08 eb03 } - $sequence_65 = { 50 57 e8???????? e9???????? 68???????? } - $sequence_66 = { ff35???????? ff15???????? 33db 6a01 e8???????? } - $sequence_67 = { 8b45fc 5f 5b c9 c21400 55 } - $sequence_68 = { 8b3d???????? 56 ffd7 53 56 ffd7 } - $sequence_69 = { 8ac3 5b c9 c20400 53 56 8bf0 } - $sequence_70 = { 8bf0 8932 83c204 ff4c240c 75e6 5e 5b } - $sequence_71 = { 8bf1 05fefeffff 33db 33c9 } - $sequence_72 = { 750d eb09 ff7618 ff15???????? } - $sequence_73 = { 8b02 43 8acb d3c0 33c6 33442410 8bf0 } - $sequence_74 = { 5b c3 a1???????? 83c040 } - $sequence_75 = { 3bfb 753e ff7618 8b3d???????? ffd7 ff761c } - $sequence_76 = { 47 83c304 3b3e 72dc 8b45fc } - $sequence_77 = { 53 ff7614 ff15???????? 85c0 7512 ff15???????? } - $sequence_78 = { 8d442430 50 8d442428 50 8d442428 50 } - $sequence_79 = { 488bd8 0f8405010000 488bc8 ff15???????? } - $sequence_80 = { 7416 a1???????? 83c004 50 be???????? 
} - $sequence_81 = { e8???????? e9???????? b909010000 e9???????? } - $sequence_82 = { ff15???????? 488bcf 48870d???????? 483bcf 7405 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 33c0 3bc7 741b 50 } + $sequence_1 = { 741b 50 33c0 e8???????? 3bc7 740f } + $sequence_2 = { 3bc7 7413 50 6a10 58 e8???????? 3bc7 } + $sequence_3 = { ff75f4 6822010000 e9???????? ff7508 } + $sequence_4 = { e8???????? eb02 33c0 3bc7 7413 50 } + $sequence_5 = { 58 e8???????? 3bc7 7406 50 e8???????? } + $sequence_6 = { 51 57 50 e8???????? 83c40c e8???????? 3bc7 } + $sequence_7 = { 53 ff35???????? e8???????? 8bf0 3bf3 7443 6aff } + $sequence_8 = { 6a64 ff15???????? a1???????? 85c0 7407 83ee64 } + $sequence_9 = { ff35???????? ff15???????? 85c0 a3???????? 7402 ffe0 c20400 } + $sequence_10 = { 7406 50 e8???????? 3bdf 7414 a1???????? } + $sequence_11 = { 5b 59 c20400 8325????????00 } + $sequence_12 = { ff15???????? 3c05 7506 84e4 7704 } + $sequence_13 = { c20400 55 8bec 83ec0c a1???????? 8365f800 } + $sequence_14 = { 83451004 83c004 49 8917 75e9 8b4e10 83e103 } + $sequence_15 = { a1???????? 3bc3 7512 e8???????? 3bc3 a3???????? } + $sequence_16 = { 740d 51 50 ff7510 e8???????? 83c40c c745fc01000000 } + $sequence_17 = { 8bd8 85db 895df4 0f84c7000000 56 53 ff15???????? } + $sequence_18 = { 8b10 2b55fc 8b7d10 0155fc 83451004 83c004 49 } + $sequence_19 = { b8???????? 53 bb60ea0000 53 ff750c } + $sequence_20 = { 58 e8???????? 85c0 740d 8906 83c604 } + $sequence_21 = { 50 8b07 03442418 50 } + $sequence_22 = { 897c241c 760a 8b4b20 e8???????? 
eb02 } + $sequence_23 = { 8b5d0c 837b240c 56 57 8b3b 897c241c 760a } + $sequence_24 = { 8b442414 8b4c240c 8907 8b442418 894110 836334f9 } + $sequence_25 = { 83631c00 894b34 8b4b24 2b4b28 894c2410 8b4b34 } + $sequence_26 = { 56 57 33ff 3bdf 7414 } + $sequence_27 = { 8364240400 53 8b5d0c 837b240c } + $sequence_28 = { 50 ff35???????? ff15???????? 8b442414 8b4c240c 8907 } + $sequence_29 = { 8b74241c 8b1e 6a00 ff37 ff15???????? } + $sequence_30 = { 8a4604 2404 f6d8 1bc0 83e006 } + $sequence_31 = { 50 8d4508 50 53 8bc6 } + $sequence_32 = { 8911 eb07 6a0b eb02 6a02 58 5e } + $sequence_33 = { 8bd1 83c128 4e 7404 3bd0 74e7 } + $sequence_34 = { 750e 837d0800 7408 ff7508 e8???????? } + $sequence_35 = { 8b4a3c 03ca 0fb75114 56 } + $sequence_36 = { 752f 8b450c 8930 eb33 6a00 } + $sequence_37 = { 74a3 33ff eb0b 33ff } + $sequence_38 = { 7404 3bd0 74e7 3bd0 7420 8b4a0c } + $sequence_39 = { 53 8bc6 e8???????? 85c0 7516 } + $sequence_40 = { 488bcf c744242860ea0000 4c0f45c8 48895c2420 } + $sequence_41 = { 837d1800 b8???????? 7505 b8???????? 53 } + $sequence_42 = { 498bcc ff15???????? 33db 66ba2000 } + $sequence_43 = { 50 57 6a01 ff75e0 68???????? e8???????? } + $sequence_44 = { e8???????? 85c0 742d ff75fc 6a0d } + $sequence_45 = { 33d2 41c1e003 ff15???????? 4885c0 488be8 7453 } + $sequence_46 = { 488b0d???????? 33d2 ff15???????? bb01000000 498bcc eb07 } + $sequence_47 = { 75c4 48892e eb02 33db 488b0d???????? } + $sequence_48 = { e8???????? be01000000 8bc6 4883c440 415e 415d 415c } + $sequence_49 = { 33db 66ba2000 498bcc ff15???????? 4885c0 } + $sequence_50 = { bb01000000 498bcc eb07 83c301 488d4801 66ba2000 ff15???????? } + $sequence_51 = { c21000 55 8bec 83ec14 a1???????? 53 } + $sequence_52 = { 53 b800080000 50 56 } + $sequence_53 = { 5e 5d 5b c3 8b4754 a804 } + $sequence_54 = { ff75fc 6a0d 58 e8???????? } + $sequence_55 = { 4c0f45c8 48895c2420 e8???????? 85c0 } + $sequence_56 = { e8???????? 3bc3 740f 8b35???????? 50 83c604 } + $sequence_57 = { e8???????? 3bc3 7406 50 e8???????? 
3bfb } + $sequence_58 = { 85c0 0f84dc000000 8b45e0 8d4de0 3bc1 } + $sequence_59 = { b90e010000 41b800000100 4889442420 e8???????? e9???????? } + $sequence_60 = { 72c1 eb0c bb7f000000 eb05 bb7e000000 } + $sequence_61 = { 8bd7 e8???????? eb02 33c0 3bc3 741b } + $sequence_62 = { 33db 6a01 e8???????? 85db 7423 } + $sequence_63 = { 4883c608 83fd05 72c1 eb0c } + $sequence_64 = { 85db 7423 8b0d???????? 0fb701 663d6100 720e 663d7a00 } + $sequence_65 = { ff15???????? 488bdf 8bf7 483bdf 7508 } + $sequence_66 = { 6641b85c00 33d2 488bcd ff15???????? } + $sequence_67 = { 8b4df4 66c7015c00 eb0f 68???????? 68???????? ff75f8 ffd6 } + $sequence_68 = { 50 83c604 e8???????? 3bfb 7414 } + $sequence_69 = { 8bd5 488bcf bb57000000 e8???????? } + $sequence_70 = { c745f408000000 ff15???????? 3bc3 8945f8 } + $sequence_71 = { e8???????? 8bf8 85ff 0f845d010000 8b4730 } + $sequence_72 = { 0f85d7000000 8b4604 6a00 ff750c ff7508 } + $sequence_73 = { e8???????? 3bfe 740e 57 56 ff35???????? } + $sequence_74 = { ff7510 57 ff750c 53 e8???????? 3bfe 740e } + $sequence_75 = { f6400408 752e 53 e8???????? } + $sequence_76 = { a840 0f84e2000000 8b7334 8d442418 50 8d442410 } + $sequence_77 = { 0f854affffff 894330 e9???????? 55 8bec } + $sequence_78 = { 56 ff5214 8bf7 8bfe e8???????? 5f 5e } + $sequence_79 = { c20800 8b4330 a804 0f8451ffffff 8b470c } + $sequence_80 = { 7509 83632800 e9???????? 8b4330 a840 0f84e2000000 } + $sequence_81 = { e8???????? 33f6 3975fc 7410 ff75fc 56 ff35???????? } + $sequence_82 = { 8b8c2490000000 83bc248800000000 4c8b442440 488b542448 } $sequence_83 = { c744242000010000 ff15???????? 4883f8ff 488bf8 7442 } - $sequence_84 = { b90e010000 41b800000100 4889442420 e8???????? e9???????? } - $sequence_85 = { 741d 3dd2100000 7416 a1???????? } - $sequence_86 = { ff35???????? ffd3 8bd8 85db 7476 } - $sequence_87 = { 898c24f0000000 4533c9 4533c0 498bcb ff5028 } - $sequence_88 = { 0f8386000000 488b18 8364245800 33c0 21442450 21442454 } - $sequence_89 = { 6a03 8935???????? 8935???????? 
8935???????? } - $sequence_90 = { 488bcf c744242860ea0000 4c0f45c8 48895c2420 e8???????? 85c0 8bd8 } - $sequence_91 = { 53 56 8bf1 05fefeffff } - $sequence_92 = { a1???????? 25efff0000 0bc2 e9???????? } - $sequence_93 = { 898424f4000000 498b03 898c24f0000000 4533c9 } - $sequence_94 = { 33db 66ba2000 498bcc ff15???????? 4885c0 488bf8 7417 } - $sequence_95 = { 8b8c2490000000 83bc248800000000 4c8b442440 488b542448 } - $sequence_96 = { e9???????? 4885f6 7417 4863461c 2b6e1c 4c03e8 488b4610 } - $sequence_97 = { 4883ec20 488bf1 488b0d???????? 4c8be2 } - $sequence_98 = { 4154 4155 4883ec30 33db 33ed 418bf9 48215810 } - $sequence_99 = { 488b0d???????? 448bc3 33d2 41c1e003 ff15???????? 4885c0 488be8 } - $sequence_100 = { 0f84eb000000 83780408 0f84d9000000 488bcb e8???????? } - $sequence_101 = { 488b0d???????? 33d2 ff15???????? bb01000000 498bcc eb07 83c301 } - $sequence_102 = { 895df4 895df0 c745f857000000 bf19010000 } - $sequence_103 = { eb08 488bce e8???????? 488b5c2440 488b742448 488bc7 } - $sequence_104 = { 488b5610 4d8bc6 488bc8 e8???????? 4863561c 8bc5 2b461c } - $sequence_105 = { 488bcf ff15???????? 4c8964dd00 83c301 } - $sequence_106 = { 5f c20400 55 8bec 83e4f8 81ec9c000000 53 } - $sequence_107 = { 8bc7 e8???????? 8d4618 8b08 50 51 ff7614 } - $sequence_108 = { 8bc6 e8???????? 8b06 8b08 57 } - $sequence_109 = { 6a20 40 50 ffd6 } - $sequence_110 = { 5e 33c0 c9 c20400 55 8bec 51 } - $sequence_111 = { 4c8bcf 4889442428 8364242000 33d2 33c9 ff15???????? } - $sequence_112 = { 7557 813d????????04df2209 743c 8d4604 50 } - $sequence_113 = { 488b0d???????? 4c63c0 33d2 4983c00c ff15???????? } - $sequence_114 = { ff15???????? 83cfff 3bc7 8bd8 } - $sequence_115 = { 480f45ca 488bc1 4883c438 c3 48895c2408 48896c2410 4889742418 } - $sequence_116 = { 448bc0 8bd8 33d2 4983c001 } - $sequence_117 = { e9???????? 488bcb ff15???????? a810 } - $sequence_118 = { ff15???????? 
8945f8 85c0 7418 3bd8 7514 57 } - $sequence_119 = { 803f2a 750b 4883c701 83c3ff } - $sequence_120 = { 85ff 756f 8b0d???????? 8b05???????? } - $sequence_121 = { 4d03c0 33d2 ff15???????? 488be8 } - $sequence_122 = { 75ee 488bd5 33c9 ff15???????? 488bf8 } - $sequence_123 = { 488bf8 4885c0 7420 488bd3 488bc8 ff15???????? 488b0d???????? } - $sequence_124 = { 741d 397b04 7618 488d7308 488b0e ff15???????? ffc7 } - $sequence_125 = { c744242880000000 89742420 ff15???????? 488bf0 4883f8ff 742b } - $sequence_126 = { 7510 488b0b e8???????? 85c0 0f859b000000 } - $sequence_127 = { 85c0 0f8561010000 8b4348 a801 742c 488b0b e8???????? } - $sequence_128 = { 85c0 0f859b000000 4863533c 488b4608 } - $sequence_129 = { 8b434c 84c0 0f89a3000000 8b434c a804 7415 } - $sequence_130 = { 85c0 0f85e8000000 488b4608 488b0e 4533c9 } - $sequence_131 = { e8???????? 85c0 0f8561010000 8b4348 } - $sequence_132 = { 7505 217b3c eb0b 8b434c 84c0 0f89a3000000 } - $sequence_133 = { 7508 8b5304 83c304 01f2 8b4c241c 01d1 } - $sequence_134 = { 8b4c2424 01c1 83c304 894c2410 56 90 } - $sequence_135 = { 40 c1ca08 e2e4 c9 } - $sequence_136 = { 56 57 51 64ff3530000000 58 8b400c } - $sequence_137 = { 30c9 eb67 8044241301 0fb6ca 01cb } - $sequence_138 = { 89ec 5d c20c00 60 } - $sequence_139 = { 90 89ce 83e603 750c 8b5d10 } - $sequence_140 = { 8b3a 83c204 8b0a 83e908 } + $sequence_84 = { ff75fc 56 ff35???????? ff15???????? 53 56 ff35???????? } + $sequence_85 = { 8945f8 ff15???????? 8bd8 3bde } + $sequence_86 = { 0f845d010000 8b4730 a808 7412 53 8d47e4 } + $sequence_87 = { 53 56 ff35???????? ff15???????? 5b 5f 5e } + $sequence_88 = { 410fb64101 33d2 488d0cc3 48890d???????? } + $sequence_89 = { c3 418bd8 4803df 410fb64101 33d2 } + $sequence_90 = { 448be8 418b4310 41394308 410f474308 } + $sequence_91 = { ff15???????? 488bcf 48870d???????? 483bcf 7405 e8???????? } + $sequence_92 = { 33d2 ff15???????? 8b05???????? 418bdd } + $sequence_93 = { 33d2 498bcc 498bfd e8???????? } + $sequence_94 = { ff15???????? 
4885db 740c 4c8b0d???????? e9???????? } + $sequence_95 = { 50 57 e8???????? e9???????? 68???????? } + $sequence_96 = { c9 c20400 51 56 ff74240c } + $sequence_97 = { e8???????? 85c0 7507 33db 895d08 eb03 8b5d08 } + $sequence_98 = { 85d2 4d8bf1 458bf8 8bc2 } + $sequence_99 = { 8a4b1c 488b4558 4c8b4d30 4c8b4510 } + $sequence_100 = { 48890d???????? 410fb64102 488d0cc3 48890d???????? } + $sequence_101 = { 7708 0fb7c0 83e820 eb03 0fb7c0 668901 5f } + $sequence_102 = { 488bce ff15???????? 488b0d???????? 33d2 4c63c0 } + $sequence_103 = { 410fb64102 488d0cc3 48890d???????? 410fb64103 488d0cc3 48890d???????? } + $sequence_104 = { 33d2 ff15???????? 483bc3 4c8be8 } + $sequence_105 = { 7512 ff15???????? 8bf8 81ffe5030000 } + $sequence_106 = { 8bf0 8932 83c204 ff4c240c 75e6 5e 5b } + $sequence_107 = { 5b c3 a1???????? 83c040 50 ff15???????? eb08 } + $sequence_108 = { ff15???????? 8ac3 5b c9 c20400 53 } + $sequence_109 = { ff7514 ff7510 ff7008 ff750c ff7508 e8???????? 0945fc } + $sequence_110 = { 8b3d???????? 56 ffd7 53 56 } + $sequence_111 = { 750d eb09 ff7618 ff15???????? 33ff 83ffff 7508 } + $sequence_112 = { c9 c20400 53 56 8bf0 8a06 } + $sequence_113 = { 8bf1 05fefeffff 33db 33c9 } + $sequence_114 = { 8b02 43 8acb d3c0 33c6 33442410 8bf0 } + $sequence_115 = { 488bd6 ff15???????? eb14 488b0d???????? 4c8bc7 } + $sequence_116 = { 832700 458be0 bb08000000 e8???????? 85c0 } + $sequence_117 = { 488d542440 488bcd ff15???????? 4883f8ff 4c8be0 0f8583000000 488b0d???????? } + $sequence_118 = { 4c8d4c2450 4c8d442458 8d5001 488bce e8???????? } + $sequence_119 = { ff15???????? 488bf0 488d44246c 2bf0 443bf3 8bc3 7408 } + $sequence_120 = { 83c701 e9???????? 488b8424c8010000 498bcc bb01000000 4c8928 } + $sequence_121 = { 488d9424d8010000 488d4c2454 ff15???????? 3bc3 7fbd 83c701 e9???????? } + $sequence_122 = { 50 8d442430 50 8d442428 50 8d442428 50 } + $sequence_123 = { 3dd2100000 7416 a1???????? 83c004 50 be???????? } + $sequence_124 = { 488bce ff15???????? 
4c8d4c2450 4c8d442458 } + $sequence_125 = { ff15???????? 483bc3 4c8be8 0f841c010000 448b05???????? 33d2 488bc8 } + $sequence_126 = { 6a00 ff35???????? ffd3 8bd8 85db 7476 } + $sequence_127 = { 4533c9 4889442428 215c2420 4533c0 } + $sequence_128 = { 33d2 ff15???????? 33ff 4885ff } + $sequence_129 = { e9???????? 33c9 bb26040000 48870d???????? } + $sequence_130 = { 41b905000000 488bd8 ff15???????? 488bcb ff15???????? 4533c9 488bd3 } + $sequence_131 = { 41be01000000 33c9 418bd6 ff15???????? } + $sequence_132 = { 488bc8 ff15???????? 8b05???????? 3d2caedb8b } + $sequence_133 = { 448bc0 8bd8 33d2 4983c001 } + $sequence_134 = { e9???????? 488bcb ff15???????? a810 } + $sequence_135 = { 895df4 895df0 c745f857000000 bf19010000 } + $sequence_136 = { 6a03 8935???????? 8935???????? 8935???????? } + $sequence_137 = { a1???????? 25efff0000 0bc2 e9???????? } + $sequence_138 = { 53 56 8bf1 05fefeffff } + $sequence_139 = { e8???????? 85c0 740f 488d4f50 } + $sequence_140 = { 803f2a 750b 4883c701 83c3ff } + $sequence_141 = { 488b0d???????? 4c63c0 33d2 4983c00c ff15???????? } + $sequence_142 = { 215c2420 4533c9 4533c0 33d2 ff15???????? 85c0 } + $sequence_143 = { ff15???????? 488b0d???????? 4889040f 4883c708 492bf6 } + $sequence_144 = { 8bc6 e8???????? 8b06 8b08 } + $sequence_145 = { 57 4154 4155 4156 4883ec50 488bf1 } + $sequence_146 = { 6a20 40 50 ffd6 } + $sequence_147 = { 8bc7 5f c20400 55 8bec 83e4f8 81ec9c000000 } + $sequence_148 = { 5e 33c0 c9 c20400 55 8bec 51 } + $sequence_149 = { 53 8bc7 e8???????? 8d4618 8b08 } + $sequence_150 = { 750a 488bcf e8???????? 8bd8 488b0d???????? 4c8bc7 } + $sequence_151 = { 488d542438 488bcb e8???????? eb02 } + $sequence_152 = { 33d2 ff15???????? 83bc241002000000 7416 488d942410020000 4c8bcf } + $sequence_153 = { 488b15???????? 4c8d842428020000 48c7c101000080 ff15???????? } + $sequence_154 = { 7417 4863461c 2b6e1c 4c03e8 488b4610 48894718 4883661000 } + $sequence_155 = { 448d4803 4533c0 488bd3 ff15???????? 
488b8c2428020000 } + $sequence_156 = { 488bcb ff15???????? 8bc8 ff15???????? 21b42410020000 } + $sequence_157 = { 4155 4881ecf0010000 33f6 33c0 } + $sequence_158 = { 4885c9 7405 e8???????? 4883c428 c3 488d82204a0000 } + $sequence_159 = { c745f801000000 57 53 ff35???????? ff15???????? 8b45f8 } + $sequence_160 = { 85c0 7412 ff7508 e8???????? eb03 33c0 } + $sequence_161 = { 418bcd e8???????? 8b842410020000 4c8d9c24f0010000 498b5b28 } + $sequence_162 = { c3 488d82204a0000 488982284a0000 488900 } + $sequence_163 = { 84c0 0f89a3000000 8b434c a804 } + $sequence_164 = { 4c8d40cc 33d2 33c9 e8???????? 85c0 0f8561010000 } + $sequence_165 = { 7510 488b0b e8???????? 85c0 0f859b000000 4863533c } + $sequence_166 = { 85c0 0f859b000000 4863533c 488b4608 488b0e 48035334 } + $sequence_167 = { 85c0 0f85e8000000 488b4608 488b0e 4533c9 } + $sequence_168 = { e8???????? 488b0d???????? 4c8bc3 33d2 ff15???????? 488b0d???????? 4c8bc7 } + $sequence_169 = { 8b4348 a801 742c 488b0b e8???????? 85c0 0f85e8000000 } + $sequence_170 = { 03d0 4585e4 75b0 4c63d3 42011497 4c8ba42410010000 } + $sequence_171 = { e8???????? 488bf8 4885c0 7427 488d542420 } + $sequence_172 = { 4c89642448 ff15???????? 8bd8 83f8ff } + $sequence_173 = { 488d542440 e8???????? 8bd8 85c0 7541 488b7c2440 85f6 } + $sequence_174 = { 85c0 0f85f3010000 4c8b842418020000 8d5808 488d8c24b0000000 4d85c0 } + $sequence_175 = { 8d4b01 4533c0 ff15???????? 8bd8 83f801 } + $sequence_176 = { ba10000000 488bc8 e8???????? 48898424e0010000 } + $sequence_177 = { 7427 488d542420 b901020000 ff15???????? } + $sequence_178 = { 488b842410020000 4889442420 e8???????? 
8bd8 } + $sequence_179 = { 3b5c2428 0f8266ffffff 5f 5e 89e8 } + $sequence_180 = { 85f6 57 884c2413 0f869c000000 eb04 8b742428 84c9 } + $sequence_181 = { ebdd 8b4508 03450c 034510 39d0 75c3 } + $sequence_182 = { 40 c1ca08 e2e4 c9 c20c00 83ec10 } + $sequence_183 = { 89ec 5d c20c00 60 } + $sequence_184 = { 8b4c241c 01d1 894c2414 8b4c2424 01c1 } + $sequence_185 = { eba2 5f 5e 5d 5b 83c408 c3 } + $sequence_186 = { 90 89ce 83e603 750c 8b5d10 6601da } condition: 7 of them and filesize < 2940928 
@@ -113962,36 +114504,36 @@ rule MALPEDIA_Win_Credraptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "38da88b1-241e-5356-be41-ccd7d9b62617" - date = "2026-01-05" - modified = "2026-01-06" + id = "9d0b1027-08e6-50d3-a781-8fb7ecf31e45" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.credraptor_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.credraptor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "0cde833c9a51e3ab99821592757d4fd144febcb8863fef5eac3bf6a67840a9e9" + logic_hash = "fe9ed9ed58c22287dd1af580d8d6d2ff7795312c2dc30f56a9c696ba71ba8156" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4720 83c40c 837e4000 89558c 8945c0 894db8 0f85c9120000 } - $sequence_1 = { e8???????? 83c40c e9???????? 837f3000 7415 8b5508 52 } - $sequence_2 = { e8???????? 83c404 8b5dfc 5e 8b4d0c 51 8bc3 } - $sequence_3 = { e9???????? a802 7508 83c8ff e9???????? 8b45f0 85c0 } - $sequence_4 = { c6043b25 03da ddd9 ddd8 8b4d94 41 803900 } - $sequence_5 = { c745dc377f0682 c745e0002de218 884de9 8855ea 8845eb 3bc7 750e } - $sequence_6 = { c70353000000 b802000000 5b 5d c3 83f83e 7510 } - $sequence_7 = { be???????? 
8d4ddc 8a01 3a06 751a 84c0 7412 } - $sequence_8 = { c1f812 0cf0 0fb6c8 51 8bce e8???????? 8bd3 } - $sequence_9 = { e8???????? ff45e4 83c404 83c318 8945f0 85c0 74e0 } + $sequence_0 = { 8b54080c f6424e01 753a 83fb01 7435 8b4508 50 } + $sequence_1 = { ffd3 6804010000 6a00 85c0 7435 8d95f8feffff 52 } + $sequence_2 = { ddd8 83c8ff 8be5 5d c3 dc0d???????? e8???????? } + $sequence_3 = { eb06 891e c6460401 8b4610 83f8ff 7449 8d48d0 } + $sequence_4 = { 8d55a8 52 8945a8 8945ac 8b45ec 6a12 50 } + $sequence_5 = { b801000000 014748 8945d8 8b4748 50 6a00 6a1c } + $sequence_6 = { c3 8b5018 53 8b5838 56 8b31 895588 } + $sequence_7 = { f6411604 8945ac 8944bde8 7440 8b9cbd64ffffff 8b55ac 8bc3 } + $sequence_8 = { e8???????? 50 8bf3 68???????? 8d5f04 e8???????? 8b5df8 } + $sequence_9 = { ff2485b1024900 838de8fdffffff 89b594fdffff 89b5bcfdffff 89b5ccfdffff 89b5d0fdffff 89b5f0fdffff } condition: 7 of them and filesize < 1728512 
@@ -114001,36 +114543,36 @@ rule MALPEDIA_Win_Ironhalo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5d173d13-7e7f-5038-a17a-f1673b379630" - date = "2026-01-05" - modified = "2026-01-06" + id = "ff81555d-b057-5dc8-9c08-d50d0e39fa8f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ironhalo_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ironhalo_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "b28c071e016d2fd6c8035d945d059b7edc886edf229a30a1e4641350946cb806" + logic_hash = "b3c3267632db8fb73771a0962aa4b065de65cdb802cf4cd8562b60f577e6d53b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a800c914000 83e00f eb02 33c0 } - $sequence_1 = { 8bcb c1f805 83e11f 8b048560e04000 f644c80401 0f84f9000000 6a01 } - $sequence_2 = { 6a00 56 e8???????? 56 e8???????? 8be8 83c410 } - $sequence_3 = { ffd6 8d542410 8d442424 52 50 ffd6 8d4c2424 } - $sequence_4 = { ffd7 8d742428 bb03000000 8d442438 } - $sequence_5 = { 243f c0e206 0ac2 83c104 88042f 45 803c3100 } - $sequence_6 = { 743a 0fb6d0 f68221cf400004 741a } - $sequence_7 = { 50 ffd7 8d742428 bb03000000 8d4c2438 8d542410 } - $sequence_8 = { 52 668954241c e8???????? 50 e8???????? 
83c408 8d442410 } - $sequence_9 = { 6a00 6a50 50 56 ff15???????? 8be8 } + $sequence_0 = { 75f5 8d0c49 5e 8d0c8df0c14000 } + $sequence_1 = { 88442419 fec0 47 3c40 72f1 8a543102 32c0 } + $sequence_2 = { 68???????? 50 e8???????? 8bf0 83c408 85f6 7502 } + $sequence_3 = { fec0 47 3c40 72f1 8a5c3103 8a44241b } + $sequence_4 = { 6689542430 e8???????? 56 e8???????? 8a44242c 83c41c } + $sequence_5 = { 83c408 8944240c 85c0 7502 5e } + $sequence_6 = { b9???????? 8bc2 8bf2 c1f805 83e61f 8b048560e04000 8b04f0 } + $sequence_7 = { 51 e8???????? 83c408 8944240c 85c0 7502 5e } + $sequence_8 = { 7504 88442419 fec0 47 } + $sequence_9 = { 85f6 0f8426feffff 8b3d???????? c744241c01000000 8d4c241c 8d942430030000 51 } condition: 7 of them and filesize < 131072 
@@ -114040,36 +114582,36 @@ rule MALPEDIA_Win_Chir_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "78bff571-2d0f-563f-8afb-2fed2637cee4" - date = "2026-01-05" - modified = "2026-01-06" + id = "635d6b9d-8fff-59f3-bbfc-cfe4cfe9f3b7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chir_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chir_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "13fbf415f29c525be8d7104bf47ab4cf9292f1187b96643f7c39e370c88f7e8f" + logic_hash = "5446884e0b652c536e75db77497a5dbef905fa330c5141c089b41eabc61689ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 c745f840214125 c745fc32212400 e8???????? } - $sequence_1 = { 48 59 8bfb 7419 } - $sequence_2 = { 8d45f0 50 c745f021352432 c745f451173300 e8???????? 48 } - $sequence_3 = { 8d4c15f8 8a19 80f3fc 80c302 80f301 80c303 } - $sequence_4 = { 8d45f4 50 c745f421352432 c745f851173300 e8???????? } - $sequence_5 = { 740b 48 8906 66837c47fe5c } - $sequence_6 = { c745f451173300 e8???????? 
48 59 8bfb } - $sequence_7 = { 7415 8d4c15f8 8a01 34fc 0402 3401 0403 } - $sequence_8 = { 42 8801 3bd7 72eb } - $sequence_9 = { 8d45f4 50 c745f421352432 c745f851173300 } + $sequence_0 = { 33d2 48 8d4c0901 7410 8d0c8df4ffffff 304c15f8 42 } + $sequence_1 = { 8d4c0901 7410 8d0c8df4ffffff 304c15f8 42 } + $sequence_2 = { 8bc4 fc 56 57 } + $sequence_3 = { e8???????? 48 59 8bfb 7419 } + $sequence_4 = { 80f2fc 80c202 80f201 80c203 } + $sequence_5 = { e8???????? 48 59 8bcb 7419 } + $sequence_6 = { 807df905 0f94c1 33d2 48 8d4c0901 7410 } + $sequence_7 = { 8d4c35f8 8a11 80f2fc 80c202 } + $sequence_8 = { c745f851173300 e8???????? 48 59 } + $sequence_9 = { 66837c47fe5c 75ef 8b06 33c9 66890c47 33c0 } condition: 7 of them and filesize < 286720 
@@ -114079,36 +114621,36 @@ rule MALPEDIA_Win_Scoring_Math_Tea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6a5f2479-dd77-5460-b6ab-7a1fa699026a" - date = "2026-01-05" - modified = "2026-01-06" + id = "72a68397-1150-5c5e-aa19-a6f46beacfd1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scoring_math_tea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scoring_math_tea_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scoring_math_tea_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "a12d9d501b7d3baa59a060b6fa56cd1bfb57e15b553bc88c44e1282cce7ff1d8" + logic_hash = "a0b7afbb01f83e4c72fd10ca97627b81d25ffa4f2a282f6522fc2dc5dd107ff6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 448bfe 448be6 89742450 4889b42420010000 0f57c0 f30f7f842430010000 4533c0 } - $sequence_1 = { 66894dea 488d4de0 0fb700 668945ec 33c0 } - $sequence_2 = { 4889458c 33c0 894594 66894598 48b85700650064000000 4889459a 33c0 } - $sequence_3 = { 83ef01 7986 4885db 743d 488b45af 482bc3 48c1f802 } - $sequence_4 = { 83e00a eb09 33c0 eb05 b80a000000 488b5c2430 } - $sequence_5 = { e8???????? 90 488d4c2420 e8???????? 
4889742420 4889742430 4889742438 } - $sequence_6 = { 49ffc6 4183c708 443b3a 72d7 8b02 } - $sequence_7 = { 410fb702 6643390413 7515 4983c202 4883ef01 75eb 4c8bc1 } - $sequence_8 = { e8???????? 458d41ff 41bfffff0000 8d7a02 4963c8 664139b44a18100000 7511 } - $sequence_9 = { 49ffc1 413801 7513 4883c108 49ffc1 8a01 413801 } + $sequence_0 = { 4903cf 66443921 75f7 8b05???????? 488d542430 8901 0fb705???????? } + $sequence_1 = { 4885c0 74d1 488d4c2460 ffd0 b9ad2d0ca2 e8???????? 488d4c2448 } + $sequence_2 = { 4c8d8520030000 4c89642428 8bd7 488bce 4c89642420 c744246005010000 ff15???????? } + $sequence_3 = { 740d 418bcf e8???????? 488bce ffd0 418bc6 488b4d27 } + $sequence_4 = { 4881f900100000 7215 e8???????? 488bf8 eb19 493bc8 0f87c2000000 } + $sequence_5 = { 4c8d4c2450 488364242000 448bc7 ff15???????? 8b442450 eb09 c7431400000001 } + $sequence_6 = { 7423 8b5c2440 488bd5 015f5c 448bc3 8b4f60 e8???????? } + $sequence_7 = { 420fb744f204 8987e8af0600 420fb744f206 8987dcaf0600 443bf5 7f07 66834e0404 } + $sequence_8 = { 44886591 e8???????? 488d5587 488bcf 4c8bf8 e8???????? 4c8bf0 } + $sequence_9 = { e8???????? c70022000000 e8???????? 488b8328090000 488db338090000 8bc8 } condition: 7 of them and filesize < 881664 
@@ -114118,36 +114660,36 @@ rule MALPEDIA_Win_Stuxnet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "64e9fab1-7d89-5a6e-8a31-2df625be17c1" - date = "2026-01-05" - modified = "2026-01-06" + id = "33713859-db85-53cb-92da-bcaf3d94a143" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stuxnet_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stuxnet_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "0de893dd2abe057bcddad1952313e85e04a81b980ccf81d569805dbd5ff30eda" + logic_hash = "0c8cce219e954862aa17ca0354bb5e042abfb23b35c8dc40c10ca72be2707f0b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 84c0 7504 804e1104 e8???????? 84c0 7404 } - $sequence_1 = { ff750c 8d4580 50 e8???????? 33db 895dfc 8d4580 } - $sequence_2 = { ff75f8 8d963c0b0000 57 e8???????? 59 59 5f } - $sequence_3 = { c3 8b44240c 8906 33c0 40 5e c3 } - $sequence_4 = { 8d4580 50 8d8540ffffff 50 e8???????? c645fc05 50 } - $sequence_5 = { e8???????? ff75c8 8d45ec 50 e8???????? ff75c9 8d45ec } - $sequence_6 = { b8???????? e8???????? 51 8365f000 56 8b7508 8d45f0 } - $sequence_7 = { e8???????? eb02 33c0 c645fc00 8b7d08 83c704 50 } - $sequence_8 = { e8???????? 
8906 895604 c9 c3 8b08 8b4004 } - $sequence_9 = { 8955ec c7042410270000 e8???????? c645fc01 8b0e 8b01 6a02 } + $sequence_0 = { e8???????? bef4030000 03c6 e8???????? 8845ef 834dfcff 8d45e8 } + $sequence_1 = { c3 55 8bec 83ec44 56 6a44 8d45bc } + $sequence_2 = { b8???????? e8???????? 81ecc8010000 53 56 57 8965f0 } + $sequence_3 = { 53 e8???????? 8d45d8 50 56 e8???????? 8365fc00 } + $sequence_4 = { ff75e8 ff15???????? 85c0 0f85defeffff eb1a 8d45ac 50 } + $sequence_5 = { c645fc05 8d45f0 50 e8???????? c645fc04 8b75e8 3bf3 } + $sequence_6 = { e8???????? 50 8d470c 50 ff15???????? 83670800 8d8714020000 } + $sequence_7 = { 8b5d08 56 6880000000 8bc3 e8???????? 8bf0 59 } + $sequence_8 = { e8???????? 8b4c2410 8988b4000000 8b4c2414 8988b8000000 834c2424ff 8d44240c } + $sequence_9 = { c645fc03 8d462c 50 895e24 895e28 e8???????? 59 } condition: 7 of them and filesize < 2495488 @@ -114158,10 +114700,10 @@ rule MALPEDIA_Win_Micrass_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "a229f115-b5ac-5aa3-9ddb-ec5c8630e70f" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.micrass_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.micrass_auto.yar#L1-L118" license_url = "N/A" logic_hash = "639446b0255ff71a4b5f82ebea10985e5191c147bc877240c832d8560fe4064d" score = 75 
@@ -114170,9 +114712,9 @@ rule MALPEDIA_Win_Micrass_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -114196,36 +114738,36 @@ rule MALPEDIA_Win_Naikon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1a371971-3c14-5c5c-93ec-3bfac331df93" - date = "2026-01-05" - modified = "2026-01-06" + id = "37e44561-1081-5015-9cbe-a00c6a38b717" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.naikon_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.naikon_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "83032b5030b393c588ce5d94661092c796ec6d6ab26688f2a44eab055633535d" + logic_hash = "230f73395e50d4415af67d6ca7236840e64e001520a39d78298757e55e6fb620" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf8 59 3bfb 59 741d 8b06 2bc7 } - $sequence_1 = { eb05 397df8 7415 8d45f0 } - $sequence_2 = { 8975c4 8945b0 8b450c 8945bc 03f0 8b45e4 8b4f6c } - $sequence_3 = { 53 50 e8???????? 6a04 8d85f8fdffff 68???????? 50 } - $sequence_4 = { 8b06 03c3 68???????? 50 e8???????? 68???????? e9???????? } - $sequence_5 = { 03c8 83c00c 8903 8d45d8 6a0c 50 ff750c } - $sequence_6 = { e8???????? ff75fc e8???????? 83c414 eb02 33db } - $sequence_7 = { 6a10 68???????? e9???????? 
6a00 ff75fc 53 8d853cffffff } - $sequence_8 = { 8b00 52 53 53 8b4010 } - $sequence_9 = { 838e90000000ff 8dbe8c000000 85c0 740a 50 ff15???????? } + $sequence_0 = { ff75e8 ff5040 8b436c ff750c ff5024 } + $sequence_1 = { 8d459c 8945e8 53 8d45e0 53 50 } + $sequence_2 = { 59 74bd 68???????? e8???????? 03d8 } + $sequence_3 = { e8???????? 83c424 8d45ac 897dac 50 8d45e0 } + $sequence_4 = { 5f 5e c3 55 8bec 81ec340a0000 } + $sequence_5 = { 8bf8 83ffff 0f84bf000000 85ff 0f84b7000000 8d85d4efffff } + $sequence_6 = { 50 68???????? 53 e8???????? 8d8570fdffff 6a3e } + $sequence_7 = { 50 ff75fc e8???????? 53 8945f4 ffd7 837df400 } + $sequence_8 = { 55 8bec 81ec90010000 8d8570feffff 50 6a02 e8???????? } + $sequence_9 = { ff7508 eb17 6a00 8bce e8???????? 8b06 8b4e08 } condition: 7 of them and filesize < 188416 
@@ -114235,36 +114777,36 @@ rule MALPEDIA_Win_Rombertik_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fd5d6ec1-b599-5122-939f-30fe62c6e74a" - date = "2026-01-05" - modified = "2026-01-06" + id = "7aa70c23-232c-5b21-a7bd-0ec818b6fe5f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rombertik_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rombertik_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "1bd4f27874587acc7747c5d4ae5b510eeb7a9ee716658437468f5342433983ca" + logic_hash = "fc5e4e935c91415f8beac32f0f98ebdd7353fdfe2ac51f6fae8364c710d9db56" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 56 ff15???????? 85c0 7559 8b5e10 33ff } - $sequence_1 = { 40 49 75f9 8955f8 85d2 } - $sequence_2 = { 0f94c0 84c0 750d 47 3b7d0c 72c9 } - $sequence_3 = { 47 41 3bfb 72be 8b5df0 } - $sequence_4 = { 85c0 7426 8d95f8feffff 52 } - $sequence_5 = { 8d4de4 51 8955e8 8b55fc 6a00 52 } - $sequence_6 = { 8bec 81ec3c030000 53 56 57 bf00010000 } - $sequence_7 = { 8d8ddcfdffff 8bf0 51 56 } - $sequence_8 = { 68???????? 50 56 e8???????? 83c414 a3???????? 
} - $sequence_9 = { 81c900ffffff 41 8a9c0d00ffffff 889c0500ffffff } + $sequence_0 = { 75f9 2bc6 03c1 03c7 8d4c187e } + $sequence_1 = { 8945f8 ff15???????? b8???????? 40 3818 75fb 8b35???????? } + $sequence_2 = { 6a00 50 ff15???????? 898608010000 } + $sequence_3 = { 52 6800010000 50 ff15???????? f7d8 1bc0 f7d8 } + $sequence_4 = { 6a00 6a00 6a00 6818000900 50 ff15???????? } + $sequence_5 = { 68ffff1f00 ff15???????? 8bf0 3bf3 7473 } + $sequence_6 = { 8d95e0feffff 52 ffd7 85c0 } + $sequence_7 = { 83c410 85c0 7409 6a00 ffd0 83c404 5e } + $sequence_8 = { 60 8b75fc bf???????? 8b4df8 f3a4 } + $sequence_9 = { 50 52 8d85f4feffff 57 50 e8???????? } condition: 7 of them and filesize < 73728 
@@ -114274,36 +114816,36 @@ rule MALPEDIA_Win_Kelihos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ce7cec0-9b63-57ad-afe3-2ac567126cba" - date = "2026-01-05" - modified = "2026-01-06" + id = "9f37a975-1de8-509e-9e94-af5d7088fe63" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kelihos_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kelihos_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "c2eacbb99d14be28a148d8ab81d8255fe39a06721e8fc3e2b106469f00f3e62c" + logic_hash = "6ad522b1069e95a2743782babae88b692ba7271a95223f2203556d0dea66c488" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 6a01 6a08 e8???????? 6a03 53 53 } - $sequence_1 = { e8???????? 8bf3 8d5c1b02 3b5d0c 7cb6 7526 8b450c } - $sequence_2 = { 8d8c24ac000000 8844241b e8???????? 85c0 743a 385c2417 7534 } - $sequence_3 = { c3 837c2404ff 750e 817c2408ffffff7f 7504 33c0 40 } - $sequence_4 = { c60060 e8???????? 6a5c 8bce c60064 e8???????? 68c5010000 } - $sequence_5 = { eb02 33c0 57 50 ff742418 ff742420 ff74241c } - $sequence_6 = { c3 56 8bf1 6a00 6a01 8d4e7c c706???????? } - $sequence_7 = { e9???????? e8???????? 8b00 50 e8???????? 
83c404 50 } - $sequence_8 = { c6400d00 8908 eb06 8b4508 832000 e8???????? c20c00 } - $sequence_9 = { c1e108 034df0 8d4514 e8???????? 834dfcff 8d4514 50 } + $sequence_0 = { e8???????? 8bf1 8b4508 8945f0 c745fc01000000 8975ec 8d5c3602 } + $sequence_1 = { c645fc08 e8???????? 68???????? 8d8dd0feffff e8???????? 8d85d0feffff 50 } + $sequence_2 = { e9???????? 68cc000000 b8???????? e8???????? 8d8540ffffff 50 8bf9 } + $sequence_3 = { ff7310 33c0 8d7d08 aa 8bfb 8d75e8 e8???????? } + $sequence_4 = { e8???????? 8db5b8fdffff e8???????? 53 6a01 8d4dbc e8???????? } + $sequence_5 = { ff36 ff7004 ff30 8d45c0 50 e8???????? 8b7508 } + $sequence_6 = { c7400c00f0ffff 833f00 8bce 740d 8bd7 8b0a 83791000 } + $sequence_7 = { c6430801 8d4538 50 b9???????? 8bfb e8???????? 8bd8 } + $sequence_8 = { ffd5 0fb7f0 b803000000 8d4805 8d50ff e8???????? 83ffff } + $sequence_9 = { eb89 5f 5e 5b c9 c20400 55 } condition: 7 of them and filesize < 4702208 
@@ -114313,42 +114855,42 @@ rule MALPEDIA_Win_Rifdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c64cc60e-de43-57ba-a8c5-3da8fe6ea09a" - date = "2026-01-05" - modified = "2026-01-06" + id = "a31f7bd0-1ed0-5fd9-873c-451f99775a1c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rifdoor_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rifdoor_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "4a7031572d6960be3c18bec0c177698078092abb2ffc70b93030291dca57dff4" + logic_hash = "b71b1ed569a75b60e54eb60641d1720e666f05f6f32fa3269807a7fb2d81288b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7404 3bc3 7508 c744242401000000 8d4c2410 } - $sequence_1 = { 895c2410 8d442410 50 b808000000 b9???????? e8???????? } - $sequence_2 = { 56 bf12000000 e8???????? 83c404 } - $sequence_3 = { c1e006 03048d605d4100 eb05 b8???????? } - $sequence_4 = { 8b4c2408 51 ff15???????? 5f 83c408 c3 } - $sequence_5 = { 6a00 6a12 8d54240c 52 50 } - $sequence_6 = { 85c0 7518 5e 8b8c2404010000 33cc e8???????? 
81c408010000 } - $sequence_7 = { 7d0e 885c301c 017e5c 8b465c 3bc1 } - $sequence_8 = { 80bd98feffff00 8d8598feffff 740d 8bc8 } - $sequence_9 = { c1eb10 22d3 8bde 8bc8 } - $sequence_10 = { 03c2 8b9540fbffff 89853cfbffff 52 8d8544fbffff } - $sequence_11 = { 8bec 53 56 8b35???????? 57 3b35???????? 7d4a } - $sequence_12 = { ff15???????? 85c0 0f85cf000000 803d????????00 b8???????? } - $sequence_13 = { 5d c3 6a04 8d45dc 50 6a08 } - $sequence_14 = { 33c0 898540bdffff 898544bdffff 898548bdffff 89854cbdffff 8b8558bdffff } - $sequence_15 = { ff15???????? 8d85e8fbffff 50 8bc8 51 ff15???????? e9???????? } + $sequence_0 = { 57 ffd6 8d4c2410 a3???????? 51 b810000000 } + $sequence_1 = { ff15???????? 5f b001 5e 81c408010000 } + $sequence_2 = { e8???????? 8b4de4 83c40c 6bc930 8975e0 8db1304b4100 } + $sequence_3 = { 02c9 02c9 880c30 eb26 } + $sequence_4 = { 85d2 7e6d 83f93d 7468 83f920 } + $sequence_5 = { 52 b808000000 b9???????? 895c2414 e8???????? 8be8 } + $sequence_6 = { e8???????? 83c410 6a00 8d84240c010000 50 ff15???????? 6a00 } + $sequence_7 = { c3 397c240c 74e1 ba4f000000 8bc2 } + $sequence_8 = { 52 8d45e8 50 8d8de8f7ffff } + $sequence_9 = { b9843a0000 81fb843a0000 7702 8bcb 2bd9 be2c1a0000 33ff } + $sequence_10 = { eb08 ff15???????? 33c9 b873b2e745 f72d???????? } + $sequence_11 = { 83c103 51 ffd3 a3???????? eb2c 8b14b7 83c203 } + $sequence_12 = { 83c40c 8d8d68fcffff 51 8d9574fcffff 52 6a00 } + $sequence_13 = { 68ff000000 e8???????? 59 59 8b7508 8d34f5000d4100 391e } + $sequence_14 = { ff15???????? 8bf8 83ffff 0f84bb000000 53 } + $sequence_15 = { c785e4bcffff44000000 899d1cbdffff c78510bdffff01010000 66898514bdffff 33f6 8d642400 8d8d40bdffff } condition: 7 of them and filesize < 212992 
@@ -114359,10 +114901,10 @@ rule MALPEDIA_Win_Bert_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "92a36b55-e0d9-554d-851b-77dda3f7bbeb" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bert" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bert_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bert_auto.yar#L1-L117" license_url = "N/A" logic_hash = "a6e868967ddeea2e01bd4f16c21024fbdee2d69c00cbdbbbdfda193aebc93a0a" score = 75 @@ -114371,9 +114913,9 @@ rule MALPEDIA_Win_Bert_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -114397,36 +114939,36 @@ rule MALPEDIA_Win_Floxif_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ffd7b18b-df79-5e10-a446-739ad37f5cd1" - date = "2026-01-05" - modified = "2026-01-06" + id = "acb02d64-9c01-5139-a9b7-c99a7c71c8c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.floxif_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.floxif_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "ea5402045cc061612aa202cf5adc4c091c680ec32b64c798623434387b1d2b20" + logic_hash = "65aabe0618ff29144b3651b5eefefbab27efaa678d9484e0fef3171c8e7b36e2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837dfc05 7e02 eb0d 68a00f0000 ff15???????? } - $sequence_1 = { eb09 8b45a8 83c001 8945a8 8d4dc0 e8???????? 3945a8 } - $sequence_2 = { 68???????? 8d4de0 e8???????? 68???????? b9???????? e8???????? 6a00 } - $sequence_3 = { e8???????? 8d4d08 51 8d4de4 e8???????? c645f400 } - $sequence_4 = { 51 8b55f4 52 8b45fc 50 6aff 8b4d08 } - $sequence_5 = { 837df800 7e68 8b45f8 83c001 50 6a00 8d8d4cffffff } - $sequence_6 = { c6855fffffff94 c68560ffffff92 c68561ffffffe1 c6458c00 c6458d00 c6458e72 } - $sequence_7 = { e8???????? e8???????? 83c410 682c010000 ff15???????? e8???????? 
83ec10 } - $sequence_8 = { 83c40c 8b5510 52 8b450c c1e004 8b4d08 03c8 } - $sequence_9 = { 7629 a1???????? 0305???????? 8b4d0c 3981b8000000 7313 } + $sequence_0 = { 53 56 57 e8???????? c3 bd8d459050 8d4df0 } + $sequence_1 = { c70000000000 8b4dfc 83791000 7417 } + $sequence_2 = { 51 8b550c 52 ff15???????? 8b4518 50 8b4d14 } + $sequence_3 = { 8d45fc 50 8b4d1c 51 8b5518 52 8b45b4 } + $sequence_4 = { 7627 8d4df8 51 8b55fc 52 ff15???????? 3b45f4 } + $sequence_5 = { 0f8ca3000000 81fb8a000000 0f8f97000000 56 57 8b7d0c 8b34bd940e0210 } + $sequence_6 = { c1f905 56 57 8b348d805f0210 8d1c8d805f0210 8d3cc0 } + $sequence_7 = { 25ff000000 85c0 7449 6a00 68???????? e8???????? } + $sequence_8 = { 2bd1 8955fc 8b45f0 8b4804 034d0c 894df4 eb1a } + $sequence_9 = { 85c0 7452 c685a4fdffff01 8d4d98 } condition: 7 of them and filesize < 352256 
@@ -114436,36 +114978,36 @@ rule MALPEDIA_Win_Kapeka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7a97f5ec-4398-5b2b-8ee0-712591242f63" - date = "2026-01-05" - modified = "2026-01-06" + id = "9683a497-daa1-5a3d-af3c-333183ec614a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kapeka" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kapeka_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kapeka_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "3423309dd00c2032617bc59ad3fa8dc9a6be83aaab30c6da6deeede3840c0066" + logic_hash = "27a466079b0dd09d81ca32f591f191fcd05f3e9c6d49a2bd744df9f52ff21a67" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 498bcf e8???????? 488d15a8530100 488bc8 e8???????? ba02100000 488d4d10 } - $sequence_1 = { 488bda 488bf9 e8???????? 488bd3 48895f28 488bcf e8???????? } - $sequence_2 = { 488bc8 e8???????? 488be8 eb03 488bef 488d4c2420 e8???????? } - $sequence_3 = { 4803c8 e8???????? 488b442468 488b4c2460 482bc1 } - $sequence_4 = { 418bc3 c1e810 0fb6c8 418bbc9470dd0100 4133bc8c70d90100 8bc6 48c1e818 } - $sequence_5 = { 8d4f01 e8???????? 488b4b10 488903 48894308 488b5328 } - $sequence_6 = { 57 4154 4157 4883ec70 488bf9 4c8d252b470100 4c8921 } - $sequence_7 = { e8???????? 488bcb e8???????? 
488b5c2430 48894728 4883c420 5f } - $sequence_8 = { 418bc2 c1e810 0fb6c8 418bc3 418bb49670dd0100 48c1e818 4133b48e70d90100 } - $sequence_9 = { 488b442468 4c894138 4533c0 48895158 33d2 48894150 4c894940 } + $sequence_0 = { 668901 498b4740 498d4f40 ff5010 488d0d5b780000 e8???????? } + $sequence_1 = { 4923f7 440fb6ca 458bc4 488bd6 488bcf e8???????? e9???????? } + $sequence_2 = { 884c0424 8b442420 ffc0 89442420 837c242004 0f859a010000 } + $sequence_3 = { 4885ff 7409 488bcf ff15???????? 48c70300000000 488b5c2430 4883c420 } + $sequence_4 = { 488d1549be0000 488bcd e8???????? 8b5650 488bcd e8???????? 488d0d3fbe0000 } + $sequence_5 = { 488d0de4520100 c745c720002f00 c745cb63002000 66895dcf e8???????? } + $sequence_6 = { 410fb6c0 33b48d70ee0100 33b48570f20100 41337608 410fb6c1 418bc8 } + $sequence_7 = { ba01000000 488bcb ff10 4c397c2450 740b 488b4c2468 } + $sequence_8 = { e8???????? 488d4dd7 488bf8 e8???????? 4885c0 740a 488bc8 } + $sequence_9 = { 4133b48470e60100 410fb6c3 4133b48470f20100 418bc0 41337610 c1e808 0fb6c8 } condition: 7 of them and filesize < 377856 
@@ -114475,73 +115017,75 @@ rule MALPEDIA_Win_Coreshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "68c75bba-5c1e-5e9d-b9a1-c2a54cb41bad" - date = "2026-01-05" - modified = "2026-01-06" + id = "057eaf1b-377a-5f36-8360-d6459ba519e9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.coreshell_auto.yar#L1-L414" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.coreshell_auto.yar#L1-L423" license_url = "N/A" - logic_hash = "964533465ea71e27159b30ec40d2ad04ff56c4993e1303c6d09339c487e78d9b" + logic_hash = "ed08ece8dfee37be875d12f106e31154d8adaf17e7fb2f8bfc7ec79021cef0b1" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 56 ff15???????? 83c40c 3bc6 } - $sequence_1 = { 6810270000 ff15???????? be06000000 e8???????? 85c0 7401 4e } - $sequence_2 = { 68???????? 52 ffd7 ffd0 } - $sequence_3 = { 6a00 ff15???????? 8bf0 ff15???????? 50 68???????? 68???????? } - $sequence_4 = { 8d041e 50 57 6a08 51 ff15???????? 8bf8 } - $sequence_5 = { 6804010000 6a08 8b15???????? 52 ff15???????? } - $sequence_6 = { 8b0d???????? 8b15???????? 6a01 51 68???????? 52 } - $sequence_7 = { c20400 50 a1???????? 6a00 50 } - $sequence_8 = { e8???????? 85c0 7402 eb14 c745f000000000 68e0930400 ff15???????? } - $sequence_9 = { 8d4c2400 56 51 6a00 } - $sequence_10 = { 50 a3???????? ffd6 a3???????? 
} - $sequence_11 = { 8bf1 8b4604 85c0 7407 50 ff15???????? 8b36 } - $sequence_12 = { ff15???????? ffd0 85c0 7508 } - $sequence_13 = { 8b0d???????? 52 50 57 68???????? } - $sequence_14 = { 68???????? 6800080000 8d85fcefffff 50 } - $sequence_15 = { 68???????? 50 ffd6 6a00 6a00 6a00 } - $sequence_16 = { 8d442404 6a00 8bf1 50 c744240c00000000 ff15???????? } - $sequence_17 = { 52 ff15???????? 8b0d???????? 8bf0 8b5c241c 8d041e } - $sequence_18 = { 50 68???????? 68???????? 8985f0fdffff 8d85f4fdffff 6804010000 50 } - $sequence_19 = { 03cf 880431 fec3 ebe6 } - $sequence_20 = { 52 e8???????? 83c408 33c0 8b4df0 64890d00000000 } - $sequence_21 = { 81e1ffff0000 81e1ffff0000 81e1ff000000 81e1ff000000 } - $sequence_22 = { 5d 83c8ff 5b c20c00 03f7 } - $sequence_23 = { 8b8dd8edffff 51 8d95f4edffff 52 } - $sequence_24 = { 81e2ffff0000 81e2ffff0000 c1ea08 81e2ff000000 } - $sequence_25 = { e8???????? 8be8 8b442410 50 e8???????? } - $sequence_26 = { 6888130000 ff15???????? c745f000000000 c745f400000000 } - $sequence_27 = { 25ffff0000 0fb7c8 c1e908 81e1ff000000 0fb6d1 52 } - $sequence_28 = { ff15???????? 83c414 8d95f4fdffff 52 ff15???????? } - $sequence_29 = { 56 51 56 6a01 } - $sequence_30 = { ff15???????? ba00080000 2bd0 52 8d85fcefffff } - $sequence_31 = { a1???????? 50 68???????? 8b0d???????? 51 ff15???????? ffd0 } - $sequence_32 = { 0305???????? 50 ff15???????? a1???????? } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 68???????? 52 ffd7 ffd0 } + $sequence_1 = { 56 ff15???????? 83c40c 3bc6 } + $sequence_2 = { ff15???????? be06000000 e8???????? 85c0 7401 } + $sequence_3 = { 56 6810270000 ff15???????? be06000000 } + $sequence_4 = { c20400 50 a1???????? 6a00 } + $sequence_5 = { 6804010000 6a08 8b15???????? 52 } + $sequence_6 = { 50 ff15???????? 83c404 32db } + $sequence_7 = { 6a08 51 ff15???????? 
8bf8 85ff 750a 5f } + $sequence_8 = { 8d041e 50 57 6a08 51 ff15???????? } + $sequence_9 = { 8b0d???????? 8b15???????? 6a01 51 68???????? 52 } + $sequence_10 = { eb14 c745f000000000 68e0930400 ff15???????? } + $sequence_11 = { 68???????? 50 a3???????? ffd6 a3???????? a1???????? 68???????? } + $sequence_12 = { 8d4c2400 56 51 6a00 } + $sequence_13 = { 8bf1 8b4604 85c0 7407 50 ff15???????? 8b36 } + $sequence_14 = { e8???????? 85c0 7402 eb14 c745f000000000 } + $sequence_15 = { ff15???????? ffd0 85c0 7508 } + $sequence_16 = { 68???????? 50 ffd6 6a00 6a00 6a00 } + $sequence_17 = { 51 8b0d???????? 52 50 57 } + $sequence_18 = { 6800080000 8d85fcefffff 50 ff15???????? } + $sequence_19 = { 81e1ffff0000 81e1ffff0000 81e1ff000000 81e1ff000000 } + $sequence_20 = { 8b15???????? 57 6a00 52 ff15???????? 8b0d???????? 8bf0 } + $sequence_21 = { 68???????? 68???????? 8985f0fdffff 8d85f4fdffff } + $sequence_22 = { ff15???????? 0fb6cb 03cf 880431 } + $sequence_23 = { ff15???????? eb2f ff15???????? 50 68???????? 6800080000 } + $sequence_24 = { 8d55f0 52 e8???????? 83c408 33c0 8b4df0 } + $sequence_25 = { 51 ff15???????? 83c414 8d95f4fdffff 52 } + $sequence_26 = { 50 ff15???????? 8d8c45fcefffff 51 } + $sequence_27 = { a1???????? 50 68???????? 8b0d???????? 51 ff15???????? ffd0 } + $sequence_28 = { 6888130000 ff15???????? c745f000000000 c745f400000000 } + $sequence_29 = { ff15???????? ba00080000 2bd0 52 8d85fcefffff 50 } + $sequence_30 = { 56 51 56 6a01 } + $sequence_31 = { 81e2ffff0000 81e2ffff0000 c1ea08 81e2ff000000 } + $sequence_32 = { e8???????? 8be8 8b442410 50 e8???????? } $sequence_33 = { ffd6 ffd0 68???????? a3???????? } $sequence_34 = { 68???????? 51 ffd3 ffd0 } - $sequence_35 = { 5f 5b 5d c3 b81c000000 e8???????? 89e0 } - $sequence_36 = { 29d6 0faff0 31d2 f7f6 } - $sequence_37 = { 5f 5d c3 89e0 c70010270000 } - $sequence_38 = { 68???????? 53 a3???????? ffd6 68???????? a3???????? ffd7 } - $sequence_39 = { 29d6 01f0 a3???????? e9???????? } + $sequence_35 = { ff35???????? ff15???????? 
0305???????? 50 ff15???????? a1???????? 83c418 } + $sequence_36 = { 8908 8b00 8b5004 8b35???????? } + $sequence_37 = { 68???????? a3???????? ffd7 8bd8 } + $sequence_38 = { 5f 5b 5d c3 b81c000000 e8???????? 89e0 } + $sequence_39 = { 57 8b3d???????? 68???????? ffd7 8b35???????? 68???????? } $sequence_40 = { 690006000000 0306 8b4dcc 8b09 } - $sequence_41 = { a3???????? ffd7 8bd8 68???????? } - $sequence_42 = { bf04010000 57 6a08 ff35???????? ff15???????? } - $sequence_43 = { 6689fb 0fb7fb c1ef08 81e7ff000000 } - $sequence_44 = { 8908 8b00 8b5004 8b35???????? } - $sequence_45 = { 56 57 8b3d???????? 68???????? ffd7 8b35???????? 68???????? } - $sequence_46 = { 8908 8b15???????? 89d6 81c609000000 } + $sequence_41 = { 8908 8b15???????? 89d6 81c609000000 } + $sequence_42 = { 29d6 01f0 a3???????? e9???????? } + $sequence_43 = { 29d6 0faff0 31d2 f7f6 } + $sequence_44 = { bf04010000 57 6a08 ff35???????? } + $sequence_45 = { 68???????? 53 a3???????? ffd6 a3???????? 68???????? } + $sequence_46 = { 6689fb 0fb7fb c1ef08 81e7ff000000 } + $sequence_47 = { 5f 5d c3 89e0 c70010270000 } + $sequence_48 = { a3???????? ffd7 8bd8 68???????? 53 ffd6 68???????? } condition: 7 of them and filesize < 303100 
@@ -114551,36 +115095,36 @@ rule MALPEDIA_Win_Acronym_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce514e29-77d6-5ca8-add6-cd76a31812fc" - date = "2026-01-05" - modified = "2026-01-06" + id = "d001ebc0-bfdd-53a1-94a8-8c0b2844e7b6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.acronym_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.acronym_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "5cca7d22218319c4f5ca79e1094be5a7a94847bd4819615124c26ef306c59f0d" + logic_hash = "e1f0a7d7e3a5c52f7f8c52a935c86e313cbf38523c6bf31de959d7d787666150" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894c05d0 ba04000000 6bd200 8b45ec 894415b4 b904000000 c1e100 } - $sequence_1 = { 0fb6c8 85c9 0f84d4000000 8b550c 8955d8 8b4510 50 } - $sequence_2 = { 50 8b85e8fdffff 8b08 8b95e8fdffff 52 8b413c } - $sequence_3 = { 0fb6c8 85c9 753d 8d4dd8 e8???????? 50 } - $sequence_4 = { 83f832 0f8547170000 c745e400000000 8b4de4 894de8 8b55e8 8955e0 } - $sequence_5 = { 668b544144 668955fc 0fb745fc c1e004 8b4d08 8d940190c90000 b804000000 } - $sequence_6 = { e8???????? 
83c404 89853cfeffff 8d4ddc 898d84feffff 8b9584feffff 899540fdffff } - $sequence_7 = { 8b4df0 668b544112 668955fc 0fb745fc c1e004 8b4d08 8d940190c90000 } - $sequence_8 = { 8d95f4fdffff 52 8d8d50fdffff e8???????? 8bc8 e8???????? 50 } - $sequence_9 = { 52 8b450c 50 8b8d0cffffff 51 e8???????? } + $sequence_0 = { 8b7508 8d941660b10000 89048a 8b45f4 8b4df0 0fb7544122 } + $sequence_1 = { 7c05 e9???????? 8b55f8 c1fa05 8b4df8 83e11f b801000000 } + $sequence_2 = { 8d440aff 3945fc 7f02 eb02 eb99 8b4dfc } + $sequence_3 = { 83c40c eb7e 8b45f4 8945dc eb09 8b4ddc 83c101 } + $sequence_4 = { 8b4df8 8b948dbcfaffff 8955d4 8b45f8 8945fc 8b4dfc } + $sequence_5 = { 52 e8???????? 50 a1???????? 50 8d8de0feffff 51 } + $sequence_6 = { 8b45f4 8b4df0 668b54411c 668955fc 0fb745fc c1e004 8b4d08 } + $sequence_7 = { e8???????? 83c40c b8???????? 8b4dfc 33cd e8???????? 8be5 } + $sequence_8 = { e8???????? 898580fdffff eb0a c78580fdffff00000000 c78504ffffff00000000 c785e8feffff00000000 33c9 } + $sequence_9 = { 50 8b4d08 83c108 51 8b0d???????? e8???????? 8b08 } condition: 7 of them and filesize < 466944 
@@ -114590,36 +115134,36 @@ rule MALPEDIA_Win_Beast_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8074f5ee-0705-556f-a60f-20fb83a7b6d6" - date = "2026-01-05" - modified = "2026-01-06" + id = "d914f9f4-6d02-5995-8691-12d109b9048f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beast" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.beast_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.beast_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "2393b8a862cb3a2be574fd4cc7aaf3b89fb385083cd12b93e8f9ad9b9f239f88" + logic_hash = "8c032fa2be13beeba9324234662f5be61f2a18a7ee3115f943ef626f84a68e88" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 57 33ff 6a03 47 59 } - $sequence_1 = { 330c8550b44f00 334d1c 83c520 894c242c 83ef01 0f85f0fdffff 8b442410 } - $sequence_2 = { c6857fffffff41 c6458033 c6458141 c6458224 c6458341 c6458420 c6458541 } - $sequence_3 = { eb08 8b4dc4 e8???????? 
8bc6 5e c9 c3 } - $sequence_4 = { c6855cfcffff4d 889d5dfcffff c6855efcffff4c 889d5ffcffff c68560fcffff5b 889d61fcffff 889d62fcffff } - $sequence_5 = { 33b1393e5000 8b4c2448 0fb6c9 c1e104 33b9303e5000 33b1343e5000 8b4c2428 } - $sequence_6 = { 6a3f 5a 6a06 898c244a010000 8db424b8000000 898c2452010000 8dbc2460010000 } - $sequence_7 = { 8d143e 03c2 8945f0 8b45cc c1e017 0bc8 8b45cc } - $sequence_8 = { 8b45c8 03c3 33d0 c1c210 8d0c16 8b75f4 33d9 } - $sequence_9 = { c6459025 8bd3 c6459156 c6459223 c6459356 c6459435 } + $sequence_0 = { 8b74243c 33c0 50 8d442418 50 ffb424bc040000 ff36 } + $sequence_1 = { 83fa17 72ea 885c242b c64424387b c644243908 c644243a7c c644243b08 } + $sequence_2 = { 8b4e04 ba???????? e8???????? 59 8bc3 5f 5e } + $sequence_3 = { 8b442424 0423 8844244b 8b442424 0424 346f 8844244c } + $sequence_4 = { 0f84c8000000 48 83e801 0f8486010000 48 83e801 0f840d010000 } + $sequence_5 = { 33b1373e5000 8b4c2420 c1e910 0fb6c9 c1e104 8b542444 33b9323e5000 } + $sequence_6 = { 8884249c000000 8b44247c 041d 8884249d000000 8b44247c 041e 3465 } + $sequence_7 = { 85c0 0f8471030000 83f826 7603 6a26 58 0fb60c854e6c5000 } + $sequence_8 = { 56 8b35???????? 50 ffd6 8d0c4502000000 e8???????? 57 } + $sequence_9 = { 330c8550a84f00 894c2424 8b4c241c 8b742424 0fb6c1 c1e908 0fb6c9 } condition: 7 of them and filesize < 2411520 
@@ -114629,36 +115173,36 @@ rule MALPEDIA_Win_Dmsniff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9b02a57-acfd-5696-afff-e1ad9ad00d2f" - date = "2026-01-05" - modified = "2026-01-06" + id = "4010e97f-48bb-5278-898a-0ed97c9f7b8c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dmsniff_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dmsniff_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "8d240517eec8ca9f146a8569ec7f531dfedcca5581430f505c0f5f429a443243" + logic_hash = "f04de7d9182e8a36c29c1a839d5e0508e3e0fa7a86c5eb0919822ac74023875e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7316 8bbdfcfeffff 89fe 46 89b5fcfeffff 899cbd00ffffff 8d85f0feffff } - $sequence_1 = { d92c24 83c404 6a00 6a00 68???????? 68???????? } - $sequence_2 = { 50 8b10 ff5220 89c7 09ff 0f8563010000 6a00 } - $sequence_3 = { 50 8b10 ff5250 89c7 } - $sequence_4 = { 47 39f7 72d3 ff45fc 8b45f4 3945fc 72c2 } - $sequence_5 = { f7e7 8945ec 50 e8???????? 89c3 } - $sequence_6 = { 59 be0f000000 39c6 761a 68???????? e8???????? } - $sequence_7 = { 50 ff7508 e8???????? 68???????? e8???????? 50 ff7508 } - $sequence_8 = { e8???????? 68???????? e8???????? 
89c2 6a00 } - $sequence_9 = { 89c3 81e3ff000000 89de 83c661 89f3 881d???????? b803000000 } + $sequence_0 = { eb15 47 39f7 72d3 ff45fc 8b45f4 3945fc } + $sequence_1 = { 09ff 7413 81fe19000200 7507 be19010200 ebd9 31c0 } + $sequence_2 = { 8b7510 ff7508 e8???????? 89c7 } + $sequence_3 = { 57 be19000200 8d45fc 50 56 } + $sequence_4 = { 8945f0 50 e8???????? 89c3 81e3ff000000 89de 83c661 } + $sequence_5 = { 57 e8???????? 59 be0f000000 } + $sequence_6 = { 83bdfcfeffff40 7316 8bbdfcfeffff 89fe 46 89b5fcfeffff } + $sequence_7 = { 8945f4 50 e8???????? 89c3 } + $sequence_8 = { 761a 68???????? e8???????? 50 } + $sequence_9 = { 66810c240003 d92c24 83c404 6a00 } condition: 7 of them and filesize < 131072 
@@ -114668,36 +115212,36 @@ rule MALPEDIA_Win_Industrial_Spy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "49532f61-1558-5e03-9771-9daa1443f81c" - date = "2026-01-05" - modified = "2026-01-06" + id = "86751493-28b0-577c-bc7a-18a9ce5ff38e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.industrial_spy_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.industrial_spy_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "09d68278c920c888a9a9161c0ac726f167f616f36cff9042eab3321dfe0c396f" + logic_hash = "3d02a84d39c81bff432f4a4e8d820eec44463a51de2b7fbd0c8e498b622347de" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03c8 43890c26 3bc8 7302 ffc7 037c242c } - $sequence_1 = { 33c9 ff15???????? 8b15???????? 4c8d0577020200 498904d0 ffc2 8915???????? } - $sequence_2 = { 418bd9 498bf8 8bf2 4c8d0d2d9c0000 488be9 4c8d051b9c0000 } - $sequence_3 = { 4403d3 41c1ca0c 4503d1 4133c2 054239faff 0345d4 03d0 } - $sequence_4 = { 8bc1 488bce 4803d0 e8???????? 
33c0 eb0c b801040000 } - $sequence_5 = { 442bc9 f7d1 443bc9 418bc0 0f46d6 c1e010 } - $sequence_6 = { 0345c0 418d91442229f4 03d0 448d8997ff2a43 418bc2 c1c206 f7d0 } - $sequence_7 = { 418d4a01 418bc1 c1e810 03c2 } - $sequence_8 = { 33c0 eb3d 452bd3 4533c0 4585c9 742f 482bf9 } - $sequence_9 = { 488d0d4bf40000 48894b48 4963d0 c6435401 e8???????? eb18 4885c9 } + $sequence_0 = { 448bcf 4c8d442460 488bd6 488bce 4103dc e8???????? } + $sequence_1 = { 0f8f8dfeffff 4c8bb424a8010000 ff15???????? 488bc8 4d8bc5 33d2 ff15???????? } + $sequence_2 = { 0f8408010000 8b4c2448 488d1502dffeff 2b4c244c 41b826000000 894c2448 0f8542fcffff } + $sequence_3 = { 0f31 48c1e220 480bc2 833900 e9???????? 83650b00 488d5567 } + $sequence_4 = { 41c1e608 440bf0 420fb6441201 41c1e608 440bf0 83bb9001000000 7419 } + $sequence_5 = { eb18 4885c9 750b 488d0d3df40000 } + $sequence_6 = { 85c0 0f840b010000 488d05f6030100 4a8b04e8 42385cf838 } + $sequence_7 = { e8???????? 488d4c2450 ff15???????? 488364242000 4c8d4d88 448bc0 } + $sequence_8 = { 837c8dc000 7508 ffca 4883e901 } + $sequence_9 = { 418be9 48c1f806 488d0de0080100 4183e23f } condition: 7 of them and filesize < 339968 
@@ -114707,36 +115251,36 @@ rule MALPEDIA_Win_Bouncer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d675a9d0-d309-5a64-9b07-233609ff1237" - date = "2026-01-05" - modified = "2026-01-06" + id = "bbee767a-0e22-57ba-9f52-4d9f85122434" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bouncer_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bouncer_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "ef61499d69e0696c4532f64e6ff2b982da08dae26c600412b066491c2f5e5346" + logic_hash = "39b37e493efe2469eb26371e5b3ea0d6d9f8914acd8cee091db44cfd373382c3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8441050000 50 ff75fc e8???????? 59 59 } - $sequence_1 = { 8b85b4feffff 48 3bc8 731b } - $sequence_2 = { 50 ff15???????? 8d85a4fdffff c645dc17 50 e8???????? 83c414 } - $sequence_3 = { c3 55 8bec 83ec24 56 8b750c } - $sequence_4 = { 53 8b5d10 56 57 8b7d0c 7410 a0???????? } - $sequence_5 = { 8bd8 3bde 7d13 68???????? ff15???????? } - $sequence_6 = { 56 56 ff15???????? 8d859cf6ffff 50 8d859cf8ffff 68???????? } - $sequence_7 = { 50 ff15???????? 83c40c eb2e ff7508 ff15???????? } - $sequence_8 = { 7e33 8d85f4feffff 50 56 e8???????? 85c0 7422 } - $sequence_9 = { 3bc6 59 a3???????? 
750c 50 ff15???????? } + $sequence_0 = { 56 50 e8???????? 8d85a0fbffff c645d02d 50 } + $sequence_1 = { 7408 50 ff15???????? 59 33c0 5f } + $sequence_2 = { 7444 81ffea000000 743c 39750c 751a 57 } + $sequence_3 = { 8d859cfaffff 50 ff15???????? 3bc6 8945fc } + $sequence_4 = { 8945c0 0f846f110000 8935???????? 395dc4 0f8460110000 } + $sequence_5 = { 7431 39750c 68???????? 750e } + $sequence_6 = { 53 8d45e0 57 50 a1???????? 6a04 ff750c } + $sequence_7 = { 3b8db4feffff 72f0 eb7a 8b85b4feffff 48 3bc8 } + $sequence_8 = { 8d85a4faffff c645c82e 50 e8???????? 8945dc 8d45c8 50 } + $sequence_9 = { 48 7417 48 752f } condition: 7 of them and filesize < 335872 
@@ -114746,36 +115290,36 @@ rule MALPEDIA_Win_Zedhou_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "671058cb-44d0-5a2d-a903-c2aaa9e6edab" - date = "2026-01-05" - modified = "2026-01-06" + id = "474209b9-d13c-5152-a50c-a3cfbe542c30" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zedhou_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zedhou_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "e746dfbb5d54339f68149693ef0514b3aa092790791cb02e6ab7c27b77b04068" + logic_hash = "eeb067af065a3a11e2e1b534245e471ed519784bc79fd30ede53369628c3f72c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03c8 8d954cfdffff 51 8d8550fcffff 52 50 68???????? } - $sequence_1 = { 50 0f80d8000000 51 52 e8???????? ffd7 8b85d4feffff } - $sequence_2 = { 68???????? ff15???????? 8bd0 8d8d70ffffff ff15???????? 50 8d956cffffff } - $sequence_3 = { 8b55a0 52 ff15???????? 8bd0 8d4d98 ff15???????? 50 } - $sequence_4 = { 6a00 51 50 ff35???????? ff15???????? 85c0 0f8c0b1a0000 } - $sequence_5 = { 8b04c5fc201822 8b7824 8b450c 85ff 0f847c340000 8b08 3b0f } - $sequence_6 = { ebe5 55 8bec 83ec18 53 56 57 } - $sequence_7 = { 8bcf e8???????? 8bf0 8bcb ff760c ff7608 e8???????? 
} - $sequence_8 = { 8d45d4 50 6a02 ff15???????? 83c40c 8d4dc0 51 } - $sequence_9 = { ffb610060000 81c610060000 8bc8 e8???????? ff36 832700 } + $sequence_0 = { 3d8bb296b1 0f84f1380000 3d10ed51cf 75db 813d????????10ed51cf 0f8514390000 b910000000 } + $sequence_1 = { b86c261822 50 ff15???????? 8d5c0002 8d8d74ffffff 53 e8???????? } + $sequence_2 = { 0f8516010000 8b460c 8b3d???????? 8b04c5fc201822 ff7020 8d8574feffff 50 } + $sequence_3 = { 56 8bf1 57 8b7d08 8b4630 3b4634 7509 } + $sequence_4 = { 51 ff15???????? 8985c4fdffff eb0a c785c4fdffff00000000 8b55a4 52 } + $sequence_5 = { ff75fc 8bce e8???????? 837d0800 75d3 } + $sequence_6 = { 66c78570feffff0500 66c78574feffff0100 66c745a80100 eb15 668b4da8 66038d74feffff 0f80f9290000 } + $sequence_7 = { c70618401722 ff15???????? 8bc6 5e c20800 a1???????? 56 } + $sequence_8 = { ff15???????? 8d4d94 51 8d5598 52 8d45a0 50 } + $sequence_9 = { ff15???????? 8bd0 8d4d98 ff15???????? 8bd0 8b4d08 83c158 } condition: 7 of them and filesize < 499712 
@@ -114785,50 +115329,89 @@ rule MALPEDIA_Win_Absentloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f362b30-2c49-5b13-a74d-e646b2c361d8" - date = "2026-01-05" - modified = "2026-01-06" + id = "c9a71466-6712-51fe-bbe0-2b4463ced47f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.absentloader_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.absentloader_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "ec030f0c846e40821b8f0d08fe92e09a60380de99ecc678dae260a482a99d7bb" + logic_hash = "51ff6d09638e9228b9e70bcdf22cd50964deb750aee4372725e598d4c91a0a8d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 50 8bce e8???????? 834dfcff 8d85f0f9ffff 50 } - $sequence_1 = { 8b08 8bc3 2bc1 c1f804 3bf0 7238 } - $sequence_2 = { 5e 8b448dd8 83e825 6bc033 99 f7fe } - $sequence_3 = { 6a7f 0f1145dc c745ec59000000 5f 6a32 58 2b448ddc } - $sequence_4 = { 48 a3???????? ff15???????? 8b0d???????? 89048db09506fd 5d c3 } - $sequence_5 = { 68087905fd 68007905fd 68087905fd 6a06 e8???????? 8bf0 } - $sequence_6 = { e8???????? 83ec18 c645fc07 8bcc 68a8f905fd 895910 c741140f000000 } - $sequence_7 = { 8b08 bfc8aa06fd 0f2805???????? a1???????? 
0f1145dc c745ec0e5a410e } - $sequence_8 = { 40 83f80e 72f6 8bc1 c3 80791300 740c } - $sequence_9 = { 57 bf88a706fd 8d75e8 689f0705fd a5 a5 } + $sequence_0 = { 8d8de8fbffff e8???????? 68048701fd 53 6a18 8d8568fdffff } + $sequence_1 = { 83e03f c1f906 6bc038 03048de8a006fd 50 ff15???????? 5d } + $sequence_2 = { 895dfc 6a0f 5a 895e10 895614 881e } + $sequence_3 = { c745fc0a000000 8b4d2c 85c9 7411 8b31 8d4508 3bc8 } + $sequence_4 = { 59 c3 83610400 8bc1 83610800 c741040cf305fd c7013c1e05fd } + $sequence_5 = { c74408e82c1a06fd 8b06 8b5004 8d42e8 89440ae4 8365fc00 } + $sequence_6 = { 89a564faffff 8d85c0fbffff 8bf4 83ec18 8bcc 89a55cfaffff 50 } + $sequence_7 = { e8???????? 59 59 85c0 7505 b835f305fd 56 } + $sequence_8 = { 6a32 58 2b448ddc 6bc014 99 f7ff 8d0417 } + $sequence_9 = { 8bcf 8bd8 83c101 0f92c2 f7da 0bd1 52 } condition: 7 of them and filesize < 794624 } +rule MALPEDIA_Win_Tenzor_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "2d9a68e0-7439-5536-8c66-b65ca640a395" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tenzor" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tenzor_auto.yar#L1-L133" + license_url = "N/A" + logic_hash = "43ff9e2d2f97513275a98969c46a749f90e855c4ccaebee02a82dfd51704b200" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 4821ca 48d1e2 48b9cf2b17374d3a5263 4801c8 4829d0 8885a8030000 0fb685bd030000 } + $sequence_1 = { 4989c0 4931c8 4931d0 448d4814 4121d1 49f7d1 4d21c1 } + 
$sequence_2 = { 4883c420 4c8b7db8 4c8b65c0 488b7de0 eb00 4883ec20 488b4df0 } + $sequence_3 = { 410fb6c4 4401f0 488b542428 01d0 488d0c16 4883c102 4801d6 } + $sequence_4 = { 0fb685bf030000 48b9976fc8d3723f315c 4801c8 48b9cc2b17374d3a5263 4889c2 4821ca 48d1e2 } + $sequence_5 = { 2401 0fb6c0 09c6 83fe00 400f95c6 c68538020000e3 c6853902000001 } + $sequence_6 = { 4488841504010000 4883c201 ebb7 31d2 f7b504010000 8b09 0faf0e } + $sequence_7 = { 4901c7 48c744242000000000 4c8d442444 41b902000000 4889f9 4c89fa e8???????? } + $sequence_8 = { 31c9 48bad3dd07263824c491 90 440fb64c0c20 4989ca 4909d2 } + $sequence_9 = { 48ffc0 4883f804 75d8 440b442454 4889742420 4c89f1 488d542468 } + + condition: + 7 of them and filesize < 548864 +} rule MALPEDIA_Win_Flash_Develop_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "4688ecaa-1305-56f1-b990-d34d1967b3cd" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flash_develop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flash_develop_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flash_develop_auto.yar#L1-L125" license_url = "N/A" logic_hash = "1b0b49a0bdf8cbe355d0f549d184abf36cc5a8a27ac3e4b70ddcdc76ec6e38f0" score = 75 
@@ -114837,9 +115420,9 @@ rule MALPEDIA_Win_Flash_Develop_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -114863,36 +115446,36 @@ rule MALPEDIA_Win_Phobos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6caf5a5b-e4a8-5ad7-ac96-0781f61cb33b" - date = "2026-01-05" - modified = "2026-01-06" + id = "2f4fc51d-9af7-5229-9129-309a38ae3ac9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.phobos_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.phobos_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "0813fe2e377724ce620e3c3620ed6e847086eab6c4f49515372897489c1a64d4" + logic_hash = "afd8e31d2a2cd18957b7d58683184c6d0bea6b893d89122b4ff289fbf034cbb8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4f ff75fc e8???????? 59 8bc7 5f 5e } - $sequence_1 = { 6a0c 5b 53 8d442430 56 50 e8???????? } - $sequence_2 = { 7446 8b06 85c0 7440 8b0f 894e04 8b4f04 } - $sequence_3 = { 33db 56 57 33c0 895c2428 8d7c242c ab } - $sequence_4 = { 8bc6 8d3c08 8d8fb2000000 894df4 83c118 2bc8 81c100000400 } - $sequence_5 = { 5b c9 c3 56 6a1c } - $sequence_6 = { 83c002 eb02 8bc7 8bc8 56 8d7102 } - $sequence_7 = { 68ff000000 ff15???????? cc 55 8bec 8b4508 a3???????? } - $sequence_8 = { 0f8452010000 3bf7 7420 8d44243c 50 ff15???????? 50 } - $sequence_9 = { ff7708 8d442430 ff7704 ff37 50 56 e8???????? 
} + $sequence_0 = { e8???????? e8???????? eb1b 6a10 } + $sequence_1 = { 89460c 0fbf4604 3bf8 7e18 8bcf 2bc8 03c9 } + $sequence_2 = { ff36 ff15???????? 8bd8 f7db } + $sequence_3 = { e8???????? 83c40c 8bc7 5f ebd2 55 8bec } + $sequence_4 = { 53 56 57 8bf8 7505 e8???????? be???????? } + $sequence_5 = { 0fb692a8a44000 23ce 0fb689a8a44000 c1e108 33ca 0fb6501e } + $sequence_6 = { 51 53 56 8bf0 8b4508 33db 57 } + $sequence_7 = { ff75fc ff7508 e8???????? 59 59 eb01 4f } + $sequence_8 = { 85ff 7438 0fb70f 8bc7 eb11 83c002 } + $sequence_9 = { e8???????? 8bf0 33db 59 3bf3 0f84ab000000 68a00f0000 } condition: 7 of them and filesize < 139264 
@@ -114902,36 +115485,36 @@ rule MALPEDIA_Win_Alpc_Lpe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9201dab6-c827-5ba9-b6a2-6cc5f0b64e34" - date = "2026-01-05" - modified = "2026-01-06" + id = "4219e065-29e3-5dbd-ae74-7c646b334074" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alpc_lpe_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alpc_lpe_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "f47b6095e2a1dadfd3fc285c90742ae34b69859fcd8b2fa148af803fa48f9175" + logic_hash = "4d3c400d1015a24e26312780aac443a53fbb7a739d44e6824f16d588a1c84c48" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c9 0f1f440000 0fb70429 4883c102 6689440ffc 6685c0 } - $sequence_1 = { 48894540 c7455040000000 48c7454800000000 48c7455800000000 48c7456000000000 48c785c800000000000000 c785e800000000000000 } - $sequence_2 = { 488bfc b932000000 b8cccccccc f3ab 488b8c24e8000000 488b85e0000000 488b4008 } - $sequence_3 = { 488b8d00010000 e8???????? 488b8dd8000000 488bd1 488bc8 e8???????? 
} - $sequence_4 = { 488d1d5c8e0000 8bf7 488b2b 4885ed 741b 837b0801 7415 } + $sequence_0 = { 488d0dbf8a0000 488b0cc1 44897c2444 4c8b7c2460 498b0c0f 4c8d4c2448 } + $sequence_1 = { b801000000 4869c0c0000000 488d0d76ad0000 4803c8 488bc1 } + $sequence_2 = { 488d4c2450 e8???????? 418bcd 4885ff } + $sequence_3 = { 48b8ffffffffffffff0f 48398568010000 7677 488d0577fa0000 4885c0 7406 33c0 } + $sequence_4 = { 488b8d00010000 e8???????? 48833808 0f82be000000 488b8d00010000 e8???????? 488b00 } $sequence_5 = { 488bec 488bfc b932000000 b8cccccccc f3ab 488b8c24e8000000 488b85e0000000 } - $sequence_6 = { 488b8d08010000 488908 48837d0800 7418 488b8d00010000 e8???????? } - $sequence_7 = { 83f8ff 7526 4c8d2587860000 493bdc } - $sequence_8 = { b8cccccccc f3ab 488b8c24e8000000 488b85e0000000 48c70000000000 488b85e0000000 488da5c8000000 } - $sequence_9 = { 4c8b8500010000 488bd0 488d0d60b20000 e8???????? 48894508 8b4508 8bf8 } + $sequence_6 = { ffc6 488d0c80 488d05d2a70000 488d0cc8 48890f } + $sequence_7 = { 488b8c2428010000 488b9508010000 b910000000 e8???????? 488985c8000000 4883bdc800000000 } + $sequence_8 = { 4883bd6001000000 7509 488b4508 e9???????? 48b8ffffffffffffff7f } + $sequence_9 = { 33c0 488bfe f2ae 33c9 660f1f840000000000 0fb6040a 48ffc1 } condition: 7 of them and filesize < 540672 
@@ -114941,50 +115524,50 @@ rule MALPEDIA_Win_Colony_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6de8851a-b1ef-561a-a63a-12519dea8778" - date = "2026-01-05" - modified = "2026-01-06" + id = "9aa41fb9-e7e5-56cf-81c0-fe13637eb3f1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.colony_auto.yar#L1-L230" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.colony_auto.yar#L1-L230" license_url = "N/A" - logic_hash = "2b20de5492a48cc7fc726969d55d094c8002372f30c4bd6a4f1592aca3fb7fc0" + logic_hash = "7b5da0368045c7618fabff46a627eec4b6ba1f4b295e9b1b03fdf57fbfff585f" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740f 0301 eb0b a801 } - $sequence_1 = { 32c0 8be5 5d c3 807d0800 56 57 } + $sequence_0 = { 8b4214 2b4210 660f6ec0 f30fe6c0 } + $sequence_1 = { 8b420c 2b4208 660f6ec0 f30fe6c0 } $sequence_2 = { 8b4224 2b4220 660f6ec0 f30fe6c0 } - $sequence_3 = { 8b421c 2b4218 660f6ec0 f30fe6c0 } - $sequence_4 = { 8a4203 8841fe 8a4202 8841ff 8b02 c1e808 8801 } - $sequence_5 = { 334f14 8b45f4 894dfc 8bca c1e910 81e1ff000000 c1e808 } - $sequence_6 = { 69d200008f04 2bc8 c1e910 69c161a4f778 2bd0 } - $sequence_7 = { 7407 b901000000 eb0a 33c9 803f01 0f95c1 33c0 } - $sequence_8 = { 0fbed9 83eb30 eb13 8ac1 } 
- $sequence_9 = { 0f85bd000000 807dda01 751f 66a1???????? } - $sequence_10 = { 0f85bc000000 f30f7e05???????? 660fd606 a0???????? } - $sequence_11 = { 0f855b010000 8d7830 c7403c00000000 8d4838 eb0d 8d7824 } - $sequence_12 = { 8b00 83f801 7e5c f7420400080000 } - $sequence_13 = { 0f8fc9010000 0f84ad010000 3d09280000 0f8ff1000000 } - $sequence_14 = { 8b4214 2b4210 660f6ec0 f30fe6c0 } - $sequence_15 = { 0101 0101 0202 0202 0200 0102 0202 } - $sequence_16 = { 483305???????? 488bcb 488905???????? ff15???????? 488d15a9980000 } - $sequence_17 = { e9???????? 4c8d357e0c0100 488b0d???????? eb7b 4c8d35660c0100 } - $sequence_18 = { 48393d???????? 448bf0 0f85f8000000 488d0d687b0000 33d2 41b800080000 } - $sequence_19 = { e8???????? 488d15a3a50000 488d0d94a50000 e8???????? } - $sequence_20 = { 488bd7 488bcf 48c1f905 83e21f 4c8d05f8c70000 498b0cc8 486bd258 } - $sequence_21 = { 7519 4c8d05f3900000 8bd7 498bce } - $sequence_22 = { b91e000000 e8???????? b9ff000000 e8???????? 4803db 4c8d3590fc0000 } - $sequence_23 = { 488bc8 ff15???????? 488d15147b0000 488bcb 488905???????? } + $sequence_3 = { 0fbed9 83eb57 eb03 83cbff } + $sequence_4 = { 7407 b901000000 eb0a 33c9 803f01 0f95c1 33c0 } + $sequence_5 = { 33c0 81fac0000000 0f95c0 8d04450c000000 8987f0000000 8b0b 8bc1 } + $sequence_6 = { 8b421c 2b4218 660f6ec0 f30fe6c0 } + $sequence_7 = { 2c30 3c09 7708 0fbed9 83eb30 } + $sequence_8 = { 1bf6 f7de 4e ff15???????? 8bc6 5e } + $sequence_9 = { 2bf9 8d7304 8d348e 8d04bdfcffffff 50 8d4308 8d0488 } + $sequence_10 = { 8a4203 8841fe 8a4202 8841ff 8b02 c1e808 8801 } + $sequence_11 = { 740f 0301 eb0b a801 } + $sequence_12 = { 0f8f9a000000 85db 7e3c 393f 7438 8b7704 } + $sequence_13 = { 0f849a010000 a1???????? f30f7e05???????? 8945e4 } + $sequence_14 = { 69d200008f04 2bc8 c1e910 69c161a4f778 2bd0 } + $sequence_15 = { 0fbed9 83eb30 eb13 8ac1 } + $sequence_16 = { 488905???????? ff15???????? 488d15c7980000 483305???????? 488bcb 488905???????? 
} + $sequence_17 = { 7516 488d0558fc0000 488b4c2430 483bc8 } + $sequence_18 = { 0f8515010000 488b8eb8000000 4c8d350cfb0000 f0ff09 } + $sequence_19 = { 4883ec38 ffca 752d 33c0 4c8d05bfffffff 4533c9 4889442428 } + $sequence_20 = { ff15???????? 488905???????? 4885c0 7420 488d15007b0000 488bcb } + $sequence_21 = { b81a000000 eb23 488d0d1bf00000 48890c03 4883c130 488d5b08 } + $sequence_22 = { 488b7c2448 488d052ad00000 488b04f8 41f644050840 } + $sequence_23 = { 488bd9 4885c0 7479 488d0d2e0c0100 483bc1 } condition: 7 of them and filesize < 7599104 
@@ -114994,42 +115577,42 @@ rule MALPEDIA_Win_Grateful_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7572cc07-80f2-55f7-bf6f-ae8865b15e70" - date = "2026-01-05" - modified = "2026-01-06" + id = "1107fae2-2967-57c7-a209-7f535055762a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grateful_pos_auto.yar#L1-L163" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grateful_pos_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "6a2ca8a11a50086a2cefa0fa6fd58b658c3b7b35f75875da8a4dcf3d3e8baf00" + logic_hash = "fa9b4d7574f7dfc03c60360742077f74a349f1193ef7c8f8805fa4124390cf09" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7411 e8???????? e8???????? 33c0 e9???????? } - $sequence_1 = { eb07 b8fcffffff eb02 33c0 } - $sequence_2 = { e8???????? 99 b980ee3600 f7f9 } - $sequence_3 = { 83f801 7510 e8???????? e8???????? } - $sequence_4 = { 7407 b8f6ffffff eb02 33c0 } - $sequence_5 = { b8feffffff eb1a b8fdffffff eb13 b8fcffffff } - $sequence_6 = { 0385d0fbffff 8985d0fbffff 6a18 6a00 8d4de4 51 e8???????? } - $sequence_7 = { 0fb61401 52 b804000000 6bc000 } - $sequence_8 = { 83e80e 50 e8???????? 
83c40c 85c0 7457 6a03 } - $sequence_9 = { 894110 8b550c 8b420c c1e803 50 68ff000000 8b4dfc } - $sequence_10 = { 0f8c8c000000 8b8df8fffdff 0fb6940dfafffdff 83fa3a } - $sequence_11 = { 83bdd0fbffff00 7568 6a0f 8b85e0fbffff 83e80f } - $sequence_12 = { 83f830 7c62 8b8df8fffdff 0fb6940dfefffdff } - $sequence_13 = { 8945fc c785f8fbffff00000000 c785e8fbffff00000000 8b4508 50 6a00 6810040000 } - $sequence_14 = { 0fbe0401 83f04d 88842486010000 b801000000 486bc037 } - $sequence_15 = { ff15???????? 837c246400 750a b801000000 e9???????? } + $sequence_0 = { 7407 b8f6ffffff eb02 33c0 } + $sequence_1 = { eb1a b8fdffffff eb13 b8fcffffff } + $sequence_2 = { 7411 e8???????? e8???????? 33c0 e9???????? } + $sequence_3 = { e8???????? 99 b980ee3600 f7f9 } + $sequence_4 = { 83f801 7510 e8???????? e8???????? } + $sequence_5 = { eb07 b8fcffffff eb02 33c0 } + $sequence_6 = { 0fb68415fdfffdff 85c0 752b 68???????? 8b4d08 8b5104 } + $sequence_7 = { 0fb64d0c ba08000000 2bd1 8bca d3e0 } + $sequence_8 = { 83bddcfbffff46 0f8dbe000000 c785c0fbffff00000000 eb0f 8b8dc0fbffff } + $sequence_9 = { 6a02 8b85dcfbffff 8b4d0c 8d1441 } + $sequence_10 = { 741d 8b5508 8955fc 8b4508 8b481c } + $sequence_11 = { e9???????? 8b95f8fffdff 0fb68415fbfffdff 83f830 7c6d } + $sequence_12 = { 8b4010 880c10 e9???????? 8b8decfffdff 2b8de8fffdff } + $sequence_13 = { 83f901 0f8584000000 c785dcfbffff01000000 eb0f 8b95dcfbffff } + $sequence_14 = { b801000000 486bc002 488d0d1fe70100 0fbe0401 83f04d 88842402010000 } + $sequence_15 = { 488d0d39c00900 e8???????? 41b900040000 4c8d0527c00900 33d2 488b8424a0000200 488b08 } condition: 7 of them and filesize < 3964928 
@@ -115039,36 +115622,36 @@ rule MALPEDIA_Win_Tinytyphon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ab55cd29-217a-5df2-bee5-a74f289c1c92" - date = "2026-01-05" - modified = "2026-01-06" + id = "8401d1c7-7a44-566c-a403-1edcf7c9f03c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinytyphon_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinytyphon_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "68d6c1790e6e0cef7204bca3122eca023e6ea67ccbabc152f7ca7bf6dee039f5" + logic_hash = "fcd0fad7aefc3a2ebd626ef8e532007ac6782fdf59d1c8aa064467c747f920b8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 ff15???????? 8d55ec 52 ff15???????? 8d45ec } - $sequence_1 = { 7412 68???????? 8d85e8feffff 50 ff15???????? 8d8dccfdffff 51 } - $sequence_2 = { 0bc2 8b4df4 0fb6512b c1e218 0bc2 8b4d08 } - $sequence_3 = { 8b55c8 0355c0 8b45d4 0345c0 8a08 880a } - $sequence_4 = { 8b550c 8b4208 50 68???????? 8b4d08 51 ff15???????? } - $sequence_5 = { 83bd54ffffff00 7517 8b9558ffffff 52 ff15???????? b801000000 e9???????? 
} - $sequence_6 = { c1e918 8b550c 884a53 8b450c } - $sequence_7 = { 85c0 744b 8b5508 0fb602 } - $sequence_8 = { 8945f0 837df000 0f8485000000 8b4df0 0fbe5108 83fa02 7410 } - $sequence_9 = { 8945f8 8b4ddc f7d1 0b4df8 334de4 8b5508 038a94000000 } + $sequence_0 = { 7410 8b4508 0fbe08 0fbe550c 3bca } + $sequence_1 = { 8d8c08d9026f67 894ddc 8b55dc c1e20e 8b45dc c1e812 0bd0 } + $sequence_2 = { 8945b0 837db000 7406 837db0ff } + $sequence_3 = { 6800040000 ff15???????? ebee 6a00 ff15???????? 33c0 8be5 } + $sequence_4 = { 83c101 898ddcfeffff 8b95ecfeffff 0395dcfeffff 0fb602 3d9a000000 } + $sequence_5 = { 8b4de4 c1e909 0bc1 8945e4 8b55e4 0355dc 8955e4 } + $sequence_6 = { 034de4 894df8 8b55f4 0fb64204 8b4df4 0fb65105 c1e208 } + $sequence_7 = { c1e814 0bd0 8955e0 8b4de0 034df8 894de0 8b55f4 } + $sequence_8 = { 8945dc 8b55dc 0355e0 8955dc 8b45dc 3345e0 2345f8 } + $sequence_9 = { e8???????? 83c408 8d4db8 51 ff15???????? 8945b0 837db000 } condition: 7 of them and filesize < 90112 
@@ -115078,36 +115661,36 @@ rule MALPEDIA_Win_Computrace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d022645b-4eeb-5507-b4bf-b64f930ec84b" - date = "2026-01-05" - modified = "2026-01-06" + id = "6f20e231-3e83-5c1b-a86b-862cf0047b96" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.computrace_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.computrace_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "f20f4a4bfb7063221bca96073a60966b690b58a18a5add0eb3048df505777fc6" + logic_hash = "0bfe1ea1d3adbe04823d462a95cbcd8254c592d8730a9742e5565547142a82a1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4628 8d5508 6a04 52 56 ffd0 } - $sequence_1 = { 7469 c7466c01000000 834e70ff 804e5c04 ff15???????? } - $sequence_2 = { 2bc7 7417 48 740f 48 } - $sequence_3 = { 8d442404 50 6a01 6a00 6a03 ff15???????? c20400 } - $sequence_4 = { 894c862c 8935???????? 5e 8bc3 5b } - $sequence_5 = { 3b0f 7cd3 c60600 2b750c 8937 5f 5e } - $sequence_6 = { 8845f3 33ff 397d14 7e1a } - $sequence_7 = { 56 8b35???????? 57 8b7d08 8d85f8feffff 50 } - $sequence_8 = { 7305 6681f22110 fecd 75f2 } - $sequence_9 = { ffb6401b0000 ff15???????? 
8d86301b0000 50 8d45e4 50 } + $sequence_0 = { 8d45cc 50 ff75dc 8d8540f2ffff 50 ff75d8 53 } + $sequence_1 = { 53 53 56 e8???????? ebd5 } + $sequence_2 = { 0f85fbfeffff 8d8558ffffff 50 e8???????? 397de4 7420 } + $sequence_3 = { 7433 817de413010000 750b 8b8658440000 3b45e8 741f 8d45e0 } + $sequence_4 = { 3bf3 7505 83f8ff 750f 53 53 } + $sequence_5 = { 8d7e20 e8???????? 8d83401b0000 8bc8 2b8b481b0000 } + $sequence_6 = { 56 e8???????? 56 e8???????? 0fb64e18 c1e904 80e107 } + $sequence_7 = { 48 7407 035d0c 8a1b eb19 8a5e1a eb1e } + $sequence_8 = { 894104 8b5004 85d2 7504 8901 } + $sequence_9 = { 897dfc 397dd8 7507 57 53 } condition: 7 of them and filesize < 73728 @@ -115118,10 +115701,10 @@ rule MALPEDIA_Win_Harnig_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "9abf1275-be08-57a2-b590-38e4b33996cd" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.harnig_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.harnig_auto.yar#L1-L126" license_url = "N/A" logic_hash = "87f18fe78ccecf6b99a233ae62c504e49ba2ae60d8433aec1b3aa385be172cee" score = 75 @@ -115130,9 +115713,9 @@ rule MALPEDIA_Win_Harnig_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -115156,36 +115739,36 @@ rule MALPEDIA_Win_Unidentified_106_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea4969ee-e7d3-51c5-a790-866750e5961b" - date = "2026-01-05" - modified = "2026-01-06" + id = "1a5a63f0-e61a-5388-a041-ea7c2c03955c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_106_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_106_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "d6bc870d9f53493eb97d63e12993bef0e39d6447b53eae3a48dc5e8a9f09d6c4" + logic_hash = "ebd07f80acf7eb25b7ba5efbfa82e2156ac262d1e823330a88e4e0ddb2a67982" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff5040 89442440 85c0 780a c783f000000001000000 8b442440 4883c420 } - $sequence_1 = { ba64000c00 488bcf 4c8be8 ff96c0000000 4885c0 750d bfeaffffff } - $sequence_2 = { 83e27f 8d0432 413bc4 0f87e0fbffff 83fa04 0f87d7fbffff 85d2 } - $sequence_3 = { ffc0 4883c110 413bc5 72f0 33c9 e8???????? 488b4c2448 } - $sequence_4 = { e8???????? 488d9424f0000000 498bce e8???????? 488d4c2420 e8???????? 
41b820000000 } - $sequence_5 = { 8bea 448b895c010000 448be2 412bf1 488bd9 2bee 85f6 } - $sequence_6 = { c7470801000000 0f57c0 4889442470 0f57c9 48896c2440 41b00b 48896c2448 } - $sequence_7 = { 85c0 7531 0fb7833c040000 6683e030 6683f810 7509 c683470400000a } - $sequence_8 = { 8b4a04 394c2460 7507 beffffffff eb62 ba07000300 48896c2478 } - $sequence_9 = { 7519 488d0598730800 c7450403000000 48898590000000 32c0 eb1f 488b5308 } + $sequence_0 = { 4d8bc6 488bd7 e8???????? 85c0 781d 488d8da8000000 448bce } + $sequence_1 = { eb57 4c8b4c2450 418bcc 2bcf 412bce 4103cf 4183fc02 } + $sequence_2 = { f0440108 488d4138 41b806000000 488d15196a0300 483950f0 740c 488b10 } + $sequence_3 = { eb15 6685c0 7510 66c783480400000f10 c6834a04000001 33c0 488bbc24a8000000 } + $sequence_4 = { e8???????? e9???????? b948000000 4889ac2440010000 e8???????? 488be8 4885c0 } + $sequence_5 = { ffc1 8bc2 3bca 7cef 85d2 7e1f 4c8b4310 } + $sequence_6 = { e8???????? f5 91 32baf8b76637 44e81b3bc545 205943 30ba84ffde36 } + $sequence_7 = { e8???????? 8bc3 eb05 b856ffffff 4c8d5c2460 498b5b10 498b7318 } + $sequence_8 = { e9???????? 80bb4704000002 7518 b206 488bcb e8???????? 8983e4020000 } + $sequence_9 = { e8???????? 8bd0 85c0 7561 0fb68f28020000 458bc7 450fafc6 } condition: 7 of them and filesize < 27402240 
@@ -115195,48 +115778,48 @@ rule MALPEDIA_Win_Mimikatz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aca0d4e4-4192-5121-a9cd-9ca0e401c83a" - date = "2026-01-05" - modified = "2026-01-06" + id = "99733101-c0e1-5879-a614-ba036f480ab4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mimikatz_auto.yar#L1-L209" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mimikatz_auto.yar#L1-L202" license_url = "N/A" - logic_hash = "3624438eda15e47ae98de9ad5feae5e5f01b75b23634de1325ad601ffd44065d" + logic_hash = "638f92c68848c06574edddee0cf8e2eecf1f2b7b45373d575d8c91165d8277bf" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 83f8ff 750e ff15???????? c7002a000000 } $sequence_1 = { f7f1 85d2 7406 2bca } - $sequence_2 = { 3c02 7207 e8???????? eb10 } - $sequence_3 = { eb84 668b442430 eb1d 834608fe } - $sequence_4 = { 83f812 72f1 33c0 c3 } - $sequence_5 = { e8???????? 83c8ff e9???????? 8d0412 89442438 } - $sequence_6 = { ff15???????? 
85c0 0f94c3 85db 7508 } + $sequence_2 = { 83f812 72f1 33c0 c3 } + $sequence_3 = { c3 81f998000000 7410 81f996000000 } + $sequence_4 = { f6c320 740f 83f809 7c05 } + $sequence_5 = { f6c320 7413 6683f809 7206 } + $sequence_6 = { 66894108 33c0 39410c 740b } $sequence_7 = { 6683f83f 7607 32c0 e9???????? } - $sequence_8 = { c3 81f998000000 7410 81f996000000 7408 } - $sequence_9 = { 66894108 33c0 39410c 740b } - $sequence_10 = { ff15???????? bd6f000000 3bc3 7405 } - $sequence_11 = { e8???????? 8bf0 85c0 7433 8b542478 d1ea 7420 } - $sequence_12 = { ff15???????? 3bc7 0f84d4010000 8b542430 } - $sequence_13 = { 2bc1 85c9 7403 83c008 } - $sequence_14 = { 83fb04 7cdc 8b5df8 8ad3 02d2 8ac7 c0e804 } - $sequence_15 = { 83e001 51 894614 c7461ce0164000 c74620f0164000 c7462410174000 } - $sequence_16 = { 897e14 897e70 c686c800000043 c6864b01000043 c7466878d14600 6a0d } - $sequence_17 = { c745fc00000000 ff15???????? 50 e8???????? 8bd8 } - $sequence_18 = { 03c2 c1f802 57 50 33db 33f6 e8???????? } - $sequence_19 = { 6a00 50 e8???????? 83c40c c7450800000000 } - $sequence_20 = { 83f805 7d10 668b4c4310 66890c45b8e14600 40 } - $sequence_21 = { c705????????cf2f4000 8935???????? a3???????? ff15???????? a3???????? 83f8ff } + $sequence_8 = { e9???????? bd64000000 83ff2d 0f853c040000 c644245c01 } + $sequence_9 = { ff15???????? be00000400 8bc8 8bd6 } + $sequence_10 = { ff5048 8bd8 85c0 7837 } + $sequence_11 = { 2bc1 85c9 7403 83c008 } + $sequence_12 = { 3c02 7207 e8???????? eb10 } + $sequence_13 = { ff15???????? bd6f000000 3bc3 7405 } + $sequence_14 = { 8d4d08 8d0437 51 50 e8???????? 83c40c } + $sequence_15 = { 33c9 3b04cd08d04600 7413 41 83f92d } + $sequence_16 = { 40 8945f4 83fb04 7561 33db 90 } + $sequence_17 = { e8???????? 8bc8 8b4508 ba???????? 2aca } + $sequence_18 = { 8d04453cdb4600 8bc8 2bce 6a03 d1f9 68???????? 
} + $sequence_19 = { 99 83ec0c 53 83e203 } + $sequence_20 = { c1e80d 8d4dd8 83e001 51 894614 c7461ce0164000 } + $sequence_21 = { 8b5dd0 ebab c745e424714000 817de428714000 7311 8b45e4 8b00 } condition: 7 of them and filesize < 1642496 
@@ -115246,36 +115829,36 @@ rule MALPEDIA_Win_Warlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e6c43cf-6cf3-5e2a-a16b-cb7d8e2e37a1" - date = "2026-01-05" - modified = "2026-01-06" + id = "450cfe2d-3dfd-5087-abe8-4e796115a02e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warlock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.warlock_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.warlock_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "39dc3d0e9802161f2f6843f6a22ec4febcc1ed616080a524da3e5c547a9f1dac" + logic_hash = "ef2e3efebb6f4f153506d62103df2ba1a6143844b2fad8eab3f823c647b729b4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b95c0f6ffff f724ba 0385ccf6ffff 83d200 01841dc0f8ffff 8b9de0f6ffff 8b85bcf8ffff } - $sequence_1 = { 894c2420 c16c242008 331cc574e44900 0fb6c1 8b4c2410 0fb6c9 8b04c571e44900 } - $sequence_2 = { 03c2 8bd0 c1e81a 2b442448 81e2ffffff03 89542430 89542444 } - $sequence_3 = { c70000000000 c7400800000000 c9 c20400 56 8bf1 8b8e80000000 } - $sequence_4 = { 6a34 e8???????? 8945e8 59 85c0 740d 57 } - $sequence_5 = { 50 8d4de8 c745fc04000000 e8???????? eb0a 6a01 8d4de8 } - $sequence_6 = { 80fb35 7e82 33c0 84db 0f95c0 05feff0000 e9???????? 
} - $sequence_7 = { 8b94249c000000 81c2feffff07 03c2 8bd0 c1e81a 81e2ffffff03 2b442458 } - $sequence_8 = { 0f94c1 2500180000 2d00100000 f7d8 1bc0 40 f7c300800000 } - $sequence_9 = { 668b4306 663b45e4 7513 c6062d 8d7e01 8bcb 89bd70ffffff } + $sequence_0 = { 803800 0f4ff0 8a06 3c7f 75d1 8b5da0 8b45e8 } + $sequence_1 = { 8bec 8b4508 56 8bf1 894604 8b450c c70600000000 } + $sequence_2 = { 89842468020000 8b84244c010000 038424c4000000 8984246c020000 8b842450010000 038424c8000000 89842470020000 } + $sequence_3 = { 83e80c 7418 83e801 7413 83e801 740e 83e801 } + $sequence_4 = { 58 0f45d0 8ac1 2c30 3c09 7708 0fbec1 } + $sequence_5 = { c1c811 c1c913 33c8 8b442448 c1e80a 33c8 8b442454 } + $sequence_6 = { c20c00 55 8bec 8b4508 56 8bf1 894604 } + $sequence_7 = { 84c0 0f846c040000 3c24 7521 ff7518 8d45ef 8bcf } + $sequence_8 = { 51 e8???????? 83c40c eb25 52 6a00 51 } + $sequence_9 = { 8b4dec 40 898680000000 8b4508 894804 8b4de8 8908 } condition: 7 of them and filesize < 1395712 
@@ -115285,75 +115868,153 @@ rule MALPEDIA_Win_Sync_Scheduler_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "41472b7c-c76e-5a55-ab89-47e49be56775" - date = "2026-01-05" - modified = "2026-01-06" + id = "95610e1b-5db4-50de-ac44-e5e2c59c0bb8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sync_scheduler" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sync_scheduler_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sync_scheduler_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "cefc3130f1fb15a7eb3be2d60b81171c09dab6a15007b67a76905b9641705749" + logic_hash = "bcac8eebb558ac10a1437f8e96772342840ecc807b424b4bd7b054cc8b3bdd2d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b910270000 ff15???????? 90 488b55f8 4883fa10 7231 } - $sequence_1 = { 498bcd ff15???????? 498bcc ff15???????? e9???????? 0f57c0 } - $sequence_2 = { 33d2 488bc8 ff15???????? 488d0557570000 488903 48896e60 48895e08 } - $sequence_3 = { c6450668 c6450777 c6450855 c6450968 c6450a64 c6450b67 c6450c49 } - $sequence_4 = { 480f42d8 48b8ffffffffffffff7f 488d4b01 483bc8 0f87ad000000 4803c9 4881f900100000 } - $sequence_5 = { 75cb 32db 4883fe10 7238 488d5601 } - $sequence_6 = { e8???????? 488d0d9c090000 e8???????? e8???????? 
} - $sequence_7 = { c645f277 c645f377 c645f46e c645f56c c645f67d } - $sequence_8 = { 488905???????? c7458017000000 8b4580 3448 } - $sequence_9 = { c6456800 33d2 41b808010000 488d8d20020000 e8???????? 498d8680bc0000 } + $sequence_0 = { 488d4808 0f1102 ff15???????? 488d05dfa30000 488903 } + $sequence_1 = { 48c7c7ffffffff 4d8b6f10 0f1f840000000000 48ffc7 6641391478 75f6 } + $sequence_2 = { e8???????? 83cf02 897df7 488d55ff } + $sequence_3 = { 488d542424 498bc9 e8???????? 0f1000 0f1185e0010000 0f104810 } + $sequence_4 = { 4885c0 7431 4883c027 4883e0e0 488948f8 eb39 483bf1 } + $sequence_5 = { 488d05216a0000 4889843a58ffffff 488b01 48634804 } + $sequence_6 = { c645ab55 c645ac54 c645ad57 c645ae56 c645af51 c645b050 } + $sequence_7 = { 48c705????????00000000 b9e0010000 e8???????? 488bf8 488905???????? 488905???????? } + $sequence_8 = { eb1d ff15???????? cc 488bd6 e8???????? 4d89241e 4d89641e08 } + $sequence_9 = { 0408 3464 8844244c 8b442440 } condition: 7 of them and filesize < 156672 } +rule MALPEDIA_Win_Theme_Forest_Rat_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "2dfda398-f2e0-5044-aa0d-96a802a77678" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.theme_forest_rat" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.theme_forest_rat_auto.yar#L1-L131" + license_url = "N/A" + logic_hash = "1f9b18271343c20c0a3cb56f23f6a9c9adf0d77b95c33d44db6f3d949d45d1a5" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 
488bcb ff15???????? 83a56006000000 4c8d8568060000 48c7c702000080 c7855806000064000000 } + $sequence_1 = { 7575 488d442440 c7860824000001000000 488bd6 488d4c2440 482bd0 0fb701 } + $sequence_2 = { 488b4c2460 488d442468 4889442428 41b901000000 4533c0 c744242001000000 ba00000002 } + $sequence_3 = { 56 57 4156 4883ec40 8b6934 488bfa 8b5130 } + $sequence_4 = { 488958e0 488958d8 8958d0 488958c8 4183c9ff 4c8bc1 33d2 } + $sequence_5 = { e8???????? 85c0 0f85be030000 4885f6 488d2d51170300 480f45ee } + $sequence_6 = { 490f43d4 4883c118 e8???????? 4d3bf4 ba08000000 661bc0 66f7d0 } + $sequence_7 = { 8918 c7400416100010 c7400801000000 89bd24a80000 488d8d1ca80000 e8???????? 488bcd } + $sequence_8 = { 4883ec28 4c8b01 498bc0 48f7d0 483bc2 720f } + $sequence_9 = { 03d0 8bc5 8d0c92 03c9 498d5710 2bc1 4863c8 } + + condition: + 7 of them and filesize < 651264 +} +rule MALPEDIA_Win_Dynowiper_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "6f53cc06-0a79-54dc-a61c-834614c7219e" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dynowiper" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dynowiper_auto.yar#L1-L125" + license_url = "N/A" + logic_hash = "87ffa3582c8bdc798a3280ec361a38c33e352272284eb95668c020eadf0b3cc1" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 7528 8d45ec c745ec54474200 50 8d4ddc e8???????? 68???????? } + $sequence_1 = { e9???????? 
8b95ecefffff 8b8ddcefffff 2b7b08 037b04 8b049590914200 8b95f4efffff } + $sequence_2 = { 8b45f4 56 ff75e4 8b048590914200 } + $sequence_3 = { 8bd8 6a00 85db 7f1f } + $sequence_4 = { 85c9 7465 8b06 8b04b8 8901 eb5c 8b5608 } + $sequence_5 = { 80b85081420000 751d 8b5df0 83fa04 7f12 3bf3 } + $sequence_6 = { ff15???????? 85c0 7443 8d44240c c744240801000000 50 } + $sequence_7 = { 8d4900 8b06 3d70020000 7509 8bce e8???????? } + $sequence_8 = { 83c404 33c0 c745e807000000 837dd010 668945d4 8945e4 720b } + $sequence_9 = { 33882c060000 33ca 8988b8090000 4e 75c9 eb0e 3de0040000 } + + condition: + 7 of them and filesize < 374784 +} rule MALPEDIA_Win_Nikitear_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f8fdb193-3c11-59c1-829a-a9eb5f221c83" - date = "2026-01-05" - modified = "2026-01-06" + id = "b9049d27-0fc1-583b-81a9-833de2d7522b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nikitear" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nikitear_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nikitear_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "78bbb5bb165f52797af65de0137f35c2d932f8f5aaa20ce84f06a64d8b20f48b" + logic_hash = "5827e9be2a08fd3d9f8ef691b6f311ed8991c684e910e34bdb5878684a36debd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: 
- $sequence_0 = { 488d8d60010000 ffd0 33c0 c74424204004242e 8844242c } - $sequence_1 = { 8d419f 3c19 7706 448d49b9 eb24 8d41d0 3c09 } - $sequence_2 = { 48635708 4c8d3dcce5feff 48035508 0fb60a 83e10f 4a0fbe843908460300 428a8c3918460300 } - $sequence_3 = { 488d4c2440 4885f6 743f 4c8d054ff7fdff 483bca 7333 80390d } - $sequence_4 = { 4c03f3 4c8b6c2460 4b8d0427 4c3bf0 0f94c0 488b4df8 4833cc } - $sequence_5 = { 488d151e570200 488d0de7560200 e8???????? 85c0 7529 } - $sequence_6 = { 39b42480000000 747b 4c8d0576ce0100 498b04e8 f644f83848 7441 0fb7442470 } - $sequence_7 = { 44884c2420 41b901000000 4533c0 418bd1 488bcb e8???????? 83e73f } - $sequence_8 = { 48ffc1 4883f90d 7306 0fb65590 ebea 0fb64591 8bce } - $sequence_9 = { 4883c227 482bc1 4883c0f8 4883f81f 772a e8???????? 488b4310 } + $sequence_0 = { 448bd9 48bbb301000000010000 0f1f4000 660f1f840000000000 410fbe0a 8bd1 80e941 } + $sequence_1 = { 488d1567250200 b903000000 4c8d0553250200 e8???????? 488bd3 8bcf } + $sequence_2 = { 4833d8 490fafde 4983e901 75d9 488bcb e8???????? 488d55b0 } + $sequence_3 = { 4883ec60 488b05???????? 4833c4 488945f8 33db 48895dd0 4c8d05da5e0300 } + $sequence_4 = { 30440db9 48ffc1 4883f910 72ed 0fb645b9 } + $sequence_5 = { f6c304 7424 410fb60a 83e10f 4a0fbe843108460300 428a8c3118460300 } + $sequence_6 = { 40383c0b 75f7 33d2 48f7f1 0fb6041a } + $sequence_7 = { 488bc8 ff15???????? 4889842498000000 4885c0 0f8448070000 c744245654000000 c744245050004f00 } + $sequence_8 = { e8???????? 483bd8 7509 488d3dbce90100 eb16 b902000000 } + $sequence_9 = { 0f1f840000000000 8d040a 30440dc1 48ffc1 4883f90b 7306 } condition: 7 of them and filesize < 610304 
@@ -115363,52 +116024,52 @@ rule MALPEDIA_Win_Karius_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f864f52d-97b4-52e1-be47-a43becf89939" - date = "2026-01-05" - modified = "2026-01-06" + id = "3cb1d9ad-d5c4-549f-a1ce-94ef7a14a515" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.karius_auto.yar#L1-L233" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.karius_auto.yar#L1-L245" license_url = "N/A" - logic_hash = "65d32f5659cb602716004ef37e85991451736e33f4d393130adf2e3c033195f4" + logic_hash = "42a51763e275d73b90477c335b593ab917c6a5ba4d2c7362206c1d4f1e01c051" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41b830000000 488bcf ff15???????? 4885c0 } - $sequence_1 = { 85db 0f8477000000 8bb424b0000000 418b10 } - $sequence_2 = { 8bb424b0000000 418b10 8bcd 4903d6 0fb602 } - $sequence_3 = { 4d03d6 448bcd 85db 0f8477000000 } - $sequence_4 = { 488b05???????? 4885c0 7512 ff15???????? 488905???????? 4885c0 } - $sequence_5 = { 0f849d000000 41837b1400 0f8492000000 458b4320 458b5324 33ed } - $sequence_6 = { bf01000000 8bd7 498bce ffd3 4183bf8c00000000 } + $sequence_0 = { 488b05???????? 4885c0 7512 ff15???????? 
} + $sequence_1 = { 0f8477000000 8bb424b0000000 418b10 8bcd 4903d6 } + $sequence_2 = { 418b5b18 85db 0f849d000000 41837b1400 0f8492000000 458b4320 } + $sequence_3 = { 0f8492000000 458b4320 458b5324 33ed } + $sequence_4 = { 41b830000000 488bcf ff15???????? 4885c0 } + $sequence_5 = { 33ed 4d03c6 4d03d6 448bcd 85db 0f8477000000 8bb424b0000000 } + $sequence_6 = { 0f84b3000000 458b9f88000000 4d03de 418b5b18 85db 0f849d000000 } $sequence_7 = { c3 85c0 7505 e8???????? b801000000 } - $sequence_8 = { 0f84b3000000 458b9f88000000 4d03de 418b5b18 85db 0f849d000000 } - $sequence_9 = { 41 ff45fc 42 ff45f8 } - $sequence_10 = { 8bc7 ffc8 7416 ffc8 } - $sequence_11 = { 81c200000100 8955f8 b804000000 8945fc 81fa80000000 7307 } - $sequence_12 = { 4d8bc7 488bd0 488bce ff15???????? } - $sequence_13 = { 7405 f60001 7502 33c0 } - $sequence_14 = { 48895c2420 4d8bcc 4d8bc7 488bd0 } - $sequence_15 = { 33d2 488bce ff15???????? 4c8bf0 4885c0 } - $sequence_16 = { 47 41 3bfb 0f825ffeffff } - $sequence_17 = { 7505 8d7b02 eb09 6685c0 } - $sequence_18 = { 8a17 80fa41 7c0d 80fa5a } - $sequence_19 = { ff15???????? 4c8be8 498bce ff15???????? 4d85ed } - $sequence_20 = { ebb0 8b5d10 8b750c 8b4d08 47 8b55f4 41 } - $sequence_21 = { 7e26 3c5b 750a 5e 894d0c } - $sequence_22 = { 488d4b10 488d542450 41b804000000 c6430f68 } - $sequence_23 = { 41 7411 43 3c5c } - $sequence_24 = { 4d8bcf 33d2 41b800001000 488bce } - $sequence_25 = { 7c04 3c39 7ee3 803f2e } + $sequence_8 = { 8bd7 498bce ffd3 4183bf8c00000000 0f84b3000000 458b9f88000000 4d03de } + $sequence_9 = { ff15???????? 488bf8 4885c0 7505 8d4701 } + $sequence_10 = { 7407 3c20 7703 46 75f3 803e5d } + $sequence_11 = { 3a06 7522 42 46 } + $sequence_12 = { 448bc0 33d2 488bce ff15???????? 4c8bf0 4885c0 } + $sequence_13 = { 4d8bcf 33d2 41b800001000 488bce ff15???????? 488bd8 } + $sequence_14 = { 488bc8 ff15???????? 
4c8be8 498bce } + $sequence_15 = { 488d4b10 488d542450 41b804000000 c6430f68 } + $sequence_16 = { 42 46 83fa05 7cf2 33c0 } + $sequence_17 = { 56 57 e8???????? 8bc8 83c40c 85c9 0f8485000000 } + $sequence_18 = { 8d7b01 448bfb 448be3 4885c9 } + $sequence_19 = { 7405 f60001 7502 33c0 } + $sequence_20 = { f7d8 8945fc 8955f4 85db 7407 3bd3 } + $sequence_21 = { 42 ff45f8 894d08 e9???????? 8b45f8 5f } + $sequence_22 = { 4d8bcc 4d8bc7 488bd0 488bce ff15???????? 85c0 } + $sequence_23 = { 0f93c0 eb06 803900 0f94c0 } + $sequence_24 = { 4c8be8 498bce ff15???????? 4d85ed } + $sequence_25 = { e9???????? 8b4510 5e 8908 } condition: 7 of them and filesize < 434176 
@@ -115418,36 +116079,36 @@ rule MALPEDIA_Win_Ruckguv_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0458bbf5-faad-51b1-bbf4-5951261d0eab" - date = "2026-01-05" - modified = "2026-01-06" + id = "a3926da9-97d4-5c70-97f8-77af66641269" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ruckguv_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ruckguv_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "45b231c70efe5a17389a0b484f9ffc2309c40182fd8d298e6f80ad3ac2eb154c" + logic_hash = "bd33d6f723961a50547735b694a0e61de28f94951db04f9854c4c4eb5b1ef5c3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 750f 56 50 53 } - $sequence_1 = { 50 8d4640 50 8d4340 50 } - $sequence_2 = { 51 56 8b7508 8b463c 03c6 } - $sequence_3 = { ff75fc ffd0 5f 5e 8bc3 5b } - $sequence_4 = { a5 a5 66a5 a4 33f6 56 8d453c } - $sequence_5 = { ffd0 8d859cfdffff 50 68???????? } - $sequence_6 = { 884d13 8a8801010000 33ff 884dff 397d0c 763d 53 } - $sequence_7 = { 7908 49 81c900f0ffff 41 0fb7c9 } - $sequence_8 = { 57 8d8598fcffff 50 8d85a0feffff 68???????? 50 ff555c } - $sequence_9 = { 8d859cfdffff 50 68???????? e8???????? 
6814f1f808 } + $sequence_0 = { 53 56 fe4513 0fb64d13 8d3401 8a16 0055ff } + $sequence_1 = { 50 e8???????? 59 50 e8???????? 68???????? 50 } + $sequence_2 = { 8b4834 3bf1 7504 b001 eb7c 8b80a0000000 } + $sequence_3 = { 6a01 e8???????? 83c428 8d8da0feffff 51 } + $sequence_4 = { 05f8000000 813f50450000 894508 0f851c010000 8b5f50 68fe6a7a69 } + $sequence_5 = { 0fb645fe 03c1 8a18 fe45ff 881e 8810 660fb645ff } + $sequence_6 = { 8d859cfdffff 50 68???????? e8???????? 6814f1f808 6a01 897558 } + $sequence_7 = { 59 eb1e 8d45d0 ebeb 8d45b4 } + $sequence_8 = { 8b37 85f6 7503 8b7710 03f3 } + $sequence_9 = { 53 33d2 56 57 8855ff 8855fe 889100010000 } condition: 7 of them and filesize < 41024 
@@ -115457,36 +116118,36 @@ rule MALPEDIA_Win_Ldr4_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c588634c-3a69-5c4e-b524-6b66db1c4a89" - date = "2026-01-05" - modified = "2026-01-06" + id = "70f63792-fb12-5dc9-8e1c-cdcecc2cc034" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ldr4" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ldr4_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ldr4_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "e747da5dcad3015b47810444cb7613ce4b06e63b04ebbc6ff8767e44ad66440e" + logic_hash = "efd08753414b7d9502b38de382596116e13607d37b302ea183aff8415d3508d2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8d45b4 50 53 33f6 56 } - $sequence_1 = { 8b4008 8945f4 a1???????? 53 35fc28b0ec 56 50 } - $sequence_2 = { c745f40c000000 c745fc01000000 895df8 ffd7 85c0 7508 } - $sequence_3 = { 53 56 57 8bf8 a1???????? 8b5808 8b07 } - $sequence_4 = { a1???????? 8b4008 89442404 85f6 0f84c9000000 8b4610 85c0 } - $sequence_5 = { 8b4008 57 8b3d???????? 6a40 8945f8 8d45b8 } - $sequence_6 = { ff15???????? 8bf0 85f6 750c 57 ff15???????? 6a08 } - $sequence_7 = { 3bc6 743c 56 56 ff75f4 } - $sequence_8 = { ff15???????? 8d4608 50 e8???????? 
837e0400 7414 6aff } - $sequence_9 = { 35fc28b0ec 56 50 8b4508 8b402c e8???????? 85c0 } + $sequence_0 = { eb01 41 80fb3b 7506 85ff 7522 } + $sequence_1 = { 33db 897d1c 8b4510 6a10 59 894dfc } + $sequence_2 = { 50 ff15???????? 8b45f0 b90046c323 f7e1 0145e4 8b45e4 } + $sequence_3 = { 56 56 6a1c 51 ff7508 ffd0 eb02 } + $sequence_4 = { 8b4064 85c0 7403 56 } + $sequence_5 = { c20400 55 8bec 51 51 8b4d08 8b413c } + $sequence_6 = { 8bc6 e8???????? 85c0 7410 c60000 40 8a08 } + $sequence_7 = { e9???????? 33db 43 8b4508 } + $sequence_8 = { 57 895df4 e8???????? 83c40c 6a02 58 668907 } + $sequence_9 = { 8b4618 85c0 7407 50 ff15???????? 56 6a00 } condition: 7 of them and filesize < 117760 
@@ -115496,36 +116157,36 @@ rule MALPEDIA_Win_Danbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "20935e71-f906-54b9-9bae-c4a4caef1aba" - date = "2026-01-05" - modified = "2026-01-06" + id = "a3db48ee-a8bd-5412-bc94-1b6484e68e3f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.danbot_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.danbot_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "acd94691ea40c5baca6316ac758413a2314f96bf1ccb4eb7ca1bd69319a91f06" + logic_hash = "db7ff4cd51bed02dad1f618aa110021ea4fbebd152bd22b9b719e5e2002e958d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8965f0 4c896df8 448865e0 488d5580 488d4d00 e8???????? } - $sequence_1 = { 4585c0 0f840e020000 89bb88000000 4183f803 0f82b6000000 8b8394000000 85c0 } - $sequence_2 = { 55 56 57 4881ec90000000 48c7442420feffffff 49895b18 488b05???????? } - $sequence_3 = { 483bd7 720e 48ffc2 4d8bc6 498b0f e8???????? 
} - $sequence_4 = { 488bda 33c0 488b5110 4983c8ff 89442420 48894310 48c743180f000000 } - $sequence_5 = { ffd3 99 33c2 2bc2 89442430 448be0 4c89642450 } - $sequence_6 = { eb03 488bd9 8b4018 25c0010000 410f100424 beffff0000 83f840 } - $sequence_7 = { 488bce ffd3 90 488b742478 488b06 488b5838 488bcb } - $sequence_8 = { 48897310 4c897318 408833 0f1007 0f1103 0f104f10 0f114b10 } - $sequence_9 = { 498bcd e8???????? 4533d2 84c0 741d 418adc 488bcf } + $sequence_0 = { 4c8965d8 66448975c0 488b5518 4883fa10 720f 48ffc2 4c8bc6 } + $sequence_1 = { 488b457f 48894587 4883ceff 488bcb f7431800400000 0f8435010000 488d542440 } + $sequence_2 = { 48895818 48896820 4c8bf2 488bf1 4533ff 4c8939 4c897908 } + $sequence_3 = { 488bc8 ff15???????? 33c9 85c0 7508 ff15???????? 8bc8 } + $sequence_4 = { 0f94c0 84c0 0f8503040000 83ff03 0f94c0 84c0 0f84b6000000 } + $sequence_5 = { 413bc1 7d03 418bd2 8b4b28 488b4310 881401 } + $sequence_6 = { 48897b58 66897b48 488b5340 4883fa08 7210 488b4b28 448d4702 } + $sequence_7 = { 7214 48ffc2 4d8bc4 488b8c2498000000 e8???????? 90 } + $sequence_8 = { 66448933 488b5507 4883fa08 7225 48ffc2 4d8bc4 488b4def } + $sequence_9 = { 442bdd 49ffc1 49ffc0 418a01 418800 83c1ff 75ef } condition: 7 of them and filesize < 1492992 
@@ -115535,36 +116196,36 @@ rule MALPEDIA_Win_Fickerstealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c52c8234-c18e-5ab8-95a7-2cfcdb04553b" - date = "2026-01-05" - modified = "2026-01-06" + id = "6f85756a-c843-575d-b94d-3b2f734b01f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fickerstealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fickerstealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "1997b49e36624536afa96468393213120f734d09be7f5a4952b0a008982c9c1f" + logic_hash = "aa8d1c23014e11385c0a5d073235ca609911431bbe1a8732876dd8cee6965456" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 46 4f ebe7 b001 eb02 31c0 83c404 } - $sequence_1 = { ff74240c ff74240c ff74240c 52 51 53 50 } - $sequence_2 = { eb44 88df 80c7d0 80ff0a 7241 8b7df0 3a1f } - $sequence_3 = { c3 8b8424081d0000 f20f108424001d0000 8b7d0c 89442438 f20f11442430 31c0 } - $sequence_4 = { 8d55f0 8902 894a04 6683620800 89f1 e8???????? 83c40c } - $sequence_5 = { f20f114808 f20f1100 8d4dd4 6a02 58 50 e8???????? } - $sequence_6 = { f20f114610 f20f114e08 f20f1116 56 e8???????? 
59 83c418 } - $sequence_7 = { 21f2 8d75d4 8b760c 09da bb08080808 21de 09fe } - $sequence_8 = { 8d55e4 21c3 8d8518ffffff f20f1000 f20f104808 8d45e4 09fb } - $sequence_9 = { e8???????? 83c40c 8b542410 6689442422 89f9 6a04 58 } + $sequence_0 = { c70201000000 894a08 894204 eb0e 8b4df0 89d8 2b45ec } + $sequence_1 = { 83a4240802000000 e8???????? 6a08 58 8b4d08 e9???????? 8d842418020000 } + $sequence_2 = { 8919 895104 894108 e8???????? 894604 31c0 895608 } + $sequence_3 = { 5e 5d c3 89c1 52 56 e8???????? } + $sequence_4 = { 0d0000f07f 660f6ec0 e9???????? 8b4d0c 89c6 89ca 21da } + $sequence_5 = { f20f1000 f20f104808 8d45e4 09f1 8d75d4 894d94 89f1 } + $sequence_6 = { e8???????? 50 e8???????? 5e 5d c3 55 } + $sequence_7 = { 8d8c2400010000 e8???????? 8d8c2444010000 e8???????? 897c2408 89742404 31ff } + $sequence_8 = { 8b4dec e8???????? eb2a 31d2 eb18 85c9 7412 } + $sequence_9 = { a820 b900000000 0f45fe 0f45f1 247f 3c40 0f43f9 } condition: 7 of them and filesize < 598016 
@@ -115574,36 +116235,36 @@ rule MALPEDIA_Win_Gameover_P2P_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fe20a97c-206c-5c98-87a9-4b574fa239f7" - date = "2026-01-05" - modified = "2026-01-06" + id = "ba92d203-3f22-5cb1-b58e-197379c62676" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gameover_p2p_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gameover_p2p_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "0a805dc64b5619969bf73a86439d36461e7cd7fd50eef8d82014a2fb996a9dce" + logic_hash = "dc788de3ae476cb443e20aa59ed8f52baa96f93fac9f9c0bd2b59657d4417634" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 88442413 0fb6c0 8944241c 8a80007f3902 0fb6c0 3bc8 } - $sequence_1 = { 8d55ee 33c9 e8???????? ba???????? 6a2e 58 668945ec } - $sequence_2 = { 33c0 e9???????? 6a74 59 e8???????? 8bf8 85ff } - $sequence_3 = { 8b8684000000 8d0440 03c0 0fb78c008a183902 03c0 898e80000000 0fb79088183902 } - $sequence_4 = { 895108 6bd20c 83c104 e8???????? c20400 f644240401 } - $sequence_5 = { 3d02010000 0f85e0000000 8d7dce 6800020000 8d44241c 50 8d8424b0060000 } - $sequence_6 = { e8???????? 33d2 b9ff000000 f7f1 6a00 56 8bcf } - $sequence_7 = { ff15???????? 
8bf0 89742410 83feff 7478 8d442414 50 } - $sequence_8 = { 8a0408 3204f598613902 32c2 42 880439 663b14f59a613902 } - $sequence_9 = { 50 8d442448 85ed 8b6c2444 0f45c8 51 ff742430 } + $sequence_0 = { 8b44241c 33c9 66394c043c 0f84ef010000 fec3 66894c043c 885c2417 } + $sequence_1 = { 84db 0f95c2 51 8b4dec 81c292000000 e8???????? } + $sequence_2 = { 8d3c9548373d02 8b0f 334f04 23cb 330f 8bc1 83e001 } + $sequence_3 = { 8d4c2448 c7442448307f3902 895c2450 e8???????? 8b6c2450 b8???????? } + $sequence_4 = { 8a5603 80fa0e 0f87eef7ffff 0fb6c2 3a884c903902 0f85dff7ffff 8a4c2413 } + $sequence_5 = { 8a1428 8a2438 3ad4 7505 80c308 eb3d } + $sequence_6 = { 8d4c2468 c744241494913902 e8???????? 6800100000 8d4c2478 e8???????? ff7510 } + $sequence_7 = { 5e c20400 56 51 8bf2 ff15???????? ba04010000 } + $sequence_8 = { 56 ff15???????? 33d2 8bf2 85f6 0f8453020000 } + $sequence_9 = { 0f95c0 84c0 7404 b001 eb2d 833d????????ff 740d } condition: 7 of them and filesize < 598016 
@@ -115613,50 +116274,50 @@ rule MALPEDIA_Win_Smanager_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9094b6d5-dd8f-5044-9d10-3bb7c70d2fbb" - date = "2026-01-05" - modified = "2026-01-06" + id = "a9ebb4a2-279e-50dd-8bbd-faa840ca945d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.smanager_auto.yar#L1-L227" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.smanager_auto.yar#L1-L226" license_url = "N/A" - logic_hash = "e0a2b573b878cce9fd789f6f7825fb445120b343d0f7f8893519c9a9cc16ccfe" + logic_hash = "829bd82c08b6a011f083c5676e02374652bacf1f1d2e6aef291985901b89a342" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { c7462cffffffff 7410 6a00 6a00 } - $sequence_1 = { 8b4608 85c0 7420 a801 } - $sequence_2 = { 83c602 6a22 56 e8???????? 83c408 85c0 } - $sequence_3 = { 740e 3d45270000 7407 3d46270000 } - $sequence_4 = { 51 51 ffd0 83c40c c7460800000000 } - $sequence_5 = { 8b7604 6a00 6a00 56 } - $sequence_6 = { 8b4510 85c0 7407 50 ff15???????? } - $sequence_7 = { 56 68???????? 6a00 6a00 ff15???????? 8bf8 897e28 } + $sequence_1 = { 740e 3d45270000 7407 3d46270000 } + $sequence_2 = { 8b4510 85c0 7407 50 ff15???????? 
5f } + $sequence_3 = { 8b4608 85c0 7420 a801 } + $sequence_4 = { 8b7604 6a00 6a00 56 } + $sequence_5 = { 7409 6a02 51 51 ffd0 83c40c c7460800000000 } + $sequence_6 = { 83c602 6a22 56 e8???????? 83c408 } + $sequence_7 = { 6a00 6a00 ff15???????? 8bf8 897e28 } $sequence_8 = { ff15???????? 32c0 e9???????? 0f1005???????? } - $sequence_9 = { 8b43ec 85c0 751d 41f6c040 7408 488b07 } - $sequence_10 = { 0000 80ed4a 0044feff ff900100008c } - $sequence_11 = { 0000 0c0c 0c0c 0c0c 0c0c 0c0c 0102 } - $sequence_12 = { 0007 b15a 0089b05a0089 b05a } - $sequence_13 = { 85c0 745c 448d4368 488d4c2470 33d2 } - $sequence_14 = { 448b842498000000 488b942490000000 488b4c2448 488d842480000000 4533c9 4889442428 895c2420 } - $sequence_15 = { 0008 53 4f 00ef } - $sequence_16 = { 4863ca 8a441918 42888401b0210200 ffc2 } - $sequence_17 = { 488bce e8???????? 8b07 488b8c2480000000 89442430 488d442440 448d4301 } - $sequence_18 = { 0003 b157 0000 0c0c } - $sequence_19 = { b920000000 498bd0 482bd3 488d81deffff7f 4885c0 7417 0fb7041a } - $sequence_20 = { 0007 b15a 00c4 b15a } + $sequence_9 = { 0000 0c0c 0c0c 0c0c 0c0c 0c0c 0102 } + $sequence_10 = { 48894c2430 443b4120 7305 4889542430 488d442430 } + $sequence_11 = { 0001 ce 50 0008 } + $sequence_12 = { 0008 53 4f 00ef } + $sequence_13 = { 488b09 488bf2 4885c9 740a 488b01 ba01000000 ff10 } + $sequence_14 = { 0003 b157 0000 0c0c } + $sequence_15 = { 4889442460 488b4b08 4883c108 488d542430 e8???????? } + $sequence_16 = { 4057 4883ec20 488d3ddb6e0100 48393d???????? 742b b90c000000 e8???????? } + $sequence_17 = { 0007 b15a 00c4 b15a } + $sequence_18 = { 4c89742420 ff15???????? 85c0 7444 8b16 4c8bc5 } + $sequence_19 = { eb40 4c8d35757a0100 488b0d???????? e9???????? 4c8d35727a0100 488b0d???????? 
} + $sequence_20 = { 0000 80ed4a 0044feff ff900100008c } $sequence_21 = { 0007 b15a 0007 b15a } - $sequence_22 = { 0001 ce 50 0008 } - $sequence_23 = { 751c 4883e0fe 488d4f08 4c8b08 4d85c9 740c 41b802000000 } + $sequence_22 = { 0007 b15a 0089b05a0089 b05a } + $sequence_23 = { 85c0 0f8470010000 488b442448 488d0d07600100 4c8d4c2460 488b0cc1 } condition: 7 of them and filesize < 10013696 
@@ -115666,81 +116327,81 @@ rule MALPEDIA_Win_Yty_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b178a64d-90f2-5e14-9301-2d60f407465c" - date = "2026-01-05" - modified = "2026-01-06" + id = "965f193c-3547-5716-8999-17fdc0148252" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yty_auto.yar#L1-L503" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yty_auto.yar#L1-L515" license_url = "N/A" - logic_hash = "ba7411fc89742deab8ac323283edaf67308d62adecd7c34f413e3b6a25925cab" + logic_hash = "102ce8494eea236c491379fdbc383eabf937fd16ffc3acab5a4535a41b2f13f2" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f840c000000 8365d8fe 8b7508 e9???????? c3 8b542408 8d420c } - $sequence_1 = { 64a300000000 8b7508 33ff 897dd8 } - $sequence_2 = { 8b5610 33c9 33c0 8d7910 } - $sequence_3 = { b901000000 e9???????? 8b5508 397d1c 7303 8d5508 } - $sequence_4 = { 5f 668910 8bc6 5b 8be5 5d c20400 } - $sequence_5 = { 8bfe 80ea13 b903000000 eb58 } - $sequence_6 = { 8b4c3138 33db 895de8 885def 8975e0 85c9 } - $sequence_7 = { 50 ffd2 ff15???????? 8a857bffffff 8b4df4 } - $sequence_8 = { 8b08 8b5108 50 ffd2 8b8568ffffff 8b08 } - $sequence_9 = { c645fc01 e8???????? 
8b10 8b4a04 03c8 } - $sequence_10 = { 807def00 8b5de8 7503 83cb02 8b16 8b4a04 } - $sequence_11 = { 8bcf e8???????? 8b0e 8b5104 8b443238 } - $sequence_12 = { 8906 894604 894608 8945fc 56 c745f001000000 } - $sequence_13 = { 8bfe 80ea04 b904000000 eb23 } - $sequence_14 = { 397e14 7214 8a1402 8b3e 2ad1 } - $sequence_15 = { 7204 8b3e eb02 8bfe 8a1402 2ad1 80ea13 } - $sequence_16 = { 51 e8???????? 83c408 8bf0 6a0a } - $sequence_17 = { 50 e8???????? 83c40c 8d8de8fdffff 51 53 } - $sequence_18 = { 50 8bce c60600 e8???????? 8b5610 33c9 } - $sequence_19 = { 8d8de8fdffff 51 53 53 6a28 53 } - $sequence_20 = { 33c9 881407 bf10000000 40 3b4610 } - $sequence_21 = { c0ea02 8ac4 80e20f c0e004 } - $sequence_22 = { 8b07 eb02 8bc7 8b4de0 } - $sequence_23 = { c645fc07 e8???????? 8bf0 891f 6a08 c645fc0c e8???????? } + $sequence_0 = { 8b45d8 83e001 0f840c000000 8365d8fe 8b7508 e9???????? } + $sequence_1 = { 8365d8fe 8b7508 e9???????? c3 8b542408 8d420c } + $sequence_2 = { 33c5 50 8d45f4 64a300000000 8b7508 33ff 897dd8 } + $sequence_3 = { 894608 8945fc 56 c745f001000000 e8???????? } + $sequence_4 = { 8a1402 2ad1 8bfe 80ea04 b901000000 } + $sequence_5 = { 0f82dbfeffff 397d1c 720c 8b4508 50 e8???????? } + $sequence_6 = { 64a300000000 8965f0 8bf9 8b7508 8b06 8b4804 8b4c3138 } + $sequence_7 = { 668910 8bc6 5b 8be5 5d c20400 } + $sequence_8 = { 8b4c3138 33db 895de8 885def 8975e0 } + $sequence_9 = { 2ad1 80ea13 33c9 881407 bf10000000 } + $sequence_10 = { 397e14 7204 8b3e eb02 8bfe 8a1402 } + $sequence_11 = { 50 ffd2 ff15???????? 8a857bffffff } + $sequence_12 = { 2ad1 80ea04 b901000000 e9???????? } + $sequence_13 = { eb58 8b5508 397d1c 7303 } + $sequence_14 = { 6aff 6a00 8bcf c645fc02 e8???????? 8b0e } + $sequence_15 = { 8975e0 85c9 7407 8b11 } + $sequence_16 = { 33c0 8d7910 85d2 0f8425010000 83f904 0f8712010000 } + $sequence_17 = { 53 50 e8???????? 83c40c 8d8de8fdffff 51 } + $sequence_18 = { 8b3e 2ad1 80ea04 b904000000 } + $sequence_19 = { 6a01 8bcf e8???????? 
8b0e 8b5104 8b443238 } + $sequence_20 = { 807def00 8b5de8 7503 83cb02 8b16 8b4a04 03ce } + $sequence_21 = { 8d8de8fdffff 51 53 53 6a28 } + $sequence_22 = { 7204 8b07 eb02 8bc7 8b4de0 } + $sequence_23 = { 8ad1 c0ea02 8ac4 80e20f c0e004 } $sequence_24 = { 8b4c1938 895dd4 85c9 7405 8b01 ff5004 c745fc00000000 } - $sequence_25 = { 25ff000000 83c001 25fe010000 f20f593c85c0014600 660f122c85c0014600 } - $sequence_26 = { c70424???????? e8???????? 85c0 7424 c70424f4010000 e8???????? 83ec04 } - $sequence_27 = { 8b5508 83e23f 6bd230 8b0c8d00b04600 88441128 e9???????? 8b5508 } - $sequence_28 = { c74410e05c584600 8b42e0 8b4804 8d41e8 894411dc c745fc00000000 } - $sequence_29 = { 33f6 bf???????? 833cf584fe420001 751d 8d04f580fe4200 } - $sequence_30 = { 0f1000 0f1105???????? f30f7e4010 660fd605???????? e8???????? 8d8590bcf0ff } - $sequence_31 = { 0bc8 51 e8???????? 83c404 8d8dd4efffff 83bde8efffff10 } - $sequence_32 = { 83e3fc ba00000000 898c15a4feffff 83c204 } - $sequence_33 = { 01c8 0fb600 38c2 7410 c745e401000000 c745e000000000 eb18 } - $sequence_34 = { 8d8588feffff 890424 e8???????? 8d85bafeffff } - $sequence_35 = { c1fe05 c1e106 030cb5a0244300 eb02 8bca f641247f 759c } - $sequence_36 = { 39e8 741e c74424045c000000 893c24 } - $sequence_37 = { c78534ffffff00000000 6a00 50 e8???????? 83c404 8d8d38ffffff e8???????? } - $sequence_38 = { 3d04010000 7607 b801000000 eb33 c744240404010000 } - $sequence_39 = { 57 33ff ffb744fe4200 ff15???????? } - $sequence_40 = { 89e5 83ec28 c745eb00000000 c645ef00 c745f400000000 } - $sequence_41 = { 6a40 6a00 8d8590fcffff 50 e8???????? 83c40c } - $sequence_42 = { f3ab 8d4dfb e8???????? 8d4dfb e8???????? } - $sequence_43 = { 83f809 7d10 40 ba???????? 50 e8???????? } - $sequence_44 = { 8bec 8b4508 ff34c580fe4200 ff15???????? } - $sequence_45 = { ff15???????? 8d8d90bcf0ff e8???????? 8bf0 c645fc03 } - $sequence_46 = { 64a300000000 8b7510 56 ff15???????? 
85c0 0f84cb010000 } - $sequence_47 = { 83e13f 6bd130 8b048500b04600 807c102900 7536 8b4d0c 3b4d14 } - $sequence_48 = { 8b45ec 3b45e0 7517 8b4508 0345e0 894508 } - $sequence_49 = { 8bf4 8b8578fcffff 50 ff15???????? 3bf4 e8???????? 8bf4 } - $sequence_50 = { 8b4d10 394de0 7752 037de0 8b45f0 8b55e8 8b048560cb4300 } - $sequence_51 = { 6a01 e8???????? ebd7 85ff } - $sequence_52 = { 3c5a 770f 0fbec1 0fb680d0ed4200 83e00f eb02 33c0 } - $sequence_53 = { e8???????? 85c0 756f 8b8328020000 } - $sequence_54 = { 898584fbffff 8d85e8fdffff 6808020000 50 } + $sequence_25 = { b904000000 6bd11d 898278a04600 68???????? 8b45fc 50 ff15???????? } + $sequence_26 = { 8345f401 837df40d 76d4 eb01 90 837df40e 7507 } + $sequence_27 = { 68???????? bf01000000 ffd6 8985ecfdffff 83f8ff } + $sequence_28 = { 890424 e8???????? 85c0 0f851f040000 8d853cfeffff } + $sequence_29 = { 8975e0 8b04bda0244300 0500080000 3bf0 0f8396000000 f6460401 755b } + $sequence_30 = { 890424 e8???????? 83ec08 e8???????? c785bafeffff62624a78 c785befeffff6f7c6b4a c785c2feffff677a6762 } + $sequence_31 = { ff75fc 51 8b0d???????? 57 e8???????? 8b0d???????? b893244992 } + $sequence_32 = { 01d0 0fb600 3c2e 7416 } + $sequence_33 = { 732f 8bc6 8bd6 83e03f c1fa06 6bc830 8b049560cb4300 } + $sequence_34 = { c7858cbbf0ff9c734300 e8???????? 83c404 c645fc01 } + $sequence_35 = { e8???????? 6a06 89430c 8d4310 8d8984f94200 5a } + $sequence_36 = { 8b45ec 3b45e0 761e 8b4508 0345e0 894508 8b4508 } + $sequence_37 = { c645fc0a 50 c78594fbffff9c734300 e8???????? c645fc02 } + $sequence_38 = { c78405dcfbffff84734300 8b85dcfbffff 8b4804 8d4190 89840dd8fbffff } + $sequence_39 = { 8b14cd30bc4500 3b5508 750c 8b45fc 8b04c534bc4500 eb04 } + $sequence_40 = { c785e2feffff00000000 c785e6feffff00000000 66c785eafeffff0000 c7442404fa000000 8d85bafeffff 890424 e8???????? 
} + $sequence_41 = { 89c6 0f8434010000 8db82c020000 8d4301 } + $sequence_42 = { 8d8cc2c8934600 894ddc eb09 8b55dc 83c202 8955dc } + $sequence_43 = { c745ac44000000 6a10 6a00 8d4594 50 e8???????? } + $sequence_44 = { 894104 85c0 75ea 8b0d???????? c7410400000000 8d4df8 } + $sequence_45 = { c1f805 8bfe 53 8d1c85a0244300 8b03 83e71f c1e706 } + $sequence_46 = { 83bd0cefffff00 0f8451020000 8d85c4efffff c785ccefffff00000000 0f57c0 50 } + $sequence_47 = { 50 8d8d8cfcffff 51 6a00 6a00 6800000008 } + $sequence_48 = { 8bcf e8???????? c645fc1e 8b85a4bcf0ff 83f810 } + $sequence_49 = { 0f87a2000000 6683fb56 0f84a2000000 83c320 0fbfc3 56 50 } + $sequence_50 = { 8bc6 c1f805 8bce 83e11f c1e106 8b0485a0244300 8d440804 } + $sequence_51 = { c70424f4010000 e8???????? 83ec04 8b45d8 890424 } + $sequence_52 = { 8b4510 50 8b4d0c 8b148d10cf4400 52 8b4508 50 } + $sequence_53 = { c70424e8030000 e8???????? 83ec04 8345f401 } + $sequence_54 = { 8d3c85a0244300 8bf3 83e61f c1e606 8b07 0fbe440604 83e001 } condition: 7 of them and filesize < 1097728 
@@ -115750,42 +116411,42 @@ rule MALPEDIA_Win_Cmstar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a9e2a661-537d-568b-85df-f27a686a58fb" - date = "2026-01-05" - modified = "2026-01-06" + id = "1be886c8-9b51-5137-aeaf-a67c65367096" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cmstar_auto.yar#L1-L177" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cmstar_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "cb1d0cd52e24cba8a51ced68bf521fb28bf6b675c076737849c87cad9d60f02d" + logic_hash = "af8082749fad46b0a710f9a3a1351eedc3f8a705b721d9a56ae6d475cb1d94e2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 56 bb04010000 57 53 } - $sequence_1 = { 8b45e8 ff75e0 ff30 e8???????? 8b4df8 } - $sequence_2 = { 8b4dec c1e802 6a04 52 8d0481 50 e8???????? } - $sequence_3 = { ff15???????? 8bc6 e9???????? 6a10 } - $sequence_4 = { ff15???????? 6a04 e8???????? be00040000 } - $sequence_5 = { 8b45d8 836dfc10 ff75fc 8945e0 8b45dc 83c310 8945e4 } - $sequence_6 = { ff15???????? 6a03 58 5f 5e 5b c9 } - $sequence_7 = { 85c0 7504 6a03 eb0d 803b4d } - $sequence_8 = { 888204420010 83c9ff 33c0 42 f2ae f7d1 49 } - $sequence_9 = { 8bf0 85f6 74b2 817c240cc8000000 741c a1???????? 
33f6 } - $sequence_10 = { 81ec08060000 53 55 56 57 33db b9ff000000 } - $sequence_11 = { a1???????? 8b10 52 53 } - $sequence_12 = { 49 8d7c2418 8bc1 83c9ff 89442410 } - $sequence_13 = { a1???????? 85c0 7505 a1???????? 6a00 6a00 6a03 } - $sequence_14 = { be01000000 8b4c2420 51 ff15???????? 3beb 7409 55 } - $sequence_15 = { 64890d00000000 81c4c0120000 c3 8b8c24d0120000 33db 3bcb 741c } + $sequence_0 = { ff15???????? 6a03 58 5f 5e 5b c9 } + $sequence_1 = { 8b4dec c1e802 6a04 52 8d0481 50 } + $sequence_2 = { 8b45d8 836dfc10 ff75fc 8945e0 8b45dc 83c310 } + $sequence_3 = { 7504 6a03 eb0d 803b4d } + $sequence_4 = { ff75e4 8b45e8 ff75e0 ff30 e8???????? 8b4df8 } + $sequence_5 = { 8bc6 e9???????? 6a10 8d45d0 } + $sequence_6 = { ff15???????? 6a04 e8???????? be00040000 } + $sequence_7 = { 56 bb04010000 57 53 } + $sequence_8 = { 6a00 6a01 8d4c242c 6800000080 51 } + $sequence_9 = { 895c2420 895c241c 895c2428 c74424303c000000 } + $sequence_10 = { 68???????? 890d???????? 56 890d???????? c705????????01000000 } + $sequence_11 = { 6a00 6a04 6a00 6a02 6800000040 50 ffd3 } + $sequence_12 = { f3a5 8bc8 33c0 83e103 668b15???????? } + $sequence_13 = { 99 f7fb 80c220 88140e 41 3bcb 7cea } + $sequence_14 = { 7506 8b35???????? bf???????? 83c9ff 33c0 6a00 f2ae } + $sequence_15 = { 895908 89590c a1???????? 8b10 52 53 } condition: 7 of them and filesize < 4268032 
@@ -115795,66 +116456,66 @@ rule MALPEDIA_Win_Industroyer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b70a6e6b-a7b3-5905-a2f3-bca4eedf28ac" - date = "2026-01-05" - modified = "2026-01-06" + id = "036f90e4-6096-5517-8806-9299525a1365" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.industroyer_auto.yar#L1-L392" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.industroyer_auto.yar#L1-L375" license_url = "N/A" - logic_hash = "d3f1f022d180cc54e73fc2b0f9206b38d6547f8fb0af0d5f384afd232c2b0a2b" + logic_hash = "0e96d7205874ef66f00b15847a9f0ed79693f731066f01dfdfeeb9fa6bad50ae" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 53 ff75fc e8???????? 57 e8???????? 83c414 56 } - $sequence_1 = { 8d85f8fdffff 56 be04010000 56 50 68???????? } - $sequence_2 = { 8d45f4 50 56 57 53 ff15???????? 037df4 } - $sequence_3 = { 53 ffd6 53 e8???????? 59 85c0 } - $sequence_4 = { 68???????? 56 56 ff15???????? 57 8bf0 e8???????? } - $sequence_5 = { 50 6a02 56 e8???????? ff7710 6a03 56 } - $sequence_6 = { 8d45a8 33f6 57 50 e8???????? } - $sequence_7 = { 51 50 56 57 ff15???????? 56 e8???????? } - $sequence_8 = { 6a02 ff15???????? 8bd8 85db 0f849d000000 8d85d0fdffff c785d0fdffff2c020000 } - $sequence_9 = { ff15???????? 89849da0efffff 83c604 43 81fe88000000 7291 } - $sequence_10 = { 8b35???????? 
0f1f00 f644241810 7451 } - $sequence_11 = { e8???????? 83c404 33c0 eb19 8d8d90efffff 51 } - $sequence_12 = { 81ec6c040000 a1???????? 33c4 89842468040000 53 8b1d???????? } - $sequence_13 = { 8b35???????? 39bdd8fdffff 741f 8d85d0fdffff 50 53 } - $sequence_14 = { 6800020000 8d85a0fbffff 50 56 ffb59cf3ffff ff15???????? 8b3d???????? } - $sequence_15 = { 0f847bffffff ffb59cf3ffff ffd7 8b4dfc 5f 33cd } - $sequence_16 = { 89442444 8b442418 89442440 8d44243c 50 } - $sequence_17 = { 8bcb 50 e8???????? 83c408 8d95d8fffeff 8bf0 } - $sequence_18 = { c745e0d4ff4000 e9???????? c745dc03000000 c745e0e0ff4000 e9???????? 83e80f 7451 } - $sequence_19 = { eb07 8b0cc5dc084100 894de4 85c9 } - $sequence_20 = { 7417 68???????? 50 ff15???????? 85c0 7407 6a00 } - $sequence_21 = { 7464 68???????? ff35???????? c705????????01000000 c705????????04000000 c705????????00000000 c705????????00000000 } - $sequence_22 = { 80480c01 eb04 80600cfe 807d1000 8b4604 } - $sequence_23 = { 8b4508 dd00 ebc6 c745e0e8ff4000 e9???????? c745e0f0ff4000 e9???????? } - $sequence_24 = { 8b34cd18c20110 8b4d08 6a5a 2bce 5b 0fb70431 663bc7 } - $sequence_25 = { 75f9 8d7c2430 2bd6 4f 8a4701 47 84c0 } - $sequence_26 = { 8945dc 8b1c9dd01f0210 895de0 f6441a2848 8b5d08 0f84ce000000 } - $sequence_27 = { c7825402000000000000 c7825802000000000000 8b8350020000 898250020000 8b8354020000 } - $sequence_28 = { f6470280 760d 68???????? e8???????? 83c404 } - $sequence_29 = { 0f1f440000 8a02 42 84c0 75f9 8d7c2430 2bd6 } - $sequence_30 = { 660f59f5 660f28aa40fe4000 660f54e5 660f58fe } - $sequence_31 = { e9???????? 894ddc c745e0d8ff4000 e9???????? } - $sequence_32 = { 33c2 2500800000 83f800 0f8547ffffff e9???????? 8b542408 } - $sequence_33 = { 59 8bf0 6a01 8bce e8???????? 8d45f8 c706???????? } - $sequence_34 = { 88d8 e2d9 8dbe00000600 8b07 09c0 } - $sequence_35 = { 83eb01 741e 83eb01 7549 399ffc000000 7441 } - $sequence_36 = { 894e10 e8???????? 59 59 85c0 } - $sequence_37 = { ba05000000 8d0d905b4400 e9???????? 
a90000f07f 752c a9ffff0f00 } - $sequence_38 = { 773c 2b4334 99 f77d8c 894598 3b4b3c } - $sequence_39 = { 7451 8b7d08 8b4514 8b4d10 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 53 33d2 bbbb010000 66395d0c } + $sequence_1 = { 8d45fc 50 6a04 8d4510 50 ff35???????? } + $sequence_2 = { 8bf8 53 57 e8???????? 83c410 8bc7 5f } + $sequence_3 = { e8???????? 8945f0 e8???????? 50 8945e8 e8???????? 83c40c } + $sequence_4 = { 8945ec 8945e8 33c0 668945dc 8d85a4fdffff } + $sequence_5 = { 68???????? 6a03 50 ff15???????? 8bf0 } + $sequence_6 = { 83c414 56 56 50 } + $sequence_7 = { 8d45f8 50 6a06 53 ffd6 } + $sequence_8 = { 0f84bb000000 53 56 57 6a02 ff15???????? 8bd8 } + $sequence_9 = { 85c0 75cd 56 ff15???????? 8b8c2474040000 5f } + $sequence_10 = { 0f46f9 3d00005000 b900400000 0f46f9 3d00003000 } + $sequence_11 = { 5d c3 6a00 53 ff15???????? 3d0000a000 } + $sequence_12 = { 8bf9 ff15???????? 3bf8 0f84bb000000 53 56 } + $sequence_13 = { 743c 6690 f644241810 751c } + $sequence_14 = { 68???????? 8bf9 89542418 57 50 ffd3 8d442418 } + $sequence_15 = { e8???????? 46 3b35???????? 72eb b101 } + $sequence_16 = { 50 56 ff15???????? 85c0 7450 6aff } + $sequence_17 = { 8b34cd20ee4000 8b4d08 6a5a 2bce 5b 0fb70431 } + $sequence_18 = { 747a 6a00 6a01 6a00 ff15???????? 8bf0 } + $sequence_19 = { c705????????00000000 ffd3 a1???????? 6aff 8945f8 8d45f4 } + $sequence_20 = { eb09 ff15???????? 8945f0 68???????? ff35???????? c705????????00000000 c705????????01000000 } + $sequence_21 = { 0fb64332 884232 0fb64333 884233 f3a5 } + $sequence_22 = { 8d85f0feffff 50 8b0f e8???????? 8b0f } + $sequence_23 = { 833d????????00 0f85b00a0000 8d0d90fd4000 ba1b000000 e8???????? } + $sequence_24 = { 0fb64203 884603 0fb64204 884604 8b4204 c1f808 884605 } + $sequence_25 = { 837c243c04 0f85bd000000 ff7704 ff15???????? 
ff7708 } + $sequence_26 = { 56 68???????? 50 8d95f0fffeff 8bcf } + $sequence_27 = { 84c9 a1???????? f30f7e05???????? 89442438 66a1???????? 668944243c a0???????? } + $sequence_28 = { 83c404 8985fcf9fdff 8d85fcf9fdff 8d8dc8fefeff } + $sequence_29 = { 5d c20400 c6420201 8a410c 02c0 884204 } + $sequence_30 = { f30f7e0e 83e908 8d7608 660fd60f 8d7f08 8b048dc4ab4000 ffe0 } + $sequence_31 = { 50 e8???????? 8b06 5f 5e 0fb64005 } + $sequence_32 = { 897c241c e8???????? 53 6a01 8d8c24d4000000 } + $sequence_33 = { 8d0441 50 52 8d954cffffff 8d8d14ffffff } + $sequence_34 = { e8???????? 8d8d7cfdffff 83fb06 0f86c1020000 8d4e48 8d4648 } + $sequence_35 = { 7417 807d0c00 0f8488000000 53 8d4db8 } + $sequence_36 = { 0f434da0 51 e8???????? 59 } + $sequence_37 = { b8???????? e8???????? 8bf1 8975ec 8b4e04 } + $sequence_38 = { 8b4dfc 5f 5e 89480c } + $sequence_39 = { 5f 807dfc00 5e 7409 ff75f8 } condition: 7 of them and filesize < 983040 
@@ -115864,36 +116525,36 @@ rule MALPEDIA_Win_Makadocs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3783cfc0-154b-51b0-b2f8-112def4fc579" - date = "2026-01-05" - modified = "2026-01-06" + id = "c36372cb-6691-5819-94fe-b771c4bce494" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.makadocs_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.makadocs_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "bc62432004ad887b8979c87f3801ee7c6c80fe20ba6026d285a25c1d6c33524c" + logic_hash = "a5df01775d77577eaa78904dfd4238f0eadeba88f74b3429699d8d017466a1ee" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 83c414 8d5c2414 c644243008 e8???????? c644243003 } - $sequence_1 = { 750d 8d460c 55 e8???????? 84c0 7436 8b4c242c } - $sequence_2 = { c644242c07 8b442434 51 83c0f0 89642420 8bf4 e8???????? } - $sequence_3 = { eb12 8b442420 8b4804 51 ff15???????? } - $sequence_4 = { 8b00 83c404 50 e8???????? 8b9548ffffff 894250 8b8554ffffff } - $sequence_5 = { 85f6 0f8c09020000 3bf1 0f8f01020000 03c6 } - $sequence_6 = { 8d5c2410 c64424300c e8???????? b303 885c2430 8b44241c } - $sequence_7 = { 50 b9???????? e8???????? 
8d4c2420 51 8d4c2450 c68424a80000002d } - $sequence_8 = { 8d4c2440 e8???????? 8d542444 68???????? b314 } - $sequence_9 = { 83c404 56 8944241c ff15???????? } + $sequence_0 = { 99 83c404 01442444 11542448 eb44 } + $sequence_1 = { c1f905 8d1c8d407c4200 8bf0 83e61f c1e606 8b0b 0fbe4c3104 } + $sequence_2 = { 50 ffd7 85c0 7508 8b4c2440 8b01 } + $sequence_3 = { 2bc2 8bf8 8b442410 56 e8???????? 85f6 7409 } + $sequence_4 = { 3bf1 0f8f06020000 03c6 68???????? 50 e8???????? 83c408 } + $sequence_5 = { 8b4c2424 51 50 8d4c2434 e8???????? 83c408 c644245402 } + $sequence_6 = { c644246828 e8???????? 8b542434 52 68???????? 8d7c2430 e8???????? } + $sequence_7 = { ffd5 8b06 3b78f8 7f0f 8978f4 8b0e c6040f00 } + $sequence_8 = { e8???????? c68424bc00000001 8b442444 83c0f0 83c404 8d500c 83c9ff } + $sequence_9 = { 68???????? e8???????? 8b4c2438 8b11 52 68???????? e8???????? } condition: 7 of them and filesize < 344064 
@@ -115903,36 +116564,36 @@ rule MALPEDIA_Win_Infy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3e52df24-aedf-51dc-878e-bd87d1c8f8c2" - date = "2026-01-05" - modified = "2026-01-06" + id = "2b15753a-a26f-5330-91b9-2d5cf1376e75" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.infy_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.infy_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "66e1e03eb3c288253d677feb2572d3dd19031bc03f792127c5e2fe93ef218916" + logic_hash = "fde45b39c8ea6fe9a66fc897a9dcabd474012d94de489b4e43ff6205773cce87" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85ff 7e2e 4e 8bd0 } - $sequence_1 = { 33d2 e8???????? eb2d 3b7df8 7514 8b45f0 } - $sequence_2 = { 740e 8d45d0 50 6a03 ff15???????? 8bd8 85db } - $sequence_3 = { 50 89c6 8b449d04 85c0 7412 } - $sequence_4 = { 837dec00 740b 8b45f0 8b55f8 } - $sequence_5 = { 833d????????00 740e 8d55d0 52 6a01 } - $sequence_6 = { b8???????? e8???????? b8???????? e8???????? 807b2800 7514 } - $sequence_7 = { 85f6 7d04 33ff eb0a 8bf8 2bfb } - $sequence_8 = { 7502 eb06 8b1b 85db } - $sequence_9 = { 0fb74af4 870c24 51 8b4afc e9???????? 
} + $sequence_0 = { 31c9 85d2 740a 66837af601 } + $sequence_1 = { c3 55 8bec 8b4508 2b450c 85c0 } + $sequence_2 = { 8945d4 807de300 7409 8b45e4 66833820 7304 } + $sequence_3 = { 8807 8d0492 8d1492 83f901 83dfff c1e817 } + $sequence_4 = { 7d04 33ff eb0a 8bf8 } + $sequence_5 = { 7507 b801000000 eb02 33c0 5d c20800 } + $sequence_6 = { 8b460c 8b55fc 8b3c90 eb52 } + $sequence_7 = { 56 57 33c9 894df8 8955f0 8945fc 8b45fc } + $sequence_8 = { 870c24 51 8b4afc e9???????? e9???????? e9???????? } + $sequence_9 = { 03c9 e8???????? 8d1437 8bc3 e8???????? } condition: 7 of them and filesize < 147456 @@ -115943,10 +116604,10 @@ rule MALPEDIA_Win_Mistcloak_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "bcb29aaa-c37e-5c55-be1e-5d06aa41cabd" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistcloak" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mistcloak_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mistcloak_auto.yar#L1-L121" license_url = "N/A" logic_hash = "6962ced189f702e03fc18d236cee46a2a0844476537e8c819ea6f1c43f9c0922" score = 75 @@ -115955,9 +116616,9 @@ rule MALPEDIA_Win_Mistcloak_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -115981,36 +116642,36 @@ rule MALPEDIA_Win_Jimmy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "571698ec-d0cc-5f2f-93fe-935369535da3" - date = "2026-01-05" - modified = "2026-01-06" + id = "76343dd1-0001-5a82-b43c-5f555f80a0e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jimmy_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jimmy_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "4dcefc186990b0fab3b8fbf45f928a3141684ff216c800369029d79b753cf37a" + logic_hash = "088f488629025008909d1b724760373f32f2ec368a4f05990a17a04953fa6e70" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 83c40c 85c0 7460 e8???????? } - $sequence_1 = { 32c0 eb6f 8b45e8 2b45f0 } - $sequence_2 = { e8???????? 59 668945f2 ff750c e8???????? 59 } - $sequence_3 = { 8b4dec 0fbe09 3bc1 755b } - $sequence_4 = { c745fc12030900 e9???????? 837de805 752c ff75e4 } - $sequence_5 = { 81ec40020000 c685cbfdffff01 6a00 6a02 e8???????? } - $sequence_6 = { 8d840004010000 50 e8???????? 59 89856cfeffff ff7508 } - $sequence_7 = { eb12 8b45f8 c6805001000001 33c0 0f855effffff 8b45f8 c9 } - $sequence_8 = { 59 59 ff75f4 e8???????? 
59 ff75f8 } - $sequence_9 = { 8b45f8 8945f4 8b450c 8945fc } + $sequence_0 = { 837d0800 7410 8b4508 0fb700 85c0 } + $sequence_1 = { e8???????? 59 8945dc ff75e4 ff75ec 68???????? 68???????? } + $sequence_2 = { ff75fc 6a00 e8???????? 83c428 85c0 7425 6888130000 } + $sequence_3 = { 59 59 8945f8 837df800 7502 eb53 8b45f8 } + $sequence_4 = { ff75f4 8b4508 ff30 e8???????? 83c410 8945c0 } + $sequence_5 = { 8b4dec 8908 ff75f0 e8???????? } + $sequence_6 = { 7410 8b4508 0fbe00 85c0 7406 8365fc00 eb07 } + $sequence_7 = { eb27 ff75f4 e8???????? 034508 50 } + $sequence_8 = { ff75bc 6a00 8b4508 83c008 50 8b4508 } + $sequence_9 = { 8985e8fffdff 8d850000feff 8985e4fffdff eb1c ffb5e4fffdff } condition: 7 of them and filesize < 188416 
@@ -116020,36 +116681,36 @@ rule MALPEDIA_Win_Polyglot_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bf3c0440-2d73-51e5-9d4d-22d8d3fb589d" - date = "2026-01-05" - modified = "2026-01-06" + id = "0d7280c7-a39c-59f2-a096-b1cffc32a9a1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.polyglot_ransom_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.polyglot_ransom_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "5cf22f105101e70a8b28d9346158b196300696ba529297d761e1115a7c957230" + logic_hash = "1cf419c8ec4ab0611cf01d79c345147bf19a3d35e1eda5f935ea355df626b23e" score = 75 - quality = 71 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 207370 65676e 657265 2064656c 20636f 6d 7075 } - $sequence_1 = { 6a05 68f3000000 8d45e4 68???????? 50 e8???????? 83c434 } - $sequence_2 = { 8d8508faffff 68???????? 50 e8???????? 8d8508f2ffff 50 8d8508faffff } - $sequence_3 = { 740a c783ac00000007000000 39bb1c010100 7708 39bb18010100 7666 39bb20010100 } - $sequence_4 = { 8365e800 8365ec00 837dfc00 7522 837d0800 740e 8b7d08 } - $sequence_5 = { 50 8d8538d9ffff 50 e8???????? 8bc3 50 8d8538d9ffff } - $sequence_6 = { e8???????? 8d4564 50 8d45ec 50 e8???????? 
} - $sequence_7 = { 7970 7428 293b 223e 44 657363 69667261723c2f } - $sequence_8 = { 807b1d00 8d45e8 50 7445 ff7308 8365e800 680a202600 } - $sequence_9 = { c3 85f6 7504 6a9a 58 c3 8b8608010000 } + $sequence_0 = { ff34fd14e84600 53 55 e8???????? 83c40c 85c0 740d } + $sequence_1 = { e8???????? 66890477 46 83fe08 59 7ceb } + $sequence_2 = { 33cd 40 5b e8???????? c9 c3 6818020000 } + $sequence_3 = { 66890e 66833e1d 7514 8b4008 ff3418 57 e8???????? } + $sequence_4 = { 56 56 50 68???????? e8???????? a3???????? 5f } + $sequence_5 = { 8d8424a8030000 50 ff15???????? 83f8ff 89442434 7525 } + $sequence_6 = { 50 e8???????? 8d8508f2ffff 50 8d8508faffff 50 e8???????? } + $sequence_7 = { 8db388000000 8b06 3bc7 744f 897df0 8b08 8d55f0 } + $sequence_8 = { 8b450c 33f6 c1e218 0bf3 0b55f4 8930 895004 } + $sequence_9 = { 6aff eb16 8b8390000000 33c9 2b8308010100 1b8b0c010100 51 } condition: 7 of them and filesize < 1392640 
@@ -116059,34 +116720,34 @@ rule MALPEDIA_Win_Netspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57c767b8-cd93-5302-911f-6988f847c306" - date = "2026-01-05" - modified = "2026-01-06" + id = "45bc7385-75c7-5d89-95c7-73989dd86c33" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.netspy_auto.yar#L1-L100" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.netspy_auto.yar#L1-L107" license_url = "N/A" - logic_hash = "ecbb26e5fda724e71586bc695509ce41d8249123e16dac20dd9df75d451bc239" + logic_hash = "e687b6fb39407430e86395d82e59b3f1e5f278922975f34f3274680e74dacd15" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4829c4 488b8538340000 4889e1 48898d704d0000 e8???????? } - $sequence_1 = { e9???????? 8b858c170000 3da1b579e1 0f84d92c0000 e9???????? 8b858c170000 3da646bcce } - $sequence_2 = { 48898510130000 8b15???????? 833d????????0a 0f9cc1 } - $sequence_3 = { a801 0f8505000000 e9???????? 488b8da0380000 448b859c380000 } - $sequence_4 = { b8a51c0a0c f6c201 0f45c8 488b85c84a0000 8908 8b15???????? } - $sequence_5 = { 4889e1 48898d90560000 e8???????? 4829c4 } - $sequence_6 = { e9???????? 488b85384d0000 8b00 8985544d0000 e9???????? 
488b85404d0000 8a00 } - $sequence_7 = { 448b855c570000 4889c4 b9bc3715ff b88819ea06 } + $sequence_0 = { e9???????? 488b85584c0000 8b10 488b85404c0000 8b08 } + $sequence_1 = { a801 0f8533000000 b810000000 e8???????? 4829c4 488b8508010000 4889e1 } + $sequence_2 = { 0f8505000000 e9???????? 8b85a0430000 8985b4140000 3da51c0a0c 0f8c64000000 8b85b4140000 } + $sequence_3 = { 8908 e9???????? 488b8530530000 0fbe00 89c1 83e120 83f020 } + $sequence_4 = { 3deafd16e5 0f846c250000 e9???????? 8b85340b0000 } + $sequence_5 = { 4829c4 488b85980c0000 4889e1 48898d20660000 488b8d20660000 c70163382994 e8???????? } + $sequence_6 = { 488b8518440000 488985703f0000 8b15???????? 833d????????0a 0f9cc0 89d1 81c1096040c4 } + $sequence_7 = { 488b8530150000 8908 e9???????? 488b8530150000 8b10 } condition: 7 of them and filesize < 12033024 
@@ -116096,75 +116757,81 @@ rule MALPEDIA_Win_Acr_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "547d8bdd-72e9-53c8-a71c-7409f9635ddc" - date = "2026-01-05" - modified = "2026-01-06" + id = "1003329d-aff7-559b-894c-14706d73c37d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.acr_stealer_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.acr_stealer_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "c2e01cdbfe17e3a90e2e6ed950f1a1b39c17c8ce5a68e48be7cf324c1277f6cb" + logic_hash = "d919e082eb04a99d443b28730bcbf6127cc892ba025c69b26f242c19d1e8c686" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7008 8bce 6a00 ff15???????? 8bcf ffd6 5f } - $sequence_1 = { 6a0b 68???????? eb07 6a04 68???????? 8b3f 8b07 } - $sequence_2 = { 72fa 53 ff30 8b45f8 ff37 8b7030 } - $sequence_3 = { e8???????? 8bf2 33c9 c1ee0f 33f0 33ca } - $sequence_4 = { 8955f4 ff7407f8 e8???????? 8bfe 8955f0 83c410 } - $sequence_5 = { ff7034 ff15???????? 
ffd6 83c410 85c0 0f8490000000 8b4ddc } - $sequence_6 = { 894e44 83f908 73da 8b95b4feffff 3bd7 0f821affffff 8b4dfc } - $sequence_7 = { 397df4 7508 3bc1 0f8411ffffff 85c9 7403 49 } - $sequence_8 = { 8955f4 85c0 7406 c70000000000 85db 0f8420010000 33c0 } - $sequence_9 = { 85db 7469 83fb03 7329 66019e12860000 0f1f440000 8bc7 } + $sequence_0 = { 891481 8b45f8 83c001 8945f8 8b4d08 51 e8???????? } + $sequence_1 = { 8b55fc 0fb602 8b4df8 0fb611 2bc2 eb16 } + $sequence_2 = { 52 8d4508 50 e8???????? 8945d8 8955dc 6a00 } + $sequence_3 = { 895510 eb94 33c0 8be5 5d c3 55 } + $sequence_4 = { 83c001 8945e4 8b4de4 3b4df8 7314 } + $sequence_5 = { 8d45e0 50 6803200100 8b4df8 e8???????? 0fb6c8 } + $sequence_6 = { 035508 81fa806cfa0b 7604 33c0 } + $sequence_7 = { 8b048a 50 e8???????? 83c404 ebc9 8b4dfc } + $sequence_8 = { 33c0 8bd1 0fa4f11f d1ea } + $sequence_9 = { 0f57c0 6a01 0f1101 68???????? c7411000000000 c7411400000000 e8???????? } + $sequence_10 = { 68???????? 68???????? 6a03 83ec10 } + $sequence_11 = { 5d c3 85f6 747e } + $sequence_12 = { 33c5 8945fc 56 8bf1 8b06 0fb600 } + $sequence_13 = { 41 03d8 8b849574ffffff d3e0 } + $sequence_14 = { 57 8b7e24 0bc7 741e 8bca 8bc7 83c1ff } + $sequence_15 = { 3c5c 0fb6c8 b82f000000 0f44c8 47 880a } condition: - 7 of them and filesize < 1246208 + 7 of them and filesize < 2160640 } rule MALPEDIA_Win_Cmsbrute_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "238a708e-338b-5ab5-8256-9ba00c6b30fb" - date = "2026-01-05" - modified = "2026-01-06" + id = "c0290146-4c9b-5861-ad1a-8479f8f71528" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cmsbrute_auto.yar#L1-L134" + source_url = 
"https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cmsbrute_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "634330623f3144af6ff0dc1b30b95f2861c0e95f174875a559bba752af7efe44" + logic_hash = "18406aa9bd5da858b5bdb2c622d1445a5fe565d78f6d4a353b019d83ef78e47a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7d1 c1e91f c1e81f 22c1 8bd6 8d4eff c1e91f } - $sequence_1 = { ffb57cfeffff 83c01c 50 e8???????? 83c40c 85c0 7d0f } - $sequence_2 = { e9???????? 8b8780000000 8b7758 81c60c010000 8945d4 3bc3 7505 } - $sequence_3 = { ebad 85f6 7466 8b5d0c 8b03 85c0 7407 } - $sequence_4 = { ff0e 8b06 85c0 7f3b 7426 68ed010000 bf???????? } - $sequence_5 = { f645ff40 7412 8b87c0000000 3b86e0000000 0f85bbfeffff 33c0 40 } - $sequence_6 = { c3 80f92b 740d 80f92d 7408 84c9 74e4 } - $sequence_7 = { ffb7f8000000 83c620 ff76e8 c1e003 56 57 50 } - $sequence_8 = { ff4df4 3975dc 7461 c745f001000000 85f6 7456 ff75cc } - $sequence_9 = { 8b07 59 8983d8040000 e9???????? ff36 8db334040000 e9???????? } + $sequence_0 = { eb02 33db 8b9594feffff 8d859cfeffff 50 03f3 8d85e4feffff } + $sequence_1 = { e8???????? 85c0 7508 83c8ff 5f 5e 5b } + $sequence_2 = { ff37 68???????? e8???????? 8b07 8b7708 83c40c 85c0 } + $sequence_3 = { dd1c24 e8???????? 59 59 8bd8 e8???????? 85c0 } + $sequence_4 = { ff75f8 e8???????? 59 33c0 3906 0f95c0 5f } + $sequence_5 = { e8???????? 59 85c0 0f854cffffff ff74241c 8b74242c ff74241c } + $sequence_6 = { ff75d4 e8???????? 8b4dd8 8b4104 8365d400 83c40c 85c0 } + $sequence_7 = { e8???????? 
eb29 6a00 eb02 6a01 8bc6 e8???????? } + $sequence_8 = { e8???????? ff75bc 8b75c8 ff75b8 ff75c4 ff7508 e8???????? } + $sequence_9 = { ff7604 e8???????? 59 59 85c0 7504 6a03 } condition: 7 of them and filesize < 5275648 
@@ -116174,36 +116841,36 @@ rule MALPEDIA_Win_Azorult_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a0ff14cf-728e-57b5-b780-187246815def" - date = "2026-01-05" - modified = "2026-01-06" + id = "8fe99182-f542-5067-bfcb-311139bd7151" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.azorult_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.azorult_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "b964bdc09887e46f350cee1282648afbe20db6ec0890aa267b03a312df1100f6" + logic_hash = "e090de9e1bb92991d0ec88746593056dfef2b4b8008599bd7412692b05122671" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8901 8bc1 c7410410000000 5d c20400 55 8bec } - $sequence_1 = { ff15???????? 8b4dc8 8bd1 81e20000ff00 8bc1 c1e810 0bd0 } - $sequence_2 = { 83c410 5e c9 c3 55 8bec 81eccc060000 } - $sequence_3 = { 8d9adcbc1b8f 8b702c 03d9 337018 8bcf } - $sequence_4 = { 6a00 6a00 ff7508 ff7510 ff15???????? 85ff 7405 } - $sequence_5 = { e8???????? 84c0 0f8444010000 8d45d8 50 8d4dfc e8???????? } - $sequence_6 = { 83fa04 1bc0 83e004 8b443814 d3e8 884415f8 42 } - $sequence_7 = { 68???????? 680000baba 50 50 e8???????? a1???????? 
85c0 } - $sequence_8 = { c3 55 8bec 81ec2c020000 56 8d85d8fdffff 33f6 } - $sequence_9 = { 80f920 74f4 80f97d 750c 8d4201 8907 8bc3 } + $sequence_0 = { 8bf8 59 85ff 7412 53 57 6aff } + $sequence_1 = { 57 e8???????? 59 6a02 68???????? 8d4dfc e8???????? } + $sequence_2 = { e8???????? 85c0 7474 ba???????? 8bce e8???????? 85c0 } + $sequence_3 = { 5e e9???????? 55 8bec 83e4f8 83fa13 7606 } + $sequence_4 = { 83c102 e8???????? 59 8b4704 6a2f 59 } + $sequence_5 = { 8d4dec e8???????? 59 8b0e 8d45ec 6a10 } + $sequence_6 = { ba???????? 8bce 8bd8 e8???????? 837dfc00 8945e8 } + $sequence_7 = { 8d86b41e0000 8bfb 8945fc 8938 33c0 8b0c9598244100 40 } + $sequence_8 = { 893d???????? 7509 8d4f01 890d???????? 8d4df8 e8???????? e8???????? } + $sequence_9 = { 034d0c 8db2dcbc1b8f 03f1 c1c71e 897d0c 8b45fc } condition: 7 of them and filesize < 1073152 @@ -116214,10 +116881,10 @@ rule MALPEDIA_Win_Mrdec_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "5cd525b0-3fcd-5de1-aa88-bd5dca592c29" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mrdec_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mrdec_auto.yar#L1-L126" license_url = "N/A" logic_hash = "c22120d79fe39ae9d27a4d21c75a9bbd9a26aee0b664e8fa2f821d0411c6aa0d" score = 75 
@@ -116226,9 +116893,9 @@ rule MALPEDIA_Win_Mrdec_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -116252,36 +116919,36 @@ rule MALPEDIA_Win_Cloudburst_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66798bc9-d5a7-5171-afa8-26e587fd1d6d" - date = "2026-01-05" - modified = "2026-01-06" + id = "4fea5a25-34b9-567c-918c-c22b7d7d2293" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cloudburst_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cloudburst_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "4402c4459a61713f167f313847e8e10fbc4c4d6c965b37f16be2690ee599b8f7" + logic_hash = "65e14b7f1000073cb09e0abeccac279ec6677d50dc21e39458d65e135de8cbea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33d3 41891424 4133d3 4189542404 } - $sequence_1 = { 49ffc0 eb39 0fb6c1 43c6041825 } - $sequence_2 = { 4585c0 743e 488b0d???????? 
4c8d4c2448 488bd7 } - $sequence_3 = { 45330c24 45894c2410 4133d1 4189542414 448bc2 4533442408 } - $sequence_4 = { 0f8cb0000000 48897c2450 4c89642458 488bfe } - $sequence_5 = { 4d8bf8 440fb6420c 41c1e108 4c8d35a3e5ffff 41c1e008 c1e708 } - $sequence_6 = { 418bea 4589542440 33eb 8bc5 } - $sequence_7 = { c744245068000000 48894598 c744247004010000 c745a004010000 } - $sequence_8 = { 418bc6 99 83e20f 03c2 8bc8 83e00f 3bc2 } - $sequence_9 = { 418b4424fc 418942fc 4183bf0002000001 0f8e3d010000 90 458b4c24e0 41ffc6 } + $sequence_0 = { 4433d0 418bc3 c1e818 41c1e208 0fb6c8 } + $sequence_1 = { 335ef4 4133d8 41895c24f0 448bdb } + $sequence_2 = { 45894c2410 4133d1 4189542414 448bc2 } + $sequence_3 = { 0bf8 0fb64202 4d8bf8 440fb6420c 41c1e108 4c8d35a3e5ffff } + $sequence_4 = { 4533c9 4533c0 4803d8 ff15???????? } + $sequence_5 = { 418942f8 418b4424fc 418942fc 4183bf0002000001 0f8e3d010000 90 458b4c24e0 } + $sequence_6 = { 83e00f 3bc2 7407 83e1f0 } + $sequence_7 = { 410fb640fb 420fb61411 c1e208 0bd0 410fb640fc c1e208 } + $sequence_8 = { 4c8d4202 458bcd 8905???????? 4c2bda 90 428d048d00000000 41ffc1 } + $sequence_9 = { 43880c18 ffc3 49ffc0 eb39 0fb6c1 43c6041825 8bc8 } condition: 7 of them and filesize < 2363392 
@@ -116291,36 +116958,36 @@ rule MALPEDIA_Win_Catchamas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b847b40-e879-5e63-94f7-59f1fcf23399" - date = "2026-01-05" - modified = "2026-01-06" + id = "1fbc664f-7a9f-5552-8d5c-95e60000007c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.catchamas_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.catchamas_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "cfbaa74a75beb0fd45948dc9b52c0976cafb521d914a50e8e394b7e70fd341de" + logic_hash = "473e7570bef3a332b187682077d82fa33e5227101da479d784c3662da74732c2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 84c9 75f1 833d????????ff 740c 8db42470100000 } - $sequence_1 = { 40 e8???????? 85db 7411 } - $sequence_2 = { 8bf1 897c2418 c644241c00 e8???????? 68???????? } - $sequence_3 = { 83d200 8955d0 7554 83f8ff } - $sequence_4 = { 6a14 81e300800000 ffd7 83e001 33c9 8bff baba000000 } - $sequence_5 = { ff15???????? 56 8be8 55 53 } - $sequence_6 = { 6a00 52 c745dc00000000 e8???????? 8b45dc 6a00 8d4de8 } - $sequence_7 = { 8b45e0 7409 e8???????? 8bfc eb32 83c9ff } - $sequence_8 = { 66894e14 5e 8b8c2404080000 33cc e8???????? } - $sequence_9 = { e8???????? 
682000cc00 53 53 56 57 55 } + $sequence_0 = { baba000000 663bf2 720a bac0000000 663bf2 } + $sequence_1 = { 68???????? 56 e8???????? 8bd8 8d045e } + $sequence_2 = { 0f8207ffffff 8b44242c 8b35???????? 8b3d???????? 8b1d???????? 8b2d???????? 8d542430 } + $sequence_3 = { 7d0a 6857000780 e8???????? 8b442408 8b00 53 55 } + $sequence_4 = { 50 889c2434060000 e8???????? 83c40c 6808080000 8d8c242c060000 51 } + $sequence_5 = { 50 6a00 ff15???????? 8d8424c8000000 48 8a4801 40 } + $sequence_6 = { 8b6c2414 56 57 6830040000 } + $sequence_7 = { be???????? f3a5 bf???????? 4f 8a4701 } + $sequence_8 = { c3 8d44240c 8bd0 2bf2 8a08 880c06 } + $sequence_9 = { ff15???????? 83c42c eb24 8b4c2418 } condition: 7 of them and filesize < 368640 @@ -116331,10 +116998,10 @@ rule MALPEDIA_Win_Isr_Stealer_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "f92134ff-d8ee-58cb-8cb8-468d7205306f" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.isr_stealer_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.isr_stealer_auto.yar#L1-L120" license_url = "N/A" logic_hash = "75691989209029cb7a637cf5df87a857ef3ef18b6fe3194f56cba1ecab86658c" score = 75 
@@ -116343,9 +117010,9 @@ rule MALPEDIA_Win_Isr_Stealer_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" @@ -116373,7 +117040,7 @@ rule MALPEDIA_Win_Unidentified_094_Auto : FILE date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_094" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_094_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_094_auto.yar#L1-L118" license_url = "N/A" logic_hash = "f3d0ed91e99c9ab03a6ddd24a2a28007a40b7e677077c8b725a5a67f32cc52a7" score = 75 
@@ -116408,36 +117075,36 @@ rule MALPEDIA_Win_Evilpony_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ac551db8-0573-5b4c-8b60-da95879223db" - date = "2026-01-05" - modified = "2026-01-06" + id = "365019b5-fb52-5056-8fc1-6f4e449199b8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.evilpony_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.evilpony_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "0bf858d26f7e4c261dccce71f7e0ab87c5f711b7c43013273d044a5073bd8d2b" + logic_hash = "482c1f4a7b469663afaefea91f733447374d45003628fad32bde467d81aa450b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff74242c ff750c 53 e8???????? 83c418 85c0 7488 } - $sequence_1 = { 8d442420 50 ff742420 897c242c bbff070000 57 eb50 } - $sequence_2 = { 897df8 397df4 7654 3bf7 7450 8b4668 6aff } - $sequence_3 = { ff15???????? 8bd8 85db 747c 8bc6 } - $sequence_4 = { 837c241c05 750b 53 e8???????? 59 89442428 } + $sequence_0 = { 8b45f0 8bf0 85c0 7414 8b00 eb0c } + $sequence_1 = { 33ff 85c0 7465 8b450c } + $sequence_2 = { 0bc2 0345e4 0345b4 c14dac02 8d8c08dcbc1b8f 8b45f0 3345e8 } + $sequence_3 = { 740e ff75fc e8???????? 
59 8945fc } + $sequence_4 = { 3bf7 746e 33c0 6a2d } $sequence_5 = { ff75fc 8bf8 ff15???????? 85c0 7411 56 57 } - $sequence_6 = { 8d55b8 52 6a10 897dfc 8b08 50 ff510c } - $sequence_7 = { 50 ffd6 83c410 8d8564ffffff 50 ffb500ffffff ffd7 } - $sequence_8 = { 85c0 0f8485000000 8365f400 eb06 8b5d08 8b450c 8b0b } - $sequence_9 = { 33c5 8945f8 8b450c 8985f0f7ffff } + $sequence_6 = { 834df801 59 83c604 83fe10 728f 837df800 } + $sequence_7 = { e8???????? 59 6880080000 6a40 } + $sequence_8 = { 743c ff750c 6a1a ff7508 e8???????? 83c40c } + $sequence_9 = { 85c0 7504 2107 eb0f 8b0e } condition: 7 of them and filesize < 147456 
@@ -116447,36 +117114,36 @@ rule MALPEDIA_Win_Mespinoza_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "64606785-caad-5456-be9c-a6b69cbeed8d" - date = "2026-01-05" - modified = "2026-01-06" + id = "cddfe6ae-1a2a-5fdb-ae96-534eea171355" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mespinoza_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mespinoza_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "8fedbfda9801fec8b36b08d0047fda05662354c890294b93f8c3d358064016b8" + logic_hash = "036fee0da39e20585afffc2216a0a66488e92a3407a52ef5c8f5ebfe6833982e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a02 6a00 68???????? 6802000080 ff15???????? 8b15???????? } - $sequence_1 = { 894de4 399860554700 0f84ea000000 41 83c030 894de4 3df0000000 } - $sequence_2 = { 6a00 ff5014 c20800 55 8bec 83c1f8 } - $sequence_3 = { 40 8945d4 8bd8 0f1f00 ff75e0 8b17 } - $sequence_4 = { e8???????? 8d8d98efffff e8???????? 8b4df4 } - $sequence_5 = { 897de4 33db 895dfc 895dd4 81fb80000000 7d4d 8b049d00b04700 } - $sequence_6 = { 3347fc 0be8 83ea01 75f0 8b5c2420 896c2410 eb08 } - $sequence_7 = { c6430900 83630c00 c703???????? 
8a00 884310 eb02 33db } - $sequence_8 = { 0f57c0 c745fc00000000 660fd64604 6aff 8d4e10 c706???????? c7460c04000000 } - $sequence_9 = { e8???????? 8bd8 33c9 8bc6 895dc8 f7e7 } + $sequence_0 = { 6a00 53 e8???????? 83c40c eb02 33db 8bfe } + $sequence_1 = { 837d1400 c745fc02000000 741e 57 53 8d4dd0 e8???????? } + $sequence_2 = { 663906 752e 8d5602 663902 7526 8bce 8d5902 } + $sequence_3 = { 8bd9 895de8 8b8504010000 8bb50c010000 8945ec 8b8508010000 8945dc } + $sequence_4 = { 1bc0 83c801 85c9 742a 85c0 7426 ff750c } + $sequence_5 = { 8ad9 eb02 32db 8b45e4 } + $sequence_6 = { 8d8d78ffffff e8???????? ff7564 8d4500 c745fc00000000 50 8d8d78ffffff } + $sequence_7 = { 8bcb 89759c 8b33 8955a4 8945a0 ff5608 } + $sequence_8 = { 57 83e801 7422 8b442420 52 51 50 } + $sequence_9 = { 7427 e8???????? 8b4d14 8d45ec 6a01 50 e8???????? } condition: 7 of them and filesize < 1091584 
@@ -116486,36 +117153,36 @@ rule MALPEDIA_Win_Mmon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4eb1ee5b-1ba9-50c6-ae95-4549a25a6630" - date = "2026-01-05" - modified = "2026-01-06" + id = "382929e5-1aeb-598e-80b4-b2e35ebdd0a4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mmon_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mmon_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "76045ffea1c47426874a11f386aa4b20c1d58a676ebe84d462f434375b141ab2" + logic_hash = "bd55b6e13ac8428dd80e1dee9e31e812c7feeb4888fce48507e76b5a5abcc4d1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf8 8b4710 3bc8 770d 83c8ff 8bf7 e8???????? } - $sequence_1 = { 837e0800 7610 8b4608 8d80ec584200 fe08 803800 } - $sequence_2 = { e8???????? ebd2 8bc3 c1f805 8d3c85606a4200 8bf3 83e61f } - $sequence_3 = { ff15???????? 899ec0000000 899ec4000000 c786c8000000e0e74100 c786cc00000068ec4100 c786d0000000e8ed4100 } - $sequence_4 = { 68???????? 8d4df4 51 c745f440e24100 } - $sequence_5 = { 8bc8 894de4 85c9 747b 8b55d4 85d2 } - $sequence_6 = { 83e71f c1e706 8b0485606a4200 8d44380c } - $sequence_7 = { 8bc8 c1f905 8d3c8d606a4200 8bf0 83e61f c1e606 8b0f } - $sequence_8 = { 8b0d???????? 
85c9 7406 8b55ec } - $sequence_9 = { 6a00 8bf1 c745d000000000 ff15???????? 8bf8 33c0 4f } + $sequence_0 = { 7524 a1???????? a3???????? a1???????? c705????????c8234100 } + $sequence_1 = { 8945fc 8bcf 8d45d4 e8???????? } + $sequence_2 = { 89480c 8b45d0 8975e0 3975e4 7303 } + $sequence_3 = { 68???????? 56 897dfc 89bd4cffffff 898d50ffffff } + $sequence_4 = { 52 e8???????? 83c404 bb08000000 837de410 } + $sequence_5 = { 40 0080af4000a4 af 40 } + $sequence_6 = { c1f905 83e01f c1e006 03048d606a4200 eb05 b8???????? f6402480 } + $sequence_7 = { 897c2424 c74424141ce34100 e8???????? f6c102 } + $sequence_8 = { 83c404 c645fc00 837dc810 c745e40f000000 c745e000000000 c645d000 } + $sequence_9 = { 8d541246 51 2bc2 8d4db4 } condition: 7 of them and filesize < 356352 
@@ -116525,36 +117192,36 @@ rule MALPEDIA_Win_Bolek_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "69ad8acf-074b-529b-acc6-71dc6d683637" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0711f3d-dc08-5700-b33c-1b4157838473" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bolek_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bolek_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "a52d08446edf10d117ae2bacde4f93e5d2e9e0eaf470758c0d7eff835edf2d23" + logic_hash = "7f48551f5c704655f1f9b7e798e400d056ae3ccf224a062456c04b2346e75270" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f76b10 0fa4ce01 03c9 03c8 8b4340 13f2 f72f } - $sequence_1 = { 8bec 83ec18 53 56 57 33c0 8bfa } - $sequence_2 = { 8b55f8 391401 7416 41 3bce 72f6 33c0 } - $sequence_3 = { 0f84a5000000 8b45f4 8b7028 83c60c 0375e0 e9???????? 8d45e8 } - $sequence_4 = { c606ff 3dff000000 751a 6a05 6a06 5a 32c9 } - $sequence_5 = { ffb42450080000 50 8d84244c060000 50 e8???????? 8d442444 55 } - $sequence_6 = { 899c248c000000 89b42490000000 e8???????? 83c440 85c0 0f85e7fdffff 53 } - $sequence_7 = { ff742444 8d442434 50 e8???????? 6a10 8d44243c 55 } - $sequence_8 = { ff742438 ff742438 56 e8???????? 
69ce0d661900 83c40c 8bf8 } - $sequence_9 = { 894dec c745f440000000 894df8 894dfc ff15???????? 8be5 5d } + $sequence_0 = { 8af3 66895df8 8bc3 bf00010000 8801 40 41 } + $sequence_1 = { 894c2410 3c3c 7529 68???????? b8f4010000 2bc7 68???????? } + $sequence_2 = { e8???????? 8bd8 59 59 85db 7e40 ba???????? } + $sequence_3 = { ff15???????? 85c0 740b 8b8c24d4000000 8bd6 eb11 0f57c0 } + $sequence_4 = { 8d7df2 ab 6a02 59 6a06 ab 6a01 } + $sequence_5 = { ff15???????? 83c40c 837dd000 741c 8d8584fdffff 50 8d458c } + $sequence_6 = { ff7508 e8???????? ebbf ff750c ff7508 e8???????? ebb2 } + $sequence_7 = { ff7610 896c242c 894c2428 e8???????? 83c418 85c0 0f8882000000 } + $sequence_8 = { c685d8feffffc3 8d95d8feffff c685f8feffff01 8bce e8???????? 5e 8be5 } + $sequence_9 = { 8bf8 83c40c 85ff 0f888a000000 8b44240c 39442420 757c } condition: 7 of them and filesize < 892928 
@@ -116564,36 +117231,36 @@ rule MALPEDIA_Win_Freenki_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "67ab05f0-0092-5ff4-bb96-cc24a6a94dbc" - date = "2026-01-05" - modified = "2026-01-06" + id = "67d32a2a-d637-58a9-8610-92987f338d68" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.freenki_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.freenki_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "a02a6867fe9e948b2e235fe875697f9d977ad7f0e52b8303d46cef856d876490" + logic_hash = "5c9ee79650e79e88185f6c330eec821bed1141aec7128d72a60a985d0e9bdda0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff75e4 ff15???????? 85c0 7920 8b45e4 50 8b08 } - $sequence_1 = { 89b5e4edffff 33c0 c785c0edffff00000000 50 51 8d8dccedffff c785e0edffff07000000 } - $sequence_2 = { 56 e8???????? 8b8d60ffffff 8bf8 8b45f0 83c404 8930 } - $sequence_3 = { 8bf8 83c404 85ff 0f84e4000000 6804010000 57 } - $sequence_4 = { 51 8d4dc0 c745e400000000 e8???????? c745fc00000000 } - $sequence_5 = { 0fb78194f74100 8d4902 6689840deafbffff 6685c0 75e9 56 } - $sequence_6 = { c745c000000000 c745c400000000 c745c800000000 ff15???????? 898554ffffff 57 85c0 } - $sequence_7 = { 0bc8 51 53 e8???????? 
8bd8 83c408 85db } - $sequence_8 = { c3 56 57 53 ff75f4 ff75f8 } - $sequence_9 = { 83c202 6685c0 75f5 2bd1 8d8df8deffff d1fa 03d2 } + $sequence_0 = { 0f84d3000000 8b048de4db4100 89859cf8ffff 85c0 0f8498000000 } + $sequence_1 = { c785c0edffff00000000 50 51 8d8dccedffff c785e0edffff07000000 c785dcedffff00000000 } + $sequence_2 = { 6a33 8bd9 e8???????? 68???????? } + $sequence_3 = { 8d85ccedffff 50 56 e8???????? 8b8de0edffff } + $sequence_4 = { 3bc2 7d08 320c30 40 3bc2 } + $sequence_5 = { 59 85c0 7471 8b45f0 8b4de8 8b048578394200 } + $sequence_6 = { 8955e0 8b048d78394200 0fb6441028 83e001 747c } + $sequence_7 = { eb1e 8b45fc 3bd6 8b0c8578394200 0f95c0 02c0 } + $sequence_8 = { 85ff 75f2 897e10 83f908 720f 8b06 33c9 } + $sequence_9 = { 83c420 85ff 746a 6690 8bce 33c0 } condition: 7 of them and filesize < 327680 
@@ -116603,35 +117270,35 @@ rule MALPEDIA_Win_Lokipws_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7c0fcf43-8505-5ab1-9538-f95766af9b37" - date = "2026-01-05" - modified = "2026-01-06" + id = "28a37e40-8f10-56c7-aff1-c4b33090b017" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lokipws_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lokipws_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "a16d167a015bb2f0bb35ba7d5dec0418ca90b6fc4e94e3d241cc5d1eead21a9c" + logic_hash = "b547f535c2ccd572397541fb51a9ce5f4b7af301f4acf0d96578b7cd1f9d5cd8" score = 75 - quality = 73 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a62 668945f8 58 668945fa 33c0 50 50 } - $sequence_1 = { 6a0a e8???????? 59 33db 6a2e 5e } - $sequence_2 = { 55 8bec 6a00 6a00 686c425ad4 6a09 } - $sequence_3 = { 56 57 50 e8???????? 53 56 8d8574ffffff } - $sequence_4 = { 53 50 8d8550ffffff 50 e8???????? 83c424 } - $sequence_5 = { 85c0 745c 8b9d68ffffff 0fb603 89855cffffff 8b8564ffffff } - $sequence_6 = { eb1f ff75ec 50 e8???????? 59 59 85c0 } - $sequence_7 = { ff36 e8???????? 
33c0 891e 83c41c } - $sequence_8 = { 6a2e 5a 6a64 59 6a6c 5e } + $sequence_0 = { c78588f5ffff00488bcb c7858cf5ffff488945c0 c78590f5ffffffd7498d c78594f5ffff950a0100 c78598f5ffff00488bcb c7859cf5ffff48894424 c785a0f5ffff40ffd749 } + $sequence_1 = { 68???????? ff36 8945f4 e8???????? 68???????? ff36 8bf8 } + $sequence_2 = { 50 66897dd4 668955da 66894ddc 66897de4 668955ea 66894dec } + $sequence_3 = { 8d4588 56 50 668955b6 668955c2 66897dc4 66895dcc } + $sequence_4 = { 8b4510 83c410 8bde 8975f8 8975fc 8d50ff 03550c } + $sequence_5 = { c785e0f5ffff8bcb4c8b c785e4f5fffff8ffd749 c785e8f5ffff8d950402 c785ecf5ffff0000488b c785f0f5ffffcb488bf0 c785f4f5ffffffd7498d c785f8f5ffff95cc0200 } + $sequence_6 = { c7855cf5ffff0f84880a c78560f5ffff0000498d c78564f5ffff95a60000 c78568f5ffff00488bc8 c7856cf5ffff4c89b424 c78570f5ffff00010000 c78574f5ffffffd7498d } + $sequence_7 = { 891d???????? 56 85c0 0f85cc010000 57 68bc020000 } + $sequence_8 = { 83c40c ff05???????? 5e 5d c3 55 8bec } $sequence_9 = { e8???????? 8d4df8 51 57 57 6a01 } condition: @@ -116643,10 +117310,10 @@ rule MALPEDIA_Win_Scout_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "e14921fe-74c7-5cda-92ba-67e7cc0f28ef" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scout" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scout_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scout_auto.yar#L1-L121" license_url = "N/A" logic_hash = "3e6544ff6fee99e30b42c384814b4a00494424215e1f894b7afbd76f2c9391e8" score = 75 
@@ -116655,9 +117322,9 @@ rule MALPEDIA_Win_Scout_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -116681,50 +117348,50 @@ rule MALPEDIA_Win_Badcall_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "233fe049-459f-50da-b51f-73303606a185" - date = "2026-01-05" - modified = "2026-01-06" + id = "d919ad14-bbba-559a-92aa-bbfb06827c77" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.badcall_auto.yar#L1-L239" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.badcall_auto.yar#L1-L252" license_url = "N/A" - logic_hash = "cbbb68fc4f4ef6dd9bf8f48d22c329386c6109c255e88f35209d20a078bb6b07" + logic_hash = "64b0ed42591d6e6d81719bc1cc4ff48dfeedfd6e071c21515b2908d5a65a10a9" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? b907000000 33c0 8d7c240d } - $sequence_1 = { 85c0 754b bf???????? 83c9ff f2ae f7d1 49 } - $sequence_2 = { c644240c00 f3ab 66ab 8d4c242c c744240800000000 aa } - $sequence_3 = { 8bf1 89742404 8d4e18 e8???????? } - $sequence_4 = { 53 57 33db b97f000000 33c0 8dbc2415010000 } - $sequence_5 = { 89442412 8bf1 6685ff 66c74424080000 6689442416 746d 6a06 } - $sequence_6 = { e8???????? 
85c0 7429 8b5604 8d4c240c 51 687e660480 } - $sequence_7 = { 56 89442406 57 8b7c241c 8944240e } - $sequence_8 = { 8b44242c 85c0 0f848a020000 33c9 48 } - $sequence_9 = { 8b742410 8d0c12 57 8bd9 33c0 8bfe 52 } - $sequence_10 = { 8b4c2410 85c9 0f849f080000 8bd1 8bcd } - $sequence_11 = { c1e902 f3a5 8bc8 8b442468 83e103 } - $sequence_12 = { 5f 898834010000 5e 33c0 } - $sequence_13 = { 750f 8b4614 85c0 0f87c2feffff 8b442414 8b442410 5f } - $sequence_14 = { 899014020000 8b94241c010000 898818020000 8b8c2420010000 89901c020000 } - $sequence_15 = { 899518010000 8b542414 85d2 7409 52 } - $sequence_16 = { 3bd1 7d06 ebda 3bd1 } - $sequence_17 = { 81ec2c010000 55 68???????? ff15???????? } - $sequence_18 = { e8???????? 8b442464 6a01 8d4c242c 6a04 51 57 } - $sequence_19 = { 5e 85c0 7406 33c0 83c454 c3 } - $sequence_20 = { 8bb6a48b0110 eb06 8bb6d88b0110 3bce 7e20 83e907 } - $sequence_21 = { 83c40c e9???????? 6a00 6883341200 57 c744242401000000 } - $sequence_22 = { 8d7c240d c644240c00 f3ab 8b35???????? 68???????? } - $sequence_23 = { 6a00 688f341200 56 e8???????? 83c40c 57 } + $sequence_0 = { 83c108 8901 8b44240c 895104 8b542410 } + $sequence_1 = { 83c408 8bce 6a17 6a01 57 53 e8???????? } + $sequence_2 = { 89442408 c1e902 f3a5 8bca 50 83e103 8d442410 } + $sequence_3 = { 6a01 8d542420 53 52 50 ff15???????? } + $sequence_4 = { 894204 8b4108 894208 8b490c 894a0c 8d4c243c e8???????? } + $sequence_5 = { eb05 1bc0 83d8ff 85c0 754b bf???????? } + $sequence_6 = { ff15???????? 83f8ff 7421 8b4604 68ffffff7f 50 } + $sequence_7 = { 89542412 6689542416 ff15???????? 8b4e04 6689442406 } + $sequence_8 = { 8b84243c010000 52 8b94243c010000 50 52 e8???????? 85c0 } + $sequence_9 = { 8bbc244c430000 3b7804 7c12 5f 5e } + $sequence_10 = { 899024020000 8b94242c010000 898828020000 89902c020000 83c004 50 8d44240c } + $sequence_11 = { 81c438430000 c21000 8b16 52 e8???????? 
83c404 8bc7 } + $sequence_12 = { 83fd03 7336 8b4c2410 85c9 0f844d070000 8bd1 } + $sequence_13 = { 668b10 8d442400 8d4c2408 50 51 } + $sequence_14 = { 56 57 8b7c241c 83ff01 741b } + $sequence_15 = { 83fa12 750a c744241c07000000 eb07 83c2f2 8954241c } + $sequence_16 = { e9???????? e8???????? 83c408 85c0 0f849dfcffff 8b8424a8000000 c7442428ae080000 } + $sequence_17 = { 6a01 53 8915???????? 66ab ff15???????? 8b2d???????? 8d4c242c } + $sequence_18 = { c1f905 8d04c0 8b0c8de0ad0110 8d44810c 50 ff15???????? c3 } + $sequence_19 = { 8bd9 762f 8b6c2414 8bc7 2bc6 } + $sequence_20 = { 8a4dff 8d3c85e0ad0110 8bc3 80c901 83e01f 884d0b } + $sequence_21 = { 898424a0000000 ff15???????? 8d942498000000 6a10 52 } + $sequence_22 = { 6a00 50 8d842424010000 50 51 } + $sequence_23 = { ff12 e9???????? 8b442438 3bc3 8d8424a8000000 50 56 } condition: 7 of them and filesize < 483328 
@@ -116734,36 +117401,36 @@ rule MALPEDIA_Win_Synccrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f82ea40e-0da6-5f75-a1e0-92f3a1e696de" - date = "2026-01-05" - modified = "2026-01-06" + id = "b9d11374-ba24-575b-a7c0-1bc7681682ba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.synccrypt_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.synccrypt_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "b9e46808771b143f589c002978b4db13a073c8de6a5f0396d2ab6b76d653e5e9" + logic_hash = "1bf20b2107a4669df8784ecef99c13a1f801b7ffeb14b3b53a86c5fbbce0af87" score = 75 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8d43d0 6683f809 0f8654010000 8d439f 6683f805 0f8653010000 } - $sequence_1 = { c7465800000000 893c24 c744240440000000 e8???????? 8b06 8903 8b4604 } - $sequence_2 = { 891c24 c744240400000000 bb01000000 e8???????? c744240c32010000 c7442408???????? c74424041e000000 } - $sequence_3 = { c1fa02 29c2 8d0492 01c0 29c1 85d2 0fb68181e65800 } - $sequence_4 = { c7442408???????? c744240426000000 c704240a000000 e8???????? 833d????????ff 0f851cfeffff eb8d } - $sequence_5 = { c744240878000000 c74424048e000000 c7042426000000 e8???????? 83caff e9???????? 
c744245caab75900 } - $sequence_6 = { e8???????? 893424 89c3 e8???????? 29c3 7876 39fb } - $sequence_7 = { c7433c00000000 c7434000000000 891c24 ff5608 85c0 7411 83c424 } - $sequence_8 = { 896c2404 893c24 e8???????? 893c24 e8???????? 8b442424 83c43c } - $sequence_9 = { c7442404???????? 893424 e8???????? 85c0 0f8ff3feffff e9???????? c7442404???????? } + $sequence_0 = { f644241840 0f857b010000 89da b830000000 e8???????? 8b4304 89da } + $sequence_1 = { c744240808000000 893424 85c0 b8???????? 0f45442464 89442404 89442464 } + $sequence_2 = { c7450000000000 85db 7406 c70300000000 8b2f 85ed 7523 } + $sequence_3 = { c785a02bfcff00000000 89856c2bfcff 8d858c2bfcff c685a42bfcff00 89b5d42afcff 8985842bfcff 8d85a42bfcff } + $sequence_4 = { c744240c07100000 c744240800040000 c744240498030000 891c24 e8???????? 85c0 0f8e74fdffff } + $sequence_5 = { 8d7473d0 89742434 0f8ed1000000 0fb6580c 8d73d0 885c2438 89f3 } + $sequence_6 = { f7ea 89d8 c1fa05 29ca 01d5 bac5b3a291 f7ea } + $sequence_7 = { c744241057000000 c744240c20195900 c744240841000000 c744240470000000 c7042422000000 e8???????? ebc9 } + $sequence_8 = { c74424100f020000 c744240c20e95800 c744240864000000 c744240464000000 c7042424000000 89442420 e8???????? } + $sequence_9 = { c744240ca0505900 c744240865000000 c74424046a000000 c7042410000000 e8???????? 31c0 83c42c } condition: 7 of them and filesize < 4489216 
@@ -116773,36 +117440,36 @@ rule MALPEDIA_Win_Rumish_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db5cf6b1-45f1-5e05-a042-af28c9de660a" - date = "2026-01-05" - modified = "2026-01-06" + id = "fc72283c-b810-5e63-abbc-f834d4e0c674" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rumish_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rumish_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "356c30a3a32f94fe03326f490efe36bc56d49a42cedcdbc6774c882ef857a8dc" + logic_hash = "0c5ea32ffda8b058925c5ec99b0845566d0b256b86c8448a442267945d1357e7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8908 8b4a04 894804 8b5208 895008 ebd7 5d } - $sequence_1 = { c7854cffffff00000000 53 51 52 33c0 0fa2 } - $sequence_2 = { 8b55e4 83ea01 3955a4 7d54 8b45a4 } - $sequence_3 = { e8???????? 89851cfdffff db851cfdffff dc0d???????? dc35???????? dc05???????? } - $sequence_4 = { 0f87c5000000 8b9524fbffff ff2495c0214100 68???????? 8d8dc0fbffff e8???????? } - $sequence_5 = { db8590f6ffff d9e8 dec9 d99d8cf6ffff d9858cf6ffff 51 d91c24 } - $sequence_6 = { c745fcffffffff 8d4dc0 e8???????? 8b852cfdffff e9???????? e8???????? 898508fdffff } - $sequence_7 = { ff15???????? 
8b95a0fdffff 89956cfdffff c785b0fdffff00000000 c78544fdffff00000000 eb0f 8b8544fdffff } - $sequence_8 = { d99d54ffffff d98554ffffff 51 d91c24 e8???????? 83c404 dc1d???????? } - $sequence_9 = { 894de4 8b45e4 c700???????? 8b4de4 c7410400000000 8b55e4 c7420800000000 } + $sequence_0 = { 83c101 894d90 8b5590 3b559c 0f8dcd000000 c7458c00000000 } + $sequence_1 = { 8b4d0c 51 8b55fc 52 8b4df4 e8???????? e8???????? } + $sequence_2 = { 33c5 8945e8 53 56 50 8d45f4 } + $sequence_3 = { 8b95a4feffff 83c201 8995a4feffff 8b85a4feffff 3b85acfeffff 0f8d90000000 8b8da4feffff } + $sequence_4 = { 52 8d8db4fdffff e8???????? 8b0e 2b08 898db4fcffff c785b8fcffff00000000 } + $sequence_5 = { 8985a0fdffff db85a0fdffff dc0d???????? d99d9cfdffff d9859cfdffff 51 d91c24 } + $sequence_6 = { c1f905 8d3c8dc0e94400 8bf0 83e61f c1e606 8b0f 0fbe4c0e04 } + $sequence_7 = { 52 e8???????? 83c404 e8???????? 58 33c0 83f800 } + $sequence_8 = { 3b4db0 7f0b 8b55a0 83c201 8955a0 ebda 8b45a0 } + $sequence_9 = { 56 57 6a5a 6a3e 68???????? 8d85a8f9ffff 50 } condition: 7 of them and filesize < 770048 
@@ -116812,36 +117479,36 @@ rule MALPEDIA_Win_Grimagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71af2f17-8403-52ad-833c-4f34c39aa4f9" - date = "2026-01-05" - modified = "2026-01-06" + id = "697bb7ee-5f1d-5c1d-b5be-547405716929" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grimagent_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grimagent_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "2bd16393ddc9027f65320f9d7195e30024d5bd5433e4f4effa16eae0aefd4e45" + logic_hash = "1c49744aa5f2c8c4924d5673b41e4aa8c2fbeeea1a58b2719f97b1f003420f8f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ec18 c745f400000000 c745f800000000 c745e800000000 8b4508 8945f0 } - $sequence_1 = { 8b4d0c 51 e8???????? 83c404 3945f8 7328 8b55ec } - $sequence_2 = { 85c0 7420 8b4d08 51 8d95f4feffff 52 e8???????? 
} - $sequence_3 = { 83c404 3945f8 750e c745e801000000 b801000000 eb1a 8b4df0 } - $sequence_4 = { 0f8394000000 8b4df0 0fb711 8b45fc } - $sequence_5 = { 8b45ec 83c002 8945ec 8b4dfc 83c102 894dfc eb02 } - $sequence_6 = { 85c0 7420 8b4d08 51 8d95f4feffff } - $sequence_7 = { 83c404 3945f8 750e c745e801000000 } - $sequence_8 = { 8b4508 0fbe08 85c9 7426 } - $sequence_9 = { 8b4508 8945f0 8b4d0c 894dfc c745f400000000 eb09 8b55f4 } + $sequence_0 = { 83c001 8945f8 8b4d0c 51 e8???????? } + $sequence_1 = { 894d0c ebd0 8b5508 0fb602 8b4d0c } + $sequence_2 = { 83c101 894d0c ebd0 8b5508 0fb602 } + $sequence_3 = { 750e c745e801000000 b801000000 eb1a 8b4df0 } + $sequence_4 = { 8b4dfc 51 e8???????? 85c0 7434 8d95d0feffff 52 } + $sequence_5 = { 3bc2 7514 8b45ec 83c002 8945ec 8b4dfc 83c102 } + $sequence_6 = { ebbe 8b550c 8955fc 8b450c 50 } + $sequence_7 = { 7426 8b5508 0fbe02 8b4d0c 0fbe11 3bc2 } + $sequence_8 = { 83c101 894d0c ebd0 8b5508 0fb602 8b4d0c 0fb611 } + $sequence_9 = { 8bec 8b4508 0fbe08 85c9 7426 8b5508 } condition: 7 of them and filesize < 582656 
@@ -116851,36 +117518,36 @@ rule MALPEDIA_Win_Cryptoshield_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f09fd893-35c5-517a-95b1-96dc5c00c268" - date = "2026-01-05" - modified = "2026-01-06" + id = "be4157c8-5727-50ab-9cca-a9ccd56abff9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptoshield_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptoshield_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "41afb8e592a261d954078e9828ef943fd5cdbb4b8df8a3f944658b648d1f2323" + logic_hash = "10779be6e41ed8e80dabfd4dd0af268b936ea8e79c52699d8b6ff23c57737f81" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7405 83f804 751a e8???????? } - $sequence_1 = { ff15???????? 83c40c 8d85b0edffff 50 683f020f00 } - $sequence_2 = { 75cb 66833a00 8bfa 744d 8d4900 } - $sequence_3 = { 6a00 8d85e8fbffff 50 6a01 68???????? 56 ff15???????? } - $sequence_4 = { 8d85c4f1ffff 68???????? 50 ffd3 } - $sequence_5 = { 50 ffd7 8b45f0 85c0 7506 } - $sequence_6 = { 0f84a6000000 8d45fc 50 6a01 ff75f8 6810660000 } - $sequence_7 = { 6a00 ffd3 85c0 0f84bb000000 6804010000 } - $sequence_8 = { ff15???????? c745fc00000000 85f6 7407 56 ff15???????? 
85ff } - $sequence_9 = { 0fb7c0 50 8d45f4 68???????? 50 ffd6 83c40c } + $sequence_0 = { 83f801 7516 be06000000 8bc6 5e 8b4dfc } + $sequence_1 = { 50 8d85f4fdffff 50 c785f0fdffff05010000 ff15???????? 85c0 7513 } + $sequence_2 = { ffd7 8b1d???????? 6804010000 8d85ecfbffff } + $sequence_3 = { 8d85c4f1ffff 68???????? 50 ffd3 } + $sequence_4 = { 6a19 ff75fc ff15???????? 85c0 7508 ffd3 8bf8 } + $sequence_5 = { 50 ff15???????? 83c40c 8d85ecfbffff 6a00 6880000000 6a04 } + $sequence_6 = { 8d95f4fdffff 6685c9 7417 0fb7c9 90 } + $sequence_7 = { 50 ffd3 83f8ff 7505 50 ffd6 } + $sequence_8 = { 83feff 7466 6804010000 8d85f8feffff 6a00 50 } + $sequence_9 = { 8b8c243c060000 5f 5e 5b } condition: 7 of them and filesize < 131072 
@@ -116890,62 +117557,63 @@ rule MALPEDIA_Win_Deepdata_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8aad3a67-fb15-5e5f-9d9e-ff6fff6a45f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "5e5a8836-fd0b-5eb0-a9f8-002d646cac2d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deepdata" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deepdata_auto.yar#L1-L338" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deepdata_auto.yar#L1-L347" license_url = "N/A" - logic_hash = "a34d5234f4db9f94f6aa56b11d8ba8d09bbd4a4349792470c342c748e8726f18" + logic_hash = "eca12beeb04a7796e75eb29b67bcf0ce9310e72338654fdcff0fb4d6a98defc3" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 751d 68???????? ff15???????? 50 } - $sequence_1 = { 83d000 50 51 8bce e8???????? } - $sequence_2 = { b001 5d c3 8ac1 } - $sequence_3 = { 8bd0 8bce e8???????? 83c408 5f } - $sequence_4 = { 837d0800 7502 eb10 8b4508 a3???????? } + $sequence_0 = { 833d????????00 751d 68???????? ff15???????? 50 ff15???????? } + $sequence_1 = { 837d0800 7502 eb10 8b4508 a3???????? } + $sequence_2 = { 83d000 50 51 8bce e8???????? } + $sequence_3 = { b001 5d c3 8ac1 } + $sequence_4 = { 8bd0 8bce e8???????? 83c408 5f } $sequence_5 = { 55 8bec 8b4508 32c9 85c0 } - $sequence_6 = { 740a 50 ff15???????? 
83c404 8b8c245c010000 } - $sequence_7 = { 8bec 56 57 8bf9 8d7704 8bce c707???????? } - $sequence_8 = { e8???????? 81e3fbff0000 f20f1106 83cb08 } - $sequence_9 = { ff36 e8???????? 83c408 c707???????? f6450801 } - $sequence_10 = { 8bec 56 8bf1 c706???????? 8b4e18 83f910 7228 } - $sequence_11 = { 83c104 3bd3 7cf2 eb06 32c0 88442425 } - $sequence_12 = { e8???????? 83c40c c785c4fbffff2c020000 6a00 } - $sequence_13 = { 7760 8bc2 51 50 e8???????? 83c408 c7463000000000 } - $sequence_14 = { 64a300000000 8bf1 8b7d08 897dd0 c745d800000000 c745e800000000 c745ec0f000000 } - $sequence_15 = { c78560ffffff00000000 c78564ffffff00000000 c78568ffffff00000000 c7856cffffff00000000 c78550ffffff00000000 c7458800000000 } - $sequence_16 = { 837df401 7543 68???????? ff15???????? } - $sequence_17 = { 8b4dfc e8???????? 8b4dfc e8???????? 8b10 52 8b4dfc } - $sequence_18 = { 83c40c 83c118 6a08 50 } - $sequence_19 = { e8???????? 8b00 50 8b4dfc e8???????? 8bc8 } - $sequence_20 = { e8???????? 8b00 50 e8???????? 83c404 2bf0 } - $sequence_21 = { a1???????? 8b4858 ffd1 83c40c } - $sequence_22 = { 83c428 c645fc00 8d4d08 e8???????? c745fcffffffff 8d4d14 e8???????? } - $sequence_23 = { e8???????? 83c404 394508 7321 8b4dfc } - $sequence_24 = { 83c40c b001 5f 5b } - $sequence_25 = { 8bec 83ec08 894dfc 8b4dfc e8???????? 8b00 50 } - $sequence_26 = { 837df800 7549 837df401 7543 } - $sequence_27 = { 6a00 6a00 ff7514 ff75c8 ff75c0 ff75c4 } - $sequence_28 = { 8b4dfc e8???????? 8b16 3b10 750a 6a01 } - $sequence_29 = { 8945e4 8b4dec e8???????? 833800 } - $sequence_30 = { 50 8b4d10 8b11 ffd2 83c404 } - $sequence_31 = { 8b4dfc 8b5108 0fb602 50 8b4dfc e8???????? } - $sequence_32 = { 85d2 7526 8d4d90 e8???????? 0fb6c0 85c0 } - $sequence_33 = { 83c118 e8???????? 8945f8 837df804 7408 837df808 740c } - $sequence_34 = { 83c00c 6a00 50 e8???????? 84c0 } - $sequence_35 = { 8b4dfc 8b5008 3b5104 7505 83c8ff eb1e 8b45fc } + $sequence_6 = { 8b8c245c010000 8bc6 5f 5e } + $sequence_7 = { 85c0 740a 50 ff15???????? 
83c404 8b8c245c010000 } + $sequence_8 = { 50 8bce e8???????? 8b4dfc 8bc6 5b 5f } + $sequence_9 = { 50 57 ffd3 85c0 75da } + $sequence_10 = { 57 8bf9 8d7704 8bce c707???????? 8b06 ff7004 } + $sequence_11 = { 7760 8bc2 51 50 e8???????? 83c408 c7463000000000 } + $sequence_12 = { e8???????? 81e3fbff0000 f20f1106 83cb08 } + $sequence_13 = { c7855cffffff00000000 c78560ffffff00000000 c78564ffffff00000000 c78568ffffff00000000 c7856cffffff00000000 c78550ffffff00000000 c7458800000000 } + $sequence_14 = { 8bc7 5f 5e 5b 8b4c2448 33cc e8???????? } + $sequence_15 = { 83c40c c785c4fbffff2c020000 6a00 6a02 } + $sequence_16 = { ff36 e8???????? 83c408 c707???????? f6450801 740b 6a0c } + $sequence_17 = { 83c40c b001 5f 5b } + $sequence_18 = { 7549 837df401 7543 68???????? } + $sequence_19 = { 833800 7452 8b4dec e8???????? 8b00 50 } + $sequence_20 = { 13cb 85c0 7504 85c9 7467 } + $sequence_21 = { 50 e8???????? 83c404 394508 7321 8b4dfc } + $sequence_22 = { 83c40c 83c118 6a08 50 } + $sequence_23 = { a1???????? 33c5 8945fc c745f400000000 8b4508 } + $sequence_24 = { 8945e8 c745fc00000000 8b4de8 51 8b4dec e8???????? 8b10 } + $sequence_25 = { 6a00 ff7514 ff75c8 ff75c0 } + $sequence_26 = { 83c00c 6a00 50 e8???????? 84c0 } + $sequence_27 = { e8???????? 0fb6c8 85c9 7415 8b4528 50 8b4d24 } + $sequence_28 = { 8b450c 50 8b4d08 e8???????? 50 8b4dec e8???????? } + $sequence_29 = { 898508ffffff c645fc02 83ec0c 8bcc 89a514ffffff } + $sequence_30 = { 50 8b4d10 8b11 ffd2 } + $sequence_31 = { 8945e4 8b4dec e8???????? 833800 7452 8b4dec } + $sequence_32 = { 6a01 a1???????? 8b4858 ffd1 } + $sequence_33 = { 8b0e 3b08 750a 6a01 8b4dfc e8???????? 8b4dfc } + $sequence_34 = { 8b00 50 8b4dfc e8???????? 8bc8 e8???????? } + $sequence_35 = { 833800 0f8484000000 8b4dfc e8???????? } + $sequence_36 = { 8b4510 8945fc 8b4d08 894df8 8b550c 8955f4 837dfc00 } condition: 7 of them and filesize < 33134592 
@@ -116955,50 +117623,50 @@ rule MALPEDIA_Win_Oldbait_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3d100a63-9903-54ef-879e-2f52e4e2c1c3" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d0d70ad-1050-54b7-a62c-d83d549cdba4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oldbait_auto.yar#L1-L229" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oldbait_auto.yar#L1-L241" license_url = "N/A" - logic_hash = "3c4b648b9be2acfeca2a30294d4a7ef92b56cb886b14af5b01f11170901c19b6" + logic_hash = "b7c91c931f63c5d5512fddb9099d4e32a784361edd4e54f14f37d761af74f655" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7409 43 83c104 83fb40 72f3 } - $sequence_1 = { 8b86f5b11800 8945cc 8b86fdb11800 8945bc } - $sequence_2 = { 05d4db1900 8945f4 ff35???????? ff75fc } - $sequence_3 = { 8d4b08 51 50 ff75e4 } - $sequence_4 = { 50 57 ff55e8 6800080000 ff750c } - $sequence_5 = { 3571281424 42 3bd6 894510 72da 8bc7 5f } - $sequence_6 = { 56 56 50 ff75ac } - $sequence_7 = { 6a00 6a01 6800000080 ff75f8 ff15???????? 
} - $sequence_8 = { 57 8b7d08 8d70ff 85f6 } - $sequence_9 = { 888800b01800 ebda 8b45fc 0531b11800 50 8b45f8 } - $sequence_10 = { 47 0504040000 83ff08 72f0 83ff08 0f83a6000000 } - $sequence_11 = { 6a40 6800300000 68d4fd1900 6a00 ff15???????? } - $sequence_12 = { 50 ff7508 ff55e0 ff7508 8d83fcf7ffff } - $sequence_13 = { 0f84d3010000 837d0800 0f84c9010000 837ddc0c 7518 } - $sequence_14 = { 7626 8b4510 8bca 83f101 83e107 d3e8 } - $sequence_15 = { 55 8bec 8b450c 56 33d2 57 8b7d08 } - $sequence_16 = { 8b45f8 301c07 41 47 3b4d10 } - $sequence_17 = { 50 8d45c4 50 68???????? ff35???????? ffd6 } - $sequence_18 = { ff55d8 8bd8 83fbff 752c 8d45c4 50 } - $sequence_19 = { 6a00 ff750c ff75fc ff55f0 } - $sequence_20 = { 6a64 50 6a01 6a00 } - $sequence_21 = { ffd6 ffd0 53 ff55e4 90 90 90 } - $sequence_22 = { 50 ff75e0 e8???????? 90 } - $sequence_23 = { 57 8d45ec 57 50 53 } + $sequence_0 = { 0145d8 8b45f0 ff45ec 0fb64004 } + $sequence_1 = { 0145d4 41 c1ea04 75dc } + $sequence_2 = { 0145d8 8bb54cffffff 56 ff55d0 } + $sequence_3 = { 01459c 8b45c8 8945f8 eb05 } + $sequence_4 = { 0145d8 33ff 8d837ff61800 803800 } + $sequence_5 = { ff35???????? ff75fc ff55f4 5f 5e 5b } + $sequence_6 = { 0103 01451c 8b06 8bc8 c1e906 } + $sequence_7 = { ff15???????? 85c0 7505 e9???????? 6a00 6880000000 6a03 } + $sequence_8 = { 6a40 6800300000 68d4fd1900 6a00 } + $sequence_9 = { 8b450c 56 33d2 57 8b7d08 8d70ff } + $sequence_10 = { 42 3bd6 894510 72da 8bc7 5f 5e } + $sequence_11 = { 0145d8 8b45d8 3b45c8 7cc2 } + $sequence_12 = { 8b4510 69c061ea0000 3571281424 42 3bd6 894510 } + $sequence_13 = { 837d2000 7432 66c7045f0d00 43 66c7045f0a00 43 } + $sequence_14 = { 7626 8b4510 8bca 83f101 83e107 d3e8 30043a } + $sequence_15 = { ebda 8b45fc 0531b11800 50 8b45f8 0531010000 50 } + $sequence_16 = { 57 6852020000 68???????? 897dfc c645f469 c645f523 c645f65a } + $sequence_17 = { ffd6 ffd0 8d45f4 50 8d45dc 50 68???????? } + $sequence_18 = { a3???????? 8d85c0feffff 68???????? 
50 ff55dc } + $sequence_19 = { 744e 8d45fc 57 50 ff75d4 } + $sequence_20 = { 6a00 6a00 ff75fc ff55f0 6a64 68???????? 6a01 } + $sequence_21 = { 8ad8 8bc7 83e007 0a1c30 0fb64437fe } + $sequence_22 = { ffd0 eb1a 57 8d45ec 57 50 53 } + $sequence_23 = { 8bc2 894de8 53 c1e803 c1e903 56 8b7514 } condition: 7 of them and filesize < 172032 
@@ -117008,36 +117676,36 @@ rule MALPEDIA_Win_Flying_Dutchman_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3fa79262-0c02-5cc9-a3a6-873095c530cc" - date = "2026-01-05" - modified = "2026-01-06" + id = "0ac30a60-6323-5b0c-8fb7-f9bbeecdfd88" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flying_dutchman_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flying_dutchman_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "d533074e01136dd41c79c95680e27071c66cb57e7811b397b8be14c8164a2230" + logic_hash = "74706c44c3976290693bb5463f888d6318b4843e7e24551960ce4b70ec88bc2e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 899c2480400000 897c2418 3bc7 7d42 8b5c2410 e8???????? 8b5c2414 } - $sequence_1 = { 8b5104 895008 8b09 894804 833801 } - $sequence_2 = { 83a588fdffff00 899d8cfdffff c68578fdffff00 c645fc05 ff15???????? 50 8d85e8fdffff } - $sequence_3 = { 8b8574f7ffff 8985c0fdffff 8b8578f7ffff 8985c4fdffff 6804010000 8d858cf9ffff 50 } - $sequence_4 = { 83e800 747a 48 7459 48 0f858c000000 8b3d???????? } - $sequence_5 = { ff7508 e8???????? 8bd8 53 57 } - $sequence_6 = { 75f2 8b35???????? 57 57 ffd6 898570ffffff 3bc7 } - $sequence_7 = { 663bcf 75ed e9???????? 
83f806 751a 33c0 } - $sequence_8 = { c1e606 03348560e90110 c745e401000000 33db 395e08 } - $sequence_9 = { 3bf3 7405 e8???????? 6a05 ff15???????? 399d68deffff } + $sequence_0 = { 8bbd2cfdffff 89bd44fdffff 6a04 ff37 ffb534fdffff ff15???????? 898528fdffff } + $sequence_1 = { 53 8bc6 8819 e8???????? 83ec1c 8bcc 89a554feffff } + $sequence_2 = { 8db5b0fdffff e8???????? 6a01 8db578fdffff e8???????? 6a01 8db5ccfdffff } + $sequence_3 = { 50 e8???????? 83c40c ffb578f9ffff 8d75c0 ffb574f9ffff e8???????? } + $sequence_4 = { befe010000 56 53 8d85e6fdffff } + $sequence_5 = { 51 50 50 c785f8feffff01000000 c785f0feffff06000000 } + $sequence_6 = { 8b442414 03c3 50 e8???????? 83f8ff } + $sequence_7 = { 8bf1 833eff 89442410 7411 bf00400000 57 } + $sequence_8 = { 50 6a01 57 8d8560fdffff 50 6802000080 } + $sequence_9 = { 81ec00030000 a1???????? 33c5 8945fc 8b4304 8b0b } condition: 7 of them and filesize < 276480 
@@ -117047,36 +117715,36 @@ rule MALPEDIA_Win_Fk_Undead_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cf4f13f3-5cfd-52f4-9402-53feb1040423" - date = "2026-01-05" - modified = "2026-01-06" + id = "02969aed-17bc-5bd4-8372-32190b9962f6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fk_undead" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fk_undead_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fk_undead_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "082cbaea4a68893ab74100ece6602c4f221f464c059db4c166d2438647300475" + logic_hash = "568a37848273d11f37d140c220bd173a6167b00475b69ffcde402633d902008d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 80bbbb02000000 0f44f9 83f807 0f87cb020000 ff2485887a0310 ff4618 } - $sequence_1 = { 8965f0 8b4508 8b750c 8b5510 33c9 898dd8f7ffff 894dfc } - $sequence_2 = { 83bb2402000000 745a 6a0a ff37 68???????? e8???????? 83c40c } - $sequence_3 = { 8bf0 6a02 6a02 56 ff15???????? c745fc00000000 56 } - $sequence_4 = { 6a3a ff37 e8???????? 8bf0 83c408 85f6 0f84b7000000 } - $sequence_5 = { 742d 8b94241c080000 8b442408 8b8c2420080000 8902 8b1424 8b842424080000 } - $sequence_6 = { 8b4c241c 52 8908 e8???????? 
8b442418 83c404 5e } - $sequence_7 = { 0fb7780c 8b442428 8d5001 8a08 40 84c9 75f9 } - $sequence_8 = { 8b6c2414 33c0 33d2 57 89442408 85ed 0f8402010000 } - $sequence_9 = { 51 e8???????? 83c404 8903 85c0 7516 8b5500 } + $sequence_0 = { 83c002 6685c9 75f5 2bc2 d1f8 83f816 7607 } + $sequence_1 = { 52 53 53 50 57 68c0300800 56 } + $sequence_2 = { 7416 8b450c 854160 740e b901000000 33c0 85c9 } + $sequence_3 = { 52 e8???????? 8bf8 83c404 897c2410 85ff 0f84ad000000 } + $sequence_4 = { 83fa03 750e 8b0c85e0650a10 8a06 46 88441926 2bf2 } + $sequence_5 = { 7407 50 ff15???????? 57 ff15???????? 8b442410 } + $sequence_6 = { 0fb74d1c 894c2420 8b4d24 89542424 8b5520 894c2454 0fb64d0a } + $sequence_7 = { 52 e8???????? 83c410 89442438 3bc6 0f8430010000 } + $sequence_8 = { 0f84a4020000 c7461801000000 e9???????? 803f0a 7533 837e2000 } + $sequence_9 = { 33db 48 ff248d84b40010 8d543e5e 8b443e18 8b5c3e3c 8944244c } condition: 7 of them and filesize < 1418240 
@@ -117086,36 +117754,36 @@ rule MALPEDIA_Win_Tarsip_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "75e9f569-8d36-54c4-8e68-bdfe5fadb50e" - date = "2026-01-05" - modified = "2026-01-06" + id = "c10eeba8-cd9e-54e7-a8c0-793f44e9ab8d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tarsip_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tarsip_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "d620ca424e61c9ab1970fe1ca1122ff88c39fb4068349c8790c7e61013d76968" + logic_hash = "e4f1edc7f5ac879ec18dc16f773b536d35530d5470f74bca35d4b4c37d0dbe98" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895c2420 885c2410 6a25 68???????? 8d4c2414 899c243c010000 e8???????? } - $sequence_1 = { 53 68???????? 8d4c247c c78424940000000f000000 899c2490000000 889c2480000000 } - $sequence_2 = { b001 894c2410 88442414 0f85ff000000 8b742434 8b4614 8b4e18 } - $sequence_3 = { 7210 8b9424dc000000 52 e8???????? 83c404 84db 745c } - $sequence_4 = { ff15???????? 5b 33c0 5e c3 57 6a00 } - $sequence_5 = { 885c2470 6a0e 68???????? 8d4c2474 899c24bc0e0000 e8???????? 68ff000000 } - $sequence_6 = { 51 c68424c801000000 e8???????? 
8bbc248c000000 be10000000 83c40c 39b42494000000 } - $sequence_7 = { 50 52 53 e8???????? 8b8690830000 8b08 } - $sequence_8 = { 8d44242c 50 8d4c242c 51 8d542424 52 ffd6 } - $sequence_9 = { eb03 897e08 8b5118 392a 7520 807f4500 7404 } + $sequence_0 = { 51 e8???????? 83c40c 85c0 7511 8d8c248c8e0000 e8???????? } + $sequence_1 = { 51 e8???????? 8d9424a4000000 52 55 e8???????? 83c408 } + $sequence_2 = { 52 ba???????? 8bcf e8???????? 8d8424ac000000 50 e8???????? } + $sequence_3 = { 0fb60f 0fb602 2bc8 7531 83fe01 7638 0fb64f01 } + $sequence_4 = { 889c2478010000 83fe10 7209 57 e8???????? 83c404 8d542430 } + $sequence_5 = { 7e5c 8d0440 99 2bc2 8bf8 d1ff 81c700040000 } + $sequence_6 = { e8???????? 83c40c 889c2478010000 83fe10 7209 } + $sequence_7 = { 8d8c244c840000 51 8d542430 8bc5 c744243040000000 } + $sequence_8 = { 83c107 83e1f8 894c2410 0f848a000000 53 50 } + $sequence_9 = { 55 8d8601060000 6a30 50 68???????? } condition: 7 of them and filesize < 360448 
@@ -117125,36 +117793,36 @@ rule MALPEDIA_Win_Recordbreaker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84c578f1-7563-5244-9c52-c15658d206fd" - date = "2026-01-05" - modified = "2026-01-06" + id = "08560daa-5fe8-595e-9dbc-a441ed4bb00d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.recordbreaker_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.recordbreaker_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "47ce2cf43e0dd275e8c2b25425755b57837a7a72d47324aa716f84b51ead687c" + logic_hash = "0c3c04c3e787bdbde6eff7122bcf70b1628690be33e8fdffdc0fb66bd4e37294" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b15???????? 8bc8 e8???????? 8b55f0 } - $sequence_1 = { 8a040e 46 8802 42 3bf3 72f5 } - $sequence_2 = { 51 8d4de4 51 ff750c a5 } - $sequence_3 = { ff15???????? 33c0 40 eb08 ff15???????? 33c0 5f } - $sequence_4 = { 8365f800 a1???????? c745f464000000 53 56 } - $sequence_5 = { 33c0 50 6800000008 6a02 50 50 } - $sequence_6 = { ba04010000 8d0c41 51 8d85d0fdffff 50 } - $sequence_7 = { ff15???????? 8b7508 83c410 8bd3 } - $sequence_8 = { 8b15???????? 8bc8 e8???????? 
8b55f8 } - $sequence_9 = { 81ec68040000 837d1002 53 56 8bf2 57 } + $sequence_0 = { ff15???????? 83c8ff eb2f ff35???????? } + $sequence_1 = { e8???????? 8b15???????? 8bc8 e8???????? 8b55f0 } + $sequence_2 = { 51 8b4dfc 8975d0 e8???????? } + $sequence_3 = { 7407 56 ff15???????? 837db400 7409 ff75b4 } + $sequence_4 = { ff15???????? 57 ff750c 8bf0 ff15???????? 83c410 } + $sequence_5 = { 037d10 40 8901 a5 a5 a5 a5 } + $sequence_6 = { ff751c ff7518 ff7510 ff750c 53 53 e8???????? } + $sequence_7 = { 8bd9 663bc8 7416 6a22 8bc2 } + $sequence_8 = { 8bd6 e8???????? 8b15???????? 8bc8 8903 e8???????? } + $sequence_9 = { 33c0 50 50 6a04 50 6a01 6800000080 } condition: 7 of them and filesize < 232312 
@@ -117164,36 +117832,36 @@ rule MALPEDIA_Win_Lorenz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3aee8adc-1b9f-5b03-9288-bb1500e950aa" - date = "2026-01-05" - modified = "2026-01-06" + id = "d46d5b6e-dd5e-559f-9545-61f51029b356" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lorenz_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lorenz_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "c80c5566415183b7ec75889797e4ddd8ca135fa83bddd748f7ac34751f1b8d91" + logic_hash = "b1691f020a5fa10447934fe0f22959d84966da721af4f14db39e17b38db11901" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bec 51 894dfc 6a0c 8b4508 50 8b4dfc } - $sequence_1 = { 894db0 8b55b0 3b55f4 7314 8b45b0 8b4dfc 8b1481 } - $sequence_2 = { e8???????? 8945f8 8b55fc 833a02 753d 8b4df8 e8???????? } - $sequence_3 = { e8???????? 68???????? 8d4d84 51 e8???????? 8b5514 52 } - $sequence_4 = { 8b4dfc e8???????? 0fb6d0 85d2 7454 8b45fc 8b480c } - $sequence_5 = { ff15???????? 33d2 8b450c 66895004 8b4d0c 8b55f4 8911 } - $sequence_6 = { 8b55dc 8b02 50 8b4d08 51 8b4ddc e8???????? } - $sequence_7 = { 83c410 e9???????? 68???????? 8d4dbc e8???????? 8b4dec 8b11 } - $sequence_8 = { 6a00 68840a0000 68???????? 
6a02 e8???????? 83c418 83f801 } - $sequence_9 = { cc 33d2 75c3 33c0 75bf 837dfc00 7408 } + $sequence_0 = { 8b1481 8955b8 8b450c 8b482c 8b55ec 8b45e0 8b75ec } + $sequence_1 = { 8b55b8 8b02 8b4808 894db4 8b4db4 e8???????? 8b4db8 } + $sequence_2 = { 6a00 68d5070000 68???????? 6a02 e8???????? 83c418 83f801 } + $sequence_3 = { ba01000000 d3e2 8955f8 8b45fc 8b08 234df8 7421 } + $sequence_4 = { e8???????? 8bc8 e8???????? 0fb6c8 85c9 7460 8d4ddc } + $sequence_5 = { 8b55fc 8b427c 50 8b4dfc 8b5158 8b45fc 8b7058 } + $sequence_6 = { e8???????? 8b4d08 ff55e0 8b4df4 64890d00000000 59 8be5 } + $sequence_7 = { 8b91ac000000 83ea01 8b45f8 8990ac000000 8b4df8 8b919c000000 8955e8 } + $sequence_8 = { e9???????? 8d4df2 894dd0 6859020000 68???????? 8b55d0 0fb602 } + $sequence_9 = { c745f800000000 837d0800 742c 8b45fc 8b88a4000000 394d08 } condition: 7 of them and filesize < 2254848 
@@ -117203,60 +117871,59 @@ rule MALPEDIA_Win_Op_Blockbuster_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b7f0c30-0206-5506-9bf8-8eb817cff417" - date = "2026-01-05" - modified = "2026-01-06" + id = "8c9a0435-c2f5-5c56-96a6-d039595e42b0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.op_blockbuster_auto.yar#L1-L322" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.op_blockbuster_auto.yar#L1-L312" license_url = "N/A" - logic_hash = "ef3bbaff4dfd2be69511dd31c3bf7441917e62af8119f46abb34c10cb6a977e8" + logic_hash = "4093ffe1a868b4a0da01c63f7eb7414a9b3d91b966d265764d4f9b873695a33e" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { c701???????? 8b497c 85c9 7407 51 } - $sequence_1 = { 57 683c400000 6a40 ff15???????? } - $sequence_2 = { e8???????? 85c0 7407 83f802 } - $sequence_3 = { ff15???????? 6808400000 6a40 ff15???????? } - $sequence_4 = { 56 e8???????? 68???????? 56 a3???????? e8???????? 83c440 } - $sequence_5 = { f3ab 66ab aa 5f 85f6 5e } - $sequence_6 = { 8a08 80f920 7505 83c021 } - $sequence_7 = { 8d45fc 6a04 50 57 ff15???????? } - $sequence_8 = { 85c0 7412 68???????? 50 e8???????? 59 a3???????? } - $sequence_9 = { 56 50 8d45fc 6a04 } - $sequence_10 = { 3c70 7f04 0409 eb06 } - $sequence_11 = { 3c69 7c08 3c70 7f04 } - $sequence_12 = { 8bf0 ff15???????? 
85f6 7404 85c0 } - $sequence_13 = { 4863c1 48ffc7 448bc2 88940460010000 0fb607 84c0 } - $sequence_14 = { 33c0 8bf8 488d8dd0020000 4863df ff15???????? 488d4c3302 488d95d0020000 } - $sequence_15 = { a3???????? 5e c3 68???????? ff15???????? 85c0 7412 } - $sequence_16 = { 57 e8???????? 56 e8???????? 83c414 b801000000 } - $sequence_17 = { 666666660f1f840000000000 0fb603 48ffc3 884419ff 84c0 75f2 488d9580010000 } - $sequence_18 = { 488d8d11010000 33d2 41b803010000 c6851001000000 e8???????? 4533e4 488d542460 } - $sequence_19 = { 8bc6 5f 5e c3 33c0 6a00 } - $sequence_20 = { 6a00 ff15???????? 8bf8 85ff 7504 5f 5e } - $sequence_21 = { 89442440 888424c0020000 e8???????? 488d9424c0020000 } - $sequence_22 = { c3 56 53 6a01 57 e8???????? } - $sequence_23 = { c3 33c0 ebf8 53 33db 391d???????? 56 } - $sequence_24 = { 0fb607 48ffc1 84c0 75ea 803f20 740a } - $sequence_25 = { 68???????? 56 e8???????? 56 e8???????? 83c438 } - $sequence_26 = { 897de0 394508 7c1f 3934bdd8974400 } - $sequence_27 = { 83e03f c1ff06 6bd830 8b04bdd8974400 f644032801 } - $sequence_28 = { 6bc830 8b0495d8974400 8b440818 83f8ff 7409 83f8fe 7404 } - $sequence_29 = { 50 68???????? 6a05 8d856cffffff 57 50 } - $sequence_30 = { 8bcb 8d84240c0c0000 83e103 50 } - $sequence_31 = { c745d403000000 8975d8 8b08 52 } - $sequence_32 = { 8d85e0fdffff d1fe 4e 56 50 } - $sequence_33 = { e8???????? 6800040000 56 ff742414 ff15???????? 5f } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 8a08 80f920 7505 83c021 } + $sequence_1 = { c701???????? 8b497c 85c9 7407 } + $sequence_2 = { 57 683c400000 6a40 ff15???????? } + $sequence_3 = { e8???????? 6800400000 6a00 ff15???????? } + $sequence_4 = { f3ab 66ab aa 5f 85f6 5e } + $sequence_5 = { e8???????? 85c0 7407 83f802 } + $sequence_6 = { ff15???????? 6808400000 6a40 ff15???????? } + $sequence_7 = { 68???????? 
56 ff15???????? 68???????? 56 a3???????? e8???????? } + $sequence_8 = { 56 50 8d45fc 6a04 50 } + $sequence_9 = { 3c69 7c08 3c70 7f04 0409 eb06 3c72 } + $sequence_10 = { 488d4590 4c8d8510010000 4889442448 4c89642440 4c89642438 4489642430 } + $sequence_11 = { ff15???????? 85f6 7404 85c0 } + $sequence_12 = { 4533c9 ba7a341200 e9???????? 4053 4883ec20 ff15???????? 8bc8 } + $sequence_13 = { 5e c3 68???????? ff15???????? 85c0 7412 68???????? } + $sequence_14 = { 56 6a00 ff15???????? 8bf8 85ff 7504 } + $sequence_15 = { c3 56 53 6a01 57 e8???????? } + $sequence_16 = { ff15???????? 488d542440 488bcf ff15???????? 4c8be0 4883f8ff 0f840b010000 } + $sequence_17 = { 6a01 57 e8???????? 56 e8???????? 83c414 b801000000 } + $sequence_18 = { 68???????? 56 e8???????? 56 e8???????? 83c438 } + $sequence_19 = { 4154 4155 4881ecf0070000 488b05???????? 4833c4 48898424d0070000 } + $sequence_20 = { ff15???????? 8b442444 eb10 48b8756e6b6e6f776e00 } + $sequence_21 = { 57 ff15???????? 8bc6 5f 5e c3 33c0 } + $sequence_22 = { c3 33c0 ebf8 53 33db 391d???????? 56 } + $sequence_23 = { 4533c9 33d2 4489642428 4c89642478 c7459068000000 } + $sequence_24 = { 488b8c24c0060000 4833cc e8???????? 4881c4d8060000 5e } + $sequence_25 = { 77c5 ff2485f20c4100 8bce e8???????? eb45 } + $sequence_26 = { 895de4 8b049dd8974400 8945d4 8955e8 8a5c1029 80fb02 } + $sequence_27 = { c1f906 6bd030 8a45fe 8b0c8dd8974400 88441129 8b0b } + $sequence_28 = { 83c8ff eb68 ff75fc 8d85e8efffff } + $sequence_29 = { 66f7460c0c01 7552 833c85048f400000 53 } + $sequence_30 = { e8???????? 59 8bc6 5e c20400 833d????????ff } + $sequence_31 = { 85c0 59 0f8495000000 56 } + $sequence_32 = { ff15???????? 85c0 7d07 33f6 e9???????? } condition: 7 of them and filesize < 74309632 
@@ -117266,36 +117933,36 @@ rule MALPEDIA_Win_Rockloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "104e8d35-82fc-516a-9593-bcf9bbbb834c" - date = "2026-01-05" - modified = "2026-01-06" + id = "3b6fe0be-24e2-5fa5-9c6b-c51e1d1c929d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rockloader_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rockloader_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "64906b80f87c45698d39208b0d7a3080387e28b93568b203b7e0595d5362c76c" + logic_hash = "793503e3062a6c8d1d48d29e6bfc48b2bfbd7ddb06209354c6c109f6ca1d96d0" score = 75 - quality = 73 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { dc4dec 83650800 dec9 dd5dec dd45ec dd5918 9b } - $sequence_1 = { 40 8a0c30 3acb 75f3 8a0c30 3acb 7413 } - $sequence_2 = { c3 80f961 7c0d 80f966 7f08 0fbec9 8d44c1a9 } - $sequence_3 = { c0e204 240f 02d0 8817 } - $sequence_4 = { 80383a 75b7 40 e8???????? 50 } + $sequence_0 = { 8945f8 eb07 c745ec01000000 8b36 85f6 } + $sequence_1 = { 8d44c1a9 c3 33c0 c3 } + $sequence_2 = { eb07 50 ff15???????? 8bf0 85f6 7507 33c0 } + $sequence_3 = { 8d45ec 50 8d85a0f7ffff 50 } + $sequence_4 = { ff7508 8bc6 e8???????? eb40 } $sequence_5 = { 46 80382d 750a dd05???????? 
40 dd5de4 } $sequence_6 = { 7f09 0fbec9 8d44c1d0 eb24 80f941 7c0e 80f946 } - $sequence_7 = { 5d c20400 e8???????? 85c0 7407 c7400c05000000 c3 } - $sequence_8 = { 6a02 58 e8???????? 8bf8 85ff 0f84a9feffff 837d1000 } - $sequence_9 = { 48 746a 48 744e } + $sequence_7 = { 66c7075d00 8bc6 5f 5e 5b } + $sequence_8 = { 3b75f4 7ce9 ff75f8 ff15???????? } + $sequence_9 = { 3c30 7c04 3c39 7e2a 3c5b 750c 8b4d08 } condition: 7 of them and filesize < 98304 
@@ -117305,36 +117972,36 @@ rule MALPEDIA_Win_Valkyrie_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4598928-8b14-591c-9777-90769a8eecd7" - date = "2026-01-05" - modified = "2026-01-06" + id = "475b59ce-6bc1-5e23-9d64-0fbfc446846d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.valkyrie_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.valkyrie_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.valkyrie_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "c5262da30071ead337de0712314a64ba13ec652e925a6c656e4cda19b1fcb853" + logic_hash = "4ad11ec1233604364bd3f3f9ec4542833905e352458285bfa2ad33f2344496ac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89442430 85c0 0f85ab130000 4a8b4c3500 44396914 7d18 e8???????? } - $sequence_1 = { 85c9 741c 498b07 44386067 750f 498b8788000000 488d0c49 } - $sequence_2 = { e8???????? 448b4ddc eb2a 8d4101 418907 488d0c49 488b8388000000 } - $sequence_3 = { 8bc2 c645b82d c1e81f 03d0 c645bb20 c645be3a 8d0492 } - $sequence_4 = { 8bde eb4e 803c3e75 751b 8d4305 413bc6 7359 } - $sequence_5 = { e8???????? 8d4701 e9???????? 
8bcd 488d15829f0b00 4803ce 41b804000000 } - $sequence_6 = { 8b8590000000 ffc8 4898 488d0c40 488d1ccf 0fbe4301 3cfa } - $sequence_7 = { 7417 4c8b542448 41f6427002 750b 410fbae61c 0f820c010000 488b85f0000000 } - $sequence_8 = { 488bf0 4885c0 0f84cb000000 837d0800 7411 488b4f20 498bd6 } - $sequence_9 = { eb25 48c744242002000000 4c8d0d17781100 4533c0 ba02000000 488d8c2498000000 e8???????? } + $sequence_0 = { c744242074cd0000 8bd0 4c8d0561e70300 b90e030000 e8???????? eb22 83c503 } + $sequence_1 = { c704c80e000000 448944c804 448944c80c 488d14c8 8b842480000000 48897a10 894208 } + $sequence_2 = { 7f1f 41b903000000 44896c2420 4533c0 ba76000000 488bcb e8???????? } + $sequence_3 = { 80f980 7513 83e03f c1e206 03d0 41ffc1 49ffc0 } + $sequence_4 = { ba5e000000 488bcb e8???????? 4533d2 eb2d 8d4101 898390000000 } + $sequence_5 = { 488d0c49 488b8388000000 c704c85e000000 44897cc804 897cc808 448954c80c 4c896cc810 } + $sequence_6 = { 85c6 7577 8d86fffeffff 3dfffe0000 776a 0fb64714 448be6 } + $sequence_7 = { 8954c80c 4c895cc810 83bc24e001000000 488b842490000000 7442 493bc7 753d } + $sequence_8 = { 7418 488d1533081000 488bcb e8???????? 48894558 be01000000 488b4f08 } + $sequence_9 = { 7419 0fbae20e 7307 483b6c2478 740c 4d8bc3 488d15ea260c00 } condition: 7 of them and filesize < 2895872 
@@ -117344,36 +118011,36 @@ rule MALPEDIA_Win_Revil_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6d9b3831-9422-59dd-891e-cc56c498429e" - date = "2026-01-05" - modified = "2026-01-06" + id = "b1ad6f98-f355-58f7-9005-19954a2d15bd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.revil_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.revil_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "5ffcb29efd36b8555dc7beef77a59c8169ca5a939654167ee68e6e55a4f62dd3" + logic_hash = "5d33fffaf68198c6aae66933e5fea0ec5482714ebf11d122b8198c06a1f19c8f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33f6 6a00 6841db0100 ffb4356cffffff ffb43568ffffff } - $sequence_1 = { 50 8d8538feffff 50 ff7508 e8???????? ff7508 e8???????? } - $sequence_2 = { 8b80c0000000 8b5d08 8945ec 8b4508 } - $sequence_3 = { 0cc0 80c980 880437 884c3701 } - $sequence_4 = { 8365d000 807d0f2d 8b75f0 8975f4 7408 83ca02 } - $sequence_5 = { 4b 8955f8 e9???????? 
837db400 } - $sequence_6 = { 8bc2 33437c 33cf 3345fc 894b78 8bcb } - $sequence_7 = { 3345e4 89417c 8bce f7d1 8bc2 234ddc } - $sequence_8 = { 81ecf0040000 53 56 57 bf90000000 } - $sequence_9 = { 57 33db 89b53cffffff 8d8540ffffff 43 } + $sequence_0 = { c1ee1f 0bd1 03c0 0bf0 8bc2 334324 8bce } + $sequence_1 = { 894df4 8b4e0c 334e34 334e5c 338e84000000 338eac000000 8955dc } + $sequence_2 = { 8dbd80feffff f3a5 50 e8???????? } + $sequence_3 = { 8b5a70 8b5274 0fa4fe12 c1e90e c1e712 0bc6 0bcf } + $sequence_4 = { 89463c 0bcb 894e38 33c0 8b7e58 8bca 8b765c } + $sequence_5 = { ff15???????? 8bf0 6a01 ff15???????? ff15???????? 3bf0 74ee } + $sequence_6 = { 894104 8bce f7d1 8bc2 234ddc } + $sequence_7 = { 0bcb 894a78 8bcf 89427c } + $sequence_8 = { 7508 85ff 0f850a010000 8b7518 b8c8000000 } + $sequence_9 = { 3bd6 72ee 8b7d14 8d8534ffffff } condition: 7 of them and filesize < 155794432 
@@ -117383,36 +118050,36 @@ rule MALPEDIA_Win_Invisimole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff26101a-652d-5609-8231-3c338869a11e" - date = "2026-01-05" - modified = "2026-01-06" + id = "00c4d480-eaff-5d5b-b7ed-fc8b15da400c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.invisimole_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.invisimole_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "8969781531efc17812b2df34968a188468c9267be73167ccabb12759d11db9c9" + logic_hash = "14d34ed0e95c30e1382775d7712f70010bd01725cbef579fec5803fe70172684" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745f4ffffffff e8???????? 83c414 e9???????? 6a00 6800000008 6a03 } - $sequence_1 = { 8b0d???????? 6a04 6a08 51 ffd6 85c0 7491 } - $sequence_2 = { 52 56 884d0b e8???????? 8a450c 83c448 6a01 } - $sequence_3 = { 746a 53 ff15???????? 8b4df4 51 c645ff01 ffd7 } - $sequence_4 = { 8d4da0 51 52 50 ff55c8 85c0 } + $sequence_0 = { 8d45c8 50 8d75fc b80a020000 e8???????? 8bf0 83c404 } + $sequence_1 = { 57 6810040000 6a08 50 ff15???????? 
8bf8 85ff } + $sequence_2 = { 8b06 6a00 050080c12a 6880969800 } + $sequence_3 = { 7418 8b45fc 40 8945fc 83f80a 0f8c51ffffff 5e } + $sequence_4 = { 50 ffd7 8bd8 895df4 85db 0f843e010000 } $sequence_5 = { c645bc0d 668955bd 894dbf 8bde 7409 83c302 66833b2a } - $sequence_6 = { 7449 899e8caf0600 3d06010000 7305 e8???????? 899e7caf0600 0fb60f } - $sequence_7 = { 52 ffd7 8bd8 895c2414 85db } - $sequence_8 = { 895de8 3bde 0f8418010000 8b55ec 8b45f8 53 52 } - $sequence_9 = { 8d4602 50 8d8f22020000 51 ff15???????? 33d2 668916 } + $sequence_6 = { 0f8443010000 8b15???????? 52 ffd7 8bd8 895c2434 } + $sequence_7 = { ff15???????? 807c241300 0f85e8030000 33f6 33db 89742414 89742418 } + $sequence_8 = { 52 ff15???????? e9???????? a1???????? 50 ffd7 8bf0 } + $sequence_9 = { 50 8b07 e8???????? 83c414 83f801 0f85920c0000 d1ee } condition: 7 of them and filesize < 139264 
@@ -117422,36 +118089,36 @@ rule MALPEDIA_Win_Darkrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "23e37317-8228-5897-b34f-5636920d388d" - date = "2026-01-05" - modified = "2026-01-06" + id = "8bee2e79-1a8d-5e83-941e-ef510af53b72" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkrat_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkrat_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "c66a4bb6e3f6849fe471570a3e9ab067b886ef3521f3b46d24057084154fb02f" + logic_hash = "79d2084e3a9b2691c0663414b7566cfc4d180b2c229dea2838d64e78da8905dc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c408 837b100a 8b7dd4 0f8514ffffff 8b55ec } - $sequence_1 = { e8???????? 83c408 c745e800000000 8d4dd8 } - $sequence_2 = { 51 56 e8???????? 83c40c c6043e00 eb17 57 } - $sequence_3 = { 72bd 8b4d08 42 8bc1 81fa00100000 72a5 8b49fc } - $sequence_4 = { 7435 6a13 68???????? 8bcb } - $sequence_5 = { 85c0 7527 6a0c 68???????? 8bcb e8???????? } - $sequence_6 = { c645fc01 8b45cc 83f810 7227 8d4801 } - $sequence_7 = { c7856cffffff0f000000 c68558ffffff00 6880000000 8d8570ffffff c745fc01000000 } - $sequence_8 = { c745d400000000 e8???????? 50 e8???????? 
83c408 c745e800000000 8d4dd8 } - $sequence_9 = { 8b4314 0f43d6 8b7b10 2bc7 8b4dc8 3bc8 7726 } + $sequence_0 = { 85c0 750f 8906 894604 894608 8bc6 } + $sequence_1 = { 8bcb e8???????? 8b75b8 c645fc01 8b45cc 83f810 7227 } + $sequence_2 = { 884c32ff 83e801 75f2 8b45f0 } + $sequence_3 = { c745fc01000000 c7431000000000 c743140f000000 c60300 bf01000000 897dd4 e8???????? } + $sequence_4 = { 6a3e 68???????? e8???????? c745fc01000000 } + $sequence_5 = { c645fc02 8d55b8 837dcc10 8b75b8 8b4314 } + $sequence_6 = { 7202 8b3f 56 03c7 } + $sequence_7 = { 8a0e 8d7601 884c32ff 83e801 75f2 8b45f0 } + $sequence_8 = { 8b551c 83fa10 72bd 8b4d08 } + $sequence_9 = { c745e800000000 8d4dd8 c745ec0f000000 c645d800 6a3e } condition: 7 of them and filesize < 884736 
@@ -117461,36 +118128,36 @@ rule MALPEDIA_Win_Nikihttp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7cb3a9d-079b-5853-9e14-59480637c45a" - date = "2026-01-05" - modified = "2026-01-06" + id = "efb93d62-2d55-5928-82c0-465797a9ac82" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nikihttp" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nikihttp_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nikihttp_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3a904456555531ef9c0cf6ba40524ce39305f318798212cc3d8f5ea0c8f6e7e2" + logic_hash = "b0bfb904b49f84c19d386d2f363ca9288bcaadac73c512fcbf2bf48b763ea69c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81fb41cd9ec8 75f0 bbcc8dc70b 662e0f1f840000000000 90 81fbe1bcb5f8 7e28 } - $sequence_1 = { bf35a51c0f 41bed886138b 41bf87556a70 0f1f440000 81ffdc69e0ab 0f84b0000000 81ff35a51c0f } - $sequence_2 = { 81fe7b887e5d 740a 81fee5f97f04 75f0 eb07 bee5f97f04 ebe7 } - $sequence_3 = { b8ca43fd9f e9???????? 
488b8d98000000 488b9580000000 488b4580 4883ec20 ffd0 } - $sequence_4 = { c785d000000003000000 8b8dd0000000 0fbec9 01c1 bab8c94eab ebab 898dd0000000 } - $sequence_5 = { bbdd37ea6d ebb4 884d78 8a4d78 884801 c6400200 488b4d00 } - $sequence_6 = { bb26cfb9cb 660f1f840000000000 81fbf6c7d601 7f28 81fbddb48ecd 7f50 81fb1c10669d } - $sequence_7 = { 8b442404 8b442404 8b442404 8b442404 8b442404 b837c4eca4 e9???????? } - $sequence_8 = { babec982ec 0f45ea ba51cce543 662e0f1f840000000000 0f1f00 81facbe177f9 7e28 } - $sequence_9 = { ebe9 89bdd0080000 8b85d0080000 6689431e c785a808000020000000 b813cbdf5e 662e0f1f840000000000 } + $sequence_0 = { ba9ff636ca e9???????? c78424900000006f000000 898424c0000000 8b842490000000 038424c0000000 888424d1000000 } + $sequence_1 = { 8b6c2440 40886906 c744245067000000 bdde57ec52 0f1f8000000000 81fdde57ec52 740a } + $sequence_2 = { eb07 b90e73818d ebe7 c785c000000069000000 c785e800000033000000 b94880ffaa 662e0f1f840000000000 } + $sequence_3 = { 8b05???????? 8d50ff 0fafd0 f6c201 bae2cac19b 410f44d1 833d????????0a } + $sequence_4 = { b97ce72407 662e0f1f840000000000 6690 81f921011b60 0f8488feffff 81f97ce72407 75ec } + $sequence_5 = { baeefaca92 eba1 88842448010000 8a842448010000 046f 88842492010000 488d842493010000 } + $sequence_6 = { e8???????? 884604 4889d9 b253 e8???????? 884605 4889d9 } + $sequence_7 = { bab24ff80a ebb3 c7859800000069000000 888588000000 8a8588000000 8b8d98000000 00c1 } + $sequence_8 = { bb5c2fdba5 b8d00d104b 41b8787aaae5 bae5e72c6e 0f1f4000 81fb777aaae5 7e28 } + $sequence_9 = { e9???????? 888424d0000000 8a8424d0000000 884706 488d5908 bae09a3ca6 0f1f4000 } condition: 7 of them and filesize < 2543616 
@@ -117500,36 +118167,36 @@ rule MALPEDIA_Win_Zeus_Action_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b1bc7ed7-2f41-59f6-b8c0-74ccb733a5b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "378c6095-d42a-5bf9-9fb1-ed9c51a5bf48" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeus_action_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeus_action_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "e0a4177bac84ef56b9551fcc42fe4ba9ebe72ed006b608f1d2911d9c311b37c6" + logic_hash = "caae1a669867320f43a9d91c38e71681c37072fd4c5e5df67047c94e16d1bf5e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 ff15???????? 89866c070000 85c0 0f849c010000 ff15???????? } - $sequence_1 = { 59 ebb1 8365fc00 8d45fc 50 56 e8???????? } - $sequence_2 = { 50 ffd6 8b4304 83c40c 83400403 e9???????? 8d4df8 } - $sequence_3 = { c3 55 8bec 33d2 837d1008 53 8ada } - $sequence_4 = { ff15???????? 89442420 0fb705???????? 50 ff15???????? 
668944241e 6a10 } - $sequence_5 = { 75e6 8b55e8 8b7508 8b7d0c 8b4510 eb05 } - $sequence_6 = { 8b3f 8b4f0c 8b5f08 894dfc 8b45f8 3b7df4 0f85ebfeffff } - $sequence_7 = { 3bc1 7e04 33c0 eb37 8b4d18 0fb73b 8b11 } - $sequence_8 = { eb76 80f96e 7523 8b4304 8b4804 8b5008 2bd1 } - $sequence_9 = { 8945e4 85c0 0f849f010000 8b4508 8bf8 c1ef06 a83f } + $sequence_0 = { 51 56 57 8bf0 e8???????? 8bf8 85ff } + $sequence_1 = { 0f84d1000000 53 6800040000 e8???????? 8bd8 59 85db } + $sequence_2 = { ebdd 8b45ec 25ff000000 8b4dfc 8801 8b45fc 40 } + $sequence_3 = { ffb3c4020000 8d45e0 6a05 50 ffb360010000 e8???????? 83c410 } + $sequence_4 = { f7fe 8945bc 8b4508 0fafc1 99 f7fe } + $sequence_5 = { 3b45bc 0f85a4000000 33c0 40 6bc005 8b4df0 0fb60401 } + $sequence_6 = { 8b7df0 49 3bdf 7507 894dec 8bc1 eb03 } + $sequence_7 = { 6a01 ff750c ff75f4 ff15???????? 8365e000 6a02 8d45e0 } + $sequence_8 = { 57 8d45f4 50 68???????? 33ff 6a01 57 } + $sequence_9 = { 51 50 0fb74304 50 52 56 e8???????? } condition: 7 of them and filesize < 827392 
@@ -117539,36 +118206,36 @@ rule MALPEDIA_Win_Tellyouthepass_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "354e0e6c-ccce-5215-81be-86e86c2d035f" - date = "2026-01-05" - modified = "2026-01-06" + id = "20b2ccf2-d496-503c-bb6d-239d66ef8d68" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tellyouthepass_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tellyouthepass_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "dc25f522d82a6df0aaae3de9d80ac3b6a17f46baeb51d065b8c3d1eda2c481dc" + logic_hash = "e3244206608d48815abb86d53782b6d05c5406454ea3a5b330be098013681725" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b0d???????? eb0a 488b4c2448 488b5c2420 48894c2440 48895c2428 488d050b4e1000 } - $sequence_1 = { 4d85c0 7f1d 488b8c24f0000000 488b9424f8000000 488b9c24a8010000 e9???????? 4889bc2418010000 } - $sequence_2 = { f20f10442440 e8???????? 488d051a1f1a00 bb0c000000 6690 e8???????? e8???????? 
} - $sequence_3 = { 80f902 7345 884c2417 0fb6d1 4889542420 48c1e206 488d35728f3000 } - $sequence_4 = { 48c740102c000000 833d????????00 750d 488d0d57b70600 48894808 eb10 488d7808 } - $sequence_5 = { 4c8b4028 4c8b4830 4c8b5020 488dbc2490010000 488d3585530b00 48896c24f0 488d6c24f0 } - $sequence_6 = { 6690 eb10 488d7a70 488d155b4b0d00 e8???????? 90 488b15???????? } - $sequence_7 = { bb06000000 90 e8???????? 488b442410 e8???????? 488d0525631700 bb0b000000 } - $sequence_8 = { eb09 4889c7 90 e8???????? 488d0514690e00 488b5c2438 488d0d73e11000 } - $sequence_9 = { eb14 488d7818 488b8c24c0020000 0f1f00 e8???????? 48c740100b000000 488d0d9ed01300 } + $sequence_0 = { e8???????? 48c740100e000000 488d0d1f031400 48894808 833d????????00 7509 488905???????? } + $sequence_1 = { e8???????? 488d05513f1800 bb13000000 0f1f440000 e8???????? 8b442424 89c0 } + $sequence_2 = { bb10000000 e8???????? 488b442428 e8???????? 488d0509dd1700 bb07000000 e8???????? } + $sequence_3 = { 833d????????00 7505 488910 eb08 4889c7 e8???????? 488d05ad720e00 } + $sequence_4 = { e8???????? 488b942488000000 48895a10 833d????????00 7506 48894208 eb09 } + $sequence_5 = { f0480fc102 ba01000000 4c8d0542853300 f0490fc110 eb32 4883fa02 751a } + $sequence_6 = { 48c1fe3f 4921f3 4b8d1c18 4d85db 7412 4c89c0 4c89d1 } + $sequence_7 = { e8???????? eb0f 488d15b2060600 488bb424d0000000 4889942488000000 4889b42490000000 488b942488000000 } + $sequence_8 = { 8b9890000000 895c2414 0fb6b0b0000000 4080fe1b 720e be13000000 4c8d0502f31500 } + $sequence_9 = { 7d74 4c8d1431 4d39d1 0f867e010000 470fb61410 4589d5 4183e2c0 } condition: 7 of them and filesize < 7152640 
@@ -117578,36 +118245,34 @@ rule MALPEDIA_Win_Electricfish_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4bbe8d4f-bb22-5f20-a9d1-098a3e3e3fc4" - date = "2026-01-05" - modified = "2026-01-06" + id = "644381b6-362d-5f1b-9303-d5ae25d7db40" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.electricfish_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.electricfish_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "107f1b585d0a1fb5b5a2004135458a9d2fc68da8f22b2f0a6dfa6f03b7f81b2b" + logic_hash = "9942678020bb2669f734d3306a631ed9324c86db369d8b9407670b5141533d86" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb08 56 57 53 ffd0 83c40c 3bc6 } - $sequence_1 = { e8???????? 8bf8 85ff 75e0 6891010000 68???????? 6a41 } - $sequence_2 = { eb3a 0fb67201 81e680000000 b901000000 3bc6 75c4 68ae000000 } - $sequence_3 = { 39442458 7413 6852020000 68???????? 50 e8???????? 83c40c } - $sequence_4 = { c3 837f1006 7414 689a010000 68???????? 6892000000 e9???????? } - $sequence_5 = { 33c0 c745fc02000000 8945e8 8945ec 8d45e8 6a08 50 } - $sequence_6 = { f6423401 7508 c744241401000000 8b834c010000 85c0 0f8426010000 3bf8 } - $sequence_7 = { 85ed 7518 6874010000 68???????? 
6a41 6a7d 6a0b } - $sequence_8 = { e8???????? 83c40c 85c0 0f84bb040000 6a01 53 c7430c00000000 } - $sequence_9 = { 85ff 0f8522010000 e8???????? 5f 5e 5d } + $sequence_0 = { 3bc3 7438 6a7e 68???????? 50 e8???????? 83c40c } + $sequence_1 = { 3bc3 7417 50 e8???????? 83c404 898608020000 3bc3 } + $sequence_2 = { 3bc3 7421 395f04 747b 68c2000000 68???????? 6a08 } + $sequence_3 = { 3bc3 741d 8b87b0010000 3bc3 741e 50 } + $sequence_4 = { 3bc3 7413 50 e8???????? 83c404 89861c020000 3bc3 } + $sequence_5 = { 3bc3 741a 8b8edc000000 8d542470 89442478 894c2470 895c247c } + $sequence_6 = { 3bc3 741e 50 e8???????? 83c404 898618020000 3bc3 } + $sequence_7 = { 3bc3 7429 395860 7424 8b4c2414 51 8b4c2424 } condition: 7 of them and filesize < 3162112 
@@ -117617,36 +118282,36 @@ rule MALPEDIA_Win_Morto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b5b99ce-9055-5caf-9153-d6b5f44f1d51" - date = "2026-01-05" - modified = "2026-01-06" + id = "fd233ec9-9086-58a2-9510-dd6eeb30478a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.morto_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.morto_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "3f690f88537e995c1dc2e4101db7568f5b1a20d460c6735cbb429d69f53136bf" + logic_hash = "34c000300d31b377966f017e5c380e6b5fd4b77b6af01988376ae47ea7092b6d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 59 8d8594fdffff 59 56 50 } - $sequence_1 = { 8bf9 760c 8a4d10 280c30 40 3b450c } - $sequence_2 = { 0f859f020000 53 57 8ac0 33db ba25537973 } - $sequence_3 = { ff55ec 53 6a04 ff55e4 6a01 } - $sequence_4 = { 6a01 68???????? ff35???????? a3???????? e8???????? 83c438 } - $sequence_5 = { 3bc3 59 0f843e010000 8d4dbc 51 50 } - $sequence_6 = { c20c00 b8???????? e8???????? 81ec38020000 53 56 57 } - $sequence_7 = { 50 6a00 ff15???????? 85c0 894704 742a 83c005 } - $sequence_8 = { b9???????? e9???????? 55 8bec b86c260300 } - $sequence_9 = { 8b450c 68???????? 
c745f44d61696e c745f854687265 ff30 c745fc61640000 ff15???????? } + $sequence_0 = { 7406 802600 46 ebf5 8b4601 46 } + $sequence_1 = { ff35???????? c745ec04000000 c745fce8030000 ff15???????? } + $sequence_2 = { 8a0419 41 8d440001 8bf0 } + $sequence_3 = { 83c604 8ac0 56 ff15???????? } + $sequence_4 = { 83ec1c 8b4508 8365f400 8945e8 8b450c 8945f0 } + $sequence_5 = { 3a1f 751a 84c0 7412 8a5e01 8ac3 } + $sequence_6 = { 8945d8 c745dc44726f70 c745e0004d5c57 ff15???????? 33db 59 3bc3 } + $sequence_7 = { 56 8b5178 57 8945fc 03d0 } + $sequence_8 = { 280c30 40 3b450c 72f4 8b4608 } + $sequence_9 = { 85c0 7521 8d45e4 8bce 50 e8???????? } condition: 7 of them and filesize < 49152 
@@ -117656,36 +118321,36 @@ rule MALPEDIA_Win_Yoddos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "10bd6a04-5d32-593e-bba9-9dd8c0a017eb" - date = "2026-01-05" - modified = "2026-01-06" + id = "ce3366b3-97d7-5265-839e-0c05d54993fd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yoddos_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yoddos_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "2bcf30b4ceb2923df5d8477756a290466d01852078cc1f43ff184eee0a076cc3" + logic_hash = "cc00931bf754d34c9039429c6f0e8b0dd0a6174815db0d639298ba58b19cd157" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 034508 57 53 894508 8d85d0feffff 50 } - $sequence_1 = { e8???????? 59 59 50 ff75bc ff75b8 e8???????? } - $sequence_2 = { 83c44c 8d85bcf6ffff 50 8d85bcfaffff } - $sequence_3 = { c68530ffffff77 c68531ffffff77 c68532ffffff77 c68533ffffff2e } - $sequence_4 = { c645e374 c645e465 c645e546 c645e669 } - $sequence_5 = { 50 e8???????? 8d85c8feffff 50 e8???????? 
83c410 } - $sequence_6 = { c645db54 c645dc45 c645dd4d c645de5c c645df43 c645e075 c645e172 } - $sequence_7 = { c645fa74 c645fb6c 885dfc c645e857 c645e953 c645ea32 c645eb5f } - $sequence_8 = { ffd7 8d8d58ffffff 8945fc 51 50 c68558ffffff49 c68559ffffff6e } - $sequence_9 = { 7e06 897db4 8945ac 8d8548feffff 50 } + $sequence_0 = { 50 8d45bc 33db 50 c645cc4b c645cd45 c645ce52 } + $sequence_1 = { 6a01 6a02 ff15???????? 8bf0 83feff 0f84d7000000 } + $sequence_2 = { 833d????????00 7414 e8???????? 99 b9ffff0000 } + $sequence_3 = { 56 ff15???????? b863000000 90 b89dffffff 90 ffb564ffffff } + $sequence_4 = { 59 8d85bcfaffff 53 50 e8???????? 59 40 } + $sequence_5 = { ffb5f4fdffff ff15???????? e9???????? 834dfcff e8???????? 33c0 8b4df0 } + $sequence_6 = { 68f4000000 8d8564feffff 53 50 e8???????? 83c40c } + $sequence_7 = { b89dffffff 90 be04010000 8d858cfeffff 33db 56 } + $sequence_8 = { c68547ffffff20 c68548ffffff28 c68549ffffff63 c6854affffff6f c6854bffffff6d c6854cffffff70 c6854dffffff61 } + $sequence_9 = { 90 b89dffffff 90 e8???????? b863000000 } condition: 7 of them and filesize < 557056 
@@ -117695,50 +118360,50 @@ rule MALPEDIA_Win_Dizzyvoid_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db997ae6-872c-5121-a308-2ff2cf7909e7" - date = "2026-01-05" - modified = "2026-01-06" + id = "be06e11d-d778-5269-9dcb-1746f75ce88f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dizzyvoid" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dizzyvoid_auto.yar#L1-L234" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dizzyvoid_auto.yar#L1-L235" license_url = "N/A" - logic_hash = "ee47377d576371e1f242f6668080ed5eb3d7f4fc6edffaf4a1f51714c1f6dc67" + logic_hash = "7ffc974db56fb5a292ad36d0e4faa208c0c7b9ebd44121608cef37bef591b8a0" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b8bd0000000 4885c9 7403 ff5350 } - $sequence_1 = { 41c1e11c c1e904 4403c9 498bc8 48c1e902 418bc1 48c1e802 } - $sequence_2 = { 48b865210b59c84216b2 4c2bc1 49f7e8 4903d0 } - $sequence_3 = { 48b865210b59c84216b2 48f7e9 4803d1 48c1fa07 } - $sequence_4 = { 48895c2430 44897c2428 48896c2420 448bce } - $sequence_5 = { 4889442428 c7442420f8080000 4c8d8da0050000 41b806000000 } - $sequence_6 = { 488b8bc8000000 ff5350 90 488b8bd0000000 ff5350 90 488b8bd8000000 } - $sequence_7 = { 0f118980000000 48898190000000 488d0557e5ffff 498b0b } - $sequence_8 = { 8bec 81ec34040000 53 56 57 
8dbdccfbffff b90d010000 } - $sequence_9 = { 8b8d90fcffff 51 e8???????? 83c40c 8bf4 } - $sequence_10 = { 7320 8b859cfcffff 0fb68c05a8fcffff 83f104 8b959cfcffff } - $sequence_11 = { 8b4dfc 33cd e8???????? 81c434040000 3bec } - $sequence_12 = { 8bf4 ff9590fcffff 3bf4 e8???????? 33c0 52 8bcd } - $sequence_13 = { 8dbdccfbffff b90d010000 b8cccccccc f3ab a1???????? 33c5 8945fc } - $sequence_14 = { a1???????? a3???????? a1???????? c705????????2a134100 } - $sequence_15 = { c705????????2a134100 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 } - $sequence_16 = { e8???????? c70016000000 e8???????? ebb4 c745e4700a4100 a1???????? } - $sequence_17 = { 83e908 8d7608 660fd60f 8d7f08 8b048de81f4000 } - $sequence_18 = { 59 8365fc00 8b049d601c4100 f644380401 740b } - $sequence_19 = { c3 8b04c53cb04000 5d c3 55 8bec } - $sequence_20 = { 33f6 e8???????? 83c404 8bf8 6800100000 } - $sequence_21 = { 8d44242c 50 57 46 ffd3 85c0 75f3 } - $sequence_22 = { 888690f54000 46 ebe5 ff35???????? } - $sequence_23 = { 8b04b5601c4100 0500080000 3bc8 7324 66c74104000a } + $sequence_0 = { 41b8bc469d7d 488b15???????? e8???????? 48898388000000 } + $sequence_1 = { 492bc9 48b865210b59c84216b2 48f7e9 4803d1 48c1fa07 } + $sequence_2 = { 488bd9 33d2 488b89d8000000 ff9390000000 } + $sequence_3 = { 48896c2420 448bce 4d8bc6 33d2 } + $sequence_4 = { 488b03 488d0c07 48894b10 4c8bc0 488b5608 488b0e e8???????? } + $sequence_5 = { 41b8cc38fcbf 488b15???????? e8???????? 48894360 } + $sequence_6 = { 33d2 33c9 ff15???????? 4c63f8 498bcf e8???????? } + $sequence_7 = { 4885c9 7403 ff5350 488b8bc8000000 } + $sequence_8 = { 8b8d90fcffff 51 e8???????? 83c40c 8bf4 } + $sequence_9 = { c705????????2a134100 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 } + $sequence_10 = { a1???????? a3???????? a1???????? c705????????2a134100 8935???????? a3???????? } + $sequence_11 = { 83c40c 8bf4 ff9590fcffff 3bf4 e8???????? 
33c0 52 } + $sequence_12 = { 8bec 81ec34040000 53 56 57 8dbdccfbffff } + $sequence_13 = { ebc5 8bf4 6a40 6800300000 } + $sequence_14 = { b90d010000 b8cccccccc f3ab a1???????? 33c5 } + $sequence_15 = { 33cd e8???????? 81c434040000 3bec e8???????? 8be5 } + $sequence_16 = { 83e71f c1e706 8b049d601c4100 0fbe443804 83e001 } + $sequence_17 = { 8d4df0 c745fc???????? e8???????? 68???????? 8d45f0 50 c745f084af4000 } + $sequence_18 = { f3a5 8d8dc4fcffff 51 6a00 } + $sequence_19 = { f0300e 40 3d31030000 72eb 6a40 6800100000 6800040000 } + $sequence_20 = { c1e706 8b0485601c4100 83c00c 03c7 50 } + $sequence_21 = { 8b04c5d4f04000 5d c3 ff15???????? 33c9 } + $sequence_22 = { 51 6af6 ff15???????? 8b04bd601c4100 830c06ff 33c0 } + $sequence_23 = { 59 83f83c 7635 68???????? e8???????? 8d0c458c024100 } condition: 7 of them and filesize < 479232 
@@ -117748,42 +118413,42 @@ rule MALPEDIA_Win_Aurastealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c36a500-8774-5585-be5e-1badb5bb0481" - date = "2026-01-05" - modified = "2026-01-06" + id = "1a3e0581-ade7-54a6-bdd4-28a51aa380b8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurastealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aurastealer_auto.yar#L1-L147" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aurastealer_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "8480b12b568e7fb011f2e56db2dfa5eb1d5aeacb4a24d1ba1c2deb0c82ba7d5d" + logic_hash = "c0b56dc51d5bf53a1c37dbc5bcb3ec65064d15522621c2ad5124f0404d3d455d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 09f8 894648 83c110 894e44 8b7e30 } - $sequence_1 = { 09f9 85d2 0f49c8 89f5 } - $sequence_2 = { 09fb 895e48 83c110 894e44 } - $sequence_3 = { 09fb 8b0c24 0fb68c0e32900000 01d1 } - $sequence_4 = { 0a1c24 751f 8b7920 8b3f } - $sequence_5 = { 0a442404 89ee 7456 8b6c2410 } - $sequence_6 = { 09fa d1ea 89f7 83e601 } - $sequence_7 = { 0a4c2410 751c 6840df0400 6a01 } - $sequence_8 = { 01442428 8bf1 13d9 33d2 } + $sequence_0 = { 0fb6c8 e8???????? 8a0c24 30f9 } + $sequence_1 = { 0fb6c9 52 51 50 89fd } + $sequence_2 = { 0fb6c8 e8???????? 
88442409 8b4c2410 } + $sequence_3 = { 0fb6ca e8???????? 325c2401 30c3 } + $sequence_4 = { 0fb6c8 e8???????? 88442408 0fb6c8 } + $sequence_5 = { 0fb6c8 e8???????? 88442407 89d8 } + $sequence_6 = { 01de ff742408 55 56 e8???????? } + $sequence_7 = { 01de eb41 c746140f000000 89d8 83c80f 83f817 bd16000000 } + $sequence_8 = { 0002 8a0c0f 83c40c 020e } $sequence_9 = { 01442420 13d1 c1eb0b 0fa4c115 } - $sequence_10 = { 012c18 42 3bd7 72dc } + $sequence_10 = { 01442428 8bf1 13d9 33d2 } $sequence_11 = { 014c241c 13f0 33d2 89742420 } - $sequence_12 = { 014c2420 8be8 13f0 33ff } - $sequence_13 = { 0144241c 8b7c2424 136c2414 33c0 } - $sequence_14 = { 0128 42 3bd7 72db } - $sequence_15 = { 0002 8a0c0f 83c40c 020e } + $sequence_12 = { 0144241c 8b7c2424 136c2414 33c0 } + $sequence_13 = { 0128 42 3bd7 72db } + $sequence_14 = { 012c18 42 3bd7 72dc } + $sequence_15 = { 014c2420 8be8 13f0 33ff } condition: 7 of them and filesize < 1918976 @@ -117797,7 +118462,7 @@ rule MALPEDIA_Win_Socksproxygo_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksproxygo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.socksproxygo_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.socksproxygo_auto.yar#L1-L134" license_url = "N/A" logic_hash = "dae101b13021abf8406ff6df83b23a76fef8534b33d21e36035ee793df6e14d3" score = 75 
@@ -117832,36 +118497,36 @@ rule MALPEDIA_Win_Horus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "69a4cf35-2806-517b-bb53-0add97c1f457" - date = "2026-01-05" - modified = "2026-01-06" + id = "d360dcae-88e3-56c3-ad49-d048a5d59f10" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.horus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.horus_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.horus_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "98e7222b64c7a567c8f798abf5f3ca917bf88c189a0e21ef9e9894081482246f" + logic_hash = "3391a294872b22675b06e19bbaf99f8ddf342a638d7246e9d740ef6d2b2068a6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b456f 3bc7 0f8458ffffff 488b757f 897d6f 8b456f 3bc7 } - $sequence_1 = { 57 4883ec20 488b19 488bf9 4885db 0f84de000000 488b7378 } - $sequence_2 = { 4c8945e8 488d4550 488945e0 65488b042560000000 488b4818 488b4110 488b08 } - $sequence_3 = { 480f499df0000000 4885db 742f 488d4307 b908000000 8000d9 48ffc8 } - $sequence_4 = { 488b5df8 eb02 33db 4885db 7429 488d4307 b908000000 } - $sequence_5 = { 4c8bc6 488bc8 33d2 ff15???????? 49833c2400 0f8494000000 bd01000000 } - $sequence_6 = { 83632c00 83633000 c7456f04fa0100 e9???????? 
83637c00 488d4b04 488bd6 } - $sequence_7 = { 7457 3d21c40100 0f84d8000000 3d84c80100 0f85cf000000 488b4580 4885c0 } - $sequence_8 = { b803000000 c3 83792800 7427 488b5118 48837a0800 741c } - $sequence_9 = { 0f849e000000 3d45940100 7465 3d56a60100 7441 3dffdc0100 7424 } + $sequence_0 = { 48894c2448 8b85a8040000 3d2a750000 0f8435010000 3d36c20100 743c 3dcbf80100 } + $sequence_1 = { 8000d9 48ffc8 48ffc9 75f5 4883659f00 488d45f7 48894597 } + $sequence_2 = { 3bc0 0f854a010000 4533c9 c7442430d05b0000 8b442430 3dd05b0000 0f84c8000000 } + $sequence_3 = { ff15???????? 488bd8 4885c0 7453 c785100100000d800300 8b8510010000 3d124e0000 } + $sequence_4 = { 740b e8???????? 4533c0 488bd8 89b530030000 eb86 4439458c } + $sequence_5 = { 744d 4c8d4538 488d15718dffff 33c9 ffd0 488bcb 85c0 } + $sequence_6 = { 4c8d4520 488d1509a7ffff 33c9 ffd0 498bcf 85c0 480f494d28 } + $sequence_7 = { 4c89b508020000 44896c2420 8b442420 413bc5 7429 3d49bc0100 7441 } + $sequence_8 = { 742d 4c8d45f0 488d1580bbfdff 33c9 ffd0 488bd7 85c0 } + $sequence_9 = { 48894c2478 3d4b0e0000 74e1 eb05 488b4c2478 3d4d050200 750f } condition: 7 of them and filesize < 887808 @@ -117872,10 +118537,10 @@ rule MALPEDIA_Win_Net_Star_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "e4a1e4d6-66ac-52a3-a1bf-1a40ab526cfc" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.net_star" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.net_star_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.net_star_auto.yar#L1-L124" license_url = "N/A" logic_hash = "93e5fe016bec66ccfdfdaabf1a580d9d03655d26419d498170f8b7ee102df278" score = 75 
@@ -117884,9 +118549,9 @@ rule MALPEDIA_Win_Net_Star_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -117910,36 +118575,36 @@ rule MALPEDIA_Win_Arkei_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f91473e-0f59-5d43-b31c-36e662e7cb73" - date = "2026-01-05" - modified = "2026-01-06" + id = "3de0bd09-57e2-59a9-b60f-83adb1dab455" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.arkei_stealer_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.arkei_stealer_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "ce62b8dc4f39a6203176e1a77c002f4403d000ee3dbdbb3ae02c853f65ed371e" + logic_hash = "26da82ca5a11cef123ad331344126b45d9f81d18a9c5914ab02d3198808fcb02" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f849ffeffff ba424d0000 668955ec 8b4620 8b0e 8d1481 } - $sequence_1 = { 57 57 68000000c0 68???????? ff15???????? 8bf8 } - $sequence_2 = { 52 57 8945f6 ff15???????? 85c0 0f8458feffff 8b4e20 } - $sequence_3 = { 6689460c 668b4dd6 66894e0e 6683fb18 } - $sequence_4 = { ff15???????? 
85c0 74be 8b45e0 } - $sequence_5 = { 8d55ec 52 57 8945f6 } - $sequence_6 = { 895608 668b45d4 6689460c 668b4dd6 66894e0e } - $sequence_7 = { 8b16 8d448a0e 6a00 8d4de4 51 6a0e } - $sequence_8 = { 74be 8b45e0 8d55c4 52 6a18 50 } - $sequence_9 = { 57 8945e8 ffd3 6a0a 57 8bf0 } + $sequence_0 = { 8b4e20 8b16 8d448a0e 6a00 8d4de4 51 6a0e } + $sequence_1 = { 894e04 8b55cc 895608 668b45d4 6689460c 668b4dd6 } + $sequence_2 = { 6a40 ff15???????? 8bf0 c70628000000 8b4dc8 894e04 8b55cc } + $sequence_3 = { 8b4dc8 894e04 8b55cc 895608 668b45d4 } + $sequence_4 = { 668b45d4 6689460c 668b4dd6 66894e0e } + $sequence_5 = { ff15???????? 85c0 74de 8b4de8 682000cc00 53 56 } + $sequence_6 = { 56 6a00 6a00 57 53 56 6a00 } + $sequence_7 = { 57 8945e8 ffd3 6a0a 57 8bf0 } + $sequence_8 = { 83ffff 0f849ffeffff ba424d0000 668955ec } + $sequence_9 = { 6a00 51 ff15???????? 85c0 74be } condition: 7 of them and filesize < 1744896 
@@ -117949,36 +118614,36 @@ rule MALPEDIA_Win_Danderspritz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1b0527de-0d7b-5ad4-aabc-a511337e98f1" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c8ea881-51a4-51cf-bc8e-85530c02beed" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danderspritz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.danderspritz_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.danderspritz_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "a3dc5330dc4023c2900af3ec5e9bf8ed5ecdce820fe76e6a6bb8f01cda67ce81" + logic_hash = "dcaf03b4c0c98f17c5c3314ddcf84bf8099caddc8d860b2cd8f3c4ec00e859e0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 3ac3 7534 4c8b15???????? 483bfb 4d8bca 0f94c2 } - $sequence_1 = { 48894360 4183f802 0f877bfeffff 4183e101 488bcb 418bd1 e8???????? } - $sequence_2 = { 7425 85d2 7421 3bc1 721d 3bc2 7219 } - $sequence_3 = { 4053 4883ec30 488bd9 85d2 753d 488d9198010000 488d0d75e60100 } - $sequence_4 = { 83f8ff 7505 e8???????? 8b0d???????? ff15???????? 4885c0 7404 } - $sequence_5 = { 4c8d0d5fe60300 4c8d0560e60300 488d1555e60300 488bc8 e8???????? 
83f8ff 7525 } - $sequence_6 = { 0fb6da 498d4be0 4533c9 448bc0 498bd2 896c2448 66896c2434 } - $sequence_7 = { 488bfe 4885f6 759a 8b435c 83635400 894348 } - $sequence_8 = { 4103fd 488b4538 8a480c 80f9ff 7403 83c708 393e } - $sequence_9 = { 448bc0 ba02000000 488bcf e8???????? b800000010 488b9c2408010000 4881c4c0000000 } + $sequence_0 = { ffc2 4883c108 8b8798000000 3bd0 72e3 eb04 b301 } + $sequence_1 = { e9???????? 488d9424b0000000 488d4c2430 488b01 488902 488b4108 48894208 } + $sequence_2 = { eb17 be11000000 eb10 be0a000000 eb09 be0e000000 eb02 } + $sequence_3 = { 48896c2440 6689ac24d8000000 e8???????? 3bc5 7528 448b4c2438 4c8b442440 } + $sequence_4 = { 4057 4883ec50 48c7442430feffffff 48895c2460 48896c2468 4889742470 498bf0 } + $sequence_5 = { 750a b8010000f0 e9???????? 448b8c24a8000000 4c8b8424a0000000 488bd6 488bcb } + $sequence_6 = { 33c9 ff5058 413bc4 0f85a8030000 488b942418010000 493bd4 0f8497030000 } + $sequence_7 = { 85c0 7512 488325????????00 488325????????00 eb07 c605????????01 488d0dd58e0200 } + $sequence_8 = { 488b05???????? 488d15c31c0300 eb0d 488d4880 44395918 740a 488b00 } + $sequence_9 = { 33d2 488bcd e8???????? 8b4338 488bcd 39433c 0f87e5000000 } condition: 7 of them and filesize < 750592 
@@ -117988,33 +118653,34 @@ rule MALPEDIA_Win_Poison_Ivy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0917932a-f079-5bf1-931c-716d03c726be" - date = "2026-01-05" - modified = "2026-01-06" + id = "a2d89fd6-480f-57cd-bd0d-2560bff27c54" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poison_ivy_auto.yar#L1-L94" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poison_ivy_auto.yar#L1-L100" license_url = "N/A" - logic_hash = "3536834c24827a74ee9df7192a4db2e3644f1cf45a57755c4feba403f8b5bbbf" + logic_hash = "b2475431ed758e3ff8935e1c74ac6b4f3926f08275a382bf8b4567e43b005f1e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a01 6a00 8d86120e0000 50 } - $sequence_1 = { 683f000f00 6a00 57 51 ff5635 68ff000000 } - $sequence_2 = { 51 57 ff9681000000 8d45fc 50 683f000f00 6a00 } - $sequence_3 = { 80beaf08000001 7507 b902000080 eb05 b901000080 8d45fc 50 } - $sequence_4 = { 8d86120e0000 50 ff75fc ff563d } - $sequence_5 = { 51 ff5635 68ff000000 8d86b1060000 50 6a01 6a00 } - $sequence_6 = { 57 ff9681000000 80beaf08000001 7507 } + $sequence_0 = { 68ff000000 8d86b1060000 50 6a01 6a00 8d86120e0000 50 } + $sequence_1 = { eb05 b901000080 8d45fc 50 683f000f00 } + $sequence_2 = { 57 ff9681000000 
80beaf08000001 7507 } + $sequence_3 = { 683f000f00 6a00 57 51 } + $sequence_4 = { 80beaf08000001 7507 b902000080 eb05 b901000080 } + $sequence_5 = { 59 51 57 ff9681000000 8d45fc } + $sequence_6 = { 6a00 8d86120e0000 50 ff75fc ff563d ff75fc ff5631 } + $sequence_7 = { 57 51 ff5635 68ff000000 8d86b1060000 } condition: 7 of them and filesize < 204800 
@@ -118024,36 +118690,36 @@ rule MALPEDIA_Win_Koadic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "90cb2869-83e9-5158-9659-47bf570b7e5e" - date = "2026-01-05" - modified = "2026-01-06" + id = "bf88d4a7-0ac8-5d5f-97c3-f273f6977c73" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.koadic_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.koadic_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "d8659459b0b0216a7ee3a53301a133024a4e0a3aca2952b29c3bef6ea3dd8620" + logic_hash = "9196b0f87e82e86efe9c0d9c680f1d92780e7fd08cea995d1ee35ec7725abb9e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 58 89450c 8b0424 50 58 894510 } - $sequence_1 = { 884c3410 85db 75d4 85f6 7e0c 8a4c3410 } - $sequence_2 = { 89442428 ff742420 8b6c2418 58 894500 ff742424 58 } - $sequence_3 = { 740d 50 51 e8???????? 83c408 c20800 } - $sequence_4 = { ff05???????? 8934c558344100 890cc55c344100 5e c20800 55 8bec } - $sequence_5 = { 8bf0 e8???????? 33ff 3bc7 740a 893e 897e04 } - $sequence_6 = { 897e1c 3bc5 0f8490000000 8b4804 894e10 8b480c 894e18 } - $sequence_7 = { c21000 8b442408 48 7404 33c0 eb15 8b442404 } - $sequence_8 = { 58 a3???????? ff7508 58 } - $sequence_9 = { 6a08 ff35???????? 
ff15???????? 8bf0 33db 3bf3 } + $sequence_0 = { 011424 ff35???????? e8???????? 89c5 c7450001000000 ff35???????? } + $sequence_1 = { 8d442424 50 e8???????? eb0f 8d4c2418 } + $sequence_2 = { 6810000000 ff35???????? e8???????? 68???????? e8???????? 8b15???????? } + $sequence_3 = { ff3424 e8???????? 8b1424 ff35???????? e8???????? 58 } + $sequence_4 = { 8b4c241c 894f04 885d30 5f 5e 5b } + $sequence_5 = { 50 e8???????? eb29 6a08 51 845c2420 7411 } + $sequence_6 = { ff7500 58 a3???????? 8b6c240c ff7500 58 a3???????? } + $sequence_7 = { 83feff 0f8580fdffff 8bc8 8b450c 5e 3bc8 7d1d } + $sequence_8 = { 8b4614 55 8b6c241c 57 8b3d???????? } + $sequence_9 = { e8???????? ff35???????? e8???????? 8d442410 50 e8???????? ff35???????? } condition: 7 of them and filesize < 180224 
@@ -118063,40 +118729,40 @@ rule MALPEDIA_Win_Zeroaccess_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b43bafa0-7845-5d97-89eb-71fc1e8384a0" - date = "2026-01-05" - modified = "2026-01-06" + id = "d6895c5d-03b4-5482-a225-c716497077e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeroaccess_auto.yar#L1-L139" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeroaccess_auto.yar#L1-L144" license_url = "N/A" - logic_hash = "58e6fa201d2edf5394810209f43ab6a140ff615859a9e38ec78386b3f1a7fa21" + logic_hash = "e144ce8260c81dad853ba3565e71a072be1e883cbcc3648a4cb072052ebb1362" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 7408 ff15???????? eb02 } - $sequence_1 = { 8b01 ff761c ff7618 ff5004 } - $sequence_2 = { 50 68???????? 6889001200 8d45fc } - $sequence_3 = { 6a01 8d45f4 50 ff7608 ff15???????? } - $sequence_4 = { 48 83c9ff c744242804000000 48 } - $sequence_5 = { 3bf8 730e 2bc7 e8???????? } - $sequence_6 = { 68060000c8 ff7708 ff15???????? 85c0 } - $sequence_7 = { 6a10 68???????? 68060000c8 ff7708 } + $sequence_0 = { 85c0 7408 ff15???????? eb02 } + $sequence_1 = { 56 68???????? 50 8d460c 50 } + $sequence_2 = { 6a01 8d45f4 50 ff7308 ff15???????? 
85c0 7408 } + $sequence_3 = { 33c0 48 83c9ff c744242804000000 48 } + $sequence_4 = { 56 6a10 8945e8 8d45e4 50 } + $sequence_5 = { 68???????? 68060000c8 ff7708 ff15???????? 85c0 } + $sequence_6 = { 50 68???????? 6889001200 8d45fc } + $sequence_7 = { 68???????? 68060000c8 ff7308 ff15???????? } $sequence_8 = { 740c bf03000040 eb05 bf010000c0 85ff } $sequence_9 = { 3bc1 7604 83c8ff c3 } $sequence_10 = { ff15???????? 85c0 7407 b8e3030000 } - $sequence_11 = { 89742438 897c2448 e8???????? 48 } - $sequence_12 = { eb06 ff15???????? 48 8b9520020000 4c } - $sequence_13 = { 85c0 750c 8d7808 e8???????? ffcf 75f7 833d????????06 } + $sequence_11 = { 7e29 41 8d5001 41 8bc0 } + $sequence_12 = { 85c0 753d 8175bb01010101 48 8d4de7 } + $sequence_13 = { fec1 45 0fb6c1 47 021418 43 } condition: 7 of them and filesize < 464896 
@@ -118106,36 +118772,36 @@ rule MALPEDIA_Win_Frozenhill_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "67a93804-b581-5120-9731-01f5ce053d83" - date = "2026-01-05" - modified = "2026-01-06" + id = "26625aa3-abba-591f-a652-9624a7920c00" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.frozenhill" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.frozenhill_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.frozenhill_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "f77792066de7c23219a214fc531000b7de62e743dbb704f0fcc9770a904b8873" + logic_hash = "c710aa7e73f3bdc066823c167b48d01dd77758aaeacb7c96940acf3188491e90" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8be5 5d c3 1b9b0e10769b 0e 10d1 9b } - $sequence_1 = { ff7508 8d85c8f7ffff 50 ff15???????? 3bf4 } - $sequence_2 = { 8d85f4feffff 3985e8feffff 7436 8b85e8feffff 0fbe08 83f95c 7428 } - $sequence_3 = { 05???????? 50 e8???????? 83c404 ebda 5f 5e } - $sequence_4 = { f3ab a1???????? 33c5 8945fc b9???????? e8???????? 6a73 } - $sequence_5 = { 8bf4 8b4508 8b4808 51 8b55f8 81c2300c0000 52 } - $sequence_6 = { 8bf4 8d85f0fdffff 50 6804010000 ff15???????? 
3bf4 } - $sequence_7 = { b874000000 66894586 b85c000000 66894588 b857000000 6689458a b869000000 } - $sequence_8 = { 5b 8b4df0 33cd e8???????? 81c480030000 } - $sequence_9 = { 8945fc b9???????? e8???????? c745f400000000 c745e800000000 c745dc00000000 c745d000000000 } + $sequence_0 = { 8b0485507c1310 8a4c102d 80e1fe 8b55e0 c1fa06 8b45e0 83e03f } + $sequence_1 = { 6a72 58 668985a6fdffff 6a61 58 668985a8fdffff 6a6d } + $sequence_2 = { ff15???????? 3bf4 e8???????? 8945e0 837decff 7507 c745ec80000000 } + $sequence_3 = { 81c1???????? 51 8b5510 8b02 0345c4 50 } + $sequence_4 = { 50 8b4df4 51 e8???????? 85c0 7583 8bf4 } + $sequence_5 = { b872000000 668945a4 b865000000 668945a6 b85c000000 668945a8 b84d000000 } + $sequence_6 = { 8d8520ffffff 50 8b4df8 e8???????? 8b08 898d2cffffff 8b5508 } + $sequence_7 = { c645fc00 8d8df4feffff e8???????? 0fb6850bffffff 85c0 744b } + $sequence_8 = { b8cccccccc f3ab b9???????? e8???????? 8b4508 8945f8 8b450c } + $sequence_9 = { b001 eb2e 8d85c4feffff 50 ffb5b8feffff e8???????? 8945f4 } condition: 7 of them and filesize < 2652160 
@@ -118145,52 +118811,50 @@ rule MALPEDIA_Win_Conti_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "495a4961-c51d-5437-b6e5-42c5ef6dadea" - date = "2026-01-05" - modified = "2026-01-06" + id = "243432c5-f0f7-5b86-b633-89ff78c7e694" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.conti_auto.yar#L1-L249" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.conti_auto.yar#L1-L230" license_url = "N/A" - logic_hash = "8e7e21e9b7d082151509bf910013dc897955e4fc02be809b33bd86909bb72949" + logic_hash = "20c829c3c99980f53d00293a720f0b57b6132e54bd1517f31879bd40125146b9" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7542 53 bb0e000000 57 8d7e01 8d7371 } - $sequence_1 = { 56 8bf1 8975fc 803e00 7542 53 bb0e000000 } - $sequence_2 = { 8d7f01 0fb6c0 b957000000 2bc8 } - $sequence_3 = { 0f1f4000 8a07 8d7f01 0fb6c0 b966000000 2bc8 } - $sequence_4 = { 8d7f01 0fb6c0 b927000000 2bc8 } - $sequence_5 = { 8d7f01 0fb6c0 b978000000 2bc8 } - $sequence_6 = { 56 57 bf0e000000 8d7101 } - $sequence_7 = { 8d7f01 0fb6c0 b918000000 2bc8 } - $sequence_8 = { ff75fc ff15???????? e9???????? 6800800000 } - $sequence_9 = { 57 56 ff15???????? ff75f8 56 ff15???????? 
} - $sequence_10 = { 7605 b800005000 6a00 8d4c2418 } - $sequence_11 = { ffd0 85c0 7519 c705????????0a000000 e9???????? b801000000 e9???????? } + $sequence_0 = { 8d7f01 0fb6c0 b957000000 2bc8 } + $sequence_1 = { 0f1f4000 8a07 8d7f01 0fb6c0 b96c000000 } + $sequence_2 = { 8d7f01 0fb6c0 b918000000 2bc8 } + $sequence_3 = { 56 8bf1 8975fc 803e00 7542 53 bb0e000000 } + $sequence_4 = { 57 bf0a000000 8d7101 8d5f75 8a06 } + $sequence_5 = { 8d7f01 0fb6c0 b95d000000 2bc8 } + $sequence_6 = { 57 bf0e000000 8d7101 8d5f71 8a06 8d7601 0fb6c0 } + $sequence_7 = { 7542 53 bb0e000000 57 8d7e01 8d7371 0f1f4000 } + $sequence_8 = { 85c0 7508 6a01 ff15???????? 6aff 8d45fc 50 } + $sequence_9 = { 7408 57 56 ff15???????? ff75f8 56 } + $sequence_10 = { 68???????? ff75f8 ff15???????? 85c0 7508 6a01 } + $sequence_11 = { 780e 7f07 3d00005000 7605 b800005000 6a00 8d4c2418 } $sequence_12 = { 6810660000 ff7508 ff15???????? 85c0 } - $sequence_13 = { e8???????? 8bb6007d0000 85f6 75ef } - $sequence_14 = { ff75f8 ff15???????? 85c0 7508 6a01 ff15???????? 6aff } - $sequence_15 = { 7411 a801 740d 83f001 50 ff7608 ff15???????? } - $sequence_16 = { 53 56 8bf1 57 ff7608 ff15???????? } - $sequence_17 = { 3ce9 7412 3cff 0f859d000000 807f0125 0f8593000000 } - $sequence_18 = { 85c0 742b 03f0 03d8 } - $sequence_19 = { 41b901000000 4533c0 488bd3 488bce } - $sequence_20 = { 410f4ff5 488bcb 448bc6 ffd0 } - $sequence_21 = { 49f7e8 4903d0 48c1fa06 488bca 48c1e93f 4803d1 488d3c92 } - $sequence_22 = { 72c3 488b7c2448 b801000000 488b742440 4883c430 } - $sequence_23 = { ffd0 4c3beb 740f 4c3bfb 740a 4c3bf3 } - $sequence_24 = { 4833c4 4889442438 4533e4 418be8 4489642430 4c8bfa 4c8bf1 } - $sequence_25 = { 8b4c2430 8b05???????? 03c7 03c8 894c2430 8b442430 } + $sequence_13 = { ff15???????? ff75f4 ff15???????? ff75f0 ff15???????? 5e } + $sequence_14 = { 50 6a20 ff15???????? 68???????? } + $sequence_15 = { 740d 83f001 50 ff7608 } + $sequence_16 = { 4881ec38010000 488b05???????? 
4833c4 4889842420010000 ba15000000 } + $sequence_17 = { 4881ec20010000 488b05???????? 4833c4 48898424e0000000 448b5114 } + $sequence_18 = { 4889542458 8b4c2424 448bfb 448b6c2430 } + $sequence_19 = { 03d0 6bc27f 442bc0 46884415c0 } + $sequence_20 = { 03d0 8d0452 3bc8 7548 } + $sequence_21 = { 2bc8 884c3c31 48ffc7 4883ff72 } + $sequence_22 = { 4889542458 44894c2448 4c896c2460 e9???????? 4c8bbc24f0000000 418d41ff 4c8bb424f8000000 } + $sequence_23 = { 03d1 8d0c52 3bf9 744c } condition: 7 of them and filesize < 520192 
@@ -118200,36 +118864,36 @@ rule MALPEDIA_Win_Grimplant_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f4355e5f-8d8e-5a41-aaf8-ff78dc5bf245" - date = "2026-01-05" - modified = "2026-01-06" + id = "b646bda4-ba63-534d-b90e-bc37d2891c7f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grimplant_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grimplant_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "4dec16f667070add3c068beb4323237f7a05d78d34df766eafa3cbe4813f7400" + logic_hash = "3bcf70c420714a855a299c19c4ff6823f81d3e2bec3239f9d704a08e640d4e70" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb13 4889c3 4889f0 e8???????? 488b942480000000 84c0 742a } - $sequence_1 = { eb09 488d7908 e8???????? 488b6c2420 4883c428 c3 0f1f4000 } - $sequence_2 = { e8???????? 488d056e852500 488b5c2428 488b4c2448 488b7c2450 e8???????? 48c7400801000000 } - $sequence_3 = { e8???????? 4889d8 e8???????? 4c89e0 0f1f440000 e8???????? 
488b9424f8000000 } - $sequence_4 = { 4c8b442458 4c8b4c2460 4c8d15f1213300 4989c3 4889c8 4889d1 488bac24a0000000 } - $sequence_5 = { eb1c 488b4c2460 488b8908010000 488b442468 ffd1 3c03 7505 } - $sequence_6 = { 8400 833d????????00 750c 488d0da5553c00 488908 eb0f 4889c7 } - $sequence_7 = { c3 4889d0 488b5c2468 488b4c2440 488d3dd7323800 be04000000 e8???????? } - $sequence_8 = { bf01000000 4889fe e8???????? 0f1f440000 e8???????? 4889c3 488d05f1d22a00 } - $sequence_9 = { ffd2 488d48ff eb15 31c0 488b6c2468 4883c470 c3 } + $sequence_0 = { c60002 c644242f0a 488d058c792b00 488b5c2440 488d4c242f 6690 e8???????? } + $sequence_1 = { e8???????? 48c740081b000000 488d0d9a972500 488908 488d0d312b2f00 48894c2450 4889442458 } + $sequence_2 = { 7404 488b4008 48898424c0000000 48899c24c8000000 488d05b7651300 bb12000000 488d8c24c0000000 } + $sequence_3 = { e8???????? 488d0d1a4e1800 488b542438 48894a10 833d????????00 7506 48894218 } + $sequence_4 = { eb1c 488d7810 488d1558094400 e8???????? 488d3da6958200 e8???????? 488b1d???????? } + $sequence_5 = { eb04 31c0 31db 48899c24b0000000 4889842488000000 488b8c2498000000 488b91c8000000 } + $sequence_6 = { eb36 488b4c2450 488b4940 488b442478 ffd1 488b7c2468 488b0f } + $sequence_7 = { e8???????? 84c0 7577 488d05c7b12f00 e8???????? 488b0d???????? 488b15???????? } + $sequence_8 = { 750d 488b542440 488910 e9???????? 4889c7 488b542440 e8???????? } + $sequence_9 = { e8???????? 488dbc2400020000 4889e6 660f1f840000000000 0f1f4000 48896c24f0 488d6c24f0 } condition: 7 of them and filesize < 19940352 
@@ -118239,36 +118903,36 @@ rule MALPEDIA_Win_Shatteredglass_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1439db5c-49a0-5968-b59a-03910a603b61" - date = "2026-01-05" - modified = "2026-01-06" + id = "39cb3af5-0e68-5635-a62b-60546d0e9e97" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shatteredglass" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shatteredglass_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shatteredglass_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "f010e143a6683faf7af5372236553bb5fc1b43eebb2159b594f8f51e8251f8d5" + logic_hash = "0b1681c32ce8a6822174580d2b05a091bad92dada181ea808112b252c55fa7e1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03f0 83fe10 7ce1 83fe10 752f } - $sequence_1 = { 7ce1 83fe10 752f eb29 } - $sequence_2 = { 0f8ecf000000 8b531c 8bca 8d7102 } - $sequence_3 = { 6a00 b810000000 2bc6 50 8d8640d74100 50 57 } - $sequence_4 = { eb02 32d2 8bc6 c0e104 d1e8 02ca 83c602 } - $sequence_5 = { 8d4900 0fb70c77 8d41d0 6683f809 7705 } - $sequence_6 = { 7705 80e937 eb10 8d419f 6683f819 7705 } - $sequence_7 = { 53 ff15???????? 80bd33ffffff00 0f8452ffffff 57 e8???????? } - $sequence_8 = { 2bce d1f9 83f918 740a 68???????? e9???????? 
} - $sequence_9 = { 72f1 33c0 5d c3 8b04c58c434100 5d c3 } + $sequence_0 = { eb05 1bc0 83c801 85c0 0f8505ffffff } + $sequence_1 = { 884109 0fb605???????? 88410a 0fb605???????? 88410b } + $sequence_2 = { 6a02 8ad9 ff15???????? 8bf8 } + $sequence_3 = { 50 e8???????? 668906 8d7602 83c404 66833e00 } + $sequence_4 = { 7d10 668b444b0c 6689044da4d14100 41 ebe8 8bce } + $sequence_5 = { eb08 c744241001000000 8b4314 a3???????? 83ff06 } + $sequence_6 = { 031485d0d14100 eb05 ba???????? f642247f 0f85810a0000 } + $sequence_7 = { ffd3 85c0 7e07 03f0 } + $sequence_8 = { c1e706 8b049dd0d14100 0fbe443804 83e001 750a e8???????? 832000 } + $sequence_9 = { 8d410d 8d642400 8a08 8a5001 8a6802 8a70ff } condition: 7 of them and filesize < 273408 
@@ -118278,36 +118942,36 @@ rule MALPEDIA_Win_Zhcat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0341c55f-b49b-59ad-9995-dc165ee721c5" - date = "2026-01-05" - modified = "2026-01-06" + id = "6add86c9-ad70-50f2-9381-df2a0d1943c1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zhcat_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zhcat_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "4527f43b00c94d79075579376bd5c0c607ad5c4bcbb3975ed225c4c4eea50561" + logic_hash = "174068f088329bcd8e22ef60e4ede88a5db0c9b84fb2b1f343ce4990bc429798" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7510 668945c6 ffd7 8b3d???????? 8945c8 8b45fc 33f6 } - $sequence_1 = { e8???????? a1???????? 59 803d????????00 } - $sequence_2 = { 8d45d4 50 8d45ec 50 33db 8d45f8 } - $sequence_3 = { 8bc6 c1f805 8b048540604100 83e61f c1e606 59 c644300400 } - $sequence_4 = { 7506 394c2418 742c c705????????01000000 eb20 8b450c } - $sequence_5 = { ffd7 6a02 8945d8 58 ff7514 668945c4 ffd6 } - $sequence_6 = { c3 8bff 56 57 33ff ffb7004e4100 ff15???????? } - $sequence_7 = { 3b04cd20434100 7413 41 83f92d 72f1 } - $sequence_8 = { e8???????? 8b45f8 8b4dfc 83c40c 894104 } - $sequence_9 = { 7407 68???????? 
ebd3 39742418 7507 68???????? ebc6 } + $sequence_0 = { 8bf9 eb02 33ff 8b45f0 8b1d???????? } + $sequence_1 = { 03f3 56 57 ff7508 ff15???????? 57 8bf0 } + $sequence_2 = { c705????????02000000 eb1c c605????????01 eb13 c705????????01000000 eb07 c605????????01 } + $sequence_3 = { 894df8 8975f4 e8???????? 59 } + $sequence_4 = { 6a00 ff75f0 ff15???????? 8945f8 ebde 33f6 68???????? } + $sequence_5 = { 56 ff750c 68???????? 57 e8???????? 33f6 83c40c } + $sequence_6 = { 8906 8d45fc 50 53 56 68???????? 53 } + $sequence_7 = { ebe6 c745e0b0f14000 817de0b4f14000 7311 8b45e0 8b00 85c0 } + $sequence_8 = { 8d45f8 8d5dfc e8???????? 59 } + $sequence_9 = { 807e0a00 7534 803d????????00 742b 33c9 394d08 7e24 } condition: 7 of them and filesize < 376832 
@@ -118317,49 +118981,47 @@ rule MALPEDIA_Win_Nymaim_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30c4b930-78a7-5077-a5dc-408a5cbb77f2" - date = "2026-01-05" - modified = "2026-01-06" + id = "1dc81ffd-7022-5fb2-97fe-c4366ef5d1b7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nymaim_auto.yar#L1-L209" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nymaim_auto.yar#L1-L198" license_url = "N/A" - logic_hash = "84775fe355e4469ac977f6fbd11fdede8794d879792df66f4d5d03f1510d45b2" + logic_hash = "a60e8675afacffc171c9e5312e7b3de12446af5228c1a66431bd4e23f0127d93" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 89d8 01c8 31d2 f7f7 } - $sequence_1 = { f7f7 92 31d2 bf64000000 } - $sequence_2 = { 0f94c1 09c8 6bc064 09c0 } - $sequence_3 = { 38f0 83d100 38d0 83d900 } - $sequence_4 = { 010d???????? 8b1d???????? 011d???????? c1eb13 } - $sequence_5 = { c1eb13 331d???????? 31c3 c1e808 } - $sequence_6 = { 31c3 891d???????? 
89d8 01c8 } - $sequence_7 = { 31d2 bf64000000 f7f7 5b } - $sequence_8 = { 38d0 83d900 c1e105 01c8 } - $sequence_9 = { 00d3 8a16 301e 46 01fb } - $sequence_10 = { c1e808 31c3 895e0c 89d8 } + $sequence_1 = { 09c0 0f94c1 09c8 6bc064 09c0 } + $sequence_2 = { 31d2 f7f7 92 31d2 } + $sequence_3 = { 92 31d2 bf64000000 f7f7 } + $sequence_4 = { c1eb13 331d???????? 31c3 c1e808 } + $sequence_5 = { c1e105 01c8 c1c307 30c3 } + $sequence_6 = { 31c9 38f0 83d100 38d0 83d900 c1e105 01c8 } + $sequence_7 = { 00d3 8a16 301e 46 } + $sequence_8 = { 8b5d18 8b1b 4f 31c0 fec2 } + $sequence_9 = { 8b5514 8b12 8b4d0c 8b5d18 } + $sequence_10 = { f7e0 0fc8 01d0 894704 } $sequence_11 = { 8b5604 0116 8b4e08 014e04 8b5e0c } - $sequence_12 = { 8b5d18 8b1b 4f 31c0 fec2 } - $sequence_13 = { f7e0 0fc8 01d0 894704 } - $sequence_14 = { 8b5514 8b12 8b4d0c 8b5d18 } - $sequence_15 = { 31c9 8b55f4 8b75ec 89723c c7424003000000 } - $sequence_16 = { 56 83ec28 8b450c 8b4d08 8d154e30d201 } + $sequence_12 = { c1e808 31c3 895e0c 89d8 } + $sequence_13 = { 55 89e5 83ec10 8b4508 8d0d3430d201 } + $sequence_14 = { 31c9 8b55f4 8b75ec 89723c c7424003000000 } + $sequence_15 = { 53 56 57 83ec44 8b4508 8d0d2030d201 } + $sequence_16 = { 890424 894c2404 e8???????? 8d0d3430d201 } $sequence_17 = { 83ec44 8b4508 8d0d2030d201 31d2 890c24 c744240400000000 } - $sequence_18 = { 890424 894c2404 e8???????? 8d0d3430d201 } - $sequence_19 = { 5b 5d c3 8b45f0 8b0c850440d201 } - $sequence_20 = { 53 56 57 83ec44 8b4508 8d0d2030d201 } - $sequence_21 = { 31d2 890c24 c744240400000000 8945f4 8955f0 e8???????? 8d0d8630d201 } - $sequence_22 = { 55 89e5 83ec10 8b4508 8d0d3430d201 } + $sequence_18 = { 5b 5d c3 8b45f0 8b0c850440d201 } + $sequence_19 = { 56 83ec28 8b450c 8b4d08 8d154e30d201 } + $sequence_20 = { 31d2 890c24 c744240400000000 8945f4 8955f0 e8???????? 8d0d8630d201 } condition: 1 of them and filesize < 2375680 
@@ -118369,36 +119031,36 @@ rule MALPEDIA_Win_Afrodita_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0b89d48b-e8eb-5aec-a4a1-cb25be8e6ea8" - date = "2026-01-05" - modified = "2026-01-06" + id = "580ed23c-7302-51d4-93b0-0340cef83f3b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.afrodita_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.afrodita_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "ba96a282578cd431adb4de4c63175081873626ab508dce847aa3397ecdd6e0da" + logic_hash = "3a282bb5302c8b448e6265a1555c313c3b81bd1f815936e652164bb8e4c7fdd3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ff75dc e8???????? 83c40c 84c0 0f84aa030000 } - $sequence_1 = { 52 53 ff7508 8b4004 c645fc01 8b4c3038 8b01 } - $sequence_2 = { e8???????? 83c404 c645fc09 8d8d6cffffff ff75a0 e8???????? 83e3df } - $sequence_3 = { 6a7d 8d4d80 53 e8???????? e9???????? 83ff4d 0f8443010000 } - $sequence_4 = { 33c8 8b45f0 3345e4 23c7 8b7ddc 3345e4 03c8 } - $sequence_5 = { 837d1000 8b10 0f444d10 51 56 } - $sequence_6 = { 2345e4 03ca 3345f4 03c1 8945e4 85db 7437 } - $sequence_7 = { 51 8d4b04 ff5008 68???????? 
50 8d45c0 c745fc00000000 } - $sequence_8 = { 7445 833d????????00 743c 56 6a10 8d45ec 50 } - $sequence_9 = { e8???????? eb05 e8???????? 83c404 8b9564ffffff 399560ffffff 8bb568ffffff } + $sequence_0 = { c78538ffffff00000000 c68530ffffff00 8b06 85c9 8d8d4cffffff c645fc03 51 } + $sequence_1 = { 8d86d4000000 50 8d8fd4000000 e8???????? 8d86ec000000 50 } + $sequence_2 = { 8d856cffffff 50 8d45c8 50 e8???????? 83c408 84c0 } + $sequence_3 = { 8d044dffffffff 49 23c2 894744 8d1c30 8bc3 d1e8 } + $sequence_4 = { 50 e8???????? 83c414 84c0 0f84ed020000 8b9524ffffff 399520ffffff } + $sequence_5 = { e8???????? 50 8d4588 50 8d8df4feffff e8???????? 8d45a0 } + $sequence_6 = { 85f6 7436 80782400 8b55c8 8b481c 6a01 6a00 } + $sequence_7 = { c7473800000000 e8???????? 83c408 8d4f10 e8???????? f6450801 740b } + $sequence_8 = { e8???????? 037da8 8d4e28 ff761c 897dac 8b3e } + $sequence_9 = { 742f 0fb707 8d4db0 50 e8???????? 8b06 8d4db0 } condition: 7 of them and filesize < 2334720 
@@ -118408,79 +119070,118 @@ rule MALPEDIA_Win_R77_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b79f20de-193b-5b74-8687-5e00cdb0b22f" - date = "2026-01-05" - modified = "2026-01-06" + id = "37f7a978-a7e5-5410-9083-a09fa21c8e1f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.r77" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.r77_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.r77_auto.yar#L1-L150" license_url = "N/A" - logic_hash = "ee9f3e01cb496a017b30e9f636bd55f0ca4c077d0d62d251be75c67533f23dc5" + logic_hash = "1736f21ff7c691211d3e9dcd35bc840c7e9e551945dbc1deeab3d32e6e1975e5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 740c 8b4f0c e8???????? 85c0 } $sequence_1 = { 740b 8b0f e8???????? 85c0 } - $sequence_2 = { bafeff0000 6623c2 6683f806 721a 41b803000000 } - $sequence_3 = { c1e202 8b4508 0fb60c10 83f91f 757d } - $sequence_4 = { 0f8595010000 c745e4f8630110 e9???????? 894de0 c745e4f8630110 e9???????? } - $sequence_5 = { ba01000000 c1e200 8b4508 0fb60c10 81f990000000 750a } - $sequence_6 = { c745fc???????? eb07 c745fc???????? 
8b4dfc 894df8 8b5510 } - $sequence_7 = { 83e03f c1eb06 6bf838 8b049df8a00110 f644072801 7444 837c0718ff } - $sequence_8 = { b801000000 d1e0 8b4d08 0fb61401 85d2 750a } - $sequence_9 = { 488d157ad40000 e8???????? 8bcb 4885c0 740c 4883c420 } - $sequence_10 = { ff15???????? 4889442450 488bd8 48897c2458 8d7d01 4885f6 } - $sequence_11 = { c3 4883ec38 488d05f5d50100 4889442428 488b05???????? 4889442420 48837c242000 } - $sequence_12 = { 488b4c2440 e8???????? eb55 4c8b4c2458 4c8b442450 488d15f3010200 488b4c2440 } - $sequence_13 = { 4885db 7436 488b0d???????? 4885c9 7410 488b4910 488bd3 } + $sequence_2 = { 83f866 0f85a9000000 b901000000 6bd103 8b4508 0fb60c10 } + $sequence_3 = { 488d050a440100 483bc8 7406 e8???????? 90 8b0b e8???????? } + $sequence_4 = { 8bd3 b9???????? e8???????? a3???????? 5f } + $sequence_5 = { 8b4d10 0fb61401 83e21f 8855ff } + $sequence_6 = { ff752c ff7528 56 ff7520 53 } + $sequence_7 = { c1cf0d 803b61 8d42e0 0f4cc2 03f8 43 6685f6 } + $sequence_8 = { 4883ec20 488d05df750000 488bd9 483bc8 7417 8b815c010000 } + $sequence_9 = { 488d3d6cb6feff 488bcf e8???????? 85c0 } + $sequence_10 = { e8???????? e9???????? 493bff 7508 41bc06000080 eb21 83eb01 } + $sequence_11 = { c745e806000000 e9???????? 8b4df4 034dec 8b55fc } + $sequence_12 = { 0f85a9000000 4885f6 0f84a0000000 8b4704 } + $sequence_13 = { 48894328 e8???????? 48894330 e8???????? 
48894338 488d153fc30100 } condition: 7 of them and filesize < 350208 } +rule MALPEDIA_Win_Archer_Rat_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "9837935a-6948-55bc-923a-16560db69193" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.archer_rat" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.archer_rat_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "ae7af025c04aff01e3d2f0dd3c48a68d6dd407caa219f0bf97beb5b3d7883a05" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { ff5028 e8???????? 41c6460800 84db 0f8433040000 e8???????? 41b701 } + $sequence_1 = { e9???????? 488bbc2420020000 488b9c2428020000 488d8c2420060000 e8???????? 4885db 7408 } + $sequence_2 = { 7344 4989c7 4989d4 418a2c1e 48ffc3 4c8d0d26780c00 4c89f1 } + $sequence_3 = { e9???????? 56 4883ec20 0fb68118050000 4883f805 0f87e8000000 4889ce } + $sequence_4 = { ff5018 4883661000 4883c420 5e c3 56 57 } + $sequence_5 = { f3a4 488d942438040000 488dbc24a0030000 448a4a08 488db42470010000 4889f1 4989f8 } + $sequence_6 = { e8???????? 418a07 3c02 756b 4c8d7c2458 4c89f9 4889da } + $sequence_7 = { f30f7f84242c0b0000 660f7f8424200b0000 6a20 5a b900040000 e8???????? 
4889842400030000 } + $sequence_8 = { 4c8d0533720600 4c89442420 4989c0 eb22 498b08 498b5008 4c8d054b720600 } + $sequence_9 = { ebec 4883c428 5f 5e c3 80792002 0f85d5280200 } + + condition: + 7 of them and filesize < 2612224 +} rule MALPEDIA_Win_Khrat_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d98fbdf3-9fe4-57f4-bc2e-25361c02b6b3" - date = "2026-01-05" - modified = "2026-01-06" + id = "c5554cbf-7a31-5b1c-9039-4cbcc26596f4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.khrat_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.khrat_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "f897e4b10c9d307944a08dbe843650aba78831f11c2fc81a4d9a80e6f47607a3" + logic_hash = "8b3433938065827622086cc345de4533ff49d109019eb1344aae1940a021402a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7415 ff35???????? e8???????? c705????????00000000 833d????????ff 7415 ff35???????? } - $sequence_1 = { 0fb64306 a3???????? 8d7307 56 68???????? e8???????? 6a00 } - $sequence_2 = { e8???????? eb0f 807b06ff 7509 8b4b07 51 e8???????? } - $sequence_3 = { 50 8d8500fcffff 50 6801000080 e8???????? 
} - $sequence_4 = { c6430500 c6430600 894307 8d7b0b } - $sequence_5 = { 66c746326500 66c746347700 66c746363a00 66c746380000 8db500feffff } - $sequence_6 = { 8d8500fcffff 50 e8???????? 6a00 51 8d8500fcffff 50 } - $sequence_7 = { e8???????? 0bc0 0f84da000000 d1e0 8985fcfbffff ffb5fcfbffff } - $sequence_8 = { c9 c3 55 8bec 81c490fbffff } - $sequence_9 = { c9 c3 55 8bec 81c4f8fbffff 8d9d00fcffff } + $sequence_0 = { 0bc0 0f8542ffffff ffb5d0f9ffff e8???????? } + $sequence_1 = { 8bd8 6aff 53 e8???????? 53 } + $sequence_2 = { 8d85d4f9ffff 50 ff35???????? e8???????? 83f8ff 7502 } + $sequence_3 = { 83f805 7405 83f806 7567 c60300 c64301c4 } + $sequence_4 = { ff75a0 e8???????? 3d02010000 751e } + $sequence_5 = { c20800 55 8bec 81c48cfbffff 8d1d10520010 } + $sequence_6 = { 6a00 ff35???????? e8???????? 0bc0 7424 } + $sequence_7 = { c64301c4 66c743020004 c6430403 c6430500 } + $sequence_8 = { e8???????? 68???????? ff35???????? e8???????? 83bde4fdffff00 7413 ffb5e4fdffff } + $sequence_9 = { 56 68ff000000 6a01 e8???????? 8b4d0c } condition: 7 of them and filesize < 57344 
@@ -118490,36 +119191,36 @@ rule MALPEDIA_Win_Flashflood_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d9f5526b-ab62-532b-9666-be6697f92fbf" - date = "2026-01-05" - modified = "2026-01-06" + id = "3fe8a561-35ad-5cec-b5fe-1888e6cb394e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flashflood_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flashflood_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "446473d1c32fe4cdbf702296b6f8adbdf5ae7aa855f826a53c94075ec6207623" + logic_hash = "0dc336395449e271154fbfa917207d9d0a0a63096c28a7539ca62812b85fe231" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? eb0c ff7508 ff75fc ff15???????? 3975fc 5e } - $sequence_1 = { 8b45ec 52 8d55f8 52 8b08 6a10 } - $sequence_2 = { 8b5508 8b427c 6bc00c 33c9 668b88ec914000 8b5508 } - $sequence_3 = { c21000 b8???????? c3 33c9 394c2408 7e0f } - $sequence_4 = { 8b45f4 25ffff0000 33c9 8a88b0984000 894de8 eb17 8b55f4 } - $sequence_5 = { 8d853cf9ffff 50 ff15???????? 83c420 } - $sequence_6 = { 33c0 eb0a 57 ff15???????? 6a01 58 5f } - $sequence_7 = { 6a01 57 e8???????? 6a01 e8???????? } - $sequence_8 = { 50 e8???????? 
ff45fc 83c610 } - $sequence_9 = { 8a0406 8ad0 c0ea04 c0e004 02d0 } + $sequence_0 = { ff15???????? 8bf0 59 85f6 59 741c 56 } + $sequence_1 = { 85c0 753e 8d857cffffff 50 8d853cf9ffff 50 } + $sequence_2 = { 817d0c00010000 7310 8b550c 33c0 8a82b0984000 8945fc eb11 } + $sequence_3 = { e8???????? e8???????? 8d85fcfdffff 53 50 e8???????? } + $sequence_4 = { ffd6 53 ff75fc 6a01 } + $sequence_5 = { ff15???????? 85c0 7410 83c704 81ff???????? } + $sequence_6 = { 6a00 50 ff15???????? 8d85a8fcffff } + $sequence_7 = { e8???????? 85c0 59 7411 6a00 ff750c } + $sequence_8 = { 6a00 68???????? ff15???????? 68???????? ffd7 } + $sequence_9 = { 40 8945f8 0fbe06 50 ff15???????? 8bf8 } condition: 7 of them and filesize < 114688 
@@ -118529,36 +119230,36 @@ rule MALPEDIA_Win_Hemigate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7f247b7a-51fa-56b6-b5ca-706ac00fbf7d" - date = "2026-01-05" - modified = "2026-01-06" + id = "dbedd2f4-c78f-5eff-82cf-e54d6dea7f7f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hemigate" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hemigate_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hemigate_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "05c380bd4c229bd57061005a2f77b730cb7f642aa2a7c3aed0193470cbd60a00" + logic_hash = "54c09158805e71b39f30b6c3f2f6ea82fac15f16df917ad345ed43c8c4fe7e37" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85f6 0f8597000000 8bd3 8d4ddc e8???????? 8bf0 85f6 } - $sequence_1 = { c1e208 0bd1 0fb64f06 3155a8 0fb65707 c1e208 0bd1 } - $sequence_2 = { c3 ff75f4 ff36 ff15???????? 8bf0 83c408 85f6 } - $sequence_3 = { 8b550c 8d45d4 50 8d8fa8000000 e8???????? 
8b55cc 8d8fb8110100 } - $sequence_4 = { 83f801 0f85b8000000 ffb55cf7ffff ffd3 0fb7c0 8d9554f7ffff 6a02 } - $sequence_5 = { c1c919 33c8 8b75ec 8bc7 8b7de8 c1c806 33c8 } - $sequence_6 = { c1e903 f7e1 56 c1ea03 33f6 8d0492 03c0 } - $sequence_7 = { eb48 b840000000 8bfb 2bc1 3bd8 0f43f8 8d462c } - $sequence_8 = { 0f84a4f4ffff 8b45c8 0345c4 53 50 51 e8???????? } - $sequence_9 = { 8d742418 8bf8 f3a5 8143080c020000 e9???????? 8d4c2418 51 } + $sequence_0 = { 8945fc 56 8bf1 57 8bfa 0fb64610 8b5610 } + $sequence_1 = { 6a00 e8???????? 83c404 899594efffff 50 ff15???????? 894620 } + $sequence_2 = { 8d8588feffff 50 e8???????? 83c408 8bcf 85c0 0f44f9 } + $sequence_3 = { b8d8100000 e8???????? a1???????? 33c4 898424d4100000 56 be???????? } + $sequence_4 = { 33c8 895ddc 8b45ec c1c802 33c8 8b45ec } + $sequence_5 = { ff7310 ff7318 ff731c ff7320 ff730c ff7304 ff7308 } + $sequence_6 = { 6a01 ff10 ffb5d4fdffff e8???????? ffb5d8fdffff e8???????? 83c408 } + $sequence_7 = { c1c919 33c8 8b7de0 8bc3 8b5dfc c1c806 33c8 } + $sequence_8 = { 83fa6f 750c c681????????2f e9???????? 83fa6e 750c c681????????2e } + $sequence_9 = { e8???????? 8bf0 85f6 0f8529060000 8bd7 8d4d88 e8???????? } condition: 7 of them and filesize < 991232 
@@ -118568,36 +119269,36 @@ rule MALPEDIA_Win_Avzhan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84066c6e-b6ba-5768-970d-dec408a0e7ed" - date = "2026-01-05" - modified = "2026-01-06" + id = "5b8494e0-2006-59e5-baef-c4ea2a52d6bd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.avzhan_auto.yar#L1-L111" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.avzhan_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "a735be6148b9160f001fa1a5adca0dca85c778e318efdbf988b4428d95a16bfa" + logic_hash = "f6e23c8e08058a67326cfea3b28e1c9952733accb0c67143c3d4c383f7bc3a04" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb1d 6a02 e8???????? 83c008 } - $sequence_1 = { 51 8d8c2404020000 51 56 } - $sequence_2 = { e8???????? 83c003 33d2 0fafc6 f7742408 } - $sequence_3 = { c744243844000000 f3ab 8b442464 8b3d???????? } - $sequence_4 = { ffd7 6a00 8b542414 52 ffd3 6a0a ffd7 } - $sequence_5 = { 8d8c2418020000 6a00 51 6a00 ffd5 85c0 } - $sequence_6 = { 49 50 8bd9 e8???????? } - $sequence_7 = { 6a14 ff15???????? 833d????????01 75d2 } - $sequence_8 = { e8???????? 8bf0 6a64 81c600040000 e8???????? } - $sequence_9 = { 83c418 3935???????? 
7450 8b942464010000 } + $sequence_0 = { 6a00 6a00 8d8c2418020000 6a00 } + $sequence_1 = { e8???????? 83c404 50 e8???????? 8bf0 8dbc2404020000 83c9ff } + $sequence_2 = { 8d542468 51 8d842484010000 52 50 8d8c240c020000 68???????? } + $sequence_3 = { 8b3d???????? 833d????????01 7418 6a00 } + $sequence_4 = { 83c408 8bc2 c1e010 668bc2 } + $sequence_5 = { 66c74424500000 3935???????? 743c 8d542410 8d442420 52 50 } + $sequence_6 = { ffd5 85c0 7410 68d0070000 ffd7 6a00 8b542414 } + $sequence_7 = { 8bc3 83c408 c1e010 668bc3 8b1d???????? c1e902 } + $sequence_8 = { 56 e8???????? 83c404 85c0 741e 8d442464 8d4c2464 } + $sequence_9 = { 85c0 741e 8d442464 8d4c2464 50 } condition: 7 of them and filesize < 122880 
@@ -118607,36 +119308,36 @@ rule MALPEDIA_Win_Casper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a2a62877-f95a-5635-83dc-ecf2c1bcc8c6" - date = "2026-01-05" - modified = "2026-01-06" + id = "483c8201-f37a-53e7-9113-9d548aa8d32e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.casper_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.casper_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "51f38b9a318c7cdad54224577e1ce438c8182ba77e67e0978d20f3d358b38e98" + logic_hash = "89ad7b43d1f5ceb79d3ec58d7e3b639bca64e16a9f104c9726dbf8ed7bb127dc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 59 8d4df8 51 6a01 50 6801000080 } - $sequence_1 = { 88471c 8a4626 88471d 8b4624 59 c1e808 59 } - $sequence_2 = { 83c40c ff7010 8d8560fdffff 68???????? 50 } - $sequence_3 = { 832600 83661400 894608 c7461000100000 e8???????? 8945fc a1???????? } - $sequence_4 = { 8d8500ffffff 50 ff7510 e8???????? 
83c410 8d8500ffffff 50 } - $sequence_5 = { 897808 eb02 33c0 8930 897804 8b4b10 } - $sequence_6 = { 5e 40 5b c9 c21000 8b8118010000 c3 } - $sequence_7 = { 8a01 84c0 75f1 8b4d08 52 ff7510 } - $sequence_8 = { 81e200008000 52 57 57 57 ff75a8 ff34850ca14200 } - $sequence_9 = { 2bc6 03450c 50 ff7508 e8???????? } + $sequence_0 = { 3bc7 0f8445010000 68???????? e8???????? 3bc7 0f8433010000 be???????? } + $sequence_1 = { c745f800020000 50 68???????? e8???????? 59 8b4d08 50 } + $sequence_2 = { 894770 85c0 742d 680af1d476 56 53 e8???????? } + $sequence_3 = { 50 e8???????? 85c0 7428 ff75fc 57 e8???????? } + $sequence_4 = { 8945f8 85c0 742f 8d771c e8???????? } + $sequence_5 = { 727d 8b01 ba4d5a0000 663910 7571 8b503c } + $sequence_6 = { ff7508 56 e8???????? 85c0 756e 50 8d45fc } + $sequence_7 = { 83c40c 56 8d85fcefffff 6a00 50 e8???????? 83c40c } + $sequence_8 = { 59 8bc7 5f 5e c20400 8b06 85c0 } + $sequence_9 = { 895df8 894df4 83c010 c745f006000000 eb03 8b5df8 8bf7 } condition: 7 of them and filesize < 434176 
@@ -118646,36 +119347,36 @@ rule MALPEDIA_Win_Mrac_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e787bb3-4d81-533a-b44d-f20be9e2f442" - date = "2026-01-05" - modified = "2026-01-06" + id = "88171e5e-9c24-5782-abfb-8337ed9a4dfa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mrac_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mrac_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "5fe94aec6f3ba68621e3ca20e2c4449488e4dd8245ed859f8a76ad9159490f6c" + logic_hash = "e11a99e612e507640597f11e8b4184164080099e30421a7ac342c05566021711" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8bc8 e8???????? c78424780600001e000000 c684247c0600006a c684247d0600007f c684247e0600006d } - $sequence_1 = { 8bde 83e03f c1fb06 6bc830 8b049d804b4500 894dfc 837c0118ff } - $sequence_2 = { e8???????? 0420 8d8c2434040000 6a35 8884244f040000 e8???????? } - $sequence_3 = { 040f 3476 888424ef040000 8b8424dc040000 0410 3463 888424f0040000 } - $sequence_4 = { 8b4df0 8b048d804b4500 f644382848 741c 8a55ff 80fa0a 7504 } - $sequence_5 = { e8???????? 
c68424c813000076 c68424c91300006d c68424ca1300007c 8d8c24c8130000 c68424cb13000028 c68424cc1300007b } - $sequence_6 = { 8a840d6cffffff 2c0a 88840d6cffffff 41 83f909 72ea 68eeeac01f } - $sequence_7 = { 8bf0 c645e57d c645e675 c645e74a c645e86d c645e973 c645ea7e } - $sequence_8 = { 8d8c2458090000 88842466090000 e8???????? 3453 8d8c2454090000 6a0c 88842467090000 } - $sequence_9 = { c68424ce0e000049 c68424cf0e000056 c68424d00e000006 c68424d10e00006b c68424d20e000075 c68424d30e000075 c68424d40e000077 } + $sequence_0 = { 88842475060000 e8???????? 3451 8d8c2464060000 6a0b 88842476060000 e8???????? } + $sequence_1 = { 888424eb020000 8b8424dc020000 040c 3420 888424ec020000 8b8424dc020000 040d } + $sequence_2 = { c68424c804000025 c68424c904000043 c68424ca04000053 c68424cb0400005a c68424cc04000051 c68424cd04000025 c68424ce04000037 } + $sequence_3 = { 0407 3453 8845a7 8b459c 0408 3465 } + $sequence_4 = { c3 682680acc8 ba01000000 33c9 e8???????? 83c404 56 } + $sequence_5 = { 8d8c2418030000 6a43 8884242d030000 e8???????? 0463 8d8c2418030000 6a43 } + $sequence_6 = { e8???????? 8bc8 e8???????? 6a00 8d8c2438080000 c784243808000062000000 e8???????? } + $sequence_7 = { c644242100 8a442410 e8???????? 8bc8 e8???????? 6a49 8d4c2450 } + $sequence_8 = { c684241402000079 c68424150200007a c684241602000075 c684241702000076 c684241802000026 c68424190200004b c684241a02000079 } + $sequence_9 = { c684244b0900006c c684244c0900007e c684244d09000072 c684244e0900007e c684244f0900001f c684245009000010 c684245109000046 } condition: 7 of them and filesize < 745472 
@@ -118685,36 +119386,36 @@ rule MALPEDIA_Win_Miniasp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dd001a5f-6edc-54d2-8944-1f96a2068de8" - date = "2026-01-05" - modified = "2026-01-06" + id = "6cfa02ba-df4d-55d2-bb63-74f1f94f15c2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.miniasp_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.miniasp_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "d2281d1c5f13ba61fe4f1a7571230cd90a3ba2e219ba542805e8f7cc31494450" + logic_hash = "1ee105f2133cec94270e0aea10fd8c08f641fd091b26e4be16436f63bb16389c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4de8 e8???????? 0fb6c0 85c0 742f 8b45e8 } - $sequence_1 = { 8a8d7bffffff 8808 8b4584 40 894584 8b4580 40 } - $sequence_2 = { 75ef 8b45a0 2b459c 894594 6800000010 ff7594 ff7510 } - $sequence_3 = { 8b45bc ffb0b4000000 8b45bc ffb088000000 8d4dfb e8???????? 8945fc } - $sequence_4 = { 8b45f0 ffb088000000 e8???????? 83c40c 837df800 7463 } - $sequence_5 = { 33c0 40 e9???????? 8b4510 25ffff0000 0fb7c0 8945b4 } - $sequence_6 = { 8b4dfc c6040820 8b45fc 40 8945fc } - $sequence_7 = { 7432 68???????? 8b45f8 ffb0e8000000 e8???????? 
59 59 } - $sequence_8 = { 807ddf00 741f 8b45e0 8a4001 8845de 8b4de4 } - $sequence_9 = { 33c0 8b7df8 83c742 ab ab ab ab } + $sequence_0 = { 8b85e4feffff 8985e0feffff 8b85e4feffff 8a00 8885dffeffff ff85e4feffff 80bddffeffff00 } + $sequence_1 = { 2b45fc 48 3d00080000 7e07 } + $sequence_2 = { 894ddc 8365ec00 8365fc00 8b45dc 83b81804000000 7515 c745e4b4d84000 } + $sequence_3 = { 59 8d7de4 8b7508 33c0 f3a7 7408 83c8ff } + $sequence_4 = { 735e 8b45f4 0345e4 8b4dfc 8a00 } + $sequence_5 = { 83c40c 8d45d8 50 e8???????? 59 8b4588 8b4804 } + $sequence_6 = { c645fb00 8365f400 8a45fb d0e8 8845fb e9???????? c9 } + $sequence_7 = { 8b45ec ffb098000000 6a00 8b45ec ffb0a4000000 8b45ec ffb094000000 } + $sequence_8 = { 48 8945cc 8b45cc 8a4001 8845cb ff45cc 807dcb00 } + $sequence_9 = { 75e3 8b8574ffffff 2b8570ffffff 898568ffffff 8b8568ffffff 8945a4 837da402 } condition: 7 of them and filesize < 139264 
@@ -118724,36 +119425,36 @@ rule MALPEDIA_Win_Telb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "888a5e5b-e658-58db-97cc-bf969236e2af" - date = "2026-01-05" - modified = "2026-01-06" + id = "459c3a84-daaf-53e5-b279-0425129cafd7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.telb" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.telb_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.telb_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "e3ec407f2b3918e01e6c60147a108fc9762a60e1c29d49f9899f4240d976bb07" + logic_hash = "0ab17b3cea5ea46aff846464fbd31adca0e4482fb3a24bedceed5e8c72dcc979" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? a1???????? 33c4 89842404100000 56 57 6a00 } - $sequence_1 = { 51 e8???????? 83c408 8d85e8dfffff c78598dfffff00000000 8985a0dfffff } - $sequence_2 = { eb07 6a16 68???????? e8???????? 8d4c2430 e8???????? } - $sequence_3 = { 81cf00000003 89bd48eeffff 0f1000 0f1185b0eeffff f30f7e4010 } - $sequence_4 = { ffd1 8bf0 8b442414 50 8b08 ff5108 } - $sequence_5 = { 8d8d88efffff e8???????? 
33c9 81cf80000000 89bd38eeffff } - $sequence_6 = { c7400400000000 8985e8edffff 8908 c645fc09 8b85a8eeffff 89853ceeffff 8b85dceeffff } - $sequence_7 = { c644241b01 8b14b8 8bca 8d7102 668b01 } - $sequence_8 = { eb06 8bbd48eeffff 80bd4feeffff00 0f84a1010000 51 8d8d88efffff e8???????? } - $sequence_9 = { c7401407000000 668908 8d8db8efffff c645fc28 } + $sequence_0 = { c7859cefffff07000000 e8???????? 83bd84efffff08 8d8570efffff 56 0f438570efffff 8d8d88efffff } + $sequence_1 = { 8d8c24a0000000 e8???????? 8b3d???????? 8d4c2430 e8???????? eb2f 68???????? } + $sequence_2 = { 50 8d458c eb3f 0fb600 0fbe8858d74100 41 } + $sequence_3 = { 8d442430 8b3d???????? 0f43442430 6a01 6a00 50 68???????? } + $sequence_4 = { 8d8d40efffff e8???????? c645fc18 8d8d40efffff } + $sequence_5 = { 68???????? 8bc8 c645fc1e e8???????? c785e0efffff00000000 33c9 } + $sequence_6 = { 7202 8b00 51 50 e8???????? 83c408 8d4c2460 } + $sequence_7 = { c745e404954100 8b4508 8bcf 8b7510 c745e001000000 dd00 } + $sequence_8 = { 83c9ff c7859cefffff07000000 83f8ff 0faee8 0f42c8 c78514eeffffffffffff 83bd48eeffff08 } + $sequence_9 = { 83c223 2bc1 83c0fc 83f81f 0f8796150000 52 51 } condition: 7 of them and filesize < 286720 
@@ -118763,36 +119464,36 @@ rule MALPEDIA_Win_Powerloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c50a3558-9d40-5d02-8dcc-a013fb97306d" - date = "2026-01-05" - modified = "2026-01-06" + id = "30bd8eda-b551-54e7-b872-dd4a165250aa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.powerloader_auto.yar#L1-L106" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.powerloader_auto.yar#L1-L107" license_url = "N/A" - logic_hash = "c426c342e944500b9eabe80251134c6aa09970a7034e66d9d42756bf84d7595a" + logic_hash = "1eb26ce024f61f0f1eea7f5544a609966d274e2c391c548ba37a25dc3ec932d7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b7c2430 85ed 740d } - $sequence_1 = { e8???????? eb22 33c9 66666666660f1f840000000000 0fb6840c30010000 } - $sequence_2 = { 33d2 ff15???????? 83f81f 7323 } - $sequence_3 = { 7441 8b5c2430 85db 741d } - $sequence_4 = { 8bd0 e8???????? 85ff 740c } - $sequence_5 = { e8???????? 0fb6d8 84c0 7514 ff15???????? } - $sequence_6 = { e8???????? 0fb6d8 84c0 7514 } - $sequence_7 = { eb22 33c9 66666666660f1f840000000000 0fb6840c30010000 } - $sequence_8 = { e8???????? eb22 33c9 66666666660f1f840000000000 } - $sequence_9 = { 33d2 c605????????00 e8???????? 
0fb6c3 } + $sequence_0 = { eb22 33c9 66666666660f1f840000000000 0fb6840c30010000 } + $sequence_1 = { 33d2 ff15???????? 83f81f 7323 } + $sequence_2 = { 7441 8b5c2430 85db 741d } + $sequence_3 = { ff15???????? 83f81f 7323 ff15???????? } + $sequence_4 = { e8???????? 0fb6d8 84c0 7514 ff15???????? } + $sequence_5 = { 33d2 c605????????00 e8???????? 0fb6c3 } + $sequence_6 = { ff15???????? 83f803 7405 83f802 7530 } + $sequence_7 = { e8???????? eb22 33c9 66666666660f1f840000000000 } + $sequence_8 = { e8???????? 0fb6d8 85ff 740c } + $sequence_9 = { 8bf2 32db e8???????? 3bc7 7349 } condition: 7 of them and filesize < 155648 
@@ -118802,36 +119503,36 @@ rule MALPEDIA_Win_Badhatch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d1d3a6d7-0b13-5342-b91c-01db9308bc68" - date = "2026-01-05" - modified = "2026-01-06" + id = "09b51d46-6dc1-5e9a-8bb9-1dc7429848c4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.badhatch_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.badhatch_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "2f3c78bf8e633b7d8699c41a378230a8ee0e51bf5f6dea1277813531be01c065" + logic_hash = "5c3f60af302817c6a58c82b4927ad610ae6b882e60ab23578f05f3ec21be4793" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8b3d???????? 85c0 7512 ffd7 53 } - $sequence_1 = { 83c420 5f 5e 83c574 c9 c3 55 } - $sequence_2 = { 837df800 7435 837f0c00 742f 33c0 e9???????? 8b4f08 } - $sequence_3 = { 7cb9 eb09 ff15???????? 8945fc 8b45fc 5f 5e } - $sequence_4 = { 53 ff750c 8d443750 50 e8???????? 83c40c ff750c } - $sequence_5 = { ffd6 8d45e8 50 68???????? ff7508 e8???????? } - $sequence_6 = { 7559 ff15???????? 3dea000000 754c ff75fc 56 ff35???????? } - $sequence_7 = { 03d0 03d1 52 50 e8???????? 
83c40c b8ea000000 } - $sequence_8 = { 838b40010000ff 33f6 56 56 6a01 56 } - $sequence_9 = { eb05 8b450c 8938 395dfc 740e 57 53 } + $sequence_0 = { 5f c3 55 8bec 83ec2c 8b450c 53 } + $sequence_1 = { 57 57 6a01 ff7508 897df0 } + $sequence_2 = { 58 6a53 668945f4 58 668945f6 33c0 668945f8 } + $sequence_3 = { 8bec 53 56 57 be54010000 56 33ff } + $sequence_4 = { 6a02 5b 53 ff15???????? 8945b8 83f801 0f85ff060000 } + $sequence_5 = { ff75f4 ff75fc e8???????? 83c410 6800800000 } + $sequence_6 = { 57 57 57 6aff ff15???????? 8906 3bc7 } + $sequence_7 = { c7470401000000 89770c 8936 895f3c ff7024 b001 e8???????? } + $sequence_8 = { 5e 8bc1 5b 8be5 5d c20400 51 } + $sequence_9 = { 55 8bec 83ec14 53 8d45f8 50 68???????? } condition: 7 of them and filesize < 156672 
@@ -118841,36 +119542,36 @@ rule MALPEDIA_Win_Merdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "840879eb-651f-58a0-a9dd-c8bbbd75be85" - date = "2026-01-05" - modified = "2026-01-06" + id = "ce97ad18-dd6a-5d38-b1cb-6f602f074318" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.merdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.merdoor_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.merdoor_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "6ad90da4b59952ca06b1d837955ca9f12c104be55324a03e7aaa640c9c01019a" + logic_hash = "f624f566a05578274e6d537f288d926b01192f8176e72a7f99468f16d9fee3ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41 0fb7c0 47 663102 83c202 6683f908 72cf } - $sequence_1 = { e8???????? 83c40c 8934fd78f30110 eb07 56 e8???????? 59 } - $sequence_2 = { 5d c20400 c7875404000001000000 8b07 } - $sequence_3 = { 8d4590 50 8d45a4 50 ff15???????? } - $sequence_4 = { 75f9 2bca 51 8d85acfeffff 50 8d8d7cfcffff e8???????? } - $sequence_5 = { b91a000000 f7f9 80c261 eb10 e8???????? 99 } - $sequence_6 = { e8???????? 8987e4020000 c645fc02 8d55c0 b8fe000000 c745c0a3008d00 33c9 } - $sequence_7 = { 8dbb78030000 c785dcfdffff01000000 7204 8b07 eb02 8bc7 } - $sequence_8 = { e8???????? 
8987e4020000 c645fc02 8d55c0 b8fe000000 c745c0a3008d00 } - $sequence_9 = { 8b7310 8d4310 8b11 51 50 8d4508 } + $sequence_0 = { c787e802000000000000 e8???????? 8987e4020000 c645fc02 } + $sequence_1 = { 50 ff7608 ffd7 8986f8000000 83befc00000000 750f 8d45d0 } + $sequence_2 = { 8d85e6fdffff 50 c785bcfdffff00000000 c785c0fdffff00000000 e8???????? 33c0 } + $sequence_3 = { 8987b4020000 8d45c0 50 6a00 57 68???????? 6a00 } + $sequence_4 = { 84c0 75f9 2bca 51 8d8598fcffff } + $sequence_5 = { 8b5514 8b5d08 c745fc00000000 83790400 8955e0 8955d8 } + $sequence_6 = { 8bd8 894df8 8bd3 8b4b04 80790d00 7518 } + $sequence_7 = { c1e706 8b0485f0070210 83c00c 03c7 50 ff15???????? 33c0 } + $sequence_8 = { 8987b0020000 8d45f0 50 8d45a0 50 ff15???????? 50 } + $sequence_9 = { ffd6 89858cfdffff 8d45c0 50 57 ffd6 } condition: 7 of them and filesize < 307200 
@@ -118880,36 +119581,36 @@ rule MALPEDIA_Win_Wastedloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9b391e1-a439-5c84-8bc6-d01e7837fa3f" - date = "2026-01-05" - modified = "2026-01-06" + id = "77a2ade8-76ac-5489-9bb2-292337810980" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wastedloader_auto.yar#L1-L111" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wastedloader_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "f52a5046711dc64fff342d42959b67fac6d384f1f957f74196d547273f13eb4f" + logic_hash = "9f8caca5f314d306a16416a35fd4a4839e75a98e2820acfdeaabd9b8b5446868" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7444 eb00 686bb90000 ff15???????? } - $sequence_1 = { 7ed7 7488 09b31ced6185 1ce2 } - $sequence_2 = { e8???????? 3d1e050000 c10147 833b38 } - $sequence_3 = { a828 b409 1c04 e8???????? } - $sequence_4 = { 7aec e471 e8???????? 
0057bb 038919fc885d e479 } - $sequence_5 = { b9b5000000 8b55f8 66894a4c 8b45f8 } - $sequence_6 = { 8b45f8 66895056 b9b8000000 8b55f8 66894a58 8b45f8 0fb74858 } - $sequence_7 = { 0200 00e7 aa 53 } - $sequence_8 = { 2cbe 832061 5b 5b } - $sequence_9 = { 8b55f8 0fb7421e 83e854 8b4df8 6689411e ba86000000 } + $sequence_0 = { 8b4df8 0fb75156 83ea54 8b45f8 66895056 b9b8000000 } + $sequence_1 = { e74d b980344b51 7385 20e1 } + $sequence_2 = { 1008 a6 660f1b09 0000 a7 7280 011cfd80edc199 } + $sequence_3 = { 04ee 1dd1704c64 0ffda4e83d005d04 008b4c81d274 } + $sequence_4 = { 98 fc b54c 90 b182 7c80 } + $sequence_5 = { 6a3b 11c2 855cb412 8bb8181480c8 1808 007056 8b4c00f9 } + $sequence_6 = { 037fc1 00e4 1ac7 7240 ad 58 2448 } + $sequence_7 = { 6ac1 8b700b 2c85 a5 5b df8bd2687320 ef } + $sequence_8 = { 2430 8b1c24 a1???????? b6f6 ff4565 f9 } + $sequence_9 = { 1c34 83f4f0 0d844de3fd ff959ef9ff7b f34a 24f0 801abd } condition: 7 of them and filesize < 2677760 
@@ -118919,36 +119620,36 @@ rule MALPEDIA_Win_Pay2Key_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e07d004-8ab0-5ac0-b5f3-02a0577c17ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "52ae617d-90c8-59a4-a326-6f6d8bf7a495" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pay2key_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pay2key_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "bffaa691493d14e2f3352a01cee177c0e343912969f9938647f417173ef48232" + logic_hash = "0979f527206b0fbcd39ef7939d91af8f5875a83da45102ef8c9ab6d75ed03216" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c707???????? 5f 5e 8be5 5d c3 c6470400 } - $sequence_1 = { 0f8412000000 83a50ce6fffffe 8b8dfce5ffff e9???????? c3 } - $sequence_2 = { c60000 8d4540 6a00 50 e8???????? 
83ec18 c645fc05 } - $sequence_3 = { 8bce ff5004 8b45f0 8b4d0c 8907 8b4514 895f04 } - $sequence_4 = { 8d4e34 c645fc09 c741140f000000 c7411000000000 83791410 7204 8b01 } - $sequence_5 = { 8db758030000 8b4614 83f808 720b 40 8bce 50 } - $sequence_6 = { c7411000000000 8b4114 894754 c7411400000000 8b5d10 c745fc00000000 8b0b } - $sequence_7 = { c745fc01000000 8b4de0 85c9 7414 8b01 8b4010 ffd0 } - $sequence_8 = { 8886b2000000 c686b300000001 c7411407000000 c7411000000000 83791408 7204 8b01 } - $sequence_9 = { c645fc01 8d45a8 6a00 50 8d4dd8 c745ec0f000000 c745e800000000 } + $sequence_0 = { 8d45f4 64a300000000 c745fc00000000 8b7110 85f6 7421 83cfff } + $sequence_1 = { 8bf1 57 8b4604 85c0 7408 8b4004 } + $sequence_2 = { c74608???????? 8b4dfc b001 5f 33cd 5e e8???????? } + $sequence_3 = { ff75ec ff15???????? 8d4d90 e8???????? 8b4df4 64890d00000000 } + $sequence_4 = { 8b01 eb02 8bc1 33d2 6aff 668910 8d85c4000000 } + $sequence_5 = { 8b4d0c 8d45e4 50 e8???????? 8d4de4 c745fcffffffff } + $sequence_6 = { f30f7e00 660fd606 8b4008 894608 8b44241c 57 } + $sequence_7 = { eba9 807f0c00 740c 53 8bcf c6470c00 e8???????? } + $sequence_8 = { e8???????? 84c0 7520 8b4d0c 8d45e4 50 e8???????? } + $sequence_9 = { 8b32 8975f0 85db 7404 f0ff4304 8b7704 } condition: 7 of them and filesize < 2252800 
@@ -118958,101 +119659,100 @@ rule MALPEDIA_Win_Emotet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "590db82a-e64b-59fe-a363-cd344fccdc7b" - date = "2026-01-05" - modified = "2026-01-06" + id = "33448f21-f6aa-5ab5-a076-e899361a6743" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.emotet_auto.yar#L1-L618" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.emotet_auto.yar#L1-L626" license_url = "N/A" - logic_hash = "9ea1f202fdf175311dcb11b7b6f7efdcd86b6e87b055de16a61627e022c993b1" + logic_hash = "b2ed4a37d0b8ff43c68782f7ce4cae9390d09554938c29fc5dacea41bfa364e5" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3c41 7c04 3c5a 7e03 c60158 } - $sequence_1 = { 3c61 7c04 3c7a 7e0b 3c41 } + $sequence_0 = { 3c41 7c04 3c5a 7e03 c60158 41 } + $sequence_1 = { 7c04 3c7a 7e0b 3c41 7c04 3c5a } $sequence_2 = { 8a01 3c30 7c04 3c39 7e13 3c61 } - $sequence_3 = { 7e03 c60158 41 803900 } - $sequence_4 = { 3903 5f 5e 0f95c0 5b 8be5 } - $sequence_5 = { 83c020 eb03 0fb7c0 69d23f000100 } - $sequence_6 = { 880a 8bc1 c1e808 8d5204 } - $sequence_7 = { c1e910 8842fd 884afe c1e908 } - $sequence_8 = { 75f2 eb06 33c9 66894802 } - $sequence_9 = { c1e808 8d5204 c1e910 8842fd } - $sequence_10 = { 8d5801 f6c30f 7406 
83e3f0 } - $sequence_11 = { 8b16 8945fc 8d45f8 6a04 } - $sequence_12 = { 0faf4510 50 6a08 ff15???????? } - $sequence_13 = { 8901 8b477c 85c0 7448 } - $sequence_14 = { 8b4508 894dcc 8d4dc8 8945c8 8975d4 } - $sequence_15 = { 7448 8b00 2b878c000000 56 } - $sequence_16 = { 894630 8b45f8 01460c 294610 } - $sequence_17 = { 50 8d45f8 81ca00000020 50 52 } - $sequence_18 = { 48894808 48895010 4c894018 4c894820 c3 } - $sequence_19 = { 488bd3 488bcf 488b5c2460 4883c450 } - $sequence_20 = { 0fb7c1 c1e910 66c1e808 4d8d4004 } - $sequence_21 = { 418bd0 d3e2 418bcb d3e0 03d0 } + $sequence_3 = { 7e13 3c61 7c04 3c7a } + $sequence_4 = { c60158 41 803900 75dd } + $sequence_5 = { 33c0 3903 5f 5e 0f95c0 5b 8be5 } + $sequence_6 = { 83c020 eb03 0fb7c0 69d23f000100 } + $sequence_7 = { 75f2 eb06 33c9 66894802 } + $sequence_8 = { 8bc1 c1e808 8d5204 c1e910 8842fd } + $sequence_9 = { 8d5801 f6c30f 7406 83e3f0 83c310 } + $sequence_10 = { 8945c8 8975d4 8955d8 e8???????? } + $sequence_11 = { 8d45f8 6a04 50 ff760c 8d45fc } + $sequence_12 = { 50 8b4774 03878c000000 50 ff15???????? 017758 83c40c } + $sequence_13 = { 8b477c 85c0 7448 8b00 2b878c000000 56 8b775c } + $sequence_14 = { ff15???????? 017758 83c40c 29775c 8b477c 01b78c000000 8b8f8c000000 } + $sequence_15 = { 8bf1 ff15???????? 8b17 83c40c 8b4d0c 8bc2 } + $sequence_16 = { 50 8d45f8 81ca00000020 50 52 } + $sequence_17 = { 488bc4 48894808 48895010 4c894018 4c894820 c3 } + $sequence_18 = { 2bca d1e9 03ca c1e906 894c2430 } + $sequence_19 = { 66c1e808 4d8d4004 418840fd 418848fe 66c1e908 418848ff } + $sequence_20 = { 418808 0fb7c1 c1e910 66c1e808 4d8d4004 } + $sequence_21 = { 483bd8 730b 488bcb e8???????? 488bd8 } $sequence_22 = { d3e7 83f841 7208 83f85a } - $sequence_23 = { 4803c8 eb08 803900 7408 } - $sequence_24 = { 2bca d1e9 03ca c1e906 894d18 } - $sequence_25 = { 4d8d4004 418840fd 418848fe 66c1e908 418848ff 4d3bd9 72cf } - $sequence_26 = { 483bd8 730b 488bcb e8???????? 
} - $sequence_27 = { c1e807 41 83f87f 77f7 } - $sequence_28 = { f7e1 b84fecc44e 2bca d1e9 } - $sequence_29 = { 84c0 75f2 eb03 c60100 } - $sequence_30 = { 8bd3 8b0f e8???????? 85c0 } - $sequence_31 = { 83c104 894e04 8b00 85c0 } - $sequence_32 = { 7907 83c107 3bf7 72e8 } - $sequence_33 = { 0fb6c0 668942fa c1e910 0fb6c1 } - $sequence_34 = { 56 57 6a1e 8d45e0 } - $sequence_35 = { 52 52 52 52 68???????? 52 } - $sequence_36 = { 83ec48 53 56 57 6a44 } - $sequence_37 = { 83f87f 760d 8d642400 c1e807 } - $sequence_38 = { 83f87f 7609 c1e807 41 } - $sequence_39 = { 50 6a00 6a01 6a00 ff15???????? a3???????? } - $sequence_40 = { 6a00 6aff 50 51 ff15???????? } - $sequence_41 = { 50 6a00 ff75fc 6800040000 } - $sequence_42 = { 50 56 6800800000 6a6a } - $sequence_43 = { 53 56 8bf1 bb00c34c84 } - $sequence_44 = { 83ec08 56 68400000f0 6a18 33f6 56 56 } - $sequence_45 = { ff75fc 6800040000 6a00 6a00 6a00 } - $sequence_46 = { 8bec 83ec08 56 57 8bf1 33ff } - $sequence_47 = { 83ec10 53 6a00 8d45fc } - $sequence_48 = { 8bf1 bb00c34c84 57 33ff } - $sequence_49 = { 8b7d08 83fe00 8945f0 894dec 8955e8 8975e4 } - $sequence_50 = { 6a03 6a00 6a00 ff7508 53 50 } - $sequence_51 = { 56 57 00b807000000 008b45fc33d2 00b871800780 00558b ec } - $sequence_52 = { 8b55f4 01ca 89d6 83c60c 8b7df4 8b4c0f0c 83f900 } - $sequence_53 = { 56 8b4510 8b4d0c 8b5508 befbffffff c600e8 } - $sequence_54 = { 51 8d4df8 51 ff75f8 50 6a03 } - $sequence_55 = { 39c7 0f97c7 08fb f6c301 89f0 8945a4 } - $sequence_56 = { 8b466c 5f 5e 5b 8be5 5d } - $sequence_57 = { 8b7020 8b7840 89c3 83c33c } - $sequence_58 = { 31f6 89720c 897208 897204 } - $sequence_59 = { 7519 33c9 0f1f4000 0fb6840c30010000 } + $sequence_23 = { 488bd3 488bcf 488b5c2460 4883c450 } + $sequence_24 = { 66c1e908 418848ff 4d3bd9 72cf } + $sequence_25 = { 4803c8 eb08 803900 7408 48ffc9 } + $sequence_26 = { c1e807 41 83f87f 77f7 } + $sequence_27 = { f7e1 b84fecc44e 2bca d1e9 } + $sequence_28 = { 84c0 75f2 eb03 c60100 } + $sequence_29 = { 8bd3 8b0f e8???????? 
85c0 } + $sequence_30 = { 7907 83c107 3bf7 72e8 } + $sequence_31 = { 83c104 894e04 8b00 85c0 75f4 } + $sequence_32 = { 52 52 52 68???????? 52 } + $sequence_33 = { 83ec48 53 56 57 6a44 } + $sequence_34 = { 83f87f 760d 8d642400 c1e807 } + $sequence_35 = { b901000000 83f87f 7609 c1e807 41 } + $sequence_36 = { 6a00 6aff 50 51 ff15???????? } + $sequence_37 = { 50 6a00 6a01 6a00 ff15???????? a3???????? } + $sequence_38 = { 6a00 ff75fc 6800040000 6a00 } + $sequence_39 = { 50 56 6800800000 6a6a } + $sequence_40 = { 53 56 8bf1 bb00c34c84 } + $sequence_41 = { 56 68400000f0 6a18 33f6 56 56 } + $sequence_42 = { 6a00 6a00 ff7508 53 50 } + $sequence_43 = { 8b4d0c 8b5508 befbffffff c600e9 29d6 } + $sequence_44 = { ff75f8 50 6a03 6a30 } + $sequence_45 = { 55 89e5 56 8b4510 8b4d0c } + $sequence_46 = { 83ec10 53 6a00 8d45fc } + $sequence_47 = { 8bf1 bb00c34c84 57 33ff } + $sequence_48 = { 008b45fc33d2 00b871800780 00558b ec 8b450c 00558b ec } + $sequence_49 = { 83fe00 8945f0 894dec 8955e8 } + $sequence_50 = { 55 8bec 83ec08 56 57 8bf1 33ff } + $sequence_51 = { 8d4df0 51 8d4df8 51 ff75f8 } + $sequence_52 = { 9c 50 51 52 01c8 } + $sequence_53 = { 89e5 648b0d18000000 8b4130 83b8a400000006 } + $sequence_54 = { 8b466c 5f 5e 5b 8be5 5d } + $sequence_55 = { 8b7020 8b7840 89c3 83c33c } + $sequence_56 = { 89e2 31f6 89720c 897208 } + $sequence_57 = { c605????????00 0fb6d8 e8???????? 0fb6c3 } + $sequence_58 = { 743e 8b5c2430 85db 741d } + $sequence_59 = { 84c0 7519 33c9 0f1f4000 0fb6840c30010000 } $sequence_60 = { ff15???????? 83f803 7405 83f802 751e } - $sequence_61 = { 743e 8b5c2430 85db 741d } - $sequence_62 = { 31c9 89e2 31f6 89720c } - $sequence_63 = { 33d2 c605????????00 0fb6d8 e8???????? } - $sequence_64 = { 8bf8 e8???????? eb04 8b7c2430 } - $sequence_65 = { e8???????? 84c0 7519 33c9 } - $sequence_66 = { 81fecd000000 7740 0fb6b62043e601 ff24b50443e601 884801 80ca04 } - $sequence_67 = { e9???????? 
8b84248c000000 f20f10842490000000 31c9 } - $sequence_68 = { 89e8 894c247c 8b8c2480000000 01c8 83c1c0 } - $sequence_69 = { 744b 488d15583f0000 488bc8 e8???????? 4885c0 742f } - $sequence_70 = { 488b43f8 4c8d4be0 4889442428 8b03 498d55ff 4c8d05ce3f0000 89442420 } - $sequence_71 = { c744240400000000 8954240c e8???????? 8d0d2231d800 890424 } - $sequence_72 = { 53 57 56 83ec44 8b442454 8d0d5830d800 } - $sequence_73 = { dd5c2450 f20f10442450 8b442444 8b4838 } - $sequence_74 = { 8bcc 8bd0 895c2420 e8???????? 44 8bc3 48 } + $sequence_61 = { 8bf8 e8???????? eb04 8b7c2430 } + $sequence_62 = { 89442440 894c243c e8???????? dd5c2448 f20f10442448 } + $sequence_63 = { 83f80a 0f28ca f20f11942480000000 f20f114c2458 89442454 0f84fcfeffff } + $sequence_64 = { 488d158d130000 6644392b 7407 488d15fc110000 } + $sequence_65 = { 57 e8???????? ff15???????? 8bf8 8bc6 } + $sequence_66 = { 0fb75614 8b74245c 01f2 89cf 89cb } + $sequence_67 = { 32db e8???????? 48 8be8 48 83f8ff 0f84c0000000 } + $sequence_68 = { 488d15583f0000 488bc8 e8???????? 4885c0 } + $sequence_69 = { 8b54246c 894c2434 ffd2 83ec10 31c9 ba78000000 8b742478 } + $sequence_70 = { 4889442428 488d154c2d0000 4533c0 48895c2420 } + $sequence_71 = { 89442438 8b442478 813c3850450000 0f44f5 895e34 890424 c744240400040000 } + $sequence_72 = { 8b4c2418 4d 8b442410 49 8b542408 49 } + $sequence_73 = { 8944241c ffd0 83ec04 89e1 c701???????? 8b4c241c } condition: 7 of them and filesize < 733184 
@@ -119062,36 +119762,36 @@ rule MALPEDIA_Win_Http_Troy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "95fd4364-0c49-5029-9362-b053f1981ad0" - date = "2026-01-05" - modified = "2026-01-06" + id = "6011a7c1-7091-5196-9758-6de95f0ab9f2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.http_troy_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.http_troy_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "f51f643b968f327406be07b32339103de989865626147227f095521c9d0409e5" + logic_hash = "488bde7398d50562c8fe6443248710e21d8c716d51fd04bb9e07c7350be1de5b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c9 894c241d 8d443bfb 3be8 66894c2421 8bf5 c644241c00 } - $sequence_1 = { 895e70 899e90000000 895e74 750a 5e b800000100 } - $sequence_2 = { 8d442414 50 8d4c241c 51 6a00 6a00 6a00 } - $sequence_3 = { 33f1 33f0 03f3 8dbc37a9cfde4b 8bf7 c1e70b 8b5c2430 } - $sequence_4 = { e8???????? 83c418 ff7508 e8???????? 83c404 833d????????00 752c } - $sequence_5 = { 0bd3 4f 8956fc 75da } - $sequence_6 = { e8???????? 59 83e6fb e9???????? 84c3 0f84d8000000 f6451008 } - $sequence_7 = { 6802000080 c744242800000000 ff15???????? 
8b542418 8d442408 } - $sequence_8 = { 8d8c2478010000 51 ffd6 b801000000 8b8c2414110000 e8???????? 5f } - $sequence_9 = { 6a00 68???????? e8???????? 8b54241c 83c404 50 52 } + $sequence_0 = { 85c0 57 741b e8???????? 83c404 68c0d40100 } + $sequence_1 = { 83c404 50 57 ffd6 a3???????? 68???????? } + $sequence_2 = { 8d8c2434030000 6800040000 51 e8???????? 8d84243c030000 83c40c 8d5001 } + $sequence_3 = { dd5df0 dd45f0 eb20 8b4d0c dd01 dc1d???????? dd05???????? } + $sequence_4 = { 0fa2 8945e0 895dec 8955f0 894df4 } + $sequence_5 = { e8???????? 8b8c24ec140000 83c410 b864000000 e8???????? 5f 5e } + $sequence_6 = { 75cd eb06 46 89748c1c 41 894c240c 8b442414 } + $sequence_7 = { 6a00 6840004804 6a00 6a00 6a00 51 68???????? } + $sequence_8 = { 8b4518 0f8b89000000 dd05???????? 33f6 46 e9???????? 394d14 } + $sequence_9 = { c3 8b8c244c080000 33c0 e8???????? 5f 5e 5b } condition: 7 of them and filesize < 475136 
@@ -119101,57 +119801,57 @@ rule MALPEDIA_Win_Broomstick_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1ab4b8f8-6d0d-5d71-8cc9-a6fff05006b5" - date = "2026-01-05" - modified = "2026-01-06" + id = "031d3005-b442-55d4-8d83-1a297eb7be2c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.broomstick_auto.yar#L1-L284" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.broomstick_auto.yar#L1-L269" license_url = "N/A" - logic_hash = "0c1a3ef9abdd4d0302256ec532496054e8db7eaa8ec35bdd017317b264a8cb67" + logic_hash = "b9e0193d35c0132cc23484b7b930b099a5ae3a5afda8520f3677e1992f92723f" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 2bc2 83c002 99 83e203 03c2 } - $sequence_1 = { 03f0 56 e8???????? 8b45dc 83c40c c6040600 eb10 } - $sequence_2 = { 83c40c c6040600 eb10 c645dc00 ff75dc 51 8d4dc0 } + $sequence_0 = { 76f3 2bc2 83c002 99 83e203 03c2 c1f802 } + $sequence_1 = { 8b75d0 2bc6 894ddc 51 } + $sequence_2 = { 0fb608 40 80b9????????3f 76f3 2bc2 } $sequence_3 = { c6400100 8808 eb13 ff75e8 } $sequence_4 = { 51 50 51 8bce e8???????? 
8b4dec } - $sequence_5 = { 83c408 33c0 c7467000000000 c7467407000000 66894660 } - $sequence_6 = { 8b45d4 8b75d0 2bc6 894ddc 51 52 } - $sequence_7 = { 80b9????????3f 76f3 2bc2 83c002 } - $sequence_8 = { 49898688150400 488d4c2428 ffd5 48b80b8b55f8b9616cd5 } - $sequence_9 = { ba01000000 488bcf ff15???????? ba32ac0600 488bcf ff15???????? } - $sequence_10 = { 488d4d38 e8???????? 0f57c0 0f114518 } - $sequence_11 = { 498986876a0300 4889f1 ba07000000 488b2d???????? } - $sequence_12 = { 49898687650300 488d4c2428 41ffd4 4889f1 } - $sequence_13 = { 4c2bc1 ba2c000000 e8???????? 488bc8 4885c0 } - $sequence_14 = { ba01000000 488bcf ff15???????? ba08000000 488bcf ff15???????? 48b8e01fcd305c98c076 } - $sequence_15 = { ba01000000 488bcf ff15???????? ba58000000 488bcf ff15???????? } - $sequence_16 = { ba01000000 488bcf ff15???????? ba3a867600 488bcf ff15???????? } - $sequence_17 = { ba01000000 488bcf ff15???????? ba0a000000 488bcf ff15???????? } - $sequence_18 = { ba01000000 488bcf ff15???????? ba5a000000 488bcf ff15???????? } - $sequence_19 = { 498986876b0300 488d4c2428 41ffd7 4d89fc } - $sequence_20 = { 49898688160400 b917d46400 41ffd4 4889c7 } - $sequence_21 = { 49898688320300 b9bc474300 41ffd4 4889c7 } - $sequence_22 = { 0f114540 4c896d50 4c896d58 4533c0 } - $sequence_23 = { 4c8d053e920100 488bc2 83e23f 48c1f806 488d0cd2 } - $sequence_24 = { ba01000000 488bcf ff15???????? ba31e7ca00 488bcf ff15???????? } - $sequence_25 = { 488d056cc10200 488907 488d057ac10200 0f104318 488b5c2430 } - $sequence_26 = { ba01000000 488bcf ff15???????? ba6ef90b00 488bcf ff15???????? } - $sequence_27 = { 49898688140400 4889f1 4889fa 4c8b3d???????? } - $sequence_28 = { 48c7457807000000 0f1006 0f114560 e9???????? } - $sequence_29 = { 498986876c0300 4889f9 4c8b3d???????? 41ffd7 } - $sequence_30 = { 498bc6 4d8bee 49c1fd06 4c896dc7 488d0d8f3afeff } + $sequence_5 = { 33c0 c7467000000000 c7467407000000 66894660 } + $sequence_6 = { 56 e8???????? 8b45dc 83c40c c6040600 eb10 } + $sequence_7 = { 51 50 e8???????? 
83c408 33c0 c7467000000000 } + $sequence_8 = { ba01000000 488d8120630400 ffd0 488b05???????? } + $sequence_9 = { 49898688150400 488d4c2428 ffd5 48b80b8b55f8b9616cd5 } + $sequence_10 = { 49898688410300 b9f0712400 4c8b25???????? 41ffd4 } + $sequence_11 = { 49898688430300 4889f1 ba97000000 41b8cb000000 } + $sequence_12 = { 49898688140400 4889f1 4889fa 4c8b3d???????? 41ffd7 4889f1 ba0a000000 } + $sequence_13 = { ba01000000 488bf8 ff15???????? 488d8d80050000 } + $sequence_14 = { 488d15e9640100 ff15???????? 4885c0 7412 49ba707b5a5e9b8701a2 } + $sequence_15 = { 49898688360300 488d4c2420 41ffd7 4889f1 } + $sequence_16 = { 49898688160400 b917d46400 41ffd4 4889c7 } + $sequence_17 = { ba01000000 488bd8 ff15???????? 488bd6 } + $sequence_18 = { ba01000000 49898602940300 488bcf 48b81e53fbe65dc7397c } + $sequence_19 = { ba01000000 488bf0 ff15???????? 4533c9 } + $sequence_20 = { 488d1500520300 eb2a 418bc8 e8???????? 0f57c0 } + $sequence_21 = { ba01000000 488bcf ff15???????? ba32ac0600 488bcf } + $sequence_22 = { ba01000000 49898612ff0300 488bcf 48b81f58d5789b9e337f } + $sequence_23 = { 48c1e203 490314de eb07 488d15e5150200 } + $sequence_24 = { e8???????? 488b442420 4c8b4818 4d85c9 } + $sequence_25 = { 83f801 7516 488d05a2ab0100 488b4c2430 483bc8 } + $sequence_26 = { ba01000000 49898565230300 488bce 48b8234a9581780326f6 } + $sequence_27 = { 4c89bc2460100000 ff15???????? 4c8bf8 4885c0 } + $sequence_28 = { 49898688320300 b9bc474300 41ffd4 4889c7 } + $sequence_29 = { 49898688420300 48b8111ed81f4f83a99f 49898690420300 488d4c2420 } + $sequence_30 = { 4c2bc0 ba22000000 488bc8 e8???????? 4885c0 } condition: 7 of them and filesize < 1567744 
@@ -119161,36 +119861,36 @@ rule MALPEDIA_Win_Ice_Cache_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2bb6d9ef-4306-54f0-bb68-5fe8abb99071" - date = "2026-01-05" - modified = "2026-01-06" + id = "c8cd297c-ec1f-5fc6-b8b2-e35339b31f52" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_cache" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ice_cache_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ice_cache_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "257ed7cb63e1c0858485a90386f353a13f9ab5e026a2c8483909741253dfdd4d" + logic_hash = "559e40e472e46ff9d60659226f58c40932b63678bb97da17fd2e5e3c180662d8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4156 4157 4883ec30 488b19 498be8 4c8bf2 } - $sequence_1 = { 488bd9 4885c0 7479 488d0d0a520200 483bc1 746d 488b83e0000000 } - $sequence_2 = { 33d2 498bce e8???????? 90 488d8c24080f0000 e8???????? e9???????? } - $sequence_3 = { 0f114a10 4c894110 48c741180f000000 448801 44894220 4883c420 } - $sequence_4 = { 48f7d0 493bc6 0f8694000000 48897c2430 4a8d3c01 4d85f6 746d } - $sequence_5 = { 488b542448 488d4c2448 e8???????? e8???????? e8???????? 
0fb6c3 488b4c2468 } - $sequence_6 = { 744c 0fb618 48ffc0 48894710 83fbff 7440 } - $sequence_7 = { 74e8 488bd8 4889442470 493bdf 7410 488d5320 498bce } - $sequence_8 = { 7536 4c8bc7 488d1502700300 660f1f440000 0fb702 663901 } - $sequence_9 = { 418bf0 4c8d0d0f870100 8bda 4c8d05fe860100 } + $sequence_0 = { 84c0 0f844e010000 48897b10 48837b1810 7205 488b03 eb03 } + $sequence_1 = { 4883ec28 488d0d5db40400 ff15???????? 488d0df0b50400 ff15???????? 488d0d8bb40400 ff15???????? } + $sequence_2 = { 754f 498b4010 80781900 7525 488bd8 488b00 80781900 } + $sequence_3 = { 48894d68 48c7457007000000 66894d58 4883cbff 488b4588 48394810 } + $sequence_4 = { e8???????? 4c8d0db1830100 b915000000 4c8d059d830100 } + $sequence_5 = { 4c8bc7 488d55f7 488d4d97 e8???????? 488b7df7 8b45e7 } + $sequence_6 = { 4d897c2410 49c744241807000000 6645893c24 eb03 4533ff 4c8b45d8 4983f808 } + $sequence_7 = { e8???????? 4885db 7528 488d0d5c450400 e8???????? 488b1d???????? } + $sequence_8 = { 7458 837c245000 7651 4c89742420 4c8d4c2454 41b800100000 488d9580000000 } + $sequence_9 = { 90 488bd0 488d8c24180a0000 e8???????? 90 41b101 4c8bc3 } condition: 7 of them and filesize < 801792 
@@ -119200,36 +119900,36 @@ rule MALPEDIA_Win_Maoloa_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "afa3d79b-4a68-539f-9bf1-2fbe13d229d7" - date = "2026-01-05" - modified = "2026-01-06" + id = "fcd0291c-63b4-5084-b54e-a5edfb0609c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.maoloa_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.maoloa_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "6927aeeb8c5b24487b9e82b9c7317d430a704e39d7308aabba00107302314472" + logic_hash = "64f56eccd30c53f745e880b39b68eadc4cdfe37108ec2500bd2ddfd24f541a7a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8d4c241c e8???????? 8bf0 83c404 85f6 7524 0f10842468010000 } - $sequence_1 = { 90 ff0f 8d4dd8 33d2 e8???????? 8bf0 85f6 } - $sequence_2 = { 53 ff15???????? 85c0 7595 53 } - $sequence_3 = { 8b4d0c 81ff00040000 7615 5f b8fcffffff 5b 8b4dfc } - $sequence_4 = { 897018 8bcb 895d08 c1e918 89581c 0fb69998f14200 8b4d08 } - $sequence_5 = { 8b45f4 8d1c9f 338310100000 81c710100000 314df0 8945f4 8b45ac } - $sequence_6 = { 8d4dd8 33d2 e8???????? 8bf0 85f6 0f85dc010000 837dbc01 } - $sequence_7 = { c3 8b4d9c 53 52 33d2 e8???????? 
} - $sequence_8 = { 8bc6 c1e002 50 8b85b4f8ffff 0fb70485cc444200 8d0485c83b4200 } - $sequence_9 = { 8bf0 6a08 6a08 89742430 e8???????? 83c410 } + $sequence_1 = { 8b35???????? ffd6 ff37 8d85c8f3ffff 50 ffd6 68???????? } + $sequence_2 = { 6a00 8d45f8 50 ff7508 ff75fc 56 ff15???????? } + $sequence_3 = { 8901 8bc2 8b4db8 c1e017 c1fa09 33c2 8b957cffffff } + $sequence_4 = { b9f0ffffff 894dfc e9???????? 8b4304 3bc1 7360 } + $sequence_5 = { 8bf8 83c404 85ff 750a 8b4dc8 0f1045ec } + $sequence_6 = { 03da 33c3 23c7 8dbaf8a3effc 33c2 05ed145a45 0345e0 } + $sequence_7 = { 6bc830 8b0495d8ed4200 f644082801 7414 8d4508 8945fc 8d45fc } + $sequence_8 = { 85c9 7460 85ff 0f84c6000000 51 8d4de8 e8???????? } + $sequence_9 = { 7416 83f002 d1f8 8945b8 a801 } condition: 7 of them and filesize < 586752 
@@ -119239,42 +119939,42 @@ rule MALPEDIA_Win_Pebbledash_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5b2e91f-ba86-5aee-a150-1a0e9285e25b" - date = "2026-01-05" - modified = "2026-01-06" + id = "32741f62-64dd-567f-aa49-1cc4f42738e6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pebbledash_auto.yar#L1-L181" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pebbledash_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "e36d4a9a300e40c4a3570c6f2230ff5d0e8e8c772444b2ae33bda786b301ae99" + logic_hash = "1e51e4ff96dae4383b4a305d8c94bc69f42ea75b074b6acbec6bd629d39626bd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 50 b9???????? e8???????? 85c0 7514 } - $sequence_1 = { 5e c3 55 8b6c2408 56 33f6 8b4d00 } - $sequence_2 = { e8???????? 6888130000 ff15???????? b9???????? e8???????? 68???????? e8???????? } - $sequence_3 = { 832000 a1???????? a3???????? c3 8b442404 a3???????? } - $sequence_4 = { 5b 5e 5f c9 c3 6a01 ff742408 } - $sequence_5 = { e8???????? 33d2 b90e000000 f7f1 } + $sequence_1 = { 5b 5e 5f c9 c3 6a01 ff742408 } + $sequence_2 = { 894604 5e c3 55 8bec 833d????????00 750f } + $sequence_3 = { e8???????? 6888130000 ff15???????? b9???????? e8???????? 68???????? e8???????? 
} + $sequence_4 = { a1???????? a3???????? c3 8b442404 a3???????? c3 } + $sequence_5 = { 5e c3 55 8b6c2408 56 33f6 8b4d00 } $sequence_6 = { 6829080000 68???????? 68???????? e8???????? } - $sequence_7 = { 5e c3 55 8bec 833d????????00 750f } - $sequence_8 = { 41894e04 0fb64209 0fb64a08 c1e108 0bc8 0fb6420a c1e108 } - $sequence_9 = { 4c8bf1 488bf1 85c0 bd01000000 0f44c5 41c1e008 8905???????? } - $sequence_10 = { c1e108 0bc8 0fb6420b c1e108 0bc8 41894e08 0fb6420d } - $sequence_11 = { 0fb64201 4c8db100010000 0fb63a 4c8d258fdaffff 440fb65a04 4d8be8 440fb64a08 } - $sequence_12 = { 66420f6e4ccb10 4b8d0c5b 660f6e5ccb10 4183c308 4c8d0440 66420f6e54c310 8d47ff } - $sequence_13 = { 41c1e008 8905???????? 0fb64201 440bc0 0fb64202 41c1e008 } + $sequence_7 = { e8???????? 33d2 b90e000000 f7f1 } + $sequence_8 = { 0f44c5 41c1e008 8905???????? 0fb64201 440bc0 0fb64202 41c1e008 } + $sequence_9 = { 41894e08 0fb6420d 0fb64a0c c1e108 } + $sequence_10 = { e8???????? 498bcc 85c0 7512 e8???????? } + $sequence_11 = { 8b4118 894604 8b411c 894608 8b01 } + $sequence_12 = { e8???????? 4533c9 4c89742430 c744242880000000 } + $sequence_13 = { e8???????? 488d542440 488bce ffd0 85c0 } $sequence_14 = { 415e 415d 415c 5d c3 498bcc e8???????? } - $sequence_15 = { e8???????? 488b0d???????? 33d2 ffd0 85c0 } + $sequence_15 = { 33c9 4889742438 4889742430 89742428 89742420 ffd0 } condition: 7 of them and filesize < 677888 
@@ -119284,36 +119984,36 @@ rule MALPEDIA_Win_Unidentified_113_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "026f5486-b8e6-5386-ab78-8b52aa522545" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d0296bf-baaf-53a4-9aeb-8da6b1c4565e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_113" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_113_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_113_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "c4dbb7c789bd37f81bad9c32be7e0c5fc26b7a85c7d9e53aaac6f7a0dd9d408f" + logic_hash = "397c4f2ff62087eb02ce1bb7f9b6c0b1271d057b9a04c7531d9630cd496233bf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 be08000000 e9???????? 83f904 0f82a2000000 807c19fe3e } + $sequence_0 = { eb07 c7470400000000 0fb602 83e801 7419 83e801 7409 } $sequence_1 = { ff742434 ff15???????? ff74243c ff15???????? 57 ff15???????? 8b8c2468030000 } - $sequence_2 = { e8???????? 83c40c 8b4c2410 83c502 83d100 894c2410 85c0 } - $sequence_3 = { ff74242c 55 57 e8???????? 55 8bf8 e8???????? } - $sequence_4 = { ffd6 ff742414 ffd6 8b8c247c040000 5e 33cc e8???????? } - $sequence_5 = { ff7630 e8???????? 6a38 6a00 56 e8???????? 8b4710 } - $sequence_6 = { ff15???????? 
8bd8 899da0feffff 85db 0f84fc030000 0f1f440000 ff15???????? } - $sequence_7 = { e8???????? 89442424 83c408 8bc7 837c241c00 0f44d8 53 } - $sequence_8 = { c785acf3ffff00000000 0fb608 8bd1 c785b0f3ffff00000000 c785b4f3ffff00000080 83ea01 741d } - $sequence_9 = { ff7020 8d44242c 50 8b442434 50 8b4020 ffd0 } + $sequence_2 = { 8b7704 8b442418 8b0e 8b5140 83f807 750d 8b44241c } + $sequence_3 = { c707ffffffff c6470400 c7470800000000 c7470c00000000 85f6 7421 83cfff } + $sequence_4 = { ffd1 56 e8???????? 8b742424 83c414 eb53 83bdc800000001 } + $sequence_5 = { c744881000000000 eb70 8b94242c010000 837a0800 7467 8d0489 8b8c2434010000 } + $sequence_6 = { ff15???????? 83c40c c786000d000000000000 5e 5f 5d 8bc3 } + $sequence_7 = { c745fcffffffff 83c408 8b55e4 83fa08 72c2 8b4dd0 8d145502000000 } + $sequence_8 = { ff15???????? 83c410 83be240d000000 0f8449030000 8b6c2418 8d442434 50 } + $sequence_9 = { c7442438e0ec0a10 50 c744244070fe0a10 c744244400000000 89542438 894c2450 e8???????? } condition: 7 of them and filesize < 4707328 
@@ -119323,42 +120023,42 @@ rule MALPEDIA_Win_Usbferry_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "099a1369-e001-5f55-b4f6-6858d99ec27a" - date = "2026-01-05" - modified = "2026-01-06" + id = "7d09bc56-455f-5960-897e-c3b7455498c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.usbferry_auto.yar#L1-L163" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.usbferry_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "a271aa110aa02149e584931e66f43eb3286c2529fb4319139aeea9b3438deb58" + logic_hash = "0945567a57779bec5e838aa3a56e2d7838def15ae0fcfa557a1da9b07da9a13a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3c4c 750c 0fbec0 42 89442428 } - $sequence_1 = { 83c40c c785b0f7ffff44000000 c785dcf7ffff01000000 33d2 } - $sequence_2 = { ff5018 8bf0 83feff 7504 } - $sequence_3 = { 33c5 8945fc c645f463 c645f56d } - $sequence_4 = { 8b15???????? 8bcb ff7210 898214010000 } - $sequence_5 = { 88441de0 8a0439 88441de1 83c302 } - $sequence_6 = { 83c40c 8d85c4e9ffff 50 a1???????? ff90a4000000 } - $sequence_7 = { e8???????? 8b459c 807b0c67 750c 85c0 } - $sequence_8 = { 8981c8000000 8b09 e8???????? 8b0d???????? } - $sequence_9 = { 8b45cc e9???????? 8b55e0 52 ff15???????? 
837d1401 0f8583000000 } - $sequence_10 = { 50 e8???????? 83c40c 8b4d08 51 8d55f4 } - $sequence_11 = { 7547 6a04 8d4d1c 51 8b5514 52 } - $sequence_12 = { 50 8d8db0f7ffff 51 6a00 6a00 6800000008 6a00 } - $sequence_13 = { c645b45c c645b54d c645b669 c645b763 } - $sequence_14 = { 83c009 eb4d 84db 0f94c0 83c00b eb43 } - $sequence_15 = { c3 3b0d???????? f27502 f2c3 f2e960030000 55 } + $sequence_0 = { 56 ff5134 33c0 40 5b 8b4dfc } + $sequence_1 = { 0f8583000000 8b4518 8945d8 8b4dd8 } + $sequence_2 = { 8bd7 8d8df8fbffff e8???????? eb5b 6800040000 8d8df8f7ffff } + $sequence_3 = { 742c 8b4de0 51 ff15???????? c745c000000000 } + $sequence_4 = { c685b5faffff69 c685b6faffff6d c685b7faffff20 c685b8faffff00 68ef030000 } + $sequence_5 = { 0f570d???????? c645a72d eb14 f6c104 7406 } + $sequence_6 = { 8bec 81ec880a0000 a1???????? 33c5 8945fc 56 57 } + $sequence_7 = { 57 8d45fb c645fb00 50 8bce e8???????? } + $sequence_8 = { c645c069 c645c16e c645c264 c645c36f c645c477 } + $sequence_9 = { 83c40c 6a00 6a2e 8d8da8feffff } + $sequence_10 = { 8a02 8845df 8345d801 807ddf00 75ee 8b4dd8 2b4dc8 } + $sequence_11 = { 838598f5ffff01 80bda1f5ffff00 75e2 8b9598f5ffff 2b9588f5ffff 8b8588f5ffff 89857cf5ffff } + $sequence_12 = { d3e0 844415e0 75d9 8bfe } + $sequence_13 = { 8bc6 f7f3 8bf0 8a043a 88440da4 } + $sequence_14 = { ffb5acfaffff e8???????? 59 59 eb1e } + $sequence_15 = { 83ceff 89542410 8944240c 89742418 80f930 } condition: 7 of them and filesize < 638976 
@@ -119368,48 +120068,49 @@ rule MALPEDIA_Win_Anchor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bb15263f-399c-5701-ae36-ae60623792e3" - date = "2026-01-05" - modified = "2026-01-06" + id = "6d13839a-1ec1-504f-9a24-f75e63119b5e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.anchor_auto.yar#L1-L210" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.anchor_auto.yar#L1-L211" license_url = "N/A" - logic_hash = "00f136c31d3ac19e1483ba5e1be1e038dd18c931fe522c85d8ea96a7f9411021" + logic_hash = "5bbbe06646a03dc8328467a298828d31e85ca378152e4d97a6baf9d0107bf3bd" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c6400365 eb0a 66c74001646c c640036c } - $sequence_1 = { 740c 66c740016578 c6400365 eb0a } - $sequence_2 = { 8bf8 f7e6 0f90c1 f7d9 0bc8 51 e8???????? } - $sequence_3 = { c1e102 51 6a00 50 a3???????? e8???????? } - $sequence_4 = { b001 5d c3 e9???????? 6a0c 68???????? e8???????? } - $sequence_5 = { 66894818 33c9 8b4608 6689581a 8b4608 5b } - $sequence_6 = { 33c9 8b461c 6689781a 8b461c 5f } - $sequence_7 = { 50 56 e8???????? 83bde8feffff10 8d85d4feffff } - $sequence_8 = { b101 e8???????? e8???????? 
84c0 } - $sequence_9 = { 0bc1 4898 488d0d12920200 488b5528 } - $sequence_10 = { 4889842440140000 488bd9 4c63d2 498bc2 418be9 48c1f806 488d0db8020100 } - $sequence_11 = { 03c2 c1f802 6bc003 894504 } - $sequence_12 = { 034524 3b8520010000 760c c785f400000001000000 } - $sequence_13 = { 4881e9c0000000 48c1e108 4803c8 8bc1 488d9405bf090000 eb0c 8bc7 } - $sequence_14 = { 0bc1 488b4d48 8801 488b4548 } - $sequence_15 = { 03c8 8bc1 8985a4000000 488d8da8010000 } - $sequence_16 = { 498bcf e8???????? 498bc7 488b8d90000000 } - $sequence_17 = { 7ce8 488b4350 4903d1 b945000000 66890c50 } - $sequence_18 = { 488bfa 7203 488b3a ba20000000 488bcf e8???????? 33db } - $sequence_19 = { 00040f 830905 0000 83bd641a0000ff } + $sequence_0 = { 66c740016578 c6400365 eb0a 66c74001646c } + $sequence_1 = { e8???????? 660f6ec0 f30fe6c0 f20f5e05???????? f20f5905???????? e8???????? } + $sequence_2 = { 33c9 8bf8 f7e6 0f90c1 f7d9 0bc8 51 } + $sequence_3 = { 33c9 8b4608 6689581a 8b4608 5b 6689481c } + $sequence_4 = { 66894830 33c9 8b4610 66894832 } + $sequence_5 = { f2e965020000 e9???????? 53 56 57 6a00 68a00f0000 } + $sequence_6 = { 56 e8???????? 8b30 833e00 } + $sequence_7 = { b101 e8???????? e8???????? 84c0 } + $sequence_8 = { 66894304 33c0 6a01 894306 } + $sequence_9 = { 0bc1 488b4d48 8801 488b4548 } + $sequence_10 = { 4c89742420 4c8d4dbb 4533c0 488b4d2f ff15???????? 8b4db7 } + $sequence_11 = { 00040f 830905 0000 83bd641a0000ff } + $sequence_12 = { 85c0 0f8401010000 488d05bffd0000 4a8b04e8 42f644303880 } + $sequence_13 = { 488b4338 6689480c 8d4f53 488b4338 6689480e } + $sequence_14 = { 03c2 c1f802 6bc003 894504 } + $sequence_15 = { 0bc1 4898 488d0d12920200 488b5528 } + $sequence_16 = { 66894810 8d4f7a 488b4320 6644894812 } + $sequence_17 = { 03c8 8bc1 8985a4000000 488d8da8010000 } + $sequence_18 = { e8???????? 90 488d0d06f50000 e9???????? 
} + $sequence_19 = { 4903c9 488b4360 418d5012 66891448 488b4360 66897c4802 } $sequence_20 = { 05e0930400 894544 8b5544 488b4508 } $sequence_21 = { 0000 83bd641a0000ff 0f85fc040000 c6859412000000 } + $sequence_22 = { 034524 3b8520010000 760c c785f400000001000000 } condition: 7 of them and filesize < 778240 
@@ -119419,36 +120120,36 @@ rule MALPEDIA_Win_Wndtest_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fa7e1d3e-ff37-533f-8f3a-ddc800dad583" - date = "2026-01-05" - modified = "2026-01-06" + id = "fcffc60e-f5cd-56f2-814b-65667e5a4113" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wndtest_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wndtest_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "e52dae40ef4794c37daf120253466cc3a5d1ee85941c6b51e3b69e035267f66f" + logic_hash = "75cda83c1b6534e75db20e65d99b9945bb4b394b3d0ced556f8b38455e701786" score = 50 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89461c 8907 894704 894708 89470c 894710 } - $sequence_1 = { 8945fc eb03 8b45fc 8b5d08 } - $sequence_2 = { 53 6a00 ff15???????? 6a0d ff15???????? } - $sequence_3 = { 8b4de8 41 51 e8???????? 83c404 } - $sequence_4 = { 5e 8be5 5d c3 880c3e 5f 5e } - $sequence_5 = { 6805010000 e8???????? 83c404 6804010000 8bd8 53 6a00 } - $sequence_6 = { 33c9 8d460a ba02000000 f7e2 0f90c1 f7d9 } - $sequence_7 = { 50 56 ffd7 a3???????? 8b0d???????? 8b15???????? 
} - $sequence_8 = { 46 895dfc 3b750c 7cbe 5f } - $sequence_9 = { c3 880c3e 5f 5e } + $sequence_0 = { 7429 833d????????00 7420 833d????????00 7417 85c0 7413 } + $sequence_1 = { 894618 89461c 8907 894704 } + $sequence_2 = { 8d481f 8d5020 90 f6c301 } + $sequence_3 = { 894704 894708 89470c 894710 8d41f8 83c408 83f80a } + $sequence_4 = { 8d55e0 52 ffd3 6a00 } + $sequence_5 = { 895004 8b0d???????? 894808 e9???????? 8d46fe } + $sequence_6 = { 8bf8 85f6 7e30 b8???????? 2bc7 53 } + $sequence_7 = { c3 56 ff15???????? 6a00 e8???????? 83c404 5f } + $sequence_8 = { ffd7 8b15???????? a3???????? a1???????? 52 50 e8???????? } + $sequence_9 = { e8???????? 8be5 5d c3 6a00 ff15???????? eb10 } condition: 7 of them and filesize < 901120 
@@ -119458,36 +120159,36 @@ rule MALPEDIA_Win_Mocton_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9f4f983b-9c6b-508d-9490-50b17ee1d0df" - date = "2026-01-05" - modified = "2026-01-06" + id = "a65db501-bd68-5659-bb38-ad6b899cd84d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mocton_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mocton_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "16b135f602d0bf1d0d71eee14e2cd809b4b69481edc54d1e4a70e6527694874b" + logic_hash = "2e67232f692cd88d3a04d3704851160466fb82bb47c43a0c1d77909b1956ba54" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4d10 e8???????? 
8985e4e8ffff 8b85e4e8ffff 2b45a4 3b45dc 7202 } - $sequence_1 = { 83e801 8945d4 8b4dd4 0faf4de8 8b55e4 c1fa05 69d271460389 } - $sequence_2 = { 8b9524fcffff 69d2a44539db 33c0 81fa35ac0e36 0f9cc0 355ba30c98 7461 } - $sequence_3 = { 2b45e4 33c9 3d6b76f951 0f9dc1 33d1 742c 8b55e4 } - $sequence_4 = { 8b95c8e9ffff 83c201 8995c8e9ffff eb4e 8b85c0e9ffff 83e801 8985c0e9ffff } - $sequence_5 = { 83c104 894df8 8b55f8 3b55cc 0f8475060000 c745ac5aee3273 8b45ac } - $sequence_6 = { c745c842fc81f2 c7459cea0bbd91 c745b0238aa931 8b55c8 c1fa03 0faf55b0 b886628d96 } - $sequence_7 = { 898d70feffff 8b9570feffff 81c28029ab41 33c0 399570feffff 0f9dc0 338570feffff } - $sequence_8 = { 0355e4 8b45e4 d1f8 33c9 3b45e4 0f9ec1 33ca } - $sequence_9 = { 33d2 3b8d8cfdffff 0f9cc2 81e2d70a7b03 81f21da6f69d 7419 8b854cfdffff } + $sequence_0 = { 83f001 0f843f010000 8b4dcc 83c101 894dcc 8b55cc 8b45cc } + $sequence_1 = { 81c15366cc2a 33d2 3b8d24fbffff 0f95c2 81e23e6061db 81f2607c608b } + $sequence_2 = { 3d44ee8048 7f0c c785acfdffff01000000 eb0a c785acfdffff00000000 8b95acfdffff 81e20caea439 } + $sequence_3 = { 8955e8 8b45e8 83e801 8945e8 6a03 68???????? e8???????? } + $sequence_4 = { 0faf950cfbffff 0faf950cfbffff 89950cfbffff 8b850cfbffff 83c001 89850cfbffff 6a02 } + $sequence_5 = { 8b8d68feffff 81e9ef3da703 0b8dd4fdffff 7422 8b9568feffff 81f2fcd0115a 81f2bfe3969a } + $sequence_6 = { 8b9590fdffff c1e209 8b8590fdffff 2bc2 898590fdffff 6800040000 e8???????? } + $sequence_7 = { 85c9 7462 b8337b9ca9 2b85d8fcffff 33c9 3b85d8fcffff 0f9dc1 } + $sequence_8 = { 69c972b1ac43 898dacfeffff eb79 8b95acfeffff 83ea01 8995acfeffff 8b85acfeffff } + $sequence_9 = { 0f9dc1 81c9540e540f 7455 8b9590fdffff c1e209 8b8590fdffff c1e009 } condition: 7 of them and filesize < 573440 
@@ -119497,36 +120198,36 @@ rule MALPEDIA_Win_Neteagle_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "32895ae7-ce57-521b-b8af-c26cb59a6de4" - date = "2026-01-05" - modified = "2026-01-06" + id = "adaeac65-5a8b-5988-9e09-39ad38ef8a03" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.neteagle_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.neteagle_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "cd9004d8f3e934bcdc5c7488fb3dbf59ca59052c62f38c8a57dd749c0498c5bb" + logic_hash = "cb219582fd53f0cf7f3070518bd8f563abc303c4bc5342428b1ef2e9a2308947" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b86040c0000 40 8d0c40 c704ce02000000 e9???????? 8b54242c } - $sequence_1 = { 8b4c241c 52 53 50 51 ff15???????? 85c0 } - $sequence_2 = { 8b461c 85c0 0f849e010000 8bce e8???????? 85c0 0f848f010000 } - $sequence_3 = { 8bf8 6804010000 897c2424 c744242804010000 c744242c01000000 e8???????? 8b8c2464010000 } - $sequence_4 = { 8b4b24 03c8 89542901 8b4b24 8b542438 03c8 89542905 } - $sequence_5 = { 6a17 50 8bcb e8???????? 8d4da0 6a0f 8d55e0 } - $sequence_6 = { e8???????? 8b470c 83c604 8b0430 85c0 75e1 33f6 } - $sequence_7 = { a1???????? 
83f801 7f82 5f 5e 5b 8b4dfc } - $sequence_8 = { 68???????? 52 ffd5 83c408 8d4c2440 85c0 0f94c3 } - $sequence_9 = { 894d98 8b8de4feffff 89559c 8945a0 8d95e8feffff 6a64 8d45d8 } + $sequence_0 = { c684244002000002 e8???????? 8d4c2420 8bf8 c684243802000001 e8???????? ff15???????? } + $sequence_1 = { 83c41c 6a01 53 53 53 6a01 6a02 } + $sequence_2 = { 898dacfcffff 8b4208 8985b0fcffff 8b4a0c } + $sequence_3 = { 8d7c2438 8b542410 f3ab 66ab 8b442414 8d4c2438 51 } + $sequence_4 = { 50 64892500000000 53 56 57 8b5c2424 } + $sequence_5 = { 8b7500 8bc2 8a18 8acb 3a1e 0f8581040000 } + $sequence_6 = { 8d7598 33c0 f3a6 7404 1bc0 1bc3 } + $sequence_7 = { 84c0 75dc 33c0 eb04 1bc0 1bc5 } + $sequence_8 = { e8???????? 8b442414 40 83f85b 89442414 0f8c16feffff } + $sequence_9 = { 8d4e30 c684241002000004 e8???????? 8d4e34 c684241002000005 e8???????? 8d4e38 } condition: 7 of them and filesize < 262144 
@@ -119536,40 +120237,40 @@ rule MALPEDIA_Win_Geminiduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba57e2c8-93bd-55ac-a9e9-1b7d9180b057" - date = "2026-01-05" - modified = "2026-01-06" + id = "c813f2e4-4bb2-55df-aeb2-26a57862cea7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.geminiduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.geminiduke_auto.yar#L1-L149" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.geminiduke_auto.yar#L1-L154" license_url = "N/A" - logic_hash = "19a3524ebf5f0547a75168cd2fc0d4ded0d15d189661f967133afc45a2ebe1fb" + logic_hash = "dc6f874b6b51fa873cea776bdf1fa1a6877110f2ddb71159112001b39ae77ae7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 50 6801000080 ff15???????? 85c0 7407 } - $sequence_1 = { 8b7c2410 8b442414 8b4c2418 f3aa 5f 59 } - $sequence_2 = { 52 6819000200 6a00 68???????? e8???????? 83c404 50 } - $sequence_3 = { 50 51 57 8b7c2410 } + $sequence_0 = { 8b7c2410 8b442414 8b4c2418 f3aa 5f 59 } + $sequence_1 = { 6819000200 6a00 68???????? e8???????? 83c404 } + $sequence_2 = { 50 51 57 8b7c2410 } + $sequence_3 = { 83c404 50 6801000080 ff15???????? 
85c0 7407 33c0 } $sequence_4 = { 034590 03c8 894dd0 8b45f8 } $sequence_5 = { 034584 8b8d64ffffff c1e907 8b9564ffffff c1e219 0bca 8b9564ffffff } $sequence_6 = { 034590 8b8d70ffffff c1e907 8b9570ffffff } $sequence_7 = { 03459c 03c8 894ddc 8b45fc } - $sequence_8 = { 33d2 f7f3 668907 8bc2 } - $sequence_9 = { 83c1d8 e9???????? 53 56 57 32db } - $sequence_10 = { 80f909 7704 8ac1 0430 } - $sequence_11 = { 8a6834 0fb65036 8a4835 c1e108 0bca 0fb65037 } - $sequence_12 = { 8ad1 80ea0a 80fa05 7705 } - $sequence_13 = { 66894704 8bc2 c1e010 668b4602 33d2 f7f3 } + $sequence_8 = { 57 8b7c240c 6a01 6a00 8bf1 } + $sequence_9 = { 8ac8 80e961 80f919 7703 b001 c3 2c41 } + $sequence_10 = { 2500800000 50 8bcf e8???????? 8be8 8bc3 2500020000 } + $sequence_11 = { 8b770c 89442410 8b4704 8bc8 } + $sequence_12 = { 56 57 8bf9 8b4724 8b5f08 8b770c 89442410 } + $sequence_13 = { 7704 8ac1 0430 8ad1 80ea0a 80fa05 7705 } condition: 7 of them and filesize < 327680 
@@ -119579,36 +120280,36 @@ rule MALPEDIA_Win_Biscuit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b580404-4186-5ded-b852-ff8cc2d91924" - date = "2026-01-05" - modified = "2026-01-06" + id = "062ec03e-5ccb-5b37-8cc7-78ed1aedd673" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.biscuit_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.biscuit_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "21658c2822d8c2da349d55326a2fbe01a4e5603d4a188c5f0ab05c786709117d" + logic_hash = "3713cf5bf6043388eec10abe26f246e21c50fdd9e033f5be30dfd6c09387e08e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c6040800 8b4c241c 5f c745300030c084 8bc5 5e } - $sequence_1 = { 8b95b8b7ffff 52 e8???????? 83c404 eb22 8b85d4daffff 83e801 } - $sequence_2 = { 8d8dd0daffff 51 b9???????? e8???????? 25ff000000 85c0 } - $sequence_3 = { eb1f 8b45f0 83e801 898584b6ffff 8b8d84b6ffff 8a11 } - $sequence_4 = { 8b8d74b7ffff 3b4de0 0f83f5000000 8b55e0 2b9574b7ffff 899588b7ffff 8b857cb7ffff } - $sequence_5 = { 83bd28ffffff00 7502 eb71 8b8528ffffff 33c9 } - $sequence_6 = { 03f0 03d8 3bb42458100000 734f 6800100000 8d442444 53 } - $sequence_7 = { 8d8da0daffff e8???????? 8d9510b9ffff 52 b9???????? e8???????? 
} - $sequence_8 = { 8b8db0feffff 51 e8???????? 83c404 eb1f 8b55e4 83ea01 } - $sequence_9 = { 83e901 898d34feffff 8b9534feffff 8a02 2c01 8b8d34feffff } + $sequence_0 = { 8810 c78550b9ffff00000000 c78554b9ffff00000000 c78558b9ffff00000000 8d8d5cb9ffff e8???????? } + $sequence_1 = { ff2485d07f4000 c7442410e8b84000 eb1c c7442410e4b84000 eb12 c7442410dcb84000 eb08 } + $sequence_2 = { 83c002 8985f8b6ffff 8b8de8faffff 83e901 898dfcb6ffff 8b95fcb6ffff } + $sequence_3 = { 51 52 8d45f4 6aff 50 6a65 } + $sequence_4 = { 752f 8b8d58b8ffff 83c102 898de0b6ffff 8b9550b8ffff 83ea01 8995e4b6ffff } + $sequence_5 = { 33d2 8a51ff 81faff000000 752f 8b8580fbffff 83c002 8985f0b6ffff } + $sequence_6 = { 81c440220000 c20c00 b900080000 33c0 8dbc2450020000 53 f3ab } + $sequence_7 = { 83bd08ffffff00 7573 c645bc00 33d2 8955a8 } + $sequence_8 = { 898d00ffffff 8b55e4 0395ecfeffff 8995f8feffff } + $sequence_9 = { 895e5c 8b4644 3bc3 741d 8d48ff 8a40ff 3ac3 } condition: 7 of them and filesize < 180224 
@@ -119618,42 +120319,42 @@ rule MALPEDIA_Win_Salgorea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "24c723a2-add3-5c98-ac68-d74df04ec748" - date = "2026-01-05" - modified = "2026-01-06" + id = "32e80e1b-bbd8-5fdc-b536-f398d7f7b28b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.salgorea_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.salgorea_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "269f1f65813d46929a9206777195f8973f6aec01fe1e29b4790465e302c7f726" + logic_hash = "d9a9c5d6342dc8d993420dfb86cba439439978b87800895d170d027929927ec0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 893424 57 a1???????? 33c5 50 } - $sequence_1 = { 81e1ab000000 8b4c2414 f7d3 8b5c2418 53 9d } - $sequence_2 = { 66b9ad00 66f7e1 2bcb 80ef1f 59 } - $sequence_3 = { e8???????? 
8b4510 2bfb 3bc7 0f8302000000 8bf8 3bf1 } - $sequence_4 = { 53 52 8d9c10f47e0000 6699 66c1e303 f6d1 } - $sequence_5 = { 8d6424fc 8d6424d0 9c 51 f6d1 9c } - $sequence_6 = { 80e6ee f8 f6d1 52 40 f7d3 8b5c2404 } - $sequence_7 = { 41 6681c1db00 8b4c2410 66c1e804 8b44240c } + $sequence_0 = { 0fbcda 66c1e306 80eb38 80e6ee f8 } + $sequence_1 = { 66c1fb03 660fbafa04 2f fec3 27 b885000000 f9 } + $sequence_2 = { 50 0fbafa02 41 8b4c2404 6699 f5 } + $sequence_3 = { f6d1 52 40 f7d3 8b5c2404 27 } + $sequence_4 = { 66f7f1 d40a 9f fec8 f9 } + $sequence_5 = { 50 66c1e804 f8 660fbae803 f8 0fcb } + $sequence_6 = { 0f8207000000 8b06 e9???????? 8bc6 8b5610 03d0 3bd3 } + $sequence_7 = { 50 8b442414 50 9d 58 } $sequence_8 = { a1???????? 8945cc 8d45cc 3930 } $sequence_9 = { 8d943a9979825a 8b7df4 c1c61e 33fe } - $sequence_10 = { 8d9432dcbc1b8f 8b75fc 0b75f8 8b7dfc } - $sequence_11 = { 8d943a9979825a 8b7df0 337dfc 8bf2 } - $sequence_12 = { 8d942498030000 89542428 8b531c 894c2434 } - $sequence_13 = { 8d942490000000 e8???????? 8b03 ff7030 } - $sequence_14 = { 8d9432a1ebd96e 8b75e0 3375cc 8955ec } - $sequence_15 = { 8d942490000000 e8???????? 85c0 7403 83cfff 8bc7 85ff } + $sequence_10 = { 8d942490000000 e8???????? 8b03 ff7030 } + $sequence_11 = { 8d942498030000 89542428 8b531c 894c2434 } + $sequence_12 = { 8d943a9979825a 8b7df0 337dfc 8bf2 } + $sequence_13 = { 8d9432dcbc1b8f 8b75fc 0b75f8 8b7dfc } + $sequence_14 = { 8d942490000000 e8???????? 85c0 7403 83cfff } + $sequence_15 = { 8d9432a1ebd96e 8b75e0 3375cc 8955ec } condition: 7 of them and filesize < 2007040 
@@ -119663,36 +120364,36 @@ rule MALPEDIA_Win_Xiangoop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "361620d5-e5e6-5f74-925d-645a80b78212" - date = "2026-01-05" - modified = "2026-01-06" + id = "8e13413d-8c86-5ba7-a174-ffa7ddfdd425" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiangoop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xiangoop_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xiangoop_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "f8f21cace7fd103bdd27ecbe99bad091ab92dc71874d8f32014c3d64cede2d0d" + logic_hash = "5b4a2b1e743ae264fb9ffec999a591588fff93c31b7ee4ee8eb41312b10571da" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945fc e9???????? e9???????? 837d1020 0f850e040000 b901000000 6bd100 } - $sequence_1 = { 81e2ff000000 8b45f4 c1e810 25ff000000 8b0c95587d0110 330c8558650110 8b55f8 } - $sequence_2 = { 6bd10d 8b4dfc 890411 ba04000000 6bc206 } - $sequence_3 = { 83e801 0f8539010000 c745e414430110 8b4508 } - $sequence_4 = { 8b45f4 0fb64c081c 81e1ff000000 c1e108 0bd1 } - $sequence_5 = { 57 8d1c8518b00110 8b03 90 8b15???????? 
83cfff 8bca } - $sequence_6 = { b804000000 6bc805 8b45fc 8b75fc 8b1410 } - $sequence_7 = { 8b55f0 c1ea00 81e2ff000000 330495585d0110 b904000000 6bd105 } - $sequence_8 = { 8b45dc c1e800 25ff000000 330c85585d0110 ba04000000 6bc203 8b55fc } - $sequence_9 = { b901000000 6bd100 8b45f4 0fb64c1010 } + $sequence_0 = { d1e9 894de4 c745f400000000 eb09 } + $sequence_1 = { ba01000000 d1e2 8b4df4 0fb6541118 } + $sequence_2 = { 81e2ff000000 8b048d587d0110 33049558650110 8b4dec c1e908 81e1ff000000 33048d58610110 } + $sequence_3 = { e9???????? c745e410430110 ebb8 d9e8 8b4510 } + $sequence_4 = { 88540104 8b55f4 c1ea08 81e2ff000000 } + $sequence_5 = { 8bc6 8bd6 83e03f c1fa06 6bc838 8b0495a8b00110 f644082801 } + $sequence_6 = { 05f0000000 8945fc 8b4d10 8b5508 8d448a60 8945f0 } + $sequence_7 = { 6bd100 8b45f4 0fb64c1008 81e1ff000000 c1e118 } + $sequence_8 = { 7741 7206 837df40a 7339 } + $sequence_9 = { 7208 8b45f8 3b450c 7365 } condition: 7 of them and filesize < 246784 
@@ -119702,36 +120403,36 @@ rule MALPEDIA_Win_Htprat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e0f24e75-a1ab-500e-b0d4-d1209cde7f99" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a40ad4e-1514-53dd-8180-69420f7bc60e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.htprat_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.htprat_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "e91a3a65365c65376e7831a92808c9a23ec534df8de8b5e0e4180f6424135b1f" + logic_hash = "9b31ea685effc72070edec20cdbb0f150b670c182033265ef40f9b7f10fd4d1d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 8db794010000 c645fc0c e8???????? 53 } - $sequence_1 = { 743c 33c0 57 50 668985d8f9ffff } - $sequence_2 = { 8bcb e8???????? 57 57 89b398000000 } - $sequence_3 = { 57 57 57 ffb574efffff } - $sequence_4 = { 832700 8d7708 c6470400 e8???????? 8365fc00 bb???????? 53 } - $sequence_5 = { e9???????? 6a22 e9???????? 6a0c e9???????? 83e96e 7479 } - $sequence_6 = { 8d742430 e8???????? 8bd6 8d4c2418 c68424e800000009 } - $sequence_7 = { 83671000 c747140f000000 c60700 837de810 8b45d4 895d80 } - $sequence_8 = { 8d442468 ff742478 50 8d8424a8000000 50 e8???????? 
83c40c } - $sequence_9 = { 8d741eff 8d5801 56 57 } + $sequence_0 = { 50 e8???????? ffb568efffff e8???????? 59 } + $sequence_1 = { a3???????? 53 8d854cdcffff 50 8bce e8???????? c78540dcffff01000000 } + $sequence_2 = { 8b4d08 83c10c 8bc3 e8???????? 84c0 7445 } + $sequence_3 = { c745cc73747576 c745d07778797a c745d441424344 c745d845464748 c745dc494a4b4c c745e04d4e4f50 c745e451525354 } + $sequence_4 = { c6400401 eb3c 8d45f8 e8???????? 8b4df8 83c10c 8bc3 } + $sequence_5 = { 7705 83c2d0 eb1c 83fa41 720a 83fa46 7705 } + $sequence_6 = { 8b01 8945d0 3bc1 744e } + $sequence_7 = { a1???????? 33c4 50 8d8424e0000000 64a300000000 33db c744245c0f000000 } + $sequence_8 = { 6a16 ffb574efffff 89bd6cefffff ffd6 3bc7 750b } + $sequence_9 = { 50 e8???????? 83c40c 8d85e8fdffff 6a0c 898524efffff } condition: 7 of them and filesize < 278528 
@@ -119741,36 +120442,36 @@ rule MALPEDIA_Win_Saint_Bot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b3de383-83bb-59eb-ab8e-cf55885e5316" - date = "2026-01-05" - modified = "2026-01-06" + id = "75ddcf26-38c5-549f-a6a3-862fb78c8c35" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.saint_bot_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.saint_bot_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "c120f50dc769e408884483c5952b8e78bb4b0a03aaa97a8ecb7b623ae2701d23" + logic_hash = "ad4e5ffd766762a1d069e699fd31508d93ad9d74c556f3936a7fa77c515610c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 ff15???????? 6800018000 eb11 6a50 } - $sequence_1 = { 668975d4 8d4508 33f6 c745b418000000 683f000f00 50 } - $sequence_2 = { 3d2b040000 7415 3d3f040000 740e } - $sequence_3 = { 8945f8 e8???????? 68???????? 8945f0 } - $sequence_4 = { 56 ff15???????? ff15???????? 3db7000000 741c } - $sequence_5 = { 58 6a6e 668945f0 58 6a74 668945f2 } - $sequence_6 = { 6a00 56 68???????? 53 ff15???????? 8bf0 } - $sequence_7 = { 897dec 897df8 ffd6 6808020000 57 8bd8 ffd6 } - $sequence_8 = { ff75dc ffd6 ff75d4 ffd6 e8???????? 
} - $sequence_9 = { ffd6 ff75f0 ffd6 ff75f4 ffd6 ff75f8 ffd6 } + $sequence_0 = { 7406 2bd0 8911 eb03 } + $sequence_1 = { 50 e8???????? 56 8d8574e0ffff 6a00 50 e8???????? } + $sequence_2 = { 7429 8bc2 0fb7547108 6685d2 7415 81e2ff0f0000 8bc3 } + $sequence_3 = { 56 8d0447 50 e8???????? eb05 b857000780 5f } + $sequence_4 = { ff75f8 ffd6 ff75fc ffd6 ff75ec ffd6 } + $sequence_5 = { 0f42c1 50 ff75e8 56 ff15???????? } + $sequence_6 = { ff15???????? ebbb 55 8bec 53 56 57 } + $sequence_7 = { 59 8d4f01 51 6a00 ff15???????? 8945f4 85c0 } + $sequence_8 = { 741a 837dfc00 7414 53 56 ffd7 } + $sequence_9 = { 33c0 eb1d 56 e8???????? 59 8bc8 c1e802 } condition: 7 of them and filesize < 93184 
@@ -119780,36 +120481,36 @@ rule MALPEDIA_Win_Loup_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1404f79d-5679-58f8-95e7-ea2d681e99b9" - date = "2026-01-05" - modified = "2026-01-06" + id = "bf37937a-9845-5933-8705-1237eb714b3e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.loup_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.loup_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "01fac51b45c233a343e6af089564cab69dab8dfa8648336955517c666022b803" + logic_hash = "b157fec713ef1e6b8fba7b77efcbad0f33af584006f06a860a88fc826eee1a78" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4508 50 8d8de0fbffff 51 8d95f0fdffff 52 } - $sequence_1 = { 668945e8 33c0 668945ea c745ee01000000 b804000000 } - $sequence_2 = { 8d15341a4100 e8???????? 58 5a 5f 5e } - $sequence_3 = { 33c5 8945fc b9???????? e8???????? c745c000000000 c745b400000000 } - $sequence_4 = { c784055cffffff01000000 8d855cffffff 8945d5 8bf4 6a03 } - $sequence_5 = { 7709 8b048514824100 5d c3 33c0 } - $sequence_6 = { c705????????01000000 b904000000 6bd100 c78264a1410002000000 b804000000 6bc800 } - $sequence_7 = { a1???????? 8985c4fbffff 8b0d???????? 898dc8fbffff 8b15???????? 
} - $sequence_8 = { 668945e8 33c0 668945ea c745ee01000000 } - $sequence_9 = { 51 e8???????? 85c0 7513 8b45f4 50 e8???????? } + $sequence_0 = { b904000000 6bd100 c78264a1410002000000 b804000000 6bc800 8b15???????? } + $sequence_1 = { e8???????? 8945b4 8b45c0 50 e8???????? 837db400 750c } + $sequence_2 = { e8???????? e8???????? 85c0 750c c7853cffffff01000000 } + $sequence_3 = { f3ab b9???????? e8???????? e8???????? 85c0 750c } + $sequence_4 = { 53 56 ff3485647b4100 50 e8???????? } + $sequence_5 = { 8bcd 50 8d156c1b4100 e8???????? 58 5a 5f } + $sequence_6 = { 52 6802020000 68c0d40100 6a00 6a00 } + $sequence_7 = { ff15???????? 83c40c 3bf4 e8???????? c745cfc8000000 } + $sequence_8 = { c78568fcffff01000000 eb0a c78568fcffff00000000 8b8568fcffff 52 8bcd 50 } + $sequence_9 = { 8d156c1b4100 e8???????? 58 5a 5f } condition: 7 of them and filesize < 257024 
@@ -119819,36 +120520,36 @@ rule MALPEDIA_Win_Joanap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "59ddd497-e48f-5e4c-aaa1-e68a7dcd2888" - date = "2026-01-05" - modified = "2026-01-06" + id = "3ccae381-ec95-5807-a7bf-503ee346fc58" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.joanap_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.joanap_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "2db58924366bc00afcca8a8ac59fc7a0399fb6bba1dea50a7dd31138b4827114" + logic_hash = "b3f43991b19b6e52d2dd76c4e9c03367f6c5dd6ee409972ee35e34daebd2537f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89510c 8b0d???????? dd442418 dd5c0810 8d9c2488030000 c744241432000000 8b43f0 } - $sequence_1 = { 8d4c240a 6a01 51 56 ff15???????? 6a00 } - $sequence_2 = { 8844241a 8844241b a1???????? 89442408 8b8590010000 33d2 56 } - $sequence_3 = { 8b3d???????? 8d4c2414 51 56 ffd7 85c0 a3???????? } - $sequence_4 = { 8d8c24b0000000 51 56 ffd7 85c0 a3???????? 750c } - $sequence_5 = { 893d???????? ff15???????? 8b842494000000 6a01 6820bf0200 53 66c74304feff } - $sequence_6 = { 66c74424380040 e8???????? 83c414 83f8ff 0f8468010000 668b4610 6689442424 } - $sequence_7 = { 83c404 eb58 8d4e03 51 e8???????? 
83c404 eb4a } - $sequence_8 = { 8bac2424100000 8b3d???????? 8b1d???????? 894820 6a01 } - $sequence_9 = { 6a01 6820bf0200 8d442418 6a04 50 56 } + $sequence_0 = { 33d2 f3a7 5f 55 75a9 e8???????? 83c404 } + $sequence_1 = { 6a00 6a00 68???????? 6a00 6a00 8935???????? ff15???????? } + $sequence_2 = { 8d4c2424 6820bf0200 51 53 e8???????? } + $sequence_3 = { 6820bf0200 8d54245c 6a04 52 53 } + $sequence_4 = { 33fb 33db 8adc 8b049500bb2c00 8b149d00c32c00 33c2 33d2 } + $sequence_5 = { 33c0 85d2 7e4b 53 55 8bac2414010000 47 } + $sequence_6 = { 8b4214 85c0 7434 6a01 8d442424 6820bf0200 50 } + $sequence_7 = { 56 ff15???????? eb17 8b542414 a1???????? 42 } + $sequence_8 = { 33d2 8bdf 8a542417 897c2438 c1fb18 8a9200b92c00 } + $sequence_9 = { 8d842494000000 6880000000 50 6800040000 68???????? 6a02 e8???????? } condition: 7 of them and filesize < 270336 
@@ -119858,36 +120559,36 @@ rule MALPEDIA_Win_Moriya_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "59d11a0a-17d5-591e-bce9-2635239237cd" - date = "2026-01-05" - modified = "2026-01-06" + id = "5e86b1a3-5d2e-58a2-b6f3-ee6493a0eb7e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moriya_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moriya_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "502cc93b2e63f3afc69dfd0a7f0cef3fdb24356c38e271e56341bfbf7336c1de" + logic_hash = "4b2c346f1178ba9ce9d00f4fda666d39e5c4c2cec7acd5a1892705c7d51c3f70" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4881c490000000 5b c3 4055 } - $sequence_1 = { 48833d????????00 7405 e8???????? 48833d????????00 7417 488d4dd0 ff15???????? } - $sequence_2 = { 488b9c2490000000 0f57c0 4d8bf0 488bea 0f1103 0f114310 48894320 } - $sequence_3 = { 66480f6ec2 0f16c0 0f1101 4c03c1 4883c110 4883e1f0 } - $sequence_4 = { 488945d8 488d442420 f30f7f45e4 c745e003500000 0f1005???????? } - $sequence_5 = { ff15???????? 488b0d???????? 
488d842498000000 4889442430 33d2 48895c2428 } - $sequence_6 = { 488364243800 498bd8 488364245000 488bfa 488bf1 33d2 } - $sequence_7 = { 4881c490000000 5b c3 4055 53 56 57 } - $sequence_8 = { 4983f84f 7350 4d8bc8 4983e1f8 } - $sequence_9 = { 0f100d???????? 83a5a000000000 488d542460 488b0d???????? 4533c9 f30f7f45a0 } + $sequence_0 = { 488d542460 488b0d???????? 4533c9 f30f7f45a0 4889442470 4533c0 0f1007 } + $sequence_1 = { 488bcb 4889442448 f30f7f442428 e8???????? 8bd8 } + $sequence_2 = { 8844242e e8???????? 488d442428 482bf0 } + $sequence_3 = { 742a 488b4b08 4885c9 7406 ff15???????? } + $sequence_4 = { 786d 488b0d???????? 33d2 e8???????? 8bd8 } + $sequence_5 = { 4883ec38 488364242000 488bd1 4c8b0d???????? } + $sequence_6 = { e8???????? 48833d????????00 7417 488d4dd0 ff15???????? 488b0d???????? ff15???????? } + $sequence_7 = { 4883ec28 418b00 4c8bc9 448bd8 4c8bd1 } + $sequence_8 = { 660f1f440000 4a895408f8 4983e908 75f5 4983e007 } + $sequence_9 = { 0f57c0 488985b0000000 33d2 0f118590000000 448d4058 0f1185a0000000 e8???????? } condition: 7 of them and filesize < 99328 
@@ -119897,36 +120598,36 @@ rule MALPEDIA_Win_Andromut_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "deb4a424-4b4e-5ea2-908f-5ddc5f18ef00" - date = "2026-01-05" - modified = "2026-01-06" + id = "b468f4ca-e27c-5dd4-8fb9-52480adaac11" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.andromut_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.andromut_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "230945b6168ef420f0744200cbf464e2eea8368844f9caec3ac8e73f949cddb4" + logic_hash = "c7bb27f9630a4fc0f04d55e6bf36c672266b537a9c6fdf533cba5d8028553d1a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d8da0dfffff 51 6819000200 56 8d4da4 51 } - $sequence_1 = { 47 3bfb 72e9 8b75fc 8b45f8 8b7c1018 33db } - $sequence_2 = { 8d8db8f9ffff 51 8d8d70f9ffff 51 57 57 } - $sequence_3 = { 53 51 ffb5a0f7ffff 8d8590f7ffff b92d57ae5b 0f438590f7ffff } - $sequence_4 = { 8a4d08 8d41bf 3c19 7708 0fbed1 83ea41 eb34 } - $sequence_5 = { 8d44246c b974723dc5 50 8d84247c030000 50 e8???????? 
} - $sequence_6 = { 49 8bc1 c1e10b c1e805 25ff070000 0bc1 } - $sequence_7 = { 8b9d70ffffff 8b856cffffff 03df a801 7415 6aff } - $sequence_8 = { b802210000 6689443e16 0fb7443e06 8b75f8 } - $sequence_9 = { e8???????? 8be5 5d c3 68c8060000 b8???????? e8???????? } + $sequence_0 = { 83c418 8d8d04ffffff e8???????? 8d8504ffffff b9b4733de3 50 8d85b8fbffff } + $sequence_1 = { 8a4e01 8a46ff 8a7efe 884dfc 32cb 8ae9 8845fe } + $sequence_2 = { e8???????? 6810270000 ff15???????? 8b15???????? 8d45d4 8b0d???????? 33f6 } + $sequence_3 = { 6a00 8d8d70f0ffff 51 ffb500f3ffff 56 } + $sequence_4 = { 57 0f438538f3ffff 50 e8???????? 8bf8 8d8de0f3ffff } + $sequence_5 = { 8bce e8???????? fec3 6a10 58 80fb0e } + $sequence_6 = { e8???????? 59 8945e0 3818 755d 837f1410 } + $sequence_7 = { 8bf0 8d458c 2bf3 56 53 } + $sequence_8 = { 83ec18 8b5d10 8bcc 50 } + $sequence_9 = { 663bc3 75f6 2bca 8d856cffffff d1f9 51 } condition: 7 of them and filesize < 368640 
@@ -119936,36 +120637,36 @@ rule MALPEDIA_Win_Puzzlemaker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "62794821-c42e-5220-ad0d-6e7823ce4882" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b409857-ba16-52f8-86a4-f03b4c20bcd6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.puzzlemaker_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.puzzlemaker_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "e75d1e0c1e55c34f83f0daa3660ed41869121e99648bc4cb3b1da2986e8ecbae" + logic_hash = "0ccc3e98278c1b00c53a3ce232e13d909a5b06ff70a8c837731ae91ba328c74b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c74078feffffff 83ffff 0f8c60040000 41837e0800 4c8d05b7b6ffff } - $sequence_1 = { 4883ec20 8bfa 4c8d0d25a00000 488bd9 488d151ba00000 b916000000 4c8d0507a00000 } - $sequence_2 = { 448bc0 4c8d157d0a0200 0f1f4000 660f1f840000000000 410fb6d0 420fb60c12 } - $sequence_3 = { 488905???????? 4885c0 7551 488b0d???????? 488d157c160200 } - $sequence_4 = { 4c8d0d3da30000 33c9 4c8d0530a30000 488d1531a30000 e8???????? 4885c0 } - $sequence_5 = { ff15???????? 4c8be0 4c896ddf 488b4dc7 488b11 4c8b5230 } - $sequence_6 = { e8???????? 
488db328010000 bd06000000 488d7b38 488d05462d0100 } - $sequence_7 = { 84c0 7421 4885db 750b 488d1d83f20000 48895f48 4863d6 } - $sequence_8 = { 7410 41ffc0 4983c102 4181f880000000 72e1 448bc0 } - $sequence_9 = { 418bd2 4d8b8cc7f02b0200 498bfa 4b8d04f1 443854383e } + $sequence_0 = { 0f857e010000 4c8d3deddafeff 418bd2 4d8b8cc7f02b0200 498bfa 4b8d04f1 443854383e } + $sequence_1 = { 4181f880000000 72e1 448bc0 4c8d0d470c0200 0f1f8000000000 410fb6d0 } + $sequence_2 = { 7e1f 4c8d0538dafeff 4b8b8ce0f02b0200 4803ca } + $sequence_3 = { 0f1103 48894310 4c896b08 c7431001000000 488bce ff15???????? } + $sequence_4 = { 498bc2 458bf1 48c1f806 488d0d80000100 4183e23f } + $sequence_5 = { c3 48897c2408 488d3dac420100 488d05b5430100 483bc7 488b05???????? 481bc9 } + $sequence_6 = { eb19 488d3d5e400100 eb10 488d3d65400100 eb07 488d3d44400100 } + $sequence_7 = { 7479 488d0d86330100 483bc1 746d } + $sequence_8 = { 4883ec20 488bd9 488bc2 488d0d053b0100 0f57c0 } + $sequence_9 = { 3bf0 7c36 4c8d3d454e0100 49393cdf 7402 } condition: 7 of them and filesize < 331776 
@@ -119975,36 +120676,36 @@ rule MALPEDIA_Win_Scanline_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0a94c58f-9a04-5a8f-a52b-c8922aabd872" - date = "2026-01-05" - modified = "2026-01-06" + id = "6588f5d4-97d1-57f0-81e1-0eda8bafbce1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanline" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scanline_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scanline_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "ae2af87b82d9394b37c14ff046f7786f58d075866fa464adcdf96cb76e14a4ba" + logic_hash = "aa6bb9834ecff92a2f48a98c05c2a277badfa393a35954e0c3eeb55b999b5334" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7404 8b400c c3 33c0 c3 83611000 c3 } - $sequence_1 = { 740e 53 8bc8 ff742414 e8???????? eb02 } - $sequence_2 = { 8bd8 85db 743d 6800040000 8d4608 ff7508 } - $sequence_3 = { 7434 6a10 e8???????? 3bc3 59 740e 53 } - $sequence_4 = { 750f 83f81f 730a 885c0438 8a1f 40 } - $sequence_5 = { 7e10 894608 c1e003 50 e8???????? 59 894604 } - $sequence_6 = { 59 59 8b45fc a3???????? e9???????? c705????????01000000 e9???????? } - $sequence_7 = { 8bc8 c1e103 8bd1 89460c 33c0 c1e902 } - $sequence_8 = { 51 bbffff0000 6806100000 53 50 ffd7 8d8608050000 } - $sequence_9 = { 8b4e18 50 e8???????? 
6a24 e8???????? 8bf8 59 } + $sequence_0 = { 72e8 894670 8b4674 03d8 8a450c 0803 } + $sequence_1 = { 33c2 668b0e 2bc2 99 f7fb 8d0457 668b1457 } + $sequence_2 = { 83c10c 83fa40 7cf2 c3 6a01 58 } + $sequence_3 = { 897dfc eb20 ff15???????? 8bc8 2b4e70 81f9e8030000 72e8 } + $sequence_4 = { 68???????? e8???????? 59 392d???????? 0f8522020000 b9???????? e8???????? } + $sequence_5 = { f3a5 8bc8 83e103 f3a4 ff7304 e8???????? 8b45fc } + $sequence_6 = { 84db 740f 8819 41 ff45fc 817dfcff070000 7308 } + $sequence_7 = { 83fb40 7cb6 5f 5e 5d 5b c3 } + $sequence_8 = { 8b3d???????? ff7604 bb00040000 8d85fcfbffff 53 50 } + $sequence_9 = { 7510 80a11703000000 c6811603000008 eb15 807c24040d 750e c681160300000d } condition: 7 of them and filesize < 151552 
@@ -120014,41 +120715,41 @@ rule MALPEDIA_Win_Rapid_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c19fad8c-a407-5bf5-acec-08286bdf3f5a" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1f55c5c-3edd-5051-a42b-f4ae5356321e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rapid_ransom_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rapid_ransom_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "67800a8541a0930476ccb252960ba42436cf1502df6e201c2920e486423cdc16" + logic_hash = "ecbf33a99cf78add42d7c499c34146ca392efd676167a207850c5efa57f65d3c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 50 6801000004 6800a40000 ff75f8 } - $sequence_1 = { eb05 803e00 7509 803a00 0f840c010000 } - $sequence_2 = { ff15???????? 8b4c2438 f6c110 7410 68???????? 56 } - $sequence_3 = { 6a00 6a07 6a00 ff75fc ffd7 } - $sequence_4 = { 75f7 ff75fc 51 6801000040 ff750c 53 ff15???????? } - $sequence_5 = { 84c0 0f94c1 33c0 84c9 5f 5e 0f94c0 } - $sequence_6 = { ff15???????? 56 ffd7 8bd0 8bce e8???????? } - $sequence_7 = { 80c261 8857ff 4b 75eb 8b75fc 5b } - $sequence_8 = { a3???????? e8???????? 
83c404 b001 5e } - $sequence_9 = { 6a02 6a00 6a03 68000000c0 8d85f8feffff 50 } - $sequence_10 = { 56 ff15???????? 85c0 7448 8b3d???????? } - $sequence_11 = { 8d7601 80becc8c410000 75f4 e8???????? 99 8d4eff } - $sequence_12 = { 83ea01 75f2 8b7dac 8b55b4 33c0 c6043200 } - $sequence_13 = { 8d7f08 8b048dc4724000 ffe0 f7c703000000 7413 } - $sequence_14 = { eb05 1bc0 83c801 8b4df0 85c0 0f84a0feffff } + $sequence_1 = { 57 663901 7561 8b713c 03f1 813e50450000 } + $sequence_2 = { ff15???????? 8bd8 895c2434 85db 7509 } + $sequence_3 = { 6a00 68a7000000 6a01 e8???????? } + $sequence_4 = { ff15???????? 56 8ad8 ff15???????? 56 ff15???????? 5f } + $sequence_5 = { 803e00 7509 803a00 0f840c010000 8d742464 b8???????? } + $sequence_6 = { 55 8bec 83e4f8 81ec6c010000 53 56 57 } + $sequence_7 = { 8bd0 8bce e8???????? 8b0d???????? 8b75ec 50 } + $sequence_8 = { e8???????? c70021000000 eb44 c745e002000000 c745e494824100 8b4508 8bcf } + $sequence_9 = { 81784820c14100 7409 ff7048 e8???????? 59 c70701000000 } + $sequence_10 = { 8b4514 40 c745ecf54e4000 894df8 } + $sequence_11 = { 56 57 6804010000 8d85f8feffff 8bfa } + $sequence_12 = { ffd6 85c0 753b 8b542410 b9???????? e8???????? } + $sequence_13 = { 8bcb 8b55ec 68???????? 893d???????? e8???????? 83c404 84c0 } + $sequence_14 = { 8b75ec 8ac4 8b7de4 c0e102 c0eb04 } condition: 7 of them and filesize < 286720 @@ -120062,7 +120763,7 @@ rule MALPEDIA_Win_Unidentified_082_Auto : FILE date = "2021-10-07" modified = "2021-10-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_082" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_082_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_082_auto.yar#L1-L124" license_url = "N/A" logic_hash = "fdfe1ddce9f77ac8b465b0ddebe868c5e77078cf2b2457573a5b3810682f45ee" score = 75 
@@ -120097,36 +120798,36 @@ rule MALPEDIA_Win_Ziyangrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad05acb3-2122-508e-96e1-44a0677aa226" - date = "2026-01-05" - modified = "2026-01-06" + id = "25e524a5-eba0-5c32-83d3-3afde1b8e5de" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ziyangrat_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ziyangrat_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "89f077d6fe657db2420d0ceec203b172ff92ec6b640db30714a01b0a429a9ae6" + logic_hash = "9108b91275ac2a1e4658df30ca253567f8a6e50bf090392d9fbc56695be2a574" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 8dbc2421140000 889c2420140000 f3ab } - $sequence_1 = { 50 ff15???????? 85c0 751d ff15???????? 50 56 } - $sequence_2 = { 7560 55 6800040000 ff15???????? 
55 8d842468010000 } - $sequence_3 = { 0f841b010000 81fe4c4f0000 0f87e6000000 8b4c2424 8d542414 83e110 } - $sequence_4 = { 33c0 8d7c2409 8bb4240c040000 f3ab 66ab 56 6a00 } - $sequence_5 = { 7e95 ffd5 8bf0 89742430 } - $sequence_6 = { 83f810 0f85a6000000 8b7304 81fe00500000 0f8f97000000 85f6 0f8c8f000000 } - $sequence_7 = { 33c0 8dbc2411010000 889c2410010000 f3ab 66ab aa b91f000000 } - $sequence_8 = { 8db424c0190000 f2ae f7d1 49 bf???????? 8bd1 c1e902 } - $sequence_9 = { 50 c68424fb00000061 c68424fc00000074 c68424fd00000061 889c24fe000000 c684240801000053 c684240901000079 } + $sequence_0 = { 0f8539ffffff 50 ff15???????? 8bfd 83c9ff 33c0 f2ae } + $sequence_1 = { 3bf1 8bf8 7e2a 8bd6 6a00 2bd1 } + $sequence_2 = { 7ce6 85ff 897c2418 896c2420 750a 5f 5e } + $sequence_3 = { 89742414 e8???????? b9fb030000 b820202020 bf???????? c644242800 f3ab } + $sequence_4 = { 85ff 897c2418 896c2420 750a 5f } + $sequence_5 = { 46 8d0c17 3bcb 7ce7 5f 5e } + $sequence_6 = { 8b4c241c 46 81e6ff0f0000 8d4101 25ff0f0000 } + $sequence_7 = { 5f 5e 5b 81c494000000 c3 8b9c24a4000000 } + $sequence_8 = { 89742448 e8???????? 5e 83f8ff 5b 7515 a1???????? } + $sequence_9 = { 8b7c240c 8b04bd10894000 8d1cbd10894000 3d00100000 0f84c8000000 8b04bd20094100 56 } condition: 7 of them and filesize < 188416 
@@ -120136,36 +120837,36 @@ rule MALPEDIA_Win_Kuaibu8_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "755c9fef-12d3-5450-97c1-5338be93504a" - date = "2026-01-05" - modified = "2026-01-06" + id = "677a7b27-8dba-50f8-a903-d3ae3dd1454a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kuaibu8_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kuaibu8_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "fc318523e53f24e8818ee766d5be4e6f49732099f739761d424c7624b095d7ec" + logic_hash = "0baf0af63f21cd612a4fdefb8c0477dd54dc083c1e606251e564162b27012807" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff35???????? b902000000 e8???????? 83c408 8945e0 8b45e0 50 } - $sequence_1 = { 83c404 c1e002 03d8 895db4 8b5de8 e8???????? b804000000 } - $sequence_2 = { 6a10 52 56 6689442416 e8???????? } - $sequence_3 = { 7409 53 e8???????? 83c404 8b5de8 e8???????? } - $sequence_4 = { 895dbc e8???????? 894db8 8b7dbc c70701000000 83c704 8bc1 } - $sequence_5 = { 83c404 58 8945f4 8965ec 8d45f0 50 8b45f4 } - $sequence_6 = { 83f800 0f851e000000 b8???????? 50 8b5d10 8b1b } - $sequence_7 = { b8???????? 8945d8 8d45d8 50 6800000000 ff35???????? 
8d45e0 } - $sequence_8 = { 837d1400 0f8507000000 c7451401000000 837d1000 0f85aa020000 6802000080 6a00 } - $sequence_9 = { 53 55 56 8b742430 85f6 57 750a } + $sequence_0 = { 7404 3c5c 7503 c60100 8d8c2410010000 51 e8???????? } + $sequence_1 = { 8b9698160000 8b4c2414 42 899698160000 81e1ff000000 33d2 8a91e08b4300 } + $sequence_2 = { 5b 81c440030000 c21000 3b7810 7d09 50 e8???????? } + $sequence_3 = { 83c404 e9???????? 8965f0 ff75fc ff15???????? 90 90 } + $sequence_4 = { 8945ec 6804000080 6a00 68???????? 6804000080 6a00 a1???????? } + $sequence_5 = { 50 56 e8???????? 5e 81c40c010000 c3 b8fdffffff } + $sequence_6 = { 51 c1e810 50 899524010000 e8???????? 83c408 } + $sequence_7 = { 0f8406000000 8bca 33c0 f3ab ff75fc e8???????? 83c404 } + $sequence_8 = { 8d942454020000 68???????? 52 e8???????? 8d44242c 50 6a00 } + $sequence_9 = { 33d2 8a90e08a4300 8bc2 66ff848680090000 8b8694160000 8b8e98160000 } condition: 7 of them and filesize < 737280 
@@ -120175,36 +120876,36 @@ rule MALPEDIA_Win_Thanatos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "503a7f37-fd56-5eb4-8fd1-5ecbf912c720" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d21030d-7dfc-518b-8358-5e84b9aa8841" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.thanatos_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.thanatos_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "a490fddf2b1c7ed46086686ac0e8278c90a6f240d56058a2bebac261ed9edf67" + logic_hash = "f8b101a3eb23d9bffc88667836f507717244d359292f3afdd082a29fe1a6ac77" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740a 8b45f8 83e007 3c05 751c 834714fc } - $sequence_1 = { ff15???????? 03c0 50 53 ffb514fdffff 56 ff15???????? } - $sequence_2 = { 8b856cffffff 8906 8b8570ffffff 8907 8b4dfc 5f 33cd } - $sequence_3 = { 56 8d43fe 8bd1 33f6 57 8b7d08 } - $sequence_4 = { 8d0449 8d0445981c0210 5d c3 8d04cd00000000 2bc1 8d0445c0390210 } - $sequence_5 = { 2db8000000 81e6ff1f0000 03f0 0fb7047528f10110 6685c0 74c5 } - $sequence_6 = { 6a00 c705????????00000000 c705????????00000000 ff15???????? 85c0 743e 8d85f0fdffff } - $sequence_7 = { 66a1???????? 668945f8 a0???????? 
83c420 8845fa 8d45f4 50 } - $sequence_8 = { 0f8718010000 8b35???????? 68???????? 53 ffd6 85c0 } - $sequence_9 = { 83e003 c1e004 5f 0fb68028850110 884101 5e } + $sequence_0 = { e8???????? 83c40c 8d85ecfeffff 68???????? 68???????? 50 ff15???????? } + $sequence_1 = { ba75453a66 8bcf a3???????? e8???????? } + $sequence_2 = { 56 ffd7 8d3446 83c602 66833e00 75bc 5f } + $sequence_3 = { 8b06 83c004 03c6 50 e8???????? 8b04bdf0ac0110 } + $sequence_4 = { 25ff000000 c1ea08 331485b8520d10 0fb64601 33c2 c1ea08 25ff000000 } + $sequence_5 = { 83ec0c 837d0c00 8bc1 57 8955f8 8945fc } + $sequence_6 = { 8d45c4 50 c745c470520110 e8???????? ff7524 e8???????? } + $sequence_7 = { 8d41fc 83f803 771c 8b45fc 5f 83c13c 5e } + $sequence_8 = { 8945ec 894df1 ff15???????? 898510fdffff 85c0 0f8458ffffff 6a00 } + $sequence_9 = { 8d856cffffff 53 50 8bf1 c78568ffffff94000000 e8???????? 83c40c } condition: 7 of them and filesize < 1810432 
@@ -120214,36 +120915,36 @@ rule MALPEDIA_Win_Hotcroissant_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "83ef5f77-5617-5f2c-aab4-e7c78e791ad8" - date = "2026-01-05" - modified = "2026-01-06" + id = "9c03b379-6b63-5f09-aa8b-fbd48eed164c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hotcroissant_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hotcroissant_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "dce551f3abb53b003bc43a41a6cd9ea09bb62dbd64ab9e901fd3bd3c6af24937" + logic_hash = "8ff8cec58017b3310f3e99f6bf45a85f3fa651c35cf6576e8ea91c6bb4a11df0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 6a00 68703a0000 6a00 } - $sequence_1 = { 6a00 c705????????00000000 ff15???????? 6a00 } - $sequence_2 = { 52 50 6a08 ff15???????? 50 ff15???????? 85c0 } - $sequence_3 = { ffd6 6800040000 68???????? 68???????? 68???????? ffd6 } - $sequence_4 = { 6a01 50 ff15???????? a1???????? 8b35???????? 50 ffd6 } - $sequence_5 = { 8b15???????? 33c0 52 a3???????? a3???????? a3???????? } - $sequence_6 = { 8b15???????? 52 ffd6 893d???????? } - $sequence_7 = { 56 57 683f000f00 33db 53 53 ff15???????? } - $sequence_8 = { ffd7 807c30ff5c 8b1d???????? 
740a } - $sequence_9 = { 8b15???????? 33c0 52 a3???????? a3???????? } + $sequence_0 = { 32da 32d8 32d9 881c3e } + $sequence_1 = { c705????????00000000 ff15???????? 6a00 c705????????00000000 c705????????00000000 } + $sequence_2 = { 68???????? 68???????? 68???????? ffd6 a1???????? 85c0 } + $sequence_3 = { ffd6 a1???????? 85c0 7409 6a01 50 ff15???????? } + $sequence_4 = { 8be5 5d c3 e8???????? 6a00 c705????????00000000 ff15???????? } + $sequence_5 = { ffd6 6800040000 68???????? 68???????? 68???????? ffd6 a1???????? } + $sequence_6 = { ffd6 8b15???????? 52 ffd6 893d???????? 893d???????? 893d???????? } + $sequence_7 = { 6a00 ffd7 85c0 7506 46 83fe08 } + $sequence_8 = { 6800000400 68???????? 68???????? 68???????? } + $sequence_9 = { 6a00 ffd7 85c0 7506 46 83fe08 7cd5 } condition: 7 of them and filesize < 591872 
@@ -120253,36 +120954,36 @@ rule MALPEDIA_Win_Sword_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8539535f-357d-5d16-925a-82cf11392564" - date = "2026-01-05" - modified = "2026-01-06" + id = "e56fc473-b1b6-501b-aeb7-ef5ae56ac83d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sword_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sword_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "f965a414f19aed1fee3b06d38e5b293cff63935b0d3b803549aab6fbb9244e65" + logic_hash = "30f0c4e367cd7d968dab2e3cd6db1e620abc706992eec1c72c2add2debae898b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 897c242c 8b3d???????? 6800010000 c74424143c000000 c744242064924000 89542424 } - $sequence_1 = { f2ae f7d1 49 8d842488020000 51 50 56 } - $sequence_2 = { 8bfd 83c9ff 33c0 f2ae 8b542424 33db f7d1 } - $sequence_3 = { e8???????? 83c404 50 ff15???????? 668944240a 8d842428040000 50 } - $sequence_4 = { 7c85 5f 5e 5d b801000000 5b 83c40c } - $sequence_5 = { 8d8c2498060000 51 52 e8???????? 83c40c 8d842474020000 } - $sequence_6 = { 8d942488030000 f2ae f7d1 2bf9 53 8bf7 8bfa } - $sequence_7 = { 52 e8???????? 
8818 8d842490020000 } - $sequence_8 = { 6a00 6a00 6a00 7509 8d542414 } - $sequence_9 = { 8d3c8d00a14000 c1e603 8b0f f644310401 7456 50 e8???????? } + $sequence_0 = { 49 807c29ff22 7510 8bfd 83c9ff 33c0 f2ae } + $sequence_1 = { eb05 1bc0 83d8ff 3bc3 0f8403010000 8bfd 83c9ff } + $sequence_2 = { 0f8480020000 8d4c2428 6a5c 51 e8???????? 8d542430 } + $sequence_3 = { 83ff03 7d22 8d4c2410 6a10 51 56 ffd3 } + $sequence_4 = { 52 e8???????? 83c40c 85c0 0f856f050000 8a8c2496060000 } + $sequence_5 = { 89842478010000 ff15???????? 8dbc2484020000 83c9ff } + $sequence_6 = { 83e103 f3a4 8d442428 6a5c 50 } + $sequence_7 = { 8bf0 e8???????? 83c410 3bf0 7431 68???????? e8???????? } + $sequence_8 = { 8dbc2494060000 83c9ff 33c0 f2ae f7d1 49 } + $sequence_9 = { 49 885c0c27 807c242822 7525 8d7c2429 } condition: 7 of them and filesize < 106496 
@@ -120292,36 +120993,36 @@ rule MALPEDIA_Win_Dinodas_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "431aac36-5429-5cb6-a22f-6d22f4b46964" - date = "2026-01-05" - modified = "2026-01-06" + id = "3f96c0f8-2210-5d52-8b00-7c1a7a8c93a9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dinodas_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dinodas_rat_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dinodas_rat_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "f12d1a523704ecc621dca1f8d26285a0bb3fbc82969aec41d1e0b2ffd38a67b5" + logic_hash = "53fba0eb0c3eb1f2376d1163bc5a5612f52699040ad1ae4dd7c519333eee7c8a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf0 33c9 83c404 8975ec 3bf1 745c 8b4704 } - $sequence_1 = { ffd2 8b9d94fdffff 8d8da0fdffff 51 53 ff15???????? } - $sequence_2 = { c745a80f000000 e8???????? c645fc01 a1???????? 6aff 50 ff15???????? } - $sequence_3 = { 8d45b4 e9???????? 8d45a8 e9???????? 8d75d4 e9???????? 8d75b8 } - $sequence_4 = { 6a00 6a01 ff15???????? 8bf8 85ff 741a 6a00 } - $sequence_5 = { 8d4d9c 68???????? 51 e8???????? 83c40c 397594 720c } - $sequence_6 = { 8bce 8bf3 83f804 7217 8d4900 8b16 3b11 } - $sequence_7 = { 8b4204 ffd0 8b4d0c 51 e8???????? 
83c404 8937 } - $sequence_8 = { 83e810 e8???????? 8d7010 8975c4 c645fc07 8b4714 } - $sequence_9 = { 8d75b8 e9???????? 8d759c e9???????? 8db578ffffff e9???????? 8db548ffffff } + $sequence_0 = { 03f0 83d700 837d2c00 8d56fb 895301 7410 8b4508 } + $sequence_1 = { e8???????? 8b4304 c645fc02 85c0 } + $sequence_2 = { 8b00 3b05???????? 7406 8b506c 8955c4 a1???????? 50 } + $sequence_3 = { 8b4d0c 51 e8???????? 83c404 8937 5e } + $sequence_4 = { c645fc06 8b4710 83e810 e8???????? 8d7010 8975c4 } + $sequence_5 = { 8bc8 3b0d???????? 75b4 eb1e 8d4df0 51 8d7d08 } + $sequence_6 = { e8???????? eb11 8bd9 2bd8 8bfe e8???????? 8b5df8 } + $sequence_7 = { 897de0 8955dc eb03 8b55dc 8d0c07 03d1 3b5508 } + $sequence_8 = { 8955e8 8945ec 56 83c9ff 895dfc e8???????? 8b4e1c } + $sequence_9 = { 8bf0 7524 8b4510 50 8b450c 51 83c0f0 } condition: 7 of them and filesize < 638976 
@@ -120331,36 +121032,36 @@ rule MALPEDIA_Win_Shimrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b3f34c04-651c-587d-bd77-b7f0b88267a0" - date = "2026-01-05" - modified = "2026-01-06" + id = "70e33ec3-66b2-5b91-b97f-587ecaebd7d7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shimrat_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shimrat_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "f6aefe8dd1d3b634b60800b8c047d2a812717e57ed1af7e84c8f3a77485271ec" + logic_hash = "8697af9b18c284d147e66b212e455da89b2dac87c41140c0740622082b9305c9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 ff750c 8b4d08 e8???????? 8b4508 5f } - $sequence_1 = { 6aff ff75fc 56 ff7514 ffd7 8bd8 8d4301 } - $sequence_2 = { 8d4d50 e8???????? ff7570 e8???????? 8d4d50 } - $sequence_3 = { 85ff 7e1a 8b19 ff742410 8d0433 50 e8???????? } - $sequence_4 = { ff15???????? 895df8 3bc3 0f8483000000 } - $sequence_5 = { 53 8d45e8 56 50 e8???????? 6a02 } - $sequence_6 = { 742e 837dfc04 7519 68???????? ff75f8 e8???????? 59 } - $sequence_7 = { 8d4ddc e8???????? 85c0 754b 8d4df0 e8???????? } - $sequence_8 = { 33c0 40 c3 a810 7404 } - $sequence_9 = { ff15???????? 
c20400 55 8bec 81ec88000000 8365ec00 53 } + $sequence_0 = { 50 8d4f30 e8???????? 85c0 0f8559ffffff 33f6 46 } + $sequence_1 = { 83c40c 8d4d30 e8???????? 85c0 750f 81c784000000 57 } + $sequence_2 = { e8???????? 50 8bce e8???????? 85c0 74d9 } + $sequence_3 = { 53 3b4610 0f843cfdffff ff757c ff15???????? ff757c 8b35???????? } + $sequence_4 = { 8d45f4 50 6a1f ff75fc c745f400330000 } + $sequence_5 = { 8bf1 57 8d4dec e8???????? 33db 895e1c ff15???????? } + $sequence_6 = { 6a01 57 8d4520 50 } + $sequence_7 = { 59 ff75f8 ff15???????? 8bce e8???????? } + $sequence_8 = { 8d4dbc e8???????? be00040000 56 8d85bcefffff 50 8d4d18 } + $sequence_9 = { e8???????? 50 8bcb e8???????? 85c0 7409 } condition: 7 of them and filesize < 65536 
@@ -120370,36 +121071,36 @@ rule MALPEDIA_Win_Portdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e4b852ed-5498-5523-835d-78e52c259853" - date = "2026-01-05" - modified = "2026-01-06" + id = "a40c10b1-235a-55ec-95b5-4cdbbf235ce6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.portdoor_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.portdoor_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "7da9aa8b4f7f6857e35f1211f6a60eddf3c94eedff73ea09aab294e2b6809d65" + logic_hash = "3173641723a4083ca793307c4ec809672142abfaeaab61ddcafdcbfd45695b6b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 884dff eb4e 8808 46 40 eb48 80f909 } - $sequence_1 = { e8???????? 6a5c 58 6a2a 668945f0 } - $sequence_2 = { 50 a3???????? e8???????? 83c410 8b4dfc 33cd 5e } - $sequence_3 = { ff75e8 ff15???????? 6828020000 8d85c0fdffff } - $sequence_4 = { 6a64 5a ffb57cf7ffff 668945e0 } - $sequence_5 = { 8b0485b80f0210 f644010440 7409 803a1a 7504 33c0 eb1c } - $sequence_6 = { 59 85c0 0f84da000000 8b4704 8bce 8b7708 c1e102 } - $sequence_7 = { 807e0400 0f8564ffffff eb0c ff36 ff15???????? c6460400 5f } - $sequence_8 = { 85ff 7450 8d4701 50 } - $sequence_9 = { e8???????? a1???????? 
33c5 8945fc 53 8b5d08 8d85fdfbffff } + $sequence_0 = { e8???????? a1???????? 83c40c 814dd400010000 8945e8 8945e4 a1???????? } + $sequence_1 = { ddd8 db2d???????? b801000000 833d????????00 0f8586480000 ba05000000 8d0d80f70110 } + $sequence_2 = { 8b1d???????? 33c9 6a0f 58 894619 894e15 } + $sequence_3 = { 8b0d???????? e8???????? 0fb6c0 85c0 7502 ebaf } + $sequence_4 = { 8d0c45c4070210 8bc1 2d???????? d1f8 2bf0 56 } + $sequence_5 = { 8be5 5d c3 a1???????? 8a4004 c3 55 } + $sequence_6 = { 43 8d4908 e8???????? 3d00f00000 7d12 8d8570fbffff } + $sequence_7 = { 8b45f8 0345fc 0fb600 35fe000000 8b4df8 034dfc } + $sequence_8 = { 0f8486000000 836de410 0f849d000000 e9???????? 8b45e0 } + $sequence_9 = { ff36 33db 53 6a01 ff5778 85c0 7409 } condition: 7 of them and filesize < 297984 
@@ -120409,36 +121110,36 @@ rule MALPEDIA_Win_Fishmaster_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "85781cdb-ef0a-5ba4-9f1c-a71e1fb971a5" - date = "2026-01-05" - modified = "2026-01-06" + id = "ac12363c-ad41-579d-a95f-802bb5193b75" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fishmaster_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fishmaster_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "fa4353e268ca10ee73320d72c1e5a21f512b82d4c18bb38fa107cace5c168150" + logic_hash = "af57c8e9f29c0f762ec23f8aea5068b150dc565479ee1a3701b57daf5f6f894f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b9e8030000 ff15???????? 4c89742450 48c74424580f000000 } - $sequence_1 = { 8d45fd 4863c8 460fbe0401 418d40bf 3c19 7706 } - $sequence_2 = { 7203 4c8b03 8d45ff 4863c8 } - $sequence_3 = { 488d0d25310000 0f57c0 488d5308 48890b 488d4808 0f1102 ff15???????? } - $sequence_4 = { 488bcb 41ffd5 90 488b5558 4883fa10 7234 } - $sequence_5 = { ba05000020 488bcb ff15???????? 488bcb ff15???????? 
c744243000010000 } - $sequence_6 = { 488d054d2a0000 c3 8325????????00 c3 48895c2408 55 } - $sequence_7 = { 4983f910 7203 4c8b03 8d45ff 4863c8 460fbe0401 418d40bf } - $sequence_8 = { 83f828 7309 33c9 ff15???????? cc } - $sequence_9 = { 4883f801 721c 488d4101 48894310 4883fa10 488bc3 7203 } + $sequence_0 = { 7705 8d51bf eb2f 8d419f 3c19 } + $sequence_1 = { 0f86ba030000 488bc8 e8???????? 488bc8 } + $sequence_2 = { 3cfd 774e 88940d81000000 0fb65308 8d42ff 3cfd } + $sequence_3 = { 80f92f 410f44d2 4c8bc3 4983f910 7203 } + $sequence_4 = { e8???????? 488bd8 448b8550200000 33d2 } + $sequence_5 = { 410f44fa c1ff04 c0e202 400afa 498b4e10 498b5618 } + $sequence_6 = { 488d0d8a2c0000 e8???????? 85c0 7510 488d0d922c0000 e8???????? } + $sequence_7 = { 7505 448be7 eb07 80f92f 450f44e0 488bc3 4883fa10 } + $sequence_8 = { 48c747180f000000 c60700 488bc3 488b9c24b0000000 4883c460 415f } + $sequence_9 = { 88940d81000000 0fb65308 8d42ff 3cfd 773c } condition: 7 of them and filesize < 812032 
@@ -120448,36 +121149,36 @@ rule MALPEDIA_Win_Dexter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b1377870-3c18-50e1-8895-9f4c52e3708d" - date = "2026-01-05" - modified = "2026-01-06" + id = "9519d404-6a4b-5b1d-98c6-1314866cc904" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dexter_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dexter_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "a43855bc8fa5d1635b94e65a3069c65413410fe093cfd7f70d80f09412658791" + logic_hash = "3d2ad37d315b42c5076b399bde55d7819e0a753a35d2ccfdafe151fe9ebf74d9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a59 ff15???????? 85c0 7414 68???????? 8b4d08 } - $sequence_1 = { 50 6a00 ff15???????? 68???????? 68???????? } - $sequence_2 = { 8b0d???????? 51 ff15???????? 8b15???????? 8955fc 8b45fc 50 } - $sequence_3 = { 8b45fc 50 ff15???????? 8b0d???????? 51 ff15???????? ebc6 } - $sequence_4 = { 83c40c 68???????? ff15???????? 6a00 6a00 6a00 6a00 } - $sequence_5 = { e9???????? 6a59 ff15???????? 85c0 7514 68???????? 8b4d08 } - $sequence_6 = { e8???????? 83c410 8b4508 50 8b4d10 } - $sequence_7 = { ff15???????? 6a4a 6a00 68???????? e8???????? 83c40c 6a4a } - $sequence_8 = { 7514 68???????? 
8b5508 52 ff15???????? e9???????? } - $sequence_9 = { 51 6a08 8b15???????? 52 ff15???????? 8945f8 } + $sequence_0 = { 52 ff15???????? a3???????? c705????????00000000 6a01 } + $sequence_1 = { 83c40c eb1a 6a00 6a00 6a00 6a06 8b15???????? } + $sequence_2 = { 7508 6a00 ff15???????? ff15???????? a3???????? ff15???????? a3???????? } + $sequence_3 = { 85c0 7428 8b0d???????? 51 ff15???????? 85c0 750a } + $sequence_4 = { 51 68???????? 8b5508 52 ff15???????? 68???????? } + $sequence_5 = { 83fa63 7502 eb44 8b4510 } + $sequence_6 = { a1???????? 0305???????? 8945fc 8b4d0c 51 8b5508 52 } + $sequence_7 = { 52 6a00 ff15???????? 68???????? 68???????? } + $sequence_8 = { 8bec b801000000 85c0 7428 8b0d???????? } + $sequence_9 = { 6a00 8b0d???????? 51 e8???????? 83c40c c705????????00000000 68???????? } condition: 7 of them and filesize < 98304 
@@ -120487,36 +121188,36 @@ rule MALPEDIA_Win_Shortleash_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b69c5abe-5ff2-5cda-b15d-4ffaeea772b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "2dce8e58-6ca1-5187-ba1f-93da289cd793" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shortleash" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shortleash_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shortleash_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "7625917da117618d50239e800ec3508d722326f3509a4fb7631eb7833bd5c208" + logic_hash = "71539c4b2430b9e8011503006f9e5cf6c8a2770185be5eff5fd5462a77f2cf20" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff10 83c8ff f00fc1430c 83f801 750c 488b4c2450 488b01 } - $sequence_1 = { e9???????? 4055 4883ec20 488bea ba90000000 488b4d30 e8???????? } - $sequence_2 = { f30f7f4de8 4533f6 4c8975f8 418d4e10 e8???????? 488bd8 488d45d8 } - $sequence_3 = { e9???????? 488d15d5580200 488bcf e8???????? 85c0 7504 488d7706 } - $sequence_4 = { e8???????? 488bd0 488d4c2440 e8???????? 90 488b8eb0000000 e8???????? } - $sequence_5 = { eb09 4c394810 7453 488b00 493b00 75f2 4d8b00 } - $sequence_6 = { b910000000 e8???????? 
488906 488d0d0e020000 488d1533090000 48895308 48890b } - $sequence_7 = { ff15???????? 488b542458 488bcb e8???????? 488b542450 488d4b08 e8???????? } - $sequence_8 = { e8???????? 8bf0 85c0 0f8548010000 488b4530 4c8d8348010000 482b8390000000 } - $sequence_9 = { ff15???????? 4839b3a8000000 7442 488bcb e8???????? 488b8ba8000000 e8???????? } + $sequence_0 = { e8???????? 3ac3 7506 4883c420 5b c3 41b848020000 } + $sequence_1 = { e8???????? 48894308 4c8b26 0f57c0 f30f7f45c0 498b5618 4885d2 } + $sequence_2 = { ba18000000 488bcb e8???????? 488b5540 488d4d58 e8???????? 488b5d38 } + $sequence_3 = { 4a8d1c09 eb02 33db 4885db 7410 488d056e070000 488d0d7b210000 } + $sequence_4 = { 488d4c2440 e8???????? 0f1007 f30f7f442420 4c8d442420 488bd0 488bcb } + $sequence_5 = { b880c2ffff e9???????? 4c8d45e0 488bd7 488d4d30 e8???????? 8bd8 } + $sequence_6 = { 418bcb 4433c0 f7d1 4123cc 418bc3 c1c806 4433c0 } + $sequence_7 = { ffd2 498d8da0000000 488d559f e8???????? 90 4c8bc0 498bd5 } + $sequence_8 = { 85ed 74c8 458bf0 ebc6 33c0 85c9 751a } + $sequence_9 = { 7516 488bcf e8???????? 8bd8 498bce e8???????? 3bc3 } condition: 7 of them and filesize < 2415616 
@@ -120526,36 +121227,36 @@ rule MALPEDIA_Win_Lightneuron_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "effcdfe2-a4bd-534e-86eb-84be08a02b5f" - date = "2026-01-05" - modified = "2026-01-06" + id = "0f248e2e-c77f-5f8d-bf7d-2bd528ffdcf8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lightneuron_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lightneuron_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "6ad51552136a32b2e5f3fef922b412240ca64bebb497b163d34faf6af2a9c320" + logic_hash = "8d97170963d246081dc44167f7668d73066d05f4df6b51d06f693d59de4ff7e4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b0d???????? 4885d2 480f45ca ff15???????? 488b4b08 8d5001 e8???????? } - $sequence_1 = { 448830 e8???????? 85c0 744e 488bcb e8???????? 41ffc4 } - $sequence_2 = { 488bd3 4c0f45c8 488b05???????? 488bcf 4885c0 4c0f45c0 e8???????? } - $sequence_3 = { c744244801000000 85ff 0f8598080000 488b8c24d8000000 4883f901 7304 33c0 } - $sequence_4 = { 2bd8 78ef 4863db 488bd5 4803de 488bcb } - $sequence_5 = { e8???????? 488bc7 41be01000000 458d4603 33d2 488bcf 4c89742470 } - $sequence_6 = { 4883ec38 488b4c2440 ff15???????? 
89442420 837c2420ff 7507 } - $sequence_7 = { 4885ed 7437 4885c0 7432 488d7501 483bf0 7729 } - $sequence_8 = { 0fb6c8 410fb6c1 339c8dc0e90300 339c8580d50300 418bc1 41c1e910 41335d04 } - $sequence_9 = { 4c89742428 4489742420 e8???????? 418bee 488b05???????? 488b15???????? } + $sequence_0 = { a801 7508 4c8bc1 4885c9 75eb 48c1e205 4a8d440207 } + $sequence_1 = { 4585ff 0f8fd5fdffff 4c8b7c2450 448bdb 8bf9 418bc5 48c1e808 } + $sequence_2 = { 488bd3 488bc8 e8???????? 4c8b5d00 4c2bdb 41c6043300 } + $sequence_3 = { 4533c9 baa6010000 b900001000 448bc0 48c744242800000000 8bf0 c744242000000000 } + $sequence_4 = { 33d2 498bcc ff15???????? 498bcc ff15???????? 488b4c2438 ff15???????? } + $sequence_5 = { 488903 e8???????? 85c0 0f8587000000 488b03 48894610 498b00 } + $sequence_6 = { 85c0 0f8956010000 8b8424d8010000 8bf8 0faf4500 85c0 } + $sequence_7 = { 4c89642428 4489642420 e8???????? 488b5c2450 488b6c2460 488bc6 4883c430 } + $sequence_8 = { 498bce 488be8 e8???????? 4885ed 7504 33c0 eb3d } + $sequence_9 = { 4489742420 4c3935???????? 745c baa1010000 e8???????? 488b0d???????? 4885db } condition: 7 of them and filesize < 573440 
@@ -120565,60 +121266,60 @@ rule MALPEDIA_Win_Ghost_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a5c1e7c4-1b2d-598f-9f4c-addb333c7981" - date = "2026-01-05" - modified = "2026-01-06" + id = "b3c0a496-a8e9-5e0a-81fc-8cfef4071d10" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ghost_rat_auto.yar#L1-L313" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ghost_rat_auto.yar#L1-L315" license_url = "N/A" - logic_hash = "1382f8506f533271928000e01179914edf911c946385102a130b99bae8ad91d3" + logic_hash = "f6cde1e9a7a7c4d78a246882e7f130237b23653d10843e75f08c553708ae3734" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bd9 e8???????? 8b4d08 3bc8 } - $sequence_1 = { 8b400c 85c0 7505 a1???????? 50 8bce e8???????? } - $sequence_2 = { 6a01 56 ff15???????? 5e c20800 } - $sequence_3 = { 33c0 5b 8be5 5d c20400 894df4 } - $sequence_4 = { c745f800000000 df6df4 83ec08 dc0d???????? } - $sequence_5 = { c20400 894df4 c745f800000000 df6df4 } - $sequence_6 = { 6a6b 8bce e8???????? 5f 5e } - $sequence_7 = { 68???????? 50 6802000080 e8???????? 83c41c 5f 5e } - $sequence_8 = { 68???????? 68???????? 6a00 6a00 c705????????20010000 e8???????? 8b35???????? } - $sequence_9 = { e8???????? 
8b8e549f0000 83c41c 89848e14030000 } - $sequence_10 = { e8???????? 83c40c ff7508 6a40 ff15???????? } - $sequence_11 = { ff7510 ff75dc ff15???????? 85c0 7507 } - $sequence_12 = { e9???????? 8d45dc 50 681f000200 } - $sequence_13 = { f7d1 49 7509 5f 5e 5b } - $sequence_14 = { 83c408 e8???????? c1e00a 6a04 } - $sequence_15 = { e8???????? 6a6f 8bce e8???????? 5e } + $sequence_0 = { 6a01 56 ff15???????? 5e c20800 } + $sequence_1 = { 8b400c 85c0 7505 a1???????? 50 8bce } + $sequence_2 = { 8bd9 e8???????? 8b4d08 3bc8 } + $sequence_3 = { 8be5 5d c20400 894df4 c745f800000000 } + $sequence_4 = { c745f800000000 df6df4 83ec08 dc0d???????? dd1c24 ff15???????? 83c408 } + $sequence_5 = { 6a6b 8bce e8???????? 5f 5e } + $sequence_6 = { ff7628 ff15???????? 6a01 ff7620 ff15???????? 8b4e04 } + $sequence_7 = { 6a00 6a00 c705????????20010000 e8???????? } + $sequence_8 = { b302 50 51 c744242003000000 c744242400000000 } + $sequence_9 = { e9???????? 8b4df0 83c154 e9???????? 8b4df0 83c17c e9???????? } + $sequence_10 = { ff15???????? 85c0 7507 c745e401000000 834dfcff } + $sequence_11 = { 68???????? 50 6802000080 e8???????? 83c41c 5f 5e } + $sequence_12 = { 50 e8???????? 83c40c ff7508 6a40 ff15???????? } + $sequence_13 = { 6a6f 8bce e8???????? 5e } + $sequence_14 = { 6a00 52 ff15???????? 8b462c 68d0070000 } + $sequence_15 = { e8???????? 8b8e549f0000 83c41c 89848e14030000 8b86549f0000 } $sequence_16 = { 8dbd85feffff f3ab 66ab aa } - $sequence_17 = { 83c12c e9???????? 8b4df0 83c154 e9???????? 8b4df0 83c17c } - $sequence_18 = { 8d4e10 e8???????? 6a6b 8bce } - $sequence_19 = { 8365fc00 ff7508 ff15???????? 40 50 ff15???????? 59 } - $sequence_20 = { e8???????? 84c0 7505 83ceff eb2c } - $sequence_21 = { 89849614030000 8b86549f0000 40 8986549f0000 } - $sequence_22 = { 6a00 ff7628 ff15???????? 6a01 ff7620 ff15???????? 8b4e04 } - $sequence_23 = { 8bce ff75e8 e8???????? 8bce e8???????? 6a00 } - $sequence_24 = { ff15???????? 6800000002 6a00 6a00 ff15???????? 
} - $sequence_25 = { 6a00 6a00 6838040000 6a00 6a00 } - $sequence_26 = { 83e9fc c7014c696272 83e9fc c70161727941 83e9fc c70100000000 } - $sequence_27 = { 8b4608 8b7e20 8b36 813f6b006500 7406 813f4b004500 75e8 } - $sequence_28 = { ff8b8d60ffff ff03 0c90 898df4feffff } - $sequence_29 = { 8b4df0 51 8b9558ffffff 52 8b8560ffffff 50 } - $sequence_30 = { 83c40c c7856cffffff00000000 eb0f 8b8d6cffffff 83c101 } - $sequence_31 = { 03480c 894dc0 8b55c0 52 8b450c } - $sequence_32 = { 8d9530ffffff 52 6a40 8b4580 } - $sequence_33 = { 8b423c 8945ec 8b8d58ffffff 034dec } + $sequence_17 = { ff7508 ff15???????? 40 50 ff15???????? } + $sequence_18 = { ff15???????? 85c0 7506 46 83fe19 } + $sequence_19 = { 6a00 e8???????? 8b96549f0000 83c41c 89849614030000 } + $sequence_20 = { ff7620 ff15???????? 8b4e04 e8???????? 33c0 5e } + $sequence_21 = { e8???????? 8d85c0feffff 50 57 ff15???????? 8bf8 83ffff } + $sequence_22 = { 8bce ff75e8 e8???????? 8bce e8???????? 6a00 } + $sequence_23 = { 6a00 6a00 e8???????? 8b8e549f0000 } + $sequence_24 = { e9???????? 8d45dc 50 681f000200 } + $sequence_25 = { 6a00 6a00 6838040000 6a00 } + $sequence_26 = { 83e9fc c7014c696272 83e9fc c70161727941 } + $sequence_27 = { 813f6b006500 7406 813f4b004500 75e8 } + $sequence_28 = { 8b4608 8b7e20 8b36 813f6b006500 7406 } + $sequence_29 = { 83ec14 8b4508 8b4d10 2b481c 894df8 8b5508 } + $sequence_30 = { 8b9558ffffff 52 8b8560ffffff 50 ff9514ffffff 83c40c } + $sequence_31 = { 7522 60 8b75dc 8b5e24 035df8 8b761c 0375f8 } + $sequence_32 = { 85c0 7530 8b8d48ffffff 8b9560ffffff 03511c 8995f0feffff 8b8554ffffff } + $sequence_33 = { 75d4 817f0865006c00 7407 817f0845004c00 } condition: 7 of them and filesize < 357376 
@@ -120628,35 +121329,35 @@ rule MALPEDIA_Win_Lilith_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b5f168af-a3f0-50f9-b1ea-d5b831d2999b" - date = "2026-01-05" - modified = "2026-01-06" + id = "f6688e49-d078-590c-bce7-a52bca0db647" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lilith_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lilith_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "24d3c4eccb2438b08f77ee93becbd460d6cfbdd1ec4e6b4842ec58df50e21530" + logic_hash = "3c7101c31004d9177d9faf8afb631ac20e5bd29dcbe6d175a24a1aad91893e1b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81784800374300 7409 ff7048 e8???????? 59 c70701000000 8bcf } - $sequence_1 = { 8b7d08 8bd9 33f6 0f1f00 6a00 } - $sequence_2 = { e8???????? 8d4dd4 e8???????? 83c418 b9???????? 50 e8???????? } - $sequence_3 = { 57 56 ff15???????? ff75a0 8b35???????? ffd6 ff75a4 } - $sequence_4 = { 33c0 663b8880974200 740d 83c002 } - $sequence_5 = { 8d3c85d04a4300 8b0f 85c9 740b 8d4101 f7d8 1bc0 } - $sequence_6 = { 8d4dd4 50 e8???????? 8d4db4 e8???????? } - $sequence_7 = { c7411400000000 6a00 c741140f000000 c7411000000000 68???????? 
8801 } - $sequence_8 = { c745fc00000000 0f57c0 6a00 50 } + $sequence_0 = { 6a00 b804000000 2bc6 50 8d4508 03c6 50 } + $sequence_1 = { 50 0f4ef0 8d8564ffffff 50 e8???????? } + $sequence_2 = { 6a00 57 56 ff15???????? ff75a0 } + $sequence_3 = { 8955e4 897dfc 8b0495a84b4300 8945e8 894df0 } + $sequence_4 = { 899e8c000000 33c0 899e90000000 c706???????? c78694000000b0764200 c7869800000030784200 c7460401000000 } + $sequence_5 = { 8d4dd4 c745cc00000000 6a00 68???????? 8975b0 c745e80f000000 } + $sequence_6 = { 8b8540ffffff 6a00 6a00 6a00 ff7008 } + $sequence_7 = { 837e1408 895df0 722a 8b36 eb26 ba???????? 8d4da4 } + $sequence_8 = { 8b0485a84b4300 0fb6440828 83e040 5d } $sequence_9 = { e8???????? 8b0d???????? e8???????? eb10 ff75dc 8b35???????? ffd6 } condition: 
@@ -120667,36 +121368,36 @@ rule MALPEDIA_Win_Lumar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66198547-c312-5005-8756-3c4d434f3dfb" - date = "2026-01-05" - modified = "2026-01-06" + id = "e881dc92-d171-5105-bb07-ff98181ef78b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lumar_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lumar_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "7775336cd5e4593c9fd91e39a7fb1823140e1a9590624def112d1a4339e9c62e" + logic_hash = "ea178313c43524fd7a7002575f589f09acf9805a9145d8f1811f2c4d6c208d78" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7418 8b4514 83c004 894514 8b4514 } - $sequence_1 = { 6a68 66898506ffffff 58 6a2f 6689850affffff 58 } - $sequence_2 = { 8bd9 03fe e8???????? 3bf8 7604 33c0 } - $sequence_3 = { e8???????? 8b7d08 8b5610 8bca 2b4e0c 0fb7df } - $sequence_4 = { 58 6bc005 ff5405b4 6a04 58 6bc007 } - $sequence_5 = { 668945b0 e8???????? 83c414 fe05???????? 8bce e8???????? 8bcb } - $sequence_6 = { 3bc2 753e 8b4510 85c0 74d3 } - $sequence_7 = { 0fb74df8 3bc1 7503 ff65e0 ebd9 } - $sequence_8 = { 0f2805???????? 
b900010000 53 56 57 } - $sequence_9 = { 8d842414010000 47 50 57 6a00 c7842420010000a8010000 } + $sequence_0 = { 8d0441 8945f4 e9???????? 8b45b0 83e002 744c 837d0c03 } + $sequence_1 = { 5f 5e 5b 5d c3 2bca 0fb702 } + $sequence_2 = { 663b5dfc 0f8e08010000 83ea01 895518 0f84fc000000 8b4df4 0fbfc3 } + $sequence_3 = { f7d8 1bc0 83c004 ebeb f60210 6a00 } + $sequence_4 = { ffb7e4910000 8d55fc 51 53 6a02 56 8d8fac970000 } + $sequence_5 = { 833c9600 74f9 ff0c96 8344960402 83ef01 79c4 5f } + $sequence_6 = { 8b45ec 663b45fc 0f8e85010000 8b7508 8bce e8???????? } + $sequence_7 = { 81feba499307 7432 81fe0f766ed2 742a } + $sequence_8 = { 3bd0 7209 8bd0 4a } + $sequence_9 = { 6a1b 59 66890d???????? 8d4877 eb52 } condition: 7 of them and filesize < 81920 
@@ -120706,34 +121407,34 @@ rule MALPEDIA_Win_Ymir_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ec16ddc4-25ef-5b31-b796-dd562960b36b" - date = "2026-01-05" - modified = "2026-01-06" + id = "278c6b49-2804-5b51-9c14-eb7f1a9b17c8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ymir" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ymir_auto.yar#L1-L92" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ymir_auto.yar#L1-L90" license_url = "N/A" - logic_hash = "853e5b985d29c6039b89b0f82cf98458f3d83850f989fe396b592ab8b2bdf1fe" + logic_hash = "3d66ab481f8e9eef312301fbcf8dd546d68cce30bc83067a87933ba87376dbb7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c89ea 4889c1 4c0f47c3 e8???????? } - $sequence_1 = { 4c89ea 4889cb ff5078 488d05a7211000 } - $sequence_2 = { 4c89ea 4889d9 41ff14fe eb85 } - $sequence_3 = { 4c89ea 4889c1 4989c4 e8???????? 488d1573bf0400 31c9 } - $sequence_4 = { 4c89ea 4889c7 488d05ec682800 4c8d3585682800 } - $sequence_5 = { 4c89ea 4889c6 498b0424 c744242001000000 } - $sequence_6 = { 4c89ea 4889d9 488ba8d8000000 4889ac2488000000 } - $sequence_7 = { 4c89ea 4889c1 e8???????? 4189f2 } + $sequence_0 = { 4c89ea 488d4e08 4c8b3d???????? 668986e8000000 } + $sequence_1 = { 4c89ea 488d4b18 e8???????? 488b05???????? 
} + $sequence_2 = { 4c89ea 488d4830 e8???????? 48035c2440 } + $sequence_3 = { 4c89ea 488d1dde871900 48c784245801000000000000 4c89f1 } + $sequence_4 = { 4c89ea 488d0df9be2600 48891d???????? e8???????? } + $sequence_5 = { 4c89ea 488d4e08 48c786e000000000000000 498d4618 } + $sequence_6 = { 4c89ea 488d4b10 4989e9 ff5048 } + $sequence_7 = { 4c89ea 488d1dae691900 48c784243801000000000000 4c89f1 } condition: 7 of them and filesize < 5530624 
@@ -120743,42 +121444,42 @@ rule MALPEDIA_Win_Doublefantasy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba30a5f3-35d1-5f03-be08-9b3934519f6b" - date = "2026-01-05" - modified = "2026-01-06" + id = "6effc5c9-0006-5ed7-b805-b3d9b614f224" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doublefantasy_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doublefantasy_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "1a0409b74271064d42217a7a2221717756e298061c677390a0017c2a29a907a4" + logic_hash = "e51e60993fcda8ab09ee32d5deecfc0fd82ef9804363aa3f286e47f2d848dfa5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { bfd3360000 57 6a40 8b35???????? ffd6 } - $sequence_1 = { 8b442404 0fb608 c1e902 8a91908c2700 8b4c2408 8811 33d2 } - $sequence_2 = { e8???????? 8bcb 2bc8 51 ff7514 } - $sequence_3 = { 50 6a00 56 8907 e8???????? 83c40c } - $sequence_4 = { 66ab be???????? 8dbd9ffaffff a5 } - $sequence_5 = { ff15???????? eb72 56 6a00 ff75e0 e8???????? ff75e4 } - $sequence_6 = { 83e20f c1e202 0bd6 8a92908c2700 eb02 b23d 837c241002 } - $sequence_7 = { ff750c ff7508 e8???????? 
83c414 8945e0 } - $sequence_8 = { 8a80ad8c2700 eb02 32c0 84c0 } - $sequence_9 = { 891485a4ab2700 40 3bc1 72f1 } - $sequence_10 = { 8a92908c2700 885101 7e1c 0fb67002 33d2 8a5001 c1ee06 } - $sequence_11 = { 8a80908c2700 eb02 b03d 884103 } - $sequence_12 = { 33c0 85c9 7616 8da42400000000 8d50fd 891485a4ab2700 40 } - $sequence_13 = { b9d2360000 51 52 48 } - $sequence_14 = { c68094a3270000 ff35???????? ff35???????? e8???????? 83c414 e8???????? } - $sequence_15 = { ff37 ff750c 8b460c 03c3 50 e8???????? } + $sequence_0 = { 56 e8???????? 8945e4 3bc6 7c49 8b07 } + $sequence_1 = { ff15???????? 83f8ff 751c 397514 7409 ff7514 } + $sequence_2 = { c6430174 8b4508 668b4002 668945dc 3935???????? 7421 } + $sequence_3 = { 6805010000 57 68???????? e8???????? } + $sequence_4 = { 393d???????? 7523 3d52000028 741c 3d54000028 750c } + $sequence_5 = { 8a91908c2700 8b4c2408 8811 33d2 8a10 56 } + $sequence_6 = { 3d09000c80 7451 3bc3 7c59 6aff ff35???????? } + $sequence_7 = { 5e 7e0f 0fb64002 83e03f 8a80908c2700 eb02 } + $sequence_8 = { c1e204 0bd6 837c241001 8a92908c2700 885101 7e1c } + $sequence_9 = { e8???????? 8b4605 c68094a3270000 ff35???????? ff35???????? e8???????? 83c414 } + $sequence_10 = { 43 895de0 33ff 897de4 897dd4 897dd8 897dfc } + $sequence_11 = { 0fb608 c1e902 8a91908c2700 8b4c2408 } + $sequence_12 = { 8a92908c2700 885101 7e1c 0fb67002 33d2 8a5001 c1ee06 } + $sequence_13 = { e8???????? 3bc7 8945e8 7d42 8b4628 3bc7 7414 } + $sequence_14 = { 720f 3c7a 770b 0fb6c0 8a80ad8c2700 eb02 } + $sequence_15 = { 0fb6c0 8a80ad8c2700 eb02 32c0 84c0 7410 } condition: 7 of them and filesize < 172032 
@@ -120788,41 +121489,41 @@ rule MALPEDIA_Win_Waterminer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c2bad66-5d35-57b7-b9da-21c6dec00989" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a534eb8-9d9c-5bd9-aeca-b5e0da164f1d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.waterminer_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.waterminer_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "f10b4bcaeeaace43d5cd2141c609b5656e22416293022c0fdf8f9cf3861e271d" + logic_hash = "e53e34b0461a0435196ef4d1bfa18622f5fd6c288970234a403508c69ed49afb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 6804100020 8b5508 52 } - $sequence_1 = { 8b9584fdffff 0fb68208794400 ff2485f0784400 8b8decfdffff 83c904 898decfdffff } + $sequence_0 = { 6a00 68f9030000 68???????? 68???????? } + $sequence_1 = { 8b45cc 0fb68898e94600 ff248d70e94600 8b55f8 81e2ff64ffff 81ca00900000 } $sequence_2 = { 03bc24a8000000 488bcd 4c8d0d35cb0300 83e13f } - $sequence_3 = { b804000000 6bc014 8b8880434b00 330d???????? 894dfc } - $sequence_4 = { 02d0 49ffc3 418d4001 881418 } - $sequence_5 = { 8d8518f5ffff 50 e8???????? 83c404 898500f7ffff e8???????? 
85c0 } + $sequence_3 = { 02d0 49ffc3 418d4001 881418 } + $sequence_4 = { c1e006 8b0c95c02b4b00 0fbe540104 83e2fd 8b4508 } + $sequence_5 = { 83bd88fdffff37 0f87270a0000 8b8d88fdffff 0fb6919c794400 ff249560794400 8b85ecfdffff } $sequence_6 = { 0344240c 4403d0 428b4405e7 418bd2 } - $sequence_7 = { 03442410 4403e8 428b4405e7 418bd5 } - $sequence_8 = { 03c1 03d0 488d051e580500 418b0400 } - $sequence_9 = { 6bc903 898180434b00 68???????? 8b55fc 52 } - $sequence_10 = { 02c8 41880c18 418a03 240f } - $sequence_11 = { 8945d8 837dd806 0f8797000000 8b4dd8 ff248d54e94600 8b55f8 } - $sequence_12 = { 83fa78 7f19 0fbe85f3fdffff 0fbe8800ec4900 83e10f 898d28fdffff eb0a } - $sequence_13 = { 8945f0 817df005010000 7302 eb05 e8???????? 8b4df0 c681f82c4b0000 } - $sequence_14 = { 03c0 2bc8 0f84ec040000 8d41ff 8b848288d20600 } + $sequence_7 = { 750c 8b5508 8b049524074b00 eb1d 8b4508 8b0c8524074b00 } + $sequence_8 = { b904000000 6bc900 8b91c02b4b00 81c200080000 3955e4 7375 8b45e4 } + $sequence_9 = { 03c1 03d0 488d051e580500 418b0400 } + $sequence_10 = { 837d1000 0f8429010000 b902000000 6bc900 33d2 8b4510 6689940820010000 } + $sequence_11 = { 8b4d08 034dfc 8b55fc 8a82600a4b00 } + $sequence_12 = { 03c0 2bc8 0f84ec040000 8d41ff 8b848288d20600 } + $sequence_13 = { 02c8 41880c18 418a03 240f } + $sequence_14 = { 03442410 4403e8 428b4405e7 418bd5 } $sequence_15 = { 0344240c 4403d0 488d051a560500 418b0400 } condition: 
@@ -120837,7 +121538,7 @@ rule MALPEDIA_Win_Unidentified_101_Auto : FILE date = "2023-03-28" modified = "2023-04-07" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_101" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_101_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_101_auto.yar#L1-L128" license_url = "N/A" logic_hash = "71f0751fbd77a928634515b558d06922b4bf4a312042d6abbd6ba70171c64843" score = 75 
@@ -120872,36 +121573,36 @@ rule MALPEDIA_Win_Starcruft_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e43c9dba-c687-54c9-a2de-dd0a9a45d60b" - date = "2026-01-05" - modified = "2026-01-06" + id = "dc096f6e-ea1d-5470-8866-51bf722773fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.starcruft_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.starcruft_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "96896309775ea1553e784bf38519d110c5e6ff85ff5070e7ca85592bc9b55bb1" + logic_hash = "b72b8384869c2c954f191bce498484c3530f8a31a3f0457ad539656016382ef9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c 8b45ec 50 e8???????? 83c404 8b4de8 894dec } - $sequence_1 = { 85c0 7505 83c8ff eb17 6a00 8b55ec } - $sequence_2 = { ff15???????? 8945e4 837de400 740c e8???????? } - $sequence_3 = { 8d4dfc 51 8d95f0f9ffff 52 6a13 8d8538fbffff } - $sequence_4 = { 8955fc 8b45f8 8945f0 eb09 8b4df0 83c102 } - $sequence_5 = { 83c408 83f8ff 7516 6a00 8d95c8fcffff 52 8d85d0fdffff } - $sequence_6 = { 6a36 8b4d08 83c158 51 e8???????? 83c40c 6a40 } - $sequence_7 = { e9???????? 6a00 8b95e4f5ffff 52 ff15???????? 8b4d10 8901 } - $sequence_8 = { 8d95f0feffff 52 e8???????? 
83c40c 6804010000 8d85ecfdffff 50 } - $sequence_9 = { 6a06 8d9578fbffff 52 e8???????? 83c410 8d85d0fbffff 50 } + $sequence_0 = { 66890c4500e82e00 40 ebe8 33c0 8945e4 3d01010000 } + $sequence_1 = { 837df000 740d 8b4df0 e8???????? 8945e4 eb07 c745e400000000 } + $sequence_2 = { e8???????? 83c410 8b4d28 c70103800000 0fb65534 } + $sequence_3 = { 51 8d55f8 52 8d45f4 50 8b0d???????? 51 } + $sequence_4 = { e8???????? 83c40c 6804010000 8d85ecfdffff 50 8d8df0feffff } + $sequence_5 = { 50 e8???????? 83c408 eb6a 6804010000 8b0d???????? 51 } + $sequence_6 = { c68567fbffffe9 c68568fbffff0d c68569fbffff0c c6856afbffff53 c6856bfbffffeb c6856cfbffff14 c6856dfbffff9c } + $sequence_7 = { 89853cfeffff 83bd3cfeffff00 7407 32c0 e9???????? 8b5508 } + $sequence_8 = { 8d8dc8f4ffff 51 8b95ccfcffff 52 ff15???????? 6a00 8d856cf2ffff } + $sequence_9 = { 83ec0c c745f801000000 68c8000000 e8???????? 83c404 } condition: 7 of them and filesize < 294912 
@@ -120911,36 +121612,36 @@ rule MALPEDIA_Win_Keymarble_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "447d0650-610a-5703-8049-ac11f5ff96b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "b0e409ac-4108-55d8-bf04-020335d82e05" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.keymarble_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.keymarble_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "e486a69a145cdf890bda9b04db818a44b92722887c60b9c58647de19116cd1c1" + logic_hash = "4f15343aab11eb8c534c10fd6ae13176ab38bae1a79f04e126b7e1c4503c999d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 50 e8???????? 83c404 56 6a40 } - $sequence_1 = { 6a00 6a03 6800000040 57 ffd6 } - $sequence_2 = { ff15???????? e8???????? 99 b907000000 f7f9 } - $sequence_3 = { e8???????? 83c408 85c0 7407 bb7a452301 } + $sequence_0 = { 50 e8???????? 83c404 56 6a40 } + $sequence_1 = { ff15???????? e8???????? 99 b907000000 } + $sequence_2 = { 6a03 6800000040 57 ffd6 } + $sequence_3 = { e8???????? 83c404 e8???????? 8d3470 81e6ffffff7f } $sequence_4 = { ffd7 50 e8???????? 83c404 e8???????? 8d3470 81e6ffffff7f } - $sequence_5 = { e9???????? 
50 6a00 6810040000 } - $sequence_6 = { 85db 7407 53 ff15???????? ff15???????? } - $sequence_7 = { e9???????? 50 6a00 6810040000 ff15???????? } - $sequence_8 = { ff15???????? 85db 7407 53 ff15???????? ff15???????? } - $sequence_9 = { 50 e8???????? 83c404 e8???????? 8d3470 81e6ffffff7f } + $sequence_5 = { ff15???????? 50 e8???????? 83c404 56 6a40 } + $sequence_6 = { ff15???????? 50 e8???????? 83c404 56 6a40 ff15???????? } + $sequence_7 = { e8???????? 83c408 85c0 7407 bb7a452301 } + $sequence_8 = { e8???????? 83c404 56 6a40 ff15???????? } + $sequence_9 = { 50 e8???????? 83c404 56 6a40 ff15???????? } condition: 7 of them and filesize < 1146880 
@@ -120950,36 +121651,36 @@ rule MALPEDIA_Win_Rhino_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "301844bb-5a4f-5171-97e6-f16bb6b6ee32" - date = "2026-01-05" - modified = "2026-01-06" + id = "65eddb08-1e01-51ca-aab1-68bf6350530c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rhino_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rhino_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "5ce22b89951420015e2398779d8c31359ab3803912d8b24c1d8c37a7a67db86a" + logic_hash = "52499ce11e9ade581b226e5885e4ae7366a465260ba6a9fd82f4ac5a32e1c067" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3944240c 760a f71487 40 3b44240c 72f6 } - $sequence_1 = { 8bc7 c1c806 33c8 8b44242c 33442420 23c7 3344242c } - $sequence_2 = { 8d45d8 50 6a06 8bce e8???????? 6a00 6a01 } - $sequence_3 = { 03c1 8b4c2420 83d500 894114 8b470c f7e0 } - $sequence_4 = { 8d45d0 50 e8???????? e8???????? c20800 8b5114 } - $sequence_5 = { 83ec78 8d6c24fc a1???????? 33c5 894578 6a14 b8???????? } - $sequence_6 = { 53 53 6800000008 51 53 53 56 } - $sequence_7 = { 68???????? 50 e8???????? 
83c40c 8365fc00 8bce 50 } - $sequence_8 = { 8b06 ff5048 85c0 0f849c000000 807c241006 0f8591000000 57 } - $sequence_9 = { 8b5528 0f1101 034c241c 836c242801 89442410 894c2414 758a } + $sequence_0 = { 7528 8d85c0feffff c785c0feffff14010000 50 ff15???????? 83bdd0feffff02 740f } + $sequence_1 = { 03fa 894110 8b4c2418 13de 8b01 f76514 8bf0 } + $sequence_2 = { c20c00 ff7510 8b06 ff7508 ff5020 84c0 74cf } + $sequence_3 = { 03ca 03c1 eb03 8b4710 8b5c2420 8bd0 } + $sequence_4 = { 5b c20400 6a2c b8???????? e8???????? 8bf9 8b750c } + $sequence_5 = { e8???????? 83f8ff 7432 50 6a00 8d45b0 8bce } + $sequence_6 = { 33442434 8bcf 3344242c 33442420 d1c0 8944242c } + $sequence_7 = { c1cb02 33c7 03c1 03f0 8b442464 8bce c1c105 } + $sequence_8 = { 8945a4 83f801 7603 48 eb02 33c0 23c6 } + $sequence_9 = { 8b4f14 8b4114 3b410c 7507 8bcf e8???????? 33c0 } condition: 7 of them and filesize < 1288192 
@@ -120989,36 +121690,36 @@ rule MALPEDIA_Win_Crenufs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "487ba1c7-31dd-5f61-bb00-5c9d73db857b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4dda6e31-1886-5895-a7ee-5884365d4f51" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crenufs_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crenufs_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "b8d4f6abd83faf05e3956845ba58bcd09d9f7c4a785dc9758948905ec6301e11" + logic_hash = "936bd00a40e25669696da995db269922ec1698c3967ec2109a7ba4bca514ece2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a01 8d4de4 ff15???????? 8b4df4 5f 5e 5b } - $sequence_1 = { 8b7610 c744241000000000 3930 770a } - $sequence_2 = { 50 56 8d4de0 ff15???????? 57 68???????? } - $sequence_3 = { 8bf9 56 897c2418 e8???????? 56 ff15???????? } - $sequence_4 = { c7461001000000 8bde ff15???????? 392d???????? 7512 8935???????? 892e } - $sequence_5 = { 52 8d7e58 6a04 57 50 ffd5 } - $sequence_6 = { 03ca 894c2438 3b4b18 740d 8b4c2454 c74118ccc74000 eb61 } - $sequence_7 = { ff15???????? 834dfcff 6a01 8d4ddc ff15???????? 8b4df4 8bc6 } - $sequence_8 = { 53 50 68???????? 53 ff15???????? 
6a01 8d4db0 } - $sequence_9 = { ff15???????? e9???????? a1???????? bf???????? 83c9ff } + $sequence_0 = { 5f 5e 33c0 5b c20c00 8b4c2414 } + $sequence_1 = { 81ec24040000 53 56 57 ff7508 e8???????? 59 } + $sequence_2 = { 85ff 7c24 8b06 ff501c 3bf8 7d1b 8b4638 } + $sequence_3 = { e8???????? 8b4d1c 53 6880000000 } + $sequence_4 = { 8d4d80 85c0 c645fc06 ff15???????? 56 8d4d90 } + $sequence_5 = { c74204ffffffff 894210 894214 894218 } + $sequence_6 = { 753f 3bf6 753b 8b4604 } + $sequence_7 = { 50 ff15???????? 8d8560feffff 50 e8???????? 83c420 8d4de0 } + $sequence_8 = { c645fc08 ff31 8d4de0 53 50 ff15???????? } + $sequence_9 = { 33c0 eb05 1bc0 83d8ff 5d 5b } condition: 7 of them and filesize < 106496 
@@ -121028,36 +121729,36 @@ rule MALPEDIA_Win_Phoenix_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "32012f66-221c-5fa5-9d14-f943abc9c522" - date = "2026-01-05" - modified = "2026-01-06" + id = "4dfa7ef0-4875-564b-b865-e6f102f3af31" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.phoenix_locker_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.phoenix_locker_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "c929252a8fed8f1bda435d368708b210ebe5b5f043e324b3e033e447747795e0" + logic_hash = "b1d5a233dad93ad87e8e6ab53dd93151b79c7e64341cdca8448cd67b7ab7a537" score = 75 - quality = 75 + quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffc3 4d0fbfd0 66450fbed2 450fbfd5 4c63d3 e9???????? e9???????? } + $sequence_0 = { 418d4238 fece 66450fb3f8 418d5278 66440fb6c0 c1e903 } $sequence_1 = { 0f8774000000 0f8530000000 488b542428 480fb7cd 488d4b14 e9???????? ff15???????? } - $sequence_2 = { 41b07c 6644896c2420 480fabc8 48ffc8 4180d05d 488d542420 } - $sequence_3 = { 4586c0 4c8bc2 f7d2 488bd1 488d0de21fe5ff e8???????? 
488d0dd61fe5ff } - $sequence_4 = { 4184eb f9 4c03d1 4d8d1c0b f8 41f6c484 4585c9 } - $sequence_5 = { 688c4bd073 0f82f8aefeff 48818424100000006c322f5a 5e 5e 5e } - $sequence_6 = { 418b0c84 98 23cd 660fb6c6 4433c1 98 4633048b } - $sequence_7 = { e9???????? 0f84c0000000 418d5424ff 6641f7c2266e 4c0fa4cfaa 4c8bed } - $sequence_8 = { 55 d9b726ae0b68 a947d046d6 5b 21bd5e13d92f 5a 81e516495a66 } - $sequence_9 = { f5 f69c2418000000 5f 415e 415e 415e 5f } + $sequence_2 = { e9???????? c3 683065706f 9c 48c1a4240800000041 6827366401 } + $sequence_3 = { 41d3c5 488b6c2468 4080d718 80fb82 488b742478 490fbbd5 8bc3 } + $sequence_4 = { 7f52 b760 00504f d1c0 0c86 32fb } + $sequence_5 = { 0855dd 43f6d1 11d7 43b7b1 743d bc15d6512a bc112e45ce } + $sequence_6 = { e9???????? 41ffc6 49ffc4 413aed 4489b424a0000000 4080fc80 664585dd } + $sequence_7 = { 3bc6 e9???????? 0f84e8fdffff 488b5c2430 48d3c7 488b742438 } + $sequence_8 = { e8???????? 4881842418000000aa78f72a 488b7c2428 48c74424281256ce88 68d72a8642 48c1a42400000000ef 689b25ad02 } + $sequence_9 = { 415b 415e 415f 415f 415e } condition: 7 of them and filesize < 3702784 
@@ -121067,36 +121768,36 @@ rule MALPEDIA_Win_Aveo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "58fed8b1-4a4c-5644-af15-f834ce14a282" - date = "2026-01-05" - modified = "2026-01-06" + id = "fb889ef9-a682-5b51-8022-216452d8fd70" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aveo_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aveo_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "50253623bc7141d72df42bdf99f9bb3131c73cf858d2c7872df300d67b84cd17" + logic_hash = "e9f6213270d9d49b7acda0afe44bd1176c2b3c4e120bd57d3f83dcb416e84c86" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894804 894808 89480c b9???????? 8d7901 8a11 41 } - $sequence_1 = { 68???????? e8???????? 83c404 899df4fdffff eb06 89b5f4fdffff 68???????? } - $sequence_2 = { 52 50 8d9df8feffff e8???????? } - $sequence_3 = { 8d8dfcefffff 51 8bf8 e8???????? 33ff 39bdf4efffff } - $sequence_4 = { e8???????? 83c40c 8d842418010000 50 8d8c241c030000 } - $sequence_5 = { b9???????? 8d7901 8a11 41 84d2 75f9 2bcf } - $sequence_6 = { 8db590fdffff 898574fdffff e8???????? be00100000 } - $sequence_7 = { 50 e8???????? 8d8df4f9ffff 51 8d95f4feffff 52 } - $sequence_8 = { 6803800000 50 ff15???????? 
8b4de8 6a00 6a05 } - $sequence_9 = { 51 e8???????? 8b4df8 83c404 5f } + $sequence_0 = { c1eb04 0bda 0fb69390fa4000 88543001 8a543901 } + $sequence_1 = { 8b85dcfbffff 890f 8b8de4fbffff 51 52 } + $sequence_2 = { 68???????? c705????????00000000 c705????????00000000 a3???????? c705????????0c000000 c705????????00000000 a3???????? } + $sequence_3 = { 50 e8???????? 8bce 51 8d8578fdffff 8d8d90fdffff } + $sequence_4 = { 0fbec2 0fbe8058e24000 83e00f eb02 33c0 0fbe84c178e24000 6a07 } + $sequence_5 = { 83c408 8bc8 8da42400000000 8a10 40 84d2 } + $sequence_6 = { 898500feffff 3bc3 7515 68???????? e8???????? } + $sequence_7 = { 51 c70700000000 ffd6 8b5720 52 } + $sequence_8 = { 8985ecfaffff 8bc6 83c408 8bc8 8a10 } + $sequence_9 = { 50 8b85dcfbffff 890f 8b8de4fbffff } condition: 7 of them and filesize < 180224 
@@ -121106,36 +121807,36 @@ rule MALPEDIA_Win_Megacortex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "208deefe-8484-5fed-92e0-3f970a206260" - date = "2026-01-05" - modified = "2026-01-06" + id = "b5bb63fb-3089-5f8c-b023-4b322e1ffdeb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.megacortex_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.megacortex_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "8fabc9945f7f432c61dd2181155b450bb3827a4277be45dd2f60b6e5a7f065dc" + logic_hash = "fec25d610ad764a47bbbd46e44e0e105c2dbfc3def1f6860b6a5cbcbda6add1c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f843e040000 53 ff75e4 e8???????? 83c408 8945e0 85c0 } - $sequence_1 = { ff75c8 50 e8???????? 83c40c eb03 8b45c8 8b75b8 } - $sequence_2 = { f7db 1bdb 23d8 8b4304 83c304 2bde 8d50ff } - $sequence_3 = { 83c408 8d75fc 8b10 8d4aff f7d9 1bc9 } - $sequence_4 = { c3 8bc7 c745f801000000 8d4dec c745fc01000000 2bc1 8d7304 } - $sequence_5 = { f7da 1bd2 23d1 03d0 8d4d0c 2bf1 8d42ff } - $sequence_6 = { f6430401 c645ff01 7506 8b45e4 894308 807dff00 0f8422030000 } - $sequence_7 = { eb3a 83fb0b 7507 68???????? eb2e 83fb30 7507 } - $sequence_8 = { 8d45d0 50 e8???????? 
8d75e8 8b10 8d4aff f7d9 } - $sequence_9 = { e8???????? 8d45b8 50 8d4e30 e8???????? 8b45d0 8d4d80 } + $sequence_0 = { 8b00 8be5 5d c3 8d4df0 e8???????? 68???????? } + $sequence_1 = { f7df 1bff 2bd8 23fa 03f9 8d46ff f7d8 } + $sequence_2 = { ff75c4 ff15???????? 85c0 740a ff15???????? 85c0 742b } + $sequence_3 = { ff75b8 e8???????? 0175b8 8d430f 83c40c 8d5320 297510 } + $sequence_4 = { 894604 8901 8b85349cffff 8b00 50 8d4808 51 } + $sequence_5 = { eb21 83bdac9cffff10 8d85989cffff 52 0f4385989cffff 8d8de09cffff 50 } + $sequence_6 = { 8db378020000 56 e8???????? ff7508 57 53 68???????? } + $sequence_7 = { ff75e8 56 6a18 eb0f 83f807 7538 } + $sequence_8 = { f7d8 895dfc 1bc0 23c1 8b10 2bc6 83e2fd } + $sequence_9 = { e8???????? 8bf0 83c40c 85f6 0f85b0000000 6a01 ff750c } condition: 7 of them and filesize < 1556480 
@@ -121145,36 +121846,36 @@ rule MALPEDIA_Win_Fct_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d02b72bc-5bf1-5377-8d43-512cbfd79322" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b1da02b-a363-5ef2-ae38-9d414e9e310b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fct" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fct_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fct_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "cc0dc64d7cd3b6633f3a5f0a0519f80550bbd17b8f06fffbd5263c4f40c48188" + logic_hash = "cf248cc99d95b049cef15f8204c6f670912853fdcd63ef0022eb4dd99239b0d8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 803d????????00 753c c705????????60504100 c705????????88534100 c705????????80524100 e8???????? } - $sequence_1 = { 8365c000 c745c42b2e4000 a1???????? 8d4dc0 33c1 8945c8 8b4518 } - $sequence_2 = { ffb52cfdffff 6a01 e8???????? 8d8d80fdffff } - $sequence_3 = { 0f434dd8 3bc2 772c 8d3400 898544fdffff 83fa08 8dbd34fdffff } - $sequence_4 = { 83c8ff eb07 8b04f574204100 5f 5e 5b } - $sequence_5 = { 03348d50614100 837e18ff 740c 837e18fe 7406 } - $sequence_6 = { 83c102 6685c0 75f5 8b5dec } - $sequence_7 = { 8bc3 d1f9 2bc2 3bc8 772f 83fb08 } - $sequence_8 = { eb1e 6a02 68???????? 
c6854cfdffff00 8d4dbc } - $sequence_9 = { 33c0 6689047e eb21 6a04 } + $sequence_0 = { e9???????? 8b048d50614100 f644102840 7405 803b1a } + $sequence_1 = { 57 8b7d08 e9???????? 8b1f 8d049d58634100 8b30 } + $sequence_2 = { 68???????? c6854cfdffff00 8d4dbc ffb54cfdffff 6a02 e8???????? } + $sequence_3 = { e8???????? 83c404 a3???????? b9???????? e8???????? } + $sequence_4 = { c3 8b04c5e4fd4000 5d c3 8bff 55 8bec } + $sequence_5 = { 894dd8 85c9 0f8ea2000000 8b45d0 0fb644022e 0fbe8058574100 } + $sequence_6 = { 3b8d74fdffff 72f1 6a00 6a00 } + $sequence_7 = { 56 8b048550614100 8b7508 57 } + $sequence_8 = { 85f6 7420 6bc618 57 8db8d05c4100 57 ff15???????? } + $sequence_9 = { 6bd838 8b04bd50614100 f644032801 7444 837c0318ff } condition: 7 of them and filesize < 204800 
@@ -121184,34 +121885,34 @@ rule MALPEDIA_Win_Fullmetal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b8b29202-9be6-50e1-9bec-3cebf32dec61" - date = "2026-01-05" - modified = "2026-01-06" + id = "855da0e4-b67c-5e96-940e-51fe9337ca3a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fullmetal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fullmetal_auto.yar#L1-L95" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fullmetal_auto.yar#L1-L101" license_url = "N/A" - logic_hash = "c47370c8b8f3f3ccbb9778b64f7c7a952cf6e37e2cb16598ed18037ff7fcc6b0" + logic_hash = "6ff59e0e5bd1ba537b4bb84615f6a75f4daef5ba07d099bc3ea4d3a200088092" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 90 8b4714 90 c1e80d } - $sequence_1 = { 488b05???????? 488d4de0 4d63c8 488bd3 4c8d8300010000 } - $sequence_2 = { e9???????? 488d1580960200 488bcb ff15???????? } - $sequence_3 = { 85c0 7918 488d542420 488d0dc0b60200 } - $sequence_4 = { 83e03f 4c8d3cc0 4a8b84e9404a0400 4a8b44f828 488945e7 458be1 } - $sequence_5 = { 85c0 7560 49ffc6 6646392c73 75f6 } - $sequence_6 = { eb20 bffdffffff 488b9424c8000000 488d0d2bc30200 4883c212 } - $sequence_7 = { 415e c3 8bc1 488d0df7990200 } + $sequence_0 = { 488bc8 33d2 e8???????? 
488bd8 4885c0 7517 } + $sequence_1 = { 4863c8 4881f9ff0f0000 7366 807c39ff5c 740a } + $sequence_2 = { 75f6 48c7c1ffffffff 48ffc1 803c0a00 75f7 48ffc0 } + $sequence_3 = { 4b0394d8404a0400 8a02 88440dff 48ffc1 48ffc2 } + $sequence_4 = { e8???????? 4885c0 7520 41b800100000 } + $sequence_5 = { c3 a1????????3d0000a1 3c00 00053d0000f3 3c00 } + $sequence_6 = { 7512 ff15???????? 4c8d0d06970200 e9???????? 488d1512970200 488bcb } + $sequence_7 = { 4d63c8 488bd3 4c8d8340010000 4c895c2420 ff15???????? 0f1000 } condition: 7 of them and filesize < 733184 
@@ -121221,36 +121922,36 @@ rule MALPEDIA_Win_Metastealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d224b589-7615-5bc0-8bb6-5706cda78332" - date = "2026-01-05" - modified = "2026-01-06" + id = "3baf84fe-10cc-57cd-aa16-e96a6c220c3c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.metastealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.metastealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6cb10cffce7c1599b69c9e05c260560e4bdcb2bc8aa657b55f875ee3bb8ed71d" + logic_hash = "9af13bebbf5e90fc81418a1671f5578121365d1656c7cb07e006574138ecd4c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f30f59c3 f30f584104 f30f114104 0f28c1 f30f584108 f30f584918 f30f59c3 } - $sequence_1 = { f3a5 68???????? 66a5 c680b600000000 e8???????? 68???????? e8???????? } - $sequence_2 = { ffb6a8000000 8d86d8000000 50 56 e8???????? 83c410 f7d8 } - $sequence_3 = { f30f59cb f30f5c662c f30f101d???????? f30f5c4e28 f30f1150f8 f30f59e2 f30f59ca } - $sequence_4 = { ff7624 e8???????? 83c404 894654 85c0 7412 0f57c0 } - $sequence_5 = { f30f5dc3 f30f107804 f30f102d???????? f20f1035???????? f30f59d3 f30f59c5 f30f5ed7 } - $sequence_6 = { f20f101d???????? f20f1025???????? 
f20f102d???????? f20f1035???????? f20f103d???????? 8b5508 8b45fc } - $sequence_7 = { ffd0 8bd8 83c40c 807d0c00 899f88010000 895df8 c703???????? } - $sequence_8 = { e8???????? 6a02 8d4704 83c302 50 53 e8???????? } - $sequence_9 = { ffd0 83c404 85c0 7423 8b8690010000 80781100 74e8 } + $sequence_0 = { ff74c120 ff7514 e8???????? 83c410 eb32 50 53 } + $sequence_1 = { ff710c 68???????? 50 e8???????? 8b16 83c424 8b4208 } + $sequence_2 = { f7d9 51 50 e8???????? 83c408 c640ff2d 48 } + $sequence_3 = { e8???????? 8bc8 0fb6d1 c1f908 898d88f6ffff 85d2 0f84b0000000 } + $sequence_4 = { e8???????? 837e1410 8bc6 7202 8b06 6a00 6a00 } + $sequence_5 = { f7d8 3bd0 737c 8d42ff 33d2 03c6 f7f6 } + $sequence_6 = { ffb52ceeffff 50 8d8560ffffff 50 ff9510eeffff 83c41c c645fc0a } + $sequence_7 = { f7470c00040000 740b 8b9f80020000 895d08 eb0e 57 e8???????? } + $sequence_8 = { ffb568ffffff 6a00 8b08 50 ff5114 8b4f24 8d573c } + $sequence_9 = { ff7010 52 e8???????? 8d4358 8d4f58 3bc8 7413 } condition: 7 of them and filesize < 26230784 
@@ -121260,47 +121961,48 @@ rule MALPEDIA_Win_Amadey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f098ad5-f3e6-509c-99f1-f0cffd69c9f4" - date = "2026-01-05" - modified = "2026-01-06" + id = "17b0a191-fa2a-5ef3-9f2d-125b2ad4edf9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.amadey_auto.yar#L1-L210" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.amadey_auto.yar#L1-L226" license_url = "N/A" - logic_hash = "fb6578b6e50d377be8fb88ae4d5eeeb58ec3e463dc3822773f271e1c55398ad5" + logic_hash = "02a44f5b2cc526f00f8467a45ba073fe983f5b5db1ea7fccfc8f156f021923d8" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5b 8be5 5d c3 5f c6040e00 8bc6 } - $sequence_1 = { 57 ff15???????? 85c0 75d9 bb01000000 } - $sequence_2 = { 68???????? eb42 e8???????? 83f801 7431 e8???????? } - $sequence_3 = { 83ec18 8bcc 68???????? e8???????? 8d4db4 } - $sequence_4 = { 8a0402 88040f 41 8b7dfc 8d4201 } - $sequence_5 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 } - $sequence_6 = { 0f434d20 40 50 52 6a02 6a00 51 } - $sequence_7 = { 83f811 7413 e8???????? 83f812 7409 6a01 68???????? } - $sequence_8 = { 68???????? e8???????? 8d4d98 e8???????? 
83c418 } - $sequence_9 = { 8b8d78feffff 42 8bc1 81fa00100000 7214 } - $sequence_10 = { 83fa10 722f 8b8d78feffff 42 } - $sequence_11 = { 8b85f49fffff 40 89442404 8d85f8bfffff 890424 e8???????? } - $sequence_12 = { 8d55c8 89442404 891424 e8???????? 85c0 7523 } - $sequence_13 = { c745fc05000000 c70424???????? e8???????? 890424 e8???????? 84c0 } - $sequence_14 = { 8d85d8fdffff 890424 e8???????? e8???????? 89442404 } - $sequence_15 = { 89e5 b828200000 e8???????? 817d08???????? 0f84be000000 } - $sequence_16 = { e8???????? 8b45dc 890424 e8???????? 83ec04 } - $sequence_17 = { c745fc0c000000 8b45fc c9 c3 } - $sequence_18 = { 55 89e5 81ec48040000 e8???????? 89c2 c744241c00020000 8d85f8fbffff } - $sequence_19 = { 56 57 8b3d???????? 83ec18 } - $sequence_20 = { 722f 8b8d60feffff 42 8bc1 } + $sequence_0 = { 7202 8b10 ff7010 837d4c10 } + $sequence_1 = { 68???????? e8???????? 8d4db4 e8???????? 83c418 } + $sequence_2 = { 83c408 84db 740c 6a01 68???????? } + $sequence_3 = { 3bc7 8bfe 0f45d0 833d????????10 } + $sequence_4 = { 8bcc 68???????? e8???????? 8d4dcc e8???????? 83c418 } + $sequence_5 = { 68???????? eb42 e8???????? 83f801 7431 e8???????? 83f802 } + $sequence_6 = { 6a01 68???????? e9???????? 83ec18 8bcc 68???????? e8???????? } + $sequence_7 = { 83c408 84db 7409 6a02 68???????? eb42 e8???????? } + $sequence_8 = { 722f 8b8d78feffff 42 8bc1 81fa00100000 7214 } + $sequence_9 = { 8bcc 68???????? e8???????? 8d4d98 e8???????? 83c418 } + $sequence_10 = { c745fc0a000000 c70424???????? e8???????? 8b45fc 89442408 c7442404???????? } + $sequence_11 = { e8???????? e8???????? 890424 e8???????? c7042400000000 e8???????? 890424 } + $sequence_12 = { e8???????? 89442404 8d85e8feffff 890424 e8???????? 8d85d8fdffff 89442404 } + $sequence_13 = { 898514ffffff 8b8514ffffff c9 c3 55 } + $sequence_14 = { 8be5 5d c3 68???????? e8???????? e8???????? 68???????? } + $sequence_15 = { 743a 8d85f8dfffff 890424 e8???????? 89442408 } + $sequence_16 = { 8d85f8bfffff 890424 e8???????? 
2b85f49fffff 89442408 } + $sequence_17 = { 8b00 89442404 8d45d8 83c004 890424 e8???????? 8b45dc } + $sequence_18 = { 50 68???????? 83ec18 8bcc 68???????? } + $sequence_19 = { 55 89e5 83ec18 c70424???????? e8???????? c744240404010000 } + $sequence_20 = { 56 57 8b3d???????? 83ec18 } + $sequence_21 = { 52 51 e8???????? 83c408 8b9514feffff } condition: 7 of them and filesize < 908288 
@@ -121310,58 +122012,58 @@ rule MALPEDIA_Win_Gozi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9c925d7e-4a58-58b3-a521-9431dccc113c" - date = "2026-01-05" - modified = "2026-01-06" + id = "9aa10efd-66c7-5e31-9851-226298d161da" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gozi_auto.yar#L1-L308" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gozi_auto.yar#L1-L307" license_url = "N/A" - logic_hash = "d60d7415702d07d989a84ad089c91c9c930dfc0751149612c046eb9a7bf0b686" + logic_hash = "dac9feb06c684c42ada85b54c60ce95ba475c3e84edfabcc82c47570c2d13d67" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 8b4dd0 03d1 8915???????? 03d9 891d???????? a3???????? } - $sequence_1 = { 6a00 68cee6ac00 52 50 e8???????? 898500ffffff } - $sequence_2 = { 50 ff7508 8d8771030000 ff10 } - $sequence_3 = { fb 5c 3c32 7e02 19c1 a6 3327 } - $sequence_4 = { c9 50 0c73 0e 96 3b5375 60 } - $sequence_5 = { 55 f79bfe7ca80d a7 ad b710 } - $sequence_6 = { 6a00 e8???????? 85c0 0f8899000000 8b45a8 } - $sequence_7 = { 8ee1 54 257c693a5c 48 fb 5c } - $sequence_8 = { e8???????? 03f0 46 ebdc ff75fc e8???????? } - $sequence_9 = { 6a00 6a00 6a00 8d87a2020000 ff10 } - $sequence_10 = { 0f8459010000 50 ff7570 ff15???????? } - $sequence_11 = { 50 8b35???????? ffd6 57 68???????? e8???????? } - $sequence_12 = { 50 68???????? 6a00 e8???????? 
c745ec01000000 } - $sequence_13 = { 8b4d18 e8???????? 8b45e0 50 } - $sequence_14 = { 3327 72e7 3ebb4a68d947 d93e } - $sequence_15 = { 3818 0f8453feffff 50 e8???????? 89463c ffb574ffffff } - $sequence_16 = { e8???????? ebda 8bc3 c1f805 8d3c85e00c4400 } - $sequence_17 = { 89950cfeffff 8b8d08feffff 0b8d0cfeffff 7431 0fc0f2 } - $sequence_18 = { f6c5ae 69d5e21d6c7f 0fc0f2 0fce 8af4 } - $sequence_19 = { ffb5acfeffff e8???????? 8bd8 039dacfeffff ff7510 53 } - $sequence_20 = { dc6f1b 95 bf633629a8 02738f 1da2c9dde2 } - $sequence_21 = { 84e5 0fce 0fbef4 69f116814003 0faceaca c0d6f6 } - $sequence_22 = { 8b440704 8945a4 50 e8???????? 8b4648 8b7c0708 897da0 } - $sequence_23 = { 68???????? ffb5bcfdffff ff15???????? 897dfc e8???????? 8d85c0fdffff 50 } - $sequence_24 = { 03c7 03cf 83ff1f 0f87a4030000 ff24bd95244300 } - $sequence_25 = { e8???????? 83f8ff 7442 8985fcfeffff 68???????? e8???????? } - $sequence_26 = { 8ad0 4a 8ad0 84c1 } - $sequence_27 = { 6af4 dbe9 68912b4384 2383e08985e4 0572b6e2f4 fd } - $sequence_28 = { 128b42926614 12a502b346d1 41 b87e8da638 e022 } - $sequence_29 = { 68???????? ff75c0 ff15???????? 834dfcff e8???????? ff7508 8d45c4 } - $sequence_30 = { 0f848ffbffff 50 8b4658 8d443804 50 e8???????? 898574ffffff } - $sequence_31 = { 5b 5f c9 c21400 8d87eb040000 8b00 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 45 43 6f 6d 7061 63743200 c808bf35 } + $sequence_1 = { 6a00 6a00 8b4d18 e8???????? 8b45e0 50 } + $sequence_2 = { 94 6e 8ee1 54 257c693a5c 48 fb } + $sequence_3 = { c7400402000000 e9???????? 817df800001000 7607 c745f800001000 } + $sequence_4 = { 8bf0 8b450c 8b4010 83660c00 894604 } + $sequence_5 = { ff7514 ff7510 ff750c ff7508 8d8715050000 ff10 } + $sequence_6 = { 7447 56 53 ff15???????? 8945d8 56 } + $sequence_7 = { e8???????? 
6af4 dbe9 68912b4384 2383e08985e4 0572b6e2f4 fd } + $sequence_8 = { f6c5fe 0fbed0 4a d2ca 86f2 } + $sequence_9 = { e8???????? 6a00 8d879a040000 50 ff750c e8???????? } + $sequence_10 = { 36110b 33745571 de7e75 cd18 4a 51 d2b8c512294e } + $sequence_11 = { 85c0 7417 8b55f0 8b75f0 2bd1 } + $sequence_12 = { 86f2 84c1 0fadea 86f2 0fafd5 } + $sequence_13 = { 8a11 3a140e 750e 47 41 } + $sequence_14 = { b606 d2ca 0fafd5 8af4 a1???????? } + $sequence_15 = { 7502 eb20 8d458c 50 } + $sequence_16 = { 741f 0faccef6 0fbdd5 0fc0d6 } + $sequence_17 = { ff15???????? 8945e4 57 68???????? e8???????? } + $sequence_18 = { ff15???????? 85c0 7454 83a5d0fdffff00 6800040000 e8???????? 59 } + $sequence_19 = { c22800 55 8bec 56 8b752c 57 } + $sequence_20 = { e9???????? 395dec 0f8415010000 c745fc02000000 c745f801000000 e9???????? } + $sequence_21 = { 743b 0fc0d6 80ca72 b6e6 } + $sequence_22 = { 0fbdd5 0ad0 bef48d351e b6f6 c0caaa } + $sequence_23 = { 41 b87e8da638 e022 3a56b9 } + $sequence_24 = { 8d45e0 50 68???????? 6802000080 ff15???????? 85c0 7517 } + $sequence_25 = { 036890 2b02 9a102a6715fb53 31db b0a6 46 } + $sequence_26 = { 8c6a38 55 f79bfe7ca80d a7 ad b710 } + $sequence_27 = { e9???????? ff75d8 ff7514 8d87f2030000 ff10 0bc0 } + $sequence_28 = { fb 5c 3c32 7e02 19c1 a6 3327 } + $sequence_29 = { 83c40c c20400 6a0c 68???????? e8???????? } + $sequence_30 = { ff7618 8f461c 8b13 8b12 } + $sequence_31 = { 0fbdf1 4e d2ee b6d6 } condition: 7 of them and filesize < 568320 
@@ -121371,36 +122073,36 @@ rule MALPEDIA_Win_Cicada3301_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7338c12c-73b8-5d10-8e46-a50135055df6" - date = "2026-01-05" - modified = "2026-01-06" + id = "f61ae320-9d9a-50b0-b111-80302728896c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cicada3301" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cicada3301_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cicada3301_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "71afdc3382366bc56a3a7b41e98090049ed0f50bc476acc71b1f38d7b1e1424b" + logic_hash = "7fd7553441050010b234608d074a06e5ba5c4250e4845be3d86d81d102460ad6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4c8d057fb12e00 4c89d9 4c89d2 e8???????? 4c8d059db12e00 4c89d9 } - $sequence_1 = { e8???????? 4531ff 4c89f9 4889f2 e8???????? 31db 4889d9 } - $sequence_2 = { f30f6f00 0f104810 0f105020 660f7f842420010000 0f298c2430010000 0f29942440010000 488b542470 } - $sequence_3 = { e9???????? 4885c0 0f8499070000 84db 0f85c9020000 488b9c24b0010000 4839cf } - $sequence_4 = { e8???????? 
49ffcf 4d897e48 4d85ed 0f84e2010000 4c896c2428 0f28442460 } - $sequence_5 = { f30f6f8610020000 f30f6f8b08020000 660f70c044 660febc1 f30f7f8308020000 0f1006 0f1103 } - $sequence_6 = { eb21 4889de 4c8d0531002c00 4889e9 4889f2 e8???????? e9???????? } - $sequence_7 = { ff13 e9???????? 4d85f6 7433 498d4c2408 4c89f0 488b4cc1f8 } - $sequence_8 = { e8???????? 0f108424e0000000 0f108c24f0000000 0f10942400010000 0f29442450 0f294c2460 0f29542470 } - $sequence_9 = { c1eb10 488d8c2490020000 488d94248b030000 41b8f5000000 e8???????? 4c8b442440 4c8b4c2438 } + $sequence_0 = { f30fbcd2 4801ca 4821fa 41807c150000 0f88ecfeffff 66410f6f4500 660fd7c8 } + $sequence_1 = { e8???????? 85c0 0f84d9090000 4c89e1 e8???????? e9???????? 4c89742448 } + $sequence_2 = { e8???????? 4889f9 4889f2 4989d8 e8???????? eb7b 0f10842490040000 } + $sequence_3 = { f3440f6f0438 66410f6fc0 660f74c7 66440fd7f0 4585f6 7533 66440f74c6 } + $sequence_4 = { f390 83c1f8 75eb 83e005 74ab 660f1f440000 f390 } + $sequence_5 = { bad0010000 480f44d7 41b808000000 e8???????? 488b9660010000 4889d8 4889f1 } + $sequence_6 = { f3420f6f0c0f f3410f6f10 660f6fda 660f60d8 660f70db4e f20f70db1b f30f70db1b } + $sequence_7 = { f3410f7e10 660f60d0 660f70d24e f20f70d21b f30f70d21b 660f67d2 660fd61413 } + $sequence_8 = { f3450f58c0 f3440f5ec6 f3440f59c1 f3440f5cc7 ffc1 0f28f9 410f28c8 } + $sequence_9 = { e9???????? 89f0 31d2 41f7f6 4885d2 741e bf02000000 } condition: 7 of them and filesize < 11247616 
@@ -121410,35 +122112,35 @@ rule MALPEDIA_Win_Thunker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c02652c6-959e-5488-b341-ccfb73521f28" - date = "2026-01-05" - modified = "2026-01-06" + id = "596b0505-d644-578c-8c9a-31483a868244" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.thunker_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.thunker_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "8683a109f273456a365b0d0365e46b8d3a1cb330ad7cb852c208d9e170093c6d" + logic_hash = "9cb29cda2c3ded251b99a2c2ca405d795779a9250b9c2344a0131abd8e836620" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7505 e9???????? ffb5fcfdffff e8???????? 68???????? 8d8500feffff } - $sequence_1 = { e8???????? 8d8500feffff 50 e8???????? 8d8500feffff 50 68???????? } - $sequence_2 = { 7417 e9???????? 3de7710000 7433 7c79 } - $sequence_3 = { 8d0556412600 8945fc a1???????? 8945e8 8d05a02a2600 8945dc 8365f000 } - $sequence_4 = { e8???????? 83c40c 09c0 750d } - $sequence_5 = { e8???????? 6a06 53 e8???????? 
83c410 eb40 6a04 } - $sequence_6 = { 09c0 743b 6a00 6800100000 8d85fceeffff 50 ffb5e0edffff } - $sequence_7 = { c6843d00feffff00 09ff 7405 83ffff 7502 eb48 } - $sequence_8 = { 83c40c 8d8544edffff 50 e8???????? 8985c4edffff } + $sequence_0 = { 6800100000 8d85fceeffff 50 ffb5e0edffff e8???????? } + $sequence_1 = { 68204e0000 68d3710000 50 e8???????? 6a00 68804f1200 } + $sequence_2 = { 68???????? 8d45c0 50 e8???????? 83c438 c645c134 8d45c0 } + $sequence_3 = { 0f84fc000000 6a00 6a01 6a02 e8???????? 89c6 } + $sequence_4 = { 59 e8???????? bf60ea0000 b9d8d60000 } + $sequence_5 = { e8???????? 89c6 ff75fc e8???????? } + $sequence_6 = { ff750c ff7508 e8???????? 8d45f4 50 6a00 6a00 } + $sequence_7 = { c685fceeffff00 6a07 68???????? ff7508 } + $sequence_8 = { 5b c9 c3 55 89e5 b804110000 e8???????? } $sequence_9 = { 89e5 51 56 57 8b7d08 ff750c } condition: 
@@ -121449,36 +122151,36 @@ rule MALPEDIA_Win_Greenshaitan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14595aea-9f28-5e60-9b87-81d296b006da" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b6c920b-61fa-5645-9e14-f59bb31cffc6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.greenshaitan_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.greenshaitan_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "1f6063ccf28ef721dc1c6c4df5a5fddba54c56e2e1ec3d58cf26082647681dea" + logic_hash = "3b9467c3378280e2269ba3424b66c5d1482fc874345f811cd08ad75be75ca37f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d442434 64a300000000 8b6c2444 33db 895c2410 c744242c0f000000 895c2428 } - $sequence_1 = { 6a02 68???????? 8d842494000000 e8???????? } - $sequence_2 = { 895c244c 668944243c 3974246c 720d 8b4c2458 51 e8???????? } - $sequence_3 = { 7594 8b7c2414 83ff01 7534 } - $sequence_4 = { ff15???????? 8d442404 c746180f000000 c7461400000000 c6460400 8d5001 8a08 } - $sequence_5 = { 3974246c 720d 8b4c2458 51 e8???????? 83c404 8b542430 } - $sequence_6 = { 56 e8???????? 56 8bd8 e8???????? 
8be8 8b4734 } - $sequence_7 = { c74424480f000000 895c2444 885c2434 eb1b 837d6810 7205 8b4554 } - $sequence_8 = { 53 890a e8???????? 55 e8???????? 83c408 } - $sequence_9 = { 8bf1 8b4814 c744240800000000 7214 8b4004 51 8bd8 } + $sequence_0 = { 837b4400 c744241400000000 0f8658010000 eb02 8bd9 8b7340 8b5344 } + $sequence_1 = { e9???????? 6a24 e8???????? 8bf0 83c404 89742418 c684249800000007 } + $sequence_2 = { e8???????? 55 6a00 b9???????? c784246802000003000000 e8???????? 89ac2460020000 } + $sequence_3 = { b9???????? e8???????? 3bc3 751a 83fe02 721a } + $sequence_4 = { 50 8b06 51 52 50 68???????? 8d74242c } + $sequence_5 = { 394608 741e 8b442410 8b4d08 40 89442410 3b4124 } + $sequence_6 = { 035318 3bc2 7209 e8???????? 8b4c2420 85c9 7404 } + $sequence_7 = { 51 e8???????? 83c404 8d4c2410 e8???????? 55 } + $sequence_8 = { 53 56 57 8bf9 8bda 57 e8???????? } + $sequence_9 = { 8d0c8d60ab6e00 8901 8305????????20 8d9000080000 eb2a c6400400 } condition: 7 of them and filesize < 253952 
@@ -121488,36 +122190,36 @@ rule MALPEDIA_Win_Wipbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a0970f9-ec33-54d5-ae53-9537a083afd7" - date = "2026-01-05" - modified = "2026-01-06" + id = "bd5577aa-67ba-543c-bbd0-aa8886b2d319" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wipbot_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wipbot_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "fb932c7b46d7c186e09cb261140c60f0fb4b0c9205bd0105a6b5687477b202b2" + logic_hash = "6f73faacae1ffc109325c2efb64536010c6b53a5cda18c4f2206ae66981fdd19" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48 89cb 48 89d6 b98855514f ba4656f1f6 e8???????? } - $sequence_1 = { c744241400000000 c744241800000000 8974240c 89542410 c74424080a000000 890424 } - $sequence_2 = { 48 01cb 66813b9090 0f8404040000 bace2cfb69 b98855514f } - $sequence_3 = { 85c0 48 8907 74a0 48 83c708 48 } - $sequence_4 = { c744240400000000 893424 89442408 ffd7 } - $sequence_5 = { ba2e9fd298 b98855514f e8???????? 49 } - $sequence_6 = { 89e5 e8???????? 85c0 7405 8b4034 eb02 } - $sequence_7 = { 41 b901000000 ba01000000 4c 8d442468 48 8d4c246c } - $sequence_8 = { 740d 8b45f4 e8???????? e9???????? 89d8 e8???????? 
85c0 } - $sequence_9 = { 48 8b442428 eb02 31c0 48 } + $sequence_0 = { ba01000000 85c0 754f 89d9 e8???????? 85c0 89c6 } + $sequence_1 = { 7437 45 31c9 45 31c0 ba11000000 48 } + $sequence_2 = { 01de 08c1 7459 b801000000 eb5b 48 01d9 } + $sequence_3 = { e8???????? 48 85c0 0f85b6feffff e9???????? 31c0 } + $sequence_4 = { c644245a19 c644245b06 c644245c4d c644245d4a c644245e4b } + $sequence_5 = { 893424 89d9 e8???????? 85c0 52 7465 89d9 } + $sequence_6 = { 8b08 85c9 750c 8b5004 ff45c8 8d441008 eb21 } + $sequence_7 = { c644242c46 c644242d56 c644242e41 c644242f55 c644243042 c644243152 c644243244 } + $sequence_8 = { c1fa1f c1f91f 89542420 8d5594 894c2428 89d1 8954240c } + $sequence_9 = { 85c0 56 56 89c6 750f e8???????? } condition: 7 of them and filesize < 253952 
@@ -121527,36 +122229,36 @@ rule MALPEDIA_Win_Govrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c1f568e-0870-502d-8ab7-d2bc8e9569e8" - date = "2026-01-05" - modified = "2026-01-06" + id = "b07b1562-1d63-5dd4-91cd-3f2d51f57604" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.govrat_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.govrat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "abfba34e1bd79612302779859a269397cc43e8444d7e6090aaef75a3d69df6b1" + logic_hash = "21b5c6122229b659ecc3ebe130beeebd787ba55f551a29f3f1eb5cfbb2ba6e10" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4dc4 e8???????? 8b00 50 8d4708 895f10 895f14 } - $sequence_1 = { 897804 8b7904 8930 8b31 0facfe01 d1ef 83780400 } - $sequence_2 = { 59 03f1 8dbc24b8000000 33c0 f3a7 7418 } - $sequence_3 = { ff15???????? 83a65401000000 c3 53 55 56 8d6f44 } - $sequence_4 = { ff15???????? 83a65401000000 c3 53 55 } - $sequence_5 = { 6a00 6a00 ff15???????? 8b4c2404 8901 85c0 7404 } - $sequence_6 = { 832d????????04 e9???????? 55 8bec 83ec14 a1???????? 53 } - $sequence_7 = { 7543 837d1000 0f845cfeffff 8b87a8000000 2b442420 8b8fac000000 1b4c2424 } - $sequence_8 = { 8d4df8 8d4518 e8???????? 
8b45f8 0b45fc 750a 2145fc } - $sequence_9 = { 8945f8 8b4508 ff700c ff15???????? 8bf0 } + $sequence_0 = { 8d86f42b0300 50 6a04 58 e8???????? 8907 43 } + $sequence_1 = { 53 e8???????? 8b45cc 6aff 6a00 8d7e4c } + $sequence_2 = { 2b30 8933 8910 42 ff4d14 75c1 5f } + $sequence_3 = { 898624010000 5e 5b c3 55 8bec } + $sequence_4 = { e8???????? 83c420 50 e8???????? 837e1808 7202 8b1b } + $sequence_5 = { 3bf8 7216 8b4510 8908 8d57ff 8bc3 e8???????? } + $sequence_6 = { e8???????? 8b38 85ff 7405 e8???????? ff742410 8d442418 } + $sequence_7 = { 33c0 8a143b 47 40 8bc8 83e107 3a91ac9b4300 } + $sequence_8 = { c1fa02 83fa01 7344 8b36 8d5104 51 e8???????? } + $sequence_9 = { 8b39 0fb64701 8b4924 8955fc 0fb617 330491 } condition: 7 of them and filesize < 761856 
@@ -121566,36 +122268,36 @@ rule MALPEDIA_Win_Darkshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0b6aea26-4d2d-5fe4-85ac-1a4c560ab87d" - date = "2026-01-05" - modified = "2026-01-06" + id = "ae71ffe7-b49d-5c88-be47-ec3990826878" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkshell_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkshell_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "adda1c8d572ab121457592ba92d94ead9ada07c703fcce314ed00968f454839e" + logic_hash = "0bb359d9a10ee5d5d6c95e04809223f2e1738e42e64764d66327c9e203e0e593" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c004 8901 83c014 8902 6681380b01 7511 } - $sequence_1 = { 8b442434 83c410 8b8088000000 85c0 } - $sequence_2 = { c744246044000000 ff15???????? 8be8 85ed 0f8494000000 8bbc2488000000 } - $sequence_3 = { 51 50 8b442420 50 ff15???????? } - $sequence_4 = { 8d7e08 f7c2feffffff 767a 668b07 8bc8 81e100f00000 6681f90030 } - $sequence_5 = { ffd6 5e c20400 8b15???????? } - $sequence_6 = { 8b35???????? 48 7457 48 742b } - $sequence_7 = { f3ab 66ab aa 8b442410 83c9ff 8b5008 33c0 } - $sequence_8 = { 5e c20400 8b15???????? 68???????? 52 } - $sequence_9 = { 03ca c1e80c 51 50 68???????? 
} + $sequence_0 = { ff15???????? 8b33 8b17 8d4c2424 } + $sequence_1 = { 8b4e54 50 51 8bcf e8???????? 66837e0600 } + $sequence_2 = { 8b0f 8b5138 52 50 } + $sequence_3 = { 8d7e08 f7c2feffffff 767a 668b07 8bc8 81e100f00000 6681f90030 } + $sequence_4 = { 52 8bce 83cfff e8???????? 85c0 7446 } + $sequence_5 = { 742b 8b55f8 85d2 7412 } + $sequence_6 = { 8b4df8 3bc8 7307 8b4e38 51 } + $sequence_7 = { ff15???????? 8b542410 8d4c2414 51 6a04 52 } + $sequence_8 = { 83ec1c 8d442400 c744240000000000 50 6a28 ff15???????? } + $sequence_9 = { 5d 83c474 c21c00 8bc5 5f 5d } condition: 7 of them and filesize < 344064 
@@ -121605,36 +122307,36 @@ rule MALPEDIA_Win_Gsecdump_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2dfd4f44-5170-5305-aab8-b4eb041699cc" - date = "2026-01-05" - modified = "2026-01-06" + id = "ac0f1259-48d6-5710-9bf8-dfea66b044a0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gsecdump_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gsecdump_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "c92dc71f6df6f2ca655d1d4b5083e376ffdf96fc42dec3e3018507005bdeaa61" + logic_hash = "a236e3d0edda486728d4449a675bdc3d6e98110f787f5aa48c1ed0d849c090de" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8b742408 85f6 57 8bf9 7505 bef7030000 } - $sequence_1 = { e8???????? 6aff 53 8d4c2430 51 8bce e8???????? } - $sequence_2 = { 720d 8b542430 52 e8???????? 83c404 8bc6 8b4c2448 } - $sequence_3 = { 8bef 83c701 eba4 8b4e24 3bca 740c } - $sequence_4 = { 7422 8b4c2440 51 8b4c2428 8d542420 52 51 } - $sequence_5 = { 8db424c0000000 89742424 896c2428 8bc2 7307 8d8424c4000000 } - $sequence_6 = { 50 895c241c e8???????? 8b4c2464 8b542468 8b44246c 894e44 } - $sequence_7 = { 50 8b8de8f7ffff 8b5110 ffd2 81c49c000000 85c0 7d0c } - $sequence_8 = { e8???????? 33c0 e9???????? 6a06 68???????? 
8d4dd4 c745ec0f000000 } - $sequence_9 = { 83f8ff 7409 8b74246c eb03 8d7004 56 8d4c2418 } + $sequence_0 = { 8be9 2bef 7510 8bce e8???????? 5f 5d } + $sequence_1 = { 7205 e8???????? 8b4704 8b3cf0 53 be0f000000 68???????? } + $sequence_2 = { 8bc7 75ee 5f 8b4c2410 8b542414 8b4604 8b00 } + $sequence_3 = { 33c4 898424a8000000 56 57 ff15???????? 8bf8 } + $sequence_4 = { 85d2 8bea 7426 83f910 8bc2 7307 } + $sequence_5 = { 56 8d4c2418 e8???????? 8b54246c 8d4c2414 51 52 } + $sequence_6 = { 660dffff c3 ff742408 8b01 6aff ff74240c } + $sequence_7 = { 3bf0 7605 e8???????? 56 8d842488000000 50 8d44244c } + $sequence_8 = { e8???????? 8344241001 8b7c2420 33db e9???????? 83fe02 0f85a4000000 } + $sequence_9 = { 8b4c2424 394e04 751f 807f4000 0f8590fdffff 8b4c2414 } condition: 7 of them and filesize < 630784 
@@ -121644,36 +122346,36 @@ rule MALPEDIA_Win_Troldesh_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71dc6e06-8dd4-5865-ab10-09f20ee5e07a" - date = "2026-01-05" - modified = "2026-01-06" + id = "aa1dada1-fc44-5c70-8e7a-a41829817c8c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.troldesh_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.troldesh_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "54ddaca68ab9115d35e14f6b78269f4735d8b277965f7a8b9f90608c52763a8d" + logic_hash = "bc8750f369e8305d26b619f7fd06da2c5ab432759328596ab4de07b78e838e98" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd5 85c0 755e 6a08 8d442478 50 8d44244c } - $sequence_1 = { e8???????? 56 57 8bf3 b8ff0f0000 c1ee0c 8bfb } - $sequence_2 = { ff75fc 50 e8???????? 83c40c 85c0 741a 8b4610 } - $sequence_3 = { e8???????? 8b3e 53 e8???????? c7839400000001000000 8b36 8b462c } - $sequence_4 = { e8???????? e9???????? 83f807 0f85d4000000 8bf5 e8???????? 8bf0 } - $sequence_5 = { e8???????? 8b4f04 51 89442418 895c241c e8???????? 83c404 } - $sequence_6 = { e8???????? ff750c ff7508 e8???????? 83c418 eb6d e8???????? } - $sequence_7 = { e8???????? 8b8c249c000000 83c40c 50 57 68???????? 
53 } - $sequence_8 = { ff75f8 8b7070 e8???????? 8945f8 59 85c0 0f8562ffffff } - $sequence_9 = { e9???????? 3975f4 740b 53 e8???????? 59 85c0 } + $sequence_0 = { ff742404 8b54240c 2bc1 d1f8 8bc8 e8???????? c20800 } + $sequence_1 = { e8???????? 83bed001000000 8bf8 740b 8b4508 832000 e9???????? } + $sequence_2 = { e9???????? 68???????? e8???????? 8b869c000000 8b4014 c1e804 f7d0 } + $sequence_3 = { eb0e 6a26 b989000000 eb05 6a26 6a43 59 } + $sequence_4 = { eb61 8b4758 39b018040000 7510 f7870001000000000400 0f8445010000 8b87e4000000 } + $sequence_5 = { e8???????? 59 397dbc 7415 68???????? e8???????? 59 } + $sequence_6 = { e8???????? 8bf8 47 68bf010000 8bf7 68???????? c1e602 } + $sequence_7 = { e8???????? ffb000020000 8b45e0 2b4748 8d75fc 50 8d45cc } + $sequence_8 = { eb02 8bcb 57 51 e8???????? 8b7d0c 83c404 } + $sequence_9 = { e8???????? 59 85c0 7427 68???????? 68???????? 68e2020000 } condition: 7 of them and filesize < 3915776 
@@ -121683,36 +122385,36 @@ rule MALPEDIA_Win_Enfal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "664ed877-3f83-5f6a-92fa-e1c35cd0edbd" - date = "2026-01-05" - modified = "2026-01-06" + id = "76e67618-ae5f-5e6f-b36a-f6e61e82415a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.enfal_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.enfal_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "872fbd5343bee5c1e22067a7277b79e519c2acefc43b08d0086dc684465dbd92" + logic_hash = "78bfb8fb04b701b7c2ebdd450cd7fec7b7cf53c5a9b52b49092d5af345cf38b0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d8648020000 68???????? 50 } - $sequence_1 = { bffe010000 eb05 bff4010000 8bc7 5e eb02 } - $sequence_2 = { 51 8d8de8fcffff 51 53 ff505c 85c0 } - $sequence_3 = { 8d85b4fdffff 68???????? 50 e8???????? 8d85b4fdffff 57 } - $sequence_4 = { 8bec 81eccc040000 53 56 8b35???????? 57 } - $sequence_5 = { 89430c ffd6 8b4b1c 68???????? 57 } - $sequence_6 = { 50 e8???????? 8d8628020000 68???????? } - $sequence_7 = { 0fb645da 8d0480 8dbc0059020000 eb54 8b8548ffffff } - $sequence_8 = { 6a01 57 ff15???????? 8bf0 85f6 0f848e000000 8b4624 } - $sequence_9 = { 57 8901 ffd6 8b4b1c 68???????? 
57 } + $sequence_0 = { 8d85f8fdffff 57 50 6804010000 ff5608 8d85f8fdffff } + $sequence_1 = { 894108 ffd6 8b4b1c 68???????? 57 89410c ffd6 } + $sequence_2 = { 51 8d8d68ffffff 51 8d8de8fcffff } + $sequence_3 = { bf00010000 33db 57 8d85e8fcffff 53 50 } + $sequence_4 = { 50 ff15???????? 6a0f 56 53 e8???????? } + $sequence_5 = { 683a040000 ff55e0 85c0 8945fc 0f84b5000000 56 } + $sequence_6 = { a5 66a5 a4 be???????? 8dbd58ffffff } + $sequence_7 = { ff5620 85c0 7403 6a01 5f 53 ff15???????? } + $sequence_8 = { 8b750c 57 57 6a02 8b461c 57 57 } + $sequence_9 = { 8b4e04 8b4610 0faf4d08 03c1 } condition: 7 of them and filesize < 65536 
@@ -121722,36 +122424,36 @@ rule MALPEDIA_Win_Netwire_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4555ab85-e4c7-54f3-be4b-3e67ab290352" - date = "2026-01-05" - modified = "2026-01-06" + id = "783b2ad9-8a92-5f20-91ea-7a531d8d1ecc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.netwire_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.netwire_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "10b18e0d62127105687ce75fd82795cf02980d2ae8e7158e6a2316037cb7d8e4" + logic_hash = "c854fb69722859407a6120609f087093208de2c0ebe14534f3eb81877b205622" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c744241000000000 c744240c00000000 c744240800000000 c744240400000000 c7042410000000 } - $sequence_1 = { c744242c00000000 c744242800000000 c744242400000000 c7442420fdffffff } - $sequence_2 = { e8???????? c7042410000000 e8???????? 84c0 } - $sequence_3 = { e8???????? c7042446000000 e8???????? c7042449000000 e8???????? c7042446000000 e8???????? } - $sequence_4 = { c70424???????? e8???????? a3???????? e9???????? c705????????00000000 e9???????? c7042410020000 } - $sequence_5 = { e8???????? c7442410000000f0 c744240c01000000 c744240800000000 c744240400000000 c70424???????? 
} - $sequence_6 = { 83ec0c c7442408???????? c7442404???????? c70424???????? } - $sequence_7 = { 740c c7042400000000 e8???????? c70424???????? e8???????? } - $sequence_8 = { c70424???????? e8???????? a3???????? e9???????? c705????????00000000 e9???????? } - $sequence_9 = { e8???????? c7042401000000 e8???????? 84c0 } + $sequence_0 = { c744242c00000000 c744242800000000 c744242400000000 c7442420fdffffff c744241c00000000 } + $sequence_1 = { e8???????? c7042400000000 e8???????? c7042402000000 } + $sequence_2 = { e8???????? c704244a000000 e8???????? c7042446000000 e8???????? c7042449000000 e8???????? } + $sequence_3 = { c7042400000000 e8???????? c70424???????? e8???????? } + $sequence_4 = { e8???????? c7042446000000 e8???????? c7042449000000 e8???????? c7042446000000 e8???????? } + $sequence_5 = { 890424 e8???????? 83ec20 3d03010000 } + $sequence_6 = { e8???????? c7042408000000 e8???????? 84c0 } + $sequence_7 = { c7042402000080 e8???????? c7042404000000 e8???????? 84c0 } + $sequence_8 = { 890424 e8???????? e9???????? c704240c000000 } + $sequence_9 = { c7042402000000 e8???????? 84c0 7405 e8???????? } condition: 7 of them and filesize < 416768 @@ -121765,7 +122467,7 @@ rule MALPEDIA_Win_Spybot_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spybot_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spybot_auto.yar#L1-L132" license_url = "N/A" logic_hash = "086db381edc017239cf316ebb3a9419f50149c95f9ac3a29e8ecb7d10b4a280d" score = 75 
@@ -121800,36 +122502,36 @@ rule MALPEDIA_Win_Virtualgate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ec48095-319c-5914-b4c7-b90192caa4ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "3eb444b3-9208-59ac-86c8-3211d7a93c93" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.virtualgate_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.virtualgate_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "bdfea9aeb2fcf2d699fffd47ea03945e66306ca4f124485dd66c43c3284358f7" + logic_hash = "2daf67764e26a50e18438b5adb25dbc1098eb81b65854a793c423b7a9fbfebe7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 418bc4 0f47c1 89442438 ffc8 8bf8 0fb68c82029a0100 } - $sequence_1 = { 66250100 7225 0100 7e25 0100 8a25???????? } - $sequence_2 = { 48894604 b906000000 48898620020000 0fb7c0 66f3ab 488d3d18470100 482bfe } - $sequence_3 = { 85c0 0f8483000000 488d8510030000 49c7c0ffffffff 49ffc0 42383400 } - $sequence_4 = { 488d15263d0100 e8???????? 
8bcb 4885c0 740c } - $sequence_5 = { 488d0d30ecfeff 4c8945e7 4d03e8 48895df7 4c8be3 4c896db7 } - $sequence_6 = { 85c0 0f8403010000 488d0566080100 4a8b04e8 42385cf838 0f8ded000000 } - $sequence_7 = { 48895c2408 57 4883ec20 488d1d8fc60100 488d3d88c60100 } - $sequence_8 = { f30f6f0f 4883f80e 7773 8b848634270100 4803c6 } - $sequence_9 = { 4b8b8ce0f0250200 4803ca 48ffc2 468854f13e } + $sequence_0 = { 4c8d0dedd20000 33c9 4c8d05e0d20000 488d15e1d20000 e8???????? 4885c0 } + $sequence_1 = { 0100 8426 0100 8b26 0100 } + $sequence_2 = { 74a4 488bcb e8???????? b801000000 488b8c2420800200 4833cc } + $sequence_3 = { 0f1f8000000000 4c8d442434 c744243410000000 488d542448 488bcf } + $sequence_4 = { c5e9eb15???????? c5f1eb0d???????? 4c8d0dc69b0000 c5f35cca c4c173590cc1 4c8d0d958b0000 } + $sequence_5 = { ff15???????? 488d0d00b90100 eb0c 83f901 750d 488d0d0ab90100 e8???????? } + $sequence_6 = { 4c8d05b4d30000 488d15b1d30000 e8???????? 4885c0 7416 } + $sequence_7 = { eb1d 488d0577ed0100 ffcb 488d0c9b } + $sequence_8 = { 740c 488b442450 83a0a8030000fd 448bc3 eb3a e8???????? 85c0 } + $sequence_9 = { 48895c2420 488d05df750100 483bd8 7419 483933 740e } condition: 7 of them and filesize < 323584 
@@ -121839,36 +122541,36 @@ rule MALPEDIA_Win_Burnbook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d8a1b3af-c791-5a49-95d1-39ec74922c1f" - date = "2026-01-05" - modified = "2026-01-06" + id = "02000a13-2529-57ea-aa62-b6f7ce3e2eb2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.burnbook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.burnbook_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.burnbook_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6939db5a1f9211e1e7ddaeea7285f0f9407b5dc4feaa3227884659565987f25b" + logic_hash = "6367011145daa4e6e20d8dc7e17d53718b953c9e018db0f0c6352f7209d0790a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7d8 418906 418bc3 83ffff 7d02 f7d8 410fafd9 } - $sequence_1 = { e8???????? 8945ef 41b881010000 488bd7 488bcb e8???????? 4885c0 } - $sequence_2 = { f30f2cc0 8801 48ffc1 4883ea01 75c9 488b459f 4c2b5028 } - $sequence_3 = { ffc1 448bd1 f7d9 8d344e 0f1f00 0fb60a 0faf08 } - $sequence_4 = { f20f1003 f20f59c6 f20f58c7 e8???????? f20f2cc0 89862c0c0000 f20f104308 } - $sequence_5 = { e8???????? 
85c0 7419 488b5308 8b0c3a 85c9 7407 } - $sequence_6 = { f30f2c442440 4883c304 488d7f04 8947fc 4883ee01 75dc 488b742430 } - $sequence_7 = { f30f7f840cf0030000 f30f5bc2 f30f7f440cf0 81fa00010000 0f8c5cffffff 0f28bc24100c0000 0f28b424200c0000 } - $sequence_8 = { f30f114014 488bc3 4881c448010000 415f 415e 5f 5e } - $sequence_9 = { e8???????? 85c0 7814 0fb6c0 488bd6 488bcd 0bf8 } + $sequence_0 = { ff432c e9???????? 44396b30 7432 8b4b34 8d41db 83f838 } + $sequence_1 = { f7d8 894614 8b461c f7d8 89461c 0fb67b6a e8???????? } + $sequence_2 = { ffc8 894afc 85c0 7fec 0fb64500 41ffc2 49ffc3 } + $sequence_3 = { f30f1007 f30f104f04 488b4b28 f30f59c6 f30f59ce f30f2cc0 f30f104708 } + $sequence_4 = { f30f585110 f30f10491c 0f28df f30f584914 f30f585120 f30f584924 f30f585128 } + $sequence_5 = { f20f594240 f20f5cf2 f2440f5cc0 0f28c7 f20f5902 0f28ce f20f594a10 } + $sequence_6 = { f7d9 4585db 410f44cc 41c1e313 4183cb10 41894d00 41834ffc20 } + $sequence_7 = { f20f59ca f20f580d???????? 660f2fc1 720a 33c0 66c1c008 668901 } + $sequence_8 = { f00fc14108 83f801 7505 e8???????? 488b4d30 48897530 4885c9 } + $sequence_9 = { f7d9 81e1ff7f0000 894b68 488b4378 488bc8 ff10 8b4b6c } condition: 7 of them and filesize < 22976512 
@@ -121878,36 +122580,36 @@ rule MALPEDIA_Win_Webc2_Head_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2d2a730d-97a8-5241-8842-4f785d02a551" - date = "2026-01-05" - modified = "2026-01-06" + id = "d4e6e5cb-74a5-542a-9357-9594f4725991" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_head_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_head_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "de901b0b98bf3f5b5c73a555d4c5ec984c92ea5b4ae983fcd4805edfd4129476" + logic_hash = "394f3309d74a178201ba63d639ef72e0e8440ef340541d411459feea7eafad4e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a4 8d049500000000 8d0c52 89442418 894c2438 8b44241c 8b00 } - $sequence_1 = { 735a 8bc8 83e01f c1f905 8b0c8d40cb4000 } - $sequence_2 = { 0f8550ffffff 8b542424 8b4c241c 3bd1 0f8dc9000000 2bca } - $sequence_3 = { 83c40c f2ae f7d1 49 894c2414 7511 bf???????? } - $sequence_4 = { 0fb6fa 3bc7 7714 8b55fc 8a9220994000 } - $sequence_5 = { f2ae f7d1 49 51 68???????? 50 50 } - $sequence_6 = { 8d9e38994000 803b00 8bcb 742c } - $sequence_7 = { f7d1 49 68???????? 68???????? 894c2438 e8???????? } - $sequence_8 = { f3ab 68???????? e8???????? 6a03 68???????? 68???????? 
} - $sequence_9 = { 8b6c2424 884603 83c604 89742410 8bde } + $sequence_0 = { 8b442410 83c204 48 89542424 } + $sequence_1 = { 5e 5d 83c8ff 5b 81c4341c0000 } + $sequence_2 = { 8a15???????? b910000000 be???????? 8d7c2428 f3a5 895c2410 88542410 } + $sequence_3 = { 7e2a b910000000 be???????? 8dbc2474010000 f3a5 c1ea10 } + $sequence_4 = { 8d7c2414 c1e902 f3a5 8bca 83e103 f3a4 8b542414 } + $sequence_5 = { 55 ff15???????? a3???????? eb19 } + $sequence_6 = { 49 894c241c 8d942444040000 8d41fd 89542420 } + $sequence_7 = { 8d049500000000 8d0c52 89442410 894c2424 8b442420 8b00 8bc8 } + $sequence_8 = { f6c202 7410 8088????????20 8a9405ecfcffff ebe3 80a0e0b8400000 } + $sequence_9 = { 884502 7e2a b910000000 be???????? 8dbc2474010000 } condition: 7 of them and filesize < 106496 
@@ -121917,36 +122619,36 @@ rule MALPEDIA_Win_Nightdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d8e136f5-ecc5-5fee-8886-ee91c9e305f7" - date = "2026-01-05" - modified = "2026-01-06" + id = "d38ad97c-8334-5c35-b5d2-cf4cfcfc0660" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nightdoor_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nightdoor_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "d66f399d7d6cc21f703af3dc1753edb59e4b1b5c61847dda1732e7b96de70f40" + logic_hash = "282aa2fd4e6a9b9cf98e8eacfd3a3a6983b24bbc2284b36375a9713a0c96c7df" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 ff15???????? 8b45fc 8b08 51 e8???????? 83c404 } - $sequence_1 = { 51 8d4dac e8???????? c7458800000000 eb09 8b5588 } - $sequence_2 = { 0f840c020000 6a00 8d4dc0 51 8d55c8 52 } - $sequence_3 = { 6a01 e8???????? 83c404 8945fc 8b4d10 51 8b550c } - $sequence_4 = { 85c0 7505 8b45fc eb1c 8b4dfc e8???????? 8b4d08 } - $sequence_5 = { e9???????? 8b4518 3b450c 7765 8b4d18 51 8b4df0 } - $sequence_6 = { ff15???????? 8945e0 837de0ff 7524 ff15???????? 8945dc } - $sequence_7 = { 51 ff15???????? 85c0 0f853a030000 8d95d4feffff 52 8d85d4f6ffff } - $sequence_8 = { 83c404 b001 e9???????? 
83ff0b 7510 8bd6 8bcb } - $sequence_9 = { 8b45f0 c7400c00000000 68???????? 8b4df0 83c110 } + $sequence_0 = { 8d95bcfbffff 52 ff15???????? 8945d0 837dd0ff 0f8476020000 } + $sequence_1 = { 83c408 8b45fc b301 38582c 0f8504010000 8b4a04 } + $sequence_2 = { 8986b0000000 e8???????? 8d9e88000000 8bce 8986d8000000 e8???????? 8d9e88000000 } + $sequence_3 = { 68e9fd0000 ff15???????? 8b55cc 0355d0 c60200 8b45cc 50 } + $sequence_4 = { 33d1 89502c 0fb6482f 0fb689b0e20710 0fb6582e 0fb69bb0e20710 c1e108 } + $sequence_5 = { 8d45c0 e8???????? e9???????? 8b8d58feffff 8bf7 8bbd68feffff 8bd7 } + $sequence_6 = { 8d8d84f7ffff e8???????? c645fc02 8d8dccf4ffff e8???????? 8d8d34f5ffff 51 } + $sequence_7 = { 897768 894f78 895f6c 53 893a e8???????? 83c418 } + $sequence_8 = { 8945fc 8b55f8 8b45fc 894208 8b4df8 8b5104 52 } + $sequence_9 = { 57 8b7d08 8bcf 8bf0 e8???????? 6a00 57 } condition: 7 of them and filesize < 1124352 
@@ -121956,36 +122658,36 @@ rule MALPEDIA_Win_Ufrstealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba013c32-c7d7-5540-a7af-23c784527e98" - date = "2026-01-05" - modified = "2026-01-06" + id = "11a0bab3-2f7d-53b2-9813-a5a2c542e4b3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ufrstealer_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ufrstealer_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "5a74533151b417ab8386a9dc0bd4bcb97ff632563f715bef9c755e4394a3e888" + logic_hash = "4bb7875dc5a5a805eca82b3bd4cd0cfc13bf7e9278e731ae57ef8ff6afd5ed42" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8955f4 3b55f0 0f82ddfcffff 68???????? e8???????? 68???????? } - $sequence_1 = { 72f2 eb1e 8b75e8 46 } - $sequence_2 = { ff35???????? ff15???????? 8bd8 ff75fc ff7608 53 ff15???????? } - $sequence_3 = { 83c304 ebb2 c705????????66666666 6a04 68???????? e8???????? } - $sequence_4 = { 85c0 7548 803d????????00 7411 6a00 68???????? ff15???????? } - $sequence_5 = { 6800040000 ff7510 6aff ff7204 6a00 6a00 ff15???????? } - $sequence_6 = { 8945ec ff75f0 ff15???????? 50 6a06 ff75f0 } - $sequence_7 = { 6801000080 ff15???????? 
85c0 0f85fc030000 68000000f0 6a01 6a00 } - $sequence_8 = { e8???????? 85c0 0f846c020000 83c00a } - $sequence_9 = { a1???????? 0305???????? c60000 68???????? ff35???????? e8???????? } + $sequence_0 = { 68???????? ff35???????? ff15???????? 85c0 0f8471ecffff a3???????? 68???????? } + $sequence_1 = { a3???????? 68???????? ff15???????? 85c0 0f84b5e4ffff a3???????? 68???????? } + $sequence_2 = { 85c0 7571 ff55e4 8945f0 85c0 7464 6a00 } + $sequence_3 = { 0f84a3010000 83c019 8945e8 ff75e8 ff15???????? } + $sequence_4 = { ff75fc ff15???????? 85c0 0f841d020000 a3???????? 68???????? } + $sequence_5 = { ff75fc ff15???????? 85c0 0f846a020000 } + $sequence_6 = { 61 8b55f4 42 8955f4 3b55f0 0f82ddfcffff } + $sequence_7 = { 7405 e8???????? 8bc4 c3 33c0 c3 64a130000000 } + $sequence_8 = { 55 8bec 6a00 ff750c ff7508 ff15???????? 0bc0 } + $sequence_9 = { 05???????? 59 8808 8b45f0 8945f4 59 49 } condition: 7 of them and filesize < 770048 
@@ -121995,36 +122697,36 @@ rule MALPEDIA_Win_Stealer_0X3401_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2ae48584-3f0a-5429-8e37-f6d8d22f0c81" - date = "2026-01-05" - modified = "2026-01-06" + id = "c3a754bd-df85-5443-a989-e577888f5f8f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealer_0x3401" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stealer_0x3401_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stealer_0x3401_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "d48e39ba989936cedf7a0bb5dfb1b2a5b1f5da933f4aa10a0b47e5b061091dba" + logic_hash = "a0c2640511ace27c59577cc0f7a5154040435b7300f76db857b3e86a8af1af06" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83e03f 6bc830 8b0495c8710210 8b440818 83f8ff 7409 } - $sequence_1 = { c685d07dffff00 83f808 720d 40 50 ffb5487effff } - $sequence_2 = { 68???????? 8bd0 c645fc21 8d4d90 e8???????? } - $sequence_3 = { 8d45bc 837dd010 c745cc01000000 0f4345bc c6400100 8d8578ffffff 50 } - $sequence_4 = { 660fd645bc f30f7e05???????? 8945b4 a1???????? c78500ffffff3f3f3f00 c78523ffffff00000000 } - $sequence_5 = { 50 b9???????? c645fc19 e8???????? 
8d4d90 } - $sequence_6 = { 735f 8bc6 8bfe 83e03f c1ff06 6bd830 8b04bdc8710210 } - $sequence_7 = { 7534 40 83f8fe 0f8798020000 3bc8 7310 ff7710 } - $sequence_8 = { 49 83c9fe 41 99 898cb558f0ffff 2bc2 } - $sequence_9 = { 0f95c0 8985a8feffff 3bf7 741f 6690 68???????? 8bcb } + $sequence_0 = { e8???????? c745fcffffffff 8b45bc 83f810 7242 8b4da8 40 } + $sequence_1 = { 8b8510ffffff 85c0 7473 50 8d4dbc e8???????? 8bd0 } + $sequence_2 = { 8bc8 51 e8???????? 83c404 6a54 68???????? } + $sequence_3 = { 68???????? b9???????? e8???????? e9???????? 83fe03 0f87e3000000 ff24b55c3e0010 } + $sequence_4 = { 8b06 894714 c70607000000 833e08 c746fc00000000 7205 8b46ec } + $sequence_5 = { 731f 8bc1 83e13f c1f806 6bc930 8b0485c8710210 f644082801 } + $sequence_6 = { c745e800000000 668945d8 663902 741d 8bc2 8d7802 } + $sequence_7 = { c745fc04000000 e8???????? 8b45a4 83f810 7242 8b4d90 } + $sequence_8 = { 50 8d45f4 64a300000000 8d8580fdffff c7857cfdffff00000000 50 ff15???????? } + $sequence_9 = { c70300000000 8b4310 894610 8b4314 894614 c7431407000000 837b1408 } condition: 7 of them and filesize < 357376 
@@ -122034,36 +122736,36 @@ rule MALPEDIA_Win_Kdcsponge_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "31a4aae6-c5e0-50ee-8647-19b734337847" - date = "2026-01-05" - modified = "2026-01-06" + id = "d2b2a073-5815-5a1f-88d5-a9feead1108f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kdcsponge_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kdcsponge_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "797313fd55f6c292fca430846a21ff5b3c78f0f888b26a3429a3aef947194551" + logic_hash = "d05489522f7f815e9a7a1406ca3b374411d8cb4e8f7daf4ac0bc6f9e3d44a2ba" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 80fa01 751c 80bbc204000000 7709 80bbbc0400000f 740a c783a004000002000000 } - $sequence_1 = { 41b800100000 488d442440 48894c2448 4889442428 488d0d3bdd0200 4c89742420 ff15???????? 
} - $sequence_2 = { 894364 0fb601 488bcb ff14c2 83bb7804000010 750c d1bb44040000 } - $sequence_3 = { 754d 83ba4404000020 7c0f c7826004000004000000 8d4804 eb0f c7826004000002000000 } - $sequence_4 = { 4883c8ff 807c030100 488d4001 75f5 448d4801 } - $sequence_5 = { 7514 4183b85004000004 750a 4180b8a604000000 740a 488d4201 488b5c2408 } - $sequence_6 = { 0fb64101 c1e806 898348040000 83f803 0f84d6000000 488d8b10010000 c7436000001900 } - $sequence_7 = { 4053 4883ec20 80b9c304000001 488bd9 0f853d010000 80b9b004000001 0f850a020000 } - $sequence_8 = { b800001100 b900001400 0f44c1 894360 7507 c683c504000005 488d8b10010000 } - $sequence_9 = { e9???????? 33d2 418bcd 448d4201 e8???????? 488b542440 4c8d1ddb420100 } + $sequence_0 = { 89442430 0f84b2000000 488d4c2420 e8???????? 85c0 746c 488b858c030000 } + $sequence_1 = { 440fb693ad040000 4584d2 750c c783ca04000004000000 eb25 4180fa01 } + $sequence_2 = { 89816c030000 4883c420 5b c3 48897c2430 8bb93c040000 c7813c04000010000000 } + $sequence_3 = { 488903 488b0b e8???????? 4898 488907 b801000000 eb4e } + $sequence_4 = { e8???????? 4881c478040000 5f 5e 5d 5b c3 } + $sequence_5 = { 498d4202 493bc0 738e 4863824c040000 4c8d052403feff 498bc9 4883c428 } + $sequence_6 = { 48c781e401000000000200 48c7811402000001000000 48c7811c02000020000000 83f840 751e } + $sequence_7 = { ba00001400 0f44ca 83c102 80bbb2040000c4 894b60 7513 80bba404000001 } + $sequence_8 = { 740e 80bbae0400000f 750e 80f901 7518 80bbbc0400000f 740a } + $sequence_9 = { 0f94c1 83c167 898b40040000 3c01 ba40000000 b920000000 0f44ca } condition: 7 of them and filesize < 720896 
@@ -122073,36 +122775,36 @@ rule MALPEDIA_Win_Shipshape_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d9d684b1-6d28-5be9-a8dd-2a5e64ca3d0c" - date = "2026-01-05" - modified = "2026-01-06" + id = "21006046-5956-532e-82d1-2f90e304b30a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shipshape_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shipshape_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "7ccbb1b47c0ba6ada9222b7cb4a37cd39065499a023a5e14e23083e9a19aaeee" + logic_hash = "6aae056ceba6ac1037921829a73785ed0631bdb9c10390961975a6d89d39d719" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d9424f8010000 c1e902 f3a5 8bc8 } - $sequence_1 = { 83f843 7c55 50 e8???????? } - $sequence_2 = { 8bf7 c1f805 83e61f 8d1c8560d54000 c1e603 } - $sequence_3 = { 83e11f 8b3cbd60d54000 8d3ccf eb05 bf???????? } - $sequence_4 = { f3a5 8bcd 8d942434030000 83e103 f3a4 8dbc2434020000 83c9ff } + $sequence_0 = { 7355 8bc1 8bf1 c1f805 83e61f 8d3c8560d54000 } + $sequence_1 = { e8???????? 8db62cbc4000 bf???????? a5 a5 } + $sequence_2 = { 80e920 ebe0 80a000c3400000 40 3bc6 72be 5e } + $sequence_3 = { 8bfa 8bd1 83c9ff 68???????? 
f2ae } + $sequence_4 = { 3bc6 7305 395004 75f4 8d0c49 5e 8d0c8de0b64000 } $sequence_5 = { 808801c4400008 40 3dff000000 72f1 } $sequence_6 = { 8bbc2410020000 83c9ff 33c0 8d54240c f2ae } - $sequence_7 = { 55 ff15???????? 5d 5b 81c440060000 c3 56 } + $sequence_7 = { 8b4c2408 8a1408 2ad0 80f203 } $sequence_8 = { 0f8430010000 8dbc2434010000 83c9ff 33c0 8d9424b4010000 } - $sequence_9 = { 52 50 e8???????? 8b4c241c 8b542418 } + $sequence_9 = { 8088????????10 8a9405ecfdffff 889000c34000 eb1c f6c202 } condition: 7 of them and filesize < 338386 
@@ -122112,36 +122814,36 @@ rule MALPEDIA_Win_Meduza_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e3895974-72b9-57f5-8c34-0e6d028adf2b" - date = "2026-01-05" - modified = "2026-01-06" + id = "c0c15191-ded8-5ae0-8f8f-7ef94fb2eca1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.meduza_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.meduza_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "91edd922ee662fa1f50c4b9c5768d207acd5144b81bbe8f2830a6c18fd7c29e5" + logic_hash = "55be562129c487f1236189f3c578422d39d422aaafeec055785306bea9b6404f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b8d7cf2ffff 0f288d90ebffff 898decf8ffff 8d8d90ebffff 8985e8f8ffff 8d5101 660fef8de0f8ffff } - $sequence_1 = { 898db4f8ffff 8985b0f8ffff c78548f8ffff22b9d72e c7854cf8ffff97001a04 8b8548f8ffff 8b8d4cf8ffff c5fe6f8540f1ffff } - $sequence_2 = { 898d54f9ffff c785d8e4ffff12b8295c c785dce4ffffd94ef7ef 8b85d8e4ffff 8b8ddce4ffff 898558f9ffff 898d5cf9ffff } - $sequence_3 = { 0f288d00edffff 898d5cfaffff 8d8d00edffff 898558faffff 8d5101 660fef8d50faffff 0f298d00edffff } - $sequence_4 = { 8b4908 8d5801 2bca 895de0 c1f904 b8ffffff0f 8bd1 } - $sequence_5 = { 0f1f440000 8a01 41 84c0 75f9 2bca 
8d8530e1ffff } - $sequence_6 = { c78578fdffff88642bdd c7857cfdffff13203a28 8b8578fdffff 8b8d7cfdffff 898d2cfeffff 898528feffff c78578fdffff6d0b2891 } - $sequence_7 = { 6aff 68???????? 64a100000000 50 53 81eca8060000 a1???????? } - $sequence_8 = { c5f8298d80f4ffff c5f81185e8e8ffff c785f8e8ffff00000000 c785fce8ffff00000000 c5f877 8a01 41 } - $sequence_9 = { 51 52 e8???????? 83c408 eb08 85c9 0f85a9000000 } + $sequence_0 = { c785d8f6ffff0a6141f0 c785dcf6ffff216f18d1 8b85d8f6ffff 8b8ddcf6ffff 898530f1ffff 898d34f1ffff c785d8f6ffff76d35939 } + $sequence_1 = { eb10 83ceff bbffffff7f 8975e4 eb03 8b75d8 8d4dc8 } + $sequence_2 = { 898dfcfcffff 8d8da0f5ffff 8985f8fcffff 8d5101 660fef8df0fcffff 0f298da0f5ffff 0f1185d0ecffff } + $sequence_3 = { c745b407000000 50 e8???????? 83c404 c78544ffffffc87a4a00 f30f7e00 8b4808 } + $sequence_4 = { 898d4cd3ffff c785d8e4ffffcb46855e c785dce4ffffee6e1f36 8b85d8e4ffff 8b8ddce4ffff 898580eeffff 898d84eeffff } + $sequence_5 = { 83c408 c645fc0d 837f1408 7202 8b3f 8b8544feffff } + $sequence_6 = { e9???????? 8d8d50c7ffff e9???????? 8d8d50c7ffff e9???????? 8d8d80c7ffff e9???????? } + $sequence_7 = { c785d8e4ffffdc70e11a c785dce4fffff74b9182 8b85d8e4ffff 8b8ddce4ffff 898568e9ffff c5fe6f85e0cdffff c5fdef8540e9ffff } + $sequence_8 = { e9???????? 8d8dc0faffff e9???????? 8d8df0faffff e9???????? 8d8df0faffff e9???????? } + $sequence_9 = { 23ce b801000000 d3e0 8b4dbc 8502 0f8499000000 e8???????? } condition: 7 of them and filesize < 1433600 
@@ -122151,56 +122853,56 @@ rule MALPEDIA_Win_Sisfader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a0cdd7ba-37f5-5dee-9bd0-dfe8ed58e119" - date = "2026-01-05" - modified = "2026-01-06" + id = "a85deabd-1713-5712-ad21-30c4dbfed6c4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sisfader_auto.yar#L1-L285" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sisfader_auto.yar#L1-L274" license_url = "N/A" - logic_hash = "d369a40cd08ca7aac194db42ed12df65df4a56409fba20e45dda5f2780e9b9bf" + logic_hash = "183bda12581d1ae277a0dafad31da6228edc983478c44a7bd0986aab756d3f6f" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { e8???????? 85c0 b91d000000 0f44d9 } - $sequence_1 = { 741f 33c0 85c9 7419 } - $sequence_2 = { 8905???????? c705????????00000000 8b442440 8905???????? } - $sequence_3 = { ff15???????? 85c0 7e08 03d8 3bdf 7c98 } - $sequence_4 = { 33c0 83f801 7425 baffffffff } - $sequence_5 = { 85c0 753e 8d47dc 8903 83f824 723b } - $sequence_6 = { c705????????10000000 8b442430 8905???????? c705????????07000000 } - $sequence_7 = { eb5b 837d0800 751f 8b451c 50 8b4d18 } - $sequence_8 = { 8b4508 8b4808 51 ff15???????? 83c408 8945e0 } - $sequence_9 = { 837c245000 7405 e9???????? 
83bc248000000000 7539 } - $sequence_10 = { 837c245000 7402 eb12 c744245401000000 33c0 } - $sequence_11 = { 85c0 7502 eb71 8b45fc 8b08 } - $sequence_12 = { c7430438020000 66837c247c2e 751f 0fb744247e 6685c0 0f8496010000 6683f82e } - $sequence_13 = { ff15???????? 83c414 8945d8 837dd800 } - $sequence_14 = { 8b5118 52 8b45f4 8b4830 51 ff15???????? } - $sequence_15 = { ff15???????? 8945f8 837df800 7402 eb5b 837d0800 } - $sequence_16 = { 83ec60 c745fc00000000 c745e000000000 6a40 8b450c 50 e8???????? } - $sequence_17 = { e8???????? 85c0 7412 ba01000000 b910270000 } - $sequence_18 = { 89442420 837c242001 7425 837c242002 } - $sequence_19 = { 5e 5b 8be5 5d c3 3de3e00000 7511 } - $sequence_20 = { 51 ff15???????? 85c0 0f85ba010000 8b55fc 837a0c00 0f84ad010000 } - $sequence_21 = { 8a0410 30443924 41 3b4f04 72ee 8b4704 8bd7 } - $sequence_22 = { 7425 837c242002 7441 837c242003 } - $sequence_23 = { 0f1086f0000000 c7400410000000 c7400c00000000 0f114014 } - $sequence_24 = { 8b442464 89442430 8b442468 89442434 } - $sequence_25 = { a810 746a 8b570c 8d8c2460020000 6a00 e8???????? 83c404 } - $sequence_26 = { 8bd0 83e20f 8a8c0a00010000 300c18 } - $sequence_27 = { 685c020000 6a40 ffd6 0f1005???????? 8bf8 8b4508 0f114714 } - $sequence_28 = { 745d 837c242004 7479 837c242005 0f8480000000 e9???????? } - $sequence_29 = { c700aaeeddff 33c0 894710 c7470430020000 8d4840 ff15???????? } + $sequence_1 = { 85c9 741f 33c0 85c9 } + $sequence_2 = { 8955f0 8b45f8 8b4838 894dcc } + $sequence_3 = { 33c9 e8???????? 85c0 7502 eb7c } + $sequence_4 = { ff15???????? a3???????? 833d????????00 7510 6a00 } + $sequence_5 = { 85c0 754b 8b4f04 83c124 } + $sequence_6 = { c705????????07000000 8b442438 8905???????? c705????????00000000 } + $sequence_7 = { 8b442440 89442420 837c242001 7425 } + $sequence_8 = { ff15???????? 89442450 837c245000 7402 } + $sequence_9 = { 7568 8d43dc 8906 83f824 } + $sequence_10 = { 6bc800 8b550c 8b040a 50 ff15???????? } + $sequence_11 = { 33c0 e9???????? e9???????? ff15???????? 
} + $sequence_12 = { 75f5 c70665632985 663939 8b3d???????? 7407 } + $sequence_13 = { 0f84cd010000 6683f92e 750f 6683bc248000000000 0f84b8010000 ffc5 } + $sequence_14 = { 7424 85c9 7420 8bc3 660f1f440000 8bc8 } + $sequence_15 = { 8bda 8bf9 ff15???????? 85c0 0f8584000000 6a06 6a01 } + $sequence_16 = { eb2e 8b4dfc c7411001000000 eb11 8b55fc 8b02 8b4df4 } + $sequence_17 = { 8b3d???????? 81c600010000 c745dcaaeeddff c745e4e1f00000 } + $sequence_18 = { 83c418 85c0 7502 eb67 8b4dfc } + $sequence_19 = { 85c0 741d 8bd3 0f1f440000 8bc2 ffc2 } + $sequence_20 = { 6685c0 0f8496010000 6683f82e 750b } + $sequence_21 = { 83ec60 c745fc00000000 c745e000000000 6a40 8b450c } + $sequence_22 = { 837c242002 7441 837c242003 745d 837c242004 7479 837c242005 } + $sequence_23 = { 7405 e9???????? 83bc248000000000 7539 } + $sequence_24 = { 33c9 85c0 7415 0f1f00 8bc1 } + $sequence_25 = { 6a00 6a00 6a01 e8???????? 83c40c eb38 6a00 } + $sequence_26 = { 56 57 8b7d10 8b7720 c706aaeeddff 8b420c 89460c } + $sequence_27 = { 8b4204 8bcf 83c024 50 e8???????? } + $sequence_28 = { 6bc800 8b5510 0fb7440a40 85c0 } + $sequence_29 = { e8???????? 33c0 83f801 7425 baffffffff } condition: 7 of them and filesize < 417792 
@@ -122210,36 +122912,36 @@ rule MALPEDIA_Win_Nightshade_C2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "506408db-305c-5339-b348-c82ff40c922a" - date = "2026-01-05" - modified = "2026-01-06" + id = "3a013c55-9475-5a91-b423-49431172c7d5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightshade_c2" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nightshade_c2_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nightshade_c2_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "73549f59f11fbc1afdb3ccb5b45ff5a2e04bde2ab7c3c97f1567af6c297191aa" + logic_hash = "d5caecbd40f88b16a3cfb1034ff1c4e785b22070242bd631775bbe4afd9f4f1d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c744243000000000 488b842438010000 4889442428 89542420 448bcf 4533c0 33d2 } - $sequence_1 = { c744242000000000 eb0b 8b442420 83c002 89442420 8b842480000000 39442420 } - $sequence_2 = { 488b4c2458 ff15???????? 90 48837c247000 740c 488b4c2470 ff15???????? } - $sequence_3 = { 8b442458 89442428 488b442460 4889442420 448b4c2454 4c8b442470 33d2 } - $sequence_4 = { 8b0c24 486bc903 488b542408 0fb60c0a 81e1ff000000 0bc1 8b0c24 } - $sequence_5 = { ff15???????? ff15???????? 90 488b442440 488bc8 e8???????? 
90 } - $sequence_6 = { 48638424b8000000 488b8c24b0000000 4803c8 488bc1 4889442430 c744244400000000 eb0b } + $sequence_0 = { 85c0 742a 488d1503a00200 488d4c2420 e8???????? 85c0 7415 } + $sequence_1 = { 7502 eb3c 837c244000 7402 eb33 448b442450 488b542468 } + $sequence_2 = { 4883ec28 488b442430 488b4c2430 8b09 8b4008 2bc1 f30f2ac0 } + $sequence_3 = { ff15???????? 90 ebcc ba02000000 488b4c2440 ff15???????? } + $sequence_4 = { b954040000 f3aa 488d842460020000 488bf8 33c0 b918040000 f3aa } + $sequence_5 = { eb0b 8b442440 83c002 89442440 8b8424d8000000 39442440 0f83b9030000 } + $sequence_6 = { 488b8c24a0000000 483bc8 732b 4863442450 48634c2450 488d1588ca0200 4c8b442440 } $sequence_7 = { 85c0 7479 488b542438 488d0d0ce50100 e8???????? 85c0 } - $sequence_8 = { ff15???????? 85c0 7505 e9???????? 41b810000000 488d9424b8000000 488b4c2448 } - $sequence_9 = { 8b442424 8b4c2460 2bc8 8bc1 3dffff0000 7e0a c7442420ffff0000 } + $sequence_8 = { 85c0 7552 e8???????? e8???????? 85c0 740c 488d0d46060000 } + $sequence_9 = { 0fb78c24a6000000 8bc1 99 83e207 03c2 c1f803 8b8c2488000000 } condition: 7 of them and filesize < 458752 
@@ -122249,36 +122951,36 @@ rule MALPEDIA_Win_Bluelight_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e926d75-3ab2-5756-a7ce-3e5a6c0d0aa0" - date = "2026-01-05" - modified = "2026-01-06" + id = "e8f9e882-a97e-5a18-bbc2-a1cc0401340b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluelight" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bluelight_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bluelight_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "41a5ac3b75dc9289131b8472b69bdf4cdf3bf64ebeaeb2e76e9bbd4dca7df902" + logic_hash = "278911f138cae178eb8e13b99f631191fe53859706126567e1ed729abc024bfd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff771c ff15???????? ff771c 8b7714 ff15???????? 5f 8bc6 } - $sequence_1 = { 884dc7 8955d0 81faa7000000 0f87a8410000 ff249526044300 6b4b0428 6a04 } - $sequence_2 = { 85db 740f ff7760 53 ff7764 e8???????? 83c40c } - $sequence_3 = { eb0c 8b4508 8907 c7450800000000 8b4518 894710 8b4520 } - $sequence_4 = { f64605c0 7415 8d442420 68???????? 50 e8???????? ff44241c } - $sequence_5 = { e8???????? 8d4d8c 894314 e8???????? 8d4d9c e8???????? 8d4d94 } - $sequence_6 = { e8???????? b8???????? e9???????? 8d8d60feffff e9???????? 8d4da8 e9???????? } - $sequence_7 = { ff761c 50 e8???????? 
83c410 8d4510 50 ff750c } - $sequence_8 = { 8b45d4 3bde 7507 8bc8 e8???????? 8a4d9f 33db } - $sequence_9 = { ff7304 8b4d0c ff73ec 6a2d 5a e8???????? 8943ec } + $sequence_0 = { 85c0 7511 8b459c 85c0 740a 8bd0 8d4d80 } + $sequence_1 = { 85ff 740a 0fb64618 298708010000 5f c6461800 5e } + $sequence_2 = { e8???????? e9???????? 85c0 0f8447040000 8a4d10 32c0 215dc4 } + $sequence_3 = { 8d4d94 e8???????? 85c0 0f84c1000000 68???????? 8d4ddc e8???????? } + $sequence_4 = { 8d3c97 3bd8 7704 3bfe 7354 8bc2 8bfb } + $sequence_5 = { eb41 33c0 8bfb 6a06 59 f3ab 8b442418 } + $sequence_6 = { e8???????? 8bf0 85f6 7575 8b4dd8 e9???????? b93e070100 } + $sequence_7 = { 8b75f8 8d45ec 50 8b45e4 8bd6 85c0 50 } + $sequence_8 = { c3 55 8bec 83ec2c 8365f000 33c0 2145e0 } + $sequence_9 = { 8b8e24010000 85c9 0f8495020000 eb02 8b09 3939 75fa } condition: 7 of them and filesize < 2191360 
@@ -122288,36 +122990,36 @@ rule MALPEDIA_Win_Virlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9f47c27a-c9f5-5a88-9d0b-7ae966c8318a" - date = "2026-01-05" - modified = "2026-01-06" + id = "085cabe9-e2a4-55b6-bc55-1f46be32d6fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.virlock_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.virlock_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "57885374cad55b220d8ca1f9432224bf7f5758a9b4619824c3d2cad7d03a8a3d" + logic_hash = "4ef2107be4b7bc5e1cb0ced0363b649b9482a5e0be91cefd14ffeda65e047d99" score = 75 - quality = 71 + quality = 69 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81f234ea98fc ba77fa04fa bb5191b6fe e8???????? 81f2fcfd84fd bb9d77e800 81f32dcee8ff } - $sequence_1 = { 41 4a 54 52 4a 4b 55 } - $sequence_2 = { 68???????? eb0a 68???????? 68???????? e8???????? 
83fa00 751b } - $sequence_3 = { 49 52 43 52 58 } - $sequence_4 = { 3b12 3646 9a19386f50123e 54 0ae7 0220 6f } - $sequence_5 = { d0c3 4a 43 d0a90a2bd0f3 } - $sequence_6 = { bb666d87fd 83e904 ba0dd2b2fe eb00 83f905 7d74 bb93ec7eff } - $sequence_7 = { 6b484768 e4cc 681cafc880 cf 6a78 d6 49 } - $sequence_8 = { 70c1 8a6a8f b3f0 46 fd 098f46182e59 53 } - $sequence_9 = { 36a25c6a5eac 42 775c 44 e4f2 2b470c d04ba2 } + $sequence_0 = { 3006 ba6aa196ff 46 bae0fba3f9 ebc9 be???????? ba5e3718fa } + $sequence_1 = { 7552 ff35???????? 6a00 6a01 68???????? e8???????? e8???????? } + $sequence_2 = { a4 2af4 d8d5 ac 3122 a4 2a8e18e1cb3e } + $sequence_3 = { 6a04 e8???????? 6aff ff35???????? 68???????? e8???????? e8???????? } + $sequence_4 = { 44 43 50 49 4e 42 51 } + $sequence_5 = { 43 49 55 41 4f 59 51 } + $sequence_6 = { 60 16 16 4c 6b1617 4c } + $sequence_7 = { 54 49 44 48 42 4b 51 } + $sequence_8 = { bf56ab9071 53 a0???????? 5d bb6eab9071 53 e542 } + $sequence_9 = { b521 744c e75f 25490fe965 2e59 53 70c1 } condition: 7 of them and filesize < 4202496 
@@ -122327,36 +123029,36 @@ rule MALPEDIA_Win_Cherry_Picker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a7caa2a0-b6b8-580c-adee-e174a6220843" - date = "2026-01-05" - modified = "2026-01-06" + id = "1141c862-ff66-57b5-8358-945b902a0152" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cherry_picker_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cherry_picker_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "576fc4aca504b01489ce7bd7347bbe12054a63e779c96e3d35219ad0c56e8479" + logic_hash = "f05118b88b6d50e73141e31e40609464d5b4f86673532dbf5e0b5d6fe325ed99" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd3 68???????? 56 8944242c ffd3 68???????? } - $sequence_1 = { 8d442428 50 ff542420 8b442420 } - $sequence_2 = { 8bf0 8bd1 83c408 2bf2 8a11 88140e 41 } - $sequence_3 = { 68???????? 68???????? a3???????? ffd6 69c0e8030000 } - $sequence_4 = { ff15???????? a3???????? 85c0 7512 68???????? 50 } - $sequence_5 = { a3???????? ffd6 68???????? 6a3c } - $sequence_6 = { 8bf0 0fbec9 81e6ff000000 33f1 8a4a01 42 c1f808 } - $sequence_7 = { 68e8030000 68???????? 68???????? a3???????? } - $sequence_8 = { 68???????? 68e8030000 68???????? 68???????? a3???????? 
} - $sequence_9 = { 68???????? 56 8944242c ffd3 68???????? } + $sequence_0 = { 69c0e8030000 68???????? 6a01 68???????? 68???????? a3???????? ffd6 } + $sequence_1 = { ffd3 68???????? 56 8944242c ffd3 68???????? } + $sequence_2 = { ffd6 68???????? 68e8030000 68???????? 68???????? a3???????? } + $sequence_3 = { ffd3 6a00 6a00 6a03 6a00 6a00 6800000040 } + $sequence_4 = { 6bc964 03ca 69c910270000 03c8 } + $sequence_5 = { ffd3 68???????? 56 89442420 ffd3 68???????? 56 } + $sequence_6 = { 68???????? 68???????? ffd6 68???????? 6800010000 68???????? 68???????? } + $sequence_7 = { 68???????? 56 8944242c ffd3 68???????? } + $sequence_8 = { 8bf0 0fbec9 81e6ff000000 33f1 8a4a01 42 } + $sequence_9 = { 52 e8???????? 83c42c 6a00 6a00 6a04 6a00 } condition: 7 of them and filesize < 712704 
@@ -122366,36 +123068,36 @@ rule MALPEDIA_Win_Ravenstealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84f90220-3279-5007-a5a1-8ce5ade31449" - date = "2026-01-05" - modified = "2026-01-06" + id = "20212807-4d14-59e4-9d40-eb50743670c1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ravenstealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ravenstealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ravenstealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "79823541f3a380244fa96c3e3bd68dec6432b3566c33a9fa586cf37babf2bf66" + logic_hash = "6ec6455bdf09b1be97121b32ca42f5b288d6d83756a0d435d5f3b0e6afc2b07a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8b742430 4883c438 415f 415c 5f 5b c3 } - $sequence_1 = { f20f5cc8 f20f59ca f20f114c2440 e8???????? 440fbef0 e8???????? 0fbed8 } - $sequence_2 = { c744247809000000 eb58 448d3c37 0fbe05???????? 4103c7 0fbe0d???????? 33d2 } - $sequence_3 = { 8b5c2450 8b742454 3bc1 0f84bb130000 0fb605???????? 0fb605???????? 0fb605???????? } - $sequence_4 = { f20f59c8 f2440f2cf1 8b85e01f0000 83c04c f20f2ad0 0fb605???????? 0fbec8 } - $sequence_5 = { f2480f2ac0 f20f594590 f20f2cc0 89442428 8b442458 83e86a 660f6ed0 } - $sequence_6 = { e8???????? 
488bf8 488d9424b0000000 488d8c2450090000 e8???????? 488b18 488d9424b8000000 } - $sequence_7 = { 85c0 7416 81a5fc030000fffeffff 488d8d28100000 e8???????? 4883c420 5d } - $sequence_8 = { 83f801 750a 488b07 488bcf ff5008 90 4d85f6 } - $sequence_9 = { 7406 6683f92f 7504 4883c002 483bd8 7442 0f1f8000000000 } + $sequence_0 = { 90 c644245f00 488d5590 488d4c245f e8???????? 4c8bf0 f2440f100d???????? } + $sequence_1 = { 660fefc0 0f1101 660f6f05???????? 660f7f85301b0000 48c7c7ffffffff 4c8bc7 6690 } + $sequence_2 = { 90 488d8d80160000 660fefc0 0f1101 660f6f05???????? 660f7f8590160000 4c8bc7 } + $sequence_3 = { 48837df00f 480f4745d8 0fbe18 ebb7 48837df00f 480f4745d8 488b4dc0 } + $sequence_4 = { 8944244c 8b442420 83c059 660f6ed0 f30fe6d2 0fbe05???????? 660f6ec0 } + $sequence_5 = { 7443 e8???????? 0fbec8 0fbe15???????? 0fafd1 8d1c92 03db } + $sequence_6 = { 488d8a60000000 e9???????? 488d8a88000000 e9???????? 488d8a60000000 e9???????? 488d8a28030000 } + $sequence_7 = { 4d8bc7 488bc8 4983fe07 764b 488b1f 488bd3 e8???????? } + $sequence_8 = { 488bc8 e8???????? 488bc8 488d85c8020000 660fefc0 0f1100 660f6f0d???????? } + $sequence_9 = { f20f59442440 f20f2cc0 898424f8000000 48638c24a0000000 0fb78424b0000000 6623842498000000 6603c0 } condition: 7 of them and filesize < 8337408 
@@ -122405,36 +123107,36 @@ rule MALPEDIA_Win_Bredolab_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9ae7558-41e9-5f48-a345-a8a0a59274ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "e7c8cb13-3905-583a-b6e2-16aa5a73cace" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bredolab_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bredolab_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "b7fcc4ad5e8f568651dead1485597f16282b873ba030d633458bd92c7562859d" + logic_hash = "ae5a50df2a29ef50bff534d97949c926ce824947abe5c43c0516cdec4a20851c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 55 89e5 56 53 8b5508 8b4d0c } - $sequence_1 = { 75be 8b8348080000 40 898348080000 } - $sequence_2 = { 7424 8b5514 c60200 8d85e0f7ffff 89442404 c7042400080000 ff15???????? } - $sequence_3 = { 89853cfcffff ff15???????? 51 66c78560ffffff0800 c744240408020000 c7042400000000 ff15???????? } - $sequence_4 = { c7834808000000000000 c7442404???????? 8d4314 890424 ff15???????? } - $sequence_5 = { ff15???????? 
57 57 8b45e4 89442404 8b4510 890424 } - $sequence_6 = { 895c2424 89542420 c744241c00000000 c744241800000000 } - $sequence_7 = { 84c0 75f6 894d14 8b5d14 c60300 8b4d0c 8b8560ffffff } - $sequence_8 = { 8b450c 8b5510 8d1c07 85c0 740a 807bff3f 7404 } - $sequence_9 = { 89d6 31db 6690 80be5409000000 7523 b030 } + $sequence_0 = { 53 83ec04 e8???????? 8b1d???????? } + $sequence_1 = { 89e5 57 56 53 81eccc010000 89c3 899560feffff } + $sequence_2 = { 895c2404 893424 ff15???????? 83ec08 893424 ff15???????? } + $sequence_3 = { 7fe0 89f3 8bb514f7ffff a1???????? 898514f7ffff 8d9520ffffff 8d4584 } + $sequence_4 = { 83f830 75f1 8b430c a804 0f8418ffffff } + $sequence_5 = { 55 89e5 53 83ec04 e8???????? 8b1d???????? 0fb6c8 } + $sequence_6 = { c7042412000000 e8???????? 89742414 8b5508 89542410 c744240c03000000 } + $sequence_7 = { 89542404 c704240f000000 898510f7ffff e8???????? 89742414 897c2410 8b8d10f7ffff } + $sequence_8 = { e8???????? 8b45d4 890424 ff15???????? 52 89c7 85c0 } + $sequence_9 = { 51 8b4508 8b984c090000 89d8 8d65f4 } condition: 7 of them and filesize < 90112 
@@ -122444,36 +123146,36 @@ rule MALPEDIA_Win_Unidentified_001_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f3b6be6e-c236-5d2d-a19b-afb6b895b93e" - date = "2026-01-05" - modified = "2026-01-06" + id = "369dc43d-7026-56ce-913f-b32cf475cb69" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_001_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_001_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "499ec49f978d7f898a74204c78a47d7ff968e3be0856c4a113e03a1aece4ce50" + logic_hash = "ae2ae65dfaf0eab14746b11963fc57125c51ecb695f96061026741c08884869d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 741c 83e80a 0f84c6fcffff 2def000000 } - $sequence_1 = { 6830750000 ffd6 8b4df8 85c9 7483 8d45fc } - $sequence_2 = { 85c9 0f84dafdffff e8???????? 85c0 0f85f3000000 } - $sequence_3 = { 8b06 8d4dfc 51 56 ff5028 85c0 7d0c } - $sequence_4 = { 895824 895808 c7401c06000000 47 } - $sequence_5 = { 2d0a020000 0f84a2faffff 2d02020000 e9???????? c705????????0d000000 } - $sequence_6 = { 8b4508 83e103 f3a4 8bd0 668b08 } - $sequence_7 = { 0f8468feffff 3d4b475a00 0f845dfeffff 3d4d4f5a00 0f8507f9ffff 8325????????00 e9???????? 
} - $sequence_8 = { 2df9070000 0f8437010000 2d01010000 0f84e2050000 2df3010000 7420 } - $sequence_9 = { 3d54484100 7416 3d414c4100 753b c705????????09000000 e9???????? } + $sequence_0 = { 85c9 7483 8d45fc 50 } + $sequence_1 = { ff5108 8b45f8 3bc3 0f8435fdffff 8b08 } + $sequence_2 = { 0f87c8000000 0f844bfbffff b952555300 3bc1 7767 74d3 2d434d5200 } + $sequence_3 = { 2d49525100 0f84acfbffff 2d04020000 0f8400fcffff 2d00ed0000 0f8496fbffff } + $sequence_4 = { 0f8462fdffff 8d45f0 50 e8???????? 8b00 85c0 7404 } + $sequence_5 = { 59 5e c3 55 8bec 837d0800 56 } + $sequence_6 = { 50 ff75ec 56 ff5720 } + $sequence_7 = { 85c9 74e7 e8???????? 33c9 } + $sequence_8 = { 8b4d0c 894dec 668b4d08 66894de8 } + $sequence_9 = { 6a04 68???????? 6a07 6800080000 } condition: 7 of them and filesize < 65536 
@@ -122483,36 +123185,36 @@ rule MALPEDIA_Win_Thunderx_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2518ca7c-7e0a-565b-be3c-84d244188fab" - date = "2026-01-05" - modified = "2026-01-06" + id = "74cc12c7-c26c-5b07-8bf3-e61c0c3737a0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.thunderx_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.thunderx_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "4292a9f6c1d3812002d780fdcc81ab5726cfcf5e40c47b2cebcf85c542667c9b" + logic_hash = "be1fae743a9b33f70688c51942e116572c878e8696fd03ea77455b3bd8028673" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 e8???????? 59 8d45b0 8bcf 50 e8???????? } - $sequence_1 = { 75f2 85c9 7509 3bc6 740b 83e802 ebd7 } - $sequence_2 = { 8bcb e8???????? 83c318 83c618 895de0 3bf7 75eb } - $sequence_3 = { 8b35???????? ffd6 ff75ec ffd6 b001 eb02 32c0 } - $sequence_4 = { 7462 8b44240c 3b05???????? 7556 8b442410 89442438 8b442414 } - $sequence_5 = { c3 6a54 b8???????? e8???????? 8bf9 897dac } - $sequence_6 = { 7415 ff15???????? 85c0 750b e8???????? 84c0 } - $sequence_7 = { 59 56 8bd0 885dfc 8d8d40feffff e8???????? 59 } - $sequence_8 = { e8???????? 8d8dc8fdffff e8???????? 
8d8db0fdffff c645fc05 e8???????? } - $sequence_9 = { 8bfa 2b7d0c eb02 8bfe } + $sequence_0 = { 56 8b7508 8d5602 668b06 83c602 6685c0 } + $sequence_1 = { 8b4590 03c1 894d8c 6a0d 50 e8???????? } + $sequence_2 = { 50 e8???????? 8d4dd4 e8???????? 8d4dbc e8???????? 8bc3 } + $sequence_3 = { eb02 33db 8ac3 e8???????? c3 55 8bec } + $sequence_4 = { 8945f0 e8???????? 8bf8 6bc61c 8b750c 56 897df8 } + $sequence_5 = { 6a00 51 ff35???????? b8???????? 0f4305???????? 50 } + $sequence_6 = { a1???????? 33c4 8944241c 56 57 8bfa 8bf1 } + $sequence_7 = { 6a00 6a01 ff15???????? 8bf8 85ff 751a } + $sequence_8 = { 50 56 ffd7 85c0 7462 8b44240c } + $sequence_9 = { 894db0 8b048d701b4200 8975b4 8b440618 8b7514 03f2 } condition: 7 of them and filesize < 319488 
@@ -122522,39 +123224,39 @@ rule MALPEDIA_Win_Torisma_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0490c82-c45a-54e7-aa2a-3188c569a1ea" - date = "2026-01-05" - modified = "2026-01-06" + id = "429c4685-02ab-53bb-bf5a-5d589554aaee" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.torisma_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.torisma_auto.yar#L1-L135" license_url = "N/A" - logic_hash = "4aa02301b79ecba1924d78ea53a128f60820750cf7fd370e510af85a61be0b19" + logic_hash = "e05205fd2ec61ac7ebc1e65ee815290cba6c9a83ebb3a4a6c0d647bde599cf40" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 3d83490000 7507 b883490000 } - $sequence_1 = { 7402 eb05 e9???????? b833280000 } + $sequence_0 = { 7402 eb05 e9???????? b833280000 } + $sequence_1 = { e8???????? 3d83490000 7507 b883490000 } $sequence_2 = { e8???????? 3d514b0000 7504 33c0 } - $sequence_3 = { 8b3f c1ef02 83e701 c1e702 } - $sequence_4 = { 488b4c2440 e8???????? 
488b442460 488b4018 48c70000000000 } - $sequence_5 = { 488b00 488b7820 33c0 b920000000 } - $sequence_6 = { 48894c2408 57 4883ec40 48c744242000000000 } - $sequence_7 = { ff2495c0d50010 8bc7 ba03000000 83e904 } - $sequence_8 = { 837c242000 7504 33c0 eb23 } - $sequence_9 = { 894dec 6a00 ff15???????? 8d55dc 52 } - $sequence_10 = { 51 8b5510 52 6a25 6a20 } - $sequence_11 = { 6a02 8b4da4 8b11 52 } - $sequence_12 = { c1e104 8b94242c010000 0bd1 8bca } + $sequence_3 = { 740d 8b4dd8 e8???????? 8945c0 } + $sequence_4 = { 8d4310 8d89f4cd0110 5a 668b31 668930 } + $sequence_5 = { 334dfc 894dfc 8b4d08 8b5164 } + $sequence_6 = { 4881ec98000000 48c7442460feffffff b914000000 e8???????? 4889442438 48837c243800 } + $sequence_7 = { c644245137 c644245282 c644245367 c644245432 } + $sequence_8 = { 48c744244800000000 488b4c2438 e8???????? 488b442438 4889842480000000 } + $sequence_9 = { 39442424 7202 eb2a 48837c245800 7413 } + $sequence_10 = { 0bd1 8bca 898c24ac000000 488b542478 8b5210 488b7c2470 8b1497 } + $sequence_11 = { 6a03 8b55f8 8b4204 50 } + $sequence_12 = { b862000000 668945f6 33c9 66894df8 8d55b0 52 } condition: 7 of them and filesize < 322560 
@@ -122564,36 +123266,36 @@ rule MALPEDIA_Win_Deltastealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4fccefcb-7a2e-57a6-ab41-b89b24454179" - date = "2026-01-05" - modified = "2026-01-06" + id = "bccdc496-6ad8-5308-ab4b-c25e332f3814" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deltastealer_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deltastealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8e1fc56421c67233761e9d4924d596056974746fe89cb951900a859521620234" + logic_hash = "ddf696ca17f3f657bd5d8043a87964d8b73f81a4cca8cc13d670bbdbb128e5ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb5d 31ff eb18 48314618 4889f1 e8???????? 488b4638 } - $sequence_1 = { 4d89d7 40b601 83ff01 0f8583000000 4181fcff000000 0f873c050000 4885db } - $sequence_2 = { e8???????? 8a5860 4889f9 e8???????? 448a7060 4889f9 e8???????? } - $sequence_3 = { c3 4d89c8 e8???????? 0f0b 4157 4156 4155 } - $sequence_4 = { e8???????? 4889f9 89ea e8???????? 41c60707 4883c438 5b } - $sequence_5 = { 498b4e28 498b5630 41c60709 41c7471802000000 e8???????? 90 4883c438 } - $sequence_6 = { eb18 488b4e40 4883c118 e8???????? e8???????? 488906 895608 } - $sequence_7 = { e8???????? 
0f0b ba08000000 4889f0 4883c420 5b 5f } - $sequence_8 = { e8???????? 4829fe 4c89f1 4889f2 4883c428 5b 5f } - $sequence_9 = { 8b90cc000000 895108 83a0c400000000 e8???????? c70701000000 894704 } + $sequence_0 = { 4885c0 7807 4801c6 720d eb34 4889c1 48f7d9 } + $sequence_1 = { c3 31ff eb0c 31ff b301 eb06 b302 } + $sequence_2 = { 4c89f9 ba3a000000 ffd3 84c0 0f850a010000 4c896c2478 4c89b42480000000 } + $sequence_3 = { 488b4c2440 8b3481 48ffc0 49c7467001000000 49894678 eb33 4983661800 } + $sequence_4 = { e8???????? 84c0 0f840effffff e9???????? b301 48833f00 7588 } + $sequence_5 = { e8???????? 48033e 48897c2428 483b7e08 770e 48893e 4881c480000000 } + $sequence_6 = { 785c 4983faff 74e6 4489d7 29c7 83e707 75dc } + $sequence_7 = { 4c89e9 4d89e0 e8???????? eb81 48c1ef39 488d43f0 4821c5 } + $sequence_8 = { 83be9000000004 7479 e9???????? 4885c0 0f8588000000 488b8690000000 4883f803 } + $sequence_9 = { 5f 5e e9???????? 8a0f 4889f2 4883c428 5f } condition: 7 of them and filesize < 3532800 
@@ -122603,36 +123305,36 @@ rule MALPEDIA_Win_Doublefinger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1a4bb31a-3c01-5b6e-ae26-bb31027c979c" - date = "2026-01-05" - modified = "2026-01-06" + id = "3d9393e9-7773-5480-8061-9ef15c01ff97" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefinger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doublefinger_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doublefinger_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "34310946832cc40b49a31828e604fb9d9a1c8fad12732184c4ffa2b4443b2159" + logic_hash = "853a77566abb8caa206ba73d4a3891e986337f4b63f9bfa4751336f42049cb30" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c644247d64 c644247e79 c644247f97 488d942410030000 488d4c2478 e8???????? } + $sequence_0 = { 8b442404 8b0c24 03c8 8bc1 03442408 8bc0 } $sequence_1 = { 8b442448 39442444 7d27 41b87a000000 ba61000000 488b8c2468010000 e8???????? } $sequence_2 = { 4533c0 8b942464010000 488b4c2450 e8???????? } - $sequence_3 = { c6440478af ba0a020000 b940000000 488b842468010000 ff5038 } - $sequence_4 = { e8???????? ba0a020000 488d8c2460010000 e8???????? 
} - $sequence_5 = { 39442408 0f8394000000 c6042400 c744240400000000 eb0a 8b442404 } + $sequence_3 = { 4883ec38 ba08000000 488d4c2420 e8???????? 6944244810270000 } + $sequence_4 = { 488b4c2450 e8???????? 48898424f8020000 8b442458 35beaeaeab } + $sequence_5 = { 4c89442418 4889542410 48894c2408 4883ec68 48c744243000000000 c744242880000000 c744242003000000 } $sequence_6 = { 488bc1 eb7a 837c242000 7471 } - $sequence_7 = { ba0a020000 b940000000 488b442470 ff5038 } + $sequence_7 = { 85c0 752d 41b975020000 4533c0 48c7c2ffffffff 488d8c2410030000 } $sequence_8 = { 3565708005 8984246c010000 8b84246c010000 8b4c2460 33c8 } - $sequence_9 = { 66898424fc000000 33c0 66898424fe000000 ba64000000 } + $sequence_9 = { 488b8424a0020000 8b4c2460 3908 7502 } condition: 7 of them and filesize < 115712 @@ -122643,10 +123345,10 @@ rule MALPEDIA_Win_Play_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "fb8bcd82-2890-51e9-aef7-15cdb7334359" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.play_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.play_auto.yar#L1-L126" license_url = "N/A" logic_hash = "98ed430384a69d155a8a3b8add1f6db92e55c318ad1d4defbfbdd225c9837ee9" score = 75 
@@ -122655,9 +123357,9 @@ rule MALPEDIA_Win_Play_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" @@ -122682,10 +123384,10 @@ rule MALPEDIA_Win_Ayegent_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ced11e8d-8efd-5b26-929c-fa1cb31d81f3" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ayegent_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ayegent_auto.yar#L1-L127" license_url = "N/A" logic_hash = "ba5d5de854dff7a7f643a8b1e7c7fe4de58085b126949eb8bd1d550389e21c48" score = 75 @@ -122694,9 +123396,9 @@ rule MALPEDIA_Win_Ayegent_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -122721,10 +123423,10 @@ rule MALPEDIA_Win_Brutpos_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "bb6abccd-59b3-5a30-9e67-ccbe498737a5" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.brutpos_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.brutpos_auto.yar#L1-L117" license_url = "N/A" logic_hash = "89d0bc6a7e52ba9f63dface96ebbf483b03be0cbf8144ed32f3b88bf360b4eda" score = 75 @@ -122733,9 +123435,9 @@ rule MALPEDIA_Win_Brutpos_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -122759,42 +123461,42 @@ rule MALPEDIA_Win_Crosswalk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1076206e-4e1c-51ff-b49e-1f2c394e3af9" - date = "2026-01-05" - modified = "2026-01-06" + id = "7cf43d9f-bacd-5ede-9b50-cbf46214205f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crosswalk_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crosswalk_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "41379ac5fd7ea514139388720a6ee90edcc7ef23d2f29794443905502b173fda" + logic_hash = "66a6f588ae9606cfadfda7951f064572a6601950dd15ac146973fdd58f684b57" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883ec28 4885c9 7402 ffd1 } - $sequence_1 = { 8bc2 c1e81f 03d0 69c2890e0000 3bc8 } - $sequence_2 = { d3ca 03d0 4183ef01 75ef } - $sequence_3 = { 33f6 8d6e20 8bcd e8???????? } - $sequence_4 = { 458d7ee0 418bd7 ff15???????? 4821742420 } - $sequence_5 = { 41b88d56e68c 418bc0 f7e9 03d1 } - $sequence_6 = { 458bc6 33d2 488bc8 e8???????? 4533c9 } - $sequence_7 = { 410fbe00 49ffc0 d3ca 03d0 } - $sequence_8 = { c1f906 6bd730 8b0c8d808e4100 c644112800 85f6 740c 56 } - $sequence_9 = { 58 6bc000 c7803c88410002000000 6a04 58 6bc000 8b0d???????? 
} - $sequence_10 = { 6a00 6a00 57 56 8945f8 ff15???????? } - $sequence_11 = { 41 4a c60100 b8???????? c745dc0c234100 8945bc } - $sequence_12 = { 8945e8 8945f8 8b4508 56 be???????? c745ec24234100 57 } - $sequence_13 = { 7420 6bc618 57 8db880904100 57 ff15???????? } - $sequence_14 = { 83e03f 8bca 6bc030 c1f906 03048d808e4100 eb02 } - $sequence_15 = { 6bf030 03348d808e4100 837e18ff 740c } + $sequence_0 = { 4c8bc6 33d2 410fbe00 49ffc0 d3ca 03d0 4183ef01 } + $sequence_1 = { 33f6 8d6e20 8bcd e8???????? } + $sequence_2 = { ff15???????? 448bf0 4533c9 4533c0 } + $sequence_3 = { 458d7ee0 418bd7 ff15???????? 4821742420 } + $sequence_4 = { 4883ec28 4885c9 7402 ffd1 } + $sequence_5 = { 8bc2 c1e81f 03d0 69c2890e0000 } + $sequence_6 = { 458bc6 33d2 488bc8 e8???????? 4533c9 4533c0 33d2 } + $sequence_7 = { 418bc0 f7e9 03d1 c1fa0b 8bc2 } + $sequence_8 = { 83e13f 6bc930 53 56 8b0485808e4100 33db 8b7508 } + $sequence_9 = { 660fd60f 8d7f08 8b048d34024100 ffe0 f7c703000000 7413 8a06 } + $sequence_10 = { 898850030000 8b4508 59 c74048f0844100 } + $sequence_11 = { 33c9 8b450c 0fb684c8981a4100 c1e804 } + $sequence_12 = { 75be ddd8 db2d???????? b802000000 833d????????00 0f85a0110000 8d0dc0584100 } + $sequence_13 = { 6bd030 895de4 8b049d808e4100 8945d4 8955e8 } + $sequence_14 = { 57 8bf9 0f1f440000 6a00 6a00 57 } + $sequence_15 = { 6a00 50 6a0c 53 56 ff15???????? } condition: 7 of them and filesize < 286720 
@@ -122804,36 +123506,36 @@ rule MALPEDIA_Win_Smac_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aa200520-854b-5bad-b989-05c108d9a8dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "cd9f318b-8b86-5db7-92c6-cd44e49264e1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.smac_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.smac_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "048e342bef93bb6d74cc2ec6d93a75375cb38005feab23ff54823997fa4e630f" + logic_hash = "3a760a111c02344763c745180f5dfae6ad40ea331d619c10bbdfaeabeb18494a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 59 8bd8 8d8514f1ffff c645fc16 e8???????? 6a01 } - $sequence_1 = { ffd6 8d45e0 50 ff35???????? c745e04d6f7665 c745e446696c65 c745e845785700 } - $sequence_2 = { c3 8bff 55 8bec 8b4508 56 8d34c5d0504100 } - $sequence_3 = { 668985fcfeffff 668985fefeffff 58 6a5c 66898500ffffff 58 6a63 } - $sequence_4 = { 33c0 668985f0efffff 8d8504f1ffff 50 8d85c0efffff 50 56 } - $sequence_5 = { 6aff ff7508 bbe9fd0000 50 53 ffd6 8bf8 } - $sequence_6 = { ff35???????? 
66898d76ffffff c745a04765744d 66c745a46f64 c645a675 66c745a86546 c645aa69 } - $sequence_7 = { 58 6a5b 66894594 33c0 66894596 58 } - $sequence_8 = { 50 ffd6 53 6a07 8d8d34feffff 51 53 } - $sequence_9 = { 50 ff15???????? ffb568f4ffff ff15???????? 56 e8???????? 59 } + $sequence_0 = { c745dcc5d94000 a1???????? 8d4dd8 33c1 8945e0 } + $sequence_1 = { 6a69 668975c8 8bf0 66894da2 668975ca 5e } + $sequence_2 = { 7303 8d45d4 53 8d4dd0 51 } + $sequence_3 = { 8d850cf9ffff 50 8d45c8 50 8d8504f7ffff 50 ffd7 } + $sequence_4 = { 8d9dd0feffff 8d8578feffff 50 8bc7 } + $sequence_5 = { 6a3c b8???????? e8???????? 807b5400 7462 8d45b8 68???????? } + $sequence_6 = { 8d4598 c645fc0d e8???????? 8d45d0 50 8d45b4 } + $sequence_7 = { 8d8564f4ffff 50 57 8d856cf4ffff 50 53 8d45d4 } + $sequence_8 = { ff15???????? 33c0 56 66898504f7ffff 8d8506f7ffff 53 50 } + $sequence_9 = { 6a01 33ff 8d75d0 e8???????? 8d8530f9ffff 50 ff15???????? } condition: 7 of them and filesize < 212992 
@@ -122843,36 +123545,36 @@ rule MALPEDIA_Win_Sepulcher_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "802dcce7-e6b4-5d4a-a31c-1fbaf1e1892c" - date = "2026-01-05" - modified = "2026-01-06" + id = "a6431b51-e633-5c7f-aae9-b755f6d76c30" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sepulcher_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sepulcher_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "5e68d8ea35ea7e66861512d33b8203bcd0ab7d3eb1395ac8fae23afff0a1b2a5" + logic_hash = "29a2e79b7f9b4200c42a42b4ebc98c4eddd3e5b31679b40d2090401136cf8e8a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6828080000 33ff 8d85ccf7ffff 57 50 } - $sequence_1 = { 0fb77124 8b11 668b450c 668944b202 } - $sequence_2 = { 56 53 e8???????? 85c0 743d 6a00 } - $sequence_3 = { e8???????? 894608 8b857cffffff 6a3c 894620 8d459c 6a00 } - $sequence_4 = { 668984247e6e0000 0f1184241c6e0000 c784242c6e000006000000 c78424306e000009000000 } - $sequence_5 = { 668975dc 668975e2 668975e4 66c745ac756d c645ae62 8855af } - $sequence_6 = { 88043e 46 3c3e 752f 83fe05 7235 } - $sequence_7 = { 6a00 8d4df8 51 6a01 8d4dff 51 50 } - $sequence_8 = { 8b048550de0110 f644082801 7406 8b440818 5d c3 e8???????? 
} - $sequence_9 = { e8???????? 59 8d8c24a0250000 e8???????? 68f2030000 } + $sequence_0 = { 8bf9 0fb64722 83e801 7439 } + $sequence_1 = { e8???????? 85c0 0f8434030000 6828080000 33ff 8d85ccf7ffff 57 } + $sequence_2 = { 741c 85db 7507 c746346c5c0110 57 ff7634 c6463c01 } + $sequence_3 = { 8b4508 83c40c 89851cd8ffff 8b8618250000 898540d8ffff } + $sequence_4 = { 8a1c01 eb40 8a5dff eb3b 8b4f30 8b4718 f6c101 } + $sequence_5 = { 8d8424f0040000 50 ffd6 6a10 59 } + $sequence_6 = { 7437 3df2030000 7530 56 6a00 68???????? eb1c } + $sequence_7 = { 59 6a25 8bfa f3ab 59 6a64 58 } + $sequence_8 = { 56 50 68???????? 8d8424d4710000 6800040000 50 } + $sequence_9 = { 7428 ba00010000 663bc2 741e ba00020000 663bc2 } condition: 7 of them and filesize < 279552 @@ -122883,10 +123585,10 @@ rule MALPEDIA_Win_Huskloader_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "baa8dc28-4bde-5660-bacb-e311987b66fe" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.huskloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.huskloader_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.huskloader_auto.yar#L1-L128" license_url = "N/A" logic_hash = "efaf6361c8e2a990c1d94ea51b671a22e525594bb6c413d70cb1d93190351b34" score = 75 
@@ -122895,9 +123597,9 @@ rule MALPEDIA_Win_Huskloader_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -122921,36 +123623,34 @@ rule MALPEDIA_Win_Onliner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e266190c-77cd-5e00-b175-da1e4e33561c" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa3dd8d7-a5cc-58f8-ae0d-e850fb7db769" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.onliner_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.onliner_auto.yar#L1-L90" license_url = "N/A" - logic_hash = "c9e55a1b6192aded12d9bdf9f70d961ece286b9f8d470b491a50250894e58dcc" + logic_hash = "597deb9e2d0b7df5d7ff676ac825978c222dfe4f2de499345b8b00fb5671cd6a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8bf0 85f6 0f85ab000000 8b45f8 8945f4 e9???????? } - $sequence_1 = { 58 e8???????? 0f8436010000 a1???????? e8???????? 3c01 7412 } - $sequence_2 = { 058a4c2a8d ba14000000 e8???????? 03c7 8bf0 8bc7 33c6 } - $sequence_3 = { 8910 33c0 8ac3 8d448604 8b17 e8???????? 8b17 } - $sequence_4 = { e8???????? ff75ec 8b45fc e8???????? 0fb7c0 8d55e4 e8???????? } - $sequence_5 = { eb41 83c0bf 83e81a 7225 83c0fa 83e81a } - $sequence_6 = { 837df800 750f 8bc3 8b55fc e8???????? e9???????? 8b45f8 } - $sequence_7 = { 8bd7 e8???????? 
8b0424 833800 742e 8b0424 } - $sequence_8 = { 8993b4010000 8d8398000000 e8???????? 8d9398000000 8b83b4010000 e8???????? 8bc3 } - $sequence_9 = { 8bcf 83e11f c1e106 8b048560f94c00 c644080401 57 e8???????? } + $sequence_0 = { 000c4b 41 001e 4b } + $sequence_1 = { 001c87 42 002483 42 } + $sequence_2 = { 0003 9a4100539a4100 879a4100d19a 41 } + $sequence_3 = { 001c83 42 00a887420014 834200bc } + $sequence_4 = { 001c99 41 004999 41 } + $sequence_5 = { 0008 874200 fc 8242003c } + $sequence_6 = { 0004054100d005 41 00d0 0541001505 } + $sequence_7 = { 0000 55 8bec 83c4f0 } condition: 7 of them and filesize < 1736704 
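Review bot: The regenerated `strings:` section of MALPEDIA_Win_Onliner_Auto looks much weaker than the set it replaces, and the unchanged condition `7 of them and filesize < 1736704` now has almost no slack. The new side has only eight patterns (`$sequence_0` to `$sequence_7`), so a single miss is all the rule tolerates. None of them carries a `??` wildcard, and most, such as `{ 001c87 42 002483 42 }`, read like runs of absolute 0x0041xxxx/0x0042xxxx addresses rather than instructions; that reading is inferred from the byte values, not confirmed. `$sequence_7 = { 0000 55 8bec 83c4f0 }` is padding followed by an ordinary function prologue and adds little specificity. Because this file is a vendored, generated bundle, the fix belongs upstream rather than in a hand edit here; before relying on this release, I would re-run the rule against a retained Onliner sample and a goodware set. The rule's opening line and closing brace are outside this hunk.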
@@ -122960,42 +123660,42 @@ rule MALPEDIA_Win_Younglotus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "04c5b48c-c00c-5587-800f-b26c8ea57f39" - date = "2026-01-05" - modified = "2026-01-06" + id = "554380af-366d-53a8-8c28-aef30d98c1a4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.younglotus_auto.yar#L1-L171" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.younglotus_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "0969f03b284985af7df0ddb5d516ceb371a29a3573bcea4b892c82226c445838" + logic_hash = "aacec19b197e5dcfdea8930de258c96adf4bce4ad48726b17cf7c20f4827ae63" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 6802000080 e8???????? 83c41c 6a01 } - $sequence_1 = { c745e800000000 c745fc00000000 837d0c03 754c 6a03 } - $sequence_2 = { 8945c8 68???????? 8b45c8 50 } - $sequence_3 = { 83c404 8b4de0 51 ff55dc } - $sequence_4 = { c745ec00000000 c745fc00000000 8b450c 50 8b4d08 51 8b55e8 } - $sequence_5 = { 50 8b8d9cfeffff 51 ff15???????? c785a0feffff00000000 } - $sequence_6 = { 8b8d5cfeffff 83c114 e8???????? c645fc01 8b8d5cfeffff 83c124 e8???????? } - $sequence_7 = { 8b4508 50 e8???????? 83c404 8945a0 837da000 } + $sequence_1 = { eb02 ebc9 8b45f8 50 } + $sequence_2 = { ff15???????? 
8945d8 68???????? 8b55c8 52 ff15???????? 8945d0 } + $sequence_3 = { 3419 8b4d08 034dfc 8801 8b5508 } + $sequence_4 = { 64a100000000 50 64892500000000 81c4d0feffff 53 56 } + $sequence_5 = { 8d95a8faffff 52 ff15???????? 83c408 } + $sequence_6 = { 51 68???????? 68???????? ff15???????? 83c408 } + $sequence_7 = { 8d85f8fdffff 50 68???????? 8d8df8fdffff 51 ff15???????? } $sequence_8 = { 53 56 57 68???????? ff15???????? 8945dc 68???????? } - $sequence_9 = { 8b703c 03f0 813e50450000 0f85e8000000 } - $sequence_10 = { 83f802 7503 33c0 c3 6a01 58 } - $sequence_11 = { e8???????? 83c41c 8d85e8feffff 6804010000 53 50 } - $sequence_12 = { 33f6 8975fc 397508 68ff010000 56 56 } - $sequence_13 = { 85c0 8945f4 7e49 6a04 53 50 } - $sequence_14 = { ff750c ff7508 50 e8???????? 8d430f 83c40c } - $sequence_15 = { bf00040000 57 8d85e4fbffff 53 50 e8???????? } + $sequence_9 = { 8d85e8feffff 68???????? 50 ff15???????? 6a01 } + $sequence_10 = { 837c240c00 c706???????? 740f ff74240c 68???????? ff15???????? 8b442410 } + $sequence_11 = { 50 ff15???????? 83c40c 8d85f8fdffff 6a00 } + $sequence_12 = { 8b35???????? 8365fc00 8bf8 68???????? } + $sequence_13 = { 8bf8 8b45fc 33c9 6a04 } + $sequence_14 = { e8???????? 8b45fc 83c40c 80cc10 } + $sequence_15 = { 51 ffd0 50 ffd3 } condition: 7 of them and filesize < 106496 
@@ -123005,48 +123705,48 @@ rule MALPEDIA_Win_Vawtrak_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce9fb6b0-3a67-57cc-b4c0-309ef9ca9f22" - date = "2026-01-05" - modified = "2026-01-06" + id = "779e17e2-0a5b-503c-9ec0-b238e6b49565" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vawtrak_auto.yar#L1-L207" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vawtrak_auto.yar#L1-L207" license_url = "N/A" - logic_hash = "0909b4692ca0a0193737f7d7a0d93f3e3c94141796cfc88c3ca14d523aa0a3d1" + logic_hash = "ba996f83019663a7eecfbae0747c28c946b24c8682ad79bc04bea8c2b6f7a6d5" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a01 ff35???????? 6a04 6a01 } - $sequence_1 = { 6a04 6a01 50 ff15???????? 85c0 } - $sequence_2 = { 6a00 6a00 e8???????? 50 ff15???????? } - $sequence_3 = { 85c0 7415 ff15???????? 50 ff15???????? 6aff } - $sequence_4 = { ba00ff0000 8bc1 23c2 3bc2 } - $sequence_5 = { 69d26d4ec641 81c239300000 2ac2 8801 } - $sequence_6 = { e8???????? eb09 a804 7405 e8???????? 803d????????00 } - $sequence_7 = { 6a08 68???????? 56 ffd7 85c0 } - $sequence_8 = { ff15???????? a3???????? 85c0 74e7 } - $sequence_9 = { 7528 68???????? ff15???????? 85c0 7504 33c0 } + $sequence_0 = { 6a01 ff35???????? 
6a04 6a01 50 } + $sequence_1 = { 6a00 6a00 e8???????? 50 ff15???????? } + $sequence_2 = { e8???????? 837d1040 752d 8b4d04 e8???????? 85c0 7421 } + $sequence_3 = { ba00ff0000 8bc1 23c2 3bc2 } + $sequence_4 = { 69d26d4ec641 81c239300000 2ac2 8801 } + $sequence_5 = { 0fb6c9 81c900ff0000 e8???????? 85c0 } + $sequence_6 = { ff15???????? a3???????? 85c0 74e7 } + $sequence_7 = { 7528 68???????? ff15???????? 85c0 7504 } + $sequence_8 = { 6a08 68???????? 56 ffd7 85c0 } + $sequence_9 = { e8???????? 33d2 b9ff3f0000 f7f1 } $sequence_10 = { 59 57 8bf0 ff15???????? 8bc6 } - $sequence_11 = { e8???????? 33d2 b9ff3f0000 f7f1 } - $sequence_12 = { 8bc6 8703 3bc6 74f8 } - $sequence_13 = { 8d429f 3c0f 7705 80ea61 eb0a 8d42bf 3c0f } - $sequence_14 = { ff7510 ff750c ff7508 e8???????? 83c40c 8d45fc 50 } + $sequence_11 = { 8bc6 8703 3bc6 74f8 } + $sequence_12 = { eb04 8b01 8907 e8???????? } + $sequence_13 = { ff750c ff7508 e8???????? 83c40c 8d45fc } + $sequence_14 = { f3aa 5f 5d c3 55 8bec 51 } $sequence_15 = { c1e910 e9???????? 8ac1 c1e904 c0e004 } $sequence_16 = { 8ac8 240f 80e1f0 80c110 } $sequence_17 = { 3c41 7c11 3c46 7f0d } - $sequence_18 = { 03ea 03ff 03db 4883fe1e } - $sequence_19 = { 4533c0 488bd6 488bcd 48897c2428 4889442420 ff15???????? } - $sequence_20 = { 400f95c7 4533c9 4533c0 ff15???????? } - $sequence_21 = { 488364242000 4c8d442430 4533c9 33d2 } + $sequence_18 = { 488364242000 4c8d442430 4533c9 33d2 c744243001000000 c744243c02000000 } + $sequence_19 = { 40883c08 ff430c e9???????? 0f86bf000000 81c7fffeffff 83ff1d } + $sequence_20 = { 4885c0 7523 488b0b ff15???????? } + $sequence_21 = { 4885c9 7504 33c0 eb43 ff15???????? 8d7001 } condition: 7 of them and filesize < 1027072 
@@ -123056,42 +123756,42 @@ rule MALPEDIA_Win_Laturo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f1cda2c1-6a5a-560d-b916-62a96cbfcef4" - date = "2026-01-05" - modified = "2026-01-06" + id = "98d40c94-b7bc-59a3-90e9-3d3cbb975d15" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.laturo_auto.yar#L1-L175" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.laturo_auto.yar#L1-L179" license_url = "N/A" - logic_hash = "fadff8d37ea5314574a4da4608d7ce7e1536afc4770400da40abe05fbc19031e" + logic_hash = "527994ff8a64611a3b4923dfec436ab105c6a6829fbdd226093aaafb3854beb4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 418bf0 4c8d0d83b80000 8bda 4c8d0572b80000 488bf9 488d1570b80000 } - $sequence_1 = { 88442438 807c243801 7413 807c243802 743a } - $sequence_2 = { 57 4883ec78 c744242000000000 e8???????? 
48833d????????00 0f84fb010000 488b8c2490000000 } - $sequence_3 = { 4889442410 837c244c40 750d 0fb60424 88442403 } - $sequence_4 = { 3b442450 740a 8b442420 89442424 } - $sequence_5 = { 4883ec38 488b442440 48833800 747b c744242000000000 eb0a } - $sequence_6 = { 25f0000000 3d80000000 0f8521010000 0fb6442450 488b4c2430 4803c8 488bc1 } - $sequence_7 = { 4488742470 eb22 488d3d720a0100 eb19 488d3d610a0100 eb10 } - $sequence_8 = { eb3f f6c201 740d 8b0e 8d41fb 3985e0fdffff 7430 } - $sequence_9 = { 2502ffffff eb0d 8b45f4 807dfa05 0fb6c0 } - $sequence_10 = { 8a4dff d3e0 84c0 7907 } - $sequence_11 = { c745d500000000 66c745c40f80 c745c600000000 c645ff00 897de4 } - $sequence_12 = { c645f404 eb2b c645f401 eb25 f6c110 7410 } - $sequence_13 = { 51 0f95c0 6a40 8d044505000000 50 53 } - $sequence_14 = { 43 884210 2a5dd8 881a 80fb0f 7615 814a1800500000 } - $sequence_15 = { 68???????? 897df8 ff15???????? 85c0 742a 8b3d???????? 83fe20 } + $sequence_0 = { 25fd000000 3de9000000 0f85e4000000 0fb6442450 488b4c2430 4803c8 488bc1 } + $sequence_1 = { 488b4c2428 894120 8b442478 83e001 c1e002 } + $sequence_2 = { 48894c2428 89542420 4c8d0d574effff 4c8b4570 8b5568 } + $sequence_3 = { 660feb15???????? 660feb0d???????? 
4c8d0de4910000 f20f5cca f2410f590cc1 660f28d1 660f28c1 } + $sequence_4 = { 8b4021 83c820 488b8c24a8000000 894121 488b8424a8000000 488b4c2410 } + $sequence_5 = { 39442420 7342 8b442420 488b4c2440 488b09 448b0481 33d2 } + $sequence_6 = { eb76 488b8424a8000000 0fb60c24 884802 0fb6442401 83c820 88442401 } + $sequence_7 = { 4889442440 0fb644245b 25f0000000 83f870 7411 } + $sequence_8 = { 8a4dfc be04000000 0fb6c0 83e800 741f 83e801 } + $sequence_9 = { c1fa06 8934b8 8bc7 83e03f 6bc830 8b049530430110 8b440818 } + $sequence_10 = { eb07 8b0cc5fc1b0110 894de4 85c9 7455 } + $sequence_11 = { c1ea03 33c9 83e20f 7640 8b5e08 0fb6440e20 03c3 } + $sequence_12 = { 0fbe45b8 03c8 8b5de8 8b03 3bc1 7718 83c005 } + $sequence_13 = { 33f6 c745fc00000000 56 6a01 } + $sequence_14 = { 8b03 03de 894214 8b45f0 eb30 } + $sequence_15 = { 8a65fb 8bf7 84e4 754e 80fdd9 7249 80fddf } condition: 7 of them and filesize < 253952 
@@ -123101,36 +123801,36 @@ rule MALPEDIA_Win_Appleseed_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6233653f-8647-5513-96a5-b2cd884fdea1" - date = "2026-01-05" - modified = "2026-01-06" + id = "5e75ff8d-dcc6-5c49-b79f-c03df6c864fe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.appleseed_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.appleseed_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "142435c8e7521abcc92619a4e86e241d8250a7e1e464619e8d897ededc2c5423" + logic_hash = "498815391cb94c3e1010d2da48bc884a430b5773abee5b451ff2f5206fb77443" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4989742410 41c6042400 49837f1810 7208 498b0f e8???????? 49c747180f000000 } - $sequence_1 = { 0f8414010000 488d15d2160200 488d4db8 e8???????? 90 488d55d8 488bc8 } - $sequence_2 = { 48894c2470 33f6 89742440 48c741180f000000 48897110 408831 4533c0 } - $sequence_3 = { 48837dd010 7209 488b4db8 e8???????? 48833d????????00 0f847c180000 48c745d00f000000 } - $sequence_4 = { 480f434daf 488b5d07 4c8bc3 4c8b75bf 4c3bf3 4d0f42c6 4d85c0 } - $sequence_5 = { 4889742440 4088742430 448d463c 488d1524b40100 488d4c2430 e8???????? 
90 } - $sequence_6 = { 488b5c2438 4883c420 5e c3 488d0d887c0200 e8???????? } - $sequence_7 = { 48897310 c60300 48837d9810 7209 488b4d80 } - $sequence_8 = { e8???????? 488325????????00 4883c428 c3 488d05310a0200 c3 4053 } - $sequence_9 = { 488bfa 488bf1 4533f6 4489742460 44887580 33d2 41b8ff030000 } + $sequence_0 = { 48c745d80f000000 488975d0 c645c000 4d8bce 4533c0 498bd4 488d4dc0 } + $sequence_1 = { 488d4db8 e8???????? 48833d????????00 0f84d5110000 488d151b1b0200 488d4db8 e8???????? } + $sequence_2 = { e8???????? 488b8d90000000 4833cc e8???????? 488b9c24b0010000 4881c4a0010000 } + $sequence_3 = { 488b8d00010000 e8???????? 48c785180100000f000000 4889bd10010000 c6850001000000 4883bdf800000010 } + $sequence_4 = { 48c74424580f000000 48c744245000000000 c644244000 897c2428 } + $sequence_5 = { 48833d????????00 0f84f50b0000 488d1533190200 488d4db8 e8???????? 90 488d55d8 } + $sequence_6 = { 488d4c2420 e8???????? 90 48c745a00f000000 4c896d98 c6458800 4983c9ff } + $sequence_7 = { 488b05???????? 4833c4 48898590000000 488d4d70 } + $sequence_8 = { 48ffc7 803c3a00 75f7 488d4c2450 4c8bc7 e8???????? 488d4c2450 } + $sequence_9 = { 4883feff 748e 41b904010000 4c8d842460010000 33d2 488bce ff15???????? } condition: 7 of them and filesize < 497664 
@@ -123140,36 +123840,36 @@ rule MALPEDIA_Win_Erebus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "39f02208-f6d1-53ec-bb2d-e4d6d7fbb231" - date = "2026-01-05" - modified = "2026-01-06" + id = "b55f6d61-5516-52a8-9f11-bbc6c3256406" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.erebus_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.erebus_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "720efa579203a9c164159e94c36d17e968a866b84ffb4b18a083c36176a0a8d5" + logic_hash = "58a7097f7d645c280477f955a2776e0b140b8f1b0ba314c39e5de6941820eb32" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 53 50 52 8bcf e8???????? 837d1c08 } - $sequence_1 = { 32db eb02 b301 57 e8???????? 83c404 c7442420ffffffff } - $sequence_2 = { 83c430 837dec10 720b ff75d8 e8???????? 83c404 837d1c10 } - $sequence_3 = { 55 57 8bf9 3bfa 7412 8d049d00000000 50 } - $sequence_4 = { 732f 8a80c4244f00 8d4da8 88857cfeffff ffb57cfeffff 6a01 e8???????? } - $sequence_5 = { 8d4e38 e8???????? 8d87e4000000 50 8d8ee4000000 e8???????? 5f } - $sequence_6 = { 8b542410 f30f6f40f0 83c708 8d4920 8d4020 660f380005???????? 
f30f7f41e0 } - $sequence_7 = { 83c40c 8b4610 89442444 8b542450 33c0 8b742454 8bca } - $sequence_8 = { 83f905 7d10 668b444b0c 6689044d0c775200 41 ebe8 8bce } - $sequence_9 = { bd20000000 83c6fc 2be9 03f2 8b16 8d76fc } + $sequence_0 = { 57 ff750c e8???????? 83c41c 8d4c246c ffb424b4000000 ffb424bc000000 } + $sequence_1 = { 83fa40 7707 ba40000000 eb19 8d42ff 8d4c241c 8944241c } + $sequence_2 = { 7433 8b07 83f81d 7d2c 83f81a 7c06 837d0c04 } + $sequence_3 = { e8???????? 83c404 c645fc06 83bd14ffffff10 c745c00f000000 c745bc00000000 c645ac00 } + $sequence_4 = { c741140f000000 c7411000000000 50 c60100 e8???????? 8d8d30ffffff e8???????? } + $sequence_5 = { ff35???????? 50 e8???????? ff35???????? e8???????? 83c404 8d045b } + $sequence_6 = { 68???????? c744241000000000 c705????????402b4f00 e8???????? 83c404 8b442414 8b4c2418 } + $sequence_7 = { 8d44240c c644245c00 50 c7442410a0fb4f00 e8???????? 8b4c2450 64890d00000000 } + $sequence_8 = { 2142fc 5b 5f 5e c20400 68???????? e8???????? } + $sequence_9 = { 8bcb 6a00 8b4014 ffd0 8b7510 8d4c2478 0fb6c0 } condition: 7 of them and filesize < 2564096 
@@ -123179,36 +123879,36 @@ rule MALPEDIA_Win_Mozart_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6ef70f1-9d8c-5900-bac0-94145c939b8a" - date = "2026-01-05" - modified = "2026-01-06" + id = "83806af7-d9bd-5675-873d-31f6311ab16c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mozart_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mozart_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "3d072f882d8d032cd0ba33880719776c6c63b0d1fb641e5640a7afb53ae04bf9" + logic_hash = "99ae6bb8e4f475ba6d77c0ab9a4ae5829ba89933aab4d79d20ca7b2e5c413440" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33f6 c644241800 eb26 8d4c2418 51 } - $sequence_1 = { 8b542468 41 3bca 736e 8bd0 } - $sequence_2 = { 7c19 3c39 7f15 bd01000000 eb08 3c30 7c36 } - $sequence_3 = { 7471 c1e006 0bc7 a900000001 7425 } - $sequence_4 = { 0f84a0010000 48 0f84e6000000 48 0f85fd010000 85ed 7544 } - $sequence_5 = { 0fbe0a 8a89c8924000 0fb6f9 8bcf 42 83e940 } - $sequence_6 = { 8a08 40 84c9 75f9 8b8c2420100000 } - $sequence_7 = { 90 8a82e0ba4000 3a841420010000 751f b8???????? 
} - $sequence_8 = { 83fe10 7409 33f6 c644241800 eb39 80fb3d 740e } - $sequence_9 = { 3bd0 72e2 5e 32c0 } + $sequence_0 = { 7471 57 8b15???????? a1???????? } + $sequence_1 = { 8bc7 2bc6 50 51 56 } + $sequence_2 = { c3 ff15???????? 33d2 3d14050000 0f95c2 4a 83e204 } + $sequence_3 = { f6c410 741a 8b542420 8b0a 45 3be9 760a } + $sequence_4 = { 3bca 736e 8bd0 c1ea0c 83e23f } + $sequence_5 = { 8d3c85c0db4000 8b07 83e61f c1e603 } + $sequence_6 = { 8bd9 33d2 85db 7c12 8d0495f8c84000 } + $sequence_7 = { 84c0 7546 8d942418010000 52 56 e8???????? } + $sequence_8 = { 50 6a01 ffd6 8b35???????? 50 ffd6 8b4c2408 } + $sequence_9 = { 83c408 5d c20400 833d????????02 750d } condition: 7 of them and filesize < 114688 
@@ -123218,36 +123918,36 @@ rule MALPEDIA_Win_Dispcashbr_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "55df9dfe-3a05-5311-b783-4a51e2e4694d" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d906369-ab72-596d-b376-4acc9669d1a2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dispcashbr_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dispcashbr_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "086284cd3c4f836fd2903e8ee5f20f6af858fd595f5b202fe80164aaffa860ae" + logic_hash = "0e34e30f9b9fd7ae522b86423487368ba913a525ba8a084fcc0f22ae0efde288" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83ec08 c7442408c8ffffff c7442404???????? } - $sequence_1 = { e8???????? e9???????? c70424f5ffffff e8???????? } - $sequence_2 = { c744240404000000 890424 e8???????? 83ec08 c7442408f2ffffff } - $sequence_3 = { c744240404000000 890424 e8???????? 83ec08 c7442408c9ffffff c7442404???????? a1???????? } - $sequence_4 = { c744240404000000 890424 e8???????? 83ec08 c7442408eaffffff c7442404???????? a1???????? } - $sequence_5 = { 890424 e8???????? 83ec08 c7442408c8ffffff } - $sequence_6 = { e8???????? 83ec08 c7442408c9ffffff c7442404???????? a1???????? 
83c020 890424 } + $sequence_0 = { e8???????? 83ec08 c7442408ceffffff c7442404???????? } + $sequence_1 = { e8???????? 83ec08 c7442408eaffffff c7442404???????? } + $sequence_2 = { c744240404000000 890424 e8???????? 83ec08 c7442408ccffffff c7442404???????? a1???????? } + $sequence_3 = { e8???????? 83ec08 c7442408c9ffffff c7442404???????? } + $sequence_4 = { ffe0 a1???????? 83c020 8944240c c744240822000000 } + $sequence_5 = { 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408d9ffffff c7442404???????? } + $sequence_6 = { c7442408fcffffff c7442404???????? a1???????? 83c020 890424 e8???????? } $sequence_7 = { c744240404000000 890424 e8???????? 83ec08 c7442408fcffffff c7442404???????? } - $sequence_8 = { 83c020 8944240c c744240822000000 c744240401000000 c70424???????? e8???????? } - $sequence_9 = { 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408e6ffffff c7442404???????? } + $sequence_8 = { 890424 e8???????? 83ec08 c7442408caffffff c7442404???????? a1???????? 83c020 } + $sequence_9 = { e8???????? 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408ceffffff } condition: 7 of them and filesize < 123904 
@@ -123257,36 +123957,36 @@ rule MALPEDIA_Win_Vx_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "819f769e-28ec-57e1-97b7-877072140604" - date = "2026-01-05" - modified = "2026-01-06" + id = "941970f3-acd1-5d76-a161-eb83ac443b4a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vx_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vx_rat_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vx_rat_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "97c6bacd6a4877ccea5be5ba5b0fe3c6e6fc6df11d41b5e80278399e84bfb336" + logic_hash = "6e0437926602f26dec13f159f210507f9809f0c1e755d4de82980349c13c6c34" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d45f4 64a300000000 8bf1 8b1d???????? c70600000000 c7461400000000 85db } - $sequence_1 = { 8b0d???????? 8bd3 ff7608 6a32 50 } - $sequence_2 = { e9???????? d9ee 84cd 0f84d2ae0000 d9e0 e9???????? ddd8 } - $sequence_3 = { a1???????? 833c0700 7518 6a28 e8???????? 8b0d???????? 
83c404 } - $sequence_4 = { 8b45b8 03c0 c78540fdffff07000000 6889000000 } - $sequence_5 = { 8bca c1f906 83e23f 6bd238 8b0c8d10df4300 88441129 } - $sequence_6 = { 8b048510df4300 f644082801 7406 8b440818 5d } - $sequence_7 = { 8b4ddc 8b45e8 8b0c8d10df4300 f644082804 7416 8a45ec } - $sequence_8 = { 55 8bec 8b4510 56 8b750c 8b0e 3b0c8514e24300 } - $sequence_9 = { 68e0070000 57 e8???????? ffb5d8f7ffff eb0c 68e0070000 } + $sequence_0 = { 894de8 33f6 8955ec 6a00 50 } + $sequence_1 = { ffb574f7ffff ffd6 e9???????? 80f921 7527 a1???????? 85c0 } + $sequence_2 = { c645fc08 8b9530ffffff c78544ffffff00000000 c78548ffffff07000000 66898534ffffff 83fa08 } + $sequence_3 = { ff742424 ff15???????? e8???????? 85c0 7509 e8???????? } + $sequence_4 = { 8b45e4 0f4355d4 03c0 8b4dac } + $sequence_5 = { b9???????? 8601 6a00 6a00 6a00 56 } + $sequence_6 = { 8d8518f8ffff 50 e8???????? 83c40c eb1d e8???????? } + $sequence_7 = { 8b148d10df4300 0355b0 8a0c03 03d3 43 } + $sequence_8 = { 8d500d a1???????? 8945e8 8bc1 894dec 8955e4 85c9 } + $sequence_9 = { e8???????? c745fcffffffff e9???????? 83c8ff 8b4df4 64890d00000000 } condition: 7 of them and filesize < 550912 
@@ -123296,62 +123996,62 @@ rule MALPEDIA_Win_Rovnix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "32481422-18fb-556e-8e6c-7773a418af62" - date = "2026-01-05" - modified = "2026-01-06" + id = "96cca0a7-218f-5ee0-9ffd-50cbfca54b67" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rovnix_auto.yar#L1-L329" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rovnix_auto.yar#L1-L326" license_url = "N/A" - logic_hash = "ba6bf6a0e452ea16caba209e420afba03e6b6e5de61f66132ac7c6a92113c249" + logic_hash = "09bad611863bfd4b106094172a565d95276a93c2f1fd033ad8314dfd7e9f170e" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c335 c1e902 ad 2bc3 } - $sequence_1 = { 57 6a00 ffd2 89442408 8bcf } - $sequence_2 = { ad 2bc3 ab e2fa 61 } - $sequence_3 = { 837c242c00 7405 57 6a00 } - $sequence_4 = { 8b15???????? 83e7f0 89542418 83c710 8bea } + $sequence_0 = { be???????? 8b15???????? 83e7f0 89542418 83c710 } + $sequence_1 = { 837c242c00 7405 57 6a00 ffd2 } + $sequence_2 = { 6a00 ffd2 89442408 8bcf } + $sequence_3 = { c1e902 ad 2bc3 ab e2fa } + $sequence_4 = { 8bf8 83c335 c1e902 ad } $sequence_5 = { 60 bf40090000 be???????? 8b15???????? 
} - $sequence_6 = { 8b4d0c 897604 8936 8d7e08 } - $sequence_7 = { 8b7e10 eb06 8b5d0c 8b7d08 8bcf } - $sequence_8 = { 8bc2 c1e802 25ff000000 8d4cc324 8b01 } - $sequence_9 = { 85c0 e8???????? 8be5 5d } - $sequence_10 = { 25ff000000 8d4cc624 8b01 3bc1 } - $sequence_11 = { 3bc1 75f3 395e14 7511 ff4e18 } - $sequence_12 = { 894804 8b4608 8b4e0c 8901 894804 8b4718 } - $sequence_13 = { 894f04 8939 897804 ff4308 } - $sequence_14 = { 8975e4 c745ec40020000 8975e8 8975f0 } - $sequence_15 = { 83f919 7703 83c220 85c0 7404 } - $sequence_16 = { e8???????? 8be5 5d c3 85c0 e8???????? } - $sequence_17 = { 5d c3 85c9 e8???????? } - $sequence_18 = { 55 8bec 85db 85c9 } - $sequence_19 = { 23c9 16 85c9 23d2 } - $sequence_20 = { 23db 81e1ff000000 23c9 83440c0404 } - $sequence_21 = { 89442408 8bcf bb1092c63b 8bf8 83c335 c1e902 } - $sequence_22 = { 57 4883ec20 488b35???????? 33c9 bb9a0000c0 e8???????? 33ed } - $sequence_23 = { aa 27 ff44a8d2 4b } - $sequence_24 = { e8???????? 483bf3 75ea 4883c310 4983ec01 75db 8a5508 } - $sequence_25 = { 85c9 23c0 8be5 5d c20800 159e9dc35a fa } - $sequence_26 = { 488d8c2400010000 ba00001080 895c2428 897c2420 ff15???????? 85c0 7914 } - $sequence_27 = { 488905???????? 4a8d0c10 eb0d 488b02 488905???????? 488b0a 488b05???????? } - $sequence_28 = { 6232 27 0149bc 2ec9 } - $sequence_29 = { 8bec 23db 16 23c9 59 } - $sequence_30 = { d147f0 79f4 28f8 8fc1 } - $sequence_31 = { ae d7 b81fe9f60b e8???????? 7660 b85c8e6189 } - $sequence_32 = { 488b4128 4883c120 488905???????? 48890d???????? 4c8918 4c895908 33c0 } - $sequence_33 = { 488bcf ff15???????? 4c8d5c2470 8bc3 498b5b30 498b6b38 498b7348 } - $sequence_34 = { 83440c0404 23c9 8be5 5d c20400 95 367a3e } - $sequence_35 = { 4c397500 741e 837d04ff 750f 837d00ff 7512 488b4308 } + $sequence_6 = { 85c0 e8???????? 8be5 5d } + $sequence_7 = { 7703 83c220 85c0 7404 } + $sequence_8 = { 8d4e1c 8908 8b4508 c7461801000000 } + $sequence_9 = { 8975d4 8975dc 8975e0 ff15???????? 
85c0 } + $sequence_10 = { 894804 8b4608 8b4e0c 8901 894804 8b4718 85c0 } + $sequence_11 = { eb06 8b5d0c 8b7d08 8bcf } + $sequence_12 = { 8d7e08 897f04 893f 894e14 895e10 } + $sequence_13 = { c745ec40020000 8975e8 8975f0 8975f4 ff15???????? 85c0 } + $sequence_14 = { 8b4d0c 897604 8936 8d7e08 897f04 } + $sequence_15 = { 8b00 3bc1 75f3 395e14 } + $sequence_16 = { 23c9 16 85c9 23d2 } + $sequence_17 = { 5d c3 85c0 e8???????? } + $sequence_18 = { 23db 81e1ff000000 23c9 83440c0404 } + $sequence_19 = { 55 8bec 85db 85c9 } + $sequence_20 = { 8be5 5d c3 85c9 e8???????? } + $sequence_21 = { 9f ed c43f d332 92 33d3 3a922fd34292 } + $sequence_22 = { 6689442444 0fb7c1 66c1e909 66c1e805 6683e00f 6689442442 } + $sequence_23 = { 83c710 8bea b89b97d1c2 05???????? 05???????? 2d9b97d0c2 837c242c00 } + $sequence_24 = { 488364245800 488364247000 488364247800 488d442430 4c8d4c2440 } + $sequence_25 = { 45 7d58 95 08c1 a3???????? } + $sequence_26 = { 0b616c 16 00ef 7d18 48 f1 7067 } + $sequence_27 = { ab e2fa 61 ba54060000 03ea } + $sequence_28 = { 488d4c2448 448d4228 e8???????? 488d0503fcffff } + $sequence_29 = { 488b442438 443838 7409 ffc1 } + $sequence_30 = { 498943f0 49895bf8 41c643bbe0 488b0d???????? 488bd7 ff15???????? } + $sequence_31 = { 4489742428 448bc9 894c2420 488b4d00 450fafcc 4c034d10 } + $sequence_32 = { 488b4ccb08 e8???????? ff0b 3933 75e5 } + $sequence_33 = { 74e5 01c4 035dfc 022464 b428 40 40 } + $sequence_34 = { 16 d24055 2672f7 6232 ce 3d2033ce3d 6215???????? } + $sequence_35 = { 46 92 c55151 a2???????? d24b46 92 c55151 } condition: 7 of them and filesize < 548864 
@@ -123361,36 +124061,36 @@ rule MALPEDIA_Win_Bagle_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fe60543c-8794-58a6-ba42-981191e2cc82" - date = "2026-01-05" - modified = "2026-01-06" + id = "3d6fb2ec-2002-5a88-bf6b-4d42e5c04418" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bagle_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bagle_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "eb49ea6ae472fea8285550f6b2bf1be9757590ced359fd50f12f529f0e70029d" + logic_hash = "608ca2fefabc2e405950aa99ace2873cf3777aacad49cf543e323b2ef9538bb9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b03d f3aa 5b 5f } - $sequence_1 = { e340 ac c1e010 83f901 740b } - $sequence_2 = { 56 57 53 8b7508 8b7d0c 8b4d10 33db } - $sequence_3 = { 6a00 6a00 6a04 50 e8???????? 0bc0 } - $sequence_4 = { 042b aa c3 55 8bec } - $sequence_5 = { 68???????? e8???????? 68???????? 68???????? e8???????? 6804010000 } - $sequence_6 = { 2bf9 b03d f3aa 5b } - $sequence_7 = { 2bf9 b03d f3aa 5b 5f 5e } - $sequence_8 = { 0bc0 7426 6880000000 68???????? } - $sequence_9 = { 668945f2 c745f400000000 6a06 6a01 6a02 e8???????? 
8bd8 } + $sequence_0 = { 57 53 8b7508 8b7d0c 8b4d10 } + $sequence_1 = { 7426 6880000000 68???????? e8???????? 6a00 6a00 6a00 } + $sequence_2 = { 6880000000 68???????? e8???????? 6a00 6a00 6a00 } + $sequence_3 = { e8???????? 0bc0 7426 6880000000 } + $sequence_4 = { 68???????? e8???????? 0bc0 7426 6880000000 } + $sequence_5 = { 7426 6880000000 68???????? e8???????? 6a00 6a00 } + $sequence_6 = { 75e2 c3 55 8bec 56 } + $sequence_7 = { f3aa 5b 5f 5e c9 } + $sequence_8 = { 68???????? e8???????? 0bc0 7426 6880000000 68???????? e8???????? } + $sequence_9 = { 83e903 79c6 f7d9 2bf9 } condition: 7 of them and filesize < 245760 
@@ -123400,42 +124100,42 @@ rule MALPEDIA_Win_Blindingcan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "acf0a9ea-8e05-5582-9c4c-05db475e1e05" - date = "2026-01-05" - modified = "2026-01-06" + id = "7fd302e7-fd2c-50df-b2a0-1a6d431c6b3a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blindingcan_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blindingcan_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "106ff295c55cb42cf4cd73966a6c4c30703711b6e069188fdbe10ead59c40c1a" + logic_hash = "92e4319977551df3fd2ef0b0a9fbbd2aa0b1b91e8cddb3206851a2859f8eb343" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745cc2932779f 66c745d0e35b c745d45df0da89 c745d87b772e76 c745dc62a9f6c4 c745e0d29c1f7b } - $sequence_1 = { a1???????? 
33c5 8945fc 56 57 8d85f8f7ffff } - $sequence_2 = { 750a 8b30 89b495fcfeffff 42 83c00c 49 } - $sequence_3 = { c7857cfeffff36a54e6b c78580feffff5c01611e c78584feffffb5dcfc68 c78588feffff6ce7a33a c7858cfeffffafe2e55a c78590feffff74c31dff c78594feffff657f9183 } - $sequence_4 = { c78514fdffff7532479f c78518fdffffe35bc9c0 c7851cfdfffffc9c461f c78520fdffff9821ddfa c78524fdffff589a8f7a } - $sequence_5 = { c78554feffffa14b0c27 c78558feffff10c0aac6 c7855cfeffff489a8471 c78560feffff9cab4ad6 c78564feffff67cf2900 c78568feffff02dbaeb5 } - $sequence_6 = { 83c40c 85f6 741f 68???????? 68???????? 6a00 } - $sequence_7 = { c78504fdfffff79d6681 c78508fdffffbfa7f8a5 c7850cfdffffa0118db8 c78510fdffff4d3feb78 } - $sequence_8 = { 8bca e8???????? 85c0 7409 e8???????? } - $sequence_9 = { 99 f7fe 8bca e8???????? } - $sequence_10 = { b990190000 66394802 7574 488b35???????? 33d2 } - $sequence_11 = { 488bd3 ff15???????? 4c21642438 4c21642430 895c2428 83cbff } - $sequence_12 = { 4c8bc9 753b 0fb789a8040000 b8bb010000 ba00010000 } - $sequence_13 = { 488d4dd0 ff15???????? 488d55b8 488d4dd0 ff15???????? f20f102d???????? } - $sequence_14 = { 4533848410cb0100 4533451c 418bc0 c1e810 } - $sequence_15 = { 488bf8 483bc3 7423 448d4e81 448d4684 488d542440 } + $sequence_0 = { dc1d???????? dfe0 f6c405 7bd5 } + $sequence_1 = { a1???????? 
33c5 8945f8 8b4508 db00 } + $sequence_2 = { 750a 8b10 8994bdfcfdffff 47 } + $sequence_3 = { c785f8fcffffe25fcedf c785fcfcfffff15112b2 c78500fdffffc2840aa6 c78504fdfffff79d6681 } + $sequence_4 = { c7858cfeffffafe2e55a c78590feffff74c31dff c78594feffff657f9183 c78598feffffa78b5b05 c7859cfeffff87f53e0c c785a0feffff074f9b22 c785a4feffff7c7277e4 } + $sequence_5 = { c745a453e8ba52 c745a8b67dbc8f c745ac3a39b69d c745b08c5fbadf c745b4e13300b2 } + $sequence_6 = { c785c0feffff10d43c68 c785c4feffff7c9f1888 c785c8feffff1ce6ae9e c785ccfeffff64ceb0a1 c785d0feffff2d58cb71 c785d4feffff62c2f218 } + $sequence_7 = { c78508ffffffdcb29bd9 c7850cffffff5e41f6d0 c78510ffffff75bb0656 c78514ffffff47cdfbc7 c78518ffffff79ecb859 } + $sequence_8 = { f7fe 8bca e8???????? 85c0 7409 e8???????? 85c0 } + $sequence_9 = { 48832300 4883c310 48ffce 75d4 488d1d9f0e0100 488b4bf8 4885c9 } + $sequence_10 = { 45339c8c10c30100 45339c8410cb0100 418bc2 41c1ea10 45335d44 c1e818 0fb6d0 } + $sequence_11 = { 4533848410cb0100 4533456c 418bc0 c1e810 0fb6d0 418bc1 418bb49410c30100 } + $sequence_12 = { e8???????? 488d0dcfdb0100 448bc6 33d2 e8???????? 488bcb 33f6 } + $sequence_13 = { 488b15???????? b918200000 4533c9 458bc4 e8???????? 33db 85c0 } + $sequence_14 = { 4533e4 488bf9 448bc3 488d95f0030000 458d6c2401 498d80fefdff7f 4885c0 } + $sequence_15 = { ff15???????? 83f802 0f8c9f020000 488bcf ff15???????? 83f804 0f8c8d020000 } condition: 7 of them and filesize < 363520 
@@ -123445,36 +124145,36 @@ rule MALPEDIA_Win_Tokyox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d34e4ceb-0bc2-5477-9c12-3a529f2527e6" - date = "2026-01-05" - modified = "2026-01-06" + id = "b462a8a0-f28a-5712-a990-5092edb8777f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tokyox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tokyox_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tokyox_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "a5f77c70b1ac6566e10c0515d32c74e5ec77d8ebaa8bcecbb1bfc331f53b6f71" + logic_hash = "bb3a8a4224c473eeac74ab6318474ce515ef18ff1b0ab86de8b1da62cb868436" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 0f84b6010000 8d4590 } - $sequence_1 = { e8???????? 8b4508 83c40c b90d0a0000 66890c07 } - $sequence_2 = { c745f450726f64 50 6a00 8d45f4 c745f87563744e } - $sequence_3 = { 0f842e020000 8d4df0 c745fc00000000 51 } - $sequence_4 = { 8d45f8 50 6a05 ff7608 ffd7 6a3c ff7510 } - $sequence_5 = { 51 56 6a00 68e9fd0000 ff15???????? 8945e4 33db } - $sequence_6 = { 7534 83f801 721f 66a1???????? 8d5601 } - $sequence_7 = { 8bec a1???????? 3b05???????? 0f85a10f0000 ff7508 e8???????? 
59 } - $sequence_8 = { 8bf2 c745a046003400 c745a435003000 c745a831002d00 c745ac46003400 c745b034004700 c745b42d003400 } - $sequence_9 = { ff15???????? 894608 85c0 754e ff15???????? 8b4e08 } + $sequence_0 = { c78550ffffff44000000 51 33c0 c7857cffffff01010000 837df010 } + $sequence_1 = { 50 ffd6 c7470400000000 8b07 85c0 0f8405feffff 50 } + $sequence_2 = { 6a00 68e9fd0000 ff15???????? 894508 33db 40 b902000000 } + $sequence_3 = { ff15???????? 83f8ff 7487 5f 5e } + $sequence_4 = { 83f808 8975b0 8b45fc 0f43cb } + $sequence_5 = { 50 894508 e8???????? 8b33 } + $sequence_6 = { 8b451c 83c404 8b00 85c0 7428 50 e8???????? } + $sequence_7 = { 33f6 0f57c0 6a20 53 } + $sequence_8 = { 0f84a4010000 50 e9???????? 8b1d???????? 68fe010000 8d85ecfdffff } + $sequence_9 = { 68fe010000 8d44244c 6a00 50 e8???????? 83c40c 8d442410 } condition: 7 of them and filesize < 237568 
@@ -123484,42 +124184,42 @@ rule MALPEDIA_Win_Miya_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b014bac2-07d1-5fef-bdcc-2e598306fac3" - date = "2026-01-05" - modified = "2026-01-06" + id = "2fa09cd0-d97e-5ef1-8afd-e504ebc4635f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miya_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.miya_rat_auto.yar#L1-L191" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.miya_rat_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "98cc52272c83937733d9eba2aa0b9bb5ed8cab147dbc386514a5033d544b9bd7" + logic_hash = "82308fdb4facad37689505ec7cf7b431c129eb6fc4d51d1c40907638216c7b5c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f84fa0f0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 750f } - $sequence_1 = { 0fbf45fc c9 c3 8bff 55 8bec 83ec18 } - $sequence_2 = { 68a00f0000 ff15???????? 6a00 6a00 6a00 6a06 6a01 } + $sequence_0 = { 0fbf45fc c9 c3 8bff 55 8bec 83ec18 } + $sequence_1 = { 68a00f0000 ff15???????? 6a00 6a00 } + $sequence_2 = { 837c240800 75be ddd8 db2d???????? b802000000 833d????????00 0f85e00c0000 } $sequence_3 = { 7541 d9ec d9c9 d9f1 833d????????00 0f854c0d0000 } - $sequence_4 = { 5d e9???????? 8bff 55 8bec b8ffff0000 83ec14 } - $sequence_5 = { 8bc6 5e 5d c20400 e8???????? 
cc 56 } - $sequence_6 = { 8d642408 0f85c90f0000 eb00 f30f7e442404 660f2815???????? 660f28c8 660f28f8 } - $sequence_7 = { 75be ddd8 db2d???????? b802000000 833d????????00 0f85e00c0000 } - $sequence_8 = { 4889742418 57 4883ec20 488d05da910700 33f6 488901 488b4108 } - $sequence_9 = { e9???????? 488d8a48000000 e9???????? 488d8a40010000 e9???????? 488d8ab0010000 e9???????? } - $sequence_10 = { 4c8bc7 89742428 33d2 b9e9fd0000 4889442420 ff15???????? 0f10442450 } - $sequence_11 = { 4533c0 488bd6 488d4dc7 e8???????? 488b7ddf 4533e4 eb67 } - $sequence_12 = { 0f57c9 f30f7f4d40 488d4d40 e8???????? 488d4d40 e8???????? } - $sequence_13 = { 0f1145c7 4c8965d7 48897ddf 66448965c7 488d7160 48897597 44386168 } - $sequence_14 = { 0f57c0 488d5308 48890b 488d4808 0f1102 e8???????? 488d0588aa0600 } - $sequence_15 = { 90 44897608 488d0554590500 488906 488937 488d4dd7 e8???????? } + $sequence_4 = { 6a00 6a06 6a01 6a02 ff15???????? a3???????? } + $sequence_5 = { 833d????????00 0f84fa0f0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 } + $sequence_6 = { 0f85c90f0000 eb00 f30f7e442404 660f2815???????? 660f28c8 660f28f8 660f73d034 } + $sequence_7 = { 6683e07f 6683f87f 8d642408 0f85c90f0000 } + $sequence_8 = { 03bc24b8000000 488b542440 488d2d5c080300 488b44d500 } + $sequence_9 = { 03c0 2bc8 0f84adfdffff 8d41ff 8b8482f83d0700 } + $sequence_10 = { 0308 3bcf 0f84ff000000 488d8c2470010000 } + $sequence_11 = { 03c0 2bc8 0f8456f9ffff 8d41ff 418b8480f83d0700 } + $sequence_12 = { 03c0 442bc0 0f8423010000 418d40ff 418b8484f83d0700 } + $sequence_13 = { 03c0 442be8 0f84a1000000 418d45ff 418b8484f83d0700 } + $sequence_14 = { 03c0 442be8 0f84bd000000 418d45ff 488d1d6debfaff } + $sequence_15 = { 03c0 442be0 7443 418d4424ff 8b8483f83d0700 } condition: 7 of them and filesize < 1238016 
@@ -123529,36 +124229,36 @@ rule MALPEDIA_Win_Dented_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ec077e48-e364-5ad2-b3eb-708d9cb96474" - date = "2026-01-05" - modified = "2026-01-06" + id = "6d9f3006-8589-5328-8333-f84c73aa8db5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dented_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dented_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "8a83542dc4cfbb6071fb1f2a2748ff19dad273e746a7625af72e8307d011702d" + logic_hash = "d6b616a382cf89cb39c9d2b5b26a8a077346bf2509ae21f5aba3b547b7819f6d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 68???????? bf08020000 8d85ecfbffff 57 } - $sequence_1 = { c1e814 8b4dfc 5f 33cd } - $sequence_2 = { 8d55ff a1???????? 52 885dff 8d4810 } - $sequence_3 = { 8b35???????? 8d85f8feffff 50 8d85f4fdffff 50 ffd6 } - $sequence_4 = { 6a01 53 68???????? ffb5e8fbffff ff15???????? } - $sequence_5 = { e8???????? 8364242c00 8d4c2434 807d1c00 c74424300f000000 c644241c00 } - $sequence_6 = { 59 8bf0 8bcf 33c0 89b5e8f7ffff 2185f0f7ffff } - $sequence_7 = { 8b85f8f7ffff 8a8485fcfbffff 32c1 880416 8b8decf7ffff 43 42 } - $sequence_8 = { c21000 55 8bec 81ec18040000 a1???????? 
33c5 8945fc } - $sequence_9 = { 5f 57 8d45b8 6a00 50 } + $sequence_1 = { ff751c 8b742440 8b08 894d10 8b4004 83632000 } + $sequence_2 = { 898de4f7ffff 33f6 89bdecf7ffff 33c9 } + $sequence_3 = { 8b8de4f7ffff 56 c6041e00 e8???????? 8b4dfc 8b85e4f7ffff 33cd } + $sequence_4 = { 53 e8???????? 8b4c2444 83c418 33f6 8b10 89550c } + $sequence_5 = { ff15???????? 83a5e8fdffff00 53 33db 8985e0fdffff } + $sequence_6 = { e8???????? 59 8945ec 3818 7567 837f1410 } + $sequence_7 = { 8bd1 53 56 8b7508 f6423c02 } + $sequence_8 = { 8d4de0 885de0 895df0 897df4 } + $sequence_9 = { 8b00 2bc8 51 50 8d4de0 885de0 } condition: 7 of them and filesize < 450560 
@@ -123568,36 +124268,36 @@ rule MALPEDIA_Win_Spora_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb2e8bb4-ead2-5b5f-8d4b-4b5ca032457e" - date = "2026-01-05" - modified = "2026-01-06" + id = "e1930c51-2918-587d-b041-4dd8796ca1fc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spora_ransom_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spora_ransom_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "4e1870b731d039931c3cd87b8cbae836b84abbb8438fb88731c5b4fc00862572" + logic_hash = "1881827949ec7db6ac288b256e538504654f981c275cdc5903f7eae60b834288" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8d45f0 50 ff5508 } - $sequence_1 = { 7436 03fb 83ff0c 72ec } - $sequence_2 = { 53 56 ff7508 e8???????? 85c0 7422 56 } - $sequence_3 = { ff36 57 ff15???????? 57 e8???????? } - $sequence_4 = { 83fe0a 72e4 5e c9 c3 } - $sequence_5 = { 8bf0 85f6 7445 8365fc00 8d45fc 50 57 } - $sequence_6 = { 8d45f0 50 ff5508 d1eb 46 83fe1a 72c7 } - $sequence_7 = { 740e 8b45fc 8b4010 0fb6f0 } - $sequence_8 = { 0bf0 57 ff15???????? 5f 8bc6 } - $sequence_9 = { 741f ff36 ff15???????? 85c0 7413 0fb600 } + $sequence_0 = { e8???????? 57 ff15???????? 
83c620 ff4d08 } + $sequence_1 = { 85c0 7436 03fb 83ff0c 72ec 33ff } + $sequence_2 = { 51 50 53 6a07 53 } + $sequence_3 = { ffd6 85c0 7448 03fb } + $sequence_4 = { 7438 57 53 56 ff7508 e8???????? 85c0 } + $sequence_5 = { 8bf0 85f6 7445 8365fc00 } + $sequence_6 = { ebf5 b002 ebf1 b003 ebed } + $sequence_7 = { ff15???????? 85c0 7413 0fb600 48 50 } + $sequence_8 = { ff75fc 8975f8 e8???????? 85c0 7557 394508 7452 } + $sequence_9 = { 5e 5d 5b c20400 b001 ebf5 b002 } condition: 7 of them and filesize < 73728 @@ -123608,10 +124308,10 @@ rule MALPEDIA_Win_Homefry_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "d7d35e8c-e0c5-5ba6-b2d4-e95c77830765" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.homefry_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.homefry_auto.yar#L1-L119" license_url = "N/A" logic_hash = "3f2d14189cc000f371864eda6ce01209469d1d59387364413aee3876a7479356" score = 75 @@ -123620,9 +124320,9 @@ rule MALPEDIA_Win_Homefry_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -123647,10 +124347,10 @@ rule MALPEDIA_Win_8Base_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "c4b48847-5291-521d-93fb-9294f21140e6" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8base" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.8base_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.8base_auto.yar#L1-L119" license_url = "N/A" logic_hash = "b47a40948bded147073cdef65076e2a74aedf9d527ccdea9c267a440037e5b0f" score = 75 @@ -123659,9 +124359,9 @@ rule MALPEDIA_Win_8Base_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -123685,36 +124385,36 @@ rule MALPEDIA_Win_Railsetter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40a35231-bcd6-50b5-8c16-f4224571abb5" - date = "2026-01-05" - modified = "2026-01-06" + id = "c45e5098-e995-5824-9e1f-fff841727b35" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.railsetter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.railsetter_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.railsetter_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "1c0f0eee020c15b328d39cbed0a5c62b2c564fd1a70af2c0c1b9fc2367e71a1f" + logic_hash = "621471e8e170b617c4c45d2d76a4272856dd60bf407e6bda7ff43a732023d384" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d4d20 ff15???????? 90 488d8dd0010000 e9???????? } - $sequence_1 = { 488d0ddc760400 eb07 488d0deb760400 ba11000000 } - $sequence_2 = { 488d8d10010000 ff15???????? 85c0 741a ff15???????? 8bc8 2b8d14010000 } - $sequence_3 = { 428a8c09687e0400 482bd0 8b42fc d3e8 49895008 41894018 0fb60a } - $sequence_4 = { 488d0d36a00500 e8???????? 488bc8 0fb754246e e8???????? 488bc8 e8???????? } - $sequence_5 = { 448d4205 488d0d4dae0400 e8???????? 
0f57c0 0f1185c8000000 498bcc 49837c241810 } - $sequence_6 = { 488d05c3ef0200 488903 eb02 33db 48891f } - $sequence_7 = { 488d0d00690400 e8???????? ba19000000 448bca 448d4205 488d0d18640400 } - $sequence_8 = { 483bc1 0f8291010000 4c8d4d0f 48837d2710 4c0f434d0f } - $sequence_9 = { 48894a10 880a 488d153f360500 448d4115 488bcb e8???????? 488bc3 } + $sequence_0 = { 33c9 894c2448 4585c9 742d 488d05e6f40200 488903 48894b18 } + $sequence_1 = { 0f1006 0f294517 4883781000 7415 41b802000000 488d153e310500 } + $sequence_2 = { 488d0d24f60200 0f57c0 4889442420 48890b 488d5308 488d4c2420 0f1102 } + $sequence_3 = { b903000000 4c8d05a7920200 e8???????? 488bd3 8bcf 4885c0 7408 } + $sequence_4 = { 488d1d9eef0000 eb52 bac0020000 b901000000 e8???????? 488bd8 4885c0 } + $sequence_5 = { 33d2 41b810010000 488d4df4 e8???????? c745f014010000 488d4df0 ff15???????? } + $sequence_6 = { 48896810 48897018 48897820 4156 33ed 4c8d3576470100 } + $sequence_7 = { 498bc2 458bf1 48c1f806 488d0d08bf0200 4183e23f 4d03f0 49c1e206 } + $sequence_8 = { 48c745780f000000 44886d60 ba20000000 488d0def160500 e8???????? c744243010000000 488d542430 } + $sequence_9 = { 48894517 c6451f01 488d4d17 e8???????? 488d05b94a0400 488903 488b55e7 } condition: 7 of them and filesize < 866304 
@@ -123724,36 +124424,36 @@ rule MALPEDIA_Win_Himera_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d48b80f9-ba7c-5b70-abe3-35c7e699db08" - date = "2026-01-05" - modified = "2026-01-06" + id = "aaafc79e-21a9-5fbe-be05-950c921e16fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.himera_loader_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.himera_loader_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "ac37c3c2c74b38220d6622ffc9fadece4f2263ad47a93b2ffce232c15567e711" + logic_hash = "c95cedbeeb5f742b1056f8097a9a669c5e53ab6bc28c56f35234b991823260d7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c645e656 c645e70e c645e801 c645e90e c645ea18 c645eb1a } - $sequence_1 = { 83e03f c1f906 6bd038 8b0c8d00a14200 804c112802 5b } - $sequence_2 = { 83bd00faffff00 7409 83bd1cfaffff00 7504 33c0 } - $sequence_3 = { 0f84d3000000 8b048d7c3c4200 89858cf8ffff 85c0 0f8498000000 83f801 0f84b5000000 } - $sequence_4 = { 6689411e 6a10 ba02000000 c1e204 8b4508 0fb70c10 } - $sequence_5 = { 0fb6d0 85d2 744c 8d4df0 e8???????? 8945e8 8b45e8 } - $sequence_6 = { e8???????? 
83c404 33d2 88957582ffff } - $sequence_7 = { 8d950c82ffff 52 8d85ec81ffff 50 8d8de881ffff 51 } - $sequence_8 = { 8945f0 50 8d45f4 64a300000000 894da4 c745a048000000 c645a846 } - $sequence_9 = { e8???????? 8bc8 e8???????? 50 8b8d3082ffff } + $sequence_0 = { 6a44 6a00 8d858482ffff 50 e8???????? 83c40c 33c9 } + $sequence_1 = { c645eb42 c645ec2e 64a12c000000 8b08 8b15???????? 3b9104000000 } + $sequence_2 = { c645e841 c645e940 c645ea00 c645eb4b c645ec56 } + $sequence_3 = { 8b4df0 8b048500a14200 807c012800 7d5d 8d45d8 50 } + $sequence_4 = { 3d75e7111a 750e 8b45e8 50 } + $sequence_5 = { 8b048d00a14200 33c9 41 897df0 894de0 8a543828 } + $sequence_6 = { c745e4503f4200 eb10 c745e4583f4200 eb07 c745e4443f4200 8b4508 8bcf } + $sequence_7 = { c1e200 8b4508 0fb70c10 51 e8???????? 83c408 8b55fc } + $sequence_8 = { e8???????? 83c410 ebb2 8b953482ffff 52 } + $sequence_9 = { 8d8d6c82ffff e8???????? 8bc8 e8???????? } condition: 7 of them and filesize < 385024 
@@ -123763,36 +124463,36 @@ rule MALPEDIA_Win_Slimagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "81a11c11-c6ba-51d7-a103-aa43fd5efed5" - date = "2026-01-05" - modified = "2026-01-06" + id = "99a5dbc6-3135-5e93-aab6-9b79abe889ca" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slimagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slimagent_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slimagent_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "78304dd9a4e758407499c150f8ded9d2c3d715e90c8046900ee52970af3e3c9d" + logic_hash = "f50f752fc0d7d8f3f01b7dc9b2a072e61b78695da29a813e76e8d4486d4da2ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bc2 488d0df5440200 0f57c0 48890b 488d5308 488d4808 0f1102 } - $sequence_1 = { b801000000 874110 85c0 7427 8364244000 488d05d2a5feff 4889442448 } - $sequence_2 = { c3 4053 4883ec20 488d054bcf0200 488bd9 488901 f6c201 } - $sequence_3 = { 0f1102 e8???????? 488d058c780200 488903 488bc3 4883c420 5b } - $sequence_4 = { 66413b444b02 7515 4883c102 4883f90b 7415 0fb7044a 66413b044b } - $sequence_5 = { 488d0c4f 41b810000000 488d15004c0400 e8???????? 
6646892c77 eb7d 48c744242008000000 } - $sequence_6 = { 4c8b83f0000000 498bc0 482bc1 483bd0 772f 488d3411 } - $sequence_7 = { 488bc2 48c1e83f 4803d0 4863c2 4869c880aefeff 488d0535240100 89531c } - $sequence_8 = { 4803fa 4d8bc6 33d2 488bcf e8???????? 42c6043700 eb0f } - $sequence_9 = { 48899fc8000000 668919 488d8fd8000000 4883bff000000008 7207 } + $sequence_0 = { 458b949b14350400 eb08 458b949bdc340400 41ffc2 448d46ff bf1f85eb51 } + $sequence_1 = { e8???????? 488d4df8 e8???????? 488d1543720200 488d4df8 e8???????? cc } + $sequence_2 = { e8???????? cc 488d4c2438 e8???????? 488d15bbc20200 488d4c2438 e8???????? } + $sequence_3 = { 488b4f10 48894daf 498bc5 482bc2 483bc1 0f82f3030000 49837f1808 } + $sequence_4 = { 0f85e3000000 4d3bc1 0f84d0000000 8b7500 498b9cf7e0550500 4885db 740b } + $sequence_5 = { 8bd7 4c8bf7 498b84c3b05c0500 4e8d0cfd3e000000 4c03c8 498bc1 403838 } + $sequence_6 = { 498bd9 498bf8 8bf2 4c8d0d99020100 488be9 4c8d0587020100 488d1588020100 } + $sequence_7 = { 488b4c2460 ff15???????? 488b4dc0 ff15???????? 0f1045a0 } + $sequence_8 = { 4885db 740b 493bde 0f8599000000 eb6b 4d8bbcf788130400 33d2 } + $sequence_9 = { ff15???????? 488bc8 488d15202c0300 ff15???????? 488bf0 4885c0 745c } condition: 7 of them and filesize < 769024 
@@ -123802,56 +124502,57 @@ rule MALPEDIA_Win_Redalpha_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "882ba549-5d0f-5044-9824-7266c16fd3e3" - date = "2026-01-05" - modified = "2026-01-06" + id = "cd9045d7-f87a-592e-9809-e5720f592d0f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redalpha_auto.yar#L1-L286" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redalpha_auto.yar#L1-L295" license_url = "N/A" - logic_hash = "6d0bc4e07b8bfd5d42ec13b7e486282bb3ab0b08b56807472d5876342a41efce" + logic_hash = "f85fca11ddb3d7432dacaec7cca79704d6819401bb8debb1c4167507085bc80d" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 83c40c c0e304 0fb6c3 50 68???????? } - $sequence_1 = { 68???????? 50 e8???????? 83c40c c0e304 } - $sequence_2 = { 8b4314 015330 ffd0 5f } - $sequence_3 = { 8b4310 ffd0 8945fc 85c0 } - $sequence_4 = { 488da998000000 458be0 4c8be9 488bfa 488d4d20 ff15???????? 488b4508 } - $sequence_5 = { 8785c8000000 488b8dd8000000 ff15???????? 488b8de0000000 ff15???????? 48c785d8000000ffffffff } - $sequence_6 = { 8b4328 8bcb 52 8b5310 } - $sequence_7 = { 89048b 488b4d58 418bc5 48c1e002 480101 } - $sequence_8 = { eb0e 48897da0 41bc13000000 48897da8 498b1e } - $sequence_9 = { d3eb 442bd9 400fb6d7 f6c210 753d 0f1f840000000000 } - $sequence_10 = { 8b430c ffd0 8d50ff 8b45fc 03f2 } - $sequence_11 = { e9???????? 
488d5908 488d4b20 ff15???????? 488b4308 48894310 ba00040000 } - $sequence_12 = { 8b4328 52 8b5310 2b5604 } - $sequence_13 = { 8b4324 8975f8 8945dc 8b4328 } - $sequence_14 = { 48897db8 448865c0 4533c9 4533c0 33d2 33c9 } - $sequence_15 = { e8???????? 48c744243000000000 c744242880000000 c744242002000000 4533c9 4533c0 } - $sequence_16 = { 89441f05 8b85c0feffff 89441f09 8b85c4feffff } - $sequence_17 = { 6a00 6a00 8d8534ffffff c78514feffff08b94000 898518feffff 8d8514feffff } - $sequence_18 = { e8???????? 8b404c 83b8a800000000 7512 8b04bd30744100 807c302900 } - $sequence_19 = { 660fd60f 8d7f08 8b048d343b4000 ffe0 } - $sequence_20 = { 8bec 81ec1c010000 56 6880000000 8bf1 c745f8ff000000 6a00 } - $sequence_21 = { 8d44241c 50 8d442424 50 8d442418 } - $sequence_22 = { 8d45f4 8bcf 50 e8???????? 5f 5e 5b } - $sequence_23 = { 6a34 68???????? 57 ff15???????? 8bf0 85f6 7517 } - $sequence_24 = { ff15???????? 8bf8 85ff 7459 6a00 } - $sequence_25 = { c745dc03000000 eb7c c745e040314100 ebbb d9e8 8b4510 dd18 } - $sequence_26 = { 8b4710 8d044502000000 50 7219 } - $sequence_27 = { 50 f3a5 8d8574ffffff 8bca } - $sequence_28 = { c1fa06 8934b8 8bc7 83e03f 6bc830 8b0495581f4000 8b440818 } - $sequence_29 = { 7517 57 ff15???????? 5e 5f 8b4dfc } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 50 e8???????? 83c40c c0e304 0fb6c3 50 } + $sequence_1 = { ba00010000 488d8d00010000 ff15???????? 
488b8b38010000 } + $sequence_2 = { 8b4508 be00100000 89475c 8b978c000000 } + $sequence_3 = { 8b4508 c645fc06 85c0 753f 8d45e0 c745dcd4024300 } + $sequence_4 = { 8b4508 c1ee04 33f1 033cb0 } + $sequence_5 = { 8b4508 8d4dc4 53 8b5d10 } + $sequence_6 = { 4889742420 57 4881ec30040000 33f6 } + $sequence_7 = { 6690 39b42440040000 76b7 33d2 } + $sequence_8 = { 803831 0f8539020000 83bc248800000058 0f852b020000 4885c9 750f } + $sequence_9 = { 8b4508 898850030000 8b4508 59 c74048c8154400 } + $sequence_10 = { 83cdff 488bd9 4c8bfa 458bc2 4c637014 } + $sequence_11 = { 4155 4156 4157 8bb994000000 448bda 448b4944 } + $sequence_12 = { 730d 488b03 83780800 0f855dfeffff 8b8b18170000 } + $sequence_13 = { 488b0b ff15???????? 488b0b ff15???????? ffc7 } + $sequence_14 = { 8b4508 8bc8 83e03f c1f906 6bc030 03048d30284400 } + $sequence_15 = { 8b4508 8955fc 56 8bf1 57 bf01000000 85c0 } + $sequence_16 = { 50 64892500000000 ff7108 c701???????? ff15???????? } + $sequence_17 = { 8d1c3f 53 50 51 } + $sequence_18 = { c645fc01 8d5102 668b01 83c102 6685c0 75f5 2bca } + $sequence_19 = { 8d74242c 83c40c 33c9 8d5601 8a06 46 84c0 } + $sequence_20 = { 8945f4 8b4514 40 c745ec33374000 894df8 8945fc 64a100000000 } + $sequence_21 = { 68???????? 50 ffd7 8b5d08 8d85f4fbffff 8b35???????? } + $sequence_22 = { 50 e8???????? 8d842480140000 c74424443c000000 } + $sequence_23 = { c3 8bff 55 8bec 8b4d08 33c0 3b0cc5a8fc4000 } + $sequence_24 = { ffd6 8b45a0 85c0 7403 50 ffd6 85ff } + $sequence_25 = { 8b4308 2bc1 51 50 ff7658 8bce e8???????? } + $sequence_26 = { 6800040000 894608 e8???????? 53 8b1d???????? } + $sequence_27 = { ffd3 56 ffd3 ff742428 ffd3 8b8c246c180000 8bc7 } + $sequence_28 = { e8???????? 84c0 7508 83ceff e9???????? 6a00 } + $sequence_29 = { b9???????? c745fc00000000 8d5102 6690 } + $sequence_30 = { c1e902 50 f3a5 8d8574ffffff } condition: 7 of them and filesize < 606208 
@@ -123861,36 +124562,36 @@ rule MALPEDIA_Win_Shady_Hammock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dffdbcb2-bd98-5c78-b119-218bf0b8f1f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "41c3aaa9-ec9c-5423-941f-aed113fcfb80" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shady_hammock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shady_hammock_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shady_hammock_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "eb81523b23e33f9ac426471f12cb50726588d21942b2b73e8ff2883c6fa0b314" + logic_hash = "b49c92e74da64fe8fdb809be9329ec761057630f027c87ebb0b466286bd101ab" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7203 488b01 488d0c10 488bfe 492bf9 4c8bc7 } - $sequence_1 = { 488bcd e8???????? 498d5701 41c6042c00 4881fa00100000 7218 } - $sequence_2 = { e8???????? 4c8b5368 488d4d2f 48837d4710 0f93c2 480f434d2f 4c8b4d3f } - $sequence_3 = { 3bc7 0f843e010000 0fb6f8 e9???????? 0f57c0 } - $sequence_4 = { 7453 488b5318 4883fa10 7205 488b0b } - $sequence_5 = { 0bc1 89442408 0fae542408 c3 488bc4 53 } - $sequence_6 = { 747e 8b82b0000000 4803c8 4903c9 4a8d1408 } - $sequence_7 = { 4883781810 7203 488b00 41b80a000000 488bd0 488bcf e8???????? 
} - $sequence_8 = { eb2c 498bcf 488bc3 48d1e9 } - $sequence_9 = { 48895c2408 4889742410 48897c2418 488bd9 4c8bc9 482b5a30 } + $sequence_0 = { 48895f30 8b87d0000000 85c0 740c 488d0c03 488bd3 } + $sequence_1 = { 488bc8 488bf8 e8???????? 488b0d???????? 4533c9 } + $sequence_2 = { eb2c 498bcf 488bc3 48d1e9 482bc1 } + $sequence_3 = { 4a8b0c2b 4885c9 75cc ffc5 488d0cad00000000 4803cd } + $sequence_4 = { 4a8d0439 488bda 483bd0 480f42d8 488d4b01 4881f900100000 720a } + $sequence_5 = { 48896f10 498d2c36 48895f18 4d8bc6 488bce 4983ff10 724d } + $sequence_6 = { 4863413c 33db 4c8bea 488bf1 8bbc0888000000 } + $sequence_7 = { 418b88b4000000 4803d0 418b80b0000000 4903c1 } + $sequence_8 = { eb09 488bcb 4883fa0f 743b 803d????????00 7432 4883c208 } + $sequence_9 = { 0fb74c4420 6643890c46 49ffc0 4983f81d } condition: 7 of them and filesize < 635904 
@@ -123900,36 +124601,36 @@ rule MALPEDIA_Win_Goldenspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a246a47-ca73-52d5-9d24-1b989582e4ce" - date = "2026-01-05" - modified = "2026-01-06" + id = "8e5fb206-77e0-5dd3-98ec-06de6fbdfe65" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.goldenspy_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.goldenspy_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "abc1cc932d348f65dac5bf1d4eeb448d62aaba8c9d68819a9d802639d61024c9" + logic_hash = "7037c3fc68997fb05e5ab137d1d1c4cd3416d317a297b94cd308e656dfed6b03" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b0cbd48b24700 c644112900 837dfc00 7507 } - $sequence_1 = { 8bce ff5010 eb2d 8b06 8bce ff501c eb24 } - $sequence_2 = { 8bc8 e8???????? 8d4de0 c645fc0c e8???????? } - $sequence_3 = { ff75bc 8bcf e8???????? 3bf3 0f85b4feffff b001 } - $sequence_4 = { 50 8bcb e8???????? ba01000000 eb0d } - $sequence_5 = { e8???????? 84c0 0f84d7000000 8b55c8 8d4dd8 e8???????? c745fc01000000 } - $sequence_6 = { 50 8bce c78588fdffff00000000 e8???????? 8b00 3b06 7507 } - $sequence_7 = { 51 0f434520 50 51 8d8dccfeffff e8???????? 
837d1c10 } - $sequence_8 = { 8b08 2bd1 52 eb2b 8b8538ffffff a804 752d } - $sequence_9 = { 6a00 50 6802000080 ff15???????? 85c0 7557 } + $sequence_0 = { 741e 85f6 7409 56 e8???????? 83c404 33c0 } + $sequence_1 = { 8bcb 017334 56 e8???????? 01730c 5f 5e } + $sequence_2 = { 8d8560ffffff 50 8d8d78ffffff e8???????? c645fc06 } + $sequence_3 = { 57 50 8d45f4 64a300000000 8bf9 8b4d08 32c0 } + $sequence_4 = { 8b30 3bf0 7456 0f1f4000 8b5610 51 ff7614 } + $sequence_5 = { 6a01 50 e8???????? 83c408 6a01 e8???????? 894584 } + $sequence_6 = { 6690 8a06 8d7601 8801 8d4901 84c0 75f2 } + $sequence_7 = { 31dc 31fc 3108 3228 323432 54 326032 } + $sequence_8 = { f7ee 0f2805???????? 69de6d010000 0f1145cc 0f2805???????? b81f85eb51 } + $sequence_9 = { 51 e8???????? 83c408 85c0 0f9845ec 85c0 79ae } condition: 7 of them and filesize < 1081344 
@@ -123939,36 +124640,36 @@ rule MALPEDIA_Win_Kgh_Spy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dc190002-e772-5121-92cd-702f57df5a52" - date = "2026-01-05" - modified = "2026-01-06" + id = "72b18407-a672-56ad-bde7-953ddc753662" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kgh_spy_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kgh_spy_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "e5faa391b98537b62aa0655593e441fa8bf7b12383d96ea8cca680986ba0c716" + logic_hash = "bebc75bd969d7cd192eb6066de467aec8def71c23ce54a280cd465540e88b364" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 488b8c24a0000000 ff15???????? 0fb605???????? 88842480010000 488d842481010000 488bf8 } - $sequence_1 = { 488d0dd0fd0000 e8???????? c744244000000000 c744244800000000 488d442460 488d0def150100 488bf8 } - $sequence_2 = { ff15???????? 4889442468 48837c246800 7507 32c0 e9???????? 48c744243800000000 } - $sequence_3 = { 448d4202 e8???????? 8bcb e8???????? 85c0 0f84bc020000 488d0517bf0000 } - $sequence_4 = { 75eb 488b442430 488b8c2490000000 4803c8 488bc1 } - $sequence_5 = { e8???????? 488905???????? 
48833d????????00 7504 32c0 eb26 ba855d05a6 } - $sequence_6 = { 488d8424f0030000 488bf8 33c0 b908020000 f3aa 4c8d0df7e30000 } - $sequence_7 = { 89442428 488d8424300e0000 4889442420 448bc9 4c8d8424300a0000 } - $sequence_8 = { 488b442428 8b4c2430 894808 4863442424 4889442440 488b7c2430 33c0 } - $sequence_9 = { ff15???????? 0fb605???????? 888424a0030000 488d8424a1030000 488bf8 33c0 } + $sequence_0 = { 488bc1 4c8d8c2458010000 448b44247c 488bd0 } + $sequence_1 = { ff15???????? 488d154fc70000 488bc8 ff15???????? 488b4c2430 48898108050000 } + $sequence_2 = { 488d0562160100 4889442428 488d0546150100 4889442420 4c8d0d8a2e0100 } + $sequence_3 = { c744244400000000 c684248004000000 488d842481040000 488bf8 33c0 b92f750000 f3aa } + $sequence_4 = { f3aa c784242001000038000000 488d8424b0040000 4889842430010000 488d8424b0040000 4889842400010000 48c7842488000000ffffffff } + $sequence_5 = { ff15???????? 4c8d0df8ed0000 4c8d05813d0100 488d15eeed0000 488d0d833e0100 e8???????? 488d1597400100 } + $sequence_6 = { 488b8c24e8080000 ff15???????? 48898424a0000000 4883bc24a0000000ff 7507 32c0 e9???????? } + $sequence_7 = { 42888401b0230100 ffc7 ebde 488b0d???????? 83c8ff f00fc101 ffc8 } + $sequence_8 = { 41b803000000 ba00000080 488b4c2470 ff15???????? } + $sequence_9 = { 48634c2404 488b542420 0fb60c0a 03c1 } condition: 7 of them and filesize < 207872 
@@ -123978,36 +124679,36 @@ rule MALPEDIA_Win_Octowave_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "35c13348-0eb4-5d13-a207-5c2013e4210f" - date = "2026-01-05" - modified = "2026-01-06" + id = "85414a71-9137-581f-9bba-b22bd8bc0186" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.octowave" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.octowave_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.octowave_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "1fa979b8176587b51d4501d3bbb1e6a1953eac27bc34cded0325574b49761409" + logic_hash = "604ff06a585ef27202c35c7e4b47bd9528bd6c469f90955aee6f71ff2a73e229" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { fecb 889c24c0000000 8b9c244c010000 85db 7529 8d9c242c010000 8d7b01 } - $sequence_1 = { ff86201b0000 8b86201b0000 c684302013000000 83ef01 75d3 8b5c2414 85d2 } - $sequence_2 = { ff742450 56 e8???????? 83c408 85c0 0f850a040000 83cb10 } - $sequence_3 = { 8d4f02 51 56 e8???????? 83c408 5f 8bc6 } - $sequence_4 = { ff742418 2bf5 ff742424 8b04b568022110 ffd0 8b7c241c 83c40c } - $sequence_5 = { ff7500 50 e8???????? 83c408 837db800 750a f30f1015???????? 
} - $sequence_6 = { f30f5cc8 f30f1041e8 f30f594714 f30f5cc8 f30f1041e4 f30f594718 f30f5cc8 } - $sequence_7 = { f76b14 03f8 8b4560 13ca f76b18 03f8 8b455c } - $sequence_8 = { ff5004 48 8bcf 50 ff560c 8b17 8bcf } - $sequence_9 = { ff74241c 8b4608 8b4e04 48 f20f1044242c 23c2 6a00 } + $sequence_0 = { f786c46d000000020000 7426 8d4bff 8bc5 0faf8ed46c0000 2bc1 83f80a } + $sequence_1 = { ff7704 68???????? 56 e8???????? ff7708 68???????? 56 } + $sequence_2 = { f30f70c0d8 660f70c0d8 0f5405???????? 660f67c0 660f7e0413 660f6ec0 8d4104 } + $sequence_3 = { ffd0 8b4710 83c418 8b4c241c 0fafc3 894f1c 5d } + $sequence_4 = { ff5038 8b4d14 8bf0 8b01 ff5038 8bc8 8b450c } + $sequence_5 = { f30f5dd0 0f28c2 f30f5fc1 f30f110410 8b44242c f30f5c1410 0f2f15???????? } + $sequence_6 = { ff742470 ff742440 6a02 ff74245c ff74246c e8???????? 8bce } + $sequence_7 = { f30f59c3 f30f1100 03c1 836dec01 75a7 8b750c 8b5d10 } + $sequence_8 = { f30f5cc8 f30f10423c f30f59463c 83c640 f30f58d1 f30f5cd0 0f5ac2 } + $sequence_9 = { ff10 8d4c2408 e8???????? 8b442408 80780d00 74e0 8d4e04 } condition: 7 of them and filesize < 7258112 
@@ -124017,36 +124718,36 @@ rule MALPEDIA_Win_Erbium_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b8a0033-eafb-588e-852d-212657477c66" - date = "2026-01-05" - modified = "2026-01-06" + id = "c3c12ae7-8ed6-548d-9985-1a4da5637250" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.erbium_stealer_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.erbium_stealer_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "52e0e8033201024664e25bae217264a7d239dc0c23fc20bab4e50f4bf89b0343" + logic_hash = "de00ca92d87ab0b2a175fcafd75670f13d759e2dc763fd66e79358c5abc0aab2" score = 75 - quality = 75 + quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 75f8 ba???????? b926000000 2bd0 } - $sequence_1 = { 7409 83c002 66833800 75f7 668b4c2450 6685c9 7418 } - $sequence_2 = { 6a04 6800200000 23f0 56 6a00 ff15???????? } - $sequence_3 = { ff15???????? 8945bc 68???????? 
8b55f4 52 } - $sequence_4 = { eb96 6a04 6800300000 6a18 6a00 8b4508 50 } - $sequence_5 = { 52 8b4508 50 ff55bc 33c9 } - $sequence_6 = { 668b8c24a0020000 6685c9 741b 8d9424a0020000 0fb7c9 2bd0 668908 } - $sequence_7 = { ff55b8 c745cc00000000 837dcc00 0f85a2000000 c745c400000000 8d4dc4 51 } - $sequence_8 = { 75f8 668b8c24a0020000 6685c9 741b 8d9424a0020000 } - $sequence_9 = { 8b55f8 8b45fc 0302 8b4de0 0fb711 81e2ff0f0000 } + $sequence_0 = { 8b4508 50 ff55fc 6800800000 6a00 } + $sequence_1 = { 837de800 752b 6800800000 6a00 8b55f8 52 } + $sequence_2 = { 51 8b5508 52 ff55fc 32c0 e9???????? 6a00 } + $sequence_3 = { 744a 51 51 51 } + $sequence_4 = { 8bd8 8944241c 8d8424a0000000 ba???????? } + $sequence_5 = { 8b5520 8955a4 8b4524 8945a8 6a00 } + $sequence_6 = { 8b55ec 837a1000 7441 6a00 8b45ec } + $sequence_7 = { 034214 50 8b4dec 8b55f8 03510c 52 } + $sequence_8 = { 8b5110 52 8b45fc 50 ff55b0 } + $sequence_9 = { 8b4c2410 2bc7 3bc1 0f8284000000 } condition: 7 of them and filesize < 33792 
@@ -124056,36 +124757,36 @@ rule MALPEDIA_Win_Goggles_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "040bb693-a4be-548d-a501-6f2900be4db7" - date = "2026-01-05" - modified = "2026-01-06" + id = "a7ce7fd1-4839-56bc-b3dd-e50bbf8fa16e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.goggles_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.goggles_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "2057c3d81d740df16e7462115b1eb3ac99d3eec33754199313bf18b2c821d705" + logic_hash = "bfd505c41dc2f5864e7244db4f7ec8d466462c849cb1f516848602d30cc7f47c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 8d842488010000 6a00 50 ff15???????? } - $sequence_1 = { 52 68???????? ff15???????? 8a542b01 } - $sequence_2 = { 68???????? e8???????? 83c410 c680a841001000 8d842410010000 } - $sequence_3 = { 8a8010400010 88441efe 8a4c2fff 83e13f 4a 8a8110400010 88441eff } - $sequence_4 = { 0f8559ffffff 8b442414 83f803 756e 0fbe0437 } - $sequence_5 = { 33f6 894c240c 85c9 7e6f 8b4c2418 8bc2 2bc1 } - $sequence_6 = { 0fbe043e 50 68???????? ff15???????? b9???????? 
2ac1 c0e002 } - $sequence_7 = { 55 57 88442410 b940000000 33c0 8d7c2411 } - $sequence_8 = { 8a4c2ffe c1f806 83e10f 83e003 c1e102 0bc1 8a8010400010 } - $sequence_9 = { 0fbe8288410010 50 68???????? ff15???????? } + $sequence_0 = { 83c404 83f804 0f8cbd000000 8bc8 c1e902 } + $sequence_1 = { 884c2b01 83c302 eb43 83f802 753e 0fbe0437 50 } + $sequence_2 = { ffd3 83c418 85c0 752d 8b8424c0080000 8d4c244c } + $sequence_3 = { 33c0 5b 81c418060000 c3 68???????? ff15???????? } + $sequence_4 = { 894c2404 83c9ff f2ae f7d1 49 } + $sequence_5 = { 56 57 b941000000 33c0 8d7c2478 c744241000000000 f3ab } + $sequence_6 = { 40 f6d2 8854041b 3bc5 7cf1 } + $sequence_7 = { 8be8 2bd6 56 57 03ea ffd3 57 } + $sequence_8 = { 83c414 ebc7 8b3d???????? 55 ffd7 } + $sequence_9 = { 33c0 5b 81c418060000 c3 } condition: 7 of them and filesize < 57344 
@@ -124095,36 +124796,36 @@ rule MALPEDIA_Win_Cameleon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6ba1f947-7c11-5a6f-94b1-6f9ed842ec2b" - date = "2026-01-05" - modified = "2026-01-06" + id = "e40c4ff3-5c93-5f3f-97ce-ce981e4b7a6c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cameleon_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cameleon_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "5126d39a589ca456705b9580398901c26a625f6b65ede04aeb5951f2fdaf02c8" + logic_hash = "644560948d1e9d94a94549954ead48f81d616d5f4876406316acd5719620707c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7de0 85f6 0f8567ffffff 83ff20 0f83a8000000 83c8ff 2bc7 } - $sequence_1 = { 3975d4 7347 52 56 8d4dc0 } - $sequence_2 = { c3 e8???????? 85c0 0f843aa70000 c3 833d????????ff 7503 } - $sequence_3 = { c745ecd88e0210 894df8 8945fc 64a100000000 8945e8 } - $sequence_4 = { 83f924 7d10 8a80f8c70410 8807 47 } - $sequence_5 = { 8b45b8 8b11 03c6 50 56 8d450c 50 } - $sequence_6 = { 253bffffff 33f6 3bc8 740c 8b0cb584bf0410 46 85c9 } - $sequence_7 = { 7405 e8???????? 
a900000080 751f d9fa 833d????????00 0f85037f0000 } - $sequence_8 = { 2bc1 83f808 0f86bc000000 8d7108 83fefe } - $sequence_9 = { e8???????? 8d8d04ffffff e8???????? 8d4d8c e8???????? 8d4da4 } + $sequence_0 = { 8b4004 c74408e0bc4b0510 8b41e0 8b5004 } + $sequence_1 = { 56 e8???????? eb65 8b4db8 83f910 0f83d4000000 83c8ff } + $sequence_2 = { 8d41e0 3c5a 770f 0fbec1 0fb68018fb0410 83e00f eb02 } + $sequence_3 = { 8b08 8b4904 f644010c06 7539 0f1f00 8d8504ffffff 50 } + $sequence_4 = { 57 8d1c8510d40510 33c0 f00fb10b 8b15???????? 83cfff 8bca } + $sequence_5 = { 8a90ac4c0510 e8???????? 0fbe06 83e00f 8a90ac4c0510 8d8dccfeffff } + $sequence_6 = { 8bc2 8bca 83e03f c1f906 6bc030 03048d50d60510 eb05 } + $sequence_7 = { 8365fc00 8b45e4 8b048550d60510 8b4de0 f644082801 } + $sequence_8 = { 0f43559c 66833a00 7504 33c9 } + $sequence_9 = { 0f8497040000 8b75a4 3b75a8 0f848b040000 660f1f840000000000 8d8db4feffff e8???????? } condition: 7 of them and filesize < 824320 
@@ -124134,36 +124835,36 @@ rule MALPEDIA_Win_Synflooder_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b4db3a4-161f-5f48-96b1-18c835e76606" - date = "2026-01-05" - modified = "2026-01-06" + id = "efa068ab-80ee-5171-9690-564cfdb6f68c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.synflooder_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.synflooder_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "71981dc7d5e3732f6bffc2a9248cb281eeec7fbd198e397f9ba4db0beb4f7d0b" + logic_hash = "4a8a1c9ae0a778696e25fa4570a1688ba1f6ebca583f2f70ec6f184bb580f357" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 762a 56 e8???????? 8d0445f4f34000 8bc8 } - $sequence_1 = { 8be5 5d c3 8b35???????? b802000000 6a50 668944242c } - $sequence_2 = { 8bec 8b4508 ff34c580e44000 ff15???????? 5d } - $sequence_3 = { 0f8f0b010000 33f6 85db 7e1b 8bff e8???????? 0fbec0 } - $sequence_4 = { 8a13 0fb6ca 0fbe8910ee4000 85c9 } - $sequence_5 = { 897e70 c686c800000043 c6864b01000043 c74668f0e54000 } - $sequence_6 = { 03048d20fc4000 eb02 8bc2 f6402480 } - $sequence_7 = { 33c5 8945fc 8d8568faffff 50 6a02 ff15???????? } - $sequence_8 = { c7470640008006 8b44242c 50 ff15???????? 
} - $sequence_9 = { 897df4 85ff 75d1 53 e8???????? 8b45f0 } + $sequence_0 = { 51 ff15???????? 89470c c7471800000000 e8???????? 99 } + $sequence_1 = { 7229 f3a5 ff2495e07a4000 8bc7 ba03000000 83e904 } + $sequence_2 = { 50 e8???????? 8b4de4 83c40c 6bc930 8975e0 8db130ea4000 } + $sequence_3 = { ff15???????? 89470c c7471800000000 e8???????? 99 b9e8fd0000 f7f9 } + $sequence_4 = { a3???????? 8d7901 8a11 41 84d2 } + $sequence_5 = { 8bff 56 57 33ff ffb7b0e54000 ff15???????? 8987b0e54000 } + $sequence_6 = { 83c404 eb17 bb00040000 c744241800280000 } + $sequence_7 = { e8???????? 85c0 0f8517010000 ff15???????? 50 e8???????? } + $sequence_8 = { 52 0fb6d4 52 0fb6c0 } + $sequence_9 = { 81ecf4010000 a1???????? 33c4 898424f0010000 53 56 } condition: 7 of them and filesize < 163840 
@@ -124173,36 +124874,36 @@ rule MALPEDIA_Win_Bbsrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a602361e-80e2-5b74-861b-7270dd69ebb0" - date = "2026-01-05" - modified = "2026-01-06" + id = "5b887e3a-3852-55ad-842d-3f30bc70dda4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bbsrat_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bbsrat_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "9e349c993b7b920b82b539668c983c2083c9d2bb77a365140f827640d24e311d" + logic_hash = "97bccd3cc92c66cd629e29f693559475b9d36ff616ada661a2a1a82dcf4d90a9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3b0a 7411 837e3800 7d05 8d48fa 890b } - $sequence_1 = { 52 50 55 e8???????? 8d8c2418140000 51 68???????? } - $sequence_2 = { 3b7e28 7cf2 8b4b10 2b4b0c f7c1f0ffffff 0f84c1000000 8b5618 } - $sequence_3 = { 3488 34a8 34b0 34c4 34cc 34e0 34e8 } - $sequence_4 = { 33db f7442410fcffffff 0f86d5000000 6800060000 8d8c241c100000 56 } - $sequence_5 = { 8bd0 89442428 83fe04 722c 8bff 8b0a 8b542414 } - $sequence_6 = { 52 897b08 e8???????? f7d8 1bc0 } - $sequence_7 = { e8???????? 6a36 8d4c246c 51 8d5610 6a46 52 } - $sequence_8 = { e8???????? 85c0 752d 8b560c 895608 ff15???????? 
} - $sequence_9 = { 7536 80780300 7530 80780400 752a 80780500 7524 } + $sequence_0 = { 898e44020000 899648020000 57 894308 894304 8903 ff15???????? } + $sequence_1 = { 83c414 c20400 83ec1c a1???????? 33c4 89442418 8b442420 } + $sequence_2 = { 6800000080 50 ffd5 8bf0 83feff 7508 5e } + $sequence_3 = { 0fb70f 6685c9 741e 66890a 83c202 83c702 } + $sequence_4 = { e8???????? 8b460c 8b7e10 2bf8 c1ff04 83c408 47 } + $sequence_5 = { 8944245c 897c2458 e8???????? 83c414 8bf8 } + $sequence_6 = { 0f873c0c0000 ff2485a0ed0010 8b742418 83fd03 733c 8b442414 8b7c2410 } + $sequence_7 = { 33ff 391e 7e2d 8d6e04 8d4900 8b4d00 8b542414 } + $sequence_8 = { e9???????? c70009000000 c74718e4b10210 eb4c 8b442424 895e1c 894620 } + $sequence_9 = { e8???????? 89ae8c000000 896e40 8b4644 } condition: 7 of them and filesize < 434176 
@@ -124212,36 +124913,36 @@ rule MALPEDIA_Win_Danabot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d405be96-12b3-5521-8438-92276494b614" - date = "2026-01-05" - modified = "2026-01-06" + id = "14596762-1d51-5a7b-8337-b6826adee68a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.danabot_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.danabot_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "d0742d8634d1bfb6b6cd9fd56080ad6a40985205234e33c349c6b1c80cbce68a" + logic_hash = "21994cde6882891a98d175e0371a8ba822d22cae42aa803b4cdf0c04e08404e4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b701c ad 0f1f00 8b4008 } - $sequence_1 = { 83f838 730b ba38000000 2bd0 } - $sequence_2 = { 8d45f8 50 6804010000 8d85e8fdffff 50 } - $sequence_3 = { e8???????? 8b03 50 8b442440 } - $sequence_4 = { e8???????? eb0e 8d541d00 8bc6 e8???????? 83c340 8d433f } - $sequence_5 = { 33c9 ba44000000 e8???????? c745b844000000 33c0 8945c0 } - $sequence_6 = { e8???????? 50 6aff 8bc6 e8???????? 50 6a01 } - $sequence_7 = { 8b55f4 8d45f8 e8???????? 8b55f8 8bc7 } - $sequence_8 = { 6a0e 8b45f8 50 ff15???????? 84c0 7447 33c0 } - $sequence_9 = { e8???????? 
8bd8 8b17 8bc2 85c0 7407 83e804 } + $sequence_0 = { 53 81c4f4fdffff 8bd8 a1???????? } + $sequence_1 = { e8???????? 8b07 50 8b442438 50 } + $sequence_2 = { 68c3595b65 8bc3 8b0f 8b16 e8???????? 8b07 } + $sequence_3 = { 55 8bec 8b4510 8b15???????? 8990b8000000 8b15???????? 8990c4000000 } + $sequence_4 = { 50 6a0a 6897ff2a43 8bc5 8b0e 8b13 e8???????? } + $sequence_5 = { 8b17 e8???????? 8b0424 8b13 } + $sequence_6 = { 8b5dfc 8d4df4 0fb603 b202 e8???????? 8b55f4 8d45f8 } + $sequence_7 = { e8???????? 3b05???????? 7e0a c705????????45000000 a1???????? } + $sequence_8 = { 50 6a15 6891d386eb 8bc6 } + $sequence_9 = { 8bde 85db 7405 83eb04 } condition: 7 of them and filesize < 237568 
@@ -124251,36 +124952,36 @@ rule MALPEDIA_Win_Rarog_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f5f8ab57-da39-59fd-96e2-5478facae854" - date = "2026-01-05" - modified = "2026-01-06" + id = "e020263d-ee7c-5d98-8049-179a71cab21f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rarog_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rarog_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "631ab74dfbbcce858a4c6605f35ed1c081c9a6b77767d5321714353e8fbb62e4" + logic_hash = "6d71ef483d3bf9549ac5f129736d3e4e238e402d10434b4694a95dd62d034597" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b8c246c030000 33cc e8???????? 8be5 5d c3 55 } - $sequence_1 = { 8d45b8 50 8d4d24 e8???????? 83781408 7202 8b00 } - $sequence_2 = { 89a504ffffff c741140f000000 895910 68???????? 8819 e8???????? e8???????? } - $sequence_3 = { 8bc8 8bdf c645fc01 e8???????? c645fc02 c70424???????? 50 } - $sequence_4 = { c645fc22 e8???????? 8bd8 8db5bcfbffff c645fc23 e8???????? 8bf8 } - $sequence_5 = { ffb510ffffff 8d8d48ffffff e8???????? 8d9d48ffffff e8???????? 8b8510ffffff } - $sequence_6 = { 8bc4 89a550ffffff 50 e8???????? 8b8d5cffffff c645fc17 } - $sequence_7 = { 884597 c645fc04 e8???????? 
83ec1c } - $sequence_8 = { ff7518 8845bc ff7514 8d45b0 ff75bc ff75d0 50 } - $sequence_9 = { 83c40c 8d8dbcfbffff 51 8bc8 } + $sequence_0 = { 8d8d24feffff e8???????? 6860ea0000 ff15???????? 33f6 } + $sequence_1 = { 8b450c e8???????? 8bf0 8b4508 e8???????? 8b4508 5e } + $sequence_2 = { e8???????? 33db 8bf9 895dec 895dfc c645fc01 } + $sequence_3 = { 8d42e0 3c58 770f 0fbec2 0fb68000a54200 83e00f eb02 } + $sequence_4 = { 6a30 51 50 53 ffd6 68???????? } + $sequence_5 = { c1f805 8bcf 83e11f c1e106 8b0485203b4300 c644080401 57 } + $sequence_6 = { 6a09 bf???????? 59 33c0 f3a6 7519 } + $sequence_7 = { 59 33c0 f3a6 753e 891d???????? eb36 8bf0 } + $sequence_8 = { c645fc10 8bcc 89a568fbffff 897114 895910 } + $sequence_9 = { e8???????? 53 56 8d8dd8fcffff e8???????? 53 56 } condition: 7 of them and filesize < 598016 
@@ -124290,42 +124991,42 @@ rule MALPEDIA_Win_Resident_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1b67466a-54db-5e85-b74e-0f6af48d989f" - date = "2026-01-05" - modified = "2026-01-06" + id = "31c8cedb-b8c8-50af-8f65-2ca441a2c46a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.resident" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.resident_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.resident_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "c657f6a8f6e1222a8318e6995666aff3bd59abbbd0dacc976a5ca7724d12794b" + logic_hash = "8286f78c5f5fef0421ae4dbf75c8520e292621bde24259a94df34e1760f1910d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 8d95dcf9ffff 52 6a00 ff15???????? 85c0 } - $sequence_1 = { c1e606 03348500b94000 8b45f8 8b00 8906 8b45fc 8a00 } - $sequence_2 = { 894c243c 8b4c2460 89442404 89542440 8b54245c } - $sequence_3 = { 895c2410 c744240cffffffff 89742408 c744240400000000 } - $sequence_4 = { e8???????? 89c6 85c0 0f8427010000 c70424???????? 8d6c243e e8???????? } - $sequence_5 = { 8d85d8f9ffff e8???????? 8b95d4f9ffff 8bf0 03d2 8d45dc e8???????? 
} - $sequence_6 = { 750f 33c0 807dfa01 0f94c0 8d740010 eb41 83f803 } - $sequence_7 = { 8d55e4 52 ffd6 85c0 75e3 5b } - $sequence_8 = { 6689442430 668954242c 8b542422 b830000000 6689442428 66894c242e 0fb74c2420 } - $sequence_9 = { c744240800000000 c744240400000000 ff15???????? 83ec20 891c24 e8???????? } - $sequence_10 = { 8d34ad00000000 8b04a8 890424 e8???????? 83f825 76da } - $sequence_11 = { 8b37 89442418 8d460a 890424 e8???????? 89c3 85c0 } - $sequence_12 = { 75e4 b801000000 893c24 8944241c e8???????? } - $sequence_13 = { ff15???????? 6a04 8d55fc 52 6a06 } - $sequence_14 = { ff15???????? 83ec04 0fb7442446 66895c2450 } - $sequence_15 = { eb05 e8???????? 83c404 84c0 0f848e000000 } + $sequence_0 = { ffd6 83ec04 85c0 7491 } + $sequence_1 = { 6a00 83f864 7c26 8b7508 6801040000 } + $sequence_2 = { 6a00 6a00 ff15???????? 6800080000 6a08 ffd7 50 } + $sequence_3 = { 7424 83e101 741f b901000000 83c002 0fb710 } + $sequence_4 = { 890424 894c2404 ff5218 83ec10 85c0 7852 8b442428 } + $sequence_5 = { 83f801 7508 8d7001 e9???????? 83f802 0f85ac000000 } + $sequence_6 = { 68???????? 50 ff15???????? 5f 33c0 5e } + $sequence_7 = { c70424???????? e8???????? 837c242c01 89c7 7e4b } + $sequence_8 = { e8???????? 89c7 c7002d2d2d2d c740042d424547 } + $sequence_9 = { e8???????? 893c24 89442428 e8???????? 8b542428 } + $sequence_10 = { 33ff 68007f0000 57 c745b430000000 897db8 c745bc20144000 } + $sequence_11 = { 56 68e9fd0000 ffd3 8d85dcfeffff 8d7001 8a08 } + $sequence_12 = { 8b3d???????? 890424 ffd7 8b4c2428 } + $sequence_13 = { 8b2d???????? 83ec08 8d9c248e000000 c744241c00000000 } + $sequence_14 = { 8bec 81ec84060000 a1???????? 33c5 8945f8 53 56 } + $sequence_15 = { 57 ff15???????? 57 e8???????? 83c424 57 } condition: 7 of them and filesize < 125952 
@@ -124335,36 +125036,36 @@ rule MALPEDIA_Win_Warezov_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0ec3e9cd-ecfd-5888-8e71-8272853df26c" - date = "2026-01-05" - modified = "2026-01-06" + id = "9f1ca9c9-8322-5782-b8dd-c2427f4806b9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warezov" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.warezov_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.warezov_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "8a169bcf46fd926fd65360d9ee1ccb1e67a44520c106569cb5acbfc473bbceb3" + logic_hash = "bbdc72c212d89cd3767ecdf3c5b36958b8588c84dc1bccbab7ed8b463aae0457" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a8c04cc000000 8a9404fc000000 02d1 8a8c04fd000000 889404fc000000 8a9404cd000000 02ca } - $sequence_1 = { c68424a300000065 c68424a400000062 c68424a500000075 c68424a600000070 c68424a700000077 889c24a8000000 c68424ad00000070 } - $sequence_2 = { ffd3 50 ff15???????? 85c0 8b942430010000 8902 7531 } - $sequence_3 = { 8d8c24a8000000 51 6a00 68???????? 8d9424b8010000 52 } - $sequence_4 = { c684243801000039 c6842439010000ac c684243a0100000f c684243b010000fe c684243c01000046 c684243d0100006a c684243e01000038 } - $sequence_5 = { 885e14 8b5008 56 8bcd 885a14 e8???????? 
eb78 } - $sequence_6 = { 0473 b142 f6e9 8ad8 8b06 80eb12 80cbcd } - $sequence_7 = { 33f6 4d 85ed ba77000000 7e50 8b74240c 53 } - $sequence_8 = { 32ca 888c049c020000 40 83f809 7ce3 8d8424a8020000 50 } - $sequence_9 = { c68424aa000000d3 c68424ab000000b8 c68424ac000000a9 c68424ad0000002e c68424ae00000049 c68424af00000041 } + $sequence_0 = { c6842451020000ac c6842452020000b1 c6842453020000a6 c6842454020000b3 c6842455020000af c6842456020000ba c6842457020000c3 } + $sequence_1 = { ffd5 50 8d8c24ac010000 51 8bcb e8???????? 83f8ff } + $sequence_2 = { c644247bcc c644247ccc c644247d16 c644247efb c644247f92 c684248000000094 c6842481000000c6 } + $sequence_3 = { 33c0 e9???????? 6a44 c645fc01 e8???????? 83c404 3bc3 } + $sequence_4 = { 83f8ff 0f853c010000 b0b0 88442409 8844241b b08c } + $sequence_5 = { 50 e8???????? 83c40c 83bdecfcffff00 7511 8d85f0fcffff 50 } + $sequence_6 = { 8854242c c644242d5f c644242e64 c644242f63 c644243069 c644243165 c64424326e } + $sequence_7 = { c644241c9a c644241e8c c644241fef e8???????? 8d4c241c 8d542414 c644241473 } + $sequence_8 = { ffd7 55 6a00 56 ffd7 8b442444 50 } + $sequence_9 = { 0f8438ffffff 8d45cc 50 8d4d90 e8???????? 8b7dc0 8b5f08 } condition: 7 of them and filesize < 827392 
@@ -124374,43 +125075,43 @@ rule MALPEDIA_Win_Ssload_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30dda8cc-ed50-5e35-9e3b-577f2e01ce05" - date = "2026-01-05" - modified = "2026-01-06" + id = "6a7f874c-6610-5162-ba91-1cc1181f5dd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ssload_auto.yar#L1-L187" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ssload_auto.yar#L1-L183" license_url = "N/A" - logic_hash = "ac05084ef9800673d1ca7ea15965552cfd923f1e160cfabe8236802f68f627b1" + logic_hash = "ad4eafdd7db8d5909c1f0b5f12cdb3737a7d865694dd047c95a4d7271fb85450" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 894dd4 51 8945e0 ff10 83c404 } - $sequence_1 = { f7e1 c1ea03 8d0492 8d0442 } - $sequence_2 = { 50 e8???????? 83c40c 01de 89770c e9???????? 8b770c } - $sequence_3 = { 85f6 b8ffffffff 0f48f8 81ff01020000 } + $sequence_0 = { f7e1 c1ea03 8d0492 8d0442 } + $sequence_1 = { 01de 89770c e9???????? 8b770c } + $sequence_2 = { 85f6 b8ffffffff 0f48f8 81ff01020000 } + $sequence_3 = { 894dd4 51 8945e0 ff10 83c404 } $sequence_4 = { c745d002000000 648b0d00000000 894de8 64a300000000 } - $sequence_5 = { 0fb6f0 83fe0c 7e0c 83fe1f 7e14 83fe20 7418 } - $sequence_6 = { 89d5 57 53 52 e8???????? 
83c40c } - $sequence_7 = { 56 83ec2c 8b5c2444 8b6c2440 } - $sequence_8 = { 0f57c0 0f1144240c 894c2408 89442404 } - $sequence_9 = { 83ec0c 8db53cffffff 8baeb0000000 8b4608 } - $sequence_10 = { 83c40c 037de0 8b55d8 39d7 } - $sequence_11 = { 0345e8 2b45d4 8945dc e9???????? } - $sequence_12 = { 034828 8b55fc 894a2c eb0a } - $sequence_13 = { 034228 8945c4 6a00 6a01 6800000010 } - $sequence_14 = { 034a10 894de0 8b45e0 3b45dc 7606 8b4de0 894ddc } - $sequence_15 = { ffd1 83c408 ebbc 8b55fc 8b4208 50 e8???????? } - $sequence_16 = { 034214 50 8b4df8 51 e8???????? } + $sequence_5 = { 8d442408 89e1 ba???????? 68???????? 50 e8???????? } + $sequence_6 = { 8d4ddc a1???????? 6a00 6a00 68000000c0 } + $sequence_7 = { 83ec0c 8db53cffffff 8baeb0000000 8b4608 } + $sequence_8 = { 89d5 57 53 52 e8???????? } + $sequence_9 = { 8b4f18 0f94c0 83c802 50 } + $sequence_10 = { 55 83ec10 83c50c 837dd800 } + $sequence_11 = { 034214 50 8b4df8 51 e8???????? } + $sequence_12 = { 034228 8945c4 6a00 6a01 6800000010 } + $sequence_13 = { 0345e8 2b45d4 8945dc e9???????? } + $sequence_14 = { 034828 8b55fc 894a2c eb0a } + $sequence_15 = { 034a10 894de0 8b45e0 3b45dc 7606 8b4de0 894ddc } + $sequence_16 = { ffd1 83c408 ebbc 8b55fc 8b4208 50 e8???????? } $sequence_17 = { 03420c 50 ff15???????? 8945f8 837df800 } $sequence_18 = { 034110 50 8b550c 52 8b4de8 e8???????? } 
@@ -124422,35 +125123,35 @@ rule MALPEDIA_Win_Bedep_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6ea06871-a8ca-5ce7-b9c2-106c128847d6" - date = "2026-01-05" - modified = "2026-01-06" + id = "147a95ed-f45b-5c4b-8cf3-c78a1e2ee891" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bedep_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bedep_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "16b76a62133391f06cc2c61f0e60ca33efb0a31528884eb23ddb66df3319299d" + logic_hash = "34cac102e630f654981eed7cf86b59f05bd62306480fc321271de8c9f2a30c4a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a02 5f 397df0 7e03 895dfc 837d0800 741f } - $sequence_1 = { 8d45a4 50 ff7508 8975fc e8???????? } - $sequence_2 = { e8???????? 8bf0 85f6 59 743c 8a45e0 832600 } - $sequence_3 = { eb54 53 6878020000 8d8580fdffff 50 6a01 ff75f8 } - $sequence_4 = { 85c9 7410 3bd1 740c 8b09 85c9 } - $sequence_5 = { 740b 8d442410 50 ff15???????? 8bc7 5f 5e } - $sequence_6 = { e8???????? 8bf0 f7c67fffffff 7729 ff7508 e8???????? 
3bf3 } - $sequence_7 = { 8b4c2414 8b463c c644240f01 ff742418 ff742420 ff7644 6a01 } - $sequence_8 = { 40 85c9 7c08 668b4b0c 66014b0a 66894308 5f } + $sequence_0 = { c21000 55 8bec 83ec14 85c0 6a2b 5a } + $sequence_1 = { 3d02010000 6a81 5f 742a 385e04 7509 83f801 } + $sequence_2 = { 895c2430 90 e8???????? 6a60 6a01 6800001000 8d44243c } + $sequence_3 = { ff7618 e8???????? 8bc7 5f c9 c3 55 } + $sequence_4 = { 7c21 8d442418 50 8d442414 50 90 } + $sequence_5 = { b8e0000000 7403 83c008 53 8d4df4 51 53 } + $sequence_6 = { e8???????? 8d45fc 50 e8???????? 8bf8 eb03 8b7df8 } + $sequence_7 = { 8d65ec 5f 5e 5b c9 c20c00 55 } + $sequence_8 = { e8???????? 3bc3 8945f0 7c31 e8???????? 85c0 7405 } $sequence_9 = { ff7638 ff742438 50 8d442450 50 ff742438 8d442438 } condition: 
@@ -124461,36 +125162,36 @@ rule MALPEDIA_Win_Avast_Disabler_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "645a106b-f735-50ef-a098-7cdfe936ba27" - date = "2026-01-05" - modified = "2026-01-06" + id = "6a09cca4-7cb6-5c97-b15b-4f7311a6621b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.avast_disabler_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.avast_disabler_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "d9bf9a929cf2cb5bcebd034c783b915e751fc8d18f9e66457ed913ca7fa968a1" + logic_hash = "19754a7bc503b1b28bdfc059b6eb230f6f3e29b2e990d8ace51bd954a83ec439" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8d85f0feffff 50 e8???????? 8b4c371c } - $sequence_1 = { c20c00 3b0d???????? 7503 c20000 e9???????? 8bff } - $sequence_2 = { e8???????? 8b4c371c 8d85f0feffff 2b4c3718 } - $sequence_3 = { 8bf0 85f6 7815 8d45f8 50 e8???????? 8bf0 } - $sequence_4 = { 41 83ef01 75f1 8b85ecfeffff 33c9 0fb7d0 33c0 } - $sequence_5 = { 57 8945e4 33ff 8d45dc } - $sequence_6 = { 8bf0 85f6 7826 6a04 59 } - $sequence_7 = { 6a00 ff7508 8bf0 57 } - $sequence_8 = { 6bf80e 668b450c 6639443712 7408 } - $sequence_9 = { 6a00 ff7508 8bf0 57 e8???????? 
} + $sequence_0 = { 85c0 7404 3bc1 7515 0f31 35???????? } + $sequence_1 = { 7534 837c371400 752d 89443714 6a08 8d45f4 50 } + $sequence_2 = { b94ee640bb 85c0 7404 3bc1 7515 } + $sequence_3 = { 2b4c3718 51 53 53 50 e8???????? 8b4dfc } + $sequence_4 = { 50 ff15???????? 6a01 8d45f8 50 ff750c ff15???????? } + $sequence_5 = { 33c0 40 394510 7534 837c371400 752d } + $sequence_6 = { 8b5c3718 83c112 03d9 837d1000 } + $sequence_7 = { 75a9 5f 5e 5b 5d c21000 55 } + $sequence_8 = { 51 803d????????00 7520 c605????????01 } + $sequence_9 = { 5f 5e 5b 8be5 5d c20c00 3b0d???????? } condition: 7 of them and filesize < 41984 
@@ -124500,36 +125201,36 @@ rule MALPEDIA_Win_Seduploader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8fb6991a-2035-5d98-8418-a7713bf4dcf3" - date = "2026-01-05" - modified = "2026-01-06" + id = "4c53289a-51fa-54db-81fd-87ed394209d0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.seduploader_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.seduploader_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "322f530e99af9eadb7926bd0383665644ca1fdc1bbd87072e1c813cec7a54a88" + logic_hash = "3e4260fdc9b88e3916c7f93d5e8154ac02f053175e4c0905f8df8c6bf1bfb083" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff763c e8???????? 83c40c 3b4508 } - $sequence_1 = { 50 e8???????? 8b4510 83c6fe 8930 8d4601 50 } - $sequence_2 = { 8b4510 83c6fe 8930 8d4601 50 e8???????? } - $sequence_3 = { 83c6fe 8930 8d4601 50 e8???????? } - $sequence_4 = { 8b4510 83c6fe 8930 8d4601 } - $sequence_5 = { e8???????? 8b4510 83c6fe 8930 8d4601 } - $sequence_6 = { 56 6a3e 8bf1 e8???????? } - $sequence_7 = { 8b4510 83c6fe 8930 8d4601 50 } - $sequence_8 = { 50 e8???????? 8b4510 83c6fe 8930 } - $sequence_9 = { 83c6fe 8930 8d4601 50 } + $sequence_0 = { e8???????? 
8b4510 83c6fe 8930 8d4601 50 } + $sequence_1 = { ff763c e8???????? 83c40c 3b4508 } + $sequence_2 = { 50 e8???????? 8b4510 83c6fe } + $sequence_3 = { 5e c3 55 8bec e8???????? 8b4d0c } + $sequence_4 = { 50 e8???????? 8b4510 83c6fe 8930 8d4601 } + $sequence_5 = { c6411001 c3 55 8bec } + $sequence_6 = { 8b4510 83c6fe 8930 8d4601 } + $sequence_7 = { e8???????? 8b4510 83c6fe 8930 8d4601 } + $sequence_8 = { 89b5ecfeffff 89b5f0feffff 89b5f4feffff e8???????? 83c40c } + $sequence_9 = { 83c6fe 8930 8d4601 50 e8???????? } condition: 7 of them and filesize < 401408 
@@ -124539,36 +125240,36 @@ rule MALPEDIA_Win_Sfile_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e614c85b-182e-5624-9633-dd84a183f73d" - date = "2026-01-05" - modified = "2026-01-06" + id = "1371ec68-7f57-5bf8-9285-a67271319fdb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sfile_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sfile_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "4284a47c1e2e07fe055fa45f368d41b804eaf7390d53426d31beb69dd3e007f9" + logic_hash = "2e803e34921e7c7f82272ac430b6ecde5565de98da9f8311330dbe239e6e595f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 8b4514 50 e8???????? 83c408 eb49 } - $sequence_1 = { 8b55f8 2b55e8 d1fa 8955e4 8b45e4 } - $sequence_2 = { 8b55fc c7422000000000 8d45fc 50 } - $sequence_3 = { 7433 6aff 8b4dfc 8b5118 52 } - $sequence_4 = { 8b4818 51 ff15???????? 8b55fc 8b421c } - $sequence_5 = { 8d8db8fdffff 51 e8???????? 83c41c 837dc800 7507 } - $sequence_6 = { 8b4244 8b4d08 8b5120 8b4008 } - $sequence_7 = { 8b5158 52 e8???????? 
83c404 8b4510 } - $sequence_8 = { 8b751c 8b4d20 f3a4 837d0802 } - $sequence_9 = { 8bec 83ec2c 56 57 c745f400000000 } + $sequence_0 = { 8b45fc c7402400000000 8b4dfc 8b5508 895144 } + $sequence_1 = { 8b45f8 c7808405000000000000 8b4df8 c7414800000000 c7414c00000000 } + $sequence_2 = { 3945f4 7d89 8b4dfc 034df4 c60100 837dec00 7547 } + $sequence_3 = { 83c001 8b4d10 894130 6a10 6a40 ff15???????? 8945f8 } + $sequence_4 = { 8b45fc 50 8b4d08 8b5104 52 ff15???????? } + $sequence_5 = { 8b4508 8b4838 83c101 8b5508 894a38 b801000000 } + $sequence_6 = { ff15???????? 8b55f8 8b828c050000 50 e8???????? 8b4df8 } + $sequence_7 = { f3aa 8b4d0c 51 8b5510 8b4258 } + $sequence_8 = { 8b4df8 8b10 8b4914 8b4204 ffd0 } + $sequence_9 = { 8b4204 ffd0 8b4df8 c7412000000000 833d????????ff } condition: 7 of them and filesize < 588800 
@@ -124578,36 +125279,36 @@ rule MALPEDIA_Win_Poweliks_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f451c0b0-4649-5c08-94b0-36c17c318bbf" - date = "2026-01-05" - modified = "2026-01-06" + id = "3e672ccd-012a-5b57-a517-e45f47f01bf7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poweliks_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poweliks_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "67c4fd9796059c69286d2c247dc5cb104b6a720e1f7ef3b5b45dfcea3566e76a" + logic_hash = "4173833635c9cc3550e9d5ba2ea8d9228892732990b366844f597ca84f9e314b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bce 7602 8bce 85c9 7415 8b7d08 8b720c } - $sequence_1 = { 394df4 72cd 8b703c 03f0 8b8e80000000 837c010c00 7449 } - $sequence_2 = { ff55f0 8b7508 8b9e40110000 81c604110000 6a40 6800300000 03de } - $sequence_3 = { 55 8bec 83ec68 6a6b 58 6a65 66894598 } - $sequence_4 = { 6a6b 58 6a65 66894598 58 } - $sequence_5 = { 51 ff15???????? 8945f8 8d45f8 50 ff15???????? 
33d2 } - $sequence_6 = { 8b0c87 0fb70443 8b3486 8365fc00 03ca 894df4 } - $sequence_7 = { 58 6a72 6689459a 58 6a6e 6689459c 58 } - $sequence_8 = { 47 83ff0c 72ea 83ff0c } - $sequence_9 = { 8b5df4 03d8 8a4405d0 3a441dd0 } + $sequence_0 = { 8b4df4 8a5c05b0 03c8 3a5c0db0 7506 40 } + $sequence_1 = { eb0b 8b5118 ebc9 8b5dec 8b75e8 8b45f8 8b0c87 } + $sequence_2 = { c745b4726f6341 c745b864647265 66c745bc7373 c645be00 8bc8 57 } + $sequence_3 = { 83ff0c 72ea 83ff0c 7439 3bc8 } + $sequence_4 = { 8b3486 8365fc00 03ca 894df4 8d45d0 03f2 2945f4 } + $sequence_5 = { 8945e4 85c0 0f8482000000 eb0b 8b5118 ebc9 } + $sequence_6 = { 6aff ffd0 8b45fc c9 c3 } + $sequence_7 = { 8b5dec 8b75e8 8b45f8 8b0c87 } + $sequence_8 = { 6689459a 58 6a6e 6689459c 58 6a65 6689459e } + $sequence_9 = { 0fb7c0 eb07 8b4df8 8d440802 50 ff75e4 } condition: 7 of them and filesize < 115712 
@@ -124617,36 +125318,36 @@ rule MALPEDIA_Win_Darkcloud_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cd1b5f5a-7942-5b60-9ccf-fe3c4e2edece" - date = "2026-01-05" - modified = "2026-01-06" + id = "df67c908-566e-5104-991e-28a743215162" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkcloud_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkcloud_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "aa0d92530fd9200448b5bea8151df68481eaae78d40aef44b3313e13499f3f86" + logic_hash = "8185778aadd4fb8f9f71efe3f006bb532a2d30e6bd927dd702c18c8fa3072883" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 68???????? 8d857cffffff 50 ff15???????? 8d8d7cffffff 51 } - $sequence_1 = { 8b9584feffff 52 8b8580feffff 50 ff15???????? 898568fdffff eb0a } - $sequence_2 = { 89952cffffff 6aff 8b45a8 50 8b4d08 8b11 52 } - $sequence_3 = { c7458c0a000000 c745a404000280 c7459c0a000000 c745b404000280 c745ac0a000000 8b45d8 } - $sequence_4 = { 83c418 c745fc11000000 ba???????? 8d4da0 ff15???????? 8d45a0 50 } - $sequence_5 = { 51 8d8544ffffff 52 50 ff15???????? } - $sequence_6 = { 8bd0 8d4d98 ff15???????? ba???????? 8d4dac ff15???????? 8b5598 } - $sequence_7 = { ff15???????? 
8d4dc8 ff15???????? 8d4db8 ff15???????? c745fc0c000000 8b45d4 } - $sequence_8 = { 68???????? ff15???????? 8bd0 8d4da8 ff15???????? 8d4590 50 } - $sequence_9 = { 8d4d88 51 8d558c 52 8d4590 50 6a05 } + $sequence_0 = { 50 51 c78504ffffff11600000 e8???????? 8bd0 8d4de8 ffd6 } + $sequence_1 = { 8d8d44ffffff 50 51 c7850cffffff408f4000 c78504ffffff08000000 ff15???????? 50 } + $sequence_2 = { 68???????? 8b4dbc 51 ff15???????? c745fc4f000000 8b550c 8995e8feffff } + $sequence_3 = { 8975ac 89759c 89758c 89b578ffffff e8???????? 8b0b 8d45bc } + $sequence_4 = { 52 50 ff15???????? 8b8558ffffff 8d9554ffffff 52 6a01 } + $sequence_5 = { 6a10 8d4594 50 ff15???????? 8bd0 } + $sequence_6 = { ff15???????? c785d8fdffff00000000 83bdd8fdffff12 730c c785e4fcffff00000000 eb0c ff15???????? } + $sequence_7 = { 898578fdffff 8d4590 50 8d8d50ffffff 51 8d5580 52 } + $sequence_8 = { 52 89850cffffff ffd3 33d2 8d8d7cffffff ff15???????? 8b85c8feffff } + $sequence_9 = { 89410c 8b95d4fdffff 8d4d8c ff15???????? 50 8b8d84feffff } condition: 7 of them and filesize < 622592 
@@ -124656,36 +125357,36 @@ rule MALPEDIA_Win_Miragefox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "845d5292-b7ea-5816-ae3f-26f365bc2587" - date = "2026-01-05" - modified = "2026-01-06" + id = "1d4fca18-a022-571e-aeb0-0676a97d36c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.miragefox_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.miragefox_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "3f9732b4e7f509d0ad8d4d1803424245eb1ca2a613f2fd892ba39e0af22d7971" + logic_hash = "1e2d5b7118076c52af1b2e7f473f69ed25f9fa3d1f16ab191228d3f93bc2fe63" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945ca 8b45f4 83c036 66c745c8424d } + $sequence_0 = { c745f0555c2900 8965f4 896df8 64a100000000 8945d8 } $sequence_1 = { 8b45e0 8b4df4 53 50 8d440828 50 } - $sequence_2 = { 8a8010132a00 83e00f eb02 33c0 0fbe84c130132a00 c1f804 } - $sequence_3 = { 8d45fc 50 e8???????? 59 8d44180c } - $sequence_4 = { 57 8d859c7cffff 6a00 50 e8???????? 57 } - $sequence_5 = { 2900 59 352900be35 2900 3236 2900 98 } - $sequence_6 = { 83c418 8d45ec 53 50 8d857cbcffff } - $sequence_7 = { 85c0 0f84be000000 8d85c0feffff 50 8d85b8fcffff 68???????? 
50 } + $sequence_2 = { 03c1 eb17 8a8341f72a00 2410 } + $sequence_3 = { ff75f4 8945ec ff36 50 e8???????? } + $sequence_4 = { 8d700c 56 8975d8 e8???????? } + $sequence_5 = { e8???????? 8b4508 83c40c 8985d4beffff 8bc6 6a02 53 } + $sequence_6 = { 8b1c9d20f52a00 8d0cc9 f6448b0480 7429 } + $sequence_7 = { 8365f000 ff75ec e8???????? 8365ec00 59 eb03 ff45f0 } $sequence_8 = { 83c01f 894d8c 99 59 8b75b8 f7f9 8b4df4 } - $sequence_9 = { 8d45f0 8975ec 50 8d45f8 } + $sequence_9 = { 5e 5b c9 c21088 55 8bec 83ec18 } condition: 7 of them and filesize < 286720 
@@ -124695,36 +125396,36 @@ rule MALPEDIA_Win_Zeoticus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e7b44470-c2f9-5eee-bb9d-e8020120bbe3" - date = "2026-01-05" - modified = "2026-01-06" + id = "02062136-4ff6-5a0d-a2b7-9e52e208dc4c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeoticus_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeoticus_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "9c3c5f162f682b504ac63e5a0d758fab5141989ce6052830dd9338be25cf4ff1" + logic_hash = "1938f528cac13c2816df475085910aa07eeddab6b22755098f5f4dade956f9bd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 660f6e9c248c000000 660f62d8 0f29942490000000 660f6e942414010000 660f62ca 660f6e9424a0000000 0f295c2410 } - $sequence_1 = { b9d0fe4bac e8???????? 83c408 a3???????? 6a00 6a00 } - $sequence_2 = { 660feff0 8345f010 0f117710 8345ec10 83c720 0f1002 } - $sequence_3 = { 8d8690101000 8bd7 8d8ee8101000 50 83ec08 e8???????? 
} - $sequence_4 = { 0f286c2430 660fd4e0 0f29bc2490000000 660f73d03f 660f6eff 660fefe0 660f3a0fdd08 } - $sequence_5 = { 8b842498010000 898424f0000000 8b84249c010000 898424f4000000 8b8424a0010000 898424f8000000 8b8424a4010000 } - $sequence_6 = { 8b4618 314718 8b461c 31471c 8b4620 } - $sequence_7 = { 50 6a00 ff15???????? 85c0 0f84e7000000 33db 33c9 } - $sequence_8 = { 8b7020 03f3 0f1f4000 8b06 bac59d1c81 03c3 } - $sequence_9 = { 0f295c2410 0f28442410 660f62c1 660fd4c6 660f6ec9 660fd4c5 660f62ca } + $sequence_0 = { 6a0e b9b7070247 e8???????? 83c408 a3???????? 8d4c2408 51 } + $sequence_1 = { 5e 0f28ac2408020000 660feff1 660fd4ac2458010000 660f380035???????? 0f28a42448010000 660fd4eb } + $sequence_2 = { 0f29742460 660fd4c3 0f294c2410 0f298424d0000000 660fd4cc 660fefc5 } + $sequence_3 = { 8bf0 e8???????? 83c408 a3???????? 8d4c241c 51 56 } + $sequence_4 = { ba???????? 6811e7c138 6a14 b93c0b0ae9 e8???????? 83c408 a3???????? } + $sequence_5 = { 2b8564ffffff 898534ffffff 8b45b8 2b8568ffffff 898530ffffff 8b45bc 2b856cffffff } + $sequence_6 = { 660f6e5c244c 660f62d8 0f294c2410 660f6e4c2448 0f29542460 0f295c2470 } + $sequence_7 = { 83e904 79ed 8b4c2444 8d51fe 85d2 } + $sequence_8 = { 53 ffd0 85c0 7511 39742414 750b } + $sequence_9 = { 68ebe5da62 6a10 e8???????? 83c408 a3???????? 8d4c2418 51 } condition: 7 of them and filesize < 468992 
@@ -124734,36 +125435,36 @@ rule MALPEDIA_Win_Stinger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3d5345cc-6891-5cd1-840e-a83631b5fe99" - date = "2026-01-05" - modified = "2026-01-06" + id = "e5caa567-60b3-51af-a604-22092049729c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stinger_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stinger_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "89238eb5fdfe99680f7f49528afc66652f68e02cb4c9414363e841a63c1fb66a" + logic_hash = "dab4f3da82d7d0f2258afb9c975eea5a7f38b7ec97daa84aa46ab3c887394d0a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c404 8b5dfc 53 83c324 53 8b1b } - $sequence_1 = { 85db 7409 53 e8???????? 83c404 ff75f0 ff75f4 } - $sequence_2 = { 83f90a 1bd2 83d100 c1e008 8d4cd137 0bc1 } - $sequence_3 = { 8b5dfc 83c320 895df8 8b5df8 } - $sequence_4 = { 83f800 0f84e6030000 ff75fc 8b5d08 ff33 b902000000 e8???????? } - $sequence_5 = { ff35???????? ff35???????? b903000000 e8???????? 83c40c 8945c4 6805000080 } - $sequence_6 = { 51 53 890b 50 3bc8 0f8f56030000 } - $sequence_7 = { 8b5dfc 83c314 895df8 8965f4 6800000000 ff15???????? 
90 } - $sequence_8 = { 8a143a 8a0c30 32ca 5a 880c10 } - $sequence_9 = { 8b5df8 8b7df4 85db 8b75fc 7436 0fb606 8bc8 } + $sequence_0 = { e8???????? 83c404 5b 59 ebd1 83c408 } + $sequence_1 = { 8b5de4 85db 7409 53 e8???????? 83c404 ff35???????? } + $sequence_2 = { 8b5df8 8903 8b5dfc 83c308 } + $sequence_3 = { c745d800000000 c745dc00000000 817d0c19020000 0f85d5040000 } + $sequence_4 = { e8???????? 83c404 8d4c241c 892b c7442438ffffffff c744241cd8904000 e8???????? } + $sequence_5 = { 83f805 7732 ff24854c634000 66897c2448 eb2b } + $sequence_6 = { ff35???????? b903000000 e8???????? 83c40c 8945dc 6805000080 } + $sequence_7 = { 83c404 837dec00 0f8436000000 68???????? 8b5d08 ff33 } + $sequence_8 = { 895df8 8b5df8 c70310000000 8b5dfc 83c324 895df8 b8???????? } + $sequence_9 = { 750a c705????????80714000 40 a3???????? 8bbc2418040000 } condition: 7 of them and filesize < 197096 
@@ -124773,36 +125474,36 @@ rule MALPEDIA_Win_Poldat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "42cee7c4-4091-565d-9c3d-72814a243e33" - date = "2026-01-05" - modified = "2026-01-06" + id = "0ab576ed-e0ee-5da0-8f81-cfe82fe216e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poldat_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poldat_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "623b16e441bfe440967c1ef70315e2275e1dcbf3de26c2e6e7dae46aecf0c483" + logic_hash = "a6f8e59d2c945b62038e5cd56baf57eea43e69c171234f5505f4b9b3436c2cf3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b4514 83c410 8906 8b4510 } - $sequence_1 = { c74724c0324000 8b4c2418 83f9ff 750c c744241806000000 8b4c2418 } - $sequence_2 = { 89be4c0c0000 89be500c0000 89be540c0000 8bc6 5f } - $sequence_3 = { 8b4720 895718 3bc2 750a c74720a0324000 } - $sequence_4 = { 8d888c000000 8d9080090000 8988100b0000 8d88740a0000 8988280b0000 33c9 c780180b000018b24100 } - $sequence_5 = { 50 e8???????? 
55 8d86bc0a0000 57 50 c786b80a0000901f0000 } - $sequence_6 = { 8bc7 83e007 83ed03 8b148dbc9c4100 } - $sequence_7 = { c3 55 8bec 81ec68040000 8065fc00 53 56 } - $sequence_8 = { 2bc8 03c7 51 6a00 8d441804 50 } - $sequence_9 = { 50 e8???????? 59 e8???????? 6a04 99 } + $sequence_0 = { 89beb4070000 e8???????? 53 8d86b6090000 57 50 e8???????? } + $sequence_1 = { 56 8975fc e8???????? 8d4dfc 8945f8 } + $sequence_2 = { 03ce 8988b4160000 8b149d00934100 85d2 0f8484000000 } + $sequence_3 = { 50 8d45fc 50 8d45c0 56 50 8d8598fbffff } + $sequence_4 = { 7514 8d85acfdffff 50 56 } + $sequence_5 = { 894c241c 8b4c242c 8b0c8d68c34100 894c2420 83f814 7323 8b4c2410 } + $sequence_6 = { 41 3be8 894c2410 72c5 8b048568c34100 } + $sequence_7 = { c645e465 c645e578 c645e665 c645e720 c645e822 c645e925 } + $sequence_8 = { 8d859cf9ffff 57 50 e8???????? } + $sequence_9 = { 8945f8 51 50 8d4510 56 50 } condition: 7 of them and filesize < 247808 
@@ -124812,36 +125513,36 @@ rule MALPEDIA_Win_Quan_Pin_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1fa8c8cd-f609-5225-baa7-0fa410d45d6c" - date = "2026-01-05" - modified = "2026-01-06" + id = "cb420fb2-b488-5c7f-b834-9533a753ee16" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quan_pin_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.quan_pin_loader_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.quan_pin_loader_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "4f7da9c0c4a15d34fa1ce0c27eb780960020faa43be4d9d68fb3c3bdcd21f6fc" + logic_hash = "65b010711b4c2c76593478f090f82f4b1954bcc1d046520a6a3556edf300074d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4d08 e8???????? 85c0 750f 0fb703 6683f80d 7406 } - $sequence_1 = { 83630800 488d0524c10400 488903 eb3a 41b804000000 488d15d6ba0400 e8???????? } - $sequence_2 = { 4183f904 7410 4183f906 0f85c8fdffff 0fbaea0a eb0a 0fbaea08 } - $sequence_3 = { 84d2 7418 c6415401 d1e8 eb14 488d1524a80300 b806000000 } - $sequence_4 = { 4d8bc6 418bd7 488bcf e8???????? 8bf0 85c0 0f8850010000 } - $sequence_5 = { 488b5d60 488d4c2430 e8???????? 488d4c2420 e8???????? 4883eb20 } - $sequence_6 = { b904010000 660b0d???????? 66890d???????? 
480fbae71e 7224 0fb7c5 ba0f000000 } - $sequence_7 = { 488b5008 488b4810 482bca 48c1f902 493bcd } - $sequence_8 = { 488bcb 0f2845e0 660f7f45e0 e8???????? e9???????? c745e805000000 488d0539ef0400 } - $sequence_9 = { 41b907000000 4c8bc3 8bd5 ff5018 8bf8 8b442478 } + $sequence_0 = { 488364242800 488d0da6090700 4889542420 488d542420 e8???????? 8903 33c0 } + $sequence_1 = { 4803c8 488b45cf 44885488f3 8b4dcb 448b45c7 450fb653fd 8d4101 } + $sequence_2 = { 488b742438 b801000000 c70302000000 c7430409000000 488b5c2430 4883c420 5f } + $sequence_3 = { 0f8fe0000000 48833b00 488b10 7524 4885d2 7511 0fbe5008 } + $sequence_4 = { ffd0 8bd8 85c0 782e 488b4c2430 4885c9 7437 } + $sequence_5 = { 4885c9 750a 488d0d9e640300 48890f 4863d2 e8???????? 894350 } + $sequence_6 = { e8???????? 4584e4 7430 488d05bdb80400 c745ff03000000 488945f7 488d5507 } + $sequence_7 = { 49890e 4c8b4708 488b17 488bc8 4d3be0 7505 4c2bc2 } + $sequence_8 = { 498b5508 488bc1 482bc2 48c1f805 443bf8 0f8256ffffff } + $sequence_9 = { 440fb61d???????? 8d4101 99 2bc2 d1f8 83f803 7c3a } condition: 7 of them and filesize < 1711104 
@@ -124851,35 +125552,35 @@ rule MALPEDIA_Win_Suncrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7f081e6a-91fb-536b-b660-2da418a7ac6f" - date = "2026-01-05" - modified = "2026-01-06" + id = "438299e1-9b8a-5dbe-a855-53f87a2e7bd3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.suncrypt_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.suncrypt_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "25c1a2f4bf5a2bd511d08d2068ef5b4858a377d650c7c729810ab075898356ca" + logic_hash = "626089557c34d266e7c3da2426ab8cf2692508df2d0b7a2ba3721dc6a03911ad" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33d2 c68518ffffff6e c68519ffffff64 c6851affffff13 c6851bffffff2d c6851cffffff28 c6851dffffff28 } - $sequence_1 = { 0fbec0 33c1 884415c8 42 83fa1c 72e9 8d4dc8 } - $sequence_2 = { 6a00 6a00 6a00 6a00 ff35???????? be00310884 c745e000010000 } - $sequence_3 = { 0405 83f031 8845f9 8b45f0 0406 83f02e 8845fa } - $sequence_4 = { 8bec 8a5508 80fa2c 7446 a0???????? b9???????? 84c0 } - $sequence_5 = { ff15???????? 
8bf0 85f6 742a 83feff 7425 8d45e8 } - $sequence_6 = { 8b7308 83c140 8b7da0 894df4 8b4df0 eb7e } - $sequence_7 = { 0f28dc 660ffe9df0fdffff 0f28c3 660fef45a0 0f28c8 660f72f00c 660f72d114 } - $sequence_8 = { 83fa11 72e8 ff7510 8d45ec 885dfd ff750c } + $sequence_0 = { c685dafeffff2d c685dbfeffff34 c685dcfeffff29 c685ddfeffff2c c685defeffff3a c685dffeffff5f c685e0feffff7e } + $sequence_1 = { 33c9 c68557ffffff77 c68558ffffff6f c68559ffffff4a } + $sequence_2 = { 0f1145c8 e8???????? 83c408 33c0 8be5 } + $sequence_3 = { 56 ff15???????? 85c0 7416 8b4df0 8b4508 83e10f } + $sequence_4 = { c68501ffffff00 50 56 ffd7 6808020000 6a00 } + $sequence_5 = { 0fbec0 2bc8 eb1b 8a4f16 8ac1 2430 } + $sequence_6 = { 85c0 7404 8b00 eb03 8b4718 89471c 80e10f } + $sequence_7 = { c3 8b531c 85d2 7517 52 52 56 } + $sequence_8 = { 41 81f900010000 72d4 c78568feffff1a000000 c6856cfeffff57 c6856dfeffff75 } $sequence_9 = { 8bc3 85c9 7411 660f1f440000 803800 740b 47 } condition: 
@@ -124890,36 +125591,36 @@ rule MALPEDIA_Win_Murofet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff4651b8-f01c-5a4b-b3ae-29bd62dfdd08" - date = "2026-01-05" - modified = "2026-01-06" + id = "871c8abd-d27a-5dd6-8d25-459690b56255" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.murofet_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.murofet_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "94ade8c85b5c2b31256b3a8187c71d11e0c07536823190c2ab9a762d80de406f" + logic_hash = "bcdf13cf357018e2defb57b821c0abbdf67a4ef3f8183eace9d99e5b445dfac1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a2???????? 84c0 7510 e8???????? 3c04 73ce b002 } - $sequence_1 = { 72e5 e8???????? a2???????? 84c0 7510 } - $sequence_2 = { 3c02 72e5 e8???????? a2???????? 84c0 7510 } - $sequence_3 = { 3c04 73ce b002 a2???????? } - $sequence_4 = { 57 56 ff15???????? c6443eff00 83f8ff 7509 56 } - $sequence_5 = { e8???????? 32c0 eb43 be30750000 56 } - $sequence_6 = { e8???????? a2???????? 84c0 7510 e8???????? } - $sequence_7 = { e8???????? 3c04 73ce b002 } - $sequence_8 = { 84c0 7510 e8???????? 3c04 } - $sequence_9 = { 3c02 72e5 e8???????? a2???????? } + $sequence_0 = { e8???????? 
3c02 72e5 e8???????? a2???????? 84c0 7510 } + $sequence_1 = { e8???????? a2???????? 84c0 7510 e8???????? 3c04 73ce } + $sequence_2 = { e8???????? 32c0 eb43 be30750000 56 } + $sequence_3 = { 8816 e8???????? 0fb6c0 99 f7ff } + $sequence_4 = { e8???????? 0fb6c0 99 bfff000000 } + $sequence_5 = { 53 57 56 ff15???????? c6443eff00 83f8ff } + $sequence_6 = { 7504 3c02 72bf b001 } + $sequence_7 = { e8???????? 32c0 eb43 be30750000 56 6a04 } + $sequence_8 = { 50 53 57 56 ff15???????? c6443eff00 83f8ff } + $sequence_9 = { fec2 8816 e8???????? 0fb6c0 99 f7ff } condition: 7 of them and filesize < 622592 
@@ -124929,63 +125630,63 @@ rule MALPEDIA_Win_Gootkit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc674f83-d3cc-5cc6-8f48-f7ded72789f2" - date = "2026-01-05" - modified = "2026-01-06" + id = "9a3d9b0d-dbda-5397-b5f3-2efa5a6522fd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gootkit_auto.yar#L1-L334" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gootkit_auto.yar#L1-L329" license_url = "N/A" - logic_hash = "e886088177ff2cbe60c39328c9402db705beff1123d5a11d85e3c6ea020086bf" + logic_hash = "82ac35f22a8beab968bc9e08c6c5d87bde2e895aab0790510c1c7aa719899d56" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41 3bca 72f2 56 6a00 ff15???????? } - $sequence_1 = { 3bca 72f2 335df0 6a10 58 } - $sequence_2 = { 33c0 85c9 0f444508 5d c20400 } - $sequence_3 = { 50 56 ff15???????? 56 ffd7 8bd0 33ff } - $sequence_4 = { 59 85c0 740c 8b30 33ff 0375dc } - $sequence_5 = { 8b840888000000 eb04 8b440878 03c1 c3 } - $sequence_6 = { e8???????? 8b5dfc ff75f4 6a00 ff15???????? 
} - $sequence_7 = { 894df4 50 ff75fc ffd7 85c0 744b } + $sequence_0 = { 8bd0 33db 33c9 85d2 740e 0fbe0431 c1cb0d } + $sequence_1 = { 8945f4 51 8d4ddc 660f1345d4 51 8bc8 } + $sequence_2 = { 0fbe39 4a 6a08 41 } + $sequence_3 = { 53 6a00 6a00 8d45c4 8975f8 50 ff75fc } + $sequence_4 = { e8???????? 85c0 0f85d4000000 51 } + $sequence_5 = { 33c9 c745f804000000 41 33f6 85c0 } + $sequence_6 = { 85c0 740e 837df004 7508 8b45ec 03c6 } + $sequence_7 = { 895dec f3aa 8b3d???????? 8d45f8 50 53 } $sequence_8 = { f3aa 68???????? ff15???????? 50 } $sequence_9 = { 8b7df4 32c0 8b4de4 f3aa } - $sequence_10 = { 50 68???????? ff15???????? 85c0 7505 e8???????? } - $sequence_11 = { 50 e8???????? 83c40c 68fd000000 } - $sequence_12 = { 50 8b4508 8b00 99 } - $sequence_13 = { c705????????01000000 c705????????02000000 8be5 5d } - $sequence_14 = { 833d????????00 750a 6a32 ff15???????? } - $sequence_15 = { e8???????? 6a0c 6a08 ff15???????? 50 ff15???????? } - $sequence_16 = { 6808020000 6a00 ff15???????? 50 } - $sequence_17 = { 6a02 ff15???????? 6888130000 ff15???????? } + $sequence_10 = { 50 e8???????? 83c40c 68fd000000 } + $sequence_11 = { 50 68???????? ff15???????? 85c0 7505 e8???????? } + $sequence_12 = { 50 8b4508 8b00 99 52 50 } + $sequence_13 = { 7514 c705????????01000000 c705????????02000000 8be5 5d } + $sequence_14 = { e8???????? 6a0c 6a08 ff15???????? 50 ff15???????? } + $sequence_15 = { 6808020000 6a00 ff15???????? 50 } + $sequence_16 = { 833d????????00 750a 6a32 ff15???????? } + $sequence_17 = { 50 6a02 ff15???????? 6888130000 } $sequence_18 = { e8???????? 8d45fc 50 6a01 6a01 6a00 6800000002 } $sequence_19 = { e8???????? 85c0 750c c705????????03000000 } - $sequence_20 = { 8b4508 8b00 99 52 50 6a00 } + $sequence_20 = { e8???????? 85c0 740d 6810270000 ff15???????? 
} $sequence_21 = { 53 53 53 8901 } - $sequence_22 = { 0f114f20 0f104840 0f114730 0f104050 0f114f40 0f104860 0f114750 } - $sequence_23 = { 754c 8b5e02 8d45e4 6a1c 50 } - $sequence_24 = { 03c1 3bd8 7323 8b33 } - $sequence_25 = { 85c0 56 0f45ca 894dfc ff15???????? } - $sequence_26 = { 8b4c2434 ff15???????? 0fb74c2432 ff15???????? } - $sequence_27 = { 0f104010 0f110f 0f104820 0f114710 0f104030 0f114f20 0f104840 } - $sequence_28 = { 8b4070 894770 be01000000 ff15???????? } - $sequence_29 = { 0f104060 0f114760 8b4070 894770 } - $sequence_30 = { 7510 8d4864 ff15???????? ffc3 83fb0a } - $sequence_31 = { c602e9 2bc8 894a01 83c205 8b4610 33c9 } + $sequence_22 = { 83faff 7508 ff15???????? 8bd0 } + $sequence_23 = { 663901 754e 8b513c 03d1 813a50450000 } + $sequence_24 = { 03d1 813a50450000 7541 8b82d8000000 } + $sequence_25 = { 0f114710 0f104030 0f114f20 0f104840 0f114730 } + $sequence_26 = { 7235 8b82dc000000 0382d8000000 03c1 3bd8 7323 } + $sequence_27 = { 0f114730 0f104050 0f114f40 0f104860 0f114750 } + $sequence_28 = { ff15???????? ffc3 83fb0a 7cd5 33c0 } + $sequence_29 = { 83faff 7509 56 ff15???????? 8bd0 } + $sequence_30 = { 8b5610 3bca 724b 8d4204 3bc8 } + $sequence_31 = { 50 6a10 8d45e8 50 68060000c8 56 } $sequence_32 = { 0f104860 0f114750 0f114f60 b801000000 } - $sequence_33 = { 8b4de8 b84d5a0000 663901 754e 8b513c 03d1 813a50450000 } - $sequence_34 = { ffc3 83fb0a 7cd5 33c0 } - $sequence_35 = { ffd3 8b8de4fdffff 8b36 85f6 75a2 8b3f 85ff } - $sequence_36 = { 8b7df4 85ff 7414 57 8bce e8???????? } + $sequence_33 = { 85c0 7550 ff15???????? 8bf8 893d???????? } + $sequence_34 = { 0f104060 0f114760 8b4070 894770 be01000000 } + $sequence_35 = { 7510 8d4864 ff15???????? ffc3 } + $sequence_36 = { e8???????? 83ec0c ba???????? b9???????? } condition: 7 of them and filesize < 516096 
@@ -124995,36 +125696,36 @@ rule MALPEDIA_Win_Unidentified_092_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "59b4c790-d726-59b3-ba7e-c5c1b1aad17c" - date = "2026-01-05" - modified = "2026-01-06" + id = "14e64b33-e569-59ba-b47c-8b4cdb728f15" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_092" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_092_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_092_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "94c0cdecf630787615c3fd3071d6bf919aa9412f5889bd4558c045e4fba0dd89" + logic_hash = "54d6e0fbc038fcf7b73c3947d1cfaef6baa43c5b34ab36fc838e7feab62932d7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8b08 ff511c c745fcffffffff 83ceff 8b7db4 } - $sequence_1 = { e8???????? 83bd94f6ffff08 8d8d98f5ffff 8d8580f6ffff 0f438580f6ffff 51 } - $sequence_2 = { 57 6a00 ff15???????? 50 ff15???????? 8bc3 8b4df4 } - $sequence_3 = { 8d8d14f6ffff e8???????? 8d8d14f6ffff 8ad8 e8???????? 84db 0f84b0000000 } - $sequence_4 = { 8b5ddc 03ca 23c7 8bd3 0bf0 c1ca0b 03f1 } - $sequence_5 = { 8b470c 89460c 8b4710 894610 c745fc00000000 8d4e14 c706???????? 
} - $sequence_6 = { c1c10a c1ca0d 33d1 895dfc 8b4df4 c1c902 33d1 } - $sequence_7 = { 8d8db8fdffff 81e37fffffff e8???????? f6c340 } - $sequence_8 = { ffd7 8bf8 897dd4 eb03 8b7dd4 } - $sequence_9 = { 51 8bd0 8d8d68fbffff e8???????? 8bf8 83c410 8d045b } + $sequence_0 = { 6a5c 8d4dd8 e8???????? e9???????? 33c0 8945d0 } + $sequence_1 = { 83c404 b9???????? 50 e8???????? 8d4dd8 e8???????? 8d8d88fdffff } + $sequence_2 = { eb02 33d2 8b45c4 52 50 8b08 ff5120 } + $sequence_3 = { c78548f6ffff0f000000 c78544f6ffff00000000 c68534f6ffff00 83f810 7241 8b8d4cf6ffff 40 } + $sequence_4 = { 0375a0 33d1 8b4d08 03d6 8db34aaad84e 8b5ddc } + $sequence_5 = { 51 e8???????? 83c404 c745fcffffffff 8b85d0fbffff c785a0fbffff0f000000 c7859cfbffff00000000 } + $sequence_6 = { c1c10a 03de c1ca0d 33d1 895ddc 8b4d08 c1c902 } + $sequence_7 = { c745fc00000000 50 6a00 8d45e8 c745e401000000 50 6a00 } + $sequence_8 = { 0b45ec 234508 0bc1 03c2 8b55f0 8bf2 8945e8 } + $sequence_9 = { 51 e8???????? 83c404 c645fc01 8b8560f6ffff c68534f6ffff00 c78544f6ffff00000000 } condition: 7 of them and filesize < 10202112 
@@ -125034,36 +125735,36 @@ rule MALPEDIA_Win_Ghole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "42011619-6775-5fd7-9f1a-e781b1936bb7" - date = "2026-01-05" - modified = "2026-01-06" + id = "195f2f13-9875-59d9-8fe8-8e0e76442b1d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ghole_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ghole_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "0d47b012ca3e41e041f7c9334a8bf5ea912b5069ddcb6bf59ee419c3c1cf9dc4" + logic_hash = "6281a4d5e37d96a386d1124179345dc04e912430f57bcad1d91c88d2c8048205" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48 89c7 e8???????? c745cc00000000 c745b800000000 eb14 c78540ffffffe9030000 } - $sequence_1 = { 8878e0 49 8be9 45 8be0 44 8bea } - $sequence_2 = { 89f8 f7d0 89d9 21c1 48 8b45d0 48 } - $sequence_3 = { 83ec30 48 897dd8 48 8975d0 48 8b45d0 } - $sequence_4 = { 7509 83bdecf6ffffff 7448 8b855cffffff 80cc01 89855cffffff } - $sequence_5 = { 48 8b4040 48 8945f0 48 8b45f0 48 } - $sequence_6 = { 8b5010 8b45f8 0345fc 89c0 48 01c2 48 } - $sequence_7 = { 8b4008 8b55e4 48 8b4de8 48 89ce 48 } - $sequence_8 = { 48 89c7 e8???????? 85c0 7515 8b55f8 48 } - $sequence_9 = { 48 8b1d???????? 
48 8b55a0 48 8b45c0 48 } + $sequence_0 = { 89c7 e8???????? 85c0 0f8484000000 48 8d8520fdffff } + $sequence_1 = { 48 8b45e0 48 89de 48 89c7 e8???????? } + $sequence_2 = { 8b8568feffff 48 8945e8 eb17 48 8b45e8 0fb600 } + $sequence_3 = { 8b45f8 48 8b55f0 48 8910 48 8b45f8 } + $sequence_4 = { 25ff000000 89c2 48 8d05b37c0000 0fb60402 0fb6c0 c1e008 } + $sequence_5 = { 0f94c0 0fb6c0 c9 c3 55 48 89e5 } + $sequence_6 = { 8b855cffffff 83c801 89855cffffff 66c78560ffffff0000 48 8b05???????? } + $sequence_7 = { 8b45f8 48 8b4038 48 85c0 7429 48 } + $sequence_8 = { 2500ff0000 31c1 8b45ec 25ff000000 89c0 48 8d148500000000 } + $sequence_9 = { 89e0 48 83c00f 48 c1e804 48 c1e004 } condition: 7 of them and filesize < 622592 
@@ -125073,34 +125774,34 @@ rule MALPEDIA_Win_Tinymet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4e92467-e964-5a19-9a8e-d27b4954cbf2" - date = "2026-01-05" - modified = "2026-01-06" + id = "6775c374-42e8-5fee-a18c-478fbb5ba8bd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tinymet_auto.yar#L1-L105" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tinymet_auto.yar#L1-L98" license_url = "N/A" - logic_hash = "bbccdde23def456246dacbb5efe68ad5d612883065da6028a6a7729364ff21ca" + logic_hash = "94c6e27ff3c618819e3b60e754f8b83bc94a1ce9c08d446173df5a7be96c6416" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8b400c ff750c 8b00 8b00 a3???????? } - $sequence_1 = { 7419 a1???????? 6a00 83c005 56 } - $sequence_2 = { 5e 5d c3 a1???????? 56 57 6a5c } - $sequence_3 = { 85c0 0f8545010000 ff7508 ff15???????? 85c0 750a 68???????? } - $sequence_4 = { 385d10 7416 6a04 8d45fc } - $sequence_5 = { 8d45f0 50 8d45e8 50 e8???????? 83c410 b80033a084 } - $sequence_6 = { a1???????? 59 50 ff35???????? } - $sequence_7 = { 33c0 57 668906 e8???????? a3???????? 8d4602 50 } + $sequence_0 = { 33c9 6a5f 56 668908 } + $sequence_1 = { 2bf0 75e7 a1???????? 5f 5e } + $sequence_2 = { 75e4 8d45e8 68???????? 
50 e8???????? 8d45f0 } + $sequence_3 = { 68???????? e9???????? 8d45ec 6a10 50 56 } + $sequence_4 = { e8???????? 83c410 b80033a084 385d10 be00022084 } + $sequence_5 = { 68???????? ff15???????? 8bf8 85ff 0f84c0000000 } + $sequence_6 = { 6a04 6800100000 8d7801 8d0c3f 51 } + $sequence_7 = { 50 6800100000 8d043b 50 } condition: 7 of them and filesize < 57344 
@@ -125110,36 +125811,36 @@ rule MALPEDIA_Win_Avaddon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c31fafc-c10e-58b1-9fee-fb7be191e4b5" - date = "2026-01-05" - modified = "2026-01-06" + id = "5cb51d73-4df1-5370-ad9f-5f0397fd6b67" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.avaddon_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.avaddon_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "157dd793c1260894e97de0f6c4ec6c5a408218110364a6a1e7630b93b4914514" + logic_hash = "cd8cd662fd3aa37a84b9ecc87e76f8041ce8ab8576b522fec0af1be4a254ca86" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c7459408020000 837f1410 c7459810660000 c7459c20000000 7202 8b3f 0f1007 } - $sequence_1 = { bf20000000 0f1f00 84db 7574 ff75fc 57 ff75f8 } - $sequence_2 = { 0f4345d0 51 50 8d45e8 50 ff15???????? 837de410 } - $sequence_3 = { 83c404 3dff000000 7607 b8ff000000 eb09 83c0ff 0f886f000000 } - $sequence_4 = { 8b4dcc 8b45d0 030e 83c018 8b75d4 8b55c0 46 } - $sequence_5 = { 0bc8 51 e8???????? 
8bcf 83c404 47 8bf0 } - $sequence_6 = { 8b4e08 b8ffffff07 2bca 47 c1f905 8bd1 d1ea } - $sequence_7 = { c78524fdffff00000000 c78528fdffff0f000000 c68514fdffff00 898d2cfdffff 8a08 40 84c9 } - $sequence_8 = { 51 8b4df0 e8???????? 83c410 83f8ff 750e 8d4510 } - $sequence_9 = { e8???????? 83c408 33c0 c745ac00000000 6689459c 8b45e8 c745b007000000 } + $sequence_0 = { 8d044502000000 50 ff758c e8???????? 83c408 c7459c00000000 33c0 } + $sequence_1 = { e8???????? 8bb7a0000000 b8abaaaa2a 8b8fa8000000 2bce f7e9 c1fa02 } + $sequence_2 = { 75f5 2bc2 8d4c2410 d1f8 50 8d442450 50 } + $sequence_3 = { c64405f000 40 83f804 72f5 8b0d???????? 33ff 0f1f840000000000 } + $sequence_4 = { 50 ffb508ffffff e8???????? 83c408 33c0 c78518ffffff00000000 c7851cffffff07000000 } + $sequence_5 = { 89b500ffffff 3bf1 0f8c87fdffff 8b9554ffffff 8bb5f4feffff 46 89b5f4feffff } + $sequence_6 = { 895df8 8b4f14 8bc1 8b7710 2bc6 8975ec 894df4 } + $sequence_7 = { 33f0 8b4514 33f1 8b4d24 3bc1 8bd9 } + $sequence_8 = { 85d2 0f8ea0020000 8b4dac 8b45a4 0f1f840000000000 33f6 89b500ffffff } + $sequence_9 = { baffffff7f 8bc2 2bc3 83f801 0f82a4000000 56 8d7301 } condition: 7 of them and filesize < 2343936 
@@ -125149,36 +125850,36 @@ rule MALPEDIA_Win_Kagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eeb554cd-bcde-5191-9d05-cd5d3b643304" - date = "2026-01-05" - modified = "2026-01-06" + id = "451a4eff-6ce7-5f9f-99c4-8fedb39d353b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kagent_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kagent_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "f0789c212010e4f78374ae02f32c05cce682ad24c1e1d92ee73ca388e2879a4e" + logic_hash = "ac140ab97dc52a57935b92c8b15bdbef0312eaf71c152b1c54098c93e06c68f2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ec0c 56 57 8bf8 8b7744 8b4f18 c745f800000000 } - $sequence_1 = { 85c0 7e2b 3bf0 7d51 85f6 784d 8b450c } - $sequence_2 = { ff15???????? 57 ffd6 68???????? e8???????? 83c404 53 } - $sequence_3 = { 50 8d45f4 64a300000000 8a450c 8b5d10 8955ac 8b5518 } - $sequence_4 = { 56 8d75ec e8???????? 8b4804 8b4704 bb01000000 e8???????? } - $sequence_5 = { ffd6 668b542410 663b542420 74ed ff15???????? 33d2 b9e8030000 } - $sequence_6 = { 8b4004 33f6 83c40c 897220 897224 8b5580 52 } - $sequence_7 = { 56 8bf0 57 3b7508 745a 8d542410 33c9 } - $sequence_8 = { e8???????? 
c7459c09000000 895de8 8d8d6cffffff 51 57 c645fc05 } - $sequence_9 = { 50 68???????? 68???????? e8???????? 83c40c eb24 } + $sequence_0 = { 85f6 0f858cfcffff 8b542420 8d0411 39442438 8b5378 } + $sequence_1 = { 7604 2bf9 eb02 33ff 8b4314 8b742418 } + $sequence_2 = { 51 e8???????? 33c9 a3???????? c605????????01 c705????????00000000 } + $sequence_3 = { 83c8ff 5b 8be5 5d c3 66833b2d } + $sequence_4 = { 8bf8 83c40c 897d98 85ff } + $sequence_5 = { f7d9 0bc8 51 e8???????? 894304 c6430801 } + $sequence_6 = { 6683790200 7507 40 8906 3bc3 7ce7 8b3e } + $sequence_7 = { ff15???????? 85c0 7428 8b5678 8b7d08 017e74 52 } + $sequence_8 = { 57 53 8bce e8???????? 3bc7 7526 } + $sequence_9 = { c645fc21 8b430c 8b4b14 8d444003 8d0481 } condition: 7 of them and filesize < 4972544 
@@ -125188,36 +125889,36 @@ rule MALPEDIA_Win_Action_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0abe3565-6584-5599-b7de-461d5c2244c8" - date = "2026-01-05" - modified = "2026-01-06" + id = "5571ee23-f5cb-5620-ad04-8dde75af97ac" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.action_rat_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.action_rat_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "5ed778484db64ab13a477929c07da39230f4ad04ded616573b48c243aaef2b6f" + logic_hash = "15a64480baa582334b9c37f46db7e9ed5ac7e5786d2c4af775ac6fa13267b3b7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b10 8955ec 8b45ec 3b45f0 7707 e8???????? eb3c } - $sequence_1 = { 894d9c c645fc00 8d4db0 e8???????? c745fcffffffff 8d4d18 e8???????? } - $sequence_2 = { 8b4df8 c1e104 81c1???????? e8???????? 8b55f8 c1e204 038298f80210 } - $sequence_3 = { 51 ff15???????? 83c404 85c0 7412 0fbe5508 83ea30 } - $sequence_4 = { 8b55f4 837a1800 7420 0fb645fb 50 8b4df4 8b4918 } - $sequence_5 = { e8???????? 83c408 8d450c 50 8b4dec 83c104 51 } - $sequence_6 = { d1e8 8945ec 8b4dec 034dc8 894de0 8b55f8 } - $sequence_7 = { 8d4dec 51 8b4d08 e8???????? 
50 8d55d0 } - $sequence_8 = { 7702 eb02 eb9f 6a00 8b4dd4 51 8d4dd8 } - $sequence_9 = { 8d4dd8 e8???????? 50 e8???????? 83c414 8945d4 8d4dd8 } + $sequence_0 = { 8bec 83ec38 56 894dfc 8b45fc 50 } + $sequence_1 = { 8b4d10 51 8b4df0 81c1b4000000 e8???????? c645fc09 } + $sequence_2 = { 52 e8???????? 83c404 50 8b4dfc 83c118 } + $sequence_3 = { ba01000000 c1e200 8b450c 880c10 8b4d08 c1f906 } + $sequence_4 = { 8b4d10 51 8b4d0c e8???????? 0fb6d0 85d2 752a } + $sequence_5 = { 83c902 8b5004 52 51 ff15???????? 83c41c } + $sequence_6 = { 51 6a00 6a00 8b55fc 8b4204 50 8b4dfc } + $sequence_7 = { 68901f0000 68???????? b9???????? e8???????? 68???????? e8???????? } + $sequence_8 = { 7209 c745d803000000 eb0b 8b4df8 83e901 d1e9 894dd8 } + $sequence_9 = { 89856cfbffff 8b8d6cfbffff 898d68fbffff c645fc13 8b9568fbffff 52 8d85ecfcffff } condition: 7 of them and filesize < 480256 
@@ -125227,42 +125928,42 @@ rule MALPEDIA_Win_Qadars_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db370ffd-dc25-54ab-be3c-753161f66e40" - date = "2026-01-05" - modified = "2026-01-06" + id = "025526bd-ff82-5cf0-a77c-2d01f67f205c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.qadars_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.qadars_auto.yar#L1-L159" license_url = "N/A" - logic_hash = "b7f3cdd5f9bd5d75d1b4c3d8620e10078807a9df5c67d92510598cbd69ac717d" + logic_hash = "5d743a8f393eb2f6cdf0f2ee2fce09eeac09b4a1b47105cef178b9000f2776a3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7410 8d642400 8b0b 48 c7048100000000 75f4 } - $sequence_1 = { 8910 8b4510 85c0 7406 c700???????? 8b4514 } - $sequence_2 = { 56 8d4dcc e8???????? 8d4dcc e8???????? 8bc6 5e } - $sequence_3 = { 8b4dec 39590c 7405 ff490c eb25 8b4104 3bc3 } - $sequence_4 = { 6a04 8d550c 52 8d443801 } - $sequence_5 = { 8945fc 8b45e8 6a10 8945f8 e8???????? 83c404 } - $sequence_6 = { 8b4510 8b08 51 52 8d4df0 897704 8975f4 } - $sequence_7 = { 8b00 50 e8???????? 8b45fc 50 e8???????? 
83c408 } + $sequence_0 = { 8b4308 56 894df8 8b703c } + $sequence_1 = { 33d2 8955fc eb08 8b0e 8b14b9 } + $sequence_2 = { 83e11f bf01000000 d3e7 85fb 7504 } + $sequence_3 = { 8bf8 eb14 68???????? bb02000000 e8???????? 8b7dfc } + $sequence_4 = { 837f0800 7407 b801000000 eb0c } + $sequence_5 = { e8???????? 8b4d08 8b5d10 8b550c } + $sequence_6 = { 895dfc 885df0 895de0 895de4 } + $sequence_7 = { 83c2f0 83d0ff 894604 8b45d8 8916 } $sequence_8 = { 6a00 8d4df4 51 6a04 8d55f8 } - $sequence_9 = { 83c40c 6805010000 8d8df8feffff 51 } - $sequence_10 = { 6a01 8b55fc 52 ff15???????? 83c408 } - $sequence_11 = { 6a01 6a08 ff15???????? 83c408 } - $sequence_12 = { 51 8b55f0 52 ff15???????? 83c40c } - $sequence_13 = { 50 8d8d98fcffff 51 e8???????? } - $sequence_14 = { 8945fc 6a02 8b85d4fdffff 50 } - $sequence_15 = { 750b 68???????? ff15???????? 6a00 } + $sequence_9 = { 51 8b55f0 52 ff15???????? 83c40c } + $sequence_10 = { 83c40c 6805010000 8d8df8feffff 51 } + $sequence_11 = { 6a01 8b55fc 52 ff15???????? 83c408 } + $sequence_12 = { 6a01 6a08 ff15???????? 83c408 } + $sequence_13 = { 83c408 8945e8 837de800 7512 68???????? ff15???????? 33c0 } + $sequence_14 = { 83c408 8945e8 8b45f8 50 8b4dfc } + $sequence_15 = { 83c408 8945e8 8b45fc 50 8b4df8 } condition: 7 of them and filesize < 630784 
@@ -125272,36 +125973,36 @@ rule MALPEDIA_Win_Unidentified_115_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a1ba5f2-6d8b-53d1-afa7-3efb81c22fc0" - date = "2026-01-05" - modified = "2026-01-06" + id = "3f57197c-2a0e-5c2f-91b4-2a6584aed0f1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_115" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_115_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_115_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "6028b5eb1b27194aba70c1eb50e5d4032510571ea08ddcbdb15ab7d8877e12da" + logic_hash = "f34d16f4fb1756d871f8b8d2b98778ba2d274726c5e8a4c97d5758d2a5b7da7f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488945f0 488b05???????? 488945f8 ff15???????? 488d0d72f80000 ff15???????? } - $sequence_1 = { 488d0d8f150100 eb62 488b1d???????? 4c8d4c2428 ba01000000 4889c1 41b840000000 } - $sequence_2 = { 488b13 4889f1 4883c308 e8???????? ebea 4881c420010000 5b } - $sequence_3 = { ffd3 488d1590f60100 4889c1 e8???????? b901000000 e8???????? 90 } - $sequence_4 = { 48893d???????? 498dbe50010000 48891d???????? 488d1d80dc0300 4c891d???????? 4c8d1d72e10300 } - $sequence_5 = { 483346f0 4889842490000000 e9???????? 
488b3a 4883c208 4889f8 4989fc } - $sequence_6 = { 488b15???????? 4c89e1 e8???????? 4989c4 e9???????? 488b43f0 488d53f0 } - $sequence_7 = { 488b03 4989df 4889fa 4885c0 7403 488b10 498b4f08 } - $sequence_8 = { 4c8d2d33db0200 e8???????? 4c89e9 4889c2 e8???????? 488b0d???????? ba18000000 } - $sequence_9 = { 89dd c1c507 4431d5 448b9424d8000000 428db416708b4bc2 4189da 01ee } + $sequence_0 = { e9???????? 4c8d6c242c baf4010000 4c89e9 e8???????? 31c9 } + $sequence_1 = { 4889cb 4889d1 4989d4 e8???????? 4889c6 4885c0 7505 } + $sequence_2 = { 4431e5 4189c4 4401dd 4189d3 01eb 89d5 41c1cb0b } + $sequence_3 = { 4989c6 488b05???????? 4d8b7e18 498906 488d0531650100 49894610 } + $sequence_4 = { 498907 4c89442448 e8???????? 4c8b442448 49894718 4d85c0 7408 } + $sequence_5 = { 31d2 e8???????? 4898 48898424d8020000 4885c0 7511 488b4c2438 } + $sequence_6 = { 488b8c24b8000000 e8???????? e9???????? 488b0d???????? ba30000000 e8???????? 4989c4 } + $sequence_7 = { 488b0d???????? ba30000000 4c8d35a9b70100 e8???????? b941000000 4989c5 488b05???????? } + $sequence_8 = { 4c8b0e 488bb424d0010000 488b7c2430 488b4e38 4c8d4710 4889542420 488b542438 } + $sequence_9 = { e8???????? 49c7450800000000 4c8d0d67410100 4c89e9 4c8d0568410100 48c7442420ed000000 } condition: 7 of them and filesize < 648192 
@@ -125311,43 +126012,43 @@ rule MALPEDIA_Win_Sdbbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5ddf82d-6516-5715-9fa8-b1a6bdbb883d" - date = "2026-01-05" - modified = "2026-01-06" + id = "7d5002c0-d7fd-50b1-bfb2-c37fa40b27a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sdbbot_auto.yar#L1-L180" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sdbbot_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "a7c9bbefe17c51ab7bd282fe70d8133f645f1f7f65d3be7e33bd1c26f76ee007" + logic_hash = "de9dc7d37c5bc02342c2b5aae7b7fbfc11a387ed4ab52ccf3403110a8ec7f197" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03f3 8b17 03d3 33c9 8a02 } - $sequence_1 = { 8b5df0 8bbb80000000 03fe 897dec 833f00 0f847d000000 } - $sequence_2 = { 2b7b34 8955ec 85d2 0f84ae000000 8b83a0000000 03c6 } - $sequence_3 = { 56 57 c745e400000000 895df4 895de0 } - $sequence_4 = { 8945fc 85c0 0f84c2010000 0f1f840000000000 8b7028 33c9 } - $sequence_5 = { 8b5b10 8b433c 8b441878 03c3 8945dc 8b7820 } - $sequence_6 = { 03c1 8955ec 8945e4 85d2 0f8560ffffff 8b5df0 8b7328 } - $sequence_7 = { 7403 4f ebe2 64a130000000 897df8 } - $sequence_8 = { c3 803d????????00 750c c605????????01 } - $sequence_9 = { 664503de 4983c004 4983c102 
664585db 75ac 4c8bb42480000000 } - $sequence_10 = { 41bb01000000 48897c2438 4c89ac2488000000 488b4818 4c8b7920 } - $sequence_11 = { 41b9ffff0000 458d6b03 66660f1f840000000000 498b5750 33c0 450fb74748 } - $sequence_12 = { 48ffc2 8801 488d4901 4983e801 } - $sequence_13 = { 7446 4d03cf 0f1f840000000000 418b49f8 49ffca 418b11 4903ce } - $sequence_14 = { 418b11 4903ce 458b41fc 4903d5 4d85c0 7419 0f1f8000000000 } - $sequence_15 = { 488bf0 4885c0 7474 8b7d10 8b5d00 4903fe } - $sequence_16 = { 0f84a7000000 0f1f840000000000 8b4304 85c0 } + $sequence_0 = { 7413 8a02 8d4901 8841ff 8d5201 } + $sequence_1 = { 0f8495000000 8b30 8d59f8 0375fc } + $sequence_2 = { 8b5820 8b4024 03de 03c6 8945f0 0f1f4000 } + $sequence_3 = { 0f855effffff e9???????? 81f95d68fa3c 757c } + $sequence_4 = { 8d4901 88440fff 83ea01 75f2 0fb77b14 03fb 0fb75b06 } + $sequence_5 = { d1eb 8945e8 746e 0fb710 } + $sequence_6 = { 8955ec 85d2 0f84ae000000 8b83a0000000 } + $sequence_7 = { ebe2 64a130000000 897df8 8b400c 8b4014 8945fc } + $sequence_8 = { c3 803d????????00 750c c605????????01 e8???????? } + $sequence_9 = { 41b9ffff0000 458d6b03 66660f1f840000000000 498b5750 } + $sequence_10 = { 4c89ac2488000000 488b4818 4c8b7920 4d85ff 0f840e020000 } + $sequence_11 = { 410fb7dd 41bdffff0000 4963413c 428bbc0888000000 } + $sequence_12 = { 33ed 4c89b42480000000 48895c2478 e8???????? 4c8be8 } + $sequence_13 = { 4983c12c 4d85d2 7446 4d03cf 0f1f840000000000 418b49f8 49ffca } + $sequence_14 = { 0f84a7000000 0f1f840000000000 8b4304 85c0 0f8494000000 448b03 } + $sequence_15 = { 66660f1f840000000000 498b5750 33c0 450fb74748 0f1f440000 0fb60a } + $sequence_16 = { 7405 49ffcd ebd9 65488b042560000000 } condition: 7 of them and filesize < 1015808 
@@ -125357,35 +126058,35 @@ rule MALPEDIA_Win_Lazardoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aeee5fb7-3124-5412-93e2-d397e0b6b5aa" - date = "2026-01-05" - modified = "2026-01-06" + id = "1c3b2aa2-6cc6-541e-8292-04b34695a0bb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazardoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lazardoor_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lazardoor_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "6155f61e925d37cd5ef1d71aad2d5b29beaeb971eaf97c299374ef05d14474a1" + logic_hash = "d8c063259d0312061a78075c68596206f8a986db3041daf64f815aad14c0b292" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883c024 8938 e8???????? 488d1d23ce0100 } - $sequence_1 = { e8???????? ba50540000 488b0d???????? 4533c9 4533c0 ff15???????? } - $sequence_2 = { 4803cf e8???????? 488b0e 41ffc6 4883c328 } - $sequence_3 = { 4889442420 498bd4 ff15???????? 85c0 7506 ff15???????? 4533f6 } - $sequence_4 = { 4c8bb424d0010000 488b8dc0000000 4833cc e8???????? 4881c4e8010000 415f 415d } + $sequence_0 = { 7522 4c8d0dcb930100 4c8bc6 488bd7 488bcb e8???????? } + $sequence_1 = { 48c7c7ffffffff 488bc7 0f1f8000000000 66395c4502 488d4001 75f5 448d0c00 } + $sequence_2 = { 75c5 ff15???????? 
8b8424c0000000 488b8c2480020000 } + $sequence_3 = { d1f8 4863e8 488bd5 488bf5 4803d2 498b94d720f70100 e8???????? } + $sequence_4 = { 8905???????? 4533c0 8b05???????? 33d2 c744242801000000 8905???????? } $sequence_5 = { 488d45e8 48894de8 488945f0 488d155cde0000 } - $sequence_6 = { 83c8ff f00fc103 83f801 7516 488d05a6470100 488b4c2430 483bc8 } - $sequence_7 = { 7873 3b1d???????? 736b 488bc3 488bf3 48c1fe06 4c8d2dbe0f0100 } - $sequence_8 = { 488d1517c4feff c1e803 89442450 8bc8 89442448 } + $sequence_6 = { 488b05???????? 4833c4 48898424c0140000 8d82b0abffff 498be9 } + $sequence_7 = { e8???????? ebd3 488b442448 4883f8ff 74c8 488bd3 4c8d0552ff0000 } + $sequence_8 = { 48895308 89431c 0fb60a 83e10f 4a0fbe841188a50100 428a8c1198a50100 482bd0 } $sequence_9 = { 488d15c2a20200 488bce ff15???????? 85c0 0f84f3000000 48c7c7ffffffff 488bc7 } condition: 
@@ -125396,36 +126097,36 @@ rule MALPEDIA_Win_Urausy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1beffaf4-c79f-5031-ba16-920ad7ce2336" - date = "2026-01-05" - modified = "2026-01-06" + id = "906f9c66-0a09-5550-bec6-ef66136f2376" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.urausy_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.urausy_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "8b8a7bd5c9e36633624e07a893f13b5d5c82edf3b42773503b98b1177601ac24" + logic_hash = "c1687e6775a909e8e54adca0cc645d96dd6c52e6c0b08740ac97f27f0f9acf23" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7508 e8???????? 8945ec ff7514 e8???????? 8945e8 } - $sequence_1 = { ff75a0 ff75ec e8???????? 33c0 b4ff b0ff c1c008 } - $sequence_2 = { e8???????? 5e 6a00 6a00 6a00 } - $sequence_3 = { ff7594 ff7598 ff75ec e8???????? 33c0 } - $sequence_4 = { 6a28 ff75e4 ff75e8 6802000050 68???????? 68???????? 6800000400 } - $sequence_5 = { e8???????? 53 e8???????? 8d85f8fdffff } - $sequence_6 = { ff75e8 e8???????? c9 c21000 55 8bec 81c4ecefffff } + $sequence_0 = { e8???????? 8945e8 ff75e8 e8???????? 0bc0 7510 } + $sequence_1 = { ff75fc e8???????? 8b45f8 c9 c20400 ff25???????? 
} + $sequence_2 = { 8945e8 ff75e8 8d45f0 50 ff75ec e8???????? } + $sequence_3 = { 53 ff75ec e8???????? ff75e8 ff75ec e8???????? } + $sequence_4 = { ffb538edffff e8???????? 33c0 b400 b000 } + $sequence_5 = { b0b2 50 e8???????? 898538edffff ffb538edffff ff75ec e8???????? } + $sequence_6 = { ff75e4 e8???????? 8945f0 6a5a ff75e8 e8???????? 68ec090000 } $sequence_7 = { 8b4508 50 8b00 ff5018 8d45e0 } - $sequence_8 = { 83c4e8 833d????????01 7504 c9 } - $sequence_9 = { e8???????? c9 c20400 55 8bec 83c4e8 8d45f0 } + $sequence_8 = { ff75e8 ff75ec 6809000058 6a00 68???????? 6a00 e8???????? } + $sequence_9 = { 6a00 e8???????? c705????????00000000 6a00 68???????? e8???????? 0bc0 } condition: 7 of them and filesize < 98304 
@@ -125435,36 +126136,36 @@ rule MALPEDIA_Win_Pittytiger_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4a10640a-725b-54f9-8b7f-afdce80ef3e7" - date = "2026-01-05" - modified = "2026-01-06" + id = "af66804b-9dd4-58de-b963-2c79999ba5a1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pittytiger_rat_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pittytiger_rat_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "1df7687d7c472496ea30aa086a3178f66e3b2104d4ea79dc045c4e3023b998ae" + logic_hash = "c1cb987b89d8914cb0f777c62f136fb2331d664c3a4d2cee6430b1eb052ca11d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ffd7 83c410 8d8558f9ffff 50 ff15???????? 50 } - $sequence_1 = { 33db f3ab ff7508 895dfc 66ab aa } - $sequence_2 = { e8???????? 83c428 8d85e0fdffff 50 8b46f8 ff760c c1e005 } - $sequence_3 = { 8d85f8fbffff ffb69c010000 68???????? 50 ffd7 } - $sequence_4 = { 8b1d???????? 59 59 56 ffd3 57 } - $sequence_5 = { 3bc3 a3???????? 0f84f2fdffff 8d45b8 c745c441786100 50 57 } - $sequence_6 = { 56 56 ff15???????? 3bc6 8945f4 0f84bc000000 } - $sequence_7 = { 51 53 56 57 33db bf80000000 53 } - $sequence_8 = { e8???????? 
85c0 0f85e2020000 85f6 } - $sequence_9 = { ff750c ff7508 e8???????? 83c420 43 } + $sequence_0 = { 50 57 c745b852656753 c745bc65745661 c745c06c756545 885dc6 } + $sequence_1 = { 7411 8d85e4feffff 56 50 e8???????? 59 } + $sequence_2 = { 57 c745b8436c6f73 c745bc65536572 c745c076696365 c745c448616e64 } + $sequence_3 = { 56 57 8d8de4fdffff 8965f0 e8???????? 8d85e4feffff 33db } + $sequence_4 = { ff15???????? 8d45fc 50 683f000f00 6a00 68???????? ff75fc } + $sequence_5 = { 8d85f8fdffff 6a5c 50 ff15???????? 50 8d85fcfeffff 56 } + $sequence_6 = { 66a5 a4 8d7dbf be???????? ab ab aa } + $sequence_7 = { a3???????? 0f84c8feffff 8d459c c745ac727941da 50 57 } + $sequence_8 = { e8???????? 83f86f 7513 ff75fc ff15???????? ff75f8 6a40 } + $sequence_9 = { 50 8b46f8 ff760c c1e005 05???????? 50 } condition: 7 of them and filesize < 2162688 
@@ -125474,36 +126175,36 @@ rule MALPEDIA_Win_Curator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "88dd85f1-9cc3-5f60-833e-59e5ff5c2a14" - date = "2026-01-05" - modified = "2026-01-06" + id = "fcac612a-2e34-59e3-865b-891a1ba269a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.curator_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.curator_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "ce369866ebd7e0f8a7ef01400f189e7f18bf8531561abd861592d244202fec85" + logic_hash = "9c9891d2183ddd3488b2d5adb3081a7f4ddac4155c80a1223d6eb63be40a5482" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d4108 4889459f 488d5d8f 4883fa10 480f435d8f 4803d9 41b808000000 } - $sequence_1 = { 488b07 488d542420 488bcf ff9090000000 488bcd 48c1e903 488b4620 } - $sequence_2 = { 85c0 0f4ed0 e8???????? 488d15c2140400 488d4c2420 e8???????? cc } - $sequence_3 = { 5d c3 4883c202 488915???????? 0fbe0a 85c9 74bd } - $sequence_4 = { 8b45d8 e9???????? 
0fbe42ff 488d4dd0 83c004 4863d0 488d05abbf0300 } - $sequence_5 = { 83e802 0f853ffaffff 660f6fa42400010000 660ffe2424 660f6fac24d0010000 660ffeac24d0000000 660f6fb424a0010000 } - $sequence_6 = { 4156 4157 4883ec50 488b7128 4c8d25880c0000 33ed 488bf9 } - $sequence_7 = { 488945e0 895128 488d0d332f0300 488b45d8 488908 488d0d950a0500 488b45d8 } - $sequence_8 = { 0fb68c2490000000 4c8d0501350300 4803da 4883f101 4803d9 482bfb 488bcb } - $sequence_9 = { ff15???????? 4885c0 7411 488bc8 ff15???????? 3bc6 0f84eb040000 } + $sequence_0 = { c3 4883ec38 488d05f9210300 41b91b000000 4889442420 e8???????? } + $sequence_1 = { 488b06 488bce 48896c2430 4c89742438 ff9098000000 85c0 488bce } + $sequence_2 = { f00fc101 83f801 751c 488b4530 488b8888000000 488d056ad40400 483bc8 } + $sequence_3 = { 488d57f8 488bcb e8???????? 488bc8 33c0 4885c9 7404 } + $sequence_4 = { 4881fb00100000 720d 488bcb e8???????? 488be8 eb11 4885db } + $sequence_5 = { f6d9 488903 1bc0 83e002 894308 488bc3 488b8c2480000000 } + $sequence_6 = { 83f801 7e18 83f802 7430 488d05a1940500 488901 4883c108 } + $sequence_7 = { 33c0 488bca f3aa 498bc8 e8???????? 90 } + $sequence_8 = { 4889442448 33ed 85ff 400f98c5 896c2450 8bcf } + $sequence_9 = { 48895c2408 57 4883ec20 488d99c8000000 488bf9 488d0505080200 488bd3 } condition: 7 of them and filesize < 1265664 
@@ -125513,36 +126214,36 @@ rule MALPEDIA_Win_Krbanker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d85e7258-981d-5cc6-a33a-cbcdd663368d" - date = "2026-01-05" - modified = "2026-01-06" + id = "3510fffa-0173-5cd5-afc6-be6b1c6982fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.krbanker_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.krbanker_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "e566b2d91c9e72b8d03a6b5c791e4e71a6dc723cd18d0207fd049c63356700fa" + logic_hash = "1a834be2227ecc2b12fc4935d053b1aeae77b26c9f0258726b1be0d0e7462f84" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895500 8b4104 894504 8b5108 895508 8b410c } - $sequence_1 = { 6a00 6a00 6801030080 6a00 6802000000 6805000080 } - $sequence_2 = { 23d0 8954244c eb08 c744244cffffffff 8d4c2424 } - $sequence_3 = { bb40010000 e8???????? 83c410 8945d0 ff75d0 ff75d4 } - $sequence_4 = { 8955e0 8d55d4 52 6a01 50 51 } - $sequence_5 = { e8???????? 47 4b 3bdd 0f8d5bffffff eb02 8bde } - $sequence_6 = { 75a4 dd442410 e8???????? 
8ad8 } - $sequence_7 = { c3 8b4c2420 8b542404 8d442408 50 51 } - $sequence_8 = { 50 8b5dec 8b1b 85db 7409 } - $sequence_9 = { 0faffa 46 3bf0 76cf } + $sequence_0 = { 23d0 8954244c eb08 c744244cffffffff 8d4c2424 } + $sequence_1 = { 894504 8b5108 895508 8b410c } + $sequence_2 = { 6874000000 6801000000 bb40010000 e8???????? 83c410 8945d0 6801010080 } + $sequence_3 = { 53 57 e8???????? 8bf0 83c40c 83feff 0f848f000000 } + $sequence_4 = { 7412 6802000000 e8???????? 83c404 d945d8 eb06 8955dc } + $sequence_5 = { c3 8b4c2420 8b542404 8d442408 50 51 } + $sequence_6 = { 83c410 8945e4 6801010080 6a00 6841000000 6801000000 bb40010000 } + $sequence_7 = { 894de8 8b4de8 8b55e4 8b45e0 } + $sequence_8 = { 6803000000 bb9c010000 e8???????? 83c428 8945ec } + $sequence_9 = { 57 8902 8b4104 894204 8b4108 894208 } condition: 7 of them and filesize < 1826816 
@@ -125552,75 +126253,75 @@ rule MALPEDIA_Win_Blackcat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d7e215c-b7ec-5d55-a8aa-0595745c47b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "147245f0-84ec-5795-8c4d-7890e426d2f2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackcat_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackcat_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "f613dd0b295abc7ed25049f8912ac5a26d116d8e5b2b8db308f5a3d66d3b2048" + logic_hash = "1e960d9ec2237cde0b75097904a089b8f30618d33f39f9e4f21e5b7a680bc6bf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4701 31c9 31d2 89460c 4f c745f000000000 } - $sequence_1 = { 3c02 7351 88c4 8975cc } - $sequence_2 = { 8945e8 0f83a1000000 85db 0f8499000000 803c3b5f } - $sequence_3 = { 81f902010000 747b e9???????? 8d81d6c3ffff 83f802 726b 81f9ed350000 } - $sequence_4 = { 31f6 c70201000000 c7420400000000 894208 c7420c00000000 0fb788d6040000 } - $sequence_5 = { c1e203 662e0f1f840000000000 90 85d2 7411 8b39 83c108 } - $sequence_6 = { 0f1f840000000000 6690 55 89e5 } - $sequence_7 = { 8b450c 89d6 8a10 80c2e6 80fa05 7779 } - $sequence_8 = { 80c230 8894056bffffff 48 e9???????? 
} - $sequence_9 = { 83c40c 84c0 0f858b010000 8d4704 } + $sequence_0 = { 897204 83780400 7416 c6410835 b801000000 eb12 8d7804 } + $sequence_1 = { e9???????? 8d4de4 6a03 e8???????? 83c404 8b45e4 8b55ec } + $sequence_2 = { 8b7508 8b7d0c c744245400000000 c744245000000000 c744245800000000 89542424 894c2420 } + $sequence_3 = { 8b461c 01f8 53 52 50 e8???????? 83c40c } + $sequence_4 = { 8b7de0 3955ec 75ba 8b45f0 8b7ddc 8b4de8 8938 } + $sequence_5 = { 8b4df0 0fb6d2 c7410c00000000 895108 897110 894114 b801000000 } + $sequence_6 = { 893a 897204 83780400 7416 c6410835 b801000000 eb12 } + $sequence_7 = { 89e5 8a01 04fe 3c05 7748 } + $sequence_8 = { 89f1 660f70c944 660fef0d???????? f30f7f442430 f30f7f4c2440 c744245c00000000 ff7008 } + $sequence_9 = { eb5a 8d770c c6471101 8d4de4 } condition: - 7 of them and filesize < 29981696 + 7 of them and filesize < 6313984 } rule MALPEDIA_Win_Xfscashncr_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08fa1629-5d24-53b4-85f4-eb31463ca09f" - date = "2026-01-05" - modified = "2026-01-06" + id = "67959928-435d-51a8-886a-05d309cc7e34" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xfscashncr_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xfscashncr_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "6e03028d0cfd23b56ac82a98bfd4131d910eac7c39a1c7a0b0fafa796b30a166" + logic_hash = "38d25d3277d16acd0ae222ce1c741d64603fcf05fcb8a79e50c3cbbc913f0abf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = 
"19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 741b 0fbe4d82 85c9 7413 8b4d10 e8???????? 0fbe10 } - $sequence_1 = { 8b4d18 e8???????? 8b8564ffffff 50 0fb64d1c 51 8b5514 } - $sequence_2 = { c1f805 8b4de0 83e11f c1e106 030c85c0195700 894de4 8b55e4 } - $sequence_3 = { 8d450c 50 e8???????? 83c408 0fb6c8 85c9 742a } - $sequence_4 = { 004fed 4e 0015???????? ed 4e 0000 0501050205 } - $sequence_5 = { 8955f4 8b450c 8b4d18 8d14c1 8955f8 8b4508 50 } - $sequence_6 = { 8b45d0 8b0c85c0195700 81c100080000 394de4 7366 8b55e4 c6420400 } - $sequence_7 = { d1f8 b902000000 c1e100 8b5508 0fb70c0a c1e10f 0bc1 } - $sequence_8 = { 8b55fc 0fb7040a 85c0 752f b902000000 c1e100 8b55fc } - $sequence_9 = { 0fb755a4 52 6a01 8b4524 50 8d4dd4 e8???????? } + $sequence_0 = { 89959cfbffff 83bd9cfbffff10 776a 8b859cfbffff 0fb688502c5100 ff248d382c5100 8b95f8fbffff } + $sequence_1 = { 8b450c 50 8b4d08 51 e8???????? 83c410 68b90b0000 } + $sequence_2 = { 898578ffffff 83bd78ffffff00 7526 68???????? 68???????? 6a00 68e9010000 } + $sequence_3 = { e8???????? 59 c3 8d8dc0fdffff e9???????? 8b8d38feffff e9???????? } + $sequence_4 = { 83c408 0fbf4df4 51 8d5510 52 e8???????? 83c408 } + $sequence_5 = { 8b4de4 51 8b55f4 8b4248 50 8b4d08 } + $sequence_6 = { ba01000000 6bd21a 81c2???????? 52 b801000000 6bc000 05???????? } + $sequence_7 = { c745d801000000 c745d400000000 eb12 8b45d4 83c001 8945d4 8b4dd8 } + $sequence_8 = { e8???????? 50 8d85c0fdffff 50 e8???????? 83c408 8985b8fdffff } + $sequence_9 = { 8b4508 c1f805 8b4d08 83e11f c1e106 8b0485c0195700 88540824 } condition: 7 of them and filesize < 3126272 
@@ -125630,36 +126331,36 @@ rule MALPEDIA_Win_Latentbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d1503e41-08e6-5adf-a875-66636893fe66" - date = "2026-01-05" - modified = "2026-01-06" + id = "2b2846e7-a549-5a22-9e74-a412529ab6cf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.latentbot_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.latentbot_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "c8242f2d9f053ebc06f18c04d8c5d76f7cd68171deb734a7f00fb470d56dc52c" + logic_hash = "c8304c357f93cd21f4858be07310d0cd7eab97fa741d9287595d4edc7f89418a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5f c3 55 8bec 8b4604 81ecdc020000 85c0 } - $sequence_1 = { 7505 be04000000 56 6800300000 8d44241c 50 6a00 } - $sequence_2 = { 8d4c2410 51 6aff ffd2 33c0 8703 } - $sequence_3 = { 8bc3 e8???????? 299ff42a0000 015e0c 295e10 015e14 8b87f42a0000 } - $sequence_4 = { ff5554 395d70 0f8689000000 833d????????06 752c 833d????????03 7434 } - $sequence_5 = { 83ec08 3bc2 7769 8d4c2404 51 8d542404 } - $sequence_6 = { 50 e8???????? 
0145f8 837df805 8945e8 72e7 } - $sequence_7 = { 7814 8d5002 85d2 7406 8d440802 eb02 } - $sequence_8 = { 8b413c 53 03c1 0fb74814 56 0fb77006 33db } - $sequence_9 = { 66890477 46 3bf3 72ea 33c0 66890477 } + $sequence_0 = { d1e8 894618 0f847d0a0000 83f803 0f846d0d0000 83f801 } + $sequence_1 = { 83e007 ff454c 888431801b0000 e9???????? 8bf8 81e7ff030000 } + $sequence_2 = { c21000 55 8bec 83ec2c 8365ec00 686a79fa99 } + $sequence_3 = { ff542460 8364244400 8d442428 89442438 8d442460 8bc8 } + $sequence_4 = { 59 59 33c0 c3 55 8bec 83ec38 } + $sequence_5 = { 8d4c2420 48 8d942430010000 8a01 48 ffc1 44 } + $sequence_6 = { 8d4598 50 ff7508 ff5620 8d4598 50 ff7608 } + $sequence_7 = { c70100000000 c7410400000000 897114 89791c c7411028000000 c7410800000000 8bd0 } + $sequence_8 = { 8b4d18 8b4550 0fb60c0a c16d5003 836d5803 83e007 ff454c } + $sequence_9 = { c7062a000000 e9???????? 83654800 c70622000000 e9???????? c70628000000 e9???????? } condition: 7 of them and filesize < 401408 
@@ -125669,36 +126370,36 @@ rule MALPEDIA_Win_Netsupportmanager_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "13acdf1c-aae7-5f3b-a339-4a965b00f439" - date = "2026-01-05" - modified = "2026-01-06" + id = "0f1d3844-5bc1-5784-a15f-71f2d33313fd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.netsupportmanager_rat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.netsupportmanager_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3b964c7562d1d913c21c0e25b573efbe6d24c01cca1047333434d5efeafe733c" + logic_hash = "2eaf0a14cf605bcfa7fa4971b72015b58dc722cb3878175d7ffb65f97581b58e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8b4530 83c62c 3bf0 7516 8b4538 83c004 } - $sequence_1 = { ffd7 68???????? 56 894344 ffd7 8b7508 89431c } - $sequence_2 = { e9???????? 8d8d4cffffff e9???????? 8d8dacfeffff e9???????? 8d8d6cffffff e9???????? } - $sequence_3 = { e8???????? 83f82a 7520 ba???????? 85d2 7417 6877270000 } - $sequence_4 = { ffd7 8b4620 50 ff15???????? 8b4e24 5f 66c741080000 } - $sequence_5 = { 8dbe88000000 c745fc06000000 8b07 85c0 7403 50 ffd3 } - $sequence_6 = { ff15???????? 5f 33c0 5e c3 68???????? 56 } - $sequence_7 = { e8???????? 
8b3d???????? 83c418 68???????? 56 ffd7 3bc3 } - $sequence_8 = { ff4020 8b7604 8b460c 85c0 740a 8b450c 85c0 } - $sequence_9 = { ff5254 83f8ff 0f8517020000 8b4514 8b16 50 57 } + $sequence_0 = { c7869400000000000000 8945ec c70000000000 c70700000000 0f85d5000000 8b4510 85c0 } + $sequence_1 = { f2ae f7d1 d1e9 8d55cc 51 52 e8???????? } + $sequence_2 = { ff5218 6a1e e8???????? a1???????? 83c404 3bc3 0f8595000000 } + $sequence_3 = { f3ab 8d45f8 8d8df0feffff 50 51 e8???????? 8bf8 } + $sequence_4 = { 8bd9 33ff 8d4dbc 897dec e8???????? 8db30d010000 897dfc } + $sequence_5 = { e8???????? eb14 3bf7 7410 8bce e8???????? 56 } + $sequence_6 = { e8???????? 53 894508 e8???????? 8b7ddc 8b1d???????? 83c40c } + $sequence_7 = { ff15???????? 8bf0 85f6 8975f8 0f8488000000 68???????? 56 } + $sequence_8 = { e8???????? c7865c02000001000000 c7863c02000001000000 5f 5e 8b4df4 64890d00000000 } + $sequence_9 = { eb03 895e2c 8b4df4 8bc6 5f 5e 5b } condition: 7 of them and filesize < 4734976 
@@ -125708,36 +126409,36 @@ rule MALPEDIA_Win_Katz_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c49e5ae3-476e-56a3-98bc-9b636f776fa6" - date = "2026-01-05" - modified = "2026-01-06" + id = "bde55bfb-328d-582b-b706-1df2d61f4bd0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.katz_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.katz_stealer_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.katz_stealer_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "fd471cd54233791d0b513e7355b1bd82a81ef2e5ff3948f16fb07b4227562780" + logic_hash = "3fece06f73acdaf2f0d86637cc8d424114a6d9900d5ed4c7cfdda3ff7f88d554" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd5 85c0 7516 6aff 5a 488b8c2480000000 ff15???????? } - $sequence_1 = { 31c9 e8???????? 4893 e9???????? 85f6 } - $sequence_2 = { 0f8517ffffff e9???????? 4889f9 ff15???????? 83f8ff 0f84ba030000 85db } - $sequence_3 = { 488b4c2470 e8???????? 488b5c2450 8b742460 39b42480000000 } - $sequence_4 = { e9???????? 4885d2 0f8429ffffff 488d0562f30000 4889842490000000 4c8b842490000000 } - $sequence_5 = { e8???????? 66490f6ec5 66480f6ee7 4889f1 f20f5ec4 488d15dab00000 f20f5905???????? } - $sequence_6 = { 488b8424b0070000 488d15663a0000 4889d9 488b04f8 448b4004 e8???????? 
} - $sequence_7 = { f3ab 488d15f64c0000 4889f1 488dbc2494050000 e8???????? 4885c0 7449 } - $sequence_8 = { 4c89c7 f3ab 488d0d075d0000 48b80100000006000000 4889842490020000 4c8d8c2480010000 } - $sequence_9 = { 4489c8 4883c468 5b 5e c3 f6c701 0f8477010000 } + $sequence_0 = { 4d85db 0f8473feffff 48c744245801000000 4b8d445afe 31d2 4889442450 668910 } + $sequence_1 = { 488d8c2448020000 e8???????? 4885c0 0f845e010000 4896 488d442438 41b919000200 } + $sequence_2 = { 4c8d05f6ae0000 5a 4889e9 e8???????? 4889e9 ff15???????? } + $sequence_3 = { 4885f6 7450 488b8c24780c0000 e8???????? 488364242000 4889f2 } + $sequence_4 = { 488d152d880000 4c89f9 e8???????? 85c0 0f85e9040000 4c8d05a2880000 ba04010000 } + $sequence_5 = { 488d15a1690000 488d8c2474040000 e8???????? 4897 4885ff 7454 4889fa } + $sequence_6 = { 488b05???????? 4889442448 f68424c005000010 0f85c6000000 4c8dbc24ec050000 4c8d8c24ac000000 ba04010000 } + $sequence_7 = { 4c8b442460 ba08020000 488d8c2410080000 ffd6 488b442468 488364243800 4531c9 } + $sequence_8 = { 410fb701 6685c0 75d0 41f7c300020000 0f85bb010000 31c9 48895c2470 } + $sequence_9 = { 4531c9 488b2d???????? 4889f1 4158 } condition: 7 of them and filesize < 238592 
@@ -125747,36 +126448,36 @@ rule MALPEDIA_Win_Selfmake_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14e0b71d-d2cd-519a-a7ac-d6d6b6506061" - date = "2026-01-05" - modified = "2026-01-06" + id = "07fdac44-2cb3-5222-82f9-fdcadc317366" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.selfmake_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.selfmake_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "08e1e6c97c92f2a3bf3c8dda29bd3cb3a7515a9d0a9d08d73c9a2b096d151fb4" + logic_hash = "635e27c7b3d38cdbf42f8154e54daa9018d5b0977042b1072b01d9b50bb94469" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? c644247801 837c244810 720d } - $sequence_1 = { c1e902 8bf2 f3a5 8bc8 83e103 6a0a f3a4 } - $sequence_2 = { 68???????? e8???????? 83c040 50 e8???????? 8b5608 8b4254 } - $sequence_3 = { 57 8d7c2414 e8???????? 83c404 83f8ff 751d 68???????? } - $sequence_4 = { 3bf3 760a 2bf3 eb08 8b5c246c ebe7 } - $sequence_5 = { 83c408 6818020000 6a00 8d8de0fdffff 51 e8???????? 83c40c } - $sequence_6 = { 8be8 6a1f 55 ff15???????? } - $sequence_7 = { 80387f 0f844e010000 8bc2 83f910 } - $sequence_8 = { 51 8b95a0fbffff 52 ff15???????? 8945f8 837df800 } - $sequence_9 = { 33c0 e9???????? 
8d95c0fbffff 52 } + $sequence_0 = { 8b4d0c 51 8d55f0 52 8b4dec } + $sequence_1 = { 8b45ec 0fbe08 894dfc 8b55e8 8b420c c70003000000 eb2b } + $sequence_2 = { 0fbec0 3bc2 731d 6a00 2bf8 6a01 } + $sequence_3 = { 55 68???????? 894c2418 03d9 e8???????? 83c040 50 } + $sequence_4 = { f7431000400000 8b7508 89742414 895c2428 } + $sequence_5 = { 8b4b2c 6a00 6a01 51 ffd0 8b16 83c604 } + $sequence_6 = { 68???????? e8???????? 83c40c ff15???????? a3???????? 68???????? } + $sequence_7 = { 6a00 e8???????? 5e 5d c20400 e9???????? 833d????????00 } + $sequence_8 = { c3 8b460c 53 3bc7 } + $sequence_9 = { 8d4e04 8b5614 2bd7 52 8b542410 03d7 } condition: 7 of them and filesize < 932864 
@@ -125786,36 +126487,36 @@ rule MALPEDIA_Win_Auriga_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "34318cf5-8b0c-5480-b67c-27a4f4ec96e2" - date = "2026-01-05" - modified = "2026-01-06" + id = "f63eadf1-7904-5ef6-85f0-77802d1f0795" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.auriga_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.auriga_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "916cc30b11a1636c868f6de19248b0e5c25381e64e7d76c56c161fbf71269000" + logic_hash = "2e66bf255be1de171c49cb4f15dfc11bec65479a2cb57d50a7d67deba40b6489" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 59 8945fc 897df8 763a } - $sequence_1 = { 83c10c 894df4 8b11 3b15???????? 755b 8bd0 2b55fc } - $sequence_2 = { ffd7 33c0 8985c0fbffff 8985ccfbffff 8985d0fbffff 8d85bcfbffff } - $sequence_3 = { 33c0 83c40c 8d7dec ab ab 33c0 6a20 } - $sequence_4 = { 59 648b01 8b400c 8b701c ad 8b4008 } + $sequence_0 = { a1???????? 85c0 7408 8b0d???????? } + $sequence_1 = { 7518 51 ff7508 e8???????? 3b05???????? a3???????? 
7513 } + $sequence_2 = { 894d80 33db 894d9c 8d4ddc } + $sequence_3 = { 8b45e8 03c7 803820 7503 } + $sequence_4 = { c1cf0d 03f8 ebf4 3b7c2428 75e1 } $sequence_5 = { 742d 8b430c 8b580c 53 ffd7 84c0 7420 } - $sequence_6 = { 8b0d???????? 03c1 3900 74f0 8b15???????? 56 } - $sequence_7 = { 59 59 8945fc 897df8 763a 8b45e8 03c7 } - $sequence_8 = { 0f8ce7010000 8d85e8f9ffff 50 8d85e0f9ffff } - $sequence_9 = { 8945e8 a1???????? 8b1c30 8bfb 8d45f0 8d5001 8a08 } + $sequence_6 = { 7407 b8010000c0 eb51 833d????????00 74f0 56 } + $sequence_7 = { 6a30 53 8b35???????? ffd6 8945e4 3bc3 750a } + $sequence_8 = { ffb5bcfbffff 8d85ccfbffff 50 ffd7 } + $sequence_9 = { 8b3c30 ff45ec eba1 8bc6 eb02 } condition: 7 of them and filesize < 75776 
@@ -125825,36 +126526,36 @@ rule MALPEDIA_Win_Rhttpctrl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c1f067f-4c03-5217-84ef-e2056be8411e" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0709115-4980-5221-8430-26746eaddf9e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rhttpctrl_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rhttpctrl_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "e08ad966d09dce27a6d8e5d5ac2bacf3849e80bd61e38dcdd72f40d98e9b8f3d" + logic_hash = "0d5f2c9302dd349ec78e91bf1381d6ac321cb006482302efe750d53313dcc6c2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { d1fe 6a55 ff34f5c0d54100 ff7508 e8???????? 83c40c 85c0 } - $sequence_1 = { ffd7 8b4c241c ff742410 8b35???????? 894114 ffd6 } - $sequence_2 = { 6a00 8d442418 50 8d4714 50 56 } - $sequence_3 = { 2bc3 39460c 0f8660ffffff 50 53 6aff ff7608 } - $sequence_4 = { 83c408 895f08 837f1400 c7471001000000 } - $sequence_5 = { 8b01 52 8d95f0d7ffff 52 ff5004 } - $sequence_6 = { 8d8424e4010000 6a00 50 e8???????? 
83c40c c68424c001000000 } - $sequence_7 = { c705????????090400c0 c705????????01000000 c705????????01000000 6a04 58 6bc000 c780f43b420002000000 } - $sequence_8 = { 3bc1 7410 50 e8???????? 83c404 0f1085c0feffff 8b4508 } - $sequence_9 = { 8b7d0c 8bd9 85ff 7417 803e52 750c 807e0145 } + $sequence_0 = { 52 c785d8feffff1c010000 898de4feffff c785e8feffff02000000 ffd6 6a01 6a08 } + $sequence_1 = { 8d442434 50 e8???????? 83c408 85c0 7510 8b5c2444 } + $sequence_2 = { e8???????? 83c40c 83c61d ffb5f0feffff ffb5ecfeffff 56 e8???????? } + $sequence_3 = { 85c9 7407 395004 7402 8811 8b4808 85c9 } + $sequence_4 = { 6a00 6a00 8945ec 8b450c } + $sequence_5 = { 8d4704 56 51 50 8d7101 } + $sequence_6 = { 84c0 740b 8937 46 81feffff0000 76e8 8b9dd0feffff } + $sequence_7 = { ff5004 8b5704 83ea10 f00fc1720c 4e } + $sequence_8 = { 740b 8937 46 81feffff0000 76e8 8b9dd0feffff } + $sequence_9 = { 8d85f0d7ffff 50 56 ffd3 } condition: 7 of them and filesize < 339968 
@@ -125864,36 +126565,36 @@ rule MALPEDIA_Win_Rctrl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "521dcb03-760d-5ed1-9bc0-cfe33a8e8406" - date = "2026-01-05" - modified = "2026-01-06" + id = "957bfbd2-cd15-53c8-906d-2ba3b32154e0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rctrl_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rctrl_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "3aa1e790ecad0aeaad15ec64d74fdf04a1c9b1767736a5ae9f383b695d1cefd0" + logic_hash = "41d67828bd5cd0d3a848db8c668a883d749583eba8e7c1da637587685e42750e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41 0024bf 41 00558b ec 81ec90000000 a1???????? } - $sequence_1 = { e8???????? c3 83795c00 7405 } - $sequence_2 = { 7507 32db e9???????? 6890010000 8d8564fcffff 6a00 50 } - $sequence_3 = { e8???????? cc 55 8bec 837d0c00 57 8bf9 } - $sequence_4 = { 8b02 3b07 7536 52 e8???????? 83ceff 8985c8fbffff } - $sequence_5 = { b801000000 833d????????00 0f8516710000 ba05000000 8d0dd0185a00 e8???????? 5a } - $sequence_6 = { ffb3780b0000 8d4d80 6a00 6a00 56 50 e8???????? } - $sequence_7 = { 8bc7 8b55cc 83c2f0 f00fc1420c 48 85c0 7f08 } - $sequence_8 = { 84c0 75f9 2bce 51 52 e8???????? 
6a00 } - $sequence_9 = { e9???????? 8d8de0fcffff e9???????? 8d8de8fcffff e9???????? 8d8d00fdffff e9???????? } + $sequence_0 = { ff500c 83c010 8906 8b5508 c745fc00000000 85d2 743a } + $sequence_1 = { 56 57 ff7518 8b7dfc ff7514 ff7510 } + $sequence_2 = { 59 59 5f ebc7 55 8bec } + $sequence_3 = { eb04 ddd8 33c0 5e 5d c20800 6a08 } + $sequence_4 = { 6a00 f3a5 50 e8???????? 8b8540f9ffff 8945b8 8d8530f5ffff } + $sequence_5 = { 5d c22000 33c0 c7410c01000000 894104 8901 894108 } + $sequence_6 = { 8b4508 33c9 668908 56 ff15???????? } + $sequence_7 = { b920030000 c78540ffffff681c5800 be90010000 899d44ffffff ba58020000 89b564ffffff } + $sequence_8 = { 8d0411 99 8bcb 2bc2 89bd70ffffff d1f8 89bd50ffffff } + $sequence_9 = { 85f6 7851 8b07 b901000000 2b48fc 8b40f8 } condition: 7 of them and filesize < 4315136 
@@ -125903,43 +126604,44 @@ rule MALPEDIA_Win_Photoloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e57491c-6cec-54b0-9e33-36f4eaa437c4" - date = "2026-01-05" - modified = "2026-01-06" + id = "6c751be1-c2cb-5243-adb8-0d3b0ee080b0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.photoloader_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.photoloader_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "2f15d6b5866c53e3831e42ccf3580d949b52efae89debdf96aad0057ebcc65ac" + logic_hash = "4ef9abae65ee48675c18344bccc98eacf875c4cac6a37cb56292b6b1626aa103" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fa2 894704 33c9 b800000040 0fa2 } - $sequence_1 = { 8bf7 8d6f10 ff15???????? 0f31 } - $sequence_2 = { c0c003 0fb6c8 8bc1 83e10f } - $sequence_3 = { ff15???????? 25ffffff00 0d00000005 e9???????? 8bd7 } - $sequence_4 = { b800000040 0fa2 895f0c e8???????? } - $sequence_5 = { f7411400000020 7407 8b41f8 3901 7714 } - $sequence_6 = { 7512 ff15???????? 
25ffffff00 0d00000007 eb4a 397b1c 7629 } - $sequence_7 = { f7f1 438b4cd314 4803cb 4903c9 418d0411 } - $sequence_8 = { 33c9 b801000080 0fa2 0fbae216 7307 } - $sequence_9 = { b90b010000 66394a18 8d41ed 448d59fd 440f44d8 4533c9 4c03da } - $sequence_10 = { 33ff 2175fc 85ff 751d } - $sequence_11 = { 89470c e8???????? 894708 5f 5e 5d 5b } - $sequence_12 = { 0fb6c3 8d95e8fdffff f7d8 1bc0 f7d0 25???????? } - $sequence_13 = { 57 8bfa ff15???????? 8bac2434010000 25ffffff7f 8b9c2438010000 } - $sequence_14 = { 8d461e 50 68???????? 8d1c31 } - $sequence_15 = { 8bc8 2bfa 66890c17 46 8d5202 } - $sequence_16 = { 6a44 5e 56 33db 8d442424 53 } + $sequence_0 = { 25ffffff00 0d00000005 e9???????? 8bd7 397b1c 7640 } + $sequence_1 = { f7411400000020 7407 8b41f8 3901 } + $sequence_2 = { 0fa2 894704 33c9 b800000040 } + $sequence_3 = { 33c9 b800000040 0fa2 895f0c } + $sequence_4 = { 33ff 8bf7 8d6f10 ff15???????? 0f31 } + $sequence_5 = { c0c003 0fb6c8 8bc1 83e10f } + $sequence_6 = { e8???????? 85c0 7512 ff15???????? 25ffffff00 0d00000003 } + $sequence_7 = { 7417 448bc2 0f31 48c1e220 480bc2 } + $sequence_8 = { 4c03da 4585c0 7420 498d4b10 f7411400000020 } + $sequence_9 = { 488bcd ffd0 ff15???????? 25ffffff00 } + $sequence_10 = { 7512 ff15???????? 25ffffff00 0d00000007 eb4a 397b1c 7629 } + $sequence_11 = { 55 33ed c744241804000000 56 } + $sequence_12 = { 7461 8d4c2410 51 8d4c2424 51 53 } + $sequence_13 = { 89742414 eb1b 8d4101 89742414 89442410 8d4601 } + $sequence_14 = { 759a 50 51 53 55 } + $sequence_15 = { 03f8 8d0c7b e8???????? 03f8 } + $sequence_16 = { 8bf9 33f6 33c9 0fa2 894500 } + $sequence_17 = { 7504 8907 8bf0 8d6c2410 33c9 b801000080 } condition: 7 of them and filesize < 107520 
@@ -125949,36 +126651,36 @@ rule MALPEDIA_Win_Derusbi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c6e0e6e7-cbdf-5891-a775-1ae225a23d68" - date = "2026-01-05" - modified = "2026-01-06" + id = "25ba9766-84c3-5e6f-8fc7-ad21ccc0accb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.derusbi_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.derusbi_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "36fd1aba73e044d12574f8ec4270d71e7197a2500df09c018d411307abbf5635" + logic_hash = "519bf5263f034b4d816c8d61db89645803d0c1857321f7a4a03bad90b2aaf5b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 75be 8b45c8 895db0 895dac 3bc3 0f84affeffff } - $sequence_1 = { 72e4 5e c3 55 8bec 51 53 } - $sequence_2 = { 6810040000 ff15???????? 8985f8fdffff 85c0 7464 } - $sequence_3 = { ff7508 ff15???????? 8bf0 59 85f6 740f ff7508 } - $sequence_4 = { 56 89442418 57 8d442424 50 8d44242c 50 } - $sequence_5 = { 83c108 3d00040000 72f1 e9???????? 215cc70c 8d5cc710 } - $sequence_6 = { 50 ff15???????? 83c40c 56 8d4c2470 51 889c2407010000 } - $sequence_7 = { 83c40c 8d45dc 50 ff15???????? 
83f8ff 740d a810 } - $sequence_8 = { 53 50 ffd6 83c40c 8d442424 50 8d84242cbc0200 } - $sequence_9 = { 8d85b8f7ffff e8???????? 59 33c9 85c0 7e25 80b40db8fbffff99 } + $sequence_0 = { 751a 398644040000 7512 3b864c040000 7722 7208 3b8e48040000 } + $sequence_1 = { a1???????? 33c5 8945fc 8b4508 53 56 8985d0fdffff } + $sequence_2 = { 50 ff15???????? 50 8d8424f8000000 50 ff15???????? 83c40c } + $sequence_3 = { 8bf8 83ffff 7432 6a00 8d85d4fdffff 50 ff35???????? } + $sequence_4 = { 56 68???????? 8d85fcfbffff 53 50 ff15???????? 8b3d???????? } + $sequence_5 = { 740b 2bd8 75dd 33c0 e9???????? ff15???????? 894604 } + $sequence_6 = { ff15???????? 85c0 752c ff15???????? ff75f8 8b35???????? } + $sequence_7 = { 0f84e0000000 8b442414 83c014 83f81c 7303 6a1c 58 } + $sequence_8 = { 85db 0f8ead000000 8b85acf7ffff 8985b4f7ffff 6a2c 57 } + $sequence_9 = { 8b3d???????? 8bf1 898558ffffff 8d9d64ffffff c78560ffffff18000000 6a00 ffb560ffffff } condition: 7 of them and filesize < 360448 
@@ -125988,36 +126690,36 @@ rule MALPEDIA_Win_Clambling_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "76c3ecc2-3249-54dd-85de-02fe8ad874ce" - date = "2026-01-05" - modified = "2026-01-06" + id = "3e48a631-6b3f-574d-9024-9b07fa4a08b0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.clambling_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.clambling_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "95ebecd5667958656960c5343bf195152cd54c7954e81daf96b602e90195edba" + logic_hash = "e92df890e550a324f897959e843521eecd464c3badb0618706ca33cbb43bcce4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bc6 746f 488d8424a8010000 448d4612 488d8c24a0010000 } - $sequence_1 = { 44896c2428 895c2420 e8???????? e9???????? ff15???????? 3bc6 } - $sequence_2 = { 440fb75c2440 66453bdd 7f0b 0fb7442442 66413bc7 } - $sequence_3 = { 7507 66893d???????? 488b0d???????? 488d542430 ff15???????? 448b442430 33d2 } - $sequence_4 = { 7412 48ffc3 4883c010 4881fb00040000 } - $sequence_5 = { ffd0 483bdf 7409 488bcb ff15???????? 33c0 488b5c2438 } - $sequence_6 = { 4c8d442470 8d5601 4889442420 ff15???????? } - $sequence_7 = { 488b542470 488b8c24a8010000 ff15???????? 8907 eb08 ff15???????? 
} - $sequence_8 = { 8bc3 eb02 33c0 4883c470 415d 5f } - $sequence_9 = { 893d???????? ff15???????? 3bc7 7507 66893d???????? } + $sequence_0 = { 4c8be0 89742420 ff15???????? 488bf0 } + $sequence_1 = { 4883ec30 488b4108 458bc8 4533c0 498943e8 } + $sequence_2 = { 8b442450 83f801 7419 83f802 7414 83f803 7508 } + $sequence_3 = { 4883ec30 33db 488bf9 215c2448 48215c2458 ff15???????? 4c8d442458 } + $sequence_4 = { ff15???????? 83f8ff 7524 ff15???????? 418bd7 488bcf 8bd8 } + $sequence_5 = { ff15???????? 488b742478 8bc3 488b5c2470 4883c460 } + $sequence_6 = { 33f6 33d2 4c8bc3 6689b0c8fbffff } + $sequence_7 = { 33d2 c744242038020000 895818 8bf3 e8???????? } + $sequence_8 = { 83f802 7414 83f803 7508 } + $sequence_9 = { 89442428 4533c0 488bd6 48897c2420 ff15???????? 488b4c2450 } condition: 7 of them and filesize < 412672 
@@ -126027,36 +126729,36 @@ rule MALPEDIA_Win_Common_Magic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "af63221a-d89f-5b5e-b536-f2130b5cebfc" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b8ec34f-64ef-5d8b-a9f9-cff72a12d1a9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.common_magic_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.common_magic_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "20951a1a53280d6d98a10f242cdfcf681eb6a68d19880713aace683e29423308" + logic_hash = "57cdd1e579da97572bf4d420f494a264192cff56dd86f56812a8f1acb0926b5e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 59 5d c20400 e8???????? 85c0 0f84c02e0000 } - $sequence_1 = { 885c012e 8b049570804100 804c012d04 46 } - $sequence_2 = { 8d8de8fdffff c685a4fdffff00 51 ffb5a4fdffff 8d8dacfdffff } - $sequence_3 = { 68???????? 51 50 51 ffb580feffff 8d8d5cffffff e8???????? } - $sequence_4 = { 83c404 c645fc03 8b8d70ffffff 83f908 } - $sequence_5 = { 0f1f4000 0f1f840000000000 a1???????? 
c7855cffffff00000000 } - $sequence_6 = { ff7610 50 8d45c8 50 ffd7 } - $sequence_7 = { 75e8 8b7dd4 8b55c4 8d4dd4 8b45e8 8bf2 } - $sequence_8 = { 85c0 0f84c02e0000 c3 833d????????ff 7503 33c0 c3 } - $sequence_9 = { 90 668b0431 663b01 750a 83c102 83ea01 75ef } + $sequence_0 = { 0f438d14ffffff 837f1408 7202 8b37 8b5710 } + $sequence_1 = { 8b8d54ffffff 2bc1 c745dc43006c00 c745e065006100 c745e46e002e00 c745e865007800 c745ec65000000 } + $sequence_2 = { 6bc938 8b048570804100 0fb6440828 83e040 5d c3 e8???????? } + $sequence_3 = { 8a8750754100 08441619 42 0fb64101 } + $sequence_4 = { 8d45c8 897dac b941000000 c745cc4f004700 } + $sequence_5 = { c78598feffff07000000 66898584feffff 83f908 7235 8b95fcfeffff 8d0c4d02000000 } + $sequence_6 = { 746e 8b4dfc 8d7823 8b55f8 83e7e0 8947fc eb19 } + $sequence_7 = { 51 ffb580feffff 8d8d5cffffff e8???????? 838d78feffff06 8d8de4feffff 83bdf8feffff08 } + $sequence_8 = { 668b040e 663b01 7517 83c102 83ea01 75ef 8b45e8 } + $sequence_9 = { 8d8068754100 8945e4 803800 8bc8 7435 8a4101 84c0 } condition: 7 of them and filesize < 212992 
@@ -126066,36 +126768,36 @@ rule MALPEDIA_Win_Unidentified_103_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b558874c-ad8a-53b0-9aa8-68edfb2b5b00" - date = "2026-01-05" - modified = "2026-01-06" + id = "64622a9f-f4c8-5d4f-9dcc-725cd2a73291" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_103_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_103_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "53bab14606fb94c26c9c4250a4ba5d5b69e3e483ae51cdbc9cd021b3f09f3c4b" + logic_hash = "c4457a2e96653608dbfd3d34bd6343ff7e25cef91bacc5bf1546231e59399b05" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89c3 ffd6 897c2408 c744240400000000 890424 ff942488000000 } - $sequence_1 = { 897c2434 8bbc2450010000 894c2430 8b8c244c010000 } - $sequence_2 = { 8944246c 8d842419010000 c784241901000061647661 c784241d01000070693332 c78424210100002e646c6c 890424 } - $sequence_3 = { 8b3c24 85ff 743a c6012d c6441e0200 89d3 0fb60c06 } - $sequence_4 = { 8b8424c4000000 ffd0 83ec04 c684249001000000 8dac240c060000 c78424c403000000000000 } - $sequence_5 = { 8b842440010000 89442418 8b842438010000 89442414 8b8424d0000000 8b00 89442404 } - $sequence_6 = { 8d54244a 83c001 
803c0200 75f7 8b8c2498000000 c744240c34020000 } - $sequence_7 = { c78424a60000007072696e c68424ac00000000 e8???????? b865000000 31db c784241c03000028010000 c7842433010000576d6950 } - $sequence_8 = { 89442404 c78424d201000052656164 c78424d601000046696c65 c68424da01000000 e8???????? 891c24 8984241c010000 } - $sequence_9 = { 897c2420 8bbc2444010000 897c241c 8bbc2440010000 897c2418 8bbc2488010000 } + $sequence_0 = { 8b442470 c744243008000000 c744243400000000 89442418 8b44246c 89442414 8d442430 } + $sequence_1 = { 8bbc2444010000 897c241c 8bbc2440010000 897c2418 } + $sequence_2 = { 8b742460 8b7c2464 896c2410 8b442440 } + $sequence_3 = { c744240401000000 c7042402000000 ff9424ec010000 83ec0c 8906 83f8ff } + $sequence_4 = { 85c0 75e2 8b3c24 89f2 } + $sequence_5 = { e8???????? 31c0 c78424ec05000063686370 c78424f005000020363530 c78424f405000030310a00 83c001 803c0300 } + $sequence_6 = { 897828 8bbc2458010000 89782c 8bbc245c010000 897830 8bbc2480010000 897834 } + $sequence_7 = { 396a04 75e2 8b4210 85c0 7514 8b07 8b5f3c } + $sequence_8 = { 891c24 89442404 e8???????? 83c420 89f8 5b 5e } + $sequence_9 = { 89742404 892c24 89c2 80ce02 81e300000004 0f45c2 8d54241c } condition: 7 of them and filesize < 188416 
@@ -126105,36 +126807,36 @@ rule MALPEDIA_Win_Innaput_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d86d59ae-6efa-5db2-8e1b-5b4757eca710" - date = "2026-01-05" - modified = "2026-01-06" + id = "422dfd82-e226-5a8e-9d2c-79d5bd2e6ebc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.innaput_rat_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.innaput_rat_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "9400019d5ff97dc8155c2ec12b684baeeb0d9d8ecccb4529f4b2a8b8f06ad889" + logic_hash = "d02c037df8056caadb43216129d9b47bf6e5121ddfb6ddf5397fb57756c8baa8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffb720060000 8d8f1c060000 51 ffb718060000 } - $sequence_1 = { 85c0 7427 ffb720060000 8d8f1c060000 51 } - $sequence_2 = { 8bf8 33c0 893b ab } - $sequence_3 = { ff15???????? ffb718060000 ff15???????? 85c0 750c ffb71c060000 ff15???????? } - $sequence_4 = { ff15???????? 85c0 750c ffb71c060000 ff15???????? 57 e8???????? } - $sequence_5 = { 59 8bc6 3bf3 75ed } - $sequence_6 = { 751b 53 53 53 } - $sequence_7 = { ff15???????? 85c0 750c ffb71c060000 ff15???????? } - $sequence_8 = { 85c0 7413 3bc6 740f 8b4d08 e8???????? 
3b450c } - $sequence_9 = { 2bf1 8a08 884c0616 40 84c9 75f5 } + $sequence_0 = { 68???????? 8d85c8fdffff 50 ffd6 85c0 } + $sequence_1 = { 2bf1 8a08 884c0616 40 84c9 75f5 } + $sequence_2 = { 8bec 56 33f6 46 eb1a 68c8000000 6a00 } + $sequence_3 = { ff15???????? 85c0 750c ffb71c060000 ff15???????? 57 e8???????? } + $sequence_4 = { 740f 8b4d08 e8???????? 3b450c 72d9 } + $sequence_5 = { 8a08 884c0616 40 84c9 } + $sequence_6 = { ff15???????? 85c0 7413 3bc6 740f 8b4d08 } + $sequence_7 = { 8bd0 8bce 2bca 8d5134 } + $sequence_8 = { 751b 53 53 53 6a06 6a01 6a02 } + $sequence_9 = { 85c0 750c ffb71c060000 ff15???????? 57 e8???????? } condition: 7 of them and filesize < 73728 
@@ -126144,41 +126846,42 @@ rule MALPEDIA_Win_Zxxz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6bed2c22-407f-5c6f-838c-89149563448f" - date = "2026-01-05" - modified = "2026-01-06" + id = "d9eb3f1f-ebae-5e2a-a481-441f696b828e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zxxz_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zxxz_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "9578e76393d5b7664234570897b9446d75c18108dd9f2d16b199e15d869c1364" + logic_hash = "65572d79e5990af47836e788f5829e7ffd3cb87c450ab3af8c0b48c5e790a501" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd3 e8???????? 6830750000 ffd3 6a01 6a00 } - $sequence_1 = { 68fa000000 50 ffd5 83c40c 68???????? 8d4c2414 } - $sequence_2 = { c605????????01 6830750000 ffd3 68???????? } - $sequence_3 = { c20400 8bfe 83cf0f 81ffffffff7f 7627 } - $sequence_4 = { 8d4c2430 c744241401000000 c644242400 ff15???????? 8bc5 8b4c241c } - $sequence_5 = { 83c404 e8???????? 803d????????00 7435 33c0 68fe1f0000 } - $sequence_6 = { ff7508 8945f4 6a00 68e9fd0000 ffd0 } - $sequence_7 = { 51 ff55ec 83c404 8bc6 8bcf 8901 } - $sequence_8 = { 6a01 6a01 68???????? ffd7 a1???????? 
2bc3 } - $sequence_9 = { 8b01 ff5004 c745fcffffffff 8b9558feffff 83c2f0 } - $sequence_10 = { eb23 03c8 c744241c01000000 83fa02 770c 8079fe3d 7506 } - $sequence_11 = { 33c0 68f8000000 8bd9 50 } - $sequence_12 = { c705????????1cb94000 7410 a1???????? 85c0 7407 50 } - $sequence_13 = { 85c0 0f84ef000000 eb06 8bc7 8930 } - $sequence_14 = { 8bc6 8931 6a00 6a00 53 } + $sequence_0 = { 8b35???????? 83c404 68???????? 681c020000 } + $sequence_1 = { 8b2d???????? 85c0 741a 8d442410 50 } + $sequence_2 = { 85f6 0f844a010000 8b0d???????? 8b07 } + $sequence_3 = { 6a00 50 e8???????? 8dbc2464020000 83c40c 4f } + $sequence_4 = { 83e103 f3a4 83f810 722b 8d4801 8bc3 81f900100000 } + $sequence_5 = { 50 6802020000 ff15???????? 85c0 0f8556010000 68???????? } + $sequence_6 = { 83c404 68fa000000 8bcf 6a00 51 e8???????? 8b0d???????? } + $sequence_7 = { bf???????? e8???????? 83c404 57 ff15???????? 8b35???????? } + $sequence_8 = { 8b45c4 8945e4 ff774c ff15???????? 83c410 8945c4 83f8ff } + $sequence_9 = { e8???????? 8b1d???????? 83c404 803d????????00 7415 } + $sequence_10 = { 0f4315???????? 8b3d???????? 8b8de0feffff 2bc1 57 } + $sequence_11 = { 84c0 75f6 a0???????? 68f4010000 8807 ff15???????? 6a00 } + $sequence_12 = { 83c40c 8d4c2404 51 8d542414 52 6a00 68ffff0000 } + $sequence_13 = { 68???????? ffd6 83c40c c605????????01 5f } + $sequence_14 = { ff75e4 50 6aff 56 6a00 } + $sequence_15 = { 7414 0f1f440000 3c20 7403 8801 41 } condition: 7 of them and filesize < 4142080 
@@ -126188,42 +126891,42 @@ rule MALPEDIA_Win_Alureon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "117dd26b-ed24-54a6-81be-757a69affa6d" - date = "2026-01-05" - modified = "2026-01-06" + id = "6b3df0b2-18d6-5c71-84b0-99b1fa393a55" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alureon_auto.yar#L1-L175" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alureon_auto.yar#L1-L175" license_url = "N/A" - logic_hash = "9eb93e11f255dfd7233db5216742e55bd1642de34cc4ea7abe163cf90bc56063" + logic_hash = "d1337818060e1faa6c9ccaf02ea2d21121701238579c72d130738da6cbb0e301" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895d14 7439 49 d1e9 41 894df8 8b4d14 } - $sequence_1 = { 6a60 59 32c0 8d7c2420 } - $sequence_2 = { 45 33d2 0fb74158 d1e8 44 } - $sequence_3 = { 49 8d541d2c 45 8be3 49 8bfb } - $sequence_4 = { 8bc3 c1e808 88442440 8954242c } - $sequence_5 = { 68000010c0 8d45fc 50 c745d818000000 895ddc c745e440000000 895de8 } - $sequence_6 = { 49 8bfb 44 2b6330 8b0a 48 } - $sequence_7 = { 668b85a0fbffff 8b4df4 8b3d???????? 66894108 } - $sequence_8 = { 5f 8d442454 89442428 8d442420 50 } - $sequence_9 = { 75f9 ff75b4 8d4dbc 2bc6 8b35???????? 51 } - $sequence_10 = { 50 68???????? a4 ff15???????? 
8bc3 8d7001 8a08 } - $sequence_11 = { ff742428 ff15???????? 8bf8 83ffff 7507 33c0 eb43 } - $sequence_12 = { beff000000 33db 56 8d85f9fcffff 53 50 } - $sequence_13 = { 8d9c2400050000 e8???????? 8bc3 50 33db 53 53 } - $sequence_14 = { 8bf8 83c418 85ff 7504 32c0 } - $sequence_15 = { e8???????? be00030000 83c418 8975ec c745f000010000 895df8 56 } + $sequence_0 = { 83c0f8 743e 44 8d50ff 41 d1ea } + $sequence_1 = { 48 ffc5 48 8d44ad00 } + $sequence_2 = { 0fb74314 8b7350 57 56 8d441818 } + $sequence_3 = { 7511 8b0a 41 81e0ff0f0000 4b 8d0403 } + $sequence_4 = { 72e0 4d 634b3c 4d 03cb 0f84fa010000 } + $sequence_5 = { 02ca 004dfd 0fb64dfd 8d8c0dfcfeffff 8a19 } + $sequence_6 = { 75d1 8b7df4 8b4514 85f6 75b0 } + $sequence_7 = { 41 8bb1b4000000 49 8d1403 eb4f 8b4204 48 } + $sequence_8 = { 56 6a01 53 ff15???????? 53 89442414 } + $sequence_9 = { 56 56 6a08 56 57 ff15???????? 8b2d???????? } + $sequence_10 = { 50 ff75f8 ff75e8 ff15???????? 85c0 7527 } + $sequence_11 = { 53 8d8424b0000000 89842488000000 6a01 8d44247c 50 } + $sequence_12 = { 7527 8d85e4fbffff 50 e8???????? 84c0 59 } + $sequence_13 = { 59 c3 33c9 394c2408 7614 8b442404 8ad1 } + $sequence_14 = { 895c246e c7442472832c240a c6442476b8 89442477 } + $sequence_15 = { 81ec58010000 56 57 6a00 6a00 8d45ac 50 } condition: 7 of them and filesize < 278528 
@@ -126233,66 +126936,66 @@ rule MALPEDIA_Win_Rm3_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ae32a8ae-4008-5a29-ba53-9431479c4978" - date = "2026-01-05" - modified = "2026-01-06" + id = "55974a73-f2ee-57f4-9fb2-9af114dc90d9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rm3_auto.yar#L1-L393" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rm3_auto.yar#L1-L372" license_url = "N/A" - logic_hash = "04a502f8c76326d2d2ff87950393542f221575ef954be32116492ddddf4bc28b" + logic_hash = "1bed90ec4522c70ac09c22db83604c066c1ea6e59d91187470276c98decc4f24" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 8b483c 03c8 0fb74106 8365f800 } - $sequence_1 = { 897104 8b4808 ff7004 034c240c 8b00 51 } - $sequence_2 = { 7303 8975f8 8b45f8 83c628 ff4dfc 85c0 7505 } - $sequence_3 = { 53 8945fc 0fb74114 56 57 8d740818 } - $sequence_4 = { 8b4508 3b460c 7247 8b7938 8b4608 8b513c } - $sequence_5 = { 56 57 8d740818 8b4508 3b460c 7247 } - $sequence_6 = { 8b460c 03c2 394508 7303 8975f8 8b45f8 } - $sequence_7 = { f7d2 23fa 3bf8 7609 8b413c 8d5418ff } - $sequence_8 = { 8bec 51 837d0804 53 56 6a57 } - $sequence_9 = { 8bf0 6a08 8d7e10 5a 8bc7 8d4df8 e8???????? } - $sequence_10 = { 56 57 8bd8 8bf9 8db5f0feffff 8bce 8d041b } - $sequence_11 = { 8bc6 e8???????? 
56 ff7510 8d8df4feffff 51 ff7508 } - $sequence_12 = { 51 8365fc00 56 8d4508 50 6a08 } - $sequence_13 = { e8???????? ff7518 8d8578ffffff 50 50 8bc8 e8???????? } - $sequence_14 = { 8d856cfeffff ff750c 8d8de8fdffff 50 e8???????? ff7518 } - $sequence_15 = { 8bc6 e8???????? 6a58 6a00 56 e8???????? 83c40c } - $sequence_16 = { 4883ec30 488b05???????? 4c8ba42480000000 498bf1 4c8b90b0000000 } - $sequence_17 = { 4833d0 488bc2 48c1e81b 4833d0 488bc2 480fafc3 488901 } - $sequence_18 = { 4883ec50 418bf0 4c8b05???????? 498bf9 4d8b80c8000000 488bea 4c8d48d8 } - $sequence_19 = { 4c8d443b80 488d48b8 488d5098 e8???????? 85c0 0f84f0000000 8b4c2470 } - $sequence_20 = { 3c41 7204 3c5a 763e 3c61 7204 3c7a } - $sequence_21 = { ff15???????? 85c0 8bd8 0f8560020000 8a442431 3c02 } - $sequence_22 = { 4885c0 488bd8 742f 8d4f01 448bce } - $sequence_23 = { 488bc3 48c1e80c 4833d8 488bc3 48c1e019 4833d8 488bc3 } - $sequence_24 = { eb0a 8b45ec 83c410 5e 5f } - $sequence_25 = { 8945e8 7442 ebcf 8b45dc b931000000 8b15???????? } - $sequence_26 = { 83ec28 31c0 31c9 8945fc } - $sequence_27 = { e8???????? 8d0d84308702 31d2 8b75f0 89460c 890c24 } - $sequence_28 = { 8b4dec 89c2 83c201 89ce } - $sequence_29 = { 31c9 ba03000000 8d75f1 83ec0c } - $sequence_30 = { 8d95f1fbffff c785ecfbffff00000000 8db5ecfbffff 8b3d???????? 56 68ff030000 52 } - $sequence_31 = { 8995d8fbffff 89b5d4fbffff e8???????? 83c40c 8b85d4fbffff 50 e8???????? } - $sequence_32 = { 8b7138 891424 c744240400000000 89742408 8945dc e8???????? 8b45e0 } - $sequence_33 = { 894de0 0f84ca000000 8b45cc 8b08 8b55ec 035010 } - $sequence_34 = { 8b4048 8945b0 8b45b4 8b4040 8945ac } - $sequence_35 = { 51 ffd0 8b0d???????? 8b95e4fbffff } - $sequence_36 = { 8b8dccfbffff 51 8bb5e0fbffff 56 } - $sequence_37 = { 89442404 c744240800000000 8954240c 8b4590 894d80 ffd0 } - $sequence_38 = { 89cf 83c710 89957cffffff 898d78ffffff 89bd74ffffff 89b570ffffff } - $sequence_39 = { 890c24 c744240400000000 8955dc e8???????? 
8d0d77318702 890424 894c2404 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 23d0 8b460c 03c2 394508 } + $sequence_1 = { 8b4138 8b5608 8d5410ff 48 f7d0 23d0 } + $sequence_2 = { 8d5418ff eb0a 8b4138 8b5608 } + $sequence_3 = { 8b00 51 03c2 50 e8???????? 83c40c } + $sequence_4 = { 03c8 0fb74106 8365f800 53 } + $sequence_5 = { 23fa 3bf8 7609 8b413c } + $sequence_6 = { 8d740818 8b4508 3b460c 7247 } + $sequence_7 = { 7505 3945fc 759f 5f 5e } + $sequence_8 = { 8db5f0feffff 8bce 8d041b 51 8945f8 e8???????? 57 } + $sequence_9 = { 41 ff4508 ff4d0c 885405fc 40 83f803 7ce4 } + $sequence_10 = { 83c704 83c604 837dfc00 75de 8d85f0feffff 50 } + $sequence_11 = { 50 8db4b558feffff 894510 56 8bc3 } + $sequence_12 = { 56 ff7510 8d8df4feffff 51 } + $sequence_13 = { 57 8bc3 8d8d58feffff e8???????? } + $sequence_14 = { 8bcb 8d9568ffffff 8bc6 e8???????? ebd2 } + $sequence_15 = { 50 e8???????? ff7518 8d85f0feffff ff750c 8d8d6cfeffff } + $sequence_16 = { e8???????? 483bc3 488bf8 7416 } + $sequence_17 = { eb8c ff15???????? 8bd8 4885ff 7412 488b0d???????? 4c8bc7 } + $sequence_18 = { 8803 4883c601 4883c301 4883ef01 75a0 } + $sequence_19 = { 754f 8d5001 8d480f e8???????? } + $sequence_20 = { 448be0 7476 4c8d6e78 498bcd e8???????? 488b4c2460 488b6e20 } + $sequence_21 = { 83e802 85c0 7e20 488d4c243c 8b01 4183c001 4883c104 } + $sequence_22 = { 488bf9 488d4c2450 498bd8 ff15???????? 4c8b1b 8364242800 4c015c2450 } + $sequence_23 = { e8???????? f7d0 31470c 488b0d???????? 4c8bc3 33d2 ff15???????? } + $sequence_24 = { 01ce 83f900 0f44f2 8b0e 83f900 } + $sequence_25 = { 894dec 8955e8 8975e4 8945e0 0f84f2000000 8b45f0 } + $sequence_26 = { 56 8985d0fbffff 8995ccfbffff 898dc8fbffff ffd7 83f800 } + $sequence_27 = { a1???????? 8b8de0fbffff 51 ffd0 8b0d???????? 
8b95e4fbffff } + $sequence_28 = { 89c7 01f7 83c6c0 81fec00f0000 8945f4 894df0 } + $sequence_29 = { 8b8d60ffffff 83c101 8b954cffffff 83c228 8b75ac } + $sequence_30 = { 89b504ffffff e8???????? 8b854cffffff 890424 } + $sequence_31 = { c7424418180000 c7424800a00100 8b7de4 c787cc00000000000000 c787c800000000000000 } + $sequence_32 = { e8???????? 8d0db2318702 890424 894c2404 } + $sequence_33 = { 89442404 e8???????? 83c408 c785ecfbffff00000000 8d8decfbffff 8b15???????? } + $sequence_34 = { 891c24 89442404 c744240800000000 8954240c 8b4590 894d80 } + $sequence_35 = { 80fa00 8945f4 894df0 742f 8b45f4 8b4df0 8945ec } + $sequence_36 = { 894da4 8945a0 0f855affffff b801000000 8b4db0 8b11 } + $sequence_37 = { 6a50 68???????? 50 8985e8fbffff ffd1 8b0d???????? } + $sequence_38 = { 8b8d6cffffff 894c2404 898558ffffff e8???????? 83c408 b901000000 } + $sequence_39 = { b901000000 8d956cfdffff 891424 c74424040d000000 c744240801000000 } condition: 7 of them and filesize < 221184 
@@ -126302,89 +127005,128 @@ rule MALPEDIA_Win_Amtsol_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "10cd2a6a-97cd-5bbf-a2de-d51937233e16" - date = "2026-01-05" - modified = "2026-01-06" + id = "610e7b35-7f0a-5ba1-b999-5bd60046d93f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.amtsol_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.amtsol_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "f41e59806427fb3074e56403dfc0119ba4416aa791cb2055a2846e43c19529c3" + logic_hash = "ed00c83f511bca8c0c3d0585f98066d967f5b19ef305174aa0a360226a1bb072" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bec 83ec20 53 56 8b7508 33db 3bf3 } - $sequence_1 = { 035e24 8945fc 8b45f8 8d9c1839d0d4d9 53 e8???????? 8b4df0 } - $sequence_2 = { 836d1010 8b7d10 83e810 8bf0 a5 a5 } - $sequence_3 = { 50 8d4de4 e8???????? 84c0 7418 8d4de4 e8???????? } - $sequence_4 = { c6451054 c6451172 c6451261 c645136e c6451473 c6451566 } - $sequence_5 = { 3d01010000 7d0d 8a4c181c 8888b82b4200 40 ebe9 } - $sequence_6 = { 53 e8???????? 0345fc 8b4df0 8945f8 8b45f4 } - $sequence_7 = { 50 e8???????? 59 50 ff7604 e8???????? 83c41c } - $sequence_8 = { 33cb 030e 8d840878a46ad7 50 e8???????? 
0345fc } - $sequence_9 = { 83c040 50 e8???????? 83c40c 8bc6 5e c3 } + $sequence_0 = { ff36 ff7610 e8???????? 83c414 3bc3 0f8c92000000 0f8e8c000000 } + $sequence_1 = { 7545 c745e4dfffffff eb6b c7456410000000 66894548 395de0 740e } + $sequence_2 = { e8???????? 59 53 68???????? e8???????? 8d8580fdffff 50 } + $sequence_3 = { e8???????? 83c40c c3 837c2404ff 7405 e9???????? c3 } + $sequence_4 = { 56 8d45e0 50 57 e8???????? 83c418 } + $sequence_5 = { 8bff 56 57 33ff 8db758304200 ff36 e8???????? } + $sequence_6 = { 8bde 23d9 03bc98480c0000 337814 33d7 8bfa } + $sequence_7 = { c685280100003c c685290100003c c6852a0100003c c6852b01000025 c6852c01000073 889d2d010000 } + $sequence_8 = { 8d4508 50 e8???????? 59 59 8d4d08 894dd8 } + $sequence_9 = { 8b03 85c0 755b 33db 43 899e2c030000 eb03 } condition: 7 of them and filesize < 335872 } +rule MALPEDIA_Win_Maskgramstealer_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "4ee1204a-c4f7-5140-8868-3ec21d80ad68" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maskgramstealer" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.maskgramstealer_auto.yar#L1-L113" + license_url = "N/A" + logic_hash = "aaf8addcd84a5405900df60d1e4cadcf3baed2d226e1d47976eaeb2f5bfc316c" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 48ffc2 807c11ff00 75f3 c3 } + $sequence_1 = { 4c39c0 7412 448a0c02 4584c9 7409 44880c01 48ffc0 } + $sequence_2 = { c3 31c0 448a0402 4584c0 } + $sequence_3 = { 7503 
48ffc2 4c89d1 e8???????? 4c89d1 e8???????? } + $sequence_4 = { 48833d????????00 0f95c2 4885c0 0f95c0 } + $sequence_5 = { e9???????? 4881c428060000 5b 5e 5f } + $sequence_6 = { 8a02 3c5c 7404 3c2f 7503 } + $sequence_7 = { 488b0d???????? 488b1d???????? ffd3 488b0d???????? ffd3 } + $sequence_8 = { 8b8c24b0060000 488d942480000000 e8???????? 83bc24b006000000 } + $sequence_9 = { 498d1400 8a02 3c5c 7404 3c2f } + + condition: + 7 of them and filesize < 353280 +} rule MALPEDIA_Win_Ghostemperor_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb9bf224-db51-5bdd-bed6-58106efc8832" - date = "2026-01-05" - modified = "2026-01-06" + id = "03561f3b-0abe-57dc-b978-3c939c0fe915" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ghostemperor_auto.yar#L1-L226" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ghostemperor_auto.yar#L1-L226" license_url = "N/A" - logic_hash = "7df60cceb98a60fe2e2f53ccef69a2b508e5a3019ab430e008473c427496d31f" + logic_hash = "3fa3d4eb8704961c7c97c6073c0242bdef28b1790df0c9cdaa55e317b1e02d8f" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c7464800000000 488d4e18 ff15???????? 488b4e40 } - $sequence_1 = { 89d5 4889ce b920000000 e8???????? 
4889c7 0f57c0 0f2900 } - $sequence_2 = { 4885c9 7443 4889ce ff15???????? } - $sequence_3 = { 4883c601 4883c2f8 39f1 75ec 4929d1 } - $sequence_4 = { 4883ec28 ff15???????? 488d542424 89c1 ff15???????? 85c0 7406 } - $sequence_5 = { 418d42ff 4c8d5801 4983fb04 7222 488d3cc2 4883c708 } - $sequence_6 = { 4839cf 0f86fb000000 488d04c1 4883c008 } - $sequence_7 = { 488d5108 e8???????? 8b4648 85c0 746e } - $sequence_8 = { 49895d38 41897530 eb18 418b07 85c0 7411 4c03f8 } - $sequence_9 = { 01c3 69cbe8030000 81c130750000 4883ec20 } - $sequence_10 = { 01c1 89ca c1ea1f c1f904 } - $sequence_11 = { 488364c60800 488b05???????? 8a5008 488d4810 ff15???????? } - $sequence_12 = { 41391e 0f84fc010000 418b06 85c0 745d 448b4540 } - $sequence_13 = { 052797fa04 351337a665 8945f4 488b4510 } - $sequence_14 = { 4154 4156 488d6898 4881ec50010000 4533f6 4c8d257b390000 488bd9 } - $sequence_15 = { 05f226dac9 35bcfe1eea 894534 488b4550 } - $sequence_16 = { c745505f007300 c74554ee005200 0f1185c8030000 c74558ec005600 c7455c05008500 0f104d50 } - $sequence_17 = { 00c2 488b8568020000 8854080c 488b85b0020000 } - $sequence_18 = { 488bcf 2b542428 83c207 e8???????? 85c0 } - $sequence_19 = { 0552f0384d 358e257f87 894530 488b4570 } + $sequence_0 = { ff15???????? 89f0 4883c420 5b 5d 5f } + $sequence_1 = { 44894648 49c1e003 488d5108 e8???????? 8b4648 85c0 } + $sequence_2 = { c3 4489d6 83e603 4929f3 4e8d0cd9 4a8d04da 4529da } + $sequence_3 = { 4889ce b920000000 e8???????? 4889c7 0f57c0 } + $sequence_4 = { 4989d6 4889ce 498b4808 4885c9 740d e8???????? 48c7470800000000 } + $sequence_5 = { 4585d2 0f84b9000000 418d42ff 4c8d5801 4983fb04 7222 } + $sequence_6 = { 89ce c1ee1d c1e103 09ce } + $sequence_7 = { 4989c9 4889d0 458d5aff 41f6c203 7427 4489d1 83e103 } + $sequence_8 = { 7567 8b542450 33c9 ff15???????? 
488bf8 } + $sequence_9 = { 00c2 488b8568020000 8854080c 488b85b0020000 } + $sequence_10 = { 0fb78316010000 c1e208 0bd1 0fb6c8 } + $sequence_11 = { 052797fa04 351337a665 8945f4 488b4510 } + $sequence_12 = { 01c3 69cbe8030000 81c130750000 4883ec20 } + $sequence_13 = { 0552f0384d 358e257f87 894530 488b4570 } + $sequence_14 = { 4885c0 7405 493bc0 7538 0f31 48c1e220 488d0db130ffff } + $sequence_15 = { c7858c000000bf00d200 0f108580000000 c78590000000f0000000 8b8590000000 } + $sequence_16 = { ffc0 4881c200010000 413bc0 72ed eb1b } + $sequence_17 = { 8bf0 85c0 792e 4c8d442470 } + $sequence_18 = { 05f226dac9 35bcfe1eea 894534 488b4550 } + $sequence_19 = { 01c1 89ca c1ea1f c1f904 } $sequence_20 = { 01d1 89ca c1e205 89cb } - $sequence_21 = { 3d040000c0 7567 8b542450 33c9 ff15???????? 488bf8 } + $sequence_21 = { 48897c2448 448bc5 89442440 498bd6 } $sequence_22 = { 00c1 488b8568020000 488b95b0020000 884c100c } - $sequence_23 = { 33c0 488b6c2438 488b742440 48894f38 } + $sequence_23 = { 4983f90f 72bf 66895df5 c745f701000000 488bcb 0fb7440dd7 6689440d17 } condition: 7 of them and filesize < 1115136 
@@ -126394,36 +127136,36 @@ rule MALPEDIA_Win_Hamweq_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "000e8959-0108-5c25-ad30-8e891fdada1d" - date = "2026-01-05" - modified = "2026-01-06" + id = "2e021414-7f19-5bad-bdf3-a58acfeef825" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hamweq_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hamweq_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "5208d20513fd6a1e5edd1bc25c2bf088fa1869066d91ad8af3cf21319dcb16db" + logic_hash = "926f2e39a4bfc4a89fdc4cd6c55e635055d85786284c6186d54479233cd9a22a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff500c 56 e8???????? 8b06 } - $sequence_1 = { 8d8500feffff 50 ff5148 8b4e08 8b06 ff7138 } - $sequence_2 = { ff5744 50 8d8500feffff 50 } - $sequence_3 = { 51 ff5038 b906030000 33c0 80bdfcfdffff5c } - $sequence_4 = { 0f847a030000 85c0 0f8472030000 ff35???????? ff75f8 ffd6 } - $sequence_5 = { 50 8d45e0 50 ff750c 56 e8???????? 
83c410 } - $sequence_6 = { ff7508 ff5020 8b4e08 8b06 ffb180010000 8d8decfeffff 51 } - $sequence_7 = { 8b0e ff30 33db ff5144 } - $sequence_8 = { 3ad0 742d 8b4c2414 8bd6 2bd1 8a19 3ad8 } - $sequence_9 = { 33c0 8dbdfcfdffff f3ab 8b4e08 8b06 ffb1e8000000 8d8dfcfdffff } + $sequence_0 = { ff35???????? 898554ffffff ff75f8 ffd6 } + $sequence_1 = { 8945a4 53 ffd6 ff35???????? 8945a8 53 ffd6 } + $sequence_2 = { ffb118010000 8d8dfcfdffff 51 ff5048 8b06 } + $sequence_3 = { ffb188010000 8d8dfcfeffff 51 ff5048 8b4e08 8b06 ffb180010000 } + $sequence_4 = { 83a5d8fdffff00 53 56 57 6a49 33c0 59 } + $sequence_5 = { 8d45e0 8b0e 50 8d459c 50 53 53 } + $sequence_6 = { 76d2 80240700 5f 5e } + $sequence_7 = { e9???????? 8b4e08 8b06 ffb188000000 ff33 ff504c 8b4e08 } + $sequence_8 = { 51 ff5048 8b4e08 8b06 ff7108 8d8decfeffff } + $sequence_9 = { ff742414 e8???????? 83c40c 85c0 7511 8b4e08 } condition: 7 of them and filesize < 24576 
@@ -126433,36 +127175,36 @@ rule MALPEDIA_Win_Dragonbreath_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dce0b381-95ab-5aa0-a119-0eedad899009" - date = "2026-01-05" - modified = "2026-01-06" + id = "859cc782-92e3-5d0e-b557-fd5ba7e1d621" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dragonbreath" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dragonbreath_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dragonbreath_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "f0cd4604abe67553fcedb3fe371f55dd5d5d8e023a81a960ca3c6bc06a72d951" + logic_hash = "47f702ba42042822f712ae9d928530e0b75a1ec97ba6f12966ed5250de0cf75a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c410 eb14 8d8590fdffff 50 } - $sequence_1 = { 68???????? 8d4da8 51 e8???????? 8b7de4 } - $sequence_2 = { 8b5dd0 ebab c745e470820110 817de47c820110 7311 } - $sequence_3 = { 33db 8945c8 895dcc 895dd0 c745e80f000000 895de4 885dd4 } - $sequence_4 = { 2bcf b879787878 f7e9 c1fa07 8bf2 } - $sequence_5 = { 8dbd84fcffff 68ff010000 f3a5 8d8df5fdffff 6a00 51 } - $sequence_6 = { c1e006 8b0c8d80fb0110 8d440104 8020fe ff36 e8???????? 59 } - $sequence_7 = { e8???????? 85ff 7407 57 ff15???????? 8b8558fdffff 8b4df0 } - $sequence_8 = { 51 ff15???????? 
46 3bb424dc110000 72e8 e9???????? } - $sequence_9 = { 8bd6 69d200a4d9fa 03ca b8b17c2195 f7e1 8bda c1eb15 } + $sequence_0 = { c745e000000000 68???????? ff15???????? 8bf0 } + $sequence_1 = { 85ff 7507 c605????????da 85db 7409 53 e8???????? } + $sequence_2 = { 8d9541feffff 52 e8???????? 83c40c } + $sequence_3 = { 57 68???????? ff15???????? 8b1d???????? 8bf0 68???????? } + $sequence_4 = { 6a00 6a00 c686f000000001 ff15???????? } + $sequence_5 = { 0175fc 6a1e 81c700200000 ff15???????? 8b45f8 2d00200000 8945f8 } + $sequence_6 = { 8d5601 52 e8???????? a0???????? 83c40c 57 56 } + $sequence_7 = { 83c408 85c0 75e7 50 68???????? ff15???????? } + $sequence_8 = { e8???????? 68???????? ff15???????? 8b7508 c7465c988f0110 } + $sequence_9 = { 8d4f04 51 ff15???????? c70794160000 } condition: 7 of them and filesize < 295936 
@@ -126472,36 +127214,36 @@ rule MALPEDIA_Win_Lechiket_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08dac53f-197a-5416-a7db-8f3c1de4ec77" - date = "2026-01-05" - modified = "2026-01-06" + id = "50bb5ff6-9983-5192-9148-15d4b532b4b7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lechiket" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lechiket_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lechiket_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "fc33b6d2e9f07c53a0ef858e0194b9a6cf5341ef888af832ba9746c5214aaca1" + logic_hash = "65d3ebe3766eacf2dda256f82461ccb140fa71b5f9a496a2aff1df45cdefa7ae" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 ff15???????? 3d02010000 7519 56 ff15???????? 53 } - $sequence_1 = { 57 eb4b 8a16 80fac0 } - $sequence_2 = { 740f 47 3b7d0c 76d6 33c0 } - $sequence_3 = { 51 ff7518 8365fc00 ff7514 8d4510 } - $sequence_4 = { c786????????1a000000 8a550b 8bcb ff15???????? 5f 5e } - $sequence_5 = { ff750c e8???????? 85c0 0f84bdfdffff 8b4df8 8d7c0f01 8d480a } - $sequence_6 = { 85d2 7505 b80d0000c0 85ff 5e 740c 85c0 } - $sequence_7 = { e8???????? 84c0 7504 fec0 eb1c 53 8bce } - $sequence_8 = { 33f6 39750c 57 7613 ff15???????? 
88843500ffffff 46 } - $sequence_9 = { 8945f8 8d45d0 6808070000 50 } + $sequence_0 = { 6a06 59 8d7db8 f3ab 8d7dd0 ab ab } + $sequence_1 = { 8908 8b06 c74004???????? a1???????? ba???????? 33c9 } + $sequence_2 = { 0f8569ffffff 0fb7480c 014d0c 8b4dfc 41 394d0c 0f8755ffffff } + $sequence_3 = { e8???????? 68???????? 8d45e4 50 ffd7 ff4df4 } + $sequence_4 = { 50 e8???????? 8bf8 85ff 7414 ff750c ff7508 } + $sequence_5 = { 8bff 55 8bec 83ec78 53 } + $sequence_6 = { 8b45f4 8b4dec 8d4401f8 898564fdffff 897004 8d856cffffff 50 } + $sequence_7 = { 7726 0fbe4813 0fbe5014 83e930 6bc90a 8d4c11d0 49 } + $sequence_8 = { 6639460a 0f8494000000 0fb7560a 3bd0 761d 8b4e18 } + $sequence_9 = { 57 68fe050000 33f6 8d85f4f9ffff 56 50 e8???????? } condition: 7 of them and filesize < 331776 
@@ -126511,36 +127253,36 @@ rule MALPEDIA_Win_Whispergate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9dc05d10-b36b-5ddc-8d53-1a84a19c9fff" - date = "2026-01-05" - modified = "2026-01-06" + id = "c5290043-19ea-5c32-a2ba-8565baa0d7b5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.whispergate_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.whispergate_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "f1a5fde20ead0d040272e28cb5dd9257a9305ae69c007901daa130bb710a267b" + logic_hash = "6c0d0966d06d85ae8563d605e30aa1d97700858fdb23c919af01a4e6e5cfc9ca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 89f4 0f841bffffff 8b5508 85d2 0f8410ffffff 8b5508 } - $sequence_1 = { 83f801 0f8543010000 83c30c 81fb???????? 0f8389000000 8b13 8b7b04 } - $sequence_2 = { 83c301 ebe1 83c301 ebe3 8d6b01 e9???????? } - $sequence_3 = { b8???????? c705????????01000000 2d???????? 83f807 7ee0 57 } - $sequence_4 = { 53 83ec4c f605????????02 0f84ea020000 e8???????? 8965c4 } - $sequence_5 = { 84d2 7906 81cf00ffffff 29f7 8d54241c } - $sequence_6 = { c1e004 e8???????? 
8b4de0 29c4 } - $sequence_7 = { 83f802 89c1 7417 8d65f4 89c8 5b } - $sequence_8 = { 5e c3 31d2 89d0 c3 } - $sequence_9 = { c706???????? 893424 8b4d10 89fa 89d8 e8???????? } + $sequence_0 = { 7405 e8???????? 8b4308 85c0 7404 85f6 } + $sequence_1 = { 7510 e8???????? c70009000000 83c418 } + $sequence_2 = { 83f803 8903 7431 e8???????? 81380b010000 } + $sequence_3 = { 3c5d 742e 3c7f 7415 } + $sequence_4 = { 7468 0fbeda 83fb5d 8d7701 0f841a010000 83fb2d 0f848d000000 } + $sequence_5 = { ebde c705????????feffffff ff15???????? ebcc } + $sequence_6 = { 8b7db4 8945b4 c704240c000000 e8???????? 85c0 0f8418030000 } + $sequence_7 = { 0f8565ffffff 90 8d742600 c60200 } + $sequence_8 = { 83fb2f 0f8400010000 83fb5c 0f84f7000000 0fb616 89dd 89f7 } + $sequence_9 = { 89e5 57 56 53 83ec2c 8b7514 8b5d08 } condition: 7 of them and filesize < 114688 
@@ -126550,36 +127292,36 @@ rule MALPEDIA_Win_Ahtapot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30983b3b-d2d6-5541-9384-47b5921b3fc8" - date = "2026-01-05" - modified = "2026-01-06" + id = "0de48784-0e8e-5edf-a0de-2e4389e99a58" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ahtapot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ahtapot_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ahtapot_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "7f340dfa857e7f52e8c2b134f735bba10e8c0df571d4ec73a1af949780ad4400" + logic_hash = "de143e832fbf5d044cd300629d503d5d9e4691647c9cadb64a0821350f4cddf1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1fa05 8bc2 c1e81f 03d0 b814000000 2bc2 0fb7542410 } - $sequence_1 = { 51 8d9580fbffff 52 8d8570f7ffff 68???????? 50 ffd7 } - $sequence_2 = { 8d842494000000 6683383f 7508 ba20000000 668910 41 66399c4c94000000 } - $sequence_3 = { bf00000800 7413 893d???????? 833b02 7422 } - $sequence_4 = { 69c9e8030000 51 ff15???????? 
80bec412000000 0f8504fbffff 33c0 8b8c24d8120000 } - $sequence_5 = { 7cb7 3d00010000 740a c786a4af060028a74200 8a55fc 8894303c1b0000 8d8eb41e0000 } - $sequence_6 = { 0f8494000000 8d85bcf7ffff 8d5002 8d642400 668b08 83c002 6685c9 } - $sequence_7 = { 889d65cbffff 89954ccbffff 898550cbffff 899d28cbffff 899d38cbffff 899d48cbffff } - $sequence_8 = { 75df 8d85d0fdffff 50 ffd3 8b4dfc 5f 5e } - $sequence_9 = { 899d70cbffff 899568cbffff 899d60cbffff 3bf3 7533 8b8518cbffff 8b4804 } + $sequence_0 = { 8d83cc100000 50 8d83b40a0000 33d2 50 6689944bcc100000 8d8bbc0c0000 } + $sequence_1 = { 83c418 8d8d8cf1ffff 51 8d9544f1ffff 52 6a00 6a00 } + $sequence_2 = { 68???????? 51 ffd7 83c40c 80bbc712000000 } + $sequence_3 = { 8a85fcebffff a810 0f8495000000 a804 0f858d000000 68???????? 8d8dacfeffff } + $sequence_4 = { c78548ebffff44000000 c78574ebffff01000000 ff15???????? 8b8da8ebffff 8b95b0ebffff 8b85a4ebffff 51 } + $sequence_5 = { c786a4af060094a74200 3d1e010000 7f0a 83ff1e 7f05 83fb13 7e0a } + $sequence_6 = { 51 89b590c3ffff e8???????? 83c404 33d2 66399598d7ffff 7427 } + $sequence_7 = { 7610 8b4608 8d80a8f14200 fe08 } + $sequence_8 = { a3???????? ebd2 8b7b04 33f6 807f2c00 7509 8bc7 } + $sequence_9 = { 50 ffd3 83c410 8d85e0f9ffff e8???????? 8d9590f7ffff 52 } condition: 7 of them and filesize < 430080 
@@ -126589,36 +127331,36 @@ rule MALPEDIA_Win_Darkvnc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "333202ce-cf04-5e1c-95d5-ed62536bc798" - date = "2026-01-05" - modified = "2026-01-06" + id = "dd5a26ee-a38d-520d-9cfd-328c8968b573" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkvnc_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkvnc_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "7d4bb25715c42c98fca5b840dde51c070d19a7e331a44598eca4d1a3afd0df99" + logic_hash = "bc5d5b75d56591d898c2949895d9a98b84444bd3d5a21ec3176ba22b58571023" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 428994817c120000 48638178540000 891481 ff8178540000 c3 8bc2 41b2ff } - $sequence_1 = { 81f9f4010000 7265 488bd5 898708030000 488bcf e8???????? 488b4768 } - $sequence_2 = { 4c8bc1 ebdd 81fba3000000 0f8583000000 33d2 488bcf ff15???????? } - $sequence_3 = { 4c8bf9 4889b5b8020000 4889bdc0020000 488d1508df0000 488d4d00 33ff 4d8be1 } - $sequence_4 = { 488d542420 488bcf e8???????? 8bd8 488b0d???????? 4c8bc7 33d2 } - $sequence_5 = { 740c 498bd7 488bcb ff15???????? 4d85f6 740c } - $sequence_6 = { f645e801 7425 8b8f80000000 85c9 0f94c0 a801 7436 } - $sequence_7 = { e9???????? 
488b442448 4889442460 488b442460 4863403c 488b4c2460 4803c8 } - $sequence_8 = { 83caff ff15???????? 488d55e0 488bcb e8???????? 488b8be8070000 ff15???????? } - $sequence_9 = { 4889842480000000 4883bc24800000000d 0f874b070000 488d0577f9feff 488b8c2480000000 8b8c88dc0d0100 } + $sequence_0 = { 488bd9 e8???????? 83f806 7714 e8???????? 83f806 753f } + $sequence_1 = { e8???????? 493bf5 72d9 4489b42490000000 448bb424b0000000 49638778540000 41bb01000000 } + $sequence_2 = { 7437 488b4320 488d4b30 48894340 ba02000000 8b4328 2b4320 } + $sequence_3 = { 488b4008 4889442430 488b442430 488b4c2428 488908 488b442428 488b4c2430 } + $sequence_4 = { 48ff4308 4883fa02 7ce9 4883c420 5b c3 48895c2408 } + $sequence_5 = { 4157 488bec 4883ec50 33ff 488d5548 488bf1 48897d50 } + $sequence_6 = { 8bc1 4123c4 c1e908 0bd8 4123cc 0fb64707 c1e308 } + $sequence_7 = { ff15???????? 488b0d???????? 4c8bc6 33d2 ff15???????? 4c8d9c24a0000000 33c0 } + $sequence_8 = { 448bc6 33d2 498bcc ff15???????? 85c0 7438 4885ed } + $sequence_9 = { 418bf3 899424c0000000 448bc1 83f811 7d41 488d0d6bc00100 8b4481fc } condition: 7 of them and filesize < 606208 
@@ -126628,36 +127370,36 @@ rule MALPEDIA_Win_Crylocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c49832e-3a15-5c26-a16b-f08cf4de197b" - date = "2026-01-05" - modified = "2026-01-06" + id = "ba8013ac-ab0d-54e4-8e27-41843f998720" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crylocker_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crylocker_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "9984a5545190dc600307a66e2e0bae93c274e609548786d31df4138b67fc5f5d" + logic_hash = "3f275058e277046ba506ca6d012d8f12db84391ca9a536fb0c7f325de63fcadd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d542408 68c5090000 52 e8???????? 8d442410 68???????? } - $sequence_1 = { ff15???????? 6afe e8???????? 83c404 5f 5e } - $sequence_2 = { 56 8da42400000000 8b44241c 8bf7 } - $sequence_3 = { 53 33ff ff15???????? 8bf0 3bf3 762e 3bfb } - $sequence_4 = { 8b7c242c 8b7704 50 e8???????? 8b4c2440 8bd8 51 } - $sequence_5 = { 8d442430 50 e8???????? 8d4c2434 68???????? 51 e8???????? } - $sequence_6 = { 50 50 8b44244c 50 6a00 6a00 56 } - $sequence_7 = { 50 894608 e8???????? 83c414 eb76 } - $sequence_8 = { 81c4cc000000 c3 5f 5e 5d b8fdffffff 5b } - $sequence_9 = { e8???????? 
8d4c2408 6aff 51 e8???????? 8d542410 6a02 } + $sequence_0 = { 56 e8???????? 83c408 8b442410 40 89442410 3b4704 } + $sequence_1 = { ffd5 85c0 750a b8faffffff } + $sequence_2 = { 394c243c 0f8711ffffff 5f 5b } + $sequence_3 = { 8b7c241c 8b07 50 56 e8???????? 33db 83c408 } + $sequence_4 = { 8b442438 8b4c2434 50 51 56 e8???????? 8b542444 } + $sequence_5 = { 85ed 0f84d5010000 8b742438 6a00 56 53 55 } + $sequence_6 = { 8b442430 68???????? 68???????? 50 } + $sequence_7 = { 55 57 33ff 8d442424 } + $sequence_8 = { 56 51 e8???????? 8d542408 6a00 52 } + $sequence_9 = { ffd7 8bf0 83feff 750c 5f 5e b8f5ffffff } condition: 7 of them and filesize < 139264 
@@ -126667,36 +127409,36 @@ rule MALPEDIA_Win_Spider_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c1d0a0a-c7b7-560c-afbd-cff397912aa2" - date = "2026-01-05" - modified = "2026-01-06" + id = "b0d90359-2598-5519-ad5e-e2cd0ed58518" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spider_rat_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spider_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "91b51e3f34e8589c66f7bc8774754ce78933dd5fa4cfa89093817c8c758e1ad5" + logic_hash = "b0533445a9bbea3abbfea008098be4356c285de1302cc31eddd214e7a9d0fb61" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 493bce 7415 488b01 4d8bc5 ba01000000 ff5020 8bd8 } - $sequence_1 = { 833903 b801000000 756e 397104 7569 488b4908 4885c9 } - $sequence_2 = { e8???????? cc 488d88c0000000 488d15b2f7ffff e8???????? 8bce 483bc6 } - $sequence_3 = { 7433 488bc8 833904 7517 44396104 7511 } - $sequence_4 = { 4c8be8 c64424305c 41b901000000 4983c8ff 488d542430 488bce e8???????? } - $sequence_5 = { 0fb601 8807 48ffc1 48ffc7 84c0 75f1 49837d2010 } - $sequence_6 = { 4883ec20 488d05df860200 488bf9 488901 4883c118 e8???????? 
488b5718 } - $sequence_7 = { 488b4c2440 488d542478 488b01 ff5018 413bc6 8bd8 0f8c4c010000 } - $sequence_8 = { b890900100 e8???????? 482be0 48c7442448feffffff 488b05???????? 4833c4 4889842480900100 } - $sequence_9 = { 664489442420 4533c9 4c8d05322a0200 418b9424f0000000 ff5030 488b8c2420010000 488b01 } + $sequence_0 = { 488b442440 83a0c8000000fd 33c0 eb1a 1bc0 83e002 ffc8 } + $sequence_1 = { 448d4201 e8???????? 4c8d0d7d60feff 4c8bd8 4b8b84f1e07a0700 4c895c3040 4b8b84f1e07a0700 } + $sequence_2 = { 5f c3 4053 4883ec20 83a12001000000 83a12401000000 488bd9 } + $sequence_3 = { 4889442428 33d2 33c9 897c2420 e8???????? 488983c0020000 } + $sequence_4 = { 498b00 488d153a400200 4c8d442438 498bc9 ff10 488b4c2438 4885c9 } + $sequence_5 = { 4885c9 7406 e8???????? 90 488d050720feff eb00 4883c420 } + $sequence_6 = { 0fb64308 488907 4903f8 eb1f 480fbe4308 } + $sequence_7 = { 5f c3 c60300 33c0 ebe4 e8???????? cc } + $sequence_8 = { ff15???????? 458d9c249a130000 4183fb12 0f8781070000 488d151a83fdff 4963c3 8b8c8290840200 } + $sequence_9 = { 4883a3f001000000 83a3f801000000 83a3fc01000000 4883a30802000000 488bcb e8???????? 89bb08010000 } condition: 7 of them and filesize < 1107968 
@@ -126706,36 +127448,36 @@ rule MALPEDIA_Win_Vyveva_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c28bdd95-7642-5880-a40e-4b358402045a" - date = "2026-01-05" - modified = "2026-01-06" + id = "3ffef48f-c957-57e8-b562-ac95c16583e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vyveva_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vyveva_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "96e07d213688d1c1087554cfee92b5503a65dfc0259352cd96965149acc4d781" + logic_hash = "f381163425c79c2111283dd22dd78fd5d45105bdfce92e8044d04b9b50ad0bc3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7404 ff7604 59 3b7108 7506 50 8f4108 } - $sequence_1 = { 8b442428 3b4c2438 740c 3b4c2438 7406 33c9 034c2438 } - $sequence_2 = { 83ec04 33ed 8d6c2c74 83ed74 c74424fcffffffff 83ec04 68???????? } - $sequence_3 = { e8???????? 
8b4c242c 8b442428 8d54243c 894c2440 6a08 52 } - $sequence_4 = { 037e3c 8d4c0f38 83e938 50 5f 51 52 } - $sequence_5 = { 51 5d 59 55 59 6a01 } - $sequence_6 = { 8b8c2434020000 8d54240c 894c240c 6a04 52 56 59 } - $sequence_7 = { 8365f000 8365f400 8365f800 8365fc00 c745f0900c0110 } - $sequence_8 = { 33c0 0306 395814 0f854b010000 8b4c2410 55 8f4614 } - $sequence_9 = { 741c 56 8b742414 ff36 59 41 51 } + $sequence_0 = { 89742418 88460c e8???????? 50 8f00 394004 7408 } + $sequence_1 = { c644242097 c644242159 aa e8???????? 8d942488000000 52 68???????? } + $sequence_2 = { 83ec04 5a 83c50a 50 8f02 668b442438 51 } + $sequence_3 = { 8b8e90000000 6a00 41 6a10 898e90000000 51 51 } + $sequence_4 = { c74424fc00000000 014424fc 83ec04 2bc1 58 722c 8d4c246c } + $sequence_5 = { 58 ff7004 59 897914 ff7604 5a 8b7204 } + $sequence_6 = { 56 8f4034 e8???????? ff7534 59 33c0 8d440644 } + $sequence_7 = { 1bc0 2480 0500010000 50 5b 53 6a1d } + $sequence_8 = { fec9 5f 8848ff 895e04 895e08 53 8f460c } + $sequence_9 = { 57 8b460c 85c0 0f8402010000 33c0 034604 3b08 } condition: 7 of them and filesize < 360448 
@@ -126745,36 +127487,36 @@ rule MALPEDIA_Win_Shrinklocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2766ab1f-0f76-5831-84d1-b9f95003f3f6" - date = "2026-01-05" - modified = "2026-01-06" + id = "3c787fbd-bf0c-5d9a-9fba-067c6f540acd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shrinklocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shrinklocker_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shrinklocker_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "51a8eff3d0e892d08ca7cb6cb77d8a510f6bbf09ab967ba64d6200c00464e9c5" + logic_hash = "d4695391c1b2664a33b20b19c2324c749b4af51c2b6b35bce8ae0c41f5a7efa8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a804 7409 488d1db94c0300 eb14 a802 488d1dc64c0300 488d05d74c0300 } - $sequence_1 = { 4803c8 488bc1 488b4d20 488b95d8000000 488d0c51 4c8bc0 488b4538 } - $sequence_2 = { 488b4c2460 898110170000 e9???????? 8b442468 ffc8 488b4c2460 4881c1bc000000 } - $sequence_3 = { 4c896310 4d8bc6 48897318 488bcf 4883fd0f 7648 488b33 } - $sequence_4 = { e8???????? 488b4c2430 48894c2420 4c8b4c2458 4c8b442460 488b4c2450 488b5110 } - $sequence_5 = { e8???????? 
88442425 488b8c2480000000 488b09 48634904 488b942480000000 } - $sequence_6 = { eb58 b804000000 4869c000010000 488b4c2468 0fb70401 488b4c2460 8b8910170000 } - $sequence_7 = { 8b84815c270100 4803c1 ffe0 488b442430 83781000 7511 } - $sequence_8 = { 2500e00000 85c0 7424 488b842410010000 488d0de2300400 48894820 488b442430 } - $sequence_9 = { 488d54242f 488d4c2458 e8???????? 90 c644243011 488d542430 488d4c2458 } + $sequence_0 = { 488d4c2448 e8???????? 90 e9???????? 488b4c2470 e8???????? 4c8bc0 } + $sequence_1 = { 4889442440 488d4c2470 e8???????? 4889442438 488b542438 488b4c2440 e8???????? } + $sequence_2 = { 8b44245c 39442444 7608 8b44245c 89442444 837c244400 } + $sequence_3 = { 483bc8 480f42f0 488d4e01 4885c9 7504 33ff } + $sequence_4 = { eb07 488d15f1500300 488d4c2420 e8???????? be01000000 83630800 488d05175e0200 } + $sequence_5 = { c1f803 89442420 488b842480000000 8b4c2420 8b4018 2bc1 } + $sequence_6 = { 8d4401f0 488b4c2460 898110170000 eb48 0fb744240c 488b4c2460 8b8910170000 } + $sequence_7 = { 83f801 751b 488b4308 488b08 488d0534070200 483901 7408 } + $sequence_8 = { 7578 48630df866feff 488d15b566feff 4803ca 813950450000 755f b80b020000 } + $sequence_9 = { 4889451f 33c0 488945c7 4183fe04 488d45b7 897dd7 4889442448 } condition: 7 of them and filesize < 10490880 
@@ -126784,49 +127526,49 @@ rule MALPEDIA_Win_Ketrican_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "17c7dffb-a011-5900-a31d-1d30da8f8252" - date = "2026-01-05" - modified = "2026-01-06" + id = "9314d763-217b-5a0a-ac6b-e1deaae445fc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ketrican_auto.yar#L1-L230" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ketrican_auto.yar#L1-L238" license_url = "N/A" - logic_hash = "bc80dac3ff7e066cc7e5cdc3a2c5cdfaac267fb28bf5e233f76a95cbb08049bc" + logic_hash = "e663ac1ef65e774d3270c6a651d1d432b34f54becbddfefc56a51ae770faba5d" score = 75 - quality = 73 + quality = 71 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8965f0 33db 895dfc 33c0 } - $sequence_1 = { 5e c3 55 8bec 837d0800 7d0a } - $sequence_2 = { 8bc1 8945f0 834dfcff e8???????? } - $sequence_3 = { e8???????? 83c010 8906 c3 56 8bf1 57 } - $sequence_4 = { 5f 5e 8901 5b 5d c20800 680e000780 } - $sequence_5 = { 7417 6a0a 6a1f 68???????? } - $sequence_6 = { e8???????? cc 8b06 83e810 8b08 395008 } - $sequence_7 = { e8???????? 8b06 5d c20400 55 8bec 8b4508 } - $sequence_8 = { 8bc7 c1e810 83e03f e8???????? } - $sequence_9 = { 2bc6 8b35???????? 
53 8bf8 57 } - $sequence_10 = { 8bec 8b4508 53 56 57 8d7001 33db } - $sequence_11 = { 56 8d4806 57 e8???????? 83c414 8bf0 } - $sequence_12 = { 83c604 8345f804 8b45f8 5f c60600 5e } - $sequence_13 = { 7706 8a4405bc c9 c3 } - $sequence_14 = { eb1f 68???????? e8???????? a3???????? } - $sequence_15 = { 8b8a8c2f0000 33c8 e8???????? b8???????? e9???????? } - $sequence_16 = { b8???????? e9???????? 8b542408 8d420c 8b8aecfdffff 33c8 e8???????? } - $sequence_17 = { e9???????? c705????????ac824100 c3 b9???????? e9???????? } - $sequence_18 = { e9???????? 8d45d0 e9???????? 8d4dd0 } - $sequence_19 = { e9???????? 8b4508 e9???????? 8b45ec 83e001 0f840c000000 8365ecfe } - $sequence_20 = { e9???????? 8d4dd0 e9???????? 8d4de0 e9???????? 8d4db8 e9???????? } - $sequence_21 = { e9???????? 8d4ddc e9???????? 8b45d4 83e001 } - $sequence_22 = { 8365d4fe 8d4da4 e9???????? c3 8d4dbc e9???????? } + $sequence_1 = { e8???????? 8b06 5d c20400 55 8bec 8b4508 } + $sequence_2 = { c3 55 8bec 8b4508 85c0 742c 83f80c } + $sequence_3 = { e8???????? 83c010 8906 c3 56 8bf1 } + $sequence_4 = { cc 8b06 83e810 8b08 } + $sequence_5 = { 5e 8901 5b 5d c20800 680e000780 } + $sequence_6 = { 5d c20800 680e000780 e8???????? cc 8b06 } + $sequence_7 = { 5f 5e c3 55 8bec 837d0800 7d0a } + $sequence_8 = { 33db 53 8d85f2f4ffff 50 e8???????? } + $sequence_9 = { 48 743a 48 7426 48 } + $sequence_10 = { eb02 b03d 884602 83fb02 } + $sequence_11 = { 53 56 57 8965f0 33f6 8975fc 33c0 } + $sequence_12 = { 8b7508 83650800 8d48fd 85c9 0f8e98000000 8d41ff 33d2 } + $sequence_13 = { ff7508 53 53 ffd6 50 ff750c 57 } + $sequence_14 = { 6a02 8d45ec 50 e8???????? 83c410 53 } + $sequence_15 = { 8b542408 8d420c 8b8a54ffffff 33c8 e8???????? 8b8adc090000 } + $sequence_16 = { e8???????? 8b8ae8060000 33c8 e8???????? b8???????? } + $sequence_17 = { 8b8a78ffffff 33c8 e8???????? 8b8a8c2f0000 33c8 e8???????? } + $sequence_18 = { e9???????? c705????????ac824100 c3 b9???????? } + $sequence_19 = { e8???????? b8???????? e9???????? 8b4508 e9???????? 
8b45ec 83e001 } + $sequence_20 = { ff15???????? 68???????? c705????????98824100 a3???????? c605????????00 e8???????? 59 } + $sequence_21 = { 8b8a24ffffff 33c8 e8???????? 8b8ae8080000 33c8 e8???????? b8???????? } + $sequence_22 = { 8d45d0 e9???????? 8d4dd0 e9???????? 8d4de0 } condition: 7 of them and filesize < 1449984 
@@ -126836,36 +127578,36 @@ rule MALPEDIA_Win_Grillmark_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "94d64c09-2c69-5952-977d-9716f3cb3003" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d9d7077-4d35-5427-aea9-fea5014998bb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grillmark_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grillmark_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "c6ddc22f686e3bfc93b0245e1ab65f2459e27d4cb969cb323a24bb3baf4cbe5c" + logic_hash = "500c6b8c0800de4961c4ce9356dae8cfef331dbc99a179cdaadaa4d6c89566da" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8d4df4 56 51 53 50 57 } - $sequence_1 = { 6800000080 ff7510 ff15???????? 8bf8 83ffff 7436 53 } - $sequence_2 = { f3ab 66ab aa 8d458c 895df8 50 895df4 } - $sequence_3 = { 83ffff 7504 33c0 eb1a } - $sequence_4 = { 66a5 a4 5f 33c0 3905???????? 5e 50 } - $sequence_5 = { 57 e8???????? 8d85f4fcffff 50 57 } - $sequence_6 = { ff15???????? 6a40 33c0 59 8dbdfdfeffff 889dfcfeffff 53 } - $sequence_7 = { 66ab aa 8d85fcfeffff 50 6804010000 e8???????? 
} + $sequence_0 = { 59 33c0 8dbdf5fcffff 8b7508 f3ab } + $sequence_1 = { 83c104 ebf5 5d c3 } + $sequence_2 = { 8065ff00 eb6c ff45f8 880f 47 eb64 80f909 } + $sequence_3 = { 8911 8d1406 83c104 3b5510 72d7 5f 5e } + $sequence_4 = { 53 50 8d45c8 50 6a13 } + $sequence_5 = { 7473 8d45c8 50 e8???????? 3d94010000 } + $sequence_6 = { 8945fc 0f84b8000000 56 e8???????? } + $sequence_7 = { 33c0 8d7dc9 885dc8 895df4 f3ab 66ab } $sequence_8 = { 50 57 ffb604010000 56 e8???????? 83c410 85c0 } - $sequence_9 = { 6a01 ff7508 e8???????? 56 e8???????? ff75f4 } + $sequence_9 = { 0a450f 46 8806 8b45fc 46 3b45f4 0f82d6feffff } condition: 7 of them and filesize < 212992 
@@ -126875,36 +127617,36 @@ rule MALPEDIA_Win_Badaudio_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "05c804a9-cf16-57d2-a80f-b619976bbd0d" - date = "2026-01-05" - modified = "2026-01-06" + id = "f66510e8-a79b-5f39-b71b-ec60a2990bcb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badaudio" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.badaudio_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.badaudio_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "a6c973b5c41c14ecfe9459d805cffcba8f5aa17e724a8b86913ac3f147c5345e" + logic_hash = "b6858436bb9db6a00abff42fb02bf9495539b4e40b1440eb6da886e953dd1918" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 886e09 88560d 886602 884e0a } - $sequence_1 = { c6470c00 807de000 0f8447ffffff 8b45dc c745dc00000000 8b4dd4 } - $sequence_2 = { 885c8103 40 83f83c 7463 8a7c81fc 0fb65481fd 0fb6f7 } - $sequence_3 = { f20f114030 f20f10442438 f20f114038 f20f108424e0000000 f20f114058 f20f108424d8000000 f20f114050 } - $sequence_4 = { 0f57d8 0f115c2411 0f10442461 0f104c2421 0f109424a1000000 } - $sequence_5 = { 8a4627 88431c 8a4626 88431d 8a4625 88431e 8a4624 } - $sequence_6 = { 8b540c48 89542438 83c104 894c2408 8b0c24 894c2430 } - $sequence_7 = { c7462800000000 c7462c0f000000 c6461800 f20f104010 
f20f114310 } - $sequence_8 = { 8a442404 3287e4000000 884604 329fe5000000 885e05 3297e6000000 885606 } - $sequence_9 = { 0355e0 39d1 89d6 0f43f1 } + $sequence_0 = { c7417800000000 c7417c0f000000 c6416800 c7818000000000000000 c7819000000000000000 c781940000000f000000 c6818000000000 } + $sequence_1 = { 89d7 c1c70f 8b74840c 89d3 c1c30d } + $sequence_2 = { 89f2 eb17 8902 894204 894208 89c1 eb22 } + $sequence_3 = { 81fa00100000 721c 8b51fc 83c1fc 8955e0 } + $sequence_4 = { 8baea8000000 8b4644 83f810 722c } + $sequence_5 = { 732b 83c023 89d1 50 } + $sequence_6 = { 83c414 5d c3 e8???????? 55 83ec14 8db524ffffff } + $sequence_7 = { c745f001000000 8d4dd4 8d45b8 50 56 } + $sequence_8 = { 30dd 30fd 886c06fa 88cd 00cd c0f907 } + $sequence_9 = { 7218 8b79fc 83c1fc 29f9 83f920 0f83a6010000 83c024 } condition: 7 of them and filesize < 1420288 @@ -126915,10 +127657,10 @@ rule MALPEDIA_Win_Bid_Ransomware_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ce47ce7f-14e1-59ae-ba57-79394ad6dc42" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bid_ransomware_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bid_ransomware_auto.yar#L1-L127" license_url = "N/A" logic_hash = "f1877b67a4049109e0b2de66aad3ce4469b6223b173e84f5ebaf276fe703ce2d" score = 75 
@@ -126927,9 +127669,9 @@ rule MALPEDIA_Win_Bid_Ransomware_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -126953,36 +127695,36 @@ rule MALPEDIA_Win_Unidentified_074_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0e88fd75-1316-5da0-a27c-d979440b0d1c" - date = "2026-01-05" - modified = "2026-01-06" + id = "06f7aa01-f191-54de-a676-efe22bef6230" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_074_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_074_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "efaf1ffd6b205d550b6e92c44f0056ae88e73af2fe4605531aaeb9c3b3bf90af" + logic_hash = "b4388f366ca52c7df9d794bf9eb2d136a972045d8a1c1c2ab56f0a2e6a455390" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4d0c 3bf1 752a 8b4614 83f808 7204 } - $sequence_1 = { 83f808 720d 40 50 ffb528e7ffff e8???????? } - $sequence_2 = { 8d8528e7ffff 50 8d8570e7ffff 50 8d85f8e6ffff 50 } - $sequence_3 = { 75f3 8bcf e8???????? 3bd0 } - $sequence_4 = { 8855ee 660f1f440000 0fb64435ec 50 51 } - $sequence_5 = { 33d2 8b4f10 33f6 c740140f000000 83781410 894ddc 8955e0 } - $sequence_6 = { 6800040000 8985f8f7ffff 8901 8d85fcfbffff } - $sequence_7 = { 8b85e0f7ffff 85c0 7407 50 ff15???????? 
85ff } - $sequence_8 = { 8d4618 7202 8b00 837e1410 7202 8b36 6a00 } - $sequence_9 = { 8b853ce7ffff 83f808 720d 40 50 ffb528e7ffff } + $sequence_0 = { 8acf 8a55ea 8ac3 c0e904 } + $sequence_1 = { 33c0 c785a4dfffff07000000 50 68???????? 8d8d90dfffff c785a0dfffff00000000 } + $sequence_2 = { 0f84ce190000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 750f } + $sequence_3 = { c7853cffffff73657400 c745e8706f7274 c745ec73657400 56 50 53 e8???????? } + $sequence_4 = { 894dfc 8b7e10 c745f001000000 8b4310 40 } + $sequence_5 = { 5e 5d c20800 85ff 7511 897e10 83f808 } + $sequence_6 = { 6a00 6a00 ff15???????? 8b35???????? 0f1f440000 6a0a } + $sequence_7 = { c7853cffffff73657400 c745e8706f7274 c745ec73657400 56 } + $sequence_8 = { 8d85c0dfffff 50 56 ffd7 85c0 75c9 8b85bcdfffff } + $sequence_9 = { 0f84d2000000 ff750c ffb5f0f7ffff 6a00 6a00 } condition: 7 of them and filesize < 335872 
@@ -126992,36 +127734,36 @@ rule MALPEDIA_Win_Ripper_Atm_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8f521802-fe9f-59e3-95e4-5c6b679dd629" - date = "2026-01-05" - modified = "2026-01-06" + id = "abfa5bbc-7e2b-518c-93b7-97db3ca12128" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ripper_atm_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ripper_atm_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "20a25cf7a57e29f6fcd47218cda1c983413d86161c6d93b073b8fbc3d2b6ce43" + logic_hash = "386c947474920550baec0da9a91550d4fc1de86f84fa17586679290334ca5f50" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 8bcc 89a57cfdffff 68???????? e8???????? } - $sequence_1 = { 2bc1 99 c745f818000000 f77df8 83c410 8945e8 85c9 } - $sequence_2 = { c7470411000000 897708 89770c 897710 c707???????? } + $sequence_0 = { 7471 8b0c85f0974400 f644190480 7463 8d45e0 50 ff3419 } + $sequence_1 = { 8b45e0 ff7010 ffd3 8b45e0 ff7014 ffd3 ff75e0 } + $sequence_2 = { 7407 8d5518 3bce 7403 8d55f8 8b12 8913 } $sequence_3 = { c3 55 8bec 8b0d???????? 8b15???????? 8bc1 2bc2 } - $sequence_4 = { 8b4f3c 50 e8???????? 
8b4f3c ff75fc 0fbec0 894744 } - $sequence_5 = { 7516 8b7708 8b4610 3b02 0f8d8e000000 ff7514 } - $sequence_6 = { 8b4de8 3b4810 7d27 8b4e08 ff7514 80790d00 51 } - $sequence_7 = { 68???????? 53 ff15???????? 56 56 50 8945fc } - $sequence_8 = { 8bf9 50 e8???????? ff7518 8d45ec ff7514 8bcf } - $sequence_9 = { 7409 6aff 53 50 e8???????? be???????? 56 } + $sequence_4 = { 85f6 0f8e55ffffff 8b4c2418 ebde 55 8bec 83e4f8 } + $sequence_5 = { 7406 57 e8???????? 015e04 eb2b 3b4e08 7508 } + $sequence_6 = { e8???????? 8906 8b5508 8b0a 890e 8902 8b4204 } + $sequence_7 = { 57 e8???????? 8b4304 8b0b 8945fc } + $sequence_8 = { 56 8d45d0 50 e8???????? 8b75d0 8d4dd4 } + $sequence_9 = { 8d45e0 43 eb13 6a02 c745dc0f000000 8955d8 } condition: 7 of them and filesize < 724992 
@@ -127031,36 +127773,36 @@ rule MALPEDIA_Win_Kingminer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dc87ee85-ad64-51c7-a30a-c6bd4d73fed8" - date = "2026-01-05" - modified = "2026-01-06" + id = "cababd46-6347-56e0-b03d-c943afd5466a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kingminer_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kingminer_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "a5745ddfac302b5a6ad793ecca6fc94da98fb5fc6ae2a187ff80bbe4b8e2d2c1" + logic_hash = "ddfcfd02d66c1a1e3b836b4fd835c5cf4b9c2c912a462b20ea999a1fd9923eaa" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945f0 c745f400000000 3b0d???????? 0f8d8e010000 68???????? ff15???????? } - $sequence_1 = { 8b8db0feffff e8???????? 8b95d8feffff 8b8db0feffff 52 8bf0 e8???????? } - $sequence_2 = { 53 8b5f38 f6c301 7570 0fb74706 } - $sequence_3 = { 0fb75714 8d4c3a24 85c0 7429 8bf0 } - $sequence_4 = { 52 e9???????? a1???????? 6800040000 } - $sequence_5 = { 3bf0 741e 68c1000000 ff15???????? 5b } - $sequence_6 = { 68???????? ff15???????? 8b7508 c7465c88d00010 } - $sequence_7 = { 8b0d???????? 
8945ec 8b4624 83c628 } - $sequence_8 = { 8975e4 33c0 39b8a0f70010 0f8491000000 } - $sequence_9 = { 8b95d0feffff 2b4234 7419 83b9a000000000 7466 50 } + $sequence_0 = { ff34c518f20010 ff15???????? 5d c3 6a0c 68???????? } + $sequence_1 = { ff15???????? 85c0 7517 8b4924 } + $sequence_2 = { 51 52 50 8985e0feffff } + $sequence_3 = { b3e8 50 885df6 56 } + $sequence_4 = { e8???????? 68???????? ff15???????? 8b7508 c7465c88d00010 83660800 } + $sequence_5 = { 8a16 381408 8d3c08 751d } + $sequence_6 = { 83791000 7514 8b4f3c 8b17 394a38 740a 33d2 } + $sequence_7 = { 7467 57 6a08 56 8d3c18 e8???????? 8b4e04 } + $sequence_8 = { 52 6a04 6800100000 50 53 ff95dcfeffff } + $sequence_9 = { 57 ff15???????? 6a00 57 ff15???????? 8bf0 a1???????? } condition: 7 of them and filesize < 165888 
@@ -127070,36 +127812,36 @@ rule MALPEDIA_Win_Hacksfase_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "729ac06e-5cdf-534d-872e-f45399aff424" - date = "2026-01-05" - modified = "2026-01-06" + id = "c3914b01-a5ad-5c7f-a735-7dcc2ab34591" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hacksfase_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hacksfase_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "475d936eb0e74e3fe48740a165f50322f1d0bfb51d9d93ce37cd5fe8ac260ab9" + logic_hash = "c0e0ff5e2fc92b0c1528abf2f97b13e72f28cf3013e9ec1c6c3c66dabce1d837" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8965e8 33db 895de0 895de4 895dd8 895ddc 895dfc } - $sequence_1 = { 56 6a02 68???????? 56 ff500c } - $sequence_2 = { 56 ffd3 50 ffd5 56 ff15???????? } - $sequence_3 = { 89442418 894c241c 6a00 6a00 6a00 6a06 6a01 } - $sequence_4 = { 3975b4 7416 3975bc 7411 ff75b4 8bcb } - $sequence_5 = { 7479 bf02000000 8b442414 40 3bc7 89442414 } - $sequence_6 = { e8???????? 8b1d???????? 83c40c 68e8030000 ffd3 6a00 6a00 } - $sequence_7 = { 895dc8 895dd0 ff5064 3bc3 894508 7d5d } - $sequence_8 = { b8???????? e8???????? 
83ec0c 8b412c 56 57 } - $sequence_9 = { 33d2 8d0cb6 f7f6 8d0c89 } + $sequence_0 = { f7d1 83c108 898da4dfffff b9???????? } + $sequence_1 = { c744241c44000000 89742420 89742428 89742424 89742438 89742434 89742430 } + $sequence_2 = { 8d450b 83ec10 8bcc 8965ec 50 68???????? ff15???????? } + $sequence_3 = { ff75d8 8b35???????? ffd6 8945e0 8b45d0 03c0 50 } + $sequence_4 = { 85f6 742e b9???????? c745fc00000000 e8???????? 8b0d???????? 8d95ecdfffff } + $sequence_5 = { 5f 5e 81c434010000 c3 e8???????? 5f } + $sequence_6 = { 750e 395dfc 7409 ff75fc ff15???????? } + $sequence_7 = { 6a00 83c660 6a00 56 6a00 ff15???????? } + $sequence_8 = { e8???????? 83c404 56 57 b940000000 33c0 8d7c2439 } + $sequence_9 = { 68???????? ff15???????? 8b4dec e8???????? eb02 33c0 834dfcff } condition: 7 of them and filesize < 106496 
@@ -127109,36 +127851,36 @@ rule MALPEDIA_Win_Lookback_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "85752543-778d-502f-a58c-a2ac64bb54fd" - date = "2026-01-05" - modified = "2026-01-06" + id = "e13ea758-f188-55b7-ab30-2735604804af" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lookback_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lookback_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "d58209e22f4f6576558a613c24f624b5020028fc2870f726763fd240be9135bc" + logic_hash = "eb2c18512dc4c793c56c11e19b2283a1a218be4cc01b5a9bc695280303a63821" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7c241c 33ed 8b473c 8b443878 03c7 8b5024 } - $sequence_1 = { 393d???????? 75af eb24 8b0d???????? } - $sequence_2 = { 8b542430 894308 8b442428 83c414 } - $sequence_3 = { 8b31 25ff0f0000 03c6 8bf7 } - $sequence_4 = { 8b7af8 83c228 03f8 8bc1 c1e902 f3a5 } - $sequence_5 = { 668b4b06 3be9 7cd0 5f 5e } - $sequence_6 = { 7422 6a00 8d4c2404 6a20 51 6a03 } - $sequence_7 = { ff15???????? 8d542400 52 e8???????? 
33c0 81c408010000 } - $sequence_8 = { 5b 81c410070000 c3 55 8bec 51 53 } - $sequence_9 = { 3bef 741b 6800800000 57 } + $sequence_0 = { 56 57 b946000000 33c0 } + $sequence_1 = { 85db 0f8482000000 52 ff15???????? 85c0 7477 0fbf480a } + $sequence_2 = { e8???????? 3bc7 0f84a1010000 83f8ff 0f8498010000 } + $sequence_3 = { 3bef 7511 8b4810 3bcf 0f8493010000 894c241c eb25 } + $sequence_4 = { ff15???????? 8d542400 52 e8???????? 33c0 81c408010000 c3 } + $sequence_5 = { 56 8d7c2420 8b32 6a00 c1e902 } + $sequence_6 = { 8d5108 d1e8 85c0 7e33 } + $sequence_7 = { 7446 83b89001000006 7514 b903000000 8bfd 8db094010000 } + $sequence_8 = { 66396b06 7636 8d930c010000 8b32 } + $sequence_9 = { 7422 6a00 8d4c2404 6a20 51 6a03 } condition: 7 of them and filesize < 131072 
@@ -127148,47 +127890,47 @@ rule MALPEDIA_Win_Badnews_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "669fd264-b6d6-5d6c-8250-2eaeef7607f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "c22c77c9-3014-5c4a-80c0-0ac5a063cf6d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.badnews_auto.yar#L1-L205" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.badnews_auto.yar#L1-L214" license_url = "N/A" - logic_hash = "70dca6886c221c9bfe5fe7481db4825e4f99d418a6f0f0b45196e36a94b37f92" + logic_hash = "c0bd9568fd9756b685279f1522fb03096d0525a822427ad3f4c15ae42af5c745" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 50 e8???????? 83c404 68???????? 6804010000 } - $sequence_1 = { c0e004 02c1 3423 c0c003 } - $sequence_2 = { c78534ffffff47657457 c78538ffffff696e646f c7853cffffff77546578 66c78540ffffff7457 } - $sequence_3 = { c705????????33322e64 66c705????????6c6c c605????????00 ff15???????? } + $sequence_0 = { 50 e8???????? 83c404 68???????? 6804010000 ff15???????? } + $sequence_1 = { 83e957 eb02 33c9 c0e004 02c1 3423 c0c003 } + $sequence_2 = { c705????????33322e64 66c705????????6c6c c605????????00 ff15???????? 
} + $sequence_3 = { c78534ffffff47657457 c78538ffffff696e646f c7853cffffff77546578 66c78540ffffff7457 } $sequence_4 = { a1???????? 33c5 8945fc 53 56 57 8d8534ffffff } - $sequence_5 = { eb02 33c9 c0e004 02c1 } - $sequence_6 = { 55 8bec 8b450c 3d01020000 } - $sequence_7 = { 68???????? 6a1a 68???????? 57 } - $sequence_8 = { 6a00 d1f9 68???????? 03c9 } - $sequence_9 = { 57 6a00 6880000000 6a04 6a00 6a01 6a04 } - $sequence_10 = { ffd3 85c0 7403 83c608 8a06 } - $sequence_11 = { ff15???????? 85c0 7405 83c004 } - $sequence_12 = { 68???????? ff15???????? b8???????? 83c424 8d5002 668b08 } - $sequence_13 = { 41 84c0 75f9 2bce 3bd1 72e4 } - $sequence_14 = { 8bc7 c1f805 83e71f c1e706 8b0485d0a70110 } - $sequence_15 = { 4b 75da 8b35???????? 8b9d50fbffff } - $sequence_16 = { 8bce 83e11f c1e106 8b0485d0a70110 c644080401 56 e8???????? } - $sequence_17 = { 6a03 8802 42 8b048dd0a70110 4e 5f 6a0a } - $sequence_18 = { c1e106 899528e5ffff 53 8b1495d0a70110 } - $sequence_19 = { 84c0 75f9 2bce 741c 804415ec03 8d4dec 42 } - $sequence_20 = { c7465c00350110 83660800 33ff 47 897e14 } + $sequence_5 = { 55 8bec 8b450c 3d01020000 } + $sequence_6 = { 68???????? 6a1a 68???????? 57 } + $sequence_7 = { 6a00 d1f9 68???????? 03c9 51 } + $sequence_8 = { 56 ffd3 85c0 7403 83c608 } + $sequence_9 = { ff15???????? 85c0 7405 83c004 eb02 } + $sequence_10 = { 8bf0 56 ff15???????? 50 6a40 ff15???????? } + $sequence_11 = { 57 6a00 6880000000 6a04 6a00 6a01 6a04 } + $sequence_12 = { b8???????? 83c424 8d5002 668b08 83c002 } + $sequence_13 = { 894de4 399870980110 0f84e8000000 41 83c030 894de4 } + $sequence_14 = { 8bf0 c1ff05 83e61f c1e606 8b0cbdd0a70110 f6440e0401 } + $sequence_15 = { 8d4df0 e8???????? 68???????? 8d45f0 c745f0402f0110 50 e8???????? } + $sequence_16 = { 2400 1098240010bc 2400 1023 d18a0688078a } + $sequence_17 = { 8b4d08 33c0 3b0cc530610110 740a 40 83f817 72f1 } + $sequence_18 = { 8b0c85d0a70110 8a06 46 88441926 2bf2 eb14 f7da } + $sequence_19 = { e8???????? 59 ff34f5009e0110 ff15???????? 
5e } + $sequence_20 = { c705????????369f0010 c705????????aaa80010 c705????????12a80010 c705????????fda80010 c3 } condition: 7 of them and filesize < 612352 @@ -127199,10 +127941,10 @@ rule MALPEDIA_Win_Plurox_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "00819bcc-51e2-53a8-9308-9b7887ed6069" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.plurox_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.plurox_auto.yar#L1-L112" license_url = "N/A" logic_hash = "fa579257df25509063a4df447932e0b25e6ea4c45a2af23b4dfc95998427a19a" score = 75 @@ -127211,9 +127953,9 @@ rule MALPEDIA_Win_Plurox_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -127237,36 +127979,36 @@ rule MALPEDIA_Win_Fakeword_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "83704e50-1dbd-5c9a-b83f-e831a9bf7880" - date = "2026-01-05" - modified = "2026-01-06" + id = "5742bbe6-a351-5e75-a811-907f4506a816" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fakeword_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fakeword_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "109b39226f4f475b4c3e023db9ba2c26fa6ab8a72ccbfd12335d1989ed05d36a" + logic_hash = "bf3af91eec46a25586a139e90909fd74d2b75e281f4a326e8e73dd924abbc0c7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 750d 381c08 7408 8bd1 8915???????? 8a0408 3ac3 } - $sequence_1 = { 89442418 33c0 8a07 50 } - $sequence_2 = { 03ce 0fbe540cd8 52 68???????? 50 ff15???????? 83c40c } - $sequence_3 = { 41 81f900010000 89448afc 7cd4 } - $sequence_4 = { 83e210 f3ab 80fa10 c684246c02000007 743d 8d442458 } - $sequence_5 = { 83f804 7519 56 6a07 8d442418 } - $sequence_6 = { 3a5418ff 750b 83f801 7459 3a5418fe 7453 40 } - $sequence_7 = { 8b6c2420 8b4c2430 8b5c2434 41 83c304 83f908 894c2430 } - $sequence_8 = { c3 8b4c241c 56 51 e8???????? 
8b442414 } - $sequence_9 = { 85ff 7446 8b7010 8b042f 03fd 03f5 } + $sequence_0 = { 668b4d06 6683f901 0f8295010000 8bc1 8db5f8000000 } + $sequence_1 = { 68???????? 55 be41000000 ff15???????? 8b3d???????? 8b1d???????? c74424781a000000 } + $sequence_2 = { 81c400010000 c20800 53 ff15???????? 85c0 } + $sequence_3 = { 33c0 8bfe 68???????? f3ab 56 } + $sequence_4 = { e8???????? 83c404 6a00 6a00 6a00 68???????? ff15???????? } + $sequence_5 = { ffd7 8bbc240c010000 8d542408 52 6a35 8d7704 eb11 } + $sequence_6 = { 83c414 6800000100 68???????? 56 ff15???????? } + $sequence_7 = { 66895004 8d442414 50 55 e8???????? 8b35???????? } + $sequence_8 = { 5f 5e 5d 59 c3 80f9c8 7610 } + $sequence_9 = { c20800 8bc8 56 8bb42408100000 8bd1 57 8d7c240c } condition: 7 of them and filesize < 98304 
@@ -127276,36 +128018,36 @@ rule MALPEDIA_Win_Radamant_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9054a5c-bb68-56d9-b004-7795b422035b" - date = "2026-01-05" - modified = "2026-01-06" + id = "51a61f0e-4cae-5829-9af3-9cd114207b94" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.radamant_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.radamant_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "c8bbb0af31c01f18c5c289ae1834ad1b53dc2920970c2b6e405a5699e0104750" + logic_hash = "4a47a6928da5ed0f36364d352fedc0cdfe40060dd4dc5b4089dd5bceddfffd6c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b45f0 f7d0 2345f4 09d0 0345c4 0345ec } - $sequence_1 = { 7519 8b45c4 890424 e8???????? 8b45f4 8985f4fdffff e9???????? } - $sequence_2 = { 8b5510 83c20e 8b45ec c1e808 8802 8b5510 83c20f } - $sequence_3 = { 31c2 8b45e8 c1e808 0fb6c0 0fb680b0094100 } - $sequence_4 = { 8901 8b4df4 83c128 8b55f4 83c208 8b45f4 83c024 } - $sequence_5 = { 8d85a4fcffff ff00 8d85b8fdffff 890424 e8???????? 3985a4fcffff } - $sequence_6 = { c7042400000000 e8???????? 83ec0c 8d85b8fdffff 890424 e8???????? 8985a4fcffff } + $sequence_0 = { 89e5 53 83ec24 8b4508 890424 e8???????? 
89c3 } + $sequence_1 = { ff00 ebd1 8b45f4 0345ec c60000 c745f003000000 } + $sequence_2 = { 8b85c8f6ffff 89442408 8d45c8 89442404 8d8508fbffff } + $sequence_3 = { 0fb680b01a4100 c1e010 31c2 8b45e8 c1e808 0fb6c0 0fb680b01a4100 } + $sequence_4 = { 83c02c 890424 e8???????? 85c0 7443 8d85b8feffff } + $sequence_5 = { 8d85ccf6ffff 8944240c 8b85c8f6ffff 89442408 8b4514 89442404 } + $sequence_6 = { 89442408 c7442404???????? 8b85f4feffff 890424 e8???????? } $sequence_7 = { 8b45f4 8b00 c1e810 0fb6c0 8b0485e02f4100 8b1495e02b4100 31c2 } - $sequence_8 = { 09d0 0345a8 0345f4 2d885b9528 8945f4 8d45f4 c10007 } - $sequence_9 = { c1e818 0fb6c0 8b0485b01b4100 8b12 31c2 } + $sequence_8 = { 0385d4fdffff 2d10010000 80385c 740a 8d85d4fdffff ff08 ebe3 } + $sequence_9 = { e8???????? c744241405000000 c744241000000000 c744240c00000000 8d85f8feffff } condition: 7 of them and filesize < 204800 
@@ -127315,36 +128057,36 @@ rule MALPEDIA_Win_Chiser_Client_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c99b11d6-95f8-5089-bb79-3dcbcddf715f" - date = "2026-01-05" - modified = "2026-01-06" + id = "1bf7733a-b27d-5245-8a73-b8cddcf167c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chiser_client_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chiser_client_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "a4f562ea6b25a50fa272453bc9361d6900c9cafcbad3f751e3aa04995d53620d" + logic_hash = "a1f8775a472f3a9fd5e419158a63b6c87d1e5ed0df024c103e8c519aecb3c0dc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48890a 48894a08 488d4808 e8???????? 488d05a9e30200 488903 488bc3 } - $sequence_1 = { 480f40c1 488bc8 e8???????? 488bc8 49890424 } - $sequence_2 = { 0f1f440000 418d40fc 460fb61408 418d40fd 460fb61c08 } - $sequence_3 = { c744245865007800 c744245c2e006800 c744246074006d00 c74424646c000000 4c89742430 bf01000000 897c2428 } - $sequence_4 = { 498b0e 4c8d4110 488d5108 e8???????? 90 488bcb e8???????? 
} - $sequence_5 = { 41b904000000 0f1f440000 b904000000 6666660f1f840000000000 410fb60414 } - $sequence_6 = { 488bc5 0f1f00 48ffc0 66833c4100 75f6 83c008 4863f8 } - $sequence_7 = { 48636908 488bf1 4c8b7118 b802000000 } - $sequence_8 = { 48894320 488d1511f5ffff e8???????? eb09 488bcb ff15???????? 408ac5 } - $sequence_9 = { 81ca00000780 85c0 0f4ed0 e8???????? 488d1584aa0100 488d4c2440 } + $sequence_0 = { e8???????? 488b542458 4885db b923810000 480f45d1 4889542458 4d85ed } + $sequence_1 = { 4d8bf0 4c8bfa 488bf9 488b5908 48895c2448 488bcb e8???????? } + $sequence_2 = { 4c8d05e4ca0300 c7431828005700 ba50000000 c7431c69000000 488bcb e8???????? 4c8d05c6ca0300 } + $sequence_3 = { 4883ec20 488bd9 488bc2 488d0d1dc20200 48890b 488d5308 33c9 } + $sequence_4 = { 488bcf e8???????? 4863c3 66833c465c 740e 4863c5 } + $sequence_5 = { 3d05005000 7562 807c243101 7552 488d542470 e8???????? 85c0 } + $sequence_6 = { 7504 32c0 eb1b 488d156a0e0400 8bc8 e8???????? 85c0 } + $sequence_7 = { 488d442460 48894c2450 4c8d4c2458 4889442420 e8???????? 85c0 } + $sequence_8 = { 488bc8 e8???????? 4c634e08 488d146d00000000 4c8b06 4d03c9 488bc8 } + $sequence_9 = { e8???????? e9???????? 6683f833 0f858d000000 } condition: 7 of them and filesize < 714752 
@@ -127355,10 +128097,10 @@ rule MALPEDIA_Win_Photofork_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "03f3231c-1475-52ed-bb16-632751ac4d12" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photofork" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.photofork_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.photofork_auto.yar#L1-L117" license_url = "N/A" logic_hash = "709bae5e70c248514471207a86aa73bde84d2e17312283aa497e33ccd6cf6fc3" score = 75 @@ -127367,9 +128109,9 @@ rule MALPEDIA_Win_Photofork_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -127393,36 +128135,36 @@ rule MALPEDIA_Win_Bitsloth_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d21005cc-48c4-5c1b-8a1c-480f484a1c06" - date = "2026-01-05" - modified = "2026-01-06" + id = "454523ed-3989-5b43-989d-e180635030fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsloth" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bitsloth_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bitsloth_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "b507e5914cce1955d65d2d9ef747d0eb1b6c8dbf2ed2455d47603f8c520d8766" + logic_hash = "37b254160e826989242054a172066a367786b8951b8fccae5ac5cc09a7c7c237" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 837de800 740e 8b4de8 8b11 8b45e8 50 } - $sequence_1 = { eb44 8b45f4 0345ec 8a48ff 884dfc 8b55f4 0355ec } - $sequence_2 = { 52 e8???????? 83c40c 8b45f8 83e801 8945f8 837df803 } - $sequence_3 = { 034df8 8b5508 898a90af0600 8b4508 81b890af060006010000 7310 8b4d08 } - $sequence_4 = { 8b5104 52 8b01 50 8b4df0 e8???????? c745fc00000000 } - $sequence_5 = { eb1b 68???????? 8b4df8 51 e8???????? 83c408 } - $sequence_6 = { 837df400 751b 6a00 6a00 6812c92300 e8???????? } - $sequence_7 = { 8b4d08 89487c 33c0 8b4dfc 33cd e8???????? 8be5 } - $sequence_8 = { 6a03 ff15???????? 
8985f8ecffff 8d95e4ecffff 52 8d859cecffff 50 } - $sequence_9 = { 7515 6a00 6a00 68fa920300 e8???????? 83c40c 33c0 } + $sequence_0 = { e9???????? 837d0c29 7512 68???????? 8d4dd8 } + $sequence_1 = { 51 8b5508 52 e8???????? 83c40c 8b45f8 83e801 } + $sequence_2 = { 51 8b951cf3ffff 52 e8???????? 83c40c 8d8568f9ffff 50 } + $sequence_3 = { 8b5164 b108 e8???????? ba01000000 6bca0e 88440de8 8b9564faffff } + $sequence_4 = { 7465 8b45e8 83c068 50 8b4de8 } + $sequence_5 = { 0fb785b4feffff 83f809 750f c705????????f6030000 e9???????? 83bde4feffff05 7524 } + $sequence_6 = { 83bd2cf1ffff00 0f8e99000000 6a00 8d85e0faffff 50 e8???????? } + $sequence_7 = { 51 e8???????? 83c410 8985f0fdffff 83bdf0fdffff00 7511 68???????? } + $sequence_8 = { 6822a40600 e8???????? 83c40c 33c0 eb7d 837df400 } + $sequence_9 = { e8???????? 83c40c e9???????? 8b9574ffffff 8b02 8b8d74ffffff 51 } condition: 7 of them and filesize < 677888 @@ -127436,7 +128178,7 @@ rule MALPEDIA_Win_Unidentified_061_Auto : FILE date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_061_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_061_auto.yar#L1-L123" license_url = "N/A" logic_hash = "ee3ce5b6c77f09c690f7a934c26be09c58c4fcdee70275b61c00e527d8aa097d" score = 75 
@@ -127471,36 +128213,36 @@ rule MALPEDIA_Win_Smarteyes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8abe8c6c-e31a-5eb9-813d-c2cddefb10f7" - date = "2026-01-05" - modified = "2026-01-06" + id = "7d577ede-8b7b-55bb-9817-61c267c3463e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.smarteyes_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.smarteyes_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "a98816f76882e4d75e28a23473f5f4b08f8f9c7a339abedcd3611228b4563cbb" + logic_hash = "bedef1215e15dad4311337dbae5a82cc03b2b4ef473ee5847f58becb7f6421c5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 84c9 75f6 8b8da8feffff 8bc1 c1e817 2401 8885dafeffff } - $sequence_1 = { 8b7b3c 898580fbffff 33c0 66898594fbffff 8b432c 89859cfbffff 8b4310 } - $sequence_2 = { 84c9 75f9 2bc6 8d8418280a0000 50 e8???????? 8bd8 } - $sequence_3 = { 3bc8 727c 03c0 8945fc 3bc1 7703 894dfc } - $sequence_4 = { ffb5e0feffff e8???????? 59 8bbde4feffff 8b4508 6a4b 83c708 } - $sequence_5 = { 814df800000001 3bd7 7507 814df800008000 8b5d08 57 } - $sequence_6 = { 33c9 3c01 0f94c1 8d442430 52 51 50 } - $sequence_7 = { 50 e8???????? 
8b4de4 83c40c 6bc930 8975e0 8db118bb0210 } - $sequence_8 = { 56 57 6a09 59 33c0 be1c010000 56 } - $sequence_9 = { 53 55 56 57 33c0 be???????? 6a06 } + $sequence_0 = { 668b10 03c7 6685d2 75f6 2bc6 d1f8 3d04010000 } + $sequence_1 = { 8bf0 59 85f6 0f84af000000 6aff 56 8d4c2418 } + $sequence_2 = { 53 e8???????? 8bc7 83c40c 8d4801 8a10 } + $sequence_3 = { 50 e8???????? 8d85ecfeffff 50 c685f0feffff00 e8???????? } + $sequence_4 = { eb05 2bd6 8955e8 837de800 0f842b040000 8b7304 } + $sequence_5 = { eb1b 8bc6 c1f805 8b0485c0f50210 83e61f c1e606 8d443004 } + $sequence_6 = { 6a02 57 6a03 68???????? 8d85e8feffff 50 ffd6 } + $sequence_7 = { 83e21f 83e01f 8d840202010000 8b55e8 03d1 3bd0 0f870d020000 } + $sequence_8 = { 50 6804010000 ff15???????? 56 8d8584f8ffff 50 8d85c4fcffff } + $sequence_9 = { c9 c3 55 8bec b84c430000 e8???????? a1???????? } condition: 7 of them and filesize < 429056 
@@ -127510,36 +128252,36 @@ rule MALPEDIA_Win_Uacme_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53c60ae4-37ff-5d21-9239-76220be2dce4" - date = "2026-01-05" - modified = "2026-01-06" + id = "449c52c7-62d4-5a56-8e6b-0b7ee455ae22" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.uacme_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.uacme_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "3f55ec845579c619785e67b0034681c5b25544222a3c6be5c29fd4298627878a" + logic_hash = "293e546ca5b87e83de5ade24cb0073289f7a33b52a80f27bae1209841ef5ce87" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d45e8 50 ff15???????? 2175f8 8d45f8 50 8d45f0 } - $sequence_1 = { 8d85ecfbffff 50 8d85ccf3ffff 50 } - $sequence_2 = { 50 8d45b4 50 68???????? ff15???????? 8bf0 } - $sequence_3 = { 8bcf c60000 40 83e901 75f7 8b1d???????? 394d10 } - $sequence_4 = { ff75f4 53 ff15???????? ff75fc 53 ff15???????? 6807700000 } - $sequence_5 = { 83ee01 75f7 68???????? 8d85c8fdffff 50 } - $sequence_6 = { 5d c3 ff7508 8bd3 8d8de0f7ffff e8???????? 59 } - $sequence_7 = { 8975dc 8975cc 85f6 7421 8b55e0 } - $sequence_8 = { 8906 5e 8b45fc 8be5 5d c3 55 } - $sequence_9 = { 3db7000000 0f8593010000 ba???????? 
8d8ddcfbffff e8???????? 6a00 } + $sequence_0 = { 8d45e8 50 ff75fc ff15???????? 8b4df8 33d2 85c0 } + $sequence_1 = { 6a08 ff7018 ff15???????? 8bf0 85f6 0f84de000000 } + $sequence_2 = { 68???????? ff15???????? 8b5de4 834dfcff 85ff 740e } + $sequence_3 = { 56 ff15???????? 6802700000 56 ff15???????? 85c0 } + $sequence_4 = { 83ec0c 53 56 57 6a04 6800300000 8d44241c } + $sequence_5 = { 8d45f0 6a08 8bfa 895dfc 895df8 5e } + $sequence_6 = { c3 55 8bec 81ec20040000 53 56 be0a020000 } + $sequence_7 = { e8???????? ff75f0 8b55ec 8d8ddcfbffff e8???????? } + $sequence_8 = { 58 6a65 59 668945f6 6a78 } + $sequence_9 = { 89421c ba???????? e8???????? 85c0 0f8493000000 50 } condition: 7 of them and filesize < 565248 
@@ -127549,36 +128291,36 @@ rule MALPEDIA_Win_Mpkbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c0d844d-8443-5cd2-85d1-0760b4dc7471" - date = "2026-01-05" - modified = "2026-01-06" + id = "bc1b8bdd-8001-5079-be14-f5c36d3d10ad" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mpkbot_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mpkbot_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "e000d2e2dca508ff7c1606218ef334f987cad7bd6633af2fef3bc1fd70b54752" + logic_hash = "67aecb7e8edf0aeb49c931f01e1e8cf13f73baf1a8fcba853c7ded9188a5c741" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ff15???????? ff7510 a3???????? } - $sequence_1 = { 68???????? 68???????? 8975f8 8b08 50 } - $sequence_2 = { 52 56 6a20 68???????? 68???????? 8975f8 8b08 } - $sequence_3 = { 50 ff15???????? 8b45fc 3bc6 7406 8b08 } - $sequence_4 = { 68???????? 68???????? 8975f8 8b08 50 ff5150 } - $sequence_5 = { a5 a5 8b75fc 5f 53 ff15???????? 8bc6 } - $sequence_6 = { 56 68???????? 68???????? 
ffd7 6a00 6a01 } - $sequence_7 = { eb15 53 ff75f8 56 } - $sequence_8 = { d95dd0 d945d0 d9c1 dee1 d95dcc 0fb630 } - $sequence_9 = { 6a01 6aff 8975fc 8b08 50 ff5110 85c0 } + $sequence_0 = { ffd6 8bd8 85db 740c } + $sequence_1 = { c70028000000 895010 895014 894818 89481c 895020 } + $sequence_2 = { 85c0 7fdf 5e 5b c9 c3 } + $sequence_3 = { ff75f8 56 ff15???????? 8bd8 3bde 7507 } + $sequence_4 = { 6a20 68???????? 68???????? 8975f8 8b08 50 ff5150 } + $sequence_5 = { 56 57 6a00 ff15???????? 8bf0 0fb7450c } + $sequence_6 = { ffe0 55 8bec 68???????? ff15???????? 68???????? } + $sequence_7 = { 6689500e 33d2 c70028000000 895010 } + $sequence_8 = { 384508 7507 38450c 740a eb05 } + $sequence_9 = { ffd0 5d c3 68???????? ff15???????? 68???????? } condition: 7 of them and filesize < 139264 
@@ -127588,36 +128330,36 @@ rule MALPEDIA_Win_Scranos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6b87374-5f91-5170-a53f-357b78008c92" - date = "2026-01-05" - modified = "2026-01-06" + id = "ce7511d4-9f42-54c9-acac-77edbe055210" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scranos_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scranos_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "52e1cc52ba176c72c7453bb67f5d2aeb347a2cda714eb2419f457836d51a180e" + logic_hash = "d1149f3696074172322e1c9b718c78bd06ed86bf6f6714e9a671da9ed742f38a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8d4dd0 e9???????? 8d8d64ffffff e9???????? b8???????? e9???????? } - $sequence_1 = { c68424450e00002d 8db424460e0000 f6c102 7406 c6062b 83c601 f6c101 } - $sequence_2 = { c745a800000000 837d9c00 7508 8b45a0 8b08 894d9c 8b55f4 } - $sequence_3 = { e8???????? 83c404 85c0 0f8587050000 39442424 0f8570050000 8b8d940c0000 } - $sequence_4 = { c745b07c441010 e8???????? cc 6a44 b8???????? e8???????? 68???????? } - $sequence_5 = { 8d6803 e8???????? 
83c40c 85c0 0f85c4000000 6a07 56 } - $sequence_6 = { 8b5518 8991e0010000 c745f800000000 eb09 8b45f8 83c001 8945f8 } - $sequence_7 = { c6405400 0fb64dff 85c9 7514 8b55e4 8b45ec 3b424c } - $sequence_8 = { 90 8d442410 50 6a00 55 56 e8???????? } - $sequence_9 = { c7414802000000 8b55e8 52 e8???????? 83c404 83c001 8945b0 } + $sequence_0 = { 8b8f20030000 895004 8b9724030000 894808 8b4c242c 89500c 8b542430 } + $sequence_1 = { 8d44242c 50 56 e8???????? 83c40c 8bd8 e8???????? } + $sequence_2 = { f7d9 1bc9 83c101 884de3 837d1400 0f8451010000 c745dc00000000 } + $sequence_3 = { 8b8dbcfeffff 83c101 51 8b5510 52 8d45c0 50 } + $sequence_4 = { 8d4dd4 e8???????? 50 8b4d2c e8???????? 8d4dd8 e8???????? } + $sequence_5 = { ebce 0fb645ce 85c0 740f 8b4dec c6012e 8b55ec } + $sequence_6 = { 8b8350030000 85c0 89442414 7504 89742414 83bd180c000000 740e } + $sequence_7 = { 8b5508 66894a10 8b450c 50 8b4d08 51 e8???????? } + $sequence_8 = { 83c404 85c0 7544 68???????? 8d8d5cfdffff e8???????? 8985c8fcffff } + $sequence_9 = { eb54 bd???????? bf???????? eb09 bd???????? 8bdd 8bfd } condition: 7 of them and filesize < 2859008 @@ -127628,10 +128370,10 @@ rule MALPEDIA_Win_Nocturnalstealer_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "5964c83b-5a1b-5913-a49a-303693a90164" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nocturnalstealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nocturnalstealer_auto.yar#L1-L134" license_url = "N/A" logic_hash = "c662283be69db4ef7dfe1019eca1797cdbfc6ecd9828799d75f57c47594f7be3" score = 75 
@@ -127640,9 +128382,9 @@ rule MALPEDIA_Win_Nocturnalstealer_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -127666,36 +128408,36 @@ rule MALPEDIA_Win_Royal_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b707ba7e-f795-5786-96ea-1fd46c83e33f" - date = "2026-01-05" - modified = "2026-01-06" + id = "ef929107-28ce-5f41-8494-9d1ee160df90" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.royal_ransom_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.royal_ransom_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ff950c4f22d55465d57ffb0791253a97dd6631f204494c457bce80921890bdb0" + logic_hash = "80b8c157898c37b93935d25a0e42b1caeb54652b750c63fc9dedffe23195c14f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 4c8d059b3b1400 ba8f000000 e9???????? 488b4608 8b08 e8???????? } - $sequence_1 = { 803d????????00 754c 488d0d5c220d00 48890d???????? 488d050e1f0d00 488d0d37210d00 488905???????? } - $sequence_2 = { e8???????? 482be0 488bfa 488bd9 4885c9 747e 488d156abf0600 } - $sequence_3 = { 85c0 0f450d???????? 85c9 7411 488d0d31212400 e8???????? 4885c0 } - $sequence_4 = { e8???????? 4c8d0503171400 8d562b 488d0d09171400 e8???????? 4533c0 8d4e10 } - $sequence_5 = { c3 e8???????? 4c8d0553bd1400 ba8f010000 488d0d2fbd1400 e8???????? 
4533c0 } - $sequence_6 = { e8???????? 397010 0f84ccfeffff e8???????? 4c8d052eb91400 ba66000000 488d0deab81400 } - $sequence_7 = { 754c e8???????? 4c8d05aeb81600 bae9000000 488d0d8ab81600 e8???????? 4533c0 } - $sequence_8 = { e8???????? 4c8d0533510e00 bac1010000 488d0da7500e00 e8???????? 4533c0 8d4f39 } - $sequence_9 = { c3 49ff80c0000000 488bcb 488b4308 8b10 e8???????? b801000000 } + $sequence_0 = { e8???????? 41b889000000 488d15e0541500 498bce e8???????? 33c0 488b5c2470 } + $sequence_1 = { b820000000 e8???????? 482be0 488bd9 448d4009 488b4918 488d15e7a80d00 } + $sequence_2 = { e8???????? 482be0 488bc2 488bf9 488bc8 488d1595640900 e8???????? } + $sequence_3 = { e9???????? 4533c0 c744243001000000 498bcf 418d5003 e8???????? 488bcd } + $sequence_4 = { e8???????? 85c0 0f8486000000 488d15896f0700 488bcf e8???????? 488bf8 } + $sequence_5 = { 7649 e8???????? 4c8d05565d1400 bab90c0000 488d0dca5c1400 e8???????? 4533c0 } + $sequence_6 = { ba12020000 488d0df73e1500 e8???????? ba78000000 eb6a 80bc24c000000000 0f8599000000 } + $sequence_7 = { e8???????? 482be0 488b05???????? 4833c4 488985c06d0000 48899c24006f0000 4889b424086f0000 } + $sequence_8 = { 749c 488d1515dd0900 488bcf e8???????? 488bd8 4885c0 7449 } + $sequence_9 = { e8???????? badd030000 4c8d05dab61200 488d0debb61200 e8???????? ba74000000 e9???????? } condition: 7 of them and filesize < 6235136 
@@ -127705,42 +128447,42 @@ rule MALPEDIA_Win_Cuba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "86d7ccf5-17e2-58df-93e2-25197c1f8e94" - date = "2026-01-05" - modified = "2026-01-06" + id = "a35b9290-3766-538c-a78b-83e4f421f750" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cuba_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cuba_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "06e63a9dd7221f555e50b6728a34cba72d1d2d067337f699676a2804a6a34058" + logic_hash = "0adb50371f856938be045a74c4609808fc9f721ab8545ed3a45e4ef714da22cc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7810 3de4000000 7309 8b04c510704100 5d } - $sequence_1 = { c3 8bff 55 8bec 8b4d08 33c0 3b0cc5905d4100 } - $sequence_2 = { 0019 43 41 00444341 } - $sequence_3 = { 8bd6 c745ac749f4100 8bce 0fb707 } - $sequence_4 = { 000d???????? 384100 b538 41 } - $sequence_5 = { 0026 45 41 003a } - $sequence_6 = { 0026 43 41 00b043410062 } + $sequence_0 = { 0019 43 41 00444341 } + $sequence_1 = { 6a00 6a02 8985c0fbffff ff15???????? 8d8dccfbffff 8985c8fbffff 51 } + $sequence_2 = { 003a 45 41 004245 } + $sequence_3 = { 000d???????? 384100 b538 41 } + $sequence_4 = { 000c43 41 0035???????? 
43 } + $sequence_5 = { 000446 41 00d1 45 } + $sequence_6 = { ff15???????? 33c0 8bf8 8985f8f7ffff 8bb778df4100 8d95fcf7ffff } $sequence_7 = { 0012 45 41 0026 } - $sequence_8 = { 83e801 0f8501010000 c745e004934100 8b4508 } - $sequence_9 = { ff24953c354000 c7878c00000001000000 85c9 747e 3bc6 730a } - $sequence_10 = { 660fc5c400 25f0070000 660f28a040974100 660f28b830934100 660f54f0 660f5cc6 660f59f4 } - $sequence_11 = { ffd7 85c0 750c e8???????? 5f } - $sequence_12 = { 000c43 41 0035???????? 43 } - $sequence_13 = { 003a 45 41 004245 } - $sequence_14 = { 7414 8d85c0f9ffff 50 56 ff15???????? 85c0 75e6 } - $sequence_15 = { 000446 41 00d1 45 } + $sequence_8 = { 3b0cc5905d4100 7427 40 83f82d 72f1 8d41ed } + $sequence_9 = { 3d00002000 7710 8d85e8f7ffff 8bcf 50 e8???????? eb55 } + $sequence_10 = { 0026 45 41 003a } + $sequence_11 = { 0026 43 41 00b043410062 } + $sequence_12 = { 5d c3 8b04c5945d4100 5d c3 } + $sequence_13 = { ffb5e8f7ffff ff15???????? 8b8de4f7ffff 8b85e0f7ffff 3bcb 7f4c 7c07 } + $sequence_14 = { 33c0 c785c0f9ffff2c020000 668985ecfbffff 668985f4fdffff 8d85c0f9ffff 50 56 } + $sequence_15 = { ffb5fcfdffff ff15???????? 85c0 750d 8b95c0fbffff 53 e8???????? } condition: 7 of them and filesize < 1094656 
@@ -127750,36 +128492,36 @@ rule MALPEDIA_Win_Electric_Powder_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "70f1fd4f-5a0a-57d1-8155-729a3e15c844" - date = "2026-01-05" - modified = "2026-01-06" + id = "4874a66c-d43a-5b79-b790-b3b0b51d61b0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.electric_powder_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.electric_powder_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "801118c2f636f6d2e21f384ccb7f80375d94dda489cf095ec07a8f466a0ae16c" + logic_hash = "00f376c7fdfd443684ae6ea39fc6081aa1286493adbdaeedd0588edee57b33a9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 0f84b6130000 8d8de0fbffff 8d5720 8d7102 668b01 83c102 } - $sequence_1 = { 8d8d68faffff e9???????? 8d8d5cf9ffff e9???????? 8d8df8faffff e9???????? 8b857cf9ffff } - $sequence_2 = { 3bd8 0f42d8 8d4301 85c0 7504 33f6 eb34 } - $sequence_3 = { 8b35???????? 81c230750000 89b574f9ffff 52 ffd6 68???????? 6a01 } - $sequence_4 = { 3b4e08 0f838e010000 8b4604 c704c810000000 8b5608 83ea01 } - $sequence_5 = { 0f4dd0 7ce7 56 8d7207 83e6f8 3bd6 } - $sequence_6 = { c645fc79 e8???????? 
c785e0fbffff00000000 81cf00010000 c785e4fbffff00000000 } - $sequence_7 = { c60600 8d8d30fcffff e8???????? 8d8520fdffff ba???????? 50 8d8da0fbffff } - $sequence_8 = { 8947fc eb0b 50 e8???????? 83c404 8bf8 8b4dfc } - $sequence_9 = { 8bf0 e9???????? 8b45f8 46 8b541004 8955ec 3bf2 } + $sequence_0 = { c1e81f 03c2 8bd6 3daaaaaa0a 0f879b070000 8d0c40 c1e103 } + $sequence_1 = { 59 59 3bc7 7404 8bc3 eb17 8b461c } + $sequence_2 = { 3b4a14 7740 837a1408 8bc2 899548efffff 7208 8b02 } + $sequence_3 = { 83bd64faffff08 6a00 0f438550faffff 50 ff15???????? 83bd34fdffff10 } + $sequence_4 = { 0f8698000000 8bd6 a81f 0f858e000000 8b49fc 3bc8 0f8383000000 } + $sequence_5 = { 2930 8b411c 0130 8b45fc eb30 8b01 } + $sequence_6 = { 07 854000 15854000c6 864000 8a8440008a8440 007585 40 } + $sequence_7 = { c7856cfbffff00000000 0f1007 c7857cf9ffff01000000 0f118558fbffff f30f7e4710 660fd68568fbffff c7471000000000 } + $sequence_8 = { 8bc8 85c9 0f88bffeffff 8b4708 3945fc } + $sequence_9 = { 8d8d98efffff e8???????? 83bdacefffff08 8d8598efffff 8bb53cefffff 0f438598efffff 6800000001 } condition: 7 of them and filesize < 565248 
@@ -127789,41 +128531,41 @@ rule MALPEDIA_Win_Newbounce_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3e3986fe-0558-5f1b-99f3-eb9b18b9db79" - date = "2026-01-05" - modified = "2026-01-06" + id = "554f1f64-8795-5f81-a4e0-9ae2b3fe03d2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.newbounce_auto.yar#L1-L149" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.newbounce_auto.yar#L1-L144" license_url = "N/A" - logic_hash = "53993fab1fffe3be30682fcde23603c8013a2f2c28d0b685101dbd874fd28f1f" + logic_hash = "5871c2f4b934fe6925fce9367be6b26e7a02354d682ba41ca50d8bbad1475c5c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 83e00f 7e05 2bf0 83c610 } - $sequence_1 = { 7c11 8a03 4b8b8cf8a0b40600 48ffc3 } - $sequence_2 = { 7c2f 803b39 7f2a 488d4c2420 } - $sequence_3 = { 7c07 488d4c2438 eb0a 4889442430 488d4c2430 488b09 483b8e78020000 } - $sequence_4 = { 7c0c 488d15bad00200 e9???????? 488d1566d00200 } - $sequence_5 = { 7c8d 4863c8 498bd6 85c0 } - $sequence_6 = { 7c4b 4c8bc6 e8???????? 48017748 } - $sequence_7 = { 7c07 488d4c2460 eb0a 4889442468 } - $sequence_8 = { 81ec68010000 a1???????? 33c4 89842464010000 56 57 8bf1 } - $sequence_9 = { 81ec20020000 a1???????? 
33c4 89842418020000 56 } - $sequence_10 = { 81ec50030000 a1???????? 33c5 8945ec 53 } - $sequence_11 = { 81ec28010000 a1???????? 33c5 8945fc 8b4610 } - $sequence_12 = { 81ec64060000 a1???????? 33c4 89842460060000 53 } - $sequence_13 = { 81ec8c010000 56 a1???????? 33c5 } - $sequence_14 = { 81ec58030000 a1???????? 33c4 89842450030000 } + $sequence_1 = { 7cd4 2983d0010000 3bfe 7530 } + $sequence_2 = { 7cd6 488d0d527a0200 e8???????? 448b460c } + $sequence_3 = { 7cba 4863c3 6644893447 eb31 } + $sequence_4 = { 7cca 488d0d108f0200 448bc6 8bd3 } + $sequence_5 = { 7cd5 81fb401f0000 750d 44392d???????? } + $sequence_6 = { 7cdd 488b8c2420100000 4833cc e8???????? } + $sequence_7 = { 7cc4 4883c8ff eb03 488bc7 } + $sequence_8 = { 81e7ff000000 3304bd485b6300 895c2458 3304ad48536300 } + $sequence_9 = { 81e7ff000000 89442444 89bc24c8000000 8bf8 c1e818 8b0485485b6300 } + $sequence_10 = { 81e7ff000000 896c2410 8be8 8b04bd48536300 } + $sequence_11 = { 81e7ff000000 330cbd48576300 c1e208 330c8548536300 } + $sequence_12 = { 81e7ff000000 3304bd485f6300 33442418 33442410 } + $sequence_13 = { 81e7???????? e8???????? 6aff 6aff 8d4510 50 ff15???????? } + $sequence_14 = { 81e7ff000000 8b0cbd48576300 894c241c 8b0c9d48536300 } condition: 7 of them and filesize < 8637440 
@@ -127833,36 +128575,36 @@ rule MALPEDIA_Win_Parasite_Http_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "428f5b1a-bef9-53b1-98cc-8fc8771086ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "92065351-1450-5e34-9ab7-a2e33040f8f7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.parasite_http_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.parasite_http_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "17acd197a87921b670f888ee97c4d2fb4638cc1589bba3924516c4ae4f9f894f" + logic_hash = "5f370e186027199caf1cd68938741ba318cb3d8a0b61f1b15eb9db06b1d68ce6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c602 43 3b5df4 72e6 8b7de4 eb07 8bcf } - $sequence_1 = { ff75f4 6aff ff15???????? 5f 5e 8bc3 5b } - $sequence_2 = { 8d95d4fdffff c785d4fdffff2c020000 8bce e8???????? e9???????? e8???????? 8b8ddcfdffff } - $sequence_3 = { 85c9 7405 e8???????? 5e 8bc3 5b 5f } - $sequence_4 = { ff7508 6801000040 57 53 ffd0 f7d8 5f } - $sequence_5 = { ff7510 6aff ff7508 6a00 68e9fd0000 ffd0 5e } - $sequence_6 = { ff55f0 8945e0 837de000 0f84eb000000 ff75ec 6a00 ff55e8 } - $sequence_7 = { e8???????? 8bd6 8bc8 e8???????? 
ff751c ff7518 } - $sequence_8 = { 6a00 6a00 681f000f00 57 ffd0 5f 5e } - $sequence_9 = { 8d8df8efffff 51 ffd0 5e 85c0 7917 b9???????? } + $sequence_0 = { 7407 b9???????? eb71 e8???????? 85c0 7407 b9???????? } + $sequence_1 = { 51 51 53 57 51 6880000000 6a02 } + $sequence_2 = { c745e0c2154000 c745e4e2154000 c745e806164000 c745ec2a164000 c745f052164000 c745f472164000 } + $sequence_3 = { 8d45e8 50 ff75e0 6800100000 8b55f8 33c9 e8???????? } + $sequence_4 = { 8365ec00 8365fc00 8d45fc 50 ff7510 8b550c } + $sequence_5 = { 8b45f8 48 8945f8 ebe4 c745b43c000000 c745bc20000000 c745c800010000 } + $sequence_6 = { 6801000040 57 53 ffd0 f7d8 5f 1bc0 } + $sequence_7 = { 8bc1 33d2 f7f6 8bc8 8d4230 668907 8d7ffe } + $sequence_8 = { 42 e8???????? 8bf8 e8???????? 3db7000000 750d } + $sequence_9 = { ffd7 53 8d4508 50 8d460a 50 ffd7 } condition: 7 of them and filesize < 147456 
@@ -127872,36 +128614,36 @@ rule MALPEDIA_Win_Deathransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50ee2015-88b7-58a2-ad62-287a84416fd8" - date = "2026-01-05" - modified = "2026-01-06" + id = "64427647-6fce-5755-8829-e1146578a5e4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deathransom_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deathransom_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "4fbf584c560c10f65d1ed9a5619731c7c654805433383d8df8efbda5a45512a6" + logic_hash = "952a3b2641269e5f046a7ee2ac94d4a65c748fea8db42d338e3254f72a56328f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 668945d8 8d55d8 8b45f4 52 6a00 68???????? 8b08 } - $sequence_1 = { 03d6 8bc1 8b75c8 03da c1c00d 8bd1 } - $sequence_2 = { 8b75d4 c1c90e 33c8 836dc001 894ddc 894dbc 8b4df8 } - $sequence_3 = { ffd7 50 ffd6 ff75d8 6a00 ffd7 50 } - $sequence_4 = { 894108 eb03 8b7df8 56 6a00 ff15???????? 8b35???????? 
} - $sequence_5 = { 33c8 8bc3 034dcc 33c6 2345e4 33c3 03c1 } - $sequence_6 = { f7d8 837b0400 5f 0f4dc6 5e 894304 5b } - $sequence_7 = { 894db8 0fb64a38 c1e108 0bc8 0fb6423a c1e108 0bc8 } - $sequence_8 = { 33c8 8b7de4 03ca 8b5df4 8b55dc 8bc6 } - $sequence_9 = { 33c2 8b55dc 8945e4 8d0413 c1c007 3345cc 03d0 } + $sequence_0 = { 8b55d8 33c3 03c1 81c216c1a419 03d0 8bcf 0155ec } + $sequence_1 = { 8d049d00000000 50 6a08 ffd1 50 } + $sequence_2 = { 5f 33c0 5e c3 8b4908 f7d6 } + $sequence_3 = { 83c42c 8b4df4 57 53 e8???????? 8b55e4 } + $sequence_4 = { 5e 5b 8be5 5d c3 8b35???????? 6a04 } + $sequence_5 = { 235ddc 0bd8 895de0 014de0 8b4dc4 8bd1 } + $sequence_6 = { 33c8 8b7de4 03ca 8b5df4 8b55dc 8bc6 } + $sequence_7 = { c1e80a 33d0 8b5da0 0355bc 8bcb c1c10e 8bc3 } + $sequence_8 = { 8bc3 c1e803 33f8 8b5de0 03fa 8b55ec 037db4 } + $sequence_9 = { 3b55fc 8b75f0 1bc0 c1eb10 f7d8 03c1 8b4df8 } condition: 7 of them and filesize < 133120 
@@ -127911,36 +128653,36 @@ rule MALPEDIA_Win_Evilbunny_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "09358091-8a71-53e9-955e-7e0615a7395b" - date = "2026-01-05" - modified = "2026-01-06" + id = "0fdd257f-e1de-5162-b898-318e3646215a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.evilbunny_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.evilbunny_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "129d7389b0c5c744f879d0c6646586dd6514e45e4141df82d478776226b51b53" + logic_hash = "c0f269d64ef466ac9dc41c429b57bd677a932b045efbd4c52947e3b37d72f372" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb37 6a00 8b4df4 2b4d0c 51 8b55fc 8b4218 } - $sequence_1 = { 2b45e4 1b55e8 8945a0 8955a4 eb0e c745a000000000 c745a400000000 } - $sequence_2 = { 8b55f8 8b4218 8b550c 891401 8b450c 0fb64805 83e103 } - $sequence_3 = { 8b5518 c1e20e 0bc2 50 8b4508 50 e8???????? } - $sequence_4 = { 8d8c3a4b661aa8 894df8 8b95ccfeffff c1ea02 8b85ccfeffff c1e01e 0bd0 } - $sequence_5 = { 55 8bec 51 8b4508 8b4824 034d0c 894dfc } - $sequence_6 = { e8???????? 8b55f8 c782060c000001000000 33c0 52 8bcd 50 } - $sequence_7 = { e8???????? 8b858cfeffff 52 8bcd 50 8d1540f91000 e8???????? 
} - $sequence_8 = { e8???????? 83c408 8b4dfc 51 8b95e4fdffff 52 8d85e8fdffff } - $sequence_9 = { 8b5508 8b4238 89413c 8b4d08 8a5510 885136 b801000000 } + $sequence_0 = { 8b55e8 8902 8b45e8 c7400804000000 8b4d08 8b5108 83ea10 } + $sequence_1 = { e8???????? 8b4dfc 894108 8b55fc c7420400000000 8b45fc c70000000000 } + $sequence_2 = { 8b4dfc 0fb65105 8b45f0 0fb64814 83f103 23d1 83e203 } + $sequence_3 = { 8b4dfc e8???????? 8b4dfc c701???????? 8b45fc 83c408 3bec } + $sequence_4 = { 8b550c 8b420c 837c080800 7445 8b4dfc c1e104 8b550c } + $sequence_5 = { c705????????00000000 eb0c 8b55e0 52 e8???????? 83c404 6a08 } + $sequence_6 = { e8???????? 83c408 85c0 0f84fc000000 8d8da0eeffff 51 8b55f8 } + $sequence_7 = { c1e202 52 8b45fc 8b4830 c1e102 51 8b55fc } + $sequence_8 = { 51 e8???????? 83c404 8b55ec 8902 8b45ec c7400801000000 } + $sequence_9 = { c745dc00000000 8bf4 68e8030000 ff15???????? 3bf4 e8???????? 8b45e0 } condition: 7 of them and filesize < 1695744 
@@ -127950,36 +128692,36 @@ rule MALPEDIA_Win_Ondritols_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "81710fe6-9ae7-546c-9cb9-b9c86df2ce65" - date = "2026-01-05" - modified = "2026-01-06" + id = "f1b815f1-229d-587f-9b83-698adf9033b8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ondritols" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ondritols_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ondritols_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "44ff18d30e7336ef39e54fec8b0b622a69d795c9c1893d07882cb3b4d93aa6f9" + logic_hash = "5c8bafb3ef1aa0c6c467b3ea0bd2b3c727b4a1c0491ef4c729d846f51f47fabb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f3ab 59 894df8 8b4df8 e8???????? 50 8b45f8 } - $sequence_1 = { c745fcffffffff 8d4d10 e8???????? 8a8523ffffff eb1e eb9c c6852fffffff01 } - $sequence_2 = { c745fc00000000 8b4508 c1f805 8b4d08 83e11f c1e106 8b1485e0ca4600 } - $sequence_3 = { 50 8d45f4 64a300000000 894dec 6a01 8d8518ffffff } - $sequence_4 = { 7409 8b55e4 c70201000000 eb15 c745e400000000 c745f000000000 c745e848a54600 } - $sequence_5 = { 895f14 895f18 39b530ffffff 720f 8b951cffffff 52 e8???????? } - $sequence_6 = { e8???????? 8b45e4 50 e8???????? 
83c408 885dfc 8d7310 } - $sequence_7 = { 746a 833d????????10 720e a1???????? 50 e8???????? 83c404 } - $sequence_8 = { c645fc04 e8???????? 83c404 3bc3 0f84a7020000 8906 } - $sequence_9 = { 8d8568f5ffff 50 e8???????? 83c404 83c00b 83f83c } + $sequence_0 = { 898558ffffff 895804 33c9 8908 8b8558ffffff 8d9558ffffff 8910 } + $sequence_1 = { 8d542412 c6474901 39542424 0f8533010000 85db 7517 } + $sequence_2 = { 59 894df8 8b45f8 8b4df8 8b5054 2b5158 3b550c } + $sequence_3 = { 8b4508 50 8b4de8 e8???????? e9???????? 8b45a0 6bc00a } + $sequence_4 = { 50 57 6a00 68e9fd0000 ffd3 8bf0 8bc7 } + $sequence_5 = { c22000 c745fcffffffff 837d2010 720c 8b450c 50 e8???????? } + $sequence_6 = { 51 8b4dec e8???????? 8985acfdffff c645fc04 8d45d8 } + $sequence_7 = { 83c40c 837d2010 8b450c 7303 8d450c 803c3839 7e64 } + $sequence_8 = { 8b5d08 33c0 8945f0 c703???????? c74360d4534500 8945fc 8b03 } + $sequence_9 = { e8???????? 68???????? 8d858cfdffff 50 c7858cfdffffc0544500 e8???????? 8d8d30feffff } condition: 7 of them and filesize < 964608 
@@ -127989,89 +128731,90 @@ rule MALPEDIA_Win_Qakbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e4d23f43-6680-5968-8ae5-2a0425f4dd3a" - date = "2026-01-05" - modified = "2026-01-06" + id = "7957858b-aa57-5c3b-abd3-0c04fecb548d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.qakbot_auto.yar#L1-L535" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.qakbot_auto.yar#L1-L530" license_url = "N/A" - logic_hash = "bc5a235576277933c27e5fa570e0287f83745ef4475cd2eb6f595916a62cbcba" + logic_hash = "03bf5dab1c79c244389fe8a48fff6f5e76846945af5e907a22d389c939247dd5" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 7402 ebfa e8???????? } - $sequence_1 = { 7402 ebfa 33c0 7402 } - $sequence_2 = { 7402 ebfa eb06 33c0 } - $sequence_3 = { 50 e8???????? 8b06 47 59 } - $sequence_4 = { 59 59 6afb e9???????? } - $sequence_5 = { 740d 8d45fc 6a00 50 } - $sequence_6 = { 48 50 8d8534f6ffff 6a00 50 e8???????? } - $sequence_7 = { 50 e8???????? 59 59 6afe 58 } + $sequence_0 = { c9 c3 55 8bec 81ecc4090000 } + $sequence_1 = { 33c0 7402 ebfa e8???????? } + $sequence_2 = { 7402 ebfa 33c0 7402 } + $sequence_3 = { 7402 ebfa eb06 33c0 } + $sequence_4 = { 50 e8???????? 
8b06 47 } + $sequence_5 = { 59 59 6afb e9???????? } + $sequence_6 = { 48 50 8d8534f6ffff 6a00 } + $sequence_7 = { 740d 8d45fc 6a00 50 e8???????? } $sequence_8 = { 8945fc e8???????? 8bf0 8d45fc 50 e8???????? } - $sequence_9 = { 33c0 e9???????? 33c0 7402 } - $sequence_10 = { 7402 ebfa e9???????? 6a00 } - $sequence_11 = { eb0b c644301c00 ff465c 8b465c } - $sequence_12 = { 7cef eb10 c644301c00 ff465c } - $sequence_13 = { e8???????? 83c410 33c0 7402 } - $sequence_14 = { 5e c9 c3 55 8bec 81ecc4090000 } - $sequence_15 = { 85c0 750a 33c0 7402 } - $sequence_16 = { 7507 c7466401000000 83f840 7507 } - $sequence_17 = { 837dfc00 750b 33c0 7402 } + $sequence_9 = { 50 e8???????? 59 59 6afe 58 } + $sequence_10 = { 33c0 e9???????? 33c0 7402 } + $sequence_11 = { 7402 ebfa e9???????? 6a00 } + $sequence_12 = { 8d45f8 6aff 50 e8???????? } + $sequence_13 = { 837e5c38 7cef eb10 c644301c00 ff465c } + $sequence_14 = { c644301c00 ff465c 8b465c 83f840 7cf0 } + $sequence_15 = { e8???????? 83c410 33c0 7402 } + $sequence_16 = { 85c0 750a 33c0 7402 } + $sequence_17 = { 7507 c7466401000000 83f840 7507 } $sequence_18 = { e8???????? e8???????? 33c0 7402 } - $sequence_19 = { 833d????????00 7508 33c0 7402 } - $sequence_20 = { c7466001000000 33c0 40 5e } - $sequence_21 = { 7402 ebfa 837d1000 7408 } - $sequence_22 = { 80ea80 8855f0 e8???????? 0fb64df7 } - $sequence_23 = { 83f841 7c05 83f85a 7eeb 83f861 } - $sequence_24 = { 7eeb 83f861 7c05 83f87a } + $sequence_19 = { 837dfc00 750b 33c0 7402 } + $sequence_20 = { 833d????????00 7508 33c0 7402 } + $sequence_21 = { c7466001000000 33c0 40 5e } + $sequence_22 = { 7402 ebfa 837d1000 7408 } + $sequence_23 = { 80ea80 8855f0 e8???????? 0fb64df7 } + $sequence_24 = { 83f841 7c05 83f85a 7eeb 83f861 7c05 83f87a } $sequence_25 = { e8???????? 833822 7505 83c8ff } - $sequence_26 = { 6a00 50 e8???????? 6a00 57 e8???????? 
} + $sequence_26 = { 7418 813800200000 7304 b301 eb0c } $sequence_27 = { b301 eb0c 813800300000 b302 7202 } - $sequence_28 = { 7418 813800200000 7304 b301 eb0c } - $sequence_29 = { c1e81e 33448afc 69c06589076c 03c1 89048a ff82c0090000 81bac009000070020000 } - $sequence_30 = { ff10 85c0 750b ff15???????? e9???????? } - $sequence_31 = { 50 8d45d8 50 8d45d4 50 8d45ec 50 } - $sequence_32 = { 7507 e8???????? 8bc8 890d???????? } - $sequence_33 = { 83f801 7513 85c9 7507 e8???????? } - $sequence_34 = { 6a00 6800600900 6a00 ff15???????? a3???????? } - $sequence_35 = { e8???????? 33c0 c3 55 8bec 51 51 } - $sequence_36 = { 50 ff5508 8bf0 59 } - $sequence_37 = { 6a00 58 0f95c0 40 50 } - $sequence_38 = { c3 33c9 3d80000000 0f94c1 } - $sequence_39 = { 750c 57 ff15???????? 6afe 58 } - $sequence_40 = { 57 ff15???????? 33c0 85f6 0f94c0 } - $sequence_41 = { 57 6a00 6a02 ff15???????? 8bf8 83c8ff 3bf8 } - $sequence_42 = { 50 e8???????? 6a40 8d4590 } + $sequence_28 = { c1e81e 33448afc 69c06589076c 03c1 89048a ff82c0090000 81bac009000070020000 } + $sequence_29 = { ff10 85c0 750b ff15???????? } + $sequence_30 = { 56 e8???????? 8b45fc 83c40c 40 } + $sequence_31 = { 50 8d45d8 50 8d45d4 50 8d45ec } + $sequence_32 = { 85c9 7507 e8???????? 8bc8 890d???????? } + $sequence_33 = { 83f801 7513 85c9 7507 } + $sequence_34 = { 6a00 6800600900 6a00 ff15???????? } + $sequence_35 = { 50 ff5508 8bf0 59 } + $sequence_36 = { 6a00 58 0f95c0 40 50 } + $sequence_37 = { 57 ff15???????? 33c0 85f6 0f94c0 } + $sequence_38 = { 85c0 750c 57 ff15???????? 6afe 58 } + $sequence_39 = { c3 33c9 3d80000000 0f94c1 } + $sequence_40 = { 6a02 ff15???????? 8bf8 83c8ff } + $sequence_41 = { 50 e8???????? 6a40 8d4590 } + $sequence_42 = { 8d85e4fcffff 50 8d85e4fdffff 50 } $sequence_43 = { 56 e8???????? 83c40c 8d4514 50 } $sequence_44 = { c7871002000001000000 8bc3 eb02 33c0 } - $sequence_45 = { e8???????? e8???????? e8???????? e8???????? 85c0 7405 e8???????? } - $sequence_46 = { eb13 488bd3 488bce ff15???????? 
} - $sequence_47 = { eb05 be01000000 488b15???????? 488b4d48 ff5220 488b15???????? } - $sequence_48 = { f7d9 eb03 4d8bda 4d8bc3 33d2 498d7b01 } - $sequence_49 = { e8???????? 6a00 8d45d4 50 68???????? } - $sequence_50 = { 5d c3 33c9 66890c46 } - $sequence_51 = { 8974240c 8a742431 80c63d 28d6 8874240b 69f60ea9c735 89742404 } - $sequence_52 = { 69f63c13b648 01f2 89442428 8954242c } - $sequence_53 = { 8955cc 74bf e9???????? 55 89e5 83ec08 c745fca1552064 } - $sequence_54 = { 0f4cc8 8b442408 890424 894c2404 8b4c2444 ffd1 83ec08 } - $sequence_55 = { 8b84248c000000 35fc387373 8b4c2470 01c1 } - $sequence_56 = { 57 85c0 0f8445010000 8b3d???????? } - $sequence_57 = { 66660f1f840000000000 8b4c9604 330c96 81e1ffffff7f } - $sequence_58 = { 8b442438 8b4c243c 8b11 83fa00 8944241c 894c2420 } - $sequence_59 = { c785f8f9ffff00000000 6a00 56 8bf9 e8???????? } - $sequence_60 = { 8b742418 8b7c241c f7d7 f7d6 89742418 } - $sequence_61 = { 7536 56 50 ff35???????? ff15???????? 8b85c0faffff 85c0 } - $sequence_62 = { 880c1a 8a4df3 324df3 884df3 83c301 8b55ec 39d3 } + $sequence_45 = { 7505 83c8ff eb51 8b0a } + $sequence_46 = { e8???????? 48898424280a0000 488bd8 4885ff } + $sequence_47 = { c745d7ffff1f00 448975db c745df03000000 8975f3 c745f705000000 } + $sequence_48 = { e8???????? 4883caff 488d4c2430 e8???????? } + $sequence_49 = { 8d4a02 418a40ff 4d8d4004 42880431 8d4a03 418a40fa } + $sequence_50 = { e8???????? 6a00 8d45d4 50 68???????? 
} + $sequence_51 = { 5d c3 33c9 66890c46 } + $sequence_52 = { 7411 33c9 0f1f8000000000 41 } + $sequence_53 = { 83c001 83f814 89442420 75c1 8d0534402e00 31c9 890424 } + $sequence_54 = { 66c74424768e36 c74424708247cf6d 89442458 648b1518000000 } + $sequence_55 = { c7842494000000be0ece2e 8b513c 6689d6 668bbc24a2000000 6681c7854e } + $sequence_56 = { bfb407fc3b 29cf 8b4c2444 01f9 8b7c2444 0fb77714 01f1 } + $sequence_57 = { 8d85d0faffff 50 ffb5bcfaffff 56 } + $sequence_58 = { 894c2420 897c2404 89542468 885c2403 887c2402 0f8477fdffff eb00 } + $sequence_59 = { ebe0 55 89e5 83e4f8 83ec28 8b4508 } + $sequence_60 = { 89442410 894c240c 89542408 7408 31c0 89442404 } + $sequence_61 = { b930000000 f7f1 83e60f 80ea80 83c640 0fb6c2 50 } + $sequence_62 = { 7498 8d95d4fcffff 8d8dd4feffff e8???????? 8bf0 8d4dd4 } + $sequence_63 = { 89742430 89442410 0f84bd000000 e9???????? } condition: 7 of them and filesize < 4883456 
@@ -128081,36 +128824,36 @@ rule MALPEDIA_Win_Hodur_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "529f3e13-6dbd-5bfd-9d2e-8112cb176080" - date = "2026-01-05" - modified = "2026-01-06" + id = "e3722ba4-9330-5acf-a001-36d58f674969" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hodur" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hodur_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hodur_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "52f28b8a0f887df21ab70c260b17a2f99e348211a9b139c663c0b81c4937fcbf" + logic_hash = "3004265ec10071e206b1f9b36449d098d336382ccfd9415098927b3da32456f7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 83c414 0f2805???????? 833d????????0a 0f11442468 66c74424781b3e c644247a00 } - $sequence_1 = { 8b15???????? 8b3d???????? 8d42ff 0fafc2 83e001 83ff0a 7c15 } - $sequence_2 = { c684243801000000 7c0f 8d48ff 0fafc8 83e101 0f85a0260000 8d8c2430010000 } - $sequence_3 = { 7c0b 8d41ff 0fafc1 83e001 752a 6a5c 55 } - $sequence_4 = { c74424080c043500 7c14 a1???????? 8d48ff 0fafc8 83e101 0f85b10b0000 } - $sequence_5 = { 6a5c 8d842454040000 50 e8???????? 83c408 833d????????0a 89c7 } - $sequence_6 = { c78424e0000000b9ffceff 7c15 8b0d???????? 
8d51ff 0fafd1 83e201 0f85ab0a0000 } - $sequence_7 = { ebfe 833d????????0a 66c784249a0000000000 7c12 a1???????? 8d48ff 0fafc8 } - $sequence_8 = { 7c0d 8d50ff 0fafd0 83e201 7402 ebfe e8???????? } - $sequence_9 = { 75f4 c6410d00 e8???????? 53 ff75e4 ffd0 833d????????0a } + $sequence_0 = { f30f7f03 66c743101b3e 884312 7c12 a1???????? 8d48ff 0fafc8 } + $sequence_1 = { e8???????? 6a64 ffd0 e9???????? 83feff 0f848c010000 895de4 } + $sequence_2 = { c78540ffffff00000000 898588fdffff 83bd40ffffff0c 0f8338000000 8b8540ffffff 8b8d88fdffff 0fbe0401 } + $sequence_3 = { e9???????? 6a3a ff75f0 e8???????? 83c408 833d????????0a 7c20 } + $sequence_4 = { 0fafd0 83e201 7402 ebfe e8???????? 6a00 ff7604 } + $sequence_5 = { c64424325a ebb2 833d????????0a c644243300 7c12 a1???????? 8d48ff } + $sequence_6 = { c644245400 c74424506c202530 c744244c0d0a6465 ff742460 ff742468 8d84245c090000 50 } + $sequence_7 = { e8???????? 57 ffd0 8b15???????? 8d4aff 0fafca } + $sequence_8 = { c74750ee00dd00 c74754d000f600 c74758ea008500 66899fb6000000 7c12 a1???????? 8d48ff } + $sequence_9 = { 8b7e18 57 e8???????? 83c40c 0f2805???????? b8ecffffff 0f1103 } condition: 7 of them and filesize < 1067008 @@ -128121,10 +128864,10 @@ rule MALPEDIA_Win_Pwndlocker_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "0ef9ef98-b584-5412-b76c-e3c013260c32" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pwndlocker_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pwndlocker_auto.yar#L1-L119" license_url = "N/A" logic_hash = "5bc1fe4d9dda2a3d7b92f6be48794f673659ba8123fb93f2622432356a3f4a56" score = 75 
@@ -128133,9 +128876,9 @@ rule MALPEDIA_Win_Pwndlocker_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -128159,36 +128902,36 @@ rule MALPEDIA_Win_Laplas_Shell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9c75f717-3a83-5505-a36a-1bce6df358ef" - date = "2026-01-05" - modified = "2026-01-06" + id = "007f629b-6271-5096-b5e8-85b54f8e039c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.laplas_shell" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.laplas_shell_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.laplas_shell_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "651ff3d6bd8dabc0c16e2a61ceeb9a40f1d04f00168f1b0feb2a3661a16c588d" + logic_hash = "3f223ab486e3f4d345335979b6cf3c983d7555ddaba7389e25e940250dc83f7a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb6825c324000 308618504000 8b4f10 8b5f14 0fb69618504000 3bcb } - $sequence_1 = { f7f1 0fb6825c324000 308618504000 8b4f10 8b5f14 0fb69618504000 3bcb } - $sequence_2 = { 8bc8 85c9 7504 ffd3 } - $sequence_3 = { c745fcffffffff 8b95ecfbffff 8b1d???????? 8b3d???????? } - $sequence_4 = { 89b594e6ffff 89b590e6ffff ff15???????? 85c0 7555 56 } - $sequence_5 = { 55 8bec 6aff 68???????? 64a100000000 50 b8ac190000 } - $sequence_6 = { 668985cafbffff 8d85c8fbffff 6a10 50 } - $sequence_7 = { 0f57c0 c78558e6ffff44000000 6a00 50 } - $sequence_8 = { ba???????? 50 8b0d???????? 
e8???????? } - $sequence_9 = { c745fc00000000 83bdecfbffff08 8d85d8fbffff 51 0f4385d8fbffff 8d8d58e6ffff } + $sequence_0 = { ffd3 e9???????? 83ec0c 8d8dd8fbffff e8???????? 83c40c } + $sequence_1 = { 8d0c1a 81f900000080 8d9100000080 8d8100000080 } + $sequence_2 = { 8bf8 8d8d50e6ffff 8d85b0e6ffff 50 e8???????? } + $sequence_3 = { c705????????090400c0 c705????????01000000 c705????????01000000 6a04 58 6bc000 c780ac50400002000000 } + $sequence_4 = { 2bfb ba???????? 57 eb0e 68???????? 8d043b ba???????? } + $sequence_5 = { 8bda 33d2 8bc7 f775fc 3bc1 7204 3bde } + $sequence_6 = { ffb5a4e6ffff ffd3 6800040000 8d85f0fbffff } + $sequence_7 = { c7471407000000 668907 8945fc 33f6 c745ec01000000 b907000000 0f1f440000 } + $sequence_8 = { c78554e6ffff64000000 e8???????? 8bf8 8d8d50e6ffff 8d85b0e6ffff } + $sequence_9 = { 74e6 5d c3 837d08ff 0f8472040000 e9???????? 55 } condition: 7 of them and filesize < 59392 @@ -128199,10 +128942,10 @@ rule MALPEDIA_Win_Marap_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "b10f821b-8ff2-589d-803b-f9a90d7546d1" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.marap_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.marap_auto.yar#L1-L117" license_url = "N/A" logic_hash = "546aba24f6e8400321dff7dca511f4540ee158508029bfb4a7f44eaf5c6b5908" score = 75 
@@ -128211,9 +128954,9 @@ rule MALPEDIA_Win_Marap_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -128237,36 +128980,36 @@ rule MALPEDIA_Win_Explosive_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fcdedcfb-8d9a-5318-b6f5-1c975904e20d" - date = "2026-01-05" - modified = "2026-01-06" + id = "e139402c-edd2-58d3-9ecf-0198273ab8f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.explosive_rat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.explosive_rat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "41c4f7e33c52dbbd452e704e97d77f2addf0978f42a72a996b63009951e0b21e" + logic_hash = "9d06166324a057db0813d94dae91a6fe31798f8ad412a3f80e56121007b1ee1a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 0f84fb000000 68???????? 68???????? ffd6 85c0 0f84e7000000 } - $sequence_1 = { 72cc 5d 8b442428 be10000000 3bc6 720d } - $sequence_2 = { 8d4514 50 8d4d0c e8???????? 84c0 8b7520 } - $sequence_3 = { 8902 8908 894104 5b c20400 894208 8908 } - $sequence_4 = { 89bdc4010000 89bdc8010000 6689bdd4010000 e8???????? 8bb508040000 83c41c } - $sequence_5 = { e8???????? 3bfb 745b 395d14 7539 6a34 e8???????? } - $sequence_6 = { 8d8d44ffffff e8???????? 8d8d04f5feff e8???????? 
8b8558ffffff 8985f801ffff 89853402ffff } - $sequence_7 = { 3bfb 745b 395d14 7539 6a18 e8???????? 59 } - $sequence_8 = { 8d8d44ffffff e8???????? 8d8d7cffffff e8???????? 807d2475 0f8537010000 53 } - $sequence_9 = { 663bf2 771d 7220 41 41 40 40 } + $sequence_0 = { 40 40 3b4d0c 75e5 3b4514 750d 33c0 } + $sequence_1 = { 83ec1c 8bcc 68???????? e8???????? 56 e8???????? } + $sequence_2 = { c20800 85f6 7525 83f808 897514 7214 8b6d04 } + $sequence_3 = { 8b4b28 6a04 50 51 ff5320 83c40c 85c0 } + $sequence_4 = { 0fb6d9 40 f6834166460004 740c ff06 85ff } + $sequence_5 = { 8bcc 68???????? e8???????? e8???????? 83c41c 6689b5b0fbffff 668975b0 } + $sequence_6 = { 8b10 8b4004 8b5c2454 83c408 33f6 eb08 8b442464 } + $sequence_7 = { 0f856a010000 85f6 0f85defcffff 8b442418 8b7578 03c2 39442458 } + $sequence_8 = { 33f6 eb5d 8b542460 8b44245c 8b7c2410 52 8b542458 } + $sequence_9 = { c60065 e8???????? ff7514 8bce c6450b00 33db e8???????? } condition: 7 of them and filesize < 855040 
@@ -128276,36 +129019,36 @@ rule MALPEDIA_Win_Entryshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6aaf8e64-ed2e-5afd-ab35-8772e849151b" - date = "2026-01-05" - modified = "2026-01-06" + id = "82e4a823-01cf-56d7-8340-980df8088b7d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.entryshell" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.entryshell_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.entryshell_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "00133e95c431c2a3dcea85bea219e4bd4bbb96106a72aed7e1fb3e93342dd945" + logic_hash = "49cc13055a9557a2218886e2b044353fefd63370fec61b9a78e27c64c694ac91" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 43 895de4 8b049578512501 8945ec 897df0 8a543828 8855ff } - $sequence_1 = { 5d c3 8d4301 57 50 e8???????? 83c404 } - $sequence_2 = { 6800020000 8d85f8fdffff 50 ff36 ffd3 85c0 0f855fffffff } - $sequence_3 = { 6a10 e8???????? 6a40 6a00 8d45a4 50 e8???????? } - $sequence_4 = { 83c202 6685c0 75f5 8b8df8dfffff 2bd6 83c1fe } - $sequence_5 = { 60 33d2 8b55f4 33c0 8d05e4382501 33c9 8b0c90 } - $sequence_6 = { 0101 8d22 0131 8d22 015e8d 2201 8e8d2201558b } - $sequence_7 = { c705????????00400000 33c0 c3 6a08 68???????? e8???????? 
833d????????01 } - $sequence_8 = { 8bf2 ff15???????? 85c0 7523 68???????? ff15???????? } - $sequence_9 = { 50 e8???????? 83c414 8d85f8f7ffff 6a00 6a00 6aff } + $sequence_0 = { 50 e8???????? 83c414 40 8bf0 6690 } + $sequence_1 = { 83c404 8d842458410000 50 8d84245c010000 50 57 } + $sequence_2 = { 8b74242c 3bc6 7456 8b4c2428 83b90809000000 751d 56 } + $sequence_3 = { 83c40c c785f4fbffff4e544c4d c785f8fbffff53535000 c785fcfbffff03000000 83ee01 0f841c020000 83ee01 } + $sequence_4 = { 8b45fc c745bc01010000 8945d0 8945cc ff15???????? 8d45d4 50 } + $sequence_5 = { 8d85f8efffff 83c404 50 8b8590efffff 50 51 50 } + $sequence_6 = { 660f13842468080000 ff15???????? 6800080000 8d8424ac200000 6a00 50 e8???????? } + $sequence_7 = { 8988444b2501 68???????? e8???????? c9 c3 55 8bec } + $sequence_8 = { 7e0b 8d4d08 47 03c8 8a140a eb10 83f803 } + $sequence_9 = { 757c 8985e0bfffff 6800080000 50 68???????? e8???????? 68???????? } condition: 7 of them and filesize < 663552 
@@ -128315,42 +129058,42 @@ rule MALPEDIA_Win_Virut_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3fd5dd6e-824b-546b-b12a-268a3f416abf" - date = "2026-01-05" - modified = "2026-01-06" + id = "61738a64-536a-5286-9f76-81ccd0fd8299" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.virut_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.virut_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "de37b05635cd805b87d10763e231c25410e6442bea902a0aedfdfedcccb45534" + logic_hash = "5af56b3e01c108da2d6f2ca230caa7d802bdb1cc7c6713fe866b9160eec88552" score = 75 - quality = 73 + quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c ab ab 8d442430 50 } - $sequence_1 = { e9???????? 8dbec8000000 0fb74e1e 8d74311f 6804010000 57 } - $sequence_2 = { 3bf1 7ce5 8b442414 6a03 } - $sequence_3 = { 6804010000 ff15???????? 8d8424c8000000 50 } - $sequence_4 = { 53 6a05 8bcc 50 } - $sequence_5 = { 50 ff15???????? 3bc3 0f8484020000 8b400c } - $sequence_6 = { 03f9 57 52 6a18 } - $sequence_7 = { 54 51 50 52 51 51 } - $sequence_8 = { 85c0 7416 e314 50 8bd4 6a00 } - $sequence_9 = { 85c0 7d04 33c0 eb63 ff750c } - $sequence_10 = { 8d8424dc020000 50 33db 53 ff15???????? 8b35???????? 
53 } - $sequence_11 = { 6a00 8bcc 6a40 6800001000 } - $sequence_12 = { 6a00 6800000008 6a40 51 52 6a0e 50 } - $sequence_13 = { 83e003 40 50 8d442428 50 8d8424e0020000 } - $sequence_14 = { 3b44240c 8d8c1139300000 894c2414 7cdc 53 8d442410 } - $sequence_15 = { 8bd4 50 54 6a40 51 52 } + $sequence_0 = { ff15???????? 83e003 40 50 8d442428 } + $sequence_1 = { 124a02 124a03 0b442408 80e10f c1e008 51 } + $sequence_2 = { 50 8d8424d4000000 50 ff15???????? 6800100000 8d842474050000 } + $sequence_3 = { 53 53 53 8d8424e8000000 50 53 89742468 } + $sequence_4 = { 8b4c241c 53 2bc8 51 03c7 50 } + $sequence_5 = { 2bca 8d8c0cd1010000 8a02 880411 } + $sequence_6 = { 8b7224 59 03f3 8b521c 0fb7044e 03d3 } + $sequence_7 = { e2f5 ebc2 83c70f 57 8bd4 53 } + $sequence_8 = { 50 8bd4 6a00 52 51 57 } + $sequence_9 = { 58 8d9704010000 ab 33c0 6a10 59 } + $sequence_10 = { 52 f6d9 52 83e103 } + $sequence_11 = { 8bf0 3bf3 0f8e82000000 ff74240c 57 } + $sequence_12 = { ff742424 ff15???????? 3bc3 7e1a 0144240c } + $sequence_13 = { 51 ad 03c3 81780165536572 } + $sequence_14 = { 50 53 6a05 8bcc 50 8bd4 } + $sequence_15 = { e8???????? 83c40c 89442418 3bc3 0f8441020000 } condition: 7 of them and filesize < 98304 
@@ -128360,36 +129103,36 @@ rule MALPEDIA_Win_Tildeb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c974fa6c-0d31-59bc-a143-d1c23bc433da" - date = "2026-01-05" - modified = "2026-01-06" + id = "eb305449-5b3b-5160-966f-298ae31af147" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tildeb_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tildeb_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "7842b223356a837886d4f126b2b0f2ea5dcea94b3925e6e82a6b6f41a78e7627" + logic_hash = "966c30ecae6c911a7ff546cfd289148116a3e200dc70373695f42352909858ed" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bbc24e0000000 03fb 03ef 8b3d???????? } - $sequence_1 = { ff15???????? e9???????? 6810270000 8b0d???????? 51 ff15???????? 85c0 } - $sequence_2 = { 83c8ff 5e 81c494010000 c3 b80a000000 5e 81c494010000 } - $sequence_3 = { 8d4c2420 e8???????? 50 ff15???????? 8bf8 83c9ff 33c0 } - $sequence_4 = { 50 51 ff15???????? 3d040000c0 7516 8b16 } - $sequence_5 = { b9???????? e8???????? 6a00 6a04 8d85e0f9ffff 50 } - $sequence_6 = { 8d85e4f9ffff 50 6800040000 ff15???????? 
8d8de0f5ffff 51 6a00 } - $sequence_7 = { 33dd 8bac24d0000000 899c24ec000000 8b9c24e4000000 33dd 8bac24b8000000 33dd } - $sequence_8 = { 89442460 8b442454 8d4c2458 33f0 51 89742468 e8???????? } - $sequence_9 = { 85c0 7507 c605????????01 68???????? 68???????? 8b3d???????? ffd7 } + $sequence_0 = { 51 ffd5 8d7c245c 83c9ff 33c0 83c418 f2ae } + $sequence_1 = { 53 56 8944242c ffd7 83c41c 8d542410 } + $sequence_2 = { 57 50 51 e8???????? 6808010000 8d542428 } + $sequence_3 = { 8bde 8a54041c 81e3ff000000 33d3 c1ee08 8b1495f0c34000 33f2 } + $sequence_4 = { 8985c0f5ffff 85c0 7446 50 68???????? 68???????? } + $sequence_5 = { e8???????? 83c404 8d95e0f5ffff 52 ff15???????? e9???????? 6810270000 } + $sequence_6 = { 56 57 8b4314 8d14c8 3bd0 } + $sequence_7 = { eb04 8b742418 8b442418 8b0d???????? 8d542424 52 50 } + $sequence_8 = { c3 b815000000 5e 81c494010000 c3 f7d8 5e } + $sequence_9 = { b90e000000 33c0 f3ab eb1b b938000000 8d7c321c 2bca } condition: 7 of them and filesize < 8532488 
@@ -128399,36 +129142,36 @@ rule MALPEDIA_Win_Taleret_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "09104a61-10e4-51be-8fcd-72ca4b899ef9" - date = "2026-01-05" - modified = "2026-01-06" + id = "58411d22-df08-5045-b580-cac3d9c43b25" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.taleret_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.taleret_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "4f3dbb090232b14fe9d8fb1c04016f4bef98cd25096fea3fc24c423d5e08c994" + logic_hash = "9c15ba4de20a27b10c5a64dd85c811317d8986e9ee5a9f8f40302d48aa34774f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89442430 8bf8 8bc1 8bf5 55 c1e902 f3a5 } - $sequence_1 = { 85c0 741b 8b4c241c 51 ffd3 8b542410 } - $sequence_2 = { 51 68???????? 52 e8???????? 50 8d4c2414 c644243802 } - $sequence_3 = { 8d4c242c c78424a8030000ffffffff e8???????? 56 e8???????? 83c404 8b7c2410 } - $sequence_4 = { 85ff 896c2420 7e2a 8b4c2440 8d442420 } - $sequence_5 = { 85c0 0f84a6000000 50 51 } - $sequence_6 = { 50 e8???????? 8d8eb0010000 8d542434 51 68???????? 52 } - $sequence_7 = { 51 ffd6 85c0 7536 ff15???????? 83f87a } - $sequence_8 = { ff15???????? 
8bd8 3bde 895c2420 750d 5f } - $sequence_9 = { 8b4c2424 c644310100 8d4c2430 e8???????? 50 } + $sequence_0 = { c21000 6a00 ff15???????? a1???????? 85c0 } + $sequence_1 = { 3bc7 0f8408010000 a1???????? 68007f0000 } + $sequence_2 = { 51 8b4c2424 e8???????? 8d45fd } + $sequence_3 = { 8b1d???????? 83f86f 750f 56 ffd3 8b4c2414 51 } + $sequence_4 = { 5d 33c0 5b 81c478040000 c3 8b4c2438 8b442434 } + $sequence_5 = { 81c478040000 c3 8b542424 8b3d???????? 8d4c2434 } + $sequence_6 = { 52 68???????? 6a00 6a00 ff15???????? 83c41c 8bf0 } + $sequence_7 = { 0f84cc050000 8b4c2448 8b35???????? 8d442414 } + $sequence_8 = { 8be8 83cfff 3bef 0f854b010000 68???????? ff15???????? 3bc6 } + $sequence_9 = { c744243000000000 895c2434 896c2410 0f8eb5010000 8d4103 c1e802 89442418 } condition: 7 of them and filesize < 73728 
@@ -128438,36 +129181,36 @@ rule MALPEDIA_Win_Leash_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "834a92ba-9821-599a-958a-a52bb0a34e26" - date = "2026-01-05" - modified = "2026-01-06" + id = "35986a45-731e-5b33-8972-5a112dfc0fb1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.leash_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.leash_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "c93eec2e1f2f1d66b27a1254f16f6dd424c1be05af8702a857f092a6abe7b4de" + logic_hash = "cbe363d95ef920a5a4c20a6b994434ecf799cc3c166f9de1e2837ac2d62aec2f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 85c0 744f 8b0e 53 83c10c } - $sequence_1 = { e8???????? 8bf8 8d8548feffff 6a0a 50 6a00 56 } - $sequence_2 = { 8b5d08 8d55cc 50 52 8d8bff000000 c645fc02 } - $sequence_3 = { 83c41c 83f8ff 0f8482010000 85c0 } - $sequence_4 = { 83c41c f2ae f7d1 2bf9 8bd1 8bf7 8bfd } - $sequence_5 = { 8b7c242c 6800040000 8d8328380000 57 50 e8???????? 668b44243c } - $sequence_6 = { aa b9ff000000 33c0 8dbc2411040000 f3ab } - $sequence_7 = { 8dbd5df9ffff 889d5cf9ffff f3ab 66ab aa b9ff000000 33c0 } - $sequence_8 = { 68???????? e8???????? a1???????? 
83c40c 8d95e4f7ffff 8d8819100000 51 } - $sequence_9 = { e9???????? 8d8424fc290000 8d8c24fc050000 50 51 e8???????? } + $sequence_0 = { 3bc8 8944241c 0f8ef5000000 85db c744244400000000 0f8eb4000000 8b7c2418 } + $sequence_1 = { f2ae f7d1 2bf9 8d95e0fdffff 8bc1 8bf7 8bfa } + $sequence_2 = { 8bfb 8b9c2424200000 c1e902 f3a5 8bc8 88542413 83e103 } + $sequence_3 = { 68???????? e8???????? 8d8c241c040000 51 6a10 68???????? } + $sequence_4 = { 53 e8???????? 83c41c eb04 8b742414 56 8bcb } + $sequence_5 = { 51 8d4db0 c645fc05 8975ec e8???????? 8d55d4 8bf8 } + $sequence_6 = { 8dbd9dd8ffff 889d9cd8ffff f3ab 66ab aa b9ff000000 33c0 } + $sequence_7 = { 8d8514fcffff 52 50 e8???????? 83c40c 8d4dec 8bf0 } + $sequence_8 = { 8b4c2414 8b7c2448 2bce 894c2448 8b4c2424 2bce 894c2430 } + $sequence_9 = { 85f6 0f8c97000000 8d4601 8d4dec 50 6a2e e8???????? } condition: 7 of them and filesize < 761856 
@@ -128477,36 +129220,36 @@ rule MALPEDIA_Win_Startpage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5a6b784b-ec8f-5962-9d64-894cc5561282" - date = "2026-01-05" - modified = "2026-01-06" + id = "5f33a0ce-1ee4-5284-b811-3cd912e096b8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.startpage_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.startpage_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "21d756dfb49cd7d91a800b8f6049ef1f88714f6007f6f320c1aa4c2e5532acfc" + logic_hash = "e3def3e475768dc5beb30e0c6ce70808e4c68bddf9be3a7f9d7491a9ba0c742b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6801000080 ff15???????? 8b4dd8 8bf0 83c1f0 e8???????? 85f6 } - $sequence_1 = { 8b4f18 84040a eb57 8b471c 85c0 741b 8b4808 } - $sequence_2 = { 663bc3 75f6 2b8de4deffff d1f9 41 8d344e 8d144a } - $sequence_3 = { 1bc0 2516020780 e9???????? 56 8b36 e8???????? 59 } - $sequence_4 = { 50 8d4e0c e8???????? 33c0 894610 894614 894618 } - $sequence_5 = { 8d7010 89b5e0feffff 8d85e0feffff c645fc0d 50 8d4b1c e8???????? } - $sequence_6 = { 85c0 51 0f45d8 c645fc05 53 8d4db8 e8???????? } - $sequence_7 = { ff15???????? 6a01 ff758c ff15???????? 
8b4588 6a15 8b484c } - $sequence_8 = { 7417 56 8b30 50 e8???????? 8bc6 59 } - $sequence_9 = { 5b 8be5 5d c3 ff15???????? 0fb7c8 81c900000780 } + $sequence_0 = { 53 ff7338 99 2bc2 6a00 8bc8 8b45b8 } + $sequence_1 = { 8bf8 85ff 7409 8bcf e8???????? eb23 8b9dd0deffff } + $sequence_2 = { ff15???????? 8b4df0 894704 8b01 894708 eb03 } + $sequence_3 = { 8b4b18 6a01 50 8b45ec 2bc1 2bc7 50 } + $sequence_4 = { 33c5 8945fc 8b4510 8d4de4 53 8b5d1c 56 } + $sequence_5 = { 8d85ecdfffff 8985e0deffff 7440 50 ff15???????? 8bc8 8b85e0deffff } + $sequence_6 = { 7202 8b06 66c704080a00 e9???????? 6a0a c645b000 ff75b0 } + $sequence_7 = { 8b4d08 50 e8???????? 8b4508 e8???????? c20c00 8d4104 } + $sequence_8 = { 57 ff15???????? 85c0 7406 8b08 50 ff5108 } + $sequence_9 = { 8b4dd0 8bf4 8975c8 8d49f0 e8???????? 83c010 8d4dbc } condition: 7 of them and filesize < 2277376 @@ -128520,7 +129263,7 @@ rule MALPEDIA_Win_Unidentified_102_Auto : FILE date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_102_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_102_auto.yar#L1-L130" license_url = "N/A" logic_hash = "7cf959abf8b06a75a101a66334f27ae5601df812c1ddb140fd9298ef735bb0dc" score = 75 
@@ -128555,34 +129298,34 @@ rule MALPEDIA_Win_Milkmaid_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7da20991-98e0-57dd-8b6d-3afa27d44835" - date = "2026-01-05" - modified = "2026-01-06" + id = "fb3ce002-8358-50a4-a797-6f9fe573da22" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.milkmaid_auto.yar#L1-L106" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.milkmaid_auto.yar#L1-L101" license_url = "N/A" - logic_hash = "7d1f7f5be2aa6e035c1f331c5b3df828eca6552df1209a5dbc69d5d2d3452b78" + logic_hash = "7b0b35283fc00cda0dcd2b7be098c70c6caaf6bfe464d9c9743b484b111a2022" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4c2414 889c24dc280100 e8???????? 8d4c240c } - $sequence_1 = { 8d442408 57 50 e8???????? 83c404 33db 68???????? } - $sequence_2 = { 8d4c2408 e8???????? 68???????? 8d4c2408 e8???????? 8b442404 6a00 } - $sequence_3 = { 8a8528280100 81e1ff0f0000 33db 84c0 8a5c2918 895c2428 } - $sequence_4 = { 50 ff15???????? 8b74241c 8d4c2404 51 8bce } - $sequence_5 = { 8d4c240c c78424dc280100ffffffff e8???????? 33c0 8b8c24d4280100 5f } - $sequence_6 = { 8b4c240c 50 51 8d8c2480000000 c68424e428010003 e8???????? } - $sequence_7 = { 6a00 6a1a 6a00 ff15???????? 
6aff 8d4c2408 } + $sequence_0 = { 6a1a 6a00 ff15???????? 6aff } + $sequence_1 = { 53 6801100000 51 8d4c2420 c68424e828010001 e8???????? 85c0 } + $sequence_2 = { 81e1ff0f0000 33db 84c0 8a5c2918 895c2428 } + $sequence_3 = { 64a100000000 6aff 68???????? 50 b8c8280100 } + $sequence_4 = { 53 53 8d4c2434 89542454 } + $sequence_5 = { 7504 33d2 eb05 8b5708 2bd1 8b5c2428 } + $sequence_6 = { 6800010000 8d4c2408 c744241801000000 e8???????? 50 6a00 6a00 } + $sequence_7 = { 8b8c24d4280100 5f 5e 5b 64890d00000000 } condition: 7 of them and filesize < 65536 
@@ -128592,36 +129335,36 @@ rule MALPEDIA_Win_Daolpu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b0894e5-1a8e-5546-8c9e-1b741fdf5950" - date = "2026-01-05" - modified = "2026-01-06" + id = "5f8a2489-eebb-59c1-83ee-84d14567df79" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daolpu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.daolpu_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.daolpu_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8005f7b5dce3eec7097b3ee19274ed96f4a8267ee8f070756b8e93cef441b9c0" + logic_hash = "5d06bfe6b30a4183072e7ce693ff565545184fbd7603b8a66d017fb655dbbfe4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7506 4883c460 5b c3 a804 7409 488d1dbe721100 } - $sequence_1 = { 7439 488b442470 488b8080000000 4883c008 4889442438 488b442470 488b4c2438 } - $sequence_2 = { 498bf8 488bf2 488bd9 0f85bc000000 80b9ae0a000000 0f85af000000 41b80f000000 } - $sequence_3 = { 48ffca 4d85f6 75ec e9???????? 83f840 0f85d0000000 4d8b7610 } - $sequence_4 = { 897c2428 448be2 44896c2424 8944242c 3801 0f8411050000 0f1f840000000000 } - $sequence_5 = { e8???????? 8b442428 c1f806 4898 488d0da3a10600 8b542428 83e23f } - $sequence_6 = { 498b4c2448 ff15???????? 
0f104500 488bcd 410f110424 0f104d10 410f114c2410 } - $sequence_7 = { 66ffc3 66413bdf 0f864fffffff 488d15adc40a00 498bce e8???????? e9???????? } - $sequence_8 = { 7501 cc 48c744242000000000 41b951050000 4c8d05cd131200 488d158e141200 488d0dff151200 } - $sequence_9 = { e8???????? 0f57c0 f30f7f4558 4c896568 488b4d50 4c896550 ba10000000 } + $sequence_0 = { e8???????? eb0a 488d4c2440 e8???????? 0f10442448 0f114308 0f104c2458 } + $sequence_1 = { 89442440 837c244000 753a 488d0560510800 4889442428 488d0544230700 4889442420 } + $sequence_2 = { eb23 488d155cd50500 488b4c2448 e8???????? 85c0 750e 488b442448 } + $sequence_3 = { 5f c3 4c8b8970070000 4d85c9 743d 80bffa00000000 7534 } + $sequence_4 = { 6690 4c396028 7407 488904df 48ffc3 488b00 4885c0 } + $sequence_5 = { e8???????? 48ffc0 48898424c0000000 488b8424c0000000 488b4c2448 4803c8 488bc1 } + $sequence_6 = { e8???????? 85c0 7418 41be17000000 488b8c2480000000 4885c9 740d } + $sequence_7 = { e8???????? 85c0 7523 488b842400010000 4889442430 488d4c2450 e8???????? } + $sequence_8 = { 4c8d0de8da0c00 4885c0 4c8d0546b90a00 488bda 488bf9 4c0f45c8 4881c2d0050000 } + $sequence_9 = { 488bcb e8???????? 4885c0 742d 4c8d0d94fc0b00 48c74424200c000000 41b807000000 } condition: 7 of them and filesize < 2877440 
@@ -128631,36 +129374,36 @@ rule MALPEDIA_Win_Alphanc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "44e5cd2d-dd6f-5dec-8633-e36984c0d4b0" - date = "2026-01-05" - modified = "2026-01-06" + id = "63c8da31-f973-5c7b-9594-c519a80fe95f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alphanc_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alphanc_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "d03fa53d22f05f45f0bb38627a16b1b71ce74e44da84ac0b88c2ab879180e110" + logic_hash = "2ecf03abfbcf914e091aa062990492cf80f3dc2af12440b4eca9248289748f21" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8d45f0 8d4de8 50 51 ff15???????? 57 } - $sequence_1 = { 8d044544ce4e00 eb59 8d044542ce4e00 eb50 f6c303 740d 0fb74208 } - $sequence_2 = { 8b6c2424 55 56 e8???????? 8b542458 83c408 8d4aff } - $sequence_3 = { bf50000000 6a41 e9???????? 56 e8???????? 83c404 85c0 } - $sequence_4 = { e8???????? 85c0 7526 8a4b7c 8a142e 32d1 6857a0a6f8 } - $sequence_5 = { 8b6c2438 68f1000000 68???????? 6a68 6891000000 6a04 e8???????? } - $sequence_6 = { 8b7c240c 8b4604 894704 8b0e 8b5608 51 52 } - $sequence_7 = { e8???????? 
8be8 83c40c 85ed 753e b841000000 6852010000 } - $sequence_8 = { 8b4d04 83c102 3bc1 7cef 8b5504 83c202 895704 } - $sequence_9 = { 57 e8???????? 83c408 85c0 0f8489000000 8b0f 8b5500 } + $sequence_0 = { 8f45f4 c745f80a000000 7e58 50 5a 4a 8915???????? } + $sequence_1 = { b904000000 83e00f 8bd7 89442414 8b442434 c1e01c 89442430 } + $sequence_2 = { c3 57 8bcb 8bf8 8bc1 46 c1e902 } + $sequence_3 = { e8???????? 83c410 9b c745fc00000000 b909000000 33c0 8dbd5cfbffff } + $sequence_4 = { 8b5c2418 55 bd01000000 8b4304 56 85c0 57 } + $sequence_5 = { 8d1c85001c4f00 8b0485001c4f00 03c6 8a5004 f6c201 0f849e010000 8365f800 } + $sequence_6 = { eb0a b912000000 be???????? 50 5f f3a5 bf24000000 } + $sequence_7 = { 8b6c2414 3bee 7e02 8bee 8b442418 8bc8 8bd0 } + $sequence_8 = { ebb3 7db1 68d7000000 68???????? 6888000000 6894000000 6a04 } + $sequence_9 = { c744241c01000000 57 e8???????? 8b44241c 83c404 85c0 5d } condition: 7 of them and filesize < 2015232 @@ -128671,10 +129414,10 @@ rule MALPEDIA_Win_Unidentified_023_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "1400fef8-22ab-55d3-be00-2034b5c77506" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_023_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_023_auto.yar#L1-L125" license_url = "N/A" logic_hash = "967009d10509388ccde45cabcb9706cb7743d93f422192cdf1b0f418e7706b0c" score = 75 
@@ -128683,9 +129426,9 @@ rule MALPEDIA_Win_Unidentified_023_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -128709,41 +129452,42 @@ rule MALPEDIA_Win_Iisniff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5f9ab050-d8e9-5f55-b8de-0b8b687ab914" - date = "2026-01-05" - modified = "2026-01-06" + id = "59ae67d6-c405-593d-aa52-7d85666bbc9f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.iisniff_auto.yar#L1-L173" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.iisniff_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "a06a69af46b33b23bbf69f750fc8ce55147252095bace2f8e829199a964e0a2d" + logic_hash = "2f095cbc2ce5bc42775472b904d61ae180591897821e4a8f0cf3e5c0e017b52c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b8c240c000100 56 8d842414000100 50 51 8d542410 52 } - $sequence_1 = { 7413 0fb7542418 8b44241c 50 89570c ff15???????? 8b4f60 } - $sequence_2 = { 51 89742478 e8???????? 8b8c2450010000 83c404 5f } - $sequence_3 = { e8???????? 8b550c 8b02 89450c 3b35???????? 7442 } - $sequence_4 = { 83c710 e8???????? 59 8b4c2414 50 56 6a03 } - $sequence_5 = { 8bc7 c20400 55 8bec 56 57 8b7d08 } - $sequence_6 = { 6a00 e8???????? c745fcffffffff 8b45dc 8b08 8b5104 8b440228 } - $sequence_7 = { 8d8424d0010000 50 89442430 e8???????? } - $sequence_8 = { 037dbc 8d5d94 8d75d4 e8???????? 8bf0 e8???????? 
8b4dcc } - $sequence_9 = { 52 8d842434010000 50 8d4c2420 } - $sequence_10 = { 6a03 68000000c0 68???????? ff15???????? 6a02 } - $sequence_11 = { 837d1000 57 8bf9 7e5f 53 8b5d08 56 } - $sequence_12 = { 6a02 e8???????? 83bc24f000000010 8b8424dc000000 7307 8d8424dc000000 ffb424ec000000 } - $sequence_13 = { 59 5e 5b 8b8c243c010000 33cc e8???????? } - $sequence_14 = { 8b7d08 33db 68ff0f0000 8d8424cd000000 53 50 889c24d4000000 } + $sequence_0 = { ff74240c 8b44240c e8???????? c20800 55 8bec 56 } + $sequence_1 = { 6a03 68000000c0 68???????? ff15???????? 6a02 } + $sequence_2 = { 8b4104 33db bf10000000 395c0418 0f85c0000000 } + $sequence_3 = { e9???????? 83bc248001000010 8b84246c010000 7307 } + $sequence_4 = { e8???????? 8b44244c 8b4004 397c0454 0f8429010000 8d8424d0010000 50 } + $sequence_5 = { 8d8c24dc000000 e8???????? 8d8c24a4000000 e8???????? e9???????? 8b4608 } + $sequence_6 = { e8???????? ff75e8 8d45d4 53 e8???????? 57 } + $sequence_7 = { 8d4c246c 8b44247c 50 51 50 } + $sequence_8 = { 8b442404 c3 8bff 55 8bec 8b550c } + $sequence_9 = { 8945fc 56 57 8d450c 50 ff7508 } + $sequence_10 = { 83f8ff 0f84da000000 83c644 8975c0 } + $sequence_11 = { 33cc e8???????? 8be5 5d c20400 8b4724 } + $sequence_12 = { 83f8ff 7603 83c8ff 8b4f18 894c240c 8d6f04 } + $sequence_13 = { 8bc2 8bd6 e8???????? 85c0 7412 8bcf e8???????? } + $sequence_14 = { 8b44244c 8b4804 6a00 8d4c0c50 6a02 } + $sequence_15 = { 884604 8bc6 8b4c2410 64890d00000000 59 5f } condition: 7 of them and filesize < 1441792 
@@ -128753,36 +129497,36 @@ rule MALPEDIA_Win_Poortry_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1496d84e-656c-5933-9472-ddcca15979df" - date = "2026-01-05" - modified = "2026-01-06" + id = "1f8d98a2-a5f7-5828-82e3-9ead1b765b9a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poortry" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.poortry_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.poortry_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "e3df0ea052d8930e4d05b0682bf4eefe707f0b5452f36cf3547bbe2d0167b185" + logic_hash = "a6fb93cbf0c200c1e50eeeae7896a1d724d2f9d94a40fdda11ffb63d0ceab95f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 80c2d6 f6da 41d2db 80f283 4d63d8 4181e3cc593b0e 41c0c35a } - $sequence_1 = { 9c 418f00 450fbbf2 458b11 664585f0 66f7c16046 4181fd7b733a3c } - $sequence_2 = { 41d3d3 312c24 66450fabe3 410fbafb10 415b 3ac5 f9 } - $sequence_3 = { 0fbfdb 66440fb3fa 418ad6 410fb618 48d3ea 66d3c2 d2fe } - $sequence_4 = { 480fbfed f8 44311c24 400f9ec5 5d f8 4d63db } - $sequence_5 = { 4d0fb7e7 448ae7 415c 66450fbeea 66410fcd 490fbfed 415d } - $sequence_6 = { 0fca 41f6c185 56 311424 f8 5e 4863d2 } - $sequence_7 = { 66f7de 5e 4584c3 f9 4c3bc0 4d63d2 4d85eb } - $sequence_8 = { 488b11 40f6c6b8 498912 4863d7 
411ad2 4881ef04000000 66c1daa9 } - $sequence_9 = { f5 55 4080e5d9 4881cda16c1a19 40d2d5 311424 66440fbbfd } + $sequence_0 = { 4981e804000000 41f6c3a0 d2e7 418b18 f8 33de } + $sequence_1 = { c1c903 66443bc1 41f6c39f f5 81f17f2af75d 0fc9 f9 } + $sequence_2 = { 41ffc3 f5 80ffe1 410fcb 4180ffe7 f5 4181c3b9310b6e } + $sequence_3 = { 4502ee 4881c440010000 440fb7ed 490f4dee 415f 4487ef 660fbef9 } + $sequence_4 = { 1bd9 5b 48f7c57830f62d f8 4863ed 6681f90317 41f6c678 } + $sequence_5 = { 66450fabf9 313424 410fbaf1fc 4159 4080ff4a 4863f6 453ac5 } + $sequence_6 = { 440fb7df 4881ef04000000 448b1f 4533d9 41ffcb f8 3bfc } + $sequence_7 = { 415c 415e 02e8 4159 49c1e35e 5d 4d0fb7d1 } + $sequence_8 = { 4002f3 44311c24 40f6de 4963f4 66d3c6 5e f8 } + $sequence_9 = { 81f3c94f3919 f9 55 440fa4f5bd 311c24 0fcd 40f6dd } condition: 7 of them and filesize < 8078336 
@@ -128792,36 +129536,36 @@ rule MALPEDIA_Win_Graphical_Neutrino_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b8be2926-4142-5b9c-963d-8827c1d257eb" - date = "2026-01-05" - modified = "2026-01-06" + id = "5e484c52-8197-5c60-9f92-392a76e22970" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.graphical_neutrino_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.graphical_neutrino_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "738cd6fc4267dd6a5687776cc638194fdfe1e78d0e84383b17d6f440ed210297" + logic_hash = "e72ebac441acc2b91428139ea31b042f1b14738500c491c82356ff72f48ae1fd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 56 53 498b18 458b5808 } - $sequence_1 = { e8???????? 4c89e1 4c89f2 4c8d4010 } - $sequence_2 = { 8b6c242c 48637c2428 8d743d00 39f7 7f2b 83fe0f } - $sequence_3 = { 83c030 83c230 8806 488d4602 885601 } - $sequence_4 = { 488d8424d8020000 4c8dbc24c8020000 48898424c8020000 488d442460 } - $sequence_5 = { 488b742470 4c8b7c2450 8a05???????? 84c0 } - $sequence_6 = { 7518 488b5108 48c1e004 480302 } - $sequence_7 = { 4863ee 4d89e0 488d4c2b02 e8???????? 
488d5302 b030 89f1 } - $sequence_8 = { 4c8b4c2438 eb26 4584f6 750e 488b17 428a1422 88541d5a } - $sequence_9 = { 4885d2 0f840d020000 8a02 ffc8 3c01 0f8701020000 } + $sequence_0 = { 31d2 f7f1 4189c1 85ed 0f8573ffffff 4c39f6 } + $sequence_1 = { ff15???????? 85c0 740b 4c89e9 } + $sequence_2 = { e8???????? 4c89e9 4889c2 e8???????? 41b808000000 } + $sequence_3 = { e8???????? 4889f9 e8???????? 4889e9 e8???????? 90 4881c4b8010000 } + $sequence_4 = { 488d5302 b030 89f1 4889d7 66c703302e } + $sequence_5 = { e8???????? c60303 b920000000 e8???????? 498b5500 4889c1 } + $sequence_6 = { 8a02 ffc8 3c01 0f8701020000 4c8d6c2420 4c89e9 } + $sequence_7 = { 48ffc0 4883f811 75f3 c3 31c0 } + $sequence_8 = { e8???????? 4c89e1 4883c620 e8???????? } + $sequence_9 = { e9???????? 83fe1f 7617 83fe7e } condition: 7 of them and filesize < 674816 
@@ -128831,56 +129575,56 @@ rule MALPEDIA_Win_Retefe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8aa29e0c-c404-5a57-8eda-15f9ee27924e" - date = "2026-01-05" - modified = "2026-01-06" + id = "31200cc7-03b1-55f5-b69b-b9e36950bf28" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.retefe_auto.yar#L1-L279" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.retefe_auto.yar#L1-L276" license_url = "N/A" - logic_hash = "2fe6220549475b9cb9f17de89d5a599ff0e604b2c25c7a541e74c1b0545a1a8f" + logic_hash = "5b3eefe7ca9a8548d99314574f752a7999d6bd3b917149311736d19204ce71ad" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 51 8bf8 ffd6 85c0 } $sequence_1 = { 68f5000000 50 ff15???????? b801000000 } - $sequence_2 = { e8???????? 6a08 e8???????? 894604 83c404 } - $sequence_3 = { 6a1c 6ae1 6aa5 6a00 6a14 6aea 6abe } - $sequence_4 = { 894604 83c404 8bc6 e8???????? } - $sequence_5 = { 6adb 6a1c 6ad8 6a2f 6ad1 6a0a } - $sequence_6 = { 6ada 6a53 6ac7 6a36 6acb 6a18 6ac4 } - $sequence_7 = { 8901 8b4e04 33c0 83c404 394104 } - $sequence_8 = { 8b4e04 40 3b4104 72ec } - $sequence_9 = { e8???????? 
8b4e04 8901 8b4e04 } - $sequence_10 = { 51 8d9570efffff 52 50 50 50 6a01 } - $sequence_11 = { 6afa 6acb 6a12 6a79 } - $sequence_12 = { c1eb18 884101 c1ea10 33c0 } + $sequence_2 = { 6a3b 6a95 6ae7 6a07 6a22 } + $sequence_3 = { 6a90 6a19 6ad6 6a2c 6ad3 6a13 } + $sequence_4 = { 50 8b4204 ffd0 8b85e8efffff 6a00 8d8ddcefffff 51 } + $sequence_5 = { 894604 83c404 8bc6 e8???????? } + $sequence_6 = { 8b450c 3978fc 7e10 8b40f4 } + $sequence_7 = { 6adb 6a52 6af1 6a72 6a8a 6a3f } + $sequence_8 = { 6a17 6a31 6a1b 6a24 6a5a 6a3d } + $sequence_9 = { e8???????? 6a08 e8???????? 894604 83c404 } + $sequence_10 = { 52 e8???????? 8b4e04 8901 } + $sequence_11 = { 8b4e04 40 3b4104 72ec } + $sequence_12 = { 8b4e04 8901 8b4e04 33c0 83c404 } $sequence_13 = { 50 e8???????? 88043e 46 83c404 3bf3 75ec } - $sequence_14 = { 0f8520010000 33c0 8ad8 8d8d04dcffff } - $sequence_15 = { 803800 740b 6a18 59 } - $sequence_16 = { 83e809 7443 83e801 0f8501010000 c745e014344100 8b4508 8bcf } - $sequence_17 = { 5d 5b c20800 833d????????00 } - $sequence_18 = { 8b7c2410 85f6 0f840b010000 53 e8???????? } - $sequence_19 = { 6a00 e8???????? 803d????????00 750c 8d859cdeffff } - $sequence_20 = { 8b0e 394104 761c 660f1f840000000000 8b11 8a88503e4100 } - $sequence_21 = { ff5004 8b4ddc 8b4104 895904 85c0 7406 8b08 } - $sequence_22 = { 8bf0 8b5508 83c9ff 83c2f0 f00fc14a0c } - $sequence_23 = { 8b5c2418 89442434 8b44241c 8d48f8 } - $sequence_24 = { 33c0 668945e8 8b45d4 886de5 8b1485a0bf4200 } - $sequence_25 = { 897de0 394508 7c1f 3934bd08d44500 } - $sequence_26 = { 57 8d3c85a8c14200 8b0f 85c9 740b 8d4101 f7d8 } - $sequence_27 = { 8b01 51 ff5008 8b4e0c 85c9 7406 } - $sequence_28 = { 7ead 8b0d???????? 8d857869ffff 6a00 } - $sequence_29 = { 0fb6c0 eb17 81fa00010000 7313 8a87ccb14200 08441619 } + $sequence_14 = { 668908 8d85c4efffff bf???????? 50 } + $sequence_15 = { c745fcffffffff 8935???????? 8b06 51 8bfc } + $sequence_16 = { e8???????? 
83a6a0bf420000 59 83c604 81fe00020000 72dd b001 } + $sequence_17 = { 756e 85d2 756a 8b3d???????? 8db7ff1f0000 } + $sequence_18 = { 83c001 89442414 0f8429010000 55 } + $sequence_19 = { 8d442410 50 ffd3 8b450c 2dd0070000 } + $sequence_20 = { 894c243c 8d48fd 83e10f 8d7007 } + $sequence_21 = { c70021000000 e9???????? 894ddc c745e008344100 e9???????? c745e004344100 } + $sequence_22 = { 40 83f81d 7cf1 eb07 8b0cc5fc3c4100 } + $sequence_23 = { 6bf030 03348da0bf4200 837e18ff 740c 837e18fe 7406 } + $sequence_24 = { f2c3 f2e953070000 53 56 57 6a00 68a00f0000 } + $sequence_25 = { 8364240400 56 57 8b7c2418 57 } + $sequence_26 = { 8bfe e9???????? 33db 33c0 } + $sequence_27 = { 0f87ed010000 ff24855c664000 ff36 68???????? 6a00 } + $sequence_28 = { 56 e8???????? 85c0 0f8425ffffff 56 } + $sequence_29 = { 83e03f c1ff06 6bd830 8b04bda0bf4200 } condition: 7 of them and filesize < 843776 
@@ -128890,35 +129634,35 @@ rule MALPEDIA_Win_Wscspl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d78cbcb-c636-58e3-9d8d-70bd821838ca" - date = "2026-01-05" - modified = "2026-01-06" + id = "10a44a18-6fde-56d6-a217-c144613b4151" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wscspl_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wscspl_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "a06a73900ca2c0d42b899a919a39813227fe95be2c044a4b97a03a121cdc8aa6" + logic_hash = "cb5e227e13a328f2f5a7f4eeebaf49373e99a1f533f44dd2fff577df3e9bedce" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8464020000 8b3d???????? f644243810 8a442464 0f8481000000 3c2e } - $sequence_1 = { 885c342c ffd5 a3???????? a3???????? b8???????? } - $sequence_2 = { 33d2 33c9 8d5c2418 e8???????? 8b8c2494230000 83c414 5b } - $sequence_3 = { c705????????01000000 e8???????? 891d???????? eb25 } - $sequence_4 = { 51 50 ff15???????? 2935???????? 83c40c } - $sequence_5 = { 5f 8935???????? 5e 5d 8b8c2488230000 } - $sequence_6 = { 6a01 50 ff15???????? 687c230000 68c10b0000 } - $sequence_7 = { 8d443410 68???????? 50 e8???????? 668b0d???????? 
} - $sequence_8 = { 68ba0b0000 33d2 33c9 8d9c24a4050000 } + $sequence_0 = { 8b3d???????? 8bf0 a1???????? 83c404 50 57 56 } + $sequence_1 = { 8b842490230000 55 8bac2498230000 56 57 0fbff8 81c745f4ffff } + $sequence_2 = { 56 8d44244c 57 8944241c c744241810270000 c744242000000000 } + $sequence_3 = { 8d842494050000 57 50 e8???????? 83c40c 83cbff } + $sequence_4 = { 5f 33c0 5e 83c40c c20400 57 } + $sequence_5 = { ff15???????? 687c230000 68be0b0000 33d2 } + $sequence_6 = { 663bf8 752f e8???????? 8b0d???????? } + $sequence_7 = { 8984247c230000 b8???????? 8d5001 8a08 40 } + $sequence_8 = { 89442438 e8???????? 8b7c2438 83c702 68???????? } $sequence_9 = { 2bc1 8b4c2448 03f0 8b442444 ba3f3a0000 } condition: 
@@ -128929,36 +129673,36 @@ rule MALPEDIA_Win_Devilstongue_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cb644977-bc63-5b36-b265-16f0a9990cd7" - date = "2026-01-05" - modified = "2026-01-06" + id = "c6296a14-247c-5d9c-8d1f-348789c61ed7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.devilstongue" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.devilstongue_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.devilstongue_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6bf4998aa4a3a736abc9e6f3277df773ad349380ff37a5c0b9cd66bbd149cb14" + logic_hash = "9dee1844d5a8913abb1cf0f26ef9ded1101ccfa9a82167b8e1ee7ed31be870d0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b442430 b9daa5a546 ebbb 4889442428 488b442428 4889442420 4889f9 } - $sequence_1 = { b8be144e7b 3db15f1d58 744c 3dbe144e7b 75f2 488b7c2420 } - $sequence_2 = { 3dea84e30c 741d 3d140a3916 75b7 807c242f00 b81ec8dc61 0f45c6 } - $sequence_3 = { 488d0d5edf0100 48894c05b0 488b45b0 48634004 8d8850ffffff 894c05ac 488d4dc0 } - $sequence_4 = { ebe1 488b45b8 488b45b0 b9bd77097c 488b75e8 81f9316958ca 7436 } - $sequence_5 = { 4881c4e0040000 5f 5e 5d 48ff6018 488d4da8 e8???????? 
} - $sequence_6 = { 4883ec28 488d6c2420 48c74500feffffff 4889ce 488d05f9750300 488901 488d4108 } - $sequence_7 = { 4889d9 4889f2 4d89c1 e8???????? 4989c4 b9abd62222 81f92832a1a7 } - $sequence_8 = { 75f2 488d0dd3030500 48890f 488b4f08 ffd6 b862579455 } - $sequence_9 = { 3d1bc2c8c1 0f8582feffff b88853f001 3d7f2a6238 0f84f7010000 3d8853f001 75ee } + $sequence_0 = { 3d2cdd096e 0f846d010000 3d3dbb976f 759a e9???????? 4889742428 488b7c2428 } + $sequence_1 = { 410f45c5 e9???????? b88c5552d1 e9???????? 488b442440 0fb710 4889d9 } + $sequence_2 = { 81f97feb91bd 740a 81f993a42c33 75f0 eb0b 488945c8 b993a42c33 } + $sequence_3 = { 0f84ba010000 3dbfb3c1e3 0f84cb010000 3d7138f0ec 0f85b6feffff 8b44244c 8944245c } + $sequence_4 = { b856061272 31db ebcc 3d7dc1b65d 7e67 3d7ec1b65d 0f84b7000000 } + $sequence_5 = { b84ca412c0 e9???????? 3db31f6708 0f84b1010000 3dc98f7215 0f85f0fdffff b819f28c8b } + $sequence_6 = { 75ee b85792143b 4889ee 4881fe00100000 bf59f344aa 410f43fe 3daea7d7d8 } + $sequence_7 = { b8021d4c78 3d021d4c78 7409 3db59140dc 75f2 eb07 b8b59140dc } + $sequence_8 = { 4883ec10 4889c8 b97b298f6d 81f97b298f6d 740a 81f9c942a44b 75f0 } + $sequence_9 = { 488b442408 488b00 488b4c2418 488908 488b442418 4883c008 4889442410 } condition: 7 of them and filesize < 990208 
@@ -128968,49 +129712,49 @@ rule MALPEDIA_Win_Olympic_Destroyer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4acd0027-92fe-500e-bf15-82d11cf7dd70" - date = "2026-01-05" - modified = "2026-01-06" + id = "faeb4d04-06cb-5bef-81e3-d206357d9612" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.olympic_destroyer_auto.yar#L1-L227" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.olympic_destroyer_auto.yar#L1-L230" license_url = "N/A" - logic_hash = "04c4fa0edf97b10dccc92d5a353a5a44b42a7347836f6e32d55d1c64914c31af" + logic_hash = "51dc89cee66d8f8ded98919f34996e3d35cc35bca0e71ba7194f7f3686df36aa" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 56 33c0 89542414 57 } - $sequence_1 = { 85c0 7453 8b44242c 8d4c2410 } - $sequence_2 = { ffd7 85c0 0f848c000000 68???????? 8d85c0f9ffff 50 } - $sequence_3 = { 8985d4f7ffff 8d8580f7ffff 56 50 89b5d8f7ffff } - $sequence_4 = { 51 8bce 8b4004 894510 e8???????? 8b4d10 } - $sequence_5 = { 51 8bcf 89442424 e8???????? 8b542424 } - $sequence_6 = { 51 8bcb 8975c4 e8???????? 83c404 8945e4 } - $sequence_7 = { 83e801 743e 83e805 756d 50 50 8b4104 } - $sequence_8 = { 8945fc 53 56 8d45e8 33f6 50 8975e8 } - $sequence_9 = { ff15???????? 
85c0 0f88ac000000 6a00 } + $sequence_1 = { 89442418 85c0 7419 56 8d542414 } + $sequence_2 = { 3b0cc5686a4000 740a 40 83f816 72ee } + $sequence_3 = { 51 8bcb e8???????? 8b75ec 83c404 8945e4 } + $sequence_4 = { 50 6a03 683f010000 ff75e0 } + $sequence_5 = { 76cb 83c614 6a04 57 } + $sequence_6 = { ff15???????? 83c420 6810040000 8d85dcf7ffff 50 } + $sequence_7 = { 8d7e10 85ff 7476 8bcf e8???????? 85c0 746b } + $sequence_8 = { 51 8bcb e8???????? 8bc8 83c408 85c9 0f858d000000 } + $sequence_9 = { ff15???????? 57 ff15???????? 81bd7cf9ffff40420f00 760e ffb590f9ffff } $sequence_10 = { 51 8bce 8d52ff e8???????? 83c408 85c0 0f851f040000 } $sequence_11 = { 51 8bce 8944244c 89bc2480000000 } - $sequence_12 = { 3bc6 742a 0185f0efffff 8b85ecefffff } - $sequence_13 = { a4 4a 40 00d0 4a 40 } - $sequence_14 = { ff74241c ff15???????? 5f 33c0 5e 40 5b } - $sequence_15 = { 0f8794020000 ff2485bc4b5500 51 8d542454 e8???????? 83c404 85c0 } - $sequence_16 = { 8b6c2424 55 6a40 ff15???????? 89442418 85c0 } - $sequence_17 = { 51 8bcb e8???????? 8a45dc } - $sequence_18 = { 89442414 e8???????? 85c0 7415 8d4e08 } - $sequence_19 = { 89442430 8b442444 89442434 751f } - $sequence_20 = { 51 8bce e8???????? 6a00 68???????? } - $sequence_21 = { 50 ffd7 85c0 747a ffb590f9ffff e8???????? eb5f } - $sequence_22 = { 56 ff15???????? 6880ee3600 ff15???????? } + $sequence_12 = { 898c24b0000000 898424b4000000 c7460400000000 85c9 7435 0fb74602 } + $sequence_13 = { 8975e8 ff15???????? 8d45dc 50 68???????? } + $sequence_14 = { 51 8bce 8b4004 894510 e8???????? 8b4d10 } + $sequence_15 = { c3 8b742420 51 ff15???????? 8bc6 5f 5e } + $sequence_16 = { 770e 8b8de8efffff 398df0efffff 7690 53 ff15???????? } + $sequence_17 = { 85db 0f84f6000000 8b4308 8b5304 89442414 8d44242c 51 } + $sequence_18 = { 51 8bce e8???????? 6a00 68???????? } + $sequence_19 = { 50 68???????? 56 ff15???????? 8b45dc 8945f0 } + $sequence_20 = { 8d442424 89442414 c7442418d0f25500 8b0f } + $sequence_21 = { 51 8bcf 89442424 e8???????? 
8b542424 } + $sequence_22 = { 89442414 e8???????? 33c9 83c404 85c0 0f45f9 } condition: 7 of them and filesize < 1392640 
@@ -129020,42 +129764,42 @@ rule MALPEDIA_Win_Gophe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2491eb29-3935-5849-a2ad-9eccac6a7b9a" - date = "2026-01-05" - modified = "2026-01-06" + id = "8e9321bd-61f1-5f79-ba42-b60c8ef3b2ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gophe_auto.yar#L1-L159" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gophe_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "5cb34ff791810c63e96dde8e723ffcb01f24b10439430c6d1044dfaa95dacbda" + logic_hash = "fbec502bd60fccfae95bb152b1898b200d8a79611d87a22cedd265b39479bb10" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 833902 0f94c0 84c0 7407 } - $sequence_1 = { b905000000 ff15???????? 8b05???????? 85c0 } - $sequence_2 = { 8d45f4 64a300000000 68e0000000 e8???????? 83c404 } - $sequence_3 = { 85c0 7509 b803000000 5d } - $sequence_4 = { c744242880000008 c744242003000000 4533c9 ba00000080 458d4103 } - $sequence_5 = { 85f6 7416 6830020000 6a00 } - $sequence_6 = { c744242010000000 4533c9 4c8b4210 8b5208 ff9088000000 } - $sequence_7 = { 57 68???????? c70605000000 e8???????? } - $sequence_8 = { 85c0 7838 488b4c2440 ff15???????? 8bf8 85c0 } - $sequence_9 = { 8bf0 83c404 8bd6 b9???????? 
} - $sequence_10 = { 8bf8 e8???????? 83c408 8d5001 } - $sequence_11 = { 837d0800 7507 b802000000 5d c3 33c0 } - $sequence_12 = { 90 4c8b45b8 4d8bc8 4d8b00 } - $sequence_13 = { b801000000 eb09 83c8ff eb04 } - $sequence_14 = { c744242880000000 c744242003000000 4533c9 4533c0 ba00000080 ff15???????? 488bf8 } - $sequence_15 = { 8b4dec 33cd e8???????? 8be5 5d c21000 c745fc02000000 } + $sequence_0 = { 833902 0f94c0 84c0 7407 e8???????? } + $sequence_1 = { c684249000000000 488b542440 488b4a10 668379300b } + $sequence_2 = { 8907 6a20 e8???????? 8b4d08 } + $sequence_3 = { 894104 418b01 894108 418b4104 } + $sequence_4 = { 8b05???????? 85c0 0f85a9000000 4533c9 } + $sequence_5 = { 894614 8b4614 85c0 740a } + $sequence_6 = { c7000300150c 488b4210 c7400801000000 488b4210 } + $sequence_7 = { b903400080 e8???????? cc 488b01 ff90a0000000 } + $sequence_8 = { 8bd0 b9???????? 8a19 3a1a } + $sequence_9 = { 837d0800 7507 b802000000 5d c3 33c0 } + $sequence_10 = { 85c0 7509 b803000000 5d c20400 6683383c } + $sequence_11 = { 83781408 7202 8b00 51 6a00 } + $sequence_12 = { 894108 418b4104 89410c 4983f801 } + $sequence_13 = { 8be5 5d c3 b896ffffff } + $sequence_14 = { 57 68???????? c70605000000 e8???????? 68???????? 8bf8 } + $sequence_15 = { 8901 418b4104 894104 418b01 } condition: 7 of them and filesize < 1582080 
@@ -129065,36 +129809,36 @@ rule MALPEDIA_Win_Transbox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "587785a3-ca04-5ed2-9e1f-d44127f3688f" - date = "2026-01-05" - modified = "2026-01-06" + id = "6f117e62-8575-5fe3-8195-6ec80d2fbbd5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.transbox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.transbox_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.transbox_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "5d7fecd2b9b1e3ab63215aebd667fbd9c5d2815341d593f4c4a09feacf699ae3" + logic_hash = "00f5f7654b95fc913f44a97a6f4a0a9d519ac1eefc2272bdb980d385a462b743" score = 75 - quality = 75 + quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf1 8bda 57 837e1408 } - $sequence_1 = { 33d2 8b5d08 8955fc 8945e4 8945d8 8955e8 395104 } - $sequence_2 = { 8d4db8 e8???????? 8b35???????? 3b35???????? } - $sequence_3 = { 74e0 6a04 8d85f8fbffff 50 6a49 6a00 ff964c010000 } - $sequence_4 = { f7fb 56 8bf0 bbe0077e00 8bc3 2bc6 83f801 } - $sequence_5 = { 57 8bf1 33ff 6804010000 57 8d4610 c706???????? } - $sequence_6 = { 894608 85c0 74e0 6a04 8d85f8fbffff 50 6a49 } - $sequence_7 = { 8985d8faffff 8b8544faffff 8985dcfaffff 397e14 7204 8b16 } - $sequence_8 = { e8???????? 
83c420 b812000000 33d2 8a900c530110 6683bc96760a000000 7506 } - $sequence_9 = { 8d8504e1ffff 89bd44e1ffff 50 33db 89b540e1ffff 53 } + $sequence_0 = { 6683f95a 7609 8d419f 6683f819 7771 53 } + $sequence_1 = { 50 6a01 e8???????? ffb5ccd3ffff 68???????? ff15???????? 59 } + $sequence_2 = { c20800 68???????? e8???????? cc b8???????? c3 55 } + $sequence_3 = { 57 56 ff7508 e8???????? e9???????? 53 ff7508 } + $sequence_4 = { 740c c74318acbb0110 befdffffff 8b4b28 57 51 } + $sequence_5 = { 8d45d4 53 0f4345d4 8945d0 e8???????? 8bf8 397de4 } + $sequence_6 = { 59 6a69 58 6a36 } + $sequence_7 = { 50 50 8d85b8fbffff 68???????? 50 e8???????? } + $sequence_8 = { 66898338070000 e8???????? 898334070000 8d45f8 50 8d8308020000 } + $sequence_9 = { 50 51 ff15???????? 8bd8 83c40c 85db 7434 } condition: 7 of them and filesize < 288768 
@@ -129104,36 +129848,36 @@ rule MALPEDIA_Win_Jasus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b02d02a-6c2f-5b7d-a1b9-9adc3f6ec692" - date = "2026-01-05" - modified = "2026-01-06" + id = "882742f7-248b-59d5-a29c-1579bd678e05" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jasus_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jasus_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "b14ad9069299f53695d1925d28e19a4f9144d4135d3ef376cb647d76db2503c7" + logic_hash = "9b98a21e4c34c14913920873f0c7e2f01f9f3240655777b402d1be04c71efd38" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 663915???????? 0f8730020000 663915???????? 0f8723020000 663915???????? 0f8716020000 663915???????? } - $sequence_1 = { 740f 50 68???????? 56 e8???????? 83c40c 8b45f0 } - $sequence_2 = { e8???????? 8b54241c 8bf0 80bb8000000000 c6432d00 7412 } - $sequence_3 = { 8bcb 2b4e14 2bc2 3bc8 744e 8b4df8 85c9 } - $sequence_4 = { 8d7b1e e8???????? 84c0 7437 a1???????? 
8b55f8 } - $sequence_5 = { c3 56 33f6 85db 0f889d000000 57 8bf8 } - $sequence_6 = { 7474 833b00 756f f644242c01 668954242e 750a } - $sequence_7 = { 8b8534feffff 668955c4 8b958cfeffff 6a02 } - $sequence_8 = { c1f905 8b0c8d809d4300 c1e006 8d440104 800820 8b4df4 b8000000c0 } - $sequence_9 = { 68???????? e8???????? 8b8df8feffff 83c448 51 ff15???????? 83c404 } + $sequence_0 = { 40 84c9 75f9 2bc7 03d0 8b45f8 } + $sequence_1 = { 80b930fd410000 74e8 8a13 0fb6ca 0fbe8930fd4100 85c9 750d } + $sequence_2 = { e8???????? 83c404 84c0 0f8493010000 8d4594 } + $sequence_3 = { eb02 32c9 83fb09 7e03 83eb07 83f809 7e03 } + $sequence_4 = { e8???????? 83c40c 8b45ec 85c0 740f } + $sequence_5 = { 8b15???????? 51 52 ff15???????? 8b4608 50 } + $sequence_6 = { 8d45a4 50 51 ffd3 8bf8 83c40c 85ff } + $sequence_7 = { 8d14dd00000000 01966caf0100 5f c786a4af060074cf4100 5e 5d } + $sequence_8 = { 83c40c 8b45f4 85c0 740f 50 68???????? 56 } + $sequence_9 = { 381e 7423 8da42400000000 8a06 3a4510 7410 } condition: 7 of them and filesize < 507904 @@ -129144,10 +129888,10 @@ rule MALPEDIA_Win_Malumpos_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "cd78d99d-ded9-59a9-a898-9ec39f928aa5" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.malumpos_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.malumpos_auto.yar#L1-L116" license_url = "N/A" logic_hash = "29cfae31eaa84f0f9fcc3ec276520376ec4d5f40c7104f5c7188971142f1d819" score = 75 
@@ -129156,9 +129900,9 @@ rule MALPEDIA_Win_Malumpos_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -129182,36 +129926,36 @@ rule MALPEDIA_Win_Unidentified_091_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "43cbe43d-9747-5a0c-bb40-dd9c7c940d50" - date = "2026-01-05" - modified = "2026-01-06" + id = "cf09f652-e969-58ee-9b4f-8afb50f512ed" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_091_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_091_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "4634e6f2999913eaf2a083116e36bae941dd940a5cf81991fb84c6cc55fc0d2d" + logic_hash = "a228d061a0a5a0cb3920e1fda0eaddb57b86d5516f29931565c9af29e9a8ece4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81e1ff00ff00 0bd1 895618 418b481c 8bd1 c1ca08 c1c108 } - $sequence_1 = { c0e904 8885f8000000 888df9000000 0fb64a1d 0fb6c1 c0e904 240f } - $sequence_2 = { e8???????? 85c0 743c 48ffc3 483b5c2430 72c4 488bcf } - $sequence_3 = { 8b442448 418bd1 4133d2 c1ca10 03fa 893c24 448bc7 } - $sequence_4 = { c1cd02 c1e718 418bc0 c1c005 4103c2 4489642418 03d0 } - $sequence_5 = { 85c0 0f8eee000000 488d0d49421600 48894d00 48215508 48215510 ffc0 } - $sequence_6 = { e8???????? 488bd3 488bcf 4c8bf0 8b30 c70000000000 e8???????? 
} - $sequence_7 = { f30f58d0 0f57c0 0fc6d200 0f51ca 410fc2d304 0fc2c104 0f5ed9 } - $sequence_8 = { 4c894507 48894d0f e9???????? c74424285a0a0000 ba50000000 4c89542420 41b966010000 } - $sequence_9 = { c784248000000001000000 eb32 c7442420f6010000 baa6000000 4c8d0db8a71100 b906000000 448d42fc } + $sequence_0 = { 89552c 44894550 4c8d14c1 44894530 4803c2 4c895520 c7455402000000 } + $sequence_1 = { 8b542420 443bd3 0f8481000000 443bd2 0f82df000000 453bd3 0f83d6000000 } + $sequence_2 = { ff15???????? 48898378040000 4883f8ff 742c c7837004000001000000 4885ff 744e } + $sequence_3 = { 7593 b841000000 b9b6000000 ba6d000000 894c2420 4c8d0d366d1200 448bc0 } + $sequence_4 = { e9???????? c6456807 816568fffeffff 0f57c0 f30f7f4570 4c89bd80000000 b910000000 } + $sequence_5 = { 7511 c7442428c60c0000 8d5050 448d4810 eb69 41b901000000 4c8bc7 } + $sequence_6 = { c744242801000000 488d0d028a1400 4c8bc3 89442420 e8???????? 4883c430 5b } + $sequence_7 = { 8945a7 8945f3 8bc7 3345ab c1c00c 4403f0 418bd6 } + $sequence_8 = { c3 ba50000000 c7442428d1010000 488d0568001300 41b8d5010000 488bcb 4889442420 } + $sequence_9 = { 7415 41b8240b0000 488d1558971100 488bcb e8???????? 488b5c2430 b801000000 } condition: 7 of them and filesize < 5777408 @@ -129225,7 +129969,7 @@ rule MALPEDIA_Win_Unidentified_111_Auto : FILE date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_111_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_111_auto.yar#L1-L125" license_url = "N/A" logic_hash = "8a86a6eb9509e0a5b4e912cde53abfcabb23f3644fc565d69ca8396c5dc5d7c9" score = 75 
@@ -129260,34 +130004,34 @@ rule MALPEDIA_Win_Ismagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "67740cfb-8507-5206-9327-8d9ca8f2fd2f" - date = "2026-01-05" - modified = "2026-01-06" + id = "d30a21b6-9168-58ac-be0f-21bd6de3a54f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ismagent_auto.yar#L1-L100" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ismagent_auto.yar#L1-L107" license_url = "N/A" - logic_hash = "59fcd27aca5a3625483340bfe48980fca66506765ca3b82f7d01afb486f805fc" + logic_hash = "b9bb1dae4329c5eb1e40c0a1e6a1b949614e1a70afb3bd7bafc8905aff0f960d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68000000a0 ff7510 51 57 ffd0 68???????? } - $sequence_1 = { 50 56 57 8d942418170000 } - $sequence_2 = { 68e8030000 50 8d8424580b0000 50 e8???????? 83c40c 8d842418030000 } - $sequence_3 = { f3a4 8dbc24183e0000 4f 90 } - $sequence_4 = { 33c9 660f1f840000000000 8a81a00a4200 8d4901 88840c370f0000 84c0 } - $sequence_5 = { 66a5 8b7c2418 837c241400 742d 8bc8 8d5101 } - $sequence_6 = { c744243400000000 e8???????? 
8b4c2428 8d442444 } - $sequence_7 = { 51 8b4c2434 8d942418070000 50 6a01 } + $sequence_0 = { 8816 eb3e c6060d 8b048d48404200 8854382a eb2e } + $sequence_1 = { 8b048d48404200 5b 8b543818 8955ec } + $sequence_2 = { 8bd7 2bd1 8a01 8d4901 884411ff 84c0 } + $sequence_3 = { 6a44 83e103 6a00 f3a4 50 e8???????? 8b7c244c } + $sequence_4 = { c1f806 6bc930 8b048548404200 f644082801 7406 8b440818 } + $sequence_5 = { 53 8b5d10 8b048548404200 56 8b7508 57 8b4c0818 } + $sequence_6 = { 8a01 41 84c0 75f9 2bca 0f8417010000 8d8424500b0000 } + $sequence_7 = { 47 42 8d7001 90 8a08 40 } condition: 7 of them and filesize < 327680 
@@ -129297,36 +130041,36 @@ rule MALPEDIA_Win_Unidentified_110_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cf62c553-12f9-5533-845c-44826d9d56b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "2d5ba36e-5361-5b2d-9c23-9f15aade20bf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_110_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_110_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e61c3758e63fca434ff16788b9f2b50055e755cc5399fb0099b370350ca7876a" + logic_hash = "2e7c9ac386af40c86b98568776f1bc132b500de4e78d099d84b189be0b32b69a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 753e 4c89f1 89da 4189e8 e8???????? 8a08 488b5040 } - $sequence_1 = { 4c89e0 48f7e1 4989c7 0f91c0 0f8050010000 88c3 48c1e306 } - $sequence_2 = { f0480fc11d???????? 8b05???????? 65488b0c2558000000 488b04c1 80b82001000000 7505 e8???????? } - $sequence_3 = { 48ffc8 4883f802 0f83ab000000 488bb42430010000 488d4e18 498b1424 e8???????? } - $sequence_4 = { e8???????? 0f1006 0f104e10 0f105620 0f119390000000 0f118b80000000 0f114370 } - $sequence_5 = { 4c89c1 e8???????? 
4889c7 83ff01 7543 4889d9 ba2f000000 } - $sequence_6 = { 4c8d642448 49c7c6ffffffff 4c89e9 e8???????? 6683f801 0f85b6000000 89d5 } - $sequence_7 = { 4c8d0557060800 ba25000000 e8???????? 0f0b 56 4883ec20 488b31 } - $sequence_8 = { 4869cf48010000 4801c1 4883c108 48c741f801000000 41b840010000 4c89f2 e8???????? } - $sequence_9 = { 65488b0c2558000000 488b2cc1 0fb7b578010000 66c785780100000180 4889f9 4c89f2 e8???????? } + $sequence_0 = { bb00000000 4989fc bf00000000 0f84021f0000 31f6 418874247b 498dbc24c80b0000 } + $sequence_1 = { e8???????? eb18 488d0d4de10a00 4c8d05067c0800 ba2b000000 e8???????? 0f0b } + $sequence_2 = { 898c245c100000 488b8c2458050000 48898c2460100000 89842468100000 8b842483030000 8984248c100000 8b842480030000 } + $sequence_3 = { 660f1f840000000000 8b9c2ca8000000 488d1c9b 488d0458 89842ca8000000 48c1e820 4883c504 } + $sequence_4 = { e8???????? 4889c1 e8???????? 4183fe05 753f 89c1 81e1000000ff } + $sequence_5 = { e8???????? 4889c5 e8???????? 488d8c2408030000 488b942498000000 48899168ffffff 488b942490000000 } + $sequence_6 = { eb18 488d0d4de10a00 4c8d05067c0800 ba2b000000 e8???????? 0f0b 662e0f1f840000000000 } + $sequence_7 = { 4401d9 4489d8 4431f8 31c8 4401cd 01c5 81c5e599dbe6 } + $sequence_8 = { e8???????? 4989c6 4c8d7e10 488d842480000000 488938 4c8d8424e0010000 498900 } + $sequence_9 = { 8b4c2434 894c2424 488b8c2418010000 48898c2460010000 488b8c2420010000 48898c2468010000 488b8c2428010000 } condition: 7 of them and filesize < 3217408 
@@ -129336,36 +130080,36 @@ rule MALPEDIA_Win_Powersniff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2a881adf-7d1a-56c3-b5e7-0d44ba58f640" - date = "2026-01-05" - modified = "2026-01-06" + id = "d9a15ab2-f4aa-5861-a29d-0a1142275d5d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.powersniff_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.powersniff_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "5f0dc4acb7c58a41f657c7beac5f0371e51ded838f8edb6d41966e6195e43ff4" + logic_hash = "16f88330ecf20551c60ee3117d183ea0c8f76719f3c28b652c50ef00521f303c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5dec ff75fc e8???????? 8bd8 3bde } - $sequence_1 = { 894df4 33ff eb08 3c0d 7408 47 } - $sequence_2 = { c745e04d9b0010 c745e46f910010 c745e8a2910010 c745ec549b0010 c745f0c2910010 } - $sequence_3 = { 8b4508 56 be???????? 57 8908 8a03 894dfc } - $sequence_4 = { 8975ec 8b75f4 c1ee18 8b34b590740010 } - $sequence_5 = { eb12 c745fc08000000 eb09 ff15???????? 8945fc 8b45fc 5f } - $sequence_6 = { 33db 43 5e 5f ff75fc ff15???????? ff75f0 } - $sequence_7 = { 750f ff15???????? 3de5030000 750d eb09 ff7610 } - $sequence_8 = { ff15???????? 
8bf8 897df0 3bfb 7435 8d4508 50 } - $sequence_9 = { 331cb590840010 c1ea18 8b349590780010 8b55f4 335808 c1ea08 } + $sequence_0 = { 3314b590800010 8b75ec c1ee18 3314b590780010 0fb675fc } + $sequence_1 = { 7558 8d45f0 50 8d45f8 } + $sequence_2 = { 6800000020 8d4590 50 ffd3 50 8d4590 50 } + $sequence_3 = { 8b4d0c 8364241000 8901 8b44242c } + $sequence_4 = { 68???????? ffd6 85c0 0f8592000000 68???????? ffd6 85c0 } + $sequence_5 = { 8d45ec 50 8d45f8 50 ff75f4 e8???????? } + $sequence_6 = { 85db 7521 e8???????? 8bd8 85db 7516 ff75f8 } + $sequence_7 = { 85c0 7405 3b4508 7210 ff45fc } + $sequence_8 = { 393d???????? 7578 8b35???????? 6800010000 57 ff35???????? } + $sequence_9 = { ff7614 ffd7 8b4d74 8b4570 03c1 8b4d7c 03c1 } condition: 7 of them and filesize < 90112 
@@ -129375,36 +130119,36 @@ rule MALPEDIA_Win_Royalcli_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a5a0dbf-041d-5a71-ace4-cc85bbf8dbac" - date = "2026-01-05" - modified = "2026-01-06" + id = "7501bc95-5970-51f4-8011-8d170714f8a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.royalcli_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.royalcli_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "c1838945d5c33b64e750d6ae434f43dd65441d3926695dd6e2b710434dc1c7bb" + logic_hash = "a49cc79a85580805d992a2da818540011215a14958a82e3f5a04eda36df1756a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a02 53 56 c745e844006900 c745ec73006100 c745f062006c00 c745f465004300 } - $sequence_1 = { 33f6 85ff 7e4b 4f c1ef02 8d4a01 } - $sequence_2 = { 66895008 6800000080 8d85d8fdffff 50 ffd3 83f8ff 7421 } - $sequence_3 = { 6840000100 89b5c0feffff e8???????? 83c404 } - $sequence_4 = { 5d c3 56 57 6a01 50 e8???????? } - $sequence_5 = { 33cd e8???????? 8be5 5d c3 8b85e8fcffff 6840771b00 } - $sequence_6 = { 68???????? ffd7 8d55e8 52 e8???????? 
83c404 8bd8 } - $sequence_7 = { 8b5d0c 8995bcf9ffff 8b5518 899da8f9ffff 8995b8f9ffff 7d11 33c0 } - $sequence_8 = { 8b85bcfeffff 50 33f6 ff15???????? e9???????? 3d00000100 0f8f2bffffff } - $sequence_9 = { 8d85c4fdffff 50 68???????? 68???????? 68???????? ffd6 bf???????? } + $sequence_0 = { ffd6 b907000000 8db57cf7ffff 8dbd60f7ffff f3a5 } + $sequence_1 = { ffd6 8d8df4f6ffff 51 ffd6 } + $sequence_2 = { 6804010000 8d95e0feffff 52 68???????? 68???????? 68???????? ffd7 } + $sequence_3 = { 8b4808 334804 8b500c 3310 8d8178563412 356699aa55 03c2 } + $sequence_4 = { 8be5 5d c3 53 56 8d85d8fdffff 50 } + $sequence_5 = { 03ca 32d8 32d9 8ac3 8b5d08 88041f 47 } + $sequence_6 = { 8bd0 83e01f c1fa05 8b1495c04b4100 59 c1e006 } + $sequence_7 = { 6a00 57 e8???????? 83c40c 8d85a4feffff } + $sequence_8 = { 57 56 e8???????? c1f805 56 8d3c85c04b4100 } + $sequence_9 = { 8bf9 85c9 7428 0fb61c32 8bc8 c1e90f 03c0 } condition: 7 of them and filesize < 204800 
@@ -129414,36 +130158,36 @@ rule MALPEDIA_Win_Whiteblackcrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b018fd5-a77f-5d35-804b-d70e18428f2b" - date = "2026-01-05" - modified = "2026-01-06" + id = "fc05c9b5-93d3-547a-b483-4cf070671b07" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.whiteblackcrypt_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.whiteblackcrypt_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "4f74eb7c5773b19a8be72f0225ca23ef138b3bc453243d9314335e49ca519939" + logic_hash = "553d6e8fdc611531b3afb86539039720ae5eaac9626613ba9a8069195b84c748" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 40326c243e 31ef 4131fa 4531d6 4531f5 } - $sequence_1 = { 7477 83feff 7c60 752e 488b8b38020000 } - $sequence_2 = { 410f94c2 4409d0 4109cb 753a } - $sequence_3 = { ff15???????? 83f812 0f84d4000000 488b8b38020000 e8???????? 48c7c0ffffffff } - $sequence_4 = { 0f840c010000 488d7c2420 4889da 41b804010000 4889f9 } - $sequence_5 = { 4889c1 e8???????? 4889e9 4889c2 4883c428 5b } - $sequence_6 = { 0f84d4000000 488b8b38020000 e8???????? 48c7c0ffffffff 48898338020000 } - $sequence_7 = { 4c89e1 41c6442cff00 e8???????? 
4c39e6 } - $sequence_8 = { 4889f1 e8???????? 4889f1 85c0 7407 } - $sequence_9 = { 4401e6 4d63c4 4889f9 4989d9 ba01000000 } + $sequence_0 = { 0f1086b0000000 4889f2 4889e9 0f29442420 e8???????? } + $sequence_1 = { 8a4301 0fb64c243a 8844243b 8a4302 8844243c } + $sequence_2 = { 83f8ff 89c5 749a 8b442420 488d7324 41b804010000 } + $sequence_3 = { e8???????? 99 f7fd 88141e 48ffc3 ebec 4889f0 } + $sequence_4 = { 4889c7 4989d9 41b800000002 ba01000000 4889f9 } + $sequence_5 = { e8???????? 31c0 8a9407b0000000 301406 48ffc0 } + $sequence_6 = { 0f8498000000 80fa2f 75e3 4883c001 } + $sequence_7 = { 458a4803 458a7801 4489f7 4489d1 4431cf } + $sequence_8 = { 0f94c2 89d0 4883c458 c3 53 4883ec20 ba2e000000 } + $sequence_9 = { 0f29442420 e8???????? b80f000000 8a9406b0000000 80faff 7513 } condition: 7 of them and filesize < 99328 
@@ -129453,36 +130197,36 @@ rule MALPEDIA_Win_Rgdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2eb99ad7-9e75-5845-969c-c304a1478e04" - date = "2026-01-05" - modified = "2026-01-06" + id = "7a748caa-9610-585e-a73c-af1eb7a2a2d0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rgdoor_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rgdoor_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "fb170bfaa8b6f4f88bfae97b02b3770495bd4a9f8715b2816fb97989dc207528" + logic_hash = "2f0ca04169b6a62bbae53949d82c4fbf97fc4cec0ba1f3cd80e4bb6d6018d2d1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8d0dbe380200 4c8b442448 488b542438 488b4c2440 83bc24c800000000 7413 } - $sequence_1 = { 488d0d53170100 e8???????? 85c0 754a 488d0d774a0000 e8???????? 488d152f170100 } - $sequence_2 = { ff15???????? 488d15e3580100 483305???????? 488bcb 488905???????? ff15???????? 
488d15e5580100 } - $sequence_3 = { 4c8d25d8310200 83e01f 4c6bf858 498b04fc 420fbe4c3808 83e101 7449 } + $sequence_0 = { 48634804 488d05db7e0200 4889841968ffffff 488b8368ffffff 48634804 8d51e8 } + $sequence_1 = { 83fa02 7c12 8a03 4b8b8cea503f0300 48ffc3 4288443139 83fa03 } + $sequence_2 = { 440fb60c3a 4180f93d 7504 33d2 } + $sequence_3 = { 48895c2408 4889742410 57 4883ec20 488d3d064a0200 } $sequence_4 = { 488d4c2420 41b801000000 4889442458 e8???????? 488d05e6840100 488d154f530200 488d4c2420 } - $sequence_5 = { e8???????? 4c8bf8 4889842488000000 4885c0 } - $sequence_6 = { 4863ca 0fb7444b0c 6641898448c0410300 ffc2 ebe2 8bd7 } - $sequence_7 = { e8???????? 488bf0 488b8de0000000 48635104 } - $sequence_8 = { e9???????? 488d8a98000000 e9???????? 488d8ae0010000 e9???????? 488d8a60000000 e9???????? } - $sequence_9 = { 4c8d3d6c3c0100 4c8d6738 4c8d05e13d0100 488bd3 498bce e8???????? } + $sequence_5 = { 488b0f eb03 488bcf 0fb606 440fb60408 ba01000000 488d4dd8 } + $sequence_6 = { 4863f0 89b424b0000000 3bf3 0f8475010000 488bce 488bd6 } + $sequence_7 = { 4c8d35e4fb0100 f0ff09 7511 488b8eb8000000 493bce } + $sequence_8 = { 488d057635feff eb0a 33d2 33c9 e8???????? 90 4883c420 } + $sequence_9 = { 488d1510da0000 488bcb ff15???????? 488bc8 ff15???????? 488905???????? ff15???????? } condition: 7 of them and filesize < 475136 
@@ -129492,36 +130236,36 @@ rule MALPEDIA_Win_Dratzarus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f9302a79-cbbb-577e-b0de-afebe2c4bd13" - date = "2026-01-05" - modified = "2026-01-06" + id = "b05b6cf3-df9c-5822-94de-c2d1dd169a66" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dratzarus_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dratzarus_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "0edbbc2d6b5b6d721d8b3aacd843dcee1111d0fce65e6b309e3647e78f406b33" + logic_hash = "28b394085017763658cb32f571c0bc3ead50b44836e5d19cbb1fb8a91890baf5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c7850002000016bc0b71 c78504020000128aa4ac c785080200000fa52ff4 c7850c020000421880f6 c7851002000023121336 } - $sequence_1 = { c7852802000014a20b6d c7852c02000012d8a499 c785300200000fa32ffa c78534020000420d80c7 c78538020000230a133f 66c7853c0200003e85 } - $sequence_2 = { 894511 66894515 8b05???????? 894517 0fb705???????? 6689451b } + $sequence_0 = { 33d2 33c9 4889442420 48895c2448 c744244001000000 } + $sequence_1 = { c6453c5b e8???????? 488bc8 ff15???????? 
488bd8 4885c0 7511 } + $sequence_2 = { c785380400004e70775d c7853c04000063706229 c745b002332420 c745b435240728 c745b82d240041 c74424607a2ed60d } $sequence_3 = { 6689440afe 6685c0 75ef 33c0 4883c9ff 488dbc2480060000 } - $sequence_4 = { 488d8de0000000 ba0f000000 488905???????? e8???????? 488bcb 488bd0 ff15???????? } + $sequence_4 = { 4883c430 5f 5e 5b c3 488b4c2468 41b902000000 } $sequence_5 = { bf01000000 488bcb ff15???????? 8bc7 488b8c2460020000 4833cc e8???????? } - $sequence_6 = { c74424306133dc18 c7442434679eb315 66c744243876d4 c785e0000000eb6cf5c3 } - $sequence_7 = { c7450c4b676e4a c745101d29ecd4 c745142daca8b6 c64518f2 c785800000005e7c6d4c c78584000000747e6447 c785880000003134f9ef } + $sequence_6 = { c785f0000000fd77f4c4 c785f4000000ba55a70a c785f8000000d01a40b1 66c785fc00000064ca c685fe000000e4 } + $sequence_7 = { e8???????? 488bcb 488bd0 ff15???????? 488d8d58020000 ba13000000 488905???????? } $sequence_8 = { 89842454020000 e8???????? b902000000 8d5701 4533c0 } - $sequence_9 = { 488bd0 ff15???????? 488d8da0020000 ba14000000 488905???????? e8???????? 488bd0 } + $sequence_9 = { 488d4de0 ba16000000 e8???????? 488bcb 488bd0 ff15???????? 488b5c2460 } condition: 7 of them and filesize < 1606656 
@@ -129531,36 +130275,36 @@ rule MALPEDIA_Win_Bunitu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad5c884d-40cc-596d-af5c-643847feb65b" - date = "2026-01-05" - modified = "2026-01-06" + id = "c85a7627-4384-5dd1-9fe2-f7c21bc40415" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bunitu_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bunitu_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "4579187f29545393632699d1b30240f12e5e7855e0bb344d18579a744895ea25" + logic_hash = "ef61b95a2caa6c954a4bcdebaf86e1775c34fff361c1dda8a0360f85c88dbfda" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c70003000000 ff75f0 8f4004 ff75ec 8f4008 8bc8 } - $sequence_1 = { ff15???????? 59 5d 5a } - $sequence_2 = { 6a00 50 ff15???????? 6a00 68e8030000 ff15???????? 33c0 } - $sequence_3 = { aa 5a 5f 5e 42 5b } - $sequence_4 = { 6800000100 50 51 6800080000 6a00 } - $sequence_5 = { 8b85d8feffff 898538fdffff 6a10 8d8d34fdffff 51 ffb528fdffff ff15???????? } - $sequence_6 = { 668b85dcfeffff b901190000 49 663bc1 } - $sequence_7 = { 50 53 8d85caf7ffff 50 e8???????? } - $sequence_8 = { 837df000 7614 6a02 ff75f0 ff15???????? ff75f0 } - $sequence_9 = { 8dbd58feffff b91c000000 33c0 f3aa e8???????? 
8945fc } + $sequence_0 = { ff75fc ff15???????? 6a05 ff75fc ff15???????? 6a00 6a00 } + $sequence_1 = { 50 ffb524fdffff e8???????? 58 } + $sequence_2 = { 899078130000 ffb544feffff 51 6800040000 6a00 } + $sequence_3 = { eb05 e8???????? 6864190000 6a08 } + $sequence_4 = { 8b09 898dd8feffff 6689bddcfeffff e9???????? 80bd2ffdffff01 } + $sequence_5 = { 57 52 8b7d08 8b750c 8b4d10 49 } + $sequence_6 = { 50 687c150000 6a08 ff35???????? } + $sequence_7 = { 8b8544feffff 8b9530feffff 899074130000 8b5510 } + $sequence_8 = { 81c458feffff 8dbd58feffff b91c000000 33c0 f3aa } + $sequence_9 = { 0bc0 7415 40 7412 48 50 ff7508 } condition: 7 of them and filesize < 221184 
@@ -129570,36 +130314,36 @@ rule MALPEDIA_Win_Hazy_Load_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "24c66e7b-2677-5514-927b-1f5ec58947dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "a350eaad-9bcb-5f5e-81a1-787050135b96" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hazy_load_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hazy_load_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "689a5f8205a52a844de3b9ea93f7ac4cdf01c931efdc00759c5c614c1c72cb27" + logic_hash = "6dd70fa7df72f7c4ea5416ccf00a68d1eab60e78bafa0a38a25801f23d6cb5fb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d542420 442bc7 4803d0 4533c9 } - $sequence_1 = { 33d2 488bc8 4c8bf8 e8???????? 4c8bc6 41893f 498d4f08 } - $sequence_2 = { 488d35c3aa0100 eb16 488b3b 4885ff } - $sequence_3 = { 418be9 48c1f806 488d0db8200100 4183e23f } - $sequence_4 = { 4883ec20 8bd9 4c8d0d09c60000 b904000000 4c8d05f5c50000 488d15aeb20000 } - $sequence_5 = { 0f848d010000 83cfff 488d2ddf120100 83635000 83632c00 e9???????? } - $sequence_6 = { 0fb64201 84c0 744d 0fbec8 83e968 } - $sequence_7 = { 83fb08 7cd5 83fb08 0f8522010000 } - $sequence_8 = { 4883ec20 488d3d93690100 48393d???????? 
742b } - $sequence_9 = { ff15???????? 48832300 4883c308 488d0551d50100 } + $sequence_0 = { 33c0 f04d0fb1bcf130100200 488bd8 740e } + $sequence_1 = { 488945f0 488d1594c40000 b805000000 894520 894528 } + $sequence_2 = { f00fc103 83f801 7516 488d05b5330100 488b4c2430 483bc8 7405 } + $sequence_3 = { 488b442448 4883f8ff 74c8 488bd3 4c8d05ceed0000 83e23f } + $sequence_4 = { 488d0d12c9ffff 4933f8 4a87bcf150100200 33c0 488b5c2450 488b6c2458 488b742460 } + $sequence_5 = { 8d41ff 8b8482f89e0100 85c0 0f8489000000 } + $sequence_6 = { 488d0d5beffeff 48c1e602 0fb784b9609e0100 488d9150950100 } + $sequence_7 = { 448bc7 4863c3 488d5504 442bc3 } + $sequence_8 = { 442bc3 4803d0 4533c9 488bce ff15???????? 85c0 0f8eacfeffff } + $sequence_9 = { eb75 4c8bf3 488d3513be0100 488d2df4bd0100 } condition: 7 of them and filesize < 315392 
@@ -129609,42 +130353,42 @@ rule MALPEDIA_Win_Tiger_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45a8f301-bb79-5b2b-bc44-a24cf96c6108" - date = "2026-01-05" - modified = "2026-01-06" + id = "bb552065-88a9-5f82-907d-8836dc928a50" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tiger_rat_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tiger_rat_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "86fb8964d90e4f85207407bd6a1343f7cd65992f2c3c62186f5ccbef201af0b2" + logic_hash = "65882f2780c0847bc47b54c18167ad25463eebf3cfee7497aef68625066b38d3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883fbff 7425 48c74108ffffffff ba02000000 488bcb } - $sequence_1 = { 4883f8ff 740c 83caff 488bc8 ff15???????? 33c0 } - $sequence_2 = { 41b831000000 48895c2420 e8???????? 488bcb } - $sequence_3 = { 33d2 41b800020000 e8???????? c7832804000020000000 89bb30040000 48c7834c04000000000000 } - $sequence_4 = { 0fb745ae 663b0d???????? 750d 663b05???????? } - $sequence_5 = { 381a 7505 448bc3 eb11 4983c8ff 0f1f4000 } - $sequence_6 = { 2bef 488bcb 4c63c5 e8???????? 
442be7 488bce } - $sequence_7 = { 49c1eb04 c0e104 0ac1 410fb6cf 0845d6 } - $sequence_8 = { 415f 5e c3 8b5650 33c9 41b800100000 } - $sequence_9 = { 4898 483de4000000 730f 488d0d1d840000 4803c0 8b04c1 eb02 } - $sequence_10 = { 8b4e28 4803cf e8???????? 488bbc24c0000000 } - $sequence_11 = { f30f7f4507 0b0d???????? 41b8d0070000 c745f74008027b } - $sequence_12 = { 488bdf 48c1fb05 4c8d353a1c0100 83e01f 486bf058 } - $sequence_13 = { 488d1578bd0000 488bcb 488905???????? ff15???????? 488bc8 ff15???????? 488d1570bd0000 } - $sequence_14 = { 0fb64c05b7 48ffc0 42324c05a7 4883f80f } - $sequence_15 = { 4c8d2d166e0100 413bff 7d77 488b0e } + $sequence_0 = { 458bc1 8bc8 440fb60c3a 41d3f8 } + $sequence_1 = { 4103c8 458bd8 81e1ff000080 7d0a ffc9 81c900ffffff } + $sequence_2 = { 0f11442440 0f849b000000 498d4d28 ff15???????? 498b7520 4c8d4c2438 } + $sequence_3 = { 488bf8 e8???????? 33db 4c8d0525ffffff } + $sequence_4 = { 33c9 48895c2428 c6464201 895c2420 ff15???????? } + $sequence_5 = { 4885c0 488905???????? 0f95c0 488b5c2438 4883c420 } + $sequence_6 = { 83f901 743f 4c897c2450 8d79ff } + $sequence_7 = { 4885c0 7412 b001 488b5c2438 488b7c2440 } + $sequence_8 = { 488b8424c0000000 448938 498bc4 4883c470 415f 415e } + $sequence_9 = { 33d2 41b8d0070000 488bcb f30f7f442430 c705????????12000000 } + $sequence_10 = { c3 48895c2408 57 4883ec20 488d1de7410100 488d3de0410100 } + $sequence_11 = { 488bcb e8???????? 8b0d???????? 41b800800000 030d???????? } + $sequence_12 = { 488bce c745f74511197b c745fb14483240 8905???????? c745ff5c6e560b 66c745035400 c705????????33000000 } + $sequence_13 = { 33c0 4883c468 c3 3305???????? } + $sequence_14 = { 488d5567 8bd8 0faf0d???????? 890d???????? 488d4d6f ff15???????? } + $sequence_15 = { c744245808377817 c744245c4c35571a 8905???????? c74424602a420000 c644244000 e8???????? } condition: 7 of them and filesize < 557056 
@@ -129654,36 +130398,36 @@ rule MALPEDIA_Win_Chrgetpdsi_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d3ecdf63-3d7b-56f8-8ebb-39b6f5471caa" - date = "2026-01-05" - modified = "2026-01-06" + id = "4b33cd5b-8079-52fc-b7ed-b1adf7d885ba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chrgetpdsi_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chrgetpdsi_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chrgetpdsi_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "6bfcd142e96c03742e4fbcd1d45c8791f0f2de988eb9c6e51f8b962532c287a2" + logic_hash = "e320738bdce66bcf9e9b4d1435fc683c80facbe71e20f18a2db06792d0965432" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488dbc2428010000 488d742408 660f1f840000000000 0f1f4000 48896c24f0 488d6c24f0 e8???????? } - $sequence_1 = { e8???????? 84c0 0f8489010000 488b4c2458 488d7101 488b7c2478 0f1f440000 } - $sequence_2 = { 48898c24b0000000 4889442468 48895c2460 488d3dd9b32500 be27000000 e8???????? 488b542468 } - $sequence_3 = { 89d8 e8???????? 4889442458 48895c2448 488d05e3a61c00 0f1f00 e8???????? } - $sequence_4 = { 90 90 488d05e41e4200 e8???????? 
90 488b4c2420 488b542418 } - $sequence_5 = { b909000000 488bbc2408060000 488bb42410060000 4c8d0575882700 41b91a000000 e8???????? 0f1f4000 } - $sequence_6 = { 31c0 31c9 31d2 31db e9???????? 4889d9 4889c3 } - $sequence_7 = { 48c740100f000000 488d0dca832500 48894808 833d????????00 7509 488905???????? eb0c } - $sequence_8 = { 4c8b842410010000 0f1f4000 e9???????? 4c8b842410010000 4d85c0 7e24 498d48ff } - $sequence_9 = { 4c89442478 0f1f00 4883fa01 7546 488d0573ca1a00 bb01000000 4889d9 } + $sequence_0 = { 803800 7532 488b5008 4889d9 48c1eb06 660f1f440000 48395810 } + $sequence_1 = { ffd2 488b4c2478 488b5940 488b5148 488d05723b1400 4889d1 e8???????? } + $sequence_2 = { c3 e8???????? e8???????? 488d0548981800 488d1d31832000 90 e8???????? } + $sequence_3 = { e8???????? 488b0d???????? 48898c24a8060000 488d05734e1900 e8???????? 833d????????00 750e } + $sequence_4 = { 85db 754d 8b5920 4863411c 85c0 7924 48f7d8 } + $sequence_5 = { e9???????? c70301000000 458b4c2458 89442430 4585c9 0f85cdfdffff 31c9 } + $sequence_6 = { e9???????? 488d15d94f2300 48895068 e9???????? 488d15c14f2300 48895070 4889d0 } + $sequence_7 = { e8???????? 488b442438 488b5c2428 e8???????? 488d0584982e00 bb0f000000 e8???????? } + $sequence_8 = { f30f6f6810 410f116a18 f30f6f6020 410f116228 f30f6f6830 410f116a38 f30f6f6040 } + $sequence_9 = { 81f992d74abd 0f8783000000 0f1f00 81f90241adbb 7538 488d0d911c2c00 4839c8 } condition: 7 of them and filesize < 10027008 
@@ -129693,42 +130437,42 @@ rule MALPEDIA_Win_Ketrum_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1ff13c8d-0527-5a40-b6b9-bb4141259de3" - date = "2026-01-05" - modified = "2026-01-06" + id = "34dfc7f1-3388-5508-be93-54df608c7b6f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ketrum_auto.yar#L1-L171" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ketrum_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "2f5239fe4e1f5d031309de047f066345a22c976ad71c9c05f830bcb3f0899bfb" + logic_hash = "a40464d91af1dd1635901962dcdc758cf799db87ab42c7b659961a1c1df8820e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a08 40 3acb 75f9 52 ff74241c 2bc7 } - $sequence_1 = { 6a00 50 e8???????? 8d85fcefffff 83c418 } - $sequence_2 = { 8bf7 83e61f c1e606 033485a0bc6200 c745e401000000 } - $sequence_3 = { 68???????? 50 ffd7 83c43c 53 53 } - $sequence_4 = { 85c0 7549 ff15???????? 8bf0 56 68???????? } - $sequence_5 = { ba???????? 898df0d3ffff 3bc7 7321 8995f0d3ffff } - $sequence_6 = { 894dd4 8945d8 eb06 215dd4 215dd8 } - $sequence_7 = { 58 b9???????? e8???????? 59 57 68???????? e8???????? } - $sequence_8 = { 68???????? 50 ff15???????? ffb534fdffff 8d8de0fdffff ffb52cfdffff e8???????? 
} - $sequence_9 = { 68???????? 8d4da8 e8???????? 59 84c0 } - $sequence_10 = { e8???????? 8b450c 8b5d08 33c9 } - $sequence_11 = { ff15???????? 898350010000 80bd33efffff00 0f84e3f2ffff } - $sequence_12 = { 7503 6a09 59 66890e eb03 668916 830002 } - $sequence_13 = { 898d34efffff 6a00 ffb534efffff 83c8ff } - $sequence_14 = { 50 8db578fdffff e8???????? 8bc6 50 8d85a0fbffff 50 } - $sequence_15 = { 8d458c 50 c645fc03 e8???????? 59 } + $sequence_0 = { 7e0d 33db 53 53 } + $sequence_1 = { 8818 8816 8a00 02c2 8b55f8 0fb6c0 } + $sequence_2 = { 8bfe 33db 897de0 895de8 } + $sequence_3 = { b8???????? ffb5e8cbffff 68???????? ffb5f4cbffff 68???????? ffb5f8cbffff } + $sequence_4 = { ffb5f0cbffff ff15???????? ffb5f0cbffff ff15???????? ffb5e8cbffff ffb5f4cbffff ffb5f8cbffff } + $sequence_5 = { 50 e8???????? 50 e8???????? 83c420 ff35???????? ff05???????? } + $sequence_6 = { 53 53 68???????? 6a03 eb04 53 53 } + $sequence_7 = { ff15???????? 8bf8 3bfb 0f8670020000 } + $sequence_8 = { 8b8510efffff 8b8d0cefffff 2bc1 6a1c 99 5e } + $sequence_9 = { e8???????? 8d4dc4 c745c802000000 e8???????? 84c0 753f } + $sequence_10 = { 75e6 c6460401 830eff 2b34bd20174800 c1fe06 8bc7 } + $sequence_11 = { 59 8b83ac000000 be00280000 33ff } + $sequence_12 = { 50 898d24efffff ffd7 8bf0 } + $sequence_13 = { 33ff 8d742414 e8???????? 833d????????01 7507 e8???????? } + $sequence_14 = { 0f95c0 e8???????? c20800 b8???????? c3 } + $sequence_15 = { 8b4508 897708 83781c00 7510 } condition: 7 of them and filesize < 4599808 
@@ -129738,49 +130482,49 @@ rule MALPEDIA_Win_Dadjoke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea7282f2-8a4c-5601-bbd1-b76f58e52bc1" - date = "2026-01-05" - modified = "2026-01-06" + id = "e70c26e7-ab23-539f-9446-f64c119c6dd4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dadjoke_auto.yar#L1-L228" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dadjoke_auto.yar#L1-L231" license_url = "N/A" - logic_hash = "9c73a5622c3f32fd5cf8900e0843a3bbc9bcae66e0aa7ecc5e1cf55e72cc18b5" + logic_hash = "52eb13df90c67913476e398c58754b4e8e0394f30601d8e379450da51f4622c9" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 56 57 6800081000 6a00 } - $sequence_1 = { 52 8b4508 0528020000 50 8b0d???????? } - $sequence_2 = { 83ec40 56 57 8d45e0 50 e8???????? } - $sequence_3 = { 8b45e8 50 e8???????? 83c404 898578ffffff } - $sequence_4 = { e8???????? 
83c408 8945f8 8b4d08 8b5110 52 8b45f8 } - $sequence_5 = { 8845f4 8345d801 807df400 75ee 8b4dd8 } - $sequence_6 = { 8b4df4 8dbc0d2cffffff b910000000 8d75ac f3a5 8b55f4 83c240 } - $sequence_7 = { 83c414 8b4df4 64890d00000000 8be5 5d c20800 } + $sequence_1 = { 894808 8b95ecfeffff 89500c 8b8df0feffff 894810 c745e814000000 } + $sequence_2 = { 83c201 8955cc 8b45f8 8a08 } + $sequence_3 = { b941000000 f3a5 8b4dfc 81c104010000 894dfc 8b5508 } + $sequence_4 = { 8b55ac 895584 894d80 a1???????? 83c0ff 8945c8 } + $sequence_5 = { e8???????? 8945e8 837de8ff 7533 c645f300 } + $sequence_6 = { 8b0d???????? 51 e8???????? 83c414 eb1e } + $sequence_7 = { 6a00 ff15???????? e9???????? 8b4dd4 51 ff15???????? 8be5 } $sequence_8 = { 33c9 84c0 0f94c1 8bc1 c3 a1???????? } - $sequence_9 = { 5e c3 8bff 55 8bec 83ec10 33c0 } - $sequence_10 = { e8???????? c3 6a04 e8???????? 59 c3 6a0c } - $sequence_11 = { ff15???????? 85c0 7417 b920000000 } - $sequence_12 = { 5d c3 6a04 8d458c c7458c80330000 50 } - $sequence_13 = { 84c0 75ef b82f000000 8d55f4 } - $sequence_14 = { 6a07 6a00 ff15???????? 85c0 0f881f010000 } - $sequence_15 = { 83fe04 7ce7 8d45f4 c645f800 } - $sequence_16 = { 7508 807e015a 7502 ffd6 6800400000 } - $sequence_17 = { 8b1d???????? 51 e8???????? 8bf0 83c404 85f6 } - $sequence_18 = { 0f85b5000000 50 ff15???????? 8d85e4faffff 50 } - $sequence_19 = { d9c9 d9f1 833d????????00 0f85cc140000 } - $sequence_20 = { 6804010000 85c0 57 6a00 } - $sequence_21 = { 55 8bec 8b4d0c 85c9 7454 8b5508 8b4514 } - $sequence_22 = { 83e908 8d7608 660fd60f 8d7f08 8b048db47c7300 ffe0 } + $sequence_9 = { 6a02 ff15???????? 85c0 7417 } + $sequence_10 = { 5e c3 8bff 55 8bec 83ec10 33c0 } + $sequence_11 = { e8???????? c3 6a04 e8???????? 59 c3 6a0c } + $sequence_12 = { 50 e8???????? 83c404 bf3e000000 } + $sequence_13 = { e8???????? 5e 5d c3 e8???????? 85c0 0f84d5480000 } + $sequence_14 = { 8d85f8feffff 68???????? 50 e8???????? 6804010000 } + $sequence_15 = { 85c0 0f85b5000000 50 ff15???????? 8d85e4faffff 50 68???????? 
} + $sequence_16 = { 741d 8d4588 50 6800100000 8d041e 50 } + $sequence_17 = { ff5108 8b3d???????? 8b1d???????? 51 e8???????? } + $sequence_18 = { 740d 803e4d 7508 807e015a } + $sequence_19 = { 6800400000 6800004000 56 ffd7 } + $sequence_20 = { 0f8241ffffff 68???????? e8???????? 8b75fc 83c404 } + $sequence_21 = { 00f8 e401 00ec e401 00dc e401 00ca } + $sequence_22 = { 33f6 8b45e4 83f810 720d 40 8d4dd0 50 } condition: 7 of them and filesize < 344064 
@@ -129790,36 +130534,36 @@ rule MALPEDIA_Win_Pinchduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6e399a5-546d-5d19-a886-28527d9b5a32" - date = "2026-01-05" - modified = "2026-01-06" + id = "c48e5224-03d5-5f12-97a7-477d432fc035" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pinchduke_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pinchduke_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "e4ca655f5577580240493398d3de5b1f8ec351f42cf4a56b66853235bb7ac675" + logic_hash = "9518739146fc8fd6107c1d91ab25bd13480289cf62905fcb0a46441c7752268e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c 83c610 4f 75c3 e9???????? 8d45f0 50 } - $sequence_1 = { c6400274 e8???????? 56 e8???????? 59 59 89442414 } - $sequence_2 = { e8???????? 59 59 8d8df8fdffff 3bc1 7545 } - $sequence_3 = { c685f7fbffff00 e8???????? 8d85f4fbffff 50 e8???????? 83c414 84c0 } - $sequence_4 = { 68???????? 50 e8???????? 3bc7 59 59 740f } - $sequence_5 = { 334dcc 8d943a9979825a 8b7df4 d1c1 8955f0 c1c205 337df8 } - $sequence_6 = { c9 c3 833d????????00 752f 833d????????00 } - $sequence_7 = { 898618040000 6a08 50 ff15???????? 
898608010000 5f 8bc6 } - $sequence_8 = { 03f9 037df0 8908 8b4824 334804 8975fc 334838 } - $sequence_9 = { 53 e8???????? 59 85ff 7472 c60700 e9???????? } + $sequence_0 = { 6801000080 ff15???????? 85c0 7575 53 56 57 } + $sequence_1 = { 50 c685c8f8ffff00 e8???????? ff750c ff7508 e8???????? 83c444 } + $sequence_2 = { 803800 8bc8 7416 41 803900 75fa eb0a } + $sequence_3 = { 8b4530 0faf4534 c1e80a 0faf452c c1e80a 50 } + $sequence_4 = { 50 c6400561 e8???????? 59 6a32 ffd6 6a32 } + $sequence_5 = { 50 7513 e8???????? 8b4d0c 8d45eb 50 e8???????? } + $sequence_6 = { 85db 7e07 0fbe4c0201 eb03 33c9 41 8b75f8 } + $sequence_7 = { 8d450c 53 50 e8???????? 83c40c ff7510 ff7514 } + $sequence_8 = { 334824 c1c605 334838 c1ca02 d1c1 8db437d6c162ca 8b7df8 } + $sequence_9 = { 8d450c 83ec10 8bcc 50 e8???????? 8d45e3 } condition: 7 of them and filesize < 223680 
@@ -129829,42 +130573,42 @@ rule MALPEDIA_Win_Jessiecontea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ed5d981c-49e8-5f40-808b-1f7fc2ae5113" - date = "2026-01-05" - modified = "2026-01-06" + id = "9d64ca7e-a0bd-52a7-a577-888415a044a2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jessiecontea_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jessiecontea_auto.yar#L1-L158" license_url = "N/A" - logic_hash = "f376a26e7b2528bac10debe17ecc06d45573d24dcd0617a6c31e158d3d59f89a" + logic_hash = "cd5290a2f328f5ae54af9983eccd2c6f7265487a9f01ecabfc45226fcef81bba" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85a8f9ffff 50 8d85f8fbffff 50 ff15???????? } - $sequence_1 = { 8b7d18 8945c0 8b4510 8945c4 8b451c } - $sequence_2 = { 660fdbe3 660fdfc8 660febe1 3bd6 0f826effffff 660ffee5 0f28c4 } - $sequence_3 = { e8???????? 83c418 c7857cf0ffffffffff7f c78580f0ffffffffff7f b8ea650000 c7858cf0ffff00000000 } - $sequence_4 = { 50 51 8d8df8f7ffff e8???????? 8d85f8f7ffff 6a5c 50 } - $sequence_5 = { 745b 8b35???????? 57 ffd6 3d04010000 7d4b } - $sequence_6 = { 83c404 85f6 7425 8bbd7cf4ffff 68???????? 
} - $sequence_7 = { 7f0a 8bb5f0b7ffff 3bfe 7293 } - $sequence_8 = { 452be5 488d152b6bfeff 4489642440 0f8574fcffff } - $sequence_9 = { 6603c1 0fb70d???????? 0fb7c0 33c8 66898dde000000 } - $sequence_10 = { 83c008 668945d8 0fb705???????? 83c008 668945da } - $sequence_11 = { 6683c00c 0fb7c8 8b05???????? 33c1 6689459c 8b4580 } - $sequence_12 = { 4889542440 488bfa be01000000 ff15???????? } - $sequence_13 = { 4889442430 488d4e10 4889442428 4c8bcb } - $sequence_14 = { 4533c9 4889742420 4c8d85d0040000 488bcf 488d95e0050000 } - $sequence_15 = { 817c2440949dd460 7489 33c0 4c8ba424880b0000 488b9c24800b0000 } + $sequence_0 = { 6a00 50 e8???????? 83c424 56 6a00 6810040000 } + $sequence_1 = { bb01000000 57 8bfa 898d84fbffff 57 } + $sequence_2 = { 57 89bd8cfbffff 898590fbffff ffd6 } + $sequence_3 = { 50 ff15???????? 8d85d8fbffff 8bd7 } + $sequence_4 = { b900010000 8db5f8f3ffff 8dbdf8fbffff f3a5 } + $sequence_5 = { 83c420 85c0 0f843effffff 68???????? } + $sequence_6 = { 83c261 668956fe 66833e00 75e8 } + $sequence_7 = { 50 e8???????? 83c40c 8d85f8fbffff 50 6804010000 } + $sequence_8 = { 488b4de8 ff15???????? 488b4de0 33d2 ff15???????? } + $sequence_9 = { 6690 8d4701 4c8d0c40 8bc7 } + $sequence_10 = { 4533c9 4533c0 c744242003000000 ba00000040 ff15???????? 4533c9 } + $sequence_11 = { 0f284c2460 0f114020 0f28442470 0f114830 } + $sequence_12 = { 4881c4a0120000 5f 5e 5d c3 } + $sequence_13 = { ff15???????? 488b0d???????? 4c8d442440 41b904000000 c744244020bf0200 } + $sequence_14 = { 4c89bc24d0120000 448b7c2470 c744242004000000 c7442450959dd460 f20f1145e0 } + $sequence_15 = { 488d82f9ffff7f 4885c0 7417 410fb70408 } condition: 7 of them and filesize < 413696 
@@ -129874,36 +130618,36 @@ rule MALPEDIA_Win_Pandora_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03d00108-515b-5000-bfce-e0864b2e89ce" - date = "2026-01-05" - modified = "2026-01-06" + id = "5a478b86-c7f1-5694-81de-5a436000636f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pandora_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pandora_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "a88747b8869f7f515751ff70f3553c380e5110ab9369144ac753a62c000a1cae" + logic_hash = "21801a2a1f3115a215f9cf41d0c458a01baea44d2832950deffa844619bd2ff7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41ffc7 83f81e 0f8f88030000 4885ff 7418 488d47ff 498d04c6 } - $sequence_1 = { 7424 838da400000010 448d4710 4c8b0d???????? 488d4c2430 33d2 41ffd1 } - $sequence_2 = { 48897c2418 4156 4883ec20 33ff 4533f6 4863df 488d0d88040300 } - $sequence_3 = { 415e c3 48895c2408 4889742410 57 4883ec20 4c8b5108 } - $sequence_4 = { 4c8d45b0 488d55c8 e8???????? 8bd8 85c0 7524 f7de } - $sequence_5 = { 8bcf 44335014 c1e918 0fb6d1 8bce } - $sequence_6 = { 498b06 4885c0 0f8432020000 8b4008 ffc8 83f806 0f8724020000 } - $sequence_7 = { 488b05???????? 
33d2 498bcc ffd0 4c8b642460 4c8b742448 488b7c2440 } - $sequence_8 = { 0bc8 0fb64238 c1e108 0bc8 0fb6423e 440bd0 894c2440 } - $sequence_9 = { 4503d3 418bc6 23c6 41c1c60a 0bf8 4181c34efd53a9 81c7e9766d7a } + $sequence_0 = { 488bc8 4c8975d0 4c03e7 4889442458 e8???????? 85c0 0f840e040000 } + $sequence_1 = { f30f7f0b 4883c310 4883c510 4883ef10 0f1136 4983ef10 0f8577ffffff } + $sequence_2 = { b940000000 418bc0 83e03f 2bc8 48d3cf 488d0d6683fcff 4933f8 } + $sequence_3 = { c3 bad8000000 b901000000 e8???????? 48894308 4885c0 748a } + $sequence_4 = { 4885c0 0f84fa000000 488b4910 4885c9 0f84ed000000 48897c2470 0fb6780d } + $sequence_5 = { 418bd2 448b64242c 4533ec d1c0 89442424 418bc0 } + $sequence_6 = { 498d4e30 e8???????? 8bd8 4c8ba424e0000000 4c8bbc24e8000000 488d4dd7 e8???????? } + $sequence_7 = { ffc1 894d60 83f80a 0f8f2a030000 8bf2 8bc6 ffc6 } + $sequence_8 = { 488d6c24e0 4881ec20010000 4533ff c744242801000000 44393d???????? 488d3d17340600 0f57c0 } + $sequence_9 = { 0f8580000000 41be80b2ffff 4c8bbc2498000000 483bafe8000000 488bf3 4c8b6c2458 480f45f5 } condition: 7 of them and filesize < 1032192 @@ -129914,10 +130658,10 @@ rule MALPEDIA_Win_Boxcaon_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "a730ae2b-b623-5088-86a7-4d1a4eb89ea5" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boxcaon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.boxcaon_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.boxcaon_auto.yar#L1-L120" license_url = "N/A" logic_hash = "5b71da83cc61472fd3b6239fea0178674ab4b3cf9a9678dbeeda07cdd88e683a" score = 75 
@@ -129926,9 +130670,9 @@ rule MALPEDIA_Win_Boxcaon_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -129952,36 +130696,36 @@ rule MALPEDIA_Win_Nozelesn_Decryptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d81a4891-2ccb-5a37-a1c9-3cb6dc4ddf54" - date = "2026-01-05" - modified = "2026-01-06" + id = "8cd10556-b324-52b7-8cdd-e1b3f5dbdf6c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nozelesn_decryptor_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nozelesn_decryptor_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "df00466a0b451868376ca8f8e40a817d0c669175deb69c467a31b881c85a7c54" + logic_hash = "54bd15efad95c79510799a7ab6954cc5d821f04b1e2f05690ce0540510110b5c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1c20d 33f0 8bca 33f2 c1e103 33c8 d1c6 } - $sequence_1 = { 8bff 55 8bec 8b4d08 33c0 3b0cc5a8574600 7427 } - $sequence_2 = { 80f939 7510 c60630 8b8578ffffff 4e 3bf0 75e0 } - $sequence_3 = { 0f8742010000 eb14 8b7d80 83c002 8b75b4 8b8d7cffffff e9???????? 
} - $sequence_4 = { 8b450c 8b5508 8bca c745e800000000 c745ec0f000000 8b38 } - $sequence_5 = { 53 8b5d10 56 57 8bf9 33f6 8b07 } - $sequence_6 = { 89bd78ffffff 47 897d8c 813900ca9a3b 88559f 0f95c0 895588 } - $sequence_7 = { 8bfb 335df8 f7d7 8b4df8 0bd8 f7d1 } - $sequence_8 = { c745e428664200 eb08 8d4dd8 e8???????? 837e1808 } - $sequence_9 = { 837de800 894da0 894d90 7653 8b03 8d4dc0 51 } + $sequence_0 = { cc 6a08 ff7120 e8???????? 59 59 } + $sequence_1 = { 23df 50 33da 8d45fc 315df4 33d2 50 } + $sequence_2 = { 83c40c 85c0 7447 68???????? 68???????? 68???????? e8???????? } + $sequence_3 = { 50 6a15 5a 8bcf e8???????? 8b4df0 } + $sequence_4 = { 8b5df0 33c1 8945e8 33da 8bc2 894df8 0b45e8 } + $sequence_5 = { 8bd6 c1fa06 8bce 83e13f 6bc930 8b049568ff4700 c644082801 } + $sequence_6 = { 51 8d4dd4 e8???????? 0fb74602 83c602 8b55e8 8bf8 } + $sequence_7 = { 018100010000 5f 5e 5b 8be5 5d } + $sequence_8 = { 8b45e8 33d7 0bc6 8bca 334df4 33cb 33c1 } + $sequence_9 = { 50 894d10 e8???????? 8d4320 c645fc03 } condition: 7 of them and filesize < 1122304 
@@ -129991,36 +130735,36 @@ rule MALPEDIA_Win_Shareip_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9f46ee27-fcc3-5b26-9e77-331cb46925ef" - date = "2026-01-05" - modified = "2026-01-06" + id = "db6f1ae6-bc9f-5a8f-bc94-5a2883881ae0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shareip_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shareip_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "b24d153dc5c903a6f61d1f00b3b16ac72a620a7bd569254dc7e2236cbdbfd920" + logic_hash = "cd31b56b5ca1b13f310e89bd6ddcf782ea5731d52a4e8ef1542320d852089b36" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b02 8d8c2414010000 ffd0 83bc243001000000 7425 83bc242401000000 7412 } - $sequence_1 = { 56 894c2438 33d2 50 8d4c2440 895c2458 89742454 } - $sequence_2 = { 83f8ff 7566 be10000000 39742444 720d 8b542430 52 } - $sequence_3 = { 8b7e10 8bcf 2b4d10 b867666666 f7e9 c1fa03 8bc2 } - $sequence_4 = { 8b542468 89542424 eb08 8d442468 89442424 39b424ec000000 720d } - $sequence_5 = { 8bc2 c1e81f 03c2 83f803 0f8557feffff 8d78ff 8d742414 } - $sequence_6 = { 50 8d4c2420 51 8d5f20 c744243803000000 89542448 e8???????? 
} - $sequence_7 = { 8d442408 8da42400000000 8a10 3a11 751a 84d2 } - $sequence_8 = { 8b01 8d7001 8a10 40 84d2 75f9 2bc6 } - $sequence_9 = { 8bce bb03000000 e8???????? eb02 33c0 c78424b000000002000000 8907 } + $sequence_0 = { e8???????? 8b0f 8b06 8bd3 c1ea10 88540801 8b0f } + $sequence_1 = { 895c242c 89742414 885c2418 895c2420 895c241c } + $sequence_2 = { e8???????? 53 e8???????? 83c404 83bc24d400000000 7412 8b8424c4000000 } + $sequence_3 = { 8d8424fc000000 50 8bce c684248c01000002 e8???????? 85c0 7443 } + $sequence_4 = { 83c404 33c0 8b8c249c010000 64890d00000000 59 5f 5e } + $sequence_5 = { 56 8b7030 0fb7760c 8931 8b4830 0fb6702c 0fb7490e } + $sequence_6 = { 7463 8d842454010000 e8???????? 83bc24c000000008 7210 8b9424ac000000 52 } + $sequence_7 = { 83c408 85c0 750a 5f 5b c6461001 32c0 } + $sequence_8 = { 59 47 83ff05 7ee1 56 53 e8???????? } + $sequence_9 = { e8???????? 8b442424 8b7c2420 8d4c2424 51 8d542414 83c740 } condition: 7 of them and filesize < 811008 
@@ -130030,42 +130774,42 @@ rule MALPEDIA_Win_Systembc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9f869723-6075-5b32-a402-475b08d3e463" - date = "2026-01-05" - modified = "2026-01-06" + id = "be08117d-8246-530f-9d5f-cd6143f1e35f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.systembc_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.systembc_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "9ee9f5ea5ece65bf2a7fd4bf4633a524cd0ca65ce3683cb8ae8b66a7bc9315ba" + logic_hash = "a9818f1f55e16b84edae3af4f5f9f1c3955cbf2e948518d2fcc753adba968256" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b000 ae 75fd 8a57fe } - $sequence_1 = { 8b7d0c 8b4d10 f3a4 5e } - $sequence_2 = { 33c0 ab 837d0c00 7403 ff47fc } - $sequence_3 = { e8???????? 8d5804 6a18 e8???????? 83c061 aa } - $sequence_4 = { 57 56 ff7508 e8???????? 
8bd0 } - $sequence_5 = { 66837aff00 7502 eb2e 837d0cff 7518 837d1000 } - $sequence_6 = { c7049e00000000 b800000000 5e 5f 5b } - $sequence_7 = { 8b4514 ab 8b4518 ab b801000000 } - $sequence_8 = { 6a01 6a00 8b85bcfbffff 8b08 8b5118 50 } - $sequence_9 = { c68573ffffff05 c68574ffffff01 c68575ffffff00 c68576ffffff01 48c78510ffffff01000000 } - $sequence_10 = { 4883c420 66c7474e0100 c6475101 c6477b00 4883ec40 } - $sequence_11 = { 0f858e010000 4883ec20 48c7c100000000 48c7c200000100 } - $sequence_12 = { 49c7c0faff0000 49c7c100000000 ff15???????? 4883c420 } - $sequence_13 = { e8???????? 4883c420 4883ec20 488d8e88010000 488d55b0 } - $sequence_14 = { 4c8d474e 49c7c132000000 e8???????? 4883c420 488b4598 4883c01c 4883ec20 } - $sequence_15 = { 488b8d48f9ffff 498d1438 4c8bc0 49c7c100000000 } + $sequence_0 = { b000 ae 75fd 8a57fe 80fa39 } + $sequence_1 = { e8???????? 8b450c 8945e4 c745e801000000 c745ec06000000 8d45dc } + $sequence_2 = { 53 57 56 8b7d10 33c0 ab } + $sequence_3 = { ff7518 6a00 6a00 ff75fc e8???????? 6a00 } + $sequence_4 = { 803f00 740b 837d1000 7407 } + $sequence_5 = { 7403 ff47fc 8b4508 ab 8b450c } + $sequence_6 = { 8b45f8 8b08 8b91a8000000 50 ffd2 8d85f4fbffff } + $sequence_7 = { 6a10 68???????? e8???????? 8d85bcfbffff } + $sequence_8 = { 66837aff00 7502 eb2e 837d0cff } + $sequence_9 = { 89848dbcfbffff 482d04040404 48ffc9 75ee 4833c0 488b7d10 4833db } + $sequence_10 = { ff15???????? 4883c420 e9???????? 66c78560ffffff0200 807e0703 7553 480fb65e08 } + $sequence_11 = { e8???????? 4883c420 4883ec20 488d8e90010000 488d55a0 } + $sequence_12 = { 488b7520 488b7d10 488b4d28 4833db } + $sequence_13 = { 4883ec20 488b4d98 488d9560ffffff 49c7c010000000 ff15???????? 4883c420 } + $sequence_14 = { c68575ffffff00 c68576ffffff01 48c78510ffffff01000000 4883ec20 488b4d98 } + $sequence_15 = { 83f900 7fe4 4883bdb8fbffff01 0f84cf000000 48b8fcfdfeff00000000 48c7c140000000 89848dbcfbffff } condition: 7 of them and filesize < 75776 
@@ -130075,36 +130819,36 @@ rule MALPEDIA_Win_Darkvision_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1a6f6701-70b7-5c48-928b-485642438bd0" - date = "2026-01-05" - modified = "2026-01-06" + id = "d8f88a61-3b53-5e7f-a245-28c27259198d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvision_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkvision_rat_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkvision_rat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "ea735f4eeed059962dba8005baff4c34c6d0e6dbba61d43d1f0324dec9b20b8d" + logic_hash = "8ccc68ca17af1f5ed3d9e6c6f99e00360018c95702d9b72c49381c60586654b0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb0a 8b44243c ffc0 8944243c 837c243c64 } - $sequence_1 = { 85c0 7523 488d15da6b0300 488b8c2460030000 ff15???????? 488b8c2460030000 ff15???????? } - $sequence_2 = { ff15???????? 488b8c2468030000 ff15???????? 41b838000000 33d2 488d8c2428030000 e8???????? } - $sequence_3 = { 488d0d9efe0100 48837c010800 7432 4863442424 4869c0040b0000 488d0d83fe0100 66ba6600 } - $sequence_4 = { 741d 488b4c2438 ff15???????? 488b4c2430 ff15???????? 33c0 } - $sequence_5 = { 4c8d0505910100 baff7f0000 488b4c2440 ff15???????? 
4c8d0deaf40200 4c8d05ff900100 baff7f0000 } - $sequence_6 = { baffffffff 488b4c0110 ff15???????? 4863442424 486bc028 488d0d71550200 48837c010800 } - $sequence_7 = { ff15???????? 4885c0 0f847a010000 488bc8 ff15???????? 488d15e0620000 488bce } - $sequence_8 = { 488b4c2430 4803c8 488bc1 4889442470 c744247c00000000 eb0a } - $sequence_9 = { ba7c040000 b940000000 ff15???????? 4889442428 48837c242800 0f8477020000 4c8b442428 } + $sequence_0 = { 89842408040000 83bc240804000004 7d1f 4863842408040000 488b94c4e8030000 488b8c24e0030000 e8???????? } + $sequence_1 = { 837c242000 7426 448b442420 33d2 b901001000 ff15???????? 4889442428 } + $sequence_2 = { 48638c2420010000 486bc91c 48837c081800 7464 4863842408010000 4869c0040b0000 } + $sequence_3 = { 4889442460 c784249801000000000000 eb10 8b842498010000 ffc0 89842498010000 } + $sequence_4 = { 488d840108010000 4889842498020000 c78424f402000000000000 eb10 8b8424f4020000 ffc0 898424f4020000 } + $sequence_5 = { 8b8c24ac000000 03c8 8bc1 898424ac000000 48638424a8000000 488b8c2430010000 4803c8 } + $sequence_6 = { 488d9424f0000000 48c7c101000080 ff15???????? bafeff0000 b940000000 ff15???????? 48898424e8000000 } + $sequence_7 = { 48c784246002000000000000 b9e8030000 ff15???????? 833d????????01 0f85ba000000 4883bc247802000000 0f85ab000000 } + $sequence_8 = { 8b440124 8984249c010000 c78424a401000000000000 8b84249c010000 2500000004 85c0 7412 } + $sequence_9 = { 4889442460 488b442460 4863403c 488b4c2460 4803c8 488bc1 4889442420 } condition: 7 of them and filesize < 618496 
@@ -130114,35 +130858,35 @@ rule MALPEDIA_Win_Diceloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e4ad2ec4-b137-51c9-b85d-da5f37acfb45" - date = "2026-01-05" - modified = "2026-01-06" + id = "c4aad231-ea2c-5210-bb63-f8760172bc48" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.diceloader_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.diceloader_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "1be6b9044c29cb995b59a77fc46c72f3850615efa951d1383ccf2030df818a85" + logic_hash = "f3e938dbdd00e83350232d468e3eda846f6a381118852c4e5af93b10405702f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bcb e8???????? 4c634518 488d4c2420 4c03c3 41ffd0 } - $sequence_1 = { ff15???????? 488bd7 488d0d14260000 e8???????? } - $sequence_2 = { 8b5710 4c8d054f250000 488b4f08 41b91f000000 e8???????? } - $sequence_3 = { 448b07 488d1569000000 8b5f04 488d0d4b1e0000 e8???????? 4885c0 7413 } - $sequence_4 = { 0fb6c2 8a13 48c1e804 488b44c430 488941f8 } + $sequence_0 = { ffc6 f73d???????? 4863ea 488bc5 48c1e004 480305???????? 3b35???????? 
} + $sequence_1 = { 490f45c4 4c8be0 4d85c9 740f } + $sequence_2 = { eb47 4c897c2428 4c8d0591000000 4533c9 44897c2420 33d2 33c9 } + $sequence_3 = { 0f8416010000 83fa01 7463 448bc6 488d157a010000 488d0d8f1f0000 e8???????? } + $sequence_4 = { f6c20f 7435 488d4808 0fb6c2 488d5b03 83e00f 4403c7 } $sequence_5 = { ff15???????? 488b1e 4885db 7420 488b1b 498bd6 } - $sequence_6 = { 440f4fe8 48035d48 418bd5 488d4b30 e8???????? 418bd5 8945e0 } - $sequence_7 = { 488dac2450faffff 4881ecb0060000 4c8d3d7b250000 c705????????00000000 } - $sequence_8 = { 448b541620 8b5c1624 4c03d2 4803da 4533c9 458d7901 458b02 } + $sequence_6 = { e8???????? 488d15752a0000 488bf8 488d4801 c60001 ff15???????? 66895f11 } + $sequence_7 = { 4889442434 89742420 4c897c243c 4489742444 ff15???????? } + $sequence_8 = { e8???????? 498bd5 488d0dea1f0000 e8???????? } $sequence_9 = { 488bda 448bc1 488d1561ffffff 488d0d761d0000 e8???????? } condition: 
@@ -130153,36 +130897,36 @@ rule MALPEDIA_Win_Toughprogress_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f7aead55-8a03-5bbf-af11-1841c77b5719" - date = "2026-01-05" - modified = "2026-01-06" + id = "479b9480-8efa-5049-b86e-7e3e91762757" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.toughprogress" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.toughprogress_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.toughprogress_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "639d2f4f2de7d57a54ced0a82f1a1b4924ec9dac72884175b29f7cbb63a0d4bc" + logic_hash = "406a3832e729608f1528f3996a58b544fb6c497823fa857be31a03a868c4a293" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48b93448af150d8462e4 4801c8 4c89e1 ffd0 488b05???????? 48b93b8ce2c7a3ecddc7 488b0408 } - $sequence_1 = { ffd7 0f104508 0f104d18 0f105524 410f1154244c 410f114c2440 410f11442430 } - $sequence_2 = { 48b93f5d14dd8256b94f 488b0408 4c01e8 4c89f9 4889fa 4189e8 ffd0 } - $sequence_3 = { ffd0 898688000000 488d8e8c000000 488b05???????? 
48bab6b1569bc6a2bb92 48033c10 ffd7 } - $sequence_4 = { bd05000000 8d42cf 49bee5819fecd253eebe 83f809 0f8364020000 49bfdd819fecd253eebe 0f1f440000 } - $sequence_5 = { 4989d3 4983e307 7420 4531d2 6690 420fbe3c11 66418938 } - $sequence_6 = { 56 4883ec20 4889ce 488b05???????? 48b90d1dc3fe89299d3f 48ba098af7fc2873d775 48031408 } - $sequence_7 = { 884101 440fb64202 4489c0 34e2 4420c0 4189c1 4180e1fa } - $sequence_8 = { 84c0 0f85b2030000 488b07 4c8b36 0fb64f08 baffffffff 41baffffffff } - $sequence_9 = { 4d89c6 4889d6 488b05???????? 49b89bc488db85ad3022 48baadb54d2cbea5f70f 4a8b0400 4801d0 } + $sequence_0 = { f00fc101 83f801 7512 488d053e820600 483bc8 7406 e8???????? } + $sequence_1 = { 53 4189d0 4180e007 c1ea03 440fb60c11 4489c8 f7d0 } + $sequence_2 = { ffd0 488b4df8 488b15???????? 4c8b0c32 4d01e9 4889c2 4989d8 } + $sequence_3 = { 48bb136f553659972b06 488b0408 4801d8 4889d1 ffd0 488b05???????? 48b9ef6e1e2c733fced7 } + $sequence_4 = { 48bf6f0c78c0a7583d67 488b0408 4801f8 4889d1 ffd0 0fb700 668906 } + $sequence_5 = { 794a 0fb65678 488b05???????? 48b93faa3d93bf1e803d 488b0408 4c01c8 4889f1 } + $sequence_6 = { 666666662e0f1f840000000000 4c89c8 49f7e2 48d1ea 4883e2f8 488d0452 4b8d1408 } + $sequence_7 = { 4c894708 894718 410fb608 83e10f 4a0fbe841110361000 428a8c1120361000 4c2bc0 } + $sequence_8 = { 488d0dd0dc0e00 ffd0 48bbab8be2c7a3ecddc7 48031d???????? 488b05???????? 48b950bd9f47f0766383 49bf5b1d11895113db65 } + $sequence_9 = { 85c0 0f95c1 48c1e104 48030d???????? 48b8e701c589e09907ad 48bf3c3732457de63ecb 488b0408 } condition: 7 of them and filesize < 3117056 
@@ -130192,36 +130936,36 @@ rule MALPEDIA_Win_Gcleaner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db79045a-62be-5422-a484-4f1494402bb2" - date = "2026-01-05" - modified = "2026-01-06" + id = "c3822f02-0892-5d2a-98c8-4d206ba71569" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gcleaner_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gcleaner_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "87e8c0680ea583ebecdec70190c315f1a40f9206262d6c132334f2c61dd046c1" + logic_hash = "9ae9f77597fc976b82df803a390c8f3c52d9cc90030b10ce00399af10c6d32b5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 6a04 8d85f0feffff 50 56 ff15???????? 85c0 } - $sequence_1 = { 5e c9 c3 53 ff7518 } - $sequence_2 = { 8035????????2e 8035????????2e 8035????????2e 8035????????2e 8035????????2e } - $sequence_3 = { 8bf8 83c40c 83ffff 743b 3bf7 } - $sequence_4 = { 57 8bd0 c645fc03 8d4dc0 } - $sequence_5 = { 7505 c60600 ebe9 837d1000 7518 } - $sequence_6 = { 8bd0 c645fc02 8d4da8 e8???????? 57 8bd0 } - $sequence_7 = { 8bd0 c645fc04 8d4dd8 e8???????? 83c410 8d4dc0 } - $sequence_8 = { 50 660fd685f8feffff e8???????? 83c40c 56 } - $sequence_9 = { ebe9 837d1000 7518 c60600 e8???????? 
} + $sequence_0 = { c60600 ebe9 837d1000 7518 c60600 } + $sequence_1 = { 50 6a04 8d85f0feffff 50 56 } + $sequence_2 = { 8d4dd8 e8???????? 83c410 8d4dc0 e8???????? } + $sequence_3 = { 51 6a00 6a00 ffd3 8bcf } + $sequence_4 = { 8bd0 c645fc04 8d4dd8 e8???????? 83c410 8d4dc0 } + $sequence_5 = { 6804010000 8d85f8feffff 50 ffb5f0feffff 56 ff15???????? 56 } + $sequence_6 = { 56 6a2f 53 e8???????? 8bf8 } + $sequence_7 = { 89b5f4feffff ff15???????? 8bf8 85ff 741c 6804010000 8d85f8feffff } + $sequence_8 = { 89b5f4feffff ff15???????? 8bf8 85ff } + $sequence_9 = { 8d85f4feffff 50 6a04 8d85f0feffff 50 56 ff15???????? } condition: 7 of them and filesize < 540672 
@@ -130231,36 +130975,36 @@ rule MALPEDIA_Win_Collectorgoomba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "030c7bf4-8b0d-51f1-a0c7-6787c27c5097" - date = "2026-01-05" - modified = "2026-01-06" + id = "a73568dd-8012-5e0b-a790-5693fa8892f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.collectorgoomba_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.collectorgoomba_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "da75c37e8b44a581ccdac242b61ed90697e0dec4be3fbb969cde47a5043e7eae" + logic_hash = "ccc70aa25566d885a18e0254684b925e4ba02133fe0b1ae9e16d93c2cdf4aeec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff30 ff7508 e8???????? 59 59 898504ffffff 6af7 } - $sequence_1 = { 8b45f4 c1e803 8b4d08 8b4954 0fb60401 8b4df4 83e107 } - $sequence_2 = { ff75fc e8???????? 83c410 ff75c8 ff7588 6a7a ff75fc } - $sequence_3 = { ff702c ff7508 e8???????? 83c40c ff75f4 6a24 ff75fc } - $sequence_4 = { ff750c ff75e8 ff75e4 e8???????? 83c414 8b4df4 64890d00000000 } - $sequence_5 = { ff15???????? 59 8b4514 83e002 7421 ff7518 8b4514 } - $sequence_6 = { ffb594feffff ffb590feffff e8???????? 83c40c c645fc23 8d8d54fcffff e8???????? } - $sequence_7 = { ff75f8 e8???????? 
83c418 33c0 40 e9???????? 8b450c } - $sequence_8 = { ffb558ffffff ffb554ffffff 8b4508 ff30 e8???????? 83c418 8945d0 } - $sequence_9 = { ffb518ffffff 8d8500fdffff 50 e8???????? 83c40c 898514ffffff 8b8514ffffff } + $sequence_0 = { ff75f8 8b4508 ff7050 6a00 ff7508 e8???????? 83c410 } + $sequence_1 = { ff5590 83c40c 8b4508 8b4010 c1e810 25ff000000 8845f4 } + $sequence_2 = { f7d8 8b4dfc 894114 eb31 8b45fc c6401c00 8b45fc } + $sequence_3 = { ff750c ff75f8 e8???????? 59 59 50 8b45fc } + $sequence_4 = { ff7598 ff750c ff7508 e8???????? 83c40c 6b451028 8b4d0c } + $sequence_5 = { ff75f0 e8???????? 59 8945d8 837de410 7246 8b45fc } + $sequence_6 = { 8b45f0 8b4dfc 8d44c108 50 ff15???????? 83c40c 8b450c } + $sequence_7 = { c705????????080d0a0a c705????????03020a06 c705????????030b0208 833d????????00 740a c705????????000f0903 c705????????08000a07 } + $sequence_8 = { ff15???????? 59 85c0 7402 ebe2 8b4508 0345fc } + $sequence_9 = { ffb57cffffff 68???????? ff75f4 e8???????? 83c414 8945a4 eb04 } condition: 7 of them and filesize < 1400832 
@@ -130270,36 +131014,36 @@ rule MALPEDIA_Win_Fonix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "830a78fe-5e83-5a5d-85e3-7068b4a16c64" - date = "2026-01-05" - modified = "2026-01-06" + id = "4900a49c-53ff-58e3-8741-0a01bd599c10" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fonix_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fonix_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "f38caf2a92a21c38ad3b20bd93c5f2960092d1cc56de1072c080f008b7483511" + logic_hash = "553cbdbcbcd711010287bdf9f31e679e2d986459fdb32dc6d12479a4feccc0a4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a801 8b04d560b74900 8b14d564b74900 7506 83c002 83ea02 5d } - $sequence_1 = { 59 59 8b471c 89461c 8bc6 5f } - $sequence_2 = { c645fc18 8d4dc4 8bd0 c70424???????? e8???????? 59 8d8d44fcffff } - $sequence_3 = { 8b16 50 ff5220 e9???????? e8???????? 8b75ac 83c404 } - $sequence_4 = { 8985a0f8ffff 0f85c5fcffff 8b8d8cf8ffff 85c9 0f84d3000000 8b048d2cdc4900 89858cf8ffff } + $sequence_0 = { 6a01 8d8d20010000 e8???????? c78514010000d0554900 c78518010000fc554900 c7851c01000020564900 8b8528010000 } + $sequence_1 = { 8d8d74feffff 56 57 c645fc14 e8???????? 
6a02 51 } + $sequence_2 = { 8d8d5cfcffff e8???????? 68???????? 8d955cfcffff c645fc16 8d8d2cfcffff e8???????? } + $sequence_3 = { 89a590fdffff 57 e8???????? 83ec18 c645fc34 8bcc 68???????? } + $sequence_4 = { 8d8d48feffff e8???????? 8d8d48feffff e8???????? 8d8d48feffff e8???????? 8d4dd8 } $sequence_5 = { 50 8d8de0feffff e8???????? 8d8dc8feffff e8???????? 8d8db0feffff e8???????? } - $sequence_6 = { 50 c745fc01000000 ff5248 ffb578ffffff 8d4e4c e8???????? ff7620 } - $sequence_7 = { 83e3fe e8???????? 807d6700 0f8413010000 6a01 8d4dac e8???????? } + $sequence_6 = { 83c044 c3 6a14 b8???????? e8???????? 8bf1 } + $sequence_7 = { 50 8d4500 50 e8???????? 8b43c4 8d73c4 83c408 } $sequence_8 = { 8b45fc 0580000000 c5fe7f00 c5fe6f8560feffff c4e37d46458031 c5fe7f8580e5ffff c5fe6f8580e5ffff } - $sequence_9 = { 0f849c050000 6a01 8d8d50020000 e8???????? 6a01 8d4d8c c645fc0c } + $sequence_9 = { 85db 0f8494000000 837e2c00 7e03 ff4628 8b4e28 33ff } condition: 7 of them and filesize < 2226176 
@@ -130309,41 +131053,41 @@ rule MALPEDIA_Win_Comebacker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "19238c8d-fa63-54d2-9e85-3ef6a0f14568" - date = "2026-01-05" - modified = "2026-01-06" + id = "283e196d-4b65-5a97-9fa8-14d372a10e7d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.comebacker_auto.yar#L1-L159" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.comebacker_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "5042f5e1cb03a035d2e07683a701a487f9bff93086c3cbb30af6f5ad30fe783b" + logic_hash = "f005bb35ac6298943648f97e044ccda3f9c6413b06990126be1e4da06640dd63" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6683f809 7f04 0430 eb02 0437 } - $sequence_1 = { baa2000000 4c8d0d47450300 b910000000 448d42a0 } - $sequence_2 = { 0fb6c2 418b8c8270c30400 81e100ff0000 4433c1 453341fc 453343fc } - $sequence_3 = { b801000000 418bc8 0f45c8 488d05c0150300 488d1d11aa0300 85c9 } - $sequence_4 = { 4c8d0583520100 418d5216 e8???????? 85c0 750a b805000000 } - $sequence_5 = { 6690 e8???????? 
48ffc3 8bf8 b84fecc44e f7ef } - $sequence_6 = { 89742440 48894598 c744245068000000 c744247004010000 } - $sequence_7 = { 0fb6c8 8bc5 8b948e70cf0400 48c1e808 0fb6c8 81e20000ff00 } - $sequence_8 = { e8???????? a1???????? 8b8da8f8ffff c1e00a d1e8 2bcf } - $sequence_9 = { 33d2 8a54242a 8adc 8b149538600410 } - $sequence_10 = { 5b c3 8b74241c 8b6c2414 85f6 } - $sequence_11 = { 6806020000 8d8d7ef7ffff 53 51 885de8 8945e9 } - $sequence_12 = { 52 ff15???????? a3???????? 85c0 7440 399de8e5ffff 750a } - $sequence_13 = { 8b0c8d38500410 33d3 8b3cbd38500410 81e1ff000000 } - $sequence_14 = { 74ab 8d8df4feffff 51 e8???????? 83c404 } + $sequence_0 = { 7f04 0430 eb02 0437 } + $sequence_1 = { 4d85c0 7526 418d5072 4c8d0de4d40300 c7442420f2020000 448d42d0 } + $sequence_2 = { 4c8bc3 66f2af 33ff 488d442440 } + $sequence_3 = { 442bc1 488bca 4c8d2defa60300 0f1f8000000000 } + $sequence_4 = { 4885c0 7522 4c8d0d85f80300 8d5075 8d4804 448d4041 } + $sequence_5 = { 33d2 41b806020000 885dd0 488945d1 8945d9 } + $sequence_6 = { ba67000000 4c8d0d0ac80200 c7442420ab030000 8d4aa9 448d42ff e8???????? } + $sequence_7 = { 4c8be8 ff15???????? 488d156de10200 488bcb 488bf8 ff15???????? } + $sequence_8 = { 6aff 68???????? 6800020000 53 ff15???????? e8???????? 3bc3 } + $sequence_9 = { 8944242c 8b1c9538500410 8b542414 c1ea18 } + $sequence_10 = { e8???????? 83c40c 8d8d8cf6ffff 51 8d55e8 52 } + $sequence_11 = { 83c43c 8903 5f 8bc6 33cd 5e } + $sequence_12 = { 8b0485e01f0910 c644080401 57 e8???????? } + $sequence_13 = { 6a00 6a00 8bf0 8d8570ffffff 6a00 50 e8???????? } + $sequence_14 = { 03c0 8d9dc8f8ffff 8985c8f8ffff e8???????? 8bbdc8f8ffff 6802200300 } condition: 7 of them and filesize < 1429504 
@@ -130353,41 +131097,41 @@ rule MALPEDIA_Win_Ismdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "540e8392-0220-5703-98ef-e8f75cf1cca1" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0aae3cc-79c5-5c93-8a8e-f77b4b6583b2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ismdoor_auto.yar#L1-L153" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ismdoor_auto.yar#L1-L156" license_url = "N/A" - logic_hash = "0347b8b3605f80aa046ee397578be54423bd20b2d0f0c466e85204c8c4819aa8" + logic_hash = "89f200894264a4e825a6752f2d54dd2f2d37f2185269543d8bfcc888eeba7337" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 83f8ff 7504 32c0 eb05 c0e804 2401 84c0 } - $sequence_1 = { 488bd6 488bcb ff5048 4885c0 750e } - $sequence_2 = { 7419 488d4dc0 e8???????? 483bd8 7405 } - $sequence_3 = { 448bc3 4963c0 4585c0 7514 } - $sequence_4 = { 90 c685200100006b 4c89bd38010000 4c89bd40010000 48c7854001000007000000 } - $sequence_5 = { 488d4c2448 e8???????? 90 4c8d45f0 488bd0 } - $sequence_6 = { 488b45b8 48898310020000 48898318020000 48898320020000 } - $sequence_7 = { e9???????? 4532ed 488d8db0010000 e8???????? } - $sequence_8 = { eb02 33c0 8bbdccfbffff 6bc009 0fb6bc38107a4700 8bc7 } - $sequence_9 = { e8???????? 
83f8ff 7e3c ff75ec } - $sequence_10 = { 52 50 e8???????? 68e8030000 ffd6 } - $sequence_11 = { c645fc3f e9???????? 6a00 68???????? } - $sequence_12 = { c785f0fdffff00000000 50 6a00 6a00 6a1d 8bf1 } - $sequence_13 = { 46 83fe10 7cdb ff75d0 8d55e8 } - $sequence_14 = { 8bc8 eb0c 0fb6c0 0fbe8040714800 03c8 } + $sequence_1 = { e8???????? 48c785680200000f000000 4c89ad60020000 c6855002000000 4883bd0802000010 } + $sequence_2 = { e8???????? 488bf8 488d5570 488d8db0010000 } + $sequence_3 = { 4157 488d68c1 4881ecc0000000 48c745b7feffffff 48895808 } + $sequence_4 = { 668933 488b5c2450 488b742458 4883c430 } + $sequence_5 = { 483bf5 0f8c29ffffff 488d4b60 488d542428 } + $sequence_6 = { 488bcb ff5038 eb1a 488bd3 488bcd } + $sequence_7 = { e8???????? 894744 488b8c2488000000 4883c160 e8???????? 85c0 } + $sequence_8 = { 23c8 394b18 7709 d1ee 83c8ff } + $sequence_9 = { 8bf8 8bcc 8bf2 6a17 c741140f000000 c7411000000000 } + $sequence_10 = { 8b4594 83e001 0f840c000000 836594fe 8b4d9c e9???????? } + $sequence_11 = { 8bf0 b9???????? c645fc01 e8???????? 52 } + $sequence_12 = { 897dd4 85ff 752a 8b55e8 837a1410 } + $sequence_13 = { 33db 660fd6442478 c784248000000000000000 895c2478 } + $sequence_14 = { e8???????? 8d8dc8fdffff e8???????? 83c418 8bc8 6a02 } condition: 7 of them and filesize < 1933312 
@@ -130397,42 +131141,42 @@ rule MALPEDIA_Win_Xdspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "54110d73-619a-59d4-a80b-7be8436504a7" - date = "2026-01-05" - modified = "2026-01-06" + id = "c51b5351-ac66-5093-9414-46afdfb7472f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xdspy_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xdspy_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "6256dc971ecf3bb6744674fefad5e90a83cd8cf7acf2f0addd47bba093a56e7a" + logic_hash = "946eac892e0a436fe7bc8c10c81550a1b9e8644df3bf4335d1695a2ae8dac0c3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85b0510000 50 e8???????? 8d85b0510000 50 897da4 } - $sequence_1 = { 5e e8???????? c9 c3 53 56 68???????? } - $sequence_2 = { e8???????? 8d851cd1ffff 50 e8???????? ff35???????? 8d851cd1ffff 50 } - $sequence_3 = { 89459c ff15???????? 85c0 7413 ff15???????? 3db7000000 7506 } - $sequence_4 = { 56 8bf8 e8???????? 83c410 8bd8 85ff } - $sequence_5 = { 85f6 0f84ba000000 8975e0 8b04bd804e4100 0500080000 3bf0 } - $sequence_6 = { c3 8bff 56 57 33ff 8db730074100 } - $sequence_7 = { e8???????? 68ff000000 e8???????? 
59 59 8b7508 8d34f548044100 } - $sequence_8 = { 0f8514010000 83fb01 0f850b010000 e8???????? 488d8dc0130000 ff15???????? } - $sequence_9 = { 88840d80070000 488d4901 84c0 75e8 80bd8007000000 488d8580070000 } - $sequence_10 = { 48898424c0000000 4889bc24c8000000 488d8c2480000000 ff15???????? } - $sequence_11 = { 4983e801 75ea b801000000 8d501f 6690 } - $sequence_12 = { 880413 48ffc3 4883fb0e 7cea } - $sequence_13 = { 75e8 488bcb 0f1f440000 420fb684399c941700 } - $sequence_14 = { 7413 0f1f840000000000 fe08 488d4001 403838 75f5 } - $sequence_15 = { e8???????? 488b05???????? 488d15853a0100 488bcb 83e13f } + $sequence_0 = { 7416 ff35???????? 68???????? 56 } + $sequence_1 = { 50 e8???????? ffb56cd8ffff e8???????? 83c40c 85c0 } + $sequence_2 = { 8d85b0510000 68???????? 50 e8???????? 56 8d85c84d0000 57 } + $sequence_3 = { 8bc8 83e11f 8bf0 c1fe05 c1e106 030cb5804e4100 } + $sequence_4 = { 7413 ff15???????? 3db7000000 7506 57 e8???????? } + $sequence_5 = { c705????????97654000 8935???????? a3???????? ff15???????? a3???????? } + $sequence_6 = { ffd7 ff75e4 e8???????? 6a16 ff75d8 8d45e8 50 } + $sequence_7 = { 55 8bec 8b4508 33c9 3b04cd58004100 } + $sequence_8 = { 488d95e01c0000 488bc8 ff15???????? 498bd4 498bcd ffd0 } + $sequence_9 = { 0f1f440000 fe08 488d4001 443838 } + $sequence_10 = { c705????????68002000 c705????????32000d00 c705????????7470646c 66c705????????6675 } + $sequence_11 = { 488d4001 3818 75f6 488d85c0060000 389dc0060000 7411 } + $sequence_12 = { 440fb706 488bcf 488b15???????? 4883c8ff 48ffc0 } + $sequence_13 = { eb1d 488d05774a0100 ffcb 488d0c9b } + $sequence_14 = { 85c1 7402 ffc2 d1c0 85c1 7402 } + $sequence_15 = { 2c2c 42888429b8aa1700 48ffc1 4883f90c 7ce4 488bcb 90 } condition: 7 of them and filesize < 3244032 
@@ -130442,36 +131186,36 @@ rule MALPEDIA_Win_Prilex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ddf38178-7ef1-5c36-b125-6bf3f451e7fb" - date = "2026-01-05" - modified = "2026-01-06" + id = "cfa9c347-701d-5be0-b9b5-d92f94caa4a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.prilex_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.prilex_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "fbaec0a907818a5c45443c868d80b924ff651b8b9668a983a8d7f07c1fa9a7e6" + logic_hash = "9281cf8853e03a025741c5aeaadccfffd4e62039176ca35464c7fdb66c7ccff8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4ddc ff15???????? 8d4dcc ff15???????? 8d55c4 52 6a00 } - $sequence_1 = { 8d4db0 50 51 8975b0 e8???????? 8b55e8 } - $sequence_2 = { c785d4feffff01000000 8b45c4 50 6a01 ff15???????? } - $sequence_3 = { 8b550c 3b32 0f84d4000000 3bf7 0f84cc000000 8d55b8 } - $sequence_4 = { ff15???????? 50 8b45e0 8d4ddc 50 } - $sequence_5 = { 8bf0 ff15???????? 8d45c8 8d4dcc 50 51 } - $sequence_6 = { 33c0 833a00 0f95c0 0bc8 85c9 7538 c745fc03000000 } - $sequence_7 = { 51 e8???????? 8945d0 c745fc04000000 66c785f8feffff0000 8d95f8feffff } - $sequence_8 = { 8d8dacfdffff 68???????? 
52 898d54fdffff c7854cfdffff08400000 } - $sequence_9 = { 8b542428 33c0 89442414 53 8944241c 33c9 } + $sequence_0 = { 8d4dd8 ffd3 8b550c 3b32 0f84d4000000 3bf7 } + $sequence_1 = { 8b4510 8b08 894dbc c745fc09000000 837dbc00 7505 e9???????? } + $sequence_2 = { 8975cc e8???????? 8bd8 3bdf 0f8408010000 } + $sequence_3 = { c745fc02000000 8b4510 33c9 833800 } + $sequence_4 = { 8b45ac 8b480c 038d8cfeffff 51 } + $sequence_5 = { 7405 e9???????? c745fc15000000 6a00 } + $sequence_6 = { 751d ba???????? 8d4de0 ff15???????? } + $sequence_7 = { c745fc0d000000 8d45c8 50 68ff000000 } + $sequence_8 = { 83c420 6685f6 7431 8b17 } + $sequence_9 = { 52 ff15???????? 50 8b4508 8b08 51 57 } condition: 7 of them and filesize < 450560 
@@ -130481,41 +131225,41 @@ rule MALPEDIA_Win_Dtrack_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a8e0795f-f37a-570e-a2d0-586d485922bb" - date = "2026-01-05" - modified = "2026-01-06" + id = "31cb7461-b760-57f9-aee0-20dea95545c9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dtrack_auto.yar#L1-L159" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dtrack_auto.yar#L1-L150" license_url = "N/A" - logic_hash = "6b14b7e6495b7f7e349f91bcaae4aa222786469ac0195332831e5ef10b7a534f" + logic_hash = "a9c7c2c4ebe62b1d7d9c7a1d0a5de32d036ef184fb4be1393eec7ec2793856bd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 52 8b4508 50 e8???????? 83c414 8b4d10 51 } - $sequence_1 = { 50 8d8dccfdffff 51 6a00 8d95b0faffff 52 } - $sequence_2 = { 8b4df8 c1e902 334df8 8b55f8 c1ea03 33ca } - $sequence_3 = { 33ca 8b55f8 c1ea07 33ca c1e118 } - $sequence_4 = { 50 e8???????? 83c40c c685b8fbffff00 } - $sequence_5 = { 8b88fc180000 8b5508 8b4508 8b8008100000 89848a04100000 8b4d0c } - $sequence_6 = { 8d959efaffff 52 e8???????? 83c410 8d85d4faffff 898528f6ffff } - $sequence_7 = { e8???????? 83c410 c68587f6ffff00 8b15???????? 
52 } - $sequence_8 = { eb64 8b4d10 51 6a00 } - $sequence_9 = { 8b08 894dfc 8b550c 8b4204 8945f8 68efcdab89 } - $sequence_10 = { c1e217 0bca 894d14 8b45f8 } - $sequence_11 = { 6a00 8b55f4 52 e8???????? 83c40c 8b450c 8b08 } - $sequence_12 = { 0bc1 894518 8b5514 8955f8 } - $sequence_13 = { 8b4df8 c1e908 234df8 8b45f8 c1e810 23c8 } - $sequence_14 = { 8b4df0 3b4d10 0f8d90000000 8b5508 } + $sequence_1 = { 50 e8???????? 83c408 c68588f6ffff00 } + $sequence_2 = { 57 c68590f5ffff00 680b030000 6a00 } + $sequence_3 = { 50 8d8d90f5ffff 51 e8???????? 83c414 } + $sequence_4 = { 50 6a01 6a01 8d4d0c 51 } + $sequence_5 = { 57 c685e0feffff00 6803010000 6a00 } + $sequence_6 = { 66890f 68???????? 8d95e0feffff 52 } + $sequence_7 = { 50 8d8d70eeffff 51 8b5508 } + $sequence_8 = { 33c2 8b4d0c 034df0 8801 } + $sequence_9 = { 83c414 8b4d10 51 8b55f4 52 8b4508 } + $sequence_10 = { 33d0 8b4df8 c1e908 234df8 8b45f8 c1e810 } + $sequence_11 = { 55 8bec 83ec10 8a4514 } + $sequence_12 = { 740c 837d0c00 7406 837d1408 7304 } + $sequence_13 = { 8855f7 8b4df8 c1e908 8b55fc d1ea } + $sequence_14 = { 8845f7 8b4d14 d1e9 894df8 } condition: 7 of them and filesize < 1736704 
@@ -130525,75 +131269,75 @@ rule MALPEDIA_Win_Mokes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b39bf037-fa7d-5a3c-86ca-2ed67b32fce6" - date = "2026-01-05" - modified = "2026-01-06" + id = "335218d6-cb44-5cf3-8b98-d13b75bd5fa6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mokes_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mokes_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "b9e014e60ad1f3bca1bf46f5b4621f6e946c48cba595440a4767fbc6ec5a2bfa" + logic_hash = "de29443f85d97d36c782d0775fdc17aebc27c9a0f2516ba5bc9ebc6f5848757a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f30f7f442438 8b442438 3b442428 751e 8b442440 3b442430 7514 } - $sequence_1 = { f20f5cd0 f20f58d1 f20f2cca 03c8 8d442430 894c2430 8b4c240c } - $sequence_2 = { ffb6c8010000 e8???????? 8b8e0c010000 8b4104 397808 7417 3b7808 } - $sequence_3 = { f6450801 56 8bf1 57 8b7e04 7423 8b0d???????? } - $sequence_4 = { ff742420 ba04000000 53 8d4a28 e8???????? 
8b6c2420 8bf0 } - $sequence_5 = { ff5030 8b4004 f780e000000000000200 7404 c6432b01 807c241b00 8b5c2454 } - $sequence_6 = { ffd0 83c410 8b74240c 8b542418 8bca 8b7c241c 81c11ff9ef9e } - $sequence_7 = { f77e6c 89542420 8b450c 8b7004 807e7000 7407 8bce } - $sequence_8 = { ff74240c 889018020000 8b8e5c010000 e8???????? 80be9a02000000 7517 ff7604 } - $sequence_9 = { f6c310 7410 83e3ef 8d4c242c 895c2414 e8???????? c7442458ffffffff } + $sequence_0 = { f20f594618 f20f595638 f20f107c2418 f20f58f8 0f28c1 f20f594628 f20f58da } + $sequence_1 = { ffd0 84c0 0f85cf000000 c7879400000003000000 e9???????? 6a00 8d8f80000000 } + $sequence_2 = { f30f10809c000000 f30f114c2418 0f28ce f30f58c8 f30f5cf0 0f28d1 f30f58d5 } + $sequence_3 = { ff9088000000 b001 5f 5e 5b 8be5 5d } + $sequence_4 = { ff7624 e9???????? 8b4e08 6a00 6800000400 8b01 ff507c } + $sequence_5 = { ff10 3d???????? 742a 8b00 85c0 75f3 8b7740 } + $sequence_6 = { f20f11442450 f20f118c2448010000 0f28c2 f20f11542428 f20f59c1 f20f11442458 dd442458 } + $sequence_7 = { f20f104808 f20f58c2 f20f11542438 f20f114c2440 f20f114c2450 f20f11542468 f20f11442448 } + $sequence_8 = { ff5008 8bc8 33c0 85c9 0f98c0 e9???????? 83fb02 } + $sequence_9 = { ff750c 8d4508 50 e8???????? 
8bf0 8975e8 c745fc00000000 } condition: - 7 of them and filesize < 18505728 + 7 of them and filesize < 17990656 } rule MALPEDIA_Win_Nitrogen_Ransomware_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f1d15105-1f60-56bd-9f57-5d0889e5b371" - date = "2026-01-05" - modified = "2026-01-06" + id = "6c181df2-98aa-50c7-8294-ada1bd47e30e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrogen_ransomware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nitrogen_ransomware_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nitrogen_ransomware_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "80271e297eab8217b53749d1fda8214698e5eac53c180b085f9fa59013bd1e3e" + logic_hash = "4e2ca4609381b30d42e64c0b5293ba475f8fc064d2896c6840f5040db174f8c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83f26c 4183c405 66410f6ed8 4183f569 8b8c2470030000 4183f46c 660f6eca } - $sequence_1 = { 83c004 31d0 66898424bc020000 0fb79424be020000 8b8424b0020000 83c005 31d0 } - $sequence_2 = { 66898424ae240000 0fb79424b0240000 8b8424a0240000 83c006 31d0 66898424b0240000 0fb79424b2240000 } - $sequence_3 = { 4189c3 8b8424a06a0000 83c01b 663305???????? 
89c3 8b8424a06a0000 83c01c } - $sequence_4 = { 83c20d 8944247c 8b8424204f0000 83f274 89442478 8b8424204f0000 89442474 } - $sequence_5 = { 89442428 660fc4cf01 448b8424702a0000 66450fc4cb01 894c2424 4183c107 66410f62c9 } - $sequence_6 = { 83f065 668984247a400000 0fb7442420 83c00e 83f072 668984247c400000 31c0 } - $sequence_7 = { 440fb73d???????? 0f118c24d0650000 8d680a 0fb705???????? 418d4f0a 440fb73d???????? 8d780a } - $sequence_8 = { 6689bc24900a0000 0fb77c245e 6689bc24920a0000 6689b424940a0000 f30f6fac24400a0000 f30f6fa424700a0000 66899c24960a0000 } - $sequence_9 = { ff15???????? 8b542440 4889d9 83ca04 ff15???????? 90 4883c468 } + $sequence_0 = { 4889e5 4883ec20 894d10 837d1000 741e 8b4510 89c0 } + $sequence_1 = { 8b842460010000 83c001 31d0 6689842466010000 0fb7942468010000 8b842460010000 83c002 } + $sequence_2 = { 83f624 6689b42470550000 0fb7742450 83c609 83f653 6689b42472550000 0fb774244c } + $sequence_3 = { 83c004 31d0 668984245c130000 0fb794245e130000 8b842450130000 83c005 31d0 } + $sequence_4 = { 83e80a 668984246c040000 0fb784246e040000 f30f7e35???????? 4c8b3d???????? 83e80a 448b35???????? } + $sequence_5 = { 83c007 31d0 66898424d21b0000 0fb79424d41b0000 8b8424c01b0000 83c008 31d0 } + $sequence_6 = { 83ea05 66899444203e0000 4883c001 4883f81f 75e3 488d8424203e0000 4c8b05???????? } + $sequence_7 = { 8bbc24204f0000 4183c601 8bb424204f0000 4183c502 4183c403 4183f665 83c504 } + $sequence_8 = { 488d8424647c0000 31c9 66899424ce7c0000 4889842420870000 c78424a05b000024000000 8bb424a05b0000 448bb424a05b0000 } + $sequence_9 = { 89442468 8b8c24205d0000 8b9424205d0000 448b9c24205d0000 897c2460 448b8424205d0000 448b8c24205d0000 } condition: 7 of them and filesize < 2590720 
@@ -130603,36 +131347,36 @@ rule MALPEDIA_Win_Sneepy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c029590c-a1be-50f8-80cf-c12927fcf1f6" - date = "2026-01-05" - modified = "2026-01-06" + id = "6b1a27cc-c83f-505c-9e9b-c13052965bfd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sneepy_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sneepy_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "978ba91f40e008ec1e688527edb2f9c28d926adc71b28f1ad0432cb8831f1c4c" + logic_hash = "91a9e511dd68c0086fb3f601c9310c63778276b1ac215798e05435336d9866f2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 c3 8bff 55 8bec b8e41a0000 e8???????? } - $sequence_1 = { 6888130000 ffd6 68???????? c705????????e8d44000 e8???????? 83c404 } - $sequence_2 = { 8b4dfc 33c0 83ff01 5b 0f94c0 } - $sequence_3 = { c1fa05 8b149560314100 59 c1e006 59 8a4dff 80c901 } - $sequence_4 = { 52 8945dc c745c801000000 8975cc } - $sequence_5 = { 89b5c0feffff 46 83fe07 7cdf } - $sequence_6 = { 85c0 7459 81bdb0feffffc8000000 7526 8b3d???????? 8d8dc0feffff 51 } - $sequence_7 = { e8???????? 8bc6 c1f805 8b048560314100 } - $sequence_8 = { 83e103 f3a4 8d8df0feffff 68???????? 51 e8???????? 
} - $sequence_9 = { 33c0 8945e4 83f805 7d10 668b4c4310 66890c4514314100 } + $sequence_0 = { 8bc1 c1f805 8bf1 83e61f 8d3c8560314100 8b07 c1e606 } + $sequence_1 = { e8???????? 83c404 85c0 0f8527ffffff 6800020000 } + $sequence_2 = { 83c404 68983a0000 ffd6 68???????? c705????????ccd44000 e8???????? 83c404 } + $sequence_3 = { 668945f8 6a0a 8d45f0 50 57 c705????????00000000 ffd3 } + $sequence_4 = { 8d95acfcffff 52 50 ffd7 a3???????? 83f8ff } + $sequence_5 = { 85f6 7408 6aff 56 } + $sequence_6 = { f3a4 8dbdacfeffff 4f 90 8a4701 } + $sequence_7 = { 770f 0fbec2 0fbe8088df4000 83e00f eb02 } + $sequence_8 = { a1???????? 6a00 6a07 68???????? } + $sequence_9 = { 51 e8???????? 83c404 8bd0 8a08 40 } condition: 7 of them and filesize < 188416 
@@ -130642,41 +131386,41 @@ rule MALPEDIA_Win_Coredn_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "07ee8205-8782-52d9-9a53-818875f21066" - date = "2026-01-05" - modified = "2026-01-06" + id = "e9fc964d-6932-50e6-9a6d-da9755e9c916" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.coredn_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.coredn_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "67a00f5807f423f86c2e11cef6a3e34c3be3d717b80668bf24ae3e2d19c2ab6b" + logic_hash = "7d9edbb68b504dec3f9ba24b68f1383d8814ab8f2dfe1d64015ce60053d3dd65" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 51 56 8d45fc 8bf1 50 e8???????? 85c0 } - $sequence_1 = { 8b7508 ba04010000 2bf1 6690 } - $sequence_2 = { 84c0 7415 8801 41 83ea01 } - $sequence_3 = { 5e 8be5 5d c20400 85c9 7506 48 } - $sequence_4 = { 8a1c06 84db 741c 8818 4a 40 83e901 } - $sequence_5 = { 0f1f440000 3811 7408 41 83e801 75f6 eb04 } - $sequence_6 = { 41 83ea01 75e7 8851ff b87a000780 5e } - $sequence_7 = { 75ec 48 bf7a000780 8808 8bc7 5f 5b } - $sequence_8 = { 85d2 7417 0fb73407 6685f6 740e } - $sequence_9 = { d3c8 3305???????? 3905???????? 
0f8594070000 } - $sequence_10 = { 83e13f c1f806 6bc930 8b048508414100 } - $sequence_11 = { 8b30 8bd6 c1fa06 8bc6 83e03f 6bc830 8b049508414100 } - $sequence_12 = { eb57 53 8b1c85e8dd4000 56 6800080000 6a00 53 } - $sequence_13 = { b802000000 833d????????00 0f85b00a0000 8d0d60104100 } - $sequence_14 = { 8b0c8d08414100 c644112800 85f6 740c 56 } + $sequence_1 = { 7415 8801 41 83ea01 } + $sequence_2 = { 53 57 bf00000000 8d0432 2bca 7438 } + $sequence_3 = { 741c 8818 4a 40 83e901 75ec } + $sequence_4 = { 5e 5d c20400 c60100 33c0 } + $sequence_5 = { 7423 8a1c06 84db 741c } + $sequence_6 = { 0f1f440000 3811 7408 41 83e801 75f6 } + $sequence_7 = { 41 83ea01 75e7 8851ff b87a000780 } + $sequence_8 = { 740b 6a01 50 e8???????? 83c408 8b442420 85c0 } + $sequence_9 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80a8304100 } + $sequence_10 = { e8???????? 83c408 8d842490040000 50 } + $sequence_11 = { 8365fc00 8b049d08414100 8b4de0 f644082801 7515 } + $sequence_12 = { 668945e8 8b45d4 886de5 8b148508414100 8a4c1a2d f6c104 7419 } + $sequence_13 = { 6808020000 8d842494040000 6a00 50 e8???????? } + $sequence_14 = { 8bcf 8bc7 894de4 399898304100 0f84ea000000 } condition: 7 of them and filesize < 270336 
@@ -130686,36 +131430,36 @@ rule MALPEDIA_Win_Herpes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e63d0f33-775b-5606-bd1d-23c306bf37e3" - date = "2026-01-05" - modified = "2026-01-06" + id = "38c3cfb9-210b-5ee0-9cb8-caacfa12bb4c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.herpes_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.herpes_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "754c79a3fce60a65d5238f8bbab4a5de6f5328cd0831b8e3c8484725e4b748a5" + logic_hash = "f9348f3af61a3466303ab9a2e43310879d34aab298604f86ec8a030ec1f6ec4c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3945cc 8b45b8 7303 8d45b8 56 51 50 } - $sequence_1 = { 68???????? e8???????? 83c404 5e 5d c20400 83ff75 } - $sequence_2 = { 8945e4 3d01010000 7d0d 8a4c181c 8888c0c24100 40 } - $sequence_3 = { 8d45d4 3bc7 7450 3975e8 720c 8b4dd4 51 } - $sequence_4 = { ffd7 68???????? 898664010000 ffd5 68???????? 50 898600020000 } - $sequence_5 = { e8???????? 8bc7 5f c20400 83661000 } - $sequence_6 = { ffd6 0145f0 8b75dc 8b45f0 56 ff75e0 03c7 } - $sequence_7 = { ffd7 68???????? 
ffb6f8010000 894664 } - $sequence_8 = { 8b4dfc 898134050000 6a00 6880000000 6a03 6a00 6a01 } - $sequence_9 = { 33db 58 89863c020000 899e38020000 } + $sequence_0 = { 898554010000 6a24 b8???????? e8???????? 33db 83ec1c } + $sequence_1 = { e8???????? 8b0d???????? c70101000000 83c41c } + $sequence_2 = { 8d95c1feffff 52 ffd6 68???????? 8d85dafeffff 50 ffd6 } + $sequence_3 = { 56 52 8bc7 e8???????? eb5a 83fefe } + $sequence_4 = { 33db be10000000 53 39b5d4fcffff 7302 8bc7 } + $sequence_5 = { c68510fcffff00 e8???????? 83c40c 8d8d00fcffff 51 ff15???????? } + $sequence_6 = { 84c0 0f84a8000000 8db5c0fcffff e8???????? 8bce } + $sequence_7 = { 8975e8 895de4 c645d400 397db0 0f82cbfeffff 8b4d9c } + $sequence_8 = { 8dbd88fcffff e8???????? 84c0 0f8487000000 8b0d???????? } + $sequence_9 = { 8b4d9c 51 e8???????? 83c404 b8???????? 8d4dd4 } condition: 7 of them and filesize < 319488 
@@ -130725,36 +131469,36 @@ rule MALPEDIA_Win_Raccoon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "426735cd-205f-5856-956c-bf7b885a57ea" - date = "2026-01-05" - modified = "2026-01-06" + id = "be17eb82-5d09-5c28-94e2-f91b89bbacd9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.raccoon_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.raccoon_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "30039f1e9ada41f0fa18f5ba2d7fb988ae243b357b509d0986ea0785e88878da" + logic_hash = "2104132907b7800a05fb078dfdfbe610078ebccd71144da00c01ee5b843b1309" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 ff75f8 c745fcff070000 ff15???????? 85c0 7488 } - $sequence_1 = { e8???????? e9???????? 8d45f0 c645f001 51 50 } - $sequence_2 = { 7403 832700 8b5d14 33f6 83fb01 7507 } - $sequence_3 = { 394708 7417 684c0e0000 68???????? 68???????? } - $sequence_4 = { 51 8bc2 8945fc 56 8bf1 } - $sequence_5 = { 8d4dfc 51 8d4df8 c745ec02000000 51 } - $sequence_6 = { 56 57 e8???????? 83c414 ff75f4 ff15???????? } - $sequence_7 = { 8d45ec c706???????? 50 53 ff75e4 895dec ff15???????? 
} - $sequence_8 = { 8d55cc ff75cc 52 ff5024 807dcc00 6a04 58 } - $sequence_9 = { 8975e4 894df0 33c0 40 8945fc } + $sequence_0 = { 85c0 0f85dd000000 57 57 57 } + $sequence_1 = { 8b3f 8b4638 03c7 3945fc } + $sequence_2 = { 897df4 50 8d85f0efffff c745fcff070000 50 } + $sequence_3 = { 0f8486000000 53 8b1d???????? 68???????? 50 ffd3 } + $sequence_4 = { 33f6 8d7dfc 56 57 ff7508 } + $sequence_5 = { 51 8bc2 8945fc 56 8bf1 } + $sequence_6 = { ffd6 6a10 ff15???????? 8bf0 8975f0 85f6 } + $sequence_7 = { 59 c60700 85db 7409 ff36 57 ff15???????? } + $sequence_8 = { 6a01 52 52 52 52 } + $sequence_9 = { 8b7d0c 8d4de8 33f6 c745e810000000 56 51 } condition: 7 of them and filesize < 1212416 
@@ -130764,36 +131508,36 @@ rule MALPEDIA_Win_Dispenserxfs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dcad1348-3e3e-5861-ac43-e7a329125581" - date = "2026-01-05" - modified = "2026-01-06" + id = "f5230e78-f9c8-536f-aec9-e20f575383e8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dispenserxfs_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dispenserxfs_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "8f86c5e67886e9169f08b08ef67943d3d51f035e4bbfcd62571f895fcd1de81c" + logic_hash = "fe196789895dd63b4ce6f206a4a4e6b2b60ee03ffa80291c63416518d5fc66ee" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? e8???????? 8b4c242c 83c41c 8bc1 } - $sequence_1 = { 58 6689854affffff 33c0 66898574ffffff 8d45cc } - $sequence_2 = { 75ee 83c004 0fb708 66890f } - $sequence_3 = { 68???????? e8???????? 59 ff75fc ff15???????? eb0d } - $sequence_4 = { 47 84c0 75f8 8bca 8d85f8eeffff c1e902 f3a5 } - $sequence_5 = { 0f84e6000000 0fb74106 50 0fb74104 50 } - $sequence_6 = { 57 8d45f0 8bd9 50 6860ea0000 33f6 895de4 } - $sequence_7 = { 0f8408010000 33f6 8bcb 894df4 663bf2 0f83f8000000 57 } - $sequence_8 = { 6683f802 750b 8b4c2408 e8???????? 
eb10 0fb6c1 50 } - $sequence_9 = { 89b544ffffff 89b564ffffff 89b568ffffff 89b56cffffff 89b570ffffff 89b57cffffff } + $sequence_0 = { ff30 8d45c4 53 68???????? 6a1f 50 } + $sequence_1 = { 68ff0f0000 53 50 8bf1 889df8eeffff e8???????? 83c40c } + $sequence_2 = { 59 59 68e8030000 ff15???????? 4e } + $sequence_3 = { c785d0feffff55534420 c785d4feffff41555344 899dd8feffff 898ddcfeffff 898de0feffff 89b5e4feffff 89b5e8feffff } + $sequence_4 = { 8bf9 8845da 8d4dd8 668b4508 } + $sequence_5 = { 89b5c1fdffff c785c5fdffff48474000 c785c9fdffff55534420 c685cdfdffff42 } + $sequence_6 = { 731f 8b4230 0fb7cb 8b0488 } + $sequence_7 = { 8bf2 8a02 42 84c0 75f9 8dbdf8eeffff } + $sequence_8 = { 8d45fc 50 6860ea0000 8d45e4 50 6838010000 } + $sequence_9 = { 8b7d1c 8b5d18 59 57 53 ff7514 } condition: 7 of them and filesize < 114688 
@@ -130803,36 +131547,36 @@ rule MALPEDIA_Win_Zeus_Mailsniffer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fb336c30-936c-5161-8554-4fa39d727895" - date = "2026-01-05" - modified = "2026-01-06" + id = "aaa8e772-89b4-5a81-a4de-d9c0e696d143" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeus_mailsniffer_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeus_mailsniffer_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "b88fdb233f08271f4c82945f7e7e3b8d498570e4526ea1a19d24dcafd9d77060" + logic_hash = "caa1fd0a72d34989de98237506f293f039aa94b0638bba8fb60cbd5148d0d3d9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81ec1c020000 56 6a1c 58 8945f0 c745f4c89d2d01 8945f8 } - $sequence_1 = { 0f8486000000 6a10 58 e8???????? 8bf0 85f6 } - $sequence_2 = { e8???????? 83c40c 833e00 894608 897e0c 7421 } - $sequence_3 = { 8b4508 8b4dec c745f451000000 8908 83ff17 750f } - $sequence_4 = { e8???????? 57 68???????? 57 e8???????? 83c424 } - $sequence_5 = { 85c0 0f8498010000 8b45f4 8365c800 83c004 } - $sequence_6 = { 57 8d85ecfeffff 50 53 8d85b4faffff } - $sequence_7 = { ff15???????? ffb424f4040000 ff15???????? 
8b8424cc040000 } - $sequence_8 = { 83c410 85ff 742c 8b462c ff7608 ff7628 85c0 } - $sequence_9 = { 743f 66833f00 7439 56 6a16 8d75e4 58 } + $sequence_0 = { 6a01 56 e8???????? 83c40c 85c0 7473 807b0e02 } + $sequence_1 = { 895c2424 897c2428 897c242c ff15???????? 85c0 7562 6a25 } + $sequence_2 = { 66837ddc00 8b87a0902d01 7403 6a29 58 8d8dd4fdffff 51 } + $sequence_3 = { 751e 53 8d45f8 50 57 ff750c ff75f4 } + $sequence_4 = { 742c 56 e8???????? 8b45c0 a3???????? } + $sequence_5 = { 0f8632050000 8d7910 897ddc 8945d0 8b47f0 } + $sequence_6 = { 8d44244c 50 8d442454 50 8d44246c 50 } + $sequence_7 = { 0f83e5020000 6639430e 0f83db020000 0fb703 8bf0 2345e8 c1ee09 } + $sequence_8 = { f684241c01000020 59 7407 830d????????10 6a5a 8db424ac070000 58 } + $sequence_9 = { ffd7 85c0 7570 8bc6 50 8d84249c030000 } condition: 7 of them and filesize < 368640 
@@ -130842,35 +131586,35 @@ rule MALPEDIA_Win_Nexster_Bot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a43d5074-419f-56bf-9041-ecb4085c5c0f" - date = "2026-01-05" - modified = "2026-01-06" + id = "061dbb6e-2064-504e-9aa2-e17c3536465b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nexster_bot_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nexster_bot_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "030c2bb9e4dedc4e668df50b31810c5f051c7ed3a34092c75978caae787f72df" + logic_hash = "57aa1e0d86dc2359eca8bf96c5c5a73ccf3596b3d24f53deb980f0656810b232" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8a4701 47 84c0 75f8 8b0d???????? 8d84240c010000 } - $sequence_1 = { 6a00 8908 668b0d???????? 6a00 895004 68000000c0 } - $sequence_2 = { 42 3acb 75f6 8dbd00080000 8db5000c0000 e8???????? } - $sequence_3 = { e8???????? 8b54241c 68???????? 8bf0 52 8d44241c 50 } - $sequence_4 = { 33c0 8da42400000000 8a1485d0604100 889405000e0000 40 83f80b } - $sequence_5 = { 8d842480000000 50 ff15???????? 8b3d???????? } - $sequence_6 = { 8d0cbd20804100 8901 8305????????20 8b11 81c200080000 } - $sequence_7 = { 85c0 0f8581000000 80bc24ae01000001 7533 8b0d???????? 8b15???????? 
} - $sequence_8 = { 84c0 75f6 8d85c0140000 48 } + $sequence_0 = { 750e a1???????? 50 ff15???????? ffd7 } + $sequence_1 = { 68fe030000 51 8d95be050000 52 66898dbc050000 } + $sequence_2 = { 7d10 668b4c4310 66890c45186e4100 40 ebe8 33c0 } + $sequence_3 = { 837a1810 720e 8b4d00 5f } + $sequence_4 = { e8???????? b8???????? e9???????? c705????????80124100 } + $sequence_5 = { 8a01 8802 41 42 3ac3 75f6 8d8500100000 } + $sequence_6 = { e8???????? 6aff 53 8d4dd0 51 8d8d90010000 c645fc02 } + $sequence_7 = { 51 6a02 ff15???????? 85c0 742d ff15???????? 33c0 } + $sequence_8 = { 84c9 75f8 8d85bc150000 50 e8???????? 83c404 } $sequence_9 = { 75f9 8b1424 6a00 2bc1 8d4c242c } condition: 
@@ -130881,36 +131625,36 @@ rule MALPEDIA_Win_Byeby_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0ebfb487-5cbf-53be-adad-b7561bd94d85" - date = "2026-01-05" - modified = "2026-01-06" + id = "a809d589-69e9-5647-ba09-f68948a3093e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.byeby_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.byeby_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "14e04fc099db6b56de85356d95024648b8f691b46ad7013820136f566a988b61" + logic_hash = "df94a0c9ee5af482c36257d5a32647f83cf7394fffb39d5c7c8cba2b95446879" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c78424a002000059335630 c68424a402000000 50 8d8424380a0000 50 ff15???????? } - $sequence_1 = { c68424d402000000 c784242c0300005130394e c78424300300005455464f c684243403000000 c78424e402000056464a42 c78424e8020000546c4e47 c68424ec02000000 } - $sequence_2 = { 8d85c0f9ffff 66c745e80d0a 6804050000 50 f30f7f45d4 c645ea00 } - $sequence_3 = { 50 8b8528e5ffff 0f94c1 898d3ce5ffff 8b8d24e5ffff 8b048518ab0110 ff3401 } - $sequence_4 = { 85c0 7411 ff35???????? 8bc8 } - $sequence_5 = { 8bf0 83feff 0f8489000000 6a00 56 ff15???????? 3d00900100 } - $sequence_6 = { 894c2428 ff15???????? 
85c0 7430 8b7c2414 8d4900 83f8ff } - $sequence_7 = { 64890d00000000 59 5f 5e 8b8c243c100000 33cc } - $sequence_8 = { 0fbec2 0fb680d0450110 83e00f eb02 33c0 8bbdc8fdffff 6bc009 } - $sequence_9 = { 740b 8d44246c 50 ff15???????? 8b442430 85c0 7409 } + $sequence_0 = { 83f8ff 0f85be010000 8b35???????? 8d44241c 6a01 } + $sequence_1 = { 8b7c2414 83f8ff 7420 03f0 3bf7 741a 6a00 } + $sequence_2 = { be02000000 b9???????? e8???????? 84c0 750c 68c0270900 ffd7 } + $sequence_3 = { 0f84bf000000 ff15???????? 6803010000 8bf0 c68424f003000000 8d8424f1030000 6a00 } + $sequence_4 = { 6804010000 50 6a00 ff15???????? 6803010000 8d85cdfeffff c685ccfeffff00 } + $sequence_5 = { 8d85c8fdffff 50 ffd3 68???????? 8d85c8fdffff 50 a1???????? } + $sequence_6 = { c705????????00000000 ffd6 c705????????00000000 e9???????? 8b35???????? 8d84243c060000 68???????? } + $sequence_7 = { 85c0 0f8588010000 89442420 8d4c242c 89442424 8d442420 6a08 } + $sequence_8 = { ff15???????? 53 e8???????? 6803010000 8d8589feffff c78578feffff00000000 6a00 } + $sequence_9 = { 57 ff15???????? 85c0 0f84f6010000 8b542418 03542414 } condition: 7 of them and filesize < 253952 @@ -130921,10 +131665,10 @@ rule MALPEDIA_Win_Seasalt_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "53347621-44c1-525f-89d0-f50b729b9b9d" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.seasalt_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.seasalt_auto.yar#L1-L121" license_url = "N/A" logic_hash = "efb41d41f20a6c99bb3444a374f65b02c8e63a28ca4361b924bf5bfe71fe1970" score = 75 
@@ -130933,9 +131677,9 @@ rule MALPEDIA_Win_Seasalt_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -130959,53 +131703,53 @@ rule MALPEDIA_Win_Disttrack_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "656ce2d7-e23b-52b7-a17b-bd1f83c468f3" - date = "2026-01-05" - modified = "2026-01-06" + id = "53169439-d446-5a46-8914-3e46d4af0e4c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.disttrack_auto.yar#L1-L269" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.disttrack_auto.yar#L1-L264" license_url = "N/A" - logic_hash = "1a87cbbf3cac3bb5395930782b27d52657176f4eea6766d20ecb09a08d9650c6" + logic_hash = "eb36e0cc772010320a144ee63e859b04cd9e770414447bbd7f53d733325bd26c" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 52 6a00 6a00 6848000700 } - $sequence_1 = { e8???????? 83c404 50 e8???????? 83c404 68???????? ff15???????? } - $sequence_2 = { 53 ff15???????? 5d 5b 8bc7 5f 5e } - $sequence_3 = { ff15???????? 8d45dc 50 ff15???????? 8b4ddc } - $sequence_4 = { 57 e8???????? 6a07 e8???????? 59 c3 6a10 } - $sequence_5 = { 8b4204 8d8c24a4000000 894c2420 c7440434fcc24100 8d4c244c } - $sequence_6 = { ff15???????? 
85c0 7406 8b4df0 51 ffd0 83ffff } - $sequence_7 = { 0f85a5000000 33d2 488d4c2470 448d4268 } - $sequence_8 = { 83c1ff 898d14f8ffff 8b9514f8ffff 8a4201 888513f8ffff } - $sequence_9 = { 48397d10 7430 488b4c2430 e8???????? 4c8bc0 488b542430 } - $sequence_10 = { 740c 837d1800 7406 837d1c00 751f } - $sequence_11 = { 8d8424fc000000 50 8d4c2450 e8???????? } - $sequence_12 = { 0f87260a0000 ff248597fa4000 33c0 838df4fbffffff } - $sequence_13 = { 32040e 6a00 8d55f0 52 } - $sequence_14 = { 85c0 750e 80fb2b 7409 80fb2f 0f858c000000 } - $sequence_15 = { 488d9c1de0010000 448be6 48895c2428 4963cc } - $sequence_16 = { e8???????? 85c0 75de 488bcb ff15???????? 33c0 488b8c2460020000 } - $sequence_17 = { 83c804 48397948 0f44d0 eb0e 488b4148 48f7d8 1bd2 } - $sequence_18 = { e8???????? 68???????? 8d4df4 51 c745f408f34100 e8???????? } - $sequence_19 = { 85c0 751a 488d156cb10000 41b810200100 488bcd e8???????? } - $sequence_20 = { c1fe05 c1e106 030cb540174200 eb02 8bca f641247f 759b } - $sequence_21 = { 33f6 56 51 50 52 e8???????? 8945b8 } - $sequence_22 = { c745fc00000000 e8???????? c745fcffffffff 8b5790 8b4204 c7443890b4c24100 } - $sequence_23 = { 8d5c0002 e8???????? 488d542430 448bd8 } - $sequence_24 = { 8b0c8d40174200 83e61f c1e606 89040e 8b45f8 e9???????? } - $sequence_25 = { e8???????? 408ac7 488b8d80020000 4833cc e8???????? 4c8d9c2490030000 498b5b10 } - $sequence_26 = { 8b149540174200 59 c1e006 59 8a4dff 80c901 884c0204 } + $sequence_1 = { 53 ff15???????? 5d 5b 8bc7 5f 5e } + $sequence_2 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? } + $sequence_3 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc } + $sequence_4 = { e8???????? 6a07 e8???????? 59 c3 6a10 } + $sequence_5 = { 6a64 68???????? ff15???????? 6a64 68???????? } + $sequence_6 = { 8bf8 c745fc03000000 e8???????? c645fc02 8b7d94 } + $sequence_7 = { 8bc1 c1f805 8bf1 83e61f 8d3c8540174200 } + $sequence_8 = { 837d0800 7412 837d0c00 7e0c 837d1000 } + $sequence_9 = { 488d4c2432 8945ca 0fb705???????? 
33f6 } + $sequence_10 = { 8d4c0c44 3bfb 741e 8b410c 0bc7 } + $sequence_11 = { e8???????? 8bd8 85c0 7432 488bce e8???????? e8???????? } + $sequence_12 = { 48638528050000 498b16 498b0f 4889442468 0fb68540050000 4c8d1d03340000 } + $sequence_13 = { 0fbe89a06d4200 85c9 750d e8???????? } + $sequence_14 = { 408a6c2427 40b701 403aef 7454 } + $sequence_15 = { 8bff 56 57 33ff ffb740004200 ff15???????? 898740004200 } + $sequence_16 = { 7406 53 e8???????? 8d44244c e8???????? } + $sequence_17 = { ff15???????? 33d2 75fc eba1 33c0 } + $sequence_18 = { eb01 53 e8???????? 8b8c24ec500000 5f 5e } + $sequence_19 = { 50 e8???????? 6a00 6800020000 52 } + $sequence_20 = { 8b55ec 8b4254 50 e8???????? 83c408 85c0 } + $sequence_21 = { 4a8d4c5c30 e8???????? 488bcf e8???????? 488d4c2430 8d5c0002 e8???????? } + $sequence_22 = { 8d1480 3bd6 7e08 c7442410ffffffff ff442410 e9???????? 83f903 } + $sequence_23 = { 8b442460 488b4c2458 8907 ff15???????? } + $sequence_24 = { 1bc0 23d8 6644396de0 752a 66397de2 7524 66443965e6 } + $sequence_25 = { 33f6 8d85e8feffff 898578ffffff 8d7d94 8d8540ffffff } + $sequence_26 = { 57 4883ec20 488b7968 488d0546490100 8bf2 488bd9 } condition: 7 of them and filesize < 1112064 
@@ -131015,36 +131759,36 @@ rule MALPEDIA_Win_Diztakun_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "438551c7-604a-5ad2-954a-f3ff63f3cb31" - date = "2026-01-05" - modified = "2026-01-06" + id = "8ae0a633-46e6-5dae-93e3-705866df839b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.diztakun_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.diztakun_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "fc2cd18a0fc5853e5904a0ff7267816d8fa89853fb1e9c46e2210edfcdfdf3de" + logic_hash = "0853f23dae5ee56818e1ad88ca2ed7fab58041d16960c3f4aea5b114c9876102" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7f05 b8???????? e8???????? 8b4c2444 8b5c2428 8b6c2430 } - $sequence_1 = { 53 e8???????? cc 5a 58 } - $sequence_2 = { 7d0c 57 8bcb e8???????? 8b542418 8b0b 3bf5 } - $sequence_3 = { e9???????? 8b451c 83c0c7 56 83f80b 0f87c4000000 ff2485ffff4000 } - $sequence_4 = { 7574 8b4008 3bc6 746d 663930 7468 8b5808 } - $sequence_5 = { 50 8d84241c020000 64a300000000 8b84242c020000 6a00 6a00 8d4c2420 } - $sequence_6 = { ff15???????? 83c6f0 56 e8???????? 8b7c2418 83c010 8907 } - $sequence_7 = { 89642418 8bfc 50 e8???????? 
83c010 83c404 8907 } - $sequence_8 = { 8b8254010000 83c404 8bcb ffd0 } - $sequence_9 = { 8bd9 895c2414 c744241000000000 e8???????? 33c9 85c0 0f95c1 } + $sequence_0 = { 50 8d34fdf4874400 ff36 e8???????? } + $sequence_1 = { 8d442408 50 51 ff15???????? 8d542408 52 8bcf } + $sequence_2 = { a1???????? 894c2430 8d4c2430 51 89542438 8944243c } + $sequence_3 = { ff15???????? 33c0 85ff 0f94c0 eb12 ff7168 ff7510 } + $sequence_4 = { c20400 8bff 56 8bf1 8d8688000000 833800 } + $sequence_5 = { 8b4204 ffd0 c68424d807000001 8b442444 83c0f0 8d480c } + $sequence_6 = { 8b4204 ffd0 c7842424020000ffffffff 8b442408 } + $sequence_7 = { 50 8b4204 ffd0 84db 0f8494000000 68???????? 8d4c242c } + $sequence_8 = { 8bf8 85ff 744a 6a05 8bce e8???????? 8b4e20 } + $sequence_9 = { 8bcb e8???????? 8bf0 8b0e 8b11 55 68???????? } condition: 7 of them and filesize < 688128 
@@ -131054,50 +131798,50 @@ rule MALPEDIA_Win_Plead_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea1e32f2-faad-594a-a682-0f661211cc9b" - date = "2026-01-05" - modified = "2026-01-06" + id = "7e9e1e58-39f7-59e5-b3a4-1b007bd3b49b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.plead_auto.yar#L1-L223" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.plead_auto.yar#L1-L235" license_url = "N/A" - logic_hash = "e24e1751ade86b382e488f87af3eb86584ff682352dde27167e20cbed17a20c8" + logic_hash = "472077a875ce718756c4b86321844910a5fcb198a9f726c61a5f321a6737bcb0" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 897d14 e8???????? 83c40c 8d4514 } - $sequence_1 = { 8b4514 56 881c30 ff15???????? } - $sequence_2 = { 40 50 6a01 ff15???????? 83c40c } - $sequence_3 = { 90 0145fc ff75fc ff15???????? } - $sequence_4 = { 53 6a05 ff7508 ff15???????? } - $sequence_5 = { 3bf7 740f ebda 33f6 } - $sequence_6 = { 50 8b4518 03c6 57 } - $sequence_7 = { ebda 33f6 c745fcf8ffffff 3bf7 750c 895dfc } - $sequence_8 = { 40 49 8975fc 75ec 8bc6 5e } - $sequence_9 = { 81c900ffffff 41 85c9 7e1c 55 } - $sequence_10 = { 33c0 81c418020000 c21000 8b84241c020000 6a00 6a00 6801020000 } - $sequence_11 = { 50 ff15???????? 
33c0 81c418020000 } - $sequence_12 = { 7cf1 ffd3 8b35???????? 2bc7 3de8030000 760f } - $sequence_13 = { 8844341c 46 3bf1 7cf1 } - $sequence_14 = { c145fc05 8b75fc 33d2 8a10 03f2 40 } - $sequence_15 = { 6804010000 ff15???????? 8b4c2412 8b54240e 8b44240c } + $sequence_0 = { 56 50 e8???????? 59 59 5e c20400 } + $sequence_1 = { 0f31 90 0145fc ff75fc ff15???????? } + $sequence_2 = { 8d4514 53 50 56 53 6a05 } + $sequence_3 = { 40 50 6a01 ff15???????? 83c40c 85c0 } + $sequence_4 = { e8???????? 817d14e8030000 53 56 57 } + $sequence_5 = { c745fcf8ffffff 3bf7 750c 895dfc } + $sequence_6 = { 83c40c 85c0 7504 33c0 eb09 56 } + $sequence_7 = { 56 897d14 e8???????? 83c40c 8d4514 53 } + $sequence_8 = { 49 85d2 8945fc 741c 8b4508 } + $sequence_9 = { 3de8030000 760f 8d44241c 50 } + $sequence_10 = { 51 ff15???????? 33c0 81c418020000 } + $sequence_11 = { 8bcf 81e1ff000080 7908 49 } + $sequence_12 = { 6a00 6a00 ff15???????? 6a02 a3???????? 8b8c242c020000 51 } + $sequence_13 = { 49 8975fc 75ec 8bc6 5e } + $sequence_14 = { 8bd8 b941000000 33c0 8dbddcfeffff } + $sequence_15 = { 6a01 50 ff15???????? 50 ff15???????? 33c0 } $sequence_16 = { 648b1530000000 8b520c 8b521c 8b5a08 } - $sequence_17 = { eb02 8bfa 8955f4 897df0 } - $sequence_18 = { 8dbd00ffffff 33db 891f 0fb602 42 } - $sequence_19 = { 85c0 750f 6800800000 6a00 ff75f8 ff5648 eb0d } - $sequence_20 = { d3e0 f7c200000004 7403 80cc02 } - $sequence_21 = { 75f1 5e 8b4624 03c3 668b1450 } - $sequence_22 = { 8b562c c7048a00000000 8b7df0 8b07 } - $sequence_23 = { 8b4510 40 c1c803 ab 3bef } + $sequence_17 = { 6a04 8d45fc 50 6805100000 68ffff0000 57 ff9698000000 } + $sequence_18 = { ebc4 8345fc14 8b5dfc e9???????? 33c0 } + $sequence_19 = { b800010000 e8???????? 
85c0 7477 50 8bf8 } + $sequence_20 = { 80cc02 8b4b10 85c9 751a f6c240 7408 8b4dfc } + $sequence_21 = { 6a08 ff563c 50 ff5620 c3 50 6a00 } + $sequence_22 = { 50 8bf8 668b4514 668907 } + $sequence_23 = { 85c0 0f84a7000000 03403c 85c0 0f849c000000 } condition: 7 of them and filesize < 8224768 
@@ -131107,36 +131851,36 @@ rule MALPEDIA_Win_Sys10_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f6b87c71-e5a8-51b9-bf42-5ce35b9897c0" - date = "2026-01-05" - modified = "2026-01-06" + id = "25ead334-3ff3-5105-aeb8-19cda0e51f07" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sys10_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sys10_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "34aa3f50a631ab8b6462b3454dab9cbf3c83a5ccbafc56348e488e070debe8a8" + logic_hash = "4eab0b3fb0f38183f34336fa26210a7a985de8bb3e5b003cd604b6ce57bd75ca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ffd7 8b4b08 51 } - $sequence_1 = { 7511 6810270000 ff15???????? 33c0 } - $sequence_2 = { ffd3 6a00 6a00 6a00 6a00 8bf8 } - $sequence_3 = { 7407 53 ff15???????? 8b06 50 } - $sequence_4 = { 53 52 e8???????? 83c42c 85c0 } - $sequence_5 = { ffd7 8b4304 50 ffd7 8b4b08 51 } - $sequence_6 = { 52 ffd7 8b4308 50 } - $sequence_7 = { 57 8d542438 53 52 e8???????? } - $sequence_8 = { 6a00 897c2434 894c242c 89742438 } - $sequence_9 = { 52 6a05 50 ffd6 8b5308 } + $sequence_0 = { 8b442410 8b4c240c 8b542408 6a03 } + $sequence_1 = { c744245444000000 ff15???????? 
8b5610 8b44241c 8902 8b4e0c 51 } + $sequence_2 = { ff15???????? 68b80b0000 ff15???????? 6800280000 } + $sequence_3 = { 837e04ff 740b 8b16 52 e8???????? } + $sequence_4 = { 51 6a00 56 e8???????? 57 } + $sequence_5 = { 51 6a05 52 ffd6 } + $sequence_6 = { 837e04ff 740b 8b16 52 e8???????? 83c404 } + $sequence_7 = { 897c2434 894c242c 89742438 ff15???????? } + $sequence_8 = { 51 6a05 52 ffd6 8b4b08 } + $sequence_9 = { ffd7 8b4304 50 ffd7 8b4b08 51 ffd7 } condition: 7 of them and filesize < 286720 
@@ -131146,36 +131890,36 @@ rule MALPEDIA_Win_Downeks_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c1af7457-a967-5afd-afe7-3e5e1a0a9026" - date = "2026-01-05" - modified = "2026-01-06" + id = "8b2a6554-990d-5230-ae29-0893455452fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.downeks_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.downeks_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "2a5314b1c911549ae340f3f5ef76252cb23ca35ba95d30c0718999dad54c01d3" + logic_hash = "4f442da78ad9c372f04bf135865025a90df8d05dccae16541bd33990b38d0162" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bec 817d08c8000000 53 56 8bf0 8b9e38040000 57 } - $sequence_1 = { c3 b8042c0804 5d c3 b8ec250804 5d c3 } - $sequence_2 = { c20c00 8bc1 ddd8 894dd8 81e1ffffff7f 8955cc 894dd0 } - $sequence_3 = { 8b7d08 8bc7 c1f805 8bf7 83e61f c1e606 033485e0ffb405 } - $sequence_4 = { 8bbd48ffffff 039d68ffffff c1ef03 33f7 03f3 03b544ffffff 897584 } - $sequence_5 = { b820000000 8bce e8???????? 33c0 5f 5e 5b } - $sequence_6 = { 8d5df0 8b5508 893a 393b 0f8598000000 56 e8???????? } - $sequence_7 = { c746140f000000 c7461000000000 6839ac0804 8bce c60600 e8???????? 
eb7a } - $sequence_8 = { c78550ffffff01000000 89b7a0040000 394d98 7c12 7f08 8b5594 3b558c } - $sequence_9 = { 6a3f 85c0 7403 40 eb09 8b55e8 8b8298000000 } + $sequence_0 = { e8???????? 83c404 85c0 75aa 8b45fc 5f 5e } + $sequence_1 = { 51 68d0620804 52 e8???????? 83c40c 5b 5f } + $sequence_2 = { b8d06f0804 8a10 3a11 751a 84d2 7412 8a5001 } + $sequence_3 = { 52 50 68681d0804 6a06 56 e8???????? 83c414 } + $sequence_4 = { e8???????? 8bbd60ffffff 8b4da4 51 e8???????? 8b55a0 83c404 } + $sequence_5 = { 8b7dc0 52 8bc6 e8???????? 83c404 56 e8???????? } + $sequence_6 = { 8d854cfdffff 50 e8???????? c3 8d8dd4fdffff e9???????? 8d8588fcffff } + $sequence_7 = { e8???????? 3bf3 7d49 8b45d4 8b08 8b5108 50 } + $sequence_8 = { 8b450c ff3485c8790804 ff7508 e8???????? 83c40c 5d c3 } + $sequence_9 = { cc 6a0c 6890850904 e8???????? e8???????? 8365fc00 ff7058 } condition: 7 of them and filesize < 1318912 
@@ -131185,36 +131929,36 @@ rule MALPEDIA_Win_Ragnarok_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0503ca8a-2001-56e1-b42c-037f05f91d96" - date = "2026-01-05" - modified = "2026-01-06" + id = "82302a4c-16b6-5be5-a67d-2e75f8519b08" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ragnarok_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ragnarok_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "5619f0dd5fd5026a251efa6637f932f898dc57a4a8452621caeee9cc8878df0d" + logic_hash = "bd7608435ba262c87009ad2abe5aea205ed23c2ca5fdd3ed5024ffa92a619e35" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1f906 57 6bf838 894df4 8b048d28754300 8b540718 8955ec } - $sequence_1 = { 8945b8 8b45a8 8bc8 2345b0 f7d1 234d98 c1c20a } - $sequence_2 = { 0f1f4000 8bc8 8b4104 85c0 75f7 895104 8b9db4feffff } - $sequence_3 = { 8bc6 f7d0 c1c208 03550c 0bc7 33c3 8955bc } - $sequence_4 = { 8b96e0000000 83fa14 7d38 8d0492 8d0c86 8d0492 c781e4000000e0b04000 } - $sequence_5 = { 8b7d08 0fb6ca 333c8d105d4300 8bcf 897d08 334814 894d08 } - $sequence_6 = { 3a8a54d84200 7532 8b06 8a08 40 42 8906 } - $sequence_7 = { c1c10a 89459c 81c6a1ebd96e 8bc2 894d98 } - $sequence_8 = { 234db4 03c3 894598 8b45b8 
23c2 c145b80a 0bc8 } - $sequence_9 = { 8b0c8d28754300 88440f2b 83fa03 7511 8b45fc 8b0c8528754300 8a06 } + $sequence_0 = { 0fb689104b4300 314dfc 8bca c165fc08 c1e908 0fb6c9 0fb689104b4300 } + $sequence_1 = { 8a08 40 84c9 75f9 2b45f8 8bcb } + $sequence_2 = { ffd6 ffb544ffffff ffd7 6a40 e8???????? } + $sequence_3 = { 83e03f 6bc838 894de0 8b049d28754300 f644082801 7469 56 } + $sequence_4 = { 0bc8 034de4 8d86dcbc1b8f 8b75b4 03c1 8b4dac c1c00f } + $sequence_5 = { 8b8538fdffff 031cc558af4200 133cc55caf4200 039cc57cfdffff 13bcc580fdffff 039d70fdffff 8b856cfdffff } + $sequence_6 = { 7409 57 e8???????? 83c404 8b0e 8d5101 8a01 } + $sequence_7 = { 8d9e9979825a c1c00c 8db79979825a 03c2 81c224d14d5c 8945a8 8b45ac } + $sequence_8 = { 8bec 8b4508 53 57 8d1c8590744300 8b03 90 } + $sequence_9 = { e8???????? 68???????? 56 8b5810 e8???????? } condition: 7 of them and filesize < 483328 @@ -131225,10 +131969,10 @@ rule MALPEDIA_Win_Dlrat_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "7bb91210-a1a6-58a8-9c5b-ff8edf88b110" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dlrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dlrat_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dlrat_auto.yar#L1-L134" license_url = "N/A" logic_hash = "a3f1e1206cd1c309e34cacc09c3103fc944a2e61c558b93390de2cb1efae2fc5" score = 75 
@@ -131237,9 +131981,9 @@ rule MALPEDIA_Win_Dlrat_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -131263,36 +132007,36 @@ rule MALPEDIA_Win_Emdivi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef5b2254-03f0-58f4-b962-bbb2c39fe141" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b250a38-8a48-5c38-8c97-641fef80d82d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.emdivi_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.emdivi_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "a232eb74848fdd496e4591cb6ccd862ae9760c83f1359caadd1d0bedc4ecfd7c" + logic_hash = "f6e7363d6344c0f3090662aede939b2a7861d4f22a9013a66d4b159511f51ccf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1e304 83e203 3355f8 33fb } - $sequence_1 = { e8???????? ff75ec 8ad8 c0fb02 } - $sequence_2 = { e8???????? c3 beff010000 56 } - $sequence_3 = { e8???????? 0ad8 59 881f } - $sequence_4 = { e8???????? 99 2bf7 f7fe 8bc2 } - $sequence_5 = { 0f8785000000 8a45ff c0fb04 c0e002 0ad8 881f } - $sequence_6 = { f7fb 5b 6a07 03f8 8bc1 } - $sequence_7 = { e8???????? 8bd8 8bc6 59 c6432000 8d7801 } - $sequence_8 = { 83ec10 8bfc 8db5f4f2ffff a5 a5 a5 } - $sequence_9 = { 385d08 7513 53 53 6a01 53 53 } + $sequence_0 = { 8d45f8 50 8d45d0 50 8955fc e8???????? 
} + $sequence_1 = { 85c9 7405 394df8 7765 ff75f0 e8???????? } + $sequence_2 = { e8???????? 83c40c eb02 33db 3bdf } + $sequence_3 = { f7fe 8bc2 03c7 5f 5e } + $sequence_4 = { 8a0401 3ac3 750a c68415b4fdffff2c eb07 } + $sequence_5 = { 8bec 83ec18 53 56 57 8bf8 83ff01 } + $sequence_6 = { f7fb 5b 6a07 03f8 8bc1 99 } + $sequence_7 = { e8???????? eb1f 8bc6 e8???????? ff7508 } + $sequence_8 = { 55 8bec 53 56 6a03 5b } + $sequence_9 = { 8b749104 8bfb c1ef05 8bc6 } condition: 7 of them and filesize < 581632 
@@ -131302,36 +132046,36 @@ rule MALPEDIA_Win_Akira_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9957fbe0-0809-5ea9-92e6-35285e3e151d" - date = "2026-01-05" - modified = "2026-01-06" + id = "c426bd5b-8805-5b66-8daf-ba1d072bce3f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.akira_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.akira_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "3bec6caf716d6a1efb83aa954ea803db62de6e65cc0a5401d25e2d0c788df4d4" + logic_hash = "c1aab8eddda1d3480074bed6d80c6e71287cefda313e66277925e225b843ef1f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb64718 8807 4863c1 48893cc2 e9???????? 0fb64718 8807 } - $sequence_1 = { 498d4f18 e8???????? 84c0 742d 498d5718 488d8f18030000 } - $sequence_2 = { 6642833c4000 75f5 488d559d 488d8de0080000 e8???????? 90 c645a700 } - $sequence_3 = { e9???????? 488d8a20140000 e9???????? 488d8a40140000 e9???????? } - $sequence_4 = { ffc3 48ffc0 4883f806 7cee 488bcf e8???????? 
488b5c2450 } - $sequence_5 = { 4883c108 488b01 48c70100000000 4889442460 bb04000000 4885f6 744e } - $sequence_6 = { 0f8456ffffff eb05 4084f6 7407 41c60630 49ffc6 498bd4 } - $sequence_7 = { 488bda 4533ed 41f7411800400000 7528 410f1000 0f2945c0 4c8b11 } - $sequence_8 = { f00fc181a4000000 83f801 7506 e8???????? 90 488bc3 4883c420 } - $sequence_9 = { 48895110 4c8bc7 418bd6 e8???????? 4088341f e9???????? 488bc7 } + $sequence_0 = { eb0f 48890f 8b45c7 894710 8b456f 894714 33c0 } + $sequence_1 = { c3 4055 4883ec20 488bea b818010000 48038520010000 48898598000000 } + $sequence_2 = { 4156 4883ec20 65488b042558000000 488bf9 b904000000 bd01000000 896a30 } + $sequence_3 = { e9???????? 488d8a60120000 e9???????? 488d8a80120000 e9???????? 488d8aa0120000 e9???????? } + $sequence_4 = { 8bc1 660f1f440000 48833cc200 7426 ffc1 48ffc0 4883f806 } + $sequence_5 = { ff5020 88442430 0f57c0 0f11459f 48c745af01000000 41bf0f000000 4c897db7 } + $sequence_6 = { 4533c0 488bd7 488d4dcf e8???????? 90 4c8d4dcf } + $sequence_7 = { ffd2 90 488d55c7 488bce e8???????? 4533f6 4c3975e7 } + $sequence_8 = { 75ab 0f2845bf 488b4d5f 0f1101 4c8d75cf 48837de710 } + $sequence_9 = { e8???????? 8b0d???????? ff15???????? 4885c0 7423 488b4808 } condition: 7 of them and filesize < 1286144 
@@ -131341,36 +132085,36 @@ rule MALPEDIA_Win_Bhunt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4af1ffc-8c62-52d5-b468-d6549e9f3fe4" - date = "2026-01-05" - modified = "2026-01-06" + id = "a9facee3-4dd7-5260-beba-bcbcd37dd8ee" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bhunt_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bhunt_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "00be53192993cb157d23710f27883aec97e607f299251d85f4a360507da1c6b0" + logic_hash = "8f9d238e1873602c1f1d2a51ceae3644628925cd92168059944cf247081c2cfb" score = 50 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f6c643 f65f47 146d 80739aea 7cf9 ed cf } - $sequence_1 = { ff7510 8d442414 50 8984240c070000 e8???????? 8bb42404070000 68???????? } - $sequence_2 = { 50 e8???????? 8d86001c0000 50 8d85b6f3ffff 50 e8???????? } - $sequence_3 = { 6613c6 8b07 84c8 f8 8dbf04000000 66f7c76d13 33c3 } - $sequence_4 = { 83c40c 6a03 bbfb020000 e8???????? 50 56 e8???????? } - $sequence_5 = { 83e01f c1f905 8b0c8d00e04900 c1e006 8d44010c 50 e8???????? } - $sequence_6 = { 85c0 751f 8b4518 0118 33c0 5f 5e } - $sequence_7 = { 46 56 68???????? 56 56 e8???????? 85c0 } - $sequence_8 = { fc 8e04a5???????? 
33ef aa 3417 ed b877eefc1d } - $sequence_9 = { 2522e9fb64 794f 8b00 9a5250f0069a5c 2640 2e9b 1a489f } + $sequence_0 = { 59 eb0a 68???????? e8???????? 59 8b742430 ff442418 } + $sequence_1 = { 50 81c768030000 57 e8???????? c745f001000000 83c40c 8b7dfc } + $sequence_2 = { ff73f4 8bc6 ff30 e8???????? 59 59 8b43e4 } + $sequence_3 = { 63e2 4d 0fbfd8 50 6641 ffc5 4c } + $sequence_4 = { 8945c8 8b4308 8945cc 68???????? eb0c 68???????? eb05 } + $sequence_5 = { 57 9d 43 b4a2 99 0bdd 4b } + $sequence_6 = { 81ef04000000 8b07 33c3 f9 f8 2d1f6f2761 f9 } + $sequence_7 = { ff7304 ff75fc e8???????? e9???????? 8b7dfc e8???????? 85c0 } + $sequence_8 = { ff73e4 eb0f 0fb643b4 50 ff73e4 6a00 } + $sequence_9 = { 8b86f3c0ac70 26100a d804d4 f8 a6 3f 13f1 } condition: 7 of them and filesize < 19161088 
@@ -131380,75 +132124,114 @@ rule MALPEDIA_Win_Breakthrough_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52cb4cda-5730-54cc-9d0c-9a1defab8d55" - date = "2026-01-05" - modified = "2026-01-06" + id = "e645845e-c3b6-5403-ab57-d1895ba4ee25" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.breakthrough_loader_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.breakthrough_loader_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "4417981ceb1c9a0093d9616e44b7782cd49e18f4737822a85a59217b8658f0b2" + logic_hash = "72f018ae6839e189f46ae35cc609987afd77297bc81d0ddccfad97886fb913f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb06 8b3d???????? 8b4df4 85c9 7403 } - $sequence_1 = { 50 57 ff15???????? 85c0 740a ba???????? e8???????? } - $sequence_2 = { 83c408 83f8ff 742a 8b75f8 8bce 8935???????? } - $sequence_3 = { ff5220 83e800 7412 83e801 7411 8b4c2424 } - $sequence_4 = { 56 57 8965f0 8955dc bb???????? 895de4 33ff } - $sequence_5 = { 7408 8b10 8bc8 6a01 ff12 5f 5e } - $sequence_6 = { 8b048540354500 f644012880 745d 8d45d8 50 ff75e4 ff15???????? } - $sequence_7 = { 85c0 7fb4 837dc810 8d4db4 0f434db4 33c0 } - $sequence_8 = { ff75e4 e8???????? 
8b7508 c746140f000000 } - $sequence_9 = { 895de4 8b049d40354500 8945d4 8955e8 8a5c1029 } + $sequence_0 = { c745dc02000000 c745e004844400 8b4508 8bcf 8b7510 dd00 8b450c } + $sequence_1 = { 8bec 83ec0c 53 56 c745fc00000000 57 } + $sequence_2 = { 8bf0 85f6 7441 8b442410 8d8c24e0000000 } + $sequence_3 = { c745a800000000 83c410 c6459800 3bf0 740c 2bc6 } + $sequence_4 = { 57 ffd3 a3???????? 85c0 0f84c1000000 68???????? } + $sequence_5 = { 881418 8d442420 837c243410 89742430 0f43442420 } + $sequence_6 = { f0ff08 899e8c000000 33c0 899e90000000 c706???????? c7869400000048724400 c78698000000c8734400 } + $sequence_7 = { 8955f4 8d4801 894df0 90 } + $sequence_8 = { e9???????? 8b443e50 6a00 6800000008 } + $sequence_9 = { 59 83f80a 7336 8b4d98 83f924 7d0f 8a8080244400 } condition: 7 of them and filesize < 753664 } +rule MALPEDIA_Win_Petit_Potato_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "faf42773-999a-5989-b81d-5811249c6943" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petit_potato" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.petit_potato_auto.yar#L1-L130" + license_url = "N/A" + logic_hash = "c1d02b88a45c3b14c7fe722ea8aece32c4629095fd0d70f6525501e57f2d48a5" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 4889442450 488b442450 4889842400060000 48b8501adcae54c47955 4889442450 } + $sequence_1 = { 48898520020000 488bf9 33f6 0f57c0 33c0 0f114540 0f114550 } + $sequence_2 = { 48c785080300000f000000 
0f1f840000000000 49ffc0 46382400 75f7 488d9510010000 488d8df0020000 } + $sequence_3 = { b902000000 488d154e300100 e8???????? 4885c0 7415 488b4c2460 4c8bcb } + $sequence_4 = { 4889442420 e8???????? 488d2d7f400100 4c8d0578410100 498bd5 498bce e8???????? } + $sequence_5 = { 488b442430 48897c2430 48898598060000 488b442430 4889742430 488985a0060000 488b442430 } + $sequence_6 = { 660f6f8c24c0000000 660fef8c2470090000 660f7f8c24c0000000 660f6f8424d0000000 660fef842480090000 660f7f8424d0000000 660f6f8c24e0000000 } + $sequence_7 = { 4d85c0 7e2d 482bfe 488d1d25c7fdff 8a0437 } + $sequence_8 = { 488d4c2420 0f1102 e8???????? 488d05bde80100 488903 488bc3 4883c430 } + $sequence_9 = { 488d1d96de0200 488d05a7de0200 480f44d8 ba01000000 488d4c2420 e8???????? 4c8bc0 } + + condition: + 7 of them and filesize < 628736 +} rule MALPEDIA_Win_Spectre_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ab060ee1-08ad-588e-8d49-1ae94553e1b3" - date = "2026-01-05" - modified = "2026-01-06" + id = "00684289-4d32-5a20-98ac-86aa2fc22f4d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spectre" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spectre_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spectre_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "84c50bd871d13f0a4f1a8853e9cdfc23094379080d0055ac204b2f23d3a74297" + logic_hash = "631c501823e25a6714576acdf9016c9f529899c48be9ff3a59f7c88054cb0a11" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + 
malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bce 50 ff750c ff7508 e8???????? 8d4de4 e8???????? } - $sequence_1 = { 6bc938 53 56 8b048538324700 8b7508 57 8bfe } - $sequence_2 = { 8d4d20 e8???????? 8b4dfc 33cd 5e e8???????? c9 } - $sequence_3 = { 50 e8???????? 8b8424b4000000 83c434 8b4c247c 2bc1 83e830 } - $sequence_4 = { c605????????01 e8???????? eb0c 881d???????? 881d???????? 8b442448 bb00100000 } - $sequence_5 = { 8bcf 89442420 e8???????? 89442410 8bc3 2b442414 6a18 } - $sequence_6 = { 6a01 be???????? 8d8de4feffff 56 e8???????? 8d454c 50 } - $sequence_7 = { 8b4e0c b8ffffff7f 2bc1 3bc3 7279 83651000 8d4510 } - $sequence_8 = { 8d8c24fc010000 e8???????? 8d8424f8010000 50 8d842454010000 68???????? 50 } - $sequence_9 = { e8???????? 8b44242c 83c40c 0430 89442420 8b44245c 8b542420 } + $sequence_0 = { 6a0c 5b 8b4604 2b06 99 f7fb 8bf8 } + $sequence_1 = { 894804 894808 eb02 33c0 894520 56 8bc8 } + $sequence_2 = { 8d8424f4000000 50 57 8d442454 56 50 e8???????? } + $sequence_3 = { 897df8 885de4 e8???????? 8b4dfc 8bc6 5f 5e } + $sequence_4 = { eb29 57 8d4dc8 e8???????? 8d45c8 8bce 50 } + $sequence_5 = { 80791300 740c 33c0 80340847 40 83f814 72f6 } + $sequence_6 = { ffd6 6a12 ffd6 6a14 ffd6 6a11 ffd6 } + $sequence_7 = { 8d85dcfdffff 50 56 e8???????? 59 59 8d8ddcfdffff } + $sequence_8 = { 50 8d442454 50 e8???????? b9???????? 83c40c 3bc1 } + $sequence_9 = { e8???????? 83c418 83ec18 8d45e4 8bcc 50 895910 } condition: 7 of them and filesize < 990208 
@@ -131458,36 +132241,36 @@ rule MALPEDIA_Win_Open_Carrot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "83f461b8-8266-54de-aecf-ccf2d96f380a" - date = "2026-01-05" - modified = "2026-01-06" + id = "dadc219e-ff11-50c2-a306-4898e5118184" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.open_carrot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.open_carrot_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.open_carrot_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "e66ea48fe876b6e65527515af0e78a716fad581d1208dc43cfdbcb201ec0f71a" + logic_hash = "b027bfe178713589e12c0e71da6febe9ea05a10388e8fab3b8164ea80b002904" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66894110 837de801 0f8588000000 488bc7 80bdfa00000001 7545 0f1f440000 } - $sequence_1 = { e8???????? 4863d7 4c8d05dbdc0f00 41b9e3010000 498bce e8???????? 418bc7 } - $sequence_2 = { 80fb00 0f846c000000 4d31e5 4881e700080000 49c7c501000000 4989eb 4881e190000000 } - $sequence_3 = { 55 48bd612fef7700000000 48016c2408 5d 8f042b 48812c2b612fef77 50 } - $sequence_4 = { 4d29c9 0137 4981e13f000000 4889eb 4881c306010000 4d09c1 2933 } - $sequence_5 = { 8bd6 488d8d10070000 e8???????? 85c0 400f94c7 eb03 4032ff } - $sequence_6 = { e8???????? 498bcd e8???????? 
448b442434 4c8d0dc8cb0d00 ba72000000 c744242082020000 } - $sequence_7 = { 4c8d8594080000 4489b520030000 bacc010000 488d8d24030000 e8???????? 448bad20030000 448b4c2438 } - $sequence_8 = { 68bc5c574f 4150 4d89f0 4150 8f442408 4158 8f0424 } - $sequence_9 = { 488d1575381000 41b872010000 e8???????? 48638300020000 4c89bcc380000000 48638300020000 488b6c2448 } + $sequence_0 = { 4981c700000000 490fb71f 4881cf3f000000 4989ed 4981c50a000000 412b5d00 } + $sequence_1 = { 7f74 f6c304 756f ba76000000 c7442420ad000000 4c8d0dda0d1000 8d4a98 } + $sequence_2 = { c3 488d05b24b0600 c3 488d05da4b0600 c3 488d05fa4b0600 c3 } + $sequence_3 = { 498bcc 488d155bf51000 e8???????? 8d4720 41b87e000000 4863c8 488d1543f51000 } + $sequence_4 = { e8???????? 85c0 7422 ba75000000 c744242055000000 4c8d0dd85f0a00 8d4ab9 } + $sequence_5 = { c702ff000000 8d41fd 4883c440 5b c3 33c9 4c8d0d03d91000 } + $sequence_6 = { 8bd8 488d0569660900 48c1e304 4803d8 74d7 8b4b08 e8???????? } + $sequence_7 = { 66833c4300 75f6 4898 66448974432e 488d43fe 0f1f840000000000 488d4002 } + $sequence_8 = { 4989eb 4c31e9 4981c327000000 41810352a65858 4d29d4 4881c900000080 4989eb } + $sequence_9 = { e8???????? 85c0 0f8551010000 488d4db3 e8???????? 85c0 0f852b010000 } condition: 7 of them and filesize < 8377344 
@@ -131497,36 +132280,36 @@ rule MALPEDIA_Win_Green_Dispenser_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "954f1c32-9e66-5f40-9a6c-8af93a40211b" - date = "2026-01-05" - modified = "2026-01-06" + id = "f68f99bd-67a1-5d16-ab8e-4b1776b63b08" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.green_dispenser" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.green_dispenser_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.green_dispenser_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "4d0e3b4ff260054d419dc5677f1ac18d6112aade6736ec0a9f2b7f8946b1fdb4" + logic_hash = "43c9d3a0c017d323803714c391c503baf5f0bb9068bbac7ba368336725aa1907" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c404 897508 895dfc 85f6 7453 8b450c 895e08 } - $sequence_1 = { 8d3c9e 03c2 03fa 49 } - $sequence_2 = { ffb554fbffff e8???????? 83c404 ff75d0 ff15???????? 8bbd9cfbffff 8b8da0fbffff } - $sequence_3 = { 8b7d08 85ff 747e 391f 757a 6a18 e8???????? } - $sequence_4 = { c1f803 b9???????? 8d3c9530df4200 8b11 2b17 3bd0 } - $sequence_5 = { 50 8b8530e5ffff c645f40d 8b048550aa4500 ff3406 } - $sequence_6 = { 0f841d010000 397e04 0f8e14010000 8b4e08 894dec 51 8bd7 } - $sequence_7 = { 6a00 68???????? ff75e8 0f57c0 660fd645f1 c745ec09000000 ff15???????? 
} - $sequence_8 = { 8bec 53 56 8b750c 57 8bfa 83fe03 } - $sequence_9 = { 7436 ba02000000 e8???????? 8945fc 85c0 74bf 8bd0 } + $sequence_0 = { 83c1fe 57 03f1 b8???????? bf05000000 0fb648fe 880e } + $sequence_1 = { 8b4df0 8b45fc 0375f8 037df4 41 83c404 83c310 } + $sequence_2 = { 7e07 83ff1a 0f9fc0 40 8b3485f8e34200 8b4304 99 } + $sequence_3 = { f6d2 80e201 32d3 8816 8b55fc 8b5d08 41 } + $sequence_4 = { 6a08 8bf9 e8???????? 8bf0 83c404 85f6 740d } + $sequence_5 = { 8845f9 8d45ec 50 8d45f0 50 6a00 6a00 } + $sequence_6 = { 747f 83fb03 7d34 e8???????? c70016000000 8b770c } + $sequence_7 = { 740a 48 740a 48 48 7568 40 } + $sequence_8 = { 8b048550aa4500 f644180401 7418 ff7514 ff7510 ff750c 57 } + $sequence_9 = { 57 8bf9 6a08 8bda 897dfc e8???????? } condition: 7 of them and filesize < 838656 
@@ -131536,36 +132319,36 @@ rule MALPEDIA_Win_Orpcbackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cd974481-8117-5632-aade-5ef10c39e2d5" - date = "2026-01-05" - modified = "2026-01-06" + id = "b1469adc-1aed-5d92-a8e2-21f306040afe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orpcbackdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.orpcbackdoor_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.orpcbackdoor_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "dd9da45feb732da3d95212bca52a2ed758b546277cb96d095b747d85f59e36f4" + logic_hash = "7cbc299a7e1f14b797d0ab31cc299afb88e54a5cff70962d9fc7cbe7fafc04f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d45a4 50 e8???????? 59 6a0b 59 8bf0 } - $sequence_1 = { 8b4df0 e8???????? 8945d8 33c0 8b4de4 83c101 } - $sequence_2 = { e8???????? 8d8d18ebfeff e8???????? 8d8d48f4feff e8???????? 8d8d30f4feff e8???????? } - $sequence_3 = { 50 8d8de8ecffff e8???????? ff30 8d8d10e9ffff e8???????? } - $sequence_4 = { 50 e8???????? 59 8845d4 8d45d0 50 8d45f8 } - $sequence_5 = { 8b85ccfdffff 8b00 ffb5ccfdffff ff5024 89859cfdffff 8d8d50fdffff e8???????? } - $sequence_6 = { 750a 68???????? e8???????? 8b45f0 833822 750a 68???????? 
} - $sequence_7 = { 817df8ff0f0000 7649 8b45f0 ff704c 68ff0f0000 6a01 ff7508 } - $sequence_8 = { a1???????? 33c5 8945fc 894df0 8365e800 8b45f0 8b00 } - $sequence_9 = { eb9e 8d8508f8feff 50 8d8da0fbfeff e8???????? 6a01 8d8da8fcfeff } + $sequence_0 = { e8???????? 8bc6 c1e002 50 8b85acf8ffff 0fb70485ac820310 } + $sequence_1 = { 6a00 8b4dfc e8???????? 8b45fc c9 } + $sequence_2 = { 0f94c0 c3 c705????????80700000 33c0 c705????????01000000 c705????????f0f1ffff c705????????a0450410 } + $sequence_3 = { e9???????? 8b45e4 2b450c 8b55e8 1b5510 c9 c20c00 } + $sequence_4 = { 59 8945d4 8b45d4 8945e0 8b450c 8945d8 837d0c00 } + $sequence_5 = { 32c0 ebf7 8bff 55 8bec 0fb7450e 2500800000 } + $sequence_6 = { ff75f4 ff75d4 8d4d0c e8???????? 8d45f8 50 ff75f4 } + $sequence_7 = { ff7518 ff7510 ff750c ff7508 ff75e0 e8???????? 83c418 } + $sequence_8 = { 894244 8b4df0 e8???????? ff75f8 ff75f4 8b45f0 ff7044 } + $sequence_9 = { cc e9???????? 55 8bec 8b4d08 b8???????? 3908 } condition: 7 of them and filesize < 918528 
@@ -131575,36 +132358,36 @@ rule MALPEDIA_Win_Backbend_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c7ec5485-6e9e-5eb4-aaaa-c0daf2bd8fb9" - date = "2026-01-05" - modified = "2026-01-06" + id = "a271230c-415a-5c8b-a44e-d5381dfab9e5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.backbend_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.backbend_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "935509ae6988f2d539b3ef5a76f3b49b19110a268e5a967dacc21ae1460d274a" + logic_hash = "19465656784d958c0db9ab5bff33cc7dcae94bbfaafe0680ece5acfd15f162e8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c40c 8d45f0 c745d801000000 66c745dc0500 50 } - $sequence_1 = { 56 ffd3 6a00 8d8500ffffff } - $sequence_2 = { c3 8b442404 8a08 84c9 7408 80e904 } - $sequence_3 = { ebf2 c3 55 8bec 81ec0c010000 } - $sequence_4 = { 6860ea0000 ffd6 33c0 8d8d00feffff 50 } - $sequence_5 = { 50 e8???????? 8d8500fbffff 53 50 e8???????? } - $sequence_6 = { c605????????43 ff15???????? 8bf0 68???????? } - $sequence_7 = { 85c0 7508 6a01 58 e9???????? 6a07 } - $sequence_8 = { 57 ffd6 85c0 740b 50 ff15???????? 
} - $sequence_9 = { c745d801000000 66c745dc0500 50 8d45ac 50 53 } + $sequence_0 = { 8d8500ffffff 50 ff15???????? 85c0 7416 8d8500fbffff } + $sequence_1 = { 6800020000 50 e8???????? 8d8500fbffff 53 } + $sequence_2 = { 50 8d8500ffffff 50 ff15???????? 85c0 7416 8d8500fbffff } + $sequence_3 = { 68e8030000 ffd6 ff7510 ffd3 } + $sequence_4 = { ff15???????? 80a40500ffffff00 8d8500ffffff 56 50 ff15???????? } + $sequence_5 = { e8???????? 8d8500f9ffff 50 e8???????? } + $sequence_6 = { e8???????? 68???????? 56 e8???????? 8d8500fdffff 56 50 } + $sequence_7 = { 56 8bf8 ff15???????? 68???????? ff7508 } + $sequence_8 = { e8???????? 8d8500f9ffff 56 50 e8???????? } + $sequence_9 = { 57 e8???????? 83c410 6860ea0000 ffd6 33c0 } condition: 7 of them and filesize < 49152 
@@ -131614,36 +132397,36 @@ rule MALPEDIA_Win_Darktequila_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b84bd16-ca3f-5431-937c-08f7f5b85ab2" - date = "2026-01-05" - modified = "2026-01-06" + id = "5a67a969-bfb9-557e-a75e-d8c883c33482" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darktequila_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darktequila_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "33ae748771a6cb26fc0c416897ca1e808c4fe1a22bddffab51a85bc073a3f977" + logic_hash = "863eb34f8c97db9cf3d6e4d8f74e632c37a5c5b226f09062b7b2658ea826e6f7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { a1???????? 894604 8bc6 5e c3 8bff } - $sequence_1 = { 33c5 8945fc 33c0 53 8bd9 33c9 } - $sequence_2 = { 83c00d b901000000 ba???????? e8???????? } - $sequence_3 = { 894df8 e8???????? 83c410 8bf3 e8???????? } - $sequence_4 = { 40 83f838 72dc b8???????? c3 33d2 3915???????? } - $sequence_5 = { 83f818 72dc b8???????? c3 } - $sequence_6 = { 85c0 7466 8b4b0c 8b5310 } - $sequence_7 = { 884ddf 8945e0 8945e4 8945e8 8945ec } - $sequence_8 = { 4a 7419 83ea02 753c 8b4508 } - $sequence_9 = { e8???????? 85c0 742e a1???????? 8d5001 } + $sequence_0 = { 83c410 8bf3 e8???????? 
8b45fc 8b4df8 8b55f4 } + $sequence_1 = { 85c0 7466 8b4b0c 8b5310 894df4 8b4b08 51 } + $sequence_2 = { 037d0c 7509 8bf3 e8???????? eb65 3b7b04 } + $sequence_3 = { b81b000000 e8???????? 50 57 ffd6 a3???????? 85c0 } + $sequence_4 = { 8b15???????? 51 52 bb???????? } + $sequence_5 = { 83f814 72dc b8???????? c3 33d2 3915???????? 0f859c000000 } + $sequence_6 = { 50 53 51 ff15???????? 8bf8 5f 895e10 } + $sequence_7 = { 7412 8b16 8bc8 85d2 } + $sequence_8 = { c604085c 8b5310 52 ff15???????? } + $sequence_9 = { cc 8bff 55 8bec 81ecd0020000 a1???????? 33c5 } condition: 7 of them and filesize < 1827840 
@@ -131653,36 +132436,36 @@ rule MALPEDIA_Win_Ransomhub_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3e3a1e40-e1d1-52bd-84f7-e9d4fbcb059d" - date = "2026-01-05" - modified = "2026-01-06" + id = "7f0dcd12-657d-5b0f-8e9a-ee3005dc36b9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomhub" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ransomhub_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ransomhub_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "04cb851589645119dff5d45b0c40a2835781fcc030d792f49fd4c3e1be1bf3b4" + logic_hash = "bb77ad35ebd6a8974aeb3f02e410ce4c914bb83c0cb552b114febdf9722d7214" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb0f 488d3dbb5d5100 0f1f00 e8???????? e8???????? 48891d???????? 833d????????00 } - $sequence_1 = { e8???????? 488d3d03f63300 0f1f00 e8???????? e8???????? 4889842430190000 48899c24b00a0000 } - $sequence_2 = { bb07000000 488bac2488000000 4881c490000000 c3 488d058db90b00 bb07000000 488bac2488000000 } - $sequence_3 = { bf01000000 488b8424f00b0000 e8???????? 4c8b8c24f00b0000 41ff8980000000 488b8c2488030000 488b8424b8030000 } - $sequence_4 = { b90f000000 e8???????? 48898424000e0000 48899c24b8000000 488b15???????? 
48899424c0110000 488d0580fd2800 } - $sequence_5 = { 48c744243400000000 0fb6542449 0fb6742443 01f2 0fb6742442 0fb67c244c 440fb6442457 } - $sequence_6 = { eb09 4889c7 90 e8???????? 488d05d40d2f00 488b5c2438 488d0db3af3300 } - $sequence_7 = { 4d8d0cb0 4d8d49fc 450fb609 488d4701 4839c1 0f86ff000000 4829f2 } - $sequence_8 = { c3 80fb2d 0f85be010000 8400 833d????????00 750c 488d0dbdfa2800 } - $sequence_9 = { e8???????? 4889442428 48c70000000000 488d05b41b0700 e8???????? 4889442420 488d05a3ea0900 } + $sequence_0 = { e8???????? 488d7810 e8???????? e8???????? 4889c1 4889df 488d05d9992200 } + $sequence_1 = { 88442446 4c89d0 bf01000000 488d35d42c2a00 e8???????? 488b7c2458 48894f10 } + $sequence_2 = { 48bad56e6ff840cf319f 4889542450 48ba85ddfddbb9232823 4889542458 440f117c242c 440f117c242e 0fb6542442 } + $sequence_3 = { b801000000 eb0f 89d0 4c8b5c2448 488b942498000000 84c0 0f84d1010000 } + $sequence_4 = { 4c8d25aaa35600 4f8b2cd4 48d3e2 4c21ca 4f8d0452 4e8b4cc010 4e8b04c0 } + $sequence_5 = { 752f 4889d8 4889cb 488d0d722c3800 e8???????? 84c0 7566 } + $sequence_6 = { 807e3100 0f8585010000 90 beffffffff 4c8d054f835d00 f0410fc130 488b7128 } + $sequence_7 = { e8???????? 0f1f00 4885c0 7444 90 48ba046957830785f12d 4889542471 } + $sequence_8 = { b805000000 488d0d09151a00 4889c3 4889c8 488b6c2430 4883c438 c3 } + $sequence_9 = { 90 7512 488b4c2458 48894808 488905???????? eb1d 488d7808 } condition: 7 of them and filesize < 12821504 
@@ -131692,42 +132475,42 @@ rule MALPEDIA_Win_Spyder_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b0ab008-5fca-5304-bb77-2526da47aa2d" - date = "2026-01-05" - modified = "2026-01-06" + id = "49c2f7a4-c2df-5588-ba40-2ef1012f45f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spyder_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spyder_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "12d22cf7781abc3ab19a5f3d98a04aaf02d5caaba80e64280fab23edd5e8d3b7" + logic_hash = "1f2f2b8b3552c904a7bda16aac06661c245bdc415e25af6bcbb29062971d99e1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d057a150000 488905???????? 488d0590200000 488905???????? 488d0576150000 488905???????? } - $sequence_1 = { 488bc8 ff15???????? 488d15385f0000 488bce 488905???????? ff15???????? } - $sequence_2 = { 4181f9000000c0 7532 4585d2 756e 488d4b04 4c8d05563e0000 } - $sequence_3 = { 4c8d05fc890000 498bd4 488bcd e8???????? 85c0 } - $sequence_4 = { 486bd258 488b04c1 488d4c1010 48ff25???????? 48895c2408 57 } - $sequence_5 = { 4c8bd8 488905???????? 4885c0 7422 488d15795e0000 488bce ff15???????? } - $sequence_6 = { 488d0d68a10000 e8???????? 488d1584a10000 488d0d75a10000 e8???????? 
90 } - $sequence_7 = { 443bce 753c 4585d2 7537 488d4b04 4c8d05173e0000 418d5216 } - $sequence_8 = { 6803010000 f3ab 66ab aa 8d442414 50 } - $sequence_9 = { 8b4c2414 81e2ffff0000 25ffff0000 52 8b542416 } - $sequence_10 = { ff15???????? 5f 5e b801000000 5b 81c47c150000 c3 } - $sequence_11 = { 8bec 8b4508 ff348570370910 ff15???????? 5d } - $sequence_12 = { c1f805 8d3c85204b0910 8bc3 83e01f } - $sequence_13 = { 8944241a 66895c2410 668944241e ff15???????? 8b542418 8b442416 } - $sequence_14 = { f3ab 8b8c248c150000 8d942488010000 66ab aa 8d842490150000 } - $sequence_15 = { b918000000 33c0 8d7c2431 885c2430 } + $sequence_0 = { 33db 48391d???????? 488bf8 0f85d5000000 488d0d935f0000 } + $sequence_1 = { 33c9 ff15???????? 488d0d63880000 ff15???????? 833d????????00 750a b901000000 } + $sequence_2 = { 85c0 755a 488d0d13330000 e8???????? 488d1da7a20000 488d3da8a20000 } + $sequence_3 = { 488905???????? ff15???????? 488bc8 ff15???????? 488d15005f0000 } + $sequence_4 = { 488d15385f0000 488bce 488905???????? ff15???????? } + $sequence_5 = { 4883ec48 488364243000 8364242800 41b803000000 488d0d84340000 } + $sequence_6 = { 4c8d05ca930000 388c2498000000 0f94c1 4803da 4803d9 482bfb } + $sequence_7 = { e8???????? b905000000 4885c0 0f44d9 8bc3 4883c420 } + $sequence_8 = { 6800100000 51 55 ffd6 8b742418 8b4f54 } + $sequence_9 = { c1f905 83e01f 8b0c8d204b0910 8d04c0 8d0481 8b4dfc 8b09 } + $sequence_10 = { ffd3 8b4750 8b4f34 8b35???????? } + $sequence_11 = { bf???????? 8d3452 f3ab c1e604 aa 8d9e903d0910 } + $sequence_12 = { 7372 8bc3 c1f805 8d3c85204b0910 8bc3 } + $sequence_13 = { 83c604 ebed 5e c3 a1???????? 56 6a14 } + $sequence_14 = { e8???????? 83c42c 5f eb26 8d4508 8db6ec3c0910 6a00 } + $sequence_15 = { 0f8794000000 8088014a091004 40 ebee } condition: 7 of them and filesize < 1458176 
@@ -131738,10 +132521,10 @@ rule MALPEDIA_Win_Mapiget_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "90931f84-8d97-5d03-9fd8-5157c4363161" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mapiget_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mapiget_auto.yar#L1-L119" license_url = "N/A" logic_hash = "db2ad0ac6ed98d9fe4028516eb88a6adb15c290b65682d6ffe66f99e185c09f3" score = 75 @@ -131750,9 +132533,9 @@ rule MALPEDIA_Win_Mapiget_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -131776,36 +132559,36 @@ rule MALPEDIA_Win_Deputy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5f636daa-92f3-5297-9096-cf07f3905b0c" - date = "2026-01-05" - modified = "2026-01-06" + id = "7db16092-0da1-599b-abab-2765f76fa711" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deputy_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deputy_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "ca97585f0db258f9fdf08cb077c29b43b172f7ef4964d85d883e4007934393d7" + logic_hash = "2a3428ced3ea55a0459ee797c020f5b50c9a870d36ca8f3e9417e12dbd141c51" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 6808020000 50 8d85e4f9ffff 50 e8???????? 83c40c } - $sequence_1 = { 58 6bc000 c780ac40001002000000 6a04 } - $sequence_2 = { 8d0436 50 6a00 57 8985ccf9ffff e8???????? } - $sequence_3 = { ff15???????? eb6c 56 57 } - $sequence_4 = { 50 ff510c 85c0 0f85b0030000 } - $sequence_5 = { 8d85d0f9ffff 50 68???????? 68???????? ff15???????? 85c0 } - $sequence_6 = { 59 c3 e8???????? 85c0 0f843f070000 } - $sequence_7 = { 0f1005???????? 66a1???????? 2bca d1f9 0f11844df4fdffff 6689844d04feffff 85db } - $sequence_8 = { e8???????? 83c40c 8d85ecfbffff 6804010000 50 ff35???????? 
} - $sequence_9 = { ffb5c8f9ffff 8bd8 8d85e0f9ffff ffb5ccf9ffff 56 53 50 } + $sequence_0 = { 81ec38060000 a1???????? 33c5 8945fc 6808020000 8d85ecfbffff } + $sequence_1 = { 8d7202 0f1f840000000000 668b02 83c202 6685c0 75f5 8d0409 } + $sequence_2 = { 8d5102 668b01 83c102 6685c0 75f5 0f1005???????? 66a1???????? } + $sequence_3 = { 2bd1 8bcf d1fa 8d7102 668b01 83c102 6685c0 } + $sequence_4 = { 7509 57 ff15???????? eb6c 56 57 } + $sequence_5 = { 6a00 57 8985ccf9ffff e8???????? 8d95ecfbffff 83c410 8d4a02 } + $sequence_6 = { 83c202 6685c0 75f5 2bd1 8bcf d1fa 8d7102 } + $sequence_7 = { 85c0 0f85d5030000 8b85d0f9ffff 8d95d4f9ffff 52 } + $sequence_8 = { 52 68???????? 68???????? 8b08 50 ff510c } + $sequence_9 = { 85c0 0f843f070000 c3 6a00 e8???????? 59 } condition: 7 of them and filesize < 51200 @@ -131816,10 +132599,10 @@ rule MALPEDIA_Win_Supernova_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "b0d23010-e706-5a6c-87f1-b10df99d0461" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.supernova_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.supernova_auto.yar#L1-L116" license_url = "N/A" logic_hash = "3eb1ef4641d5ab988a67e433660b28cc5e0a8f3de783c5473bb118a467afaed4" score = 75 
@@ -131828,9 +132611,9 @@ rule MALPEDIA_Win_Supernova_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -131854,36 +132637,36 @@ rule MALPEDIA_Win_Kugelblitz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db17bbb0-50e5-5fe6-929a-1431a26aafbe" - date = "2026-01-05" - modified = "2026-01-06" + id = "f64354f5-4a94-5810-a35f-987cafd4bd97" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kugelblitz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kugelblitz_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kugelblitz_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "4575fda7b8a74c948e62c70a1906fcade3b297881f83d4f61f7fa59414771962" + logic_hash = "59471ccdfb15903a9f2fa3b118377bbd14277cdcb24b0f2e5b2bde09d5d88951" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 448bc0 83f8ff 0f8405010000 0f1f440000 488b4de8 } - $sequence_1 = { c3 488d0511430000 c3 488d0501430000 c3 } - $sequence_2 = { 4053 4883ec20 488bd9 488d0580230000 488901 } - $sequence_3 = { 4883c227 488b49f8 482bc1 4883c0f8 4883f81f 7669 } - $sequence_4 = { 483bd3 0f8727010000 48896c2430 4883ca07 488b6918 } - $sequence_5 = { 488d542448 488d4c2470 480f47542448 e8???????? 488b442470 } - $sequence_6 = { 488d0da2410000 e8???????? 85c0 742e 32c0 eb33 } - $sequence_7 = { 33db eb49 4881f900100000 7238 } - $sequence_8 = { 4a8d1409 e8???????? 
48895de8 488b8f80000000 ff15???????? } - $sequence_9 = { 488b442470 4533c0 ba02000000 48634804 488d442470 } + $sequence_0 = { 488d4b01 483bc8 0f87d8000000 4803c9 7513 } + $sequence_1 = { e8???????? 8bc7 488b8d80000000 4833cc e8???????? 488bbc24b8010000 } + $sequence_2 = { 66897c2456 4d85c0 7442 48c7c2ffffffff 660f1f440000 } + $sequence_3 = { 4889b424a8010000 41b810010000 488d4c2470 e8???????? } + $sequence_4 = { 83e801 0f85af000000 488d45d0 488b5de8 483945c8 488d45d8 } + $sequence_5 = { 4883611000 488d05980f0000 48894108 488d057d0f0000 } + $sequence_6 = { 48896c2440 4c8d4c2440 4c8d442438 488d542430 } + $sequence_7 = { c705????????01000000 b808000000 486bc000 488d0d8d3f0000 } + $sequence_8 = { 48ff25???????? 488d8a30000000 e9???????? 4055 4883ec20 488bea } + $sequence_9 = { 488d158c150000 ff15???????? bf01000000 e9???????? 4c8bc6 } condition: 7 of them and filesize < 82944 
@@ -131893,36 +132676,36 @@ rule MALPEDIA_Win_Webc2_Adspace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "58de5ec4-0318-51d8-b594-608e74c6b19b" - date = "2026-01-05" - modified = "2026-01-06" + id = "0dff9713-e4cb-58e3-953c-a3fe4b8702d9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_adspace_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_adspace_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "a92489c81a6d8e641c169a9deed543e2e8352f876cddeafa8d67d22e27f031a4" + logic_hash = "2aceed9decd37a1fe606f240cdfda10cb442b0491094f3466c8db6d636f895fe" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 8d7c241d c744241400010000 f3ab } - $sequence_1 = { e8???????? 8b4c2420 2bc7 03c1 50 89442424 } - $sequence_2 = { e8???????? 8365fc00 57 56 8d4dec } - $sequence_3 = { 50 ff15???????? ff742410 e8???????? 56 e8???????? 55 } - $sequence_4 = { 50 89442438 e8???????? ff742438 ff15???????? 69c060ea0000 83c42c } - $sequence_5 = { 85c0 7408 c744241001000000 bf???????? } - $sequence_6 = { 83c40c 8bf8 8d45fc 50 a1???????? 40 50 } - $sequence_7 = { b8???????? e8???????? 81ec08010000 53 56 8b1d???????? 57 } - $sequence_8 = { ffd6 b8???????? 
5e 5b c9 } - $sequence_9 = { 83c418 8d85ecfeffff 68???????? 50 ff15???????? 85c0 a3???????? } + $sequence_0 = { 53 e8???????? ff7510 ff15???????? } + $sequence_1 = { 8bc1 c3 c20400 8b442408 48 } + $sequence_2 = { 8d4dec e8???????? 6a0a ff15???????? } + $sequence_3 = { 6a03 e8???????? 8b35???????? 68???????? ffd6 } + $sequence_4 = { 8d4580 6a00 50 e8???????? 46 8d4580 56 } + $sequence_5 = { e8???????? 80243b00 6a2f 53 ff15???????? 40 50 } + $sequence_6 = { 8bf0 e8???????? 6a50 59 3bc1 7609 } + $sequence_7 = { 55 e8???????? 83c40c e9???????? 56 e8???????? 55 } + $sequence_8 = { 68???????? 56 8bd8 e8???????? 6af8 } + $sequence_9 = { 89442420 e8???????? 8b4c2420 2bc7 03c1 50 89442424 } condition: 7 of them and filesize < 49152 
@@ -131932,36 +132715,36 @@ rule MALPEDIA_Win_Concealment_Troy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "85d5c577-b8ec-58e5-9740-0a0ca10b0ae9" - date = "2026-01-05" - modified = "2026-01-06" + id = "d822767a-8c04-558b-930b-6b6391ffe818" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.concealment_troy_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.concealment_troy_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "b00daac439b94b56b64f9d02955d44b706d6186abc3a4c26b1bfb61dd4d222d0" + logic_hash = "3a7e443f445eacb8c042e7be4377aac46835c47f71393e8f2e8481f78470bb38" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c744244000000000 ff15???????? 85c0 0f844cffffff 8b542424 } - $sequence_1 = { 7530 8b54240c 52 ff15???????? 53 } - $sequence_2 = { 8bc8 83e103 f3a4 8d542418 8d8c2430090000 e8???????? 85c0 } - $sequence_3 = { 3acb 75f6 6804010000 8d8c2424010000 53 } - $sequence_4 = { f3a5 66a5 83c40c a4 8d4c2418 8d642400 8a01 } - $sequence_5 = { 85c0 0f8476ffffff 6a00 6a08 6a00 } - $sequence_6 = { e8???????? 83c414 ebd0 8bc8 c1f905 8d3c8da0774100 } - $sequence_7 = { 8d8c2470050000 68???????? 51 e8???????? 
8d842478050000 83c418 8d5001 } - $sequence_8 = { b87c130000 e8???????? a1???????? 33c4 89842478130000 53 } - $sequence_9 = { 52 889c242c010000 e8???????? 6807020000 8d842441090000 53 } + $sequence_0 = { 33c0 5f 5e 5b 8b8c24580d0000 33cc } + $sequence_1 = { 741d 8bc7 c1f805 83e71f c1e706 8b0485a0774100 } + $sequence_2 = { e8???????? 8b542410 56 52 8d442434 } + $sequence_3 = { 7523 57 e8???????? 83c404 5f 5e } + $sequence_4 = { 33ff 897dfc 3b1cfd40564100 7409 47 897dfc } + $sequence_5 = { 53 897c242c e8???????? 8bf0 83c408 } + $sequence_6 = { 8bd8 8bc8 8a141e 02ca 020c07 40 32ed } + $sequence_7 = { 5b 8b8c2478130000 33cc e8???????? 81c47c130000 c3 8b542414 } + $sequence_8 = { 85ed 7521 57 ff15???????? 5d 5f } + $sequence_9 = { 8b1495a0774100 c1e006 8d440224 802080 884dfd 8065fd48 884dff } condition: 7 of them and filesize < 229376 
@@ -131971,41 +132754,41 @@ rule MALPEDIA_Win_Lcpdot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a81ecd6b-bd4a-5150-b889-dde71e2987e1" - date = "2026-01-05" - modified = "2026-01-06" + id = "76876136-343a-5c81-a02b-a18393c3d2bc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lcpdot_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lcpdot_auto.yar#L1-L156" license_url = "N/A" - logic_hash = "d5b8eea547f6e9190b9bc0d0e04ea03ad2b12f2bfb6cbcdecca904cccb5849ef" + logic_hash = "2d48af13c45dab65f9999900c2d0ab4587f4416e05b404cd63339cc6256297ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { e9???????? c705????????01000000 e8???????? 83f801 } - $sequence_1 = { 418bdc 4c89642438 4489642430 488d442430 } - $sequence_2 = { 8bf1 889d14fcffff e8???????? 8d4620 83c40c 8d5002 } - $sequence_3 = { c78560fbffff4b4c6763 c78564fbffff66975c5f c78568fbffff8d676a9b c7856cfbffff5254774f c78570fbffff51724647 c78574fbffff5d9293ab } - $sequence_4 = { 742b 488d153c300100 eb15 48ffc9 741d 448b4338 } - $sequence_5 = { 52 ff15???????? 8b85f0efffff 8b8de8efffff 8b5604 6a00 6a00 } - $sequence_6 = { e8???????? 85c0 745f 8b8db4fbffff 85c9 7e23 8b85b8fbffff } - $sequence_7 = { ff15???????? 
85c0 7468 33d2 68fe010000 } - $sequence_8 = { 741e 448b4638 4585c0 7415 488d1537380100 488d8c2440020000 } - $sequence_9 = { 8b542460 41bb00020000 4c8d0dc990ffff 458a20 4584e4 } - $sequence_10 = { 8975c8 c745dc38634100 ff15???????? 6a00 56 } - $sequence_11 = { e9???????? 488bd3 b940000000 4889ac24a8080000 } - $sequence_12 = { c74594c17e92d8 c74598a0b6d79f c7459cb6e6b8cb c745a0e5b6cad0 c745a4d0def5f5 c745a8faf2f2f7 } - $sequence_13 = { 468d2cb500000000 41f7ed 448bda 41c1fb05 } - $sequence_14 = { 52 8d041f 50 e8???????? 8b861c080000 83c418 03c7 } + $sequence_1 = { 33c0 488d8d10030000 664489b510030000 48898512030000 89851a030000 } + $sequence_2 = { e8???????? ebd2 8bc3 c1f805 8d3c8520824100 8bf3 } + $sequence_3 = { 438d0476 4c8b742420 2be8 7469 } + $sequence_4 = { 50 6a00 8bce c745fcffffffff ffd2 8b06 } + $sequence_5 = { 8907 837e1401 751e 8b0f 6a04 8d85f8f3ffff } + $sequence_6 = { 8b4c2430 85c9 7e1d 488b442438 4883c010 833800 } + $sequence_7 = { ffd2 8b4508 8b30 3bf0 743a 8bff } + $sequence_8 = { 52 50 ff15???????? 8b55f8 8b450c } + $sequence_9 = { 8bff 0fb78840134100 66898c05fcf7ffff 83c002 } + $sequence_10 = { 8b7e10 83c40c 83c70a 8b5618 } + $sequence_11 = { 3b3d???????? 737d 488bdf 488bf7 48c1fe05 4c8d254a030100 } + $sequence_12 = { ff15???????? 33c0 e9???????? 488b07 488bd3 488bcf } + $sequence_13 = { 4c89642458 4c896c2460 4c89742420 b856555555 418bf8 } + $sequence_14 = { eb02 33c0 488d1577bd0000 488bc8 } condition: 7 of them and filesize < 257024 
@@ -132015,36 +132798,36 @@ rule MALPEDIA_Win_Wmighost_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "55e49921-45ae-5b90-8672-392197d5c46d" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d961091-e7db-51cf-b2b4-3f5a2dad88fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wmighost_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wmighost_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "baccfa7c7ba02590525c187cca262206672accd6710804ff2657e35b11ab051c" + logic_hash = "3aa73c6bd5516b227259b8af1959ad4357e1d0f102f6296109b4a3dafddf8756" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ff5238 8945fc 837dfc00 7d12 } - $sequence_1 = { 8b95f8feffff 52 ff15???????? 83c410 8b85f8feffff 50 } - $sequence_2 = { 8d95f0fcffff 52 ff15???????? 68e8030000 ff15???????? } - $sequence_3 = { c745fcffffffff 8d4de8 e8???????? e9???????? 51 8bcc 8965c4 } - $sequence_4 = { 8bc8 e8???????? 6aff 8d4de8 e8???????? } - $sequence_5 = { 50 64892500000000 83ec08 894dec c745fc00000000 8d4d08 e8???????? } - $sequence_6 = { ff15???????? e9???????? c745fcffffffff 8d4d84 e8???????? } - $sequence_7 = { 6a44 6a00 8d45b0 50 e8???????? } - $sequence_8 = { 894dfc 8b45fc 50 ff15???????? 
8b45fc 8be5 5d } - $sequence_9 = { 6a00 6a00 ff15???????? 6a17 6a00 68???????? } + $sequence_0 = { 6a00 8b95f8feffff 52 e8???????? 83c40c 8b4510 50 } + $sequence_1 = { 83c40c 8b4510 50 8d8df0fcffff } + $sequence_2 = { 52 e8???????? 8945b4 8b45b4 } + $sequence_3 = { c745fcffffffff 8d4d84 e8???????? 8b4df4 64890d00000000 8be5 5d } + $sequence_4 = { 8d55cc 52 e8???????? 83c408 c645fc00 8d4dcc e8???????? } + $sequence_5 = { 8d8decfeffff 51 8d958caeffff 52 e8???????? 83c404 } + $sequence_6 = { ff15???????? e9???????? c745fcffffffff 8d4d84 e8???????? 8b4df4 } + $sequence_7 = { ff15???????? e9???????? c745fcffffffff 8d4d84 e8???????? } + $sequence_8 = { 50 8d8df0fcffff 51 68???????? 8b95f8feffff 52 ff15???????? } + $sequence_9 = { 8b55f8 8882c8304000 8b45f8 0fbe88c8304000 33d2 } condition: 7 of them and filesize < 49152 
@@ -132054,36 +132837,36 @@ rule MALPEDIA_Win_Sslmm_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d8086894-ce35-51e5-80fd-c0d5178aba78" - date = "2026-01-05" - modified = "2026-01-06" + id = "8ca87078-8100-5bd1-8798-54d3e2b28ab6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sslmm_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sslmm_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "a85823710a9c9f3b9c72213ada570b2364c16fc9f2cafb50a35e2a98adedaa0a" + logic_hash = "b59a6cbb4229b581ad3d667790c29c9dd7a69cc275f8aeb2850b68e9c295e7e7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 50 51 8bcb e8???????? 85c0 0f854d010000 } - $sequence_1 = { 51 03ee 55 50 e8???????? 8b442478 } - $sequence_2 = { 8bca 83e103 f3aa 8b842480000000 8b4c2420 2bc6 } - $sequence_3 = { 5b 81c45c020000 c3 8b1d???????? 68???????? 56 } - $sequence_4 = { 81ecc8000000 53 8bd9 8b8c24d8000000 55 } - $sequence_5 = { 51 6a00 8d93dc000000 50 52 } - $sequence_6 = { 33c0 5e 81c4ac010000 c21000 } - $sequence_7 = { ff5204 33c0 5e c20c00 6a00 } - $sequence_8 = { 68c8000000 8bf1 6a00 ffd7 8b1d???????? 
} - $sequence_9 = { 83c404 40 50 53 6aff 57 6a00 } + $sequence_0 = { 8d4c243c 8bc2 899374010000 8b9370010000 8944245c 8d44245c } + $sequence_1 = { 8bce 895c2420 e8???????? 85c0 745e 399e9c000000 } + $sequence_2 = { 8b542434 57 6a01 55 52 8bce } + $sequence_3 = { 55 03d0 8d4c243c 8bc2 899374010000 8b9370010000 } + $sequence_4 = { 8bd9 55 56 8b8360010000 33ed 33f6 3bc5 } + $sequence_5 = { 7538 8b442434 85c0 7430 8b4c242c 8b9370010000 51 } + $sequence_6 = { 33c9 8d542408 894c2428 52 894c2430 } + $sequence_7 = { 8bf8 ff15???????? 8b44240c 8b4804 8b10 51 } + $sequence_8 = { e8???????? 53 55 8bac241c140000 } + $sequence_9 = { 8d83e4000000 51 6a04 50 ff931c010000 3bc6 0f85a0010000 } condition: 7 of them and filesize < 188416 @@ -132097,7 +132880,7 @@ rule MALPEDIA_Win_Locky_Auto : FILE date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.locky_auto.yar#L1-L181" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.locky_auto.yar#L1-L181" license_url = "N/A" logic_hash = "cfd0780ce81a27b30c6ff7ba29e871c926663b6bd8e9b266836319c43aec3bb1" score = 75 
@@ -132139,95 +132922,134 @@ rule MALPEDIA_Win_Sality_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "491e3727-8d5f-59a5-be7f-6df769a7e7b0" - date = "2026-01-05" - modified = "2026-01-06" + id = "d0e87793-8727-541b-80e3-48566039d565" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sality_auto.yar#L1-L222" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sality_auto.yar#L1-L224" license_url = "N/A" - logic_hash = "69c1f81399935d5f7c9bd23257cd0c140ba6f95de6444c6618514cda674397de" + logic_hash = "3c42cf6b73a36e92fe732265007b14ef1fc7a763be4f7671d25a9c70858af341" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81f201a00000 668955f8 eb0b 668b45f8 66d1e8 668945f8 } - $sequence_1 = { 6a67 e8???????? 83c410 8b4dfc 03c8 894dfc } - $sequence_2 = { 51 ff15???????? e9???????? 68581b0000 } - $sequence_3 = { 51 ff15???????? eb14 8d95f0fdffff } - $sequence_4 = { 81ec88010000 57 c78578feffff00000000 c685fcfeffff00 b940000000 33c0 8dbdfdfeffff } - $sequence_5 = { 6a66 e8???????? 83c410 8b55fc 03d0 8955fc eb37 } - $sequence_6 = { 0f8447010000 d1ea 7307 4e } - $sequence_7 = { 51 ff15???????? e8???????? 
25ffff0000 } - $sequence_8 = { 7513 8bc2 83e804 8b00 8906 } - $sequence_9 = { 8920 896804 8d9dba114000 895808 } - $sequence_10 = { 035c240c 33c0 8b3b 037c240c 8b742410 } - $sequence_11 = { 8bf2 8bf8 50 ff95c5144000 8bc8 f3a6 61 } - $sequence_12 = { 52 ff953a144000 e8???????? 8907 } - $sequence_13 = { 646789260000 8b74240c 66813e4d5a 0f858c000000 03763c 813e50450000 } - $sequence_14 = { 8b7c2410 b996000000 32c0 f2ae 8bcf } - $sequence_15 = { 59 83c304 40 3b4218 75e2 3b4218 } - $sequence_16 = { 010d???????? 83c004 5f 5e } - $sequence_17 = { 00fb fb 804880bc 280d???????? } - $sequence_18 = { 0306 50 8b4e04 8d5608 } - $sequence_19 = { 0306 50 8d5604 e8???????? } - $sequence_20 = { 0007 7307 c607ff 8ac1 } - $sequence_21 = { 014304 c3 53 56 } - $sequence_22 = { 0202 7466 0fb77202 8b7a04 } - $sequence_23 = { 031e ff7608 ff7604 e8???????? } + $sequence_0 = { 7206 837d087e 7612 817d08c8000000 721d 817d08d5000000 7714 } + $sequence_1 = { 721b 817d08d5000000 7712 8b4510 } + $sequence_2 = { 7207 b801040000 eb54 8b55fc 2b55f4 8b450c 8910 } + $sequence_3 = { 0f8411010000 8b55dc 33c0 668b4212 } + $sequence_4 = { 52 68ff011f00 8d45f4 50 } + $sequence_5 = { 52 68a3000000 e8???????? 83c414 8b4dfc } + $sequence_6 = { 0f8410020000 c785ccfdffff28010000 b949000000 33c0 } + $sequence_7 = { 0f8410010000 e8???????? 25ffff0000 99 b967000000 } + $sequence_8 = { 85c0 74f6 c3 8bf7 } + $sequence_9 = { c8000000 8b4510 ff35???????? 8f80b8000000 ff35???????? 8f80c4000000 } + $sequence_10 = { 50 6a00 ff951a154000 85c0 } + $sequence_11 = { 8bf8 50 ff95c5144000 8bc8 f3a6 } + $sequence_12 = { 6a01 6a00 6a00 8d9578274000 } + $sequence_13 = { 83c404 eb0a 59 83c304 40 3b4218 } + $sequence_14 = { ffb554134000 33c0 64ff30 8d8586134000 8920 896804 8d9dba114000 } + $sequence_15 = { 81feffff0000 7278 fc 8dbd3d154000 } + $sequence_16 = { 807dc300 7506 ff05???????? 6810270000 e8???????? 33c0 } + $sequence_17 = { 83e600 66c704753a1742000100 8bc6 0573020000 } + $sequence_18 = { e8???????? 
46 83fe5b 7edd 5e } + $sequence_19 = { 50 ff35???????? 68ff000000 e8???????? } + $sequence_20 = { 0fb6db 8b45f0 f7ef 33d8 881c37 47 } + $sequence_21 = { 8bec 81ec00020000 50 837d0801 7d07 } + $sequence_22 = { 68???????? a1???????? ffb09c000000 e8???????? } + $sequence_23 = { f7d1 49 7432 8bd1 } condition: 7 of them and filesize < 1523712 } +rule MALPEDIA_Win_Remus_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "2418691b-bfa3-53c7-8042-79c45de3be4c" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remus" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.remus_auto.yar#L1-L130" + license_url = "N/A" + logic_hash = "280229eb33c473e7345c774cc14b3e45e3c50c5dec27b2e29f787d916e88bb7f" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 4989c1 4929d1 4983c1fe 4c8d442410 90 4c89ca 450fb610 } + $sequence_1 = { 4989f0 e8???????? 4883c420 4889f1 4883c104 4883e804 8b16 } + $sequence_2 = { 4c89e9 e8???????? 4883bc24e800000000 0f84b4fdffff 4d85e4 0f84abfdffff } + $sequence_3 = { 48c744242000000000 41b805000000 ba04000000 4531c9 e8???????? c744245000000000 } + $sequence_4 = { 05e4fb1700 31c1 8b8424c0000000 8b8424c0000000 89c2 83e201 83f001 } + $sequence_5 = { ba03000000 4989c0 4531c9 4889c7 e8???????? 4889f8 488b0d???????? } + $sequence_6 = { 4c89f9 4989d8 4531c9 e8???????? 
4c89f9 4889fa } + $sequence_7 = { 4885c9 740a 448b481c 41d1e9 448909 488b8c24b8000000 } + $sequence_8 = { 8b8c2410030000 85c9 74cb 39c5 7469 c784241003000000000000 8b8c2410030000 } + $sequence_9 = { 4c8b65d0 eb00 83f800 7509 488b5b08 e9???????? eb00 } + + condition: + 7 of them and filesize < 475136 +} rule MALPEDIA_Win_Dadstache_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b2a62577-cb7e-5e21-91ce-710fa4e05555" - date = "2026-01-05" - modified = "2026-01-06" + id = "e98094f0-0020-57dd-95bb-6582f11111c5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dadstache_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dadstache_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "73e72c498fc907fc6a73ed239a2f6863b09267af51df13ccdd17c0fe20abede8" + logic_hash = "d4b7b2319b07081295c36fd104af9427fd846713a216bedec8ef501f72661951" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b35???????? 85c9 7403 51 ffd6 a1???????? } - $sequence_1 = { 6a40 6a00 8d4620 c70600000000 c7460400000000 c7460800000000 } - $sequence_2 = { 57 6aff 6a00 8d4508 c74424240f000000 } - $sequence_3 = { 756c ff15???????? 
53 53 8d4d08 } - $sequence_4 = { 83c404 85c0 7428 8bb30c020000 8bf8 } - $sequence_5 = { 57 8d4304 c6437401 50 53 c7070c000000 c7431400000000 } - $sequence_6 = { 314608 8b470c 8bf9 31460c 0f1006 } - $sequence_7 = { 8b45f4 c1e808 0fb6c0 894e04 8bcb c1e918 } - $sequence_8 = { 8b4604 8d7604 85c0 75ee b801000000 } - $sequence_9 = { 57 03c3 895508 33ff 8945fc } - $sequence_10 = { 8b55f4 8b4485b0 85d2 8b56f8 7405 0d00020000 } - $sequence_11 = { 8b06 85c0 7543 8b46f8 8945ec } - $sequence_12 = { 8955e0 0f2805???????? 8b703c 03f0 b801000000 } - $sequence_13 = { c745bc56697274 50 57 c745c075616c41 } - $sequence_14 = { 51 ff55f4 8bf8 85ff 0f8423ffffff } - $sequence_15 = { 56 ff7034 ffd7 8945f8 85c0 } + $sequence_0 = { 0f1145e8 0f85f2feffff 8b7df4 8bc7 c1e818 } + $sequence_1 = { c6437401 50 53 c7070c000000 c7431400000000 c7431801000000 } + $sequence_2 = { 75f9 2bf2 7429 90 6a00 } + $sequence_3 = { 41 84c0 75f9 e9???????? 80f902 0f85f8000000 8b830c020000 } + $sequence_4 = { 7454 6a00 ff35???????? ff15???????? 85c0 } + $sequence_5 = { ffb01c020000 ff15???????? 85c0 0f8584000000 } + $sequence_6 = { bb04000000 c1e108 8bf7 0bc8 c745d801000000 0fb64201 } + $sequence_7 = { 57 8bf9 897df4 85db 7419 } + $sequence_8 = { 8b0e 33d2 33db 8955f4 8b56f8 c745e400000000 } + $sequence_9 = { 660f383ffc 0f28c7 894df8 660f73d808 660f383ff8 } + $sequence_10 = { 56 ff7034 ffd7 8945f8 } + $sequence_11 = { 0f44d8 c745f8616c4672 8d45e8 66c745fc6565 50 57 c645fe00 } + $sequence_12 = { 7405 0d00020000 8d5de4 53 50 51 } + $sequence_13 = { 8bec 81ec9c000000 56 57 648b3d30000000 33c0 c745806b006500 } + $sequence_14 = { 57 8d3c16 897df4 85c9 } + $sequence_15 = { 894ddc 53 56 57 85c9 0f8415010000 8b410c } condition: 7 of them and filesize < 580608 
@@ -132237,36 +133059,36 @@ rule MALPEDIA_Win_Client_Maximus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "38a249dd-6d8f-54ce-920d-61d566c5cc15" - date = "2026-01-05" - modified = "2026-01-06" + id = "5d6bb12e-b2df-543e-8ffb-ef0045a99b13" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.client_maximus_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.client_maximus_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "5ff2445dece4914e3eb7fbfccded1318ff7646d3eb9b7b22684fe253e9bf4e40" + logic_hash = "67fc1a4154f7aebb975d73c79c32360f7f9bf329326869e116c673ccce0cc653" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89542404 ff532c 8b5308 83c601 39730c } - $sequence_1 = { 8b4304 85c0 741d 8b5330 c744240800800000 c744240400000000 890424 } - $sequence_2 = { 890424 8954240c ff5320 ff15???????? 895c2408 } - $sequence_3 = { c70424???????? ffd0 a1???????? 85c0 7438 } - $sequence_4 = { e8???????? 8b4304 85c0 741d 8b5330 c744240800800000 c744240400000000 } - $sequence_5 = { 85c0 741d 8b5330 c744240800800000 } - $sequence_6 = { 7410 8b5330 890424 89542404 ff532c 8b5308 } - $sequence_7 = { 89c2 85d2 7409 c70424???????? 
ffd2 8d65f8 } - $sequence_8 = { 8b4628 85c0 7535 c70424???????? } - $sequence_9 = { 85c0 741d 8b5330 c744240800800000 c744240400000000 890424 } + $sequence_0 = { 83c601 39730c 7fe1 891424 e8???????? 8b4304 85c0 } + $sequence_1 = { 7409 c70424???????? ffd2 8d65f8 5b 5e } + $sequence_2 = { 85c0 7535 c70424???????? ff15???????? 83ec04 85c0 } + $sequence_3 = { c744240414000000 890424 ff15???????? 83ec08 85c0 } + $sequence_4 = { 7418 8b5014 85d2 7511 8b5034 85d2 } + $sequence_5 = { c744240800800000 c744240400000000 890424 8954240c } + $sequence_6 = { 881403 75d1 5b 5e } + $sequence_7 = { ff15???????? c74424083c000000 c744240408000000 890424 ff15???????? 83ec0c } + $sequence_8 = { 83ec04 a3???????? c7442404???????? 893424 ff15???????? 83ec08 } + $sequence_9 = { 8b442420 c70424???????? a3???????? e8???????? b801000000 } condition: 7 of them and filesize < 106496 
@@ -132276,36 +133098,36 @@ rule MALPEDIA_Win_Mewsei_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "add045ad-b22b-5690-8008-c500cb8eb696" - date = "2026-01-05" - modified = "2026-01-06" + id = "ff043805-5ac3-54cf-b0e0-78cba5f67524" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mewsei_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mewsei_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "25d3161d5bf746c6ecd7f709f19943bce6135e5cdd1b0f6ec1d26ee45065cb61" + logic_hash = "f355a0c41703f12991cabb20de971b5202bf753a8636b8f2b9f554e6c9d16aac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 037dfc 897df0 0fb6780b c1e708 } - $sequence_1 = { c1e708 0fb6582c 0bfb 89b984000000 897dbc 8b7df0 337dfc } - $sequence_2 = { 03de 8dbc3b56b7c7e8 0fb6580a c1c70c 037dfc 897df0 0fb6780b } - $sequence_3 = { 0f8278ffffff 5b 5f 8bc6 5e } - $sequence_4 = { 3bcf 7319 bf???????? 8d5101 2bf9 } - $sequence_5 = { c3 8b4d0c 85c9 7411 8bc1 } - $sequence_6 = { 6a00 50 68???????? 
6a00 6a00 ffd6 50 } - $sequence_7 = { 8b08 8b511c 50 ffd2 3bc3 740a 83f801 } - $sequence_8 = { 33d2 25ff7f0000 f7f1 80c230 885305 c6430600 85ff } - $sequence_9 = { c1ea10 884708 8b4610 884f05 885706 8bc8 8bd0 } + $sequence_0 = { 6a00 6a01 6a0e 56 ff15???????? 85c0 7411 } + $sequence_1 = { a3???????? a3???????? a1???????? 68???????? 50 c705????????03000000 } + $sequence_2 = { 85c0 750c 6a01 e8???????? 83c404 ebe3 } + $sequence_3 = { 5b c3 6a00 6a00 57 ff15???????? } + $sequence_4 = { f7d2 c1c70a 03fb 0bd7 33d3 0355d4 8b5df8 } + $sequence_5 = { 6a00 8d5117 8bc7 e8???????? b901000000 6a00 6a00 } + $sequence_6 = { 83c418 56 ff15???????? 85c0 7409 56 e8???????? } + $sequence_7 = { 2bf1 8d4900 8a140e 881408 } + $sequence_8 = { 7415 8b04b7 85c0 7409 50 e8???????? } + $sequence_9 = { ff15???????? 85c0 7404 c645fe01 85ff 7409 57 } condition: 7 of them and filesize < 504832 
@@ -132315,36 +133137,36 @@ rule MALPEDIA_Win_Darkside_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aefc41a3-b8c0-5b26-a4f2-4bd0717ef6d0" - date = "2026-01-05" - modified = "2026-01-06" + id = "db2cdd3c-5e22-5c22-ae3f-7b575bd4e0a8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkside_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkside_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "19da14f3a366acd3b23a4b82b0e78c008b7088d377404cdf8c0d0057a334f0f7" + logic_hash = "f2169ec34857b2fed3d7cb22b0d61cf468a6b46d49e423c1793b76420663486f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 5b 5d c20800 55 8bec 53 } - $sequence_1 = { 895c0e04 893c0e 81ea10101010 2d10101010 81eb10101010 81ef10101010 } - $sequence_2 = { 75d2 5f 5e 5a 59 } - $sequence_3 = { 8b4508 8b10 8b5804 8b7808 8b400c 89540e0c 89440e08 } - $sequence_4 = { be???????? 8b4508 8b10 8b5804 8b7808 8b400c } - $sequence_5 = { b9f0000000 be???????? 8b4508 8b10 } - $sequence_6 = { e8???????? 5f 5e 5a 59 5b 5d } - $sequence_7 = { 85c0 7418 8bd8 68ff000000 57 } - $sequence_8 = { 57 e8???????? 
81c7ff000000 4b 85db 75ea } - $sequence_9 = { 75da eb06 33db fec1 75d2 5f 5e } + $sequence_0 = { eb06 33db fec1 75d2 5f } + $sequence_1 = { 59 5b 5d c20c00 55 } + $sequence_2 = { 89540e0c 89440e08 895c0e04 893c0e 81ea10101010 2d10101010 } + $sequence_3 = { 57 8b7d08 8b450c b9ff000000 33d2 } + $sequence_4 = { 33db fec1 75d2 5f 5e } + $sequence_5 = { 895c0e04 893c0e 81ea10101010 2d10101010 81eb10101010 81ef10101010 83e910 } + $sequence_6 = { 4b 85db 75ea 85d2 7407 52 } + $sequence_7 = { 8b4508 8b10 8b5804 8b7808 } + $sequence_8 = { 81c7ff000000 4b 85db 75ea 85d2 7407 52 } + $sequence_9 = { 85d2 7407 52 57 } condition: 7 of them and filesize < 286720 
@@ -132354,42 +133176,42 @@ rule MALPEDIA_Win_Syscon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5a8ce706-db42-58e3-9d51-88fe0c5beb4f" - date = "2026-01-05" - modified = "2026-01-06" + id = "7eb8abcd-342c-50c3-89c9-ff4cd5248368" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.syscon_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.syscon_auto.yar#L1-L176" license_url = "N/A" - logic_hash = "e30c1d08a4b5a8899edc4bd6891355bf1333e55e03f2135a162795fd594797ac" + logic_hash = "cd8f7f985388b766a488de21cbd16adb9d28f56e0a8adca4ec1abebcb3805f91" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c4 898424d80b0000 53 56 } - $sequence_1 = { 47 83c604 897df8 80fb40 7412 8a55ff } - $sequence_2 = { 8d942414040000 68???????? 52 ff15???????? 83c40c 6a00 } - $sequence_3 = { 57 8bc6 e8???????? 83c408 56 } - $sequence_4 = { 68e8030000 ffd6 6a00 6a20 6a03 } - $sequence_5 = { a1???????? 68???????? 50 ff15???????? 85c0 0f846affffff } - $sequence_6 = { ff15???????? e9???????? 8b8c24e40b0000 5f } - $sequence_7 = { eb0c 53 68???????? ff15???????? 57 } - $sequence_8 = { 488d5590 488d0daa300000 448bc0 e8???????? 488d8d20040000 } - $sequence_9 = { e8???????? 488d0dab460000 ff15???????? 
488d542420 488d0d99460000 } - $sequence_10 = { 498bcc ff15???????? 488bcf ff15???????? bf04010000 } - $sequence_11 = { 488d4c2440 448bc3 33d2 e8???????? 488d542440 b904010000 ff15???????? } - $sequence_12 = { 488d8d90050000 488d159e2f0000 ff15???????? 488d9590050000 488d8d60010000 e8???????? 488d8d60010000 } - $sequence_13 = { c705????????02000000 83f901 750a c705????????01000000 890d???????? 488b0d???????? 8915???????? } - $sequence_14 = { 488d0d07460000 448bc0 e8???????? 488d542420 } - $sequence_15 = { 89542420 4c8d442450 488d8d90050000 488d1514310000 } + $sequence_0 = { 6a01 68???????? 8d4c2440 51 } + $sequence_1 = { ff15???????? 6804010000 68???????? 53 ff15???????? } + $sequence_2 = { 8935???????? c705????????10000000 8935???????? ffd7 8b0d???????? } + $sequence_3 = { 68???????? 68???????? 6a15 68???????? 52 ff15???????? a3???????? } + $sequence_4 = { 51 8d942414040000 68???????? 52 ff15???????? 83c40c 6a00 } + $sequence_5 = { ff15???????? 8bf8 83ffff 0f84f9000000 6a00 57 } + $sequence_6 = { 6a00 8d842414040000 50 ff15???????? 68e8030000 ffd6 } + $sequence_7 = { 897df8 8b45f4 03c6 3b450c 0f8c56ffffff } + $sequence_8 = { 488d0d03490000 ff15???????? 488d542420 488d0df1480000 } + $sequence_9 = { ff15???????? 488bcf ff15???????? bf04010000 488d4c2440 448bc7 } + $sequence_10 = { 488d1566ffffff ff15???????? 8d4f02 bab80b0000 488905???????? e8???????? 8d5f01 } + $sequence_11 = { 5d c3 41bd04010000 488d8d80040000 33d2 } + $sequence_12 = { 488905???????? 4885c0 0f8475f7ffff 488d4c2420 4c8bc6 33d2 e8???????? } + $sequence_13 = { 33d2 e8???????? 488d542440 488d8c2450010000 4c8bcd 4c8bc6 ff15???????? } + $sequence_14 = { e8???????? 488d8d60010000 ff15???????? 418bdc 418bcf ff15???????? } + $sequence_15 = { 4c8bc6 33d2 e8???????? 488d0dc6510000 ff15???????? 488d542420 488d0db4510000 } condition: 7 of them and filesize < 120832 
@@ -132399,40 +133221,40 @@ rule MALPEDIA_Win_Nokki_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5dc3d6e8-6868-523c-9edf-f4ac449ab566" - date = "2026-01-05" - modified = "2026-01-06" + id = "1609949c-31c1-5097-ae50-2a963298fcb3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nokki_auto.yar#L1-L149" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nokki_auto.yar#L1-L148" license_url = "N/A" - logic_hash = "0fb121b3fe7dee465d08717e2553d7155ecc791f48d5f128590e890ccc5d33a8" + logic_hash = "d6f9477446553d712cc3e0fe640246f7b41e895702b35c9425952d6967d4e838" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 33d2 68ce070000 52 } - $sequence_1 = { e8???????? 33c9 68ce070000 51 } - $sequence_2 = { a1???????? a3???????? a1???????? c705????????b7634000 } - $sequence_3 = { 8b550c 83c41c 6a00 6880000000 } - $sequence_4 = { 8945ca 8945ce 668945d2 e8???????? 33c0 8945d6 8945da } - $sequence_5 = { c745ec5c374000 894df8 8945fc 64a100000000 8945e8 8d45e8 } - $sequence_6 = { 51 52 ff15???????? 85c0 0f85b1010000 8b957ce8ffff } - $sequence_7 = { 8d8db4f7ffff 51 68???????? 56 ffd3 } - $sequence_8 = { e8???????? 33c0 8d4dac 51 668945ac 8945ae } - $sequence_9 = { e8???????? 
83c404 8bf0 8d850cf8ffff } - $sequence_10 = { 68???????? eb10 6a0b 68???????? eb07 6a0d } - $sequence_11 = { 83c40c 6bc930 8975e0 8db1a0e94000 8975e4 eb2b } - $sequence_12 = { 888888e84000 40 ebe6 ff35???????? } - $sequence_13 = { e8???????? ebde 8bc8 83e01f c1f905 8b0c8d80054100 c1e006 } + $sequence_0 = { e8???????? 33c9 68ce070000 51 } + $sequence_1 = { e8???????? 33d2 68ce070000 52 } + $sequence_2 = { 33c8 e8???????? b8???????? e9???????? 8b8d18f8ffff } + $sequence_3 = { 8d4310 8d8994e94000 5a 668b31 668930 83c102 83c002 } + $sequence_4 = { 8da42400000000 6683bdc4fbffff2e 7435 8d85c4fbffff } + $sequence_5 = { 8b5d10 33c0 898500f8ffff 8b15???????? 8945fc 8b420c } + $sequence_6 = { 8bc6 c1f805 57 83e61f 8d3c8580054100 8b07 } + $sequence_7 = { 888888e84000 40 ebe6 ff35???????? ff15???????? } + $sequence_8 = { 8d3c8580054100 8bf3 83e61f c1e606 } + $sequence_9 = { 7461 8d0cbd80054100 8901 8305????????20 8b11 81c200080000 } + $sequence_10 = { 51 668985ecfbffff e8???????? 83c420 } + $sequence_11 = { 83e71f c1e706 8b0485c02b4100 8d44380c 50 ff15???????? 8b45e4 } + $sequence_12 = { 762a 56 e8???????? 8d044524fc4000 } + $sequence_13 = { 8bf8 83ffff 7424 6a00 8d8560f1ffff 50 } condition: 7 of them and filesize < 454656 
@@ -132442,36 +133264,36 @@ rule MALPEDIA_Win_Catb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "933995f2-f16f-57d3-8dbf-a34d98a15a16" - date = "2026-01-05" - modified = "2026-01-06" + id = "5f727573-f261-5578-8b83-74ab1ed31834" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.catb_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.catb_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "67c973c178a5aaefb496aaca8211cbe6cac87c68d3dfe20d86da6ecd47acde94" + logic_hash = "2f34f99c9516d4cefe1f06a36fd1a871f11ac79e7a0d20c0f60d54be32dad4b9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8491000000 498bc5 4c8d0d5d58ffff 83e03f 498bd5 } - $sequence_1 = { eb1f be07000000 488d15ef9e0000 448bc6 488bcf e8???????? 85c0 } - $sequence_2 = { 488d1db6a90300 488d3537fe0000 48895c2420 488d05aba90300 483bd8 7419 483933 } - $sequence_3 = { 4c8d0da47f0000 b903000000 4c8d05907f0000 488d15f9750000 e8???????? 4885c0 740f } - $sequence_4 = { 48895c2408 4889742410 57 4883ec20 418bf0 4c8d0d8fcf0000 } - $sequence_5 = { 7832 3b0d???????? 732a 4863c9 4c8d05e89f0300 488bc1 } - $sequence_6 = { 4c8d0d757d0000 488bd9 488d156b7d0000 b916000000 4c8d05577d0000 e8???????? 
488bcb } - $sequence_7 = { 4c8d05117f0000 488d1592750000 e8???????? 8bcb } + $sequence_0 = { e9???????? 488d0543dd0300 4a8b04e8 42f644f83840 7405 } + $sequence_1 = { 90 488d1db6a90300 488d3537fe0000 48895c2420 } + $sequence_2 = { 488d159bdc0000 483950f0 740b 488b10 } + $sequence_3 = { 428844f13e 4b8b84e0403e0400 42804cf03d04 38558f ebcc ff15???????? 894597 } + $sequence_4 = { 0fb7c0 66f3ab 488d3d10130100 482bfe 8a041f 8803 } + $sequence_5 = { eb16 b902000000 e8???????? 483bd8 757a 488d3df0d50300 ff05???????? } + $sequence_6 = { 48ffcb ffc2 0fb603 4280bc087098010000 74e3 440fb603 } + $sequence_7 = { 8bda 4c8d057e7e0000 488bf9 488d151c750000 } $sequence_8 = { 488bf8 4885c0 0f8483000000 41b812000000 488d1569550100 488bc8 ff15???????? } - $sequence_9 = { 44895c2448 81fae9fd0000 0f8570010000 4c8d3d23aaffff 418bd3 } + $sequence_9 = { 488bc3 498784f6803c0400 4885c0 7409 } condition: 7 of them and filesize < 593920 
@@ -132481,50 +133303,49 @@ rule MALPEDIA_Win_Vobfus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "42158425-a27c-57e2-bcf0-e9d26bb44ebe" - date = "2026-01-05" - modified = "2026-01-06" + id = "9e90427e-91ff-50fd-8c84-43d105124887" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vobfus_auto.yar#L1-L228" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vobfus_auto.yar#L1-L218" license_url = "N/A" - logic_hash = "c01a7c959701e62f162b2189e2ece4b76a685509f6980577800ff6467b1d208b" + logic_hash = "e1c5225cb8b745260ef017c2e1ec5a24f4db637bf90e460b430cb82031425688" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5508 8b92e8000000 8b826c1a0000 50 } - $sequence_1 = { 8b5508 8b92e8000000 8b827c040000 50 } - $sequence_2 = { 8b5508 8b92e8000000 8b82d81a0000 50 } - $sequence_3 = { 8b5508 8b92e8000000 8b82f00b0000 50 } - $sequence_4 = { 8bec 8b5508 8b92e8000000 8b82a00d0000 50 50 8b10 } - $sequence_5 = { 8b82180b0000 50 50 8b10 ff5204 58 } - $sequence_6 = { 55 8bec 8b5508 8b92e8000000 8b82c4040000 50 } - $sequence_7 = { 8b5508 8b92e8000000 8b82b41a0000 50 } - $sequence_8 = { 78ff 0d50004900 3e3cff 46 } - $sequence_9 = { f2ed ec f2ed ec f3ed ebf2 ed } - $sequence_10 = { 801800 0808 0006 3401 41 
06 1005???????? } - $sequence_11 = { f2e8fae6d5f6 d2b5f2bb8ff3 ae 73f3 } - $sequence_12 = { 5c f6ac4ff8b54ffb c058fcca 61 } - $sequence_13 = { 00e0 c9 8f00 e3ce 97 00e6 d39500e4d19b } - $sequence_14 = { d39500e4d19b 00cf c0b200d1c3b600 e6d3 a1???????? 00ec dea600e0d4b3 } - $sequence_15 = { 41 06 1001 ff06 0200 0100 } - $sequence_16 = { 91 00d5 c19400d6c49500d7 c59900dac999 00e0 } - $sequence_17 = { 06 1005???????? 0100 6c 74ff } - $sequence_18 = { 7cc8 dc7acd e291 d2e8 } - $sequence_19 = { 0100 8a00 0010 4c 0007 } - $sequence_20 = { 46 14ff 0470 fe0a } - $sequence_21 = { 6c 74ff 801800 0808 } - $sequence_22 = { ae 73f3 aa 5c f6ac4ff8b54ffb } - $sequence_23 = { 1400 48 0008 78ff 0d50004900 } + $sequence_0 = { 8b5508 8b92e8000000 8b829c0e0000 50 } + $sequence_1 = { 8b5508 8b92e8000000 8b82dc190000 50 } + $sequence_2 = { 8b5508 8b92e8000000 8b82dc100000 50 } + $sequence_3 = { 55 8bec 8b5508 8b92e8000000 8b8200230000 } + $sequence_4 = { 8b92e8000000 8b82d0130000 50 50 } + $sequence_5 = { 8b8204190000 50 50 8b10 ff5204 } + $sequence_6 = { 8b5508 8b92e8000000 8b8200110000 50 } + $sequence_7 = { 8b5508 8b92e8000000 8b82c0050000 50 } + $sequence_8 = { 48 0008 78ff 0d50004900 3e3cff 46 14ff } + $sequence_9 = { f2e8fae6d5f6 d2b5f2bb8ff3 ae 73f3 aa 5c } + $sequence_10 = { 41 06 1001 ff06 } + $sequence_11 = { 00d5 c19400d6c49500d7 c59900dac999 00e0 c9 } + $sequence_12 = { c9 8f00 e3ce 97 } + $sequence_13 = { ff06 0200 0100 8a00 0010 4c 0007 } + $sequence_14 = { 7cc8 dc7acd e291 d2e8 } + $sequence_15 = { c0b200d1c3b600 e6d3 a1???????? 00ec dea600e0d4b3 00e0 d4b4 } + $sequence_16 = { f2ed ec f3ed ebf2 ed ec } + $sequence_17 = { 46 14ff 0470 fe0a } + $sequence_18 = { 5c f6ac4ff8b54ffb c058fcca 61 } + $sequence_19 = { 0100 6c 74ff 801800 } + $sequence_20 = { 801800 0808 0006 3401 41 06 } + $sequence_21 = { 97 00e6 d39500e4d19b 00cf c0b200d1c3b600 e6d3 } + $sequence_22 = { f2ed ec f2ed ec f2ed ec f3ed } condition: 7 of them and filesize < 409600 
@@ -132534,36 +133355,36 @@ rule MALPEDIA_Win_Unidentified_080_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "167c06b1-3a4c-5ce4-bead-27b24b52c04c" - date = "2026-01-05" - modified = "2026-01-06" + id = "afb0dce3-a620-523e-848e-5c7e1392b889" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_080_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_080_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "1ce14bfb96c0d551ff9abc4441491b6d6b29b9deb460d6ae62dbbcd58745f42a" + logic_hash = "2b52161c4f8131d07a81333aa3ba5e4cbef65b4861940f4df33c7b85205fc1fa" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85f6 7431 8d460d 50 e8???????? 83c404 85c0 } - $sequence_1 = { ff15???????? 68e8030000 ff15???????? 8b85e0fdffff 40 8985e0fdffff 83f80a } - $sequence_2 = { 8b5004 8bce c745ec88310210 ffd2 33c0 } - $sequence_3 = { 899d8cfdffff 898504fdffff 899d88fdffff 899d90fdffff 899d94fdffff } - $sequence_4 = { 57 56 6a01 50 ff15???????? 85c0 } - $sequence_5 = { 741d 8b5508 8bf3 e8???????? 
83c404 5f c7830050000000000000 } - $sequence_6 = { 767d 03c7 3b44243c 763f 8b44243c 0500400000 50 } - $sequence_7 = { 894c2414 8b4760 8b5f6c 8b742414 } - $sequence_8 = { 40 3bc7 72f6 eb2b 8d5001 8bcf 2bca } - $sequence_9 = { 8b5c2414 83c3f4 81fb???????? 7414 53 ff15???????? 85c0 } + $sequence_0 = { 8d3c85c0a20210 8bf3 83e61f c1e606 8b07 0fbe443004 83e001 } + $sequence_1 = { 8975f0 e8???????? 85c0 0f848a000000 8b5dec 8975d8 8975dc } + $sequence_2 = { 8b37 83c6f4 837e0400 743e 833e00 7c2a } + $sequence_3 = { 895c2434 895c2438 c744241c28290210 8b4c244c 53 8d9424a4000000 52 } + $sequence_4 = { 56 ff15???????? 89859cfdffff 83f8ff 7532 83c6f4 81fe???????? } + $sequence_5 = { 85c0 742d 33c9 c70001000000 897004 897008 66894c700c } + $sequence_6 = { e8???????? 33c9 83c424 3bc3 0f94c1 8bf1 eb1a } + $sequence_7 = { 894f08 c7442438ffffffff 8b44241c 33db 3bc3 740f } + $sequence_8 = { 8bec 83ec10 53 8bd8 ff4320 56 33f6 } + $sequence_9 = { 0fb77448fe 33c9 83fe5c 0f94c1 3bcb 7516 } condition: 7 of them and filesize < 392192 
@@ -132573,36 +133394,36 @@ rule MALPEDIA_Win_Fatduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "adb8db95-b0a4-5276-93ef-e2fa83c10075" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa43f7a1-5b72-519a-ba87-112b516efd99" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fatduke_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fatduke_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "e52f36e4d51bd81125ac15c50f357b773a2dec05d6d491e80497ca4c3e0bf041" + logic_hash = "823f29cda72367b334bd8f12bb466104e5c3e5cae142985544db044753352739" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 c7451c07000000 c7451800000000 33c0 66894508 c745fcffffffff } - $sequence_1 = { e8???????? c745fc00000000 33c0 8b4d08 c706???????? f6c101 7505 } - $sequence_2 = { 8b4004 8a540840 8855ee 8b4c0838 8b4120 833800 7423 } - $sequence_3 = { c784248800000000000000 c784248c00000000000000 c784248c0000000f000000 c784248800000000000000 c644247800 803a00 7504 } - $sequence_4 = { a1???????? 
33c4 50 8d442430 64a300000000 8bf1 ff74240c } - $sequence_5 = { 8b450c 8901 8bc1 8b4df4 64890d00000000 59 5f } - $sequence_6 = { c745e000000000 8d45b4 50 8d45e0 50 6a01 8d45e8 } - $sequence_7 = { e9???????? 8b4df0 81c104030000 e9???????? 8b4df0 81c11c030000 e9???????? } - $sequence_8 = { c745fc00000000 8b450c 894114 8b4510 894118 8b4514 89411c } - $sequence_9 = { 8d45d8 50 8d5508 8d4dc0 e8???????? 83c404 c645fc02 } + $sequence_0 = { c78540ffffff00000000 c78544ffffff00000000 c78544ffffff0f000000 c78540ffffff00000000 c68530ffffff00 803a00 7504 } + $sequence_1 = { c645fc0e 837de010 720b ff75cc e8???????? 83c404 c745e00f000000 } + $sequence_2 = { c7863401000000000000 c6862401000000 c645fc0a 83be2001000010 720e ffb60c010000 e8???????? } + $sequence_3 = { 8d34c1 ff37 8bd6 e8???????? 83c404 ff75ec 51 } + $sequence_4 = { ff750c 8bf1 ff7508 c70600000000 c7460400000000 c7460800000000 e8???????? } + $sequence_5 = { e8???????? 83c418 c645fc0a 8b4dd0 8b01 ff5004 33c0 } + $sequence_6 = { ff7620 e8???????? 83c404 c746340f000000 c7463000000000 c6462000 c745fcffffffff } + $sequence_7 = { 7505 895110 eb1a 894de8 894de4 c645fc02 c701???????? } + $sequence_8 = { ff7510 c706???????? ff7508 e8???????? c745fcffffffff 8bc6 8b4df4 } + $sequence_9 = { e8???????? 5e 84c0 7407 8b4728 83700801 8bcf } condition: 7 of them and filesize < 9012224 
@@ -132612,36 +133433,36 @@ rule MALPEDIA_Win_Cur1_Downloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b4746bef-c0ea-5bd8-a0d8-b1e69c784457" - date = "2026-01-05" - modified = "2026-01-06" + id = "9711944b-1c2e-5261-8908-a67f06a6fed7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cur1_downloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cur1_downloader_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cur1_downloader_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "75283ba2057f95c8da3348505d3be061064c40e196de82d8a3f46a329333d71b" + logic_hash = "6592bb1b73c68eb722ff838e515bc632ed31472101cdddf4635e60e41a4a016d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d41ff 8b8482c81a0200 85c0 0f84c6000000 413bc7 } - $sequence_1 = { 8b4c2450 e8???????? 4889442458 48c744242000000000 4c8d8c24c8000000 448b442450 488b542458 } - $sequence_2 = { 83e10f 480fbe841100e40100 8a8c1110e40100 4c2bc0 418b40fc d3e8 } - $sequence_3 = { 4863442420 4533c0 0fb6540424 488d0d8da60200 e8???????? 
48634c2420 88440c24 } - $sequence_4 = { 488bbc24e0000000 4803fa 488bd7 8b7c2440 486bff0c 488d35aa980200 4803f7 } - $sequence_5 = { 4533c9 4533c0 488d542438 488b8c24d8000000 } - $sequence_6 = { b843000000 6689842486000000 b875000000 6689842488000000 b872000000 668984248a000000 b872000000 } - $sequence_7 = { 4885c0 751e 498bc6 4c8d3d9f39ffff } - $sequence_8 = { c744242001000000 4533c9 4533c0 488d942420170000 33c9 ff15???????? 89442468 } - $sequence_9 = { 4889442478 488b4c2430 488b542420 4803d1 488bca e8???????? 488b4c2478 } + $sequence_0 = { 488bc1 4889842498000000 488b442460 4883c008 4889442458 } + $sequence_1 = { c68424b402000061 c68424b502000064 c68424b602000045 c68424b702000078 c68424b802000000 } + $sequence_2 = { ff15???????? 488905???????? 488d9424b0030000 488b4c2420 ff15???????? 488905???????? 488d942468030000 } + $sequence_3 = { c684243801000065 c684243901000079 c684243a01000045 c684243b01000078 c684243c01000057 } + $sequence_4 = { 488b9424d0000000 488d8c2498000000 e8???????? 488d8c24d0010000 e8???????? 90 488d8c2438010000 } + $sequence_5 = { c684241d0200006e c684241e02000065 c684241f02000074 c684242002000052 c684242102000065 c684242202000061 } + $sequence_6 = { 8b8c2468010000 e8???????? 4889442430 c744242040000000 488d442420 4889442428 4c8b442428 } + $sequence_7 = { c684245502000073 c684245602000074 c684245702000041 c684245802000000 c684242003000049 } + $sequence_8 = { 41b804010000 488d942400030000 33c9 ff15???????? c744245801000000 e8???????? 833d????????01 } + $sequence_9 = { c68424a101000072 c68424a201000065 c68424a301000061 c68424a401000074 c68424a501000065 c68424a601000050 c68424a701000072 } condition: 7 of them and filesize < 402432 
@@ -132651,36 +133472,36 @@ rule MALPEDIA_Win_Noxplayer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52c2d792-4208-534f-9752-70135571b141" - date = "2026-01-05" - modified = "2026-01-06" + id = "626e33e3-02ab-5f81-8b18-d221f744b2f5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.noxplayer_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.noxplayer_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "39f8c0f5aeb72bc127d7da1eaa9ec4c91ef0378727bf180400ab0a14310839c7" + logic_hash = "ec1addc908444b63f85ad6df23a149da4e200cec4480ab26b21530c0b1ad02f6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 4883ec20 488b7968 488d05833a0300 488bd9 488901 4885ff } - $sequence_1 = { 33db 48391d???????? 488bf8 0f85d5000000 488d0d6fc70000 ff15???????? } - $sequence_2 = { 488d15757f0200 48894c2420 4885c9 7419 483901 750f 488b4108 } - $sequence_3 = { 488b742450 488bc3 4883c440 5b c3 488d542430 4533c9 } - $sequence_4 = { 49c7430801000000 8b530c 85d2 743e 660f1f440000 448d42ff 41d1f8 } - $sequence_5 = { eb06 488bd8 488b00 80782900 74e8 483b5908 } - $sequence_6 = { 4c8be8 0fb6465c 84c0 0f8553040000 4533e4 488b4e50 e8???????? } - $sequence_7 = { 742b 488bcf e8???????? 
483b3d???????? 741a 488d05354c0200 483bf8 } - $sequence_8 = { 4c8d4204 e8???????? eb78 488b4f50 498bd4 488b01 ff5040 } - $sequence_9 = { 41390424 745d 807b1d00 754a 488b4310 80781d00 7520 } + $sequence_0 = { 750d 488bce e8???????? e9???????? 4c8d2dc5520200 8bcb 488beb } + $sequence_1 = { 742c 4c2bc0 488d4c3818 8bd3 4c2bc7 6666666666660f1f840000000000 410fb64408e8 } + $sequence_2 = { eb03 488bc3 488986d8000000 b928000000 e8???????? 4889442430 } + $sequence_3 = { e8???????? 90 488d4db0 e8???????? 488b4d28 4833cc e8???????? } + $sequence_4 = { 488d9c2490000000 488b1b 483b5d10 742a 488d4d28 488d5318 e8???????? } + $sequence_5 = { 498bcc e8???????? 3dffff0000 0f8f55070000 0f84d7060000 83f807 0f8746070000 } + $sequence_6 = { 488d4c2458 448be0 ff15???????? 83f801 7427 458d84242d010000 488d542430 } + $sequence_7 = { 488d5570 488d8de0000000 e8???????? 85c0 7421 488bce } + $sequence_8 = { 8b4108 412bd0 2bc2 ffc8 c3 8b4108 412bc0 } + $sequence_9 = { 4c895c2428 488d1597fd0200 488d4c2428 e8???????? cc 488b5c2458 4883c440 } condition: 7 of them and filesize < 742400 
@@ -132690,36 +133511,36 @@ rule MALPEDIA_Win_Rtpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "48afc2d3-0fb5-53bf-8881-dc9c81c0d9e1" - date = "2026-01-05" - modified = "2026-01-06" + id = "1a9d47b5-5d7d-5030-bf52-58b9b5481b2a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rtpos_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rtpos_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "0b0f1725f7ad0b7de27494142fb6c361ef93a30e83e526a4fdbf697f28682ace" + logic_hash = "1b740bbcbb141f3c925558daa597c413a5797ae3e810355523b771c8b72d9296" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8b55d4 52 ff15???????? 8b45cc 50 ff15???????? } - $sequence_1 = { 8d8dd8fcffff 51 e8???????? 83c40c c785c4fcffff00000000 } - $sequence_2 = { 50 ff15???????? 8b4dcc 51 ff15???????? e9???????? 8b55ec } - $sequence_3 = { 8945b4 837db4ff 0f84d8010000 33c0 8945e8 8945ec } - $sequence_4 = { 0f84bc9f0000 ff7508 48 a3???????? } - $sequence_5 = { 85c0 751b 8b4dd4 51 ff15???????? 
} - $sequence_6 = { 6bf830 894df8 6a0a 8b048db86a4300 5b 8b543818 8955ec } - $sequence_7 = { 8b048db86a4300 f644382848 58 743a 668b55fc 663bd0 7505 } - $sequence_8 = { c745d800000000 837ddc00 7411 8b4ddc 51 } - $sequence_9 = { 6a02 8d4dfc e8???????? 8b4d08 c7410801000000 8b5108 8b049524604300 } + $sequence_0 = { c745dce4ad4200 8945bc 33db 385d18 8945c0 } + $sequence_1 = { 8d044a 8945bc 8b4dbc 0fb611 83fa3d } + $sequence_2 = { 6a05 8b4dec e8???????? 8b45ec 8b10 8b4dec } + $sequence_3 = { c1f806 033485b86a4300 f6462d01 7414 e8???????? c70016000000 } + $sequence_4 = { 68e8030000 ff15???????? 8d45e0 50 8b4ddc } + $sequence_5 = { 53 56 57 8d1c85306a4300 8b03 8b15???????? 83cfff } + $sequence_6 = { 8b4dbc 034db4 894dbc eb0c 8b55b4 } + $sequence_7 = { c1ff06 e8???????? 83e03f 6bc030 59 59 0304bdb86a4300 } + $sequence_8 = { 8b4dac e8???????? 83f801 7509 c745b001000000 eb34 8b4da8 } + $sequence_9 = { 8b4820 51 8b95f0fdffff 8b421c } condition: 7 of them and filesize < 507904 
@@ -132729,36 +133550,36 @@ rule MALPEDIA_Win_Final1Stspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b262f1e-6f1a-5a41-853b-26929c3926c7" - date = "2026-01-05" - modified = "2026-01-06" + id = "beac32f0-9535-5d04-afb4-171b3f49950a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.final1stspy_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.final1stspy_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "2890f444efdd6c719c6ff20f4502542398a3dec68f7c2fb262ec6568139d72d6" + logic_hash = "57b7ed39671ff3bcfc0a4a76a09b0a2fd05899d02fe784b6638f16c1d57de809" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 80c27a 80f219 881439 41 3bce 7cef 8bc7 } - $sequence_1 = { 8bd6 0f281d???????? 2bd0 0f10040f 0f28ca 660ffcc2 } - $sequence_2 = { 8a4803 c1e206 80f93d 7508 47 83ff03 } - $sequence_3 = { 5d c3 2d???????? 78b0 03d0 8b45fc 8a4803 } - $sequence_4 = { 7508 47 83ff03 7d3e } - $sequence_5 = { 7410 8a11 8acb 3aca } - $sequence_6 = { 81e7ff070080 7908 4f 81cf00f8ffff } - $sequence_7 = { 81cf00f8ffff 47 33f6 85ff 7e0a e8???????? } - $sequence_8 = { 84db 7410 8a11 8acb 3aca 7425 8a4801 } - $sequence_9 = { c3 2d???????? 78dc 8b55fc b9???????? 
} + $sequence_0 = { 8bf8 81e7ff070080 7908 4f 81cf00f8ffff 47 33f6 } + $sequence_1 = { 8bf8 81e7ff070080 7908 4f 81cf00f8ffff } + $sequence_2 = { 803900 7426 8a1d???????? 33ff } + $sequence_3 = { 5e 83c8ff 5b 8be5 5d c3 81e9???????? } + $sequence_4 = { 6690 3acd 7412 8a4801 40 84c9 } + $sequence_5 = { 81cf00feffff 47 33f6 85ff 7e0a } + $sequence_6 = { 85ff 7e0a e8???????? 46 3bf7 7cf6 } + $sequence_7 = { 57 8b7dfc 83fe20 724a 251f000080 7905 48 } + $sequence_8 = { 56 8bf0 8945fc 57 8d7e01 } + $sequence_9 = { 894df8 8bf1 8b4dfc 803900 } condition: 7 of them and filesize < 557056 
@@ -132768,36 +133589,36 @@ rule MALPEDIA_Win_Dairy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8a558663-9225-5d4f-bf21-2e09f40cb6bc" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c5e448f-691e-5af5-aa7a-48e35df1d492" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dairy_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dairy_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "67b1fc4dc17bcf8b0cdf2ebf4577147bbf8e49b67379d73e95b1b4864059fa48" + logic_hash = "fa5ba24ebb6bf6340630aef5ac6f2b0c6c47dcc508c49f7e64cc987880b086ca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8bf2 57 81e607000080 7905 4e } - $sequence_1 = { 8d542410 8d442414 52 68ff030000 50 } - $sequence_2 = { 8bd1 83c9ff 50 f2ae 8bca } - $sequence_3 = { 8b44241c 57 8b3e ba2037efc6 8b08 8b4004 897c2418 } - $sequence_4 = { aa e8???????? 83c40c 83f8ff 0f8514ffffff e9???????? 6a10 } - $sequence_5 = { 7f3b ba27000000 2bd1 bf???????? 83c9ff } - $sequence_6 = { f2ae f7d1 2bf9 8d5c241c 8bf7 8be9 8bfb } - $sequence_7 = { c70701000000 e8???????? 83c404 894704 b801000000 5f 5e } - $sequence_8 = { f3a4 75cc 8d7c243c 83c9ff } - $sequence_9 = { 52 68???????? 50 e8???????? 
83c410 85c0 7542 } + $sequence_0 = { 83c41c f2ae f7d1 49 880431 8d442410 } + $sequence_1 = { 68???????? 6a00 890d???????? 8b0d???????? 6a02 } + $sequence_2 = { 8b74241c 46 4f 84c0 } + $sequence_3 = { 89442424 894c2428 c744241840000000 ffd7 8b35???????? } + $sequence_4 = { 8b4c2410 8b450c 8d54241c 51 52 } + $sequence_5 = { 50 ffd5 8bf0 85f6 746f 8b4e10 8b11 } + $sequence_6 = { ba27000000 2bd1 bf???????? 83c9ff 33c0 } + $sequence_7 = { eb2b 8dbc0c3d060000 83c9ff 33c0 } + $sequence_8 = { bf???????? 33c0 8d54243c f2ae f7d1 2bf9 6a0a } + $sequence_9 = { 83c9ff 33c0 46 83c502 } condition: 7 of them and filesize < 212992 
@@ -132807,36 +133628,36 @@ rule MALPEDIA_Win_Campoloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "47bbab4d-d2fa-57b5-b699-26c8446d214c" - date = "2026-01-05" - modified = "2026-01-06" + id = "32f0f399-0148-51c4-a233-851dc8524a13" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.campoloader_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.campoloader_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "66a1664e5b6aaa82c7d5c893eda78f4cfabab07bd0de557bd9bf7b0222c59b17" + logic_hash = "46a55bcdc1760abb366b189bb121145e4e0e7a203cd7dc6e102cc6324749a939" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 2b4dd8 894dd4 8b55f8 0355d4 8955f8 8b45f8 } - $sequence_1 = { 7407 33c0 e9???????? c78548efffff00000000 8d8de8fcffff 898d7cefffff } - $sequence_2 = { 898568efffff 8d95f0feffff 52 ff15???????? 898550efffff 0fb78554efffff 50 } - $sequence_3 = { 8bec b8bc100000 e8???????? a1???????? 33c5 8945fc a1???????? } - $sequence_4 = { 8b55f8 0355d4 8955f8 8b45f8 } - $sequence_5 = { 8a11 8855e4 8345d001 807de400 75ee 8b45d0 2b45a4 } - $sequence_6 = { e8???????? 83c404 89856cefffff 8b958cefffff 2b956cefffff 89958cefffff c78564efffff00000000 } - $sequence_7 = { ff15???????? 
898550efffff 0fb78554efffff 50 ff15???????? 66898522f1ffff b902000000 } - $sequence_8 = { 8b45e4 8945ec 8b4dec 83c101 894dd8 } - $sequence_9 = { c745f8ffffffff 8b45e8 50 8b4d08 51 ff15???????? 83c408 } + $sequence_0 = { 898d7cefffff 8b957cefffff 83c201 89954cefffff 8b857cefffff } + $sequence_1 = { 8d8d30f1ffff 51 e8???????? 83c404 89856cefffff } + $sequence_2 = { 8b510c 8b0410 8b08 898d24f1ffff 6a10 } + $sequence_3 = { 83c40c 8d8d54efffff 51 8d95ecfdffff 52 8d85f0feffff } + $sequence_4 = { 83c001 898560efffff 8b8d80efffff 8a11 88958befffff 838580efffff01 } + $sequence_5 = { c745f8ffffffff 8b45e8 50 8b4d08 51 } + $sequence_6 = { 83c418 8d8d90efffff 51 6802010000 } + $sequence_7 = { 52 ff15???????? a3???????? 68???????? 8b45f8 } + $sequence_8 = { 8945fc a1???????? 8945f4 8a0d???????? 884df8 } + $sequence_9 = { 51 e8???????? 83c410 8d55f4 899580efffff 8b8580efffff } condition: 7 of them and filesize < 66560 
@@ -132846,55 +133667,55 @@ rule MALPEDIA_Win_Jaku_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5711a497-d28d-5b3a-91bd-62abf5157c12" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c595214-6e53-507c-b39b-9e0798e660b2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jaku_auto.yar#L1-L277" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jaku_auto.yar#L1-L264" license_url = "N/A" - logic_hash = "bc36249d8d7142a776a25d525229620582afb8014b8d26d03d6dad8843321c84" + logic_hash = "416ce984c0d46eb134b4677dedcc369ad73398db4f37c4841cfca0c76efcbe4f" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3945f8 0f94c0 eb02 32c0 } - $sequence_1 = { 8bcf 83e107 d3eb 2bf9 895df4 83ff20 } - $sequence_2 = { b83c800000 e8???????? 53 56 57 6a38 8d45c4 } - $sequence_3 = { 33db 894618 895df4 c70601000000 e9???????? 
8b4620 } - $sequence_4 = { 83c204 8bfa d3e7 8b4e14 6609beb8160000 } - $sequence_5 = { 7573 8bc3 83e00f 3c08 0f85a6000000 8b4624 83ef04 } - $sequence_6 = { 880c07 8b02 8a4df8 884c0701 8b0a 8bc6 2bc1 } - $sequence_7 = { 2bf8 83c410 85ff 7fd7 5b 56 } + $sequence_0 = { 83c40c 894618 33db 33ff 895df4 eb0b 8b4620 } + $sequence_1 = { 7320 897dec 8d7c7da8 0fb707 2bd0 85d2 } + $sequence_2 = { 837df800 0f8457040000 8b45fc 8bcf } + $sequence_3 = { c6451101 8b01 8b5510 8910 830104 8b31 8916 } + $sequence_4 = { 0f85ff000000 8b5d08 be00400000 53 56 8d85c4bfffff } + $sequence_5 = { 6a0f 58 8d4dc6 8b17 } + $sequence_6 = { 7423 8d45c8 50 e8???????? 83ff02 } + $sequence_7 = { 0f8402120000 39500c 0f84f9110000 3910 7509 } $sequence_8 = { 68???????? ff15???????? c3 b8???????? e8???????? 83ec2c } $sequence_9 = { ff742408 e8???????? c20800 8bc1 } $sequence_10 = { 53 68000000a0 6a03 53 } - $sequence_11 = { 7507 b800308000 eb02 33c0 } + $sequence_11 = { 55 56 57 6880020000 } $sequence_12 = { 7508 83c8ff e9???????? 8b839f830000 } - $sequence_13 = { 6a01 03c3 68???????? 50 e8???????? 83c40c } + $sequence_13 = { 7507 b800308000 eb02 33c0 } $sequence_14 = { 5b c3 55 8bec 833d????????00 53 56 } - $sequence_15 = { 55 56 57 6880020000 } + $sequence_15 = { 6a01 03c3 68???????? 50 e8???????? 83c40c 85c0 } $sequence_16 = { 75dd 57 e8???????? 59 } - $sequence_17 = { 0245fd 3245fe 8a4dff d2c8 } - $sequence_18 = { 50 e8???????? 59 8b4e2c } - $sequence_19 = { 85ff 897c240c 750c 5f 5e b801000000 5b } - $sequence_20 = { 56 e8???????? 59 8b4620 } - $sequence_21 = { e8???????? 59 eb57 53 } - $sequence_22 = { 016c242c 8b44242c 5f 5e 5d } - $sequence_23 = { 50 894528 e8???????? 83c410 8b3d???????? 53 } - $sequence_24 = { 53 53 53 6aff ff7528 bee9fd0000 } - $sequence_25 = { 56 57 8965f0 33ff 897dfc c645fc01 837d1c10 } - $sequence_26 = { 8bbe9b830000 33db 8d4f01 43 } - $sequence_27 = { 6a00 8b9580faffff 837a3000 750b 8b8db4f9ffff 83c904 eb06 } - $sequence_28 = { 6a00 53 56 e8???????? 
83c41c 8b55f8 8345f8ff } + $sequence_17 = { 50 e8???????? 59 8b4e2c } + $sequence_18 = { e8???????? 59 eb57 53 } + $sequence_19 = { 0245fd 3245fe 8a4dff d2c8 } + $sequence_20 = { 85ff 7e23 8b414c 897c2410 83c004 8b08 03d1 } + $sequence_21 = { 016c242c 8b44242c 5f 5e 5d } + $sequence_22 = { 0175fc 8b75f8 46 8975f8 3b75f4 } + $sequence_23 = { 017dfc 3bb188000000 75a4 5f } + $sequence_24 = { 02c1 8845e9 8a45ee 80e30f } + $sequence_25 = { 02c1 8845ea 8a45ee 243f } + $sequence_26 = { 6a00 53 56 8b06 } + $sequence_27 = { 6a00 8b9580faffff 837a3000 750b 8b8db4f9ffff 83c904 } + $sequence_28 = { 6a00 53 57 8b07 } condition: 7 of them and filesize < 2220032 @@ -132908,7 +133729,7 @@ rule MALPEDIA_Win_Snake_Disk_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake_disk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.snake_disk_auto.yar#L1-L93" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snake_disk_auto.yar#L1-L93" license_url = "N/A" logic_hash = "e3a90a61952999ecca57fcbf79005364fd6ba06d48c543b4f3fe48fb8c119e3f" score = 75 
@@ -132941,36 +133762,36 @@ rule MALPEDIA_Win_Predator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0d522826-628f-52a1-a5d4-de369cb17f76" - date = "2026-01-05" - modified = "2026-01-06" + id = "70d182a4-d8aa-5f5f-8396-da4f89b166c0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.predator_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.predator_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "226e996f5790709cd601960ccd073047c3c37841c157b9e9145c03fdc70dc2d7" + logic_hash = "ed91d564f384deb1aedc60dd168566464dbcfe6a5a4b2df6b3d9d09c38eb3ddb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8bf1 8d4dfd 57 6a0a } - $sequence_1 = { 395dec 7508 83c8ff e9???????? ff75ec e8???????? } - $sequence_2 = { 50 8bcf e8???????? e9???????? 0f2805???????? } - $sequence_3 = { 7316 8a440dc7 32c2 88440dc7 41 } - $sequence_4 = { 83c8ff e9???????? ff75ec e8???????? 59 8bf0 } - $sequence_5 = { 0fa2 8906 895e04 894e08 89560c 834dfcff 8b4df4 } - $sequence_6 = { 8b00 57 03c2 8bce 50 e8???????? 5f } - $sequence_7 = { 8906 895e04 894e08 89560c 834dfcff 8b4df4 } - $sequence_8 = { 395dec 7508 83c8ff e9???????? ff75ec e8???????? 
59 } - $sequence_9 = { ff750c 8bf1 8d4dfd ff7508 } + $sequence_0 = { 8906 895e04 894e08 89560c 834dfcff 8b4df4 64890d00000000 } + $sequence_1 = { 8811 85c0 75f2 51 8d45fd } + $sequence_2 = { 8bf1 8d4dfd 57 6a0a 5f 85c0 } + $sequence_3 = { 895dfc ff7514 8b4d10 e8???????? } + $sequence_4 = { 33db 895dfc ff7514 8b4d10 } + $sequence_5 = { 56 57 8965f0 33db 895dfc ff7514 } + $sequence_6 = { 89560c 834dfcff 8b4df4 64890d00000000 } + $sequence_7 = { 8bf1 8d4dfd ff7508 e8???????? } + $sequence_8 = { 75f2 51 8d45fd 50 } + $sequence_9 = { 895e04 894e08 89560c 834dfcff } condition: 7 of them and filesize < 2211840 
@@ -132980,36 +133801,36 @@ rule MALPEDIA_Win_Xiaoba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "15cc05c8-af5c-56f2-a0b2-68d5a40a2950" - date = "2026-01-05" - modified = "2026-01-06" + id = "3814b721-b47a-5aa5-bf41-c4afa4edfad5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xiaoba_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xiaoba_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "95db22137ae310cb1c06897611cc39a7bd77badcb0dab70f72ac629d2a8f20ac" + logic_hash = "da1ae2f9f4fe077f7b3e2a66e4a2169261388d6f3496e99618337de35846d804" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7407 a9???????? 7557 8b8644010000 33c9 668b8e48010000 85c9 } - $sequence_1 = { d9c0 dc642428 dd5c2440 dd442410 dc642420 dd442440 d9c1 } - $sequence_2 = { db45fc dd5dd4 dc65d4 dd5dcc db45f8 dd5dc4 } - $sequence_3 = { dc442410 dd5c2410 e9???????? db8740010000 dc6c2418 dd5c2418 e9???????? } - $sequence_4 = { dd442404 dc0d???????? c3 83c0fe 83f803 0f87cd000000 ff2485bcd24500 } - $sequence_5 = { 7414 3d00020000 741a 8d542464 52 ff15???????? ebb2 } - $sequence_6 = { ff45f8 f682c1ed660004 894d08 7457 803900 7504 33ff } - $sequence_7 = { 53 e8???????? 83c404 8b45ec e9???????? 
8be5 5d } - $sequence_8 = { 64890d00000000 83c478 c20c00 8b8c2490000000 8b4658 5f 5e } - $sequence_9 = { ffd3 c786c400000000000000 57 ff15???????? 8b4c2440 5f 5e } + $sequence_0 = { bd00ffffff c1e109 c1e008 80e100 03c1 8bc8 b8abaaaa2a } + $sequence_1 = { 03f7 89542438 33ff eb04 8b742440 85c9 0f8e64010000 } + $sequence_2 = { 8b39 3937 740b 40 83c104 3bc2 7cf2 } + $sequence_3 = { 8b542410 894840 8b4c2414 c7403c01000000 894844 8b4c240c 895048 } + $sequence_4 = { 8b542424 898150010000 8b442428 899154010000 8b54242c 898158010000 8b442430 } + $sequence_5 = { 8d542448 51 52 897c2430 895c2434 89742440 ff15???????? } + $sequence_6 = { 7470 8b542418 8b442410 8d8c2484000000 51 56 57 } + $sequence_7 = { 83f8ff 0f8536ffffff 5f 5e 5d b802000000 5b } + $sequence_8 = { 8b10 52 e8???????? 83c404 8b4c2474 8901 8d4c2414 } + $sequence_9 = { 5f 8bc5 5e 5d 5b 83c45c c20400 } condition: 7 of them and filesize < 5177344 
@@ -133019,58 +133840,58 @@ rule MALPEDIA_Win_Red_Gambler_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "424f410a-a1db-5f80-8bc0-d2770de1bebd" - date = "2026-01-05" - modified = "2026-01-06" + id = "7c38fda1-b74b-574d-add9-dee69bde611a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.red_gambler_auto.yar#L1-L298" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.red_gambler_auto.yar#L1-L307" license_url = "N/A" - logic_hash = "b3fef0f5439e9ff88d33fd6c22b22c41979ab9321c0a109b616fbbcd9f2274a0" + logic_hash = "5abed0927198f5cce444594dd3f5b5b4ad949953e75cf8beeb7be8f4c6529b91" score = 75 - quality = 71 + quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 6800010000 8d440601 50 68???????? e9???????? 68???????? } - $sequence_1 = { 55 8bec 837d0c10 56 57 } - $sequence_2 = { 8d55fc 52 56 6a00 6880000000 6a02 ffd7 } - $sequence_3 = { 33db 68ff000000 8d44244d 53 } - $sequence_4 = { 8b1d???????? 8da42400000000 6a00 68???????? ffd3 } - $sequence_5 = { ff15???????? 85c0 7520 8b542418 52 8d84243c010000 } - $sequence_6 = { 33c8 03ff 03ff 83e1f0 } - $sequence_7 = { 90 57 8d95fcfeffff 52 } - $sequence_8 = { 52 ff15???????? 
8d8594fbffff 50 } - $sequence_9 = { 7f6f c8603a0c 7364 42 e5e1 5f } - $sequence_10 = { 3d067c263c 3c3d 9e e7bd } - $sequence_11 = { 6800010000 8d8dfcfdffff 51 6a00 } - $sequence_12 = { 64f33c87 3cfb 3ccd 047e 0000 3e2a6616 2bb0775ea707 } - $sequence_13 = { ff15???????? 83c414 6a00 6a00 8d9598fbffff } - $sequence_14 = { 8d8594fbffff 50 8d4d98 51 ff15???????? } - $sequence_15 = { 2bb0775ea707 2d9e2b3706 d7 e8???????? 004f21 7ea2 } - $sequence_16 = { 6800010000 8d85fcfeffff 50 6a00 ff15???????? } - $sequence_17 = { 68???????? 8d8d98fbffff 68???????? 51 } - $sequence_18 = { 8d9598fbffff 52 68???????? 6a00 6a00 ff15???????? 8b4dfc } - $sequence_19 = { 2b2a bee7eee947 7c26 0e 6706 7e0e 2829 } - $sequence_20 = { 8d5598 52 8d8598fdffff 50 68???????? 8d8d98fbffff } - $sequence_21 = { 6800010000 8d8d98fdffff 51 8d9598feffff } - $sequence_22 = { 74be 6f 665b e17a 6c 8737 27 } - $sequence_23 = { 4c 48 44 40 } - $sequence_24 = { 6e 44 b11a dfaf4e71ac05 } - $sequence_25 = { ff96bcd60000 83c704 8d5efc 31c0 } - $sequence_26 = { ffd3 68???????? 56 8bf8 ffd3 8bd8 ffd7 } - $sequence_27 = { ff15???????? 40 68???????? 50 ff15???????? 8d8dfcfeffff } - $sequence_28 = { a1???????? a3???????? a1???????? c705????????6b214000 8935???????? a3???????? } - $sequence_29 = { c1f805 c1e606 033485c0974000 8b45f8 } - $sequence_30 = { 85f6 0f8492000000 8b1d???????? 68???????? } - $sequence_31 = { f2ae 55 ff96acd60000 09c0 7407 8903 83c304 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 52 50 ff15???????? 3975fc 761e 8d5f30 } + $sequence_1 = { 6a00 885604 8b45e8 50 6a05 56 } + $sequence_2 = { ff15???????? 85c0 7549 68ff000000 8d8df0fcffff 51 ff15???????? } + $sequence_3 = { ff15???????? 8bd8 85db 0f845c010000 68???????? 8bfb e8???????? } + $sequence_4 = { 53 8bd8 a1???????? 56 57 8945e8 } + $sequence_5 = { 56 8b35???????? 
57 68???????? c745ece80f13fc ffd6 } + $sequence_6 = { 85c0 7414 8b400c 8b4004 8903 894304 } + $sequence_7 = { 7519 6a0a ffd6 68???????? 8bfb e8???????? 8bf8 } + $sequence_8 = { c1c010 86c4 29f8 01f0 ab ebe3 } + $sequence_9 = { 52 68???????? 6a00 6a00 ff15???????? 8b4dfc 33cd } + $sequence_10 = { 627627 4f 8d74c79e cf 23530e } + $sequence_11 = { 6800010000 8d85fcfeffff 50 6a00 ff15???????? } + $sequence_12 = { 6a00 6a00 8d9598fbffff 52 68???????? 6a00 } + $sequence_13 = { 7061 2dc7dc1667 3663ea 7c0e } + $sequence_14 = { 6800010000 8d8d98fdffff 51 8d9598feffff } + $sequence_15 = { 8d5598 52 8d8598fdffff 50 68???????? 8d8d98fbffff 68???????? } + $sequence_16 = { 09afba55a367 59 2f 74be 6f 665b } + $sequence_17 = { f3281c14 0c00 e779 cf } + $sequence_18 = { 3663ea 7c0e 07 642827 } + $sequence_19 = { 8d8d98fbffff 68???????? 51 ff15???????? } + $sequence_20 = { 51 8d9598feffff 52 ff15???????? 8d8594fbffff } + $sequence_21 = { 8d8594fbffff 50 8d4d98 51 } + $sequence_22 = { 51 ff15???????? 83c414 6a00 6a00 } + $sequence_23 = { e17a 6c 8737 27 97 } + $sequence_24 = { 75f7 8b07 66c1e808 c1c010 86c4 } + $sequence_25 = { 6e 44 b11a dfaf4e71ac05 } + $sequence_26 = { 4c 40 34f3 3ccf f3281c14 0c00 } + $sequence_27 = { c1f805 c1e606 033485c0974000 8b45f8 8b00 8906 8b45fc } + $sequence_28 = { 85f6 0f8492000000 8b1d???????? 68???????? } + $sequence_29 = { 40 68???????? 50 ff15???????? 8d85fcfeffff 50 } + $sequence_30 = { a1???????? a3???????? a1???????? c705????????6b214000 8935???????? a3???????? ff15???????? } + $sequence_31 = { 8bff 55 8bec 33c0 8b4d08 3b0cc5d8694000 } condition: 7 of them and filesize < 327680 
@@ -133080,75 +133901,114 @@ rule MALPEDIA_Win_Skip20_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a4637b8-f789-501b-b30e-9b5c38cc0f0d" - date = "2026-01-05" - modified = "2026-01-06" + id = "dec3df97-f40d-5bae-a6a2-881223bbed7d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.skip20_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.skip20_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "37102bdc96bcca2b357e821094999917631ae97c09451ffb93720795a4f9e949" + logic_hash = "0d60cab65a8ce67ba53815adb84ac11ab0ddeeeabb42f5358aceef35f5f8b7f3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb74114 8b540824 4803d3 8b7c0820 4885d2 0f840b1d0000 } - $sequence_1 = { 488d0c40 4c8d0584fe0100 4d8b04c8 488bd7 } - $sequence_2 = { 894c2430 89542428 488d15fd2c0100 e9???????? 4c896c2450 66c744245cff25 } - $sequence_3 = { 488d0db5220100 e8???????? eb4a 4c896c2450 440fb74c2472 440fb7442470 } - $sequence_4 = { 4c8d254c540100 488b0d???????? bf01000000 897c2460 } - $sequence_5 = { 8bd6 81e200004000 747e 41ff4c2418 781e } - $sequence_6 = { ffc9 7432 ffc9 0f85150a0000 814e0400000002 4180e304 } - $sequence_7 = { e8???????? 
0fb64732 ffc3 3bd8 72dd 4c21aea0000000 0fb74f18 } - $sequence_8 = { 7418 0fbae119 730a f68424b800000008 7508 41be01000000 } - $sequence_9 = { 0fb744247c 89442438 0fb74c247a 894c2430 0fb7542478 89542428 488d15652f0100 } + $sequence_0 = { b808000000 668944bb24 66834b1820 ff4d18 0f8854fcffff 488b4510 480fbe08 } + $sequence_1 = { 488bdf 4c8bef 49c1fd05 4c8d350cff0400 } + $sequence_2 = { 807a2201 7406 807a2601 7520 440fb74220 4181f86c030000 7f40 } + $sequence_3 = { 488b4110 480fbf08 48894e08 4883471002 e9???????? 4c8d05f1a2ffff 83fa04 } + $sequence_4 = { 4183f902 7505 4183483804 f6c104 7405 4183483810 4983c202 } + $sequence_5 = { 0f8440010000 b900010000 e9???????? 8b842498000000 4585e4 754a 83f805 } + $sequence_6 = { 418bb482a08a0100 eb07 4c8d15b4b2ffff 8bd6 81e200004000 747e 41ff4c2418 } + $sequence_7 = { 56 57 4154 4155 4156 4883ec38 418bf1 } + $sequence_8 = { 0f8492000000 4889442450 488d153ef0ffff 488bc8 e8???????? } + $sequence_9 = { 488bcb e8???????? 4885c0 0f847affffff 8b15???????? 488d0c52 } condition: 7 of them and filesize < 794624 } +rule MALPEDIA_Win_Snappy_Client_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "83f27e97-2259-59df-9f1e-70ff961a2f9a" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snappy_client" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snappy_client_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "b2c5bb56f240c76bee33ebf3792ebf1b230895a24c38b64edc4f476901ebc8c5" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + 
malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { eb12 8d4608 8bcb 50 8d442414 50 e8???????? } + $sequence_1 = { ff762c 894df8 ff15???????? 8bc8 83c408 85c9 751c } + $sequence_2 = { eb06 ff75e0 ff7624 8b4e08 e8???????? 8b4e08 8b01 } + $sequence_3 = { ff7514 8bf1 ff7510 8975fc e8???????? ff7508 83a6a800000000 } + $sequence_4 = { ebf8 55 8bec 51 8365fc00 56 8b7508 } + $sequence_5 = { e9???????? 8d8d10ffffff e9???????? 8d4dcc e9???????? 8d8d00ffffff e9???????? } + $sequence_6 = { ff15???????? 85c0 7428 8b9f84000000 8bb780000000 eb16 837e0803 } + $sequence_7 = { ff7110 e8???????? 83c410 5d c20400 8d412c c6410d00 } + $sequence_8 = { ff750c 895dd4 03fb 8bcf 897de0 8d4738 8945d8 } + $sequence_9 = { ff15???????? 50 ff15???????? a3???????? c605????????00 57 8b7d18 } + + condition: + 7 of them and filesize < 7315456 +} rule MALPEDIA_Win_Maggie_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "81084c1b-a8b2-52e1-b50c-8b61dc38259b" - date = "2026-01-05" - modified = "2026-01-06" + id = "2daae6e8-1c36-5fed-a4e1-516849fc64a1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.maggie_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.maggie_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "c0bf28bd0446ea04e23665ed8ce11b5b78fa1a4a971a7efa9966e49954f77131" + logic_hash = "a15259e8d264fce12ffba896d6252cb15b4da37d28032e194285bf9073f7786f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + 
malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? e8???????? 84c0 74ec e8???????? } + $sequence_0 = { ff15???????? 83f8ff 750f ff15???????? 2d33270000 f7d8 1bc0 } $sequence_1 = { ff15???????? 83f8ff 750f ff15???????? 2d33270000 } - $sequence_2 = { 663b05???????? 7505 e8???????? e8???????? } - $sequence_3 = { 7511 ff15???????? 85c0 7407 33c0 e9???????? } - $sequence_4 = { b8ff000000 663b05???????? 7505 e8???????? } - $sequence_5 = { 750f ff15???????? 2d33270000 f7d8 } - $sequence_6 = { 750f ff15???????? 2d33270000 f7d8 1bc0 } - $sequence_7 = { 663b05???????? 7505 e8???????? e8???????? 84c0 } - $sequence_8 = { 83f8ff 750f ff15???????? 2d33270000 f7d8 1bc0 } - $sequence_9 = { ff15???????? 83f8ff 750f ff15???????? 2d33270000 f7d8 } + $sequence_2 = { 83f8ff 750f ff15???????? 2d33270000 } + $sequence_3 = { ff15???????? e8???????? 84c0 74ec e8???????? e8???????? } + $sequence_4 = { 7511 ff15???????? 85c0 7407 33c0 } + $sequence_5 = { ff15???????? e8???????? 84c0 74ec e8???????? } + $sequence_6 = { b8ff000000 663b05???????? 7505 e8???????? } + $sequence_7 = { 663b05???????? 7505 e8???????? e8???????? } + $sequence_8 = { 750f ff15???????? 2d33270000 f7d8 } + $sequence_9 = { 663b05???????? 7505 e8???????? e8???????? 84c0 } condition: 7 of them and filesize < 611328 
@@ -133158,42 +134018,42 @@ rule MALPEDIA_Win_Rdat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5a60ab37-0286-51c1-b368-c89969708302" - date = "2026-01-05" - modified = "2026-01-06" + id = "8eed346d-6516-5825-ab9e-5abebd121df7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rdat_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rdat_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "a3c5411cc41035f8ac417b9a4fa9bb993690d8d8e560ea34758edef8eeee5bff" + logic_hash = "a6e1af17564b891ebe92df83d60c7a538275b29576afeb836b3886f400903de1" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8bc3 4c0f42c7 4d85c0 7504 } - $sequence_1 = { 48897020 498bf8 488bda 488bf1 b920000000 } - $sequence_2 = { 0f8d9e000000 488b4660 3b5668 7c1d } - $sequence_3 = { 0f8d83000000 488b82b0000000 443b82b8000000 7c25 442b82b8000000 48638ab8000000 488b7cc8f8 } - $sequence_4 = { 4533c9 488bfa 4c8bc1 85db 7e77 } - $sequence_5 = { 4889742410 57 4883ec20 488b02 488bf1 488bfa 488b18 } - $sequence_6 = { 0f85a8000000 83791804 0f859e000000 8b4920 } - $sequence_7 = { 6690 48ffc3 4038341a 75f7 4883791810 488b7910 7203 } - $sequence_8 = { 85c0 740b b9e8030000 ff15???????? } - $sequence_9 = { e8???????? 
4898 4885c0 751e 483bfb 7313 } - $sequence_10 = { 4883ec40 48c740d8feffffff 48895808 48897020 } - $sequence_11 = { 0f8d89000000 496398b8000000 498b80b0000000 3bd3 } - $sequence_12 = { 488b7910 7203 488b09 483bfb 4c8bc3 4c0f42c7 } - $sequence_13 = { 486bd158 490314c0 eb07 488d15f6a30100 f6420820 7417 } - $sequence_14 = { 41b803000000 498b17 488d4d90 e8???????? 90 } - $sequence_15 = { 90 48c78424b80000000f000000 4c89b424b0000000 c68424a000000000 4983c9ff 4533c0 488d942470030000 } + $sequence_0 = { 85c0 740b b9e8030000 ff15???????? } + $sequence_1 = { 0f8d89000000 496398b8000000 498b80b0000000 3bd3 } + $sequence_2 = { 48634e04 488b4608 8b1488 eb07 } + $sequence_3 = { 4883c504 453bc4 7358 e9???????? } + $sequence_4 = { 4c8bc3 4c0f42c7 4d85c0 7504 8bc6 eb05 } + $sequence_5 = { 4883ec40 48c740d8feffffff 48895808 48897020 498bf8 488bda 488bf1 } + $sequence_6 = { 4533c9 4963f6 4585f6 7e45 } + $sequence_7 = { 75f7 4883791810 488b7910 7203 488b09 483bfb } + $sequence_8 = { 4883cbff 6690 48ffc3 4038341a 75f7 4883791810 488b7910 } + $sequence_9 = { 48634e68 4c8b44c8f8 7816 8d4a01 } + $sequence_10 = { 7203 488b09 483bfb 4c8bc3 4c0f42c7 4d85c0 } + $sequence_11 = { 4885c0 751e 483bfb 7313 83c8ff 488b5c2430 } + $sequence_12 = { 0f859e000000 8b4920 8d81e0fa6ce6 83f802 760c 81f900409901 0f8584000000 } + $sequence_13 = { eb05 e8???????? 4898 4885c0 751e 483bfb } + $sequence_14 = { 0f8d83000000 488b82b0000000 443b82b8000000 7c25 } + $sequence_15 = { c3 48833d????????00 488d058d330100 740f } condition: 7 of them and filesize < 1573888 
@@ -133203,36 +134063,36 @@ rule MALPEDIA_Win_Bravonc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6dc4fda1-21f0-5df6-853f-1dcbad03c148" - date = "2026-01-05" - modified = "2026-01-06" + id = "53ec4987-8b1c-52a0-9a77-22ef03d18dfd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bravonc_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bravonc_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "773a75cc27f4f0e2a9753a7f457b50e9ee585cad286c778ed87544df88619b9a" + logic_hash = "654fa8468b7d40e43f12e2cf91d17e0017c1589ce6dc6ec857214f7c1dbfbedb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4838 334820 334818 33480c } - $sequence_1 = { 68???????? e8???????? e8???????? be???????? 68???????? 56 c705????????03000000 } - $sequence_2 = { 8bce e8???????? eb03 8b7d08 8b1d???????? 8d45f4 } - $sequence_3 = { 33480c 334804 51 e8???????? 8b8ec0000000 53 ff75f0 } - $sequence_4 = { 334dec 57 ff75fc 334dfc } - $sequence_5 = { 5e c9 c20c00 55 8bec 81ec80020000 53 } - $sequence_6 = { 57 8bce ff15???????? 8bc6 5f 5e c9 } - $sequence_7 = { 8945f4 8b06 f7d8 23c1 03f3 8945fc } - $sequence_8 = { 334834 6a01 334828 334814 51 } - $sequence_9 = { eb02 33db 6a01 e8???????? 
84c0 59 750d } + $sequence_0 = { 034a38 034dec 8d8401d6c162ca 8945ec e8???????? } + $sequence_1 = { 8b4dec 8d8401a1ebd96e 8945ec e8???????? 8945f4 8b86c0000000 } + $sequence_2 = { 8b8ec0000000 53 ff75fc 894134 e8???????? 8b4df4 } + $sequence_3 = { ff7508 50 e8???????? 8b4dfc 83c40c 8d8578ffffff 50 } + $sequence_4 = { 83450808 ebd0 8b048590b24000 8b4b08 } + $sequence_5 = { c21000 55 8bec 81ec00010000 53 56 ff751c } + $sequence_6 = { e8???????? 8b4df4 334df8 334df0 03c1 8b8ec0000000 034118 } + $sequence_7 = { c20400 c701???????? c3 8b442404 83610c00 894104 8b442408 } + $sequence_8 = { 8945ec 8b86c0000000 6a01 8b4834 33482c 334820 33480c } + $sequence_9 = { 8bf1 8b4604 83f8ff 744c 804dffff 8d4df8 6a04 } condition: 7 of them and filesize < 131072 
@@ -133242,36 +134102,36 @@ rule MALPEDIA_Win_Hunters_International_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d8636829-de8e-581c-ad4e-c31c44dd9781" - date = "2026-01-05" - modified = "2026-01-06" + id = "168ceb82-c77f-5e59-beb9-19e697c6df93" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hunters_international" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hunters_international_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hunters_international_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "9c91c92551d0b4c31eb2166ecca4cb74b9d63e524f9ede84d728adc0424bfc5e" + logic_hash = "f06415ba9729f1ab2c56fe45744096f75b2adc6457ce941b1b9a5f4b0a453714" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c641040c e9???????? c641040d e9???????? } - $sequence_1 = { e9???????? c641040d e9???????? c641040e e9???????? c641040f e9???????? } - $sequence_2 = { 241f 3c1f 750f c70100000000 c641041f } - $sequence_3 = { c641040c e9???????? c641040d e9???????? c641040e } - $sequence_4 = { c6410402 e9???????? c6410405 e9???????? c641040c e9???????? c641040d } - $sequence_5 = { c6410405 e9???????? c641040c e9???????? c641040d e9???????? } - $sequence_6 = { 750f c70100000000 c641041f c6410810 } - $sequence_7 = { c6410400 e9???????? 
c6410402 e9???????? c6410405 } - $sequence_8 = { c6410402 e9???????? c6410405 e9???????? } - $sequence_9 = { c641040c e9???????? c641040d e9???????? c641040e e9???????? } + $sequence_0 = { 750f c70100000000 c641041f c6410810 } + $sequence_1 = { 89d0 241f 3c1f 750f c70100000000 c641041f c6410810 } + $sequence_2 = { 3c1f 750f c70100000000 c641041f c6410810 } + $sequence_3 = { 5e c3 b840000000 c3 } + $sequence_4 = { 241f 3c1f 750f c70100000000 c641041f c6410810 } + $sequence_5 = { 241f 3c1f 750f c70100000000 c641041f c6410810 c3 } + $sequence_6 = { 3c1f 750f c70100000000 c641041f c6410810 c3 } + $sequence_7 = { c70100000000 c641041f c6410810 c3 } + $sequence_8 = { 750f c70100000000 c641041f c6410810 c3 } + $sequence_9 = { c3 b908000000 ba20010000 e8???????? } condition: 7 of them and filesize < 1377280 
@@ -133281,36 +134141,36 @@ rule MALPEDIA_Win_Nefilim_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f770afff-845f-5499-a82e-ad8c0e6c9614" - date = "2026-01-05" - modified = "2026-01-06" + id = "33eab17d-97c0-5d73-a9f1-b767c75e5881" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nefilim_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nefilim_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "84fb3ca9c75650a6b701073468d1bedd054df919eaf8258d3aea8d2bb0356db2" + logic_hash = "3a27af8833785290d94c5f72bdf3db44afcefd8ef480b73988f50858a895ec4a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 ff15???????? 50 ff15???????? 57 8bf0 } - $sequence_1 = { 7304 8d442414 68???????? 50 ffd6 85c0 0f84dc000000 } - $sequence_2 = { 50 ffd6 85c0 0f849b040000 68???????? 8d8424d0000000 } - $sequence_3 = { 0f8f5d010000 8b4c2418 394c2428 0f822dffffff e9???????? } - $sequence_4 = { 3b5d0c 72b3 5e 8b8538ffffff 6a10 2bf8 } - $sequence_5 = { 33c0 50 50 ff74241c ffd7 53 8d442434 } - $sequence_6 = { 8bf0 ffd3 50 57 e8???????? } - $sequence_7 = { 68???????? 50 ffd6 85c0 0f84a0000000 8b442414 397c2428 } - $sequence_8 = { 8b4de0 a3???????? 
7303 8d4de0 } - $sequence_9 = { c9 c3 55 8bec 83e4f8 81ecec020000 a1???????? } + $sequence_0 = { 8810 40 49 75f7 8b4dfc 5f 33cd } + $sequence_1 = { 7d0d 8a4c181c 8888b8e54000 40 ebe9 } + $sequence_2 = { be???????? 56 bb???????? 53 ffd7 85c0 } + $sequence_3 = { ffd6 85c0 0f8436010000 8b442414 } + $sequence_4 = { 50 ffd7 8d4df4 83ec1c } + $sequence_5 = { f7db 1adb 6a01 33ff 8d75c4 e8???????? } + $sequence_6 = { 75f7 8b4dfc 5f 33cd } + $sequence_7 = { 0f862d020000 be48e80100 eb04 8b4c2418 2b4c2428 } + $sequence_8 = { f3a5 ff2495d0324000 8bc7 ba03000000 83e904 720c } + $sequence_9 = { ff74242c 8944242c e8???????? ff74242c e8???????? be00010000 56 } condition: 7 of them and filesize < 142336 
@@ -133320,36 +134180,36 @@ rule MALPEDIA_Win_Crutch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3e20e20b-31c5-5834-8ab6-1f56ddff6199" - date = "2026-01-05" - modified = "2026-01-06" + id = "d63fa81a-07ba-55b3-8bb8-045f4b262f08" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crutch_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crutch_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "f4a23c9ddcadc5cf9e865fc280dcc92eecf1924dce5c0d12173bb5cf5ba3e418" + logic_hash = "213c609e9b29ee190c895c04753435a224af0226ad85ba77de7f13f29e25c692" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5608 50 52 e8???????? 50 68???????? 56 } - $sequence_1 = { c7861840000001000000 e8???????? 83c40c eb55 8b8608400000 68???????? 68???????? } - $sequence_2 = { 771d 0fb68938370210 ff248d30370210 8b148500810610 52 68???????? eb19 } - $sequence_3 = { 762d 8b4c2444 390f 7560 8bd1 56 52 } - $sequence_4 = { 51 e8???????? 83c404 85c0 740d c744245c2a000000 e9???????? } - $sequence_5 = { 33cc e8???????? 81c4a8090000 c3 663b742414 763a 8b4c2410 } - $sequence_6 = { 8b442428 8b742420 8b38 81c630050000 e8???????? 5f 5e } - $sequence_7 = { ff7580 e8???????? 83c404 6a01 6a2f 53 e8???????? 
} - $sequence_8 = { e9???????? 8b44240c 68???????? 50 e8???????? 83c408 e9???????? } - $sequence_9 = { 52 e8???????? 8bf0 83c408 85f6 750f 5e } + $sequence_0 = { 8b15???????? 50 8b4240 ffd0 c744246800000000 c744246000000000 81ff12030900 } + $sequence_1 = { 50 ff15???????? 83c404 894708 85c0 7430 2b8670010000 } + $sequence_2 = { 3bce 7506 8b7c2428 eb4a 41 51 ff15???????? } + $sequence_3 = { c3 6a00 b8???????? e8???????? be???????? 56 } + $sequence_4 = { 0f4385a0fdffff 50 8d85b8fdffff 50 e8???????? 83c424 8d85b8fdffff } + $sequence_5 = { 8806 8a01 46 41 84c0 7405 83ef01 } + $sequence_6 = { 751d f686a001000001 7514 68???????? 56 e8???????? 89aea0020000 } + $sequence_7 = { 51 e8???????? 83c40c 83f801 7527 8b8e14060000 51 } + $sequence_8 = { 8b7510 83fe01 0f8cc0010000 8b048de06f0710 8b3c8ddc6f0710 2bc7 c745d464000000 } + $sequence_9 = { 51 68???????? aa e8???????? 6a0f e8???????? 8bf0 } condition: 7 of them and filesize < 1067008 
@@ -133359,36 +134219,36 @@ rule MALPEDIA_Win_Temp_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "06945ffb-74bb-55c6-897c-840bc8a35717" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a3d7e56-ade6-5388-9ba8-30989bb7bbe4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.temp_stealer_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.temp_stealer_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "0687eb315a2ca722457708cc43ae8e72e82f9cde0b8833cdb29551011317ae50" + logic_hash = "911de5b49c403e2d606ceae10e3002c8ec55903f278dc5636e841d1eb2417be1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b4d08 e8???????? 4403f7 4883c330 443bb518020000 0f8c37ffffff 488b5d00 } - $sequence_1 = { 488d1537b00300 488bcb ff15???????? 488945b0 488d1533b00300 488bcb ff15???????? } - $sequence_2 = { f20f58cb f20f58cf f20f102d???????? 488d1592e10100 f20f59ee f2430f1004c1 } - $sequence_3 = { 4533c0 baa00f0000 e8???????? 488b05???????? 4c8d05f52b0300 488bd5 48c1fa06 } - $sequence_4 = { 488d0526dc0100 483947f0 741a 488b0f 4885c9 7412 833900 } - $sequence_5 = { 90 488b8d80000000 e8???????? 90 498bcd } - $sequence_6 = { 488b13 48c1e205 4883c208 488bcb e8???????? 
90 4183660800 } - $sequence_7 = { 894708 488d5901 41bf20000000 418bc7 48f7e3 498d4fdf 480f40c1 } - $sequence_8 = { 48895c2478 488d5530 488d4c2460 e8???????? 90 488d5580 } - $sequence_9 = { 90 488d442440 48894558 4c897c2440 4c897c2450 48895c2458 488d153cc80300 } + $sequence_0 = { e9???????? 418bed 488d158d460200 4d8bfa e9???????? 418bc5 f7d0 } + $sequence_1 = { 410f93c1 8bd3 418bcd 488d45d7 4584c9 480f4545d7 41ffc5 } + $sequence_2 = { 48837f1808 7203 488b17 4c8bc3 488d8d00020000 e8???????? 488d9500020000 } + $sequence_3 = { 48634804 488d442430 4803c8 4533c0 8bd7 e8???????? 41f6de } + $sequence_4 = { e8???????? 408ac7 488b9c2428010000 4881c4e0000000 415f 415e 415d } + $sequence_5 = { 4c89642420 4c89642430 4c896c2438 4c8d0d697a0300 8bd3 488d4c2420 e8???????? } + $sequence_6 = { 488bd0 488d4c2440 e8???????? 488d1574670300 488d4d18 e8???????? 488bd0 } + $sequence_7 = { 483bc3 742c 488d4c2450 e8???????? 0f1003 0f11442450 } + $sequence_8 = { b908000000 4c8d058f660100 488d1590660100 e8???????? 4c8d0d9c660100 b90b000000 } + $sequence_9 = { 488d4c2458 e8???????? 488d4dc8 48395de0 480f434dc8 ff15???????? 83f8ff } condition: 7 of them and filesize < 652288 
@@ -133398,36 +134258,36 @@ rule MALPEDIA_Win_Ragnarlocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "115610a4-debf-5e53-866c-588d0e4a674d" - date = "2026-01-05" - modified = "2026-01-06" + id = "dcecb6b7-65a3-5c7b-bbc6-c28a6ab91975" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ragnarlocker_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ragnarlocker_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "6d88f5a9935c94f31e5ef388da569a4f1a15523f9d92a2b5d9dd3611cf9ee236" + logic_hash = "9bd773d74809dd0f10052ca16b7c6c4c8d11dfc505c74d183071444eacb20a9f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b7da4 0facd106 33fe c1ea06 33d9 8b4da8 33fa } - $sequence_1 = { c1e017 0bd8 8b45cc 0bf9 8b4dd4 33d2 } - $sequence_2 = { 33d0 03de 8b4dfc 8b75f8 8bc6 13fa c745bc00000000 } - $sequence_3 = { 8bf1 0facd113 c1e60d c1ea13 0bf2 895da8 8b957cffffff } - $sequence_4 = { 33db 0bd9 8975a4 8b8d50ffffff 8bfa 0fa4ca03 c1ef1d } - $sequence_5 = { 56 8b75f8 56 6a03 6a3b 57 ff15???????? 
} - $sequence_6 = { 8945e0 8b4594 8945e4 8b4590 8945e8 8b458c 8945c0 } - $sequence_7 = { 99 0bf2 c1e308 0bd8 0fb64143 0fa4de08 } - $sequence_8 = { 0bd8 0fb6410f 0fa4de08 8b4d98 99 0bf2 c1e308 } - $sequence_9 = { c1ea0e 3175fc 0bfa 8b75dc 33df 8b7de0 f7d6 } + $sequence_0 = { 8b7d90 13d6 014de8 8bf7 8bcf 13d3 33db } + $sequence_1 = { b82c000000 668945f4 8d45f4 50 56 e8???????? 83c408 } + $sequence_2 = { 3175fc 8b4db4 8bf1 3375f8 234df8 8b55f0 } + $sequence_3 = { c1ea08 0bd9 8b8d50ffffff c1e618 0bf2 8b956cffffff } + $sequence_4 = { 8d8560f9ffff 50 ffd6 6a01 8d8560f9ffff 57 50 } + $sequence_5 = { 3375f4 2375b8 8b4dd4 234df4 8b55c0 } + $sequence_6 = { 13fa 039d44ffffff 13bd38ffffff 039d18ffffff 13bd14ffffff 81c32f3b4dec 81d7cffbc0b5 } + $sequence_7 = { 660f1f840000000000 8b7508 8a840d20ffffff ff4508 3206 8b75cc 8807 } + $sequence_8 = { 8b7d08 8bd9 85ff 0f84a1010000 56 8b750c } + $sequence_9 = { 50 ff32 8b45fc 6a00 6a01 6a00 ff7004 } condition: 7 of them and filesize < 147456 
@@ -133437,36 +134297,36 @@ rule MALPEDIA_Win_Rtm_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c193efe6-e068-5098-a7d3-9f677c141047" - date = "2026-01-05" - modified = "2026-01-06" + id = "37ffb73f-f9fd-5ba4-95b3-e1ad51521463" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm_locker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rtm_locker_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rtm_locker_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "2e6ca0dcb3b2e786645310d69deee5d15ea048d4739b56fdd6e98df960bfefa8" + logic_hash = "069c4670d441f7c98d084344e3ea7277dd36e7f0d4a7dcd04ed8e226563c6733" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ffd7 8b44241c 8d542410 52 8d542424 c744241400000000 } - $sequence_1 = { 8bbd38ffffff 33d0 c1c210 03ca 33f1 c1c60c } - $sequence_2 = { 0f29a424b0000000 660fd4c1 0f28e2 0f29b42410010000 660f62e0 660f6ad0 } - $sequence_3 = { 8d85e8feffff 50 6a00 ff15???????? 85c0 7440 68???????? } - $sequence_4 = { 8d8550fcffff 50 8d95c8feffff 8d8d68ffffff e8???????? 
83c404 8d8d68ffffff } - $sequence_5 = { 0f1195ecfdffff 0f119dfcfdffff 0f11a50cfeffff 0f11851cfeffff 660f1f440000 8b840d2cfeffff 01840d64fcffff } - $sequence_6 = { 57 660f1f440000 3a1a 7403 42 } - $sequence_7 = { 0f108560feffff 0f118570fdffff 0f108570feffff 0f118580fdffff e8???????? 8d8d30feffff e8???????? } - $sequence_8 = { 894590 33fe c1c708 8d040f 8945ec 33c2 } - $sequence_9 = { 8b4dec 48 897dfc 897db8 894508 85c0 0f8f3ffeffff } + $sequence_0 = { 0f289d60ffffff 8d5640 8d458c 33ff 3bf0 7711 8d8550ffffff } + $sequence_1 = { 885c012e 8b0495500f4200 804c012d04 46 ebb3 ff15???????? 8945a8 } + $sequence_2 = { 8d0c9500000000 23d1 8955d8 8b55e4 81f2ffffff03 f7d2 8bca } + $sequence_3 = { 0f104598 0f118580fcffff 0f1045a8 0f118590fcffff e8???????? 8d8d68ffffff } + $sequence_4 = { 6a03 8d44241c 50 6a00 6a14 ff15???????? 5f } + $sequence_5 = { f7d7 23d9 81f6ffffff03 8bcb f7d6 c1e108 81f2ffffff01 } + $sequence_6 = { 8d8540fdffff 50 0f1185f0fcffff 8d95f0fcffff } + $sequence_7 = { 8d9518ffffff 0f104588 8d8d68ffffff 0f118538ffffff 0f104598 0f118548ffffff } + $sequence_8 = { 56 50 8b45e4 0345fc 50 } + $sequence_9 = { 8be5 5d c3 b801000000 8b4df0 64890d00000000 5f } condition: 7 of them and filesize < 598016 
@@ -133477,10 +134337,10 @@ rule MALPEDIA_Win_Typeframe_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "54b5c61d-baac-5ee7-bf22-feb7211e94de" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.typeframe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.typeframe_auto.yar#L1-L148" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.typeframe_auto.yar#L1-L148" license_url = "N/A" logic_hash = "80d5f324e45f06373a108fe4a18abca87604cdaaeb894c2ac4120a591e037164" score = 75 @@ -133489,9 +134349,9 @@ rule MALPEDIA_Win_Typeframe_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -133521,36 +134381,36 @@ rule MALPEDIA_Win_Cloud_Duke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e419e016-f5fc-54fd-9e45-72cf3dfc672c" - date = "2026-01-05" - modified = "2026-01-06" + id = "059ffe60-3bb5-5a01-b4d6-b3d74894d028" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cloud_duke_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cloud_duke_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "fda6f38613671be0889a1aab772fc69d0cd906ec00d4774d2302c1e1bbcac11b" + logic_hash = "ebda66d9818e3b7150f849e275c7449bd69eed481b98c454537daf9fb0d07a44" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b8a88e8ffff 33c8 e8???????? 83c008 8b4af8 33c8 } - $sequence_1 = { 89442420 742b 48 89442414 6aff 6a00 57 } - $sequence_2 = { e8???????? 51 8bc8 c645fc13 e8???????? 83c404 c645fc11 } - $sequence_3 = { 897da4 6a13 6a00 68???????? 8bce e8???????? 83f8ff } - $sequence_4 = { 83e4f0 6aff 68???????? 64a100000000 50 81ec2c020000 } - $sequence_5 = { 50 c784240c010000ffffffff e8???????? 8b842404010000 f7d0 39442428 0f8599060000 } - $sequence_6 = { 75f5 e9???????? 83f805 0f85b8020000 } - $sequence_7 = { 8bf0 e8???????? 
83c414 39b42418010000 0f8572000000 6a44 } - $sequence_8 = { 668906 8945fc 8b4310 8b7e10 83c007 c745f001000000 3bf8 } - $sequence_9 = { 0f57c0 0f43842420010000 51 8d8c24a0010000 } + $sequence_0 = { 64890d00000000 59 5f 5e 8b8c2464170000 33cc e8???????? } + $sequence_1 = { 7204 8b16 eb02 8bd6 85c0 7421 8b4d18 } + $sequence_2 = { f7e2 0f90c1 f7d9 0bc8 51 e8???????? 8d1436 } + $sequence_3 = { 0f8405010000 57 8bce e8???????? } + $sequence_4 = { c78424f400000000000000 8b08 56 50 ff511c 85c0 } + $sequence_5 = { 83c40c 85c0 0f8540060000 ffb424f8000000 83bc242001000010 8d84240c010000 ffb4241c010000 } + $sequence_6 = { 8b842404010000 f7d0 39442428 0f856c010000 ff742420 } + $sequence_7 = { 0f88b4090000 68???????? 8d85ecfbffff 6804010000 50 e8???????? } + $sequence_8 = { e8???????? 8bc8 83c404 898e80000000 85c9 } + $sequence_9 = { f30f6f05???????? f30f7f8520ffffff f30f6f05???????? f30f7f8530ffffff } condition: 7 of them and filesize < 368640 
@@ -133560,36 +134420,36 @@ rule MALPEDIA_Win_Pngdowner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e2dbfe40-d617-5d1b-bbce-59a19338c6f8" - date = "2026-01-05" - modified = "2026-01-06" + id = "b53f0bc4-3876-5756-ac42-cb9aa9ca06da" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pngdowner_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pngdowner_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "c7a4cf22317ae6eb6a1b63ad8076fbfd6db12b13640e6a0471f645fcbb28ed9a" + logic_hash = "d6f30b3fcff4c56c7d3e7c33985656981c9f751feaebe05f2a5db7446ec453a2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c410 85c0 0f856d010000 8d842418020000 8d8c2498010000 50 } - $sequence_1 = { b910270000 f7f9 52 68???????? 8d942424010000 } - $sequence_2 = { 83f85a 7714 8088????????10 8ac8 80c120 888800e44000 } - $sequence_3 = { b910270000 f7f9 52 68???????? } - $sequence_4 = { 83c8ff eb1f 8bce 83e61f c1f905 8bc6 8b0c8d40e64000 } - $sequence_5 = { 99 b910270000 f7f9 8d84241c010000 } - $sequence_6 = { e8???????? 85ff 0f85cf000000 53 8b5c2428 55 } - $sequence_7 = { 8d7c2420 8d542420 f3ab 8d4c2414 51 6800000100 } - $sequence_8 = { 50 89542414 c644240d73 ff15???????? 85c0 7430 68???????? 
} - $sequence_9 = { 0f84e9000000 8b7508 8b7d0c 8d0520e34000 } + $sequence_0 = { f3ab b920000000 8dbc2420020000 f3ab } + $sequence_1 = { 0fb641ff 0fb6d2 3bc2 0f8794000000 808801e5400004 40 } + $sequence_2 = { 8d942430010000 51 52 e8???????? 83c420 8d442418 } + $sequence_3 = { 5f c1e204 8d4c0c0c 45 } + $sequence_4 = { 5d 5b 81c420000100 c3 8b94243c000100 83c9ff 8bfa } + $sequence_5 = { 51 89742424 e8???????? 83c414 85c0 } + $sequence_6 = { 56 57 8b348d40e64000 8d1c8d40e64000 8d3cc0 } + $sequence_7 = { 6813000020 56 896c242c c744243404000000 ffd7 85c0 } + $sequence_8 = { c744243004000000 ff15???????? 85c0 750b 5f 5e } + $sequence_9 = { 8b4d10 0bc9 0f84e9000000 8b7508 8b7d0c 8d0520e34000 } condition: 7 of them and filesize < 131072 
@@ -133599,52 +134459,52 @@ rule MALPEDIA_Win_Artra_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ecf739d-5644-589e-9019-73f6778eda0f" - date = "2026-01-05" - modified = "2026-01-06" + id = "eb12c6f9-dac9-5b66-aa45-bdd20c909283" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.artra_auto.yar#L1-L273" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.artra_auto.yar#L1-L267" license_url = "N/A" - logic_hash = "47a80b3adb8b5b5a6473fc70d14da7afeb3a861c9b53c6c23d484145a04e805d" + logic_hash = "473effce9bb07cb752c362a0c1099bfec79c8ed23316cdeddeb5a35e18fbc237" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 75cc 5d 5b 8b442410 5f 5e 83c41c } - $sequence_1 = { 5f 8a08 40 84c9 75f9 2bc2 880c30 } - $sequence_2 = { 5f 5e 83c41c c21000 5f 33c0 } - $sequence_3 = { 57 33c9 8d7801 8da42400000000 8a10 40 84d2 } - $sequence_4 = { 2bc7 3bc8 72e3 8bc6 8d5001 5f } - $sequence_5 = { 800431f3 8bc6 41 8d7801 8d9b00000000 } - $sequence_6 = { e8???????? 8b3d???????? 6a00 6a00 6a00 8d442414 } - $sequence_7 = { ff15???????? 8bf8 85ff 0f8488000000 6a00 57 ff15???????? 
} - $sequence_8 = { 8d8c2420010000 51 8d542418 52 8d442420 50 } - $sequence_9 = { 2bc2 03fb 8a4f01 47 } - $sequence_10 = { 40 42 84c9 75f6 e8???????? } - $sequence_11 = { 8bf0 8bd1 83c404 2bf2 90 8a11 88140e } - $sequence_12 = { 90 8b542410 8d4c2410 51 56 52 ffd3 } - $sequence_13 = { 53 8b1d???????? 55 8b2d???????? 90 } - $sequence_14 = { e8???????? 8d442458 83c410 8bc8 } - $sequence_15 = { 6a00 8d54241c 52 ffd7 85c0 75cc 5d } - $sequence_16 = { 6a00 8d442414 50 ffd7 85c0 7445 } - $sequence_17 = { 7205 e8???????? 8b7c2414 8b4f3c 8b11 8b5214 8d44241c } - $sequence_18 = { 2c61 3c05 7733 885c2c18 45 83fd02 7529 } - $sequence_19 = { 8810 40 83ee01 75f3 b8???????? c6042f00 8d5001 } - $sequence_20 = { c1f805 8bcf 83e11f c1e106 8b0485e03b4100 c644080401 57 } - $sequence_21 = { c21000 a1???????? 6a00 68???????? 56 6a67 50 } - $sequence_22 = { 6a6d 56 ff15???????? be???????? 8bf8 e8???????? } - $sequence_23 = { c744241430124000 c744241800000000 c744241c00000000 89442420 ffd6 68007f0000 6a00 } - $sequence_24 = { 8b2d???????? 8b442410 8d542410 52 57 50 ffd3 } - $sequence_25 = { 8b542428 50 68???????? 6a01 } + $sequence_0 = { 51 8bc6 57 33c9 8d7801 8da42400000000 8a10 } + $sequence_1 = { 5d 5b 8b442410 5f 5e 83c41c } + $sequence_2 = { 2bc7 3bc8 72e3 8bc6 8d5001 5f 8a08 } + $sequence_3 = { 800431f3 8bc6 41 8d7801 8d9b00000000 8a10 40 } + $sequence_4 = { 83c41c c21000 5f 33c0 5e } + $sequence_5 = { 5f 8a08 40 84c9 75f9 2bc2 880c30 } + $sequence_6 = { 53 8b1d???????? 55 8b2d???????? 90 } + $sequence_7 = { 8a08 880a 40 42 84c9 75f6 e8???????? } + $sequence_8 = { bb0f000000 895c2468 897c2464 c644245400 3974244c 720d } + $sequence_9 = { 8b4c2414 51 ff15???????? 8d842488030000 8bc8 } + $sequence_10 = { 8d54241c 52 ffd7 85c0 75cc 5d 5b } + $sequence_11 = { 8d442414 50 ffd7 85c0 7445 53 8b1d???????? } + $sequence_12 = { ff15???????? 8bf8 85ff 0f8488000000 6a00 57 ff15???????? } + $sequence_13 = { 57 ff15???????? 6a6d 56 ff15???????? 
8bf0 } + $sequence_14 = { 2bc2 03fb 8a4f01 47 84c9 } + $sequence_15 = { 85f6 0f8665fdffff 83f910 8bc8 7304 8d4c2418 8b542428 } + $sequence_16 = { 8b2d???????? 90 8b542410 8d4c2410 51 56 } + $sequence_17 = { 8b542418 88442410 88442415 8d84248c030000 50 6a00 } + $sequence_18 = { 83c404 83c8ff 5e 83c408 c3 8b442404 } + $sequence_19 = { 68???????? 68???????? 6802000080 c744242000200000 ff15???????? } + $sequence_20 = { c1f905 83e01f c1e006 03048de03b4100 } + $sequence_21 = { e8???????? 8be8 0fb605???????? fec8 } + $sequence_22 = { 8b2d???????? 8b442410 8d542410 52 57 } + $sequence_23 = { c744243478364000 ffd6 8d4c2404 51 89442434 } + $sequence_24 = { 8b35???????? 6a6b 50 c744240c30000000 c744241003000000 c744241430124000 c744241800000000 } + $sequence_25 = { 8bf8 e8???????? be???????? e8???????? be???????? e8???????? } condition: 7 of them and filesize < 811008 
@@ -133654,36 +134514,36 @@ rule MALPEDIA_Win_Tonedeaf_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45b13e7e-c29b-5480-ade9-d6d61b9a86df" - date = "2026-01-05" - modified = "2026-01-06" + id = "140e39cb-ebb7-5120-bb71-8b7fbfa3a192" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tonedeaf_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tonedeaf_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "ffe23054663c8cef941b8fef13d66b93a10d69fedb5bcac05b4afd2fa9414e88" + logic_hash = "ed5364153872a50fb20912ffee8d0ba11dee598860dcedf0c11f1362222a44ba" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b45ec 85c0 740b 6a08 50 } - $sequence_1 = { 2bd9 2bf1 8bc3 46 } - $sequence_2 = { 33c0 660fd645d4 33db 8945d8 } - $sequence_3 = { 8b5004 8d4af8 898c153cffffff 8d45a8 c745fc01000000 } - $sequence_4 = { 6a00 ff15???????? 56 ff15???????? 56 ff15???????? 
} - $sequence_5 = { 75f3 8bf3 8a03 43 84c0 } - $sequence_6 = { 33c0 660fd645d4 33db 8945d8 895dd4 } - $sequence_7 = { 75f3 8bf3 8a03 43 84c0 75f9 2bde } - $sequence_8 = { c745dc00000000 33c0 660fd645d4 33db 8945d8 895dd4 } - $sequence_9 = { 8a0e 8d7601 884c32ff 84c9 75f3 8bf3 8a03 } + $sequence_0 = { 8d7601 884c32ff 84c9 75f3 8bf3 8a03 } + $sequence_1 = { 2bf1 8bc3 46 d1e8 } + $sequence_2 = { f645e41f 7405 e8???????? 8b46fc 3bc6 } + $sequence_3 = { 46 d1e8 33d2 8bc8 03c3 } + $sequence_4 = { 8d4af8 898c153cffffff 8d45a8 c745fc01000000 } + $sequence_5 = { c745dc00000000 33c0 660fd645d4 33db 8945d8 895dd4 } + $sequence_6 = { 84c9 75f3 8bf3 8a03 43 } + $sequence_7 = { 75f3 8bf3 8a03 43 84c0 75f9 } + $sequence_8 = { ff15???????? 56 ff15???????? 56 ff15???????? 56 e8???????? } + $sequence_9 = { 75f3 8bf3 8a03 43 84c0 } condition: 7 of them and filesize < 851968 
@@ -133693,36 +134553,36 @@ rule MALPEDIA_Win_Caddywiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3bfe4656-7095-5bf1-a220-b7990a8e8540" - date = "2026-01-05" - modified = "2026-01-06" + id = "6677fb29-cab7-5b91-9b6c-e9538ff26629" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.caddywiper_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.caddywiper_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "1d17e07981d8c6c1b9158309889ffc1ea6f49825b4f9491b9319c2fdd5793cb7" + logic_hash = "f72c2b5fbf59fc10e75c55723cb0482ba916adf699a13f2e8516e7fe103cb994" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c645af55 c645b073 c645b165 c645b272 c645b373 c645b400 } - $sequence_1 = { 33c0 eb69 c78564ffffff01000000 8b55a8 899568ffffff } - $sequence_2 = { c685b6fbffff65 c685b7fbffff00 c685b8fbffff72 c685b9fbffff00 c685bafbffff6e c685bbfbffff00 } - $sequence_3 = { 33c0 eb13 ff55b4 3d14050000 7504 } - $sequence_4 = { c68597feffff00 c68598feffff70 c68599feffff00 c6859afeffff69 c6859bfeffff00 c6859cfeffff33 } - $sequence_5 = { 0f85fe000000 8b55f4 8b4210 8945f0 } - $sequence_6 = { c685b8feffff72 c685b9feffff69 c685bafeffff74 c685bbfeffff79 c685bcfeffff49 } - $sequence_7 = { 85d2 
7421 8b4508 0345f4 8a4dfb } - $sequence_8 = { c745fc00000000 c68538ffffff43 c68539ffffff6c c6853affffff6f c6853bffffff73 } - $sequence_9 = { 83ec70 c745f800000000 c745ec00000000 64a130000000 } + $sequence_0 = { c685befbffff6c c685bffbffff00 c685c0fbffff33 c685c1fbffff00 c685c2fbffff32 } + $sequence_1 = { 6a00 6a03 68000000c0 8b95f4f7ffff 52 ff95fcf7ffff 8945fc } + $sequence_2 = { 8d8d00f8ffff 51 8d55dc 52 e8???????? 83c408 } + $sequence_3 = { c645df54 c645e06f c645e16b c645e265 c645e36e } + $sequence_4 = { 898568ffffff c78548ffffff00000000 c685acfeffff53 c685adfeffff65 } + $sequence_5 = { 52 ff55b0 85c0 7504 } + $sequence_6 = { c6459e5c c6459f00 c645a050 c645a100 c645a248 } + $sequence_7 = { 6a00 6a00 6880070000 8d8d10f8ffff } + $sequence_8 = { c68543ffffff00 8d8d38ffffff 51 8d55b8 52 e8???????? 83c408 } + $sequence_9 = { 83c40c 8d8524f2ffff 50 8d8d38f3ffff 51 8d95d0fbffff } condition: 7 of them and filesize < 33792 
@@ -133732,36 +134592,36 @@ rule MALPEDIA_Win_Floki_Bot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25c81d04-9abf-5940-8e55-7e5abeb99153" - date = "2024-10-31" - modified = "2024-11-11" + id = "c572f0c5-c659-5641-95f6-92d41599c8c4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.floki_bot_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.floki_bot_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "e2f9df61c4df036b71f6882cf4c35419384506db07aa4de7d79fcad14d6710ad" + logic_hash = "7d120f5afb63f7698268a0354a322f37741894c61b36200183a8b19c0ac00e7b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20241030" - malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4" - malpedia_version = "20241030" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { fe45ff 8a45ff 3a45fc 7285 fe45fe 8a45fe 3a4601 } - $sequence_1 = { 8bc6 8d74241c e8???????? 84c0 0f843f010000 8b442414 } - $sequence_2 = { 53 57 8bf8 8d45f8 50 33db } - $sequence_3 = { 8b4c2414 0fb713 83fa04 7516 663911 7507 8b4d10 } - $sequence_4 = { 50 53 ff35???????? 682d010000 e8???????? 83c418 } - $sequence_5 = { 50 e8???????? ff471c 015f14 8bc6 8b55fc e8???????? } - $sequence_6 = { bf???????? e8???????? ff75f0 84c0 7407 e8???????? eb08 } - $sequence_7 = { 8d45f4 50 e8???????? 6a09 6a00 8d45f4 50 } - $sequence_8 = { 744d 66391f 7448 8d4c2440 e8???????? 
6a04 8d544444 } - $sequence_9 = { 84c0 744b 8b45f8 85c0 7414 ff75ec e8???????? } + $sequence_0 = { 395df8 741d 3bfb 7419 } + $sequence_1 = { 8b45f8 394508 7504 c645ff01 8a45ff 5f 5b } + $sequence_2 = { 6a64 5b ff742414 8d44241c 50 56 57 } + $sequence_3 = { 8b7f1c 85ff 75cf ff7508 ff15???????? } + $sequence_4 = { c21000 55 8bec 83ec1c 53 56 0fb6c9 } + $sequence_5 = { 0f8452010000 0fb6c0 0fb6cb 6603c1 0fb6ca 6603c1 8b4d08 } + $sequence_6 = { 3b442410 0f8391000000 8b44842c 3b442424 7506 8b442420 eb0a } + $sequence_7 = { eb0b 57 ff15???????? c645ff01 8b75f0 } + $sequence_8 = { 8b4dfc 8d75f0 e8???????? 8b75fc 8ad8 e8???????? 84db } + $sequence_9 = { 56 8bf0 6807b20100 b83f420f00 e8???????? 8b4d08 03ce } condition: 7 of them and filesize < 286720 
@@ -133771,36 +134631,36 @@ rule MALPEDIA_Win_Alma_Communicator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dd1f8f96-5178-5e9c-b517-f0f999a8d81a" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0607ab0-e028-562f-b77f-2038f0a1c937" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.alma_communicator_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.alma_communicator_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "4a8409fa38b9c8a27f076e76311702617520d12f6ac449f7858d852242e0bc37" + logic_hash = "5eee702f26a54fc3007f4241649cfd89cd5c3cb8c31d6c53abbfeff285d3b0b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83e13f 6bc930 53 8b5d10 8b0485f08f4100 56 8b7508 } - $sequence_1 = { 88040a 41 84c0 75f6 ba???????? } - $sequence_2 = { 68f4010000 e8???????? 8364242800 8bf0 59 } - $sequence_3 = { 8b0485f08f4100 56 8b7508 57 } - $sequence_4 = { 8a4f01 47 84c9 75f8 8d8de0fdffff 668907 e8???????? } - $sequence_5 = { eb06 8b9d18ddffff 57 e8???????? } - $sequence_6 = { 52 52 ff15???????? 
89849da0e9ffff 43 68e8030000 } - $sequence_7 = { 0f4ecb 8bd9 7fe6 8bfe 8d4f01 } - $sequence_8 = { 59 33c9 89442414 8bf1 } - $sequence_9 = { 59 59 8945f4 8d45f8 50 } + $sequence_0 = { 8b0c95f08f4100 8844192e 8b0495f08f4100 804c182d04 ff4604 } + $sequence_1 = { 6685c0 75e8 8d8d6cfbffff 03ca 668b4102 } + $sequence_2 = { 8d55f4 e8???????? 8b45f4 8b4dec 890473 } + $sequence_3 = { 6689840d58fbffff 03cf 6685c0 75e9 8d8d58fbffff 83e902 } + $sequence_4 = { ffd3 85c0 745f 8d85f0fdffff 50 6819010200 6a00 } + $sequence_5 = { 5b 8be5 5d c3 8a55ff ebc0 } + $sequence_6 = { ff15???????? 85c0 7414 ff35???????? ff15???????? } + $sequence_7 = { 8d55e0 2bd1 8a01 88040a 41 84c0 75f6 } + $sequence_8 = { eb17 81fa00010000 7313 8a8714814100 08441619 42 } + $sequence_9 = { 8bfe 85c0 741e 0fb70c79 8d55f4 e8???????? } condition: 7 of them and filesize < 245760 
@@ -133810,40 +134670,40 @@ rule MALPEDIA_Win_Finfisher_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3bd8079e-f604-51ea-b8f2-fef52df0002f" - date = "2026-01-05" - modified = "2026-01-06" + id = "9bcac734-83a9-5eb8-bd9f-91f81cab77d1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.finfisher_auto.yar#L1-L140" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.finfisher_auto.yar#L1-L147" license_url = "N/A" - logic_hash = "36bd2bd78748a7bd0a2049fe313cd0daa82b47af68134d330004d325ff7392ca" + logic_hash = "76f913b3de9bfcd2387811442187862001f4b301dd3ec54a61c44d0f0a689411" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 56 8d85ccf9ffff 50 } + $sequence_0 = { 57 56 8d85ccf9ffff 50 e8???????? } $sequence_1 = { 68???????? 6804010000 8d85ccf9ffff 50 } - $sequence_2 = { 8d85bcf7ffff 50 6a01 56 56 } - $sequence_3 = { 0f855b040000 8b85b0f7ffff 8b400c 8b8db8f7ffff 8908 89bda0f7ffff } - $sequence_4 = { 6a04 56 ff15???????? 8bd8 3bdf 7561 } - $sequence_5 = { e8???????? b982000000 8bf7 8dbddcfdffff f3a5 } - $sequence_6 = { 48 7526 8b4508 8b4028 } - $sequence_7 = { 56 53 50 ff15???????? eb05 } - $sequence_8 = { 8d45f4 50 53 897508 e8???????? } - $sequence_9 = { 8bd8 ff15???????? 
8845ff 897df8 } - $sequence_10 = { 8b7508 89b5ccfdffff 85f6 7508 } - $sequence_11 = { 8bd8 3bde 0f8583030000 66c78572f7ffff0401 } - $sequence_12 = { 6824020000 68???????? e8???????? 8b7508 } - $sequence_13 = { 897de4 56 e8???????? 50 } + $sequence_2 = { 8b4710 c1e009 50 ffb5b4f7ffff ffb5c0f7ffff } + $sequence_3 = { eb3e e8???????? e8???????? 85c0 a1???????? } + $sequence_4 = { ff5604 8b3b 8b5b10 8945fc 8b4610 } + $sequence_5 = { 0f842d010000 8d85dcfdffff 8d5002 668b08 40 40 663bce } + $sequence_6 = { 740e 3daaaaaaaa 7407 3ddddddddd } + $sequence_7 = { ffb598edffff ff15???????? 89bd98edffff c3 } + $sequence_8 = { ffb5b4f7ffff ffb5c0f7ffff 33c0 397714 0f95c0 83c003 } + $sequence_9 = { 8b4dd8 8b01 83e808 50 83c108 } + $sequence_10 = { ff15???????? 8d8594f7ffff 50 8d855cf7ffff } + $sequence_11 = { 8945e4 3bc6 7409 c745e40c000000 eb54 } + $sequence_12 = { b8???????? e8???????? 33f6 46 3bc6 } + $sequence_13 = { c78578f7ffff18000000 89b57cf7ffff c78584f7ffff40020000 8d8570f7ffff 898580f7ffff 89b588f7ffff 89b58cf7ffff } condition: 7 of them and filesize < 262144 
@@ -133853,36 +134713,36 @@ rule MALPEDIA_Win_Gameover_Dga_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03fc91af-7fd0-5c49-806f-66baee40bb34" - date = "2026-01-05" - modified = "2026-01-06" + id = "d0deb00f-20bf-54ee-ac2a-b815bfa3a04c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gameover_dga_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gameover_dga_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "0d50d6a34d24e697f3e47548c11296361a501bf8307c9f90af33f306f5bb9e63" + logic_hash = "6853ca875b9922eee85be901a94422b237b8c9ab90a04ee28a8354c1b76df52d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 884617 33c0 40 e9???????? 8a4601 33db 8b6c2434 } - $sequence_1 = { 8b13 8bcb 6a01 57 56 ff742420 ff742420 } - $sequence_2 = { 8bf8 83cdff 3bfd 7504 8bc5 eb42 } - $sequence_3 = { 55 8bac2434010000 56 57 8bf9 8b4508 85c0 } - $sequence_4 = { 39442414 0f85eb060000 8b84245c010000 41 894c2420 40 50 } - $sequence_5 = { 85db 7417 6af6 6a01 ff742434 ffd3 85c0 } - $sequence_6 = { ff7064 ffd6 85c0 0f8513010000 a1???????? 68???????? ff7064 } - $sequence_7 = { 8b4c2424 b301 8901 5d 8bce e8???????? 
} - $sequence_8 = { 8bc2 83c204 3b54241c 7725 8a5c2428 8818 8a5c2413 } - $sequence_9 = { 0f851f010000 8b442414 8d542428 52 53 ff742450 8b08 } + $sequence_0 = { 7505 83c8ff eb27 837c240c00 7417 6b460860 6a60 } + $sequence_1 = { 8bc2 2bc1 89442474 8bc3 2bc1 0fb64d05 89442478 } + $sequence_2 = { 50 6a07 6800000080 ff7508 ff15???????? 89442410 } + $sequence_3 = { 8bdf 397e10 7625 8b460c 8d4c2418 03c3 89442424 } + $sequence_4 = { 84c0 0f8488000000 8b35???????? 57 8b3d???????? } + $sequence_5 = { 7422 6a00 6a01 ba???????? 33c9 } + $sequence_6 = { ffb4245c010000 52 8b542448 e8???????? 85c0 0f8534010000 8b6c2438 } + $sequence_7 = { 6a08 50 56 c645f400 } + $sequence_8 = { 740a 48 0f8527100000 800e80 8b542414 8a4e17 } + $sequence_9 = { 8b4c2410 eb05 6a05 58 8bc8 69f860ea0000 69c160ea0000 } condition: 7 of them and filesize < 540672 
@@ -133892,35 +134752,35 @@ rule MALPEDIA_Win_Odinaff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d0d529bd-8ddc-568c-bb57-34ccb7211d4b" - date = "2026-01-05" - modified = "2026-01-06" + id = "013682c3-e6bb-5919-97ad-6f041caae471" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.odinaff_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.odinaff_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "a33fd98331eb6936af0c82dded866dcdbe45b48b5675a4678e1caee59c4bd151" + logic_hash = "e27275d11293a489601def324d479cc53d79be6f10f10ea9506cadbab7cb2509" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 c745983c000000 c745ac00010000 8955c4 c745c800080000 } + $sequence_0 = { 3db7000000 7505 33c0 c21000 68???????? 68???????? } $sequence_1 = { f7de 85c0 7408 50 } - $sequence_2 = { 83c410 f7d8 1bf6 8b45e8 f7de 85c0 } + $sequence_2 = { 56 c745983c000000 c745ac00010000 8955c4 c745c800080000 89459c } $sequence_3 = { 6a00 51 52 50 ff15???????? 8945e8 } $sequence_4 = { c745fc00010000 ff15???????? 50 ff15???????? 8bf8 8d45fc 50 } $sequence_5 = { b8???????? e8???????? 8b1d???????? 83c410 f7d8 1bf6 8b45e8 } $sequence_6 = { 53 56 57 8b3d???????? 6800001000 } - $sequence_7 = { 68???????? 
68???????? 53 8bf0 ff15???????? 83c40c } - $sequence_8 = { 6a00 6a00 51 ff15???????? 8b45fc 85c0 } + $sequence_7 = { 6a08 33ff 57 57 ff15???????? 8bf0 85f6 } + $sequence_8 = { 7408 48 7555 e8???????? } $sequence_9 = { ffd3 8b3d???????? 50 ffd7 6808020000 } condition: 
@@ -133931,36 +134791,36 @@ rule MALPEDIA_Win_Donex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a59c3405-5607-5fba-8e4b-94db509c7ebd" - date = "2026-01-05" - modified = "2026-01-06" + id = "448d8eab-91d5-581e-9128-b8e92cc4c6d6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.donex_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.donex_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "34b4db6a7ff26120108a4a0b63d1aeaf3b7a5f8d055f37299085290aeaa32538" + logic_hash = "fd7a45034170c213dbf47788e8cec6ac0515ae637ff587ea25a68270120c3322" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b55c8 33f6 8bf8 0facd012 c1e70e 0bf0 c1ea12 } - $sequence_1 = { 55 8bec 8b4508 53 bb01000000 85c0 7503 } - $sequence_2 = { 894d18 c744b30400000000 3bce 72ae 8b4508 c1e602 56 } - $sequence_3 = { 33c8 8b45f4 c1e808 0fb6c0 c1e108 0fb680488d4300 33c8 } - $sequence_4 = { 03c2 894db0 8bd0 8945f4 c1cf02 8bcf c1c205 } - $sequence_5 = { 8b5508 8b7a0c 8b7210 8b4a08 8b5214 } - $sequence_6 = { 85ff 0f85d4030000 8b7de8 8d45c8 50 57 } - $sequence_7 = { 33c9 83c408 668908 8b45ec 83f803 7405 83f804 } - $sequence_8 = { c1e902 f3a5 8bca 83e103 f3a4 8b7df8 4f } - $sequence_9 = { 740f 83fe09 740a 83fe0d 
7405 83fe0a 751a } + $sequence_0 = { 6bd830 8b04bd08a44300 f644032801 7444 837c0318ff 743d e8???????? } + $sequence_1 = { e8???????? 8bf0 83c408 85f6 0f8588010000 837df001 7203 } + $sequence_2 = { 7551 50 8d45b8 50 6a40 50 e8???????? } + $sequence_3 = { 8b5de8 c1c009 8bcb 03c6 f7d1 234de0 81c69979825a } + $sequence_4 = { 894dc4 33c6 c1c105 05d6c162ca c1ce02 0345c0 81c7d6c162ca } + $sequence_5 = { 0345c8 03c8 8b45fc 3345f4 3345f0 0345b4 0145f8 } + $sequence_6 = { 75ef 8d48fe 668b4102 8d4902 6685c0 75f4 a1???????? } + $sequence_7 = { 8b85f0fcffff 8d8df0fcffff 8945c0 8b85f4fcffff c745f440000000 8945e0 } + $sequence_8 = { 0bd3 8b5dfc 2355dc 03df 0bca 895de0 } + $sequence_9 = { c1e908 0fb6c9 0fb689487c4300 314d10 8b4d10 334dec 330d???????? } condition: 7 of them and filesize < 505856 @@ -133971,10 +134831,10 @@ rule MALPEDIA_Win_Asruex_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "899abd0f-c835-5f70-819c-92570cc9b462" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.asruex_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.asruex_auto.yar#L1-L112" license_url = "N/A" logic_hash = "a14db0e4e44f1156fe16afe843345aa29b9b1f1eb3cc060b10e0bcdf06eb97d4" score = 75 
@@ -133983,23 +134843,23 @@ rule MALPEDIA_Win_Asruex_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 740e 85ed 740a } + $sequence_0 = { 740c 3c09 7408 3c0d 7404 3c0a 7516 } $sequence_1 = { e8???????? 83f8ff 7407 3d0000a000 } - $sequence_2 = { ff15???????? 85c0 7407 3d14270000 } - $sequence_3 = { 3c78 7404 3c58 7505 bb01000000 } - $sequence_4 = { 83f801 740e 83f803 7409 83f802 } - $sequence_5 = { 3c0d 7404 3c0a 7516 } - $sequence_6 = { 7404 3c58 7505 bb01000000 } - $sequence_7 = { 3c09 7408 3c0d 7404 3c0a 7516 } - $sequence_8 = { 7408 3c0d 7404 3c0a 7516 } - $sequence_9 = { 740c 3c09 7408 3c0d 7404 3c0a 7516 } + $sequence_2 = { 85c0 740e 85ed 740a } + $sequence_3 = { 7408 3c0d 7404 3c0a 7516 } + $sequence_4 = { ff15???????? 85c0 7407 3d14270000 } + $sequence_5 = { 3c09 7408 3c0d 7404 3c0a 7516 } + $sequence_6 = { 3c78 7404 3c58 7505 bb01000000 } + $sequence_7 = { 3c0d 7404 3c0a 7516 } + $sequence_8 = { 7404 3c58 7505 bb01000000 } + $sequence_9 = { 83f801 740e 83f803 7409 83f802 } condition: 7 of them and filesize < 1564672 
@@ -134009,36 +134869,36 @@ rule MALPEDIA_Win_Kronos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "926e3174-18bd-5768-8bad-aee020442946" - date = "2026-01-05" - modified = "2026-01-06" + id = "4cd1b723-94a8-52c4-9801-2ce369c917e8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kronos_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kronos_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "37c4a3cedbb07e112b6f5ea1747119314006e52be9a57885219c4b994f74b249" + logic_hash = "4a5690a7048ea3c14785c1333205c85037bf3cbfcdd39de043b4f26490d43881" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 8bca e8???????? 8b4510 015f0c 8b4f0c 33d2 } - $sequence_1 = { 8b4508 8b4d10 5f 5b c70000000000 } - $sequence_2 = { e8???????? 83450810 83451010 ff4d0c 837d0c00 7fe2 } - $sequence_3 = { 8955f4 8975f8 bfff000000 3935???????? 754a c705????????01000000 53 } - $sequence_4 = { 83c40c 837dfc02 724b 8b55f4 83c208 52 8d4de0 } - $sequence_5 = { 57 56 56 8d8da0efffff } - $sequence_6 = { 8945c8 3bc6 0f8406020000 bfd8010000 57 e8???????? } - $sequence_7 = { 53 ff15???????? 
8b442418 5f 5e 5b 8be5 } - $sequence_8 = { 50 8d45e8 50 ffd2 8b4804 8b7008 } - $sequence_9 = { b84d5a0000 663901 0f857f010000 8b413c 03c1 813850450000 0f856e010000 } + $sequence_0 = { 8955f8 ff15???????? 8b4df8 6a40 6800300000 51 57 } + $sequence_1 = { 8b4d10 33c0 85c9 7629 66833c4600 741d } + $sequence_2 = { ffd1 8b5dfc 83c408 83fb01 7416 85ff 7410 } + $sequence_3 = { 8b00 52 8b550c 8d8ed8000000 52 8d55d8 } + $sequence_4 = { 56 57 6a28 e8???????? 8bf8 83c404 85ff } + $sequence_5 = { 7905 49 83c9f0 41 0f85bc000000 99 } + $sequence_6 = { 894804 c7400800000000 5e 8be5 5d c20c00 8b4508 } + $sequence_7 = { 85d2 7418 8b5104 895008 85d2 } + $sequence_8 = { 0f85bc000000 99 83e20f 03c2 57 8bf8 } + $sequence_9 = { 56 e8???????? 8bf8 eb1d 81fb05000080 7408 81fb230000c0 } condition: 7 of them and filesize < 1302528 
@@ -134048,42 +134908,42 @@ rule MALPEDIA_Win_Rambo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "339a4d7e-9b02-5b2f-918a-fe5abee15d73" - date = "2026-01-05" - modified = "2026-01-06" + id = "609623dc-549f-57b1-8b2d-3525d67579fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rambo_auto.yar#L1-L180" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rambo_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "5e0ac76c4c54838a65e8020ef5ae20ae2814aaf559d8acf1871f9f9e1fb0aa1a" + logic_hash = "05f9ac9a9a64960824cdad5ca8e789cf6b2f34ae99d30e1b72925993e7a5fe3f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d85f8faffff 6a01 50 ff15???????? 80a43df8faffff00 56 } - $sequence_1 = { 8065fe00 8d45fc 50 8d85f8feffff 50 c645fc72 } - $sequence_2 = { ff15???????? 83c428 6a32 ff15???????? 8d85f8faffff 50 } - $sequence_3 = { 83c410 85f6 745e 57 6a02 } - $sequence_4 = { 8d85ecfdffff 50 8d85f0feffff 50 ff15???????? 83c41c } - $sequence_5 = { 50 68???????? e8???????? 59 59 6a01 58 } - $sequence_6 = { 81ec14020000 8d85f0feffff 56 50 6804010000 } - $sequence_7 = { 59 8d85fcfeffff 59 50 ff15???????? 33c0 } - $sequence_8 = { 0f85ba000000 8d4c241c c68424000400000f e8???????? 
8d8c249c000000 c68424000400000b e8???????? } - $sequence_9 = { 33c0 50 8d4c241c c684240404000002 } - $sequence_10 = { 03dd 33c3 8d1c31 33c3 81c14786c861 2bf8 4a } - $sequence_11 = { 57 b940000000 8d7c240d 8844240c f3ab 66ab } - $sequence_12 = { 56 56 8d4c2424 e8???????? 50 8d4c246c e8???????? } - $sequence_13 = { c684240004000001 e8???????? c684240004000000 8d4c2464 e8???????? 8d4c242c c7842400040000ffffffff } - $sequence_14 = { 33ed 6804010000 6804010000 8d4c2434 89ac2408040000 e8???????? } - $sequence_15 = { 8d4c2414 6a20 51 8d4c2424 e8???????? 50 8d4c242c } + $sequence_0 = { 56 6800040000 8d85f8faffff 6a00 50 e8???????? 83c40c } + $sequence_1 = { 8d85f8feffff 50 c645fc72 c645fd62 ff15???????? 8bf0 } + $sequence_2 = { 83c420 85f6 7437 56 } + $sequence_3 = { 59 50 ff7508 ff15???????? 56 ff15???????? } + $sequence_4 = { 6a32 ff15???????? 8d85f8faffff 50 68???????? e8???????? 59 } + $sequence_5 = { 56 ff15???????? 8d85ecfdffff 50 8d85f0feffff 50 ff15???????? } + $sequence_6 = { 8d85fcfeffff 50 e8???????? 59 8d85fcfeffff 59 } + $sequence_7 = { 56 6a01 ff7508 e8???????? 59 50 ff7508 } + $sequence_8 = { 8d4c2424 c684240804000013 e8???????? 50 } + $sequence_9 = { 68???????? 6801000080 ff15???????? 85c0 756b } + $sequence_10 = { c644245135 885c2452 c644245438 c644245531 c644245637 } + $sequence_11 = { 75ef ff15???????? 5f 5e } + $sequence_12 = { e8???????? 89842494000000 8b442424 6a00 50 8d8c24a4000000 } + $sequence_13 = { c684240404000009 e8???????? 8d4c2410 c684240004000007 e8???????? 68b6000000 8d542414 } + $sequence_14 = { e8???????? b941000000 33c0 8dbc24ec000000 be???????? f3ab } + $sequence_15 = { 8d8c2488000000 e8???????? 55 55 } condition: 7 of them and filesize < 57344 
@@ -134093,42 +134953,42 @@ rule MALPEDIA_Win_Gh0Sttimes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aa640a7c-0e1b-5efd-8935-4547c6b03367" - date = "2026-01-05" - modified = "2026-01-06" + id = "2028152d-f093-5075-ad77-f8733414934c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gh0sttimes_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gh0sttimes_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "9c8e02eeb25677ec870ad4e3ac6e852e1b0822d6bc7051594b5abb6da5a926f8" + logic_hash = "dc373d21fda2558878d5968a55300998ae823af397656d40689db567f48fafce" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bce 8bd6 8d85e0fdffff e8???????? 8b9dd8fdffff 56 } - $sequence_1 = { b804000000 8bcf 81f3d2b5a2c3 e8???????? } - $sequence_2 = { ff15???????? 8b5604 895608 ba00040000 } - $sequence_3 = { 894608 8b85e4fdffff 8b8de8fdffff 40 } - $sequence_4 = { 57 ff15???????? 8d443801 50 57 ff15???????? } - $sequence_5 = { 8b82ac000000 6a00 57 56 50 } - $sequence_6 = { ffd6 8b95f0fcffff 8b3d???????? 52 ffd7 68f4010000 } - $sequence_7 = { 753a 50 50 8d4d8c 51 50 } - $sequence_8 = { 488bcf e8???????? b902020000 488d542440 ff15???????? } - $sequence_9 = { 32c0 e9???????? 
833d????????00 4889bc24e8000000 7412 } - $sequence_10 = { 48c747300f000000 48897728 488bcf 40887718 } - $sequence_11 = { 84c0 7515 488d8c24a0010000 e8???????? } - $sequence_12 = { 33d2 4d8b8938010000 4889442428 33c9 } - $sequence_13 = { 498d9550010000 498d8d98000000 41b804000000 e8???????? 498d8d00010000 } - $sequence_14 = { 03c2 0fb6c0 2bc2 410fb652fe } - $sequence_15 = { 48895c2408 4889742420 57 4881ecd0040000 } + $sequence_0 = { e8???????? c745fcffffffff 8b03 50 c7431400000000 e8???????? 83c408 } + $sequence_1 = { e8???????? 8be5 5d c20400 80bdd0fcffff2e 7448 f685a4fcffff10 } + $sequence_2 = { 8d95d4fcffff 52 ffd3 8b8d88fbffff } + $sequence_3 = { 6a08 68ffff0000 50 c645a301 ff15???????? 85c0 753a } + $sequence_4 = { 52 8b55bc 8d45c0 50 8d4db4 } + $sequence_5 = { 7512 8b4de0 8b55e4 898f64010000 899768010000 5e } + $sequence_6 = { 85c0 7526 8b35???????? 68???????? 8d85ecfeffff 50 ffd6 } + $sequence_7 = { 52 ffd6 85c0 752f } + $sequence_8 = { 48f7d1 488d79ff 488d8c2460020000 e8???????? 488d15674e0300 488d8c2462020000 } + $sequence_9 = { 488bb424d0020000 488bbc24a0020000 488bac24c8020000 488b8c2490020000 4833cc } + $sequence_10 = { ff15???????? 4c8d5c2458 488d942400020000 41b919010200 4533c0 48c7c100000080 4c895c2420 } + $sequence_11 = { 48c7442420feffffff 488b05???????? 4833c4 48898424e0010000 488d4c2460 } + $sequence_12 = { 488b442420 8178089a020000 0f84c5010000 488b442420 } + $sequence_13 = { 488b05???????? 4833c4 48898424a0010000 8b4158 488bf1 bf03000000 } + $sequence_14 = { 48894c2420 0f1f4000 807f2c2e 0f848f000000 f60710 4c8d4f2c } + $sequence_15 = { 4863c2 410fb652fe 420fb68c0800010000 418d0408 } condition: 7 of them and filesize < 548864 
@@ -134138,97 +134998,96 @@ rule MALPEDIA_Win_Vidar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a2b64f61-0adb-5b11-ad23-70455bcfca7c" - date = "2026-01-05" - modified = "2026-01-06" + id = "43e97e64-e513-5502-b6b5-a59fd90f1172" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vidar_auto.yar#L1-L603" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vidar_auto.yar#L1-L595" license_url = "N/A" - logic_hash = "33908c4a5b34fe0467be14ef9b31f306540934b8f5c348e181dd6ed65da6d436" + logic_hash = "7338c4e5255e5f4fb62c5c4607e8f9f0037e7f8d9dd1c433751015eb236f07b9" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 25ff7f0000 c3 e8???????? 8b486c } - $sequence_1 = { 7202 8b00 8d8d68fdffff 51 50 } - $sequence_2 = { 8b8648af0100 c1e803 038644af0100 5e 5d c3 } - $sequence_3 = { 56 8b742408 8b865caf0100 57 } - $sequence_4 = { 8b7508 33ff 89b55cfdffff 89bd60fdffff 8d450c } - $sequence_5 = { e8???????? d9450c 51 8d8d58ffffff d91c24 } - $sequence_6 = { 8b7508 33db 895dd0 c746140f000000 895e10 8975cc } - $sequence_7 = { d9e0 d99d00ffffff d98500ffffff d91c24 } - $sequence_8 = { 740a b800000500 e9???????? 57 } - $sequence_9 = { 5f c6043300 8bc6 5e 5b c20400 } - $sequence_10 = { 895dfc e8???????? 83781408 c645fc01 } - $sequence_11 = { b800020000 e9???????? 8b4dc8 33c0 } - $sequence_12 = { 5e c20400 ff742408 e8???????? 
59 83f8ff } - $sequence_13 = { c745f41e000000 c745f80f000000 8955fc 8bcb } - $sequence_14 = { e8???????? 56 53 8d4d80 e8???????? } - $sequence_15 = { ff15???????? 89460c 3bc3 7507 } - $sequence_16 = { f3a5 8d88e00e0000 894de4 8bcb } - $sequence_17 = { e8???????? 59 83f8ff 7503 32c0 c3 } - $sequence_18 = { 83781410 7202 8b00 50 8b45a0 } - $sequence_19 = { c1e004 8bf0 0fbe4301 50 } - $sequence_20 = { c9 c3 8b542408 85d2 7503 33c0 c3 } - $sequence_21 = { 53 68???????? 6802000080 ff15???????? 85c0 751b } - $sequence_22 = { 50 ff15???????? 8b4da0 8901 85c0 } - $sequence_23 = { 50 6a09 53 68???????? } - $sequence_24 = { 0fb605???????? 50 0fb605???????? 50 0fb605???????? 50 6a01 } - $sequence_25 = { 68???????? e8???????? 59 83f820 } - $sequence_26 = { 395df0 7411 ff75f0 53 } - $sequence_27 = { 53 50 899e6caf0600 e8???????? } - $sequence_28 = { 53 68???????? 8d8da8000000 e8???????? } - $sequence_29 = { 895df0 8d45f0 50 6a09 } - $sequence_30 = { 399e70af0600 7514 c78678af060001000000 c78670af060000000100 68fcff0100 8d8670af0400 53 } - $sequence_31 = { 7411 395df0 740c ff75f0 ff15???????? 895df0 } - $sequence_32 = { 741d ff75f0 ff15???????? 895df0 395df0 740c ff75f0 } - $sequence_33 = { c3 55 8bec 83ec0c 8365fc00 8365f400 8365f800 } - $sequence_34 = { 8d852cffffff 50 8d459c 50 } - $sequence_35 = { 0faf450c 50 e8???????? 59 } - $sequence_36 = { 8b4508 8906 8b450c 894608 8b4510 } - $sequence_37 = { e8???????? c9 c3 55 8bec 83ec18 8b450c } - $sequence_38 = { 8910 8b4120 8910 8b4130 8910 c3 56 } - $sequence_39 = { 50 ff15???????? 6a1a e8???????? } - $sequence_40 = { 6860ea0000 6a00 ff15???????? 50 } - $sequence_41 = { 5f c21000 8bff 55 8bec 6a0a } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 05c39e2600 894114 c1e810 25ff7f0000 c3 e8???????? 
8b486c } + $sequence_1 = { 7202 8b00 8d8d68fdffff 51 } + $sequence_2 = { 8d8d7fffffff 8975fc e8???????? 50 } + $sequence_3 = { 8b7508 33ff 89b55cfdffff 89bd60fdffff 8d450c } + $sequence_4 = { 5f c6043300 8bc6 5e 5b c20400 } + $sequence_5 = { 740a b800000500 e9???????? 57 } + $sequence_6 = { 895dd0 c746140f000000 895e10 8975cc } + $sequence_7 = { 895dfc e8???????? 83781408 c645fc01 7202 } + $sequence_8 = { 8b8648af0100 c1e803 038644af0100 5e 5d c3 } + $sequence_9 = { 56 8b742408 8b865caf0100 57 } + $sequence_10 = { e8???????? d9450c 51 8d8d58ffffff d91c24 } + $sequence_11 = { 83781410 7202 8b00 50 8b45a0 } + $sequence_12 = { c1e004 8bf0 0fbe4301 50 } + $sequence_13 = { 50 ff15???????? 8b4da0 8901 85c0 } + $sequence_14 = { c745f80f000000 8955fc 8bcb 8db87c0f0000 } + $sequence_15 = { 6819010200 53 68???????? 6802000080 ff15???????? 85c0 751b } + $sequence_16 = { 5e c20400 ff742408 e8???????? 59 83f8ff 7503 } + $sequence_17 = { c9 c3 8b542408 85d2 7503 } + $sequence_18 = { 68???????? e8???????? 59 83f820 } + $sequence_19 = { 50 6a09 53 68???????? } + $sequence_20 = { 50 0fb605???????? 50 6a01 } + $sequence_21 = { 53 68???????? 8d8da8000000 e8???????? } + $sequence_22 = { 395df0 7411 ff75f0 53 } + $sequence_23 = { 399e70af0600 7514 c78678af060001000000 c78670af060000000100 68fcff0100 8d8670af0400 53 } + $sequence_24 = { 50 53 ff75f0 ff15???????? 3bc3 } + $sequence_25 = { 53 50 899e6caf0600 e8???????? } + $sequence_26 = { 395df0 740c ff75f0 ff15???????? 895df0 8d45f0 50 } + $sequence_27 = { 741d ff75f0 ff15???????? 895df0 395df0 740c ff75f0 } + $sequence_28 = { c3 55 8bec 83ec0c 8365fc00 8365f400 8365f800 } + $sequence_29 = { 0faf450c 50 e8???????? 59 } + $sequence_30 = { e8???????? c9 c3 55 8bec 83ec18 8b450c } + $sequence_31 = { 8d852cffffff 50 8d459c 50 } + $sequence_32 = { c20400 56 8bf1 e8???????? 6a00 ff74240c 8bce } + $sequence_33 = { 8b4120 8910 8b4130 8910 c3 56 } + $sequence_34 = { 8b4508 8906 8b450c 894608 } + $sequence_35 = { 6860ea0000 6a00 ff15???????? 
50 ff15???????? } + $sequence_36 = { 50 ff15???????? 6a1a e8???????? } + $sequence_37 = { 5f c21000 8bff 55 8bec 6a0a } + $sequence_38 = { e8???????? 83c410 85c0 7404 6a99 ebcc } + $sequence_39 = { 7410 84c0 7406 3ac8 7c14 } + $sequence_40 = { 750c 8b45fc 3945f8 0f8271ffffff } + $sequence_41 = { 83f8ff 740c a810 7508 } $sequence_42 = { 5b 5d c3 b84d5a0000 } - $sequence_43 = { 83f8ff 740c a810 7508 } - $sequence_44 = { eb0b 8b45f4 0500040000 8945f4 } - $sequence_45 = { dd1c24 6a0b 6a10 e8???????? 83c41c 8be5 } - $sequence_46 = { 4c8bc7 33d2 488bc8 ff15???????? e8???????? } - $sequence_47 = { dd45f0 dd1c24 83ec08 dd4508 dd1c24 6a0b 6a10 } - $sequence_48 = { 492bc1 483d40420f00 0f87f0000000 458bc7 } - $sequence_49 = { 2bd3 03ca 4103cb 0f84de010000 4863442440 33d2 440fb6743001 } - $sequence_50 = { 83bc24a400000000 b8ea22c8aa b9a5a0bab6 0f44c1 } - $sequence_51 = { f30fe6c9 f20f58c0 f20f5cc8 f20f59ce f20f114c2458 0fbe05???????? 0fbe0d???????? } - $sequence_52 = { 83bc249400000000 b9ed1334e4 b8302e84ed 0f4fc8 e9???????? 8b8c248c000000 } - $sequence_53 = { 8bd7 8bc5 83ee04 7211 8b0a } - $sequence_54 = { 83bc249c00000000 bf9def53cd b8a3d8a22f 0f4ff8 } - $sequence_55 = { 83bc24a004000000 b9e2dadbde 0f8408ffffff b95fc85b65 } - $sequence_56 = { 492bc3 493bc2 7708 41ffc0 } - $sequence_57 = { 2bc1 f2480f2ac0 f20f59442458 f20f2cc0 894590 4863442440 } - $sequence_58 = { 492bc2 483bc1 770c 41ffc1 } - $sequence_59 = { 83bc24a007000000 b8c00c462f b92fb31014 0f44c8 } - $sequence_60 = { 8bd8 33da 80f101 898c2484000000 } - $sequence_61 = { 8bd8 23d1 8b149518d54600 c1eb08 } - $sequence_62 = { 0f57c0 f2480f2ac2 33d2 f20f59c8 f20f114c2450 0fbe05???????? } - $sequence_63 = { 492bd1 4e8d0436 6666660f1f840000000000 410fb60408 } - $sequence_64 = { 0fbe0d???????? 3bc1 7429 0fbe0d???????? 0fafcf 8d0449 } - $sequence_65 = { 0fbec8 0f57d2 0fbe05???????? 8d14d1 0fbe0d???????? 
03c2 } - $sequence_66 = { 4923c2 493bc3 7742 488bc2 4923c2 493bc3 } - $sequence_67 = { 83bc249400000003 0f9c442460 8b05???????? 8d4801 } - $sequence_68 = { 0f8c0d230000 488b7c2440 8b742450 488d0d1c700200 e8???????? 488d8d10030000 ff15???????? } - $sequence_69 = { 83bc24980000000e 0f9c442464 8b05???????? 8d4801 } - $sequence_70 = { 83bc24980000000f b9fe4381ca b800af166b 0f4cc8 } + $sequence_43 = { eb0b 8b45f4 0500040000 8945f4 } + $sequence_44 = { ff15???????? 4c8bc7 33d2 488bc8 ff15???????? e8???????? } + $sequence_45 = { 83bc24ec00000000 b862fc57eb b93c51a311 0f44c1 e9???????? 3dd2a0a866 } + $sequence_46 = { 4103c0 f7f1 448bc0 0fbe05???????? 442bc0 418bc0 f2480f2ac0 } + $sequence_47 = { 4c8b542458 448b5c2470 41ffc3 e9???????? 4c8b4c2448 } + $sequence_48 = { 83bf4004000000 b8b524d5e3 b98efa4f77 0f44c1 } + $sequence_49 = { 0fbef0 e8???????? 0fbed8 e8???????? 0fbe0d???????? } + $sequence_50 = { e9???????? 81fa18070000 774c b92d000000 4c8d0d8df30000 33f6 448bd6 } + $sequence_51 = { 83bf3804000000 0f9544242f 8b05???????? 8d4801 } + $sequence_52 = { 4963c0 8b948138100000 418d40ff 89812c190000 } + $sequence_53 = { 4103d3 03ca 7409 c7459401000000 eb5a 0fbe0d???????? 418d1431 } + $sequence_54 = { 4963c0 85d2 7516 6641ff448220 } + $sequence_55 = { 8bd8 83c410 85db 0f849a000000 6a01 } + $sequence_56 = { 83bc24ec02000000 0f9544244d 8b05???????? 8d4801 } + $sequence_57 = { 8bd8 53 57 8b3d???????? ffd7 8b35???????? } + $sequence_58 = { 8bd8 895c2418 8a03 3c7f } + $sequence_59 = { 4963763c 33c0 4903f6 4c89642478 4c8b6318 } + $sequence_60 = { 83c003 83e0fc 488b4d98 8901 } + $sequence_61 = { 03c1 0fbe0d???????? 33d2 f7f1 0fbe0d???????? 41bc00000000 3bc1 } + $sequence_62 = { 4963c0 418b548500 440fb7042e 8d0413 } + $sequence_63 = { f30fe6c0 660f6ec8 f30fe6c9 f20f58c0 f20f5cc8 f20f58c9 f20f114c2448 } + $sequence_64 = { 8bd8 895dd0 8b4de4 8d04cd00000000 } + $sequence_65 = { 83bc24ec00000000 b95357d886 b82e4d30a7 0f44c8 } + $sequence_66 = { 83c0d0 4889442448 b89907161e e9???????? 
} + $sequence_67 = { 8bd8 895de0 c745fc00000000 8b55ec } + $sequence_68 = { 49637e3c 42813c3750450000 7416 c743280b000000 } + $sequence_69 = { 83be1804000000 b8b0882305 b95ec7b6b6 0f44c1 } condition: 7 of them and filesize < 4751360 
@@ -134238,36 +135097,36 @@ rule MALPEDIA_Win_Unidentified_098_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cee1322b-e182-5772-a21f-5cf6e6750059" - date = "2026-01-05" - modified = "2026-01-06" + id = "c18aa87e-6608-590d-b3e6-6d59705994a8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_098" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_098_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_098_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "e8d2888b0e7d3535c791d7aba0e1785261ca562eca0e4741087a888aec2763e8" + logic_hash = "f4628b9d13189ec6d9ca2bc0fe1eb5e37f70ed32ec905431ab55d17bbf59580f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c89f1 e8???????? b901000000 4989c5 e8???????? 4989c4 0fb644244f } - $sequence_1 = { e9???????? 498b0424 8954244c 4c89e1 4488442440 ff5048 8b54244c } - $sequence_2 = { 488945b0 488b45c8 0fb64038 3c01 7423 84c0 0f849e000000 } - $sequence_3 = { 48397c2448 0f83b5000000 488b4310 488b5318 c644244401 4839d0 } - $sequence_4 = { 7426 662e0f1f840000000000 498b4c2408 4885c9 7446 4983c420 e8???????? 
} - $sequence_5 = { 4c89f7 31c0 f3aa b903000000 c744244c04010000 4989f0 4c89f2 } - $sequence_6 = { 4e8d0441 4c894220 4e8d0c49 4c894a30 41b900000080 4c39c8 7c1b } - $sequence_7 = { c744243c00000000 89442420 e8???????? b804000000 4d8d442410 488b542448 488b4c2440 } - $sequence_8 = { 3c20 7407 88842f39010000 488b8ba0000000 e8???????? 4885c0 0f84a6020000 } - $sequence_9 = { e8???????? 418b442414 83f80a 7580 0f1f00 49ff442430 49c744242800000000 } + $sequence_0 = { c4c1781150e8 4c8b49f8 4d8948f8 4839ca 75e1 4883ea18 48b9abaaaaaaaaaaaa0a } + $sequence_1 = { e8???????? 488b7320 4c8b6318 4c39e6 742e 66662e0f1f840000000000 } + $sequence_2 = { ff15???????? 0fb606 6683f808 0f85affeffff 48837e0800 0f85a4feffff 41b847490000 } + $sequence_3 = { 4883c508 48d1ea 4d8d24d0 4989e8 4d29c8 4d39e1 7617 } + $sequence_4 = { 8844242b 4189542414 498b542440 493b542448 0f85c8fbffff 4989f0 4889d9 } + $sequence_5 = { 7449 8802 48ff4340 8b4314 83f80a 750c } + $sequence_6 = { 664539d1 7ce8 49ffc4 418808 4c39e6 75bd 488b13 } + $sequence_7 = { 488d47ff 4489ca 664539c8 7d18 885001 4889c1 66440fbe48ff } + $sequence_8 = { 7fa0 4881ff00000080 7c06 89f8 85c0 7991 48837b1800 } + $sequence_9 = { 4c8949f0 4c8b48d8 4c8949e8 4939f8 7591 4c29ef } condition: 7 of them and filesize < 3345408 
@@ -134277,36 +135136,36 @@ rule MALPEDIA_Win_Kins_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "743f9274-41e4-5665-bc30-911487d51855" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1ff68b1-29af-5bf5-bcc3-fdc4774d6be3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kins_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kins_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "26d261757c4f136c791aeb2f4de3cf368918a3d762b525e91ab2a0dc9fc542ca" + logic_hash = "0afa78b24a996772416e4a6f9360547289ee6d4b476317e045497febe8e18e36" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5f 5e 5b c9 c3 ff0d???????? 7518 } - $sequence_1 = { e8???????? 6a2e 8d7b18 57 e8???????? 84c0 743e } - $sequence_2 = { 8b4d0c 890491 42 33c0 85f6 75c2 8b4510 } - $sequence_3 = { 33da 035dec 897dfc 8d84032211906b c1c007 03c7 8bfe } - $sequence_4 = { 89441904 33c0 eb03 33c0 40 5f } - $sequence_5 = { e8???????? 8bf0 85f6 0f8512010000 8d45dc 8bd8 e8???????? } - $sequence_6 = { e8???????? 33ff 85ff 7526 837c242800 0f85cefeffff 8b7508 } - $sequence_7 = { 56 ffd7 833d????????04 720a 56 } - $sequence_8 = { 7510 837de801 750a 8b4720 894714 c645ff01 8a45ff } - $sequence_9 = { 72f0 8d411c e8???????? 
83611800 } + $sequence_0 = { 3bc1 72f5 803c1000 752b 8d48fe } + $sequence_1 = { 7f09 c745ec03000000 eb40 3d8c000000 7f09 c745ec04000000 eb30 } + $sequence_2 = { 53 57 8bd9 c745fc02000000 85c0 7507 e8???????? } + $sequence_3 = { 8bd8 85db 0f8532010000 8b442420 8b08 } + $sequence_4 = { 315dfc 8b75fc 33f0 0375f4 8db43e0c38e5fd 8b7dfc c1c617 } + $sequence_5 = { 7518 837df401 74e6 8b4510 50 8d4dec 51 } + $sequence_6 = { 8d7c2448 e8???????? 8bd8 85db 0f8560010000 8b5c2428 8d442458 } + $sequence_7 = { 035df8 8db433e0e62cfe c1c60a 03f0 } + $sequence_8 = { 889dd4fbffff ffd0 85c0 7523 3975fc } + $sequence_9 = { 8bd8 85db 0f856c040000 8d742478 e8???????? 8bd8 } condition: 7 of them and filesize < 548864 
@@ -134316,36 +135175,36 @@ rule MALPEDIA_Win_Termite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "15b0d808-d79f-5784-bdde-fa38f9ed0952" - date = "2026-01-05" - modified = "2026-01-06" + id = "c5eb1093-f79a-5c91-8344-89b7de09777e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.termite_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.termite_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "3a2de453ce8083809c117db4d85515335282489c9c64cdb918c15a2c3d5282e4" + logic_hash = "2624dab4ef9cbfca02db984d603901fece0421c4d8e05f457072b1091afbc3f5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7e5e 8b45ec 8b4010 8945f0 c745f400000000 eb41 } - $sequence_1 = { 8b55f4 8b5204 891424 ffd0 8b4508 8b4010 } - $sequence_2 = { 8b45f4 89442408 8b450c 89442404 8b45f0 890424 e8???????? } - $sequence_3 = { 83f83f 771c 8b5508 8b45f4 899485f0feffff 8b85ecfeffff } - $sequence_4 = { 8945fc 8b4508 8b4004 3b45f8 7e06 837dfc00 75d7 } - $sequence_5 = { 8d85e4feffff 89442410 c744240c00000000 c744240800000000 8d85ecfeffff 89442404 891424 } - $sequence_6 = { 890424 e8???????? c745b044000000 c745dc00010000 8b45f4 8945f0 8b45f0 } - $sequence_7 = { c1e002 01d0 c1e002 05???????? 
c7400c00000000 8b55fc 89d0 } - $sequence_8 = { 890424 e8???????? 8b450c 8b400c c744240804000000 8d9568feffff } - $sequence_9 = { c7442404???????? 891c24 8944240c 8d45e1 } + $sequence_0 = { 83ec28 c745f400000000 837d0800 740a 8b4508 8b4010 85c0 } + $sequence_1 = { 89e5 837d0800 740a 8b4508 8b4010 85c0 7507 } + $sequence_2 = { b800000000 e9???????? c744240404000000 8d8560feffff } + $sequence_3 = { 890424 e8???????? 8945f0 837df000 7502 eb08 } + $sequence_4 = { 90 c745f400000000 eb08 90 c745f401000000 8b45f0 } + $sequence_5 = { 89e5 83ec28 e8???????? 8945f4 8b4508 89442408 } + $sequence_6 = { 8b403c 83f801 7507 b801000000 eb22 c7042401000000 e8???????? } + $sequence_7 = { 85c0 0f84bd040000 a1???????? 83c810 a3???????? a1???????? } + $sequence_8 = { 7507 b800000000 eb31 8b45f4 c7400400000000 } + $sequence_9 = { 890424 8b450c ffd0 8b4508 } condition: 7 of them and filesize < 312320 @@ -134356,10 +135215,10 @@ rule MALPEDIA_Win_Starsypound_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "70e37162-3a73-596a-8d7d-42b9d85b78f7" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.starsypound_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.starsypound_auto.yar#L1-L119" license_url = "N/A" logic_hash = "abf4ae91c4287e1227ba24bd55f61dc3c1250c1b8b21f760166157e29806933f" score = 75 
@@ -134368,9 +135227,9 @@ rule MALPEDIA_Win_Starsypound_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -134394,36 +135253,36 @@ rule MALPEDIA_Win_Narilam_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "54e32c98-3d91-5f09-b5aa-2a231fe53ae4" - date = "2026-01-05" - modified = "2026-01-06" + id = "af0e4e1f-e94b-5739-b250-feb476e56fd8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.narilam_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.narilam_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "d58f6ba2ee444c0612b61b483f3c9e07a728833887fe26863735ef4c04a1aac5" + logic_hash = "da37473068a43dcf4df78c2e458b0e88b0f6e24efee8edcae0e2f184bead1d80" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 66c785b0feffff2c03 ba???????? 8d85e0feffff e8???????? ff85bcfeffff 8d95e0feffff } - $sequence_1 = { e8???????? 84c0 7434 8b4370 50 8d45d0 50 } - $sequence_2 = { e8???????? 50 ff45d8 ba???????? 8d45f4 e8???????? ff45d8 } - $sequence_3 = { ff8d4cfeffff 8d8548ffffff ba02000000 e8???????? 66c78540feffff0c02 ba???????? 8d8544ffffff } - $sequence_4 = { 8d850cffffff ba02000000 e8???????? 66c785b0feffffb402 ba???????? 8d8508ffffff e8???????? } - $sequence_5 = { 6683f822 7407 8bc3 e8???????? 5b c3 80b8ec01000001 } - $sequence_6 = { e8???????? ff4df8 ff4df8 6a00 68???????? 
e8???????? } - $sequence_7 = { e8???????? 8b500c 8d45f8 e8???????? 8b45f8 50 8b8378010000 } - $sequence_8 = { ff8de8feffff 8d45cc ba02000000 e8???????? 66c785dcfeffff7400 ba???????? 8d45c8 } - $sequence_9 = { 7506 803f00 7401 47 8b4508 8978fc 5f } + $sequence_0 = { e8???????? e8???????? 85c0 0f8e90000000 8bc3 e8???????? e8???????? } + $sequence_1 = { e8???????? 50 8bc3 8b10 ff527c 8bd0 4a } + $sequence_2 = { 8d7818 8d75e0 a5 a5 a5 a5 eb15 } + $sequence_3 = { ff8de8feffff 8d45c0 ba02000000 e8???????? 66c785dcfeffff9800 ba???????? 8d45bc } + $sequence_4 = { ffb50cfeffff e8???????? 59 8985f4fdffff 8b4d08 83b96003000006 0f85ff010000 } + $sequence_5 = { e8???????? eb13 8bce b201 a1???????? e8???????? e8???????? } + $sequence_6 = { 8bf2 8bd8 8bd6 8bc3 8b08 ff91d0010000 8bd6 } + $sequence_7 = { 8d8540ffffff ba02000000 e8???????? 66c785dcfeffff1802 ba???????? 8d853cffffff e8???????? } + $sequence_8 = { 8bd0 ff85e8feffff 8b4510 e8???????? 8d55f8 52 ba???????? } + $sequence_9 = { 8d8568ffffff e8???????? 8bc8 ff852cfeffff 8b95f4fdffff 8b949570e3f9ff 8b85fcfdffff } condition: 7 of them and filesize < 3325952 
@@ -134433,36 +135292,36 @@ rule MALPEDIA_Win_Mofksys_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9191181-2227-59a8-bd61-7f1cd7036f61" - date = "2026-01-05" - modified = "2026-01-06" + id = "7b88b514-d29d-5b2c-8411-854add715287" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mofksys_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mofksys_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "8771c5394499398335ed69edffdfbaf6278241ddeb464ebd5620f11ca11db156" + logic_hash = "93f0c76a65e16a5a99d9cf00b6b0c0e1ab3763195cea216d67265bdd9c8539ce" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 50 ff15???????? 51 d91c24 ff15???????? 8bd0 } - $sequence_1 = { c1e003 eb0c ff15???????? 8b8dfcfeffff 8b590c 8b0c03 03d8 } - $sequence_2 = { c78558ffffff00000000 c745fcab000000 8b8d6cffffff 83c128 898d54ffffff c745fcac000000 ba???????? } - $sequence_3 = { ff15???????? 8bd0 8d4db0 ff15???????? 8d8d50fdffff ff15???????? c745fc07000000 } - $sequence_4 = { 8d4db4 ff15???????? e9???????? c745fc0a000000 833d????????00 } - $sequence_5 = { 83c410 6685f6 7413 668b0d???????? 51 ff15???????? e9???????? } - $sequence_6 = { 50 8b4dc8 51 6a01 ff15???????? 
50 8b55a4 } - $sequence_7 = { c78540ffffff7ca44000 c78538ffffff08000000 ff15???????? 8b4dc0 68???????? 51 ffd7 } - $sequence_8 = { 50 8b5508 8b02 50 e8???????? ffd7 8b4da4 } - $sequence_9 = { 52 ff15???????? 8bd0 8d4dcc ff15???????? c745fc27000000 8b4dc8 } + $sequence_0 = { 6a00 68???????? 8b0f 51 8d55b4 52 ff15???????? } + $sequence_1 = { 8b426c 8b4d08 8b516c 8b4010 2b420c 0f80d40a0000 } + $sequence_2 = { 8bd0 8d4d9c ffd3 8b559c c7459c00000000 6a03 } + $sequence_3 = { 8d4dc8 ff15???????? 8bd0 b9???????? ff15???????? 8d4dc8 51 } + $sequence_4 = { 8b952cffffff 6a12 81e20080ffff 66f7da 1bd2 f7da f7da } + $sequence_5 = { 64892500000000 81ecd8000000 53 56 57 8965ec c745f0c02b4000 } + $sequence_6 = { 8b8d50ffffff 83c10c ff15???????? 8d4dc0 ff15???????? c745fccc000000 6a01 } + $sequence_7 = { ffd6 50 68???????? 68???????? ffd7 8bd0 8d4dbc } + $sequence_8 = { c7459801000000 c7459002000000 ffd3 8bd0 8d4dd4 ffd7 8d4d90 } + $sequence_9 = { 8b420c 034590 50 8b4dc8 51 8b55d8 52 } condition: 7 of them and filesize < 401408 
@@ -134472,36 +135331,36 @@ rule MALPEDIA_Win_Polyvice_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a1ddf89c-1c54-5551-99ab-406b8afd6790" - date = "2026-01-05" - modified = "2026-01-06" + id = "72f6c596-4944-5bdf-b4ba-efd6261bdd4e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.polyvice_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.polyvice_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "2b6e9e23b007599969dc0f145dba20938a3646054daf998e366135a635120584" + logic_hash = "9a7188bf04d1f665a05bec4dadfcd46180fbe3c5710acdf2c2e92eebf4a4116a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1c207 4431c2 01ca 4489c9 c1c902 01d6 4189c8 } - $sequence_1 = { 41d1c1 4589ca 4589c1 4109f9 21fd 448954240c 4121c9 } - $sequence_2 = { 4c897c2420 e8???????? 488b0d???????? 4989c4 ffd3 488b2d???????? 
} - $sequence_3 = { 4489ef c1ef0a 4589d5 31f8 4531dd 01c2 4489e8 } - $sequence_4 = { 5b 5e 5f 5d c3 488d0de5a90100 41b804010000 } - $sequence_5 = { 41895120 0fb710 0fb64002 6641895125 41884127 488b443c48 } - $sequence_6 = { c1e80a 4131c6 4489d0 4189da 438d143e 21d8 41c1ca06 } - $sequence_7 = { 4131c0 4521d0 41c1ca02 4131d0 8d942a9979825a 4101c8 4489c9 } - $sequence_8 = { 4c8d0526d40000 c1e008 31c3 89f8 c1e818 0fb6d3 458b1c82 } - $sequence_9 = { 664139dc 0f46d9 83c201 0fb7c2 4439f0 7cdc } + $sequence_0 = { 0fb62caa 2500ff0000 09e8 89dd c1ed10 400fb6ed } + $sequence_1 = { 4431d2 21c2 4431f2 01d1 89c2 c1ca06 } + $sequence_2 = { 4589cc 4421cf 41c1cc06 31f7 8dac05015b8312 89442410 01fd } + $sequence_3 = { 44336908 410fb6580f 33590c c1e010 31c7 410fb64002 c1e008 } + $sequence_4 = { 4489e6 21ee 4521d1 4109f1 4489c6 4101c9 c1c60f } + $sequence_5 = { ffd6 ff15???????? ba00010000 4889c1 ffd6 ff15???????? ba0f000000 } + $sequence_6 = { 4189d2 83ea01 6641d1e9 6685c0 742f 4c8d4102 83e801 } + $sequence_7 = { 4421da 4409f2 4401ea 4401e2 448b612c 410fcc 4589e5 } + $sequence_8 = { 0fb7f2 488b4c1d00 89f2 4c8b041f 4883c308 e8???????? 4883fb20 } + $sequence_9 = { 44334c2408 894c240c 31eb 4131c0 4433442414 21fb c1cf02 } condition: 7 of them and filesize < 369664 
@@ -134512,10 +135371,10 @@ rule MALPEDIA_Win_Bruh_Wiper_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "7c9ba4ef-4fa1-51f0-9221-ba77db229e60" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bruh_wiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bruh_wiper_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bruh_wiper_auto.yar#L1-L126" license_url = "N/A" logic_hash = "cbaff4d5b7b91bf6e756e6a62487e97a100f6bd9c2c8d699efaa34252266d183" score = 75 @@ -134524,9 +135383,9 @@ rule MALPEDIA_Win_Bruh_Wiper_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -134550,36 +135409,36 @@ rule MALPEDIA_Win_Owlproxy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "63e3635a-b438-5b14-b4eb-af7ffdbef122" - date = "2026-01-05" - modified = "2026-01-06" + id = "5684dc95-0988-52a9-909a-4db2d57c015a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.owlproxy_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.owlproxy_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "53d3a09278d24d3abda5835aa7f0dd4ef8496154e71ad2a30bd173f4868edb33" + logic_hash = "ed3b9dde81521d76dc0039fdf7cf9a4928868d68802b5ecde1d571015fe6a6fd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b4908 410fb7f0 488bfa 4c8d442450 488d542458 c744245014000000 ff15???????? } - $sequence_1 = { 486bc000 488d0d42330200 8b542430 48891401 488d0d0b810100 e8???????? } - $sequence_2 = { 55 57 4156 488da808feffff 4881ece0020000 48c7442478feffffff 48895818 } - $sequence_3 = { e8???????? 4c8b742440 4c3b742448 7435 } - $sequence_4 = { 2bf3 448bc6 488bd3 488d8c2430010000 e8???????? 448b8424f8000000 } - $sequence_5 = { 498936 49895e08 49897e10 4883bd8800000010 7209 488b4d70 e8???????? } - $sequence_6 = { 415e 415d 415c 5f c3 488d0d2c290200 e8???????? 
} - $sequence_7 = { 480f4355b8 4533c0 488b4da8 ff15???????? 895db0 4c8d25f53c0200 } - $sequence_8 = { 4883ec20 488d0d53580100 ff15???????? 488d1566580100 488bc8 488bd8 ff15???????? } - $sequence_9 = { 4885db 0f8480000000 410fb60437 8803 eb77 483bdf 756a } + $sequence_0 = { 4883ec70 488b05???????? 4833c4 4889442468 4c8d4c2450 baffff0000 41b808000000 } + $sequence_1 = { ffc0 420fb61419 41ffc2 4232540eff 418851ff 48ffcf 7586 } + $sequence_2 = { 488b8d88000000 4885c9 7426 e8???????? 48c7858800000000000000 } + $sequence_3 = { ffc0 4d8d5201 413bc3 7cf2 458bc1 4c8d542420 66660f1f840000000000 } + $sequence_4 = { 6641898448b82c0300 ffc2 ebe2 8bd7 89542420 81fa01010000 } + $sequence_5 = { 483bf0 0f878c000000 4c8d7c2450 4c2bfe 483bdf 756d } + $sequence_6 = { e9???????? 488d8a20000000 e9???????? 488d8ae8000000 e9???????? 488d8a70000000 e9???????? } + $sequence_7 = { 66443920 7417 8b15???????? 488d0d28d90000 4c8bc3 ffca e8???????? } + $sequence_8 = { e8???????? eb75 4584c0 745b 4883fa08 7355 4c89742440 } + $sequence_9 = { 488d15752e0100 488bcf ff14c2 85c0 7438 488b442448 } condition: 7 of them and filesize < 475136 
@@ -134589,36 +135448,36 @@ rule MALPEDIA_Win_Donot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30399a34-f31f-510d-a9cd-b28c8f061e17" - date = "2026-01-05" - modified = "2026-01-06" + id = "afcaac87-e16e-5e45-b6a2-9d2a29dd939c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.donot_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.donot_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "b17b58b9afa5bf822376cb1f7c125d224a4976e4d102fc9c5fd48e6d7a73b698" + logic_hash = "d4c160cfebda2054e26b1cb968477da7b21003105d78aefc3dad6e44556cd440" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745fc00000000 8d8d98fdffff 6a00 c78598fdffff00000000 68???????? c785a8fdffff00000000 c785acfdffff0f000000 } - $sequence_1 = { 83e63f c1ff06 6bf638 8b04bd187b0410 807c302800 7d3c e8???????? } - $sequence_2 = { c785c0fdffff00000000 c785c4fdffff07000000 668985b0fdffff 83fa10 } - $sequence_3 = { 8d4904 8a80101c0410 8841fc 83ea01 75ec 47 83eb01 } - $sequence_4 = { c78584edffff00000000 c78588edffff0f000000 c68574edffff00 e8???????? 8d8de8edffff c645fc0f 8d5101 } - $sequence_5 = { 8d048502000000 0bc1 8bce 50 e8???????? 32c0 e9???????? } - $sequence_6 = { c645fc1a 50 e8???????? 
c645fc1b b8ffffff7f 8b55c8 2bc2 } - $sequence_7 = { 83ec18 c645fc06 8d85c8fdffff 8bcc 50 e8???????? 8d8580fdffff } - $sequence_8 = { 8d8598fdffff 0f438598fdffff 03f0 56 e8???????? 8b8590fdffff } - $sequence_9 = { 7269 81fbffffff3f 7349 8d041b 3dffffff7f 0f8741010000 } + $sequence_0 = { 0f438528ffffff 03f0 56 e8???????? 8b85c8fcffff 83c40c c6043000 } + $sequence_1 = { 52 51 e8???????? 83c408 8b4f10 b8ffffff7f 2bc1 } + $sequence_2 = { 8d8dd8fcffff c645fc04 e8???????? 8885d4fcffff c645fc05 8b85d8fcffff 8b4804 } + $sequence_3 = { 7409 8b34bd20b80310 eb07 8b34bdecb70310 53 46 e8???????? } + $sequence_4 = { 51 e8???????? 83c408 0f108db8fcffff 83bdccfcffff10 8db5f8feffff f30f7e85c8fcffff } + $sequence_5 = { 2bc6 8975f8 3bc2 0f8210010000 8d0416 8b7314 } + $sequence_6 = { 83c0fc 83f81f 0f87600a0000 52 51 e8???????? } + $sequence_7 = { c744243c0f000000 ff15???????? 8bf0 85f6 7416 ff15???????? } + $sequence_8 = { 8b048d187b0410 f644382848 7427 8a55ff 8d4601 8945e4 80fa0a } + $sequence_9 = { 0f871c070000 8bc2 51 50 e8???????? 83c408 } condition: 7 of them and filesize < 626688 
@@ -134628,34 +135487,34 @@ rule MALPEDIA_Win_Socks5_Systemz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4e63ffd3-d637-54dc-963b-d590dcc87c41" - date = "2026-01-05" - modified = "2026-01-06" + id = "f3d82eb0-bf1c-5775-8107-51c89d306f65" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.socks5_systemz_auto.yar#L1-L105" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.socks5_systemz_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "9d56f402c3f1fd51548e0c2bff2c38c0e563ae0abe552efe04d2796d89f7c180" + logic_hash = "df438a28c628a7c5c2a4f21913d11400bd14ad4b0cf48014d16e744d5f9df954" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bf1 6a4c e8???????? 8bc8 83c404 894c240c c744241800000000 } - $sequence_1 = { 50 ff7314 ff7310 e8???????? 8b4310 83c410 } - $sequence_2 = { ff10 56 8b35???????? 6a00 ffd6 50 ffd3 } - $sequence_3 = { 83c148 e9???????? c3 b8???????? } - $sequence_4 = { 8b4dec 83c134 e9???????? 8b542408 8d42e4 8b4ae0 } - $sequence_5 = { 8975a0 e9???????? 8b45a0 6aff } - $sequence_6 = { 33ed 896c2414 eb0d 50 ff15???????? 8be8 } - $sequence_7 = { 8d44240c 50 8d4c2414 e8???????? 
c744241c01000000 89742420 c74424380f000000 } + $sequence_0 = { c744241800000000 c744240801000000 ff742420 8bce e8???????? 8b4640 c706???????? } + $sequence_1 = { 0f840f000000 8365ecfe 8b4df0 83c148 e9???????? c3 8b542408 } + $sequence_2 = { 50 8d442410 64a300000000 8bf1 6a4c e8???????? 8bc8 } + $sequence_3 = { 50 ffd3 56 e8???????? 83c404 83c704 3bfd } + $sequence_4 = { 7407 51 ff15???????? 897e0c 5f 8b460c 5e } + $sequence_5 = { 0f8ee5000000 f00fba2b1e 0f82da000000 8bcb e8???????? 50 e9???????? } + $sequence_6 = { 50 8d442454 50 e8???????? 50 8d442410 c78424a400000000000000 } + $sequence_7 = { 57 8d7e10 750a 51 57 e8???????? 83c408 } condition: 7 of them and filesize < 1417216 
@@ -134665,36 +135524,36 @@ rule MALPEDIA_Win_Havex_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f3fbb0af-43ac-5647-9a79-89548fc57d3c" - date = "2026-01-05" - modified = "2026-01-06" + id = "7991246d-f84f-56bc-94fa-31ca00c4b2e6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.havex_rat_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.havex_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "9d2eae0c4a7abc70e6bf5636f95e7cb91a062b9062076188516a0129d3184ea5" + logic_hash = "0af582c8543e405171c63f9b74cf05a22861e4a138f7bfd62577aee523a19a0b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 50 51 ff15???????? 68???????? 8d4dd8 8bf0 } - $sequence_1 = { 83c8ff 2b4560 3bd8 7601 49 42 ebe4 } - $sequence_2 = { 8d5c242c 89642428 8938 897808 89780c 897810 } - $sequence_3 = { 8b4508 c9 c3 3b442404 741c 56 8d7004 } - $sequence_4 = { 8d8e94c90000 8955d8 0fb69002010000 0fb638 c1e210 0bd7 8951fc } - $sequence_5 = { 8d4d88 0f9445c3 c645fc05 e8???????? 385dc3 7507 } - $sequence_6 = { e8???????? 
ff75ec 8d450c ff75e8 8bce 50 8b4508 } - $sequence_7 = { 6a01 50 ff7514 8d44243c ff7510 50 57 } - $sequence_8 = { 83c104 ff4df8 837df800 7fe3 8b75e0 } - $sequence_9 = { ff7004 ff15???????? 8bd8 83fb02 7504 32c0 eb2f } + $sequence_0 = { e8???????? 33db 895dfc b800020000 8d773c c7472003000000 895f24 } + $sequence_1 = { 8bf0 3bf3 742f 68???????? 8d4dc0 e8???????? 8d45c0 } + $sequence_2 = { 8b0c81 8bc6 e8???????? 8b45dc 0fb7444358 0fb60c07 51 } + $sequence_3 = { 2b470c 6a1c 59 99 f7f9 8b4d08 } + $sequence_4 = { c745fc02000000 8b06 8b4004 57 c70406???????? e8???????? } + $sequence_5 = { e8???????? c3 6a1c b8???????? e8???????? 8b450c 83781810 } + $sequence_6 = { 8b7f04 eb03 83c704 33f6 56 50 53 } + $sequence_7 = { b801040000 8b4d64 5f 33cd 5e e8???????? } + $sequence_8 = { c1e704 03fe 038f94c90000 039798c90000 8b7ddc 0fb77c7b18 897de0 } + $sequence_9 = { 8d7304 8b55ec 33ff 85d2 7616 2bc8 3b7de8 } condition: 7 of them and filesize < 892928 
@@ -134704,85 +135563,89 @@ rule MALPEDIA_Win_Agent_Btz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "63f52dc6-c77d-5450-96ef-d9bb7ca2e2e5" - date = "2026-01-05" - modified = "2026-01-06" + id = "86910a0f-0673-5e74-8b61-e5c4cb4d2a86" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.agent_btz_auto.yar#L1-L502" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.agent_btz_auto.yar#L1-L526" license_url = "N/A" - logic_hash = "490f9b875f186054dd3eafec04e94807f52eca52fbc5563b2ddd7496752d38c8" + logic_hash = "e21e353e99ce85bf3bdd36a6938006a6f7619e241ecf194c7febc8cbc8f928f3" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 ffd6 8d54240c 52 ffd7 } - $sequence_1 = { c74608ffffffff f644240801 7409 56 } - $sequence_2 = { 50 ffd3 85c0 75d8 5f 5e 5b } - $sequence_3 = { c706???????? c7460c00000000 895e08 895e04 c7461000000000 895e14 } - $sequence_4 = { ff15???????? b804000f00 8b4df4 64890d00000000 5f 5e 5b } - $sequence_5 = { 56 6a00 68???????? 8935???????? e8???????? } - $sequence_6 = { 6a00 50 ff15???????? 894614 33c0 } - $sequence_7 = { 740e 50 ff15???????? 
c74608ffffffff f644240801 } - $sequence_8 = { 8d542408 52 c744240c30000000 c744241003000000 } - $sequence_9 = { 8bf1 8b4608 c706???????? 85c0 7413 83f8ff 740e } - $sequence_10 = { 6801010000 ff15???????? 85c0 7415 } - $sequence_11 = { 6a0a 68???????? 6a01 6a00 68???????? } - $sequence_12 = { 51 6a00 6819000200 6a00 68???????? } - $sequence_13 = { 50 68???????? 6a01 68???????? e8???????? 83c410 } + $sequence_0 = { 8d4c240c 51 ffd6 8d54240c 52 } + $sequence_1 = { c74608ffffffff f644240801 7409 56 e8???????? 83c404 } + $sequence_2 = { ffd3 85c0 75d8 5f } + $sequence_3 = { b805000f00 8b4df4 64890d00000000 5f 5e 5b 8be5 } + $sequence_4 = { ff15???????? b800000f00 8b4df4 64890d00000000 } + $sequence_5 = { c706???????? c7460c00000000 895e08 895e04 c7461000000000 895e14 } + $sequence_6 = { 56 6a00 68???????? 8935???????? e8???????? } + $sequence_7 = { 6a00 50 ff15???????? 894614 } + $sequence_8 = { 8bf1 8b4608 c706???????? 85c0 7413 83f8ff } + $sequence_9 = { 740e 50 ff15???????? c74608ffffffff f644240801 } + $sequence_10 = { 8d542408 52 c744240c30000000 c744241003000000 } + $sequence_11 = { 6801010000 ff15???????? 85c0 7415 } + $sequence_12 = { 6a0a 68???????? 6a01 6a00 } + $sequence_13 = { 51 6a00 6819000200 6a00 68???????? } $sequence_14 = { 6a01 6a04 6a01 68???????? } - $sequence_15 = { 50 e8???????? 83c408 6800010000 e8???????? } - $sequence_16 = { 6a01 68???????? e8???????? 83c414 5f 5e 5b } - $sequence_17 = { 89461c 3dea000000 740b 3de5030000 } + $sequence_15 = { 50 68???????? 6a01 68???????? e8???????? 83c410 } + $sequence_16 = { 6a01 68???????? e8???????? 83c414 5f 5e } + $sequence_17 = { 50 e8???????? 83c408 6800010000 e8???????? } $sequence_18 = { 7511 e8???????? 83c020 50 } - $sequence_19 = { 0fb605???????? 66890d???????? 0fb60d???????? 660fafca } - $sequence_20 = { 83c020 50 e8???????? 83c404 33c0 } - $sequence_21 = { 68???????? 6a01 e8???????? 50 e8???????? 
83c41c } - $sequence_22 = { 740d 3cff 7409 f6d0 } - $sequence_23 = { c684249200000065 c684249300000073 c684249400000073 c684249500000057 } - $sequence_24 = { 33c9 ff542458 85c0 7420 } - $sequence_25 = { c684248b00000061 c684248c00000074 c684248d00000065 c684248e00000050 c684248f00000072 c68424900000006f } - $sequence_26 = { 57 ff7508 8bf1 33db 895e10 } - $sequence_27 = { 6808020000 50 668945fa 8d85d8fdffff } - $sequence_28 = { 33ff 8d85f8f7ffff 57 50 } + $sequence_19 = { 6a01 e8???????? 50 e8???????? 83c41c } + $sequence_20 = { 89461c 3dea000000 740b 3de5030000 } + $sequence_21 = { 0fb605???????? 66890d???????? 0fb60d???????? 660fafca 6603c8 } + $sequence_22 = { 83c020 50 e8???????? 83c404 33c0 } + $sequence_23 = { 037dfc 8b4508 83c414 837df800 8938 } + $sequence_24 = { 59 6a25 58 6a30 668945f2 58 6a38 } + $sequence_25 = { c78424a000000068000000 c78424dc00000001000000 33c0 66898424e0000000 } + $sequence_26 = { c684248c00000074 c684248d00000065 c684248e00000050 c684248f00000072 } + $sequence_27 = { 8b4624 6888130000 ff7618 897dfc } + $sequence_28 = { c684249400000073 c684249500000057 c684249600000000 c684241001000047 c684241101000065 c684241201000074 } $sequence_29 = { 6a00 6a27 6a02 6a00 6a01 } - $sequence_30 = { 8b85f8feffff 53 8d8df4feffff 51 8d8df8feffff } - $sequence_31 = { ff9574ffffff 8b4de0 89410c 33c0 8be5 5d c20400 } - $sequence_32 = { c684249500000057 c684249600000000 c684241001000047 c684241101000065 c684241201000074 c68424130100004c } - $sequence_33 = { 50 8d85e8fdffff 50 c745fc04010000 } - $sequence_34 = { c684248f00000072 c68424900000006f c684249100000063 c684249200000065 } - $sequence_35 = { 50 8945f8 33ff 8d85f8f7ffff } - $sequence_36 = { 8bc8 66894de0 66894de2 59 6a70 } - $sequence_37 = { 8d8505feffff 50 e8???????? 
83c40c } - $sequence_38 = { c645d316 c645d43a c645d53b c645d63b c645d730 } - $sequence_39 = { 488b4338 33d2 488bce 448d4220 } - $sequence_40 = { 488b4b38 ff5160 894330 3dea000000 } - $sequence_41 = { 488b0e 48894628 488b4638 4c8d4c2450 448bc3 } - $sequence_42 = { 488b07 896830 33c0 488b5c2458 488b6c2460 488b742468 4883c440 } - $sequence_43 = { 488b0f 894130 eb06 488b07 896830 33c0 } - $sequence_44 = { 83c904 c1e803 448bc9 440fafc8 } - $sequence_45 = { 488b4638 488b0e 4c8d442450 4533c9 } - $sequence_46 = { 488b4638 ff5060 894630 3de5030000 } - $sequence_47 = { 488bcf c744242088130000 e8???????? 488b5738 } - $sequence_48 = { 488b0f 488901 488b07 488338ff } - $sequence_49 = { 488b0f 48894108 488b0f 488b4108 48894128 488b0f } - $sequence_50 = { 85db 7415 4c8b4f38 488d4804 } - $sequence_51 = { 8d8594faffff 50 68???????? ff15???????? } - $sequence_52 = { 742e f7460800000080 7405 83c60c } - $sequence_53 = { 72e3 8b2d???????? 8d442420 50 ffd5 } - $sequence_54 = { 57 33db 8d84248c000000 6a3c 53 } - $sequence_55 = { 85ed 7506 8b4204 8b680c b86e6b0000 66394504 0f856e010000 } - $sequence_56 = { 8b4604 3938 747b 8b33 57 } - $sequence_57 = { 5e 59 c3 68???????? e8???????? 59 b815000040 } - $sequence_58 = { ff74241c ffd3 837c241000 740a } + $sequence_30 = { 740d 3cff 7409 f6d0 } + $sequence_31 = { c684249100000063 c684249200000065 c684249300000073 c684249400000073 c684249500000057 } + $sequence_32 = { 8d4df8 51 8d8df8f7ffff 51 57 } + $sequence_33 = { 8b5d0c 56 8bf0 8b4624 57 } + $sequence_34 = { 33c9 ff542458 85c0 7420 } + $sequence_35 = { 66894dea 59 6a65 668945f0 66894dec } + $sequence_36 = { ff9574ffffff 8b4de0 89410c 33c0 8be5 5d c20400 } + $sequence_37 = { 8bf1 33db 895e10 895e0c } + $sequence_38 = { c645d316 c645d43a c645d53b c645d63b c645d730 c645d836 } + $sequence_39 = { 8d8505feffff 50 e8???????? 
83c40c } + $sequence_40 = { 488b4338 33d2 488bce 448d4220 } + $sequence_41 = { 488b0f 48894108 488b0f 488b4108 } + $sequence_42 = { 488b5738 488bce 8bd8 ff92e8010000 } + $sequence_43 = { 488bd6 ff90c8010000 8bf8 85c0 } + $sequence_44 = { 488b0f 894130 eb06 488b07 } + $sequence_45 = { 488bcf c744242088130000 e8???????? 488b5738 } + $sequence_46 = { 488b0f 488901 488b07 488338ff } + $sequence_47 = { 488b0f 488b4108 48894128 488b0f } + $sequence_48 = { 83c904 c1e803 448bc9 440fafc8 } + $sequence_49 = { 4155 4156 4157 4883ec40 488b4138 } + $sequence_50 = { 488b4b38 ff5160 894330 3dea000000 } + $sequence_51 = { 4883ec40 33ed 488bf9 498bf0 } + $sequence_52 = { 488b0e 48894628 488b4638 4c8d4c2450 448bc3 488bd7 } + $sequence_53 = { 488b07 896830 33c0 488b5c2458 488b6c2460 } + $sequence_54 = { 488b4638 488b0e 4c8d442450 4533c9 } + $sequence_55 = { 8d8594faffff 50 68???????? ff15???????? } + $sequence_56 = { 0304b5100b4200 59 eb05 b8???????? 8a4004 2482 } + $sequence_57 = { 8b7c2420 8d442410 ff7708 56 } + $sequence_58 = { 4e 42 0fb606 80b890fc410000 74e9 8b5ddc } + $sequence_59 = { 53 ff15???????? 85c0 7413 8d85f0fdffff 50 68???????? } + $sequence_60 = { eb2f ff742430 ff742430 53 53 ff742430 } + $sequence_61 = { 8b7e08 8b6c2430 81e7ffffff7f 85ed 7471 } + $sequence_62 = { 8b3d???????? 83c41c 33f6 0fb6442e60 } condition: 7 of them and filesize < 5577728 
@@ -134792,36 +135655,36 @@ rule MALPEDIA_Win_Unidentified_020_Cia_Vault7_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50fc15f3-1120-5098-a2b0-ef6606f64bfb" - date = "2026-01-05" - modified = "2026-01-06" + id = "de16efce-7aa6-5999-a998-41c313f36a9a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_020_cia_vault7_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_020_cia_vault7_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "17fe086c6d5f4507ec1675a18ca14445f60cf526d184ed9a8460c468298fa68d" + logic_hash = "40a7ba670d6b785339317dddaefb7d17fd9bc5dd51bc097102661d6982ffacd4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 8d45f0 64a300000000 8965e8 8b7d08 c745fc00000000 8b07 } - $sequence_1 = { a1???????? 33c4 89842428080000 8b4508 53 } - $sequence_2 = { 52 8d85c6f7ffff 50 e8???????? 8bbdb8f7ffff } - $sequence_3 = { 33c0 8d8decfdffff 51 8d95c8fdffff 52 8985ccfdffff } - $sequence_4 = { 50 ff15???????? 85c0 7516 56 8945f8 } - $sequence_5 = { 68???????? 57 ff15???????? 8bd8 3bdf 742e 53 } - $sequence_6 = { 8907 897704 8b8dbcf7ffff 890f 50 } - $sequence_7 = { 837e1400 750f 6a7f ff15???????? 
33c0 5e 8be5 } - $sequence_8 = { 68???????? 33f6 68???????? 56 8975fc c745f801000000 ff15???????? } - $sequence_9 = { 6aff 51 8b4d0c 6804010000 51 e8???????? 83c410 } + $sequence_0 = { 99 3b542424 7cd2 7f10 3b442420 72ca eb08 } + $sequence_1 = { 51 ff15???????? 6810040000 8d95c4f7ffff 52 6810040000 57 } + $sequence_2 = { 8d95e8fbffff 52 8d85f0fdffff 6804010000 50 e8???????? 83c40c } + $sequence_3 = { 50 e8???????? 8b550c 83c40c 5f 8932 5e } + $sequence_4 = { 8d443602 50 e8???????? 8b4d08 6aff 51 } + $sequence_5 = { 8b413c 813c0850450000 75df 8b4c0850 894a10 } + $sequence_6 = { 8b55fc a1???????? 68???????? 6a00 52 6803660000 } + $sequence_7 = { 83e11f c1e106 8b048520834100 c644080401 57 e8???????? 59 } + $sequence_8 = { 57 56 c785f0fdffff00000000 ff15???????? 85c0 } + $sequence_9 = { b9???????? e8???????? 59 e9???????? 53 ff7604 } condition: 7 of them and filesize < 253952 
@@ -134831,36 +135694,36 @@ rule MALPEDIA_Win_Cradlecore_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fec2c384-0d7c-5ffa-a383-057dccfbd935" - date = "2026-01-05" - modified = "2026-01-06" + id = "e1d8d918-91ac-5925-966e-b2df61a6b207" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cradlecore_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cradlecore_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "cc04ae06802f62915d99191dfee1f4ad76dcf5fb1c40032e747d4c7261b81445" + logic_hash = "428af4f1445f6a08372e209a32c155b51411498354ff5a0338184a644f78edbd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d45d8 c645fc1c 50 e8???????? 8d4590 c645fc1d } - $sequence_1 = { 8bf8 e9???????? 8b8528e5ffff 8b0c85f01f4300 8b8524e5ffff f644080480 0f8475030000 } - $sequence_2 = { 03d9 014c2410 8b54240c 11442414 2bf1 1bf8 8b422c } - $sequence_3 = { 8d4db0 8945fc e8???????? 8b55fc 8bcf f7d1 } - $sequence_4 = { 8bc3 2b450c 741b 50 } - $sequence_5 = { 50 51 8d8c248c000000 e8???????? 
8b5508 8d4c2468 } - $sequence_6 = { 395c2430 726f 837c243410 8b442420 7304 } - $sequence_7 = { c1e606 c1e910 c0e107 8b1485f01f4300 8a443224 } - $sequence_8 = { 8b7508 6a00 53 8d4c2430 e8???????? 8bc6 8b4c2444 } - $sequence_9 = { 59 85c0 7831 8b1cc55c5e4200 6a55 53 e8???????? } + $sequence_0 = { 51 50 e8???????? 88443dec 47 83ff04 7cea } + $sequence_1 = { 6a00 6a01 8d8d64ffffff e8???????? 8b4df4 8a45ef 5f } + $sequence_2 = { 8d4d80 e8???????? 83ec18 c745fc04000000 8d4580 8bcc 50 } + $sequence_3 = { 8bec 83ec44 8365fc00 8d45bc 56 52 68???????? } + $sequence_4 = { 8d4dac e8???????? 8d45ac c745fc13000000 50 8bce e8???????? } + $sequence_5 = { 8d8ed0020000 e8???????? 8d8ec0020000 e8???????? 53 57 } + $sequence_6 = { e8???????? c745e074c74200 8d45e0 68???????? 50 e9???????? } + $sequence_7 = { 8b4d08 e8???????? 50 8bce e8???????? 5e 5d } + $sequence_8 = { e8???????? 6a00 53 8d4d98 c745e050504200 e8???????? 834dfcff } + $sequence_9 = { 885f45 394c2424 8b4c243c 7543 85d2 0f853cffffff 837c243820 } condition: 7 of them and filesize < 450560 
@@ -134870,41 +135733,41 @@ rule MALPEDIA_Win_Whiskerspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "129d540e-8d5c-5460-9975-895a38c68929" - date = "2026-01-05" - modified = "2026-01-06" + id = "4650a155-71e3-5ebe-a61c-a966bb9c472b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.whiskerspy_auto.yar#L1-L147" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.whiskerspy_auto.yar#L1-L148" license_url = "N/A" - logic_hash = "f82e28f98658c3c783c2c1731be6b16001447d83e33b49e0aaa68c9ddf787261" + logic_hash = "2630783c91cbe95946721b24ba2881caf0995b4882ab207ac281b90db6db950c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b06 8bcf d3e8 a801 } - $sequence_1 = { 33d2 488d4c2460 41b804010000 e8???????? 33d2 } - $sequence_2 = { 418b37 488bfd 488b8c2420010000 4883c510 } - $sequence_3 = { 44896ddc 498bd4 498bcd e8???????? 4c8be0 } - $sequence_4 = { 4803ca 418bc3 4c3bc1 458b4210 8b0d???????? } - $sequence_5 = { 48d3cf 4933f8 4b87bcfee0740200 33c0 488b5c2450 } - $sequence_6 = { e8???????? c6043700 488d55e0 498bce e8???????? 
} - $sequence_7 = { 4157 488dac24c8fcffff 4881ec38040000 488bda } - $sequence_8 = { 8d45d4 837de808 8b4db0 0f4345d4 8b16 } - $sequence_9 = { c685f9fbffff1e c685fafbffff8b 59 c685fbfbffff86 } - $sequence_10 = { c685e4feffff7b 889de5feffff 8a85b8feffff 8a840db8feffff } - $sequence_11 = { 6a06 59 f3a5 8b75e8 8b7dd8 } - $sequence_12 = { 0fbec1 83e820 83e07f 8b0cc5d43b4300 eb02 } - $sequence_13 = { 7430 8b5304 8d47f8 8d7308 } - $sequence_14 = { 33c0 f68594f9ffff02 899d9cf8ffff 89b5a0f8ffff } + $sequence_0 = { 33ff 8b06 8bcf d3e8 a801 } + $sequence_1 = { 8d4a28 8d5301 e8???????? 488bf8 } + $sequence_2 = { 2c05 3441 88840d080b0000 48ffc1 } + $sequence_3 = { 8845e0 0fb64102 8845e1 0fb64101 8845e2 } + $sequence_4 = { ba01000000 8bca e8???????? 4c8be8 488945c7 } + $sequence_5 = { e8???????? badd9a1c2d 488905???????? 488bce e8???????? } + $sequence_6 = { 6689480c 0f1045ef 488b03 0f11400e 0f104dff } + $sequence_7 = { e8???????? c7474000000000 4c8d9c24b0010000 498b5b30 498b7340 } + $sequence_8 = { 0175d0 eb0c 51 8d4dcc } + $sequence_9 = { 015508 85ff 0f8f6cffffff 7c08 } + $sequence_10 = { 015dd0 eb09 51 8d4dcc } + $sequence_11 = { 015de8 eb09 50 8d4de4 } + $sequence_12 = { 01742418 83c40c 8b412c 2930 } + $sequence_13 = { 0144241c 2bd8 83c410 8bd3 } + $sequence_14 = { 0130 8b7510 83794c00 8bd3 7451 e8???????? 8bd3 } condition: 7 of them and filesize < 591872 
@@ -134914,40 +135777,42 @@ rule MALPEDIA_Win_Sidewalk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "39c1c961-da91-5a25-8ecb-047f3c9eb164" - date = "2026-01-05" - modified = "2026-01-06" + id = "7895c73e-d170-5266-8284-d4f0f0b603a8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sidewalk_auto.yar#L1-L149" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sidewalk_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "8deb72ecccbb130aa5e8724fff6a194c33523f3296434270b03ff0933ff78416" + logic_hash = "d5b2185c396626cea6c1832b84250cb70bab843e48af4b4bb04ec5b242596de2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41c1c610 4503e6 4403cb 4533d1 4403ee 41c1c210 418bc3 } - $sequence_1 = { c1c010 4403d8 4133db c1c30c } - $sequence_2 = { ff15???????? 4885c0 750e 488bcf ff15???????? 
} - $sequence_3 = { 33f0 418bc1 4133c6 c1c608 c1c010 4403de 4403e8 } - $sequence_4 = { 4433f2 c1c710 4403df 41c1c610 4503e6 4403cb } - $sequence_5 = { c1e810 880a c1e918 884202 884a03 4183f810 } - $sequence_6 = { 48ffc1 488d040a 483bc6 7ce2 } - $sequence_7 = { 4133db c1c30c 03d3 8bf2 } - $sequence_8 = { 4133db 418bcd c1c307 4133c8 } - $sequence_9 = { 418b09 418bc0 c1e002 4d8d4904 4863d0 } - $sequence_10 = { 8a040f 3201 41880408 48ffc1 488d040a } - $sequence_11 = { c1e108 0bc8 0fb642fe c1e108 0bc8 41890c10 488d5204 } - $sequence_12 = { 488b05???????? 83780c00 7405 e8???????? 488b0d???????? } - $sequence_13 = { 89750b 4489750f 44897d03 448965ff } + $sequence_0 = { 0bc8 41890c10 488d5204 4983e901 75d4 } + $sequence_1 = { 4533d1 41c1c208 4503fa 418bdf 33d8 } + $sequence_2 = { 8945ef 8bc2 33c6 c1c010 } + $sequence_3 = { c1c708 4403df 458bc3 4433c0 } + $sequence_4 = { c1e002 4d8d4904 4863d0 41ffc0 } + $sequence_5 = { 7d15 8a040f 3201 41880408 } + $sequence_6 = { 33d0 418bc7 33c3 c1c207 c1c00c 4403c8 4533d1 } + $sequence_7 = { 41880408 48ffc1 488d040a 483bc6 } + $sequence_8 = { 41c1c610 4503e6 4403cb 4533d1 4403ee 41c1c210 418bc3 } + $sequence_9 = { 33c6 c1c010 4403d8 4133db c1c30c } + $sequence_10 = { 33f1 4133f8 c1c610 4433f2 c1c710 4403df 41c1c610 } + $sequence_11 = { 0fb642fe c1e108 0bc8 41890c10 } + $sequence_12 = { 4133c6 c1c608 c1c010 4403de } + $sequence_13 = { c1e918 884202 884a03 4183f810 7ccc } + $sequence_14 = { 488d040a 483bc6 7ce2 4883c640 4883c340 } + $sequence_15 = { 4403de 4403e8 4133db 418bcd c1c307 4133c8 } condition: 7 of them and filesize < 237568 
@@ -134957,36 +135822,36 @@ rule MALPEDIA_Win_Adhubllka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad2942ad-0768-5d25-b2fe-1ba7ec43f66b" - date = "2026-01-05" - modified = "2026-01-06" + id = "0c6b7797-a47a-53ba-9e25-f70d8efb2da1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.adhubllka_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.adhubllka_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "e47f134b0db44fb4d451c84c4568ba6117ac83a59e51548a061c4d0fcde2d289" + logic_hash = "1f957de62af1aa10d61a74da4d243cad06d99059c707a469a19ec5c8824077ff" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b45c8 894590 8b45c4 894598 8b45c0 898560ffffff } - $sequence_1 = { 03459c 8bc8 c1c307 334d94 c1c110 03f1 8bd6 } - $sequence_2 = { 33c9 25000f0000 c705????????01000000 3d000f0000 8b45d4 } - $sequence_3 = { c78424a8000000787e4100 c78424ac000000807e4100 c78424b0000000887e4100 c78424b4000000907e4100 } - $sequence_4 = { 8b4b14 894734 83c240 8b45e8 83c640 83e840 } - $sequence_5 = { ffb52cfbffff 56 ffb518fbffff 51 8b8d30fbffff e8???????? } - $sequence_6 = { 56 57 ff15???????? 68???????? 57 ff15???????? 8d85a4fdffff } - $sequence_7 = { 8b3d???????? 
8b442410 8b4c2414 8b542418 d1e8 41 83ea01 } + $sequence_0 = { 0f1007 8b7df0 660ffe6580 660fefc8 } + $sequence_1 = { 83473001 7503 ff4734 837de840 0f86b1000000 } + $sequence_2 = { 85c0 740e 50 e8???????? 83a668b3410000 59 83c604 } + $sequence_3 = { 6bd738 8b0c8d68b34100 c644112800 85f6 740c 56 } + $sequence_4 = { 56 50 8b459c 03c7 50 e8???????? 8b4da4 } + $sequence_5 = { 8d040f 894dc8 8b4db0 c1c80e 33c2 8945b4 8945bc } + $sequence_6 = { e8???????? 0f108528feffff 8d9538fdffff 8d8d28feffff 0f118538fdffff 0f108538feffff 0f118548fdffff } + $sequence_7 = { e9???????? 6a00 6a00 6a00 50 ff15???????? 8bb598fdffff } $sequence_8 = { 83ff40 725c 8b45ac 8b4d9c 0f1006 8b559c 0f105610 } - $sequence_9 = { 7707 8b4310 3bd0 730e 8d463f 3bc8 773b } + $sequence_9 = { e8???????? 0f1085fcfcffff 0f1185c4feffff 0f10850cfdffff 8b9d1cfbffff 8d85c4feffff } condition: 7 of them and filesize < 253952 @@ -134997,10 +135862,10 @@ rule MALPEDIA_Win_Nvisospit_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "45693521-741e-5d7b-a1e6-3a76e159ad3c" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nvisospit_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nvisospit_auto.yar#L1-L121" license_url = "N/A" logic_hash = "ff70ccb56c3ba29da1863614e8053ff80e99b0375420038026fb05b34e9ea2b2" score = 75 
@@ -135009,9 +135874,9 @@ rule MALPEDIA_Win_Nvisospit_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -135035,36 +135900,36 @@ rule MALPEDIA_Win_Acehash_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4f90b1a7-3252-5dd5-ab44-388a3ba534d1" - date = "2026-01-05" - modified = "2026-01-06" + id = "e16306e5-1f4e-5876-87ba-dcbf55aba90c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.acehash_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.acehash_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "80439bed405e426456759fe4e19027929c158eaf7c7e4df93a3fc94b4a640c7d" + logic_hash = "458a01b3065c0dbc769ff876bcdff8dca9840dd5d01b83325b94bb7c7fc80936" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8455010000 0fb61438 440fb607 458be5 8bc2 418bf0 83e23f } - $sequence_1 = { 8d048504000000 4863d0 e8???????? 488bd8 4885c0 0f849d010000 } - $sequence_2 = { 83fa08 7410 b803000000 488b5c2430 4883c420 5f c3 } - $sequence_3 = { 33d2 f77304 8bfa 4c89642450 85ff 0f84f0000000 4533e4 } - $sequence_4 = { 4403848ea0dd0300 8b4b70 44338486a0e10300 8b4330 4533d0 458d0c02 41d3c1 } - $sequence_5 = { 4889742448 48897c2418 0fb6790c 41c1e208 440bd0 0fb64105 c1e708 } - $sequence_6 = { 488d0de8030300 4883c204 48c1fa02 482bd3 e8???????? 448b4608 488bd6 } - $sequence_7 = { e8???????? 
b9002a0b00 e8???????? 488bf8 4c8bc0 488d1586a80500 488bca } - $sequence_8 = { 4133bc8f709d0400 c1e818 0fb6c8 410fb6c0 4133bc8f70950400 4133bc8770a50400 418bc0 } - $sequence_9 = { 438b8cb9a0f10300 41338cb9a0ed0300 41338cb1a0e50300 41338c81a0f10300 33ca 334daf 8bc1 } + $sequence_0 = { 33c3 488d1dbdad0300 89471c 488d3dd7ad0300 418b4b18 4983c310 e8???????? } + $sequence_1 = { 488bc1 48c1f805 488d1554fe0d00 83e11f 486bc958 488b04c2 80640808fe } + $sequence_2 = { c3 4885d2 74f1 4885c9 } + $sequence_3 = { 0bc2 c1e008 0bc8 33d2 41894bfc 453bc2 72b7 } + $sequence_4 = { 418bc2 c1e808 0fb6c8 410fb6c2 4133948900040000 41331481 8b4518 } + $sequence_5 = { 4c8b4c2440 8b7c2420 3b7c242c 7d25 4c8b442458 4c8b542470 448b5c2424 } + $sequence_6 = { 397ddc 746c 4c8d153b94fdff 4b8b84eaa0511100 f644300848 741e ba0a000000 } + $sequence_7 = { 488905???????? ff15???????? 488d15493b0300 483305???????? 488bcb } + $sequence_8 = { 488d0de90a0300 e8???????? 83f8ff 750a b80c00e00c 4883c428 c3 } + $sequence_9 = { 8bd3 498bce 4889442420 e8???????? 4c8d3df4110300 4c8d6738 4c8d0569130300 } condition: 7 of them and filesize < 2318336 
@@ -135074,160 +135939,156 @@ rule MALPEDIA_Win_Dridex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "144cf75b-1d98-530d-8c7f-b36a158181d3" - date = "2026-01-05" - modified = "2026-01-06" + id = "ce8ee0cb-6294-5d98-b0a7-3949e556a396" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dridex_auto.yar#L1-L1103" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dridex_auto.yar#L1-L1079" license_url = "N/A" - logic_hash = "ed79935f1e181816ce095f2b34e8302b3ab4d9435988ec01dc1b779e29264775" + logic_hash = "79ddc1264947a19ef351384ff8d8714b4348dcf0c77e8fb0455eeda83a0dc08b" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd6 85c0 7512 e8???????? eb03 } - $sequence_1 = { e8???????? b910270000 e8???????? e8???????? } + $sequence_0 = { e8???????? b910270000 e8???????? e8???????? } + $sequence_1 = { ffd6 85c0 7512 e8???????? eb03 } $sequence_2 = { c605????????01 c3 c605????????00 c3 } $sequence_3 = { 83f8ff 7505 e8???????? 3d34270000 } - $sequence_4 = { ffd0 e8???????? 85c0 74de } - $sequence_5 = { ffd0 85c0 751f e8???????? } + $sequence_4 = { ffd0 85c0 751f e8???????? } + $sequence_5 = { ffd0 e8???????? 85c0 74de } $sequence_6 = { 740c b9e8030000 e8???????? 
b301 } $sequence_7 = { 53 53 53 6a01 53 ffd0 } $sequence_8 = { eb0a e8???????? eb03 6a7f } $sequence_9 = { c3 31c0 c3 50 } - $sequence_10 = { e8???????? 85c0 7407 56 ffd0 } - $sequence_11 = { 807c241400 7409 8d4c2410 e8???????? } - $sequence_12 = { e8???????? 6880000000 53 53 } - $sequence_13 = { e8???????? 85c0 7408 6a00 ffd0 } - $sequence_14 = { 85c0 7407 685a040000 ffd0 } - $sequence_15 = { e8???????? 85c0 7404 6a7f } - $sequence_16 = { e8???????? 3db20d7897 7508 c70350000000 eb0d 3da665f63e 7506 } + $sequence_10 = { 807c241400 7409 8d4c2410 e8???????? } + $sequence_11 = { e8???????? 85c0 7407 56 ffd0 } + $sequence_12 = { e8???????? 85c0 7408 6a00 ffd0 } + $sequence_13 = { e8???????? 6880000000 53 53 } + $sequence_14 = { e8???????? 3db20d7897 7508 c70350000000 } + $sequence_15 = { e8???????? eb0a b9d0070000 e8???????? } + $sequence_16 = { 7508 c70350000000 eb0d 3da665f63e 7506 c703bb010000 } $sequence_17 = { ffd0 5b c3 33c0 } - $sequence_18 = { e8???????? 6a00 8d4e1c e8???????? } - $sequence_19 = { e8???????? eb0a b9d0070000 e8???????? } - $sequence_20 = { e8???????? 6a29 8bc8 e8???????? } - $sequence_21 = { 7411 c7461003000000 e8???????? 894614 } - $sequence_22 = { e8???????? 8d4dc4 e8???????? 5e } - $sequence_23 = { 85c0 7415 6a01 6a00 6a00 } - $sequence_24 = { 8bc8 e8???????? 6a74 8bc8 e8???????? 6a70 } - $sequence_25 = { 6a70 8bc8 e8???????? 6a73 8bc8 e8???????? } - $sequence_26 = { eb08 83ca20 eb03 83ca10 } - $sequence_27 = { 6a00 8bcf e8???????? 50 ffd6 } - $sequence_28 = { e8???????? e9???????? 807c245000 740a } - $sequence_29 = { 46 e8???????? c1e802 3bf0 } - $sequence_30 = { 6a00 6a00 8d4dfc 51 6aff } - $sequence_31 = { 890424 894c2404 75dd 8b0424 } - $sequence_32 = { 89c1 8b442424 88c2 8854240f } - $sequence_33 = { 8b442428 6689c1 66894c2458 66894c245a } - $sequence_34 = { 6a64 59 e8???????? 33c9 } - $sequence_35 = { 33c0 803900 7411 ffc0 } - $sequence_36 = { c7461002000000 eb0f c7461003000000 e8???????? 
} - $sequence_37 = { 8a442427 a801 7534 eb00 31c0 } - $sequence_38 = { 7414 31c0 89c1 8b442424 } - $sequence_39 = { eb0a b988130000 e8???????? 33d2 } - $sequence_40 = { 85c0 7406 6a02 ff36 ffd0 } - $sequence_41 = { 6802100000 68ffff0000 ff36 ffd0 } - $sequence_42 = { eb00 8b442404 89c1 89ca } - $sequence_43 = { 8954242c 8b44242c 89c1 89ca } - $sequence_44 = { 89442408 7598 8a442407 a801 } - $sequence_45 = { c20400 55 8bec 83ec34 8365fc00 } - $sequence_46 = { 6a01 6a02 ffd0 8906 } - $sequence_47 = { ff7508 ffd0 85c0 750e } - $sequence_48 = { 51 6880000000 68ffff0000 ff36 } - $sequence_49 = { 50 56 8bcb e8???????? 50 e8???????? } - $sequence_50 = { 7404 33c9 ffd0 33c0 } - $sequence_51 = { e8???????? 84c0 740f 6a05 } - $sequence_52 = { e8???????? 6880000000 55 55 } - $sequence_53 = { c3 55 8bec 837d0800 7422 } - $sequence_54 = { ff7508 ffd0 33c0 40 5d } - $sequence_55 = { 8d4de0 51 68???????? ffd0 } - $sequence_56 = { 6a00 6a02 ffd0 50 } - $sequence_57 = { 6a73 e8???????? 833f00 7523 } - $sequence_58 = { e8???????? 8bc8 a1???????? ff30 } - $sequence_59 = { 7403 c60000 b840000000 83fa40 0f4ed0 } - $sequence_60 = { 890424 e8???????? 31c0 83c420 5e } - $sequence_61 = { e8???????? 50 ffd7 85c0 7512 } - $sequence_62 = { eb0c e8???????? 8bf0 eb03 } - $sequence_63 = { e8???????? 50 53 8d4dd0 e8???????? 50 } - $sequence_64 = { 8b45cc 31c9 8b55d0 39c2 } - $sequence_65 = { 8038e9 89c1 8945d0 894dcc } - $sequence_66 = { 8b4838 8b5034 891424 894c2404 e8???????? 8b44241c } - $sequence_67 = { 01ca 83c205 807c0805e9 891424 74e9 } - $sequence_68 = { 8b442408 8038e9 890424 7517 8b0424 8b4801 89c2 } - $sequence_69 = { 6681394d5a 8945b8 894dc4 0f85b6000000 } - $sequence_70 = { 8b45e8 05ffff0000 25ffff0000 83c001 } - $sequence_71 = { 83797c00 8b7dbc 8945b4 8955b0 8975ac } - $sequence_72 = { 31c9 8b54241c 8b723c 8b7e3c 89f3 01fb } - $sequence_73 = { 5e c3 53 57 56 83ec20 8b442430 } - $sequence_74 = { c3 55 89e5 68???????? e8???????? 
83c404 } - $sequence_75 = { 894dc4 0f85a1000000 8b45b8 83c018 8b4db8 8b5178 } - $sequence_76 = { 890424 8944241c e8???????? 89442418 e8???????? 83f800 } - $sequence_77 = { 8b55bc 8955c4 776a 31c0 8b4dac 8b510c 8b75bc } - $sequence_78 = { 56 57 53 55 81ec88010000 8bd8 } - $sequence_79 = { 25ffff0000 83c001 8b4da8 01c1 } - $sequence_80 = { c3 55 89e5 57 56 53 83ec54 } - $sequence_81 = { 89c6 8945f8 894df4 8975f0 7418 8b45f4 05ffff0000 } - $sequence_82 = { 83c454 5b 5e 5f 5d c3 55 } - $sequence_83 = { 25ffff0000 83c001 8b4df0 01c1 894de4 } - $sequence_84 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 } - $sequence_85 = { 5b 5e 5d c3 55 89e5 6a00 } - $sequence_86 = { 894df0 8b45f0 83c40c 5e 5d c3 } - $sequence_87 = { 8b4df8 01c1 894df0 8b45f0 } - $sequence_88 = { 890c24 c744240400000000 8945f0 8955ec e8???????? 8b483c 6689ce } - $sequence_89 = { 7418 8b45e4 05ffff0000 25ffff0000 } - $sequence_90 = { 89c7 8945f0 894dec 8955e8 897de4 } - $sequence_91 = { 8b4de8 81c1ffff0000 81e1ffff0000 83c101 } - $sequence_92 = { 53 57 83ec5c 8b450c } - $sequence_93 = { 894de0 7505 e9???????? 8b45e0 83c438 5f } - $sequence_94 = { 57 83ec38 8b450c 8b4d08 8945f0 } - $sequence_95 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 } - $sequence_96 = { e9???????? 8b45e0 83c45c 5f 5b 5e } - $sequence_97 = { 68???????? 50 50 ffd2 } - $sequence_98 = { 8945c4 894dc0 885dbf 8975b8 } - $sequence_99 = { 8945a0 8955cc 74bc 8b45cc 83c454 5b 5e } - $sequence_100 = { 89e5 57 53 56 83ec38 } - $sequence_101 = { 53 83ec74 8b450c 8b4d08 31d2 8b713c 89cf } - $sequence_102 = { 83c438 5e 5b 5f } - $sequence_103 = { eb06 83c414 5b 5d c3 8b45f0 8b0c8504406e00 } - $sequence_104 = { 57 83ec20 8b4508 890424 } - $sequence_105 = { 8b7dcc 39f8 8945c8 75e4 83c448 5e 5f } - $sequence_106 = { 85d2 7412 33c0 50 50 56 } - $sequence_107 = { c3 8b45f0 8b0c8504406e00 8b55f8 39d1 8945ec 894de8 } - $sequence_108 = { c605????????00 e8???????? 8bd0 85d2 7412 } - $sequence_109 = { 83ec20 a1???????? 85c0 7416 8b0d???????? 
e8???????? 84c0 } - $sequence_110 = { 0f85dafeffff 8b45e4 83c474 5b } - $sequence_111 = { 895c2414 660fd6442418 660fd6442420 e8???????? 84c0 } - $sequence_112 = { e9???????? 8bcd 8d8424a8010000 50 } - $sequence_113 = { 53 81ecb0000000 8b4508 8d4dd8 c745d800000000 } - $sequence_114 = { 8955dc e8???????? 8d0de8306e00 890424 894c2404 e8???????? 8d0d44306e00 } - $sequence_115 = { 8855af 8975cc 751c 8b45a4 8a4daf 31d2 8a2c0575306e00 } - $sequence_116 = { 83c470 5b 5f 5e 5d c3 } - $sequence_117 = { c3 55 89e5 56 53 57 83ec54 } - $sequence_118 = { e9???????? 8b45e0 83c45c 5e 5f 5b } - $sequence_119 = { 897dd8 8b45d8 83c444 5b 5e } - $sequence_120 = { 57 53 83ec70 8b450c } - $sequence_121 = { 74bc 8b45cc 83c454 5f 5b 5e 5d } - $sequence_122 = { 57 56 83ec5c 8b450c 8b4d08 31d2 8b7008 } - $sequence_123 = { 89e5 53 56 57 83ec38 } - $sequence_124 = { 8d0d44306e00 31d2 890c24 c744240400000000 } - $sequence_125 = { 89723c c7424004000000 c742442c0c0200 c7424800b00400 8b7de4 } - $sequence_126 = { 8a2c0575306e00 83c001 38e9 8945a0 } - $sequence_127 = { 57 83ec54 8d055a232700 31c9 8d55d8 803d????????e9 } - $sequence_128 = { 52 8bd6 e8???????? 8bcf 53 } - $sequence_129 = { 8945d0 74e4 31c0 8d0d5a238400 8b55c8 39ca } - $sequence_130 = { 8a4daf 31d2 8a2c0575308400 83c001 } - $sequence_131 = { c744240400000000 8955e0 e8???????? 8d0dd8308400 } - $sequence_132 = { 8b4d08 8d155e302f00 83ec04 891424 8945e8 } - $sequence_133 = { 8d0d44308400 31d2 8b75f8 89461c 890c24 c744240400000000 8955e4 } + $sequence_18 = { 6a00 8bcf e8???????? 50 ffd6 } + $sequence_19 = { e8???????? 8d4dc4 e8???????? 5e } + $sequence_20 = { eb08 83ca20 eb03 83ca10 } + $sequence_21 = { 85c0 7415 6a01 6a00 6a00 8d4dfc } + $sequence_22 = { 6a70 8bc8 e8???????? 6a73 8bc8 } + $sequence_23 = { e8???????? e9???????? 807c245000 740a } + $sequence_24 = { 6a74 8bc8 e8???????? 6a70 } + $sequence_25 = { 46 e8???????? c1e802 3bf0 } + $sequence_26 = { 7413 c7461003000000 e8???????? 894614 } + $sequence_27 = { 6a64 59 e8???????? 
33c9 e8???????? } + $sequence_28 = { 8b442428 6689c1 66894c2458 66894c245a } + $sequence_29 = { 885c2407 89442408 7598 8a442407 a801 } + $sequence_30 = { 7534 eb00 31c0 89c1 } + $sequence_31 = { 89442404 eb00 8b442404 89c1 89ca } + $sequence_32 = { eb0a b988130000 e8???????? 33d2 } + $sequence_33 = { 8a442427 a801 7534 eb00 } + $sequence_34 = { c7461002000000 eb0f c7461003000000 e8???????? } + $sequence_35 = { 7404 33c9 ffd0 33c0 } + $sequence_36 = { c20400 55 8bec 83ec34 8365fc00 } + $sequence_37 = { 6801100000 68ffff0000 ff36 ffd0 } + $sequence_38 = { 8954242c 8b44242c 89c1 89ca } + $sequence_39 = { 57 e8???????? 50 53 8bce e8???????? 50 } + $sequence_40 = { 890424 894c2404 75dd 8b0424 } + $sequence_41 = { 89c1 8b442424 88c2 8854240f } + $sequence_42 = { 51 6802100000 68ffff0000 ff36 } + $sequence_43 = { 6a01 6a02 ffd0 8906 } + $sequence_44 = { 85c0 7406 6a02 ff36 ffd0 } + $sequence_45 = { e8???????? 84c0 740f 6a05 } + $sequence_46 = { e8???????? 6880000000 55 55 } + $sequence_47 = { ff7508 ffd0 33c0 40 } + $sequence_48 = { c3 55 8bec 837d0800 7422 } + $sequence_49 = { 8d4de0 51 68???????? ffd0 } + $sequence_50 = { 6a70 e8???????? 8bc8 6a73 e8???????? 833f00 7523 } + $sequence_51 = { 6a00 6a02 ffd0 50 } + $sequence_52 = { e8???????? 8bc8 a1???????? ff30 } + $sequence_53 = { 85c0 7403 c60000 b840000000 83fa40 0f4ed0 } + $sequence_54 = { 890424 e8???????? 31c0 83c420 5e } + $sequence_55 = { e8???????? 50 ffd7 85c0 7512 } + $sequence_56 = { eb0c e8???????? 8bf0 eb03 } + $sequence_57 = { e8???????? 50 53 8d4dd0 e8???????? 50 } + $sequence_58 = { 8038e9 89c1 8945d0 894dcc } + $sequence_59 = { 8b45cc 31c9 8b55d0 39c2 } + $sequence_60 = { 8b400c 56 57 8b780c } + $sequence_61 = { 01ca 83c205 807c0805e9 891424 74e9 } + $sequence_62 = { c3 53 57 56 83ec20 8b442430 } + $sequence_63 = { 08f3 f6c301 8b75bc 894da0 } + $sequence_64 = { 8b5034 891424 894c2404 e8???????? 
8b44241c 890424 } + $sequence_65 = { 894da0 8855ab 8975c4 751c 8b45a0 8a4dab 31d2 } + $sequence_66 = { 8038e9 890424 7517 8b0424 } + $sequence_67 = { 8b4dbc 894dc4 0f85a1000000 8b45b8 83c018 } + $sequence_68 = { 8b45e8 05ffff0000 25ffff0000 83c001 } + $sequence_69 = { 891424 89742404 894c2418 e8???????? 8b4c2420 890c24 } + $sequence_70 = { 8b7dbc 8a1c17 80fb00 885dab } + $sequence_71 = { 8b44241c 890424 e8???????? 31c9 } + $sequence_72 = { eb28 8b45a4 8b4d9c 8a1408 } + $sequence_73 = { 56 57 53 55 81ec88010000 8bd8 } + $sequence_74 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 } + $sequence_75 = { 6683fa00 89c6 8945f8 894df4 8975f0 7418 8b45f4 } + $sequence_76 = { 8b450c 8b4d08 8b513c 6689d6 } + $sequence_77 = { 7418 8b45f4 05ffff0000 25ffff0000 } + $sequence_78 = { 31c0 8b4de8 81c1ffff0000 81e1ffff0000 83c101 } + $sequence_79 = { 8b45e0 31c9 83b88400000000 8945dc 894dd8 } + $sequence_80 = { 25ffff0000 83c001 8b4da8 01c1 } + $sequence_81 = { 8b713c 6689f7 6683ff00 89cb 8945f0 894dec 8955e8 } + $sequence_82 = { c3 55 89e5 57 56 53 83ec54 } + $sequence_83 = { 5b 5e 5d c3 55 89e5 6a00 } + $sequence_84 = { 8b503c 6689d6 6683fe00 89c7 8945f0 } + $sequence_85 = { 8b4df8 01c1 894df0 8b45f0 83c40c 5e 5d } + $sequence_86 = { 83c454 5b 5e 5f 5d c3 55 } + $sequence_87 = { 8945c4 894dc0 885dbf 8975b8 8955b4 } + $sequence_88 = { 53 57 83ec5c 8b450c } + $sequence_89 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 } + $sequence_90 = { 68???????? 50 50 ffd2 } + $sequence_91 = { 8945a8 0f84e2feffff e9???????? 8b45e0 83c45c 5f 5b } + $sequence_92 = { 57 83ec38 8b450c 8b4d08 8945f0 648b1518000000 } + $sequence_93 = { 83c414 5b 5d c3 8b45f0 8b0c8504406e00 } + $sequence_94 = { 8955cc 74bc 8b45cc 83c454 5b 5e } + $sequence_95 = { e9???????? 8bcd 8d8424a8010000 50 } + $sequence_96 = { c3 8b45f0 8b0c8504406e00 8b55f8 39d1 8945ec } + $sequence_97 = { c605????????00 e8???????? 
8bd0 85d2 } + $sequence_98 = { 55 89e5 57 53 56 83ec38 } + $sequence_99 = { 895c2414 660fd6442418 660fd6442420 e8???????? } + $sequence_100 = { 57 83ec20 8b4508 890424 8945f0 e8???????? 8945ec } + $sequence_101 = { 895dc4 8945e4 0f85dafeffff 8b45e4 83c474 5b } + $sequence_102 = { e9???????? 8b45e0 83c438 5e 5b } + $sequence_103 = { 53 83ec74 8b450c 8b4d08 } + $sequence_104 = { 53 81ecb0000000 8b4508 8d4dd8 c745d800000000 8b504c 8b7020 } + $sequence_105 = { 8bd0 85d2 7412 33c0 50 50 56 } + $sequence_106 = { 83ec20 a1???????? 85c0 7416 8b0d???????? e8???????? } + $sequence_107 = { 39f8 8945c8 75e4 83c448 5e 5f 5b } + $sequence_108 = { e9???????? 8b45e0 83c45c 5e 5f 5b } + $sequence_109 = { 53 56 57 83ec38 } + $sequence_110 = { 894620 890c24 c744240400000000 8955e0 e8???????? 8d0dd8306e00 890424 } + $sequence_111 = { 56 53 57 83ec54 } + $sequence_112 = { 897dd8 8b45d8 83c444 5b 5e } + $sequence_113 = { 83c470 5b 5f 5e 5d c3 } + $sequence_114 = { c744240400000000 8945f4 8955f0 e8???????? 8d0da0306e00 890424 } + $sequence_115 = { 8b45e0 83c438 5f 5e 5b 5d } + $sequence_116 = { e8???????? 8d0da0302400 890424 894c2404 e8???????? 8d0d44302400 } + $sequence_117 = { 57 56 83ec5c 8b450c 8b4d08 31d2 8b7008 } + $sequence_118 = { 8b75ec 89723c c7424004000000 c742442c0c0200 c7424800b00400 8b7de4 } + $sequence_119 = { 89e5 56 57 53 83ec70 8b450c } + $sequence_120 = { 74bc 8b45cc 83c454 5f 5b 5e } + $sequence_121 = { 83ec28 8b450c 8b4d08 8d155e306e00 83ec04 891424 8945e8 } + $sequence_122 = { 8955dc e8???????? 8d0de8306e00 890424 894c2404 e8???????? 8d0d44306e00 } + $sequence_123 = { 81fa00010000 72b3 c3 56 } + $sequence_124 = { 8b75ec 89723c c7424004000000 c7424499040200 c7424800c00400 8b7de4 c787cc00000000000000 } + $sequence_125 = { 89e5 83ec10 8b4508 8d0d44302700 31d2 } + $sequence_126 = { 8b4508 8d0d30308400 31d2 890c24 c744240400000000 } + $sequence_127 = { 8d0d5a232f00 8b55c8 39ca 8945cc 0f84f9000000 8d45d8 8b0d???????? } + $sequence_128 = { 894c2404 e8???????? 
8d0d44308400 31d2 8b75f8 89462c } + $sequence_129 = { 89e5 8d055a238400 5d c3 } condition: 7 of them and filesize < 1040384 
@@ -135237,36 +136098,36 @@ rule MALPEDIA_Win_Wslink_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff84d0ba-7c6b-551a-aa8c-f9cc4b863272" - date = "2026-01-05" - modified = "2026-01-06" + id = "c211ad5f-a99b-5f17-9d41-ef8388b41a8d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wslink_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wslink_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "87e90a1a72b66a6938037799ecf454860aae5ad77216cc7fb9189ea554932eeb" + logic_hash = "7a76b82ca4cd8df9ef8dc5893b14fdb902f10663f86d8a5a5da353f6f43f05ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bd0 e8???????? 4885c0 7494 48638ba0000000 488bd1 3b8ba4000000 } - $sequence_1 = { 488b8be8000000 4885c9 7405 e8???????? 488b7b08 4885ff } - $sequence_2 = { 488b05???????? 4833c4 48898424c0000000 33db 458be1 4c89442450 4183cfff } - $sequence_3 = { 4c8d0d633b0a00 448d400d e9???????? 83781000 0f859f000000 83780800 0f8495000000 } - $sequence_4 = { 418bc5 e9???????? 
bad9000000 4c8d0d96920700 b910000000 448d42b3 c7442420d8000000 } - $sequence_5 = { 4885c0 743d 4885f6 740e 660f1f440000 48ffce 881c06 } - $sequence_6 = { 7532 4c8d0d97450a00 8d4810 448d4008 ba9a000000 c744242048010000 e8???????? } - $sequence_7 = { 488bd8 4885c0 752b 4c8d0d885f0b00 8d506c 8d4820 448d4041 } - $sequence_8 = { 0302 6690 e11c 0100 ec 1c01 00d6 } - $sequence_9 = { e8???????? 8b8c2490000000 4885c0 746e 894b08 4d8b0f 498b5500 } + $sequence_0 = { e8???????? 33c0 4883c450 5e c3 488bc6 4883c450 } + $sequence_1 = { 8d4f25 448d476f c74424208d010000 e8???????? 33c0 4883c430 5f } + $sequence_2 = { 4c8d0db6ec0700 498d440d00 488d15caec0700 488bcd 483bc6 488d0561b40800 4c0f44c8 } + $sequence_3 = { 488bd3 0f4fc8 4c63c9 85c9 7e2b 4c8b4508 } + $sequence_4 = { e8???????? 2507000f00 3d02000100 751a c7442420da000000 4c8d0d0c6f0b00 41b8aa000000 } + $sequence_5 = { 7756 4898 8b8c867ca40400 4803ce ffe1 834f4801 eb42 } + $sequence_6 = { 418d48bd e8???????? 488bf8 4885c0 743b 48837d0000 750e } + $sequence_7 = { 750e 4883c458 415f 415d 415c 5f 5d } + $sequence_8 = { 4863c8 4c3bf9 7422 ba64000000 4c8d0dcd6e0600 c7442420be000000 8d4ac7 } + $sequence_9 = { 83f9ff 7508 b910000000 418bf3 488b457f 4c8d4d6f 33d2 } condition: 7 of them and filesize < 2007040 
@@ -135276,41 +136137,41 @@ rule MALPEDIA_Win_Helminth_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5fdf8a25-7bbd-5109-b9cb-02cfb27261a2" - date = "2026-01-05" - modified = "2026-01-06" + id = "91b777dc-9a9a-53e2-ac1a-786f5d0ed930" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.helminth_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.helminth_auto.yar#L1-L157" license_url = "N/A" - logic_hash = "fef76838e29eb47ff0f2e451721fe0e767720682455a5aea55c0645b1ef1cd31" + logic_hash = "45ac2fe31629115cc6c58e0ba75e5ac93218e89992c3db653af839bde17af43a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { a1???????? 68e8030000 8907 e8???????? } - $sequence_1 = { 2bc6 3bd8 a1???????? 7f5e 8d3c81 } - $sequence_2 = { 8bd8 85db 0f84bc000000 8bcb 8d5102 668b01 83c102 } - $sequence_3 = { 83e11f c1e106 8b048570750110 80640804fe ff36 e8???????? } - $sequence_4 = { 8a441918 8881a8670110 41 ebe8 8975e4 } - $sequence_5 = { 56 ff15???????? 56 e8???????? 8b35???????? 83c404 8b0d???????? } - $sequence_6 = { 8bca 894c2408 8d9b00000000 668b02 83c202 6685c0 75f5 } - $sequence_7 = { 66893441 8b1a ff15???????? 
8bc3 8d5002 668b08 } - $sequence_8 = { 83f8ff 0f84ac000000 8d442418 50 56 } - $sequence_9 = { 8945dc 8d45cc 50 6a02 } - $sequence_10 = { 51 e8???????? 8b55e8 03f6 59 } - $sequence_11 = { 8bd0 b9???????? 8995c8fbffff 2bd1 } - $sequence_12 = { f3a5 8bca 83e103 f3a4 8b7c2414 83ef02 } - $sequence_13 = { eb1c 56 ff15???????? 57 ff15???????? } - $sequence_14 = { e8???????? 8b75f0 43 59 eb31 } + $sequence_1 = { b9???????? e8???????? b9???????? e8???????? 8b35???????? b800100000 8b0d???????? } + $sequence_2 = { 897de0 8b049d70750110 0500080000 3bf8 0f839c000000 f6470401 755b } + $sequence_3 = { ffb5f4fdffff 8d85fcfdffff 6a0a 6a01 57 50 } + $sequence_4 = { c1e106 8b048570750110 804c080420 8b4d14 } + $sequence_5 = { 75f0 8b75f0 b9???????? 8bd6 2bd1 } + $sequence_6 = { 895df0 ff15???????? 50 ff15???????? 85c0 7406 8d4df4 } + $sequence_7 = { 2c2c 13142c 2c2c 2c2c } + $sequence_8 = { 2b742414 894c2424 0fb70a 66890c16 8d5202 } + $sequence_9 = { 68???????? 50 ff15???????? 8945c0 85c0 } + $sequence_10 = { e8???????? 8b75c8 59 56 } + $sequence_11 = { 66890c17 8d5202 6685c9 75f1 8b542410 33ff } + $sequence_12 = { 663b0473 7510 46 42 3bd7 7ced } + $sequence_13 = { 75f4 2b4d08 d1f9 3bd1 } + $sequence_14 = { 50 e8???????? 83c40c 89b5e8feffff } condition: 7 of them and filesize < 479232 
@@ -135320,36 +136181,36 @@ rule MALPEDIA_Win_Nitol_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6668ada1-f01c-572c-b281-f0ac4f640b75" - date = "2026-01-05" - modified = "2026-01-06" + id = "07bc96c1-8d17-58a0-80ec-ae5379b402ed" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nitol_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nitol_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "67d30b435253ce01a4470efa2d653d5ffbe45043e37cc62d200042e270ffc2b7" + logic_hash = "82c2a68612e12aded4836d47bdea7c1b30040c881715db399f21276eb84f1f65" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8554ffffff 50 e8???????? 83c420 bffa000000 } - $sequence_1 = { 8945e4 51 ff75ec 50 ff7508 ff15???????? } - $sequence_2 = { 57 ffd3 45 3bae08010000 7cd6 57 } - $sequence_3 = { 896c2434 8d442434 6a04 bd05100000 50 55 } - $sequence_4 = { 55 8bec 81ec20020000 c645e0cf c645e185 c645e2cc c645e3c4 } - $sequence_5 = { 5b 55 8bec 81ec18050000 56 } - $sequence_6 = { 50 e8???????? 83c424 8d8560ffffff 66c745f00200 50 ff15???????? } - $sequence_7 = { ff15???????? 
85c0 7d16 ff742404 } - $sequence_8 = { ffd6 ffb530ffffff 668945d8 ffd6 6800e9a435 } - $sequence_9 = { 8a0c3b 880e 46 43 ebf3 43 40 } + $sequence_0 = { 8dbd7cffffff 2bfe 8a06 3c2e 7503 ff45fc 837dfc03 } + $sequence_1 = { 8d44242c 55 50 53 8b5c241c 56 53 } + $sequence_2 = { 53 56 57 e8???????? 33db a3???????? 3bc3 } + $sequence_3 = { 8d442430 55 bb7fffffff 50 53 } + $sequence_4 = { 50 ff15???????? 83c410 eb1c 8b45fc ff7485c4 8d8560ffffff } + $sequence_5 = { 6a28 e8???????? 59 40 50 8d8558f7ffff } + $sequence_6 = { e9???????? 8b8688000000 33ed 83c014 85c0 7e7f } + $sequence_7 = { 83650c00 6a0a 8d4dc0 e8???????? 8365fc00 e8???????? 8b4004 } + $sequence_8 = { c645dddb c645dec1 c645dfda c645e09d c645e1fe c645e29f c645e3c1 } + $sequence_9 = { 50 e8???????? 83c40c 33db 6a01 53 53 } condition: 7 of them and filesize < 139264 
@@ -135359,43 +136220,44 @@ rule MALPEDIA_Win_Oski_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c71af2a-ab1c-54b1-b031-9d62fe7b8e58" - date = "2026-01-05" - modified = "2026-01-06" + id = "83a4db5b-986e-5c53-b5ab-f19a8f9ec3b6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oski_auto.yar#L1-L184" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oski_auto.yar#L1-L197" license_url = "N/A" - logic_hash = "6e592abd5f7946bd0b6a43d8ee0af2b699a6055e4a91c9728a4df01ede6824ac" + logic_hash = "c5e9f91c0675e30147932258a518bf66406d2fe6c77415bfe93e125323c7ef30" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 a1???????? 50 8d8df0feffff 51 e8???????? } + $sequence_0 = { 50 a1???????? 50 8d8df0feffff 51 } $sequence_1 = { 25ff7f0000 c3 8bff 55 8bec 83ec14 ff7510 } - $sequence_2 = { 83c40c e8???????? 50 a1???????? 50 } - $sequence_3 = { 8975f0 e8???????? cc 8bff 55 8bec 8b550c } - $sequence_4 = { 393d???????? 0f94c0 33d2 0bc8 } - $sequence_5 = { 57 e8???????? 8b4618 83c40c 6a00 6a00 } - $sequence_6 = { 56 8d85ecfeffff 50 8d8dd0fcffff 51 eb18 f685a4fcffff10 } - $sequence_7 = { 8b4508 8945b0 8b450c 33db 8bc8 } - $sequence_8 = { f3c3 e9???????? 8bff 55 8bec 83ec1c a1???????? 
} - $sequence_9 = { ebe9 6a02 e8???????? 59 c3 e8???????? } - $sequence_10 = { 8b5508 52 a1???????? 50 8d8de8fdffff } - $sequence_11 = { 51 e8???????? 83c40c 8985e4fdffff 83bde4fdffff00 } - $sequence_12 = { e8???????? 83c404 8b0d???????? 51 ff15???????? a3???????? } - $sequence_13 = { 8b511c 83c220 52 6a00 } - $sequence_14 = { 52 6a00 68???????? ff15???????? 8945f0 837df000 } + $sequence_2 = { 8975f0 e8???????? cc 8bff 55 8bec 8b550c } + $sequence_3 = { e8???????? 83c40c e8???????? 50 a1???????? } + $sequence_4 = { 5d c3 bf???????? 4f 90 } + $sequence_5 = { 837de810 8b45d4 7303 8d45d4 6a01 68???????? } + $sequence_6 = { f3c3 e9???????? 8bff 55 8bec 83ec1c a1???????? } + $sequence_7 = { 720f 8b8db4feffff 51 e8???????? 83c404 33d2 c745fcffffffff } + $sequence_8 = { 8d55b0 52 6a41 57 c745b001000000 ff15???????? 837dcc10 } + $sequence_9 = { e8???????? 8b4328 50 e8???????? 83c418 897b28 } + $sequence_10 = { ebe9 6a02 e8???????? 59 c3 e8???????? } + $sequence_11 = { e8???????? 83c404 8b0d???????? 51 ff15???????? a3???????? } + $sequence_12 = { 8d55f4 52 6a00 68???????? ff15???????? } + $sequence_13 = { 68???????? 6a00 e8???????? 83c40c 8985e4fdffff } + $sequence_14 = { 50 8d4df8 51 6800020000 8b55f4 52 ff15???????? } $sequence_15 = { 83c404 8b55f8 8955f4 8b45f4 50 e8???????? 83c404 } - $sequence_16 = { 51 6800020000 8b55f4 52 ff15???????? 8945f0 } + $sequence_16 = { 83c220 52 6a00 6a00 ff15???????? } + $sequence_17 = { 8b5508 52 a1???????? 50 8d8de8fdffff 51 } condition: 7 of them and filesize < 423936 
@@ -135405,36 +136267,36 @@ rule MALPEDIA_Win_Splinter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d16ca329-56e4-510f-9e6c-3e0242a5a17c" - date = "2026-01-05" - modified = "2026-01-06" + id = "157b8025-0d31-54a9-894f-302690690daf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.splinter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.splinter_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.splinter_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "fbea70ebd33891fb1f580e85b1d2c0146d8b7b0ac901561f3697caf4edb74461" + logic_hash = "59034913d15f26756a9fffc3054d92ed87b462f5648ba464f507575052a3d56d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f048ff08 7510 488b4df0 4881c120020000 e8???????? 90 4883c420 } - $sequence_1 = { f048ff08 0f855dfeffff 4883c178 e8???????? e9???????? 488b8558010000 48894530 } - $sequence_2 = { 741b 4c39c0 0f847c000000 420fb61c02 80c3d0 49ffc0 80fb0a } - $sequence_3 = { e9???????? 4c8d0547ba2d00 4889c2 e8???????? 4c8d0538ba2d00 4889c1 e8???????? } - $sequence_4 = { e9???????? 8b05???????? 65488b0c2558000000 488b34c1 488d8e38020000 488d15c6f10000 e8???????? 
} - $sequence_5 = { f30f7f06 488b9de0030000 4885db 0f8411010000 488db550010000 488d95b0000000 41b898000000 } - $sequence_6 = { e8???????? 84c0 488bbd08040000 743b 8b05???????? 65488b0c2558000000 488b04c1 } - $sequence_7 = { e8???????? eb17 4c8955e8 4c894df0 4c8d05cc034500 4889c1 e8???????? } - $sequence_8 = { f30f7f8910020000 488b4c2448 4c89ea e8???????? 4889f1 4821c1 f30f6f040f } - $sequence_9 = { e8???????? eb2e c685c700000001 4c8d050b894c00 4c89f9 e8???????? eb16 } + $sequence_0 = { f048ff08 750d 488b45f8 488d4828 e8???????? 488b45f8 488b4818 } + $sequence_1 = { e8???????? 488d8e70030000 e8???????? 90 4883c428 5b 5f } + $sequence_2 = { ff5018 41b907000000 488d8dd0070000 488d95a0030000 4c8d05afbd5100 e8???????? 80bdf007000002 } + $sequence_3 = { eb03 4c89ca 89d0 4429c8 0402 0fb6c8 4989d3 } + $sequence_4 = { f686d101000001 0f8451010000 48ff86a0010000 4c8b8ec0010000 4983f903 0f87b7000000 440fb61a } + $sequence_5 = { e8???????? eb54 c6858600000000 488d0de0631100 4c8d0501641100 ba28000000 e8???????? } + $sequence_6 = { e9???????? 050000efff 83f808 b902000000 0f42c8 488d05587e4100 48630c88 } + $sequence_7 = { b80a000000 4881f9ffc99a3b 776b b809000000 4881f9ffe0f505 775d b808000000 } + $sequence_8 = { e8???????? e9???????? 488d0d4c4f3700 e8???????? e9???????? 488d0d234f3700 e8???????? } + $sequence_9 = { ba80000000 e8???????? eb69 48895378 488d4378 48898338010000 488d0556243700 } condition: 7 of them and filesize < 20177920 
@@ -135444,36 +136306,36 @@ rule MALPEDIA_Win_Ave_Maria_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "87720f7c-76f1-51d7-aae1-49bd8d947af2" - date = "2026-01-05" - modified = "2026-01-06" + id = "38249720-fad3-5dc1-b3fc-356cdef0f657" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ave_maria_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ave_maria_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "084747828755c63e5e35ddf08ea97436090c1d46b402b58bfe29209faf23a08b" + logic_hash = "ea10d34cce69cf182e9cfd334f8022a3bc00150368fefd38d9a16b830f043f11" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 33c9 85c0 0f94c1 8bc1 c3 } - $sequence_1 = { 8a5716 f6d2 80e201 5f 5e 8ac2 5b } - $sequence_2 = { 50 e8???????? 8b37 8bcf e8???????? 50 56 } - $sequence_3 = { e8???????? 8d4de8 e8???????? 8b4508 5e c9 c20400 } - $sequence_4 = { 8bf0 ba???????? 51 8bce e8???????? ba???????? } - $sequence_5 = { 740a 8b45f0 8906 33c0 40 eb02 33c0 } - $sequence_6 = { 56 8bf1 ff15???????? 8d8ed8010000 e8???????? 8d4e30 e8???????? } - $sequence_7 = { 0f84e0000000 51 ba???????? 8bc8 e8???????? 8b4e10 ba???????? 
} - $sequence_8 = { 8d44240c 56 57 8b7d08 6a00 ff7708 } - $sequence_9 = { 03d1 c1cf02 8b4df0 03d3 334dac 8bc7 } + $sequence_0 = { 6aff ff30 6a00 68e9fd0000 ff15???????? 53 8d4dfc } + $sequence_1 = { 6a08 59 e8???????? 8bf0 85f6 743e c706???????? } + $sequence_2 = { 7e4c 6a05 ff75fc ff5754 6a05 ff75fc 8945b0 } + $sequence_3 = { 55 8bec 51 57 8bf9 8d5710 e8???????? } + $sequence_4 = { 7406 51 e8???????? 8b4df0 890b 897304 eb02 } + $sequence_5 = { 0bcb e8???????? 85c0 741d 8930 8d4804 } + $sequence_6 = { 83c204 e8???????? 59 50 8d4e04 e8???????? 8b4d08 } + $sequence_7 = { 8bca 0fbf07 99 0fa4c210 c1e010 03f0 8b45fc } + $sequence_8 = { 03c1 59 8bf8 f3a5 8d4d30 51 8d4828 } + $sequence_9 = { 8bc1 c74104???????? 83610800 83610c00 c3 c20400 55 } condition: 7 of them and filesize < 237568 
@@ -135483,36 +136345,36 @@ rule MALPEDIA_Win_Spyder_Patchwork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff9f13ab-f307-5c96-9d42-3d8adb391da2" - date = "2026-01-05" - modified = "2026-01-06" + id = "e926fe0c-ce8f-51e4-ad0c-37973fb70988" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder_patchwork" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spyder_patchwork_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spyder_patchwork_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "a4925947525684eeb2c63af57878906d58b4bbbd5876d1885456e41c85c55b5b" + logic_hash = "ee689a9dc445bd62269f9be04719a1d926fc0f1498db9be06b9d9ee4872531e3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3930 0f8551010000 8b4004 83f82a 7429 83f839 7424 } - $sequence_1 = { ff74246c 50 e8???????? 83c410 5f 5e 5b } - $sequence_2 = { 8904a9 8b4c2444 8b44241c c1e002 0101 8b4c2458 8b442430 } - $sequence_3 = { e9???????? 6800030000 8d44242c 50 6a07 6801990000 e8???????? } - $sequence_4 = { 743c ba80000000 be00080000 0f1f8000000000 0fb60419 0fb70445403b4400 } - $sequence_5 = { e8???????? ff7620 e8???????? 56 e8???????? 
83c420 5f } - $sequence_6 = { 741f 8b542410 3bca 7617 8b4608 2bca 51 } - $sequence_7 = { 8b4c242c 8d04b0 8b28 4e ba02000000 894c2414 89442420 } - $sequence_8 = { 6689460c 8b0f 8bc1 83e002 83c800 741d 668b4648 } - $sequence_9 = { ff15???????? 6a06 6a00 ff15???????? 6a00 6a00 6a00 } + $sequence_0 = { e8???????? 83c410 5f 5e 33c0 33d2 5b } + $sequence_1 = { 85c0 89442444 8b442440 897c2428 0f8fc2feffff c744243000000000 } + $sequence_2 = { 8b7c242c 33c0 89442414 0560b10000 6a11 03c3 57 } + $sequence_3 = { 0bfa 7404 b001 eb02 32c0 ff742428 888398000000 } + $sequence_4 = { 3b6920 7311 8b491c 8a542413 881429 ff4044 8b542438 } + $sequence_5 = { 5d 5f 5b 59 c3 8b442424 8b4c2420 } + $sequence_6 = { 837c241838 0f851d010000 85f6 7506 5f 8d46fe 5e } + $sequence_7 = { e9???????? 8b0c8a 0fb6c1 c1e908 89433c 894b38 c7834004000001000000 } + $sequence_8 = { 7209 83fbff 0f8794030000 8bd3 03d0 8bc6 13c1 } + $sequence_9 = { 01448b40 807b2800 743e 85c0 0f8ec6fdffff 0f1f840000000000 3b7c2430 } condition: 7 of them and filesize < 2260992 
@@ -135522,36 +136384,36 @@ rule MALPEDIA_Win_Multigrain_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f032b4ba-8128-5978-8559-debc3caa42cc" - date = "2026-01-05" - modified = "2026-01-06" + id = "a4a1cae2-1512-5d4d-8ce3-dd32c9bd5d2a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.multigrain_pos_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.multigrain_pos_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "57d310c472fb68cb78caa9b432b3db45871bc6e9132f2a98edf83ac773bc72f9" + logic_hash = "d5069ea6530260a05521f39bb3ca469cce973145cb25df99123096d23a4291a9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 68???????? eb25 807dec00 7504 33c9 } - $sequence_1 = { 8b13 50 8d8d6cffffff e8???????? 83ec18 } - $sequence_2 = { 66894508 720b ff7520 e8???????? 83c404 8ac3 } - $sequence_3 = { c746140f000000 c7461000000000 68???????? 8bce c745fc00000000 } - $sequence_4 = { c7411000000000 50 c60100 e8???????? 8d8da4feffff } - $sequence_5 = { 83f908 720d 8b0e 50 8d145a e8???????? eb2c } - $sequence_6 = { e8???????? 68???????? 8bd0 8d4dd8 c645fc03 e8???????? 
} + $sequence_0 = { 0fb609 83e101 c1e104 0b4df4 40 } + $sequence_1 = { 8b550c 46 83c702 3b01 0f823efeffff 8b55f8 } + $sequence_2 = { 68???????? 8bd0 8d8dd0fdffff c645fc01 } + $sequence_3 = { ff15???????? 33c0 c785ccfdffff07000000 c785c8fdffff00000000 668985b8fdffff 663985e8fdffff } + $sequence_4 = { e8???????? 894610 6800040000 8d4618 } + $sequence_5 = { 8bd0 8d4dd8 c645fc03 e8???????? } + $sequence_6 = { 8d45c0 50 e8???????? 8d45d8 50 c745fc00000000 e8???????? } $sequence_7 = { 1bc0 f7d8 5e 5d c20800 85f6 750f } - $sequence_8 = { 50 888534ffffff 8d8535ffffff 50 e8???????? 83c40c } - $sequence_9 = { 837d1c10 8bd8 8d4508 0f434508 56 } + $sequence_8 = { 83ec10 894df8 8bca 56 33c0 33f6 8955fc } + $sequence_9 = { e8???????? 83c418 8db324040000 8d5e14 } condition: 7 of them and filesize < 286720 
@@ -135561,42 +136423,42 @@ rule MALPEDIA_Win_Unidentified_121_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6510632-1b9e-5c84-ab89-5f72cc6f435a" - date = "2026-01-05" - modified = "2026-01-06" + id = "803b6d69-9fea-5e26-9aac-a8930de42ad2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_121" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_121_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_121_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "2f8db882acb1a5c7d66a4cbcd4a58ef4e003ccebde890da1f9103b205ffea6c7" + logic_hash = "a09b8493f01985477064c691c4e2e92558ae7d4b7655d570ca50760a5de6ea22" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b55fc 8b421c 2540040000 750c } - $sequence_1 = { 8b55fc 8b4218 8945f0 8b4d08 83792800 7405 } - $sequence_2 = { 8b55fc 8b421c 50 68???????? 8b4d08 } - $sequence_3 = { ff15???????? 4c8d4c2438 488b0d???????? 41b804000000 488d1584810100 89c3 e8???????? } - $sequence_4 = { 0f8499000000 41b806000000 ba01000000 b902000000 ffd5 488b5320 } - $sequence_5 = { 8b55fc 8b421c 2580000000 740c } - $sequence_6 = { 4889d9 48c744245800000000 48c744246000000000 e8???????? 4889d9 ff15???????? 
} - $sequence_7 = { 8944244c 0f85a1000000 83430801 4d89e1 4989e8 } - $sequence_8 = { 3c54 0f857e000000 e8???????? 4d85ed ba01000000 752f } - $sequence_9 = { 8b55fc 8b4218 99 8bc8 } - $sequence_10 = { 85db 0f8589000000 488b5028 4883ea01 4883fafd 777b 4885ed } - $sequence_11 = { 7511 8b7004 85f6 7539 488907 48c70300000000 } - $sequence_12 = { e8???????? 41f6c404 488b8600010000 4889ae28010000 0f84b7000000 488d5001 483dff000000 } - $sequence_13 = { 8b55fc 8b421c 2580020000 8b4df8 } - $sequence_14 = { 8b55fc 8b421c 0d80020000 8b4dfc } - $sequence_15 = { 8b55fc 8b421c 0d00080000 8b4dfc 89411c e9???????? } + $sequence_0 = { 7466 498d4002 48894318 410fb64001 } + $sequence_1 = { 8b55fc 8b4510 894248 8d4db4 } + $sequence_2 = { 8b55fc 8b4510 8b4814 894a1c } + $sequence_3 = { 8b55fc 8b4510 8b4a08 3b481c } + $sequence_4 = { c70700000000 4889d8 4883c440 5b 5e 5f } + $sequence_5 = { 4889d9 e8???????? 488b8300010000 483dff000000 0f848a000000 } + $sequence_6 = { 4885c0 4989c1 44897b4c 7418 488b4318 803845 } + $sequence_7 = { 31d2 4889d9 e8???????? 488d0d4c440000 89c3 e8???????? 89d8 } + $sequence_8 = { 8b55fc 8b4510 8b4c9004 51 } + $sequence_9 = { 3c6d 0f84bb000000 4531ed 488d3dfc330100 b903000000 4c89e6 } + $sequence_10 = { 4883ec38 448baa90000000 4889cf 4901cd b975ee4070 e8???????? } + $sequence_11 = { 8b55fc 8b4510 8902 33c9 } + $sequence_12 = { 8b55fc 8b4510 8b0c90 51 8d5588 } + $sequence_13 = { 8b55fc 8b4510 894204 8b4dfc 51 } + $sequence_14 = { 4883ec20 488d0524590000 4889cb 488901 e8???????? } + $sequence_15 = { 8b55fc 8b4510 894220 8b4dfc } condition: 7 of them and filesize < 2419712 
@@ -135606,36 +136468,36 @@ rule MALPEDIA_Win_R980_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "93137b54-f6ba-5cf4-a0be-8189c2bb31ee" - date = "2026-01-05" - modified = "2026-01-06" + id = "3a2b50e3-d3b1-5711-9fb4-a4db9a337cb5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.r980_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.r980_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "fbf84b1263b8ff37213624bd208f7542a2b35e24d52f97dbbecc6762e2858308" + logic_hash = "a77d6fcbaaa1cb45fcb17ce80450e3e67a86a243d99604c70b6302f04f1ebf1f" score = 75 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c40c e9???????? a900040000 0f84b0000000 837f1408 7204 8b07 } - $sequence_1 = { 8bc8 e8???????? 8d45d8 50 8d8d38ffffff e8???????? ff7524 } - $sequence_2 = { e8???????? 8b75e0 83c414 83fe03 7707 ff24b5c8ba4000 e8???????? } - $sequence_3 = { ff5004 c745fc07000000 8b7510 85f6 741e 8bc3 f00fc14604 } - $sequence_4 = { 68???????? e8???????? 51 6a20 50 8d8df0f9ffff c645fc04 } - $sequence_5 = { 33c1 8944960c 8b44241c 8b8810010000 8b8014010000 8d0c88 8d4204 } - $sequence_6 = { c60100 e8???????? e8???????? 8d942490000000 b9???????? e8???????? 
8d842490000000 } - $sequence_7 = { 722c 8b4640 8945a4 8d0c38 894e40 8b4630 8945ac } - $sequence_8 = { 8bcf e8???????? 8a00 8806 834710ff 7509 c7470c00000000 } - $sequence_9 = { 68???????? 8d45b4 c745ac0f000000 50 c745a800000000 c6459800 e8???????? } + $sequence_0 = { 68???????? b9???????? 66a3???????? e8???????? b89a010000 c645fc1a 68???????? } + $sequence_1 = { 8d5618 c706???????? 8955f0 8d4a14 c74604???????? 8bc6 894df0 } + $sequence_2 = { 50 e8???????? 83c410 85c0 7924 3bf7 7420 } + $sequence_3 = { 0fb77706 8b01 ff500c 663bf0 7563 e8???????? 8b8d7cffffff } + $sequence_4 = { eb02 8bc7 6a0d 68???????? 8bcf c60000 e8???????? } + $sequence_5 = { 66a3???????? e8???????? b89f010000 c645fc1f 68???????? b9???????? 66a3???????? } + $sequence_6 = { 8b6c2420 8b06 8bce 8b5e38 8b7e28 ff90a4000000 } + $sequence_7 = { 8d8d08fdffff e8???????? 68???????? 8d9508fdffff c645fc01 8d8dd0fdffff e8???????? } + $sequence_8 = { 8d8d2cffffff e9???????? 8d8d14ffffff e9???????? 8d8d74feffff e9???????? 8b542408 } + $sequence_9 = { c645fc01 ba08000000 8bcc e8???????? 8d4dd4 e8???????? 68b0000000 } condition: 7 of them and filesize < 3178496 
@@ -135645,36 +136507,36 @@ rule MALPEDIA_Win_Datper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "41e2fa7a-5eff-5187-bc28-c757ee1b0d1c" - date = "2026-01-05" - modified = "2026-01-06" + id = "566d9d7a-7ff0-5998-8c74-6eb7fceebef0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.datper_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.datper_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "d82b0dc20d83d1add855bab184abefd8ce45a5aa4fc977d43e37a534a15fd25f" + logic_hash = "cf0fcfe5905cbeec26802c92425349f52448afad14077584ccda016e4adfa35a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c64428ff21 45 4b 75ee 81c4a0000000 5d 5f } - $sequence_1 = { 8d8580feffff e8???????? c78588feffff04000000 33c0 } - $sequence_2 = { 41 46 4a 85d2 75e8 5f 5e } - $sequence_3 = { 8b03 e8???????? 8b95d8efffff b8???????? e8???????? } - $sequence_4 = { e8???????? 8d8500f0ffff 33c9 ba00100000 e8???????? } - $sequence_5 = { bf14000000 8d95c4d7ffff 8bcf a1???????? e8???????? } - $sequence_6 = { c78568d7ffff0c000000 33c0 89856cd7ffff c78570d7ffffffffffff 6a00 6a01 8d8568d7ffff } - $sequence_7 = { b805000000 e8???????? 
83c003 8bd8 85db 7e29 b81a000000 } - $sequence_8 = { 8945f8 8d45fc ba00280000 e8???????? 8b4508 } - $sequence_9 = { 030424 13542404 83c408 0fb600 } + $sequence_0 = { 56 83c4e0 8bda 8bf0 8bc4 } + $sequence_1 = { 8d45f4 50 b902000000 ba???????? 8b45fc e8???????? 680000a000 } + $sequence_2 = { 33c9 33f6 b300 8b7dfc } + $sequence_3 = { e8???????? 8bf8 8b8574d7ffff a3???????? 68e8030000 e8???????? 8d45e4 } + $sequence_4 = { 757b 833d????????00 7414 6a00 } + $sequence_5 = { 8b55dc b8???????? e8???????? 8d45f4 e8???????? } + $sequence_6 = { e8???????? 8b45b0 50 e8???????? 8d8580feffff e8???????? } + $sequence_7 = { 8d8504faffff 50 b905000000 ba???????? 8b45fc e8???????? 8b9504faffff } + $sequence_8 = { 894dfc 33c9 894df8 4a 85d2 7c39 } + $sequence_9 = { e8???????? 8b55cc b901000000 b8???????? e8???????? 8bd8 85db } condition: 7 of them and filesize < 253952 
@@ -135684,36 +136546,36 @@ rule MALPEDIA_Win_Holerun_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "79210bcf-218e-5107-a109-edeb02cfeccf" - date = "2026-01-05" - modified = "2026-01-06" + id = "6500cdb5-87da-5025-a7f6-75e98eb9bc04" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.holerun" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.holerun_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.holerun_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "089e5eef0cb363abe6346868d7bc24f6b1004eaa9f42643e6a6b76322b0e9b60" + logic_hash = "3839d3ca1765d342b01a09c2ef96808892c400bfc6ae6a3566597677e96041c8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d45c0 4989c9 4989d0 ba00040000 4889c1 e8???????? 488b85f0030000 } - $sequence_1 = { 488b85e0020000 488b4008 ba20000000 4889c1 e8???????? 488985c0020000 4883bdc002000000 } - $sequence_2 = { 750a b8ffffffff e9???????? 488b4510 488b00 8b00 3d910000c0 } - $sequence_3 = { 48837df000 751b 488b4510 488b00 488d1502380000 } - $sequence_4 = { ba20000000 4889c1 e8???????? 488945f0 48837df000 0f84dd000000 488345f001 } - $sequence_5 = { eb31 488b05???????? 
ffd0 89c1 488b85e0020000 } - $sequence_6 = { 488345f808 488d050f8a0000 483945f8 75d1 b801000000 4883c430 5d } - $sequence_7 = { 48c1e002 4889c2 488d0549650000 890c02 } - $sequence_8 = { 488985a0000000 c785cc02000000000000 e9???????? 8b85cc020000 4898 488b84c590000000 } - $sequence_9 = { 750c b91f000000 e8???????? eb39 488b05???????? 8b00 85c0 } + $sequence_0 = { 4989c8 4889c2 b900000000 488b05???????? ffd0 eb19 } + $sequence_1 = { 488d55ec 4889c1 488b05???????? ffd0 eb1c c745ec34120000 488b4570 } + $sequence_2 = { 8905???????? 8b15???????? 488b85d8000000 895008 488b85d8000000 48c744242800000000 c744242000000000 } + $sequence_3 = { 8b85cc030000 4881c458040000 5b 5d } + $sequence_4 = { e8???????? 488d85b0010000 488d15a57c0000 4889542438 } + $sequence_5 = { e8???????? 4889c2 488b45d0 8b400c } + $sequence_6 = { e9???????? 8b85cc020000 4898 488b84c590000000 ba00000000 } + $sequence_7 = { ffd0 eb1c c745ec34120000 488b4570 ba34120000 4889c1 488b05???????? } + $sequence_8 = { 488b8de0020000 e8???????? 85c0 750a b800000000 e9???????? } + $sequence_9 = { 4889c1 e8???????? 488d85b0010000 488d15a57c0000 4889542438 c744243000000000 c744242800010000 } condition: 7 of them and filesize < 156672 
@@ -135723,36 +136585,36 @@ rule MALPEDIA_Win_Webc2_Greencat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c501ff13-71e5-5a46-9388-bd1d1013ee63" - date = "2026-01-05" - modified = "2026-01-06" + id = "8ee36097-f75d-5f23-b7c0-2b1501f10d10" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_greencat_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_greencat_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "4d09295114ba5dc3575e8f0ceeceef8f83e2061d012afdc45a6be16a472e1786" + logic_hash = "6e607d6af3a17c55b181e1e30c6195baee68c76f9aea2ce264863323620312fb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 59 0f85ab000000 bf28010000 8d85c0fdffff 57 53 } - $sequence_1 = { 50 e8???????? 53 50 894614 } - $sequence_2 = { 8d4dac ff750c e8???????? 85c0 7511 6830750000 } - $sequence_3 = { 53 ff15???????? 55 e8???????? 3bf3 59 7407 } - $sequence_4 = { e9???????? 8d45ac 50 ff750c e8???????? e9???????? 8b4508 } - $sequence_5 = { 58 e9???????? 56 be00010000 57 56 e8???????? } - $sequence_6 = { 5a 8b7508 668950f8 8950fc 668910 66895802 66895804 } - $sequence_7 = { 8d0c30 03c6 2945ec 03d9 85f6 75ac 3975fc } - $sequence_8 = { ff15???????? 
83f8ff 8945ec 7411 ff15???????? 3db7000000 0f84de010000 } - $sequence_9 = { 50 ff15???????? 3bc7 59 7405 a3???????? 8a45ff } + $sequence_0 = { 59 57 57 56 68???????? 57 57 } + $sequence_1 = { 83ff05 72db 83ff05 0f849f030000 6800000100 e8???????? } + $sequence_2 = { 3bc3 59 7445 6a2f 55 885801 } + $sequence_3 = { c20400 56 8bf1 57 8b3d???????? 8b460c 85c0 } + $sequence_4 = { e8???????? be24020000 8d859cfbffff 56 53 } + $sequence_5 = { c645d1f0 c645d2d2 c645d3e6 c645d4e8 c645d540 c645d64a c645d7e6 } + $sequence_6 = { 59 0f84f8000000 802000 8d85f9fdffff 50 } + $sequence_7 = { ff750c e8???????? e9???????? 8b4508 53 } + $sequence_8 = { c6065c 50 ff15???????? 8bf8 8bc7 } + $sequence_9 = { 53 53 53 53 8d85e0fdffff 6805010000 50 } condition: 7 of them and filesize < 57344 
@@ -135762,36 +136624,36 @@ rule MALPEDIA_Elf_Hideandseek_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "10c8f40f-fa57-553f-afa8-26796ff221f6" - date = "2026-01-05" - modified = "2026-01-06" + id = "e9b74920-5629-5735-98df-69cb205c30c3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/elf.hideandseek_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/elf.hideandseek_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "768ba339bd4afb32724f528de613e471a16c477a1e04b8333f9c4f37161d943f" + logic_hash = "072464902b32d7ad25d27e8687976cabb631eeb873a3f7ff9165fc0787e4dd5f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740d 83ec0c ff36 e8???????? 83c410 56 56 } - $sequence_1 = { e8???????? eb09 83ec0c 56 e8???????? 83c410 f7df } - $sequence_2 = { 89c7 85c0 0f8947040000 e9???????? 83be4c01000018 0f87f7040000 8b864c010000 } - $sequence_3 = { 84d2 7410 8a53ff 8d43ff 3a542403 7404 84d2 } - $sequence_4 = { e8???????? 8b35???????? 83c410 8d78f0 eb45 8b442410 31d2 } - $sequence_5 = { 31f6 8b5c240c 803d????????00 7532 e8???????? 88c2 89c1 } - $sequence_6 = { b801000000 83c410 c684331001000000 c7864c0100000b000000 c7863801000000000000 eb09 b803000000 } - $sequence_7 = { e8???????? 
c7874801000004000000 58 5a 8d84243a010000 50 8d8710010000 } - $sequence_8 = { c1e806 f7d0 83e001 c3 31c0 c3 8b4c2404 } - $sequence_9 = { 5a 85c0 59 0f8f1dffffff 50 8b442454 } + $sequence_0 = { 8b4510 0facd008 c1ea08 88410e 8b4510 88410f } + $sequence_1 = { e8???????? c7863401000000000011 838e3001000020 c7864c01000015000000 e9???????? 83ec0c 56 } + $sequence_2 = { 757c 50 55 56 56 e8???????? } + $sequence_3 = { 59 8d0403 8d942450220000 52 50 e8???????? 891c24 } + $sequence_4 = { e8???????? 83c410 85c0 7936 50 6800100000 8d7c2418 } + $sequence_5 = { 0f8896000000 8b1d???????? be10000000 833b00 782a 89f8 2b4304 } + $sequence_6 = { ff750c e8???????? 6800400000 56 53 ff7508 e8???????? } + $sequence_7 = { 894c2408 0facd608 89d7 895c240c 8b4c2408 8b5c240c } + $sequence_8 = { 53 6800100000 8d44242c 50 57 e8???????? 83c410 } + $sequence_9 = { 339424dc000000 01c6 8b04edb8aa0508 8b8c24b4000000 11d7 0384ecf8000000 8b14edbcaa0508 } condition: 7 of them and filesize < 196608 
@@ -135801,36 +136663,36 @@ rule MALPEDIA_Win_Knot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b476922-c990-533b-9ea2-55281d49e06f" - date = "2026-01-05" - modified = "2026-01-06" + id = "1b27443c-6472-55bc-9230-d5e1681f8736" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.knot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.knot_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.knot_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "9a4cc690c1caf46b1d80d5ed99f629971e8f9dd8073d7d2fdb62a67bbf85c7b7" + logic_hash = "e7c76779616ec273c9219e23fd05e0d9344e9b9df2ffaecca4f170627599a76d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7407 c685f3fdffff00 ebbe 0fb68df3fdffff 83f901 } - $sequence_1 = { ff15???????? 85c0 0f855ffdffff 8b958cf9ffff } - $sequence_2 = { 6a00 6a02 6a00 8b4df8 51 } - $sequence_3 = { 8bec 81ec24020000 e8???????? 8945fc c785ecfdffff02000000 } - $sequence_4 = { 7507 32c0 e9???????? 6a00 6a00 6a00 6a02 } - $sequence_5 = { 8d8dd0fdffff 51 6a08 8d95c8fdffff } - $sequence_6 = { 7454 6a00 6a00 6a00 6a04 8b55f4 52 } - $sequence_7 = { 83c40c 8985e8fdffff 8b8de8fdffff 898ddcfdffff 83bddcfdffff03 7402 } - $sequence_8 = { 6a00 6a00 6800000040 8d95e0fdffff } - $sequence_9 = { e8???????? 
8985d0feffff e9???????? 8b8dd4feffff 51 ff15???????? 8be5 } + $sequence_0 = { 8b55f4 52 ff15???????? 85c0 7507 32c0 e9???????? } + $sequence_1 = { 68???????? 8d8de0fdffff 51 ff15???????? 83c40c 6a00 6880000000 } + $sequence_2 = { e8???????? 83c404 6808020000 8d95f0fdffff } + $sequence_3 = { 753c 8b95e0feffff 52 6a00 6a01 ff15???????? 8985ccfeffff } + $sequence_4 = { eb3d 8d95e0fdffff 52 68???????? 8d85f0fdffff 50 ff15???????? } + $sequence_5 = { 32c0 e9???????? 8b95d8fdffff 52 6a00 } + $sequence_6 = { 6a00 68???????? 8b85e8feffff 50 } + $sequence_7 = { 8b4dfc 8b148d20514000 52 e8???????? 83c404 ebdc 6888130000 } + $sequence_8 = { 52 a1???????? 50 ff15???????? 8b4df0 51 ff15???????? } + $sequence_9 = { 8d9580f7ffff 52 ff15???????? 8d8580f7ffff 50 ff15???????? 898598fbffff } condition: 7 of them and filesize < 59392 
@@ -135840,36 +136702,36 @@ rule MALPEDIA_Win_Prestige_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d7f375cd-3d34-546f-b2e4-9c5bb038ef3e" - date = "2026-01-05" - modified = "2026-01-06" + id = "39e449fb-673a-581d-9626-8ac131df44ba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.prestige_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.prestige_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "2346660d21873b1b5b8cefaf9e99067a1424befc1ebf82fdd47e2c270ae4e270" + logic_hash = "e468a3829aeaadb3164cbdca003f7a21f463ebcadbd2a3eae9210117d0ee894f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83e920 e9???????? 83e920 e9???????? 83e904 e9???????? 83e93c } - $sequence_1 = { 0f86e4010000 85c0 7430 6bc809 8945f4 8bc3 2bc6 } - $sequence_2 = { e8???????? 51 68???????? 8d8dc0fcffff c645fc9f e8???????? 51 } - $sequence_3 = { e8???????? 51 68???????? 8d8d28fbffff c645fc8e e8???????? 51 } - $sequence_4 = { 0f9fc1 03ca 8b55ec 2bc2 3bc1 7ce0 6a0d } - $sequence_5 = { 68???????? 8d8d08faffff c645fc82 e8???????? 51 68???????? 8d8d20faffff } - $sequence_6 = { 8d55fc 6a0a ff7310 8d4de4 e8???????? 
59 59 } - $sequence_7 = { 59 59 0f45fb eb6f 8845d8 8b01 8b501c } - $sequence_8 = { e8???????? 8bc6 c1e002 50 8b8598f8ffff 0fb70485bc534700 8d0485b84a4700 } - $sequence_9 = { 8bf0 8b4b2c 8b5330 3bce 7426 85d2 740f } + $sequence_0 = { eb6e 8b4508 c60004 ebe9 8b4508 8a0cb2 c60005 } + $sequence_1 = { 6a06 5e eb14 7504 8bf0 eb0e ba40420f00 } + $sequence_2 = { 90 6a08 c745d804ce4600 c745e0ffffff3f c745e402000000 e8???????? 83c404 } + $sequence_3 = { e8???????? c3 53 8bdc 51 51 83e4f8 } + $sequence_4 = { 743d ff75dc 8b75d8 56 e8???????? 59 59 } + $sequence_5 = { c745dc01000000 8b0485480a4b00 8945d4 0f8533010000 8b55d4 8bc3 } + $sequence_6 = { 8975fc f7430400080000 741c 8d45f0 c745f0982b4700 50 8d4df8 } + $sequence_7 = { 8bce c645fc01 03cf 897d0c 8b12 68???????? 13c0 } + $sequence_8 = { 55 8bec 83ec44 53 56 8bf1 8955f4 } + $sequence_9 = { 8b8590feffff 6a03 51 51 51 8d4da0 51 } condition: 7 of them and filesize < 1518592 @@ -135880,10 +136742,10 @@ rule MALPEDIA_Win_Listrix_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ae5c6849-5b5a-5879-a75b-5bc936755797" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.listrix_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.listrix_auto.yar#L1-L122" license_url = "N/A" logic_hash = "a979992135eb70be35ff3f9edeaffae4a914b7c2e246324beb1e16b7e069112c" score = 75 
@@ -135892,9 +136754,9 @@ rule MALPEDIA_Win_Listrix_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -135918,36 +136780,36 @@ rule MALPEDIA_Win_Skynet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "696c4936-7a3d-5b86-95a5-a0774cacd4ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "04bd5c06-b419-506b-b9aa-2148b31bf67a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skynet" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.skynet_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.skynet_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "1d32da1d46f2bb7e98914cbd9405f4812d3bd3786d6edfb45c62833d68ff1301" + logic_hash = "f24e2c2841c1f8112cdfb00cc53eb7f1e38d3d1eca9fe92f96c64fe6ba6aed20" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8ba42438010000 4c8b4c2460 48b8ffffffffffffff7f 4c898c2430010000 4889bc2440010000 4939c4 } - $sequence_1 = { 4889d9 e8???????? 4889f1 e8???????? 488d8c24b0000000 e8???????? 4c89f1 } - $sequence_2 = { 0fb654243f 4889c8 4883e0fc 4809d0 48894520 e8???????? 488d8c24b0000000 } - $sequence_3 = { 488d059c478b00 31d2 4889f1 48894310 4883c028 48898380000000 e8???????? } - $sequence_4 = { 4889cb 488d0d21fd8900 e8???????? 4889c2 488b03 488b4008 488b04d0 } - $sequence_5 = { 4c894c2428 488d5001 e8???????? 
4c8b4c2428 488b442420 4c894c2430 } - $sequence_6 = { 488b01 4889cb 480358e8 488d0586478a00 488903 488b05???????? 488d4b18 } - $sequence_7 = { 48c783b801000000000000 488983a8010000 0fb787e0000000 488d7b10 4889f9 668983b0010000 488d053dde8d00 } - $sequence_8 = { c705????????01000000 4883c010 488905???????? e8???????? 488d35d1c58b00 488b15???????? 664d0f6ec5 } - $sequence_9 = { e8???????? 488b4c2460 4c39e9 740f 488b442470 488d540002 e8???????? } + $sequence_0 = { 4c29f2 4839da 0f82fc020000 4d39f9 0f8484020000 488b9424a0000000 4839fa } + $sequence_1 = { 4883c102 0f8818080000 4c8da424a0000000 e8???????? 4c8bbc24a0000000 4989c4 } + $sequence_2 = { 488d1524788a00 48c7401800000000 48895010 c6402000 c640482e 488b4310 c640492c } + $sequence_3 = { 4889f3 e8???????? 4c89e9 e8???????? e9???????? 4889d9 4889f3 } + $sequence_4 = { e8???????? 4883f8ff 0f84b2feffff f30f6f8398000000 488b5370 31c0 } + $sequence_5 = { 4889ea 4889f1 e8???????? 488b0b 4c8b842488000000 488dbc2490000000 488b842480000000 } + $sequence_6 = { 5e c3 4989d0 4989d9 488d159e039500 488d0d08039500 e8???????? } + $sequence_7 = { c7000b000000 48895008 c3 488d1551e89400 c7001b000000 48895008 c3 } + $sequence_8 = { e9???????? e8???????? 31d2 e9???????? 488d0d4dd29700 e8???????? } + $sequence_9 = { 89542428 8b5520 89542420 4d89c1 4989c8 89c2 488d0554e09500 } condition: 7 of them and filesize < 20419584 
@@ -135957,36 +136819,36 @@ rule MALPEDIA_Win_Wormhole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f46fc51-988b-5f8d-9d00-a7686a2cf87f" - date = "2026-01-05" - modified = "2026-01-06" + id = "2660a472-0fa7-5fc7-8a67-f6ed78518542" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wormhole_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wormhole_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "e1e9db1cf90c5ec01e6303b9e0faaa3beb1eeaff1efa494e61bb4a00bebdfa38" + logic_hash = "c4f8903c84f1d17566cf9e80014bb26aef3a10f00ebffc94816ddb8e38fee7df" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 e8???????? 83c408 8d542410 6aff 6a01 52 } - $sequence_1 = { 0f85c1000000 8b15???????? 8d4c2408 51 52 } - $sequence_2 = { 6a00 6a00 ffd3 8b1d???????? 6aff 8d4c2414 6a00 } - $sequence_3 = { a1???????? 85c0 7531 8b35???????? e8???????? 85c0 7519 } - $sequence_4 = { 897c2438 8974243c ffd3 6a00 6a00 89442418 } - $sequence_5 = { 6a00 6a00 ff15???????? 85c0 a3???????? 7404 } - $sequence_6 = { 6a00 52 68???????? 6a00 6a00 89742430 } - $sequence_7 = { 6685c0 743f a1???????? 85c0 7531 } - $sequence_8 = { 68c8000000 6a00 56 e8???????? 
83c410 83f8ff } - $sequence_9 = { 6a01 52 6a02 ffd3 8b35???????? } + $sequence_0 = { 7507 837c240c66 7412 56 e8???????? 83c404 83ceff } + $sequence_1 = { c3 8b542421 33c0 8917 5f } + $sequence_2 = { 57 8b7c2410 6a78 6a28 57 50 e8???????? } + $sequence_3 = { 891d???????? e8???????? 83c41c 85c0 } + $sequence_4 = { 7535 8b44241c 85c0 742d } + $sequence_5 = { b800400000 89442408 6a00 8d4c2410 50 51 56 } + $sequence_6 = { 83c408 8d542410 6aff 6a01 } + $sequence_7 = { 83c40c 83feff 7429 8d54240c 895c240c 52 56 } + $sequence_8 = { 40 83c040 89442418 50 8d442420 50 e8???????? } + $sequence_9 = { e8???????? 8b442430 8bb42434010000 83c004 6a0f 8d4c2434 } condition: 7 of them and filesize < 99576 
@@ -135996,41 +136858,41 @@ rule MALPEDIA_Win_Abaddon_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "618065dd-9f8b-57c5-a1c0-0e96b509ca5a" - date = "2026-01-05" - modified = "2026-01-06" + id = "294c2b65-e107-5d8c-be1b-ff47ba55f6ac" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.abaddon_pos_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.abaddon_pos_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "6a0d0d67cac52b36a9cdcb672d29dd1257357954e73ab46b05405f9db5dca5b4" + logic_hash = "9e191dc2956f1d2565e2e1157cf5e2ccf7eb989b4be397925fe4914fe25951e2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 750a 83fb3c 7605 e9???????? } - $sequence_1 = { 7605 e9???????? 48 034510 48 0500040000 803800 } - $sequence_2 = { 43 8b86ac010000 b400 b20a f6f2 80fc00 7406 } - $sequence_3 = { 8945fc 83f800 7502 eb86 6800d00700 ff75ec } - $sequence_4 = { eb91 81be0c01000080cf0700 7607 bb80cf0700 eb06 8b9e0c010000 } - $sequence_5 = { 48 89c7 48 8d86b8010000 48 } - $sequence_6 = { 6a00 6a02 ff15???????? 8945e8 8d95c0feffff 52 } - $sequence_7 = { 81c3f8030000 8903 48 31db 48 8b96d0050000 } - $sequence_8 = { 31c0 48 31d2 8a841eb8010000 } - $sequence_9 = { ff15???????? 
8b86a0010000 3b86a4010000 0f83e6030000 8b9e94010000 039ea0010000 803b33 } - $sequence_10 = { 83f809 7603 83e809 ba00000000 eb05 ba01000000 0186ac010000 } - $sequence_11 = { 80fd3e 7406 41 80fd3f 756e 49 } - $sequence_12 = { 89e5 48 83ec20 48 c7c100000000 } - $sequence_13 = { 2c30 80ea30 666bc00a 48 01d0 48 89da } - $sequence_14 = { 52 ffb558feffff ff15???????? 8d9530fdffff 52 } + $sequence_1 = { b804d00700 0faf45f4 03855cfeffff 6800d00700 50 } + $sequence_2 = { 038560feffff 6a00 6a00 50 } + $sequence_3 = { 4c 8b7d10 49 81c700040000 48 } + $sequence_4 = { 81bea001000000dc0500 740c 81bea001000000d60600 7508 } + $sequence_5 = { 89d9 ff15???????? 48 83c420 c704030d0a0000 48 } + $sequence_6 = { 48 0500040000 803800 7664 48 31c9 48 } + $sequence_7 = { 83c420 48 83c408 48 83ec30 48 c7c100000000 } + $sequence_8 = { c786b801000000000000 c786bc01000000000000 807b0100 750c c786b001000001000000 eb0a c786b001000000000000 } + $sequence_9 = { eba6 43 ebcd ffb5c8feffff } + $sequence_10 = { ff15???????? 48 83c430 48 83ec20 48 89c1 } + $sequence_11 = { 52 ff15???????? 0186a0010000 ff86a0010000 e9???????? 6a05 ff15???????? } + $sequence_12 = { 81fb00010000 7607 b800010000 eb02 89d8 } + $sequence_13 = { c786a801000000000000 fe86a8010000 42 80beb001000001 } + $sequence_14 = { 7208 48 83f80c 7702 eb05 e9???????? 48 } condition: 7 of them and filesize < 40960 
@@ -136040,75 +136902,75 @@ rule MALPEDIA_Win_Magic_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "982c6058-0233-5962-b1e1-ee61f14d1ffc" - date = "2026-01-05" - modified = "2026-01-06" + id = "b69afd7e-79ae-5cb8-88fe-698aa60668a7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.magic_rat_auto.yar#L1-L109" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.magic_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "f70d7be02c5b390e3f3dfd5324abdc86d2919bb20841095d121cf5bf228f41f4" + logic_hash = "a437c8caa041fb9d81690f8ac3c3daafb778f8e344dc59fc64f52ba5b1a5090e" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5e 5f 5d c3 660f28c8 f20f5c0d???????? } - $sequence_1 = { 89c3 e8???????? 660fefc0 f20f2ac3 } - $sequence_2 = { 660f28d8 f20f5c1d???????? f20f2cc3 660fefdb } - $sequence_3 = { 894664 8b4368 894668 8b436c } - $sequence_4 = { c1e008 29d0 c1f810 84c0 } - $sequence_5 = { 8b12 83fa01 740a 83fa02 7405 83fa03 } - $sequence_6 = { 0fb6442425 0fb6542427 c1e018 c1e210 09d0 } - $sequence_7 = { 8b02 83c001 83f801 0f8721010000 } - $sequence_8 = { be02000000 e8???????? 
84c0 75d5 } - $sequence_9 = { 7410 66c1e802 0fb7c0 69d07b140000 } + $sequence_0 = { f2440f5ddd 66440f2edc 7373 488d8c2400010000 488d9424c0000000 e8???????? f20f10542470 } + $sequence_1 = { e9???????? 41b808000000 ba02000000 e8???????? e9???????? 498b4d20 660f1f440000 } + $sequence_2 = { f2440f59d7 f2450f585870 f2450f58e2 f2440f105270 f2450f586078 0f8a45010000 0f853f010000 } + $sequence_3 = { f30f2acf f3440f59e9 f3410f108a9c000000 f30f59cb 450f28fd f30f59d1 f30f2acb } + $sequence_4 = { f3440f11513c f3410f58f8 440f28c6 f3410f5cc9 f3440f59cb f30f59fa f30f59cd } + $sequence_5 = { f2410f59c0 f2440f58eb 660fefe4 f2440f5935???????? f2410f59d8 4921db 4909cb } + $sequence_6 = { f3a4 4889fa e9???????? 8a4e01 80f901 0f86ec000000 488b4b10 } + $sequence_7 = { f680b801000010 742b 488b4070 31c9 4885c0 740f 488b4008 } + $sequence_8 = { f20f103d???????? f2440f58c7 f2410f2cc0 01d0 660f2ecc 66894104 0f8350ffffff } + $sequence_9 = { f2440f2cc8 4101c9 e9???????? 66440f28c2 f2440f5c05???????? f2410f2cd0 66450fefc0 } condition: - 7 of them and filesize < 41843712 + 7 of them and filesize < 38710272 } rule MALPEDIA_Win_Madmax_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "211dedfc-7c78-54d2-bc9c-659fc1684566" - date = "2026-01-05" - modified = "2026-01-06" + id = "a885561a-5c30-5ea2-b33b-6f61469226de" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.madmax_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.madmax_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "cf6b2a7b533fb3f99bc15493e8a8779b3f938c747aabda5388a89eac12fccb62" + logic_hash = "bd0d35721058295e1505b2a5041556658b23c13113e7678219e42884319ffc8f" 
score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f605????????5a 0f85ea000000 95 8883424ceb3e 38af847bb313 8320aa d590 } - $sequence_1 = { fa 768b 872a fd 2a4f0e e8???????? b3df } - $sequence_2 = { af 2f ac 7cd6 45 98 92 } - $sequence_3 = { bf45f19eb2 ac a5 d6 34e2 1117 4c } - $sequence_4 = { e6d1 f5 9f 45 7b78 39770f d0de } - $sequence_5 = { b4bf 49 95 14c0 393f d8d3 fc } - $sequence_6 = { 7135 fd 9e 9d 50 50 9c } - $sequence_7 = { c9 09f8 96 67a4 61 52 636e85 } - $sequence_8 = { 9d 53 6a03 e8???????? 83c40c 9c f605????????e8 } - $sequence_9 = { be492ea060 c14434e19e 46 2f d3f4 fa 6be92a } + $sequence_0 = { ef 40 41 ac 285977 a4 a1???????? } + $sequence_1 = { ee 7fb8 3add ab e06d 9e 9d } + $sequence_2 = { dde8 47 6f cd6c 4b 2ed8a8dbd419a5 90 } + $sequence_3 = { 91 6a32 dc416f bb02fb8d4f 4c 39e2 1146d8 } + $sequence_4 = { ae 5e 8b14d1 3c57 8c1b 55 a3???????? } + $sequence_5 = { c1c5d4 c0e578 7b34 58 27 cd21 90 } + $sequence_6 = { c5a62706f92c bfbe20b97c ee 73dd d0e7 b7ec 9d } + $sequence_7 = { d2b100e15df3 93 395fa1 a1???????? a7 5d 95 } + $sequence_8 = { f605????????f3 757c b632 6b8e7b51885a74 b0e5 0d97cfb063 f26e } + $sequence_9 = { f5 844296 ec 8603 98 a9e110229b a8d0 } condition: 7 of them and filesize < 3227648 
@@ -136119,10 +136981,10 @@ rule MALPEDIA_Win_Highnote_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "b0d28496-8673-59fb-b567-198b148df4f3" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.highnote_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.highnote_auto.yar#L1-L126" license_url = "N/A" logic_hash = "7cacc14b2d0dfaf54710df19550a1288a5ab7f5eb6146a6937a043c66ae24b0f" score = 75 @@ -136131,9 +136993,9 @@ rule MALPEDIA_Win_Highnote_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -136157,44 +137019,45 @@ rule MALPEDIA_Win_Doppelpaymer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1dc537b4-6f02-5ffb-95a3-e1931065b1d5" - date = "2026-01-05" - modified = "2026-01-06" + id = "219488d4-89aa-507f-a3b9-5b58b16e6a8e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doppelpaymer_auto.yar#L1-L187" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doppelpaymer_auto.yar#L1-L189" license_url = "N/A" - logic_hash = "afd64f2ddb5bd37f521cb40f0013348f346b9ab89a5e6cb99d5de3a1977e77f0" + logic_hash = "b12aaf94eae6466211c01080c895d68148cfa709c5f21789fb77a33176168e83" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7523 80790264 751d 80790561 } - $sequence_1 = { 751d 80790561 7517 80790361 7511 80790474 } - $sequence_2 = { e8???????? 8b08 e8???????? 3db6389096 } - $sequence_3 = { 80790361 7511 80790474 750b 80790173 7505 80392e } - $sequence_4 = { baffffff7f 43 e8???????? 3bd8 } - $sequence_5 = { 83ec28 6800002002 6a00 6a01 } - $sequence_6 = { 8d8c2478010000 e8???????? 8d8c246c010000 e8???????? 8d8c24dc010000 e8???????? 8d8c24cc010000 } - $sequence_7 = { e8???????? 
85c0 740d 6a00 ff742440 ffd0 85c0 } - $sequence_8 = { c20800 897de0 897de4 897de8 8d4900 } - $sequence_9 = { 895ddc 0f84f0000000 e9???????? b801000000 b925155e0b } - $sequence_10 = { c20800 8b31 8955f8 8955fc } - $sequence_11 = { 8b4d0c 8b5508 83f800 8945f4 894df0 8955ec 7528 } - $sequence_12 = { 894de4 8955e0 897ddc 8975d8 } - $sequence_13 = { 8945e8 eb0c a1???????? ffd0 8945e4 ebc9 8b45e8 } - $sequence_14 = { 8945e4 ebe3 b8c6ea1451 2b45ec 8b4dd8 81c1ffff0000 } - $sequence_15 = { 8b7e38 897dc8 8955cc 893424 c744240400000000 c744240858000000 } - $sequence_16 = { 8b55d8 8bb2a0000000 8b7de4 01f7 89fb 83c304 8b55e4 } - $sequence_17 = { 8b8578ffffff b909fcb97e 2b4df0 8b55a4 39ca } + $sequence_0 = { e8???????? 8b08 e8???????? 3db6389096 } + $sequence_1 = { 80790600 7523 80790264 751d 80790561 7517 80790361 } + $sequence_2 = { 80790361 7511 80790474 750b } + $sequence_3 = { baffffff7f 43 e8???????? 3bd8 } + $sequence_4 = { 83ec28 6800002002 6a00 6a01 } + $sequence_5 = { 8b842494000000 f30f7e07 660fd64210 8d4a18 ff7008 e8???????? } + $sequence_6 = { 8d0c24 e8???????? 8bc7 83c414 5d 5b 5f } + $sequence_7 = { e8???????? ff30 8d4c2420 e8???????? 84c0 751a 6a00 } + $sequence_8 = { 0f8594000000 8b45d0 b9e8f49929 2b4dec 8b5034 8b75ec } + $sequence_9 = { e8???????? 84c0 7516 8b4d10 } + $sequence_10 = { 83f800 8945f4 894df0 8955ec 7528 } + $sequence_11 = { 8945d0 e9???????? 55 89e5 } + $sequence_12 = { 56 83ec4c 8b4508 31c9 ba04000000 bee3049a29 } + $sequence_13 = { 8b5594 8b7590 8b7dec 81f7ddeaa1f4 01fe c1ee01 } + $sequence_14 = { 8b1b 8945f0 8bf0 b856555555 } + $sequence_15 = { 033487 8945b0 894dac 8975b4 8955c0 e9???????? 8a45ca } + $sequence_16 = { 8b758c 29d6 8b7d88 01d7 89fb } + $sequence_17 = { f6c301 7415 8b4df4 51 } + $sequence_18 = { 8b4db0 11cf 893402 897c0204 } condition: 7 of them and filesize < 7266304 
@@ -136204,42 +137067,42 @@ rule MALPEDIA_Win_Photolite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53c3df95-9bf0-54a3-a4f4-6196a8124e14" - date = "2026-01-05" - modified = "2026-01-06" + id = "1ba04423-e2a7-59f5-bf4b-bddf2b4f0ee9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.photolite_auto.yar#L1-L167" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.photolite_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "f9046ee3a914a22a767c3824ddb8832f1006b7774a4b79556e164865f1d4f92c" + logic_hash = "6e3355c516dff3c27b42e85c3718986fbcdf8685ba3259a09dd178f4f9b56429" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4883f905 72e4 889db4010000 ba7e32f11a c785b801000035578374 } - $sequence_1 = { 4803cf 493bce 72e8 889d2c010000 c78530010000d857fc49 } - $sequence_2 = { c785e4020000b434516d c785e8020000813e467c c785ec02000097355758 c785f00200008022253d } - $sequence_3 = { 4c897020 55 488da858f9ffff 4881eca0070000 33db } - $sequence_4 = { c78568040000bb4e5450 c7856c040000a94d1c35 8b8560040000 8a855c040000 } - $sequence_5 = { c78530060000a8eeaa04 c78534060000a8fbc56a 8b8520060000 8a851c060000 } - $sequence_6 = { 72e8 889dd0030000 baff978142 c785d403000094f2f32c c785d80300009afbb270 
c785dc030000d1f3ed2e } - $sequence_7 = { c74548ba572c54 8b4540 8a453c 84c0 7518 } - $sequence_8 = { 4885c0 0f8419010000 488b15???????? 4885d2 7517 ba01000000 33c9 } - $sequence_9 = { 488bcb 0f1f4000 66660f1f840000000000 8b448c24 35e6845659 } - $sequence_10 = { 41b8956927f2 e8???????? 488d4dd0 ffd0 b001 } - $sequence_11 = { 0f114020 0f104a30 0f114830 488b05???????? } - $sequence_12 = { 488d4c2430 41ffd0 85c0 7527 8b442420 2b442428 03442424 } - $sequence_13 = { 488d85a0010000 448838 488d4001 4883eb01 75f3 41b001 488d8da0010000 } - $sequence_14 = { 4d8d0480 0fb602 83e107 410200 41320429 } - $sequence_15 = { e8???????? b9100e0000 ffd0 488d95f0030000 4489bdf0030000 488d0d72aaffff e8???????? } + $sequence_0 = { c785d80300009afbb270 c785dc030000d1f3ed2e 8995e0030000 8b85d4030000 } + $sequence_1 = { 8b8554010000 8a8550010000 84c0 751e 488bcb 8b848d54010000 } + $sequence_2 = { 889de0020000 c785e4020000b434516d c785e8020000813e467c c785ec02000097355758 c785f00200008022253d } + $sequence_3 = { 4156 4157 4883ec20 448b7902 } + $sequence_4 = { 889d18020000 c7851c0200005488472c c785200200007a8e583b c785240200007c985d0c c7852802000025d93378 8b851c020000 8a8518020000 } + $sequence_5 = { c1c203 4c3bc3 72ee 443bca } + $sequence_6 = { eb07 498d5602 4803d1 498bcc ffd0 } + $sequence_7 = { baff204924 889dec000000 c785f0000000b7452854 c785f4000000b9522c41 8995f8000000 8b85f0000000 8a85ec000000 } + $sequence_8 = { 8d5101 41b82c819712 e8???????? 488bc8 eb2b 488b8928060000 4885c9 } + $sequence_9 = { 885c2420 c744242493f7332b c7442428d5b6783d c744242c8ae85659 } + $sequence_10 = { 4d8b06 488bd0 488bcd e8???????? } + $sequence_11 = { 41ffd2 4889442428 488bd8 4885c0 0f8407010000 } + $sequence_12 = { 75ed 8bce e8???????? 488905???????? 885c2430 c74424347d6b1d60 } + $sequence_13 = { eb2e 4d8b8028010000 4d85c0 7522 418d5001 33c9 } + $sequence_14 = { 48894598 eb04 48897d98 488d85c0000000 } + $sequence_15 = { 41b800800000 ffd0 488d9500040000 4489bd00040000 488d0d86abffff e8???????? 
4439bd00040000 } condition: 7 of them and filesize < 99328 
@@ -136249,36 +137112,36 @@ rule MALPEDIA_Win_Unidentified_107_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "63234ec8-e935-5a5a-a7c8-23180ee85d34" - date = "2026-01-05" - modified = "2026-01-06" + id = "d83a8059-3f06-5f8b-ad4c-9d1526372979" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_107" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_107_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_107_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "8867f317de2ddfffcab36cc6ed6aa7b70e1fee92a8d78957e157f26440f20f17" + logic_hash = "dc92ae59d2dfcbbe7aa2176f458c0990fe3a128c2f6affa3d44cf0089799d9c7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7582 4989d8 31d2 4c89e9 e8???????? 4989d8 } - $sequence_1 = { 0f1f00 8b0b ffd7 4989c4 } - $sequence_2 = { 4989c7 48c7c13b43f72a e8???????? 4883c464 488b4c2408 488b542410 4c8b442418 } - $sequence_3 = { 4883f807 7e96 8b13 4883f80b 0f8f33010000 8b03 85c0 } - $sequence_4 = { 4989cc 85db 0f8e16010000 488b05???????? 4531c9 4883c018 } - $sequence_5 = { 48b9ca0e99c700000000 e8???????? 4989c7 48b9ca0e99c700000000 e8???????? } - $sequence_6 = { 8b5208 4901d0 4d39c4 0f828a000000 4183c101 4883c028 4139d9 } - $sequence_7 = { e8???????? 8b05???????? 
85c0 0f8e57ffffff 83e801 488b1d???????? 31ff } - $sequence_8 = { 85db 0f8e16010000 488b05???????? 4531c9 4883c018 0f1f840000000000 } - $sequence_9 = { 8b560c 41b830000000 488d0c10 488b05???????? } + $sequence_0 = { 48c7c12f398d13 e8???????? 4989c7 48c7c12f398d13 e8???????? } + $sequence_1 = { 75dc 4c89e9 4883c420 5b } + $sequence_2 = { e8???????? 4989c7 48c7c10f15af3d e8???????? 4883c464 } + $sequence_3 = { 0f8596010000 8b5308 83fa01 0f85cb010000 4883c30c 4c39e3 } + $sequence_4 = { 7e96 8b13 4883f80b 0f8f33010000 8b03 85c0 } + $sequence_5 = { 4883ec64 48c7c10f15af3d e8???????? 4989c7 48c7c10f15af3d e8???????? } + $sequence_6 = { 4829d1 410fb75014 498d541018 450fb74006 4585c0 } + $sequence_7 = { 4989d0 4c09f2 4585c0 490f49d0 4829c2 4c8d3c0a } + $sequence_8 = { 4989c4 4885c0 75e9 488b3d???????? 8b07 } + $sequence_9 = { 74d8 418d40ff 488d0480 4c8d4cc228 0f1f00 } condition: 7 of them and filesize < 254976 @@ -136289,10 +137152,10 @@ rule MALPEDIA_Win_Atharvan_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "dd431719-94ae-5231-a751-29bdaf0704ba" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atharvan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atharvan_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atharvan_auto.yar#L1-L122" license_url = "N/A" logic_hash = "19e37c8e9adb39c411ba39c49044a47b42d2c1f02c40c66504cd4acf945815d9" score = 75 
@@ -136301,9 +137164,9 @@ rule MALPEDIA_Win_Atharvan_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -136327,36 +137190,36 @@ rule MALPEDIA_Win_Fuxsocy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8e4d8f81-20f8-540c-90a5-36985982ab6a" - date = "2026-01-05" - modified = "2026-01-06" + id = "5b183547-4dd5-55b2-a369-87525f1559fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fuxsocy_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fuxsocy_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "dc08d740dcf5db967ba7f125c57f76f52d4f954228326fede3bf43506bd45bbf" + logic_hash = "ca5554c5ff228c81a32a036771406cb01dcf19801297c755dac1afc1d8f67679" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b0d???????? e8???????? 8b4dfc e8???????? 46 3b35???????? 72c4 } - $sequence_1 = { 51 51 51 51 f7d8 51 } - $sequence_2 = { 50 6a01 53 ff15???????? 85c0 756e 395c2414 } - $sequence_3 = { 8b08 ff5108 8b45e4 5f 5e c9 c3 } - $sequence_4 = { ff74241c 8bda 894c2414 ff15???????? 8b7c2418 8be8 8b17 } - $sequence_5 = { 50 8d44241c 50 6a00 6a07 6a00 ff742424 } - $sequence_6 = { 8954240c 85ff 7474 8b4f04 55 8d54240c e8???????? } - $sequence_7 = { 8b45fc 6a5c 5a 66891448 } - $sequence_8 = { 83c102 e8???????? 
8b16 8b4e1c 8944d104 ff06 } - $sequence_9 = { 8954241c 8be9 8364241000 8364241800 8364242400 8d442424 50 } + $sequence_0 = { 3906 5e 0f94c0 c3 6a10 68???????? e8???????? } + $sequence_1 = { 57 f7d8 57 50 ff15???????? 89442444 85c0 } + $sequence_2 = { 57 ff15???????? cc 81ecac000000 53 55 56 } + $sequence_3 = { 8bf1 57 8bca e8???????? 8bf8 8bd6 } + $sequence_4 = { c745c43c000000 c745c840c60000 c745d074944000 c745d480944000 8945d8 ff15???????? 8945cc } + $sequence_5 = { 0f88f5000000 395dfc 0f84ec000000 6804010000 8d85ccfdffff 50 ff15???????? } + $sequence_6 = { e8???????? 8b16 8b4e1c 8944d104 ff06 eb03 } + $sequence_7 = { 8d442418 50 ff742420 ff15???????? 85c0 7539 33db } + $sequence_8 = { e9???????? 6880000000 56 33ff ff15???????? 33c9 51 } + $sequence_9 = { 790f 51 ba???????? 8d4dfc e8???????? } condition: 7 of them and filesize < 131072 
@@ -136366,36 +137229,36 @@ rule MALPEDIA_Win_Bka_Trojaner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef77dd44-0b56-55a7-bd80-bb8aedf02909" - date = "2026-01-05" - modified = "2026-01-06" + id = "ab7d611e-8589-59c0-a128-3e6ed12e6b70" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bka_trojaner_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bka_trojaner_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "f15473c37bfc124735dc99ab7490e1138bd0e34fbe32e10f0ddc7571161a090f" + logic_hash = "ec040cf4ee2c7fb0b4d119bcc53a7e6d4c94956afaf3fdc4fa12f39cdf46d9cf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8365d800 c745dce7384000 a1???????? 8945e0 } - $sequence_1 = { 50 56 e8???????? 83c408 8b54241c 55 } - $sequence_2 = { 83ec4c 56 8b742454 6808020000 68???????? } - $sequence_3 = { ff15???????? 8b542414 56 52 ff15???????? 8b4570 } - $sequence_4 = { 0fb6442404 8a4c240c 8488e1eb4000 751e 837c240800 7410 } - $sequence_5 = { 5e c3 56 8b742408 8b06 813863736de0 751c } - $sequence_6 = { ff7508 83c008 e8???????? 3b4514 59 752d 837df800 } - $sequence_7 = { 50 8db6b4e14000 ff36 e8???????? 
} - $sequence_8 = { 83ff01 751a 8b442414 8b08 8b542408 51 } - $sequence_9 = { 7508 8b4508 a3???????? 5b 33c0 5f } + $sequence_0 = { e8???????? 8bf0 ff15???????? 85f6 89442408 744c 53 } + $sequence_1 = { 51 ffd5 6a0a ff15???????? 6a00 } + $sequence_2 = { 8b742454 6808020000 68???????? 6a00 8935???????? ff15???????? } + $sequence_3 = { 750c 8b44240c 8d9078ffffff eb71 b904000000 bf???????? 8bf0 } + $sequence_4 = { 56 e8???????? 83c408 8b54241c 55 2bc6 } + $sequence_5 = { ff15???????? 8b4570 85c0 750f 8b4554 6a0c 50 } + $sequence_6 = { 85c0 7d35 8b07 8b10 } + $sequence_7 = { 8bca 83e103 8d442410 50 } + $sequence_8 = { 56 53 6a00 51 8b4c2464 2bd0 52 } + $sequence_9 = { 744d 81fb05020000 7445 81fb06020000 743d 81fb07020000 } condition: 7 of them and filesize < 221184 @@ -136406,10 +137269,10 @@ rule MALPEDIA_Win_Babyshark_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "bba62dea-b8fb-5177-af59-ee7484609223" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.babyshark_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.babyshark_auto.yar#L1-L124" license_url = "N/A" logic_hash = "170a55c792dd841a430b5276e4b7ea8cd0c0e2d28c406b503a22728951bd6c1d" score = 75 
@@ -136418,9 +137281,9 @@ rule MALPEDIA_Win_Babyshark_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -136444,36 +137307,36 @@ rule MALPEDIA_Win_Unidentified_077_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c6846d21-78e4-583b-8f44-246681283285" - date = "2026-01-05" - modified = "2026-01-06" + id = "3b8ce629-be81-5718-b343-4456bf84f34b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_077_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_077_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "ae8dcec1ad8cfc6899d8fdf0b1cf7ff7e070518ed02c06d0a8c7c2869d228f4f" + logic_hash = "92845c8e7f25ff0c6256c08ed3227d9541fa707c62bf6ffcfe21d1a372a280ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4210 83c220 f30f6f0418 660fefc1 f30f7f0418 413bd1 } - $sequence_1 = { 48894640 488d05a1fcffff 48894648 8b442424 } - $sequence_2 = { 4933f8 4a87bcf1a0bf0100 33c0 488b5c2450 488b6c2458 488b742460 } - $sequence_3 = { 4c8d442470 897c2470 488d542468 897c2468 488bcb e8???????? 85c0 } - $sequence_4 = { 498bc6 4823cb 4823c3 483bc1 7354 6690 b910000000 } - $sequence_5 = { e8???????? 85c0 0f85c6000000 448b442468 } - $sequence_6 = { 488b8dd00c0000 4833cc e8???????? 
4881c4f80d0000 415f 415d 415c } - $sequence_7 = { 33c0 488bb424a0000000 4c8bb424a8000000 488bac2498000000 4c8b7c2460 488b4c2450 } - $sequence_8 = { 751b ff15???????? 488bce 418907 } - $sequence_9 = { 488d0592fcffff 48894630 488d0597fcffff 48894638 488d059cfcffff 48894640 } + $sequence_0 = { e8???????? 85c0 740c 488d0dc9060000 } + $sequence_1 = { 48ffc1 3a440eff 7513 4883f907 75ed } + $sequence_2 = { 44896c2444 418d45ff 0fb68c8252400100 0fb6b48253400100 8bd9 8bf8 } + $sequence_3 = { 4c8bea 4c8be1 4883fa40 7312 } + $sequence_4 = { 48894638 488d059cfcffff 48894640 488d05a1fcffff } + $sequence_5 = { 4c8bea f04f0fb1bcf1a0bf0100 4c8b05???????? 4883cfff 418bc8 } + $sequence_6 = { 4c8bf0 4885c0 751b ff15???????? 488bce 418907 } + $sequence_7 = { 48895c2458 ff15???????? 488bf8 4885c0 } + $sequence_8 = { 7407 483bdf 747a eb73 4d8bbcf700310100 33d2 498bcf } + $sequence_9 = { 0f84be000000 8b7500 33c0 f04d0fb1bcf180bf0100 } condition: 7 of them and filesize < 270336 
@@ -136483,36 +137346,36 @@ rule MALPEDIA_Win_Vermilion_Strike_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cccdd0ef-85fa-55e7-a474-5f9b069a3146" - date = "2026-01-05" - modified = "2026-01-06" + id = "49d90ef8-3759-57a0-adac-9690460f5acf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vermilion_strike_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vermilion_strike_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "fbc14feb8d48b183ee7897af8bb71c1d6c19913a32cffa9f35df20729fb944fd" + logic_hash = "d9789a266624fc4fe86b5a8e26e2b9e0a209ced3a81f68414975a2c27c03f158" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c414 51 52 b330 8d7c2438 } - $sequence_1 = { 8d4e20 51 c744241400000000 e8???????? c7463c00000000 8bc6 8b4c2408 } - $sequence_2 = { c644241400 8d7001 8d9b00000000 8a10 40 84d2 } - $sequence_3 = { 83c404 56 8bd8 6a00 53 895c2418 e8???????? } - $sequence_4 = { 3dea000000 7518 8b74241c 85f6 7410 8d442464 } - $sequence_5 = { ffd7 8bf0 83feff 7532 ffd5 } - $sequence_6 = { 895c2448 885c2438 39bc2484000000 720d 8b542470 } - $sequence_7 = { 396e18 7205 8b4e04 eb03 8d4e04 50 51 } - $sequence_8 = { e8???????? 57 50 8d7c245c c684245801000003 e8???????? 
83c40c } - $sequence_9 = { eb02 8bc7 3bc3 7711 83f908 } + $sequence_0 = { 751f 833d????????10 a1???????? 7305 b8???????? 68204e0000 } + $sequence_1 = { e8???????? 83c404 53 33db c746580f000000 } + $sequence_2 = { 6a02 53 52 8bcf 89742434 e8???????? } + $sequence_3 = { e8???????? 50 a1???????? 50 e8???????? 85c0 7448 } + $sequence_4 = { 89442428 8b451c 89442430 894c2418 8b4d24 89542414 } + $sequence_5 = { 83f910 7304 8d442450 3bc3 7711 8bc2 83f910 } + $sequence_6 = { 8b0d???????? 6a00 68???????? 894e18 c7460810000000 ff15???????? } + $sequence_7 = { 03c6 885c2408 8a5802 8a4003 8844240c 83c604 } + $sequence_8 = { 884c2414 8bd0 c1fa10 8bc8 88442417 8b442410 88542415 } + $sequence_9 = { 56 8b742418 8b5618 57 8d4604 83fa08 7204 } condition: 7 of them and filesize < 540672 
@@ -136522,36 +137385,36 @@ rule MALPEDIA_Win_Lolsnif_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "801276e5-64e7-59d1-a653-8ee4b7f16dc4" - date = "2026-01-05" - modified = "2026-01-06" + id = "be46f072-cae9-5531-80d1-e1a20fbb98ec" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lolsnif_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lolsnif_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "4100f8ab27f3910e5c0d280cf414b7c267c81147c4a7bc07b3262d87c3731e63" + logic_hash = "ed82ad20a3fc6cb342ecd93ac8cc890ed90601f15751e71833a782fc1792db1a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7313 57 57 57 57 53 ff75fc } - $sequence_1 = { 5b c20c00 55 8bec 83ec14 817d0c00100000 } - $sequence_2 = { b892e8ffff c3 55 8bec 83ec40 53 56 } - $sequence_3 = { e8???????? 8bf0 3bf3 7439 3bfb 7411 8b4718 } - $sequence_4 = { 33db 53 c744241001000000 bf???????? ffd6 ff7508 57 } - $sequence_5 = { f00fc108 a1???????? 83c040 50 ffd3 a1???????? 56 } - $sequence_6 = { eb06 41 894804 33ff 5b 8bc7 5f } - $sequence_7 = { 3bc6 8945f4 754d 8b4dc0 56 ff35???????? 8bc1 } - $sequence_8 = { ab ab 8d442428 50 8d44241c 50 } - $sequence_9 = { ff7704 e8???????? 3de8000000 7509 834dfcff e9???????? 
} + $sequence_0 = { ff7508 53 53 6808010000 eb8b 3da3dc0816 0f8482000000 } + $sequence_1 = { ff7508 53 53 680b010000 e9???????? a1???????? 83c808 } + $sequence_2 = { e8???????? 3bc3 89442414 0f84b9000000 8d4c2410 51 } + $sequence_3 = { ff7620 ff15???????? ff7620 ff15???????? 8b4610 85c0 53 } + $sequence_4 = { c9 c21400 55 8bec 83e4f8 83ec28 56 } + $sequence_5 = { 8be5 5d c21400 55 8bec 56 be???????? } + $sequence_6 = { 8d47ef beee3f0000 3bc6 7710 8d4508 50 ff7510 } + $sequence_7 = { e9???????? 33d2 42 52 53 8bc6 } + $sequence_8 = { 57 53 33ff 57 6802001000 8bf0 } + $sequence_9 = { 3bde 740d 53 ff15???????? } condition: 7 of them and filesize < 425984 
@@ -136561,36 +137424,36 @@ rule MALPEDIA_Win_Gazer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "025c1d8d-e3fd-5a49-b71d-4bbc0b4928dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "ea1e3f04-6a0d-5ce8-918e-abcc889e9f96" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gazer_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gazer_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "c8a8229e229bc5f71eb0c28292f412cc779922fa28387727fa389b81ee926f71" + logic_hash = "955e76171ec835d1a216195c30747a41746d43555f3a6af9673c694e152811ef" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 } - $sequence_1 = { ff15???????? 85c0 7511 e8???????? 84c0 } - $sequence_2 = { 85c0 7511 e8???????? 84c0 } - $sequence_3 = { 85c0 7511 e8???????? 84c0 7508 83c8ff e9???????? } - $sequence_4 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 83c8ff } - $sequence_5 = { 85c0 7511 e8???????? 84c0 7508 83c8ff } - $sequence_6 = { 85c0 7511 e8???????? 84c0 7508 } - $sequence_7 = { 7511 e8???????? 84c0 7508 83c8ff e9???????? } - $sequence_8 = { 7511 e8???????? 
84c0 7508 83c8ff } - $sequence_9 = { 41c1ca0b 4503d1 410bc2 4133c1 4103c0 } + $sequence_0 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 83c8ff } + $sequence_1 = { 85c0 7511 e8???????? 84c0 } + $sequence_2 = { ff15???????? 85c0 7511 e8???????? 84c0 } + $sequence_3 = { 85c0 7511 e8???????? 84c0 7508 83c8ff } + $sequence_4 = { 7511 e8???????? 84c0 7508 83c8ff e9???????? } + $sequence_5 = { 7511 e8???????? 84c0 7508 83c8ff } + $sequence_6 = { ff15???????? 85c0 7511 e8???????? 84c0 7508 } + $sequence_7 = { 85c0 7511 e8???????? 84c0 7508 } + $sequence_8 = { 85c0 7511 e8???????? 84c0 7508 83c8ff e9???????? } + $sequence_9 = { 83e108 4433e1 418bcc c1f90a 83e107 894d6f } condition: 7 of them and filesize < 950272 
@@ -136600,42 +137463,42 @@ rule MALPEDIA_Win_Ninerat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b2759270-ef98-5410-b5fe-ea53f4bf72fd" - date = "2026-01-05" - modified = "2026-01-06" + id = "f5cf35ab-55dc-52f5-a720-04d5f8f19c94" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ninerat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ninerat_auto.yar#L1-L170" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ninerat_auto.yar#L1-L152" license_url = "N/A" - logic_hash = "584fb25ea88956dd53544245e507dba7752ef5bd9498b76883c7fb9cf338d1d3" + logic_hash = "0c469c79c753cbce45144c4568d99c4969bce6aab461464cc369fc019ca5bf3f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c89ad58feffff 48894d10 48895518 488b4518 48c70000000000 48c7400800000000 48c78590feffff00000000 } - $sequence_1 = { 4c89ad60ffffff 4c89b568ffffff 4c89bd70ffffff 48894d10 } - $sequence_2 = { 4c89ad58ffffff 4c89b560ffffff 4c89bd68ffffff 48894d10 4889d3 4d89c4 498bd4 } - $sequence_3 = { 4c89ad50ffffff 4c89b558ffffff 4c89bd60ffffff 48894d10 4889d6 c68570ffffff00 488d4580 } - $sequence_4 = { 4c89ad68fcffff 4c89b570fcffff 4c89bd78fcffff 48894d10 } - $sequence_5 = { 4c89ad50ffffff 4c89b558ffffff 4c89bd60ffffff 48895518 4989cc 48c70200000000 4889d1 } - $sequence_6 = { 4c89ad60feffff 
4c89b568feffff 48894d10 488d4d10 e8???????? 48898570feffff } - $sequence_7 = { 4c89ad58fdffff 4c89b560fdffff 4c89bd68fdffff 48895518 4c894520 4c894d28 } - $sequence_8 = { eb0f 488bd3 488d0d48900100 e8???????? } - $sequence_9 = { 4889842430020000 4c89642450 488b442450 4889842438020000 } - $sequence_10 = { 4889842480000000 488d1529890100 488d8c2480000000 e8???????? 90 e8???????? 90 } - $sequence_11 = { 488d842430030000 48ffc7 6644393478 75f6 } - $sequence_12 = { 4883ec38 834c2448ff 488d05a8580100 4d85c9 } - $sequence_13 = { 4a8b04e8 42385cf839 0f84c2000000 488d058dde0000 4a8b0ce8 } - $sequence_14 = { 418bd4 e8???????? f20f1000 8b5808 e9???????? 488d05cbdd0000 } - $sequence_15 = { 83fa04 7c39 458bd1 49c1ea02 418bc2 f7d8 } + $sequence_0 = { 4c899530ffffff 4d8b5808 4c039d00ffffff 4c899d38ffffff } + $sequence_1 = { 4c899530ffffff 4c8b85f8feffff 49ffc0 4c898538ffffff } + $sequence_2 = { 4c899530ffffff 4c8b4708 4a8d540310 48899538ffffff } + $sequence_3 = { 4c8975c0 4c897dc8 48894d10 4889d3 } + $sequence_4 = { 4c899538ffffff 488d9530ffffff 488b8d40ffffff e8???????? } + $sequence_5 = { 4c899540feffff 488d9540feffff b97e160000 e8???????? } + $sequence_6 = { 4c899538ffffff 7333 4c3bd2 7622 } + $sequence_7 = { 4c8985f8feffff b905000000 48898df0feffff 488d95f0feffff } + $sequence_8 = { 8a043e ffc2 4a8b8ce3f0c60100 4803cf } + $sequence_9 = { 48d1eb 4533f6 664489345e 33d2 } + $sequence_10 = { b905000000 4c8d05257b0000 488d15267b0000 e8???????? 8bcb 4885c0 740c } + $sequence_11 = { 57 4883ec20 488d055feb0000 488bf9 488901 8bda } + $sequence_12 = { 488d05a8580100 4d85c9 4d8bd0 41b801000000 } + $sequence_13 = { 488bd9 488bc2 488d0dadeb0000 0f57c0 } + $sequence_14 = { 488d1590c30000 e8???????? 4885c0 740f 488bcb } + $sequence_15 = { 5b c3 4883611000 488d05ccec0000 } condition: 7 of them and filesize < 7709696 
@@ -136645,36 +137508,36 @@ rule MALPEDIA_Win_Sedll_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c98327c8-f977-5098-aace-6f65383d00ba" - date = "2026-01-05" - modified = "2026-01-06" + id = "1a7ca438-f915-59a0-affa-5dfe0da10dfc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sedll_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sedll_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "df74daada1e394daccd88b8caf7c67ee5c703bfd5e5886cc476e5ba06e59b034" + logic_hash = "ddd7994dbe083b91d1d2b24210e454bbc79a4d380f469f3c00c75fcc15ef89ca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { ff75fc f30f7f45dc 6a00 6a00 6a00 } - $sequence_1 = { 741e 8bd3 8d4a01 8d642400 8a02 } - $sequence_2 = { 5e 8908 33c0 5d c20c00 8b4510 33c9 } - $sequence_3 = { 8d55f8 52 c745f800000000 68???????? 8b08 50 ff11 } - $sequence_4 = { 7412 f30f6f05???????? 8b4520 f30f7f00 830e04 f6c101 7426 } - $sequence_5 = { 83c604 83ef04 73ef 8b4d08 8b4510 51 8908 } - $sequence_6 = { 8bf0 83c404 8975e8 85f6 7507 5f } - $sequence_7 = { 7c7e 8d9b00000000 0fb60f 83c604 c1e902 } - $sequence_8 = { 50 8b4508 03c6 50 53 ff15???????? 
85c0 } - $sequence_9 = { 884e01 885602 83c603 33c9 47 3bfb } + $sequence_1 = { ff15???????? 83c408 85c0 0f85ea000000 f30f6f05???????? 68d2010000 } + $sequence_2 = { 8908 33c0 5d c20c00 8bd1 be???????? } + $sequence_3 = { 5e 8908 33c0 5d c20c00 8b4510 33c9 } + $sequence_4 = { 8d55f8 52 c745f800000000 68???????? 8b08 50 ff11 } + $sequence_5 = { ff15???????? 85f6 7508 33c0 5e } + $sequence_6 = { 7514 8b4508 4e 2bf1 5f 8930 8bc1 } + $sequence_7 = { 8bf0 83c404 8975e8 85f6 7507 5f } + $sequence_8 = { 7c7e 8d9b00000000 0fb60f 83c604 c1e902 } + $sequence_9 = { 660fd645f0 56 8bf1 85c0 740a 50 } condition: 7 of them and filesize < 65536 @@ -136685,10 +137548,10 @@ rule MALPEDIA_Win_Cloudeye_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "44608db0-2b3b-55a4-82c4-1c5317afcfea" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cloudeye_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cloudeye_auto.yar#L1-L117" license_url = "N/A" logic_hash = "54d2e3ccac7509c285f63d14127016b59266a9af9b4d7112de2a7058fc6a0ca1" score = 75 @@ -136697,9 +137560,9 @@ rule MALPEDIA_Win_Cloudeye_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -136723,42 +137586,42 @@ rule MALPEDIA_Win_Prometei_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "62ace16c-b0c3-554c-a9f7-6209373c3e72" - date = "2026-01-05" - modified = "2026-01-06" + id = "b030d67d-9353-573e-ab95-2cb9dc3e850e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.prometei_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.prometei_auto.yar#L1-L158" license_url = "N/A" - logic_hash = "9dde111159215a62fc6cb6707e61b66d4977093dee25c22cb9e592670f784bca" + logic_hash = "27c94de93d61051b48ee812ee750f904390b4f00539e2b6cf3993c0b4053b61a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 011d???????? 03c8 8b5de4 a1???????? } - $sequence_1 = { 5b 8d7db0 8907 8bc7 bf1f000000 897004 894808 } - $sequence_2 = { 33c0 85ff 742c 8b75d8 03f2 0fbe5405b8 } + $sequence_1 = { 0482 b02c dc8cbc6c1c55bb 8cc6 4b } + $sequence_2 = { 2aba2191fab2 2125???????? 346d 2a91020a2292 b5fd } $sequence_3 = { 014368 81434400020000 c7434000000000 83534800 } $sequence_4 = { 014358 8b45f0 01435c 8b45fc } - $sequence_5 = { ff15???????? 0fbe05???????? 56 8945fc ff15???????? 
} - $sequence_6 = { b801000000 f745c000020000 8bd1 0f44f8 } - $sequence_7 = { 833d????????00 0f85cc000000 6a00 6880000000 6a03 6a00 6a00 } - $sequence_8 = { 10d0 00bb2d784334 2cbb 8d3b 61 } - $sequence_9 = { f5 b56b 55 48 2d63d3c0b9 25809d1976 0482 } + $sequence_5 = { 55 bb8c132400 4a af } + $sequence_6 = { 8b75fc 894808 89500c b801000000 f745c000020000 0f44f8 8b45e0 } + $sequence_7 = { f745c000020000 660f7f45b0 0f44f9 c745c000000000 33c9 897dd8 0fa2 } + $sequence_8 = { 01435c 8b45fc 014360 8b45f4 } + $sequence_9 = { 83feff 741f 6a00 8d45d8 50 } $sequence_10 = { 013d???????? 8b04b5c8054400 0500080000 3bc8 } - $sequence_11 = { 01435c 8b45fc 014360 8b45f4 } - $sequence_12 = { e8???????? 44 b46b d6 1e } + $sequence_11 = { c745f800000000 33c9 c745c000000000 53 } + $sequence_12 = { 014354 8b45e8 014358 8b45f0 } $sequence_13 = { 014364 8b45e4 014368 5b } $sequence_14 = { 014360 8b45f4 014364 8b45e4 } - $sequence_15 = { 014354 8b45e8 014358 8b45f0 } + $sequence_15 = { 7532 33c0 85ff 742c 8b75d8 03f2 0fbe5405b8 } condition: 7 of them and filesize < 51014656 
@@ -136768,36 +137631,36 @@ rule MALPEDIA_Win_Silentgh0St_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "291abef6-9e33-5a8d-8adc-76e9209f6497" - date = "2026-01-05" - modified = "2026-01-06" + id = "17738b3a-0b49-5455-8efd-23fa65ec83ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.silentgh0st" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.silentgh0st_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.silentgh0st_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "9a04c7809c217e9efeaf55825390ec7954a79ff3371a97034dc7cf6c87eca139" + logic_hash = "aab932c753a170abfa6c6014ce9f5632519b221817c2d05a9d2b3f156d54a630" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c9 c3 8b45fc ff7018 ff750c e8???????? 59 } - $sequence_1 = { 33c4 89842488000000 8b8424a0000000 8b8c2494000000 53 8b9c24a0000000 55 } - $sequence_2 = { e8???????? 8bcf 85c0 7507 e8???????? ebb0 6834020000 } - $sequence_3 = { 33c9 83e701 894c2418 897c2414 a900000004 0f8596000000 c744241801030000 } - $sequence_4 = { 8bc6 c1f805 8bfe 53 8d1c8500c40e10 8b03 83e71f } - $sequence_5 = { 8d04454c950e10 8bc8 2bce 6a03 d1f9 68???????? 2bd9 } - $sequence_6 = { 83c420 e9???????? 8b96bc000000 8b8290000000 3bc5 7514 6a0a } - $sequence_7 = { 8d85f8feffff 6a5c 50 e8???????? 
59 59 3bc3 } - $sequence_8 = { 8b4a10 03c0 80e108 03c0 0fb6d1 83c404 03c0 } - $sequence_9 = { 8d8304010000 8bd6 2bd0 b910000000 89542420 eb04 8b542420 } + $sequence_0 = { 8b93bc000000 897244 8b442428 8b8bbc000000 56 50 83c148 } + $sequence_1 = { 8b9084000000 51 53 55 56 ffd2 83c410 } + $sequence_2 = { 8b550c 89570c 8b4d04 8b07 53 8b5d00 56 } + $sequence_3 = { 6a01 8d8593fbffff 50 8d8e04010000 889d93fbffff e8???????? 56 } + $sequence_4 = { ffd1 83c410 85c0 7507 5d 5e 5b } + $sequence_5 = { 8b45fc 83c41c 53 53 56 ff34b8 56 } + $sequence_6 = { e8???????? 6a08 53 57 e8???????? 8b45d0 83c418 } + $sequence_7 = { e8???????? 59 83fe06 7507 53 e8???????? 59 } + $sequence_8 = { e8???????? 83e814 8945e4 33c0 c645e800 8d7de9 ab } + $sequence_9 = { e8???????? 59 59 8b460c 8b4de8 8b0408 0fb60438 } condition: 7 of them and filesize < 2065408 
@@ -136807,36 +137670,36 @@ rule MALPEDIA_Win_Mm_Core_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "43e09f87-25f0-5aa1-a65d-f3cf8216d568" - date = "2026-01-05" - modified = "2026-01-06" + id = "14416f23-323b-5443-a200-3c4467aca088" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mm_core_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mm_core_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "6a74d0b4f0725617f5a9081525f73e5b30645b5ad4c0ae527057295ae3a12104" + logic_hash = "b037dd787aad9408a50243733b94466535610a5636afeecd2a0457a1d2b7dcf6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33ff 8db7e8ba0010 ff36 e8???????? 83c704 } - $sequence_1 = { ff15???????? 85c0 0f8482000000 8b442410 3bc7 747a 40 } - $sequence_2 = { 6800000008 51 51 51 66894c2464 8bcb } - $sequence_3 = { 8bf0 8975d4 85f6 0f8485000000 c745fc00000000 8a0e } - $sequence_4 = { 8b84246c080000 56 57 33ff 6a3c 8bf2 } + $sequence_0 = { b9ff0f0000 8dbc24f8080000 e8???????? 
83c410 8bcf 51 ffd3 } + $sequence_1 = { 8945e4 83f805 7d10 668b4c4310 66890c4524220110 } + $sequence_2 = { 6a03 57 57 50 51 } + $sequence_3 = { 0f84df030000 8b542420 8b44240c 8d4c2414 51 53 6a01 } + $sequence_4 = { 8b54241c 8d0c32 3b4c2418 761f c1e90a 41 } $sequence_5 = { 6a00 50 e8???????? 83c40c 33c0 33c9 8d542408 } - $sequence_6 = { 3bc1 0f87f5090000 ff248516540010 33c0 } + $sequence_6 = { 6a00 68???????? 8d8c2430010000 51 } $sequence_7 = { 33c0 eb1a 8bc8 83e01f c1f905 8b0c8d40400110 c1e006 } - $sequence_8 = { 83e71f c1e706 8b048540400110 8d44380c } - $sequence_9 = { c744240c01010000 ff15???????? 8d4c2418 51 8d54240c } + $sequence_8 = { ffd6 895c241c 895c2418 8b442424 8b2d???????? 50 53 } + $sequence_9 = { 51 ffd3 8bf0 8b442414 85c0 } condition: 7 of them and filesize < 319488 
@@ -136846,36 +137709,36 @@ rule MALPEDIA_Win_Pubload_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb3eb2a3-33cb-52f0-8b9b-1e92524c642b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4ec95f7b-fa54-5ef5-8b82-63b220f70563" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubload" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pubload_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pubload_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "cbebb262e4f807799c3d6fba9199253493785b2d8970bb9dd2ccb71611e2a01f" + logic_hash = "ab26dbed182ffe5ee41e0222a26506ab7510527ff92f8f4a95a6063d352c5a66" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 33c9 68???????? 66894802 } - $sequence_1 = { ff15???????? 68???????? 6a00 6a00 6a00 ff15???????? c3 } - $sequence_2 = { 6804010000 68???????? 6a00 ff15???????? 6a5c } - $sequence_3 = { ff15???????? 6a5c 68???????? e8???????? 83c408 33c9 68???????? } - $sequence_4 = { 83c408 33c9 68???????? 66894802 ff15???????? } - $sequence_5 = { 6803001f00 ff15???????? 85c0 7408 6a00 ff15???????? 68???????? } - $sequence_6 = { 68???????? 6a00 6a00 6a00 ff15???????? c3 } - $sequence_7 = { 68???????? 6a00 ff15???????? 6a5c 68???????? e8???????? 
83c408 } - $sequence_8 = { 68???????? e8???????? 83c408 33c9 68???????? } - $sequence_9 = { 6a00 6a00 6a00 ff15???????? c3 } + $sequence_0 = { 6a00 ff15???????? 6a5c 68???????? e8???????? 83c408 33c9 } + $sequence_1 = { 68???????? 6a00 6a00 6a00 ff15???????? c3 } + $sequence_2 = { 7408 6a00 ff15???????? 68???????? 6a00 6a00 6a00 } + $sequence_3 = { 68???????? e8???????? 83c408 33c9 68???????? } + $sequence_4 = { 6a5c 68???????? e8???????? 83c408 33c9 68???????? 66894802 } + $sequence_5 = { 6a00 6a00 6a00 ff15???????? c3 } + $sequence_6 = { 33c9 68???????? 66894802 ff15???????? } + $sequence_7 = { 68???????? e8???????? 83c408 33c9 68???????? 66894802 } + $sequence_8 = { e8???????? 83c408 33c9 68???????? } + $sequence_9 = { 68???????? e8???????? 83c408 33c9 68???????? 66894802 ff15???????? } condition: 7 of them and filesize < 524288 
@@ -136885,36 +137748,36 @@ rule MALPEDIA_Win_Hi_Zor_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc3751c1-3c9f-5c03-98ac-f7ffbc0daf9f" - date = "2026-01-05" - modified = "2026-01-06" + id = "9b055cf4-4394-57ba-ba24-aea58c056a5f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hi_zor_rat_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hi_zor_rat_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "71847819d2d9074c6684d2c1f561750135c21371e8d9757a34aa466c08b5e5fd" + logic_hash = "a2c1787ff03f77785f6ae2f12c5efdf5e6e326205f05a629cef8eff95a6daaf5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 235014 0bda 8b501c 03df 8d9413aff7448b 8bde } - $sequence_1 = { 83c002 6685c9 75f5 8dbdc8f6ffff 2bc2 83c7fe 668b4f02 } - $sequence_2 = { c1e611 0bd6 03501c 8bfa f7d7 237810 23da } - $sequence_3 = { 33db 68fe0f0000 8d94248e080000 33c9 53 52 } - $sequence_4 = { 8bf8 52 57 ff15???????? 8b4d0c 8b5508 6a00 } - $sequence_5 = { 6a00 8bf0 8d45f0 50 56 6a00 } - $sequence_6 = { 25ffffff1f 03c0 6a40 03c0 c1ea1d } - $sequence_7 = { 50 89bb40010000 89bd58ffffff ff15???????? 
} - $sequence_8 = { 035858 8975fc 8b701c 8d9c335314c4ff 8b75f8 23f7 } - $sequence_9 = { 0fb6b6b4490010 ff24b594490010 52 53 8bf9 e8???????? 5f } + $sequence_0 = { 7cf1 33c0 66837445e402 40 83f80b 7cf4 33c0 } + $sequence_1 = { f7d3 23581c 0bde 03df 8b7010 8db433af0f7cff } + $sequence_2 = { 6804010000 8d8de4fdffff 56 51 } + $sequence_3 = { 85c0 0f8574ffffff 47 85ff } + $sequence_4 = { 898572ffffff 898576ffffff 89857affffff 6689857effffff c7458c10000000 ff15???????? e8???????? } + $sequence_5 = { 51 56 50 894510 e8???????? 8b5510 } + $sequence_6 = { 6a40 6a00 57 e8???????? 83c40c 6a00 8d4dfc } + $sequence_7 = { 6a00 6a05 51 ff15???????? 56 ff15???????? } + $sequence_8 = { 884612 33c0 8be5 5d } + $sequence_9 = { 83ec24 85c0 742d 68???????? 68???????? ff15???????? } condition: 7 of them and filesize < 73728 @@ -136925,10 +137788,10 @@ rule MALPEDIA_Win_Oderoor_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "8af6addc-ebdd-5e5f-9273-b365bc983ffd" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oderoor_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oderoor_auto.yar#L1-L128" license_url = "N/A" logic_hash = "705d5b4a266b0c2f312f72fd5cb1e86ab39ec049fd53173701ccf137ec51b933" score = 75 
@@ -136937,9 +137800,9 @@ rule MALPEDIA_Win_Oderoor_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -136958,41 +137821,80 @@ rule MALPEDIA_Win_Oderoor_Auto : FILE condition: 7 of them and filesize < 13688832 } +rule MALPEDIA_Win_Dusty_Hammock_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "97ea5be3-4101-5edc-852a-56fc7838f7b4" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dusty_hammock" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dusty_hammock_auto.yar#L1-L134" + license_url = "N/A" + logic_hash = "1bee63322ab76f5fb0667f02592a8f7af8ac3ef35979026a6082ad2da61ddae5" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { c745b8e04d4600 c745bc02000000 c745c800000000 89d9 89fa 8945d0 8d45d0 } + $sequence_1 = { f20f1086c0000000 f20f108ec8000000 83f803 8986ac000000 898628010000 f20f1186b0000000 f20f118eb8000000 } + $sequence_2 = { ba28000000 68???????? e8???????? 83c404 eb40 b9???????? c786b805000003000000 } + $sequence_3 = { e8???????? 8b18 832000 85db 0f840f010000 ff02 8d4b34 } + $sequence_4 = { c745ac01000000 c745b800000000 c745b004000000 c745b400000000 c745f0ffffffff e8???????? 55 } + $sequence_5 = { c786b805000002000000 8b411c 8b4920 6a58 68???????? 50 ff510c } + $sequence_6 = { e8???????? 59 5f 3d01000080 0f85320e0000 8b8648010000 8bbe44010000 } + $sequence_7 = { 8b4820 6a01 68???????? ff701c ff510c 83c40c 2401 } + $sequence_8 = { c745f002000000 8b45d0 8975ac c745f002000000 b9???????? ba16000000 8945b0 } + $sequence_9 = { 83ec28 83c50c 8d4d8c e8???????? 8d8d78ffffff e8???????? 
837dd400 } + + condition: + 7 of them and filesize < 1051648 +} rule MALPEDIA_Win_Lemonduck_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0687728c-af20-5db0-825f-c09419c968e6" - date = "2026-01-05" - modified = "2026-01-06" + id = "2d48fcac-5269-5f0d-8787-5b8524b15885" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lemonduck_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lemonduck_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "98ef4bf0b78ddc5c7161294aca17f600a297dc9e3f0789809abaca00c16061d5" + logic_hash = "0023b707dc3a00b96c075fb32bb74e99f47bf8ecc22af5c76474a720aa3589cb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8bc8 89834c010000 e8???????? 4863c8 48898b88000000 4883c420 } - $sequence_1 = { eb0f 488bd3 488d0deb090a00 e8???????? 33c9 85c0 480f44cb } - $sequence_2 = { c1e808 0bc8 41c1e808 c1e218 4133ca 440bc2 41894f10 } + $sequence_0 = { eb0a c0ea06 f6c201 7408 8b00 8905???????? 498b06 } + $sequence_1 = { e9???????? 488b8a70000000 4883c158 e9???????? 488b8a70000000 4883c168 e9???????? } + $sequence_2 = { e8???????? 90 40f6c701 743d 488b542478 4883fa10 7232 } $sequence_3 = { ff15???????? 
488bf8 4885c0 0f841f020000 33c0 f0480fb13d???????? 488bf0 } - $sequence_4 = { 7404 893b eb34 3bfe 7330 2bf7 488d14bd00000000 } - $sequence_5 = { e8???????? e9???????? 488b8e50010000 488d85e8000000 4c8d8dd0000000 4889442420 4c8d85e0000000 } - $sequence_6 = { e8???????? 85c0 7419 41b80a000000 488d15eab90500 488bcb e8???????? } - $sequence_7 = { e8???????? e9???????? 664183780e03 0f85e0010000 488d1d8bee1500 4c8d3dacee1500 0f1f4000 } - $sequence_8 = { 75f7 8945c8 33c0 488945d8 488945e0 66448965e6 488b45e0 } - $sequence_9 = { ff5018 f6d8 1bdb 83c302 b978000000 e8???????? 488bf8 } + $sequence_4 = { e9???????? 66837e0e03 0f8547010000 488bcf 4883fb01 0f852f010000 488b07 } + $sequence_5 = { ffe0 418b03 0fafc3 418903 eb4e 418b4154 03c3 } + $sequence_6 = { 660f7f85c0000000 e8???????? 660f7f85d0000000 488bcf 4883f120 498bc6 48f7e7 } + $sequence_7 = { e8???????? eb36 488d8ea8000000 488d55e8 e8???????? 90 488d0d24cd1400 } + $sequence_8 = { e8???????? 488d6c2450 eb07 488d2d3d081300 488b03 488bcb ff5018 } + $sequence_9 = { f30f7f07 488d4c2420 f30f6f8780000000 660f7f442420 660f7f4c2430 e8???????? f30f6f9700ffffff } condition: 7 of them and filesize < 10011648 
@@ -137002,36 +137904,36 @@ rule MALPEDIA_Win_Faketc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "20700f38-ca76-52c3-a2fd-e577561f7238" - date = "2026-01-05" - modified = "2026-01-06" + id = "8c126587-3e07-5c7a-9023-e24f5c209fe2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.faketc_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.faketc_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "88cb80bbffbb5dd33ed57d116a0c91ab50887b3cc89797bc963aaa34348dde48" + logic_hash = "f7a97adeb3040f37295c7f4761ab9ee4e5ac86721a666153d19aff9cd8d66c3f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? bd01000000 89ac2460010000 84db 7405 c644246c01 097c2470 } - $sequence_1 = { c645fc10 e8???????? 83bdd0fdffff08 720f 8b95bcfdffff 52 e8???????? } - $sequence_2 = { e8???????? 83c41c c3 8b4c2424 5f 5e 5d } - $sequence_3 = { 8b91f0860000 83c201 8b81f4860000 83d000 8b4d08 8991f0860000 8981f4860000 } - $sequence_4 = { e8???????? 83c40c 85c0 740f 8b45f8 c74048ffffffff e9???????? } - $sequence_5 = { e8???????? 50 8d85b8060000 50 c645fc0c e8???????? 83c40c } - $sequence_6 = { c1ef10 c1ed18 330cad18d45f00 81e7ff000000 2b0cbd18d85f00 8b7808 33f1 } - $sequence_7 = { e8???????? 
83c40c c744241401000000 89742418 c744241c00000000 83fe08 0f87c2010000 } - $sequence_8 = { e8???????? a1???????? 33c4 89842450010000 53 55 8bac2460010000 } - $sequence_9 = { e8???????? 83c408 85c0 7473 8b4df0 8b91a8020000 8b45f0 } + $sequence_0 = { c784246c01000007000000 e8???????? 8d8c24b0000000 c7842460010000ffffffff e8???????? 32c0 e9???????? } + $sequence_1 = { ebd2 837d0c00 7411 68???????? 8b4508 50 e8???????? } + $sequence_2 = { 8b8200030000 f7d8 1bc0 83e016 e9???????? 8b4508 83b8fc01000000 } + $sequence_3 = { e8???????? 83c408 eb24 8b45f0 83c028 50 6a00 } + $sequence_4 = { e8???????? 8b4df8 8981dc850000 8b55f8 83badc85000000 750a b81b000000 } + $sequence_5 = { e8???????? 68???????? b9???????? e8???????? 8b45e8 83c408 68ff010f00 } + $sequence_6 = { c20c00 ff15???????? 8b1d???????? 8b54241c 2bd8 33f6 89442418 } + $sequence_7 = { be20d182d0 bed0bad0b5 d0bdd0b020d0 b1d0 b5d0 b7d0 bed0bfd0b0 } + $sequence_8 = { 0f84df040000 83e801 0f8548050000 0fb78570150000 3d4d040000 0f8fa0010000 0f840e010000 } + $sequence_9 = { e8???????? 83c40c c78570f7ffff9de16300 c7856cf7ffff00000000 c78568f7ffff00000000 c78564f7ffff00000000 c78560f7ffff00000000 } condition: 7 of them and filesize < 6864896 
@@ -137041,36 +137943,36 @@ rule MALPEDIA_Win_Kleptoparasite_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b0b0b352-347f-55af-9ff0-490ede9b4160" - date = "2026-01-05" - modified = "2026-01-06" + id = "06b97f9c-c82e-5df6-a654-2e7628dba3c6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kleptoparasite_stealer_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kleptoparasite_stealer_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "e5b373205c1fe87c3fe6e4fda207e494d76c79369af53b1f38b96981f46a089f" + logic_hash = "fc2466cea73a855fcfd2de88968e4d3e86dac2cd151f47d6ba7eecc9606cfce3" score = 60 quality = 35 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 e9???????? 55 8bec 56 e8???????? 8bf0 } - $sequence_1 = { cc 55 8bec 56 e8???????? 8b7508 6a02 } - $sequence_2 = { b8???????? c3 e9???????? 55 8bec 56 e8???????? } - $sequence_3 = { 895104 8be5 5d c3 3b0d???????? 7502 f3c3 } - $sequence_4 = { 7405 8901 895104 8be5 5d c3 3b0d???????? } - $sequence_5 = { cc 55 8bec 56 e8???????? 8b7508 } + $sequence_0 = { b8???????? c3 e9???????? 55 8bec 56 e8???????? } + $sequence_1 = { 8901 895104 8be5 5d c3 3b0d???????? } + $sequence_2 = { 50 e8???????? cc 55 8bec 56 e8???????? 
} + $sequence_3 = { cc 55 8bec 56 e8???????? 8b7508 6a02 } + $sequence_4 = { 895104 8be5 5d c3 3b0d???????? 7502 } + $sequence_5 = { 7405 8901 895104 8be5 5d c3 3b0d???????? } $sequence_6 = { 59 c3 6a10 68???????? e8???????? 33ff 897de0 } - $sequence_7 = { 895104 8be5 5d c3 3b0d???????? } - $sequence_8 = { 895104 8be5 5d c3 3b0d???????? 7502 } - $sequence_9 = { e8???????? cc 55 8bec 56 e8???????? 8b7508 } + $sequence_7 = { e8???????? cc 55 8bec 56 e8???????? 8b7508 } + $sequence_8 = { cc 55 8bec 56 e8???????? 8b7508 } + $sequence_9 = { 895104 8be5 5d c3 3b0d???????? } condition: 7 of them and filesize < 3006464 
@@ -137080,36 +137982,36 @@ rule MALPEDIA_Win_Rarstar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ce52f31-509a-51ae-aa52-a887d95b1b86" - date = "2026-01-05" - modified = "2026-01-06" + id = "d0620684-8600-5511-bc51-0ffc28b8ce5a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rarstar_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rarstar_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "d80756ef2e17ab1b1759226b804a9ad7a0323babf981d01e1610768c38e321da" + logic_hash = "e96cd2652260a313f34f66f12f9d9deda221648c32b257c4a5d597ef28e7ad1e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89742410 33ed ff15???????? 8b542418 8b3d???????? 
52 89442430 } - $sequence_1 = { eb26 8d4508 8db664c54000 6a00 50 ff36 } - $sequence_2 = { f7d1 2bf9 899c2430030000 8bc1 8bf7 8bfa 899c242c030000 } - $sequence_3 = { 8bc6 5e c20400 81ec24030000 53 } - $sequence_4 = { 8b0485c0d94000 03c6 8a5004 f6c201 0f849e010000 } + $sequence_0 = { 8a540c28 8b4c241c 89942430030000 51 } + $sequence_1 = { 895c241c c744243802000000 895c243c 894c2440 } + $sequence_2 = { 8d942418010000 f3ab 8d8c2420030000 51 52 } + $sequence_3 = { 41 8a9230924000 8851ff 8a5601 83e20f 41 } + $sequence_4 = { 6804010000 51 50 ff15???????? 8d542404 } $sequence_5 = { 33db 8a940c20010000 8a5c0c20 03c2 03c3 25ff000080 7907 } - $sequence_6 = { 81e200008000 52 6a00 6a00 } - $sequence_7 = { 899c242c030000 899c2428030000 899c2424030000 899c2420030000 bf???????? 83c9ff } - $sequence_8 = { 7405 be01000000 8b442418 57 } - $sequence_9 = { 0f8412010000 85f6 779a 8b5c241c 6a00 } + $sequence_6 = { 50 f3ab 8b44241c 8d4c2424 51 8d942484000000 6800100000 } + $sequence_7 = { f3ab 8d442418 50 ffd6 8d4c2414 68???????? } + $sequence_8 = { 33db 8a940c24010000 8a5c0c24 03c2 03c3 } + $sequence_9 = { 5e 5d 8a149530924000 5b 8851ff } condition: 7 of them and filesize < 122880 
@@ -137119,75 +138021,75 @@ rule MALPEDIA_Win_Medusa_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d20a8f8a-0c40-56df-b905-5b8d6ebe61b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "c1c9fc70-974d-5123-8924-52a7b17350e4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.medusa_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.medusa_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "bf22f346b79f830cfb557e80bea02849fba4fc00ac522de893ed484b5992cd17" + logic_hash = "3217fd5215226c2339ad3e0a702f895dc2b1ce667e41be3d72eb99486b7f3255" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e1fb 1cc9 3ca5 2c8e a1???????? d528 } - $sequence_1 = { ff7100 52 ff7200 53 ff7300 54 } - $sequence_2 = { 6a00 4b ff6b00 4c ff6c004d ff6d00 4e } - $sequence_3 = { 0050ff 7000 51 ff7100 } - $sequence_4 = { 53 ff7300 54 ff740055 ff7500 56 } - $sequence_5 = { 8b4c6386 8608 5f e1fb 1cc9 3ca5 2c8e } - $sequence_6 = { 0c48 b5f9 43 324dd5 1ddf859f31 } - $sequence_7 = { 0000 aa 05854cffab 004893 } - $sequence_8 = { 05854cffab 004893 3eb35b 813bf80937dc 8b4c6386 } - $sequence_9 = { 1cc9 3ca5 2c8e a1???????? d528 32f4 } + $sequence_0 = { 8d8d68fdffff e8???????? 
80bdb7fdffff00 743b 8b5704 83fa01 0f860effffff } + $sequence_1 = { 40 83f83c 72f3 56 57 8d8528ffffff 68???????? } + $sequence_2 = { c745e000000000 c745e400000000 6a00 c745fc00000000 8b35???????? 6a00 ffd6 } + $sequence_3 = { 66f3ab 33c0 6689045a 8b45d0 8955d4 8b55cc c745fc00000000 } + $sequence_4 = { 8d4f01 81f900100000 7236 8d4123 3bc1 0f8612010000 eb0a } + $sequence_5 = { c70600000000 83c604 8941fc 3bf2 75eb 8b33 85f6 } + $sequence_6 = { 83ec18 a1???????? 33c5 8945fc 64a12c000000 c745f86c696d2e 8b08 } + $sequence_7 = { 8be5 5d c3 50 e8???????? ba03000000 8d4db0 } + $sequence_8 = { 8b7de4 803d????????00 7512 83fe08 8d4dcc 0f434dcc } + $sequence_9 = { 8bc1 83fa08 7202 8b01 668378045c 7432 b803000000 } condition: - 7 of them and filesize < 1720320 + 7 of them and filesize < 1386496 } rule MALPEDIA_Win_Meow_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8ae50208-eda0-5ebd-a6a9-2e33c00b8273" - date = "2026-01-05" - modified = "2026-01-06" + id = "b5de81e8-1f44-5e30-8176-d20d508f6961" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meow" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.meow_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.meow_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "bb1378303eade72e8b389282cb73ba0dc64a8fed8abbcfd4aff9fb59d7155dea" + logic_hash = "19192ecf084d89611de05e02f6080f20d3a66cb4fa252b82b0945c52f2f7f8e2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + 
malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c68561ffffff16 c68562ffffff23 c68563ffffff12 c68564ffffff23 c68565ffffff70 c68566ffffff23 } - $sequence_1 = { 8985ccfdffff 85c0 0f8431020000 8b483c 03c8 0fb74118 3b85c4fdffff } - $sequence_2 = { 7431 b802000000 2bc1 0345f0 8945f0 8b45f0 99 } - $sequence_3 = { f7fb 88540df1 41 83f90a 72de 8d45f1 898588feffff } - $sequence_4 = { 33c5 8945fc 53 56 0f57c0 894de8 33f6 } - $sequence_5 = { 83c408 eb35 0fb605???????? b225 50 } - $sequence_6 = { 51 52 e8???????? 83c408 8b8c24f4050000 } - $sequence_7 = { 6849372c4f ba0f000000 8d1c3f e8???????? 83c408 68???????? } - $sequence_8 = { 7415 83e801 0f8595010000 c745e498024300 e9???????? 894de0 } - $sequence_9 = { 8bf7 8d7b75 0f1f4000 8a06 8d7601 0fb6c8 83e953 } + $sequence_0 = { c685eafeffff03 c685ebfeffff7a c685ecfeffff03 c685edfeffff70 c685eefeffff03 c685effeffff04 c685f0feffff03 } + $sequence_1 = { 8b5df0 2bc3 8b7d30 3bf8 772f 83f908 8d043b } + $sequence_2 = { 0f434d08 57 8975ec 66837c41fe5c 0f859d000000 c645f800 } + $sequence_3 = { 8d4d90 c6459000 c645916c c6459205 c645936d } + $sequence_4 = { 0fb6c0 83e848 8d04c0 99 f7fb 8d427f 99 } + $sequence_5 = { c685f5f9ffff6d c685f6f9ffff0f c685f7f9ffff5b c685f8f9ffff0f 8d8df0f9ffff c685f9f9ffff0f } + $sequence_6 = { c68555f8ffff52 c68556f8ffff05 c68557f8ffff63 c68558f8ffff05 c68559f8ffff77 c6855af8ffff05 8d8d50f8ffff } + $sequence_7 = { c6858ffeffff6c c68590feffff29 c68591feffff0a c68592feffff29 c68593feffff7c } + $sequence_8 = { c6459b28 c6459c5f c6459d55 c6459e5f c6459f67 c645a05f } + $sequence_9 = { 7540 33f6 8d7e7f 0f1f4000 0f1f840000000000 8a843545ffffff 0fb6c8 } condition: 7 of them and filesize < 492544 
@@ -137197,36 +138099,36 @@ rule MALPEDIA_Win_Navrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0af75ae7-7ace-560b-b2d7-c19b71f71863" - date = "2026-01-05" - modified = "2026-01-06" + id = "866ac8f6-d62a-553b-9f19-633549606dfa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.navrat_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.navrat_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "ae93408812c109848736690d96b263c956c354ad0be060f7ff964bd9ca44b655" + logic_hash = "4cbae2ca94cefd1e952449872598cc5d837176760c350dc9d118e5d9a129fc66" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1e610 0bf0 56 e8???????? } - $sequence_1 = { 7707 0fbec0 83e847 c3 8d48d0 80f909 } - $sequence_2 = { 1bf6 f7de 56 68???????? e8???????? } - $sequence_3 = { 8d48bf 80f919 7707 0fbec0 83e841 } - $sequence_4 = { 8d85a4feffff 50 6801000080 ff15???????? } - $sequence_5 = { 56 50 57 a3???????? ff15???????? 57 ff15???????? 
} - $sequence_6 = { 0fbec0 83e847 c3 8d48d0 80f909 7707 } - $sequence_7 = { 7503 884702 85f6 7407 8b7608 } - $sequence_8 = { fec8 2440 fec8 c3 } - $sequence_9 = { 884702 85f6 7407 8b7608 } + $sequence_0 = { 0fbec0 83c004 c3 3c2b 7503 } + $sequence_1 = { 50 8d85f0feffff 8bf1 50 } + $sequence_2 = { c745dc726f736f c745e066745c57 c745e4696e646f c745e877735c43 } + $sequence_3 = { c745e066745c57 c745e4696e646f c745e877735c43 c745ec75727265 c745f06e745665 c745f47273696f 66c745f86e5c } + $sequence_4 = { 68???????? 50 8d85f0feffff 8bf1 } + $sequence_5 = { c3 8d48d0 80f909 7707 0fbec0 83c004 } + $sequence_6 = { ff15???????? 8bf0 f7de 1bf6 f7de 56 68???????? } + $sequence_7 = { 884702 85f6 7407 8b7608 } + $sequence_8 = { 884702 85f6 7407 8b4608 83401804 } + $sequence_9 = { c745dc726f736f c745e066745c57 c745e4696e646f c745e877735c43 c745ec75727265 c745f06e745665 c745f47273696f } condition: 7 of them and filesize < 352256 
@@ -137236,36 +138138,36 @@ rule MALPEDIA_Win_Wininetloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "362a277f-08db-55d6-afc8-115b8717311e" - date = "2026-01-05" - modified = "2026-01-06" + id = "a3abc831-3617-5eb4-be31-efdfe45c48fa" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wininetloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wininetloader_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wininetloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8b4c276c165b1cb748209b41360afa408d3bb0ddb28615bc03dcc23e6420b5ed" + logic_hash = "86fa7c92cd506c06fe8c95af003b4c9146bc66cb0172f256cc2267584d86db42" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66490f7ed9 4c8d050cb70500 ba28000000 488d4ddf e8???????? 4863d8 498b4540 } - $sequence_1 = { c3 488b0d???????? ba51230000 ff15???????? 488b0d???????? ba53230000 4889442430 } - $sequence_2 = { 5b c3 803d????????00 0f8459ffffff 498bd1 488bcb 4883c430 } - $sequence_3 = { 458d4118 488bce ff15???????? 8b442430 4038bc24e0000000 0f45442434 4c63c0 } - $sequence_4 = { 48891d???????? 48c705????????0f000000 881d???????? 448d431b 488d15d9be0f00 488d0d522e1200 e8???????? 
} - $sequence_5 = { eb02 b301 4883fa10 722d 48ffc2 488bc1 4881fa00100000 } - $sequence_6 = { c6430600 eb21 48c744242006000000 4c8d0dc3d10b00 4533c0 418d5006 488d4c2430 } - $sequence_7 = { 803a5c 752a 4c8d4201 4c3bc0 7421 f6c108 750a } - $sequence_8 = { e9???????? 488d8aa8000000 4883c108 e9???????? 488d8aa8000000 e9???????? 4055 } - $sequence_9 = { 5e 5d c3 ba5e230000 488b4e18 ff15???????? 488bc8 } + $sequence_0 = { 410fb6de ff15???????? 488bc8 8bd3 ff15???????? 488bcf 488b5c2450 } + $sequence_1 = { e8???????? ffc3 83fb0a 0f8ef8feffff 418bde 83f301 8d145d7c230000 } + $sequence_2 = { 4d8bf0 eb0b 4c8d3410 4d3bf0 4d0f42f0 4c89742428 498bd6 } + $sequence_3 = { 771c 4883f901 745b 48ffc9 4883c002 410fb71402 440fb700 } + $sequence_4 = { 4c8b7537 488b751f 0f1000 0f114597 0f104810 0f114da7 4c897810 } + $sequence_5 = { e9???????? 488d0d84870400 e9???????? 488d0da8830400 4881c1a8030000 e9???????? 488d0dad870400 } + $sequence_6 = { 807c243000 741f 48897580 4c8bc3 488bd7 488d8d78010000 e8???????? } + $sequence_7 = { 7479 4c8d5238 33c9 0f1f8000000000 33c0 488d5260 4d8d5260 } + $sequence_8 = { 4c8b642450 8b742434 488b4c2448 807c0c6c20 7512 400fb6f6 84db } + $sequence_9 = { 83e3fb 488d4d98 e8???????? 90 f6c302 740d 83e3fd } condition: 7 of them and filesize < 2659328 
@@ -137275,36 +138177,36 @@ rule MALPEDIA_Win_Avrecon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e925dd84-abb8-59f0-bccd-32907a99e474" - date = "2026-01-05" - modified = "2026-01-06" + id = "eca3a971-f511-5ef2-89a0-7adb756955b0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.avrecon_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.avrecon_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "765f86e5cde1b429c99a3eaacfdc82ca40acf684e216c378122ba2b0c85c22ec" + logic_hash = "a9e3b0d5f08e716474ed1f20e93ae72ff4e589fa38c1d5f2c68ac50a3376f653" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a24 8d4554 50 e8???????? } - $sequence_1 = { 8d45f8 50 53 ff75ec c745f801000000 ffd7 83f8ff } - $sequence_2 = { 83791c01 7511 6a00 8d4514 50 56 57 } - $sequence_3 = { 8d4401fc c7457401000000 894570 8d7c1f04 837d7000 } - $sequence_4 = { 807d7301 7508 e8???????? 885d73 8d85a8f3ffff 50 } - $sequence_5 = { 8d85a8f7ffff 50 c7454000040000 ff15???????? } - $sequence_6 = { 51 894d30 33c0 8d8d18feffff 40 51 50 } - $sequence_7 = { 50 bb7f660440 53 ff7508 c745f801000000 ffd7 83f8ff } - $sequence_8 = { 50 e8???????? 85c0 7466 6a0e 68???????? 
} - $sequence_9 = { 83650800 b8e8030000 660105???????? 0fb705???????? 50 ffd6 668945de } + $sequence_0 = { 50 ff15???????? e9???????? 55 8bec 83ec54 53 } + $sequence_1 = { 7411 8a0a 84c9 740b 380e 7507 46 } + $sequence_2 = { 8d85c8fbffff 50 897548 c7455c00001000 e8???????? } + $sequence_3 = { c645d600 c645d701 c645d500 ff15???????? 83f8ff 0f8454020000 8b3d???????? } + $sequence_4 = { 741d 4e 4e 753c ff7554 8b757c } + $sequence_5 = { 50 6880000000 57 ff7508 ffd6 6a04 8d45f8 } + $sequence_6 = { 57 ff7558 ff756c e8???????? 85c0 7e61 } + $sequence_7 = { 297558 eb03 897578 017564 } + $sequence_8 = { 8bd8 3bdf 0f8e88010000 6a20 8d4524 50 e8???????? } + $sequence_9 = { 57 c705????????01000000 ff15???????? 33c0 40 898584fbffff 898588fcffff } condition: 7 of them and filesize < 360448 
@@ -137314,79 +138216,79 @@ rule MALPEDIA_Win_Korlia_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "506d7e40-9719-5cd2-8082-4c83f4ea46d2" - date = "2026-01-05" - modified = "2026-01-06" + id = "c7dea4f6-fee3-5525-afd7-ce607af66cca" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.korlia_auto.yar#L1-L483" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.korlia_auto.yar#L1-L475" license_url = "N/A" - logic_hash = "35dbce2c60635b96058b21e359bfd25de3754320395854f3bf9872914070ac08" + logic_hash = "726fc54991a81f4aee90ee4555ecd5db6b457d4fd75051b4c68d02dd572c22db" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a28 68???????? 6aff 53 } - $sequence_1 = { 8bfa f7ef c1fa14 8bc2 c1e81f } - $sequence_2 = { 0f9445e4 5b 59 5a c745fcffffffff } - $sequence_3 = { c3 85db 7410 6a28 } - $sequence_4 = { 53 6a00 6a00 ffd6 ff15???????? 8bf8 b83bd4b531 } - $sequence_5 = { 51 68???????? 68???????? ffd6 b905000000 } - $sequence_6 = { 85c0 7507 53 ff15???????? 55 } - $sequence_7 = { ffd6 8bc7 b980ee3600 99 f7f9 b873b2e745 } + $sequence_0 = { f7ea c1fa0e 8bc2 c1e81f 03d0 } + $sequence_1 = { 33c0 f2ae f7d1 49 83f90f 7604 } + $sequence_2 = { ffd6 ff15???????? 
8bf8 b83bd4b531 f7ef } + $sequence_3 = { 6a00 ffd6 68???????? c705????????1c010000 ff15???????? } + $sequence_4 = { 8bc7 b9005c2605 99 f7f9 b859be904a } + $sequence_5 = { 6a28 68???????? 6aff 53 6a00 6a00 } + $sequence_6 = { ffd6 b905000000 be???????? bf???????? } + $sequence_7 = { 0f9445e4 5b 59 5a c745fcffffffff } $sequence_8 = { 53 6a01 53 53 53 51 ff15???????? } - $sequence_9 = { 8b442404 56 6a00 6a00 6a01 } - $sequence_10 = { 6a01 6a00 6a00 6800000040 50 ff15???????? 8bf0 } - $sequence_11 = { e8???????? 8a4c2404 6a01 884814 8b4c240c } - $sequence_12 = { 7423 8b542410 8b44240c 8d4c2408 6a00 51 } - $sequence_13 = { 8b4c240c 898840200000 58 c20800 e9???????? } - $sequence_14 = { 50 56 ff15???????? 56 ff15???????? b001 } - $sequence_15 = { 59 59 c3 8b65e8 ff7588 ff15???????? 833d????????ff } - $sequence_16 = { ff15???????? 833d????????ff 750c ff742404 ff15???????? 59 c3 } - $sequence_17 = { ff15???????? 8bf0 83feff 7423 8b542410 } - $sequence_18 = { f2ae f7d1 2bf9 6810270000 } - $sequence_19 = { ff742410 ff742410 ff742410 e8???????? c21000 e8???????? 8a4c2404 } - $sequence_20 = { 8bf9 81e7ff000000 03f2 03f7 } - $sequence_21 = { b8447c0000 e8???????? 53 56 57 } - $sequence_22 = { 6a00 680030c800 6a00 6a00 68???????? } - $sequence_23 = { 8b542438 83c504 50 895500 } - $sequence_24 = { 8d442444 894d00 8b542438 83c504 } - $sequence_25 = { 6a00 6880000000 6800000400 8bce e8???????? } + $sequence_9 = { 6a01 6a00 6a00 6800000040 50 ff15???????? 8bf0 } + $sequence_10 = { 8b442404 56 6a00 6a00 6a01 } + $sequence_11 = { f2ae f7d1 2bf9 6810270000 } + $sequence_12 = { e8???????? 8a4c2404 6a01 884814 8b4c240c 898840200000 } + $sequence_13 = { ff15???????? 833d????????ff 750c ff742404 ff15???????? 59 c3 } + $sequence_14 = { ff742410 ff742410 e8???????? c21000 e8???????? 8a4c2404 6a01 } + $sequence_15 = { 52 50 56 ff15???????? 56 ff15???????? b001 } + $sequence_16 = { c3 8b65e8 ff7588 ff15???????? 833d????????ff 750c } + $sequence_17 = { 8b4c240c 898840200000 58 c20800 e9???????? 
6800060000 6a00 } + $sequence_18 = { 8bf0 83feff 7423 8b542410 8b44240c } + $sequence_19 = { 6a00 680030c800 6a00 6a00 68???????? } + $sequence_20 = { b8447c0000 e8???????? 53 56 57 } + $sequence_21 = { 894d00 8b542438 83c504 50 895500 } + $sequence_22 = { 6a00 6880000000 6800000400 8bce e8???????? } + $sequence_23 = { 8bf9 81e7ff000000 03f2 03f7 } + $sequence_24 = { 83e103 03e8 f3a4 b982000000 33c0 } + $sequence_25 = { 51 ff15???????? a1???????? b981000000 } $sequence_26 = { ffd6 8d44240c 6804010000 50 } - $sequence_27 = { 51 ff15???????? a1???????? b981000000 } - $sequence_28 = { 6a00 6a00 6a00 50 8bce e8???????? 6a00 } - $sequence_29 = { 85c0 750c ff15???????? 53 } - $sequence_30 = { 7403 50 ffd6 b912010000 } - $sequence_31 = { 56 57 b940000000 8d7c2411 88442410 f3ab } - $sequence_32 = { ff15???????? 50 ff15???????? 68d0070000 ff15???????? } - $sequence_33 = { 8d4c2410 6804010000 51 aa ff15???????? } - $sequence_34 = { 3bc3 57 740b 8b35???????? 50 ffd6 } - $sequence_35 = { ffd6 eb06 8b35???????? a1???????? 3bc3 7403 50 } + $sequence_27 = { 85c0 750c ff15???????? 53 e9???????? } + $sequence_28 = { 33c0 8dbc245e020000 66899c245c020000 f3ab } + $sequence_29 = { 68???????? 6801000080 ff15???????? 85c0 0f8599000000 53 } + $sequence_30 = { 56 68ff0f1f00 ff15???????? 85c0 740a } + $sequence_31 = { 5e 24fe 5b 40 } + $sequence_32 = { 51 aa ff15???????? bf???????? 83c9ff 33c0 8d542410 } + $sequence_33 = { 8b35???????? 50 ffd6 eb06 8b35???????? a1???????? } + $sequence_34 = { 8b35???????? a1???????? 3bc3 7403 } + $sequence_35 = { 57 740b 8b35???????? 50 } $sequence_36 = { 83c414 e8???????? 6a00 6a00 8d542414 } - $sequence_37 = { 6a00 8d542414 6a00 52 68???????? 6a00 } - $sequence_38 = { 68???????? 6801000080 ff15???????? 85c0 0f8599000000 53 56 } - $sequence_39 = { 33c0 8dbc245e020000 66899c245c020000 f3ab } - $sequence_40 = { 56 68ff0f1f00 ff15???????? 
85c0 740a 56 } - $sequence_41 = { f3ab aa b9f9000000 33c0 } - $sequence_42 = { 5e 24fe 5b 40 81c408010000 c3 83c8ff } - $sequence_43 = { 83c41c 8d5c1850 83c520 41 81fb00200000 } - $sequence_44 = { 52 ff15???????? 85c0 8945dc } - $sequence_45 = { e9???????? c745e0a08b4100 e9???????? c745e0a88b4100 e9???????? } - $sequence_46 = { 8d8c24782c0000 50 51 e8???????? 83c41c 85c0 7443 } - $sequence_47 = { 8a443b28 88443328 46 88543b28 81fe80000000 7ccb 8b4dfc } - $sequence_48 = { 68???????? 50 c745c8f4010000 ff15???????? 8b4dec 8bf0 51 } - $sequence_49 = { 57 8d1c8584bf4100 33c0 f00fb10b 8b15???????? 83cfff 8bca } - $sequence_50 = { c785e4edffff0c000000 c785e8edffff00000000 c785ecedffff01000000 ff15???????? 8d8580edffff 50 ff15???????? } - $sequence_51 = { 50 8d8424ac010000 50 51 } - $sequence_52 = { 83e908 8d7608 660fd60f 8d7f08 8b048d144e4000 ffe0 f7c703000000 } + $sequence_37 = { 7403 50 ffd6 b912010000 } + $sequence_38 = { 8d7c2411 88442410 f3ab 66ab 8d4c2410 6804010000 51 } + $sequence_39 = { 8d442400 50 6806000200 6a00 } + $sequence_40 = { 56 3bc3 57 740b } + $sequence_41 = { 8b4620 53 ffd0 85c0 7433 8b45fc } + $sequence_42 = { ff15???????? 8bf0 6a00 85f6 7510 8b35???????? } + $sequence_43 = { 8b0cc57c944100 894de4 85c9 7455 8b4510 } + $sequence_44 = { 8d843c8d280000 56 50 51 ffd5 } + $sequence_45 = { 0f118574ddffff ff15???????? 8d9564ddffff 8bf2 0f1f840000000000 668b02 83c202 } + $sequence_46 = { 56 ff15???????? 8d4c240c 6a00 51 8d942420020000 } + $sequence_47 = { 897ddc 897dfc ff15???????? 3bc7 8945e8 7415 } + $sequence_48 = { 0f8444020000 b9???????? 8d85f4f8ffff 0f1f4000 8a10 3a11 } + $sequence_49 = { 8b8decefffff 8d85fcefffff 50 e8???????? } + $sequence_50 = { 8b6c244c 66ab 8d442454 8d8c245c020000 50 51 } + $sequence_51 = { 52 ffd3 68f4010000 8d85c4fdffff 68???????? 50 } + $sequence_52 = { c0ec07 8845fa 8a4302 8845ff } condition: 7 of them and filesize < 263168 
@@ -137396,36 +138298,36 @@ rule MALPEDIA_Win_Bottomloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bdd8fe32-22cd-5060-a395-421a392e2bd1" - date = "2026-01-05" - modified = "2026-01-06" + id = "46f34a43-3db5-5ef1-9958-b6c9596ba25b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bottomloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bottomloader_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bottomloader_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "b7681a0b4dfc773cac57468dbf0ac81e795dbff01a4fc0df233a09abd9d3252c" + logic_hash = "b0d59c0f9fc58fd278ab5fcc06a80a7243ece9019c1e96be659c478b7b007c4d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 488d3537d60700 488975c8 48c745c00e000000 488d4dc0 e8???????? 488d051bd60700 } - $sequence_1 = { e8???????? 4889c6 488d0579400600 488945c8 48c745c016000000 488d55c0 48899578feffff } - $sequence_2 = { 48897de8 e8???????? 4889c7 4885ff 746f 488d0ddcda0700 e8???????? } - $sequence_3 = { 4889bdd8fdffff 8b05???????? 65488b0c2558000000 488b14c1 bbf0090000 4c8b441a08 4c0b041a } - $sequence_4 = { 488975f8 488d55f0 488d8d70ffffff e8???????? 488d8d70ffffff e8???????? 488b9d60ffffff } - $sequence_5 = { ba43010000 488d0d57dc0700 e8???????? 
4d8b542408 410fb63412 eb05 beff000000 } - $sequence_6 = { 488d0dc5800b00 4883ec20 e8???????? 4883c420 48898550ffffff 48899558ffffff 4c8b8550ffffff } - $sequence_7 = { c3 48895518 488d058b140b00 488945f8 48c745f027000000 488d55f0 8bce } - $sequence_8 = { 7442 4883fa02 7472 e9???????? 4d8bc4 488d5520 488d8db0feffff } - $sequence_9 = { 4531c0 ba86100000 488d0db8fd0500 e8???????? 4a8d0c0b 488b55f8 e8???????? } + $sequence_0 = { 488b5708 488b07 48898500ffffff 48899508ffffff 4c8d8d00ffffff 448b4520 498b542408 } + $sequence_1 = { 4c8b8d58fcffff 450fbe2431 488d0d6e3b0800 4883ec20 e8???????? 4883c420 4989c6 } + $sequence_2 = { 4883ec30 498bf9 8b0a e8???????? 90 488d1dfa5b0400 488d35bb140200 } + $sequence_3 = { 488b02 488b5208 488945e0 488955e8 4c8d4de0 4c8b4520 488d0d06500a00 } + $sequence_4 = { 4989f8 ba47050000 488d0de8710800 e8???????? 488bc6 482bc7 488945f0 } + $sequence_5 = { 488d056a1e0400 488945d8 48c745d00f000000 488d55d0 b903000000 } + $sequence_6 = { 488985f0feffff 488995f8feffff 488d8df0feffff 488b9570feffff 4883ec20 e8???????? 4883c420 } + $sequence_7 = { 654c8b142558000000 4f8b24ca bac00a0000 498b3c14 4c8b8788000000 4983c008 4c8945e0 } + $sequence_8 = { 4531c9 4d89c8 ba9f090000 488d0d4a190b00 e8???????? 4c8b9508ffffff 410fb632 } + $sequence_9 = { 48894590 41b901000000 4531c0 bafe060000 488d0d10e80500 e8???????? 488b5e08 } condition: 7 of them and filesize < 1955840 
@@ -137435,36 +138337,36 @@ rule MALPEDIA_Win_Roll_Sling_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "291394b2-c9d5-58b3-b157-b1e8265d7d6c" - date = "2026-01-05" - modified = "2026-01-06" + id = "c7529b87-37b3-50a4-992c-7b1806af797c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roll_sling" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.roll_sling_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.roll_sling_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "fde2b7753670b142ee16bd9c69d80bdb5da3ac212825981d31dd1e2015cde6f5" + logic_hash = "e71dd941a58b182188ea7f2aca36af69916fce13d6136739ddc809de547c8460" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ba04000000 488bcf e8???????? 498bce 48833d????????10 480f430d???????? } - $sequence_1 = { 492bd0 4803d7 e8???????? 4533c9 4533c0 } - $sequence_2 = { 42385cf839 0f84ca000000 488d05a9ee0000 4a8b0ce8 488d55f0 4a8b4cf928 } - $sequence_3 = { 4c8d0d63b40000 8bda 4c8d0552b40000 488bf9 488d1550b40000 b904000000 e8???????? 
} - $sequence_4 = { 440f44d2 0fb74806 41ffc4 4c8b442468 4883c328 443be1 } - $sequence_5 = { 4883c227 4d8b6df8 492bc5 4883c0f8 4883f81f 0f877c040000 498bcd } - $sequence_6 = { 483bc3 7306 4c8bf3 488bd8 4533c9 4c8bc3 } - $sequence_7 = { 448bb090000000 4d03f7 498bce ff15???????? 85c0 0f8530010000 } - $sequence_8 = { eb14 4889742420 4c8d4da0 488bd6 } - $sequence_9 = { 4c89742428 4c897c2420 e8???????? 488bcb 488bf0 e8???????? } + $sequence_0 = { 488d15db6c0100 488d4c2420 e8???????? cc 48895c2410 4889742418 57 } + $sequence_1 = { 4d8be1 498be8 4c8bea 498b84ff90f20100 4983ceff 493bc6 0f84ea000000 } + $sequence_2 = { 8b84865cf50000 4803c6 ffe0 660f73d901 eb60 660f73d902 } + $sequence_3 = { 4c8d6fff 4883fa01 b80d000000 41bf0a000000 440f44f8 33db } + $sequence_4 = { 44397718 7e2d 498bde 6690 488b4f10 488b040b 4885c0 } + $sequence_5 = { 488d4c2438 e8???????? 41b808000000 488bd0 488d4c2458 e8???????? } + $sequence_6 = { 4c8bea 4b8b8cfe90f70100 4c8b15???????? 4883cfff 418bc2 } + $sequence_7 = { 0fb60a 83e10f 4a0fbe841940340100 428a8c1950340100 482bd0 8b42fc d3e8 } + $sequence_8 = { 4883c0f8 4883f81f 0f87ee040000 e8???????? 488b0d???????? 488b15???????? } + $sequence_9 = { 488bd9 488d1583820000 b916000000 4c8d056f820000 } condition: 7 of them and filesize < 299008 
@@ -137474,41 +138376,41 @@ rule MALPEDIA_Win_Buhtrap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "05b4ba66-68ba-54c1-8d1c-18fdeb619511" - date = "2026-01-05" - modified = "2026-01-06" + id = "ec0d633d-f726-5533-a1eb-663afc320fe0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.buhtrap_auto.yar#L1-L156" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.buhtrap_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "eac17ec81dd5c0445bcaac0e052f572182cee6f02fda0d2839f8933537f248ba" + logic_hash = "ed60490c21bc1b3352b78afbc750c7d4550d0a80c764f1584e5e48f6256ee492" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 59 59 84c0 0f8435010000 } - $sequence_1 = { ff5010 837df000 0f84e7000000 85c0 0f85c9000000 } - $sequence_2 = { 8d442454 50 53 6a0a 5a e8???????? 50 } - $sequence_3 = { 53 ffd6 8bd8 2b5dfc 895dec } - $sequence_4 = { 66895dec 8bf3 8afb 8bc6 8a9c35ecfeffff } - $sequence_5 = { 8d4df0 51 8d4df8 51 6a01 6aff 52 } - $sequence_6 = { 57 ffd6 57 8945fc ffd6 59 59 } - $sequence_7 = { ba0a010000 b9???????? e8???????? 83ec0c be???????? } - $sequence_8 = { ff75f4 ff15???????? 
8b45e8 5e } - $sequence_9 = { 8d742414 c744241401234567 c744241889abcdef c744241cfedcba98 } - $sequence_10 = { 8945fc 8a040a 8801 41 } - $sequence_11 = { c645ff00 897df8 3bdf 0f84ad010000 8b4634 } - $sequence_12 = { 807d1000 50 ff7508 740c } - $sequence_13 = { 8b4508 c7403401000000 8b45f8 3bc6 } - $sequence_14 = { 765c 837c241000 7655 51 e8???????? 59 } + $sequence_0 = { 59 59 84c0 0f8435010000 } + $sequence_1 = { 8bec 81ec10010000 803d????????00 7407 32c0 e9???????? 8b450c } + $sequence_2 = { 50 6a1e 5a e8???????? 8d542420 8bc8 } + $sequence_3 = { 740f 8a10 80fa5c 7405 } + $sequence_4 = { 744d 8b5dfc b9???????? 6a04 5a e8???????? 8bc8 } + $sequence_5 = { 8bec 83e4f8 81ec44030000 53 56 57 33db } + $sequence_6 = { ab 8d55d8 6a00 6a00 52 ab } + $sequence_7 = { 881d???????? ebde 55 8bec 81ec0c010000 } + $sequence_8 = { 0f8487000000 2df5010000 743f 83e805 } + $sequence_9 = { 83c414 53 ff7510 8945fc 8b4514 ff750c } + $sequence_10 = { ff770c ff750c 50 ff15???????? eb06 } + $sequence_11 = { 8d45fc 50 53 6a01 ff750c 897dfc } + $sequence_12 = { 6a08 68???????? e8???????? 33f6 8975fc 397508 } + $sequence_13 = { 6854ca559f 6a02 68???????? 890e } + $sequence_14 = { e8???????? 59 894638 ff7708 } condition: 7 of them and filesize < 131072 
@@ -137518,36 +138420,36 @@ rule MALPEDIA_Win_Havoc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5b73e703-1ccd-5166-ac2d-206885cae394" - date = "2026-01-05" - modified = "2026-01-06" + id = "5c9a5c6e-7119-5672-9d7d-68e09256b0ee" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.havoc_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.havoc_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "81f90ef0d0bf3fd238a11a66b3faf732476c67ba4c05a3cc03c8bd35850d8f8f" + logic_hash = "3c6ad302b235fd674b56883bc66d46b6d6860824c99911a7dfd5d00f6ea0425a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7512 31c0 80bc245e01000001 0f94c0 } - $sequence_1 = { 4489c0 4501c0 c0e807 4531cf 448a4afe } - $sequence_2 = { 884c2439 8a4c243a 8844243a 8a442436 884c2432 8a4c243e 8844243e } - $sequence_3 = { 4154 55 89cd b940000000 } - $sequence_4 = { 83f902 7512 31c0 80bc245e01000001 0f94c0 } - $sequence_5 = { 488b01 ff5018 85c0 75e2 488b0b } - $sequence_6 = { 4889cb 4883ec78 4885c9 7507 31c0 e9???????? 4889d1 } - $sequence_7 = { 4883ec20 e8???????? 
488b06 488b5608 488983f0000000 488993f8000000 488d65f0 } - $sequence_8 = { 4989d0 31d2 4c898c2488000000 498b0424 4c8d8c2480000000 4c894c2438 4c894c2428 } - $sequence_9 = { 7407 488b442428 eb1b 488b06 4883c9ff } + $sequence_0 = { 488b3b 48b84f6c654175743332 4889442430 e8???????? } + $sequence_1 = { 53 4c89c3 4883ec40 4983782200 488b2d???????? 4889542478 } + $sequence_2 = { 8a4c2435 8a442431 884c2431 8a4c2439 884c2435 8a4c243d 8844243d } + $sequence_3 = { 41b914000008 f3ab 488b05???????? b901000000 488b00 } + $sequence_4 = { 488b8424c8000000 4889442430 488d442458 4889442420 e8???????? 4883c478 5b } + $sequence_5 = { ff5010 488d65c8 5b 5e } + $sequence_6 = { 4c39e0 7e07 31c0 e9???????? 8901 } + $sequence_7 = { 53 448a0402 44880401 448a440201 } + $sequence_8 = { 4889d7 ba38000000 56 4489ce 53 4489c3 4883ec20 } + $sequence_9 = { 4183e920 6bc021 450fb6c9 49ffc2 } condition: 7 of them and filesize < 164864 
@@ -137557,42 +138459,41 @@ rule MALPEDIA_Win_Necurs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "86cbd739-582e-5cdb-a27a-e3c4138c2a5e" - date = "2026-01-05" - modified = "2026-01-06" + id = "34c696ae-bbd3-5931-a063-4c7c98e19dba" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.necurs_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.necurs_auto.yar#L1-L151" license_url = "N/A" - logic_hash = "39922dfc2893e9d4c51db465a227b3ce728857825f7b204e465cc4626e505419" + logic_hash = "9d9a8c9fa7d307e1e387078103df96497534e03b48f5899bf7f62c97d14baf14" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8bf2 ba06e0a636 f7e2 } - $sequence_1 = { 13f2 a3???????? 8935???????? 890d???????? 8bc1 } - $sequence_2 = { 33d2 030d???????? a3???????? a1???????? } - $sequence_3 = { 397508 7604 33c0 eb12 } - $sequence_4 = { 890d???????? 8bc1 5e c3 55 8bec } - $sequence_5 = { 46 f7f6 8bc2 034508 5e 5d c3 } - $sequence_6 = { 0f31 8bc8 a1???????? 56 } - $sequence_7 = { 33c0 eb12 e8???????? 2b7508 } - $sequence_8 = { 8d85ecfbffff 57 50 e8???????? 83c410 } - $sequence_9 = { 33d7 33c1 52 50 } - $sequence_10 = { ffd6 8bf8 59 59 85ff 74df } - $sequence_11 = { 5e 5f c9 c3 8b35???????? 
} + $sequence_0 = { 8935???????? 890d???????? 8bc1 5e } + $sequence_1 = { a1???????? 13f2 a3???????? 8935???????? } + $sequence_2 = { 8bf2 ba06e0a636 f7e2 03c8 } + $sequence_3 = { f7f6 8bc2 034508 5e 5d } + $sequence_4 = { 8bc8 a1???????? 56 8bf2 ba06e0a636 } + $sequence_5 = { 33c0 eb12 e8???????? 2b7508 33d2 46 } + $sequence_6 = { 03c8 a1???????? 13f2 33d2 } + $sequence_7 = { 8d85ecfbffff 57 50 e8???????? 83c410 } + $sequence_8 = { 33d7 33c1 52 50 } + $sequence_9 = { ffd6 8bf8 59 59 85ff 74df } + $sequence_10 = { 33c0 33d2 5e 5f } + $sequence_11 = { 8bd7 e9???????? 83caff 8bc2 e9???????? } $sequence_12 = { 99 6848640300 68da279b71 33d7 } - $sequence_13 = { 8bc1 8bd7 e9???????? 83caff 8bc2 e9???????? } - $sequence_14 = { 57 57 57 8d8574ffffff 50 } - $sequence_15 = { 8bc1 0bc7 7409 8bc1 8bd7 e9???????? } + $sequence_13 = { 8bc1 0bc7 7409 8bc1 8bd7 } + $sequence_14 = { 6a7d 50 ffd6 59 59 85c0 74ce } condition: 7 of them and filesize < 475136 
@@ -137602,53 +138503,53 @@ rule MALPEDIA_Win_Hancitor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "816fbcdd-d0a4-5ec6-aee7-dc5bd967236b" - date = "2026-01-05" - modified = "2026-01-06" + id = "91f90cd8-2c17-5972-99f3-0f2db1505cdf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hancitor_auto.yar#L1-L255" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hancitor_auto.yar#L1-L262" license_url = "N/A" - logic_hash = "92b7f15d306c0b7e353f23f95c271bcb97f7f829d7a8b924160714a7ac9e4284" + logic_hash = "c235e09ea03cf82c8665b90fa1c4d6233a4fb7acd34f936d686bc561cd8479d6" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 6a00 6824040000 6a00 6a00 } - $sequence_1 = { 6800010000 6a40 68???????? e8???????? } - $sequence_2 = { 750d e8???????? 83c010 a3???????? } - $sequence_3 = { 6a20 68???????? 68???????? e8???????? 83c410 } - $sequence_4 = { 55 8bec 81ec58010000 6a44 } - $sequence_5 = { c745f800000000 c745fc00000000 c745e800000000 6a40 6800300000 8b45f0 50 } - $sequence_6 = { 57 8b483c 33f6 03c8 6a40 } - $sequence_7 = { 50 c60600 ff15???????? 8b3d???????? 
} - $sequence_8 = { 8b01 2b4234 03450c 8b4de0 8901 8b55f8 83c202 } - $sequence_9 = { 8b4dec 8b5150 8955f0 c745f800000000 } - $sequence_10 = { 8bec 8b4d08 6a00 6a01 } - $sequence_11 = { 8b4508 0fbe08 83f97b 750b 8b5508 83c201 895508 } - $sequence_12 = { 8955dc 8b45dc 8b08 894dd8 8b5508 } - $sequence_13 = { 83f941 72ed 881d???????? c705????????01000000 } - $sequence_14 = { 8b4c1010 51 6b55fc28 8b45f4 8b4d08 034c1014 51 } - $sequence_15 = { c745fc00000000 b901000000 85c9 7448 8b5508 } - $sequence_16 = { 41 3bc8 72f7 c6043000 40 } - $sequence_17 = { 6a01 51 8b413c 8b440828 03c1 } - $sequence_18 = { 83c410 83f801 750e 57 ff15???????? 8bd8 } - $sequence_19 = { f9 a6 c3 4b fd 008d4556f400 08640f08 } - $sequence_20 = { 40 8945d0 8b45c0 83c008 8945c0 8b45b8 } - $sequence_21 = { 8b45a0 05c8d45566 7440 c745880a000000 eb07 8b4588 } - $sequence_22 = { 55 08709e 891f 3e50 } - $sequence_23 = { 2345e4 8945d8 c645f300 c645fc65 } - $sequence_24 = { a1???????? 8945b4 a1???????? 83c044 a3???????? } - $sequence_25 = { 8b45b4 83e803 8945b4 eb22 } - $sequence_26 = { 0305???????? a3???????? a1???????? 0faf45bc a3???????? ebc5 8365d400 } + $sequence_0 = { 6a00 6a00 6824040000 6a00 } + $sequence_1 = { 6824040000 6a00 6a00 6a00 } + $sequence_2 = { 6800010000 6a40 68???????? e8???????? 83c40c } + $sequence_3 = { 750d e8???????? 83c010 a3???????? } + $sequence_4 = { 6a20 68???????? 68???????? e8???????? 83c410 83f801 } + $sequence_5 = { 55 8bec 81ec58010000 6a44 } + $sequence_6 = { 8945f8 8b4df8 894df4 6a00 6a01 8b5508 52 } + $sequence_7 = { 7507 33c0 e9???????? 
837de800 0f849a000000 8b4df4 8b5104 } + $sequence_8 = { 8bec 8b4d08 6a00 6a01 51 } + $sequence_9 = { 66894dfc 0fb755fc 83fa03 752b 8b45f4 8b4d08 0308 } + $sequence_10 = { 8b5950 8b4134 53 50 ff7508 } + $sequence_11 = { 3bc8 72f7 c6043000 40 5e } + $sequence_12 = { 8bd8 83fbff 7509 6a00 } + $sequence_13 = { 8bec 83ec2c 8b4508 8945e4 8b4de4 8b5508 03513c } + $sequence_14 = { 53 56 57 8b483c 33f6 03c8 6a40 } + $sequence_15 = { 33c0 eb7b 8b4508 0fbe08 83f97b 750b 8b5508 } + $sequence_16 = { 51 e8???????? 83c404 ebb1 } + $sequence_17 = { 8b4dfc 85c0 7402 8908 8b5518 85d2 } + $sequence_18 = { 8b413c 8b440828 03c1 ffd0 33c0 } + $sequence_19 = { a3???????? ebc5 8365d400 c745d0049d4000 a1???????? 8945d8 } + $sequence_20 = { 8b69e8 1540003708 088f65497d4d 89ec 7973 } + $sequence_21 = { 83c05b a3???????? a1???????? 0345cc } + $sequence_22 = { c705????????053f0f00 c745c007000000 c745dcc8954000 a1???????? 8945ec 8b45d8 2345e4 } + $sequence_23 = { a3???????? b9382baa99 c7458ce4f25701 ff15???????? 894da0 a1???????? } + $sequence_24 = { 83c044 a3???????? 8b45b4 83e803 } + $sequence_25 = { 8b45d8 2345e4 8945d8 c645f300 c645fc65 } + $sequence_26 = { a1???????? a3???????? b9382baa99 8d45fc 50 6a00 6a00 } condition: 7 of them and filesize < 106496 
@@ -137658,42 +138559,42 @@ rule MALPEDIA_Win_Citadel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "405c8c54-58ec-5453-982e-e98970e4bd4a" - date = "2026-01-05" - modified = "2026-01-06" + id = "ae8e7236-0008-59d9-b25b-2f4e4ce0fb70" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.citadel_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.citadel_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "9d24b0310c4a8508a9f96dd7e09a8073428bd68f73c4d97c0967ade9f8cc7c1c" + logic_hash = "2ea1755e280357833299c68e03bd91e76adb6bee21b3adff71679409787c95ea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb0e 6800800000 53 57 } - $sequence_1 = { 03f7 6a0d 5f e8???????? } - $sequence_2 = { 3d00002003 7715 8b4d08 890e } - $sequence_3 = { 50 57 e8???????? 33db 3c01 } - $sequence_4 = { 41 66395802 7405 83c002 } - $sequence_5 = { a1???????? 57 e8???????? 8945fc 3bc3 } - $sequence_6 = { ff15???????? 85c0 0f8566010000 57 57 57 } + $sequence_0 = { eb0e 6800800000 53 57 56 ff15???????? } + $sequence_1 = { ff15???????? 
85c0 0f8566010000 57 } + $sequence_2 = { 41 66395802 7405 83c002 } + $sequence_3 = { 3d00002003 7715 8b4d08 890e } + $sequence_4 = { 0f8566010000 57 57 57 } + $sequence_5 = { 50 57 e8???????? 33db 3c01 } + $sequence_6 = { 03f7 6a0d 5f e8???????? 59 59 } $sequence_7 = { 33c9 663918 7507 41 } - $sequence_8 = { eb81 d0e9 3aca 73fa 0fb6c9 8b04c8 ebae } - $sequence_9 = { 8b5004 0310 8d7101 3bf2 } - $sequence_10 = { 6685c0 7432 66ff460e 6639460e 7228 } - $sequence_11 = { 33c0 85c0 7409 3255fd } - $sequence_12 = { 6685c0 7432 66ff460c 6639460c } - $sequence_13 = { 5b b001 eb30 d0e8 } - $sequence_14 = { 85c0 740b 8a5604 8a4e01 ffd0 884601 33c0 } - $sequence_15 = { ffd0 8807 fe45ff 8a45ff 3a06 72c4 0fb7460a } + $sequence_8 = { 33c0 6689460e 0fb74606 6685c0 7432 66ff460c } + $sequence_9 = { 8bf8 c745f801000000 85f6 0f842b010000 837e1000 0f8421010000 807e1400 } + $sequence_10 = { 0f8525ffffff 5b b001 eb30 d0e8 } + $sequence_11 = { 0f8421010000 807e1400 0f8417010000 85ff 0f84dd000000 53 837df800 } + $sequence_12 = { 7432 66ff460e 6639460e 7228 8b4610 8a4e09 } + $sequence_13 = { eb30 d0e8 3ac3 73fa } + $sequence_14 = { 85c0 7409 3255fd 8a0f ffd0 8807 } + $sequence_15 = { 7404 84d2 7575 33c0 85c0 740b } condition: 7 of them and filesize < 1236992 
@@ -137703,36 +138604,41 @@ rule MALPEDIA_Win_Squidloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7aae3b25-945a-5fb1-9acc-809b1e90e6e6" - date = "2026-01-05" - modified = "2026-01-06" + id = "880e5cfd-65b9-5155-bdca-f0b181dd0fc6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squidloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.squidloader_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.squidloader_auto.yar#L1-L141" license_url = "N/A" - logic_hash = "a855ddb0a2fda3c6498fbc6ae734c571ea8f3a4a311f9d9ebae8f8d336ad0dd5" + logic_hash = "08e73611ff510864284fa4726068d2ac97ebb221740f8af107ba572135ffefa1" score = 60 quality = 55 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 0f114c2440 0f114c2450 0f114c2460 0f114c2470 } - $sequence_1 = { 5f 5e c3 4053 4883ec30 488bd9 8b4934 } - $sequence_2 = { c3 4053 4883ec30 488bd9 8b4934 83e902 } - $sequence_3 = { 57 4881ec90000000 488b05???????? 4833c4 4889842480000000 488bda 488bf9 } - $sequence_4 = { 5e c3 4053 4883ec30 488bd9 8b4934 } - $sequence_5 = { c3 4053 4883ec30 488bd9 8b4934 83e902 746a } - $sequence_6 = { c3 4053 4883ec30 488bd9 8b4934 } - $sequence_7 = { 5e c3 4053 4883ec30 488bd9 8b4934 83e902 } - $sequence_8 = { ffd3 48837c242800 0f84ae000000 b8ffffffff f00fc105???????? 
85c0 7f0c } - $sequence_9 = { e8???????? f30f108424a0010000 f30f108c24a4010000 e8???????? f20f108c2420010000 0f16d1 0fc6c000 } + $sequence_1 = { 498bd7 488d4d9f e8???????? 90 } + $sequence_2 = { 0f104f10 0f114a10 0f1102 488b4718 48894228 48894220 } + $sequence_3 = { 0fb60a 83e10f 4a0fbe8431c0690200 428a8c31d0690200 } + $sequence_4 = { 0f104f10 0f114e34 0f114624 488b4c2468 } + $sequence_5 = { 0f104f10 0f114e50 0f114640 896e68 } + $sequence_6 = { 8b040a 3905???????? 7e38 488d0d22140300 } + $sequence_7 = { 0f104f10 0f114e10 0f1106 0f104728 } + $sequence_8 = { 488bcf 41b80a000000 e8???????? 8bc3 } + $sequence_9 = { 4889442430 488bb424a0000000 4c8d15d35e0100 4533db } + $sequence_10 = { 0f104f10 0f114e28 0f114618 488b0b } + $sequence_11 = { 48837da008 488d1511760200 48897c2478 4c0f434588 } + $sequence_12 = { 488d0d9a930200 ffd0 40b601 e8???????? } + $sequence_13 = { 0f104f10 0f114e14 0f114604 0f10442428 } + $sequence_14 = { 0f104f10 0f114c0810 0f110408 807e1800 } condition: 7 of them and filesize < 18701312 @@ -137743,10 +138649,10 @@ rule MALPEDIA_Win_Dramnudge_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "4e1e9905-62de-5567-9ed7-a82928870a8c" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dramnudge_auto.yar#L1-L90" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dramnudge_auto.yar#L1-L90" license_url = "N/A" logic_hash = "221dd8bcd930b6121a924fbe6761de15c83c657ddce0c9178183beb8828f75f7" score = 75 
@@ -137755,9 +138661,9 @@ rule MALPEDIA_Win_Dramnudge_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -137779,36 +138685,36 @@ rule MALPEDIA_Win_Deeppost_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "26540ba9-fd06-58b9-819a-14fd842afc11" - date = "2026-01-05" - modified = "2026-01-06" + id = "cf005a01-c53e-58bb-8569-2f3097da407f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deeppost" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deeppost_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deeppost_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "728aa018aa6f90f3b8f03324b5446d97f2579b8aa528bcd211ab4ccdadb166ba" + logic_hash = "99708e0375c17502dcd5554f372b6738d2c5a1793b968522a2741e8f5c6d1484" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff7640 e8???????? 83c410 8b4e3c 85c9 740e 8b06 } - $sequence_1 = { e8???????? 83c40c 85c0 7440 6a06 68???????? 56 } - $sequence_2 = { c1e708 0bca 0bf8 8b03 f780b800000000080000 7509 } - $sequence_3 = { 8bc3 c1e810 8bd6 0fb6c0 c1c208 0fb688589a4800 8bc3 } - $sequence_4 = { 8d85f0feffff 8bd7 53 ff7518 8bce 50 ff7510 } - $sequence_5 = { 8bd3 e8???????? 85c0 0f85ce000000 8d8694000000 8d8f94000000 8945fc } - $sequence_6 = { e8???????? 83c40c 837e1410 8b4d0c 894e10 720f 8b06 } - $sequence_7 = { e8???????? 83c408 85c0 0f84b4000000 6a00 c7404c805d4000 e8???????? 
} - $sequence_8 = { e8???????? 83c40c 8d0cb500000000 51 8b4dfc ff7108 ff7708 } - $sequence_9 = { e8???????? 83c404 85c0 0f8533080000 b901000000 894dfc e9???????? } + $sequence_0 = { a818 7507 8bce e8???????? 8b4dfc 5f 5e } + $sequence_1 = { a1???????? 660f57c0 31e8 89842418040000 660f29842400040000 660f298424f0030000 660f298424e0030000 } + $sequence_2 = { ff7650 52 6a0a 56 ffd0 83c410 8b4e34 } + $sequence_3 = { 8bca c1e910 52 880c03 8bca 8b87cc000000 c1e908 } + $sequence_4 = { c1f810 68???????? 8bc6 0facc108 68c6090000 884a02 68???????? } + $sequence_5 = { 8d7dec 8d4ded c745e804000000 2bc8 8bd7 33db 894de0 } + $sequence_6 = { 8d45ea 885de9 50 e8???????? 0175b8 83c40c 2bde } + $sequence_7 = { 8bd6 8b4df0 d3ea 0bc2 8bd0 8bc8 c1e910 } + $sequence_8 = { 8d4c2418 e8???????? 8bf0 85f6 0f858c030000 8b5304 8d4c2444 } + $sequence_9 = { 85c0 0f85a4000000 6a08 8d55f4 8bcf e8???????? 83c404 } condition: 7 of them and filesize < 1332224 
@@ -137818,36 +138724,36 @@ rule MALPEDIA_Win_October_Seventh_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c923fdd4-c954-5dde-bdcd-f3b77326ae47" - date = "2026-01-05" - modified = "2026-01-06" + id = "df17ccb1-ed0e-5b55-8d0f-b866790b20ff" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.october_seventh" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.october_seventh_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.october_seventh_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "552e719a27839e5d3f04d1c3619c82bb79d38c4fb51bdf6c68df34e2e7210a4c" + logic_hash = "8dff7d768c355bc200b087342427514c6a8936d5b58282b0cb8753f308701a1f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81784870034200 7409 ff7048 e8???????? 59 8b45fc } - $sequence_1 = { 80ba????????3f 76f3 2bcf 49 8d4103 99 } - $sequence_2 = { 50 8b8598f8ffff 0fb7048544cb4100 8d048540c24100 } - $sequence_3 = { ff35???????? 89442410 e8???????? 8bf0 83c408 } - $sequence_4 = { 8b0cbdd08fd500 c644112900 837dfc00 7507 b800800000 eb1e 84db } - $sequence_5 = { 8b45d4 0345b4 48 e9???????? 8b0c85d08fd500 } - $sequence_6 = { 33c0 5b 8be5 5d c3 8b4018 33f6 } - $sequence_7 = { 68???????? a3???????? ffd0 ba???????? b9???????? 8bf0 } - $sequence_8 = { 7470 eb17 be???????? 
68???????? e8???????? 83c404 } - $sequence_9 = { 46 3b75f0 72c5 eb0f 8b45f4 8b7dfc 0fb70470 } + $sequence_0 = { 752f 8b4dfc 8b5010 0fb7c9 3bca 7219 8b4014 } + $sequence_1 = { 50 e8???????? 8bc6 c1e002 50 8b8598f8ffff 0fb7048544cb4100 } + $sequence_2 = { 7211 8b45fc 8a0e 46 8b0485d08fd500 884c072b } + $sequence_3 = { 83e03f 6bc838 8b0495d08fd500 8a5c0828 80e3fe } + $sequence_4 = { 6bf838 8955fc 8b0495d08fd500 8945f8 } + $sequence_5 = { 58 ebdc 8b55f8 8b1495d08fd500 } + $sequence_6 = { 47 f7fe 8b45f4 8a0402 8b55f8 32040a 8801 } + $sequence_7 = { 3bc8 1bc0 23c1 83c008 5d c3 8b04c5fc8e4100 } + $sequence_8 = { c745b814dd4100 c745c801000000 50 ffd7 5b 85c0 7470 } + $sequence_9 = { 56 ff15???????? 85c0 75c5 56 ff15???????? 8d442410 } condition: 7 of them and filesize < 19859456 @@ -137858,10 +138764,10 @@ rule MALPEDIA_Win_Blackshades_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "be0044cc-ffdd-5ce8-9261-6f20deb49ec5" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blackshades_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blackshades_auto.yar#L1-L117" license_url = "N/A" logic_hash = "5be1fd8de19e4a88da957f4843427153e72a697b528878c27f4d0e3032429536" score = 75 
@@ -137870,9 +138776,9 @@ rule MALPEDIA_Win_Blackshades_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -137896,36 +138802,36 @@ rule MALPEDIA_Win_Bundestrojaner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "47ea5615-8136-5cb4-9bef-7286571c39f9" - date = "2026-01-05" - modified = "2026-01-06" + id = "5a0ad8fe-edda-530e-b01e-26728b2934df" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bundestrojaner_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bundestrojaner_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "fd1e7fa09fb34d70736eb8553b933219d912c7ea6e3c9d3818f4d8762292bdc7" + logic_hash = "27a04b06b3f87d41d1a3b9508badad7c9850aecb8e96a0f4c4d9fa440d529667" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7e15 8bc5 2bdd d90403 d800 41 } - $sequence_1 = { 3bca 7e5a 8b4e10 85c9 7443 c1f803 8d542801 } - $sequence_2 = { 33d5 89a8c4000000 33f2 89542418 8990c8000000 8bd6 } - $sequence_3 = { 895610 89560c 895614 7415 8b44240c 3bc2 740d } - $sequence_4 = { 8b7e1b 8ac8 80e902 f6d9 1bc9 2c02 83e102 } - $sequence_5 = { 740f 6a00 6a00 6a27 8bc8 e8???????? eb02 } - $sequence_6 = { 8b44243c c68424c800000002 8b4830 51 8bce e8???????? } - $sequence_7 = { 8bcf 8b442418 8d1476 896c2460 f7d9 8bac2430010000 83e103 } - $sequence_8 = { 50 8986b4000000 e8???????? 
83c420 b802000000 89bec0000000 89bec4000000 } - $sequence_9 = { 50 e8???????? 8b4c2410 8b542408 51 50 } + $sequence_0 = { dfe0 f6c441 7505 d94668 eb33 d94664 d9466c } + $sequence_1 = { 8b4618 40 894618 5e c3 8b4618 c7461402000000 } + $sequence_2 = { 895068 8bd6 8bde 89706c c1ea18 c1eb10 8b1495c8f40310 } + $sequence_3 = { f2ae f7d1 2bf9 8d6c2418 8bc1 8bf7 c1e902 } + $sequence_4 = { 6a00 50 a1???????? 8d4c2424 6a04 51 52 } + $sequence_5 = { 894c2418 03ea 8bcd 2bc8 894c2420 8bcd } + $sequence_6 = { 83c9ff 33c0 f2ae 8b5c2418 8b6c241c f7d1 49 } + $sequence_7 = { 8945f4 8b4514 c745f0e8d60210 40 894df8 8945fc 64a100000000 } + $sequence_8 = { 894c2420 7581 8b54244c 8b442434 3b442438 7f6a 8bce } + $sequence_9 = { d94630 dc0d???????? ded9 dfe0 f6c441 7422 } condition: 7 of them and filesize < 729088 
@@ -137935,42 +138841,42 @@ rule MALPEDIA_Win_Torrentlocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7392e065-18c2-5313-a3d1-b30d3efcbeb2" - date = "2026-01-05" - modified = "2026-01-06" + id = "a7268eb3-9836-5145-8959-ef5b192b0dda" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.torrentlocker_auto.yar#L1-L169" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.torrentlocker_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "9e477f7e8b8247df899448f8dfaacbe7088b9d7adf1371f318f6d0bbdd12c5e7" + logic_hash = "a1fce559bd3aa25c3f6a13bbb43e0a95dce9eb217585addbc7ce38e86ec1f760" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { c3 83f801 7405 83f802 } - $sequence_1 = { 6a01 68???????? ff15???????? 85c0 7510 6a78 50 } - $sequence_2 = { 6a02 e8???????? 83c430 85c0 } - $sequence_3 = { 41 81f9f1ff0000 7206 81e9f1ff0000 } - $sequence_4 = { 6a03 e8???????? 83c410 83f8ff 7404 a810 } - $sequence_5 = { 6685d2 75f1 8bcf 8bf7 668b11 83c102 } - $sequence_6 = { 7526 68400000f0 50 6a00 6a00 } - $sequence_7 = { 51 52 50 ff15???????? 85c0 7519 } - $sequence_8 = { 7415 81f9340000c0 7407 85c9 750e 33c0 } - $sequence_9 = { 85c0 740a c705????????ffffffff 8b15???????? 
6a00 6a01 } - $sequence_10 = { 56 6a00 52 ff15???????? 5e 8bc7 } - $sequence_11 = { 751f ff15???????? 3d16000980 753d 68080000f0 } - $sequence_12 = { 6a18 6a00 6a00 68???????? ffd6 83f801 7526 } - $sequence_13 = { 750b 68???????? ff15???????? 8bc3 } - $sequence_14 = { 51 ff15???????? c705????????00000000 eb39 8b15???????? 6a0c } - $sequence_15 = { 8bc6 5e 5f c3 be04000000 } + $sequence_1 = { 750b 68???????? ff15???????? 8bc3 } + $sequence_2 = { 7522 68???????? ff15???????? 85c0 7413 68???????? 50 } + $sequence_3 = { 6a01 68???????? 8bf0 ffd7 85c0 } + $sequence_4 = { 682c020000 6a00 50 ff15???????? } + $sequence_5 = { 68???????? ff15???????? 85c0 7514 e8???????? 3d00000600 1bc0 } + $sequence_6 = { 740a 48 85c0 7ff4 5f } + $sequence_7 = { bb???????? e8???????? 83c404 85c0 740a } + $sequence_8 = { 6685c9 75f5 2bc2 d1f8 8d4c0010 } + $sequence_9 = { 83ec0c 56 8b35???????? 57 6a14 6a08 } + $sequence_10 = { 6a00 6a01 68???????? ff15???????? 85c0 7522 68???????? } + $sequence_11 = { 8b0d???????? 6a00 6a00 57 51 ff15???????? } + $sequence_12 = { 7ff4 5f 33c0 5e c3 } + $sequence_13 = { 0fb60e 41 81f9f1ff0000 7206 81e9f1ff0000 } + $sequence_14 = { ff15???????? 85c0 744f 56 b9???????? } + $sequence_15 = { 6685c0 75ef 03fb b8???????? 8d143f 2bd0 } condition: 7 of them and filesize < 933888 
@@ -137980,36 +138886,37 @@ rule MALPEDIA_Win_Carbanak_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aedde496-1e00-538c-b489-6c77c5599b0a" - date = "2026-01-05" - modified = "2026-01-06" + id = "d443c4eb-117e-543b-842f-04abefc5e43f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.carbanak_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.carbanak_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "0f833e010e6f92f115d02deffe6d957025aee9eed313be7bf6c5b84cdc07ff91" + logic_hash = "71ed38a5ff55b516374f3619e95181d4146ba8b0f08e1589778a60f18480a8eb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7c0d e8???????? 84c0 7504 33c0 } - $sequence_1 = { 7907 32c0 e9???????? 7507 } - $sequence_2 = { 85c0 7509 e8???????? b001 } - $sequence_3 = { e9???????? 7507 b001 e9???????? } - $sequence_4 = { e9???????? 3d2c5c0700 750a e8???????? e9???????? } - $sequence_5 = { 488d4dc8 4183c8ff 488bd0 488bd8 e8???????? 488bcb } - $sequence_6 = { 41ffc1 ba23000000 48895c2428 48895c2420 e8???????? } - $sequence_7 = { ff75fc 8ad8 e8???????? 83c414 84db 7511 } - $sequence_8 = { 6aff 68???????? 
6a01 8d4dec 51 } - $sequence_9 = { 50 50 ff7510 ff750c 50 ff7508 } + $sequence_0 = { 85c0 7509 e8???????? b001 } + $sequence_1 = { 7c0d e8???????? 84c0 7504 33c0 } + $sequence_2 = { 7907 32c0 e9???????? 7507 b001 } + $sequence_3 = { 3d2c5c0700 750a e8???????? e9???????? } + $sequence_4 = { 488364242000 418d57e3 488d0d0cb40100 448bce 4c8bc7 e8???????? } + $sequence_5 = { e8???????? 40b701 bac9470e0c 418bcf e8???????? } + $sequence_6 = { ffd0 85c0 745e 418d4e09 bac1f86d09 e8???????? 4c8b454f } + $sequence_7 = { 48 7407 48 7513 6a08 eb0a } + $sequence_8 = { e9???????? 8b4104 52 ff7510 ff36 ff33 ff30 } + $sequence_9 = { ffd0 5f 8b45f8 5b c9 c3 } + $sequence_10 = { 8b8568ffffff 83c420 85c0 0f85c4000000 8d45f4 } condition: 7 of them and filesize < 658432 
@@ -138019,36 +138926,36 @@ rule MALPEDIA_Win_Hellokitty_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "70edbf2a-39f7-5f31-a1a6-369fa9a6babf" - date = "2026-01-05" - modified = "2026-01-06" + id = "7f7e13cb-8f16-592b-9cdf-550e42154a26" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hellokitty_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hellokitty_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "69c3664f3b1b0dc034046821a230bddd8509bf97c9fd256224c800e384d6c7d3" + logic_hash = "38fc126018b08f7da21abe6b7002759091cc983674bad64a5b9c66c8e4d42294" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89542414 3d00010000 0f8f27010000 8bcb e8???????? 8bf0 } - $sequence_1 = { 6a08 58 75a4 5b 5f 5e c9 } - $sequence_2 = { 50 ffd6 8bd8 8945fc 83c8ff 3bd8 0f846b020000 } - $sequence_3 = { 8b45fc 8b4048 f00fc118 4b 7515 8b45fc 817848c0044200 } - $sequence_4 = { 03c8 8b45f0 03ce 8b75fc 894df8 c1c105 8b4034 } - $sequence_5 = { 8d4c242c e8???????? 837c243c08 8d442428 0f43442428 33ff 57 } - $sequence_6 = { 8b7508 2bdf ba10000000 660f1f440000 8a0c06 8d4001 3248ff } - $sequence_7 = { 0fb689303b4200 33f9 333d???????? 
33fa 8bd7 89b880000000 33d6 } - $sequence_8 = { c1c806 33c8 8b45dc 3345e8 034dac 23f0 3375dc } - $sequence_9 = { c1c10e 33c8 8bc2 8b55cc 8bf2 c1e803 33c8 } + $sequence_0 = { 6a00 50 e8???????? 8b75d0 668b570e } + $sequence_1 = { 0bc1 8b4de0 03c6 8b7594 03c2 8bd1 } + $sequence_2 = { 6a00 51 e8???????? 8a751c 83c40c 8b4dec 0fb6c3 } + $sequence_3 = { 8bd3 6a21 e8???????? 59 85c0 0f85fe000000 } + $sequence_4 = { 807e0103 7575 53 33d2 57 8bca bf???????? } + $sequence_5 = { 8b75fc c1e80a 33d0 8bc6 03d1 8bce 0355cc } + $sequence_6 = { c1c105 33c6 c1cf02 0345c0 81c6d6c162ca 03c2 } + $sequence_7 = { 8b34cd70b34100 8b4d08 6a5a 2bce 5b 0fb70431 663bc7 } + $sequence_8 = { 33148d60554200 3316 83c604 8b4df8 c1e910 8955d4 8955c4 } + $sequence_9 = { 0fb64208 c165fc08 0945fc 8b45fc 8945dc 8975f4 3306 } condition: 7 of them and filesize < 319488 @@ -138059,10 +138966,10 @@ rule MALPEDIA_Win_Sphijacker_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "077eac03-f3ac-5e2b-a96b-7f5530f41d45" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sphijacker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sphijacker_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sphijacker_auto.yar#L1-L122" license_url = "N/A" logic_hash = "99b2b9f410e1eea51f0fdbb2a2e5758813b393a388e6990a38118e63ac79cf3a" score = 75 
@@ -138071,9 +138978,9 @@ rule MALPEDIA_Win_Sphijacker_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -138097,36 +139004,36 @@ rule MALPEDIA_Win_Makloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "26ebb112-b6ed-51a4-bad8-c324e66e4906" - date = "2026-01-05" - modified = "2026-01-06" + id = "44d34284-1d64-5cab-a791-7c5c72650780" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.makloader_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.makloader_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "854a6b1744de222da9ac653a892bbe0900bac42ce1325f6f01c3e73dc26cfb28" + logic_hash = "f9f1d012b45aaac9ff386bc946681b8c289d21f1426a975130a7b081c5b7f815" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6bca00 8b440dbc 8b540dc0 b127 } - $sequence_1 = { c7857cebffff00000000 c78580ebffff00000000 8d8554e5ffff 898584ebffff c78588ebffff00000000 8d8d74ebffff } + $sequence_0 = { 7419 8b8d20e6ffff 51 e8???????? 83c404 b801000000 } + $sequence_1 = { 55 8bec 8b4508 53 57 8d1c85e05f4200 8b03 } $sequence_2 = { 33d2 8b45fc 83c003 8810 8b45fc 8be5 } - $sequence_3 = { a1???????? 33c5 8945fc c745c000100000 } - $sequence_4 = { 8b94d530fdffff b103 e8???????? 0bd8 8b8520fdffff 0bc2 33f3 } - $sequence_5 = { e8???????? 8818 ebbf 6a09 8b4df8 83c101 e8???????? 
} - $sequence_6 = { 8b540dc0 b122 e8???????? 8bd8 } - $sequence_7 = { 89856ce6ffff 33d2 899514e5ffff 899518e5ffff } - $sequence_8 = { 8b08 8b55cc 52 8b410c } - $sequence_9 = { 884130 ba01000000 6bc230 8b4d08 0fb61401 52 8b4dfc } + $sequence_3 = { 50 e8???????? 83c410 89856ce6ffff 8d956cfeffff 8995c4ebffff 0fb685eee5ffff } + $sequence_4 = { 50 8b95a4e5ffff 52 0fb685f6e5ffff 50 } + $sequence_5 = { 52 68???????? 8d8d2ce9ffff e8???????? 8bc8 e8???????? } + $sequence_6 = { 6804010000 6a00 8d8de0fbffff 51 e8???????? 83c40c } + $sequence_7 = { 8d8ddce9ffff e8???????? 8bc8 e8???????? } + $sequence_8 = { 50 e8???????? 83c410 89856ce6ffff 83bd6ce6ffff00 0f848f010000 8b8528e6ffff } + $sequence_9 = { 6b45e430 8945e0 8d8000564200 8945e4 803800 8bc8 } condition: 7 of them and filesize < 335872 
@@ -138136,36 +139043,36 @@ rule MALPEDIA_Win_Unidentified_037_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96c11217-51d7-5f4b-bf36-23d830fdb069" - date = "2026-01-05" - modified = "2026-01-06" + id = "f66674ea-c7b1-5d61-8f3a-4fbeef4b48f6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_037_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_037_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "8c50fe3091c6eb5a168263d841c7329778565aaf5d56b9bbcef638ccc0102861" + logic_hash = "2d6fe9b1eae41be1b1b92374394bcc259a42d5631bf3a2af6adcc5352dcfd8bb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { fec8 8801 eb09 51 e8???????? 83c404 899ef4000000 } - $sequence_1 = { eb63 a802 7462 68???????? eb58 663d0900 7524 } - $sequence_2 = { b9ff010000 33c0 8dbc242e080000 f3ab 66ab 8d44242c 50 } - $sequence_3 = { 8b35???????? 3bf5 0f8439010000 8b0d???????? b8c12787cb 2bce f7e9 } - $sequence_4 = { e8???????? 68???????? 68???????? 6802000080 e8???????? e8???????? a1???????? } - $sequence_5 = { 51 52 e8???????? 8d85cce0ffff 56 50 } - $sequence_6 = { 885e40 895c2418 884e44 895e48 895e4c 895e50 } - $sequence_7 = { 897dcc 3bfe c645fc04 742f 68???????? 
897704 c7470801000000 } - $sequence_8 = { 51 ff15???????? 8d94241c020000 6a00 } - $sequence_9 = { ff15???????? 56 bf01000000 ff15???????? 56 ff15???????? 8bc7 } + $sequence_0 = { 8b45f4 8b7c2420 2bc2 8b5104 03c2 894108 } + $sequence_1 = { 8d54ad00 8bc3 c1e205 03d5 895c2424 c1e202 2bc2 } + $sequence_2 = { 0f849c020000 8d442410 57 8b3d???????? 50 66c7060000 ffd7 } + $sequence_3 = { 8b7108 8b6c2428 8bd6 2bd3 c1fa04 2bfa 7415 } + $sequence_4 = { 68???????? eb22 8a8424ac000000 a880 7407 68???????? eb10 } + $sequence_5 = { 895e58 895e5c 895e60 8b4648 3bc3 741d 8d48ff } + $sequence_6 = { 6a00 ff15???????? 50 ff15???????? 83c408 33ff e8???????? } + $sequence_7 = { 50 8b442428 51 8b4c243c } + $sequence_8 = { 83c008 50 8d85a0ebffff 50 e8???????? } + $sequence_9 = { 84d2 7414 3ad3 7410 55 51 8d4c2418 } condition: 7 of them and filesize < 167936 
@@ -138175,36 +139082,36 @@ rule MALPEDIA_Win_Crackedcantil_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cc3fcc34-6200-516b-a930-713cd7528fd1" - date = "2026-01-05" - modified = "2026-01-06" + id = "44cd4499-b025-500a-9e4a-ceab4886b3d5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.crackedcantil_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.crackedcantil_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "63fa5a97e37e9297a9b2c0a9f33b3e3f4a0c35e0f5f733be56805a4bbd636bfb" + logic_hash = "46210c21bdb39f40cde9c910952d8d4440c720d01f7d9f750ecc9c620fcf5ae1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffc8 89442420 837c242400 7e45 488b442428 4883780800 7429 } - $sequence_1 = { e8???????? 90 488d8c24e06f0000 e8???????? 488d842483000000 488bf8 33c0 } - $sequence_2 = { f7d9 81e9b2638081 29cb 59 81c3e75cef77 81ebcdbddaf2 01d8 } - $sequence_3 = { ffc9 8bc9 488b542478 88040a 488b542438 488b4c2478 e8???????? } - $sequence_4 = { f3aa 0fb684248e000000 88842490040000 660f6f842490570000 660f7f842470350000 488b8424c80f0000 f30f6f00 } - $sequence_5 = { e8???????? 90 488d842470030000 4889842478030000 488b942478030000 488d0de1993000 e8???????? 
} - $sequence_6 = { e8???????? 488bc8 e8???????? 488bc8 e8???????? 898424301c0000 ba08000000 } - $sequence_7 = { f3aa 488d8424b8020000 488bf8 33c0 b901000000 f3aa 488d8424b9020000 } - $sequence_8 = { ffc0 89442430 488b442478 0fb74060 ffc8 39442430 7d3d } - $sequence_9 = { e9???????? 9c 4156 4883ec08 4c893424 ff3424 415e } + $sequence_0 = { f30f6f00 660f7f8424708c0000 660f6f8424708c0000 660fef8424808c0000 660f7f8424908c0000 488b842490250000 660f6f8424908c0000 } + $sequence_1 = { e9???????? 8b8424e8000000 8b8c2490000000 03c8 8bc1 488b8c2498000000 894108 } + $sequence_2 = { e8???????? 4e89a424a5f27fe8 4a8bac24b5f27fe8 4e89a42495f27fe8 e8???????? 80ea3e f6d2 } + $sequence_3 = { e8???????? 89842404030000 b904000000 486bc905 8b8c0ce8030000 e8???????? 8b8c2404030000 } + $sequence_4 = { f30f6f00 660f7f8424c0580000 660f6f8424c0580000 660fef8424d0580000 660f7f8424e0580000 488b842448270000 660f6f8424e0580000 } + $sequence_5 = { c3 4055 4883ec20 488bea 488d8d50150000 e8???????? 4883c420 } + $sequence_6 = { f3aa 488d8424c9000000 488bf8 33c0 b901000000 f3aa 0fb68424c7000000 } + $sequence_7 = { ffc8 89842438010000 83bc240801000002 0f85c8000000 488b442440 8b402c 83e001 } + $sequence_8 = { ff742400 9d 488d642408 e8???????? 0f05 e8???????? 48c7442400d1a719a7 } + $sequence_9 = { e8???????? 90 488d842448b50000 4889842440530000 488d8424f5020000 488bf8 33c0 } condition: 7 of them and filesize < 37863424 
@@ -138214,36 +139121,36 @@ rule MALPEDIA_Win_Balkan_Door_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "da1553c8-1e46-5d28-bd8e-ffaf0075dca2" - date = "2026-01-05" - modified = "2026-01-06" + id = "3f867a1b-a5e3-5abc-b02a-84ebb0887e42" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.balkan_door_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.balkan_door_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "8fad6b0583675ac5acd98c6d6d2bed42312dfeea01b9aec6dd08e0296e917b26" + logic_hash = "e6a3ad2349505bf9d71b10c290472c626714ce6ce0f7c72bae4dac3e20437a6a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ffd7 50 56 68???????? } - $sequence_1 = { ffd7 5e 32c0 5f c3 32c0 } - $sequence_2 = { ffd7 5e 32c0 5f } - $sequence_3 = { 50 57 6a00 6a16 ffb53cefffff ff15???????? 85c0 } - $sequence_4 = { 6a26 ffb53cefffff ff15???????? 85c0 750c ff15???????? 8986f8000000 } - $sequence_5 = { 740b 6a00 6a00 56 ff15???????? 57 8b3d???????? } - $sequence_6 = { 68c0270900 ffd7 6a00 ff35???????? } - $sequence_7 = { d1f8 33d2 50 51 8d4dd8 } - $sequence_8 = { ffd7 85c0 741a 8d85d0fdffff c785d0fdffff2c020000 50 } - $sequence_9 = { ff15???????? 
8bf0 85f6 740b 6a00 6a00 56 } + $sequence_0 = { 8bf0 85f6 740b 6a00 6a00 56 ff15???????? } + $sequence_1 = { 56 683f000f00 68???????? 57 } + $sequence_2 = { 57 6a00 6a16 ffb53cefffff } + $sequence_3 = { 8b4dfc 8b85ccfdffff 33cd 5e e8???????? } + $sequence_4 = { 8d85f4fdffff 50 ffd7 85c0 741a 8d85d0fdffff } + $sequence_5 = { ffd7 85c0 741a 8d85d0fdffff } + $sequence_6 = { 85ff 7438 56 683f000f00 68???????? 57 ff15???????? } + $sequence_7 = { ff15???????? 8bf8 85ff 7438 56 683f000f00 68???????? } + $sequence_8 = { ff15???????? 8bf0 85f6 740b 6a00 6a00 56 } + $sequence_9 = { 8bf8 85ff 7438 56 683f000f00 68???????? 57 } condition: 7 of them and filesize < 352256 
@@ -138253,75 +139160,114 @@ rule MALPEDIA_Win_Rising_Sun_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "afe0dde0-e37a-56f6-a5c0-50cfaffa0977" - date = "2026-01-05" - modified = "2026-01-06" + id = "a90816d7-758f-5ed8-a6f9-60343fe66c0f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rising_sun_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rising_sun_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "40765e7d19d635bf8650e8be6d9d37fa72ae2ec05839a775bf402065a6579e22" + logic_hash = "a2f16cb1444b180d9568dbc640c2c22efcb7c8188d91dae3c13d77a956bc608b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 488d8c2420080000 e9???????? 483b05???????? 750a e8???????? } - $sequence_1 = { 488b05???????? 4833c4 48898424a0080000 488bd9 488d8c24a1020000 33d2 41b8fb050000 } - $sequence_2 = { 7905 83c8ff eb28 498bc6 4c3b7710 720b b957000780 } - $sequence_3 = { 42890421 488b442428 83c30f 4863cb 83c308 4a890421 } - $sequence_4 = { e8???????? 
48c744247000010000 4c89642448 4c89642450 488bfe 4c89642420 4885ff } - $sequence_5 = { 488b8828010000 488b01 8a08 880a 33c9 4c8d058e760000 388c2498000000 } - $sequence_6 = { 488985e0080000 448bea 488bd9 c744245018d32263 c744245407137a55 c744245883e85ad2 c744245cee3ed142 } - $sequence_7 = { 4c89642458 4c89642460 4c89642468 4c89642470 4c89642478 44896580 4489642440 } - $sequence_8 = { c74538a9bcad89 c7453ca6ac81a6 c74540a1bca1a9 c74544a4a1b2ad c745489ba1acc8 c7454cc8c8c8c8 } - $sequence_9 = { eb39 6683f93f 0f8510040000 4883c002 } + $sequence_0 = { 4c8dbdc0000000 be02000000 448be0 48897c2450 666666666666660f1f840000000000 418bd4 8bce } + $sequence_1 = { c78514020000c80ae51e c7851802000004d34ed7 c7851c0200003e3054ad c7852002000046c2e664 c7852402000018a189fe } + $sequence_2 = { e9???????? 488d052b740100 4a8b0ce0 41f6440f0880 0f84fe020000 33db } + $sequence_3 = { 4881ec18030000 48895808 48897010 48897818 4c8968e8 0f2970d8 } + $sequence_4 = { 0f847affffff 488d54246d 488bc8 ff15???????? 488905???????? 4885c0 0f845cffffff } + $sequence_5 = { 4883ec20 488bd9 e8???????? 4c8d1d3f830000 4c891b 488bc3 4883c420 } + $sequence_6 = { 6644897d04 c745e631000000 ff15???????? 488d9530220000 b900040000 ff15???????? 4c8d8d100c0000 } + $sequence_7 = { 85c0 7908 83c8ff e9???????? 
488b4710 4863f6 483bf0 } + $sequence_8 = { ffe1 48ffc3 ebc5 410fb74500 493944f408 0f85c0010000 } + $sequence_9 = { c744247ca6aea79f c74580c8c8c8c8 c74584a9acbea9 c74588b881fbfa c7458ce6ac8484 c74590c887b8ad c74594a698baa7 } condition: 7 of them and filesize < 409600 } +rule MALPEDIA_Win_Karsto_Rat_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "c34bf4f5-4b74-55dd-a22e-8744ec3fa2a0" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karsto_rat" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.karsto_rat_auto.yar#L1-L131" + license_url = "N/A" + logic_hash = "9bd1e4ab59a6417a010bca0942b95855a3ad41d78472f9a8e3faff9facca4a0f" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { c744242000000080 4533c9 4533c0 498bce ff15???????? 4c8bf8 4885c0 } + $sequence_1 = { 4883e6e0 488946f8 eb08 e8???????? 488bf0 4c8bc7 } + $sequence_2 = { d2e0 2206 48ffc6 0ad0 8817 48ffc7 498bd9 } + $sequence_3 = { 83ff02 0f84b1020000 83f802 0f84a8020000 f7437000010000 440fb67374 742b } + $sequence_4 = { 4883f90f 7603 488b3b 488d05f26a0100 41bc1c000000 4c8d3dc96a0100 } + $sequence_5 = { 483bd8 773f 48897c2440 488d0419 48894610 488bc6 4983f80f } + $sequence_6 = { 0f104f10 0f114b10 0f1117 0f115f10 4883c420 415e } + $sequence_7 = { ff15???????? 
488d4de8 48837d000f 480f474de8 4533c9 4533c0 33d2 } + $sequence_8 = { 837b7c5e 488d737c 7569 488b4348 83700c01 488b03 488b5310 } + $sequence_9 = { 48ffc1 4883c90f 493bcf 7613 498bff 48b90000000000000080 4883c127 } + + condition: + 7 of them and filesize < 336896 +} rule MALPEDIA_Win_Minibus_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a553746-bfda-50b5-bcb8-f78a742705c0" - date = "2026-01-05" - modified = "2026-01-06" + id = "3c876e13-ffc9-5d40-abf3-af4877d9ddbb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.minibus_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.minibus_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "633d35aef0c45891bfd2d9690e003786b5685be07a68c0378a6a4c37c3387340" + logic_hash = "353f1ee48b346ff5b65682901348afe0765a3eb1fbf5ad21bca409f094f49962" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7cc3 eb25 85db 7421 83ceff 8bc6 } - $sequence_1 = { 0fb742fe 83f85c 7438 83f82f 7433 8b4de4 } - $sequence_2 = { 50 8d7720 e8???????? 8b9590fdffff 8b8584fdffff } - $sequence_3 = { e8???????? 
8945f8 3bd8 0f841d010000 } - $sequence_4 = { 8d4701 3dffffff7f 0f87e8000000 03c0 3d00100000 722a } - $sequence_5 = { 83fa08 7202 8b3e 8d041b 50 ff75f8 } - $sequence_6 = { 33ff 33db 897de4 895de8 85f6 7421 } - $sequence_7 = { e8???????? 8b4de8 83c40c 83f908 7234 } - $sequence_8 = { 8bf1 8975b8 8975ac c745b000000000 c7461000000000 c7461400000000 c70600000000 } - $sequence_9 = { 8bd1 57 c70600000000 c74604ffff0000 8b4a1c 8bc1 } + $sequence_0 = { 81f900100000 7227 8d4123 3bc1 7674 } + $sequence_1 = { 7202 8b1f 8b4f10 894dd8 } + $sequence_2 = { ff15???????? 57 56 e8???????? 8b5510 83c40c 85d2 } + $sequence_3 = { 894dd8 8d0409 8d1418 8945e8 8955f8 8bd0 } + $sequence_4 = { 0f4255e0 894dec 85d2 7429 8b45f4 } + $sequence_5 = { 8975f4 8945e4 83f808 7205 8b0e 894df4 } + $sequence_6 = { c70700000000 c7471000000000 c7471400000000 83781410 } + $sequence_7 = { 2bda 8d43fc 83f81f 7719 8bda 51 } + $sequence_8 = { 765a 51 e8???????? 83c404 85c0 740b 8d7823 } + $sequence_9 = { 8b4de4 83f908 7234 8b55d0 8d0c4d02000000 8bc2 } condition: 7 of them and filesize < 324608 
@@ -138331,35 +139277,35 @@ rule MALPEDIA_Win_Makop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e214999d-16a1-514d-bedc-c66a8b25498d" - date = "2026-01-05" - modified = "2026-01-06" + id = "be31a605-227a-575d-91b3-04c54b900ba0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.makop_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.makop_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "fab88e1b8315d53c8f1d019ae0fd200eb0984fdd471585289f6762a4445cd571" + logic_hash = "58c414593cac7aafdac3aa147f8cdd29a61009e537f3bfd139fcb6583a051cea" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5e 5b 83c41c c3 ffd7 50 e8???????? } - $sequence_1 = { 8bc6 e8???????? 894630 8b4500 8903 8b0f } - $sequence_2 = { 894118 8b0e c6412800 e8???????? } - $sequence_3 = { ff15???????? 8bf0 83feff 744f 8bc7 8a08 83c001 } - $sequence_4 = { 8d04b8 7414 8b00 50 6a00 ffd5 50 } - $sequence_5 = { 833e00 8b35???????? c744240c00000000 7645 8b5c2410 8da42400000000 8b0b } - $sequence_6 = { 53 a3???????? ff15???????? 50 ff15???????? 8d742418 e8???????? } - $sequence_7 = { 56 e8???????? 8d4e28 51 6a0a 8bc6 e8???????? } - $sequence_8 = { c3 ffd7 50 e8???????? 
83c404 5f 5e } + $sequence_0 = { 56 8bd8 57 8d442428 } + $sequence_1 = { 50 6a00 ffd7 50 ff15???????? eb06 8bc1 } + $sequence_2 = { 6a00 6a01 ffd5 8bf0 85f6 7410 } + $sequence_3 = { 663d5a00 7703 83c020 0fb7c8 0fb706 663d4100 } + $sequence_4 = { 7439 53 55 8b2d???????? 57 8bde 8b3b } + $sequence_5 = { 33c0 8d4c2414 51 a3???????? a1???????? 6a02 e8???????? } + $sequence_6 = { 0fb7f9 2bc7 751a 6685c9 7415 0fb74e02 0fb74202 } + $sequence_7 = { ff15???????? 83c414 eb1c 8d54243c } + $sequence_8 = { 7504 8907 eb44 6a2c 6a00 ff15???????? 50 } $sequence_9 = { 6a00 8d4c2414 51 52 57 55 c744242800000000 } condition: 
@@ -138370,75 +139316,75 @@ rule MALPEDIA_Win_Xpan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9c9e2899-7c42-5d4a-8e72-8695f33e2151" - date = "2026-01-05" - modified = "2026-01-06" + id = "8315121e-0178-5904-bfcc-ec3b80b1a4a0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xpan_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xpan_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "02ec4378c7469aa379433aa31077402814d90eca993bb596a3f9dbc0c47c27e0" + logic_hash = "893fbe47e0ab77393e6565561b0f8b292a9d2bbdf68cd748514be929dc22f872" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b16 899310010000 8b542414 e8???????? 89b310010000 e9???????? 8b6904 } - $sequence_1 = { 8b4d10 85c9 0f84cdfdffff 66837d14ff bb01000000 0f84d7000000 8b4d08 } - $sequence_2 = { 0fb64c2454 8b442440 896c2408 88542418 890424 894c2404 } - $sequence_3 = { 8b4508 c685f0feffff00 890424 e8???????? 8d8d60ffffff 8985d4feffff e8???????? } - $sequence_4 = { b904000000 89f5 e9???????? 
8b8c24b0000000 8b5004 8b00 } - $sequence_5 = { 89eb 0f841dffffff f744245400040000 7483 0fb6442454 89742408 892c24 } - $sequence_6 = { 8b4bf4 85c9 7438 807dc600 8d45e4 8945c8 } - $sequence_7 = { 89d3 75ed 8b4728 83f8ff 7475 39f0 0f4df0 } - $sequence_8 = { 7412 85ff 0f846e010000 85c0 ba???????? 0f44c2 85f6 } - $sequence_9 = { 85d2 89742418 8b6c2444 8b74241c 0f8571feffff c647ff00 b801000000 } + $sequence_0 = { 0f861f010000 8b79f4 85ff 0f8514010000 8b4520 31d2 668910 } + $sequence_1 = { e8???????? 85c0 0f84d5010000 29f0 8b75c0 8d50fa 83f810 } + $sequence_2 = { 8b0b be16000000 85c9 740d 83f9ff 742b 8139edf0b1ba } + $sequence_3 = { 8b5d84 89c7 8b458c 8d743030 8945a0 897594 } + $sequence_4 = { 31ff 8d4203 89d3 83f803 7742 89f0 e8???????? } + $sequence_5 = { 8b45c0 0fb65010 84d2 0f85c3020000 8b45c0 0fb77024 6639de } + $sequence_6 = { 0f84ba020000 807db200 0f84b0050000 8b55c0 385a4c 7409 385a4d } + $sequence_7 = { f7db f00118 892c24 ff15???????? 83ec04 b816000000 } + $sequence_8 = { 85c0 751a c7459000000000 c7459418000000 c745a000000000 e9???????? 
} + $sequence_9 = { c645bf01 85c9 0f85fbfdffff 90 8b4d10 85c9 0f843dfeffff } condition: - 7 of them and filesize < 3235840 + 7 of them and filesize < 3232768 } rule MALPEDIA_Win_Classfon_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a555a1ed-ff7a-5a40-964f-e4a3266a1aa9" - date = "2026-01-05" - modified = "2026-01-06" + id = "98c36664-9615-567e-b569-e03349b6a8f9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.classfon_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.classfon_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "4a5e61a984c75da7dda5bee4683bb4bb3bc0f6865b6aa2b1e5cfe06d77a7200c" + logic_hash = "2e325492642d1a7d03123bb8a5e7c2d42eb730b5c05ad8d1538a0bf1f36caa6b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f855c010000 8a442424 8d7c2424 84c0 742a 8b1d???????? a1???????? } - $sequence_1 = { 89be04020000 8b8600020000 3bc7 740e 83f8ff } - $sequence_2 = { 57 b985000000 33c0 8d7c240d c644240c00 f3ab 66ab } - $sequence_3 = { 53 56 8b35???????? 
57 8bbc24dc070000 6800010000 8b07 } - $sequence_4 = { 7520 8b4350 6a04 6800200000 } - $sequence_5 = { 6a20 68ff010f00 6a00 8bd0 } - $sequence_6 = { 8bf0 3bf5 0f859d010000 8d4c241c 8d542424 51 8b4c2414 } - $sequence_7 = { 683f000f00 6a00 51 52 ff15???????? 8bf0 85f6 } - $sequence_8 = { 6a01 6800000080 57 ff15???????? 8b742418 83f8ff } - $sequence_9 = { 8b442418 8d4c2400 c744240000000000 51 68???????? } + $sequence_0 = { f3ab 66ab 6804010000 8d4c241c } + $sequence_1 = { e8???????? a1???????? 83c410 682b010000 } + $sequence_2 = { 52 57 ffd6 8b742418 8b4b54 } + $sequence_3 = { 6800010000 8d842450030000 52 50 } + $sequence_4 = { 7429 03c6 85c0 740b 6a00 6a01 56 } + $sequence_5 = { 33c0 8dbc244d040000 889c244c040000 f3ab 66ab aa 8d84241c010000 } + $sequence_6 = { 6a04 52 ff15???????? 898608020000 5f b801000000 } + $sequence_7 = { 897d04 89450c 894508 894510 8b4b50 } + $sequence_8 = { 6a04 e8???????? 8b8424f0070000 83c418 83f801 7e16 } + $sequence_9 = { 68???????? 6802000080 c744242402000080 896c242c } condition: 7 of them and filesize < 73728 @@ -138449,10 +139395,10 @@ rule MALPEDIA_Win_Dustman_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "371d6ab3-949b-5c9d-8033-67b6c55ea566" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dustman_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dustman_auto.yar#L1-L122" license_url = "N/A" logic_hash = "b063597b5a4ae400c5fb648bc847f945a242473e9377f95d15455828ca13e94a" score = 75 
@@ -138461,9 +139407,9 @@ rule MALPEDIA_Win_Dustman_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -138487,36 +139433,36 @@ rule MALPEDIA_Win_Hackbrowserdata_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fcd73865-5a53-59f1-9e25-a98b05a9abde" - date = "2026-01-05" - modified = "2026-01-06" + id = "92ddeb6c-72b7-57ff-b845-90680cf5da41" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackbrowserdata" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hackbrowserdata_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hackbrowserdata_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3594c5bb7e78e08e9a84a6093ffe67652863ced1d7b7424d638f7eb8af56002c" + logic_hash = "3b3248f3d8d67a60a4cecec0e33cdc9a43a8ea275592fdb43271cadfd1931f98" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffc1 4d89ea 4d89fc 4989fd 4d89e7 41394c2428 0f8e0dfaffff } - $sequence_1 = { f20f1005???????? 31db 49c7c0ffffffff eb3d 48890437 488bb424a0000000 4883c618 } - $sequence_2 = { e8???????? 488b542450 48895008 833d????????00 750a 488b9424d8000000 eb10 } - $sequence_3 = { e8???????? e9???????? 488b1d???????? 4881c368960000 488b442478 488b4c2448 e8???????? } - $sequence_4 = { ffd3 833d????????00 7507 488b742408 eb15 e8???????? 498903 } - $sequence_5 = { e9???????? 488d4f54 4889ca 0fb619 ffcb 8819 480fbe0a } - $sequence_6 = { f20f59d8 f20f581d???????? 
f20f59d8 f20f581d???????? f20f59d8 f20f581d???????? f20f59d9 } - $sequence_7 = { ffc1 39d1 7d5d 4889f7 488b7640 4c63c1 4a8d34c6 } - $sequence_8 = { eb13 4883c420 5d c3 48bfffffffffffff0300 4989da 4585c0 } - $sequence_9 = { e8???????? 498913 48895018 488b942480000000 488b5c2470 4889f9 4c89c7 } + $sequence_0 = { eb2f 488b842478010000 4c89c1 bf01000000 488d358dda9e00 e8???????? 488b942490010000 } + $sequence_1 = { eb9f 4889f0 4c89c1 e8???????? 0f1f00 e8???????? 4889d9 } + $sequence_2 = { eb51 488b9c2490010000 488b842488050000 4c89e2 4d89fc 4589cf 4488542447 } + $sequence_3 = { ff02 488b942440010000 418d5f01 8b12 4c8bbc24d8020000 4d85ff 0f854b020000 } + $sequence_4 = { ffd1 488b4c2438 48895928 833d????????00 7410 e8???????? 498903 } + $sequence_5 = { f20f1100 eb08 488b8c24a0000000 4889c8 488b5c2460 8b7c2440 4c8b442448 } + $sequence_6 = { f20f11442468 4c89842490000000 498b02 4889cb e8???????? 488b4c2440 488b942430010000 } + $sequence_7 = { eb80 895628 4889da 837a2802 7f64 488b5220 488db3b8020000 } + $sequence_8 = { ffd6 488b942468010000 48891a 833d????????00 7410 e8???????? 49890b } + $sequence_9 = { e8???????? 498903 4c8b44daf8 4d894308 ebad 48895c2440 4889542468 } condition: 7 of them and filesize < 42451968 
@@ -138526,34 +139472,34 @@ rule MALPEDIA_Win_Unidentified_045_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7710c8cf-a592-5c63-bf57-74d2e907d9db" - date = "2026-01-05" - modified = "2026-01-06" + id = "40a40ddb-c11e-5d8c-8982-cd9cb4fd36c3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_045_auto.yar#L1-L98" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_045_auto.yar#L1-L104" license_url = "N/A" - logic_hash = "2c83bad8d9cfd5aadbf00585cf334eb826afab5840caeb0b4d10dd25220749b4" + logic_hash = "efeaa9798ec2b87dd7b8f92c23612419ddf67b2b001ffe8d91af2c86392a4770" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6800040000 53 53 681f000f00 50 } - $sequence_1 = { 83e70f 5b 83ff03 7205 83ff08 } - $sequence_2 = { 33db 6a68 8d45b8 53 50 895d70 } - $sequence_3 = { 7517 ff7638 8b4810 e8???????? } - $sequence_4 = { ff7510 8d45f0 56 6a0c 50 } - $sequence_5 = { ff7508 897dac 56 ff15???????? } - $sequence_6 = { 8901 8b8538ffffff 8b0d???????? 8901 } - $sequence_7 = { 03f0 0500040000 894508 8d8ef8000000 3bc8 0f87d6030000 b850450000 } + $sequence_0 = { 8901 e8???????? a3???????? 
6a02 53 8b4598 } + $sequence_1 = { 8d4dfc 51 6a28 50 8945f8 } + $sequence_2 = { eb3a 81f911111111 7507 a3???????? eb2b } + $sequence_3 = { 80f901 730a 51 8b4df8 d345fc 59 eb08 } + $sequence_4 = { 53 53 ffd7 8b4d70 ff4570 } + $sequence_5 = { 7434 40 8944240c bf???????? 381d???????? 7422 } + $sequence_6 = { 3c41 742c 3c42 7428 56 ff15???????? } + $sequence_7 = { 8945ac 0fb74606 6bc028 8dbc30f8000000 8d4f28 8b45dc } condition: 7 of them and filesize < 73728 
@@ -138563,36 +139509,36 @@ rule MALPEDIA_Win_Vmzeus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b33099d-6223-5a8a-8424-386c7b1a44ee" - date = "2026-01-05" - modified = "2026-01-06" + id = "2dd08261-5ed4-5bf6-9a6c-abcc046dbcdf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vmzeus_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vmzeus_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "17e1987d98b8da94f97f8bd71f2765f1dddeafbd1967101797951278b17d5b65" + logic_hash = "3de0be61c2ba3fb6b22e931cacee9a5f7e80daa1f5cffeee336ac255a7face9e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f3a4 b001 eb02 32c0 } + $sequence_0 = { 32c0 6a4c 8d7c242c 59 f3aa } $sequence_1 = { 7508 6a04 58 e9???????? 32c0 6a4c } - $sequence_2 = { 6a4c 8d7c242c 59 f3aa } + $sequence_2 = { 57 6a44 5a 32c0 8bca } $sequence_3 = { f3a4 b001 eb02 32c0 5f 5e } - $sequence_4 = { 58 e9???????? 32c0 6a4c 8d7c242c 59 f3aa } - $sequence_5 = { e9???????? 32c0 6a4c 8d7c242c } - $sequence_6 = { 58 e9???????? 32c0 6a4c 8d7c242c } - $sequence_7 = { 7508 6a04 58 e9???????? 32c0 } - $sequence_8 = { 6a10 32c0 59 8bfb } - $sequence_9 = { 6a04 58 e9???????? 32c0 6a4c } + $sequence_4 = { 6a04 58 e9???????? 
32c0 6a4c 8d7c242c } + $sequence_5 = { f3a4 b001 eb02 32c0 } + $sequence_6 = { 58 e9???????? 32c0 6a4c 8d7c242c 59 f3aa } + $sequence_7 = { 6a10 32c0 59 8bfb f3aa } + $sequence_8 = { 7508 6a04 58 e9???????? 32c0 6a4c 8d7c242c } + $sequence_9 = { 6a04 58 e9???????? 32c0 6a4c 8d7c242c 59 } condition: 7 of them and filesize < 475136 @@ -138603,10 +139549,10 @@ rule MALPEDIA_Win_Windealer_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "87b31818-e67b-5c82-9927-08d581ce1fca" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.windealer_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.windealer_auto.yar#L1-L114" license_url = "N/A" logic_hash = "cda4114916f5f955b9ea27c4701626023386bb93ae37a566cf799b5d0e98aca8" score = 75 
@@ -138615,23 +139561,23 @@ rule MALPEDIA_Win_Windealer_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 ff15???????? 85c0 7407 50 ff15???????? 6a01 } + $sequence_0 = { 8b4d08 668b91d2070000 8a89d0070000 52 } $sequence_1 = { 6a04 50 6a04 68???????? 68???????? } - $sequence_2 = { 668b91d2070000 8a89d0070000 52 51 } - $sequence_3 = { 56 57 68da070000 e8???????? } - $sequence_4 = { 8b4d08 668b91d2070000 8a89d0070000 52 51 } - $sequence_5 = { 6a01 50 56 e8???????? 83c410 8bc7 } - $sequence_6 = { 53 56 57 68da070000 } - $sequence_7 = { 50 56 e8???????? 83c410 8b4618 } - $sequence_8 = { ff15???????? 85c0 7407 50 ff15???????? 6a01 } - $sequence_9 = { 8b4d08 668b91d2070000 8a89d0070000 52 } + $sequence_2 = { 56 57 68da070000 e8???????? } + $sequence_3 = { ff15???????? 85c0 7407 50 ff15???????? 6a01 } + $sequence_4 = { 50 56 e8???????? 83c410 8b4618 } + $sequence_5 = { 53 56 57 68da070000 } + $sequence_6 = { 6a00 ff15???????? 85c0 7407 50 ff15???????? 6a01 } + $sequence_7 = { 6a01 50 56 e8???????? 83c410 8bc7 } + $sequence_8 = { 8b4d08 668b91d2070000 8a89d0070000 52 51 } + $sequence_9 = { 668b91d2070000 8a89d0070000 52 51 } condition: 7 of them and filesize < 770048 
@@ -138641,36 +139587,36 @@ rule MALPEDIA_Win_Bibi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c2df99bb-e2c1-5d6e-93f4-9c5f5dcb8fbb" - date = "2026-01-05" - modified = "2026-01-06" + id = "527fb14e-42e6-5a4f-be3b-f8e5c98035c2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bibi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bibi_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bibi_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "3d7402c133784a89b3daa278c9e13f3e526d55f5078582b8c7ac35078977c2ac" + logic_hash = "18456800e8bff07689fd1b8fbbf909127adefee593609ba9eb6396777b198069" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f840b010000 488d05a2af0100 4a8b04e8 42385cf838 0f8df5000000 e8???????? } - $sequence_1 = { 754a 483bc2 0f84cc000000 660f1f440000 4c8929 4c896910 4c896918 } - $sequence_2 = { 488b45bf 488b1cd0 488b5318 4883fa08 } - $sequence_3 = { 89442424 488b4c2420 48898b78020000 488bc3 4c8d5c2460 } - $sequence_4 = { 483bd9 7522 483bc1 7468 0f1f4000 0f1008 } - $sequence_5 = { 488d15645c0100 e8???????? 85c0 7416 } - $sequence_6 = { 7716 488bc6 4983f810 7203 488b06 48894e10 c6040800 } - $sequence_7 = { 0f84a1000000 b901000000 e8???????? 
483bd8 7509 488d3d70c00100 eb16 } - $sequence_8 = { 6690 83fb0a 7d65 ba3d000000 e8???????? } - $sequence_9 = { 4c8d04c0 498b84d140310300 42f644c03848 7430 8a8c2480000000 4c8b942490000000 80f90a } + $sequence_0 = { 8bda 4c8d05a25a0100 488bf9 488d1538470100 b904000000 e8???????? 8bd3 } + $sequence_1 = { 7403 48ffcf 410fb6d3 4c8d0d07f10000 83f201 03d2 8bc2 } + $sequence_2 = { 8bc7 f00fc14108 83f801 0f8540f4ffff } + $sequence_3 = { 66f3ab 498d0410 6645892441 eb0b 4c8bca 488bce e8???????? } + $sequence_4 = { 4883ec20 33f6 4533f6 4863ce 488d3db8e70100 } + $sequence_5 = { c5fb102d???????? c4e2c9abe9 f2410f1004c1 488d15a2bf0000 } + $sequence_6 = { e8???????? 33c0 884548 b801000000 864548 458bf5 } + $sequence_7 = { 488d41f8 4883f81f 773e 498bc8 e8???????? 4d896710 49c7471807000000 } + $sequence_8 = { 488bcb 48837b1808 7208 488b0b 0f1f440000 48ffc0 66833c4100 } + $sequence_9 = { 44897c2420 0f57c0 0f1145c7 f30f7f45b7 4c897dc7 } condition: 7 of them and filesize < 462848 
@@ -138680,36 +139626,36 @@ rule MALPEDIA_Win_Rc2Fm_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c250c949-1a89-5be3-9c88-097a9b8f6b70" - date = "2026-01-05" - modified = "2026-01-06" + id = "a08a9a06-9998-5e1d-a729-c63a91aa11fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rc2fm_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rc2fm_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "986b120a9f724a13ca09bdf0fceb457439c7912247f9f7f547406d208ddfc0d0" + logic_hash = "70864d4a72a67efe883f8d2dfa51c4b27e988571cf0f95ac8e7ae0d473a661a2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4885c0 7431 8b542420 488b4c2428 4533c0 e8???????? 448b442420 } - $sequence_1 = { 8bc1 d1e9 83e001 418b0481 33c1 3305???????? 33d2 } - $sequence_2 = { 48c1e004 4c89642430 4803c1 4889442438 } - $sequence_3 = { 33d2 ff15???????? 488b0d???????? ff15???????? e9???????? 40b70d e9???????? } - $sequence_4 = { 0f8736080000 4883791000 0f842b080000 48833900 750a 83790800 0f851b080000 } - $sequence_5 = { 41b804000000 488bc8 4889742470 4032ed 48c744242000000000 ff15???????? 85c0 } - $sequence_6 = { ff5010 eb62 448bc0 ba03000700 b900000100 e8???????? 
} - $sequence_7 = { ff90a8000000 85c0 792c 448bc0 ba07000a00 b903000100 e8???????? } - $sequence_8 = { 5e c3 ff15???????? ba06000600 b911000100 448bc0 e8???????? } - $sequence_9 = { 0f8781010000 83fd09 0f8778010000 448b642478 4183fc04 0f8769010000 488b4938 } + $sequence_0 = { 488d4c2448 c605????????01 e8???????? 84c0 7531 } + $sequence_1 = { 488d4507 4403c9 488d156d6c0100 4c8bc3 33c9 4889442420 e8???????? } + $sequence_2 = { 0fb64c246a 884c245e 0fb64c246e 88442461 0fb6442474 884c245f 0fb64c2470 } + $sequence_3 = { 4c8ba42460050000 4885c0 7412 488b0d???????? 4c8bc0 33d2 ff15???????? } + $sequence_4 = { 0fb7d5 4c8908 8b07 6642893408 830702 8b07 46892408 } + $sequence_5 = { 48f7d9 4d8d82a0b00200 4d8d8aa1b00200 4c03c1 4c03c9 b9000a0000 6666660f1f840000000000 } + $sequence_6 = { 4055 53 4154 4155 488dac24a8fdffff } + $sequence_7 = { 448bf2 418be8 4c8bf9 8d5707 3bc7 } + $sequence_8 = { 4885c0 7431 4533c9 4533c0 33c9 418d5101 48896bf8 } + $sequence_9 = { 448d4804 0fb60a 80f961 7203 80c1e0 c1c80b 0fb6c9 } condition: 7 of them and filesize < 410624 
@@ -138719,34 +139665,34 @@ rule MALPEDIA_Win_Doplugs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4aa6b45e-3a15-5665-b8ab-574c45e7a423" - date = "2026-01-05" - modified = "2026-01-06" + id = "85a7d874-0e21-5e9f-a423-f534488b3e6a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doplugs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.doplugs_auto.yar#L1-L105" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.doplugs_auto.yar#L1-L97" license_url = "N/A" - logic_hash = "3a8a777ec93c3f944683664500df734649c491983fb906ea5cefcf412da3de95" + logic_hash = "2a8b95fa4ab90b59613d8751c2350b84d6a1b855d9497b29273d2d01261af359" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 01fe 21f3 f7d6 21d6 09de } - $sequence_1 = { 83e13f c1f806 6bc938 8b0485b0390a10 0fb6440828 83e040 5d } - $sequence_2 = { ff15???????? 8b04bdb0390a10 834c0318ff 33c0 eb16 e8???????? c70009000000 } - $sequence_3 = { 6bc938 8b0485b0390a10 f644082801 7406 8b440818 5d } - $sequence_4 = { 89d3 83e2bf f7d3 83e340 09da } - $sequence_5 = { 57 8db8a4350a10 57 ff15???????? ff0d???????? 83ef18 } - $sequence_6 = { 31c0 8b4c2414 8b542438 8b521c 29d0 } - $sequence_7 = { 8b0c24 89ca 80e1ad f6d2 80e252 08d1 } + $sequence_0 = { 8db810380a10 57 ff15???????? ff0d???????? 
83ef18 83ee01 75eb } + $sequence_1 = { 6808020000 56 6a00 ffd0 6a5c 56 } + $sequence_2 = { e8???????? 89c6 6a05 e8???????? } + $sequence_3 = { 89ca 80e1ed f6d2 80e212 } + $sequence_4 = { 8b86b0010000 6880020000 6a00 ffb6b0010000 } + $sequence_5 = { f7d2 83e201 09d1 89c2 21f0 } + $sequence_6 = { 8b5630 89d7 f7d7 21c7 } + $sequence_7 = { 89ca 80e1ee f6d2 80e211 08d1 } condition: 7 of them and filesize < 1355776 @@ -138757,10 +139703,10 @@ rule MALPEDIA_Win_Gold_Dragon_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "991ba939-2d9f-52cd-813d-6925dfb8d9c9" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gold_dragon_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gold_dragon_auto.yar#L1-L124" license_url = "N/A" logic_hash = "1d3ddf008eb509566d50c074a1778063d25aa540d5f914350cb60f472b9c159b" score = 75 @@ -138769,9 +139715,9 @@ rule MALPEDIA_Win_Gold_Dragon_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -138795,36 +139741,36 @@ rule MALPEDIA_Win_Pipcreat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff44b514-0bd0-5060-9863-69f45ed3246f" - date = "2026-01-05" - modified = "2026-01-06" + id = "6abf6734-81ae-5edc-9e45-8fa566cd8793" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pipcreat_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pipcreat_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "8b0c4b69f4a54d875f228245ca03fbe66625db30fecf518efb33a362af79adb3" + logic_hash = "5f00e1992b447d47469ce79631d7be32636c97e5dd1e1738d8ab306966232021" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6800100000 50 ff35???????? e8???????? 83c40c 5f } - $sequence_1 = { 6a00 8d442420 6a00 50 6a01 6a02 6a20 } - $sequence_2 = { 83c418 85c0 7436 56 ff35???????? ff15???????? } - $sequence_3 = { 33c0 c3 8b0d???????? 51 ff15???????? } - $sequence_4 = { e8???????? 83c40c ff15???????? 6a3f a3???????? 33db } - $sequence_5 = { 6a02 6a20 68ff010f00 53 57 52 ffd5 } - $sequence_6 = { 40 3b4510 7cf6 ff35???????? ff15???????? 5f 8bc3 } - $sequence_7 = { 6a00 57 ff15???????? 
83c002 83c408 8bf8 66833f00 } - $sequence_8 = { 6a30 6868420010 eb07 6a28 } - $sequence_9 = { a5 50 33db ff35???????? a4 ff15???????? } + $sequence_0 = { a1???????? 83f8ff 0f84df000000 8b4d0c } + $sequence_1 = { 53 ff7510 56 ff7508 ffd0 } + $sequence_2 = { 83c418 891d???????? 391d???????? 7450 6810270000 ffd6 c745fc03000000 } + $sequence_3 = { 66833d????????39 7410 8b8c2404080000 51 e8???????? 83c404 } + $sequence_4 = { e8???????? 295dfc 8d85fcdfffff ff75fc 50 } + $sequence_5 = { 85c0 7436 56 ff35???????? ff15???????? 8b35???????? 68c8000000 } + $sequence_6 = { 68ff010f00 53 57 52 ffd5 8bf0 } + $sequence_7 = { ff30 8d45f4 50 e8???????? 66a1???????? } + $sequence_8 = { ffd6 ff35???????? ff15???????? 6a64 ffd6 } + $sequence_9 = { 0f847a010000 53 53 53 68ec210010 } condition: 7 of them and filesize < 65536 
@@ -138834,36 +139780,36 @@ rule MALPEDIA_Win_Acidbox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e7057136-2c24-5d9e-851b-e4da203a95ed" - date = "2026-01-05" - modified = "2026-01-06" + id = "81297597-76c5-56db-bea0-d8ea81c9989d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.acidbox_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.acidbox_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "b9bd6906be69a76719ed536d0340b9bf2024c75961d5ef4e84e1394f2a4d90af" + logic_hash = "8852c904fa63e0e82ec42c1326743df652cf248d5a9f4890e48ff6274af9d761" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 89442430 85c0 0f841a010000 } - $sequence_1 = { 33d2 e9???????? 41c1ee04 33d2 83c6fc 418bce 83e10f } - $sequence_2 = { 488bce e8???????? 397e18 750b 834b40ff 33c0 e9???????? } - $sequence_3 = { 48895c2408 57 4883ec30 488bfa 33db 4885c9 7479 } - $sequence_4 = { 4883ec58 488bf1 bf01200480 8978a8 33db 48895818 448bf3 } - $sequence_5 = { e8???????? 3b4704 7513 4d897500 8b4708 33db 418907 } - $sequence_6 = { 4d85f6 741a 33d2 41b880010000 498bce ff15???????? 
498bce } - $sequence_7 = { 488b7128 4885ff 0f84e1000000 4885f6 0f84d8000000 488d8424c0000000 4889442420 } - $sequence_8 = { 81790800000306 7308 418bc6 e9???????? 488d842418010000 4889442420 41b9a0000000 } - $sequence_9 = { 897918 488b03 488b8898000000 89791c 488b03 488b8898000000 c7413809000000 } + $sequence_0 = { 4883ec30 488bfa 33db 4885c9 7479 4885d2 7474 } + $sequence_1 = { c1e91f 03d1 6bc21a 442bc0 4488442420 410fbed8 458d6c2461 } + $sequence_2 = { 66c74424406e74 66c74424486c00 c644244264 c64424476c c7442437322e646c c74424336e656c33 66c74424306b65 } + $sequence_3 = { 7750 85d2 7413 8b477c 6644898c4788000000 ff477c ffca } + $sequence_4 = { 488908 48894108 498b00 488b4810 } + $sequence_5 = { 488b8898000000 c7413809000000 488b03 89a810010000 488b03 89b814010000 eb30 } + $sequence_6 = { 0f95c0 894a08 488bca 4189424c 488d82bc000000 } + $sequence_7 = { 488d4fff 4883f9fd 7709 488bcf ff15???????? 488b6c2460 } + $sequence_8 = { 44017328 897e4c c7430871000000 397b28 7418 488bce e8???????? } + $sequence_9 = { 395308 7708 41b9070a00a0 eb36 488d8e50010000 4c8bca 4c8bc3 } condition: 7 of them and filesize < 589824 
@@ -138873,36 +139819,36 @@ rule MALPEDIA_Win_Polpo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4ff250ea-14e5-5ddf-884d-81a7a2123b4c" - date = "2026-01-05" - modified = "2026-01-06" + id = "43654109-340c-5f1f-a65b-5de0d075aa78" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polpo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.polpo_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.polpo_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "c5c58623683189d984bf95794fae6745283628eb524957fe3fb712a317c0fbc7" + logic_hash = "de9ef3976e841593875b59293f8ebed4eebad224ab175b46ffa6434e01acd02c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66895004 8a0d???????? 884806 8b45b4 8bf0 8da42400000000 8a08 } - $sequence_1 = { f3a5 8bc8 83e103 f3a4 8d45dc } - $sequence_2 = { 3acb 75f9 2bc6 8dbd4cf7ffff 4f 8a4f01 47 } - $sequence_3 = { 8bc8 c1e902 f3a5 8bc8 83e103 837d0c00 } - $sequence_4 = { 6a00 52 898df4faffff e8???????? b908000000 } - $sequence_5 = { 2bfe 8d9b00000000 8b1437 8b4c3708 } - $sequence_6 = { 33cd e8???????? 
8be5 5d c20800 81ff00001000 0f8387000000 } - $sequence_7 = { 85c0 753e 6a02 56 } - $sequence_8 = { 83e03f 0fb680c0940120 83e23f 41 884602 8a92c0940120 885603 } - $sequence_9 = { 8985edfeffff 668985f1feffff 8885f3feffff 8845ec 8945ed 8945f1 } + $sequence_0 = { 8bf2 c1e902 f3a5 8bc8 83e103 f3a4 83bd20f7ffff50 } + $sequence_1 = { 56 50 52 e8???????? 8b870c020000 56 } + $sequence_2 = { e8???????? 83c410 8b9528f7ffff 8916 } + $sequence_3 = { e8???????? 8bf0 b867666666 f7ee 8b4d08 d1fa 8bc2 } + $sequence_4 = { 83c410 83feff 0f844e010000 6800040000 } + $sequence_5 = { 68???????? e8???????? 8bf0 83c41c 83feff 0f8413ffffff 6a00 } + $sequence_6 = { 8d4c3004 51 8dbe00040000 57 e8???????? 6800040000 } + $sequence_7 = { e8???????? 83c40c 85c0 7561 6800010000 8d85fcfeffff 6a00 } + $sequence_8 = { 8945cd 8945d1 8945d5 668945d9 8845db c745dc504f5354 c745e0202f7061 } + $sequence_9 = { c645dc00 e8???????? 83c40c 85f6 0f84af000000 56 57 } condition: 7 of them and filesize < 250880 
@@ -138912,36 +139858,36 @@ rule MALPEDIA_Win_Moriagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e0e8552c-2a56-5880-9b39-e228e0ca2c36" - date = "2026-01-05" - modified = "2026-01-06" + id = "8cf65ede-d703-5568-83f2-878021165f0a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moriagent_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moriagent_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "f619de3127e38febd0ef7c0dec89df2ad37cda3381275176b5456add134d4a40" + logic_hash = "1452f9a161675a1fc5d785cda904da30f21bf33db11d60376758a624f2a6a750" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c408 8b55c4 8b45f0 40 } - $sequence_1 = { 47 8b048500844200 885c012e 3bfa 7cea 8b7ddc } - $sequence_2 = { c785e4efffff00000000 c785e8efffff00000000 c785ecefffff00000000 83fa10 722f } - $sequence_3 = { 3bc1 7767 85ff 7425 41 8d0442 56 } - $sequence_4 = { eb4c 8b4714 8bd9 2bda 2bc2 3bd8 7727 } - $sequence_5 = { 8bc1 c785e4fdfffffc010000 0f43d6 c785f0fdffff07000000 c785f4fdffff01800000 2bd0 0f1f4000 } - $sequence_6 = { 8d8dccefffff e8???????? 8d8dd4efffff e8???????? 
} - $sequence_7 = { 8b5d08 8b048500844200 56 57 8bfb 8b440818 } - $sequence_8 = { 83c408 85c0 742a f68568feffff10 7521 8b4704 8d4da8 } - $sequence_9 = { 7467 8b45e4 3bc8 7713 837de010 8bc7 894f10 } + $sequence_0 = { 8841ff 84c0 75f3 68027f0000 6a00 ff15???????? } + $sequence_1 = { 8b4528 c78564efffff00000000 c78568efffff0f000000 c68554efffff00 89b5d0eeffff 898500efffff 3bf0 } + $sequence_2 = { 3b7814 7308 8bc7 5f 5e 8be5 5d } + $sequence_3 = { e8???????? 03c7 8985d8eeffff 3bb550efffff 7432 52 c7461000000000 } + $sequence_4 = { 50 c785e8feffff00000000 ff35???????? ff15???????? 50 8d85ecfeffff c7461000000000 } + $sequence_5 = { 7202 8b01 8bb5bceeffff 66893410 c644100200 eb1d 6a02 } + $sequence_6 = { 8b9568efffff 83fa10 722f 8b8d54efffff } + $sequence_7 = { e8???????? 83c408 8b45f0 03c7 893b 894304 8b45f8 } + $sequence_8 = { 3bc6 0f42c6 3daaaaaa0a 0f872f010000 8d3c40 c1e703 81ff00100000 } + $sequence_9 = { 51 52 8d4dc8 e8???????? 8b45e4 8d4dc8 3bc1 } condition: 7 of them and filesize < 720896 
@@ -138951,35 +139897,35 @@ rule MALPEDIA_Win_Mirrorkey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "23fdf476-29dd-5c48-a2d0-67c951326855" - date = "2026-01-05" - modified = "2026-01-06" + id = "0eb308b5-3815-5b9c-81c4-a78cbb0d1b3d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorkey" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mirrorkey_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mirrorkey_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "23c2e6c1488c0365d27087d2deccf67b069663ff42f157533379a432751ee152" + logic_hash = "8d65dba7f9bead9137a917a1b3b1727a25c3d194aa105ebabd30da323bba34f8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8d4db8 c745cc0f000000 c745c800000000 c645b800 } - $sequence_1 = { 50 68???????? 53 c745a400000000 e8???????? 0fbe4317 8d4da8 } + $sequence_0 = { 5d c20800 e9???????? 3b0d???????? f27502 f2c3 f2e9ca030000 } + $sequence_1 = { 57 8b13 0f57c0 8b7d0c 83c2e0 50 } $sequence_2 = { 8b06 eb02 8bc6 c60000 c745fc00000000 8bce a1???????? } - $sequence_3 = { 7406 8a740608 eb03 8a76fc 85c0 752f } - $sequence_4 = { 88442433 8d7808 0f1f440000 53 } + $sequence_3 = { 68???????? ff15???????? 
57 8b7d18 } + $sequence_4 = { 6aff 6a00 56 8d4db8 c745cc0f000000 c745c800000000 c645b800 } $sequence_5 = { 50 e8???????? ff75fc 8d45fc ff75f8 50 } - $sequence_6 = { 8b85f4feffff 33f6 3930 7446 33db } + $sequence_6 = { 51 e8???????? ff7004 ff30 ff15???????? 83c41c } $sequence_7 = { 56 ff15???????? 5f 5e c7430400000000 } - $sequence_8 = { 32d3 2503000080 7905 48 } + $sequence_8 = { 46 3bf3 7ccf 8b4dfc } $sequence_9 = { 85c0 7405 8a0c06 eb03 8a4ef4 } condition: 
@@ -138990,73 +139936,112 @@ rule MALPEDIA_Win_Void_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "941d9913-0086-5f92-b6d2-4c2b84e02b90" - date = "2026-01-05" - modified = "2026-01-06" + id = "520554d1-50a6-5254-9339-189e481c5a01" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.void_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.void_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "0a42c2ab7a2695a1845afe0b2eb12bba423d7c94d695c9222413c48eaaabdfac" + logic_hash = "b331ddf21f2b10083589dea5970e702d96b004b974032e66df6edad2f4615dec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83e001 0f840c000000 8365ecfe 8d4db8 e9???????? c3 8d8dd4feffff } - $sequence_1 = { 8b4564 83e004 0f840c000000 836564fb 8d4dac e9???????? c3 } - $sequence_2 = { 6a02 8d4d48 e8???????? 8d4548 c745fc02000000 bb01000000 8bce } - $sequence_3 = { 7504 c645f301 8d4db8 c745fcffffffff e8???????? 807df300 0f8569060000 } - $sequence_4 = { 83e914 e9???????? 83e918 e9???????? 83e93c e9???????? 83e904 } - $sequence_5 = { 50 8d4dd8 e8???????? 8d45d8 8d732c 50 8bce } - $sequence_6 = { 50 8bcf e8???????? 8d8d64ffffff c645fc0c e8???????? 
33f6 } - $sequence_7 = { 0f8510010000 8b85b8feffff 66c745840100 889d71ffffff c78578ffffff00000000 8b4004 8b8c05f0feffff } + $sequence_0 = { 68???????? 50 8d4d30 c745fc03000000 e8???????? 68???????? 8d4530 } + $sequence_1 = { 747e 6a01 8d8d64ffffff e8???????? 8d47a0 c745fc0f000000 50 } + $sequence_2 = { 6a01 8d4ddc 895d68 e8???????? 8b5d64 8bc7 83c80c } + $sequence_3 = { 83c40c 8d8d34ffffff 57 e8???????? 8b55ec 83fa10 7228 } + $sequence_4 = { 83c404 c645fc09 8d4ddc ff751c e8???????? 83e3df 895d6c } + $sequence_5 = { 50 ff75e8 8d45bc c645fc0c 50 ff5214 8bf0 } + $sequence_6 = { 56 e8???????? 8b74242c 83c40c 8b7c242c 8d460c 50 } + $sequence_7 = { 0f8c0affffff e9???????? 803d????????00 0f8599000000 33c0 bfc2010000 66a3???????? } condition: 7 of them and filesize < 2744320 } +rule MALPEDIA_Win_Morpheus_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "d59d5386-4e48-5a99-85db-1ed927c0ccb2" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.morpheus" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.morpheus_auto.yar#L1-L115" + license_url = "N/A" + logic_hash = "4294f914e84ba716ddff6f65692b975cbfaffc61dbbfbfefce5705efe03c25c4" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 8b44244c ffc0 8944244c ebc4 } + $sequence_1 = { 8b8424dc010000 8b4c242c 488b942428040000 488b5210 488904ca } + $sequence_2 = { 0f845a020000 b808000000 486bc002 488b8c24f0000000 } + $sequence_3 = { 488b8c2400010000 ff15???????? 
488b8c2400010000 ff15???????? e9???????? } + $sequence_4 = { 4883c002 4889842468010000 83bc241401000000 740c 8b442444 ffc0 89442444 } + $sequence_5 = { b85f000000 66898424c4000000 b82e000000 66898424c6000000 } + $sequence_6 = { ebb1 33c0 488b8c24a8000000 668901 } + $sequence_7 = { 39442440 731f 8b442440 488b4c2450 0fbe0401 33442444 } + $sequence_8 = { ff15???????? c744242000000000 c744242800000000 eb0a 8b442420 ffc0 } + $sequence_9 = { 4c8bc0 ba08000000 488b0d???????? ff15???????? 488b4c2438 48894110 } + + condition: + 7 of them and filesize < 74752 +} rule MALPEDIA_Win_Ice_Event_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "efa7e53a-c463-50f7-ba83-6d9ec3219251" - date = "2026-01-05" - modified = "2026-01-06" + id = "fee8c92d-3778-5bb8-8de5-578c0e236fc4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_event" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ice_event_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ice_event_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "ef09062340f20eb30ff347046cee2303e5aa0ba34beeb1b65aa69fb96594e3f6" + logic_hash = "c72030883c1483053b00186d6d00edd861125a16d836c1fbe0abb8100770d8ac" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48c74424780f000000 c644246000 488b4598 
4883f810 } - $sequence_1 = { 3b0d???????? 7326 4863c9 488d15b4080100 488bc1 83e13f } - $sequence_2 = { 48c743180f000000 c60300 8bc6 488b4c2478 4833cc e8???????? 4c8d9c2480000000 } - $sequence_3 = { 4863f8 4803f7 4983c9ff 4c8bc7 488d542430 488d4dc8 } - $sequence_4 = { 4156 4883ec28 488b4210 498bf9 498bf0 } - $sequence_5 = { 660f28d1 660f28c1 4c8d0d8b9f0000 f20f101d???????? f20f100d???????? } - $sequence_6 = { 488bcb 4a8d1441 482bf5 4c8d3436 } - $sequence_7 = { 4833cc e8???????? 488b9c24a0110000 4881c470110000 5f } - $sequence_8 = { 8bce 894d30 8bc6 894538 ffc3 83fb3c 0f8c6cffffff } - $sequence_9 = { 488bce e8???????? eb55 4c896d68 48c745700f000000 } + $sequence_0 = { 4533c0 488d55c8 488d4c2430 e8???????? 488d4c2430 e8???????? } + $sequence_1 = { 4533c0 33d2 33c9 ff15???????? 488d0d8f870100 eb0c 83f901 } + $sequence_2 = { 8d41ff 8b848218e40100 85c0 745b 83f801 } + $sequence_3 = { cc 488bc8 e8???????? 4c896c2450 48c74424580f000000 } + $sequence_4 = { c645e800 488b4520 4883f810 0f822c020000 48ffc0 488b4d08 483d00100000 } + $sequence_5 = { 448905???????? 33c0 4883c410 5b c3 4883ec38 488d05659a0000 } + $sequence_6 = { 7225 4883f927 7719 488bc8 e8???????? } + $sequence_7 = { 90 4c8d051cbe0100 488bd0 488d4da0 e8???????? 90 4c8bc3 } + $sequence_8 = { 83f8ff 7504 32c0 eb1b 488d15c6b10100 8bc8 e8???????? } + $sequence_9 = { 488d55e8 488d4da8 e8???????? 90 4c8d4508 488d15f0e90100 488d4c2458 } condition: 7 of them and filesize < 331776 
@@ -139066,36 +140051,36 @@ rule MALPEDIA_Win_Iconic_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7673e219-b974-5ee5-b8e5-79ce461f9ab7" - date = "2026-01-05" - modified = "2026-01-06" + id = "78d0531f-cb60-5e1b-b308-a28befc6e8f0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.iconic_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.iconic_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "5bc33a8c1cdbea6882940424bec9a55b2f154b2fa412fc3e5ed34989f79a9444" + logic_hash = "f9fdaf5eeb127db1a364ec0c3c0cd341bb3ef0d9c84f03f63d4efe4393d5c87c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ebc9 4885f6 740f ba68000000 488bce e8???????? eb0a } - $sequence_1 = { 498b4a18 8b4148 034144 7912 458bc6 498bd2 e8???????? } - $sequence_2 = { ff8bdc000000 c687c500000003 40387367 7407 c7473407000000 b805000000 394734 } - $sequence_3 = { e9???????? f7430400000001 488b0e 4489642454 48894c2468 4c896598 0fb64164 } - $sequence_4 = { e9???????? 41f7450400000100 0f8480020000 4889bc2458010000 498b3e 4c396648 7414 } - $sequence_5 = { e8???????? 488be8 4885c0 0f849d020000 80783f02 0f8493020000 488b542438 } - $sequence_6 = { ff15???????? 
85c0 0f8494000000 39bc2480000000 0f8487000000 498bd6 4c8d1d8d6c0300 } - $sequence_7 = { b8e08004e0 48094330 44896374 4c89a378020000 4c89a370020000 4c89a380020000 4c89a330020000 } - $sequence_8 = { 744d 4c8bc1 eb48 4c8d442440 4889742440 488d150c780300 4489742448 } - $sequence_9 = { 4d85c0 741a 410fb74010 6685c0 7f05 6603c8 eb0b } + $sequence_0 = { eb19 453b7e28 7ef3 45896e2c 448b6c2430 45897e28 eb04 } + $sequence_1 = { e8???????? e9???????? 80be2c01000002 0f83b3000000 498b4c2460 bb0080ffff 4885c9 } + $sequence_2 = { 4c8d7f10 488b5708 488bce e8???????? 418b07 c6043000 4885f6 } + $sequence_3 = { 8d506c 448d4001 e8???????? eb33 8d4101 ba03000000 41894500 } + $sequence_4 = { 458bc2 418bd3 488bcb e8???????? eb39 4183fa01 743b } + $sequence_5 = { 4c63c7 4c03c0 4c89ac2410010000 488b842498000000 4533ed 4883c0e0 4c89442458 } + $sequence_6 = { 8b4c2460 85c9 7412 0fb6461f 3c08 730a 898c86e0000000 } + $sequence_7 = { f30f7f45cf 4885ff 740c 488bd7 488d4db7 e8???????? 4488b32c010000 } + $sequence_8 = { e8???????? 488945b7 4c8be8 4885c0 0f8439030000 498b542430 4533c9 } + $sequence_9 = { f6406008 7504 c6452301 488bcd e8???????? 4c8b942488000000 488bd8 } condition: 7 of them and filesize < 2401280 
@@ -139105,36 +140090,36 @@ rule MALPEDIA_Win_Ransomlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1d9f68b5-bde6-5cf8-8d3e-ce79b7904787" - date = "2026-01-05" - modified = "2026-01-06" + id = "d7443819-1ab1-5a06-8cb1-829a4d05df6d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ransomlock_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ransomlock_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "ae6cb71ec68ff479f995cb168a9a85eebf5d8c257dade2208e4eb2660cdda6fe" + logic_hash = "19ddaf1c55a9f4ceb06bfb208731f988829a49a3192ed1fdb71ca2a94bb323e4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b5120 56 50 ffd2 85c0 } - $sequence_1 = { 51 50 66894802 ff15???????? 53 8d9decfbffff } - $sequence_2 = { 8b5120 56 50 ffd2 85c0 7807 c745ec01000000 } - $sequence_3 = { 83c0ec 52 50 8b01 ffd0 } - $sequence_4 = { 8d45b8 50 ff15???????? 6804010000 68???????? ff15???????? e9???????? } + $sequence_0 = { f3aa 8d7df0 b910000000 f3aa 8d45f0 50 8d4da8 } + $sequence_1 = { 55 8bec 8b4508 8b48f8 8b5104 } + $sequence_2 = { c705????????54614000 ff15???????? 
8b55dc 8b45e0 } + $sequence_3 = { 8b4810 3bd1 7509 b801000000 5d } + $sequence_4 = { 8d85a0f9ffff 50 ffd7 8d8da8fbffff 51 } $sequence_5 = { 53 53 6a01 68???????? ff15???????? 8bf0 85f6 } - $sequence_6 = { 8be5 5d c3 83f801 7408 } - $sequence_7 = { 8b7510 8bce ba???????? e8???????? 85c0 7414 8b5514 } - $sequence_8 = { 8b5104 57 ffd2 5f 5e } - $sequence_9 = { 8d95a0f9ffff 68???????? 52 ffd3 83c414 8dbdb0fdffff 32c0 } + $sequence_6 = { 741f 8b08 8b5110 68???????? 68???????? 50 ffd2 } + $sequence_7 = { ffd3 57 6a00 ff15???????? 50 ffd3 68???????? } + $sequence_8 = { 8d95d0fdffff 52 57 ff15???????? 85c0 744d 8d4900 } + $sequence_9 = { 52 8d8574fdffff 68???????? 50 ff15???????? 83c410 6a01 } condition: 7 of them and filesize < 360448 
@@ -139144,36 +140129,36 @@ rule MALPEDIA_Win_Turla_Silentmoon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "711d8460-3e95-57e5-96e4-0d30c9eba978" - date = "2026-01-05" - modified = "2026-01-06" + id = "5fcabfc7-b4f2-581a-bd2c-6cd3f94747e4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.turla_silentmoon_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.turla_silentmoon_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "3d4cfb37bdf5585573f2013bd7786899d7b9f149ed83fd0e028e64c3f10d7b64" + logic_hash = "94a93cf7a1d904612821d8be1bdfdbb96f40dda3d11c7dcd42229d5c1470058d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4df4 83c404 51 ffd7 83c404 8d95e4f7ffff } - $sequence_1 = { 7ce0 8b55d4 47 03c9 897dd0 3bfa 7ec7 } - $sequence_2 = { 41 3b4df0 7ce3 8955d4 83fa11 0f8fe8000000 83f801 } - $sequence_3 = { 50 6a01 8d4dff 51 56 c645ffec 895dec } - $sequence_4 = { ff15???????? 8b4ddc 8b35???????? 
51 ffd6 8b55e0 52 } - $sequence_5 = { 85c0 7407 32c0 5e 8be5 5d c3 } - $sequence_6 = { 8955fc 8bd9 8975f4 8bc6 8bff 3bc8 7f24 } - $sequence_7 = { 09be58020000 8b7df8 898e5c020000 0fb77c7b52 897df4 8b3cba 897dd4 } - $sequence_8 = { 83f801 752e 8b4508 8b7c245c } - $sequence_9 = { 5f 8be5 5d c3 8b55fc 6a04 8d4df8 } + $sequence_0 = { 7468 8b15???????? 56 57 8d3c1b 8d4f02 51 } + $sequence_1 = { ff15???????? 85c0 0f858b010000 8d95e4f7ffff 52 e9???????? 6a02 } + $sequence_2 = { 7516 8bc6 e8???????? 84c0 757d eb09 83f802 } + $sequence_3 = { 6a00 8d54241c 52 6a08 68???????? 56 ff15???????? } + $sequence_4 = { ff15???????? 8d85e4f7ffff 50 6a00 68???????? 8d8de4efffff 51 } + $sequence_5 = { 8d9598feffff 52 6800020000 6a00 ff15???????? 8bc7 c6043e00 } + $sequence_6 = { 8d0cbb 894de0 33c0 8d4900 8b11 81e2ffffdfff 899405e0f6ffff } + $sequence_7 = { 8d44247c 56 50 c644245800 } + $sequence_8 = { 83c404 6a08 b953000000 e8???????? 83c404 6a08 b959000000 } + $sequence_9 = { 8d8decf7ffff 90 833900 750b 40 83bc85ecf7ffff00 74f5 } condition: 7 of them and filesize < 204800 
@@ -139183,36 +140168,36 @@ rule MALPEDIA_Win_Domino_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "10f793c1-4d4b-5de7-9702-d644c24734c3" - date = "2026-01-05" - modified = "2026-01-06" + id = "e051c434-344d-550a-8a47-2bc4584cb45c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.domino_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.domino_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "e26eed1b473d3625fb435dacac72b22f0ae1cadfb46f5a5ee8d2f38a588ca275" + logic_hash = "742a32c7bd56c73b3463e4bce120cb5f28a09fd1ae810026d0448c66ef845310" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41b800300000 488bd6 33c9 4c8bf6 ff15???????? } - $sequence_1 = { 488bd1 b940000000 ff15???????? 448b442438 } - $sequence_2 = { 7509 488b5b08 483b1f 75e9 } - $sequence_3 = { 488b4de7 ff15???????? 488b4def 33d2 ff15???????? 4c8d9c24a0000000 8bc3 } - $sequence_4 = { 488d942450010000 b904010000 ff15???????? 4c8d4c2440 } - $sequence_5 = { 7518 66c7030206 ff15???????? 894302 b806000000 e9???????? } - $sequence_6 = { 750f 66c7030101 b802000000 e9???????? 488d942450010000 b904010000 ff15???????? } - $sequence_7 = { ff15???????? 85c0 7434 488b4d7f } - $sequence_8 = { ff15???????? 
488bf0 4885c0 7513 66c7030203 ff15???????? } - $sequence_9 = { ff15???????? 488bcf 894302 ff15???????? } + $sequence_0 = { ff15???????? 488d4c2440 e8???????? 84c0 7510 66c7030205 } + $sequence_1 = { 488bf9 41c60000 c744246801000000 e8???????? 84c0 750f } + $sequence_2 = { 894302 ebd2 b801000000 4c8d9c2460020000 } + $sequence_3 = { e8???????? 85c0 7f20 488b0b 4885c9 7406 ff15???????? } + $sequence_4 = { ff15???????? 8b5d7f 488b4de7 ff15???????? 488b4def } + $sequence_5 = { ff15???????? 85c0 741a 488b4c2458 ff15???????? 488b4c2450 ff15???????? } + $sequence_6 = { e8???????? eb14 41b701 eb72 } + $sequence_7 = { 8b5d7f 488b4de7 ff15???????? 488b4def 33d2 ff15???????? } + $sequence_8 = { 488938 8bc6 4881c470010000 415f 415e 415d 415c } + $sequence_9 = { 83cbff 8bc3 4c8d9c2450020000 498b5b10 } condition: 7 of them and filesize < 50176 
@@ -139222,36 +140207,36 @@ rule MALPEDIA_Win_Vshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d00442f-4008-5c2c-a89f-67c6ad34a468" - date = "2026-01-05" - modified = "2026-01-06" + id = "3332723f-406f-52de-a78b-40e7bfc7b267" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vshell_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vshell_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "af7100cec7361ef2656c4b43a7045079d3f82b2662234a4759041cc9664982f0" + logic_hash = "131546b9263b4b6ad1aed326437388de895073eedea5b48b292e2dbc7e3ad8f5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 90 bf01000000 90 e8???????? 488b942480000000 48894a70 } - $sequence_1 = { eb50 488b842498000000 48c740280b000000 eb3e 488b842428010000 488b9c2430010000 e8???????? } - $sequence_2 = { e8???????? 48c70019000000 e8???????? 4889c1 4889df 488d05419d5d00 488b9c2490000000 } - $sequence_3 = { eb1b 440fb64c3c27 418d3431 8d76cd 4088741427 4488443c27 4883c002 } - $sequence_4 = { eb38 488b8c2488000000 488b4110 e8???????? 4889c3 488d053d4ca100 488b6c2478 } - $sequence_5 = { eba7 4885c9 741c 48894c2440 48899c2498000000 31c0 31d2 } - $sequence_6 = { e8???????? e8???????? 
4889842478040000 e8???????? 4889842470040000 48899c24d8010000 e8???????? } - $sequence_7 = { eb0c 488d3da654b000 e8???????? 4885db 7410 4889d8 4889cb } - $sequence_8 = { e8???????? eb38 488b7c2428 488b07 488b5f08 488b4f10 440f117f08 } - $sequence_9 = { c744242c4e67d48a 48ba22266cf93b139a0b 4889542418 c74424206ecc42ee 31c0 eb1a 0fb6540424 } + $sequence_0 = { eb1c 4889c7 488b8c2430210000 e8???????? 488d3dd3929600 e8???????? e8???????? } + $sequence_1 = { eb23 488b842488020000 488b9c2490020000 e8???????? eb0c e8???????? 0f1f8000000000 } + $sequence_2 = { eb1c 4889c7 488b8c24e81c0000 e8???????? 488d3d6bb99600 e8???????? e8???????? } + $sequence_3 = { eb1a 440fb64c3419 418d1411 8d5249 88543c19 4488443419 4883c002 } + $sequence_4 = { ffd1 0f1f4000 4883f808 0f84e90d0000 488b8c2460010000 488b5170 488b842468010000 } + $sequence_5 = { eb47 488d05fead5500 e8???????? 488b9424f8030000 48898ae0000000 833d????????00 7509 } + $sequence_6 = { eb1c 4889c7 488b8c24b8220000 e8???????? 488d3d9b879600 e8???????? e8???????? } + $sequence_7 = { ffd2 660f1f440000 4883f807 745f e8???????? 440f11bc24a0000000 488b4c2460 } + $sequence_8 = { f3430f6f540420 f3430f6f5c0430 f3430f6f640500 f3430f6f6c0510 f3430f6f740520 f3430f6f7c0530 660fefc4 } + $sequence_9 = { eb7f 48899c2438010000 4889442470 488d057d7b7f00 e8???????? 488b4c2470 488908 } condition: 7 of them and filesize < 39452672 
@@ -139261,36 +140246,36 @@ rule MALPEDIA_Win_Xtinyloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "18e6856e-e403-5601-8fbf-f7925fca3610" - date = "2026-01-05" - modified = "2026-01-06" + id = "0f3f3fc1-1972-5fbe-93dc-e960b14ce813" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtinyloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xtinyloader_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xtinyloader_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "b857d545e3495e8e215ff8dbc4483cf1ba89c02a05d887dc31b61d1a2d74f26a" + logic_hash = "871e75fa34499427fd023811dff4e0c8c69560f4bfd8df1c057ed2bb040f0585" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff35???????? e8???????? 8b35???????? 83c448 8944241c 85db 7409 } - $sequence_1 = { 7437 57 ff15???????? 85c0 7425 56 } - $sequence_2 = { e8???????? 50 ff35???????? e8???????? a3???????? 0fb605???????? 83c444 } - $sequence_3 = { ff45fc 8b45fc 3b45f4 72be 33c0 5f 5e } - $sequence_4 = { 8d45f8 50 8b450c 2bc7 } - $sequence_5 = { 85c0 7442 8b45fc 8b0c86 8b450c } - $sequence_6 = { 8b5d08 b84d5a0000 663903 7407 33c0 e9???????? } - $sequence_7 = { 57 ff15???????? 85c0 0f8450010000 8d45f8 } - $sequence_8 = { 57 895de4 895df4 895dec } - $sequence_9 = { 7459 393d???????? 
7451 393d???????? } + $sequence_0 = { c3 3bfb 7615 8b4d08 2bce 8bd7 8a1c01 } + $sequence_1 = { ff15???????? 43 83fb05 72e7 56 ff15???????? 85c0 } + $sequence_2 = { 56 33f6 57 397508 0f84da000000 0fb605???????? 50 } + $sequence_3 = { ff35???????? ff35???????? e8???????? 50 53 ff15???????? 83c414 } + $sequence_4 = { 393d???????? 0f8459010000 393d???????? 0f844d010000 393d???????? } + $sequence_5 = { ff15???????? eb8e 53 56 ff15???????? 8b4c240c 0fb719 } + $sequence_6 = { 83c40c 3bde 750a 57 ff15???????? } + $sequence_7 = { a1???????? 85c0 746a 8d4dbc 51 ffd0 66837dbc09 } + $sequence_8 = { 894508 ff15???????? 397508 75cd } + $sequence_9 = { 59 6a5c 6689480a 59 } condition: 7 of them and filesize < 50176 @@ -139301,10 +140286,10 @@ rule MALPEDIA_Win_Gooseegg_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "d8132454-9f6e-5d45-ae4a-e06046e4b7c3" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gooseegg" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gooseegg_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gooseegg_auto.yar#L1-L120" license_url = "N/A" logic_hash = "8983b8f0c526551207a00c2d480777794912cb3a61999ef4b05b249edd7a0003" score = 75 
@@ -139313,9 +140298,9 @@ rule MALPEDIA_Win_Gooseegg_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -139339,42 +140324,42 @@ rule MALPEDIA_Win_Oceansalt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "02715696-fd80-57ea-b24d-396ae324dbb5" - date = "2026-01-05" - modified = "2026-01-06" + id = "f3f30d46-09bc-5976-949b-48f2d51cf5ea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oceansalt_auto.yar#L1-L171" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oceansalt_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "02d347ca93ad6009e5025efa6ae57d6d731ae049bbef6bfc036d024dce1ca79a" + logic_hash = "eeb60cea9c143f55636431cb2279743329ec4e5e7acfd3778798b6d43fdbb915" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 56 8b7508 57 6a00 6804020000 8d85f8f9ffff 50 } - $sequence_1 = { 0f8492000000 53 6a00 6a00 6a00 6802000008 } - $sequence_2 = { 50 56 ffd3 6a00 6880000000 6a02 } - $sequence_3 = { 8b4508 6a00 52 57 50 } - $sequence_4 = { 6a07 8d45f4 50 56 c645f400 ff15???????? 6a00 } - $sequence_5 = { 85c9 7e0d 80b405fcfdffff77 40 3bc1 7cf3 56 } - $sequence_6 = { 85ff 743c 6a00 56 } - $sequence_7 = { 83c404 85c0 75ce 8b8dc4fdffff } - $sequence_8 = { 8be8 85c0 0f841e010000 48899c24a8010000 } - $sequence_9 = { 442b44247c 41c1e80a e8???????? 
f644246010 740a } - $sequence_10 = { 4c8d0d2ba3ffff 41bb00020000 408a2f 413aea 0f8524f9ffff 4438942490000000 } - $sequence_11 = { bb00080000 3918 0f4c18 bf01000000 3bcb 0f8d8d000000 4c8d35f4c60000 } - $sequence_12 = { 4883c440 5d c3 4055 4883ec20 488bea 488b01 } - $sequence_13 = { eb4e 488b0d???????? 488d542434 e8???????? eb3b } - $sequence_14 = { e8???????? 4c8d9c2470060000 498b6b20 498b7328 498be3 } - $sequence_15 = { 488d0d54e30000 f6410820 7417 33d2 } + $sequence_0 = { 743c 6a00 56 ff15???????? 8b4d08 } + $sequence_1 = { 50 51 8d95fcfbffff 6800020000 52 e8???????? 83c410 } + $sequence_2 = { 8b95d4fdffff 8955f4 8d642400 6a00 6808010000 } + $sequence_3 = { 57 6a00 6a00 6a00 6a04 53 } + $sequence_4 = { 3bc1 7cf3 56 51 } + $sequence_5 = { 8b4508 50 ff15???????? 85c0 750a ff15???????? 8be5 } + $sequence_6 = { 8945fc 8b4d08 56 8d450c 50 } + $sequence_7 = { 8b450c 56 6a00 6800000008 } + $sequence_8 = { ff15???????? 4533c9 488d542420 458d4102 } + $sequence_9 = { b81a000000 eb78 33c9 488d15afdf0000 48891401 4883c230 4883c108 } + $sequence_10 = { 4889442458 4889442460 48895c2450 c744247068000000 e8???????? } + $sequence_11 = { 458d4108 488d942450030000 ff15???????? 488d942450030000 488d0d36be0000 e8???????? } + $sequence_12 = { 458d4107 488bcb ff15???????? 488b4c2428 4833cc } + $sequence_13 = { ff15???????? 488b0d???????? 4c8d0d92150100 488d942400010000 } + $sequence_14 = { 482bd8 660f1f840000000000 0fb601 48ffc1 } + $sequence_15 = { 0f856efeffff 4903df 803b20 74f8 488d15ae960000 41b805000000 488bcb } condition: 7 of them and filesize < 212992 
@@ -139384,36 +140369,36 @@ rule MALPEDIA_Win_Gaudox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e48a9725-6218-5ef6-9a1a-6786debab3b4" - date = "2026-01-05" - modified = "2026-01-06" + id = "55b8a38f-d0f1-5d6a-9e71-e584348f7b8a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gaudox_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gaudox_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "cc9ffbe1e9e9b635f7f04ba1adabaa59f1b5b2df83ed09fa49e4be99cd0578aa" + logic_hash = "b5d4d602b04c775c96411f3dd647bb34f0110cd50107432ce9277dcb80780beb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5f 5e 8be5 5d c20400 8b7c240c 8d44244c } - $sequence_1 = { 50 e8???????? a1???????? 8bb858010000 83ff20 772c 68???????? } - $sequence_2 = { 745c 85d2 7458 56 8b7508 85f6 } - $sequence_3 = { 660f7f842460030000 660f7f842470030000 660f7f842480030000 f3ab b982000000 89842460060000 } - $sequence_4 = { 8b4708 2bca 83c0fb 03c1 894201 8d45c4 } - $sequence_5 = { 8bc1 b9???????? 50 e8???????? 8b4c2440 8bc1 803900 } - $sequence_6 = { 8d8548feffff 50 e8???????? a1???????? 8bb888010000 83ff1c 7731 } - $sequence_7 = { 0f88ce000000 8b15???????? b8???????? 
ff7750 8b7c2450 2bc2 8944245c } - $sequence_8 = { 6a01 e8???????? 8b55fc 8bc8 8b45f4 890c82 85c9 } - $sequence_9 = { 731a 8bd1 b9???????? e8???????? 85c0 0f88a7000000 8b74240c } + $sequence_0 = { 897dfc 46 3b75f8 76c7 5e 5b 33c0 } + $sequence_1 = { 6a08 6a00 e8???????? 5f 8bc6 } + $sequence_2 = { 6a00 53 52 51 e8???????? 8bc8 46 } + $sequence_3 = { 6a00 8d45dc c745c418000000 8945cc 8d45e4 50 8d45c4 } + $sequence_4 = { 8b400c 83c00c 89442424 8b18 85db 0f84db000000 b90a020000 } + $sequence_5 = { 50 8d442414 50 6a00 6a00 6a32 6a00 } + $sequence_6 = { 8b4508 33ce 897804 5f 8908 8b4dfc 5e } + $sequence_7 = { 6a00 6a00 6a32 6a00 e8???????? 85c0 0f8859020000 } + $sequence_8 = { 8d0c36 8d7804 8908 51 8bcf e8???????? 85ff } + $sequence_9 = { c705????????00000000 e8???????? a3???????? 85c0 0f8466020000 6a50 6a08 } condition: 7 of them and filesize < 155648 
@@ -139423,36 +140408,36 @@ rule MALPEDIA_Win_Fog_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d28c9493-ded7-5c6b-96f1-79a637f3ec06" - date = "2026-01-05" - modified = "2026-01-06" + id = "27093879-8447-569c-ae55-3e1d5a8c1427" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fog" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.fog_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.fog_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "65c8cd27a3044c0ed114d45adeda01dfdb815d1dce8b0ed05ceb7d08d13dca8c" + logic_hash = "b2379271b457633feb71d63c90b505115c440680fbd3f3ea65f8eff573cb5e89" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a64 57 6a00 6800020000 e8???????? 0f1006 8b4514 } - $sequence_1 = { 50 8d45fc 50 8d45f0 50 ffd6 8b4510 } - $sequence_2 = { 8b8db8f6ffff 85c9 7445 8b3c8dd42b0110 85ff 0f8588000000 33c0 } - $sequence_3 = { 83c40c 6b45e430 8945e0 8d8028a10110 8945e4 803800 } - $sequence_4 = { 83c408 8bd8 8b4720 6a00 56 53 6a10 } - $sequence_5 = { 038c8300180000 0fb6c2 038c8300140000 0fb68308200000 038c8300100000 334cb338 314f38 } - $sequence_6 = { e8???????? 
83c404 89861c020000 8b45e0 8d4e0c 6a06 8d901ca10110 } - $sequence_7 = { 0f8eac000000 660f1f440000 8d0c8500000000 83bc0d0cffffff02 0f857f000000 8db574ffffff 03f1 } - $sequence_8 = { 8b4604 03c3 50 ff36 e8???????? 8b4e04 } - $sequence_9 = { 0fb74004 6685c0 7527 ff4508 83c304 } + $sequence_0 = { ffd6 8d87e0140000 50 ff35???????? } + $sequence_1 = { 33c9 0f1f4000 660fbed3 6689944d50fbffff } + $sequence_2 = { ffd6 8b7df0 83c704 83eb01 897df0 895dec 0f85b4fdffff } + $sequence_3 = { 0f44f0 8b87500e0000 8975e8 c7400801000000 8a02 84c0 7432 } + $sequence_4 = { 5d c3 55 8bec 81ecf0000000 56 68???????? } + $sequence_5 = { 8b4d0c 85f6 75ba 5f 5b 33c0 5e } + $sequence_6 = { e8???????? 8b5d08 0bf0 8b45ec 0bfa 8b55f4 } + $sequence_7 = { 8bca 898300200000 8bc2 c1e918 c1e810 } + $sequence_8 = { 038c8300180000 c1ea08 0fb6c2 038c8300140000 0fb68338200000 038c8300100000 8b45fc } + $sequence_9 = { 85ff 7e37 8b550c 53 8b5d08 2bda 837d1400 } condition: 7 of them and filesize < 244736 
@@ -139462,36 +140447,36 @@ rule MALPEDIA_Win_Qaccel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f1f0f47f-9fac-5c10-a4e8-a1707e10823b" - date = "2026-01-05" - modified = "2026-01-06" + id = "9142e369-6835-51aa-80c4-a643b5e9706c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.qaccel_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.qaccel_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "3da505a80435da5e26f3793d381f00e69d927d9829311958eb99f2abec85d62f" + logic_hash = "ed4971af2e3db4fc751d3393103c785f3b6d5ff70671ae987598bcc460cbccec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 0f842b010000 8b7d0c 85ff 0f8420010000 8b4d10 85c9 } - $sequence_1 = { 0f880a000000 0f8904000000 5f 5f } - $sequence_2 = { 41 83c210 894df8 8b1b } - $sequence_3 = { ff15???????? 50 ff15???????? 85db 7525 b941000000 } - $sequence_4 = { 8bf9 81e1ffff0000 83c102 51 ff15???????? 8bf0 } - $sequence_5 = { 8b35???????? 83c408 ffd6 99 b91a000000 } - $sequence_6 = { 5f 8b4d24 85c9 740a 8b45e0 } - $sequence_7 = { 85c0 0f8439010000 8b55fc 81e2ffff0000 } - $sequence_8 = { 5f 8b86f0000000 8b550c 50 52 ff15???????? 
83c408 } - $sequence_9 = { 83c9ff f2ae f7d1 2bf9 8d95fcfeffff 8bf7 } + $sequence_0 = { 85f6 0f849a000000 8d4d0c e8???????? 8b4608 8d4d0c } + $sequence_1 = { a3???????? 74df 0f8816000000 0f8910000000 } + $sequence_2 = { a3???????? 8b0d???????? 53 8b1d???????? 8bd1 } + $sequence_3 = { 83c408 85c0 75da 8b9de0feffff } + $sequence_4 = { f3ab 8d8dfcfeffff 51 e8???????? } + $sequence_5 = { f3ab 66ab aa 0f8813000000 0f890d000000 } + $sequence_6 = { 5f 5f 5f 5f 8b4518 c70001000000 } + $sequence_7 = { 2bc2 2bc3 40 99 2bc2 8b55a0 d1f8 } + $sequence_8 = { ffd7 6a01 66894302 ffd7 66894304 33c0 6a01 } + $sequence_9 = { 64a100000000 50 64892500000000 81ecf4000000 56 8bf1 e8???????? } condition: 7 of them and filesize < 106496 
@@ -139501,42 +140486,42 @@ rule MALPEDIA_Win_Compfun_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c3d00d25-914d-52b8-aa23-a416041c458d" - date = "2026-01-05" - modified = "2026-01-06" + id = "41d8f613-746c-5500-b816-c3a4b550704d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.compfun_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.compfun_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "8284624d97f6e1919129028ed727636c96197862138001108f45d962bbade24e" + logic_hash = "723a41bb6acfefce75ab3d4affb763bfe86d9c1aac2b18b87326286e6f0b38a2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a00 56 e8???????? 83c40c c7460c57202020 c70652656745 c746046e756d4b } - $sequence_1 = { c7460475705072 c746086976696c c7460c65676556 c74610616c7565 c6461500 8bc6 5e } - $sequence_2 = { c7460c62757465 c6461200 8bc6 5e 5d } - $sequence_3 = { 742d 53 8d85d8fdffff 50 a1???????? } - $sequence_4 = { c746144533442d c7461843343537 c7461c39323931 c7462036393245 c6462500 } - $sequence_5 = { e8???????? 59 50 57 ffd3 894650 85c0 } - $sequence_6 = { 83c40c c746086c655720 c70643726561 c7460474654669 } - $sequence_7 = { e8???????? 
83c40c c706466c7573 c746046846696c c7460865427566 c7460c66657273 } - $sequence_8 = { 488b8424a0000000 ff5030 85c0 7508 } - $sequence_9 = { 837c2428ff 740a c744244401000000 eb08 } - $sequence_10 = { 488b842438010000 8908 488b842438010000 8b08 } - $sequence_11 = { ff15???????? 4c8bd8 488b442460 4c895848 } - $sequence_12 = { 8b9424a4000000 488b8c2498000000 488b442438 420fb60400 } - $sequence_13 = { 488b442420 48890424 488b0424 c70073766368 } - $sequence_14 = { 483904d1 750a 8b442438 89442420 } - $sequence_15 = { 488b442450 0fb600 3de9000000 740f } + $sequence_0 = { 56 e8???????? 83c40c c70648656170 } + $sequence_1 = { 85c0 7433 68???????? e8???????? 59 50 57 } + $sequence_2 = { e8???????? 83c40c c70661647661 c7460470693332 } + $sequence_3 = { 57 ffd3 898688000000 85c0 } + $sequence_4 = { c7460c73736573 c746105c576f77 c7461436343332 c746184e6f6465 c7461c5c434c53 } + $sequence_5 = { e9???????? 57 8b7d0c 85ff 7507 33c0 e9???????? } + $sequence_6 = { c7460c65786520 c70673706964 c7460465726167 c74608656e742e c6460f00 8bc6 } + $sequence_7 = { e8???????? 83c40c c746106e666f20 c7064765744e } + $sequence_8 = { 034c2460 488b442450 894820 488b4c2450 } + $sequence_9 = { 034c242c 488b442470 894820 488d542440 } + $sequence_10 = { 0344242c 8bc8 e8???????? 4889442448 } + $sequence_11 = { 03c1 89442420 8b442420 83c001 } + $sequence_12 = { 03c1 89442420 8b4c2438 488b442450 } + $sequence_13 = { 03c1 4863d0 488b4c2430 488b442438 } + $sequence_14 = { 03c1 89442420 8b542438 486bd218 } + $sequence_15 = { 03c1 89442434 8b442430 39442434 } condition: 7 of them and filesize < 402432 
@@ -139546,42 +140531,42 @@ rule MALPEDIA_Win_Mechanical_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f673020e-2414-508c-b896-8bd1153a2a5f" - date = "2026-01-05" - modified = "2026-01-06" + id = "e88d5eb7-0499-5304-86b2-33ae2ce1eca4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mechanical_auto.yar#L1-L161" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mechanical_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "bdb95de618c80d698fcb0c6f336b0430b26a5d0b33d6a5403bc772ebe314b16e" + logic_hash = "e8ef1a24ec6265b6d043f6149c8cbefb595de6561a93ba80907aaba8fa8b1d99" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 03c7 3bca 72ed 5f } - $sequence_1 = { 4883c201 4983e901 0f855dfeffff 488d9424000a0000 } - $sequence_2 = { 030495c0e54200 eb05 b8???????? f6400420 } - $sequence_3 = { 4883ec28 488d15056a0200 e8???????? 
4885c0 } - $sequence_4 = { 0f84e4e30000 488b8500730200 488d8c2410600000 33d2 488901 8b8508730200 41b8f5000000 } - $sequence_5 = { 0401 3cbe 8844240b 76e2 } - $sequence_6 = { 033485c0e54200 8b45e4 8b00 8906 } + $sequence_0 = { 83c0df 83f85c 0f8778010000 4898 0fb68428984c0100 8b8c85c44b0100 } + $sequence_1 = { 488d15e768feff 48898c24b0000000 eb54 448b742448 bdffffffff 896c2444 ebb0 } + $sequence_2 = { 03c7 3bca 72ed 5f } + $sequence_3 = { 4585c0 0f84d0010000 488d9424103e0000 458bc8 } + $sequence_4 = { 03c1 1bc9 0bc1 59 e9???????? e8???????? ff742404 } + $sequence_5 = { 48894716 8b05???????? 89471e e8???????? } + $sequence_6 = { c6023c eb35 c60228 eb30 c60224 eb2b } $sequence_7 = { 03ce c6840c3801000000 8d8424a05c0000 33f6 } - $sequence_8 = { 488bf3 48c1fe05 4c8d2547e50000 408afb 83e71f 48c1e706 } + $sequence_8 = { 488d942480120000 458bc8 66666690 66666690 0fb602 458bc4 } $sequence_9 = { 00686c 42 0023 d18a0688078a } - $sequence_10 = { 03c1 1bc9 0bc1 59 e9???????? e8???????? ff742404 } - $sequence_11 = { 4585c0 0f84b6010000 488d9424f05d0000 458bc8 66666690 66666690 0fb602 } - $sequence_12 = { 033485c0e54200 c745e401000000 33db 395e08 } - $sequence_13 = { 0fb785107a0200 66894108 0fb685127a0200 88410a 488d8c248b010000 } - $sequence_14 = { 33d2 41b803010000 4488a42460430000 488905???????? e8???????? 4c8d1de50a0200 498bcc } - $sequence_15 = { 4489642430 4488a424100b0000 e8???????? 4c8d1dfcd60100 } + $sequence_10 = { 030495c0e54200 eb05 b8???????? f6400420 } + $sequence_11 = { 033485c0e54200 8b45e4 8b00 8906 } + $sequence_12 = { 0f84d6010000 488d942470440000 458bc8 66666690 0fb602 } + $sequence_13 = { 8b442430 488d8c2461430000 33d2 41b803010000 4488a42460430000 488905???????? e8???????? } + $sequence_14 = { 033485c0e54200 c745e401000000 33db 395e08 } + $sequence_15 = { 0401 3cbe 8844240b 76e2 } condition: 7 of them and filesize < 434176 
@@ -139591,36 +140576,36 @@ rule MALPEDIA_Win_Furtim_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad577b23-66c9-5c51-817c-414dfaa85803" - date = "2026-01-05" - modified = "2026-01-06" + id = "997496b4-68e2-55bd-9790-724c9dca1765" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.furtim_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.furtim_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "d317e4f334ec1dda33c613c0848248b97fb2b5924cd44cad020709ead778cee8" + logic_hash = "021866744ccba840eb17e7885794bb12bfcecfd8614d8904503788a79f60e019" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c3 55 8bec 83ec68 53 56 68???????? } - $sequence_1 = { 85c0 7413 8b4c2424 8bd1 2bd6 8a12 8811 } - $sequence_2 = { 55 8bec 8b4508 ff34c5d0404100 ff15???????? 5d c3 } - $sequence_3 = { 5e 5b c9 c20800 56 8bf1 ff96d4060000 } - $sequence_4 = { 8bf8 68???????? 
57 ff961c070000 83c40c 6a0b 57 } - $sequence_5 = { 33db 895de8 8d7dec ab ab ab 8d45fc } - $sequence_6 = { ff969c020000 85c0 0f850d010000 33db 399e08060000 0f84f7000000 33c0 } - $sequence_7 = { 895df4 ff9660060000 85c0 7532 385dfc 742d 0fb645fc } - $sequence_8 = { 7405 8bce ff5614 53 53 56 ffb640070000 } - $sequence_9 = { 56 53 ffb360020000 8975fc 56 } + $sequence_0 = { 5b 5e 83c578 c9 c3 8bff 56 } + $sequence_1 = { 8bce 84c0 74e7 bf???????? eb0d 6a64 5a } + $sequence_2 = { 52 8d45f4 8bf1 50 ff963c050000 8b4508 } + $sequence_3 = { 895dfc ff960c030000 85c0 740f } + $sequence_4 = { 5b c3 56 8bf1 57 b9feff0000 ff96b8020000 } + $sequence_5 = { 57 c786500600006ec74000 c7862404000020db4000 c7869c03000068434000 c78698030000aa314000 c7863806000088c54000 c786c80500000c8d4000 } + $sequence_6 = { ba???????? 8bce ff9664060000 68???????? ff9688050000 8bf8 } + $sequence_7 = { 817dfce8030000 0f8f8c000000 8b5df8 83c310 68???????? 53 ff96c8040000 } + $sequence_8 = { ffd0 85c0 7467 397df8 7462 ff75fc ff96bc040000 } + $sequence_9 = { 83e6f8 33c9 8b3c8a 83e7f8 3bfe 740b 41 } condition: 7 of them and filesize < 622592 
@@ -139630,36 +140615,36 @@ rule MALPEDIA_Win_Stration_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "41dc722e-36ee-57b1-9a26-7229c2369407" - date = "2026-01-05" - modified = "2026-01-06" + id = "0f1011b4-1d65-54be-be3f-0dcec39901b3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stration_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stration_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "e64d83d58a5476627a814f6a3e2d0bd532d00a922e21b2d066d65b8e0bc95a9c" + logic_hash = "1de0c732e3e1353612dddc1bb123542daa60f0a724e03b3bdb47ccce504de6d8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7407 6a01 e8???????? 8a15???????? } - $sequence_1 = { 8b4c2434 c1e908 32c8 884c2435 8b542434 c1ea10 } - $sequence_2 = { 56 89442420 b37b e8???????? 85ff } - $sequence_3 = { 8d4c240c b81f85eb51 f7e9 8bc1 c1fa05 50 } - $sequence_4 = { 85db 7474 57 e8???????? 83c404 85c0 } - $sequence_5 = { 56 8be8 e8???????? 6a64 } - $sequence_6 = { 50 ba11010000 8bcf e8???????? 83fe66 } - $sequence_7 = { 83ec14 85c0 756f a1???????? 8b0d???????? } - $sequence_8 = { ff15???????? 8a0d???????? 22cb 85f6 8935???????? } - $sequence_9 = { 68???????? e8???????? a1???????? 
0fafc6 } + $sequence_0 = { 57 8d54240c 52 33f6 56 8d442418 50 } + $sequence_1 = { 8bc8 e8???????? 85c0 744b 8d442414 50 } + $sequence_2 = { c744241000000000 eb0c 8a0d???????? 880d???????? 6a01 56 } + $sequence_3 = { 52 e8???????? a3???????? 8b4c2420 51 } + $sequence_4 = { ba11010000 8bce e8???????? c705????????00000000 } + $sequence_5 = { 8b15???????? 89442404 a1???????? 894c2408 8a0d???????? 89442410 8954240c } + $sequence_6 = { 83f80d 7cec 57 8d54240c 52 33f6 56 } + $sequence_7 = { 894c2408 8954240c 33c0 8d9b00000000 } + $sequence_8 = { 7451 85ed 744d 85c0 7449 56 } + $sequence_9 = { 83f825 7cec 8b3d???????? 68???????? } condition: 7 of them and filesize < 49152 
@@ -139669,36 +140654,36 @@ rule MALPEDIA_Win_Romcom_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52944eb3-a8b3-598a-bd5c-c9c0b8dd95ba" - date = "2026-01-05" - modified = "2026-01-06" + id = "3df8a6c8-8cad-530b-8fa5-c51892c15404" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.romcom_rat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.romcom_rat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "94e8976d75fd26e2288ab3e032c369598bcb0480813fc775078fe15324b5e802" + logic_hash = "329446130971e3e9d98f830b9af67bc4ad5f748c380e9572e174475f4a618fbe" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33d2 448d4240 488d8d60100000 e8???????? 488d0d9a6e0100 e8???????? 4c8bc0 } - $sequence_1 = { 488945a0 488d0592d20400 4885db 7424 83630800 488903 } - $sequence_2 = { c7442434323b3831 c74424383738363a c744243c02005b00 c74424407e006900 c744244461005d00 c74424485e005200 c744244c52005400 } - $sequence_3 = { f30f7f458f 482bf3 4889742420 4c8d458f 488d55a7 498bce e8???????? } - $sequence_4 = { 488d8a50000000 e9???????? 
4055 4883ec20 488bea 8b8598000000 83e002 } - $sequence_5 = { eb24 488d152e6b0600 488d4b02 483bce 7714 41803c1f30 750d } - $sequence_6 = { c7442460474e595a c7442464080a5d0d c74424685b5a4659 c744246c10475f51 c7442470141e5e19 c74424744b4b5f4f c744247848262600 } - $sequence_7 = { 498bd6 498bcd ff5038 498b4740 488b4808 48894d97 488b01 } - $sequence_8 = { ebd7 488d053e4d0300 ba80000000 0f1000 410f1106 0f104810 410f114e10 } - $sequence_9 = { 894c2420 ff15???????? eb0c 48630d???????? e8???????? } + $sequence_0 = { 4c8bf2 4d8903 488907 4d8b13 4d3bd1 0f84ec000000 483b442440 } + $sequence_1 = { 83f801 0f8440ffffff 488b8da0020000 4833cc e8???????? 4c8d9c24b0030000 498b5b38 } + $sequence_2 = { 48895c2408 57 4883ec20 488bd9 488d05341b0600 488901 } + $sequence_3 = { 0f100d???????? 0f114810 488d8de0100000 492bcf 4903cf 443821 75f8 } + $sequence_4 = { 0fb6b48213d80600 8bd9 48c1e302 33d2 4c8bc3 8d040e 488d8d44030000 } + $sequence_5 = { 41b801000000 8bd0 498bce e8???????? 4883f801 7405 418bc4 } + $sequence_6 = { 8a4118 c3 4053 55 56 57 } + $sequence_7 = { 4883ec20 488d05af930500 488bf9 488901 8bda 488b4918 e8???????? } + $sequence_8 = { 4c63c0 4c8d0d4ddb0400 4c8d1df6050500 498bd0 418d4802 83f901 761b } + $sequence_9 = { 458802 49ffc2 4883ee01 0f8574ffffff 418b7e10 458b8ea8000000 448bc7 } condition: 7 of them and filesize < 1211392 
@@ -139708,73 +140693,112 @@ rule MALPEDIA_Win_Pocodown_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "24fa8c2b-d3e1-5926-9dee-69a93fed8b3c" - date = "2026-01-05" - modified = "2026-01-06" + id = "0b6f4bfa-cba5-5281-91ed-08423b809fc5" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pocodown_auto.yar#L1-L90" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pocodown_auto.yar#L1-L104" license_url = "N/A" - logic_hash = "81ce65c7d22552fcdf6138ce3c49e38f993fc4ab399006dba75fe36bc9807464" + logic_hash = "7da590f358fe51b025a303cdaeea6d5ff9e77b166f44142295f4a671de6f9f83" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b8c2488000000 e8???????? 85c0 0f849d010000 } - $sequence_1 = { 8b8c2488000000 e8???????? 03442460 89842488000000 } - $sequence_2 = { 8b8c2488000000 8d840801fcffff 8944244c 837c244c00 } - $sequence_3 = { 8b8c2488000000 e8???????? 89842488000000 488b442478 } - $sequence_4 = { 8b8c2488000000 8d8401f33e706d 89842488000000 ba05000000 } - $sequence_5 = { 8b8c2488000000 e8???????? 4885c0 7529 } - $sequence_6 = { 8b8c2488000000 e8???????? 4883bc249000000000 741a } - $sequence_7 = { 8b8c2488000000 ff15???????? 
85c0 7519 } + $sequence_0 = { 8b8c2480000000 23c8 8bc1 85c0 7505 e9???????? } + $sequence_1 = { 8b8c2480000000 3bd3 7206 3bcf } + $sequence_2 = { 8b8c2480000000 448b8c2488000000 41890a c70600000000 } + $sequence_3 = { 8b8c2480000000 03c8 8bc1 89842454010000 ba05000000 8b4c2454 e8???????? } + $sequence_4 = { 8b8c2480000000 394814 0f8d80000000 488b442440 c7401400000000 48837c244800 } + $sequence_5 = { 8b8c2480000000 23c8 8bc1 89842480000000 83bc248000000000 750d c744246000000000 } + $sequence_6 = { 8b8c2480000000 03c8 8bc1 89842414010000 ba05000000 8b4c2428 e8???????? } + $sequence_7 = { 8b8c2480000000 2bc8 8bc1 8bc0 8b4c2420 } condition: 7 of them and filesize < 6703104 } +rule MALPEDIA_Win_Foalshell_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "1f0e5fe4-66f4-59c0-81ef-bf98ddf84d87" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.foalshell" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.foalshell_auto.yar#L1-L123" + license_url = "N/A" + logic_hash = "9a656b5c69e181d13eefd8b3c96090fbd64319ffe7dcc64f03d99e60f15d0937" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 4883ec58 48837c246800 750c 48c7c0ffffffff e9???????? 488b442468 48ffc8 } + $sequence_1 = { 4883ea10 660f74c1 660fd7c0 85c0 7507 483bd1 } + $sequence_2 = { a801 0f84da000000 488bd6 498bce } + $sequence_3 = { 4d03f6 4b8b94f7d07b0100 e8???????? 
85c0 } + $sequence_4 = { 25ffffff1f 3d21059319 0f82fa000000 48635e20 85db 740a } + $sequence_5 = { 4b0394d840f90100 8a02 88440dff 48ffc1 48ffc2 493bce } + $sequence_6 = { c705????????01000000 488d1510ed0000 488d0dd1ec0000 e8???????? 85c0 740a } + $sequence_7 = { 0f85b8020000 8b4720 3d20059319 740e 05dffa6ce6 83f801 0f87a0020000 } + $sequence_8 = { c3 4053 4883ec20 488bd9 488bc2 488d0d49f00000 0f57c0 } + $sequence_9 = { 0f8d26010000 488b4f28 ebce 4c8bc3 488bd6 498bce } + + condition: + 7 of them and filesize < 520192 +} rule MALPEDIA_Win_Sparrow_Door_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91053f9d-da7f-5861-a669-343fc4d9f35e" - date = "2026-01-05" - modified = "2026-01-06" + id = "ddbb95e9-813e-5dc2-a2bd-3bb6540f1431" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sparrow_door_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sparrow_door_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "c57cb5bf7003c0c8f6009858f16b398bf1f07f6fd24e51a6f375d303f48a1e92" + logic_hash = "72d28c62f23d5165e95cd2abe6359e219511d2b68b9a823f4761e214b0687cbf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4c242c 33ed 03e8 13cb } - $sequence_1 = { ffd7 8b1d???????? 
50 ffd3 3bc5 740c } - $sequence_2 = { 53 51 885c241c e8???????? 83c40c 6882050000 8d542454 } - $sequence_3 = { 83c414 8d542450 52 57 ff15???????? 85c0 0f8599feffff } - $sequence_4 = { 50 c684242401000000 e8???????? 68f3010000 8d8c241d030000 56 } - $sequence_5 = { 85c0 743c 8b442418 8d4c2414 51 6a0b } - $sequence_6 = { 53 55 8b6c240c 57 6a00 6880000000 6a03 } - $sequence_7 = { 8b35???????? ffd6 8b0d???????? 6a64 } - $sequence_8 = { 837c242064 0f8d58010000 d16c241c 7508 } - $sequence_9 = { 68ff1f0000 8d8c24c9000000 6a00 51 895c241c } + $sequence_0 = { 52 885c2438 e8???????? 83c40c 6803010000 8d842441020000 } + $sequence_1 = { 395c240c 7514 8b4e04 51 } + $sequence_2 = { e8???????? 83c404 6803010000 8d942439010000 } + $sequence_3 = { 8b54241c 6a2b 52 ffd7 8b542430 8bc2 } + $sequence_4 = { 7505 e8???????? 33db 6803010000 8d9424dd050000 53 52 } + $sequence_5 = { 56 895c241c ff15???????? 56 } + $sequence_6 = { 8d9424dd050000 53 52 889c24e4050000 e8???????? } + $sequence_7 = { ffd5 68d0070000 ff15???????? 6803010000 } + $sequence_8 = { 8d4c2424 83c40c 51 e8???????? 83c404 } + $sequence_9 = { e8???????? 6803010000 8d942435010000 53 52 889c243c010000 e8???????? } condition: 7 of them and filesize < 155648 
@@ -139784,36 +140808,36 @@ rule MALPEDIA_Win_Teleport_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8775bf50-843a-53a5-99d2-7f1e8df96bef" - date = "2026-01-05" - modified = "2026-01-06" + id = "ecff15ec-eb29-5c04-ad66-6f615eebdafc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.teleport" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.teleport_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.teleport_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "faedc771daee9d9167e2f4449bf3e87076b81c367250e9b9589a86138f934d43" + logic_hash = "b4a1cc742a06dd541ec9dd1bd150a1a96a01f0443a4ed9b059fce3017d8de331" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 894768 893d???????? ff15???????? } - $sequence_1 = { 894824 c6401c01 894dfc 8d85d0feffff b912000000 eb50 } - $sequence_2 = { 8b04bde83e4300 ff743018 ff15???????? 85c0 0f95c0 5f 5e } - $sequence_3 = { 8b01 6a01 ff10 8b4608 8d7e08 8b08 8900 } - $sequence_4 = { 83c404 8b4dc0 0f1003 0f110401 83c010 8945c8 eb06 } - $sequence_5 = { 8b45ec c1e810 0fb6c0 330c85a0fe4200 0fb6c2 330c85a0f64200 334fe8 } - $sequence_6 = { 3bf0 745a 0f1f440000 68???????? 8bcf e8???????? 
837e1c08 } - $sequence_7 = { 8b4104 8987a4000000 8b5108 8945f8 8bc2 8997a8000000 8b590c } - $sequence_8 = { 894820 894824 c6401c01 8d45c0 c745fc08000000 be00100000 } - $sequence_9 = { 0fb6c3 8b5de8 331485a0f64200 3357ac 8bc2 c1e808 0fb6c8 } + $sequence_0 = { eb05 1bc0 83c801 85c0 0f84c7000000 8d8564fdffff } + $sequence_1 = { 83f81f 0f87970c0000 52 51 e8???????? 83c408 8d8d30ffffff } + $sequence_2 = { 8945f8 8bc2 c1e810 0fb6c0 c1e918 8b1c8d60c24200 331c8560be4200 } + $sequence_3 = { 8b4508 57 8d3c850c3d4300 8b07 8b15???????? 8bca } + $sequence_4 = { c745fc02000000 e8???????? c707???????? c7472800000000 c7472c0f000000 c6471800 c645fc04 } + $sequence_5 = { 0f84fa030000 8b4640 8b8d70f7ffff 8a80c3000000 84c0 0f849d030000 } + $sequence_6 = { 894660 8b4640 895664 8b5668 03d2 895668 } + $sequence_7 = { 660fefc8 0f114c05fc 0f1044050c 0f104c0720 660fefc8 0f114c050c 0f1044051c } + $sequence_8 = { 897318 8b4704 894320 8b4708 894324 } + $sequence_9 = { 6a28 85f6 7447 c7459c80b54200 e8???????? 8945a8 33c9 } condition: 7 of them and filesize < 458752 
@@ -139823,35 +140847,35 @@ rule MALPEDIA_Win_Revenant_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d3da3715-670e-5d1a-8c9a-150b3eadfd7c" - date = "2026-01-05" - modified = "2026-01-06" + id = "6753dc62-5f76-5215-97ad-3a994241e584" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.revenant_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.revenant_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "bc25d04495c8de2d240671fc2471b933071b7fc14621d4283ee86183238cabeb" + logic_hash = "93e08a376b4592c0adfe0e614b23602d5bc006d17b5a20a6bf8aaa7547387746" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 41803c1c20 488d4301 7405 4889c3 ebeb 8d4b01 } - $sequence_1 = { 7592 41c744240801000000 b801000000 4881c458010000 } - $sequence_2 = { 31c9 488b2d???????? 4989f0 ffd5 4c8b35???????? 85c0 7521 } - $sequence_3 = { 488b542420 e8???????? 4c8b442428 31d2 488b4c2420 e8???????? } - $sequence_4 = { e8???????? 4885c0 4889c6 7465 } - $sequence_5 = { 4531c9 440fb74738 488b4c2448 e8???????? 4885c0 } - $sequence_6 = { f3a4 488b7c2438 8b4c2448 f3aa } - $sequence_7 = { 4889f1 ff15???????? b940000000 89c5 4889ea } - $sequence_8 = { ff15???????? 488d0dc82d0000 31f6 89c2 e8???????? e9???????? 
837f3c00 } + $sequence_0 = { 4883c308 e8???????? 4839df 75cd 4c01e7 } + $sequence_1 = { 4883ec60 4889cb e8???????? 488d0dea380000 e8???????? } + $sequence_2 = { 85c0 7521 488b542428 b940000000 41ffd6 4885c0 4889c2 } + $sequence_3 = { 4883ec28 4889cd 4889d3 4c89c7 4a8d0c0a 4c89ce } + $sequence_4 = { 4c8b3d???????? 4889c3 488d44244f 31d2 4d89f1 4889542420 41b800040000 } + $sequence_5 = { ff15???????? f644245c01 41b90a000000 7406 440fb74c2460 } + $sequence_6 = { 5f c3 4889c8 803800 7405 } + $sequence_7 = { b90a000000 f3ab 4889d9 4889f0 4883c420 5b 5e } + $sequence_8 = { 0fb7942448010000 4889d9 e8???????? 8b542440 4889d9 e8???????? 418b542404 } $sequence_9 = { 89c5 4889ea 896c244c ff15???????? 448b44244c } condition: 
@@ -139862,42 +140886,42 @@ rule MALPEDIA_Win_Powerpool_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d4f7d376-91ac-5fba-b394-2196d4883657" - date = "2026-01-05" - modified = "2026-01-06" + id = "4046eb45-b2f2-5bce-b3dd-0334d5e17c4e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.powerpool_auto.yar#L1-L156" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.powerpool_auto.yar#L1-L156" license_url = "N/A" - logic_hash = "dfb0ae2ebf3333eb0ea72de9c6611cca01721c6596963f45a9f1a6121b1e8024" + logic_hash = "0aebd09d801cb2fd36f99fc45e54a2cf64751638ba78cc0945e25bd5705fb8bb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 7412 8b04b0 50 e8???????? } - $sequence_1 = { 7412 837de810 8b45d4 895de4 } - $sequence_2 = { 895e64 33db 894e68 53 53 56 } - $sequence_3 = { 7412 8b4904 80e103 80f901 } - $sequence_4 = { 006711 40 0000 0303 } - $sequence_5 = { 7412 6a00 e8???????? 84c0 7407 b802000000 5f } - $sequence_6 = { 7412 83e903 0f8515010000 c745dcfcae4400 } - $sequence_7 = { 895e64 ff15???????? 
8b4c2418 51 } + $sequence_1 = { 7412 83e903 0f8515010000 c745dcfcae4400 } + $sequence_2 = { 895e30 5b 89462c 5f 33c0 5e 5d } + $sequence_3 = { 7412 8b45a4 83c01f 3945b0 } + $sequence_4 = { 7412 837de810 8b45d4 895de4 7303 } + $sequence_5 = { 005311 40 005d11 40 006711 } + $sequence_6 = { 7412 8b4d08 833c8800 7409 } + $sequence_7 = { 7443 8b45d4 83ff10 7303 8d45d4 fe0418 } $sequence_8 = { 7412 8b45d0 2403 3c01 } - $sequence_9 = { 895e64 e9???????? 53 57 } - $sequence_10 = { 8b6c2468 55 6a02 33db 33ff ff15???????? 8bf0 } - $sequence_11 = { 7443 8b45d4 83ff10 7303 } - $sequence_12 = { 005311 40 005d11 40 006711 } - $sequence_13 = { 8965f0 85c9 7504 33ff eb16 } - $sequence_14 = { 895e64 ff15???????? 8b442414 50 } - $sequence_15 = { 7412 8b45a4 83c01f 3945b0 } + $sequence_9 = { 8b6c2440 83c428 55 e8???????? 8b742424 83c404 33ed } + $sequence_10 = { 006711 40 0000 0303 } + $sequence_11 = { 895e64 e9???????? 53 57 } + $sequence_12 = { 895e64 33db 894e68 53 } + $sequence_13 = { 7412 8b4904 80e103 80f901 } + $sequence_14 = { 895e48 0fb70458 66890451 0fb7466c } + $sequence_15 = { 895e64 ff15???????? 8b442414 50 } condition: 7 of them and filesize < 819200 
@@ -139907,36 +140931,36 @@ rule MALPEDIA_Win_Sysjoker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b72fee4-7a5b-522c-b325-1510979cb981" - date = "2026-01-05" - modified = "2026-01-06" + id = "21284a89-8752-54a0-93d5-e4ccc3ab651b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sysjoker_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sysjoker_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "a2a2517e767f1ff0b106f5e891c93f19537f3a0c72ffc8109655f6e04ec30bb0" + logic_hash = "c28d70b4383688831fd9414587b1779fa5c5c837f9d11f2190ec7897fa815774" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4f24 3b4f18 0f83ad060000 8b4714 46 891488 e9???????? } - $sequence_1 = { c745d40f000000 c645c000 c78564ffffff90a34400 e8???????? 8d8558ffffff c78554ffffff90a34400 50 } - $sequence_2 = { c78500fdffff00000000 33f6 8b3d???????? 89bde0fcffff 0f1f8000000000 } - $sequence_3 = { 0f837a100000 8b8fd8000000 85c9 742f 83bfdc00000008 8d87c8000000 } - $sequence_4 = { 0f84aafeffff 8b8d6cffffff 2bca 8bc2 83e1fc 81f900100000 } - $sequence_5 = { e8???????? 8b45ec 80780d00 74ae 3975dc 0f845e010000 } - $sequence_6 = { 8901 51 8bcc c645fc2a 68???????? e8???????? 
8d4dc8 } - $sequence_7 = { 0f8714010000 52 51 e8???????? 83c408 c645fc01 8b8d48feffff } - $sequence_8 = { 52 8b01 ff5004 51 8bf4 89a5f4fcffff } - $sequence_9 = { 8906 c645fc12 e8???????? 83c408 e8???????? 8bc8 85c9 } + $sequence_0 = { 0faee8 0fb688e0e04400 83e10f eb02 33c9 8b450c 0fb684c800e14400 } + $sequence_1 = { 7522 6685c9 7415 668b4802 663b4a02 7513 83c004 } + $sequence_2 = { 7202 8b07 c60000 8b4620 894624 8a4e0c 884dbf } + $sequence_3 = { 750d 68???????? 8d4db8 e8???????? 8d45b8 c645fc27 50 } + $sequence_4 = { 8b432c 8b00 85c0 7430 8b7d08 3bc1 8bf1 } + $sequence_5 = { 2bd6 8d4dd4 d1fa 52 50 e8???????? 51 } + $sequence_6 = { 8b55f0 894f18 8b4f24 3b4f18 0f83ad060000 8b4714 46 } + $sequence_7 = { b901000000 2b4afc 2bc6 0bc8 7d0a 56 8bcf } + $sequence_8 = { 83e73f c1f806 6bcf38 8945f4 8b0485c0fc4500 894df0 8a440129 } + $sequence_9 = { c645fc05 50 8d4dbc e8???????? 8b458c 33d2 8b7d98 } condition: 7 of them and filesize < 832512 
@@ -139946,58 +140970,58 @@ rule MALPEDIA_Win_Flawedammyy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e3c09ec0-5af5-5a07-8c2f-fc3c122b7323" - date = "2026-01-05" - modified = "2026-01-06" + id = "692cccae-70e4-59bd-9f4c-4cec2e24e49a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.flawedammyy_auto.yar#L1-L303" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.flawedammyy_auto.yar#L1-L300" license_url = "N/A" - logic_hash = "4b49ab8817339f4687e717d3eeefa35a990a787f8625678c6db9867d20e78208" + logic_hash = "d4a9eb44c8eb6a1198553be73c7e6f45ced8197a87f3f24259346faa71626757" score = 75 quality = 33 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 0022 8a4200 828a4200bb8a42 00ff } - $sequence_1 = { 004bbf 42 0062bf 42 } - $sequence_2 = { ffd3 f30f7e45ec 8b4df4 83ec10 8b11 } - $sequence_3 = { 68???????? 8d4df0 e8???????? 8b00 85c0 7404 8b10 } - $sequence_4 = { 8d8da0f6ffff 6a00 6a23 51 6a00 ffd0 8b35???????? } - $sequence_5 = { 0062bf 42 0079bf 42 } - $sequence_6 = { 68f1cbf7ae 6a01 e8???????? 
83c408 } - $sequence_7 = { 002a e342 0039 e342 } - $sequence_8 = { ff5108 8b45fc 50 8b08 ff5108 8b45e4 } - $sequence_9 = { 59 8b7d08 833cfde897410000 755b } - $sequence_10 = { 0039 e342 0048e3 42 } - $sequence_11 = { 0000 0404 0404 0404 0401 } - $sequence_12 = { 83ec10 660fd600 f30f7e45ac 660fd64008 f30f7e8578ffffff 8bc4 } - $sequence_13 = { c78508ffffff44000000 66898538ffffff e8???????? 83c404 85c0 7511 68???????? } - $sequence_14 = { 00b3854200e5 854200 37 864200 } - $sequence_15 = { 0018 874200 58 874200 } - $sequence_16 = { 7e09 8a0e 880a 4a 4e 48 75f7 } - $sequence_17 = { ff75ac 8b3d???????? ffd7 ff75a8 } - $sequence_18 = { 5e 5b c3 55 8bec 81ec5c040000 } - $sequence_19 = { e9???????? 33c0 8b7df4 8b0c855c303400 c1e705 } - $sequence_20 = { 53 ff75dc 6813100000 ff35???????? ffd6 } - $sequence_21 = { ff15???????? eb08 6a64 ff15???????? 53 ff75a8 ff15???????? } - $sequence_22 = { eb0e 8b14957c303400 49 0fafd1 0155fc } - $sequence_23 = { 7426 8b483c ba???????? 03c8 50 66c741160e01 66c7415c0300 } - $sequence_24 = { 8b0c855c303400 c1e705 33d2 03fe } - $sequence_25 = { 0f872affffff 0fb6805a213400 ff2485f6203400 8b8614080000 3b45f4 7e03 8945f4 } - $sequence_26 = { 7516 68???????? e8???????? 53 ff15???????? e9???????? } - $sequence_27 = { 56 8a0a 80f930 7569 } - $sequence_28 = { c745e8ff000000 8b3c857c303400 c745ecffff0000 0faff9 83f801 c745f0ffffff00 741f } - $sequence_29 = { 8b4d08 8a0408 a2???????? 
eb07 c605????????00 c705????????4c403400 ff7508 } - $sequence_30 = { 7518 8b46f8 8b04855c303400 c1e002 50 6a40 } - $sequence_31 = { 83f907 0f8781000000 ff248dfd243400 881f eb76 ff30 eb63 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { 3b560c 7412 51 8d4e18 } + $sequence_1 = { 3b573c 7ca8 8b5d1c 8b87dc000000 } + $sequence_2 = { 3b58fc 0f8ebc000000 85c0 7514 } + $sequence_3 = { 0000 0404 0404 0404 0401 0404 } + $sequence_4 = { 3b5634 7d22 8b4df8 8d4206 } + $sequence_5 = { 3b7d08 758e 8b75ec 8b7de8 } + $sequence_6 = { 50 e8???????? 8d8598f4ffff 50 8d85a8f8ffff 50 e8???????? } + $sequence_7 = { 8d85b4faffff 50 8d85c0fdffff 68???????? 50 ff55f4 } + $sequence_8 = { 3b5634 7ce8 eb76 8b4604 } + $sequence_9 = { 81ec6c0c0000 53 56 57 68???????? 33db ff15???????? } + $sequence_10 = { 6a00 6a00 6800000080 8d85b8fcffff 50 ff15???????? } + $sequence_11 = { 8b87a4000000 03ca 33db 56 8945e4 894dfc } + $sequence_12 = { 85c0 0f8402030000 68b80b0000 e8???????? 8d85b8fbffff } + $sequence_13 = { 3b5808 7e0f 8bce e8???????? } + $sequence_14 = { ffd3 8b45fc 80384d 0f85e6020000 } + $sequence_15 = { 68f572993d 6a01 e8???????? 83c408 } + $sequence_16 = { c1e702 eb60 8b46f8 834de4ff 49 c745e8ff000000 8b3c857c303400 } + $sequence_17 = { 56 53 8d85ccfdffff 68???????? 50 } + $sequence_18 = { c3 55 8bec 83ec28 53 57 6a09 } + $sequence_19 = { eb07 c605????????00 c705????????4c403400 ff7508 ff15???????? } + $sequence_20 = { 3bc3 895dc4 895dd0 891d???????? 741f 8b3d???????? } + $sequence_21 = { ff15???????? 8bcf 83e809 2b4dfc } + $sequence_22 = { 33c0 59 8dbd54ffffff c78550ffffff44000000 c745b80c000000 } + $sequence_23 = { 68000000c0 56 ff15???????? 53 53 53 8bf8 } + $sequence_24 = { ff75e8 ff15???????? 
395df0 0f8476010000 } + $sequence_25 = { 8b480c 8b55fc 8d0c8a 894dfc eb0e 8b14957c303400 } + $sequence_26 = { 8b14957c303400 49 0fafd1 0155fc 46 } + $sequence_27 = { 8b06 83661c00 83f807 0f87c9000000 ff248580233400 832700 } + $sequence_28 = { 7518 8b46f8 8b04855c303400 c1e002 50 6a40 ff15???????? } + $sequence_29 = { 0f8781000000 ff248dfd243400 881f eb76 ff30 eb63 } + $sequence_30 = { ff15???????? 8b75d8 e9???????? 8d85d0feffff } + $sequence_31 = { 83f855 0f872affffff 0fb6805a213400 ff2485f6203400 8b8614080000 3b45f4 7e03 } condition: 7 of them and filesize < 1350656 @@ -140008,10 +141032,10 @@ rule MALPEDIA_Win_Calmthorn_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "cf990769-6e13-5a67-bc05-b21c727d36bf" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.calmthorn_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.calmthorn_auto.yar#L1-L134" license_url = "N/A" logic_hash = "a1bc3f3172ae049034dbbb2cc969035914c9181e535af50f1d71d6e16050356b" score = 75 @@ -140020,9 +141044,9 @@ rule MALPEDIA_Win_Calmthorn_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -140046,42 +141070,42 @@ rule MALPEDIA_Win_Latrodectus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8cce3c90-39d6-56c7-a70d-a97dc872745e" - date = "2026-01-05" - modified = "2026-01-06" + id = "2928dfe2-85b2-58d3-a666-1ead3df853ac" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.latrodectus_auto.yar#L1-L177" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.latrodectus_auto.yar#L1-L178" license_url = "N/A" - logic_hash = "db1ab846766f29e28e7ba8cb8d168586ae215020b0ee3fc8ee79e547f904c4d9" + logic_hash = "79e5ef3590e1035aa82cbf55521fc9e78790fc9555e1c31b8423a3b8d2baaa49" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b4c2430 8801 488b442430 48ffc0 4889442430 8b44242c } - $sequence_1 = { 33c0 6689842430010000 ba18000000 488d8c24d0000000 e8???????? 488d8424d0000000 } - $sequence_2 = { 33c9 ff15???????? 488905???????? 48833d????????00 7414 } - $sequence_3 = { 488b542458 488d4c2428 e8???????? 488b4c2458 e8???????? 488b442420 } - $sequence_4 = { 488b00 488b4818 e8???????? 488b442430 488b00 4883782000 } - $sequence_5 = { 89442420 8b442420 4883f825 7336 8b442420 486bc018 } - $sequence_6 = { 488bc1 488b4c2450 0fb709 488d0488 4889442438 488b442438 } - $sequence_7 = { e8???????? 
89442420 ba68000000 488d4c2430 e8???????? c744243068000000 } - $sequence_8 = { 4883e808 4883f81f 0f87ab000000 e8???????? 488bc3 488b8dd0050000 } - $sequence_9 = { 410fb6f0 e9???????? 80fb05 7405 80fb0b 7508 } - $sequence_10 = { 480f474d70 488b8580000000 4889442430 48894c2428 4889542420 4c8d05fd2d0600 } - $sequence_11 = { 4833c4 4889842448010000 498bf1 4d8bf0 8bfa 4c89442458 } - $sequence_12 = { 41b826000000 488d1591b10b00 488d4c2430 e8???????? 90 488b7c2440 } - $sequence_13 = { 4883ec30 488b442460 498bf9 492bf8 488bf2 482bf1 } - $sequence_14 = { 0f87dc030000 0faee8 e8???????? 660f6f05???????? f30f7f442478 664489642468 } - $sequence_15 = { 0fb605???????? 884130 c6413100 0f57c0 0f11442438 488d3da9630d00 } + $sequence_0 = { 488b8c2448010000 480301 448b442420 488d542430 488bc8 e8???????? } + $sequence_1 = { 488b542460 488d8c24f0010000 ff15???????? 488d442468 4889442448 488d842480010000 } + $sequence_2 = { 8b442420 4839442448 7308 8b442448 89442420 448b442420 } + $sequence_3 = { eb0d 488d842480000000 4889442458 b808000000 486bc000 488b542458 } + $sequence_4 = { 880424 4863442430 48634c2428 488b542420 4c8b442420 418a0400 } + $sequence_5 = { 8b00 488b4c2430 488b09 c6040100 48630424 488b4c2430 } + $sequence_6 = { 488b442440 48638004010000 488b4c2440 0fb60401 488b4c2440 8b8908010000 } + $sequence_7 = { 0fbf440438 c1e006 b902000000 486bc903 0fbf4c0c38 0bc1 } + $sequence_8 = { 4883fa0f 7630 48ffc2 488b4d17 488bc1 4881fa00100000 } + $sequence_9 = { 0f1145e0 0f1145f0 48894500 41b8ffff1f00 488d55d0 488bcb } + $sequence_10 = { 4180397d 752b 49ffc1 498bc1 4883c428 c3 } + $sequence_11 = { 488901 488bc1 c3 488d05cc700b00 48c7410802000000 488901 } + $sequence_12 = { 410fb6fa 41be04000000 41b470 eb47 410fb6fa b806000000 } + $sequence_13 = { 480fafc2 480faf542428 4c03e0 48d3eb 49d3ec 4803fa } + $sequence_14 = { 4883ec60 488b05???????? 4833c4 4889442458 4d8bf1 498bd8 } + $sequence_15 = { 448bc3 8bda 41f7e0 418bc3 4183c304 482bc8 } condition: 7 of them and filesize < 2467840 
@@ -140091,36 +141115,36 @@ rule MALPEDIA_Win_Pitou_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f9c8da4e-505e-547b-8240-9df48ee9f72d" - date = "2026-01-05" - modified = "2026-01-06" + id = "a85d14cb-57d7-5575-a7a3-11de7e655235" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pitou_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pitou_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "c7a5a733d5fc2416ed190ff88c1bcfd8fd875daba5df81cd77a3f96c787c1800" + logic_hash = "0c844ca803e649590adcc11786a8814d8ac20af16e71364a714b606241e79edd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bda c1e305 03c3 8bda } - $sequence_1 = { ac 8bda c1e305 03c3 8bda c1eb02 } - $sequence_2 = { 33c0 ac 8bda c1e305 03c3 } - $sequence_3 = { c1e305 03c3 8bda c1eb02 03c3 } - $sequence_4 = { 8a6201 80f457 8acc 80e103 } - $sequence_5 = { 8bda c1e305 03c3 8bda c1eb02 } - $sequence_6 = { 33c0 ac 8bda c1e305 } - $sequence_7 = { 8acc 80e103 8aec c0ed03 } - $sequence_8 = { 8a6201 80f457 8acc 80e103 8aec c0ed03 80e507 } - $sequence_9 = { 80e703 c0eb05 80e303 80ff00 } + $sequence_0 = { c1e305 03c3 8bda c1eb02 } + $sequence_1 = { 8bc2 5e 5a 59 5b } + $sequence_2 = { 80f457 8acc 80e103 8aec } + 
$sequence_3 = { ac 8bda c1e305 03c3 } + $sequence_4 = { 8acc 80e103 8aec c0ed03 80e507 } + $sequence_5 = { 8a12 80f257 8ada c0eb02 } + $sequence_6 = { 80e703 c0eb05 80e303 80ff00 } + $sequence_7 = { 33c0 ac 8bda c1e305 03c3 8bda } + $sequence_8 = { 8bda c1e305 03c3 8bda c1eb02 03c3 33d0 } + $sequence_9 = { 80f457 8acc 80e103 8aec c0ed03 } condition: 7 of them and filesize < 1106944 
@@ -140130,36 +141154,36 @@ rule MALPEDIA_Win_Nimrev_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45a43e4c-b390-5a59-8f10-bde6512a2548" - date = "2026-01-05" - modified = "2026-01-06" + id = "736b20de-2d0d-5fb4-8b81-528b8f5419bf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimrev" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nimrev_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nimrev_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "cfe876922fc1333031ee5c82f8f6e15e7c6a81cc34499037bfc98c907bd66dbf" + logic_hash = "c5b9c2e28bc6c7850dc3d9535c11cdf0b1bd6222eadacb0a45fb776dfbe779f8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8845ef eb01 90 807def00 } + $sequence_0 = { 8845f5 eb01 90 807df500 } $sequence_1 = { 0fb600 3c5f 7507 b801000000 } - $sequence_2 = { 3c7d 7407 b801000000 eb05 } - $sequence_3 = { 7507 b801000000 eb05 b800000000 8845f7 eb01 90 } - $sequence_4 = { 0fb600 3c7d 7407 b801000000 eb05 b800000000 } - $sequence_5 = { ffd0 90 e9???????? 90 b9d0070000 } - $sequence_6 = { c1e002 01d0 01c0 29c1 89c8 83c030 89c1 } - $sequence_7 = { 89c2 89d0 c1e002 01d0 01c0 29c1 89c8 } - $sequence_8 = { 83f001 84c0 7408 90 e8???????? 
eb01 } - $sequence_9 = { 0f9ec0 8845ef eb01 90 807def00 } + $sequence_2 = { 01d0 01c0 29c1 89c8 83c030 89c1 } + $sequence_3 = { 7f06 90 e9???????? 90 } + $sequence_4 = { ffd0 90 e9???????? 90 } + $sequence_5 = { 0f95c0 8845f6 eb01 90 0fb645f6 8845f7 807df700 } + $sequence_6 = { 83f001 84c0 7408 90 } + $sequence_7 = { b801000000 eb05 b800000000 8845f7 eb01 90 0fb645f7 } + $sequence_8 = { 7408 90 e8???????? eb01 90 } + $sequence_9 = { eb05 b800000000 8845f7 eb01 90 0fb645f7 } condition: 7 of them and filesize < 1141760 
@@ -140169,36 +141193,34 @@ rule MALPEDIA_Win_Sadbridge_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d5c20ad4-43c0-50c3-9d4c-1a951b87b122" - date = "2026-01-05" - modified = "2026-01-06" + id = "2935189c-81b1-54e7-84ac-fe30d1953627" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sadbridge" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sadbridge_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sadbridge_auto.yar#L1-L93" license_url = "N/A" - logic_hash = "d280954e74300d3f9a45abc8f0031561691484da682361fb4efd2fdc22668bb8" + logic_hash = "5e43c997002f07d0fb4ad79ebd11a7943e10bedf71c395e9e9f46a03502f1cc5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48c7435800000000 4c89e1 48c7436000000000 48c7436800000000 48c7437000020000 66894378 } - $sequence_1 = { 31d2 83e001 05ffffff7f 8944245c 41f7f5 89442458 488d869c000000 } - $sequence_2 = { 0f8568fcffff 488b4570 448920 e9???????? 
488b01 ff5048 83f8ff } - $sequence_3 = { 53 4883ec28 4889542478 4989cd 4c89842480000000 4839d1 0f843f010000 } - $sequence_4 = { 400f94c6 4885c0 0f94c2 4809c1 0f8489020000 8b842498000000 4531f6 } - $sequence_5 = { 31d0 29d0 83f864 0f9fc0 0fb6c0 4883c428 5b } - $sequence_6 = { 49c744240800000000 498d4c2438 49c744241000000000 488d7810 49893c24 49c744241800000000 49c744242000000000 } - $sequence_7 = { 41ba01000000 4885c9 741e 488b4110 483b4118 0f83ad020000 0fb700 } - $sequence_8 = { 488b4c2470 448b6c2478 4885c9 740a 4183fdff 0f84a7030000 4084ff } - $sequence_9 = { 745c 498b4c2410 4839cb 7732 4d85c0 7416 4a8d0c50 } + $sequence_0 = { 014348 4439c1 0f8dae000000 4c63e1 } + $sequence_1 = { 0075cd baff000000 4d8b842418010000 4c89e1 } + $sequence_2 = { 019c24a8000000 48898424b8000000 e9???????? 4c8da424b0000000 488d154cc6c000 } + $sequence_3 = { 014348 0fb60a 89c8 80f943 } + $sequence_4 = { 01c0 4189c2 4183ca01 f6c202 410f45c2 4883e902 } + $sequence_5 = { 0000 4c89e1 41c68424ff00000000 41ff942410010000 } + $sequence_6 = { 0000 498b842400010000 483dff000000 0f841d0f0000 } + $sequence_7 = { 004489c2 4909d6 4183f8ff 4889c3 } condition: 7 of them and filesize < 25882624 @@ -140209,10 +141231,10 @@ rule MALPEDIA_Win_Veletrix_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "a5f5b762-13c6-553b-b699-839d4e6ceb4f" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.veletrix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.veletrix_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.veletrix_auto.yar#L1-L125" license_url = "N/A" logic_hash = "caf3f0b619f428452505d9ee8537497d80964f351312a5e0d2c1e4059a2feec7" score = 75 
@@ -140221,9 +141243,9 @@ rule MALPEDIA_Win_Veletrix_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" @@ -140248,10 +141270,10 @@ rule MALPEDIA_Win_Longwatch_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ce0e9c11-46ca-5532-8823-1deb885f5c74" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.longwatch_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.longwatch_auto.yar#L1-L118" license_url = "N/A" logic_hash = "9dae6296ff953841361d58c7b1fa7eff6214a00cb7112d7c5966dd21deae5ffb" score = 75 @@ -140260,9 +141282,9 @@ rule MALPEDIA_Win_Longwatch_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -140287,10 +141309,10 @@ rule MALPEDIA_Win_Gemcutter_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "f2a59f86-1075-5464-b91b-cb447c183566" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.gemcutter_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.gemcutter_auto.yar#L1-L122" license_url = "N/A" logic_hash = "9745c8061ab88116351043d55251d3e8c32737ca442027c8a6620480abc8c8bf" score = 75 @@ -140299,9 +141321,9 @@ rule MALPEDIA_Win_Gemcutter_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -140325,42 +141347,41 @@ rule MALPEDIA_Win_Slothfulmedia_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "12866e57-5c22-5ece-ab6b-edebb824500e" - date = "2026-01-05" - modified = "2026-01-06" + id = "d9174ca3-ebdf-520c-93d3-8be8e8089548" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slothfulmedia_auto.yar#L1-L175" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slothfulmedia_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "8cdce0e96c9b360c003407b809360fea7e440aeaa30b884d65090695657af8b0" + logic_hash = "0aba1adc88768da0c3eac6ae989ab23135f3cd09cdcdff04b83568cc95cb6407" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8365f000 837d1400 53 56 57 0f86a0000000 8b5d10 } - $sequence_1 = { 68df3d7a6b 50 e8???????? 57 ff15???????? 57 } - $sequence_2 = { d1f8 8b45fc 7505 b8???????? 50 57 } - $sequence_3 = { 397df4 0f8640ffffff 8b4508 e8???????? cc 55 8bec } - $sequence_4 = { 33c0 eb17 57 ff750c } - $sequence_5 = { ff7320 6a00 6a00 ffb33c020000 ff15???????? 8945f8 } - $sequence_6 = { ff7514 56 ff15???????? 56 ff15???????? 8b4508 eb02 } - $sequence_7 = { 1bd2 83daff 85d2 7422 83f805 761f } - $sequence_8 = { ff15???????? 
8b8c2410020000 5f 5e 33cc } - $sequence_9 = { 6689442414 e8???????? 83c40c 6a00 ff15???????? 8b35???????? 8b3d???????? } - $sequence_10 = { 83c40c 6804010000 8d44240c 50 6a00 } - $sequence_11 = { 85c0 7507 ffd7 83f805 74ee 6804010000 } - $sequence_12 = { 8b35???????? 8b3d???????? 90 68???????? ffd6 85c0 } - $sequence_13 = { 8d4c2410 51 ff15???????? 8b8c2410020000 } - $sequence_14 = { e8???????? 81c40c020000 c21000 3b0d???????? 7502 } - $sequence_15 = { 6804010000 8d54240c 6a00 52 e8???????? 83c40c } + $sequence_0 = { 56 57 33c0 33ff 6806020000 668985ecfdffff 8d85eefdffff } + $sequence_1 = { 89443110 8bc3 5b 5e c9 c3 } + $sequence_2 = { 8b86540e0000 3bc7 7438 57 } + $sequence_3 = { 8bf8 ff15???????? 56 6a00 50 8945fc e8???????? } + $sequence_4 = { 8bd8 895df0 3bdf 0f8434020000 } + $sequence_5 = { 6a07 5a 3bc2 0f8756090000 ff2485ed374000 838de8fdffffff 89b5c4fdffff } + $sequence_6 = { 0f84db000000 80bb3802000000 0f85ce000000 ff742410 ff15???????? } + $sequence_7 = { ff15???????? eb0a 53 8b1b } + $sequence_8 = { ffd6 85c0 7507 ffd7 83f805 } + $sequence_9 = { e8???????? 83c40c 6804010000 8d44240c 50 6a00 ff15???????? } + $sequence_10 = { 89842408020000 56 57 68d0070000 ff15???????? 33c0 } + $sequence_11 = { 6a00 8d4c2410 51 ff15???????? 8b8c2410020000 5f } + $sequence_12 = { 6689442414 e8???????? 83c40c 6a00 } + $sequence_13 = { 83f805 74ee 6804010000 8d54240c 6a00 52 e8???????? } + $sequence_14 = { 33c0 e8???????? 81c40c020000 c21000 3b0d???????? 7502 } condition: 7 of them and filesize < 122880 
@@ -140370,36 +141391,36 @@ rule MALPEDIA_Win_Remy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e336b399-c824-5cff-9d79-2b28637c647b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4fd49031-cc3c-54fe-bbeb-7fecb98a473f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.remy_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.remy_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "78b349d77eab72ccd2cb565c0bcdfc5bac491569a0a70fac7617d2ce3551a21d" + logic_hash = "05547b7ea61110404e982af5f60cdc55cc16ba8fc93ea7a1a41cb545e334bd46" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 668945e1 8845e3 8b4508 885ddc 50 b808000000 8d5ddc } - $sequence_1 = { 899c24a0000000 89bc24c0000000 899c24c4000000 899c24c8000000 8b442410 8d542418 52 } - $sequence_2 = { 83c404 8db558ffffff e8???????? c645fc01 8b08 8bb564ffffff 8d41f0 } - $sequence_3 = { 746e 50 e8???????? 8bf0 eb66 8d4de0 } - $sequence_4 = { 8b4d20 b802000000 c745fc00000000 51 6689459c ff15???????? } - $sequence_5 = { 8d8d4cffffff 8d9548feffff 898500feffff 898d04feffff 899508feffff 8d853cffffff 8d8d94feffff } - $sequence_6 = { c70001000000 8b4620 50 895dac 895da8 ff15???????? 
83f8ff } - $sequence_7 = { c684243003000002 c7842480010000fe454c35 66c7842484010000fe4c c684248601000000 8d842480010000 800027 40 } - $sequence_8 = { 52 6806100000 68ffff0000 56 ff15???????? 6a04 8d45d0 } - $sequence_9 = { 8bce e8???????? 837e1410 7202 8b36 8d472c } + $sequence_0 = { 8985acfeffff 3bfb 0f8412020000 399db0feffff 0f8406020000 8bb5c4feffff 3bf3 } + $sequence_1 = { 8985b0feffff 8d8d68ffffff 8d9540ffffff 898da8feffff 8995acfeffff 8d8510ffffff 8d4dc4 } + $sequence_2 = { c745c40f000000 e8???????? 83ec1c c645fc04 8bf4 c746140f000000 } + $sequence_3 = { 33c9 32d2 895c2460 e8???????? 83c40c 83f805 } + $sequence_4 = { 8d4dd4 800127 41 3819 75f8 8bfa } + $sequence_5 = { c745fcfeffffff eb7a 8d9648100000 2bc1 8902 8d4c3148 898e4c100000 } + $sequence_6 = { 837d1c10 8b4508 7303 8d4508 8b4d18 51 50 } + $sequence_7 = { e8???????? 83c404 891f 895f04 } + $sequence_8 = { 8d443464 50 51 ff15???????? 3bc3 7e08 2bf8 } + $sequence_9 = { c7459c493e472b c745a03e4a4e3e 66c745a44c4d c645a600 c745d030424721 c745d44d4d492b c745d83e3a3d1d } condition: 7 of them and filesize < 507904 
@@ -140409,36 +141430,36 @@ rule MALPEDIA_Win_Darkme_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1036dced-69e3-5dff-8a15-6ed9a4e7c833" - date = "2026-01-05" - modified = "2026-01-06" + id = "deefd4f1-d0de-5af5-8862-7704eff8b886" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkme" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkme_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkme_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "816ab6c03be8b7c8209c8913616f17d58c6b5480cc780d2ab0b0d2412d8ca815" + logic_hash = "36191b5482269d96cf5b331d3d9778609d3d126bc58522442758836221adae30" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 40 f7d8 668985f0feffff 8d4d84 ff15???????? 8d8d70ffffff ff15???????? } - $sequence_1 = { eb12 8b95ecfeffff 81c2???????? 8995a8feffff 8b85a8feffff 8b08 8b95a8feffff } - $sequence_2 = { 8d4ddc 898d90feffff 8b9590feffff 8b02 8985e4feffff 6a00 8b4dc8 } - $sequence_3 = { 8b8504ffffff 8b08 8b01 52 ff9098030000 50 } - $sequence_4 = { c745f8???????? 
c745fc00000000 8b7508 8b06 56 ff5004 668b4d0c } - $sequence_5 = { 7459 c745fc08000000 6a10 8b55cc 52 8d45d0 50 } - $sequence_6 = { c745b801000000 c745b002000000 8b55d4 52 8d45b0 50 d9856cffffff } - $sequence_7 = { 898d24ffffff eb12 8b9530ffffff 81c2???????? 899524ffffff 8b8524ffffff 8b08 } - $sequence_8 = { 8b1491 52 68???????? e8???????? 8bd0 8d4dac ff15???????? } - $sequence_9 = { 6a00 6a00 6a01 6a08 8b9530ffffff 81c2???????? 52 } + $sequence_0 = { f7da 8955dc 8d4db8 ff15???????? ff15???????? } + $sequence_1 = { 8b55d4 8b02 8b4dd4 51 ff501c dbe2 } + $sequence_2 = { 7d23 6a6c 68???????? 8b4508 8b4858 51 8b95e4feffff } + $sequence_3 = { 898544ffffff 68???????? 897dd4 897dd0 897dcc 897dc8 897db8 } + $sequence_4 = { 8d45a4 50 c78558ffffff89e060bb c78560ffffff89c5ff73 c78564ffffff04ff530c c78568ffffff740ae859 } + $sequence_5 = { 52 8d4584 50 8d4d88 51 6a04 } + $sequence_6 = { 8b95a8feffff 8d4d9c ff15???????? 50 e8???????? } + $sequence_7 = { 50 ff15???????? 8b35???????? bb01000000 8945b0 8bfb 3b7db0 } + $sequence_8 = { c745fc06000000 ff15???????? 50 8d4dd4 51 ff15???????? 894584 } + $sequence_9 = { 8d4dac 51 6a0d ff15???????? 83c438 e9???????? c745fc42000000 } condition: 7 of them and filesize < 1515520 
@@ -140448,36 +141469,36 @@ rule MALPEDIA_Win_Hopscotch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e03bc4c7-2cba-5076-a6ca-4697985738a4" - date = "2026-01-05" - modified = "2026-01-06" + id = "35e77e89-7a86-5a92-a823-b27091293f85" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hopscotch_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hopscotch_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "9400f209885075e787eb0bd6132b5f0672b265a98357e610aebd52f7df050985" + logic_hash = "f2700d359ac062d39e21d9eedbf1d58d1fc3cd64739ba95f4134fecbc5877244" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d0480 8d0480 c1e002 50 ffd7 } - $sequence_1 = { 55 ffd3 8bf0 85f6 0f8569ffffff 68???????? e8???????? } - $sequence_2 = { a1???????? 83c420 85c0 5f 5e 5b } - $sequence_3 = { 6800800000 8b0d???????? 8b5150 52 ffd6 53 } - $sequence_4 = { 85c0 5f 5e 5b 7414 } - $sequence_5 = { 83c724 3bf0 72d8 eb2a 8b942430020000 8b4c2410 } - $sequence_6 = { c3 81ec08020000 8d442400 56 8d4c2408 } - $sequence_7 = { 6a21 50 e8???????? 83c408 c78424a400000002000000 8db42428010000 } - $sequence_8 = { 833d????????01 750d 8b442404 50 e8???????? 83c404 } - $sequence_9 = { 8b3d???????? 
83c408 8d442408 50 ffd7 } + $sequence_0 = { 6aff 51 6a02 57 e8???????? } + $sequence_1 = { e8???????? 83c40c 8d8424a0050000 8d8c2490000000 6800010000 50 6aff } + $sequence_2 = { 7517 68???????? e8???????? 83c404 32c0 5e 81c408020000 } + $sequence_3 = { c744241c00000000 b301 ff15???????? 8bf0 85f6 7511 } + $sequence_4 = { 72d8 eb2a 8b942430020000 8b4c2410 8d04f6 } + $sequence_5 = { ff15???????? 8d4c2410 51 6a01 56 ff15???????? } + $sequence_6 = { 51 e8???????? 8b942478080000 8bb42474080000 52 } + $sequence_7 = { 32c0 5b 81c4a0030000 c3 8d4c2410 6a14 } + $sequence_8 = { 53 8d442424 6a08 50 e8???????? 56 53 } + $sequence_9 = { 6a00 83cfff c744241c00000000 b301 ff15???????? 8bf0 } condition: 7 of them and filesize < 1143808 
@@ -140487,58 +141508,58 @@ rule MALPEDIA_Win_Cobalt_Strike_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aab8f287-0819-52fa-8447-761ad2e94a18" - date = "2026-01-05" - modified = "2026-01-06" + id = "0368001f-2097-5ad0-a8cc-9f3157226350" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cobalt_strike_auto.yar#L1-L289" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cobalt_strike_auto.yar#L1-L294" license_url = "N/A" - logic_hash = "6946d3d1b89ab18cd12b0ef58b50d5d28d283228462e1be6da78da0efd49ddbb" + logic_hash = "31216c950a7137c94bf3f4288b8613a4e99b697ec3135af46a44daf232429edc" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bc7 750d ff15???????? 3d33270000 } - $sequence_1 = { e9???????? eb0a b801000000 e9???????? } - $sequence_2 = { ff15???????? 85c0 741d ff15???????? 85c0 7513 } - $sequence_3 = { ff7608 83660400 e8???????? 59 } - $sequence_4 = { ff15???????? 59 a807 7501 4e } - $sequence_5 = { ff75f8 ff75fc ff15???????? 83c40c eb15 ff75fc } - $sequence_6 = { ff7604 ff75fc ff15???????? 83c410 } - $sequence_7 = { ff15???????? 59 c70601000000 e9???????? } - $sequence_8 = { ff7604 e8???????? 014604 83c410 014608 } + $sequence_0 = { e9???????? eb0a b801000000 e9???????? 
} + $sequence_1 = { 3bc7 750d ff15???????? 3d33270000 } + $sequence_2 = { e8???????? 83c40c eb13 6a02 56 6a01 6820bf0200 } + $sequence_3 = { ff15???????? 85c0 741d ff15???????? 85c0 7513 } + $sequence_4 = { eb25 53 8d45fc 50 53 } + $sequence_5 = { eb09 8b45f8 83c001 8945f8 8b4514 } + $sequence_6 = { ff15???????? 59 85c0 7510 83c604 } + $sequence_7 = { ff5510 83c40c ebd6 55 } + $sequence_8 = { ff5510 57 e8???????? 83c434 8b750c } $sequence_9 = { 85c0 7405 e8???????? 8b0d???????? 85c9 } $sequence_10 = { e9???????? 833d????????01 7505 e8???????? } $sequence_11 = { 8bd0 e8???????? 85c0 7e0e } - $sequence_12 = { f7d8 1bc9 4423f9 488d4ddf e8???????? } - $sequence_13 = { c1ef03 8bc7 ffc0 81ff80000000 720b eb05 } - $sequence_14 = { 488bd7 488bcf e8???????? 85c0 7569 498bcf } - $sequence_15 = { 83f801 750e e8???????? 4c8d2dca1e0000 eb16 e8???????? 8bd8 } - $sequence_16 = { 7409 c745f040000000 eb07 c745f004000000 } - $sequence_17 = { 52 8b4508 8b08 ffd1 85c0 } + $sequence_12 = { 7cec 488b4d1f 8bd3 3b1e 7d13 } + $sequence_13 = { 498b4610 8bcb 41b801000000 2bf3 } + $sequence_14 = { eb0b 8b4328 c644182c00 ff4328 837b2838 72ef 8a4307 } + $sequence_15 = { eb0b b810000000 eb09 418d4102 418900 33c0 4883c420 } + $sequence_16 = { 2500800000 7409 c745f040000000 eb07 c745f004000000 } + $sequence_17 = { 50 6a20 8b4d10 51 8b550c 52 8b4508 } $sequence_18 = { 837d0c00 7422 837d1000 761c 837d1404 } - $sequence_19 = { 6a20 8b4d10 51 8b550c 52 } - $sequence_20 = { 8b5514 52 8b450c 8b4850 } - $sequence_21 = { 56 57 8b4510 8b4850 } + $sequence_19 = { 8b5514 52 8b450c 8b4850 } + $sequence_20 = { 52 8b4508 8b08 ffd1 85c0 } + $sequence_21 = { 32c0 b940000000 f3aa 5f 5e 8be5 } $sequence_22 = { 8b4510 8b4850 8b550c 8d440ac0 } - $sequence_23 = { b940000000 f3aa 5f 5e } - $sequence_24 = { 488b842490000000 8b4050 488b8c2488000000 488d4401c0 } - $sequence_25 = { c644246856 c644246969 c644246a72 c644246b74 c644246c75 } - $sequence_26 = { 4889442418 48837c242800 0f8496010000 488b0424 0fb700 66c1e80c } - 
$sequence_27 = { 4803c8 488bc1 4889442408 488b442410 8b4004 4883e808 33d2 } - $sequence_28 = { 488bc1 4889442450 488b442450 4883c002 488b7c2420 } - $sequence_29 = { 488b842490000000 ff5008 488b8c2490000000 48894110 488d542458 488b4c2420 } - $sequence_30 = { 488b0c24 0fb709 6623c8 0fb7c1 0fb7c0 488b4c2408 488b0401 } - $sequence_31 = { c644247600 488d4c2428 488b842490000000 ff10 4889442420 } + $sequence_23 = { 56 57 8b4510 8b4850 } + $sequence_24 = { 488b542408 0fb70402 03c1 b9ff0f0000 488b1424 0fb712 } + $sequence_25 = { 486bc005 488b4c2448 488d840188000000 4889442418 488b442418 83780400 } + $sequence_26 = { 488bc1 4889442408 488b442408 c70000000000 } + $sequence_27 = { 4889442428 488b442418 48ffc8 4889442418 48837c242800 0f8496010000 488b0424 } + $sequence_28 = { 4889542410 48894c2408 4883ec38 488b442448 488b4030 } + $sequence_29 = { 488bc1 4889442428 488b442428 813850450000 7502 } + $sequence_30 = { 3d00000020 7518 488b442468 488b4c2410 488908 } + $sequence_31 = { c644242f32 c644243000 c64424384c c64424396f c644243a61 } condition: 7 of them and filesize < 1015808 
@@ -140548,36 +141569,36 @@ rule MALPEDIA_Win_Unidentified_031_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a627a0b9-017e-5461-a9b3-c89e0fe42650" - date = "2026-01-05" - modified = "2026-01-06" + id = "77de712f-509a-5bd9-ac06-6a495b0af267" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_031_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_031_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "005409f0a75d0a6c7e76852a5fa0d497560f223da31bb6e0d79d2b1a3b3dfeb4" + logic_hash = "9cca10a3297d9a7590bafcb743e4efb81d784e6f90c0ccf678132212f3cb6c5a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 e8???????? 897de8 89bd40ffffff e9???????? 817d8004000400 754f } - $sequence_1 = { 3935???????? 7510 68???????? 68???????? ff15???????? 8b35???????? 8d9544ffffff } - $sequence_2 = { 83bd78ffffff03 0f82e5feffff 33c0 8b4dfc 5f 5e 5b } - $sequence_3 = { 51 52 6a12 ff15???????? 83c44c 8d4da0 ff15???????? } - $sequence_4 = { 898bb8200000 898bbc200000 57 8d83b81e0000 50 ffd6 6810140001 } - $sequence_5 = { 3d05000780 0f858c000000 837d2001 0f85e3000000 8d4de4 e8???????? 85c0 } - $sequence_6 = { e8???????? 
8bf8 897dd4 85ff 747f 6a00 53 } - $sequence_7 = { 64a100000000 50 64892500000000 81ec04030000 53 56 57 } - $sequence_8 = { eb03 33f6 46 ff75c0 ff15???????? 59 8bc6 } - $sequence_9 = { 33c0 e9???????? 53 56 ff7508 8d85ecfdffff 50 } + $sequence_0 = { 8b0e 8d55e0 52 57 57 50 56 } + $sequence_1 = { 8d5dc4 53 83ec10 8bdc 8913 8b9568ffffff 895304 } + $sequence_2 = { 8d45c8 8d8d6cfeffff 50 51 ffd3 50 8d55b0 } + $sequence_3 = { 7510 68???????? 68???????? ff15???????? 8b35???????? 8d8dc4feffff 51 } + $sequence_4 = { 898500020000 53 8d8508020000 50 c7850402000010d01800 ffd6 6a70 } + $sequence_5 = { 8b4604 b900000700 3bc1 7727 7441 3d00000200 743a } + $sequence_6 = { 8bcf e8???????? 8945dc 50 8bce e8???????? 8bf8 } + $sequence_7 = { 5a 899530ffffff be601b0001 8dbd34ffffff a5 a5 } + $sequence_8 = { ab ab ab 8365f400 83c630 8bce c745f009000000 } + $sequence_9 = { 53 ff30 ff75d4 e8???????? ff45d0 83c72c 8b45d0 } condition: 7 of them and filesize < 1998848 
@@ -140587,36 +141608,36 @@ rule MALPEDIA_Win_Polyglotduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c295965-8bd5-593f-b721-c3ba45184139" - date = "2026-01-05" - modified = "2026-01-06" + id = "bd1cdf0e-15dd-5c4c-ab72-fd36e70c90c4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.polyglotduke_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.polyglotduke_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "02803fa0214e774a255c3af744ecd162ea9c7b022e39aa2c1104c52737c743df" + logic_hash = "d064f7fc396b35b48b1d6e8322ade65ed162888536ee04d4d1c2c231e2a4ff25" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488bcb 4803f7 e8???????? eb38 488d0d190f0100 e8???????? b905000000 } - $sequence_1 = { f6431840 4c8d0d0269ffff 0f85a5000000 488bcb e8???????? 488d15fdd30000 413bc6 } - $sequence_2 = { 4c8bf8 e8???????? 488d0d86d20000 4c8bf0 e8???????? 488d0d7fd20000 4c8be8 } - $sequence_3 = { 48894608 4803c8 e8???????? 8b54244c } - $sequence_4 = { 8a4f02 4c8bf0 884803 488bcf e8???????? 8b06 } - $sequence_5 = { 4c8d0d35db0000 33c0 498bd1 448d4008 3b0a 742b ffc0 } - $sequence_6 = { ff15???????? 488b5c2430 488bcb 8d78fb ff15???????? 
03c7 } - $sequence_7 = { 498bd5 498bce ff15???????? 33ff } - $sequence_8 = { 7e74 817d0063736de0 7528 48833d????????00 741e 488d0d79db0000 } - $sequence_9 = { e9???????? 488bca ff15???????? 83f847 75eb 488bcd ff15???????? } + $sequence_0 = { 49ffc1 4d3bca 7cbd e9???????? 488b7c2430 498bcc e8???????? } + $sequence_1 = { 0f44cf 4863f1 488d4c3602 e8???????? 448d4601 488bd8 } + $sequence_2 = { 482bc8 48c1e903 8bc1 488b7cc420 488bcf ff15???????? 8d5801 } + $sequence_3 = { 418bd4 488bce 4983c010 e8???????? 488bcb e8???????? 488bc6 } + $sequence_4 = { 488d0d67d20000 488bd8 e8???????? 488b542430 488b8c24c0000000 488bf8 e8???????? } + $sequence_5 = { 488bf2 488be9 4885c9 7507 33c0 e9???????? 488bca } + $sequence_6 = { ff15???????? 4889742420 c744242803000000 4863c8 488d85b0010000 4889742438 6689b44db2010000 } + $sequence_7 = { 488bd8 e8???????? 41bc04010000 418bcc e8???????? } + $sequence_8 = { 4c8b6c2430 418bfc e9???????? 448b03 488b5308 488b4c2438 } + $sequence_9 = { 7455 8d5011 488d0d27570100 e8???????? 488bc8 488bf8 e8???????? } condition: 7 of them and filesize < 222784 
@@ -140626,36 +141647,36 @@ rule MALPEDIA_Win_Cloudwizard_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "abbdc257-eb7b-5dbc-b89d-fa521addbb7b" - date = "2026-01-05" - modified = "2026-01-06" + id = "001ffb66-fb9f-588e-81cc-d9d838c75b00" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudwizard" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cloudwizard_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cloudwizard_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "73a241c1b717ddfac0eb8392f69e9bf260621defdb3bc053842ea74bc39dad65" + logic_hash = "cc04a1e416def0385ae590198639f0e04c657373d99e5744a8a882094c1f4328" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4802 668b38 40 40 6685ff } + $sequence_0 = { 40 6685d2 75f6 2bc1 8bce d1f8 } $sequence_1 = { d1f8 51 8d844618060000 50 e8???????? bf???????? 8bc7 } - $sequence_2 = { 57 50 e8???????? 8d4570 83c40c } - $sequence_3 = { 8bc6 8975ec e8???????? 
ff750c 8b06 ff7508 8bce } - $sequence_4 = { 6a5a 58 6a5d 66894544 } - $sequence_5 = { 58 6a44 668945a8 58 6a1b } - $sequence_6 = { 8986fc010000 897e70 c686c800000043 c6864b01000043 c7466838d54000 } - $sequence_7 = { 58 6a49 668945e4 58 668945e6 6a5d 58 } - $sequence_8 = { c645cf4a c645d044 c645d14d c645d27f 885dd3 8d45bc 59 } - $sequence_9 = { 8bce ff5010 6a04 33d2 59 } + $sequence_2 = { c645c74d c645c846 c645c95c c645ca7e c645cb49 c645cc5a } + $sequence_3 = { 33c0 8945ec 8365fc00 6a10 50 } + $sequence_4 = { 8b35???????? 8365fc00 57 8965f0 6a05 } + $sequence_5 = { 663930 75f5 8d45e8 50 } + $sequence_6 = { 668945f0 58 668945f2 6a47 58 668945f4 6a46 } + $sequence_7 = { ff7508 8bce ff5004 6a04 33d2 59 8bc6 } + $sequence_8 = { 7506 56 e8???????? 6860ea0000 ff15???????? 837e3000 } + $sequence_9 = { c9 c3 55 8d6c2488 81ec9c040000 } condition: 7 of them and filesize < 134144 
@@ -140665,36 +141686,36 @@ rule MALPEDIA_Win_Formbook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c050ce6-9039-5f0c-9eda-53d46123b24c" - date = "2026-01-05" - modified = "2026-01-06" + id = "81889d2e-08ce-5dbd-bb7f-c541d6e4e642" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.formbook_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.formbook_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "986f42b5e94183a87a4b3ecc04f39bd7a6cdd90998ce87e5be2a2b4f7bf3d394" + logic_hash = "4b6cf3ac0bb4cedf394d7a457c0e7108ea8a44fd4176cd32ba35519f56569548" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8be5 5d c3 8d48f8 80f903 771e 8b5518 } - $sequence_1 = { 8bec 8b4508 8b4810 56 6a0d 6a00 } - $sequence_2 = { 56 e8???????? 56 e8???????? 40 50 8b450c } - $sequence_3 = { e8???????? 83c418 8986dc020000 85c0 780c 8b4d0c } - $sequence_4 = { 85ff 7439 8b550c 85d2 7432 8b4d10 33c0 } - $sequence_5 = { 33c0 85d2 741b 8d0c79 53 8d642400 668b1c46 } - $sequence_6 = { 80fa03 0f862cffffff 3c34 0f8446ffffff 3c35 0f8460ffffff 8d48c8 } - $sequence_7 = { e8???????? 
8b4508 8d4df8 51 8d55f0 52 6a00 } - $sequence_8 = { 53 56 57 8b7d10 8d8768480000 50 8db768080000 } - $sequence_9 = { 51 57 e8???????? 83c410 85c0 7915 8b13 } + $sequence_0 = { 8bec 8b450c 85c0 7504 33c0 5d c3 } + $sequence_1 = { 51 57 8996e4020000 c70318000000 c786d00200001a000000 e8???????? } + $sequence_2 = { 3a040e 7510 47 41 } + $sequence_3 = { 8b7508 8b465c 57 c644301c80 bf01000000 017e5c } + $sequence_4 = { 51 52 e8???????? 83c448 8d4590 50 83c3fe } + $sequence_5 = { 33c0 68fe030000 50 8d8d02fcffff } + $sequence_6 = { 3b450c 7290 5b 5f 5e 8be5 } + $sequence_7 = { 52 e8???????? 83c40c 85c0 7510 47 83c318 } + $sequence_8 = { 894df8 e8???????? 830702 83c40c 830603 8b06 8a4c1801 } + $sequence_9 = { 83c408 50 e8???????? 83c410 85c0 7523 8d8de4fdffff } condition: 7 of them and filesize < 371712 
@@ -140704,36 +141725,36 @@ rule MALPEDIA_Win_Chewbacca_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "847304aa-d95d-5b53-bfb8-fe0eb8b688d2" - date = "2026-01-05" - modified = "2026-01-06" + id = "540af0df-c476-50dc-baf1-115807795d55" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.chewbacca_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.chewbacca_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "f5f29df4947aa2192c20ef975dcc6c403a1b166aed455b80e47ce170d12533bf" + logic_hash = "742822157bec8dd9ee72aed765221c6cf83fa642a836fe167c2ac418ecc29121" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? b909000000 89ee 8b7c2430 f3a6 0f8558010000 89c6 } - $sequence_1 = { e8???????? c7442414c4796800 c7442410cd846800 c744240c1c070000 89442408 c7442404???????? a1???????? } - $sequence_2 = { 8b4324 85c0 7461 c744240c00000000 8d54242c 89542408 c744240400000000 } - $sequence_3 = { e9???????? 8b45fc e8???????? 52 50 8d45b8 e8???????? } - $sequence_4 = { e8???????? c744241cd4686500 c7442418a0836500 c74424147b110000 89442410 c744240c44446500 c7442408???????? } + $sequence_0 = { e8???????? eb55 8b442478 89442414 895c2410 c744240c9c976600 c7442408???????? 
} + $sequence_1 = { ff33 74fd 0389cfc1ef10 81e7ff000000 3374fd02 89d7 c1ef18 } + $sequence_2 = { e8???????? c744241426a36700 c744241048cf6700 c744240c20060000 89442408 c7442404???????? a1???????? } + $sequence_3 = { a3???????? 8b442424 89442408 8b442420 89442404 a1???????? 890424 } + $sequence_4 = { c7042424040000 e8???????? 89c2 85c0 0f84a0000000 89c7 be24040000 } $sequence_5 = { e8???????? c7042401000000 e8???????? e8???????? 89c3 e8???????? 895c2410 } - $sequence_6 = { e8???????? e8???????? 50 85c0 0f8540040000 b801000000 8d5584 } - $sequence_7 = { e8???????? c744241c84006700 c7442418b7026700 c7442414eb010000 89442410 c744240c64fd6600 c7442408???????? } - $sequence_8 = { e8???????? e8???????? 50 85c0 7516 8d55d4 89d8 } - $sequence_9 = { e8???????? c7442414cb246800 c7442410f3296800 c744240cec040000 89442408 c7442404???????? a1???????? } + $sequence_6 = { eb0c be00000000 eb05 be00000000 89f0 83c410 5b } + $sequence_7 = { f2ae f7d1 8b442440 8d4408ff 89442440 e9???????? 89e8 } + $sequence_8 = { 8945fc 89d3 89ce 8a4508 84c0 7409 8b45fc } + $sequence_9 = { 8b542454 8b442450 e8???????? 85c0 740b 83c43c 5b } condition: 7 of them and filesize < 9764864 
@@ -140743,36 +141764,36 @@ rule MALPEDIA_Win_Blacklotus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6d41c095-e739-5655-a8fc-e5651a304950" - date = "2026-01-05" - modified = "2026-01-06" + id = "d42cbe72-e785-5fef-a32b-e74b59c876d0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.blacklotus_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.blacklotus_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "69ee2c520b98a8fc48e03d945b290dd8e5b47d8c94f1557274f7c175df20640a" + logic_hash = "2d20a8fdb754913b5c048ddcf6b114f120d6fc7b1bb4332f4602a2e54686d4b8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 884102 488d4904 4983e801 75dc 428d149dfcffffff 460fb60412 8d4201 } - $sequence_1 = { 7507 488b4b38 c601c3 488b1b 483bdf } - $sequence_2 = { 4883c104 e8???????? 488b4d30 0fb65103 0fb64102 48c1e208 } - $sequence_3 = { 44884301 88430b e8???????? 4c8bc6 488bd3 408acf } - $sequence_4 = { 2bcf ffc7 4103c9 6633544d08 8d41ff 6689544508 } - $sequence_5 = { 408a7c3c30 428d149de0ffffff 46320412 8d4201 } - $sequence_6 = { 4883ec30 418be8 488bfa 488bf1 488d15d41a0100 488b0d???????? } - $sequence_7 = { 7508 4d85c0 75ea 33c0 c3 1bc0 } + $sequence_0 = { 488bf0 e8???????? 
4533c0 8d530d 488d0da31c0000 } + $sequence_1 = { 4c8bf0 e8???????? 4c8bf8 4885f6 } + $sequence_2 = { 663905???????? 0f85c2000000 be06000000 488d15741d0000 448bc6 488bcb } + $sequence_3 = { 7c10 6642837cc11010 7507 42395cc114 } + $sequence_4 = { c745487fff0400 e8???????? 488bcf 488bd8 e8???????? 498bce 488bf8 } + $sequence_5 = { 418a400e 4188480a 418a4806 41884006 418a4007 4188480e } + $sequence_6 = { 488b4940 e8???????? 3db01d0000 7277 3df0230000 } + $sequence_7 = { 4889742410 57 4883ec20 488364244000 488bf2 } $sequence_8 = { ffc8 03c3 44888430d8070000 453bd1 72b9 8b15???????? ffca } - $sequence_9 = { 4c8d054e140100 488bd7 488bd8 e8???????? 488b05???????? } + $sequence_9 = { 8bda 488bf9 83fa02 0f824d010000 488d35b1160100 4585c0 } condition: 7 of them and filesize < 181248 
@@ -140782,36 +141803,36 @@ rule MALPEDIA_Win_Goopic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3dc4c257-a5c8-5a4d-ab14-c83ca28cb2ec" - date = "2026-01-05" - modified = "2026-01-06" + id = "87255f09-7c70-5d6b-8dc8-e0d14280a7e6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.goopic_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.goopic_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "44b46e1ba9017c5fbd258e5f68a3335c35049c2540cd88d9310017d21c5cf5d5" + logic_hash = "dc8bae025cea8d276a5a245fb8b4ee54c2d43008c69ee8128e3b46c01cf6a095" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89742414 ff15???????? 50 ff15???????? 85c0 7427 } - $sequence_1 = { 0f84c6000000 833d????????00 740d 8d85f0fdffff 50 } - $sequence_2 = { 85c0 7411 e8???????? ba01000000 } - $sequence_3 = { c785d0fdffff2c020000 ff15???????? 8bf0 8d85d0fdffff 50 56 89b5ccfdffff } - $sequence_4 = { 58 6bc000 c7803430400002000000 6a04 58 } - $sequence_5 = { 68???????? 6a01 6a00 68???????? ff15???????? 85c0 0f888e000000 } - $sequence_6 = { be00010000 33c0 66c787000100000000 8801 8d4901 40 663bc6 } - $sequence_7 = { ffd7 e8???????? e8???????? 8bd6 } - $sequence_8 = { b9???????? e8???????? 
83c404 8d85f8dfffff } - $sequence_9 = { c785c0fdffff305d4000 eb0a c785c0fdffff245d4000 8d85b4fdffff c785c4fdffff3c5d4000 50 } + $sequence_0 = { ffd3 85c0 7534 6a11 ffd7 } + $sequence_1 = { 57 ffd6 8945f8 83f8ff 74dd 6a00 } + $sequence_2 = { 85c0 752f 8d85f4efffff 50 8d85fcefffff } + $sequence_3 = { 57 8945f4 a1???????? 68???????? 8945f8 e8???????? } + $sequence_4 = { 8bec b8646a0000 e8???????? a1???????? 33c5 8945fc } + $sequence_5 = { 8b7d08 32db 668955fe 8bcf 32f6 be00010000 33c0 } + $sequence_6 = { 68???????? ff15???????? 50 ff15???????? ffb5f0efffff ffb5dcefffff ffd0 } + $sequence_7 = { 50 ffb5dcefffff ff15???????? 33c0 c785ecefffff00000000 663b4706 7353 } + $sequence_8 = { 50 6aff 68???????? 6a00 6a00 ffd7 8d842448190000 } + $sequence_9 = { 8d45e0 8bfa 50 8bd9 ff15???????? 85c0 } condition: 7 of them and filesize < 114688 
@@ -140821,36 +141842,36 @@ rule MALPEDIA_Win_Billgates_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "936ce7c3-e0bc-5e8a-a94c-d204107ad6c9" - date = "2026-01-05" - modified = "2026-01-06" + id = "0a91e8fb-e1e0-52f0-8fef-d1068e9e713a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.billgates_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.billgates_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "0d1344c595e66a8a3fe952afc687de569fadd20ac0c050f652fba5100e4b414d" + logic_hash = "8ead401d7cff839b80d25647d0fc797e194b191a9924c059ff444cbd82bd8a8c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7408 3c22 7404 3c30 7504 } - $sequence_1 = { 3c21 7408 3c23 7404 3c24 } - $sequence_2 = { 7404 3c58 7507 b802000000 eb02 } - $sequence_3 = { 740c 3c11 7408 3c22 7404 3c30 7504 } - $sequence_4 = { 3c11 7408 3c22 7404 3c30 7504 } - $sequence_5 = { 3c21 7408 3c23 7404 } - $sequence_6 = { ff15???????? 83f8ff 7508 ff15???????? f7d8 85c0 } + $sequence_0 = { 3c10 740c 3c11 7408 3c22 } + $sequence_1 = { 3c21 7408 3c23 7404 } + $sequence_2 = { 83f8ff 750c ff15???????? 
8bd8 f7db } + $sequence_3 = { 740c 3c11 7408 3c22 7404 3c30 } + $sequence_4 = { 3c58 7507 b802000000 eb02 } + $sequence_5 = { 7408 3c22 7404 3c30 } + $sequence_6 = { 69c0e8030000 99 81e2ff070000 03c2 } $sequence_7 = { 3c10 740c 3c11 7408 3c22 7404 3c30 } - $sequence_8 = { 740c 3c11 7408 3c22 7404 } - $sequence_9 = { 3c10 740c 3c11 7408 } + $sequence_8 = { 740c 3c11 7408 3c22 7404 3c30 7504 } + $sequence_9 = { ff15???????? 83f8ff 7508 ff15???????? f7d8 85c0 } condition: 7 of them and filesize < 801792 
@@ -140860,36 +141881,36 @@ rule MALPEDIA_Win_Sharpknot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45650ffc-30fa-59dd-9298-17c525a596bf" - date = "2026-01-05" - modified = "2026-01-06" + id = "82220543-0e2d-5853-bc30-f58233c0a35a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sharpknot_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sharpknot_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "f79cb6af16b4be17278bbf2846f42541c5c87bd486108c50193c9587c9073fc1" + logic_hash = "c762276839136acbaa67366b68dd4a56fd80a27286d11e518c5431262a091bed" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d8c246c020000 c7842498050000ffffffff e8???????? 8b8c2490050000 } - $sequence_1 = { 8d542420 8bcf b8abaaaa2a 2bcd 52 f7e9 c1fa02 } - $sequence_2 = { 8bca 897c2430 c1e91f 03d1 83fa01 0f83b3000000 8bcb } - $sequence_3 = { e8???????? 8b8c2490050000 5f 5e 5d 33c0 5b } - $sequence_4 = { 8a8681f84400 2410 3c10 7508 660fb6b680f74400 } - $sequence_5 = { 7f08 81f90000a000 7616 6800001000 8d542414 6a01 } - $sequence_6 = { 51 e8???????? 89442448 89442428 8b44243c 895c2434 8954244c } - $sequence_7 = { 7522 8d44240c 50 e8???????? 
8bf0 83c408 85f6 } - $sequence_8 = { f3a4 b910000000 8d7c2414 f3ab 8d442454 8d4c2410 50 } - $sequence_9 = { 8b520c 52 e8???????? 83c404 } + $sequence_0 = { 8d442420 8bce 50 2bcd b8abaaaa2a f7e9 } + $sequence_1 = { 85d2 763d 85db c744241000000000 7f10 7c0a 817c241400000400 } + $sequence_2 = { 8b7308 8d442420 8bce 50 } + $sequence_3 = { 8b450c 8365ec00 8b4d08 8945f4 8b4514 c745f05b364000 40 } + $sequence_4 = { ff15???????? 6a01 e8???????? c705????????07000000 } + $sequence_5 = { 8bf1 c1e603 3b9670da4000 0f851c010000 a1???????? 83f801 } + $sequence_6 = { 33c0 8d7c2421 88542420 f3ab 66ab 33c9 aa } + $sequence_7 = { 3c10 7508 660fb6b680f74400 663bfe 751f 6685ff 742d } + $sequence_8 = { 8bb620dd4000 3bce 7e20 83e907 eb1b 8b4514 f6c303 } + $sequence_9 = { 83651003 8bf0 750b c1e602 8b86e8dc4000 eb09 c1e602 } condition: 7 of them and filesize < 1032192 
@@ -140899,34 +141920,36 @@ rule MALPEDIA_Win_Hunter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "114c619e-d3db-54d7-bef7-7645d901bc94" - date = "2026-01-05" - modified = "2026-01-06" + id = "dab65f12-fbda-54d9-b5d7-92d22a1c6af2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hunter_auto.yar#L1-L90" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hunter_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "776a5d8eb049aeb15b1138e40f903b0e7294cf0475240df008d707aa37c36610" + logic_hash = "429cf73f5b5e3785a6d3b817e47c0ff838d12f10b8daefb3185e67bb1d873a59" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0000 9c 35a035a435 a835 } - $sequence_1 = { 0145f4 8d45b4 8b55f0 8b4de4 } - $sequence_2 = { 01442428 59 11742428 85db } - $sequence_3 = { 0145e8 8d838e000000 3bc2 8b45e8 } - $sequence_4 = { 01442444 53 11542444 51 } - $sequence_5 = { 0103 115304 e9???????? 8b4c241c } - $sequence_6 = { 014140 89413c 899604010000 e9???????? } - $sequence_7 = { 00443907 8a043a 88043b 8a443a01 } + $sequence_0 = { e8???????? 59 83e80d 8d8d38feffff 50 53 8d858cfdffff } + $sequence_1 = { e8???????? 8b4d08 33d2 8945fc 8bdf 8b09 8b4108 } + $sequence_2 = { f6461801 66894602 750a 8d5614 52 e8???????? 
59 } + $sequence_3 = { 8b55f0 8b4008 ff3410 ff37 ff31 8bce 6a1d } + $sequence_4 = { e8???????? 59 68???????? 8bd0 c645fc2c 8d8d04ffffff e8???????? } + $sequence_5 = { 8bc8 c645fc03 e8???????? 50 8d8d7cffffff e8???????? 57 } + $sequence_6 = { 8b45e0 85ff 75b7 66895612 3b55ec 0f8dbafeffff c60601 } + $sequence_7 = { 8db7c8000000 8d9795000000 0f4cc2 8d5701 03c8 8d473b 03c2 } + $sequence_8 = { 8bd3 5f 52 8d4dec e8???????? 898495e8feffff 42 } + $sequence_9 = { c6040622 46 eb0f 880c06 46 803f22 7505 } condition: 7 of them and filesize < 1056768 
@@ -140936,74 +141959,73 @@ rule MALPEDIA_Win_Silence_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "76b63199-cbb5-5cad-8141-09f38a80148d" - date = "2026-01-05" - modified = "2026-01-06" + id = "104bce43-dab3-5281-977b-dd4f89a33118" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.silence_auto.yar#L1-L414" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.silence_auto.yar#L1-L413" license_url = "N/A" - logic_hash = "ca0b6959891210b6329cb5e65869406530d9a0a78093846319a985c972eb2ee3" + logic_hash = "66e1cc98865e9843fd031a754f5ef15eb719cb45998b96ed684c134433ef7575" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? cc 8325????????00 c3 6a08 } - $sequence_1 = { 8a4801 40 84c9 75f4 eb05 } - $sequence_2 = { 50 6a00 6a00 68???????? c745fc00000000 } + $sequence_0 = { 8b4908 e8???????? cc 8325????????00 c3 6a08 } + $sequence_1 = { 50 6a00 6a00 68???????? c745fc00000000 } + $sequence_2 = { 40 84c9 75f4 eb05 803800 } $sequence_3 = { 50 683f020f00 6a00 68???????? 6801000080 ff15???????? 68???????? } - $sequence_4 = { 6801000080 ff15???????? 56 8d85f8feffff 50 } - $sequence_5 = { ff15???????? 6a00 6800000004 6a00 } - $sequence_6 = { 7502 f3c3 e9???????? e8???????? e9???????? 
6a14 68???????? } - $sequence_7 = { 68???????? ffd6 8b45fc 85c0 } - $sequence_8 = { 6800040000 ff30 c745fc00000000 57 ff15???????? } - $sequence_9 = { 55 8bec 51 56 8b35???????? 6a00 6a00 } - $sequence_10 = { 8b35???????? 6a00 6a00 6a00 6a00 8d45fc } - $sequence_11 = { 84c9 75f4 eb0d 803800 7408 8a5a01 42 } - $sequence_12 = { 3acb 740a 8a4801 40 } - $sequence_13 = { 5b 5d c3 c60200 42 } - $sequence_14 = { 8bf8 6a00 57 ff15???????? 8d45fc } - $sequence_15 = { 50 56 ff15???????? 8b85b8f7ffff 85c0 75b6 ffb5acf7ffff } - $sequence_16 = { 8d85b8f7ffff 50 6800080000 8d85bcf7ffff 50 } - $sequence_17 = { 6a00 8d8db4f7ffff 51 50 8d85bcf7ffff } - $sequence_18 = { e8???????? ff76f8 e8???????? 83c41c 895ef8 897ef0 5b } - $sequence_19 = { 8b46f8 0346f4 57 ff7508 50 } - $sequence_20 = { 8b01 52 8d95f0fdffff 52 } - $sequence_21 = { e8???????? ff37 8b35???????? ffd6 } - $sequence_22 = { 898df8fbffff 8d8dfcfbffff 51 ffb5f0fbffff } - $sequence_23 = { ff5210 8b17 8bcf ff5208 } - $sequence_24 = { 52 ff10 8b95ecfdffff 03fa } - $sequence_25 = { e8???????? 8b4ef4 8bc7 2bc1 } - $sequence_26 = { 99 83e203 03c2 c1f802 89442448 } - $sequence_27 = { ff15???????? ba180c0000 b940000000 ff15???????? } - $sequence_28 = { 8b05???????? d3e0 8b0d???????? 03c8 } - $sequence_29 = { d3e0 0fb6c8 8b05???????? d3e0 } + $sequence_4 = { 7502 f3c3 e9???????? e8???????? e9???????? } + $sequence_5 = { 68???????? ffd6 8b45fc 85c0 } + $sequence_6 = { 46 56 8d85f8feffff 50 } + $sequence_7 = { ff15???????? 6a00 6800000004 6a00 6a00 } + $sequence_8 = { 6801000080 ff15???????? 56 8d85f8feffff } + $sequence_9 = { 3acb 740a 8a4801 40 84c9 } + $sequence_10 = { 8bec 51 56 8b35???????? 6a00 6a00 } + $sequence_11 = { 84c9 75f4 eb0d 803800 } + $sequence_12 = { 8bc6 5e 5b 5d c3 c60200 } + $sequence_13 = { 8bd8 68???????? 53 ff15???????? 6a00 } + $sequence_14 = { eb0d 803800 7408 8a5a01 42 84db } + $sequence_15 = { 6a00 8d8db4f7ffff 51 50 } + $sequence_16 = { ff15???????? 
8d85b8f7ffff 50 6800080000 } + $sequence_17 = { 8b85ecfbffff 85c0 7404 3bc6 } + $sequence_18 = { 51 ffb5f0fbffff 8bcb ff5038 } + $sequence_19 = { e8???????? ff37 8b35???????? ffd6 ff7704 ffd6 ff770c } + $sequence_20 = { 897ef0 5b 5f 5e } + $sequence_21 = { 85c9 7408 8b06 51 8bce ff501c } + $sequence_22 = { ff76f8 e8???????? 83c41c 895ef8 897ef0 } + $sequence_23 = { 8b01 52 8d95f0fdffff 52 ff10 8b95ecfdffff } + $sequence_24 = { 03d7 3b56f0 7611 8b46ec } + $sequence_25 = { 55 8bec ff4d08 755d 833d????????04 7554 } + $sequence_26 = { 68???????? ff15???????? c20800 53 8b1d???????? } + $sequence_27 = { 8b05???????? d3e0 8b0d???????? 03c8 } + $sequence_28 = { ff15???????? a3???????? 85c0 750e 68???????? ff15???????? } + $sequence_29 = { ff15???????? 41b804010000 488d542430 488d4c2430 ff15???????? 85c0 } $sequence_30 = { e8???????? ba00040000 b940000000 ff15???????? } - $sequence_31 = { ff15???????? 41b804010000 488d542430 488d4c2430 ff15???????? 85c0 } - $sequence_32 = { d3f8 0fb60d???????? d3e0 85c0 } - $sequence_33 = { ff15???????? 488d542430 488d8c2440020000 ff15???????? } - $sequence_34 = { 8d0441 33d2 b905000000 f7f1 } - $sequence_35 = { 750e 68???????? ff15???????? c20800 53 8b1d???????? } - $sequence_36 = { 8bec ff4d08 755d 833d????????04 } - $sequence_37 = { c705????????00000000 c705????????04000000 ff15???????? 85c0 750b } - $sequence_38 = { 7507 68???????? ffd7 6a00 6a00 6a01 } + $sequence_31 = { 99 83e203 03c2 c1f802 89442448 } + $sequence_32 = { c705????????03000000 c705????????00000000 c705????????04000000 ff15???????? 85c0 750b } + $sequence_33 = { ff15???????? 85c0 750b 68???????? ff15???????? ff35???????? ff15???????? } + $sequence_34 = { d3e0 0fb6c8 8b05???????? d3e0 } + $sequence_35 = { ff15???????? 68c0d40100 ff15???????? e9???????? } + $sequence_36 = { 85c0 7507 68???????? ffd7 6a00 6a00 } + $sequence_37 = { d3f8 0fb60d???????? d3e0 85c0 } + $sequence_38 = { ff15???????? 488d542430 488d8c2440020000 ff15???????? } $sequence_39 = { 53 8b1d???????? 
57 0f57c0 } - $sequence_40 = { 68???????? ff15???????? a3???????? 85c0 750e 68???????? ff15???????? } - $sequence_41 = { ff15???????? 68c0d40100 ff15???????? e9???????? } - $sequence_42 = { ffd3 5e 85c0 7507 68???????? ffd7 5f } - $sequence_43 = { c705????????00000000 c705????????00000000 ffd3 8b3d???????? } - $sequence_44 = { 0305???????? 0b45f0 3305???????? a3???????? } - $sequence_45 = { 03048db0354200 eb05 b8???????? f6402820 } - $sequence_46 = { 03048db0354200 eb02 8bc6 80782900 } - $sequence_47 = { 03048db0354200 50 ff15???????? 5d } + $sequence_40 = { c705????????00000000 c705????????00000000 ffd3 8b3d???????? 85c0 7507 68???????? } + $sequence_41 = { ff15???????? ba180c0000 b940000000 ff15???????? } + $sequence_42 = { 8d0441 33d2 b905000000 f7f1 } + $sequence_43 = { ff15???????? 98 85c0 0f845d0a0000 6a01 68ea000000 } + $sequence_44 = { 0b8dacfeffff 66890d???????? 0fbf05???????? 0faf45e8 33d2 b947030000 } + $sequence_45 = { 0fbf0d???????? 034db8 66890d???????? 833d????????00 742e } + $sequence_46 = { d3e2 0fbf05???????? 23c2 66a3???????? 0fbe0d???????? 0fbe55ff } condition: 7 of them and filesize < 70128640 
@@ -141013,36 +142035,36 @@ rule MALPEDIA_Win_Neconyd_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0a26010e-37e7-5246-804a-229e327c846f" - date = "2026-01-05" - modified = "2026-01-06" + id = "02e9a580-1315-5c61-8d86-76045bc10ac0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neconyd" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.neconyd_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.neconyd_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "a947c838b71e86e1d4014575969fcaf0468066058b0d2c62ee2db801fb092cd0" + logic_hash = "c6ad4bf4a33c586ad4f5b3b88246df7170eb56d8f0263cd7914777bf201f111f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 74c7 ff75fc 8d85f0efffff 50 8d0437 50 } - $sequence_1 = { c6466701 c6466804 89460c 894e60 397d18 0f85b0000000 8b15???????? } - $sequence_2 = { c6466500 c6466b00 c6466c00 8b442418 898680000000 33c0 } - $sequence_3 = { c3 56 66c7003000 57 40 40 } - $sequence_4 = { 8365fc00 8d45fc 50 6a27 6a5e 8d45d4 } - $sequence_5 = { 57 bb???????? 50 8bd3 e8???????? b9???????? 
} - $sequence_6 = { 66c745ae5814 66c745b0d104 66c745b2c19d 66c745b42070 66c745b66afc 66c745b88fed } - $sequence_7 = { eb06 81c1ffff0000 880e 46 ff45fc } - $sequence_8 = { 29450c 83c40c 03f0 8d45fc 50 6800100000 8d85f0efffff } - $sequence_9 = { 394d18 0f8d35010000 8b0d???????? 3bcf 750c 66c745d83000 } + $sequence_0 = { 50 ba???????? e8???????? 83c410 8bce 8d85acf7ffff e8???????? } + $sequence_1 = { 4a 7414 4a 7531 394510 7404 41 } + $sequence_2 = { e8???????? 59 59 8d4dac 8d85ace7ffff e8???????? 57 } + $sequence_3 = { ff15???????? 8bc3 eb03 83c8ff 5e 5b } + $sequence_4 = { 830f04 eb7d 53 53 8d45ec 50 } + $sequence_5 = { 5b 8be5 5d c3 55 8bec b800200000 } + $sequence_6 = { 85c0 0f85e1010000 8d44245c 50 ba???????? } + $sequence_7 = { 6a06 58 e9???????? 8b7d68 83ff01 7405 83ff03 } + $sequence_8 = { 8945f0 c745fc02000000 bb04010000 53 ff7435ec 8dbdd0fcffff ff7435e4 } + $sequence_9 = { ff7508 8935???????? 6a05 6a05 68???????? } condition: 7 of them and filesize < 326182 
@@ -141052,43 +142074,43 @@ rule MALPEDIA_Win_Redleaves_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b12b9704-a80b-52f8-bcf2-a2bc41cbf847" - date = "2026-01-05" - modified = "2026-01-06" + id = "84ceb8bc-1fa5-579e-97fa-45477db13d3e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.redleaves_auto.yar#L1-L165" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.redleaves_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "462d228f5e12ac81384499c032e83f48dca27fd714ed17b6018f4ee42f07e472" + logic_hash = "67014e27ad6028e3d20f6df35ede10c53bc408e8dd6004f7ba5aa8a0c36cb659" score = 75 quality = 69 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 54 53 51 7565 7279 55 } - $sequence_1 = { 59 89f9 8d64241c d2c0 } - $sequence_2 = { 8d64241c d2c0 8a01 9c } - $sequence_3 = { 89d0 29f8 5f 5b } - $sequence_4 = { 9c 894504 9c 9c } - $sequence_5 = { 7279 55 7365 7254 } - $sequence_6 = { 47 657449 7041 64647254 } - $sequence_7 = { 8bb6e4010000 85f6 7407 56 } - $sequence_8 = { 899e8c010000 66898e7c010000 89beac010000 899ea8010000 66898e98010000 b830750000 8d8e14020000 } - $sequence_9 = { 9c 9c 8f442420 9c } - $sequence_10 = { 7443 399df4fbffff 743b 7612 8b8df0fbffff 8b01 8d95f8fbffff } - $sequence_11 = { 6880000000 50 
e8???????? 8b85a4fdffff } - $sequence_12 = { 85c0 7507 32c0 e9???????? 33c0 898598fdffff 399da0fdffff } - $sequence_13 = { 7443 8d85acfeffff 68???????? 50 } - $sequence_14 = { 50 53 53 c78580fdffff4a000000 } - $sequence_15 = { 6a0d 59 663bc8 0f84c6000000 } - $sequence_16 = { 54 9c 60 9c } + $sequence_0 = { 8d64241c d2c0 8a01 9c } + $sequence_1 = { 7279 55 7365 7254 } + $sequence_2 = { 47 657449 7041 64647254 } + $sequence_3 = { 59 89f9 8d64241c d2c0 } + $sequence_4 = { 89d0 29f8 5f 5b } + $sequence_5 = { 9c 894504 9c 9c } + $sequence_6 = { 57 54 53 51 7565 7279 55 } + $sequence_7 = { 33c5 8945fc 53 56 57 8b7d08 be00040000 } + $sequence_8 = { e8???????? 895500 9c e8???????? } + $sequence_9 = { 7449 833d????????00 7440 ff7508 } + $sequence_10 = { 8bbe10020000 ab 5f 899e3d020000 } + $sequence_11 = { 7443 8d85acfeffff 68???????? 50 e8???????? } + $sequence_12 = { 54 9c 60 9c } + $sequence_13 = { 6880000000 50 e8???????? 8b85a4fdffff } + $sequence_14 = { 6a0d 59 663bc8 0f84c6000000 } + $sequence_15 = { 8b06 ff7508 56 ff5038 8bf8 85ff 790c } + $sequence_16 = { 8bbe0c020000 898615020000 83c40c 899ed8010000 } condition: 7 of them and filesize < 1679360 
@@ -141098,36 +142120,36 @@ rule MALPEDIA_Win_Stealbit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5dce69d0-a61c-561d-bb3f-783619cef52d" - date = "2026-01-05" - modified = "2026-01-06" + id = "b28885ed-d032-5a13-a98a-1bebd078f4f4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stealbit_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stealbit_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "90bb65634be35c442101bb71a7db5f26606dba88a1c52cacba38d15f6d5908ea" + logic_hash = "d19e7a67b988c2a58ac0fbce95eff595af4abb2567d6bc8ccc7a129d170a6321" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 66899528feffff 6689bd30feffff 66899d38feffff 6689bd3efeffff 6689bd42feffff 66894dbc 66895dc0 } - $sequence_1 = { 0f8544010000 6a07 5b 53 8d45bc 8bd6 } - $sequence_2 = { 8bc2 5d c20400 8bd1 8b0a e8???????? 8bc8 } - $sequence_3 = { 8d47f1 c745f877caeb85 03c3 bf28442324 8365fc00 be4f86c861 } - $sequence_4 = { 2ac8 8ac1 5d c20400 55 8bec } - $sequence_5 = { 88460d 57 886e0e 884e0f 6a25 885610 e8???????? } - $sequence_6 = { 8b450c 48 83e801 740e 83e801 750f 8b4508 } - $sequence_7 = { 33c0 66898518ffffff 58 6a74 66898506ffffff 6689b540ffffff } - $sequence_8 = { 8945f8 e8???????? 
03c0 8bce 8bd0 e8???????? 6a0c } - $sequence_9 = { 6a20 66899524ffffff 6689952effffff 5a 6a6e 58 6a6d } + $sequence_0 = { e8???????? ffd0 8b55f8 8bc8 e8???????? 85c0 } + $sequence_1 = { 6a6b 668945a4 58 668945a6 33c0 6a61 668945a8 } + $sequence_2 = { 85c0 740c f0ff8eac020000 e9???????? ff74241c 8d86b8020000 ff74241c } + $sequence_3 = { 8b4508 83e801 7410 83e801 740b 83e801 750a } + $sequence_4 = { 8bcf e8???????? 85c0 7529 6a05 8d45dc 8bd6 } + $sequence_5 = { 33ff 85c9 7469 a1???????? } + $sequence_6 = { 6a03 8d45f4 897ddc 50 8d45c8 c745e8806967ff 50 } + $sequence_7 = { 6689bd84feffff 6689bd76feffff 66898560feffff 6a73 58 6a2e } + $sequence_8 = { a1???????? ff34b0 e8???????? ffd0 } + $sequence_9 = { e8???????? 668bc8 66894a06 6a33 66894a08 e8???????? 6a32 } condition: 7 of them and filesize < 131072 @@ -141138,10 +142160,10 @@ rule MALPEDIA_Win_Mebromi_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "3d64e85a-906f-5ddb-9f75-04eb426f7ebc" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mebromi_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mebromi_auto.yar#L1-L119" license_url = "N/A" logic_hash = "051f5b8119e90ef14be758def00ef62b697ce727969ed9523ac57414d0773faf" score = 75 
@@ -141150,9 +142172,9 @@ rule MALPEDIA_Win_Mebromi_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -141176,36 +142198,36 @@ rule MALPEDIA_Win_Romeos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57e36ea9-25df-5535-9507-4e3e8861391a" - date = "2026-01-05" - modified = "2026-01-06" + id = "12495197-7596-5c2e-ab04-63a6332561ed" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.romeos_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.romeos_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "b103a70d5f0d023abb4fa14da56c910d4eba9e43552b97af05cf92b055758e46" + logic_hash = "bf09e333d14ab00f5e904284a96a914721f903efe98848731f5de75ba7f94542" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5e 5d 5b 81c438200000 c20400 5f 5e } - $sequence_1 = { 83c408 807c24480e 7406 43 83fb08 7cb6 e8???????? } - $sequence_2 = { 85c0 0f85ef000000 85db 751d 807c244802 0f85e0000000 } - $sequence_3 = { 50 bd30000000 e8???????? 8bbc2454200000 } - $sequence_4 = { 83c408 807c24480e 7406 43 } - $sequence_5 = { 7406 43 83fb08 7cb6 e8???????? 
99 } - $sequence_6 = { 6a16 8d4c244c 6800200000 51 } - $sequence_7 = { 81c438200000 c20400 5f 5e } - $sequence_8 = { 8bf1 57 b9ff070000 33c0 8d7c2449 c644244800 6a16 } - $sequence_9 = { 0f850d010000 33db 6a16 8d4c244c 6800200000 } + $sequence_0 = { b9ff070000 33c0 8d7c2449 c644244800 6a16 } + $sequence_1 = { 85f6 750a 5e 33c0 5b 83c408 c20c00 } + $sequence_2 = { 85ed 7e0e e8???????? 88441c18 } + $sequence_3 = { 83c408 807c24480e 7406 43 83fb08 7cb6 e8???????? } + $sequence_4 = { 7406 43 83fb08 7cb6 e8???????? } + $sequence_5 = { 43 3bdd 7cf2 8b542414 6a16 8d44244c 52 } + $sequence_6 = { f3ab 66ab aa 8d44244c c644241701 50 } + $sequence_7 = { 85c0 754c 6a16 8d54241c 55 52 57 } + $sequence_8 = { 754c 6a16 8d54241c 55 } + $sequence_9 = { 5b 81c438200000 c20400 5f 5e } condition: 7 of them and filesize < 294912 
@@ -141215,36 +142237,36 @@ rule MALPEDIA_Win_Webc2_Cson_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6b87b7d-9114-5579-a68c-0816423dfdd5" - date = "2026-01-05" - modified = "2026-01-06" + id = "a3b064c1-e377-5476-b431-57d7ecf004e6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_cson_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_cson_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "6b0f4d165f53805d0d2ba6ef3f6dd5489f1ced5c22f12be382e768df751280a7" + logic_hash = "861ac16bbeea9202559a0e9282ce7e10d6c2469e48863b1302f01e593710e202" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 ff35???????? ff15???????? 33ff e9???????? } - $sequence_1 = { ff15???????? 395dfc 7463 8d8540fdffff 6800020000 50 } - $sequence_2 = { e8???????? 68???????? 56 e8???????? 8d85f0feffff } - $sequence_3 = { 3bc3 8945f8 7513 68???????? ff15???????? 59 33c0 } - $sequence_4 = { 57 68???????? 6a50 68???????? } - $sequence_5 = { 3bf3 8975f8 0f8480010000 53 68???????? b8???????? 6a03 } - $sequence_6 = { 83c420 6a01 58 eb02 33c0 5f 5e } - $sequence_7 = { 8d85ec6bfeff 50 e8???????? 59 68e8030000 } - $sequence_8 = { 7512 55 ffd6 57 ffd6 68???????? ff15???????? 
} - $sequence_9 = { 83c418 50 ff15???????? e9???????? 8d45c0 } + $sequence_0 = { e9???????? 8d45f4 53 50 8d8540ffffff 50 } + $sequence_1 = { 33c0 8dbd01fcffff f3ab 66ab 6a00 } + $sequence_2 = { 8dbded6bfeff 889dec6bfeff f3ab 66ab aa 8d45ec } + $sequence_3 = { 57 ff15???????? 8b35???????? 8be8 } + $sequence_4 = { 8d85acfeffff 6800010000 50 ff15???????? 8d85acfeffff } + $sequence_5 = { 68???????? 50 ff15???????? 8bf8 3bfb 7511 } + $sequence_6 = { 3bf3 59 7428 56 ff75fc 6a01 ff75f0 } + $sequence_7 = { 33c0 59 8dbd41ffffff 889d40ffffff 68???????? f3ab 66ab } + $sequence_8 = { 50 ff15???????? e9???????? 8d45c0 68???????? 50 ff15???????? } + $sequence_9 = { 8b35???????? 8d45f4 53 50 8d45e0 c745f410000000 50 } condition: 7 of them and filesize < 98304 
@@ -141254,36 +142276,36 @@ rule MALPEDIA_Win_Unidentified_076_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "320fec8e-f3fe-5339-a2f9-df370980c853" - date = "2026-01-05" - modified = "2026-01-06" + id = "4aac4f6a-0ad2-5a3d-8c22-f68bd89c2176" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_076_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_076_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "d906c6adbfb453b72e8affe711020332823b8e590c569caecb0bdba54a063334" + logic_hash = "c53f44d934f31243451206accc801c3ce4f30b9ff0072fe283950159f10fde1f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f95c3 488b6c2438 488b742440 488b7c2448 8bc3 488b5c2430 4883c420 } - $sequence_1 = { 85c0 7f2d 488b86c8000000 33db ff9050010000 41b8fe010000 488bce } - $sequence_2 = { 4155 4156 4881ec20010000 488b81c8000000 488bd9 488bf2 488d4c2440 } - $sequence_3 = { 498bcc ff9020070000 488b8e50020000 488b96c8000000 4963c6 4869d814030000 } - $sequence_4 = { 03d0 41ffc9 75f0 443bda 0f8524010000 44895f30 896f34 } - $sequence_5 = { 41b900008000 ba0e660000 4c89742420 ff9080050000 85c0 7522 488b87c8000000 } - $sequence_6 = { ffc1 448bf2 483bc8 0f86b2000000 
bf08000000 eb03 4803ff } - $sequence_7 = { 488b81c8000000 498bc8 ff9080000000 33c9 33d2 4c63c0 85c0 } - $sequence_8 = { 488bcb 448d4202 e8???????? 488b93c8000000 488d4df0 ff92f0070000 83a3c802000000 } - $sequence_9 = { 0fb74603 440fb6c0 c1e808 41c1e008 440bc0 41833e00 44894530 } + $sequence_0 = { 488bcb ff9040070000 488b87c8000000 4c634e04 8b8f48030000 4c8bc3 ba78000000 } + $sequence_1 = { 488bcf e8???????? 448b8c2418010000 4181f9c8000000 0f8f46ffffff 498bc4 803c03ad } + $sequence_2 = { 44897dff 48894503 4889450b 48894513 89451b 44897d1f 48894527 } + $sequence_3 = { ff15???????? ff15???????? 448bc0 b8d34d6210 41f7e8 c1fa04 8bca } + $sequence_4 = { eb02 33ff 488b5c2440 488b6c2448 488b742450 8bc7 488b7c2458 } + $sequence_5 = { 668993b0080000 66898bb2080000 8b8bf00a0000 413bcc 7509 4489a3dc020000 eb28 } + $sequence_6 = { 0f8ec2000000 3b7708 488b8708010000 448bee 440f4f6f08 33c9 41b800100000 } + $sequence_7 = { 488bcf e8???????? eb54 8d41fc 83f802 } + $sequence_8 = { 41b800100000 8bd7 33c9 ff95f8000000 41b904000000 41b800100000 8bd7 } + $sequence_9 = { 488d8fbc050000 48898424a0000000 49891f ff97e8000000 } condition: 7 of them and filesize < 114688 
@@ -141293,36 +142315,36 @@ rule MALPEDIA_Win_Bunnyloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0daa091a-7685-5a2e-b265-d5329b5c0a21" - date = "2026-01-05" - modified = "2026-01-06" + id = "d2ee09f0-5e63-52ce-b9fb-e32aba97f798" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunnyloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bunnyloader_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bunnyloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "b53a936a0dceb8c6261eaef889e6613b1973524457e163036a774308b6a54923" + logic_hash = "d5d4ce1c23955cdd730dcc3b0ecdcfd6f30d7861a4ecc26e0d316c2368b4fdf3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff742414 ba40000000 8bcf ff750c 50 e8???????? 83c40c } - $sequence_1 = { e9???????? 8b4318 8b560c 89542420 a828 745a b9???????? } - $sequence_2 = { c745dc00000000 89857cffffff 7432 50 8d4dd4 e8???????? ffb57cffffff } - $sequence_3 = { 894df4 85c9 743a 8bc8 33c0 83c101 13c0 } - $sequence_4 = { c6853fffffff00 8d95b8feffff ffb53fffffff 8d8df8fdffff c645fc2d e8???????? 83c404 } - $sequence_5 = { e8???????? 8b4df8 83c408 8b550c 6689044a 8a06 3c20 } - $sequence_6 = { 8d5e54 8bd3 894650 8bcf e8???????? 8bbd64feffff eb2d } - $sequence_7 = { e8???????? 83c408 e9???????? 
8b442420 807c241700 0f8418030000 807e5700 } - $sequence_8 = { e8???????? 8bf8 8b45e4 03fe 13d3 83c701 13d3 } - $sequence_9 = { c6464400 8a4201 884645 803a00 746e 0fb64201 33c9 } + $sequence_0 = { c68538feffff00 c645fc3e 8b5584 83fa10 722f 8b8d70ffffff 42 } + $sequence_1 = { e9???????? 83f92d 751c 8b4c2438 b880000000 03c1 23442444 } + $sequence_2 = { c745ac0f000000 c6459800 83fa10 722f 8b8d50ffffff 42 8bc1 } + $sequence_3 = { e8???????? 8bc8 83c404 894c247c 85c9 742b 8b442424 } + $sequence_4 = { 89466c 8d0c89 8b4668 c7048843000000 895c8804 89548808 c744880c01000000 } + $sequence_5 = { c744242000000000 8b442418 bb01000000 ff442410 89442428 8b4514 c744244002000000 } + $sequence_6 = { e8???????? 8bf8 8b45e4 03fe 13d3 83c701 13d3 } + $sequence_7 = { e8???????? 8b4304 8b4c240c 8b00 8b89c8010000 894c2418 8b4040 } + $sequence_8 = { eb29 85c0 7425 833800 7e20 8d7008 33db } + $sequence_9 = { e8???????? 8d8d44fbffff e8???????? 8d8d28fbffff c645fc67 e8???????? 68???????? } condition: 7 of them and filesize < 2998272 
@@ -141332,36 +142354,36 @@ rule MALPEDIA_Win_Ngioweb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c36bfdd-8dfc-5ce2-bea9-f354084a9adc" - date = "2026-01-05" - modified = "2026-01-06" + id = "c763819e-4aaa-5c9f-913e-013834fdaa69" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ngioweb_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ngioweb_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "63470bb29a6555e27026baafc523ffac609f0c101ccb6a3d82cc98debb8823c5" + logic_hash = "cedd8cfeb86d6daa6d34fd75eca77e1232d1935f581d3c8d19407cbf918366c7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bfb 763d 33c0 395d14 8d747efe 0f95c0 894508 } - $sequence_1 = { 7569 8b4510 2b45cc 6a16 6a05 50 ff750c } - $sequence_2 = { 03c0 50 56 e8???????? 57 56 8945e8 } - $sequence_3 = { 8b442404 85c0 7408 8b809c000000 eb02 33c0 c20400 } - $sequence_4 = { 50 6a10 8d4604 50 e8???????? eb46 80fa03 } - $sequence_5 = { 51 ffd0 8b5f14 68159fa331 56 e8???????? 53 } - $sequence_6 = { ff742408 e8???????? 6a00 56 e8???????? 33c0 5e } - $sequence_7 = { ff7508 e8???????? 85c0 7531 ff7508 e8???????? 
6a00 } - $sequence_8 = { 66c745f86900 66c745f67600 66c745f46700 66c745f26200 66c745f06400 668975ee 66c745ec4700 } - $sequence_9 = { 395d0c 750d 8b85d8fdffff 85c0 8945fc 7519 } + $sequence_0 = { a5 50 a5 ff5128 85c0 7c5b 8d45ec } + $sequence_1 = { 7308 0fb645b0 3bf8 7572 8b45f8 8d3407 56 } + $sequence_2 = { ff35???????? e8???????? e8???????? 8bf0 81c630750000 8b3d???????? 68012d8451 } + $sequence_3 = { 5e 8bc7 5f c20c00 ff742408 ff742408 6a10 } + $sequence_4 = { 895dfc 0f8494000000 395d0c 0f848b000000 57 6890f98572 } + $sequence_5 = { 6890f98572 68029fe66a 83c658 e8???????? 56 } + $sequence_6 = { ffd0 5f 8b45fc 5e 5b c9 c21800 } + $sequence_7 = { 750b 8b5e08 837b0c00 7513 33c0 83f803 750c } + $sequence_8 = { 6a00 57 e8???????? 5e 5d 5b 5f } + $sequence_9 = { 88851cffffff 88851dffffff 88851effffff c6851fffffffbf 888520ffffff 888521ffffff 888522ffffff } condition: 7 of them and filesize < 204800 
@@ -141371,36 +142393,36 @@ rule MALPEDIA_Win_Powerduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b1a14b33-ddbf-5df6-8a25-665602dd43b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "658a1cda-5f77-56de-9f18-f831b8e1b259" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.powerduke_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.powerduke_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "b0e443670552cebb99307ce5c81f7553239dfaab3a0b54a91654aba975b30757" + logic_hash = "d2182db867ff6a53a7d17e85e856d89d6c3d1d584f315f5e805e29753b64695e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8401030000 8945bc 6a00 6800400000 68???????? ff75bc ff15???????? } - $sequence_1 = { ebea ad 89c2 81fa68747470 0f8586010000 } - $sequence_2 = { 681b000200 6a00 68???????? 6801000080 ff15???????? 09c0 0f8597000000 } - $sequence_3 = { 7518 8d85f4f7ffff 6800040000 50 ff35???????? ff15???????? 8d85f4f7ffff } - $sequence_4 = { 6a00 ff35???????? ff15???????? c705????????00000000 837dfc01 } - $sequence_5 = { 55 ff15???????? 5a 59 } - $sequence_6 = { c745fc01000000 eb11 c745d001000000 8b451c } - $sequence_7 = { 7403 41 ebf1 c6040e00 51 } - $sequence_8 = { 7419 a3???????? 
ff7514 50 ff15???????? c705????????01000000 31c0 } - $sequence_9 = { ff75e4 ff15???????? ff75c4 ff15???????? } + $sequence_0 = { 09c0 7434 0345cc 3b4518 0f87f5010000 } + $sequence_1 = { 50 ffb5f8fbffff ff15???????? 58 c9 } + $sequence_2 = { 56 ff15???????? 09c0 742f 89c7 6a00 } + $sequence_3 = { 09c0 7518 8d85f8f3ffff 8d8dfcfbffff 51 50 } + $sequence_4 = { 55 89e5 81ec08100000 56 57 8d85f8efffff } + $sequence_5 = { 8b451c c70000000000 837d2000 740f 8b4520 8945dc c745e000000000 } + $sequence_6 = { c645e000 c745e177696e68 c745e57474702e 66c745e9646c c645eb6c } + $sequence_7 = { 56 57 8d85f8efffff 50 6819000200 6a00 68???????? } + $sequence_8 = { 8d8df8f3ffff 51 68???????? 50 ff15???????? 83c40c b9???????? } + $sequence_9 = { 8f05???????? c705????????03000000 c745f803000000 ff75dc 8f45f0 ff75e0 8f45f4 } condition: 7 of them and filesize < 57344 
@@ -141410,34 +142432,34 @@ rule MALPEDIA_Win_Bh_A006_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f37d05fc-fa47-5fd7-bb26-823ae04185f6" - date = "2026-01-05" - modified = "2026-01-06" + id = "383e4384-0d14-5032-a0a2-bfc193233fc4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bh_a006" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bh_a006_auto.yar#L1-L100" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bh_a006_auto.yar#L1-L103" license_url = "N/A" - logic_hash = "e3efc1dc1d935b6057dbf735dfbafda7bd291fd107bd55d1d22343cc85bf6fea" + logic_hash = "4b0e78271dbfb1b5e1be607c68f286ec7189504824d2a120277cb88202a74c29" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bca 2b08 03cb 8930 } - $sequence_1 = { 6683bdecdfffff00 8dbdecdfffff 7436 57 } - $sequence_2 = { 88041a 42 884517 8955f4 e9???????? 2bf0 } - $sequence_3 = { 85ff 7472 8d45fc 50 } - $sequence_4 = { 8b95e4deffff 59 83e201 c1e202 6a04 59 } - $sequence_5 = { 8985d4ddffff 8985d8ddffff 8985dcddffff 8945fc } - $sequence_6 = { 898de4deffff 3bcb 7cbb 8bb5d8deffff 33db 8b85d0deffff 56 } - $sequence_7 = { 50 68???????? 8d85b8f5ffff 50 e8???????? 
85c0 7922 } + $sequence_0 = { 7507 b857000780 eb28 33c0 57 } + $sequence_1 = { 8985dcdeffff 8d85dcdeffff 50 6a04 53 56 ff37 } + $sequence_2 = { 8bfe 83e71f c1e706 8b049dd8e04100 0fbe443804 83e001 } + $sequence_3 = { 53 6a03 ff15???????? 8bc8 85c9 0f846fffffff } + $sequence_4 = { 33f6 397510 0f84b1000000 6a5c 57 89b5c8ddffff } + $sequence_5 = { e8???????? 59 59 eb19 6a03 } + $sequence_6 = { c1ff05 83e61f c1e606 8b0cbdd8e04100 f6440e0401 743d } + $sequence_7 = { 8b4508 ff34c510cc4100 ff15???????? 5d } condition: 7 of them and filesize < 430080 @@ -141451,7 +142473,7 @@ rule MALPEDIA_Win_Unidentified_075_Auto : FILE date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_075_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_075_auto.yar#L1-L115" license_url = "N/A" logic_hash = "10617fdfd534147bc5e0f7e922724e69d45c37af66d21f98c629fa1bac685120" score = 75 
@@ -141486,36 +142508,36 @@ rule MALPEDIA_Win_No_Justice_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5b7b9773-a26f-59ba-b88a-0b2ca96e9a3c" - date = "2026-01-05" - modified = "2026-01-06" + id = "aca47e83-84a2-5108-a369-f472d0d5843a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.no_justice" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.no_justice_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.no_justice_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "8d1e9903aebd9a1a139d570c6e8c7d10c9b765f1e0f83bd5a67cde88d712e8e8" + logic_hash = "3a31a46c0abcc6bf9e50fa2b25fe13a39c2c8607e75eadf0d2c2ccf83361fbaf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7720 0fb680ac5c4000 ff2485985c4000 33c0 40 5d } - $sequence_1 = { 8a0a 884c382e 8b45bc 8b048570be4100 804c382d04 } - $sequence_2 = { 0f84e8000000 8b04952c6b4100 898588f8ffff 85c0 0f84ad000000 3bc3 0f84cb000000 } - $sequence_3 = { e8???????? c9 c3 c705????????08b14100 b001 } - $sequence_4 = { c1e002 50 8b85a8f8ffff 0fb70485946a4100 8d048590614100 50 8d8590faffff } - $sequence_5 = { 8b148d70be4100 0355b0 8a0c03 03d3 43 } - $sequence_6 = { c745e003000000 c745e4508e4100 e9???????? 83e80f } - $sequence_7 = { 57 e8???????? 59 59 e9???????? 
8b049570be4100 f644082840 } - $sequence_8 = { f7d0 a801 74a5 8b55ec 33f6 8b049570be4100 } - $sequence_9 = { 0f8414020000 eb4f 0fb602 0fbe8860b74100 41 894db4 3bcf } + $sequence_0 = { 50 e8???????? 83a670be410000 59 83c604 81fe00020000 72dd } + $sequence_1 = { 8bd7 c1fa06 8934b8 8bc7 83e03f 6bc838 8b049570be4100 } + $sequence_2 = { 833d????????00 0f84da190000 83ec08 0fae5c2404 } + $sequence_3 = { 53 56 8d1c8538c24100 8b13 } + $sequence_4 = { 3b0cc5d84e4100 7427 40 83f82d 72f1 } + $sequence_5 = { 8b45b8 0fb600 0fbe8060b74100 40 8945c8 } + $sequence_6 = { 83c414 ebe1 8b55ec 8b4de8 8b049570be4100 807c082800 7d55 } + $sequence_7 = { 6bde38 8b04bd70be4100 807c182800 7d46 8b750c } + $sequence_8 = { 8b5d08 8b048570be4100 56 57 } + $sequence_9 = { 8b55ec 8b4de8 8b049570be4100 807c082800 } condition: 7 of them and filesize < 253952 
@@ -141525,42 +142547,42 @@ rule MALPEDIA_Win_Upatre_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "040bdafc-33da-58ba-b810-486451f4b678" - date = "2026-01-05" - modified = "2026-01-06" + id = "96b27277-69b4-5ef7-88e6-53287fcc07fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.upatre_auto.yar#L1-L173" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.upatre_auto.yar#L1-L175" license_url = "N/A" - logic_hash = "3a267d65c074b009b5eb1fad7789aa126fe3aa82fa66dade27c6fa55c83ed7ca" + logic_hash = "da7ee5c935fa14fecc7f9d31706ae6171146a0cd72cc19d53b0fb2579e8acdae" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { b02f 66ab 8b45a8 ff5504 33c9 8ac8 ff5508 } - $sequence_1 = { b400 66ab b02f 66ab ff7590 33c0 } - $sequence_2 = { 81c60e010000 ac 3c01 740c b053 66ab } - $sequence_3 = { 6a00 8d4dc0 51 ff75e0 ff75bc ff75ec } - $sequence_4 = { 58 6a00 8d4de0 51 50 } - $sequence_5 = { 33c0 b404 57 03f8 8bf7 } - $sequence_6 = { b404 895d98 8bfb 03d8 b91c010000 } - $sequence_7 = { 33c0 66ab bbff0f0000 8b75f0 56 53 } - $sequence_8 = { 68d770a437 8b4dd4 51 e8???????? 8945e8 } - $sequence_9 = { 83c404 0fb7c0 3b4510 7411 8b4de0 51 } - $sequence_10 = { 83c410 eb58 8b4df4 8b510c 52 e8???????? 
} - $sequence_11 = { 1f c011a0 6b20bd 80978041a0e3b2 34c0 8fc0 81205b606d00 } - $sequence_12 = { 83c108 894dfc 8b55fc 8b02 50 e8???????? } - $sequence_13 = { 0fb745f8 0fb74df4 99 f7f9 } - $sequence_14 = { 0f8416010000 8b55f4 8b420c 50 e8???????? } - $sequence_15 = { 7529 8b4df4 8b5110 81c200100000 8955f0 8d45f0 } + $sequence_0 = { 33c0 aa b404 895d98 8bfb 03d8 } + $sequence_1 = { 8945d0 03c1 8945fc 8bd8 03c1 8bf8 } + $sequence_2 = { 8b7df4 33c0 b02f 66ab 8b45a8 } + $sequence_3 = { ebf5 8b7594 33c9 66ad 6685c0 7404 66ab } + $sequence_4 = { ad 0430 66ab 81c60e010000 ac 3c01 740c } + $sequence_5 = { 66ab b02f 66ab 8bc1 0430 } + $sequence_6 = { e9???????? 8d4590 50 6a40 } + $sequence_7 = { 897d9c b988130000 51 56 } + $sequence_8 = { 3bd0 7508 8b4dd4 894df4 eb0e } + $sequence_9 = { 741b e0d6 b454 d2ea 54 b2f2 37 } + $sequence_10 = { 894dfc c645bc6a c645bd09 c645c46a c645c501 c645c3e8 c645cfc3 } + $sequence_11 = { eb2b 8b55f4 8b420c 50 e8???????? 83c404 0fb7c8 } + $sequence_12 = { 83c404 0fb7c0 83f805 7514 8b4df8 } + $sequence_13 = { e8???????? 8b55d0 52 e8???????? e9???????? 8b4514 8b4de8 } + $sequence_14 = { 668b4508 668945ec 0fb74dec 81f9007d0000 } + $sequence_15 = { 8b510c 52 e8???????? 83c404 0fb7c0 83f803 7534 } condition: 7 of them and filesize < 294912 
@@ -141570,36 +142592,36 @@ rule MALPEDIA_Win_Greetingghoul_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ab352bb6-0e90-5ea4-81b4-0f0ddff67e2f" - date = "2026-01-05" - modified = "2026-01-06" + id = "6c14af68-da6d-5b24-80f0-48ba293ab79e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.greetingghoul" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.greetingghoul_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.greetingghoul_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "05f8eb95e67f4d995ab80e8300d436e31d93b18d0182fa8edc0fa057e1e63b5a" + logic_hash = "a220e01958d87b5b4883dc4814107cea0d517f5f46c560bd7a2ca6b3d563b9c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945f4 33c9 894df8 380f 7409 } - $sequence_1 = { 57 660fd603 33ff c6430800 c70600000000 } - $sequence_2 = { ff15???????? 85c0 7e06 03f0 2bf8 75ea } - $sequence_3 = { 750c 6a21 e8???????? 83c404 eb0d 8d4721 } - $sequence_4 = { c3 0fbec8 0fbec3 8b5dfc 2bc8 74e1 } - $sequence_5 = { 75eb 8b5dfc 83c8ff 3b5df8 5f 0f44d8 5e } - $sequence_6 = { 7e06 03d8 2bf0 75ea } - $sequence_7 = { 33f6 8a17 80fa20 740a } - $sequence_8 = { e8???????? 
83c404 eb10 8d4701 03c3 50 } - $sequence_9 = { 5d c3 5f c7462800000000 8bc3 5e 5b } + $sequence_0 = { 8d7f01 8a08 886dff 3acd 750c 40 } + $sequence_1 = { 7409 8b7df8 4e 43 85f6 } + $sequence_2 = { 891e 85db 746f 8b7508 } + $sequence_3 = { 41 84c0 7405 83ea01 75eb 8b5dfc } + $sequence_4 = { 8d1438 6a20 8903 e8???????? 83c404 85c0 } + $sequence_5 = { 6a01 e8???????? 83c404 85c0 7e02 } + $sequence_6 = { 8b7508 0f57c0 57 660fd603 33ff c6430800 c70600000000 } + $sequence_7 = { 3bcb 7d24 83c8ff 33d2 f7f3 } + $sequence_8 = { 8d4801 51 e8???????? 8b0b 83c404 } + $sequence_9 = { 8bd0 8bcf 85c0 7442 85ff 743e 0f1f4000 } condition: 7 of them and filesize < 696320 
@@ -141609,36 +142631,36 @@ rule MALPEDIA_Win_Tmanger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "790b1a6e-9331-5562-a8a4-895a06f4f290" - date = "2026-01-05" - modified = "2026-01-06" + id = "4eacf4e2-1b3a-5e6c-a0ba-cb78c4b08ef2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tmanger_auto.yar#L1-L110" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tmanger_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "747dcecd7ac42c73ae2cafbcc412928abf59ab04c5fc33f549cfda9aa11d6334" + logic_hash = "976824bd29789f529b79cbf7d3210cc4c5e0a37748a7931c3f4279273ea11987" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c74161d47bdb0f c741651f013f62 c74169388b8e92 c7416d9b14f6a0 } - $sequence_1 = { c7416d9b14f6a0 c7417180fcd6bb c74175d7401d36 c7417958fffa19 } - $sequence_2 = { c7412425d933d1 c7412861fdc72a c7412cdf9134d2 c74130324d251d } - $sequence_3 = { c7415d382cd7bd c74161d47bdb0f c741651f013f62 c74169388b8e92 } - $sequence_4 = { c741651f013f62 c74169388b8e92 c7416d9b14f6a0 c7417180fcd6bb c74175d7401d36 } - $sequence_5 = { c741594d68b93a c7415d382cd7bd c74161d47bdb0f c741651f013f62 c74169388b8e92 c7416d9b14f6a0 c7417180fcd6bb } - $sequence_6 = { c74145aed72316 c74149ff663a9d c7414dd22a7e91 
c741510f9f2997 c7415565449eac } - $sequence_7 = { c741510f9f2997 c7415565449eac c741594d68b93a c7415d382cd7bd } - $sequence_8 = { c7410c16d9fdf8 c741103a71c135 c74114c2a02ab0 c74118d95dc845 } - $sequence_9 = { c7412861fdc72a c7412cdf9134d2 c74130324d251d c74134375ec19d c7413893c82e55 } + $sequence_0 = { c7415565449eac c741594d68b93a c7415d382cd7bd c74161d47bdb0f } + $sequence_1 = { c74118d95dc845 c7411cf8f0564e c7412066b8276e c7412425d933d1 c7412861fdc72a } + $sequence_2 = { c741594d68b93a c7415d382cd7bd c74161d47bdb0f c741651f013f62 c74169388b8e92 } + $sequence_3 = { c7412066b8276e c7412425d933d1 c7412861fdc72a c7412cdf9134d2 c74130324d251d } + $sequence_4 = { c74169388b8e92 c7416d9b14f6a0 c7417180fcd6bb c74175d7401d36 c7417958fffa19 66c7417dfc19 } + $sequence_5 = { c741103a71c135 c74114c2a02ab0 c74118d95dc845 c7411cf8f0564e c7412066b8276e c7412425d933d1 } + $sequence_6 = { c7411cf8f0564e c7412066b8276e c7412425d933d1 c7412861fdc72a c7412cdf9134d2 c74130324d251d c74134375ec19d } + $sequence_7 = { c74149ff663a9d c7414dd22a7e91 c741510f9f2997 c7415565449eac c741594d68b93a c7415d382cd7bd } + $sequence_8 = { c741594d68b93a c7415d382cd7bd c74161d47bdb0f c741651f013f62 c74169388b8e92 c7416d9b14f6a0 } + $sequence_9 = { c741510f9f2997 c7415565449eac c741594d68b93a c7415d382cd7bd } condition: 7 of them and filesize < 8252416 
@@ -141648,36 +142670,36 @@ rule MALPEDIA_Win_Snifula_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "afa48786-d5fc-5366-8008-6b70f692e7c3" - date = "2026-01-05" - modified = "2026-01-06" + id = "a4b2ce53-5ea1-5e0e-9fea-02a78338e8a2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.snifula_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snifula_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "7c279f7057df8c5886f1d459f9399bd6a55001fc2186a62b783d87332b8a3375" + logic_hash = "7d31e41108e2ab7d945ef9825e8762a685b43c2aec97e795026a5cc2e8876fc6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 33f6 8d936c0e0000 6a05 58 50 56 } - $sequence_1 = { 57 8d4c2420 e8???????? 8bd8 3bdd 7524 57 } - $sequence_2 = { 40 8907 8d442414 50 56 56 8d7904 } - $sequence_3 = { 7436 8b4728 a820 7416 ff7710 8b4708 } - $sequence_4 = { 8345ec04 3b45e8 7295 eb1b 8b4df8 8b45f4 8b0488 } - $sequence_5 = { bf???????? 57 53 ff15???????? 8bf0 85f6 7414 } - $sequence_6 = { 7602 8bf0 8b4d10 6a00 56 ff7508 e8???????? } - $sequence_7 = { 8bf8 ff35???????? 8b35???????? ffd6 53 89442414 } - $sequence_8 = { 6a04 8d45fc 50 6a04 56 68???????? 
ff7508 } - $sequence_9 = { 5e 5b c9 c20400 8d4804 ba1e010000 56 } + $sequence_0 = { 8933 c745fc01000000 5e 8b45fc c9 c20c00 55 } + $sequence_1 = { e8???????? 8d83b80f0000 50 e8???????? 8b03 f70000000040 752b } + $sequence_2 = { 0f8451ffffff 55 6a01 57 33f6 e8???????? 57 } + $sequence_3 = { 830d????????ff 6a00 57 ffd6 a1???????? 69c0e8030000 50 } + $sequence_4 = { 0f8439010000 6a04 33c0 55 896c2428 8d7c242c ab } + $sequence_5 = { ba???????? 8bc6 e8???????? 85c0 7504 6a05 eb18 } + $sequence_6 = { e8???????? 85c0 7420 ff7508 53 ff35???????? ff15???????? } + $sequence_7 = { ff15???????? 3bc3 0f84ce010000 8d4dfc 51 6a30 8d4da8 } + $sequence_8 = { a3???????? 83f805 7304 6a05 eb07 83f878 7608 } + $sequence_9 = { 53 89460c a1???????? 56 894610 a1???????? 68???????? } condition: 7 of them and filesize < 188416 
@@ -141687,36 +142709,36 @@ rule MALPEDIA_Win_Jripbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6dca0814-ee58-53a7-824c-c626a6b40b02" - date = "2026-01-05" - modified = "2026-01-06" + id = "d5bbc6d4-8365-5970-8994-ff394b22a6db" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jripbot_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jripbot_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "177d4eed69a2789f1363a5a38a7b17a6a4de0acf1062d48112f06f3ff8f9a1ab" + logic_hash = "ed82cada71af918d82ab4465db2c4c4302d752a6f6ec1141497a67d5f8051dc5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 52 51 50 0fbf45ee 50 be???????? e8???????? } - $sequence_1 = { 50 ff15???????? eb61 ff742434 8d842464010000 ff742414 e8???????? } - $sequence_2 = { 7436 830804 f6c302 742e 56 ff15???????? 50 } - $sequence_3 = { 8d85a8fcffff 8d5001 8a08 40 3acb 75f9 2bc2 } - $sequence_4 = { 50 8d442418 50 894c2420 ff15???????? 83c40c 85c0 } - $sequence_5 = { 6a30 ff750c 8d75fc 8bcf e8???????? 
83c408 } - $sequence_6 = { 8b8de0fdffff 8bc3 668b10 663b11 751e 663bd7 7415 } - $sequence_7 = { 33fb 037dfc 8b5ddc 235df4 0bf3 03f7 8b7d88 } - $sequence_8 = { 8bf8 83c40c 85ff 0f85da000000 ff742410 8d442448 e8???????? } - $sequence_9 = { 8d443718 50 e8???????? 83c40c 8d4618 8bce e8???????? } + $sequence_0 = { ff15???????? 50 ff15???????? 89442410 85c0 7511 56 } + $sequence_1 = { ff7368 e8???????? 8b436c 83c424 83c010 e8???????? } + $sequence_2 = { 895c2424 85db 7527 03ff 8b442418 7407 c60000 } + $sequence_3 = { 2bc2 d1f8 51 89442460 e8???????? 59 89442430 } + $sequence_4 = { 33c0 e8???????? 8b3d???????? 83c410 33db 85c0 7465 } + $sequence_5 = { e8???????? 50 be???????? e8???????? 50 8d44242c 50 } + $sequence_6 = { ff7508 8945e4 ffd7 33f6 895de0 395d10 725e } + $sequence_7 = { 75e3 eb06 33d2 85d2 7505 6ad2 58 } + $sequence_8 = { 7418 8bc6 8d7802 668b10 83c002 663bd3 75f5 } + $sequence_9 = { 837c240c00 7477 57 ff15???????? a1???????? 8935???????? 85c0 } condition: 7 of them and filesize < 507904 
@@ -141726,36 +142748,36 @@ rule MALPEDIA_Win_Voidoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "21b775d6-fc03-5dd6-a228-147ffaddc7f0" - date = "2026-01-05" - modified = "2026-01-06" + id = "aba8a76a-42a2-5ac4-9441-bb1b2a2bc429" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.voidoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.voidoor_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.voidoor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3d15a11c9349ebbd78b8b5ac32c650a51c9ca8251bf91feba17b7b25a2692cb6" + logic_hash = "7b72e80b0081ca865f1c4112c1672273998fb9973e7c23910bfeb94d886f20ca" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 740d 83cb40 eb66 81cb80000000 eb5e 83cb20 eb59 } - $sequence_1 = { 83c404 837c241000 7509 55 e8???????? 83c404 5b } - $sequence_2 = { c786a805000002000000 5e c3 83f901 74bf 68???????? 50 } - $sequence_3 = { c7461807000000 eb36 803f0a 756d 47 83c3ff c7461807000000 } - $sequence_4 = { 0f8498000000 83f801 0f848f000000 83f8ff 0f8486000000 f6470c82 7551 } - $sequence_5 = { e8???????? 83c404 85c0 0f8547010000 817e782c010000 0f8cdc000000 39850c030000 } - $sequence_6 = { ff33 ffd6 ff7304 ffd6 8b4c243c 5f 5e } - $sequence_7 = { e9???????? 8d8de8fdffff e9???????? 8d8d48feffff e9???????? 
8b8d78fcffff e9???????? } - $sequence_8 = { c78424e005000001010101 c78424e405000001010101 66c78424e80500000100 33c9 8bff 8a848c08050000 3422 } - $sequence_9 = { e9???????? 57 33ff 8bcf 894de4 8bc7 3998f8f14b00 } + $sequence_0 = { c784246803000001010101 c784246c03000001010101 c784247003000001010101 c784247403000001010101 c784247803000001010101 c784247c03000001010101 c784248003000001010101 } + $sequence_1 = { c78580feffff45000000 c78584feffff45000000 c78588feffff45000000 c7459831313131 c7459c31313131 c745a031313131 c745a431313131 } + $sequence_2 = { e8???????? 83c42c 85c0 75a2 56 ff15???????? 57 } + $sequence_3 = { c6450c00 720b ff7524 e8???????? 83c404 8ac3 8b4df4 } + $sequence_4 = { 660fd64008 e8???????? 83c420 52 50 68???????? 57 } + $sequence_5 = { c785c4feffff31313131 c785c8feffff31313131 c785ccfeffff31313131 c785d0feffff31313100 e8???????? 83c404 8bc1 } + $sequence_6 = { c645fc0f e8???????? 83c404 c645fc11 83bd1ceeffff10 720e ffb508eeffff } + $sequence_7 = { ffb42410050000 8d8424a8020000 55 68???????? 6858020000 50 83c305 } + $sequence_8 = { b815000000 0f44f0 ff742418 ff15???????? ff742424 ff15???????? 83c408 } + $sequence_9 = { 33c0 e9???????? c7872811000001000000 8b464c 85c0 7411 50 } condition: 7 of them and filesize < 1744896 
@@ -141765,36 +142787,36 @@ rule MALPEDIA_Win_Unidentified_041_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9647b3bf-4e79-5038-aba8-fe9b062b7eaf" - date = "2026-01-05" - modified = "2026-01-06" + id = "c94896cf-dff1-58d2-9557-85d145802d83" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_041_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_041_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ad11b25191c5069b1a65640fe7bbe0cd58f54821b3d55fbf4025b9ccae632082" + logic_hash = "c911ec4ebf90b9860f0b3869734b22d8292c9282da202086c19a7064e6360107" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8913 8b4dfc 8bc3 5f 5e 33cd 5b } - $sequence_1 = { 668945be 59 668b440dbc 6603440ddc 6689440dbe 83c102 83f91e } - $sequence_2 = { ff7508 57 53 ff15???????? 83f8ff 74c4 eb03 } - $sequence_3 = { 5d c20800 8325????????00 c3 55 8bec 8b4508 } - $sequence_4 = { 85ff 7428 3bf9 741c 8b75f8 8bd9 6a00 } - $sequence_5 = { 8d4dc4 c645fc00 e8???????? 8b4dec 6a18 58 03c8 } - $sequence_6 = { ff7508 68???????? 6a40 50 e8???????? 83c414 8d8578ffffff } - $sequence_7 = { 57 33db 53 ff15???????? 85c0 7552 ff15???????? 
} - $sequence_8 = { 72ee 81fbffffff7f 76e6 57 53 8d4dc0 e8???????? } - $sequence_9 = { 5d c20400 6a1c b8???????? e8???????? 8bf1 33db } + $sequence_0 = { 50 53 e8???????? 83c430 33f6 eb24 837c245408 } + $sequence_1 = { 837c245410 720c ff742440 e8???????? 83c404 8b4c2438 83c8ff } + $sequence_2 = { e8???????? 59 ff742410 8bd0 c68424e48300000c 8d4c2458 e8???????? } + $sequence_3 = { 895dcc e8???????? 83f8ff b9???????? be???????? 0f45f1 56 } + $sequence_4 = { 884daf eb03 8a4daf 8b7618 8975a4 85f6 75b4 } + $sequence_5 = { e8???????? 8d4c2444 83c418 6a00 6a01 e8???????? 8b4c2448 } + $sequence_6 = { eb0a c70600000000 c6460401 8b5d9c 85db 0f859f000000 8b5da0 } + $sequence_7 = { 895dfc 391cfd28f64700 7518 53 68a00f0000 56 e8???????? } + $sequence_8 = { c645fc08 837a1408 7202 8b12 8b856cffffff 8b0d???????? ff707c } + $sequence_9 = { 8b4754 8d4f04 ff7768 89474c 8907 e8???????? ff7768 } condition: 7 of them and filesize < 1097728 
@@ -141804,36 +142826,36 @@ rule MALPEDIA_Win_Magala_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d1b8c98-54ed-55c3-acdc-c42ca1617fa1" - date = "2026-01-05" - modified = "2026-01-06" + id = "36529db5-9dd6-59f4-b278-62b271dedc5c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.magala_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.magala_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "3f293fe262d0ce646006496753cf31d4b0409f545d9ecd746ba425bd758b2984" + logic_hash = "682f0a36108582151ac6d68c5838e48c5cfa62449984faabe748abfa61c11208" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 57 8d0451 e9???????? 8b4614 3bf7 746d } - $sequence_1 = { c745ec07000000 668945d8 e8???????? 837dec08 8d4dc4 6a04 51 } - $sequence_2 = { 50 8d8dd0fdffff e8???????? 6a1f 68???????? } - $sequence_3 = { 8da5f4feffff 8b4df4 64890d00000000 59 5f } - $sequence_4 = { 83bd8cfdffff00 7435 51 8d8d94fdffff e8???????? } - $sequence_5 = { e8???????? 83c404 ffd6 2bc7 3de0930400 76cf 68???????? } - $sequence_6 = { 56 8bf1 8b4e10 3bca 0f8214020000 8b450c 53 } - $sequence_7 = { c745c000000000 8b08 50 ff5108 8b45b8 8d55c0 } - $sequence_8 = { 6a00 8bcf e8???????? 
8b4db4 85c9 7444 ff75b0 } - $sequence_9 = { 85db 744e 8bcb 8d5101 6690 8a01 } + $sequence_0 = { a1???????? 894108 a1???????? 89410c 33c0 8d8d9cfdffff c745cc00000000 } + $sequence_1 = { 51 e8???????? 83c404 6a11 33c0 c745e800000000 68???????? } + $sequence_2 = { 0f84ab000000 0f1f440000 6808020000 8d85f4fdffff 6a00 50 e8???????? } + $sequence_3 = { 8b4e08 e8???????? 50 68???????? } + $sequence_4 = { 6a00 8d45d4 50 ffd6 85c0 75e2 6aff } + $sequence_5 = { 397d9c 0f84ca000000 c645fc07 8b45c4 85c0 7406 8b08 } + $sequence_6 = { 8b4d0c 85c9 0f8409010000 56 33f6 } + $sequence_7 = { e8???????? 6a07 6a1a 8d85ccfbffff 50 8d8d9cfbffff e8???????? } + $sequence_8 = { c645fc03 50 8d4db0 e8???????? 8d4dd4 c645fc02 } + $sequence_9 = { 7906 c70700000000 85f6 7406 8b06 } condition: 7 of them and filesize < 589824 
@@ -141843,94 +142865,134 @@ rule MALPEDIA_Win_Rikamanu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6aa1bb34-6dad-5a44-a7b0-10e6f22d5ad7" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa68f79b-ff53-513e-a7cc-3d1689f3ed1d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rikamanu_auto.yar#L1-L301" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rikamanu_auto.yar#L1-L301" license_url = "N/A" - logic_hash = "bec31db5b7da98c4f1592bb94bd04c2338666fc78eaa33ae09c8491dda001ca5" + logic_hash = "bfd5ac9a751697f93978ed736ffc8cd489b9d0cd0c6135d299b074b527866109" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 6a14 ff15???????? a801 } - $sequence_1 = { 50 ff15???????? 8b35???????? 3d80969800 } - $sequence_2 = { 40 3acb 75f9 57 8dbdf4fdffff 2bc2 4f } - $sequence_3 = { 8d4c2414 51 56 ff15???????? 8b542414 52 } - $sequence_4 = { 0fb6da f68321ae400004 740c ff01 85f6 } - $sequence_5 = { 33c0 890d???????? bf???????? 890d???????? 890d???????? 890d???????? } - $sequence_6 = { 7423 83c604 803e00 7587 53 57 ff15???????? 
} - $sequence_7 = { 58 668986b8000000 668986be010000 c74668b02f4100 83a6b803000000 6a0d } - $sequence_8 = { 83d8ff 85c0 0f841f020000 83c9ff } - $sequence_9 = { e8???????? 59 3bc3 7511 391d???????? 7509 ff750c } - $sequence_10 = { 59 8b7508 8d34f570902400 391e 7404 8bc7 eb6d } - $sequence_11 = { 33c5 8945fc 8b0d???????? 53 6804010000 33db 8d85f8feffff } - $sequence_12 = { 888800962400 40 ebe9 33c0 8945e4 3d00010000 7d10 } - $sequence_13 = { 8b842470020000 03f8 57 56 ff15???????? 5f 5e } - $sequence_14 = { ff15???????? 8b8df0fdffff 8b35???????? 51 ffd6 8b95e8fdffff 52 } - $sequence_15 = { ff35???????? ff15???????? c3 ff35???????? ff742408 } - $sequence_16 = { f3a5 8bca 83e103 f3a4 8dbc243c020000 83c9ff f2ae } - $sequence_17 = { 7229 f3a5 ff2495d85a4000 8bc7 ba03000000 83e904 720c } - $sequence_18 = { ffd6 85c0 74c2 8b85ccfdffff 6aff } - $sequence_19 = { f3a5 8bca 6880000000 83e103 6a04 f3a4 } - $sequence_20 = { 52 ff15???????? 8b8c2470020000 8bf8 8d442414 } - $sequence_21 = { 53 56 6a01 68???????? e8???????? 6a01 } - $sequence_22 = { e8???????? 68ff000000 8d85e9f9ffff 889de8f9ffff 53 50 e8???????? } - $sequence_23 = { 50 a3???????? e8???????? 8db67c774000 bf???????? a5 a5 } - $sequence_24 = { c1f905 83e21f 8b0c8de0b84000 f644d10401 7425 50 e8???????? } - $sequence_25 = { 83c9ff 33c0 8b1d???????? f2ae f7d1 6a00 } - $sequence_26 = { 55 6803000010 57 ffd6 3b442410 0f8584040000 b940000000 } - $sequence_27 = { ff7510 50 ff7508 ff15???????? 5e 5d c21000 } - $sequence_28 = { 56 57 8b7d0c 85db 0f84b2000000 85ff 0f84aa000000 } + $sequence_0 = { 50 ff15???????? 8b35???????? 3d80969800 } + $sequence_1 = { e8???????? 6a14 ff15???????? a801 } + $sequence_2 = { 8d942440060000 51 52 e8???????? 83c408 85c0 7524 } + $sequence_3 = { 6a00 6a00 55 ffd7 bf???????? 83c9ff } + $sequence_4 = { ff35???????? ffd7 56 e8???????? 59 5e } + $sequence_5 = { 8d942434020000 83e103 53 f3a4 } + $sequence_6 = { 8d4c2410 68???????? 51 c744241810724000 e8???????? } + $sequence_7 = { 56 57 33f6 bf???????? 
833cf57490240001 } + $sequence_8 = { f3a5 8bca 83e103 f3a4 6a14 } + $sequence_9 = { 8365fc00 8b049d383f4100 f644380401 740b 56 e8???????? 59 } + $sequence_10 = { 50 6830040000 53 53 53 8d8df4fdffff 51 } + $sequence_11 = { 52 891d???????? c705????????01000000 ffd6 8b4dfc 5e } + $sequence_12 = { 7219 83f85a 7714 8088????????10 8ac8 80c120 8888a0a64000 } + $sequence_13 = { 6880000000 83e103 6a04 f3a4 } + $sequence_14 = { 0f841f020000 83c9ff bf???????? 33c0 68???????? f2ae f7d1 } + $sequence_15 = { 33c0 c3 8bc8 83e01f c1f905 8b0c8de0b84000 8a44c104 } + $sequence_16 = { e8???????? 59 8bcf 83e71f c1f905 c1e706 8b0c8d383f4100 } + $sequence_17 = { 0f94c1 5e 890d???????? 5b c3 663d1100 7525 } + $sequence_18 = { 53 50 e8???????? 68ff000000 8d85e9f9ffff } + $sequence_19 = { 57 8dbdf4fdffff 2bc2 4f 8a4f01 47 } + $sequence_20 = { 52 8b15???????? 50 51 81e2ffff0000 52 68???????? } + $sequence_21 = { 33c5 8945fc 53 56 6a01 68???????? } + $sequence_22 = { 8d85ecfbffff 68???????? 50 e8???????? 83c410 8d85ecfbffff } + $sequence_23 = { 2bf9 8bf7 8bd1 83c9ff bf???????? } + $sequence_24 = { a801 740a c705????????01000000 8b442414 8b4c2410 50 } + $sequence_25 = { 837d0001 0f85f5030000 ff15???????? 8be8 8d842430010000 } + $sequence_26 = { 898518e5ffff 8b8528e5ffff 8b0485383f4100 89853ce5ffff 397c0138 741c } + $sequence_27 = { c705????????04000000 ffd6 e8???????? 8b15???????? 68???????? 52 891d???????? } + $sequence_28 = { 8b85ccfdffff 6aff 50 ff15???????? 8b8df0fdffff 8b35???????? 51 } + $sequence_29 = { 888808972400 40 ebe6 ff35???????? ff15???????? 
85c0 } condition: 7 of them and filesize < 212992 } +rule MALPEDIA_Win_Grayrabbit_Auto : FILE +{ + meta: + description = "autogenerated rule brought to you by yara-signator" + author = "Felix Bilstein - yara-signator at cocacoding dot com" + id = "c2e89e99-c0d9-58d5-9bab-e74711bfc790" + date = "2026-05-04" + modified = "2026-05-18" + reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grayrabbit" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grayrabbit_auto.yar#L1-L133" + license_url = "N/A" + logic_hash = "9c848249c3b6d7997b173a7fd3849fe0c26d1418b07ba90a3cb40bb13bdfa50f" + score = 75 + quality = 75 + tags = "FILE" + version = "1" + tool = "yara-signator v0.6.0" + signator_config = "callsandjumps;datarefs;binvalue" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { ff30 e8???????? 8b4708 8b771c 660f6ec0 f30fe6c0 c1e81f } + $sequence_1 = { c7410400000000 e8???????? 8d87e0000000 8d8be0000000 3bc8 7411 8b10 } + $sequence_2 = { 6a01 68???????? 8d3408 56 51 e8???????? } + $sequence_3 = { 83e03f c1fa06 57 6bf838 8955fc 8b0495f8630510 8945f8 } + $sequence_4 = { 243f 0c80 80c980 884df2 b903000000 8845f1 eb52 } + $sequence_5 = { 8bf9 837f4c00 7427 56 e8???????? 8bcf e8???????? 
} + $sequence_6 = { 53 8bd9 56 57 817b0824499204 0f849c010000 8d4304 } + $sequence_7 = { 894dcc c745d000000000 c645d400 8955d8 8a4608 c0e803 2401 } + $sequence_8 = { f7d0 c1e805 8d048504000000 2bd8 eb0c 03d3 8bf2 } + $sequence_9 = { 85c0 0f84ae010000 83f802 0f8466020000 f7464000080000 0f8411010000 8a07 } + + condition: + 7 of them and filesize < 744448 +} rule MALPEDIA_Win_Cycbot_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aad0afc1-3e31-5a15-bed5-ae0a7936ed7d" - date = "2026-01-05" - modified = "2026-01-06" + id = "fa04896a-3166-5fe4-a6d5-dcaeaa662dc7" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cycbot_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cycbot_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "653a5c288b88440ecab3bfd86c4c4b0d9e0fe555f9cf936dfb136b22da063d90" + logic_hash = "23fb15c77ba00892df9991b6749b20d3b9f3215c21d5ff20efa2a5f792d371c4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c705????????480f4200 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 } - $sequence_1 = { 895dfc 51 8d4db8 8945cc 895dc8 885db8 e8???????? } - $sequence_2 = { 741a ff7590 ff15???????? 85c0 750d ff7590 e8???????? 
} - $sequence_3 = { c68424c805000001 e8???????? 53 6a01 8d4c2474 8bf0 } - $sequence_4 = { e8???????? 83c418 6a00 8d842488000000 50 8d8c2494010000 51 } - $sequence_5 = { 48 7514 8d8550ffffff eb08 8d45c8 eb03 8d45a0 } - $sequence_6 = { 59 898580deffff 3bc7 7433 83bd9cdeffff10 8b8588deffff 7306 } - $sequence_7 = { 50 ff5110 8985b4fbffff 3bc7 0f857e010000 8b85a8fbffff 8b08 } - $sequence_8 = { 50 8d4c2430 e8???????? 8bf0 59 3bf3 752f } - $sequence_9 = { 33c0 66898580fbffff 6a04 5b 899dbcfbffff c785c0fbffff02000000 899dc4fbffff } + $sequence_0 = { 59 59 85c0 7430 ffb730f8ffff ff15???????? } + $sequence_1 = { 81bd7cf5ffff90010000 742a ffb57cf5ffff 8d8584f5ffff ffb56cf5ffff 68???????? 68???????? } + $sequence_2 = { 8d4df4 c7450800000000 e8???????? 68???????? 8d4df4 51 c745f4e0634300 } + $sequence_3 = { 0f8519020000 39842414010000 0f850c020000 39442420 0f8402020000 8d842420010000 50 } + $sequence_4 = { 83c40c 33c9 c705????????f0874800 c705????????e8864800 c705????????e0854800 e8???????? 50 } + $sequence_5 = { 8d9568ffffff 52 50 53 ff511c 8bf0 33ff } + $sequence_6 = { 8908 895804 eb02 33c0 6a08 8945fc e8???????? } + $sequence_7 = { a5 66a5 a4 8b5d0c 8b4508 be???????? 8d7d94 } + $sequence_8 = { 8d8518ffffff 50 8d85f0feffff 50 8d8528ffffff 50 8d8508ffffff } + $sequence_9 = { 53 e8???????? 59 e8???????? cc 6a4c } condition: 7 of them and filesize < 1163264 
@@ -141940,36 +143002,36 @@ rule MALPEDIA_Win_Buterat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0069324a-e70e-54da-b752-be0a297a08d5" - date = "2026-01-05" - modified = "2026-01-06" + id = "50d92a3f-78d1-58e1-8ee4-7ac7cabb0190" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.buterat_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.buterat_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "2a55e665ba3ad4c5f4e76ca6aa40a42d86bc8aa495194478ad6bc52271aa15de" + logic_hash = "f18323dbd62ec255a3bc886f59587abbdccfc69605ccff661141521c212ccc12" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7644 8b9ea05b4100 8d8e645a4100 8b11 395508 7305 895508 } - $sequence_1 = { 7e27 8b04b5e8034100 66833800 7508 8bc3 eb0d 33c0 } - $sequence_2 = { 85f6 7508 81ffb7000000 7514 8d8590f5ffff 50 be???????? } - $sequence_3 = { ff15???????? 85c0 8b4d14 8901 7505 2145fc } - $sequence_4 = { 85c0 0f849c010000 8d4dfc 51 53 68???????? e8???????? } - $sequence_5 = { 50 e8???????? 83c414 85c0 744e 68???????? 53 } - $sequence_6 = { 397df4 7477 813d????????60010000 7e6b 393d???????? 7463 bb00100000 } - $sequence_7 = { 8945fc 53 6800000080 53 53 ff7508 ff35???????? 
} - $sequence_8 = { 50 53 ffd7 b9???????? 8d8500f8ffff e8???????? 6a01 } - $sequence_9 = { c3 55 8bec b840180000 e8???????? ff15???????? 66833d????????00 } + $sequence_0 = { 59 50 8d85fcf7ffff 50 57 ff15???????? } + $sequence_1 = { 8b4e04 894c2418 51 752c 8b9700ec4100 e8???????? 8b9700ec4100 } + $sequence_2 = { 1bc0 2500000100 0bf0 837df400 740b ff75f4 e8???????? } + $sequence_3 = { 56 57 6a02 56 56 68000000c0 } + $sequence_4 = { 0bf0 8b45e8 85c0 7407 } + $sequence_5 = { 39742408 8944240c 741c 8d4c2410 } + $sequence_6 = { 7520 e8???????? 8b3c9d68f24100 2bf9 99 f7ff 42 } + $sequence_7 = { 83ff04 7530 837df001 7e2a ff75f4 8d45f8 } + $sequence_8 = { 744c 7e45 8d8df4efffff 8d4601 51 bb???????? } + $sequence_9 = { 895dfc e8???????? 8d85b8fdffff 50 ba???????? } condition: 7 of them and filesize < 278528 
@@ -141979,36 +143041,36 @@ rule MALPEDIA_Win_Icefog_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5a2327d1-90cc-5721-943f-064b1c43e2e0" - date = "2026-01-05" - modified = "2026-01-06" + id = "cc8b0f3d-9717-5105-9e3b-41e4fe196b62" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.icefog_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.icefog_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ccfebce12d112e2d237d6de3048b8cc676f213fd05f617884709a0f4f9ea859a" + logic_hash = "1c16c101c934ef1a46234c587ad6e92790423a1b58f34a77b73cadff69a575c9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895de0 c745e400ff0000 e9???????? 8b5e04 c1e310 895de0 c745e40000ff00 } - $sequence_1 = { e8???????? 8b759c 53 c60300 e8???????? 8b45b4 83c404 } - $sequence_2 = { 8b4d0c 50 51 e8???????? 83c408 8bf0 5e } - $sequence_3 = { c6470300 8b7d08 75a0 8b5d0c 8b45f4 015f0c 5f } - $sequence_4 = { b807000000 5b 8be5 5d c3 8945fc 394604 } - $sequence_5 = { 8b4dfc 50 51 e8???????? 56 8947f6 e8???????? } - $sequence_6 = { c3 56 57 e8???????? 83c408 894590 85c0 } - $sequence_7 = { dd8570feffff dec3 d9ca dd9560feffff d8d1 dfe0 ddd9 } - $sequence_8 = { a1???????? 891490 8b0d???????? 
42 3bd1 7ced a1???????? } - $sequence_9 = { 8b4508 85c0 7416 56 8b7010 50 e8???????? } + $sequence_0 = { e8???????? 8b5508 8b430c 52 50 57 e8???????? } + $sequence_1 = { 8d7801 83f701 4f 83c0ed 897df4 83f83b 0f8798010000 } + $sequence_2 = { 8b95a8feffff 894b38 89533c 8b4818 894b2c 8b5014 3b5024 } + $sequence_3 = { e8???????? 8b5d20 8b55f8 53 52 6a6d 56 } + $sequence_4 = { 8b4df8 50 68???????? 51 e8???????? 83c40c eb10 } + $sequence_5 = { 8d46c4 50 53 895de0 e8???????? 83c418 837ee400 } + $sequence_6 = { 8b4ddc 8b5508 833c9100 7e18 8b45f8 8b4d08 6a00 } + $sequence_7 = { 8b04d0 50 8945f8 e8???????? 8b55fc 8d0c00 83e201 } + $sequence_8 = { 8945dc 8b45e0 33db 83c404 3918 7e4b 895dd4 } + $sequence_9 = { 898578ffffff 0fb75310 8b7d0c 46 897590 3bf2 0f8c9afeffff } condition: 7 of them and filesize < 1187840 
@@ -142018,36 +143080,36 @@ rule MALPEDIA_Win_Sarhust_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f82eb40-7df1-5fcd-972c-65036c547e83" - date = "2026-01-05" - modified = "2026-01-06" + id = "65dcceb1-0ef3-5ff3-9c6f-7eb3a6e0ce83" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sarhust_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sarhust_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "6be2d8277b702e649c294d54fc6ec35174e3abad1edfa4501c6a9845d06e8218" + logic_hash = "94deaa425f6c0cc7250fe7a5594cffd93c4bf9860b1c837434eecaf5aa48780f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d8d4cffffff e8???????? 6a00 ff15???????? } - $sequence_1 = { 8d8d4cffffff e8???????? 6a00 ff15???????? } - $sequence_2 = { 6801000080 ff15???????? 85c0 7408 ff15???????? } + $sequence_0 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? } + $sequence_1 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 } + $sequence_2 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 } $sequence_3 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 ff15???????? 
} - $sequence_4 = { eb08 8b4520 8b4d0c 8908 } - $sequence_5 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 } + $sequence_4 = { 6801000080 ff15???????? 85c0 7408 ff15???????? } + $sequence_5 = { e8???????? 8d8d4cffffff e8???????? 6a00 ff15???????? } $sequence_6 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff } - $sequence_7 = { e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 ff15???????? } - $sequence_8 = { e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 } - $sequence_9 = { 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? } + $sequence_7 = { e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 } + $sequence_8 = { e8???????? 8d8d4cffffff e8???????? 8d8d4cffffff e8???????? 6a00 ff15???????? } + $sequence_9 = { eb08 8b4520 8b4d0c 8908 } condition: 7 of them and filesize < 114688 
@@ -142057,36 +143119,36 @@ rule MALPEDIA_Win_Unidentified_109_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b6061e05-3237-58ca-ad8b-3aa8b32dd728" - date = "2026-01-05" - modified = "2026-01-06" + id = "e8489668-cc3b-5dcb-a4f3-6545c1da6985" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_109" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_109_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_109_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "d68f70d66f63488c08e0a968d9091c8e5c1c07bcbe7d2942849c574944ebfcba" + logic_hash = "c1c5ef275d8dcd4f48c737a49bb0b518c7dcd8febb350184455b4fea9d78c5ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc8 d1e8 410bc1 83e101 41ffc8 894204 448bc9 } - $sequence_1 = { 488bd9 418bf9 498bf0 448bd2 b1e4 85d2 } - $sequence_2 = { 418bc8 0bcb 41c1c01e 418bd1 4123cb c1c205 0bc8 } - $sequence_3 = { 410fb7c0 6641ffc0 c644080433 664585c9 0f84e0000000 410fb7c0 6641ffc0 } - $sequence_4 = { ffc8 410f48c6 4585c0 7e38 4898 660f1f440000 493bc6 } - $sequence_5 = { 0fb6d2 83e27f 8d041a 3bc6 0f8742010000 85d2 7416 } - $sequence_6 = { 7453 85db 744b 48897c2430 0f1f4000 498d8ef8000000 488bd6 } - $sequence_7 = { 488945d0 488945d8 488945e0 488d4de8 498bd9 418bf6 
4c8975f8 } - $sequence_8 = { 790a c705????????00000000 488d0dfaf80400 ff15???????? 85db 488b5c2420 7441 } - $sequence_9 = { 8bc1 448bc1 2bc6 03c2 413bc1 77de 03ca } + $sequence_0 = { 8b5828 4133cb 418bc0 418bfc 33fb c1c005 33ca } + $sequence_1 = { 7507 c7430800000000 8bc7 e9???????? 448b13 488b7b10 c7430800000000 } + $sequence_2 = { 0f8726feffff 418bc0 4c8d8ec0000000 488d9680000000 c1e802 448981f4000000 896c2420 } + $sequence_3 = { 4403da 498bd5 4123c3 4133c1 03c3 03c8 418bc2 } + $sequence_4 = { 66898170020000 33c0 c3 0fb78170020000 a808 75c0 6683c808 } + $sequence_5 = { 894c2420 85f6 759f 458bee 448b4558 488b5550 488d4c2420 } + $sequence_6 = { 3bce 7cea 488d542420 488d4da7 4c8d45a7 e8???????? 4c8b65b7 } + $sequence_7 = { 758a 4c8b642450 488b7c2448 488b5c2440 33c0 4c8b742458 4883c420 } + $sequence_8 = { c1c20a 4133c0 458d93e68ba250 41034738 4403c8 8bc2 } + $sequence_9 = { 488b4808 c6440bff00 493bdf 7ceb 33c0 eb05 b853ffffff } condition: 7 of them and filesize < 723968 
@@ -142096,36 +143158,36 @@ rule MALPEDIA_Win_Threebyte_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "799d81f4-c3a7-51cd-8c7b-153e88acd8dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "6710c627-853f-55f1-b09e-51d3e8973476" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.threebyte_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.threebyte_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "2ca2547a0ff0213816f73a796ceafd61c5b00d7d4af221dfd97f4e43556e0e8c" + logic_hash = "636e5426e0b4c2cdffa32f84e4122aae5c8e6c8a29ac9a00b1764152ef7dcd6f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b9598fbffff 52 8d859cfbffff 50 8d8d4cf7ffff 51 8d956cf7ffff } - $sequence_1 = { 6a20 68cc000000 8d8de0fdffff 51 e8???????? 83c40c } - $sequence_2 = { c68531faffff6d c68532faffff65 c68533faffff00 8d8d28faffff 51 8b95a8faffff 52 } - $sequence_3 = { 52 8d8544feffff 50 8d8dccfeffff 51 e8???????? } - $sequence_4 = { ff15???????? 8d95ccfcffff 52 8d8510f8ffff 50 8d8dd0fdffff 51 } - $sequence_5 = { c685b1fdffff00 ff15???????? 50 8d8d94fdffff 51 } - $sequence_6 = { 81bda4f7fffff6010000 7507 b8faffffff eb05 b8f9ffffff 5f 8be5 } - $sequence_7 = { e8???????? 83c404 e9???????? 
6a02 6a00 6a00 8b95d0fdffff } - $sequence_8 = { 50 e8???????? 83c408 89853cffffff 83bd3cffffff00 } - $sequence_9 = { 3b4d0c 7d15 8b5508 33c0 8a02 8945e0 8b4d08 } + $sequence_0 = { 55 8bec 51 894dfc 8b45fc c7403000000000 8b4dfc } + $sequence_1 = { f7f9 8945e8 8b550c c1e203 8b45e8 6bc006 } + $sequence_2 = { c645b700 8d55a4 52 8b4590 50 ff15???????? } + $sequence_3 = { 8d95acf7ffff 52 8d45f4 50 8b4df0 51 8b955cf7ffff } + $sequence_4 = { e8???????? 83c40c e9???????? c68508fdffff5b } + $sequence_5 = { 8b55f8 52 ff5138 8945fc 837dfc00 7d12 68???????? } + $sequence_6 = { 50 8b4df8 8b11 8b45f8 50 ff523c } + $sequence_7 = { 8bec 81ecd4020000 57 c685d8fdffff43 c685d9fdffff4f c685dafdffff4d } + $sequence_8 = { 8d8dfcfeffff 51 e8???????? 83c408 8d95fcfeffff 52 8d85dcecffff } + $sequence_9 = { c78570ffffff00000000 b90f000000 33c0 8dbd74ffffff f3ab c645b057 c645b169 } condition: 7 of them and filesize < 180224 
@@ -142135,36 +143197,36 @@ rule MALPEDIA_Win_Hermes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40977080-f0db-509f-ad36-9106e881ac17" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0c70b37-3534-5ec9-896d-df28d37ac83b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hermes_auto.yar#L1-L110" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hermes_auto.yar#L1-L110" license_url = "N/A" - logic_hash = "ec38569492fc62621d2bfb5ebe2db77f57521b3e9d7ddcf1c5d737c6a9cf9c68" + logic_hash = "9cebd3f3b9d2e80976fdbd5c01dc9dd949fb2f357cdc451f1c746e813ef31267" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33d2 6a79 59 f7f1 } - $sequence_1 = { 6a01 6810660000 ff75fc ff15???????? } - $sequence_2 = { 50 8b4508 83c801 50 } - $sequence_3 = { 83c801 50 6a01 ff75fc } - $sequence_4 = { 7508 6a01 ff15???????? 8be5 5d c3 } - $sequence_5 = { 7508 6a01 ff15???????? 8be5 5d } - $sequence_6 = { 6a04 6800100000 6888130000 6a00 ff15???????? } - $sequence_7 = { 83c801 50 6a01 ff75fc ff15???????? } - $sequence_8 = { 50 6a01 6810660000 ff75fc ff15???????? } - $sequence_9 = { 7508 6a01 ff15???????? 8d45fc } + $sequence_0 = { e8???????? 
59 59 6890010000 } + $sequence_1 = { 50 6a01 6810660000 ff75fc ff15???????? 85c0 } + $sequence_2 = { 50 6a01 6810660000 ff75fc ff15???????? } + $sequence_3 = { 6a01 ff15???????? 8d45fc 50 } + $sequence_4 = { 83c801 50 6a01 ff75fc } + $sequence_5 = { 6800100000 6888130000 6a00 ff15???????? } + $sequence_6 = { 50 8b4508 83c801 50 6a01 ff75fc ff15???????? } + $sequence_7 = { 8b4508 83c801 50 6a01 } + $sequence_8 = { ff15???????? 6a07 59 be???????? } + $sequence_9 = { 8d45fc 50 ff15???????? 6a20 } condition: 7 of them and filesize < 7192576 @@ -142175,10 +143237,10 @@ rule MALPEDIA_Win_Touchmove_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "522c2cac-142c-5982-9c6b-182b0f82e223" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.touchmove_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.touchmove_auto.yar#L1-L118" license_url = "N/A" logic_hash = "b909bee1078b375a3a52a6b366cfda1d518438076dcea1e60cd1ece67d92cd0d" score = 75 @@ -142187,9 +143249,9 @@ rule MALPEDIA_Win_Touchmove_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -142213,36 +143275,36 @@ rule MALPEDIA_Win_Jupiter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "75f69a27-2335-5e55-aba0-ab6c4b24c511" - date = "2026-01-05" - modified = "2026-01-06" + id = "d9220db8-91c0-5c23-a28c-6e51bd3bc3bb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupiter" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.jupiter_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.jupiter_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "9a9545049cbc95230bffe2c6ee7b65da4bdadff47104616baed37c8cd6306b50" + logic_hash = "9cc18fe3f079c573188997534ca39e0f851f6d6285db5133c3f30b49aa4b97ad" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c605????????01 66c705????????0101 c605????????01 c605????????01 } - $sequence_1 = { 8a4147 884104 8a4146 884105 8b4144 c1f808 884106 } - $sequence_2 = { 884104 8a4146 884105 8b4144 c1f808 884106 8a4144 } - $sequence_3 = { 8a4146 884105 8b4144 c1f808 884106 } - $sequence_4 = { c605????????01 c605????????01 66c705????????0101 c605????????01 } + $sequence_0 = { 884104 8a4146 884105 8b4144 c1f808 884106 8a4144 } + $sequence_1 = { 884105 8b4144 c1f808 884106 8a4144 } + $sequence_2 = { 8a4146 884105 8b4144 c1f808 } + $sequence_3 = { c605????????01 66c705????????0101 c605????????01 
c605????????01 66c705????????0101 c605????????01 } + $sequence_4 = { c605????????01 66c705????????0101 c605????????01 c605????????01 66c705????????0101 } $sequence_5 = { 8a4147 884104 8a4146 884105 } - $sequence_6 = { c605????????01 66c705????????0101 c605????????01 c605????????01 66c705????????0101 c605????????01 } - $sequence_7 = { 884104 8a4146 884105 8b4144 } + $sequence_6 = { 8a4146 884105 8b4144 c1f808 884106 8a4144 } + $sequence_7 = { c605????????01 c605????????01 66c705????????0101 c605????????01 } $sequence_8 = { 52 52 6802000000 6803000000 } - $sequence_9 = { 8a4146 884105 8b4144 c1f808 } + $sequence_9 = { 884104 8a4146 884105 8b4144 } condition: 7 of them and filesize < 224112 
@@ -142252,36 +143314,36 @@ rule MALPEDIA_Win_Unidentified_099_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6834d9d3-6a75-5c68-b5d3-9237e184ef6d" - date = "2026-01-05" - modified = "2026-01-06" + id = "2a559c81-2ac2-5893-a022-03b84cb58686" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_099_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_099_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "7fd05f1e717b782bb9ac06a7756c0dc03e1b36f5a16d932168b1c5d5cda9cc3a" + logic_hash = "5f10c991479f5fb48cd31b8a6a1c9c6b74ad83829903c4aefe61e65e99e65538" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48895c2408 4889742410 57 4883ec20 488d1d7e700100 } - $sequence_1 = { 498bcd ff15???????? b974000000 e8???????? 4c8bd0 } - $sequence_2 = { 488d05fb9d0000 49c1e302 4889452f 83e202 8bc2 4903c3 4c8945ef } - $sequence_3 = { f3aa 488d8520030000 33c9 4533c9 4889442420 4533c0 ff15???????? } - $sequence_4 = { 4885c0 0f8421040000 4d8bc5 488d1506950100 488d4c2450 } - $sequence_5 = { 7410 488d0d2cb50100 4883c428 e9???????? e8???????? 
85c0 } - $sequence_6 = { 752c 4985df 7527 488b9540070000 4c8d0502860000 498bcd 44897604 } - $sequence_7 = { 41b880000000 e8???????? 4533ed 488d8d50040000 33d2 44896c2468 } + $sequence_0 = { 488bce c744244c40000000 4533c0 33d2 } + $sequence_1 = { 4889442438 4889442440 c74424481c000000 ff15???????? } + $sequence_2 = { 0fb7442440 0f1101 66894110 488d4b26 4885c9 7512 } + $sequence_3 = { baffff1f00 48894c2440 48894c2438 c744243005000000 } + $sequence_4 = { 4d8bc6 ba05000000 ff15???????? 498bce } + $sequence_5 = { 33c0 b95f000000 f3aa 488bfb 488d052feaffff } + $sequence_6 = { ba02000000 660f1f440000 488d8980000000 0f1000 0f104810 } + $sequence_7 = { 4c8b1b 33f6 448bce 6690 428d148d00000000 41ffc1 } $sequence_8 = { 488d8c2490200000 4533c9 48897c2430 897c2428 ba00000080 c744242003000000 } - $sequence_9 = { 488d7f01 4883fa2d 7ce7 4c8d8510020000 } + $sequence_9 = { 4883c203 880f 488d7f01 4881fa84000000 } condition: 7 of them and filesize < 314368 
@@ -142291,36 +143353,36 @@ rule MALPEDIA_Win_Lowball_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "54da57b9-ab1c-5339-aa9f-22bb43699408" - date = "2026-01-05" - modified = "2026-01-06" + id = "97a18ac2-485c-507c-8ccf-e6257898d15d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lowball_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lowball_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "6556d6fae2a4a8629aa4a1cdf4ec37ace65e626c581801de62deac1b596c79de" + logic_hash = "f0cfaf3c86d2a26a3fc0cf781b4702870c4026afd625423d383fbc1a5ca3d73e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 0f848d000000 8d842434070000 68???????? } - $sequence_1 = { 8d4b01 51 e8???????? 56 } - $sequence_2 = { 85f6 89742410 0f84bf000000 8b8c241c020000 } - $sequence_3 = { 6810270000 ff15???????? bf???????? 83c9ff } - $sequence_4 = { 0f840c010000 8b8c2424020000 53 55 55 } - $sequence_5 = { 896c2418 c744242400020000 aa e8???????? 55 } - $sequence_6 = { 84c0 750b 33c0 81c4400e0000 c21000 } - $sequence_7 = { 68???????? e8???????? 
83c410 85c0 0f848d000000 8d842434070000 } - $sequence_8 = { 85c0 752d 68b80b0000 ffd3 8d84242c050000 8d8c241c010000 50 } - $sequence_9 = { 8b742420 53 ff15???????? 5b 56 ff15???????? 8b44240c } + $sequence_0 = { 8bfa 8d94244c0d0000 c1e902 f3a5 8bc8 } + $sequence_1 = { 81ec14020000 a0???????? 55 56 57 88442420 b97f000000 } + $sequence_2 = { 0f848c000000 8b942420020000 55 6a00 } + $sequence_3 = { f3ab aa 83c9ff bf???????? } + $sequence_4 = { 57 ff15???????? 8be8 85ed 7459 } + $sequence_5 = { 85f6 7e13 8a4c2410 53 8a1c10 32d9 881c10 } + $sequence_6 = { 85f6 89742410 0f84bf000000 8b8c241c020000 } + $sequence_7 = { ff15???????? 83c408 be???????? 8bc5 8a10 8a1e } + $sequence_8 = { 8b942428060000 55 6a00 6800058084 6a00 6a00 68???????? } + $sequence_9 = { f7d1 49 8be9 8b842434020000 68???????? } condition: 7 of them and filesize < 40960 
@@ -142330,36 +143392,36 @@ rule MALPEDIA_Win_Darkloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad9df5bd-cb17-5a57-841e-d7169dd29ac7" - date = "2026-01-05" - modified = "2026-01-06" + id = "a4a944bc-3afd-55d4-b5d0-aa6d38e3208f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkloader_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkloader_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "0e3b5f14c9565dba5f89e209f471d5ea4bec46d1f1cc2d6a50fe986d74ec01f7" + logic_hash = "683b73d2111030cfe2ecdd53143ff7aa9e925864ed2af0f970b93ccaf4f5eccc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8365fc00 ff15???????? 59 85c0 b9???????? } - $sequence_1 = { 68???????? ffb7dc010000 8987d4010000 ffd6 } - $sequence_2 = { 83f9ff 75bb 8bb42424020000 8dbe10a10010 ff742418 e8???????? 59 } - $sequence_3 = { 8931 e8???????? 83c410 33c0 40 ebaf 83ec18 } - $sequence_4 = { 8b01 ff90d0000000 83f809 7555 } - $sequence_5 = { 68???????? eb38 8d042f 50 e8???????? } + $sequence_1 = { 53 e8???????? 8bb42434020000 c1e607 68???????? 
89b42438020000 } + $sequence_2 = { ffd6 6a03 59 2bcf 6a2f 8d2c01 } + $sequence_3 = { 89442418 8b4818 894c241c 85c9 0f84b3000000 8b4020 } + $sequence_4 = { ffd5 a1???????? 40 85c0 7e5e 8bfe 8d8f10610010 } + $sequence_5 = { 8d042f 50 e8???????? 8b6c2428 8bf0 ff7510 53 } $sequence_6 = { 56 57 e8???????? 8bd8 59 59 85ff } - $sequence_7 = { ffb7dc010000 894704 ffd6 68???????? } - $sequence_8 = { 6a08 8bf8 be???????? 59 8d442414 f3a5 } - $sequence_9 = { a3???????? 5e c3 55 8bec 81ec04040000 33c9 } + $sequence_7 = { 51 50 e8???????? 8b4c242c 83c41c 83f9ff } + $sequence_8 = { 6bc503 40 50 e8???????? be???????? 8d7c2418 } + $sequence_9 = { ff15???????? 6a3b 8d7003 56 ff15???????? } condition: 7 of them and filesize < 124928 @@ -142370,10 +143432,10 @@ rule MALPEDIA_Win_Woolger_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "69dafade-30c5-5734-830c-150b438e6d59" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.woolger_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.woolger_auto.yar#L1-L121" license_url = "N/A" logic_hash = "a68ced9b21a66c947cc315eb8f76a9ad3604356e88ce1c4ffa9af9c48a2ada10" score = 75 
@@ -142382,9 +143444,9 @@ rule MALPEDIA_Win_Woolger_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -142408,36 +143470,36 @@ rule MALPEDIA_Win_Hardrain_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25398ca8-a4b7-5603-875f-04e6efbaac2b" - date = "2026-01-05" - modified = "2026-01-06" + id = "2ffd1467-5498-56f3-a939-18fd49a9b53c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hardrain_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hardrain_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "bee47eae17e07c9e5633e3c8b1ddd3c37741eaa6fac55010942faf387fc2a537" + logic_hash = "c4a3b4f95e5c8b2942ed8c937b9a15dd4ff46579fa79fc2e047695a69c217b33" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83ec0c 8b4c2414 8b442410 56 57 8b7904 8b7004 } - $sequence_1 = { 5e 81c418010000 c20400 83ec0c } - $sequence_2 = { 83ec10 56 57 8b7c241c 6685ff } - $sequence_3 = { 52 e8???????? 33c0 b910000000 89442448 } - $sequence_4 = { 5e 83c418 c3 33c9 33c0 8b542424 894c2410 } - $sequence_5 = { c3 68ffffff7f 56 ff15???????? 85c0 } - $sequence_6 = { 32d0 88143e 46 3bf3 7cea 5f 8d4c2408 } - $sequence_7 = { 52 8bce e8???????? 85c0 7413 6a16 8d44241c } - $sequence_8 = { e8???????? 50 8bce e8???????? 
85c0 0f84da000000 } - $sequence_9 = { 5d b801000000 5b 59 c20400 8b4c2410 895910 } + $sequence_0 = { c1e902 f3a5 8bc8 8b442420 83e103 83f801 f3a4 } + $sequence_1 = { 668944244c 885c244e ff15???????? 8bcd 8db4240c010000 8bd1 8d7c244d } + $sequence_2 = { 743a 6a16 8d4c241c 55 } + $sequence_3 = { f3a4 888390020000 b90c000000 33c0 } + $sequence_4 = { e8???????? 83c408 68???????? ff15???????? 8b442404 50 } + $sequence_5 = { 8bcd 57 8bc1 8bfb } + $sequence_6 = { 895c242c c744243000000000 ff15???????? 85c0 7eca } + $sequence_7 = { 5e 83c418 c3 33c9 33c0 8b542424 894c2410 } + $sequence_8 = { 50 56 6857340000 51 e8???????? } + $sequence_9 = { e8???????? 85c0 0f85e0000000 66a1???????? 53 56 57 } condition: 7 of them and filesize < 368640 @@ -142448,10 +143510,10 @@ rule MALPEDIA_Win_Ntospy_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "8131d4ba-7ab9-5f25-bfe1-80fb81c429a4" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ntospy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ntospy_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ntospy_auto.yar#L1-L117" license_url = "N/A" logic_hash = "8fbd4c5ffc79f2d95a93b5deb7321b5b82d08f35463db086df64bd3e92a52647" score = 75 
@@ -142460,9 +143522,9 @@ rule MALPEDIA_Win_Ntospy_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -142486,34 +143548,34 @@ rule MALPEDIA_Win_W32Times_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8d0ca9de-72d5-5416-8ea3-4ffe99cecdda" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d876c62-84d3-5be7-9698-90c8d727e921" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.w32times_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.w32times_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "f7e65aa826ad4cf269428f43fa98d18142b27ed083ec25ea57e656102267e97a" + logic_hash = "7fb983b5fb8e35d2ac59156f538b22b48c46f96e049ac758865b4f2417ba653e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d44240c 6a00 50 53 57 56 c744242000000000 } - $sequence_1 = { 6a03 55 6a01 8d8c2410080000 6800000080 } - $sequence_2 = { 51 ffd6 8b4500 8d54242c } - $sequence_3 = { 8bcd 4f c1e902 f3a5 8bcd 8d9424ec010000 83e103 } - $sequence_4 = { 3b9c24000d0000 0f84cc090000 8a8424f0020000 84c0 0f84bd090000 8a8424e8000000 84c0 } - $sequence_5 = { 7534 8b2d???????? 46 56 68???????? } + $sequence_0 = { ffd3 837c241404 7416 68e8030000 ffd7 8d542410 } + $sequence_1 = { 7416 83f8ff 7411 50 ffd6 a1???????? 50 } + $sequence_2 = { 68???????? 68???????? ff15???????? 83c41c e9???????? 
8d9424ec010000 } + $sequence_3 = { 6a00 ff15???????? 89442430 8bf0 } + $sequence_4 = { 57 56 c744242000000000 ff15???????? 56 ff15???????? 5f } + $sequence_5 = { 8bfd 83c9ff 33c0 8d9424ec010000 f2ae f7d1 2bf9 } $sequence_6 = { 8bd8 ffd7 56 ffd7 53 ff15???????? } - $sequence_7 = { ebd7 68???????? ff15???????? 8b1d???????? 68???????? ff15???????? 85db } + $sequence_7 = { a1???????? 50 ffd3 892d???????? 68???????? ff15???????? 833d????????01 } $sequence_8 = { b941000000 bf???????? f3ab b941000000 8dbc24f8050000 } $sequence_9 = { 83c40c 85c0 0f85e00c0000 8b4b04 6a04 } 
@@ -142525,36 +143587,36 @@ rule MALPEDIA_Win_Giftedcrook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fdb2b54b-eafe-53d8-b9a6-9bb6fa7e1261" - date = "2026-01-05" - modified = "2026-01-06" + id = "f970c69b-e37d-55b6-8e45-640dbfe8fd22" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.giftedcrook" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.giftedcrook_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.giftedcrook_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "c55ae29646ee6e1fa6528687183d61d605ab3a357e4390ae9837f246340b30d4" + logic_hash = "fee375a34ba026c88ecb017c941c459856b39d254fbc114d61d348631640d57d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 744f 4c8bca 4c8d05da9d0400 ba80000000 488d4c2430 e8???????? 0fb69f550a0000 } - $sequence_1 = { 488983300d0000 488d15b0720800 c683500d000001 488bcb e8???????? 488b457f 33ff } - $sequence_2 = { 4c8bc6 488d154a270500 488bcf e8???????? ba01000000 488bcf e8???????? } - $sequence_3 = { 0fbe4550 83c0d3 83f846 0f8794feffff 4898 0fb68402e00e0300 8b8c82bc0e0300 } - $sequence_4 = { e8???????? 4c8bf0 4885c0 7512 48396f60 740c 4c8d35bbff0700 } - $sequence_5 = { 4c8b8d50070000 4c8d05aa0f0500 488d9598060000 e8???????? 
8bf8 85c0 750a } - $sequence_6 = { 4489442440 488d4c2450 89542438 4c8d05d2240500 44895c2430 ba18000000 4489542428 } - $sequence_7 = { 4c8d05d21a0500 e8???????? 8bf8 85c0 } - $sequence_8 = { 8bf2 4c8d0d3d500200 488be9 4c8d052b500200 488d152c500200 b901000000 e8???????? } - $sequence_9 = { 48896c2420 4c8d2d28dc0600 448bcf 4d0f45e8 488d1522dc0600 4d8bc5 498bcc } + $sequence_0 = { 33ff 48895c2470 488d0db4f30200 897c2468 4d8d5608 48896c2460 4d8d5e06 } + $sequence_1 = { 48c1f806 488d0df8c60300 4183e23f 4903e8 498bf0 488b04c1 4b8d14d2 } + $sequence_2 = { 48c744242005000000 41b811000000 488d15f17b0600 488bcf e8???????? 84c0 0f8454fbffff } + $sequence_3 = { 488d1528600500 e8???????? 41bf40000000 eb0e 488bcb 488bd5 e8???????? } + $sequence_4 = { 488d15e43c0400 488bce 4c8b04d8 498b4008 4d8b08 4889442428 418b4018 } + $sequence_5 = { 7427 c6436301 e9???????? be03000000 eb23 be06000000 eb1c } + $sequence_6 = { 4c0f45eb 48898c24b0000000 488d0d07110700 83f808 741a 83f810 740c } + $sequence_7 = { 4c8d0de6100700 eb07 4c8d0dd9100700 8b470c 83f808 741a 83f810 } + $sequence_8 = { eb24 482bc3 4883f802 7205 488bdd eb3b 488d0d45defeff } + $sequence_9 = { 84c0 7505 397764 7423 440fb74f66 488d15d72f0600 } condition: 7 of them and filesize < 1605632 
@@ -142564,42 +143626,42 @@ rule MALPEDIA_Win_Strongpity_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14bad2bc-8b1c-5604-a8c5-9e952bb2db14" - date = "2026-01-05" - modified = "2026-01-06" + id = "729d69d4-d6e0-504a-8071-f11ea4c48559" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.strongpity_auto.yar#L1-L178" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.strongpity_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "489b26cd26695d5bf1487fe83576061d12be04bfa204a50dba999c14e24baf44" + logic_hash = "013a260ea48cfe398e841cb0fbf0cd5fb1bf64bd8808cbc243d74f55db88ed8f" score = 60 quality = 45 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 74b8 6a14 59 } - $sequence_1 = { 6a1f 56 ff15???????? 33c0 50 ff7710 } - $sequence_2 = { 8b45ec 6a02 5a 663938 750d 49 03c2 } - $sequence_3 = { 740d 817df4c8000000 7504 8bc6 } - $sequence_4 = { 85ff 7507 33c0 e9???????? b90a020000 33d2 8810 } - $sequence_5 = { 83e901 75f8 8bcb 897dd0 c745d404010000 } - $sequence_6 = { 7433 53 56 ff15???????? 85c0 7427 53 } - $sequence_7 = { 8819 41 83e801 75f8 ff75d0 68???????? 
} - $sequence_8 = { 5e 5d 8d432f 5b 8b4c2418 } - $sequence_9 = { 5e 5d 8bc3 5b 83c410 c3 8b464c } - $sequence_10 = { 5e 5d b803000000 5b 59 c3 8b06 } - $sequence_11 = { 5e 5d 8d431b 5b 8b8c24a8090000 } - $sequence_12 = { 5e 5d 8919 33c0 5b 59 } - $sequence_13 = { 5e 5d 8bc3 c7826c02000001000000 5b 83c410 } - $sequence_14 = { 5e 5d b809000000 5b 83c408 c3 8b4640 } - $sequence_15 = { 7410 5f c7866c02000001000000 5e 83c410 c3 } + $sequence_0 = { 6a68 668945ea 58 6a3a 668945ee 58 6a20 } + $sequence_1 = { ff75d0 68???????? ff36 e8???????? 8b45d4 83c40c 894604 } + $sequence_2 = { 6a65 59 6a2d 668945d6 } + $sequence_3 = { 680c020000 8945c8 8945d4 8945f0 } + $sequence_4 = { 50 6aff 53 56 ff15???????? 85c0 } + $sequence_5 = { ba???????? f3a5 8bf2 668b02 } + $sequence_6 = { 8818 40 83e901 75f8 395dd0 7463 } + $sequence_7 = { c745f800100000 85c0 750b 56 } + $sequence_8 = { 0107 83be8800000002 8b07 0f85ad000000 83f814 } + $sequence_9 = { 5f c3 8b4c2414 85c9 } + $sequence_10 = { 5f c3 56 6a08 ff15???????? 83c404 85c0 } + $sequence_11 = { 5f c3 8b74240c c7400400000000 } + $sequence_12 = { 012e 885c240a ebc3 80fb5d 7520 837c240c00 0f85fe020000 } + $sequence_13 = { 5f c70001000000 33c0 5d 8b4c2450 } + $sequence_14 = { 012e 885c240a e9???????? 84db 0f8434020000 } + $sequence_15 = { 7418 8bd3 52 c786c800000001000000 } condition: 7 of them and filesize < 999424 
@@ -142609,36 +143671,36 @@ rule MALPEDIA_Win_Glassrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9bc70a4-a165-546a-8b42-f2a0c16e09f0" - date = "2026-01-05" - modified = "2026-01-06" + id = "f8a6e9f1-2316-5505-905f-c231b2b4c23c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.glassrat_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.glassrat_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "fbe939a1762c88ca3785e6b1a0e31abcf86d2dba3555094a224ffc73c72353a2" + logic_hash = "0bec3c726d0ad874e11ab5ede48aa2be068822b1935ab31e541a262f0fd12ab3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 32c0 5d 83c408 c21400 53 56 8d4524 } - $sequence_1 = { 895904 894108 89790c 8b4a04 e8???????? } - $sequence_2 = { 0f8598000000 bf02000000 ff15???????? 6a00 8b95c4feffff } - $sequence_3 = { 6860ea0000 ff15???????? 8d8c242c010000 c784243c020000ffffffff e8???????? 46 83fe05 } - $sequence_4 = { 8d5004 8945ec 8930 b941000000 33c0 8bfa } - $sequence_5 = { 8d9578feffff 53 53 6a02 } - $sequence_6 = { c7857cffffff44000000 c745a801010000 668975ac 895db8 895dbc } - $sequence_7 = { 8dbd85feffff 8945e0 8945e4 889d84feffff f3ab 66ab } - $sequence_8 = { 33ed 68905f0100 ff15???????? 
6a00 } - $sequence_9 = { e8???????? 53 55 56 33c0 8bf1 89442410 } + $sequence_0 = { ff15???????? 85c0 7f0e 5f } + $sequence_1 = { 7408 6a00 ff15???????? 8b842424010000 8b8c2420010000 8b942418010000 } + $sequence_2 = { 895de0 50 56 ff15???????? } + $sequence_3 = { 68007f0000 53 89442438 ff15???????? 53 89442438 } + $sequence_4 = { 8b3d???????? 8d542404 56 52 33f6 ffd7 85c0 } + $sequence_5 = { 8b45cc 50 51 ff15???????? 8b95c4feffff } + $sequence_6 = { 53 ffd5 8b5e24 8d542410 52 } + $sequence_7 = { 8bc8 8b4504 83e103 83f8ff f3a4 741a 6a02 } + $sequence_8 = { 8b5e28 8d442410 50 53 ffd7 85c0 7403 } + $sequence_9 = { 2bc2 3bc8 b802000000 0f85b4000000 } condition: 7 of them and filesize < 81920 
@@ -142648,36 +143710,36 @@ rule MALPEDIA_Win_Bs2005_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c222daf1-0291-5b44-a14d-9520773ee0b6" - date = "2026-01-05" - modified = "2026-01-06" + id = "c4befd31-9531-5de2-aa5e-ea082e375341" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bs2005_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bs2005_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "2de8be623d8c0993a0484485024d355fd2aa58f75e717b2fbd75b321c706b20a" + logic_hash = "190262bb63093685e83b8f09df7185445a30ae67220a772f1f0045c2ececafe5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 40 84c9 75f9 6a00 8d8dccfeffff 51 2bc2 } - $sequence_1 = { c705????????14864000 a3???????? c705????????408f4000 c705????????30864000 c705????????92854000 } - $sequence_2 = { 8bcf 2bce 81e91c010c00 51 8d5705 52 83c020 } + $sequence_0 = { 53 68???????? 57 ff15???????? 8bc7 83c418 8d4801 } + $sequence_1 = { 5d c3 8d5a9f 80fb19 771c 0fbeca } + $sequence_2 = { 898844000400 8b974c060000 8b02 c6404037 8b8f54060000 } $sequence_3 = { 52 6a04 50 8945e4 8b45e8 68???????? 
50 } - $sequence_4 = { 8945f8 ba00040000 8bcf c60100 } - $sequence_5 = { 8b8e04010000 6a00 6a00 50 51 c745fc00000000 } - $sequence_6 = { 8b06 85c0 7425 8b10 50 } - $sequence_7 = { 75f9 b900000400 8d860c010c00 c60000 40 49 75f9 } - $sequence_8 = { 8b860c010000 3d00000200 7205 b800000200 8b8e04010000 6a00 } - $sequence_9 = { 6a00 8d55fc 52 50 8d8612010000 50 51 } + $sequence_4 = { 40 84c9 75f9 8b8f4c060000 2bc2 } + $sequence_5 = { 52 e8???????? 8b4dfc 83c40c 50 } + $sequence_6 = { c1f918 884cb5ec 8bd0 8bc8 c1fa10 c1f908 8854b5ed } + $sequence_7 = { ffd2 8b06 8b08 8b5108 } + $sequence_8 = { e8???????? 8d8f14010000 8bc1 83c40c 8d7001 8bff 8a10 } + $sequence_9 = { 85c0 749c 8b55cc 52 } condition: 7 of them and filesize < 212992 
@@ -142687,36 +143749,36 @@ rule MALPEDIA_Win_Murkytop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "09dd87b2-848c-59f6-89b2-09fd740bcdeb" - date = "2026-01-05" - modified = "2026-01-06" + id = "1a665249-254d-5c04-9dec-672dd61ba6b1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.murkytop_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.murkytop_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "d0c9a9dcefc5b4fab8d861110dfc72a07f2978208e468d91616835a5f37c61c4" + logic_hash = "401cb7ebf79c087a4975a12c90fb689e3e0df0a36ec46e807d1b933b33fbd494" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bc6 c1f805 57 83e61f 8d3c85e0f54100 8b07 } - $sequence_1 = { 0f8827040000 8b5d08 8d7dec e8???????? 85c0 0f8814040000 6803010000 } - $sequence_2 = { 50 68???????? e8???????? 8b45fc 8b4868 51 } - $sequence_3 = { 8b4de8 51 68???????? e8???????? 8b55f0 } - $sequence_4 = { 3bc6 7377 8bce e8???????? c745fc00000000 } - $sequence_5 = { 50 68???????? e8???????? 8b45fc 8b4824 51 e8???????? } - $sequence_6 = { 7551 8b4d08 85c9 745e 8b7918 b889888888 f7ef } - $sequence_7 = { 3bc7 7629 8bcf 8bd1 d1ea beffffff3f 2bf2 } - $sequence_8 = { b902000000 66894dc4 53 ff15???????? 
668945c6 } - $sequence_9 = { 3c69 7404 3c49 757f c645fa01 e9???????? c645fe01 } + $sequence_0 = { 3b0cc508714100 740a 40 83f816 72ee 33c0 5d } + $sequence_1 = { 897df4 ff15???????? 85c0 0f84d0000000 33c0 8945cc } + $sequence_2 = { 51 6a00 6a03 52 56 57 ffd3 } + $sequence_3 = { 50 ff15???????? eb3d 8b7df8 33db 3975fc } + $sequence_4 = { ebeb 8bff 55 8bec 83ec4c 56 8d45b4 } + $sequence_5 = { 8945c4 33c9 66894db0 8945b2 } + $sequence_6 = { 56 8b35???????? 3bf0 7412 6a00 50 56 } + $sequence_7 = { 8d0440 8d04851c000000 3901 7312 6a7a 8901 } + $sequence_8 = { 68???????? 50 e8???????? 83c408 85c0 7513 68???????? } + $sequence_9 = { c745d801000000 eb10 8b5de0 8b75dc 8b7de4 c745d800000000 } condition: 7 of them and filesize < 294912 
@@ -142726,36 +143788,36 @@ rule MALPEDIA_Win_Conficker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2292bd3e-30fc-5fd2-b5f2-54da12682502" - date = "2026-01-05" - modified = "2026-01-06" + id = "f5ebe341-9b10-5ce9-bd1c-0a4c8341ef66" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.conficker_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.conficker_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "516f879a278afd371cf4391eda00f14d5a379f5084ac579457d7a12528cabf86" + logic_hash = "f274d7abbd8b45529c5a61dfb9a60c03c56b48af05817053d221cb95ba6b0b13" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 81f9a9fe0000 743b 8bce 81e1fffe0000 81f9c6120000 } - $sequence_1 = { 0fb6d3 8b5c9008 46 3b7510 891f 894c9008 } - $sequence_2 = { f2ae 61 7502 4a 4a 3c09 } - $sequence_3 = { ff15???????? 8945e4 8365fc00 85c0 7420 68???????? } - $sequence_4 = { 85c0 750a 2145fc c745f8b0ae6243 ff15???????? 
3345f8 } - $sequence_5 = { 743b 8bce 81e1fffe0000 81f9c6120000 } - $sequence_6 = { 894d08 8b0e 894c9808 02ca 8916 8b750c } - $sequence_7 = { 8955fc bfffffff7f 23d7 8945f0 8955f4 } - $sequence_8 = { 395df8 7507 c745fc01000000 57 } - $sequence_9 = { 81e1fffe0000 81f9c6120000 742b 8bce } + $sequence_0 = { 741e 3c08 7422 42 3c04 } + $sequence_1 = { 57 8b7c2414 33f6 85ff 7e18 ff15???????? 6a1a } + $sequence_2 = { 60 b067 f2ae 61 7509 80ea03 fec8 } + $sequence_3 = { e2f4 8bc2 c1e805 8b0483 8bca 83e11f } + $sequence_4 = { fec8 74c1 80c204 ebbc 663d0006 75b6 42 } + $sequence_5 = { 33ff 397d10 7e38 56 fec3 } + $sequence_6 = { ebbc 663d0006 75b6 42 ebb2 3c00 75ae } + $sequence_7 = { 4a 0f8968ffffff 5f 5e 5d c3 } + $sequence_8 = { be00000080 2175fc df6df8 8365f800 894dfc } + $sequence_9 = { 1907 8d7604 8d7f04 e2f4 } condition: 7 of them and filesize < 335872 
@@ -142765,36 +143827,36 @@ rule MALPEDIA_Win_Waterspout_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b586bd54-931a-56de-aa91-0c07bfde94ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "a79b4efb-da39-5f20-bd9b-fe533bfadaa3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.waterspout_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.waterspout_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "d8e2787076e89338cd714382e58eddd7d135aa9f7451f2a43ebcaaaa612febc9" + logic_hash = "5954a59154eda57d5dc5c820e0686ecc0875a821c4ee0c4304b80ad4914b4bc7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? 56 e8???????? 83c418 84c0 751e 6a01 } - $sequence_1 = { 56 8d4c2420 8802 ff15???????? bf???????? 83c9ff } - $sequence_2 = { 88442424 32c3 50 e8???????? 8a4c2420 8ad3 32d1 } - $sequence_3 = { 83fe01 f3aa 8a842470200000 884500 } - $sequence_4 = { 57 57 50 ff15???????? 
85c0 7540 8b0e } - $sequence_5 = { 83c408 8d4c2414 c744241430750000 6a04 51 } - $sequence_6 = { c68424870000008f c684248800000092 c68424890000009d c684248a00000038 c684248b000000f5 c684248c000000bc c684248d000000b6 } - $sequence_7 = { 8bb4240c200000 8d442410 6a00 50 6a00 6a00 6a00 } - $sequence_8 = { 8dbc24ac030000 f3ab 8d442410 8d4c2418 50 8b842490630000 51 } - $sequence_9 = { 33ff 3bdf 897d00 7403 53 ffd6 } + $sequence_0 = { c6842491000000ff c6842492000000f3 c6842493000000d2 c6842494000000cd c68424950000000c c684249600000013 } + $sequence_1 = { 885c2412 885c2413 be???????? bf08000000 bd34000000 8b46fc } + $sequence_2 = { ff15???????? 8bb4246c200000 3bc5 8906 751c a1???????? } + $sequence_3 = { 81fe00040000 77bf 8b442420 8b4c241c 8b542414 6a02 03f8 } + $sequence_4 = { be04000000 8a18 83c004 8819 41 4e } + $sequence_5 = { f3ab 8b420c 8b08 8b11 52 e8???????? 8bf8 } + $sequence_6 = { 33c0 be???????? f2ae 8b44240c f7d1 49 8db882000000 } + $sequence_7 = { 50 8d85fcfeffff 58 50 } + $sequence_8 = { 89442428 c1f808 88442413 8b02 2b44241c 83f801 7706 } + $sequence_9 = { 33c0 56 89442409 57 89442411 } condition: 7 of them and filesize < 98304 
@@ -142804,36 +143866,36 @@ rule MALPEDIA_Win_Farseer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a66e9913-f269-5edc-a360-d1e8d3201a95" - date = "2026-01-05" - modified = "2026-01-06" + id = "b9e1ec5a-207e-5b86-84a8-e5b1dcbfca41" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.farseer_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.farseer_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "a0cc6c15e80fbd6ad14902af9a89ab7d523ee3b95c547b4caf6b73d387698705" + logic_hash = "db9050c30c3124b27868db94d5a263797cad39a1a8e986e386ae1258226aec77" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b46f4 8b4804 c74431f49c064200 8b56fc 8b4204 c74430fc???????? 8b4ef4 } - $sequence_1 = { 8b4d0c 8bfb e8???????? 8b4c2414 8b3d???????? } - $sequence_2 = { 68???????? 8d4c2440 c74424580f000000 c744245400000000 c644244400 e8???????? } - $sequence_3 = { 8b7d14 8bc7 3bc7 7300 8bd7 83ff01 7205 } - $sequence_4 = { 51 c78424a000000002000000 e8???????? 68???????? 8d542450 52 } - $sequence_5 = { ffd5 85c0 7e2f 03f0 81fe00040000 7ce1 33c0 } - $sequence_6 = { 6a00 51 c684241409000000 e8???????? 83c40c 8dbc2408090000 } - $sequence_7 = { ff15???????? 
6804010000 8d54245a b901000000 52 } - $sequence_8 = { 8d048520634200 83e31f 8985e4efffff 8b00 c1e306 03c3 8a4824 } - $sequence_9 = { 64890d00000000 59 5f 5e 5d 5b 8b8c24a0020000 } + $sequence_0 = { 0f85ac000000 83bc24fc02000010 0f8206020000 8b9424e8020000 52 e9???????? 8bd8 } + $sequence_1 = { 0f8e60010000 8d7c2458 e8???????? 56 33c9 8d74243c 8d942490000000 } + $sequence_2 = { 53 50 889c2428030000 e8???????? 83c40c 6804010000 8d8c2420030000 } + $sequence_3 = { a1???????? 8d0c90 890d???????? b8???????? 5f } + $sequence_4 = { 83c404 8b44246c 33ff 85c0 0f86f9000000 b308 8d6f10 } + $sequence_5 = { 52 e8???????? 83c408 89442418 3bc5 0f850a020000 68c8000000 } + $sequence_6 = { 83f801 752b 8d4c2430 38842466010000 750f } + $sequence_7 = { 59 8945e0 85c0 7461 8d0cbd20634200 8901 8305????????20 } + $sequence_8 = { 8b9424cc000000 52 e8???????? 83c404 89bc24e0000000 89ac24dc000000 c68424cc00000000 } + $sequence_9 = { 3d00010000 7d10 8a8c181d010000 8888f84b4200 40 ebe6 } condition: 7 of them and filesize < 347328 @@ -142847,7 +143909,7 @@ rule MALPEDIA_Win_Sinowal_Auto : FILE date = "2026-01-05" modified = "2026-01-06" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sinowal_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sinowal_auto.yar#L1-L118" license_url = "N/A" logic_hash = "54091d4d3127abdf4debf8514f31e0539d3fa9d766e80cf864467b06870782b4" score = 75 
@@ -142882,36 +143944,36 @@ rule MALPEDIA_Win_Deputydog_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cfca8e79-f926-56a2-8c99-b5468ee055dd" - date = "2026-01-05" - modified = "2026-01-06" + id = "c30dcd67-a506-5def-9467-877b9060464c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.deputydog_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.deputydog_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "ed5d5b1067c36186826e4424b2a432496a63ccbe3c2d0e290408a4c31dcb8d3d" + logic_hash = "2864a4571f8945067ad9dd293d386798d176f315974be845e32b1eda5fe08ad3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c20c00 56 8bf1 6a04 ff74240c 8d4624 50 } - $sequence_1 = { ff15???????? 85c0 7424 8b45d8 8b55dc 6a14 } - $sequence_2 = { 8b7508 ff75f0 ff15???????? 57 6880000000 } - $sequence_3 = { 8b45f0 59 885dfc 59 8906 57 } - $sequence_4 = { c0e102 884dff eb35 83fa01 7511 8ac1 c0e804 } - $sequence_5 = { 6a14 59 e8???????? 8b55d4 6a14 8945e4 8b45d0 } - $sequence_6 = { 6a15 be???????? 59 bf???????? f3a5 8d8d74ffffff e8???????? } - $sequence_7 = { c645fc0a ff15???????? 8d8dccfeffff c645fc05 e8???????? 
8d45cc } - $sequence_8 = { 2bc8 c1f905 394df0 0f83e2000000 03c7 56 50 } - $sequence_9 = { 8808 eb53 83ff01 7518 8a0e } + $sequence_0 = { 5b 8bcb f7f1 8b4d0c 8d048504000000 } + $sequence_1 = { 56 8d4de0 c645fc05 ff15???????? 8d45d0 50 } + $sequence_2 = { 8bc8 e8???????? 8bf0 ff7514 8b06 834dfcff } + $sequence_3 = { 33c0 8dbd1ef9ffff f3ab 66ab 8d851cf9ffff 50 56 } + $sequence_4 = { 0f95c1 8d85ccfeffff 41 50 } + $sequence_5 = { 8d85a4fbffff 50 ffd6 8b4dfc 83c410 8d85a4fbffff 50 } + $sequence_6 = { 8d45ed 50 e8???????? 8d45e8 6a09 50 } + $sequence_7 = { 33c0 8dbdbafbffff f3ab 66ab 8d85b8fbffff 6804010000 } + $sequence_8 = { 32c0 e9???????? 57 bf???????? 6683bdd8fdffff2e 7448 f685acfdffff10 } + $sequence_9 = { 7575 6a2c e8???????? 59 894508 3bc6 8975fc } condition: 7 of them and filesize < 90112 
@@ -142921,41 +143983,41 @@ rule MALPEDIA_Win_Moontag_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cd77d4b0-0d98-5f5e-a57c-397ee34a65ee" - date = "2026-01-05" - modified = "2026-01-06" + id = "a29dbcf4-d3cd-56b7-84a6-7101c3b54311" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moontag" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moontag_auto.yar#L1-L168" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moontag_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "8b060f50d5b5253ee18a9ffafa5845b2d3ee94dd99bd63bfd885c3444be1c8ca" + logic_hash = "484ced89483984d52a45f1adfdfe4856f8950f05e6c0d6c06cf6f7db7aa5a27e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4833c4 4889842430040000 488bd9 498d7b10 e8???????? 48897c2428 } - $sequence_1 = { 4885d2 480f4415???????? 483b15???????? 480f4405???????? 488905???????? c3 4885c9 } - $sequence_2 = { 4881ec60010000 488b05???????? 4833c4 48894550 488d4c2440 } - $sequence_3 = { 4d8be6 482bea 4d2be7 4d3bf7 7343 } - $sequence_4 = { 48c74424680f000000 c644245000 483bd9 0f82c0010000 482bd9 49c7c0ffffffff 493bd8 } - $sequence_5 = { 4883c420 5f c3 488bca e8???????? 488bf8 4885c0 } - $sequence_6 = { 488b36 4885f6 758a e9???????? 
48837e3800 } - $sequence_7 = { c3 48833a00 7508 488b4208 49894008 } + $sequence_0 = { 7408 488d58ff 48895db8 4885f6 7407 } + $sequence_1 = { 4d85c0 7454 4885d2 744f 41f7401800020000 750f 498b4838 } + $sequence_2 = { 0f8396010000 4c8b4210 48ffc0 48894218 } + $sequence_3 = { 488bf2 488bf9 4885c9 0f8494000000 4885d2 0f848b000000 48895c2430 } + $sequence_4 = { 7708 0fb6c1 8d48c9 eb11 8d419f 3c05 0f87ef000000 } + $sequence_5 = { 81c7204e0000 833d????????00 758a b801000000 488b8c2430010000 4833cc e8???????? } + $sequence_6 = { 7f13 0f8cff040000 0fb744244c 3bc2 0f8cf2040000 33d2 } + $sequence_7 = { 493bc0 4c8b4718 4c0f42f8 4d3bfe } $sequence_8 = { 03c1 68???????? 50 ffd3 83c40c 85c0 } - $sequence_9 = { 033d???????? 837d8400 0f4e3d???????? 83c734 } + $sequence_9 = { 03c2 3bf8 0f838f010000 8b0d???????? } $sequence_10 = { 03c1 3bf8 0f42f8 33c9 8bc7 83c001 56 } - $sequence_11 = { 014e08 b801000000 5f 5e 5b 8b4c2458 } + $sequence_11 = { 033d???????? 837d8400 0f4e3d???????? 83c734 } $sequence_12 = { 03c1 50 898570ecffff 8d8574ecffff } - $sequence_13 = { 03c2 3bf8 0f838f010000 8b0d???????? } - $sequence_14 = { 03c1 8b0d???????? a3???????? 3bc1 } + $sequence_13 = { 03c1 8b0d???????? a3???????? 3bc1 } + $sequence_14 = { 014e08 b801000000 5f 5e 5b 8b4c2458 } $sequence_15 = { 03421c 03c6 3bc8 760c } condition: 
@@ -142966,49 +144028,49 @@ rule MALPEDIA_Win_Zeus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a7137ca7-f65f-570e-b179-06b94ad7a971" - date = "2026-01-05" - modified = "2026-01-06" + id = "9cff0bfd-9b06-576a-8e72-e4d85e4ecc7f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zeus_auto.yar#L1-L225" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zeus_auto.yar#L1-L222" license_url = "N/A" - logic_hash = "3d703221ad7e27ff4fc081759a0590d4715ffa458d7987388aee7eef0fc141ff" + logic_hash = "66e72d904644f02d2fc5f424827c224768e932373fac617050d2c0bc5f04cb35" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { eb58 833f00 7651 8b5f08 } - $sequence_1 = { 8d461c 50 8d45f0 50 e8???????? 6a10 8d460c } - $sequence_2 = { 8d461c 50 8d460c 50 e8???????? } - $sequence_3 = { 8d440810 8bc8 2bca 8b12 } - $sequence_4 = { 8d460c 8d4df0 e8???????? f7d8 1ac0 fec0 c9 } - $sequence_5 = { 85c0 7438 83600400 8918 8b4e08 } - $sequence_6 = { 8906 85ff 760c 8b550c } - $sequence_7 = { 83f801 7516 51 e8???????? } - $sequence_8 = { 8bf3 6810270000 ff35???????? ff15???????? } - $sequence_9 = { 891d???????? 891d???????? ffd6 68???????? 
} + $sequence_1 = { 885dff 53 53 6a03 } + $sequence_2 = { 83e900 741e 49 740c } + $sequence_3 = { 8b0d???????? 03c8 830904 8b0d???????? } + $sequence_4 = { 83e81c 50 8d461c 50 8d45f0 50 e8???????? } + $sequence_5 = { 8d4301 8d75fc e8???????? 8b75fc } + $sequence_6 = { ebd7 8b4514 85c0 7409 8338ff } + $sequence_7 = { 885dff 395d0c 7415 ff750c 53 683a040000 ff15???????? } + $sequence_8 = { 891d???????? 891d???????? ffd6 68???????? } + $sequence_9 = { 8bf3 6810270000 ff35???????? ff15???????? } $sequence_10 = { e8???????? 84c0 7442 6a10 } $sequence_11 = { 8d8db0fdffff e8???????? 8ad8 84db } $sequence_12 = { c20400 55 8bec f6451802 } - $sequence_13 = { ff15???????? 5e 8ac3 5b c20800 55 } - $sequence_14 = { b364 6a14 eb18 81fb5a5c4156 } - $sequence_15 = { 8d470c 50 c707000e0000 c7470809080002 e8???????? 83674200 6a78 } - $sequence_16 = { 3509080002 3d5c5b4550 740b 3d59495351 0f85ca000000 807b0420 0f85c0000000 } - $sequence_17 = { 0f873d020000 83fe06 0f86e3000000 8b03 3509080002 3d5c5b4550 740b } - $sequence_18 = { 68???????? 6809080002 8bc6 50 8d45fc } - $sequence_19 = { 56 68???????? ff750c 51 ff7508 ff15???????? 8bf8 } - $sequence_20 = { 8d75a8 b8d5000000 e8???????? 68e6010000 68???????? 6809080002 } - $sequence_21 = { 6813270000 6a04 5b 8bc6 c745f809080002 e8???????? 8ad8 } - $sequence_22 = { 807b0244 7429 83fe04 0f82ec000000 8b1b 81f309080002 } + $sequence_13 = { 5e 8ac3 5b c20800 55 8bec 83e4f8 } + $sequence_14 = { 894736 8d470c 50 c707000e0000 c7470809080002 e8???????? } + $sequence_15 = { b001 5b 8be5 5d c3 66833d????????00 56 } + $sequence_16 = { 0f84ac000000 b809080002 3945f4 7713 } + $sequence_17 = { 5b 8bc6 c745f809080002 e8???????? 8ad8 f6450c04 7473 } + $sequence_18 = { 68e6010000 68???????? 
6809080002 8bc6 50 8d45fc } + $sequence_19 = { 3d59495351 0f85ca000000 807b0420 0f85c0000000 33c0 } + $sequence_20 = { 740c 81fb45415356 0f85b2000000 b365 6a15 } + $sequence_21 = { 2501000080 7905 48 83c8fe 40 ff75f4 f7d8 } + $sequence_22 = { 81fb5d515047 7410 81fb4f4d4156 7408 81fb59495354 7506 } condition: 7 of them and filesize < 319488 
@@ -143018,36 +144080,36 @@ rule MALPEDIA_Win_Spaceship_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9646ae9-48ad-52ca-8e30-ca37f230b031" - date = "2026-01-05" - modified = "2026-01-06" + id = "564fde1c-48da-5ed5-9400-223c89b4213c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.spaceship_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.spaceship_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "918a94f75a146e2a40061812363f222c7587d1698068cc2f3629d9e72d72f097" + logic_hash = "2373253bd0b09a3a88f0a619a8d16cf72800c2135bc0b5d4189a7d469dd5a3b9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 68???????? f2ae 8bcb 4f c1e902 f3a5 8bcb } - $sequence_1 = { 66395cc416 f3a4 74c1 81e2ffff0000 83c9ff 03d0 33c0 } - $sequence_2 = { 66c78424bc0100000d00 66898424be010000 c78424c00100001c6b4100 66c78424c40100002500 } - $sequence_3 = { 8bcb 83e103 f3a4 83c9ff bf???????? f2ae f7d1 } - $sequence_4 = { f2ae 8bcb 4f c1e902 f3a5 8b45f0 } - $sequence_5 = { 80a0c0d9410000 40 3bc6 72be 5e c9 c3 } - $sequence_6 = { 6a00 6810040000 ff15???????? 
8bf0 56 ffd5 } - $sequence_7 = { 66899c24e6040000 c78424e80400001c674100 66c78424ec0400004a00 66899c24ee040000 c78424f004000014674100 66c78424f40400001e00 66899c24f6040000 } - $sequence_8 = { 8a441c0c 8d741c0c 84c0 75bc 5f 5e } - $sequence_9 = { c7842408050000f8664100 66c784240c0500002000 6689ac240e050000 c7842410050000f0664100 66899c2414050000 6689842416050000 c7842418050000e4664100 } + $sequence_0 = { 46 eb0f 0fb6d2 f682c1da410004 7403 40 ff01 } + $sequence_1 = { 895dfc c1e604 aa 8d9e68764100 803b00 8bcb } + $sequence_2 = { 51 47 e8???????? 83c404 83f843 7c16 } + $sequence_3 = { 85c0 7576 8bfd 83c9ff f2ae f7d1 2bf9 } + $sequence_4 = { 8d6c241c c1e902 f3a5 8bc8 } + $sequence_5 = { 807c24602e 0f8473010000 8d7c2460 83c9ff } + $sequence_6 = { 6a19 68???????? e8???????? 6a10 68???????? } + $sequence_7 = { c7842488010000786b4100 66c784248c0100000700 668984248e010000 c7842490010000686b4100 66c78424940100000800 6689842496010000 c78424980100005c6b4100 } + $sequence_8 = { 8d442404 57 50 68???????? c744241000010000 ff15???????? } + $sequence_9 = { 8bcb 83e103 f3a4 8dbc24ec000000 83c9ff f2ae } condition: 7 of them and filesize < 262144 
@@ -143057,36 +144119,36 @@ rule MALPEDIA_Win_Bernhardpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "252fe43d-34d2-5ba3-916c-e631fcda4c17" - date = "2026-01-05" - modified = "2026-01-06" + id = "73619bab-eb2e-58bd-b80e-9b55f0bc14d1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bernhardpos_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bernhardpos_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "a85fc3a62e77b7c1681166d26b96a4f5d23c2afe6eddbdde5dc49efbc64461ae" + logic_hash = "2f13c921af91c79ccbd30a2cdd5ffa742762642d6c7b9bd20077ad70bdffc8bf" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4508 50 ff15???????? 8945fc c745f800000000 c745f400000000 } - $sequence_1 = { 884a02 6a01 ff15???????? 8b8d58feffff } - $sequence_2 = { 50 8d8dc8fbffff 51 ff15???????? 
6a00 } - $sequence_3 = { 8bec 81ec84040000 53 56 57 6a04 } - $sequence_4 = { 85c0 0f8488010000 8b45fc 8b4844 51 } - $sequence_5 = { 8d8550feffff 50 8d8d5cfeffff 51 6a00 } - $sequence_6 = { 8b4dec c1e108 0345e8 03c8 } - $sequence_7 = { 8b45e4 c1e806 83e03f 8b4d0c 034df4 } + $sequence_0 = { c1e806 83e03f 8b4d0c 034df4 8a9020544100 } + $sequence_1 = { 8b4d08 03483c 894df4 b808000000 } + $sequence_2 = { e8???????? 83c404 8d85c4feffff 50 ff15???????? } + $sequence_3 = { 8d45d8 50 ff15???????? a3???????? 8d45d8 50 e8???????? } + $sequence_4 = { ff15???????? 81bdccfdffffd8010000 0f85d2000000 6a40 8d45a8 } + $sequence_5 = { 8bec 83ec48 53 56 57 c745fc00000000 c745f800000000 } + $sequence_6 = { 83e863 5f 5e 5b } + $sequence_7 = { 50 6a04 6a40 b904000000 } $sequence_8 = { e8???????? a3???????? 68a86b4aa0 a1???????? 50 e8???????? } - $sequence_9 = { e8???????? a3???????? 684f5b51f2 a1???????? 50 e8???????? a3???????? } + $sequence_9 = { b801000000 6bc800 81c1???????? 898d58feffff 6a65 ff15???????? 8b8d58feffff } condition: 7 of them and filesize < 368640 
@@ -143096,36 +144158,36 @@ rule MALPEDIA_Win_Tor_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3efe54eb-a7c6-56b3-9bd1-ec8766a85b3b" - date = "2026-01-05" - modified = "2026-01-06" + id = "f571352d-fc66-5a66-ba46-fe3c570d3248" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tor_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tor_loader_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tor_loader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "9c749aa4d74905eff81845b43499929e58555479c62182eca79940824f3864ac" + logic_hash = "c2d848c7e05d939cb93f16e650363df5751636d1df031ac1756188062f0ee650" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 90 eb25 4839c8 0f831a030000 4c8d5001 4c39d1 0f8602030000 } - $sequence_1 = { bf03000000 488d358e732800 e8???????? 0fb6542447 488b7c2460 4c8b442458 4889c6 } - $sequence_2 = { eb0f 488b442438 c6808800000001 4889c7 ba01000000 e9???????? 81fa2251f4eb } - $sequence_3 = { 7659 488b842428010000 488b9c2430010000 488b9424f0000000 488b0a 488b7a08 488b7210 } - $sequence_4 = { eb29 4889d3 4889c1 4889f0 e8???????? 
488b542448 488bb424d0000000 } - $sequence_5 = { ebd4 833d????????00 750d 48c705????????00000000 eb0e 488d3dfc515b00 31c9 } - $sequence_6 = { eb23 488d056b4d6100 31db 488b6c2410 4883c418 c3 0fb75052 } - $sequence_7 = { eb09 4889c7 90 e8???????? 488d0554112200 488b5c2428 488d0d86392700 } - $sequence_8 = { 48c7400813000000 488d0deaf90a00 488908 488b4c2410 48894810 4889c3 488d05ad3e0500 } - $sequence_9 = { bf04000000 e8???????? 6690 4883fb01 7509 80382d 7504 } + $sequence_0 = { e8???????? 488d05943d2200 488b5c2438 488d0dc4b92700 bf12000000 0f1f00 e8???????? } + $sequence_1 = { e8???????? 488b4c2478 4889c8 0f1f00 e8???????? 488b6c2468 4883c470 } + $sequence_2 = { eb20 4889c7 488d059d9a1500 e8???????? 488d3d3c073c00 488b442420 e8???????? } + $sequence_3 = { eba7 0fb64c2413 84c9 0f94c0 eb9b e8???????? 488d058c4d2c00 } + $sequence_4 = { e8???????? 4889c1 488d05b1323200 440f11bc24a0000000 4889842490000000 48898c2498000000 0fb674242f } + $sequence_5 = { 833d????????00 7519 488b9424e8000000 48895068 488b942400010000 4885d2 eb1f } + $sequence_6 = { eb05 e8???????? 488d055ece0700 e8???????? 48c7400802000000 48c78424c003000002000000 48c78424c803000002000000 } + $sequence_7 = { eb4c 4c8ba424f8000000 4d89e5 4d89fc 4c8bbc2488000000 4c89a42490000000 4d85e4 } + $sequence_8 = { eb10 4889c7 488b9424c8000000 e8???????? 31db 488d0d830a2100 4889c7 } + $sequence_9 = { 8b44242c e8???????? 488d0df2910d00 48894c2470 4889442478 488b4c2430 0f1f00 } condition: 7 of them and filesize < 13050880 
@@ -143135,36 +144197,36 @@ rule MALPEDIA_Win_Darkmegi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e022205f-532d-5998-8adc-7461a155f6b2" - date = "2026-01-05" - modified = "2026-01-06" + id = "16948d4e-0905-5953-bba2-03b9cf86640e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkmegi_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkmegi_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "186562bccca029dc0a54ad2573032322c99b928af1a23f4cf752d54c2cfd880f" + logic_hash = "89c060c560a9e4be803246e0865acc99796bfbee031faaea9ee388f598eb37b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33f6 6804010000 50 56 ff15???????? 8d8c2488090000 } - $sequence_1 = { 3bd9 7cd2 8806 5f 5e 5d 5b } - $sequence_2 = { 57 8b7c2414 57 e8???????? 8b542414 83c404 8d4c2408 } - $sequence_3 = { 8d0440 8b8c8420010000 c6040a00 8b442410 } + $sequence_0 = { 6a03 6a00 6a00 8d542478 6800000080 } + $sequence_1 = { 5d 33c0 5b 81c474100000 c3 55 8b2d???????? } + $sequence_2 = { 52 e8???????? 83c404 8bd8 85f6 7426 8b35???????? 
} + $sequence_3 = { 7425 0fb6d2 f6820196b40204 740c } $sequence_4 = { f2ae 8bcd 4f c1e902 f3a5 8b842464020000 } - $sequence_5 = { 85c0 0f849f000000 8dbc246c020000 83c9ff 33c0 } - $sequence_6 = { 8d04c0 8b0c8d40a7b402 f644810401 8d0481 7403 8b00 } - $sequence_7 = { 5d 5b c3 8b542414 5f 5e 5d } - $sequence_8 = { 8bac24a8020000 53 66ab aa } - $sequence_9 = { 3bf8 0f8d43010000 8d4c2414 8d942498030000 51 } + $sequence_5 = { 0f8c74ffffff 5f 5e 8bc3 5d } + $sequence_6 = { b941000000 33c0 8d7c2414 5b f3ab 837c240c05 7556 } + $sequence_7 = { f7d1 2bf9 c644246300 8bf7 8be9 8bfa } + $sequence_8 = { 6a00 ff15???????? 8bf0 ff15???????? 3db7000000 7517 } + $sequence_9 = { 66899c247c060000 f3ab 85d2 66ab 0f8ea1010000 53 8d442448 } condition: 7 of them and filesize < 90304 
@@ -143174,36 +144236,36 @@ rule MALPEDIA_Win_Unidentified_044_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "34c20231-5d6b-58d1-a551-535378ccd58f" - date = "2026-01-05" - modified = "2026-01-06" + id = "c99625f4-50c0-5adb-b7ce-8529cdc0b158" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_044_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_044_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "73cc874ec97680c4006726eab010d16567bb76aa0c2f93b41df5ce3208d81ea0" + logic_hash = "51fe65afa9e739138bbb0b3d76fe184881b1f0bf50e4b1db118721c4d219c2ba" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd6 a1???????? 85c0 75e2 5e c3 a1???????? } - $sequence_1 = { 660bfb 66897c0102 8b4c2410 49 894c2410 85c9 } - $sequence_2 = { 8d8570feffff 50 6802020000 891d???????? } - $sequence_3 = { 83f801 0f85fd000000 8b542418 8d4c2424 } - $sequence_4 = { 803d????????00 5f 740d 8b0d???????? 51 } - $sequence_5 = { 8b442414 52 50 55 83c8ff } - $sequence_6 = { a3???????? 7e0d 6a00 68???????? ff15???????? } - $sequence_7 = { 50 ffd7 85c0 7544 8b2d???????? 8b1d???????? 90 } - $sequence_8 = { 66c1c208 50 6689542426 ff15???????? 
8bf8 83ffff } - $sequence_9 = { 55 e8???????? 83c40c 84c0 74a0 8a442413 } + $sequence_0 = { 6a01 8d4c2416 51 55 e8???????? 83c40c } + $sequence_1 = { c744242800000000 c744242c01000000 897c2430 ff15???????? 83f801 7533 6a00 } + $sequence_2 = { 85c0 7407 83c8ff 83c420 c3 } + $sequence_3 = { 03c0 51 e8???????? 83c404 5f 5e 5d } + $sequence_4 = { be01000000 50 89742420 ffd5 01742414 } + $sequence_5 = { e8???????? eb0a 3c04 7509 56 e8???????? 83c404 } + $sequence_6 = { be01000000 7512 8b4704 8b480c 6aff 51 } + $sequence_7 = { 81e5ffff0000 2bd5 8b6c241c 2bd3 } + $sequence_8 = { 660137 ff4c2418 4a 83ef02 89542410 } + $sequence_9 = { 83c404 e8???????? e8???????? 53 e8???????? 83c404 } condition: 7 of them and filesize < 90112 
@@ -143213,56 +144275,57 @@ rule MALPEDIA_Win_Cryptbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c80588a6-d143-5e79-9f26-778ded8c5ced" - date = "2026-01-05" - modified = "2026-01-06" + id = "9f454949-4119-5d54-89a8-d6d06774000f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.cryptbot_auto.yar#L1-L256" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.cryptbot_auto.yar#L1-L268" license_url = "N/A" - logic_hash = "a7dadf34e757866bd3311ff7a46036d085711fdb75a64818e7cbce0bd5b48b23" + logic_hash = "cc8457aa1a1b960f17f2261fdfd7a0ee15b56bbe03933482c6401c550f37f6a5" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 33c0 85ed 0f94c0 8be8 } - $sequence_1 = { 760f b990ec0000 e8???????? e9???????? } - $sequence_2 = { e9???????? b949dc0000 e9???????? b944dc0000 e9???????? b964dc0000 } - $sequence_3 = { 7f0a 83fd1e 7f05 83ff13 } - $sequence_4 = { eb0c b99fed0000 e8???????? 8907 } - $sequence_5 = { 33c0 eb0a b917d90000 e8???????? } - $sequence_6 = { 7511 b9d7d80000 e8???????? 8907 } - $sequence_7 = { 750f b955960100 e8???????? e9???????? } - $sequence_8 = { 7414 3c7a 7508 8b4610 803874 7408 41 } - $sequence_9 = { 83caff 8bcf e8???????? 
83caff } - $sequence_10 = { 7419 8b542408 83fa01 7c10 0fbf4846 } - $sequence_11 = { 744e 0fb74802 83e103 3bcb } - $sequence_12 = { 7508 85f6 7404 c6464101 5e c3 } - $sequence_13 = { 1ac9 2403 80e110 8ad1 3c02 7509 } - $sequence_14 = { 7505 89410c 8bc1 ffb42484000000 } - $sequence_15 = { 85c0 742c 8bd6 8bcb } - $sequence_16 = { e8???????? 8b5720 8bce e8???????? 8b5724 } - $sequence_17 = { 8b4d34 894c245c dd85b8fbffff dd5c2454 } - $sequence_18 = { 014710 83571400 83c301 8bbe4c010000 8355fc00 } - $sequence_19 = { 8b4d18 8901 895104 e9???????? } - $sequence_20 = { 015e58 8bd7 8b4e60 83565c00 } - $sequence_21 = { 015f28 8bc2 13472c 89472c } - $sequence_22 = { 8b4d14 898d38ffffff 8b8580000000 898534ffffff } - $sequence_23 = { 8b4d20 894c2468 8b4d5c 894c2464 } - $sequence_24 = { 8b4d18 8b09 81c1fc030000 8b448808 } - $sequence_25 = { 014e10 134614 837de000 894614 } - $sequence_26 = { 8b4d24 894c247c dd85b0fbffff dd5c2474 } - $sequence_27 = { 8b4d28 898d30ffffff 8b958c000000 89952cffffff } - $sequence_28 = { 018330af0100 8b45d8 85c0 7416 } - $sequence_29 = { 8b4d18 8b09 83c101 81c1fc030000 } + $sequence_1 = { e8???????? 85c0 750f b955960100 e8???????? e9???????? } + $sequence_2 = { e8???????? 84c0 7514 b800000002 } + $sequence_3 = { e9???????? b944dc0000 e9???????? b964dc0000 e9???????? b95ddc0000 } + $sequence_4 = { 33c0 eb0a b917d90000 e8???????? } + $sequence_5 = { e8???????? 85c0 750c b961030200 e8???????? } + $sequence_6 = { e8???????? 85c0 750e b9ca070200 } + $sequence_7 = { eb0c b99fed0000 e8???????? 8907 } + $sequence_8 = { 7424 807e4100 7404 33c0 5e c3 } + $sequence_9 = { 7414 3c7a 7508 8b4610 803874 } + $sequence_10 = { 1ac9 2403 80e110 8ad1 3c02 7509 } + $sequence_11 = { 7422 8b4d00 8bd3 6a00 } + $sequence_12 = { 744e 0fb74802 83e103 3bcb } + $sequence_13 = { 7419 8b4218 3b4114 7211 } + $sequence_14 = { 83caff 8bcf e8???????? 
83caff } + $sequence_15 = { 750d 83bed000000000 7504 c6461005 8bc7 5f } + $sequence_16 = { 85c0 742c 8bd6 8bcb } + $sequence_17 = { 8b5720 8bce e8???????? 8b5724 8bce } + $sequence_18 = { 8b959cfeffff 8b85acfeffff 33c9 3808 } + $sequence_19 = { 8b4d08 8b4910 8b19 89542404 } + $sequence_20 = { 8b4d08 8b09 83c002 83d200 } + $sequence_21 = { 8b958cfeffff 2bc2 8bb5a0feffff 03f0 } + $sequence_22 = { 8b4d08 8b09 01f0 11fa 894178 } + $sequence_23 = { 8b95a0feffff 6a00 6a00 8b08 } + $sequence_24 = { 8b94b1f80f0000 8b45f4 8b7df8 0fb700 0fb73c97 663bc7 7232 } + $sequence_25 = { 8b4d08 8b09 8b09 8b09 } + $sequence_26 = { 8b4d08 8b09 8b896caf0600 8b9274af0600 } + $sequence_27 = { 8b4d08 8b09 8901 c745e41b000000 } + $sequence_28 = { 8b4d08 8b09 81c3fc030000 8b549a08 } + $sequence_29 = { 8b4d08 8b4914 8b19 8954240c } + $sequence_30 = { 8b959cfeffff 8bca 85d2 742a } condition: 7 of them and filesize < 17138688 
@@ -143272,36 +144335,36 @@ rule MALPEDIA_Win_Lowkey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3f77a0d8-5e74-59a7-b36b-5b8da053f1d8" - date = "2026-01-05" - modified = "2026-01-06" + id = "19e3bfd0-ab29-5930-b477-5c09b57297cd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lowkey_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lowkey_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "d5431f0409ef1f2ee256c5cdc4b5f0e543f06b3c2bf47f27531adb7ea173b9db" + logic_hash = "5ef5eed822dc0e0f85f64576919804edb4b07959e4592eb6f0f337b8d69b0b0a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8bf2 488d8d70010000 33d2 41b800020000 e8???????? } - $sequence_1 = { 83bb7004000002 0f848d010000 83cfff 488d2db7310100 83635000 83632c00 e9???????? } - $sequence_2 = { 498bc2 458bf1 48c1f806 488d0df41e0300 4183e23f 4d03f0 } - $sequence_3 = { 3b15???????? 7350 488bca 4c8d05c9230300 83e13f 488bc2 } - $sequence_4 = { 48898424d0000000 4533c0 488b4708 488bd5 48898424e0000000 } - $sequence_5 = { 488b0d???????? 488b5210 488b8900040000 ff15???????? 488b15???????? 4533c0 } - $sequence_6 = { 85c0 0f94c3 8bc3 488b4c2478 } - $sequence_7 = { 33d2 488bc8 ff15???????? 
488d1556260200 } - $sequence_8 = { 488bcf e8???????? 488d4df7 e8???????? 488d155cfd0100 488d4df7 e8???????? } - $sequence_9 = { 488d15c10d0200 4533c0 48895c2420 488b01 ff5020 488b4c2450 4c8d4de8 } + $sequence_0 = { f20f114c2430 4533c9 41b800080000 488d542450 660f73da08 } + $sequence_1 = { 747e 488b05???????? 4823c2 483b05???????? 756b 488d0574490100 48c74424580f000000 } + $sequence_2 = { 4c8d4c2428 48895c2420 448d4308 895c2428 488d542420 488bcf ff15???????? } + $sequence_3 = { 48895c2458 ff15???????? 48895c2440 4533c9 895c2438 4533c0 } + $sequence_4 = { 488d45e8 48894de8 488945f0 488d15689d0000 } + $sequence_5 = { 4c8d442450 4088740450 488d542438 66896c243d 89442440 e8???????? } + $sequence_6 = { 4c63c7 e8???????? 017e20 8b4620 39461c 0f94c0 884609 } + $sequence_7 = { 488bc2 488bf1 33db bd01000000 48895c2430 4533c9 } + $sequence_8 = { ff15???????? 488b4c2478 ff15???????? 90 33c0 e9???????? 48897c2438 } + $sequence_9 = { 488d4c2470 e8???????? 83caff 488bcb ff15???????? eb17 b866000000 } condition: 7 of them and filesize < 643072 
@@ -143311,75 +144374,75 @@ rule MALPEDIA_Win_Mystic_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ff6d02a5-11a9-5b9c-bc25-58f6a66b5d47" - date = "2026-01-05" - modified = "2026-01-06" + id = "669e0d29-c98f-59de-8cf5-902f29ae3a52" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mystic_stealer_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mystic_stealer_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "ec33f5bc78df8bf32bd1dfa20b10a2a5389598f3b75f6130cffa6e3d8120ea9d" + logic_hash = "21ec795eb8ab4014e3a067a382badfa4fd3bac788790ebafb7beb557561dc9fc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7509 3bef 7505 33db 43 eb02 33db } - $sequence_1 = { 741f 8b0e 50 8b510c e8???????? 8b06 59 } - $sequence_2 = { 3b5c242c 7f59 66ff84463c0b0000 33c9 } - $sequence_3 = { e8???????? 83bd5014000002 59 59 } - $sequence_4 = { 8bc2 41 3bca 8b542418 0f4ec1 8b4c2414 89442430 } - $sequence_5 = { 8bcf c7460471000000 e8???????? 33c9 394e14 } - $sequence_6 = { 5b e9???????? a1???????? 8bcf c746049a020000 894718 e8???????? 
} - $sequence_7 = { 3bca 7420 0fb7449d02 8bca } - $sequence_8 = { 80ea03 c6040101 8b8ea0160000 8b8698160000 41 898ea0160000 c6040100 } - $sequence_9 = { 57 ffb42444010000 ffb4244c010000 50 } + $sequence_0 = { c7460445000000 8b4e04 8d6e1c 83f945 } + $sequence_1 = { 234754 83bfb416000000 894748 7452 8b4738 8b4f58 } + $sequence_2 = { 668bc7 66d3e0 660bc5 0fb7c8 } + $sequence_3 = { 8b4c241c 83c40c 8b4500 034e14 894e14 } + $sequence_4 = { 8d040a 0fb78fb8160000 660bf1 0fb7ce } + $sequence_5 = { 8386bc160000f3 b110 2ac8 66d3ef 0fb7c7 } + $sequence_6 = { 80ea03 c6040101 8b8ea0160000 8b8698160000 41 898ea0160000 c6040100 } + $sequence_7 = { 59 59 ffd0 8be8 } + $sequence_8 = { 898550140000 898c855c0b0000 33c0 40 6689048b c684295814000000 ff8da8160000 } + $sequence_9 = { 33db 668987b8160000 85ed 0f8ea0000000 } condition: - 7 of them and filesize < 465920 + 7 of them and filesize < 512000 } rule MALPEDIA_Win_Netkey_Auto : FILE { meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d0a2d0e1-28d1-5f88-b1cb-dda359954bd2" - date = "2026-01-05" - modified = "2026-01-06" + id = "cebad505-70c0-5a27-bc92-bc043fe74d2b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.netkey_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.netkey_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "daf69a83c7310935a12c421c94563aee301c2dd28fd19c71dd25e72dc29acd85" + logic_hash = "28c40c311262c3777ed829896914bd7c91f10e0be298652d07d4d78191bd69e1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = 
"19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bca 0fa4c103 c1e003 03f0 13d1 0fa4f202 c1e602 } - $sequence_1 = { 786d 8b4d08 8bd6 e8???????? 85c0 } - $sequence_2 = { 83fa03 7511 8b45fc 8b0c85a8214400 8a06 } - $sequence_3 = { 83c40c 8d85f0dfffff 6800080000 50 6a00 56 ff15???????? } - $sequence_4 = { 83e10f eb02 33c9 8b450c 0fb684c8b02e4300 c1e804 } - $sequence_5 = { 05b0407c05 3146e8 8b4714 059ea0eb01 3146ec 8b4718 05???????? } - $sequence_6 = { 8b95b4efffff 46 8985f8efffff 8bc2 c1e802 40 3bf0 } - $sequence_7 = { e8???????? 51 e8???????? a3???????? 85c0 7974 } - $sequence_8 = { 8bc1 c1f806 83e13f 6bc930 8b0485a8214400 80640828fe ff36 } - $sequence_9 = { 3a4801 751c 83c702 83c002 84c9 75e4 } + $sequence_0 = { 85c0 0f94c3 8d1c5dffffffff eb03 83cbff 8b45ec 83f810 } + $sequence_1 = { 56 8b7508 81c1f0000000 6aff } + $sequence_2 = { 6a3a 8d4de0 660fd645e0 e8???????? 83c404 c645fc01 b8abaaaa2a } + $sequence_3 = { 8bec 836d0801 7414 8b0d???????? 6a00 e8???????? 83c404 } + $sequence_4 = { ff15???????? 85c0 0f84ae010000 68???????? 50 ff15???????? 8d8da0fdffff } + $sequence_5 = { e8???????? 8bd0 52 e8???????? 83c404 c745f00f000000 c745ec00000000 } + $sequence_6 = { 8b4708 8d7620 05d8a16e00 3146e0 8b470c 0555fcc002 } + $sequence_7 = { 8bce e8???????? 85c0 7855 660f1f440000 8b7f04 } + $sequence_8 = { 8d4d90 e8???????? 68???????? 8bd0 c645fc07 8d4da8 e8???????? } + $sequence_9 = { 6a40 6800300000 ff7350 ff7334 ff36 ff15???????? 898524fdffff } condition: 7 of them and filesize < 606208 
@@ -143389,36 +144452,36 @@ rule MALPEDIA_Win_Rofin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9b1467e-a51a-5bb8-8a94-4fccc519267e" - date = "2026-01-05" - modified = "2026-01-06" + id = "33bca745-2a20-5890-99dc-d81f3ede61d8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rofin_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rofin_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "d75f02a0b301194d004b242ba71e57b27fdd5fa1479d807d198f353683f5f00e" + logic_hash = "52f7ad6a2c04eb909346f30aee37ae4da04aafeb64b6808a3f4b4d476715f4ff" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83f804 753f 8b11 8a02 3c30 7507 8b5108 } - $sequence_1 = { 837c241801 7407 33db e9???????? 6a00 6a00 56 } - $sequence_2 = { 56 57 8b7c2414 33c0 33f6 85ff } - $sequence_3 = { e8???????? 8bf0 83c404 803e00 7453 6a0a } - $sequence_4 = { 8a4802 84c9 743f 8a4801 84c9 750e 8a4802 } - $sequence_5 = { 56 3b0d???????? 57 7358 8bc1 c1f805 8d3c85209e4200 } - $sequence_6 = { 45 f2ae 8b442410 f7d1 2bf9 83c00d 8bd1 } - $sequence_7 = { 89b42434010000 c744242800000000 ff15???????? 8d4c2418 51 56 e8???????? } - $sequence_8 = { 59 c3 8b8d90fcffff e9???????? 8b8d90fcffff 81c168030000 e9???????? 
} - $sequence_9 = { 8b442424 6a40 68???????? 50 e8???????? 83c41c 5f } + $sequence_0 = { ffd5 85c0 740e 837c241801 7407 33db e9???????? } + $sequence_1 = { f3ab 53 8d442410 6a25 50 53 } + $sequence_2 = { f2ae f7d1 2bf9 8944241c 89442420 8d542424 } + $sequence_3 = { 81e1ff000000 83c920 eb0c 8b742414 8bce 81e1ff000000 } + $sequence_4 = { 8b442414 85c0 0f845a010000 b9ff000000 33c0 8dbc2491000000 } + $sequence_5 = { 0f841a090000 ff15???????? 8b942404090000 8b4c2478 52 66c78424880000000200 898c248c000000 } + $sequence_6 = { 8a442407 895a18 895a1c 895a20 884a24 8a4c2407 55 } + $sequence_7 = { e8???????? f7d8 1bc0 f7d8 89442444 68???????? 8d8c2498000000 } + $sequence_8 = { e8???????? eb73 bf???????? 83c9ff 33c0 f2ae f7d1 } + $sequence_9 = { ff15???????? 2b442424 3d30750000 770e 3bf5 0f855bfbffff eb04 } condition: 7 of them and filesize < 409600 
@@ -143428,36 +144491,36 @@ rule MALPEDIA_Win_Funny_Dream_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7c5b8541-25d5-552c-920a-b086563867d9" - date = "2026-01-05" - modified = "2026-01-06" + id = "c095950e-5e09-5242-9d6f-90b3e1d697b6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.funny_dream_auto.yar#L1-L123" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.funny_dream_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "d6d8f879d884c791eab9cf877f711b463f1b8fd3433301e06ffb4b2f059a3774" + logic_hash = "993ea95e4e85b2130f6eebbb9c3dd0eae5b28bc29094cd689248b844bcefa621" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8bd8 c745f025735c2a 56 8d45f0 } - $sequence_1 = { 8d7f01 88443bff 84c0 75f3 8b4df8 } - $sequence_2 = { 50 8d4701 c785e0f5ffff0a000000 50 } - $sequence_3 = { 50 e8???????? 68ff010000 8d85fdfdffff 6a00 } - $sequence_4 = { f3a4 50 e8???????? 8b742414 83c408 85c0 748d } - $sequence_5 = { 83bdacfeffff00 744b 8d85a0feffff c785a0feffff00010000 50 ffb59cfeffff } - $sequence_6 = { 57 8bf9 6a00 8db750100000 56 ff15???????? 85c0 } - $sequence_7 = { 56 8b7508 57 8b3d???????? 6aff ff7608 ffd7 } - $sequence_8 = { 53 8a4810 8d4602 50 884e01 e8???????? 
8b4508 } - $sequence_9 = { 0f118424e0000000 0f10842458010000 0f118424f0000000 e8???????? 898424c8000000 8b4508 } + $sequence_0 = { 6a00 ff7724 ff15???????? 8b4714 8b35???????? 85c0 } + $sequence_1 = { 0fb6c9 ba01000000 0f44ca 898df4f9ffff 8d85f8f9ffff c785f8f9ffff00000000 } + $sequence_2 = { ff15???????? 85c0 7513 68???????? ff15???????? 85c0 0f84a5000000 } + $sequence_3 = { ff15???????? 85c0 747e 8b9df8fdffff 8d4304 } + $sequence_4 = { ffb5b4feffff ffd7 5f 5e b001 5b 8b4dfc } + $sequence_5 = { 8bce 85c0 741e 83c009 50 57 e8???????? } + $sequence_6 = { 8bf2 50 0f1184242c010000 8d84242c010000 0f2805???????? 50 0f11842420010000 } + $sequence_7 = { ffb5a0fdffff ffd3 ffb594fdffff ff15???????? } + $sequence_8 = { 8db5d0fdffff 2410 8d4e01 88041f 47 6690 8a06 } + $sequence_9 = { 8d95f9f7ffff 668985f2f7ffff c785f4f7ffff00000001 8bce 2bd6 } condition: 7 of them and filesize < 393216 
@@ -143467,36 +144530,36 @@ rule MALPEDIA_Win_Kiwistealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7bc76ddb-b6a4-53dd-88a7-f41bc1cc2494" - date = "2026-01-05" - modified = "2026-01-06" + id = "03031c87-ec9e-548f-8440-76f03c3e7c2a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kiwistealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kiwistealer_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kiwistealer_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "27341d3fac694e410d992d38e84f32a2cf2b6688bb4c9bbb3f17b7cb4866a5bf" + logic_hash = "f883b5c67ed6c65669f99076aeae0c368f0044861db0cb06fafc1de5c8e39db3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4585c9 7462 4183e901 740f 4183f901 0f85d6000000 } - $sequence_1 = { 4885c0 740e 488d7027 4883e6e0 488946f8 eb14 ff15???????? } - $sequence_2 = { 488b05???????? 4885c9 480f45c1 483b05???????? 747e 4c8bc6 488d542470 } - $sequence_3 = { 0f118424b0020000 0f104810 0f118c24c0020000 4c896010 48c740180f000000 c60000 4c8d8c2458030000 } - $sequence_4 = { e9???????? 4983c5c0 4c896c2428 493bdc 0f85bc000000 4983ee40 4c89742420 } - $sequence_5 = { e8???????? 43c6042e00 4533f6 488d45d8 48837df010 480f4345d8 4c89742438 } - $sequence_6 = { 488b05???????? 488905???????? 
488d0d3d110200 e8???????? 8bc8 486bc10b 83f803 } - $sequence_7 = { 0f118590000000 418d4c2440 e8???????? 488bd8 4889442428 33d2 488bc8 } - $sequence_8 = { 41c70005000000 49894008 498bc0 41c6400401 c3 8bca 81e9d4040000 } - $sequence_9 = { 4883ec70 488bf9 4533f6 44897098 488d2db0920000 488968a0 0f57c0 } + $sequence_0 = { e8???????? 4885c0 751f 488b442460 48634804 488d442460 4803c8 } + $sequence_1 = { 744b 4c8bcb 48837b1808 7203 4c8b0b 488b5310 488b4618 } + $sequence_2 = { 663bd5 7509 410fb7c7 e9???????? 488b4140 488b38 488b4158 } + $sequence_3 = { 488d15ec550100 488d8c2498030000 e8???????? 90 4c8d842498030000 488d942460080000 488d8c2430060000 } + $sequence_4 = { c3 488d0541da0100 41c70074000000 49894008 498bc0 41c6400401 c3 } + $sequence_5 = { 4883f81f 7607 ff15???????? cc e8???????? 660f6f05???????? f30f7f842420020000 } + $sequence_6 = { 660f1f440000 488b4120 48898390000000 4885c0 7507 4889ab98000000 } + $sequence_7 = { 488bcf 4b8d1c3e 488d53c0 e8???????? 488d53e0 488d4f20 e8???????? } + $sequence_8 = { 48f7fb 4869c800ca9a3b 498bc0 4899 48f7fb 4869c200ca9a3b 4899 } + $sequence_9 = { 4803c8 b20a ff15???????? 440fb6c0 488d9424d8060000 488d8c24e0070000 e8???????? } condition: 7 of them and filesize < 403456 
@@ -143506,42 +144569,42 @@ rule MALPEDIA_Win_Babar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b29cd175-863b-5025-9e64-c8f5753d1c62" - date = "2026-01-05" - modified = "2026-01-06" + id = "1cb71fd6-ee2c-530b-8284-7d5064bf9657" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.babar_auto.yar#L1-L162" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.babar_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "2b221179b5f8ee2ea03d97e07ac34f9970eda994151497ddf7357451a1c3d5d6" + logic_hash = "698b85276aaa7c0f40098f9036009135b95c4555415cadef1b9a24dd2163f0ec" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3bd6 7505 8d55e0 eb16 } - $sequence_1 = { 3bd6 721b 57 8bcb e8???????? 8bc8 } - $sequence_2 = { 3bd6 7503 8d5014 895010 } - $sequence_3 = { 3bd7 0f8440010000 397e14 0f8437010000 } - $sequence_4 = { 46 ddd9 83fe03 ddd8 } + $sequence_0 = { 3bd6 7503 8d5014 895010 8931 8b4810 8931 } + $sequence_1 = { 46 e8???????? 0137 2933 33c0 } + $sequence_2 = { 3bd7 7305 e8???????? 8bd0 2bd1 8d0c3a } + $sequence_3 = { 3bd7 7215 7704 3bc3 } + $sequence_4 = { 3bd7 7305 e8???????? 
03c7 3bd8 0f83be000000 } $sequence_5 = { 3bd6 7505 8d55d8 eb16 } - $sequence_6 = { 3bd7 7215 7704 3bc3 } - $sequence_7 = { 3bd6 72d9 33f6 eb08 } - $sequence_8 = { 7506 807a0100 751c 8bc6 83c301 } - $sequence_9 = { 83c104 5f 8bc1 2b442414 5e c60100 } - $sequence_10 = { eb4b 8b4c2428 55 6800014004 55 55 55 } - $sequence_11 = { 8b5308 8b03 8bf9 33fa } - $sequence_12 = { 89542448 ffd5 50 53 ff15???????? 85c0 } - $sequence_13 = { 8b15???????? 5f 895608 8bc6 5e 8b8c2408060000 33cc } - $sequence_14 = { 8d442418 50 6a00 57 51 } - $sequence_15 = { 0fb65002 83e23f 0fb61432 885103 83c003 83c104 } + $sequence_6 = { 3bd7 0f8440010000 397e14 0f8437010000 } + $sequence_7 = { 3bd6 7505 8d55e0 eb16 } + $sequence_8 = { 8906 7518 5f 5e 5b } + $sequence_9 = { a1???????? 83c414 85c0 7432 50 ff15???????? 8d443001 } + $sequence_10 = { 5d 33c0 5b 83c414 c3 6a00 6a00 } + $sequence_11 = { 83c414 85ff 752d 6a0c e8???????? 68???????? 8bf0 } + $sequence_12 = { 03fe e8???????? 8bd8 83c408 85db 0f84a8000000 3bdf } + $sequence_13 = { 6801000080 e8???????? 8d442424 50 8d4c242c 51 53 } + $sequence_14 = { b801000000 83c408 c3 8b0c24 53 } + $sequence_15 = { 59 5e c3 56 57 33f6 ff74240c } condition: 7 of them and filesize < 1294336 
@@ -143551,35 +144614,35 @@ rule MALPEDIA_Win_Atmitch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40b30c3c-57b4-5224-a4e5-a107d24cada9" - date = "2026-01-05" - modified = "2026-01-06" + id = "d46e4955-9c99-5429-9db9-d72f11678fb3" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atmitch_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atmitch_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "71ef7f74c9366c16202f9b9ae280ad39b24b004194d9f9aea8b4282ba76a3264" + logic_hash = "47e8cf221fe7216b11c686530de58bb5caeb8ac20fac4ae14e17077791312d91" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 7407 8b542418 895004 837c242400 740c 8b442420 50 } - $sequence_1 = { ff15???????? 8d4c2414 ff15???????? 8d4c2410 ff15???????? } + $sequence_1 = { 8b4204 50 51 8bcc 8964241c 68???????? ff15???????? } $sequence_2 = { ff15???????? c744242000000000 833d????????02 7f05 e8???????? a1???????? } $sequence_3 = { 8b4818 83c408 51 51 8bcc 8964241c } - $sequence_4 = { 50 680300020b ff15???????? 8d4c240e 51 51 8bcc } - $sequence_5 = { c645fc01 8b06 8b4804 8b443110 25c0010000 } - $sequence_6 = { 6aff 8d4c2414 ff15???????? 6a00 6a0a 8d4c2418 ff15???????? 
} + $sequence_4 = { eb1b 50 51 8bcc 8964241c 68???????? ff15???????? } + $sequence_5 = { ff15???????? 50 ff15???????? 6aff b9???????? 8bf0 ff15???????? } + $sequence_6 = { ff15???????? 8d4c2420 c644244803 ff15???????? } $sequence_7 = { 8bf8 83c404 33c9 33d2 33c0 6a11 } - $sequence_8 = { 8bcc 89642410 68???????? ff15???????? e8???????? 83c404 a1???????? } + $sequence_8 = { 83ec2c a1???????? 33c4 89442428 0fb705???????? 53 } $sequence_9 = { 8b0e 0fb7412c 83c408 83f809 774d ff2485f4200010 b8???????? } condition: 
@@ -143590,36 +144653,36 @@ rule MALPEDIA_Win_Bitter_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b191a00c-6fde-5571-a34e-d2213ef4e8fa" - date = "2026-01-05" - modified = "2026-01-06" + id = "faebc047-8d7f-56a8-b0ad-5c259193b72f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bitter_rat_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bitter_rat_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "a43bde583e40f1f224309d84df87c4be4d19f266b740acdb3a4dfc9719f341d8" + logic_hash = "ebc10ce2b5ea21ea0348b4912379ee44de80b0d641267070991896dcd5ddab9a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 42 00542f42 00cf 2f } - $sequence_1 = { 68d4070000 e8???????? 83c414 a1???????? } - $sequence_2 = { 6a02 6a04 8d85d4fdffff 50 ff15???????? } - $sequence_3 = { 83e11f c1e106 8b048500124700 c644080401 57 } - $sequence_4 = { 51 8b954cd9ffff 8d84157cdcffff 50 e8???????? 83c40c 8b854cd9ffff } - $sequence_5 = { f3ab c745f8???????? b80a000000 668945ec b802000000 668945e0 0fbf45ec } - $sequence_6 = { 03048d00124700 eb02 8bc2 f6402480 0f8567ffffff 33c0 } - $sequence_7 = { 03c7 03cf 83ff1f 0f87da030000 ff24bda8864200 8bc6 e9???????? 
} - $sequence_8 = { 8bf4 8d8568feffff 50 6a02 ff15???????? 3bf4 } - $sequence_9 = { 8d8d68faffff 51 e8???????? 83c408 8bf4 8d85acfeffff } + $sequence_0 = { ff2485fcb14200 838de8fdffffff 89b590fdffff 89b5c0fdffff 89b5ccfdffff 89b5d0fdffff 89b5f0fdffff } + $sequence_1 = { 8985dcd8ffff c785d8d8ffff10270000 c785ccd8ffff00000000 c785c0d8ffff00000000 b801000000 85c0 } + $sequence_2 = { 8b8dbcfeffff 81e9d0070000 898dbcfeffff 83bdbcfeffff19 0f8771050000 8b95bcfeffff ff2495b0e04100 } + $sequence_3 = { 83c408 8b8558f0ffff 6bc018 8b4df4 8b540104 899548c8ffff 8b8548c8ffff } + $sequence_4 = { c745f00c000000 c745f801000000 c745f400000000 8bf4 6a00 8d45f0 } + $sequence_5 = { e9???????? 8bf4 6a00 a1???????? 50 ff15???????? 3bf4 } + $sequence_6 = { f3ab c745f80a000000 6a02 a1???????? 0345f8 50 68???????? } + $sequence_7 = { 0f84f6030000 8b85acfeffff 83e010 0f8406010000 0fbe85d8feffff } + $sequence_8 = { 8d8594fcffff 50 8b4de8 8b11 } + $sequence_9 = { 8b855cecffff 83c001 89855cecffff 8b8568ecffff } condition: 7 of them and filesize < 1130496 @@ -143630,10 +144693,10 @@ rule MALPEDIA_Win_Devopt_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "c196c87a-940f-5170-bdeb-5480f0772987" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.devopt" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.devopt_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.devopt_auto.yar#L1-L134" license_url = "N/A" logic_hash = "d44283c361e67f2f245bfc24e6c20517af3480cb8098b2e4e26bd4743afb76d5" score = 75 
@@ -143642,9 +144705,9 @@ rule MALPEDIA_Win_Devopt_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -143668,36 +144731,36 @@ rule MALPEDIA_Win_Tapaoux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "92f6e706-3399-5d0e-9b67-afc2a01b11c8" - date = "2026-01-05" - modified = "2026-01-06" + id = "7ae16ee2-650b-5beb-859e-6b9f61b4dfa1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tapaoux_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tapaoux_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "d4ad8726a2edee7cde7a56aa56890c668a33f52c080a12cbfff5c16b6a3c4a03" + logic_hash = "bc8c850a2b8a5df6e802bde689c4216d3506b61e30c3fb9113456f3d91d70717" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 57 8d442418 68???????? 50 e8???????? 8b07 } - $sequence_1 = { 8b4c243e 81e2ffff0000 25ffff0000 52 8b54243e 50 8b442440 } - $sequence_2 = { ff15???????? 8a842410050000 83c410 33db } - $sequence_3 = { 5b 81c408040000 c3 8b84241c040000 8b4b04 } - $sequence_4 = { 83c40c 85c0 56 7d16 } - $sequence_5 = { 8d442410 50 e8???????? 8b8c2428010000 83c404 } - $sequence_6 = { 8b44241c 8d542410 52 8d8c24d8060000 50 51 57 } - $sequence_7 = { 83c410 85c0 7507 b850000000 eb09 50 e8???????? } - $sequence_8 = { 8be8 0fbe03 50 e8???????? 
83c408 3bc5 } - $sequence_9 = { 84c0 74c5 3bf7 7ccf 5f 5e 5d } + $sequence_0 = { 85c9 a3???????? 7411 8b0d???????? } + $sequence_1 = { 8b8c2498000000 c6040f00 5f 5e 5d 5b 81c484000000 } + $sequence_2 = { f3a5 8bcd 83e103 f3a4 8d7c2430 83c9ff 8d9424b0000000 } + $sequence_3 = { 75d5 53 ff15???????? 5e 8bc7 5d 5f } + $sequence_4 = { 8d8c24d8060000 50 51 57 e8???????? 85c0 7517 } + $sequence_5 = { 50 51 e8???????? 8bf0 83c40c 85f6 0f8452010000 } + $sequence_6 = { 8b44240c 8b542404 8b4c2408 50 8b4204 51 8b4808 } + $sequence_7 = { 85c0 0f848c000000 6a0e 8d442414 } + $sequence_8 = { 5d b8fcffffff 5b 81c4c40e0000 c3 8b442414 8d542410 } + $sequence_9 = { 8bf0 83c418 85f6 0f8430010000 56 } condition: 7 of them and filesize < 292864 @@ -143708,10 +144771,10 @@ rule MALPEDIA_Win_Snojan_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "9f201807-eca2-5671-8fb1-4c54ce96e5b1" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.snojan_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snojan_auto.yar#L1-L124" license_url = "N/A" logic_hash = "1d25311cfd419aa863c883b495c4bbb0986a7541ebe6286749992456a12c9723" score = 75 
@@ -143720,9 +144783,9 @@ rule MALPEDIA_Win_Snojan_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -143746,34 +144809,34 @@ rule MALPEDIA_Win_Mongall_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "084e4b5d-8f53-5615-8d00-9dc87d5afd58" - date = "2026-01-05" - modified = "2026-01-06" + id = "03718745-4a20-5f11-8c49-ba07375d1462" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mongall_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mongall_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "a7343b890bc7cfe685e1d8a81a17e49736fde69b19000c5c5f4d58892316ec5a" + logic_hash = "d6d636cdb8a13c0a4cd956dbb80c2d5a73c159bd69bf56599b6f6938ee91dc2a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 75ef 57 bf???????? e8???????? 6a7f } - $sequence_1 = { 57 8bc2 c1f805 8b0485603f4100 8bfa 83e71f c1e706 } + $sequence_1 = { 6800000080 8d8df8feffff 51 ff15???????? 8bf8 83ffff 7413 } $sequence_2 = { 83c404 5e b801000000 5b c3 83f806 7543 } - $sequence_3 = { 83c40c 8bdf 895df4 85c0 } - $sequence_4 = { ff15???????? 85f6 7413 6a00 6a00 6a00 } + $sequence_3 = { 75f9 8bbd68d7ffff 2bc6 4f 8a4f01 47 } + $sequence_4 = { ffd7 a1???????? 
3bc6 7415 8b4d0c 8b5508 56 } $sequence_5 = { 85f6 7fdf eb07 838de4fdffffff 83bdccfdffff00 8b9de0fdffff 7457 } $sequence_6 = { c745fc00000000 8b7df8 85ff 7509 } - $sequence_7 = { c745fc00000000 8b7df8 85ff 7509 5f 5e } + $sequence_7 = { 7523 3985a0fdffff 741b ffb5a0fdffff 8d85e4fdffff 8d4df4 e8???????? } $sequence_8 = { 0fbe8028e24000 83e00f eb02 33c0 } $sequence_9 = { 33c9 68???????? 51 6a03 } 
@@ -143785,36 +144848,36 @@ rule MALPEDIA_Win_Linseningsvr_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "68c65b63-e40e-59ed-9f87-895cfc0dec94" - date = "2026-01-05" - modified = "2026-01-06" + id = "9dcd591f-d0ec-5190-8dad-c6b3b9eab825" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.linseningsvr_auto.yar#L1-L117" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.linseningsvr_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "e8f369f7ec61592e2a3b3fecf4bc420063f67a74461c185ad8f3d77705dffe45" + logic_hash = "0cfff1e97d9fd891165604e0b9cd757922199a1abb3f822338fa50a684f756d6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 8dbc24dd090000 c644241000 f3ab 66ab aa } - $sequence_1 = { 8d542464 6a01 52 89442464 894c2468 e8???????? } - $sequence_2 = { 8dbc24dd090000 c644241000 f3ab 66ab } - $sequence_3 = { 8b0485c08d4000 03c6 8a5004 f6c201 } - $sequence_4 = { e8???????? 57 e8???????? 83c418 8d44244c } - $sequence_5 = { 742e 85f6 7419 0fb6da f683818c400004 } - $sequence_6 = { c705????????01000000 50 a3???????? e8???????? 8db6bc884000 } - $sequence_7 = { e8???????? 83c40c c3 53 56 be???????? 57 } - $sequence_8 = { 8a4c3c4c 51 68???????? e8???????? 
83c408 } - $sequence_9 = { e8???????? 83c404 ebc2 8b0d???????? 68???????? 51 } + $sequence_0 = { 8d34b558874000 832600 83c60c 4a 75f7 8b00 8b35???????? } + $sequence_1 = { 47 3bfe 7ce7 68???????? e8???????? 8b15???????? b900010000 } + $sequence_2 = { 83f908 7229 f3a5 ff2495982c4000 8bc7 ba03000000 } + $sequence_3 = { e8???????? b900010000 33c0 8dbc2450040000 55 } + $sequence_4 = { 8d3c8dc08d4000 c1e603 8b0f f644310401 7456 50 e8???????? } + $sequence_5 = { 7c13 80fb78 7f0e 0fbec3 8a801c714000 } + $sequence_6 = { 52 56 66895c2448 6689442456 ff15???????? 8bd8 } + $sequence_7 = { 8944241c 33ff 8bc8 83f940 5d } + $sequence_8 = { 8088818c400008 40 3dff000000 72f1 56 } + $sequence_9 = { 8ac8 80c120 8888808b4000 eb1f 83f861 7213 83f87a } condition: 7 of them and filesize < 81360 @@ -143825,10 +144888,10 @@ rule MALPEDIA_Win_Hawking_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ec9f39f6-86ba-5455-97b7-92972ad75506" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawking" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hawking_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hawking_auto.yar#L1-L121" license_url = "N/A" logic_hash = "38946ce524bb812dc9a51e3c54c74cdb8d87a613cbaf2402323bc2266d8ec447" score = 75 
@@ -143837,9 +144900,9 @@ rule MALPEDIA_Win_Hawking_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -143863,36 +144926,36 @@ rule MALPEDIA_Win_Pipemagic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fdb60c65-afb1-53e4-9d93-0cc68c23b592" - date = "2026-01-05" - modified = "2026-01-06" + id = "fc586d45-01d1-57cb-98e6-483c3e362589" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemagic" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pipemagic_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pipemagic_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "1b197c324b04c72fd062b82fb8bf23069786730f7c016ad9418e03227253d020" + logic_hash = "b69872cffbb41fb04282047f015d345556dcd59f00f511bd534f119320daeea5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8bcf e8???????? 8bc8 85c9 7510 53 } - $sequence_1 = { ff15???????? 59 c7431003000000 5f 5e 5b c9 } - $sequence_2 = { 0f8722010000 8b513c 03d1 8955f8 8d82f8000000 3bc3 0f870c010000 } - $sequence_3 = { 8945e4 85db 0f8499020000 8b5508 8a01 } - $sequence_4 = { e8???????? a1???????? 33c9 894dd8 } - $sequence_5 = { 8b00 eb03 8b4508 6a04 } - $sequence_6 = { 59 51 8b4dec 57 e8???????? 57 } - $sequence_7 = { 83e801 7404 32c0 eb23 e8???????? eb1a e8???????? } - $sequence_8 = { 8d542410 8bce e8???????? e9???????? 
83f803 750e } - $sequence_9 = { 7404 8b38 eb03 8b7dfc 807e0c00 7530 53 } + $sequence_0 = { ffd6 8b5df0 57 668903 ffd6 59 } + $sequence_1 = { ff36 53 ff15???????? 85c0 0f84b0000000 8b45f0 } + $sequence_2 = { 83f820 0fb6ca 1bf6 23f0 0fb68600804000 03c7 03c8 } + $sequence_3 = { 03c7 03c8 0fb6f9 8a843df0feffff 88841df0feffff 43 } + $sequence_4 = { 8bd9 57 6a04 8b730c 8bce e8???????? 85c0 } + $sequence_5 = { e8???????? 8b1d???????? 57 ffd3 8d4c2410 e8???????? 8d4c2410 } + $sequence_6 = { 8b4b0c e8???????? 85c0 7404 8b00 eb03 8b45f8 } + $sequence_7 = { 33ff 47 eb2e 8b45dc 8bc8 48 8945dc } + $sequence_8 = { 8b4dfc 3bca 0f8709010000 2bd1 8955e4 8b55e0 85c9 } + $sequence_9 = { 59 84c0 7430 a1???????? 8d4f14 894604 c706???????? } condition: 7 of them and filesize < 87040 @@ -143903,10 +144966,10 @@ rule MALPEDIA_Win_Badencript_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "ddb7f1a7-8259-5ec8-9b35-e98fb67b2310" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.badencript_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.badencript_auto.yar#L1-L118" license_url = "N/A" logic_hash = "4aaa48768d97770f6e85ee594f356b88c6dabd160111a6a927596e69e9ca03f4" score = 75 
@@ -143915,9 +144978,9 @@ rule MALPEDIA_Win_Badencript_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -143941,36 +145004,36 @@ rule MALPEDIA_Win_Oni_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de723d64-30bf-5667-a979-f8186ef8b8cb" - date = "2026-01-05" - modified = "2026-01-06" + id = "a0f25e02-7b78-57b8-8594-38d2c2b2f26a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oni" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oni_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oni_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "e7a58256b76e741c7c3e2e9d7af61ce1190ab07a3a92bb457114a7c15de62838" + logic_hash = "d72b50d34d0cd90d90022123b45db6a8a537ff1e016f2c9185af8e30808dcd21" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8c24f0000000 c78424040100000f000000 c784240001000000000000 c68424f000000000 } - $sequence_1 = { 83f904 0f828d000000 83f923 0f8789000000 8bc8 } - $sequence_2 = { 8b4804 8d41f8 89840d14ffffff 8d4580 50 c74580b83a4300 e8???????? } - $sequence_3 = { 7603 6a26 58 0fb60c8536bf4200 0fb6348537bf4200 8bf9 8985b4f8ffff } - $sequence_4 = { 7420 6bc618 57 8db86c854300 57 ff15???????? 
} - $sequence_5 = { 8bc1 83e13f c1f806 6bc930 8b048590884300 f644082801 7406 } - $sequence_6 = { 83e03f c1ff06 6bd830 8b04bd90884300 f644032801 7444 837c0318ff } - $sequence_7 = { 8b550c 3b5df0 0f82cefeffff eb20 8b0c8d90884300 } - $sequence_8 = { 8d85f8fdffff 6a00 50 e8???????? 83c40c 8d85f8feffff } - $sequence_9 = { eb02 33f6 53 8d4dd0 e8???????? 807dd400 750a } + $sequence_0 = { 7253 83f923 7753 8bc8 51 e8???????? } + $sequence_1 = { 50 ff15???????? 85c0 740f e8???????? 6a01 ff15???????? } + $sequence_2 = { 83c404 8b85dcfdffff c785c4fdffff0f000000 c785c0fdffff00000000 c685b0fdffff00 } + $sequence_3 = { c3 c744243c0f000000 c744243800000000 c644242800 } + $sequence_4 = { 8955ec 3b5310 0f8261ffffff 8d4df0 e8???????? } + $sequence_5 = { 8d4ff8 395310 0f869f000000 837b1410 7204 8b03 eb02 } + $sequence_6 = { 6aff 40 c745dc0f000000 50 8d45e0 c745d800000000 50 } + $sequence_7 = { c645b400 83f810 723e 8b4dcc 40 3d00100000 722a } + $sequence_8 = { 7241 8b8d98fdffff 40 3d00100000 722a f6c11f } + $sequence_9 = { 2bc8 83f904 0f8231010000 83f923 0f872d010000 } condition: 7 of them and filesize < 499712 
@@ -143980,36 +145043,36 @@ rule MALPEDIA_Win_Simda_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "27bb9bc3-3123-59db-b496-71430a74b58c" - date = "2026-01-05" - modified = "2026-01-06" + id = "aa304c72-72d4-549a-ba4f-f63f8efa0a94" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.simda_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.simda_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "e9f68a5c932750dc8dc15c371abf1fcbed20271ad653ffccba6ba46621ea82a8" + logic_hash = "945beb5f8ffd66c84ce2c6df7a6662ff804e95b9a56c15b871a19f21206edd7c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8955ec 897de0 3bce 0f8278feffff 5b } - $sequence_1 = { 83c424 33c0 668945d0 8845fe } - $sequence_2 = { 8b85e8feffff 85c0 7505 8d41ff eb0f 83f801 } - $sequence_3 = { 33f6 68ff000000 8d85f1feffff 56 50 } - $sequence_4 = { 83ec24 53 56 57 50 6800040000 } - $sequence_5 = { 83c408 8945f0 85c0 7508 6a01 } - $sequence_6 = { 8bf8 0faf7dfc c1e210 0b55f8 3bfa } - $sequence_7 = { b910000000 be???????? 
8d7db4 f3a5 66a5 } - $sequence_8 = { 8bd1 c1ea10 8955ec 8bf8 } - $sequence_9 = { 85c0 75dd 8b4d0c 8bc3 2bc2 } + $sequence_0 = { 8b5487fc b900000080 90 85d1 7504 d1e9 } + $sequence_1 = { 66894df4 8855f6 c685c8fcffff00 e8???????? 6803010000 } + $sequence_2 = { 51 c685f8feffff00 e8???????? 8b35???????? } + $sequence_3 = { 40 84c9 75f9 8b4dfc 2bc2 40 50 } + $sequence_4 = { 8b0c30 3b0e 750d 83ef04 83c604 83ff04 } + $sequence_5 = { 80f903 7536 8b8de4feffff 83f905 750d 3985e8feffff 7523 } + $sequence_6 = { 03c7 3bc7 7301 42 } + $sequence_7 = { 74e4 6a0a 6a00 56 } + $sequence_8 = { ffd7 8b1d???????? 6a00 6a01 8d8df8feffff } + $sequence_9 = { 41 eb08 83c102 eb03 83c103 } condition: 7 of them and filesize < 1581056 
@@ -144019,36 +145082,36 @@ rule MALPEDIA_Win_Eyservice_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "01143abf-4326-5001-b471-74ce2f23b942" - date = "2026-01-05" - modified = "2026-01-06" + id = "51ce8d77-e6f4-521a-a803-c8f5ede63dea" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.eyservice_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.eyservice_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "cec2c9ebe5b9e4768a39fd8dee155ccbac651c379b500243ead7740363768937" + logic_hash = "44cbd9c2567ec5141176963e26b9cf70b99c1f6589ca143e5390d11cf5ae3e35" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 8d4c2408 8bf0 c7842460080000ffffffff e8???????? } - $sequence_1 = { 0f85e5000000 c70600000000 c70702000000 e9???????? 83f85a 0f85cb000000 } - $sequence_2 = { 83bef800000000 747c 8d4c2408 e8???????? a1???????? 8d4c2408 51 } - $sequence_3 = { 50 b9???????? c7442454ffffffff e8???????? 46 3bf7 } - $sequence_4 = { 56 8bc8 e8???????? eb02 33c0 89442410 8d442410 } - $sequence_5 = { 5f 5e 59 c21000 53 8bfb 53 } - $sequence_6 = { 83c404 894de8 c645fc01 3bce 7417 e8???????? 8b4df4 } - $sequence_7 = { ffd3 8d442434 68???????? 50 ff15???????? 68???????? 
8d8c2444010000 } - $sequence_8 = { 888654720000 66099652720000 3c08 76bc 0fb78652720000 808654720000f8 0fb7c8 } - $sequence_9 = { 894e0c 8b5010 895610 8b4814 894e14 8b5018 895618 } + $sequence_0 = { 0fb692bc844000 ff2495a8844000 56 e8???????? 894610 8b442418 83782400 } + $sequence_1 = { 50 6a00 68???????? 51 896c2430 895c2438 ffd7 } + $sequence_2 = { 8b8ea0000000 57 68cb000000 6a01 51 ffd0 5f } + $sequence_3 = { 6a01 51 ffd6 57 6a01 6a01 68???????? } + $sequence_4 = { 85c0 7511 55 ff15???????? 5e b80c000000 } + $sequence_5 = { 8d442424 50 6802000080 ff15???????? 85c0 } + $sequence_6 = { 51 e8???????? 85c0 8b44241c 74d0 85c0 7407 } + $sequence_7 = { 8d4c2408 c7842460080000ffffffff e8???????? 33c0 eb40 8d84244c060000 50 } + $sequence_8 = { 5d 83c8ff 5b 59 c20400 8b7c2418 57 } + $sequence_9 = { c20400 83f802 751e bf???????? bee8660000 e9???????? bf???????? } condition: 7 of them and filesize < 452608 
@@ -144058,41 +145121,41 @@ rule MALPEDIA_Win_Anchormtea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "32582435-d23f-5bf2-99b8-f6c7ec2febef" - date = "2026-01-05" - modified = "2026-01-06" + id = "18d81673-6908-5576-8bf2-16c50223836a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.anchormtea_auto.yar#L1-L158" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.anchormtea_auto.yar#L1-L154" license_url = "N/A" - logic_hash = "0d56b6ebc1869a5136446b1b05f633dc23ded4ac41169656ca6cd600d19c6d7b" + logic_hash = "423335a0396b30079660bf8c19aabbadc6d6e2c8e4cc037968b34528cc3c2347" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { e9???????? f7d8 1bc0 83e002 } - $sequence_1 = { 4883f81f 0f87fd170000 488bce e8???????? 4c8d8b44010000 4c8d05255f0200 } - $sequence_2 = { 898d68f7ffff 89b564f7ffff 3bd0 7741 } - $sequence_3 = { 8bc2 c1e81f 03c2 8945fc b8619e426b f7e9 } - $sequence_4 = { 4533c0 48c7c100000080 897c2420 ff15???????? 85c0 7563 } - $sequence_5 = { 89442450 8b45dc 89542448 418bd2 } - $sequence_6 = { 8bd9 4c8d0d69cc0000 b904000000 4c8d0555cc0000 488d15c6af0000 e8???????? } - $sequence_7 = { 6800010000 ff761c e8???????? 
ff75e0 668b45cc 6824080000 } - $sequence_8 = { 4585ff 0f84d3000000 33ff 4d63e7 } - $sequence_9 = { 83c414 c744241000000000 57 ff15???????? } - $sequence_10 = { ff15???????? 488bf8 4885c0 7410 33d2 } - $sequence_11 = { 55 8bec 81ec8c030000 a1???????? 33c5 8945fc ff05???????? } - $sequence_12 = { c7471c40300010 894714 c7472060300010 c7472480300010 c7472890300010 c7472cb0300010 } - $sequence_13 = { 51 e8???????? 83c408 8bb70c010000 89b568f7ffff 85f6 0f846c010000 } - $sequence_14 = { 4c897e10 4903c5 488bcb 4c8d3c12 } + $sequence_1 = { 85c0 0f899d000000 51 68???????? } + $sequence_2 = { 4489442430 488d542438 4533f6 458be9 4c89742440 4c8d4328 } + $sequence_3 = { 66c1e008 0fb7c8 0fb68580fcffff 0bc8 } + $sequence_4 = { b901000000 3bc1 0f44f9 4885db 7409 } + $sequence_5 = { 4885c9 740a ff15???????? 48897b40 488b4b30 } + $sequence_6 = { 0f8408ffffff 6808020000 6a00 56 } + $sequence_7 = { ffb564f7ffff 52 e8???????? 8b8d70f7ffff c645fc00 8b8584f7ffff } + $sequence_8 = { 492bed 48897e18 482be8 4c897e10 4903c5 488bcb } + $sequence_9 = { c70016000000 eb2a 488bcb 4c3bfe 720d } + $sequence_10 = { ba3c000000 488bce e8???????? 488bd8 4885c0 } + $sequence_11 = { 8bec 83ec1c 53 8bd9 b9feffff7f 8bc1 } + $sequence_12 = { 6a00 6a00 68???????? ffb51cf3ffff ffd7 } + $sequence_13 = { 899fb0020000 2bde 8987b4020000 5f } + $sequence_14 = { ba00040000 83f904 488d4df0 740e 4c8d0549600200 e8???????? } condition: 7 of them and filesize < 839680 
@@ -144102,36 +145165,36 @@ rule MALPEDIA_Win_Phantomcore_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2be56282-528c-5044-bd7b-3727ed618862" - date = "2026-01-05" - modified = "2026-01-06" + id = "d6c311eb-178f-58fc-8bfd-681ca59fa521" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phantomcore" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.phantomcore_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.phantomcore_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "ee848610d848563fe98dd89814048251462308bba35e0801488bbe21ef0c4142" + logic_hash = "79491ef7aca9ea04d096da343e603c2ec314a4ac27633790981743e1b4a691d8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d45d0 8d4da8 68???????? 50 e8???????? c745f001000000 8d45c0 } - $sequence_1 = { e9???????? 8b16 0f57c0 0f1145c8 83f803 bf03000000 0f42f8 } - $sequence_2 = { 8b65e8 83c50c c745f0ffffffff ff75d8 ff15???????? ff75d8 ff15???????? } - $sequence_3 = { c78634020000cc734b00 c7864402000018714b00 8d8648020000 50 e8???????? 83c404 c7863402000018714b00 } - $sequence_4 = { eb11 8975d8 50 e8???????? 
83c404 89c1 8b45d8 } - $sequence_5 = { c745c818714b00 8d4dcc c745d000000000 c745cc00000000 c745c026f64b00 c645c401 8d45c0 } - $sequence_6 = { c7443a480f000000 c6443a3400 8d1c3a 83c34c 83c74c 39cb 0f8571ffffff } - $sequence_7 = { e8???????? 83c410 68???????? 8d852cffffff 50 e8???????? 83c408 } - $sequence_8 = { ff431c c7431800000000 c74344e1c94b00 b80e000000 e9???????? c745f0ffffffff 0fb64dac } - $sequence_9 = { ff7514 ff74240c 6a01 57 e8???????? 8b0e 8b01 } + $sequence_0 = { 8b7930 8d5001 81fa00100000 7216 8b57fc 83c7fc 29d7 } + $sequence_1 = { 8d4afe 89c8 890c24 3b4c2410 72d3 7611 8d4704 } + $sequence_2 = { 6a0f ff5018 b900000000 84c0 7405 b901000000 ba???????? } + $sequence_3 = { f6464104 0f8528010000 31c0 e9???????? f6464104 0f856a010000 31c0 } + $sequence_4 = { e8???????? 83c410 8b45e8 64a300000000 8b45d8 83c42c 5e } + $sequence_5 = { 0fb6c7 0f43c5 0fbeeb 83c5bf 0fb6cb 80c320 83fd1a } + $sequence_6 = { e9???????? 39ca 0f8494000000 0f57c0 31ff 0f10143a 0f105c3a0c } + $sequence_7 = { 8b5d10 8933 898c24a8000000 898424ac000000 8b442444 89842498000000 8b442460 } + $sequence_8 = { 8d8e20010000 e8???????? 83c430 5d c3 55 83ec30 } + $sequence_9 = { e8???????? 83c414 8b4580 837d8410 8d8d70ffffff 7206 8b8d70ffffff } condition: 7 of them and filesize < 1840128 
@@ -144141,36 +145204,36 @@ rule MALPEDIA_Win_Sappycache_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7cc3c8f2-16b3-5753-b1dc-441bde2f37db" - date = "2026-01-05" - modified = "2026-01-06" + id = "40e5397b-f9d2-5d39-9f00-00f93e2394d6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sappycache_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sappycache_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "69868e0b80392ecc35dcd562f65c813ca6117f731788d5ab611817e1e3bff002" + logic_hash = "e297a368e2ceb4e7a200380f3ff8cb73a2cf4cfaf9a62384f9af2e6b9941450c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 4c8bc3 33d2 488bc8 488907 488be8 e8???????? } - $sequence_1 = { 0f84a0000000 817c242000140000 0f8592000000 488d05b8600100 b928000000 } - $sequence_2 = { 4863c9 488d1556fa0000 488bc1 83e13f 48c1f806 } - $sequence_3 = { 4c8d442440 8bca 488d542448 48c1e109 4903cc e8???????? 488b5c2448 } - $sequence_4 = { 488bfb 48895c2420 8b05???????? 3bf0 7c3b 4c8d3db7fa0000 } - $sequence_5 = { 4889442478 488bd8 4885c0 0f840d060000 4889bc2488630000 } - $sequence_6 = { 488bcf ff15???????? 
b801000000 488b6c2440 488b742448 488b7c2450 488b4c2428 } - $sequence_7 = { ff15???????? 488d4540 498bd7 48ffc2 44382c10 } - $sequence_8 = { 488d15bdcbffff 488d0c10 813950450000 755f b80b020000 66394118 7554 } - $sequence_9 = { 4883ec68 488b05???????? 4833c4 4889442450 33ff 33db } + $sequence_0 = { f6c101 7412 b9c1000000 ff15???????? 33c0 e9???????? 410fb74614 } + $sequence_1 = { 7509 418b4e38 f6c101 7412 b9c1000000 ff15???????? 33c0 } + $sequence_2 = { 8bea 0f1f8000000000 e8???????? 448bf0 } + $sequence_3 = { 488bcf ff15???????? 33c0 488bac2480000000 488b5c2478 488bbc2488000000 488b4c2450 } + $sequence_4 = { 33db 4c8bfa 4c8be1 4883fa40 7312 b90d000000 } + $sequence_5 = { 33d2 488d4d40 41b800010000 e8???????? 33d2 488d8d40010000 41b800010000 } + $sequence_6 = { e9???????? 4d3bc1 0f84a3000000 8b7500 498b9cf720860100 4885db 7407 } + $sequence_7 = { 754c 488d15131a0100 498bcc ff15???????? 488d15631a0100 488d0d4c610100 ff15???????? } + $sequence_8 = { 482be0 488b05???????? 4833c4 48898520620000 4c89442468 } + $sequence_9 = { 488d05133c0100 ffcb 488d0c9b 488d0cc8 ff15???????? ff0d???????? 85db } condition: 7 of them and filesize < 262144 
@@ -144180,36 +145243,36 @@ rule MALPEDIA_Win_Ramdo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5dab1d9-452a-5887-a4af-58f6481f5f6c" - date = "2026-01-05" - modified = "2026-01-06" + id = "821106b8-bc4c-5bc5-966d-53c11374d99b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ramdo_auto.yar#L1-L105" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ramdo_auto.yar#L1-L104" license_url = "N/A" - logic_hash = "8755ec08f63d4c02872dc91cf7ac7496e98fc865f5e95d3244691dbde1a5dad8" + logic_hash = "84d0d18c827e8f979b1dc908e8f3c43f305076e36c820030e03c36d7f9376b49" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 68b3030442 6a00 6a00 e8???????? } - $sequence_1 = { 68bc882a42 6a03 6a00 e8???????? } - $sequence_2 = { 6894dac0dc 6a00 6a00 e8???????? } - $sequence_3 = { ff55f8 8945fc 837dfcff 7411 } - $sequence_4 = { 68dd786eac 6a03 6a00 e8???????? } - $sequence_5 = { 68c07b3072 6a03 6a00 e8???????? } - $sequence_6 = { 68b6b2cff5 6a03 6a00 e8???????? } - $sequence_7 = { 68b928ece1 6a03 6a00 e8???????? } - $sequence_8 = { 68b900308a 6a01 6a00 e8???????? } - $sequence_9 = { 68c29e34ea 6a03 6a00 e8???????? } + $sequence_0 = { 687e1ca712 6a03 6a00 e8???????? 
} + $sequence_1 = { 688fe57c18 6a03 6a00 e8???????? } + $sequence_2 = { 68b900308a 6a01 6a00 e8???????? } + $sequence_3 = { 685448005b 6a00 6a00 e8???????? } + $sequence_4 = { 682c7206cb 6a00 6a00 e8???????? } + $sequence_5 = { 68f53f0367 6a03 6a00 e8???????? } + $sequence_6 = { 6805c7a481 6a00 6a00 e8???????? } + $sequence_7 = { 68bb3d230a 6a05 6a00 e8???????? } + $sequence_8 = { 68e9b528b6 6a03 6a00 e8???????? } + $sequence_9 = { 685ce91101 6a03 6a00 e8???????? } condition: 7 of them and filesize < 548864 
@@ -144219,36 +145282,36 @@ rule MALPEDIA_Win_Decaf_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c019d263-a899-5660-aa15-798e52adcd92" - date = "2026-01-05" - modified = "2026-01-06" + id = "688421e5-50f3-54a6-afcf-ed3cc43c3379" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.decaf_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.decaf_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "8c05c17767eead1f69d9ac7eb9dd704aba24d34223075b108957952ecaf7a6e5" + logic_hash = "bc13d1aabe60e36a979a1ab19aaf3f220b675ec157b071ae53bdc10a73fed48d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d6c2460 48c744247000000000 31c0 31c9 31d2 bb02000000 be67000000 } - $sequence_1 = { eb11 488d7818 488b8c2438240000 e8???????? 488b8c2470060000 48894808 833d????????00 } - $sequence_2 = { 44886c2446 440fb66c2464 44886c2445 440fb66c245d 44886c2444 440fb66c2466 44886c2443 } - $sequence_3 = { e9???????? 4983f806 754d 4c8d4301 4c39c6 7331 488d051d4d0f00 } - $sequence_4 = { eb14 488d7818 488b8c24081b0000 0f1f00 e8???????? 488b8c24080b0000 48894808 } - $sequence_5 = { e8???????? 488b0d???????? 48898c24e0000000 488d052c9c1300 e8???????? 
833d????????00 750e } - $sequence_6 = { 488b6c2410 4883c418 c3 488d05f5bb1b00 48890424 e8???????? 450f57ff } - $sequence_7 = { e8???????? b911000000 4889c7 4889de 31c0 488d1d94e71700 e8???????? } - $sequence_8 = { e8???????? 488b442478 488b4c2470 488b942488000000 ebbd 90 488d05bfff1d00 } - $sequence_9 = { eb14 488d7818 488b8c2470220000 0f1f00 e8???????? 488b8c24a8030000 48894808 } + $sequence_0 = { eb14 488d7818 488b8c2448200000 0f1f00 e8???????? 488b8c24d0050000 48894808 } + $sequence_1 = { 488d0d69f20800 488908 488d0d02080c00 48890d???????? 833d????????00 7509 488905???????? } + $sequence_2 = { 488d05ac221c00 bb27000000 e8???????? 488d05f3111c00 bb20000000 e8???????? 48ffc1 } + $sequence_3 = { e8???????? e8???????? 4889842430110000 48899c2470020000 90 488d050a9d0c00 e8???????? } + $sequence_4 = { bb19000000 e8???????? 488d053fcd1900 bb1c000000 e8???????? 90 4889442408 } + $sequence_5 = { e8???????? 488d0554a41400 488b5c2438 488d0d28ff1600 bf07000000 0f1f00 e8???????? } + $sequence_6 = { 663913 754e 0fb75002 66395302 7544 4889442428 48895c2430 } + $sequence_7 = { e8???????? 488d3de3581f00 e8???????? e8???????? 48898424f8100000 48899c24200a0000 488b0d???????? } + $sequence_8 = { c6041ff9 31c9 e9???????? 4983f806 754b 4c8d4301 4c39c6 } + $sequence_9 = { 488d6c2430 48ba059ac5d4c613bccd 4889542425 48bad4c613bccd3f86c5 4889542428 48ba46f582b1b25cdea7 488954241a } condition: 7 of them and filesize < 7193600 
@@ -144259,10 +145322,10 @@ rule MALPEDIA_Win_Skinnyboy_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "24a64f43-deef-557c-9fd6-67c28ce40905" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.skinnyboy_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.skinnyboy_auto.yar#L1-L127" license_url = "N/A" logic_hash = "e1fe3c77c85dc8fb19abbee4d29db040d7e39adcf95610e368b642b3c9a51b2e" score = 75 @@ -144271,9 +145334,9 @@ rule MALPEDIA_Win_Skinnyboy_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -144297,36 +145360,36 @@ rule MALPEDIA_Win_Nim_Blackout_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52c7d5e9-12a7-539a-90b8-852642880eb0" - date = "2026-01-05" - modified = "2026-01-06" + id = "048267f7-62fb-507b-b119-68debffc7bf9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nim_blackout" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nim_blackout_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nim_blackout_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "6c5cae00e9c851f788aea7ba4107707f8738f1e8e9b098f9929e9947fb70cddd" + logic_hash = "06823db7fdc0487e1c01e7b7292944b80bcc51abb9b98ed51feb95984ce49f66" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 4889e5 4883ec30 48894d10 488b05???????? 4885c0 750d } - $sequence_1 = { 488b00 eb05 b800000000 483b85a8000000 7f30 4883bdf800000000 } - $sequence_2 = { 48c745c0c0000000 488d05ad7e0100 488945c8 488b45f0 488945f8 eb40 90 } - $sequence_3 = { 48c1e003 4801d0 488b00 4885c0 741a 488b4510 488b5008 } - $sequence_4 = { 488905???????? 488b05???????? 4885c0 750c 488d0d229c0100 e8???????? 488b05???????? } - $sequence_5 = { 488b45f8 488905???????? eb01 90 e8???????? 90 4883c460 } - $sequence_6 = { 488d05dd770100 488945e8 488b4510 488b00 ba08000000 4889c1 e8???????? 
} - $sequence_7 = { 488945f8 48c745d07b000000 488d05d02a0200 488945d8 488b45f8 488d14c500000000 488b4518 } - $sequence_8 = { 488d05ed680100 48894558 ba00000000 488b85b8000000 4883c001 7105 ba01000000 } - $sequence_9 = { 488d05d2af0200 488945e8 488b5510 488b05???????? 488d4818 e8???????? e8???????? } + $sequence_0 = { 4889e5 4881ecf0000000 48894d10 48895518 488d0589840200 48898538ffffff 488d0536820200 } + $sequence_1 = { 782e 488b85a0000000 488b4040 4885c0 } + $sequence_2 = { 488d14c500000000 488b4518 4801d0 488b00 4885c0 742d 48c745d07d000000 } + $sequence_3 = { 488d45c8 488910 4889c8 83e001 84c0 7405 e8???????? } + $sequence_4 = { eb05 b800000000 4801d0 4889c1 e8???????? 48898588000000 488b9580000000 } + $sequence_5 = { e8???????? 488b45b0 488945f8 48c745d025010000 488d0592090100 488945d8 } + $sequence_6 = { 4821c2 488b4510 488910 48c745c0a8000000 488d0591790200 488945c8 488b4510 } + $sequence_7 = { 488b45f0 488945f8 e9???????? 90 48c745c0bb000000 488d0559820100 488945c8 } + $sequence_8 = { 0f8e9e040000 c64424302e 488d442431 c60030 488d5801 458b54240c bd02000000 } + $sequence_9 = { 488945d8 c645f600 48837d1800 7409 488b4518 488b00 eb05 } condition: 7 of them and filesize < 1068032 
@@ -144336,36 +145399,36 @@ rule MALPEDIA_Win_Kaolin_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9e8556c-d2a8-55c8-b1a4-294ebe1251e5" - date = "2026-01-05" - modified = "2026-01-06" + id = "383aa290-3a27-58c9-9e83-85dd180123f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kaolin_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kaolin_rat_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kaolin_rat_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "f64c57e6849676b495ac58f80cd5164da6e94327fa0e0172abebd0301649988c" + logic_hash = "8e2eac05eb52f1ffb8056816644564527788e0660af77ac882b4962a5d640107" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 44897c2428 44897c2420 4533c9 4533c0 488bd0 33c9 } - $sequence_1 = { 66c704083f00 eb1d 48c744242001000000 4c8d0df8af0200 ba01000000 498bcc e8???????? } - $sequence_2 = { 488bd7 488d4d08 e8???????? 488b4d18 488b5520 488bc2 482bc1 } - $sequence_3 = { 488b8a30000000 e9???????? 488b8a60000000 e9???????? 4055 4883ec20 488bea } - $sequence_4 = { 48833d????????10 480f4305???????? 448828 418bdd 48391d???????? } - $sequence_5 = { 4c8d0dab4c0200 ba03000000 488bcf e8???????? } - $sequence_6 = { 4885c0 750a b9c8000000 e9???????? 
4c8b6008 488b00 83b88c00000000 } - $sequence_7 = { ba04010000 488d8db0000000 e8???????? 418bcf 48890d???????? 488d3d5eae0300 488d1517b00300 } - $sequence_8 = { 4883fa10 480f431d???????? 4803d9 4d8bc6 498bd5 488bcb e8???????? } - $sequence_9 = { 482bc1 4883f801 721d 488d4101 488945d0 488d45c0 4883fa10 } + $sequence_0 = { 4883ec20 488bd9 488bc2 488d0dc5d30200 0f57c0 488d5308 48890b } + $sequence_1 = { 4c8b75c8 488b75c0 4c8d4db0 4c8b7db0 4983fe10 4d0f43cf 488b0d???????? } + $sequence_2 = { 4883f8ff 7512 ff15???????? 8bc8 e8???????? e9???????? 488d542468 } + $sequence_3 = { 448b05???????? 41c1e00a 48897df0 488975f8 c645e000 4c3905???????? 4c0f4205???????? } + $sequence_4 = { 48895c2408 48897c2410 8b01 488d3d3d700300 4533c0 4c8bda } + $sequence_5 = { 488b4220 48898810010000 488d0d43570300 488b4220 } + $sequence_6 = { 77b9 442bc9 4183f90f 7779 428b8c8ed8bf0200 4803ce } + $sequence_7 = { 480f43442460 66c704082e00 eb1f 48c744242001000000 4c8d0d76480300 ba01000000 488d4c2460 } + $sequence_8 = { 57 4883ec20 33f6 488d1d281b0200 488d05391b0200 483bc3 481bff } + $sequence_9 = { 480f435590 488d442458 4889442420 41b93f000f00 4533c0 48c7c102000080 } condition: 7 of them and filesize < 581632 
@@ -144376,10 +145439,10 @@ rule MALPEDIA_Win_Backconfig_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "18fd149c-ad9b-5433-8651-ac1dcd92de05" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.backconfig_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.backconfig_auto.yar#L1-L127" license_url = "N/A" logic_hash = "dc29e43fa81d60d5f53e6f4d5e158937c417e8f12650929b20d71338a8cb5ead" score = 75 @@ -144388,9 +145451,9 @@ rule MALPEDIA_Win_Backconfig_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -144415,10 +145478,10 @@ rule MALPEDIA_Win_Dorshel_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "550d8628-f52a-56de-91a7-ece0c38b96fb" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dorshel_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dorshel_auto.yar#L1-L124" license_url = "N/A" logic_hash = "364203df24c6a83e17731caab6caa244bb9a531055fdc65fef6d763de8c4fb40" score = 75 @@ -144427,9 +145490,9 @@ rule MALPEDIA_Win_Dorshel_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -144453,36 +145516,36 @@ rule MALPEDIA_Win_Unidentified_112_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "088f625c-ef85-5039-b4a6-57af0a7b0b6b" - date = "2026-01-05" - modified = "2026-01-06" + id = "8f51d074-2baf-5589-8536-2bd347f984f8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_112_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_112_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "fc462a31ea1db66fb5cf9697b2cccafd272c6a5cfa6825d7930166b5fbdba921" + logic_hash = "7d4bb0d8583f1d9c9411db0ebd43dc391c4ec8d35a6a3f1d363080592641f11b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 53 4883ec38 488daa80000000 48817d70ff7f0000 762e c6858f00000000 c6858e00000000 } - $sequence_1 = { e8???????? 84c0 0f8496000000 b12c e8???????? 84c0 0f8487000000 } - $sequence_2 = { 498d4850 498b5040 4d8b4048 ff5010 4883bde001000000 7525 488b85d8020000 } - $sequence_3 = { e8???????? 498b4e50 ba50000000 41b808000000 e8???????? 488b45f0 49894650 } - $sequence_4 = { c1ea13 448d0c12 478d0c89 4429c8 0c30 8841ff 48ffc9 } - $sequence_5 = { e8???????? 84c0 0f841bf5ffff 488b05???????? 
488b08 488b4138 4885c0 } - $sequence_6 = { 56 57 53 4883ec28 488daa80000000 488b8d48100000 488bb550100000 } - $sequence_7 = { c685de01000000 488d8d50010000 e8???????? eb71 488b8550010000 488b8d58010000 488b9560010000 } - $sequence_8 = { ba22000000 e8???????? e9???????? c685e305000001 488d0d4bd01500 4c8d053cd31500 ba22000000 } - $sequence_9 = { eb56 31f6 4989dd bf03000000 eb4a 0fb7ca 25ff030000 } + $sequence_0 = { e9???????? c6452701 488d0dc0661200 4c8d0501671200 ba46000000 e8???????? eb5c } + $sequence_1 = { f048ff08 7505 e8???????? 4c8936 0f288540100000 0f288d50100000 660f6f9560100000 } + $sequence_2 = { e8???????? eb18 488d0d62501500 4c8d0583511500 ba22000000 e8???????? 0f0b } + $sequence_3 = { e9???????? 488d15ee980d00 41b809000000 488b742460 4889f1 e8???????? 40b501 } + $sequence_4 = { e8???????? 0f0b 488d05619e0d00 4889442420 4c89e1 4889fa 4531c0 } + $sequence_5 = { e8???????? 0f0b 488b4de0 488b45e8 ff10 488b45e8 488b5008 } + $sequence_6 = { e9???????? 0f1005???????? 0f298510010000 0f1005???????? 0f298500010000 488dbd30010000 488d9d00010000 } + $sequence_7 = { e8???????? 0fb645a8 83f805 0f84a8000000 83f806 0f85af010000 488b85e0000000 } + $sequence_8 = { be01000000 f0480fc130 4989f5 4983e5e0 4c8b37 4c89e8 492b8600230000 } + $sequence_9 = { c685e502000000 0f28742420 4883c438 5b 5f 5e 415c } condition: 7 of them and filesize < 7317504 
@@ -144492,36 +145555,36 @@ rule MALPEDIA_Win_Icexloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9728ecc3-5098-572d-97ec-dd9f0ce4c650" - date = "2026-01-05" - modified = "2026-01-06" + id = "e67eae07-fb93-5b45-9602-470a196337dd" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.icexloader_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.icexloader_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "b722e25be5e83e6d5656f0c81a7b7a7da3a63f2b0bd49196ee8eb2c89a1c5431" + logic_hash = "e7d8b7bb37a7ff9b0391c595d5a3e089e1233fa9d3012ba9f46251bb3d0e3e70" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd7 890424 ffd6 c744240400800000 890424 ffd3 83c41c } - $sequence_1 = { 807de47e 0fb6d8 0f85d9000000 eb53 8b1e 83eb05 39da } - $sequence_2 = { c705????????04000000 c705????????04000000 66c705????????1503 c705????????00c64300 c705????????04000000 c705????????04000000 } - $sequence_3 = { e8???????? 85c0 7405 833800 7515 c70424???????? } - $sequence_4 = { 89d3 e8???????? 85c0 740f 837cd87800 7406 8d44d878 } - $sequence_5 = { 46 e8???????? 89da e8???????? ebc8 83c41c 5b } - $sequence_6 = { 8b00 85c0 7405 8b00 8945d4 c645db00 31ff } - $sequence_7 = { 89c6 e8???????? 
8b55e4 895c2408 89f3 c744241c00000000 c744241800000000 } - $sequence_8 = { 8d4314 e8???????? 8d4310 e8???????? 58 89d9 5b } - $sequence_9 = { 89e5 83ec10 8b4508 83c014 8945fc 8b4508 8b4010 } + $sequence_0 = { 5d c3 55 89e5 53 83ec74 e8???????? } + $sequence_1 = { 89d9 89d0 31db 31d2 01c8 8b4dd4 11da } + $sequence_2 = { 8b4508 83c014 8945f8 8b4508 8b4010 8945f4 8b450c } + $sequence_3 = { 5d e9???????? c705????????18000000 c705????????04000000 c605????????11 c705????????a0c54300 c705????????00000000 } + $sequence_4 = { 744b 8b5210 897d08 8d65f4 89f1 5b 5e } + $sequence_5 = { 55 ba7c000000 89e5 56 53 83ec30 894de4 } + $sequence_6 = { 0f841a010000 8b85ecfeffff 8b95ecfeffff 8b5210 83ea01 83c204 } + $sequence_7 = { 0fb7444b08 8d7101 8d9000280000 6681faff07 7718 0fb7547308 8d7102 } + $sequence_8 = { 898554ffffff c78510ffffff00000000 c745a000000000 8b45a0 89459c 8b459c 894590 } + $sequence_9 = { f7d8 eb03 42 eb94 83c40c 5b 5e } condition: 7 of them and filesize < 656384 
@@ -144531,36 +145594,36 @@ rule MALPEDIA_Win_Slub_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c0a27b8-13ae-509d-aab0-4967f12001e1" - date = "2026-01-05" - modified = "2026-01-06" + id = "afb64038-3887-582c-a464-a4deb1922e69" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slub_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slub_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "264575ee79f35f47d39754d10976636a28b6cb6786a3fc3ffd41fec9d7f59aa5" + logic_hash = "f95e0250979b7acd86c155722c9bec9ce8d849d5f742b2a4065d39eac37e1e53" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8520fbffff 50 68???????? 8d8d08fbffff e8???????? 8bc8 e8???????? } - $sequence_1 = { 0f848d000000 833801 56 8b74240c 0f8581000000 80bf3803000000 53 } - $sequence_2 = { 55 33f6 c644242400 53 89742420 e8???????? } - $sequence_3 = { 837f2c00 8b6c2428 89473c 897740 7527 3b6b10 0f84d90f0000 } - $sequence_4 = { 85db 741a 33f6 85ed 7e14 56 } - $sequence_5 = { c645fc16 8d8d80fdffff 8b85d4fdffff 83c018 50 e8???????? c645fc17 } - $sequence_6 = { 0f842c060000 85c0 8b44241c 0f95c1 888815040000 8b4008 85c0 } - $sequence_7 = { 83c418 85ff 7425 57 e8???????? 
50 57 } - $sequence_8 = { 8bf8 83c408 85ff 75cf 38442411 0f84700a0000 6a01 } - $sequence_9 = { 8d8358020000 50 8d8664040000 50 e8???????? 83c408 84c0 } + $sequence_0 = { 83c404 e9???????? 68???????? 56 e8???????? 83c408 89442410 } + $sequence_1 = { e8???????? 83c40c eb1b 8b5c2414 57 c6858302000000 ff15???????? } + $sequence_2 = { 660fd60f 8d7f08 8b048d44918a00 ffe0 f7c703000000 7413 8a06 } + $sequence_3 = { 0f85580b0000 3986f0050000 7425 ff742418 ff15???????? ffb6f0050000 ff15???????? } + $sequence_4 = { 8a06 46 84c0 75f9 2bf1 837d6c00 740d } + $sequence_5 = { 53 8b08 83c110 e8???????? 84c0 7427 8b45ec } + $sequence_6 = { 40 8d8db0f9ffff 50 ffb5b0f9ffff e8???????? 8d8580f9ffff 50 } + $sequence_7 = { 6a01 6a00 6a00 56 e8???????? 83c410 8986c8060000 } + $sequence_8 = { e8???????? 8bf8 83c418 85ff 7425 57 e8???????? } + $sequence_9 = { 89861c020000 8b45e0 8d4e0c 6a06 8d901c889000 5f 668b02 } condition: 7 of them and filesize < 1785856 @@ -144571,10 +145634,10 @@ rule MALPEDIA_Win_Dnwipe_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "1dfcf0b7-155d-5531-9418-b3b6f7b47f6c" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnwipe" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dnwipe_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dnwipe_auto.yar#L1-L120" license_url = "N/A" logic_hash = "a0d87818c953765cbf35eb3a0b4d4fff142998a549a84312b85c4d079e960955" score = 75 
@@ -144583,9 +145646,9 @@ rule MALPEDIA_Win_Dnwipe_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -144609,42 +145672,42 @@ rule MALPEDIA_Win_Stegoloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b6a7b2b-6883-5a49-84ad-5eb99ca2dffd" - date = "2026-01-05" - modified = "2026-01-06" + id = "2b193d9f-cb83-5602-8457-b0864d957d0c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.stegoloader_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.stegoloader_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "0fc5c31b9f64d477e89b80a8b4c8cba676e173d514623e0201d322a0680fd5e3" + logic_hash = "d4b2a6accdbe8620fa269b3623bd276bf0e5f50ac8d5537bc331ef583e74a22c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 759d 8b043e 0345fc eb03 } - $sequence_1 = { 51 51 8b4514 8b4d18 53 56 57 } - $sequence_2 = { 8d4b01 40 57 894c2414 89442410 8d4c2410 } - $sequence_3 = { 881e 8811 0fb68801010000 0fb69000010000 8a0c01 020c02 8b55fc } - $sequence_4 = { 897dfc 8bf7 3bf7 743a 8bce } - $sequence_5 = { 50 8d45f0 50 53 53 ff75f8 e8???????? } - $sequence_6 = { 8945f0 894dfc 394dfc 753c 394e18 } - $sequence_7 = { 8bd3 e8???????? 
03f3 59 8945f4 85c0 } - $sequence_8 = { 2b4c2408 8b542414 8a09 ff442414 48 880a } - $sequence_9 = { 895e04 895e08 895e0c 7611 53 } - $sequence_10 = { ff7108 e8???????? c3 56 8bf1 e8???????? f644240801 } - $sequence_11 = { 49 49 51 ff7004 8b4f04 } - $sequence_12 = { ff442414 48 880a 75e9 eb5b 83e803 eb02 } - $sequence_13 = { 8bf8 33f6 8b1c3e 6a40 83c604 8b043e } - $sequence_14 = { 83ceff 394c240c 7629 57 8b44240c 0fb61401 6a08 } - $sequence_15 = { c645ff00 8bc8 8bc7 f7f1 } + $sequence_0 = { 8b5204 8b5208 85d2 7405 895128 fec0 } + $sequence_1 = { 8a09 ff442414 48 880a 75eb 89742408 } + $sequence_2 = { eb02 33f6 3bf3 7477 8b06 53 } + $sequence_3 = { 50 8d45f4 50 8b4508 53 53 ff5008 } + $sequence_4 = { 53 53 6a04 53 53 c70044000000 c7402c01000000 } + $sequence_5 = { 50 ff75f4 8d45e8 50 83c604 } + $sequence_6 = { 8945ec e8???????? 8b7d08 33f6 8945f0 } + $sequence_7 = { 59 747c 56 57 6a14 e8???????? } + $sequence_8 = { c645f36c c645f46c c645f500 56 } + $sequence_9 = { c645e874 c645e972 c645ea6f c645eb6c c645ec5f } + $sequence_10 = { eb0c 895804 895808 897e24 897e28 897e20 } + $sequence_11 = { d1e9 741b 85c0 741b 8b542414 8b742414 } + $sequence_12 = { 84c0 7414 ff75ec 8b3d???????? } + $sequence_13 = { 8b4004 6a40 8945f8 6800300000 8d45f8 50 } + $sequence_14 = { 85db 59 59 7417 57 56 e8???????? } + $sequence_15 = { 8bec 81ec0c020000 53 8d85f4fdffff } condition: 7 of them and filesize < 802816 
@@ -144654,36 +145717,36 @@ rule MALPEDIA_Win_Playwork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "253bcdde-b9c7-5158-90ca-b4dcc36f9889" - date = "2026-01-05" - modified = "2026-01-06" + id = "067a3320-4bd1-5237-927c-4703bf4eee96" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.playwork_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.playwork_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "93e0526e64b6e0ff6fb1dc40df8f238384033948c1e004d69238a8eee94e726f" + logic_hash = "6265b4953c4af6193b57b28e31e934be24e04932a330ad3d64b0042a0555d1d0" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 59 8945f0 0f84d4010000 8d4df4 } - $sequence_1 = { eb02 32db 8ac3 8acb c0e807 d0e1 } - $sequence_2 = { 57 8d857ce9ffff 56 50 6800004004 8d4de0 ff7510 } - $sequence_3 = { 8bd0 8d85e8afffff 50 8955ec ffd3 8b4dec } - $sequence_4 = { 53 50 8d4510 6a08 50 57 ffd6 } - $sequence_5 = { c1eb18 330c95344b3f00 8b55e0 8b349d34573f00 c1ea10 } - $sequence_6 = { 50 8d85b8ebffff 68???????? 50 e8???????? 83c444 8d85b8ebffff } - $sequence_7 = { e8???????? 8b45fc 83c40c 668b4008 50 ff15???????? 
0fb7c0 } - $sequence_8 = { a4 284405c8 40 83f822 7cf6 } - $sequence_9 = { 8bce 8975e8 c1e918 8b3c8d34573f00 8b4de0 333c9534533f00 } + $sequence_0 = { 59 837c242000 744c 56 6a00 ff742428 e8???????? } + $sequence_1 = { 8d45bc 56 50 897510 ff7308 897508 } + $sequence_2 = { 53 ffd7 ff742418 e8???????? 8b2d???????? 59 837c241c00 } + $sequence_3 = { 8b45f8 6a2c ff7008 ffd7 } + $sequence_4 = { 57 ff75e8 ff15???????? 3d03010000 0f8442030000 8d8598f9ffff 50 } + $sequence_5 = { 57 8d450c 56 50 bf08010000 8d85f8feffff 57 } + $sequence_6 = { ffd6 03d8 81fb00a00000 0f8d09010000 8d85e8f7ffff 50 ff7508 } + $sequence_7 = { 0fb6c0 33149d5c703f00 3314855c6c3f00 3351f0 3317 83c704 8bc2 } + $sequence_8 = { 83e0f0 5f 7624 53 8b5c2410 56 } + $sequence_9 = { 8b1d???????? 56 ffd3 d1e0 50 56 } condition: 7 of them and filesize < 360448 
@@ -144693,36 +145756,36 @@ rule MALPEDIA_Win_Aukill_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "efca2687-336d-54b6-b9e5-6006cad01a63" - date = "2026-01-05" - modified = "2026-01-06" + id = "29f3bf29-e1fb-5dd5-9c74-7f55118e2b65" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.aukill_auto.yar#L1-L115" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.aukill_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "5efb284cf60297ddb14dee519095e9a3fbc8f6f4ea4b889dc99b33d704551ec0" + logic_hash = "66d21229612adc1e14001dfcd4c2eb0216894dbbdc136931825092ed2004b0e8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33d2 b940040000 ff15???????? 488bd8 } - $sequence_1 = { 488b442460 4c8d442430 488b4c2458 33d2 4889442434 } - $sequence_2 = { 48894c2430 ba04003583 894c2428 48894c2420 448d4920 48894c2450 488b0d???????? } - $sequence_3 = { 771c 488b0b ff15???????? 0fb608 } - $sequence_4 = { 33c9 48895c2440 48894c2438 4c8d442440 48894c2430 ba04003583 } - $sequence_5 = { 488b442460 4c8d442430 488b4c2458 33d2 } - $sequence_6 = { 48894c2420 448d4920 48894c2450 488b0d???????? } - $sequence_7 = { 448d4920 48894c2450 488b0d???????? 48897c2458 4889442448 } - $sequence_8 = { ff15???????? 
85c0 751d 488bcb ff15???????? ff15???????? } - $sequence_9 = { 8905???????? c705????????02000000 48c705????????04000000 ff15???????? 488905???????? 4885c0 } + $sequence_0 = { 48895c2408 57 4883ec40 0fb7da 8bf9 e8???????? } + $sequence_1 = { b940040000 ff15???????? 488bd8 4885c0 } + $sequence_2 = { f20f11442438 660f7ec8 3bc7 751d 488b442428 48c1e830 } + $sequence_3 = { 0fb7da 8bf9 e8???????? 4c8bc8 } + $sequence_4 = { 57 4883ec60 488bfa 8bd9 e8???????? 33c9 } + $sequence_5 = { 85c0 751f 488b4c2458 ff15???????? ff15???????? } + $sequence_6 = { 33c0 4889442428 c744243001000000 c744243c02000000 448d4810 4889442420 ff15???????? } + $sequence_7 = { 488b0d???????? 48897c2458 4889442448 ff15???????? } + $sequence_8 = { 7346 4b8d1440 410f104cd108 0f114c2428 f2410f1044d118 f20f11442438 } + $sequence_9 = { 48895c2408 57 4883ec60 488bfa 8bd9 e8???????? 33c9 } condition: 7 of them and filesize < 446464 
@@ -144732,36 +145795,36 @@ rule MALPEDIA_Win_Rad_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8a099829-2dbe-5073-9ece-c0e3e763fe4a" - date = "2026-01-05" - modified = "2026-01-06" + id = "bf437c6c-14d0-537d-97ae-1c65837a3a49" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rad" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rad_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rad_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "2d90510a72fef277223444468a95d2c25d3c61f771625c4fd1893b29c13678f2" + logic_hash = "e5fba2ffd5efbadf6e64d5a24283e834d8ffc08c1ab2e8bef97a1d4aa25567b7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8d9cfdffff c645fc1a ff15???????? c645fc19 } - $sequence_1 = { 51 ff15???????? 83c404 33c0 8945c8 } - $sequence_2 = { 5b c3 83fefe 760b } - $sequence_3 = { 8d8f10030000 c684240c06000016 ff15???????? 8d4c2458 c684240806000015 ffd3 39742450 } - $sequence_4 = { 89742410 c684240001000006 85f6 7447 8bce ff15???????? c706???????? } - $sequence_5 = { e8???????? 8d4c2434 68???????? 51 e8???????? 8b35???????? 6a14 } - $sequence_6 = { ff25???????? 8db514faffff e9???????? 8db530faffff e9???????? 
8d8d4cfaffff } - $sequence_7 = { 8b75e0 8bd6 83fe06 7205 } - $sequence_8 = { 8975b0 eb03 897db0 8b55b0 8955ac c645fc04 } - $sequence_9 = { 59 8be5 5d c20400 8d4df0 c645fc00 ff15???????? } + $sequence_0 = { 8d4dd4 c745e80f000000 e8???????? 8975fc 8b75b4 8d45d4 } + $sequence_1 = { 05c8030000 50 8d8db8feffff ff15???????? 8d8db8feffff c645fc15 ff15???????? } + $sequence_2 = { e8???????? 8be5 5d c3 be26000000 b8???????? 8d4c243c } + $sequence_3 = { 898415ccfeffff ff15???????? 8b8d68ffffff 8bb574ffffff 83e980 51 8d9570ffffff } + $sequence_4 = { be12000000 b8???????? 8d4c2418 895c2428 885c2418 e8???????? } + $sequence_5 = { c745fc00000000 e8???????? 8b5dac 8b03 8b5004 8bcb } + $sequence_6 = { 83fb0b 0f95c0 85c0 0f94c0 84c0 740e 8b442418 } + $sequence_7 = { e9???????? 8db514faffff e9???????? 8d8d4cfaffff ff25???????? 8db530faffff } + $sequence_8 = { 8b06 2bc8 51 50 57 ff15???????? 8b06 } + $sequence_9 = { 8b35???????? 50 8d8c2400020000 ffd6 8d8c2474010000 51 8bc8 } condition: 7 of them and filesize < 207872 
@@ -144771,36 +145834,36 @@ rule MALPEDIA_Win_Tiop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7759473d-7c21-529d-8c5c-8c80ad3dfcde" - date = "2026-01-05" - modified = "2026-01-06" + id = "30114694-306b-517d-83d9-2cb7f6fc8531" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tiop_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tiop_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "9d95462dbb557911b61e12f852944c9e17315546dfa96a6eb7c9f227ec2b38c0" + logic_hash = "29f3dcd0b60fbfc45bb51d0b758fbb00fef1cbc5490ebbf83041a8996bdb57fb" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd7 8d4c241c a3???????? e8???????? 8b10 53 8bc8 } - $sequence_1 = { 57 8965e8 8b4508 8d7004 8975e4 } - $sequence_2 = { 51 50 ffd7 83c408 85c0 7555 8b4604 } - $sequence_3 = { 64a100000000 50 64892500000000 83ec08 b8fc120000 e8???????? } - $sequence_4 = { 51 55 ff15???????? 8b7c2410 56 8b35???????? } - $sequence_5 = { 8d542414 68???????? f3ab 52 ffd3 83c414 85c0 } - $sequence_6 = { 68???????? 
64a100000000 50 64892500000000 83ec08 56 33f6 } - $sequence_7 = { c64424388d c6442439b5 c644242c81 c644242dc3 c644243e85 c644243fff } - $sequence_8 = { 8d542410 53 8944247c 53 894c2468 89542474 } - $sequence_9 = { 8bf8 ff5204 894708 a1???????? 50 57 } + $sequence_0 = { ffd5 8b442418 83c610 48 } + $sequence_1 = { ffd6 85c0 75ed 5f } + $sequence_2 = { 8b3d???????? 68???????? 56 ffd7 83c408 3bc6 752e } + $sequence_3 = { 8dbab4050000 f3ab 66ab b90c000000 33c0 8dbae6050000 f3ab } + $sequence_4 = { 53 8d8c2424010000 50 51 ff942478030000 } + $sequence_5 = { c60600 ff15???????? 56 e8???????? 83c404 85c0 7507 } + $sequence_6 = { 83c404 83ffff 7412 8d442418 50 57 e8???????? } + $sequence_7 = { 8b542410 83c404 8d4c240c 8bf0 6a00 51 } + $sequence_8 = { b940000000 33c0 8dbc240d010000 c684240c01000000 f3ab 66ab 68???????? } + $sequence_9 = { 8b542418 8b4c2420 8b3d???????? 8944240c 8b44242c 89542408 8b542424 } condition: 7 of them and filesize < 712704 
@@ -144810,55 +145873,55 @@ rule MALPEDIA_Win_Tidepool_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "79b9a91d-2f80-54a4-850d-1eac43bf12cc" - date = "2026-01-05" - modified = "2026-01-06" + id = "dd2e5f28-abfd-58a8-a2a8-ea28faa244be" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tidepool_auto.yar#L1-L262" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tidepool_auto.yar#L1-L262" license_url = "N/A" - logic_hash = "a70dd848875168b4bad1ed7e445677eb0934ca243a590965d7d194a18350ca55" + logic_hash = "aa178d415beb9c4997246c9f1636848425691dbac0fb28e937331daca515c23b" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5f 5e 5b 8b8d00030000 } - $sequence_1 = { 8b8d00030000 33cd e8???????? 81c504030000 } - $sequence_2 = { 6a00 50 8b08 ff91a4000000 } - $sequence_3 = { 8bc6 5e c20400 80790800 c701???????? 740e 8b4904 } - $sequence_4 = { 53 6a02 8bf1 e8???????? } - $sequence_5 = { 83c40c 803d????????37 7518 68???????? } - $sequence_6 = { 6800000040 8d4500 50 ff15???????? } - $sequence_7 = { 83e906 51 83c006 50 6a02 } - $sequence_8 = { 681f000200 56 68???????? 6801000080 } - $sequence_9 = { 5e 5f 5b c9 c3 ff25???????? 51 } - $sequence_10 = { e8???????? 68???????? 68???????? 68???????? 
8d4500 } - $sequence_11 = { 75f9 b8???????? b900000400 c60000 40 49 } - $sequence_12 = { 8b08 ff91a4000000 8b4654 6a01 } - $sequence_13 = { 8d5658 52 50 ff91d0000000 } - $sequence_14 = { 6810270000 ff15???????? 8b45ec 8b08 } - $sequence_15 = { 7509 8b4654 50 8b08 ff5138 47 } - $sequence_16 = { 40 49 75f9 b8???????? b900000400 } - $sequence_17 = { 8d45ec 50 681f000200 53 68???????? } - $sequence_18 = { 56 8bf1 e8???????? 8b4654 6a00 } - $sequence_19 = { 6802020000 ff15???????? 68???????? ff15???????? 8bf8 } - $sequence_20 = { 2bca 33d2 85c9 894c2410 89542414 } - $sequence_21 = { 89442424 7e13 51 8d542428 } + $sequence_0 = { 6a00 50 8b08 ff91a4000000 } + $sequence_1 = { 5b 8b8d00030000 33cd e8???????? 81c504030000 } + $sequence_2 = { 5e c20400 80790800 c701???????? 740e 8b4904 85c9 } + $sequence_3 = { e8???????? 83c404 8bc6 5e c20400 80790800 } + $sequence_4 = { 64890d00000000 59 5f 5e 5b 8b8d00030000 } + $sequence_5 = { 33db 53 6a02 8bf1 e8???????? } + $sequence_6 = { 51 83c006 50 6a02 } + $sequence_7 = { 2bc8 83e906 51 83c006 } + $sequence_8 = { e8???????? 83c40c 803d????????37 7518 68???????? } + $sequence_9 = { 6800000040 8d4500 50 ff15???????? } + $sequence_10 = { 8b08 ff91a4000000 8b4654 6a01 50 } + $sequence_11 = { 6810270000 ff15???????? 8b45ec 8b08 } + $sequence_12 = { 52 50 8b08 ff91f8000000 } + $sequence_13 = { 83ff14 7509 8b4654 50 } + $sequence_14 = { 740c 8b470c 83c604 833c0600 } + $sequence_15 = { 741d 6a00 68b80b0000 ffd3 } + $sequence_16 = { 8bf1 e8???????? 8b4654 6a00 50 } + $sequence_17 = { e8???????? 68???????? 68???????? 68???????? 8d4500 } + $sequence_18 = { 49 75f9 b8???????? b900000400 } + $sequence_19 = { 681f000200 56 68???????? 6801000080 } + $sequence_20 = { eb06 8b3d???????? 8d45fc 50 } + $sequence_21 = { 8d0c40 8d148500000000 89442414 894c2410 89542418 8b5500 } $sequence_22 = { ff75ec ff15???????? 8b35???????? 6a04 } - $sequence_23 = { 53 50 ff75f8 ff75e4 ff75fc ff15???????? 
} - $sequence_24 = { 7504 802000 4b 57 } - $sequence_25 = { 59 ff15???????? 8b4df8 8945d8 8b45fc 8d840832010000 } - $sequence_26 = { 56 e8???????? 8b7d08 57 e8???????? d1e0 } - $sequence_27 = { 895dd4 895dac 895de0 885def 895de8 66ab } - $sequence_28 = { 3bf3 7e16 e8???????? 6a1a } + $sequence_23 = { 8d85b8fcffff 89bdb8fcffff 50 ffd6 8d45e8 } + $sequence_24 = { ff15???????? 8d45a4 50 ffd6 8d55b4 } + $sequence_25 = { e8???????? 83c414 a3???????? ff35???????? 56 8b35???????? } + $sequence_26 = { 0f85d1000000 807c19ff20 8d4419ff 7504 802000 4b 57 } + $sequence_27 = { 741b ff75f8 e8???????? 84c0 59 } + $sequence_28 = { d1e1 51 50 ff75fc e8???????? 83c414 } condition: 7 of them and filesize < 1998848 
@@ -144868,36 +145931,36 @@ rule MALPEDIA_Win_Moonbounce_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "300bd16a-9128-501e-b6a9-aa7b7927b326" - date = "2026-01-05" - modified = "2026-01-06" + id = "2da98614-65a4-5227-bf42-e140c3206599" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.moonbounce_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.moonbounce_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "07326c1e5d89427ce612fcc5180ad0922ace80e6e89b51e53f272b71223e0de4" + logic_hash = "c88f40d1d857bf1c76177c0c7eb43f16650b71d1b80bdf0f0745bd71c4b7c892" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b4dd4 0500100000 83c418 8901 } - $sequence_1 = { b9???????? 2bc8 51 50 8b4508 83c014 50 } - $sequence_2 = { 8945d8 53 8d45dc 50 ff15???????? 8d45d0 8945f8 } - $sequence_3 = { 034004 83780400 7798 8d8680000000 83780400 } - $sequence_4 = { 57 57 83c60c 56 ff15???????? 5f } - $sequence_5 = { ff7508 ff15???????? 6a40 6800300000 8d45fc 50 } - $sequence_6 = { 84c0 7518 8b4310 56 } - $sequence_7 = { 8365f400 8d5008 895508 8b5004 03cb 83c2f8 894df0 } - $sequence_8 = { 8b45f0 0fb70448 8b4f1c 8d0c81 8b4508 8b1c01 03d8 } - $sequence_9 = { 8d450c 50 ff750c 33db ff15???????? 
} + $sequence_0 = { 8b4120 83c114 894df8 85c0 0f857bffffff eb04 } + $sequence_1 = { f7c2feffffff 7640 eb03 8b4df0 8b5508 } + $sequence_2 = { 50 ffd6 8b4310 33f6 } + $sequence_3 = { ff15???????? 57 57 83c60c } + $sequence_4 = { 7439 3bc6 7435 6a30 } + $sequence_5 = { 55 8bec 83ec30 53 33db 53 } + $sequence_6 = { 56 8b30 57 8b7d08 6a05 } + $sequence_7 = { 33d2 8d443018 663b5606 7342 } + $sequence_8 = { 50 e8???????? 8b7d08 81c700080000 b980000000 } + $sequence_9 = { c745f4d2070100 895dec ff15???????? 53 6a01 53 } condition: 7 of them and filesize < 70912 @@ -144908,10 +145971,10 @@ rule MALPEDIA_Win_Mgbot_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "dd03dc94-bb3a-5cad-8f13-4bbe4b7f90a6" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mgbot_auto.yar#L1-L114" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mgbot_auto.yar#L1-L114" license_url = "N/A" logic_hash = "7310ce51cc81391fc78e9881bf8f490b2a783d4789728f7661df3e6bdca512d7" score = 75 
@@ -144920,23 +145983,23 @@ rule MALPEDIA_Win_Mgbot_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 8be5 5d c20800 6808020000 e8???????? } - $sequence_1 = { 6808020000 e8???????? 6804010000 8bf0 } - $sequence_2 = { 5d c20800 6808020000 e8???????? } - $sequence_3 = { 6808020000 e8???????? 6804010000 8bf0 6a00 56 e8???????? } - $sequence_4 = { 5b 8be5 5d c20800 6808020000 } + $sequence_1 = { 5d c20800 6808020000 e8???????? } + $sequence_2 = { 8be5 5d c20800 6808020000 } + $sequence_3 = { 5b 8be5 5d c20800 6808020000 e8???????? } + $sequence_4 = { 6808020000 e8???????? 6804010000 8bf0 6a00 56 } $sequence_5 = { 6808020000 e8???????? 6804010000 8bf0 6a00 } - $sequence_6 = { 0f8553ffffff 5f 33c0 5e } - $sequence_7 = { 8be5 5d c20800 6808020000 } - $sequence_8 = { 6808020000 e8???????? 6804010000 8bf0 6a00 56 } - $sequence_9 = { 5b 8be5 5d c20800 6808020000 e8???????? } + $sequence_6 = { 5b 8be5 5d c20800 6808020000 } + $sequence_7 = { 0f8553ffffff 5f 33c0 5e } + $sequence_8 = { 6808020000 e8???????? 6804010000 8bf0 } + $sequence_9 = { 6808020000 e8???????? 6804010000 8bf0 6a00 56 e8???????? } condition: 7 of them and filesize < 1677312 
@@ -144946,36 +146009,36 @@ rule MALPEDIA_Win_Kwampirs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a88d76d0-b266-5ba2-9e4c-b6324e74f1af" - date = "2026-01-05" - modified = "2026-01-06" + id = "dc29c1c5-d8aa-5f9b-ab7e-e64a4c5c99fb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kwampirs_auto.yar#L1-L112" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kwampirs_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "47dcb9c842442be04bc0bae4d6dd96d075eca81ceae0f2c5424da9336b167768" + logic_hash = "9140abf3e9907c131bb7364474e683e8b11d54a3735784351b90378dc1735bd8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 391f 0f95c0 8b4df0 64890d00000000 59 5f 5e } - $sequence_1 = { 83c418 85c0 7512 8b07 50 e8???????? 83c404 } - $sequence_2 = { 391f 0f95c0 8b4df0 64890d00000000 } - $sequence_3 = { 52 50 8d8dbcf3ffff 51 } - $sequence_4 = { 33d2 668955f6 e8???????? 83c40c } - $sequence_5 = { ffd6 8b45c0 50 ffd6 } - $sequence_6 = { 50 ffd6 8b4dc4 51 ffd6 } - $sequence_7 = { 668955f6 e8???????? 83c40c 33d2 } - $sequence_8 = { c745fcfeffffff e8???????? b001 8b4df0 } - $sequence_9 = { 33d2 6816060000 52 8d85bef3ffff 50 } + $sequence_0 = { 8bec 81ec580c0000 a1???????? 
33c5 8945f8 8b4508 53 } + $sequence_1 = { 8d45f0 64a300000000 8965e8 8bf9 33db } + $sequence_2 = { 81ec580c0000 a1???????? 33c5 8945f8 8b4508 } + $sequence_3 = { c745fcfeffffff 8b45e0 85c0 7409 50 } + $sequence_4 = { e8???????? b001 8b4df0 64890d00000000 59 } + $sequence_5 = { 33c9 b80d000000 ba02000000 f7e2 } + $sequence_6 = { 50 6a01 56 8b0f 51 e8???????? } + $sequence_7 = { 6a01 56 8b0f 51 e8???????? } + $sequence_8 = { c745fcfeffffff 8b45e0 85c0 7409 } + $sequence_9 = { 83c418 85c0 7512 8b07 } condition: 7 of them and filesize < 2695168 
@@ -144985,42 +146048,42 @@ rule MALPEDIA_Win_Nabucur_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9022825e-08e1-5228-a8ab-7502f1d2e737" - date = "2026-01-05" - modified = "2026-01-06" + id = "30149a16-f5f4-5678-9c69-fb692298335c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nabucur_auto.yar#L1-L155" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nabucur_auto.yar#L1-L159" license_url = "N/A" - logic_hash = "1073a8071d9c420307c019b8193b4c07d15bc5ab7630e60f5042626f0d12ed0f" + logic_hash = "2b7c3d756500fa20c23843b84a9086b4c85fb7c4fe41352a8b5ff7a1dfee359e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 48 894500 85c0 7fee } - $sequence_1 = { 48 8944241c 85c0 7fd1 } - $sequence_2 = { 48 83f801 89442418 0f8f15ffffff } - $sequence_3 = { 48 83e908 85c0 75f0 57 } - $sequence_4 = { 48 8906 8d442410 50 } - $sequence_5 = { 009eaa030000 0fb686aa030000 57 83f80a 0f876d010000 } - $sequence_6 = { 33ff 397c242c 7e61 8b6c242c 8b03 8d4c0001 81f900020000 } - $sequence_7 = { 48 89442414 85c0 0f8f68ffffff } - $sequence_8 = { 89728e 5f 5c ab } - $sequence_9 = { e9???????? ffd6 e9???????? 5e e9???????? 
68ad009a0c } - $sequence_10 = { ba0eb4d3fc 83c604 eb0c 83f901 } - $sequence_11 = { 8bec 68???????? e8???????? 813d????????1d932600 } - $sequence_12 = { e022 0884df221d84c2 221b 84dd 223c84 } - $sequence_13 = { b4d6 98 db3e d35f9e c25a1a } - $sequence_14 = { af 6abb 8ed5 3155fc } - $sequence_15 = { 91 039109861780 60 96 } + $sequence_1 = { 49 23cf 894c241c 3bc3 } + $sequence_2 = { 33ff 33f6 4a c744244001000000 89542434 8b6c2438 } + $sequence_3 = { 49 23cb 894d08 5d } + $sequence_4 = { 009eaa030000 0fb686aa030000 57 83f80a 0f876d010000 } + $sequence_5 = { 49 03d3 40 85c9 } + $sequence_6 = { 49 23ce 894f18 8bf0 85c0 0f8521040000 } + $sequence_7 = { 49 3b442430 891e 8944241c } + $sequence_8 = { bb95c9c7fe e8???????? 81f2cf3a3100 81f3db2737fd } + $sequence_9 = { e9???????? 837d0c00 750c ffb5a4fdffff 8f05???????? } + $sequence_10 = { baaf746bf8 81f2d2b424fb e8???????? 81f2e5b3d7f7 bbee904bf8 } + $sequence_11 = { 8706 85c0 75f5 61 c3 60 } + $sequence_12 = { 2d4c67d056 0e 67389db266 d07d0b 80ab140ee42859 } + $sequence_13 = { bbb76d15f9 e8???????? bb1ddfc5f7 81f2560b5efd ba3be69bfc } + $sequence_14 = { bafa2649fd 83f901 7db6 ba8fb4a3fb ebb8 83e904 } + $sequence_15 = { a1???????? a6 48 207b98 } condition: 7 of them and filesize < 1949696 
@@ -145030,36 +146093,36 @@ rule MALPEDIA_Win_Ktlv_Door_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e065a03-91ac-5e12-9f0d-2a07114a6941" - date = "2026-01-05" - modified = "2026-01-06" + id = "b72e81ca-7d5e-5297-bbe9-6aa7902659a6" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ktlv_door" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.ktlv_door_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.ktlv_door_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "7086a37fac571e3e072f3722403d024774dd0aed3f77f3425014c9e7e0c7108d" + logic_hash = "5ac69720388308c80b5a37adfc511292d61061e883af5a51db60316becc21ed1" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffc2 85d2 7d10 488d053ed25900 31db 31c9 e8???????? } - $sequence_1 = { eb0e 488d3d1a475800 6690 e8???????? 488d0594b92c00 e8???????? 48c7400836000000 } - $sequence_2 = { eb25 488b8424a00c0000 4889c3 488d8c24780a0000 0f1f4000 e8???????? 488b542430 } - $sequence_3 = { eb11 488d7818 488b8c2440080000 e8???????? 48c7400810000000 488d0da4e81900 488908 } - $sequence_4 = { ffd0 488bac24c8010000 4881c4d0010000 c3 48899c2450020000 48898c2458020000 c644243700 } - $sequence_5 = { eb0c 488d3d9bba4000 e8???????? 488b0d???????? 48898c2458050000 488d05800f1700 e8???????? 
} - $sequence_6 = { eb0d 488bbc24a8000000 e8???????? 4889c6 4889d9 488b842490000000 488b5c2460 } - $sequence_7 = { eb0e 488d7818 488b4c2418 e8???????? 4889c3 488d05371d3d00 488b6c2428 } - $sequence_8 = { eb11 488d7838 488b8c24e8010000 e8???????? 488d0d529c2900 4889c2 4889842400010000 } - $sequence_9 = { e8???????? 440f11bc24e0010000 440f11bc24f0010000 488b8c24e0000000 48898c24e0010000 488b8c24c8010000 48898c24e8010000 } + $sequence_0 = { ffd0 488b5c2440 488b442430 488b4c2448 488b6c2458 4883c460 c3 } + $sequence_1 = { 4c8d4301 4901c9 4983f804 0f8ca1feffff 4c89d3 4889d9 488bbc24d8000000 } + $sequence_2 = { eb6a 488d942460010000 4889942460010000 488b8c2470010000 488d7101 488b9c2468010000 488bbc2478010000 } + $sequence_3 = { c3 4889c1 90 e8???????? 90 4889442408 48895c2410 } + $sequence_4 = { 90 e8???????? 48c7400825000000 488d0dbd902a00 488908 488b8c24d0000000 488b9424d8000000 } + $sequence_5 = { e8???????? 488d0574451000 488b9c24e8010000 488b8c24e0010000 488bbc2408010000 e8???????? 48c7400801000000 } + $sequence_6 = { c3 81f9ce80d5ec 7510 488d0dc75e3000 4839c8 7436 6690 } + $sequence_7 = { 4c89ac2440010000 4c89e7 4c89f9 e8???????? 488d05814b1b00 4c89eb e8???????? } + $sequence_8 = { e8???????? 48c7400819000000 488d0d0d502f00 488908 31db 31c9 488d3d8d8e3900 } + $sequence_9 = { e8???????? 488b842488000000 0fb610 488b4c2458 4889cb 48c1e103 4c8b9c24c0000000 } condition: 7 of them and filesize < 14630912 
@@ -145069,36 +146132,36 @@ rule MALPEDIA_Win_Soundbill_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fc6eb91d-5824-524d-bbb8-b5d2b50f1e71" - date = "2026-01-05" - modified = "2026-01-06" + id = "8bd1eb00-9546-5eee-9a61-9315c9b8c69d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbill" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.soundbill_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.soundbill_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "23246153789cca2dc7fd1119b61492f6729a30eebbbf9247088b38725417e92a" + logic_hash = "e1009b33f7017cb61c5eebcf50230f014bdf3b5dbedf7d9e866f7fe5b90ea606" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 55 56 4881ecb0030000 488b05???????? 4833c4 4889842470030000 488b8424f0030000 } - $sequence_1 = { 488b8da0000000 e8???????? 4883c420 5d c3 488d8a70000000 e9???????? } - $sequence_2 = { 750e 85c9 0f95c0 8806 83f901 760c eb03 } - $sequence_3 = { 48894a08 488d4808 e8???????? 488d0579b00200 488903 488bc3 4883c420 } - $sequence_4 = { f20f5ce9 f2410f1004c1 488d15562b0100 f20f1014c2 } - $sequence_5 = { c644243001 44397c2440 7f10 ff442434 4885c9 7426 c644243c01 } - $sequence_6 = { 483305???????? 488d1516b70200 488bcb 488905???????? ff15???????? 483305???????? 
} - $sequence_7 = { ffd7 4c8bf0 4885c0 751e 498bcf ff15???????? 488bce } - $sequence_8 = { 418d542416 488d0d3f4b0100 e8???????? 488b0b 66443921 488bcb 744d } - $sequence_9 = { 8b4018 25c0010000 83f840 0f84e7010000 } + $sequence_0 = { 4c8d0dffb30100 b904000000 4c8d05ebb30100 488d15ecb30100 e8???????? 4c8d0df8b30100 b907000000 } + $sequence_1 = { 4983ff10 490f43c6 3a1438 753a 4885ff 7510 } + $sequence_2 = { 83f8ff 7453 c6430800 33ff 4c8b742430 85f6 0f85f4000000 } + $sequence_3 = { 4c8d05c6440400 4c8905???????? 4c8bd1 4d85c9 7413 498b01 48635004 } + $sequence_4 = { 488d55c0 488d4c2470 e8???????? 90 660f6f05???????? f30f7f442460 c644245000 } + $sequence_5 = { 8bcf e8???????? 488bd7 4c8d0557a30200 83e23f 488bcf } + $sequence_6 = { 0f87a3030000 e8???????? 0f10442428 0f11442450 } + $sequence_7 = { 660f73d908 66480f7ec8 4883f810 480f43ca e8???????? 4885c0 } + $sequence_8 = { 488d1d64fe0300 488d0575fe0300 480f44d8 ba01000000 488d4c2428 e8???????? 4c8bc0 } + $sequence_9 = { ba01000000 488d4daf e8???????? 90 33ff 498bd7 488bcb } condition: 7 of them and filesize < 973824 
@@ -145108,36 +146171,36 @@ rule MALPEDIA_Win_Targetcompany_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4c6c1b9e-4647-5918-893c-d13ce0b5fa25" - date = "2026-01-05" - modified = "2026-01-06" + id = "11ed9b92-814d-55ea-be2b-897441519d4d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.targetcompany_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.targetcompany_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "47a23feab60239622d1061098dd7caa46d2a81895190e3a3f7d203abbeea4b5b" + logic_hash = "4a0748650a37ff73f23e623d657be6fe08f1a469d6884f8d163fadec988603a5" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8955f4 e8???????? ff75b4 8bf8 53 } - $sequence_1 = { e8???????? 8d45b0 50 8d85c0feffff 50 8d8d10ffffff e8???????? } - $sequence_2 = { 8bcf 83f808 7207 8b17 89550c eb03 897d0c } - $sequence_3 = { 57 6a0f 5a 8bce 8d45e0 e8???????? } - $sequence_4 = { 50 ff15???????? be08000100 56 8944242c 8d842430450000 53 } - $sequence_5 = { 53 895db0 8955b4 e8???????? ff75b4 8906 8b4708 } - $sequence_6 = { 0f85a0000000 56 50 68???????? e8???????? 
83c40c 83bdbcfeffff20 } - $sequence_7 = { 8945c0 8b75c0 8d7d9c a5 } - $sequence_8 = { ab ab 53 53 ab 8b442424 6801200000 } - $sequence_9 = { 83fe50 72d0 8db564ffffff e8???????? } + $sequence_0 = { a5 a5 a5 51 8d75ec e8???????? 59 } + $sequence_1 = { 13da 53 57 e8???????? ff75c4 894618 ff75c0 } + $sequence_2 = { 8b4914 83f9ff 7302 8bd9 2b4508 83c9ff 2bcb } + $sequence_3 = { 0f84a5000000 8d75b4 e8???????? 837dec08 8b4dd8 7303 8d4dd8 } + $sequence_4 = { 50 895c245c 895c2460 895c2454 895c2458 56 e9???????? } + $sequence_5 = { 7639 8b4d0c 8d75f4 894df4 8945f8 e8???????? 0fb70b } + $sequence_6 = { 8d4de8 ffb5c4feffff ffb5c4feffff e8???????? 83c410 53 53 } + $sequence_7 = { 5e c60000 5b c3 55 8bec 83ec34 } + $sequence_8 = { 50 ff36 8d4c2428 e8???????? 83c410 68???????? } + $sequence_9 = { 7205 8b4e04 eb03 8d4e04 50 52 51 } condition: 7 of them and filesize < 328704 
@@ -145147,48 +146210,48 @@ rule MALPEDIA_Win_Hive_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "afed1177-c874-5c40-8ff0-eb8fbf356303" - date = "2026-01-05" - modified = "2026-01-06" + id = "62395fb2-a697-5968-a6d7-8b850bc3ffbe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hive_auto.yar#L1-L195" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hive_auto.yar#L1-L193" license_url = "N/A" - logic_hash = "2741699b9ca4dafd7c3cf41d98fd9bcda89c6f9e810164b470706ce97b3270bd" + logic_hash = "cfbb7f8959e19a195b0f086d4aa400c0364275db029c50731f180db81fe1d961" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 31c0 b91d000000 31d2 31db } - $sequence_1 = { 31c9 eb12 0fb6540c12 0fb63408 } - $sequence_2 = { 89c2 e8???????? b801000000 e8???????? } - $sequence_3 = { 31c9 31d2 31db 31f6 31ff eb09 } - $sequence_4 = { 31c0 31c9 31d2 bb01000000 beae000000 } - $sequence_5 = { 89d1 e8???????? b802000000 e8???????? } - $sequence_6 = { 81c4b0000000 c3 e8???????? 90 } - $sequence_7 = { 0fb6b40495000000 89d7 31f2 01c2 } - $sequence_8 = { 89d1 e8???????? b901000000 e8???????? 
} - $sequence_9 = { 0fb7442404 8b0c24 894c246a 668944246e 8b4c246a } - $sequence_10 = { 0fb7744c12 89d7 31f2 01ca } - $sequence_11 = { 31c9 31d2 bb04000000 beb8000000 } + $sequence_1 = { 89c2 e8???????? b801000000 e8???????? } + $sequence_2 = { 89d1 e8???????? b802000000 e8???????? } + $sequence_3 = { 7f1e 0fbae000 73ed 90 } + $sequence_4 = { 31c9 31db 31ff eb31 } + $sequence_5 = { 0fb7442404 8b0c24 894c246a 668944246e } + $sequence_6 = { 31c0 31c9 31d2 bb54000000 } + $sequence_7 = { 80fa80 7331 89d6 c0ea04 80fa20 19ff 83e60f } + $sequence_8 = { 0fb6b40495000000 89d7 31f2 01c2 } + $sequence_9 = { 89d1 e8???????? b901000000 e8???????? } + $sequence_10 = { 81c4b0000000 c3 e8???????? 90 } + $sequence_11 = { 0fb7744c12 89d7 31f2 01ca } $sequence_12 = { 01c1 83c101 83f90c 0f820fffffff } - $sequence_13 = { 89bc2478020000 81c438020000 c3 97 88442443 97 892c24 } - $sequence_14 = { 01c8 89c1 c1e91f ffc9 } - $sequence_15 = { 89bc2480000000 89b424c4000000 29ce 46 } - $sequence_16 = { 01c1 c1e106 0fb6c2 01c8 } - $sequence_17 = { 01c2 b8ffffff03 21c5 21c3 } - $sequence_18 = { 01c8 c1e006 400fb6cf 01c1 } - $sequence_19 = { 01c1 c1e106 400fb6d6 01ca } - $sequence_20 = { 01ca c1e206 0fb6c3 01d0 } - $sequence_21 = { 01c0 4000f8 0fb6c0 48898424b0000000 } + $sequence_13 = { 01c1 c1e106 400fb6d6 01ca } + $sequence_14 = { 01ca c1e206 0fb6c3 01d0 } + $sequence_15 = { 01c8 89c1 c1e91f ffc9 } + $sequence_16 = { 01c2 b8ffffff03 21c5 21c3 } + $sequence_17 = { 89b424c4010000 8d74d56c 89b424c0010000 8d74d574 89b424bc010000 8d74d57c } + $sequence_18 = { 01c0 4000f8 0fb6c0 48898424b0000000 } + $sequence_19 = { 01c1 c1e106 0fb6c2 01c8 } + $sequence_20 = { 01c8 c1e006 400fb6cf 01c1 } + $sequence_21 = { 89b424c8000000 897c2438 8b7c2460 0fb7742426 } condition: 7 of them and filesize < 7946240 
@@ -145198,42 +146261,42 @@ rule MALPEDIA_Win_Snatch_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e84bc4db-d72c-55c7-8127-5b70bf9d85b1" - date = "2026-01-05" - modified = "2026-01-06" + id = "e9ca2700-27c0-5d6b-98c9-5a2ddbfa9eb8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.snatch_loader_auto.yar#L1-L176" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.snatch_loader_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "71f941ef8f08c99c9d42e26dfa505e9884dda28bb1bd06c93b12ee312c92bc07" + logic_hash = "80a133ba734986340b80049c5adabe47993c8143bb78dd7386ee1b2f1e07639d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 895dfc e8???????? 8bf0 85f6 744b 33c0 66894606 } - $sequence_1 = { eb0e 8d4dfc 51 8d4df4 51 56 } - $sequence_2 = { 7505 8b45fc eb0d 53 53 } - $sequence_3 = { 57 8bfa 85c0 751d } - $sequence_4 = { 8b7dfc eb04 ffd0 8bf8 a1???????? } - $sequence_5 = { 8bc8 e8???????? a3???????? 85c0 7403 57 } - $sequence_6 = { 8bf8 a1???????? 
85c0 7522 6a02 59 } - $sequence_7 = { 32c3 43 8802 42 } - $sequence_8 = { 76d8 33c0 48 5a 59 5f 5e } - $sequence_9 = { 59 5b 5a c9 c20c00 55 8bec } - $sequence_10 = { 8bec 83c4f8 53 56 57 51 52 } - $sequence_11 = { 0bc0 7454 394508 734f ff7510 } - $sequence_12 = { 33d2 33c9 8a0431 0ac0 741f } - $sequence_13 = { 3b45fc 773b 8b750c 8b7d10 037508 8bde } - $sequence_14 = { 741f 3a0439 7514 41 3b4df8 72ee 8bc2 } - $sequence_15 = { 57 56 8b36 56 8b33 33c0 48 } + $sequence_0 = { c3 56 33f6 49 } + $sequence_1 = { a3???????? 85c0 7505 8b7dfc eb04 ffd0 } + $sequence_2 = { 8bf8 a1???????? 85c0 7522 6a02 59 e8???????? } + $sequence_3 = { 8bc8 e8???????? a3???????? 85c0 7404 } + $sequence_4 = { 57 33db bfe71edec0 895dfc } + $sequence_5 = { 85c0 7406 57 6a00 56 ffd0 } + $sequence_6 = { 85c0 7408 53 6a08 57 ffd0 } + $sequence_7 = { 8bf0 85f6 744b 33c0 66894606 } + $sequence_8 = { 7454 394508 734f ff7510 e8???????? 8945f8 0bc0 } + $sequence_9 = { ff750c ff7508 6a00 6a00 e8???????? 8945fc } + $sequence_10 = { 8b7508 56 e8???????? 0bc0 } + $sequence_11 = { 72ee 8bc2 034508 5a 59 } + $sequence_12 = { 8b5278 035508 8b5a20 035d08 33c9 833f00 } + $sequence_13 = { 33d2 33c9 8a0431 0ac0 741f } + $sequence_14 = { 7440 3b45fc 773b 8b750c 8b7d10 } + $sequence_15 = { e8???????? 8945fc 0bc0 7454 } condition: 7 of them and filesize < 262144 
@@ -145243,36 +146306,36 @@ rule MALPEDIA_Win_Karma_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "24be30a8-d096-5dc7-8e51-b42bf2a52649" - date = "2026-01-05" - modified = "2026-01-06" + id = "09949eae-9164-5d33-929a-4f9c0429a9c8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.karma_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.karma_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "35cdf75103d6b4a50883eb5678dfe204820b04234b8d7ece3879561247948adf" + logic_hash = "561763d00262287b440f7b14f63b126e00552944213d05edf97643d72840507e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a08 6a00 8944243c ffd6 50 ffd3 6a40 } - $sequence_1 = { 8b450c 751c 41 83f908 72f1 } - $sequence_2 = { 8b0d???????? 33c0 3801 740a } - $sequence_3 = { 8bf1 33d2 57 663916 7409 } - $sequence_4 = { 668901 8d5202 6685c0 75ef 8bcf ba???????? } - $sequence_5 = { 750e 6685db 0f8478040000 83c702 ebc8 33ff } - $sequence_6 = { c1c80e 33c7 8b7b14 8903 8d0437 c1c007 314324 } - $sequence_7 = { 8bf1 eb02 33f6 0fb74102 } - $sequence_8 = { 6685c0 7429 0fb7d0 6683fa5c 7410 } - $sequence_9 = { 66833c45f051400000 75f4 33d2 663915???????? 
7415 660f1f840000000000 } + $sequence_0 = { 83c010 83f820 7ce5 33c0 } + $sequence_1 = { 0f8570ffffff 8b45f8 8b4df4 33d2 5f 66891471 8b4df0 } + $sequence_2 = { d1f8 40 8d1400 660f1f440000 0fb70411 8d4902 668901 } + $sequence_3 = { e8???????? 8b4e04 e8???????? eb16 e8???????? 33d2 b9???????? } + $sequence_4 = { 0f1f4000 8b51fc 8d49fc 85d2 } + $sequence_5 = { 83c102 8bf0 6685c0 75e3 85d2 } + $sequence_6 = { 668908 83c002 8a4dfd c645fe00 c645ff01 eb1f 807dff00 } + $sequence_7 = { 0f1f00 0f104405dc 0f1088b8404000 660fefc8 0f114c05dc } + $sequence_8 = { 0fb702 8d4902 668901 8d5202 6685c0 75ef 33c9 } + $sequence_9 = { 7469 8b01 8b4904 56 33f6 8945ec 894df0 } condition: 7 of them and filesize < 49208 
@@ -145282,42 +146345,42 @@ rule MALPEDIA_Win_Tflower_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c8b749a8-7605-5cc7-b1f5-9714e975ddf7" - date = "2026-01-05" - modified = "2026-01-06" + id = "b6b318ab-da35-5322-bfc0-6904101036e2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tflower_auto.yar#L1-L157" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tflower_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "b74bf6ff044f2b1de7c6b08182f1378f15e5cf0c006209455268705fb05e00e4" + logic_hash = "363250cdff28fcd23eda1338c19846d3acf92b9a2757198928248141924dee73" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0001 0200 0103 0303 } - $sequence_1 = { 000f 7708 0001 7708 } - $sequence_2 = { 0002 7408 00f7 7308 } - $sequence_3 = { 89442414 8b06 83f804 0f8728010000 ff2485249d4a00 6a02 6a01 } - $sequence_4 = { 001a 0c05 003c0c 05004e0c05 } - $sequence_5 = { 8b148dc0064f00 331485c0024f00 8bc3 c1e808 } - $sequence_6 = { 83fa07 8b542410 775e 8b6c2414 ff24ad9ce34600 0fb679ff } - $sequence_7 = { 000b 8605???????? 007885 0500788605 } - $sequence_8 = { 33148520c54e00 33f2 2bde d3c3 8bc3 } + $sequence_0 = { ff15???????? 
85db 7423 895e04 } + $sequence_1 = { 8bde ff36 8d85e8fdfdff c7460400000000 68???????? } + $sequence_2 = { 0001 0200 0103 0303 } + $sequence_3 = { 8bba446f4f00 c1e104 33b1416f4f00 33b9456f4f00 0fb6cc 8b842494000000 } + $sequence_4 = { 0fb60c85167c4b00 0fb63485177c4b00 8bf9 8985b4f8ffff c1e702 57 } + $sequence_5 = { 0008 7408 0002 7408 } + $sequence_6 = { 0001 7708 00f3 7608 } + $sequence_7 = { 000f 7708 0001 7708 } + $sequence_8 = { 6a2f 68???????? 56 e8???????? 83c40c 5e } $sequence_9 = { 0010 740b 0021 740b } - $sequence_10 = { c745e0787f4b00 e9???????? c745e0647f4b00 e9???????? c745dc02000000 } - $sequence_11 = { 0001 7708 00f3 7608 } - $sequence_12 = { 0008 7408 0002 7408 } - $sequence_13 = { c1e818 8b4d2c c1eb10 03148520c14e00 0fb6c3 8b5d28 } - $sequence_14 = { 0fb6c0 8b0c8d20ed4e00 330c8520f14e00 8bc3 c1e818 c1eb10 } - $sequence_15 = { 0fbec0 8d89f8feffff 8d0c48 3b0c95788f4f00 } + $sequence_10 = { 001a 0c05 003c0c 05004e0c05 } + $sequence_11 = { 330cb5189c4e00 8b5734 33e9 8b7730 33d5 c1ca04 } + $sequence_12 = { 000b 8605???????? 007885 0500788605 } + $sequence_13 = { 0002 7408 00f7 7308 } + $sequence_14 = { 83e03f 330c8518964e00 330c95189d4e00 8b5764 } + $sequence_15 = { 8bc2 c1e818 894efe 0fb60c8520dd4e00 } condition: 7 of them and filesize < 6578176 
@@ -145327,76 +146390,76 @@ rule MALPEDIA_Win_Microcin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dddf9fba-fce1-5368-9223-75a8c16c13ed" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1e7b2bc-57fb-5d85-8ced-34bcde1a9311" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.microcin_auto.yar#L1-L452" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.microcin_auto.yar#L1-L445" license_url = "N/A" - logic_hash = "ab06ef293989aa12cd44a7f8f720c88cb322c4fba8d50dd4025a69de4fec24e0" + logic_hash = "db507d2610f33cfa3cd120e6427023d53ed38dcca91f15a5c8c75f23b5770e79" score = 75 quality = 44 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { c7461401000000 4d8d8680000000 418900 4989b688000000 41c7868400000004000000 4533c9 } - $sequence_1 = { ff15???????? 488bcb 664489642438 488bf0 ff15???????? 0fb7cf } - $sequence_2 = { 897e04 5b 5f 5e 5d c20400 55 } - $sequence_3 = { 8d45ac 50 6801000080 ff15???????? } - $sequence_4 = { 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff } - $sequence_5 = { ff15???????? 4863c8 c6840d8002000068 488d8d80020000 } - $sequence_6 = { 488b0d???????? ff15???????? 4885c0 742b 488b4018 } - $sequence_7 = { 4885c0 742b 488b4018 488b08 8b09 ff15???????? 488bf8 } - $sequence_8 = { 50 6805100000 68ffff0000 56 8b35???????? ffd6 } - $sequence_9 = { 8d85f8feffff 6804010000 50 ff15???????? 
8d85f8feffff } - $sequence_10 = { ff15???????? 4863c8 807c0c5f5c 7413 488d4c2460 ff15???????? 4863c8 } - $sequence_11 = { ff15???????? 8b3d???????? 8d85e0feffff 50 } - $sequence_12 = { 33f6 50 ffd3 85c0 7e18 } - $sequence_13 = { 488b05???????? 4833c4 488985f0040000 4c8b3d???????? 4533c0 8bfa } - $sequence_14 = { 8b1d???????? 8d85a8feffff 50 ffd3 } - $sequence_15 = { 488b1d???????? 488903 48894308 488b0d???????? } - $sequence_16 = { 7647 498bcd e8???????? 4c8d05b7120100 41b903000000 488d4c45bc 488bc1 } - $sequence_17 = { 6828010000 8d85ccfeffff 6a00 50 } - $sequence_18 = { 488d0d950c0100 ff15???????? 4885c0 7419 } - $sequence_19 = { 7419 488d15730c0100 488bc8 ff15???????? } - $sequence_20 = { 7541 8b4df0 83c108 51 } - $sequence_21 = { 7370 696465726167656e 742e 657865 } - $sequence_22 = { 83ec08 894df8 c745fc00a40000 6a40 6800100000 } - $sequence_23 = { 53 53 56 43 } - $sequence_24 = { 498bd5 ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 8bd7 } - $sequence_25 = { 8b8c8d78feffff 890c90 ebc8 e9???????? 33c0 } - $sequence_26 = { c745f46d737664 c745ec5f6c6569 0fbe4dee 83c101 884dee c745f872742e64 } - $sequence_27 = { 8d8da0f4ffff e8???????? 8b8574dfffff 5e 8be5 } - $sequence_28 = { 8b4dfc 83c108 51 ff15???????? 8b4dfc } - $sequence_29 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? } - $sequence_30 = { 8b4508 0fb608 81e107000080 7905 49 83c9f8 41 } - $sequence_31 = { e8???????? 85c0 751a 488d15f8110100 } - $sequence_32 = { e8???????? cc 4c8d056c120100 498bd4 488bcd } - $sequence_33 = { 83c208 52 ff15???????? 6a06 ff15???????? ebcd 8be5 } - $sequence_34 = { 726f 6e 6d 656e 7400 } - $sequence_35 = { fa fa fa fa fa } - $sequence_36 = { 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 85c0 } - $sequence_37 = { 636373 7673 6873742e65 7865 } - $sequence_38 = { 660fd645ec 660fd645f4 3d89000000 0f87b2010000 0fb68030184000 ff2485d8174000 68???????? } - $sequence_39 = { 63f6 48 89d9 6a08 41 58 4f } - $sequence_40 = { 50 56 c785a4fcffff24020000 ff15???????? 
85c0 7431 } - $sequence_41 = { 8d85f0feffff 6a00 50 e8???????? 83c408 8d95f0feffff } - $sequence_42 = { 680000cf00 68???????? 8d842480000000 50 6a00 ff15???????? } - $sequence_43 = { 68???????? e8???????? 8b7508 c7465cf8814000 } - $sequence_44 = { c785b4feffff00000000 ff15???????? 50 56 ff15???????? 85c0 7e0f } - $sequence_45 = { e8???????? 3d1f047008 754e 49 8b4d08 49 8b5510 } - $sequence_46 = { 7523 56 8d44245c 50 } - $sequence_47 = { 40 ebf8 55 8bec 8b450c } - $sequence_48 = { 8b4060 6a40 6800100000 680c200000 6a00 8945f8 } - $sequence_49 = { 7521 4c 89e1 33d2 41 b800800000 41 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { ff15???????? 8b3d???????? 8d85e0feffff 50 ffd7 } + $sequence_1 = { 488bcb 664489642438 488bf0 ff15???????? } + $sequence_2 = { ff75d4 e8???????? 83c40c 8bc7 } + $sequence_3 = { 488bc6 488b8df0040000 4833cc e8???????? 4881c400060000 415f 415e } + $sequence_4 = { 6a10 50 56 ff15???????? 85c0 0f45f7 } + $sequence_5 = { 488d4d90 ff15???????? 4863c8 807c0d8f5c 7412 488d4d90 ff15???????? } + $sequence_6 = { 4863c8 c6840d8002000077 488d8d80020000 ff15???????? 4863c8 c6840d8002000075 } + $sequence_7 = { ffd3 85c0 7e18 80bc35a8feffff3a 741f 8d85a8feffff } + $sequence_8 = { 6804010000 50 ff15???????? 8d85f8feffff } + $sequence_9 = { ffc3 48ffc7 ff15???????? 3bd8 7ce8 } + $sequence_10 = { 488d8d80020000 ff15???????? 4863c8 c6840d8002000076 488d8d80020000 ff15???????? 4863c8 } + $sequence_11 = { 4833c4 488985f0040000 4c8b3d???????? 4533c0 8bfa } + $sequence_12 = { 488d4c2460 ff15???????? 4863c8 807c0c5f5c } + $sequence_13 = { 68ffff0000 56 8b35???????? ffd6 } + $sequence_14 = { 8b1d???????? 8d85a8feffff 50 ffd3 85c0 } + $sequence_15 = { ff15???????? 
85c0 7426 8b400c } + $sequence_16 = { 8b45f8 8b4dfc 894820 8b55f8 83c208 } + $sequence_17 = { 488d15f8110100 41b810200100 488bcd e8???????? e9???????? 4533c9 4533c0 } + $sequence_18 = { fa fa fa fa fa fa } + $sequence_19 = { 53 53 56 43 } + $sequence_20 = { 4883ec20 8bd9 488d0d950c0100 ff15???????? 4885c0 7419 } + $sequence_21 = { 8b55fc c7422400000000 8b45fc 83c008 50 } + $sequence_22 = { 4c8d056c120100 498bd4 488bcd e8???????? 85c0 } + $sequence_23 = { ff15???????? 8b4df4 8b5124 83c201 8b45f4 895024 } + $sequence_24 = { 6828010000 8d85ccfeffff 6a00 50 } + $sequence_25 = { 7370 696465726167656e 742e 657865 } + $sequence_26 = { 8b85c4f4ffff 83e802 898558ffffff 8b8dc4f4ffff 6bc903 894d9c } + $sequence_27 = { 4c8d0502130100 8bd7 498bcd e8???????? } + $sequence_28 = { 636373 7673 6873742e65 7865 } + $sequence_29 = { 4885c0 7419 488d15730c0100 488bc8 ff15???????? } + $sequence_30 = { e8???????? 85c0 751a 488d15f8110100 41b810200100 } + $sequence_31 = { 0f8404010000 8b4508 8b8804010000 83c103 8b5508 } + $sequence_32 = { 5d c3 8b04cdf4314100 5d c3 0544ffffff 6a0e } + $sequence_33 = { 726f 6e 6d 656e 7400 } + $sequence_34 = { ff15???????? 418d7c24e7 85c0 752a 4c8d0502130100 8bd7 } + $sequence_35 = { 898a04010000 c7857cffffff00000000 eb0f 8b857cffffff } + $sequence_36 = { 8b4df8 83c101 894df8 837df81a 0f8d67010000 } + $sequence_37 = { 41bc14030000 4c8d0574130100 488bcd 418bd4 e8???????? 33c9 85c0 } + $sequence_38 = { 50 68???????? 8935???????? ff15???????? 8d85d4f4ffff 50 } + $sequence_39 = { 8d85d4f4ffff 50 ff15???????? 6804010000 8d85f0feffff } + $sequence_40 = { 83c438 40 5f 5e 5d } + $sequence_41 = { 83c408 8d95f0feffff 8bce e8???????? 83c404 } + $sequence_42 = { 7411 50 ff15???????? c705????????00000000 e8???????? 85c0 } + $sequence_43 = { 0f85a5000000 8d85b8feffff 50 ff15???????? 0fb785c4feffff 50 } + $sequence_44 = { 8b4f08 49 8b5710 e8???????? 41 } + $sequence_45 = { ff15???????? 83c40c 8d45dc 50 ff15???????? 
8bf0 85f6 } + $sequence_46 = { 48 8d542450 c70238020000 ffd3 } + $sequence_47 = { a3???????? 33c0 5e 8b4dfc } + $sequence_48 = { 4c 89e1 03d0 e8???????? eb0b 4c } + $sequence_49 = { 6a00 ff55dc 85c0 0f8496010000 } condition: 7 of them and filesize < 417792 
@@ -145406,73 +146469,75 @@ rule MALPEDIA_Win_Sedreco_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f5874626-d0e0-58d9-91c8-0db502ae6b52" - date = "2026-01-05" - modified = "2026-01-06" + id = "fda3c98f-680e-5a99-b2de-60d8a3e56562" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sedreco_auto.yar#L1-L422" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sedreco_auto.yar#L1-L437" license_url = "N/A" - logic_hash = "f4bff7c9ba602579624cb55726a1e993d47a39a8f6d5c8006861ce5f5842d524" + logic_hash = "52edd554ec3fb1ec3d4e741e2e4c3380154ed7d6d30c1418173005965ddca964" score = 75 quality = 50 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 51 836d0804 53 56 8b750c } + $sequence_0 = { 55 8bec 51 836d0804 53 } $sequence_1 = { 8b750c 56 e8???????? 6a08 } - $sequence_2 = { e8???????? 89450c 56 85c0 } - $sequence_3 = { 55 8bec 51 836d0804 } - $sequence_4 = { c645ff30 e8???????? 85c0 7505 } + $sequence_2 = { c645ff30 e8???????? 85c0 7505 e8???????? } + $sequence_3 = { 836d0804 53 56 8b750c } + $sequence_4 = { e8???????? 89450c 56 85c0 } $sequence_5 = { 50 68???????? 6a0d 68???????? } - $sequence_6 = { 7411 6a04 68???????? 68???????? } + $sequence_6 = { 51 6802020000 68???????? 50 } $sequence_7 = { 7ce0 a1???????? 
5e 85c0 } - $sequence_8 = { 51 6802020000 68???????? 50 } - $sequence_9 = { 56 be???????? 8b06 85c0 740f 50 } - $sequence_10 = { ffd6 8b0d???????? 894104 85c0 } - $sequence_11 = { 751d 6afe 8d45f0 50 } - $sequence_12 = { 83c40c b801000000 8b4df0 64890d00000000 59 5f } - $sequence_13 = { 83c604 81fe???????? 7ce0 a1???????? } - $sequence_14 = { ffd6 8b0d???????? 898138010000 85c0 } - $sequence_15 = { 488b05???????? ff90e8000000 488b0d???????? 488b05???????? ff5028 48c705????????00000000 } - $sequence_16 = { c744242004000000 4533c9 4533c0 ba000000c0 488b0d???????? 488b05???????? } + $sequence_8 = { 7411 6a04 68???????? 68???????? } + $sequence_9 = { ffd6 8b0d???????? 89417c 85c0 } + $sequence_10 = { ff15???????? 83c604 81fe???????? 7ce0 a1???????? } + $sequence_11 = { 83c40c b801000000 8b4df0 64890d00000000 59 5f 5e } + $sequence_12 = { 56 be???????? 8b06 85c0 740f 50 } + $sequence_13 = { ffd6 8b0d???????? 894104 85c0 } + $sequence_14 = { ffd6 8b0d???????? 898158010000 85c0 } + $sequence_15 = { 6a00 68???????? 6aff 68???????? 6a00 6a00 ffd6 } + $sequence_16 = { 488b05???????? ff90e8000000 488b0d???????? 488b05???????? ff5028 48c705????????00000000 } $sequence_17 = { 68???????? e8???????? 8b35???????? 83c404 6a00 } - $sequence_18 = { 488b05???????? ff90e8000000 ba10270000 488b0d???????? 488b05???????? } - $sequence_19 = { 68???????? 6a00 6a00 ffd6 8b4dfc 5f } - $sequence_20 = { 4883c010 4883c428 c3 48890d???????? c3 48895c2410 } - $sequence_21 = { 33d2 33c9 488b05???????? ff90f0000000 488905???????? } - $sequence_22 = { 6800010000 6a00 68???????? e8???????? 6800020000 6a00 68???????? } - $sequence_23 = { 488b05???????? ff90e0000000 488b0d???????? 488b05???????? ff90a8010000 } - $sequence_24 = { 6a00 ffd6 50 68???????? 6aff 68???????? } - $sequence_25 = { 41b906000200 4533c0 488b15???????? 48c7c101000080 488b05???????? ff9038010000 } - $sequence_26 = { 8b442458 89442428 488b442450 4889442420 41b903000000 4533c0 488b15???????? 
} + $sequence_18 = { 8b442458 89442428 488b442450 4889442420 41b903000000 4533c0 } + $sequence_19 = { 6a00 ffd6 50 68???????? 6aff 68???????? 6a00 } + $sequence_20 = { 33d2 33c9 488b05???????? ff90f0000000 488905???????? } + $sequence_21 = { 4533c0 488b15???????? 48c7c101000080 488b05???????? ff9038010000 } + $sequence_22 = { 4533c9 4533c0 ba000000c0 488b0d???????? 488b05???????? } + $sequence_23 = { 4533c9 4533c0 33d2 488bc8 488b05???????? } + $sequence_24 = { 6800010000 6a00 68???????? e8???????? 6800020000 6a00 } + $sequence_25 = { 488b05???????? ff90e8000000 ba10270000 488b0d???????? 488b05???????? ff5010 } + $sequence_26 = { 4883c010 4883c428 c3 48890d???????? c3 48895c2410 } $sequence_27 = { 7cd5 68???????? e8???????? 8b4dfc } - $sequence_28 = { 8b4dfc 5f 5e 33cd b8???????? 5b } - $sequence_29 = { 6a0a 8d45f4 50 51 e8???????? } - $sequence_30 = { 6800000080 8d85f0fdffff 50 ff15???????? 8bf0 83feff } - $sequence_31 = { 894df0 ff15???????? 8945fc 8b45f0 8945f4 8b45f4 50 } - $sequence_32 = { 57 c785ecfeffff01000000 c785e8feffffe197af54 0f6e85e8feffff } - $sequence_33 = { 53 56 57 894df0 ff15???????? 8945fc } - $sequence_34 = { 8bf1 8b06 50 8b08 ff9180000000 } - $sequence_35 = { 50 ff512c 8bce 8bd8 } - $sequence_36 = { 6aff 50 6a00 6a00 ff15???????? 5e } - $sequence_37 = { 53 56 57 c745dce197af54 0f6e45dc 0f72f002 } - $sequence_38 = { 6a07 68???????? e8???????? 85c0 7402 eb0d 68e0930400 } - $sequence_39 = { 52 50 8bce e8???????? 50 ffd7 85c0 } - $sequence_40 = { 895e30 895e2c 895e34 8bc6 5f 5e } - $sequence_41 = { c645fc04 50 e8???????? 83c418 6a01 } - $sequence_42 = { e8???????? 8b4e2c 8b5610 89442424 6aff 8d442428 6a00 } - $sequence_43 = { fe40ff eb3d 8b742448 6a01 53 } - $sequence_44 = { 8b4c2474 8b7c2478 8944241c 56 89442424 6a01 } - $sequence_45 = { 8bf0 8b442414 85c0 7505 a1???????? } - $sequence_46 = { ff15???????? 85c0 894604 7522 8d4de4 } + $sequence_28 = { ffd6 8b4dfc 5f 5e 33cd b8???????? } + $sequence_29 = { e8???????? 83c40c 6a01 ff15???????? 
ff15???????? } + $sequence_30 = { 7411 8a4a03 3a4803 7409 } + $sequence_31 = { 3a4801 751a 83fefe 741e 8a4a02 3a4802 } + $sequence_32 = { 6a08 6a01 68???????? 68???????? 8d45f8 } + $sequence_33 = { 68???????? e8???????? 85c0 7402 eb0d } + $sequence_34 = { 8b85ecfeffff 8b4df4 64890d00000000 5f 5e 5b } + $sequence_35 = { 57 50 ff512c 8bce 8bd8 } + $sequence_36 = { ff512c 8bf0 f7de 1bf6 46 } + $sequence_37 = { 56 57 c785ecfeffff01000000 c785e8feffffe197af54 } + $sequence_38 = { 8bec 83ec10 53 56 57 894df0 ff15???????? } + $sequence_39 = { 57 894df0 ff15???????? 8945fc 8b45f0 8945f4 } + $sequence_40 = { 8b85e4feffff 8945f0 8b4df0 e8???????? } + $sequence_41 = { 8bce ff15???????? eb58 3bfb } + $sequence_42 = { 8bcb 57 897de4 ff15???????? } + $sequence_43 = { 8d4c2410 51 52 ffd7 8b442410 8b4e2c } + $sequence_44 = { 5d 5b 83c460 c20800 8d4c2474 c744247454522500 } + $sequence_45 = { 8d4c2428 50 51 e8???????? 8b15???????? c684244010000002 8b0a } + $sequence_46 = { 0f849e020000 8b15???????? 8b442448 8bca 8b4004 85c0 } + $sequence_47 = { 0f8484010000 8b442410 32db 3bc5 0f864e010000 b900010000 33c0 } + $sequence_48 = { 8d442428 6a00 50 ffd7 85c0 89462c 7526 } condition: 7 of them and filesize < 1586176 
@@ -145482,36 +146547,36 @@ rule MALPEDIA_Win_Hermeticwiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "26ab54c0-79a4-58b9-ba8b-0324b07af9f4" - date = "2026-01-05" - modified = "2026-01-06" + id = "18d5a8b9-b317-5c4b-9c63-dec6f28a123a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.hermeticwiper_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.hermeticwiper_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "0d202d4a6b1fd92490b3e5fc04dc1683d573bc3458e17749b676604435662c74" + logic_hash = "c6efe8f4f6375004867b0f13ba138230f4887f7bb79fd5fa6b7089aa249855b2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83d1ff 894dbc 03ff 83cf01 ebe7 8b75d4 } - $sequence_1 = { 68???????? eb2f ff15???????? 3d7e040000 0f8522040000 837df800 } - $sequence_2 = { 0f86fe000000 8b55d0 8d4630 8945f8 6690 8b00 85c0 } - $sequence_3 = { 53 51 51 52 b980000000 e8???????? 8b4c2428 } - $sequence_4 = { 8845fb 84e4 0f856dfeffff 5f 5e 5b 8be5 } - $sequence_5 = { 8b4e10 8b7e08 03cf 8b560c 8b4614 13c2 89542418 } - $sequence_6 = { 83ee02 eb02 8bf3 397df0 7531 6a5c 6a00 } - $sequence_7 = { 8b401c 83c118 03c1 8b4c2414 89442424 3bf0 736e } - $sequence_8 = { 57 56 ff15???????? 
85c0 752a ff15???????? 33ff } - $sequence_9 = { 5e b801000000 5b 8be5 5d c20c00 8b7510 } + $sequence_0 = { 33d2 f7f1 89459c ffd3 8b3d???????? 50 } + $sequence_1 = { 8d5710 894c244c 8b7f08 89542430 8d54245c 8b4c2430 57 } + $sequence_2 = { 8b4de4 897060 897864 895858 } + $sequence_3 = { 50 53 ff15???????? 8bf0 85f6 0f88bf000000 } + $sequence_4 = { 8b7c2414 83c404 e9???????? 8b7c2410 e9???????? } + $sequence_5 = { 894854 8b4de4 897060 897864 895858 } + $sequence_6 = { 3931 762b 8d7918 6a00 52 ff7704 } + $sequence_7 = { 8bc8 8bfa 8b45e8 3bc3 } + $sequence_8 = { 50 ff15???????? 8d8578fcffff 8d5002 668b08 83c002 6685c9 } + $sequence_9 = { 8d4c2414 68???????? 51 8944241c ffd7 85c0 7509 } condition: 7 of them and filesize < 247808 
@@ -145521,36 +146586,36 @@ rule MALPEDIA_Win_Dnschanger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0fa9e2eb-93b3-59e8-87b9-56660e0e1de0" - date = "2026-01-05" - modified = "2026-01-06" + id = "0abc0d8f-0c47-5961-9fc1-93ac5eb34160" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dnschanger_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dnschanger_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "a0798da45c8d16b6b8cbe6087cae140990ddc919bfe764b8983fff724ffd7558" + logic_hash = "826d79ecd3b5afc7f4d000794bc90fbb5c768a4381a826906cf8dfcf76b4b7fd" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c418 8d542410 8d442414 52 6806000200 6a00 50 } - $sequence_1 = { 8d442414 52 6806000200 6a00 50 } - $sequence_2 = { 6a08 32db ffd5 50 ff15???????? } - $sequence_3 = { 32c0 eb0b ff15???????? 85c0 } - $sequence_4 = { 8d442410 8b8b9c010000 50 57 51 e8???????? 83f86f } - $sequence_5 = { 57 e8???????? 8b2d???????? 
6880020000 6a08 } - $sequence_6 = { 2ad1 f6da 1bd2 f7d2 23c2 } - $sequence_7 = { 8bf0 8d45f8 50 ff75f8 56 6a03 ff75fc } - $sequence_8 = { 84d2 7407 8a11 8816 46 } - $sequence_9 = { 8b442410 85c0 742a 83f80a 7415 } + $sequence_0 = { 85f6 75e2 8b4c2420 8b54241c 51 52 } + $sequence_1 = { 8b3d???????? ffd3 39742414 741a 6a64 ffd7 39742414 } + $sequence_2 = { 83c410 85c0 7403 c60020 8b2d???????? } + $sequence_3 = { 8844240f e8???????? 8b442414 83c40c 89442400 } + $sequence_4 = { 756b 8b44240c 83f804 7705 be06000000 } + $sequence_5 = { 6a64 ffd7 39742414 7410 8d4c2410 51 } + $sequence_6 = { 6a00 6a03 ff75fc ffd7 } + $sequence_7 = { e8???????? 8b2d???????? 6880020000 6a08 } + $sequence_8 = { 6a00 ff15???????? 50 ff15???????? 8d8594feffff 50 } + $sequence_9 = { ff15???????? 8d542408 52 e8???????? 85c0 5f 5e } condition: 7 of them and filesize < 49152 
@@ -145560,36 +146625,36 @@ rule MALPEDIA_Win_Helauto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b795cd97-f81e-5b0c-b86f-eb6142e4a506" - date = "2026-01-05" - modified = "2026-01-06" + id = "71861316-2986-520d-9c86-3a6678914d81" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.helauto_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.helauto_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "77b1dbe0537fbb57df2196994395215daf625d1b39e62bbfe2e9527b9343a123" + logic_hash = "18de7897ef38c2c7f315e763107cb199bcc085f16b0148680711dc98d61d5e4a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33c0 8d7dc0 895dbc f3ab 8b4510 69c0f4010000 } - $sequence_1 = { 753b 6a08 be???????? 59 8d7d98 f3a5 } - $sequence_2 = { ff75f0 ff15???????? 8b45f4 8b7dec 2b4510 } - $sequence_3 = { 68???????? 8d85a8f9ffff 50 e8???????? 8d85a8f9ffff } - $sequence_4 = { 53 8d85a8f8ffff 68???????? 50 e8???????? } - $sequence_5 = { 50 6a1f ff75fc ffd6 8d45c8 57 50 } - $sequence_6 = { 53 53 6a01 53 8d8528feffff 53 } - $sequence_7 = { 59 0f85b3000000 53 6a08 } - $sequence_8 = { 6a01 58 c20c00 b8???????? e8???????? 81ec00010000 } - $sequence_9 = { 6a1f ff75fc 897dc4 ff15???????? 8b35???????? 
804ddd01 } + $sequence_0 = { 0f841f010000 8b3d???????? 6a05 8d85a8f3ffff 68???????? } + $sequence_1 = { 3945f8 7d03 8945f8 ff75f8 } + $sequence_2 = { 68???????? ff75e4 8945f0 ff15???????? } + $sequence_3 = { b902010000 33c0 8dbd9de5ffff c6859ce5ffff30 f3ab 66ab } + $sequence_4 = { c745c001000000 ffd6 8d45b8 53 50 } + $sequence_5 = { ff15???????? 8d859ce5ffff 50 e8???????? 83c410 50 8d859ce5ffff } + $sequence_6 = { 8d8598f3ffff 50 ff7508 e8???????? 83c414 84c0 0f8421ffffff } + $sequence_7 = { 8d859ce5ffff 50 53 53 ff75fc ff15???????? } + $sequence_8 = { 68ff030000 50 8d85a8ebffff 50 } + $sequence_9 = { 837d0801 7e21 56 8d85f4feffff ff7704 50 } condition: 7 of them and filesize < 57344 
@@ -145599,36 +146664,36 @@ rule MALPEDIA_Win_Darkbit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "376307d8-f183-5168-b430-3c79d528468e" - date = "2026-01-05" - modified = "2026-01-06" + id = "dc33b31b-87dd-5cc5-b322-adc3955b0e56" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.darkbit_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.darkbit_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "3345b8391d558255e8d42c00573b9e9bb419b0424b0535da1de4bc7f3c804298" + logic_hash = "75a82b2d5c03ccdd4b46d627f94c2dfbfa9055f5af2e5aec68ed45453358bf36" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 488b8c2480050000 48894808 833d????????00 7515 488b8c24b0210000 488908 } - $sequence_1 = { 488d0505c50f00 4889d9 4889fb 4889f7 4c89c6 e8???????? 488b542450 } - $sequence_2 = { eb1a 440fb64c341e 418d1411 8d5293 88543c1e 448844341e 4883c002 } - $sequence_3 = { 4c8d4301 4c39c6 7331 488d05052b1700 4889d9 4889fb 4889f7 } - $sequence_4 = { eb1c 4889c7 488b8c24d0200000 e8???????? 488d3d4f2a2200 e8???????? 6690 } - $sequence_5 = { e8???????? 4889842460100000 48899c2400010000 488b842480000000 48c7c3ffffffff e8???????? 48899c2480140000 } - $sequence_6 = { e8???????? 
488d0546a23800 bb26000000 e8???????? 90 4889442408 48895c2410 } - $sequence_7 = { e8???????? 48898424581c0000 48895c2428 488b0d???????? 48898c24980e0000 488d0547db0700 e8???????? } - $sequence_8 = { 488b8c24a8060000 48894808 833d????????00 7514 488b8c24d8220000 488908 488905???????? } - $sequence_9 = { 4d89d3 49c1ea2a 4983fa40 0f83d6060000 4c8d25576e5200 4f8b14d4 418402 } + $sequence_0 = { eb1c 4889c7 488b8c24f8250000 e8???????? 488d3d1b882200 e8???????? e8???????? } + $sequence_1 = { e8???????? 488d3d4bb92200 e8???????? e8???????? 4889842488280000 48899c24580c0000 488b0d???????? } + $sequence_2 = { ffd0 488b8c24f8000000 488b9c2410010000 488bbc2400010000 488b842408010000 488bac2420010000 4881c428010000 } + $sequence_3 = { e8???????? 4889842478070000 4889d9 488b9c2490000000 31c0 e8???????? 48898424f80a0000 } + $sequence_4 = { c6041fc8 b903000000 e9???????? 4983f805 7545 4c8d4301 4c39c6 } + $sequence_5 = { 4983f802 729b e9???????? 48894c2470 4889442460 48895c2468 488d442430 } + $sequence_6 = { eb7d 488d5104 4889542468 488d05453c1700 4889cb 4889d1 e8???????? } + $sequence_7 = { e8???????? 48899c24e0010000 4889d8 48c7c3ffffffff e8???????? 48898424e0030000 48899c24b0050000 } + $sequence_8 = { e9???????? 4889842490010000 440f11bc24d0000000 440f11bc24d8000000 440f11bc24e8000000 488d8c24d0000000 48890c24 } + $sequence_9 = { eb23 488b8424e8000000 48ffc0 488b942480010000 488bb424500b0000 488bbc24480b0000 4839d0 } condition: 7 of them and filesize < 11612160 
@@ -145638,36 +146703,36 @@ rule MALPEDIA_Win_Grok_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b9ba5cb5-3752-5e96-9a74-900c3065fa33" - date = "2026-01-05" - modified = "2026-01-06" + id = "56d56cfd-9b44-5438-b618-a5732364b0ad" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grok_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grok_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "0c97c5be712250fba8ecf0a25a041d30466c220a206e99d1c5c73f4b7d759714" + logic_hash = "acca2d27a0cfed73ac704f5cc4e8100a0da2a665e7dc91b24266d10df76b9aa7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 3945f4 7308 8b4df4 c60100 ebe4 8b55f8 c7420900000000 } - $sequence_1 = { 8b8de0fdffff 8a11 8895dffdffff 8b85e4fdffff 3a10 7546 } - $sequence_2 = { 837d1004 7307 b8060200c0 eb0e 8b4508 8b403c c70030120000 } - $sequence_3 = { 0f8ca4000000 53 ff15???????? 8b0d???????? 3b01 8b3d???????? } - $sequence_4 = { 0f85a2000000 681c010000 8d85c8feffff 50 6a00 8b4d08 51 } - $sequence_5 = { 8975dc ff15???????? 85c0 8b1d???????? 7d11 be2a0000c0 ff75f8 } - $sequence_6 = { a1???????? 83c40c c780bc01000001000000 33c0 5f 5e 5d } - $sequence_7 = { b81a0000c0 eb5c 50 8d460a 56 50 e8???????? 
} - $sequence_8 = { b89a0000c0 eb51 8d45f8 50 ff75f8 56 6a01 } - $sequence_9 = { 85c0 0f842d010000 8b742410 8b3d???????? 6a00 6a10 6a01 } + $sequence_0 = { ff35???????? 57 e8???????? a1???????? 3bc6 740d 50 } + $sequence_1 = { ff15???????? 6a20 53 53 6a01 53 56 } + $sequence_2 = { 8d8c3080000000 8b01 85c0 0f8483000000 8b4904 85c9 747c } + $sequence_3 = { c6855cfeffff50 c6855dfeffff72 c6855efeffff6f c6855ffeffff62 c68560feffff65 c68561feffff46 c68562feffff6f } + $sequence_4 = { e8???????? 8d87a0000000 8b08 85c9 7411 8b4004 85c0 } + $sequence_5 = { 59 33c0 3bd3 59 7621 03f6 8b4de8 } + $sequence_6 = { 8b8094010000 68c8000000 894703 8d4708 53 50 e8???????? } + $sequence_7 = { c645f553 c645f644 c645f772 c645f869 c645f976 c645fa65 } + $sequence_8 = { 894615 a1???????? eb02 f390 } + $sequence_9 = { 0fb7450c 83f803 7405 83f80a 7508 } condition: 7 of them and filesize < 84992 
@@ -145677,36 +146742,36 @@ rule MALPEDIA_Win_Colibri_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c5670290-4724-5847-ad87-e4a198921e3b" - date = "2026-01-05" - modified = "2026-01-06" + id = "4087b9fc-1e99-559d-bc59-bc0ead8d5030" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.colibri_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.colibri_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "07fa90a8bd47a0724796f8c6b0b275796c3daebded1dd7bb4e8069ed71142d39" + logic_hash = "69042c794b7b04a73fccadff8eb54a2f609e7a127591e0c5759db62a0429a075" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d8598fdffff 6804010000 50 6a02 59 } - $sequence_1 = { 50 6a02 59 e8???????? babab69c31 8bc8 } - $sequence_2 = { a1???????? 81ec90080000 53 56 57 8d0c4502000000 e8???????? } - $sequence_3 = { 59 e8???????? ba980aa4bf 8bc8 e8???????? ffd0 8945ec } - $sequence_4 = { 8b4dd0 8d144502000000 e8???????? a1???????? 8b4dcc 8d144502000000 e8???????? } - $sequence_5 = { e8???????? 53 8bf0 56 6aff 57 6a00 } - $sequence_6 = { 8365f800 50 e8???????? 59 85c0 7413 8b4dfc } - $sequence_7 = { ffd0 e8???????? 
8b75d0 85c0 } - $sequence_8 = { 8945fc b944000000 b000 8b7dfc } - $sequence_9 = { 50 68e9fd0000 6a02 59 e8???????? bac0bc4316 8bc8 } + $sequence_0 = { 8d0c4502000000 e8???????? 89442440 be???????? 8bfc 8bc8 } + $sequence_1 = { ff75f4 6a02 59 e8???????? ba49f6fd69 8bc8 } + $sequence_2 = { 8b4df0 e8???????? 8bf8 8bcf e8???????? } + $sequence_3 = { 8902 83c204 8955f8 8b01 85c0 } + $sequence_4 = { 8b4df8 8d144502000000 e8???????? a1???????? 8b4df4 } + $sequence_5 = { 8b75f8 85c0 745c 57 8d85ecfdffff } + $sequence_6 = { 8bd8 56 895c2444 53 6a02 59 } + $sequence_7 = { e8???????? 83c410 b8???????? 68???????? 50 53 8b5dfc } + $sequence_8 = { 8365f800 50 e8???????? 59 85c0 7413 8b4dfc } + $sequence_9 = { ba5986c991 8bc8 e8???????? ffd0 89442444 eb43 } condition: 7 of them and filesize < 51200 
@@ -145716,36 +146781,36 @@ rule MALPEDIA_Win_Rekoobew_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4672783-76e3-563a-8027-eca1db960fbe" - date = "2026-01-05" - modified = "2026-01-06" + id = "8ee2b2ef-cb3c-5ded-93b0-251a94d316dc" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rekoobew_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rekoobew_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "58559e9eb7cf00c4472271b9f2f8096ac74daa9182ac5f503ca473672c8d4ebd" + logic_hash = "611d5d6376ad3bfd0022c8516f8f73ea917b68256cff7e917d5134c7e5ac0c95" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b75bc 3375c4 3375d8 3375ec } - $sequence_1 = { 0fb6fe 89ca 3314bde08c4000 0fb6f2 8b3cb5e0904000 } - $sequence_2 = { 894714 83c201 83fa08 7588 } - $sequence_3 = { 33348de0704000 8b4de8 c1e910 0fb6c9 33348de0744000 8975e0 } - $sequence_4 = { 3c0d 745e 80f93d 0f85a0feffff 89f0 eb53 b8ffffffff } - $sequence_5 = { 894de0 0fb67004 c1e618 0fb65005 c1e210 09f2 0fb67007 } - $sequence_6 = { 0f84c5000000 8b5078 85d2 0f84ba000000 8b35???????? 
85f6 } - $sequence_7 = { 33735c 89d7 c1ef18 3334bde0844000 89cf c1ef10 81e7ff000000 } - $sequence_8 = { 09d7 0fb64827 09cf 0fb65026 c1e208 09d7 897dc8 } - $sequence_9 = { e8???????? 85c0 7916 c704240f000000 e8???????? b828000000 e9???????? } + $sequence_0 = { 29d8 89442408 89742404 8b4508 890424 e8???????? 85c0 } + $sequence_1 = { c740241cb04000 8910 c7401898654000 c7401ca06a4000 c74020a86a4000 c74044b06a4000 } + $sequence_2 = { 0f85c4020000 a1???????? 8945d8 a1???????? 8945dc a1???????? 8945e0 } + $sequence_3 = { 8b47fc 8b3495e0984000 3377e0 0fb6d8 8b1c9de0944000 c1e308 31de } + $sequence_4 = { 334dec d1c1 894dd8 8d8408a1ebd96e 8945f0 89d0 31f8 } + $sequence_5 = { 884610 0fb7431a 884611 8b4318 c1e808 884612 } + $sequence_6 = { c1ea10 0fb6d2 333495e0884000 0fb6d5 8b1495e08c4000 31f2 8955e8 } + $sequence_7 = { 897dc8 8d9c3bdcbc1b8f 89d7 09cf 21c7 897d98 89d7 } + $sequence_8 = { 8b7d08 8807 83c701 897d08 80f93d } + $sequence_9 = { 89c2 c1ea08 8855f6 8845f7 c1e803 83e03f 83f837 } condition: 7 of them and filesize < 248832 
@@ -145755,36 +146820,36 @@ rule MALPEDIA_Win_Mirai_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b007e0f-a886-5f64-abd3-07f6ed5e9b2a" - date = "2026-01-05" - modified = "2026-01-06" + id = "f1a5559e-b7dd-577d-b0bf-7dc300a73e33" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mirai_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mirai_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "63027a45f46dffdd65577fa0ba420730c7c3c1478a8b6e1e30240b9df0cbea70" + logic_hash = "eb9d164f1fc6d494d54ce3ec2a540e9d00227e6b4cba50e84e12f7ec9c930c38" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b00 8b4dfc 668b00 668981a00b0000 8b4508 8b00 40 } - $sequence_1 = { e8???????? 59 50 ff7508 8b4da0 e8???????? 0fb6c0 } - $sequence_2 = { c3 8d88dfa9ffff 83f95d 7709 0fb704458ebf6b00 c3 8d90dfa8ffff } - $sequence_3 = { 8bcf e8???????? 8b38 85ff 7447 8b4f08 51 } - $sequence_4 = { 8b9654040000 68b3fe654f 51 6a64 6a02 68???????? 52 } - $sequence_5 = { 8bce e8???????? 8bf8 3bfb 0f840cffffff 8bce e8???????? } - $sequence_6 = { c3 bac8c50000 663bc2 720a b9f0c50000 663bc1 7610 } - $sequence_7 = { ff15???????? 8945fc 837dfc00 7c33 ff75f8 ff15???????? 
8945fc } - $sequence_8 = { 8b85d4fdffff 8a00 8885cffdffff ff85d4fdffff 80bdcffdffff00 75e3 8b85d4fdffff } - $sequence_9 = { 8b5e08 eb12 8b4e08 8b4604 6a00 52 51 } + $sequence_0 = { e8???????? 8365fc00 8b45ec 83c801 8945ec 8b4508 8b4df4 } + $sequence_1 = { 8d957cf8ffff e8???????? 83c418 33c9 33c0 8b9405fcfbffff 0394057cfbffff } + $sequence_2 = { eb02 33f6 57 e8???????? 53 e8???????? 8b8df4feffff } + $sequence_3 = { a1???????? 33c4 89842490060000 8b8c249c060000 8b842498060000 56 8bb424a4060000 } + $sequence_4 = { 8b968c040000 57 894218 e8???????? 8bd8 689f010000 895dfc } + $sequence_5 = { 8bb40df4feffff 8bd6 2bd3 c1ea1f 8bfa c1e708 2bfb } + $sequence_6 = { b001 eb22 0fb64508 83f83a 740f 0fb64508 83f85f } + $sequence_7 = { c9 c3 55 8bec 51 894dfc 837d0c01 } + $sequence_8 = { 8b4dfc 52 50 51 68???????? 68???????? 6a02 } + $sequence_9 = { 8d4c244c e8???????? 85ff 75e3 8b442460 85c0 7504 } condition: 7 of them and filesize < 7086080 
@@ -145794,36 +146859,36 @@ rule MALPEDIA_Win_Scarabey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "df55f2c4-936e-5089-bf63-ab8881b2ccec" - date = "2026-01-05" - modified = "2026-01-06" + id = "9c0b9a74-1a90-5260-a473-5d380455a6f2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.scarabey_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.scarabey_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "ab0b8e9df053b2dde174abe1928026d6e032765d40449a0cf5be9cf6e0235b67" + logic_hash = "db5d2af30b20f9b528b3db02b616eed9c133bd32d757d9755b55be4831b02809" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a01 ff5004 899e58030000 e9???????? c78778010000acab5700 } - $sequence_1 = { 51 50 8d45c0 50 ffd7 897598 c74594fc2f5300 } - $sequence_2 = { 51 ff15???????? 8d8dc0d6ffff e8???????? 8b95c0d6ffff 52 } - $sequence_3 = { 8b442408 8b4c2404 6a00 6a00 6a00 6a00 50 } - $sequence_4 = { ff15???????? 6a01 8d8d14d1ffff 51 ff15???????? 6a00 6a00 } - $sequence_5 = { 894608 89460c c706???????? c74604???????? c74610541e5300 e8???????? 8bc6 } - $sequence_6 = { e9???????? 
837dec00 0f851a010000 6683f80c 0f8510010000 6a0a } - $sequence_7 = { 8bf0 83f907 7771 ff248d690c4700 4e eb26 } - $sequence_8 = { c745bc06000000 897dd0 c745c404885300 c745cc64000000 ff9060010000 } - $sequence_9 = { c745cc18405300 e8???????? 33c0 40 e8???????? c20400 6a08 } + $sequence_0 = { c786900d000054865300 8986940d0000 8986a00d0000 89869c0d0000 8986980d0000 } + $sequence_1 = { e8???????? 8d4de4 c745e4fc2f5300 e8???????? b805400080 e9???????? 8b8354ffffff } + $sequence_2 = { 50 83c2f8 52 56 51 ff15???????? } + $sequence_3 = { 2bfa 0fb715???????? 2bfa 01bdf0d6ffff 0fb6f8 2bbd14d7ffff 2bfb } + $sequence_4 = { 8b0485c0375800 8bfa 83e71f c1e706 8b0407 } + $sequence_5 = { 8d42fe 83f814 776c ff248510da4100 8b4114 eb67 8b4118 } + $sequence_6 = { c705????????68405100 c705????????1c405100 c705????????55405100 c705????????be3f5100 a3???????? c705????????ea485100 c705????????da3f5100 } + $sequence_7 = { e8???????? ff75d0 8bcb e8???????? 8d4dc8 c645fc00 c745c868025300 } + $sequence_8 = { 8bce e8???????? 834dfcff 8d8d3cffffff c7853cffffff74865300 e8???????? } + $sequence_9 = { 8d8df8fcffff c785f8fcffff90825300 e8???????? 83bd2cfdffff00 } condition: 7 of them and filesize < 3580928 
@@ -145833,42 +146898,42 @@ rule MALPEDIA_Win_Zebrocy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a5288975-5a36-5a4a-9025-084c7ee804a2" - date = "2026-01-05" - modified = "2026-01-06" + id = "0c26eaee-ceca-571b-b5d3-25fb9badb48b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.zebrocy_auto.yar#L1-L166" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.zebrocy_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "31a3a19dc89466809ccbf56c8c805a07b997358dbb942052f14c84a36be45691" + logic_hash = "89617f1d3dcb35789544bd09fa73885d6783a0c2248e99f8d5ce1abc3cd36b06" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c605????????03 c705????????04000000 c605????????11 c705????????00000000 } - $sequence_1 = { e8???????? 84c0 8b4de0 7507 } - $sequence_2 = { 50 8d45f4 64a300000000 6aff 33ff c745fc01000000 } - $sequence_3 = { 8be5 5d c21000 8b4d14 51 56 } - $sequence_4 = { e8???????? 83c41c 83ec1c 8bcc 89a5f4f4ffff } - $sequence_5 = { ff25???????? ebb5 55 b9???????? 
89e5 } - $sequence_6 = { f2ae 89c8 f7d0 8d5402ff } - $sequence_7 = { 8bd8 3bc7 7e63 8d642400 6a02 } - $sequence_8 = { 397de0 7f57 8b03 85c0 } - $sequence_9 = { 8d45f4 64a300000000 33db 897d90 895d94 6aff c745fc01000000 } - $sequence_10 = { 89d8 e8???????? 8d9510fcffff 89c6 8d8500fcffff 89d7 } - $sequence_11 = { 89c7 eb2f 89f2 89d9 e8???????? } - $sequence_12 = { 325032 7032 7c32 9c 32a432ac32c432 d432 e8???????? } - $sequence_13 = { 33c0 894e14 894710 894714 c645fc00 837de810 720c } - $sequence_14 = { 66c705????????6046 8915???????? ba???????? a3???????? e8???????? } - $sequence_15 = { 89b5c4f7ffff 899dc0f7ffff 889db0f7ffff 39bd38f7ffff } + $sequence_0 = { 8bf3 e8???????? c645fc00 837dd410 720c 8b4dc0 51 } + $sequence_1 = { 56 53 83ec0c 837d0800 7e3a } + $sequence_2 = { 55 ba???????? b9???????? 89e5 83ec08 e8???????? } + $sequence_3 = { 8bf3 c745fc01000000 e8???????? 837db010 0f8291020000 8b459c } + $sequence_4 = { 66891478 8bc6 5f c3 8bff } + $sequence_5 = { c705????????50c34100 c705????????43f74000 c705????????02000000 c605????????02 } + $sequence_6 = { 8b55ec 33ff 897c1820 897c1824 } + $sequence_7 = { 884dc8 8a4c3b0a 83c703 8975b4 c1ee02 884db8 } + $sequence_8 = { 897e10 897e14 837dd410 720c } + $sequence_9 = { 8b4a04 8b55ec 03cb 85d2 7420 8b410c } + $sequence_10 = { c705????????04000000 c605????????16 c705????????a4c34100 c605????????02 c705????????01000000 } + $sequence_11 = { 83e13f 8a89e8f64000 884c100b 8b4de0 394ddc 7e08 } + $sequence_12 = { 7409 c745e400000000 eb53 31d2 } + $sequence_13 = { 8d8508f7ffff 8a1c38 8db598f6ffff e8???????? } + $sequence_14 = { 83e71f c1e706 8b0485c0a84200 8d44380c 50 ff15???????? 8b45e4 } + $sequence_15 = { 31db 84d2 742f 39c3 0f9ec2 7f21 } condition: 7 of them and filesize < 393216 
@@ -145878,52 +146943,52 @@ rule MALPEDIA_Win_Xagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "858895d8-2a97-5541-a089-3de82693028e" - date = "2026-01-05" - modified = "2026-01-06" + id = "e6749351-2438-58b5-875e-9b65c6d4bb5f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xagent_auto.yar#L1-L243" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xagent_auto.yar#L1-L244" license_url = "N/A" - logic_hash = "6bd2f7e71d8c01d128cc02e9a985eec56e3c9b4bd52be45a95e998c8268d5099" + logic_hash = "108c073665fdca68ab6c156d2bd80d154df30e277e99e8f7d93b99eb208d6ddb" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { c1ea02 6bd20d b801000000 2bc2 } $sequence_1 = { ff15???????? 8bd8 e8???????? 03d8 } - $sequence_2 = { 7702 2bc7 8b5204 8b0482 8b0488 8b4e10 85c9 } - $sequence_3 = { 33d2 eb02 8b11 8b4808 8bc1 57 8b7a08 } - $sequence_4 = { 8b7a08 c1e802 83e103 3bf8 7702 2bc7 8b5204 } - $sequence_5 = { 55 8bec 33c0 83ec0c 39412c } - $sequence_6 = { 7507 c7460c00000000 5f 5e 8be5 } - $sequence_7 = { e8???????? 
8b4604 85c0 7407 8b4d08 8b11 8910 } + $sequence_2 = { ff460c 03ff 03ff 3b7e0c 7707 c7460c00000000 49 } + $sequence_3 = { c7460c00000000 49 894e10 7507 c7460c00000000 } + $sequence_4 = { c20400 8d4de4 e8???????? b8???????? c3 83c8ff } + $sequence_5 = { 8b0482 8b0488 8b4e10 85c9 7423 8b7e08 ff460c } + $sequence_6 = { e8???????? 8b4604 85c0 7407 8b4d08 8b11 } + $sequence_7 = { 8b7a08 c1e802 83e103 3bf8 7702 2bc7 8b5204 } $sequence_8 = { ff15???????? 6a08 e8???????? 83c404 85c0 } - $sequence_9 = { 03ff 3b7e0c 7707 c7460c00000000 49 894e10 7507 } - $sequence_10 = { 7509 488b03 488bcb ff5008 488b7d8f 4883c610 488d46f8 } - $sequence_11 = { e8???????? 48833b00 740a 488b4308 } - $sequence_12 = { 4883ec30 4883792800 498bf9 498bf0 } - $sequence_13 = { 740c 488b07 4c8b13 488903 4c8917 488b13 488b0e } + $sequence_9 = { eb02 8b11 8b4808 8bc1 57 8b7a08 c1e802 } + $sequence_10 = { 740c 488b07 488b0b 488903 48890f 488b5c2430 488b6c2438 } + $sequence_11 = { 740c 488b07 4c8b13 488903 4c8917 488b13 488b0e } + $sequence_12 = { 4883792800 498bf9 498bf0 488bea } + $sequence_13 = { e8???????? 48833b00 740a 488b4308 } $sequence_14 = { e8???????? 488b4328 4c8bcf 4c8bc6 } - $sequence_15 = { 0f92c3 488d4c2430 e8???????? 90 } - $sequence_16 = { e8???????? 90 0fb705???????? 6689442420 } - $sequence_17 = { 740c 488b07 488b0b 488903 48890f 488b5c2430 488b6c2438 } + $sequence_15 = { e8???????? 90 0fb705???????? 
6689442420 } + $sequence_16 = { 7509 488b03 488bcb ff5008 488b7d8f } + $sequence_17 = { 4053 4883ec20 488b5910 4885db 7416 } $sequence_18 = { b803b57ea5 f7e6 c1ea06 6bd263 } - $sequence_19 = { 75f8 488d8c2430010000 482bc1 488d8c0430010000 } - $sequence_20 = { 75f8 488bf9 482bfe 2bfb } - $sequence_21 = { 75f8 488bf9 482bfb 448bcf } - $sequence_22 = { 75f8 488d4c2420 482bc1 488d4c0420 } - $sequence_23 = { 75f8 488bf9 482bfa 4c8bc7 } - $sequence_24 = { 75f8 488bf8 482bfa 488b4b28 } - $sequence_25 = { 75f8 492bc3 488bcf 6645892c03 } + $sequence_19 = { 75f8 492bca 4963c1 483bc1 } + $sequence_20 = { 75f8 492bc9 8bc3 483bc1 737f 4c8b4718 } + $sequence_21 = { 75f8 492bdc 498bfe 4d85f6 } + $sequence_22 = { 75f8 492bfc 498bf5 4d85ed } + $sequence_23 = { 75f8 492bf5 ff15???????? 8d0c3e } + $sequence_24 = { 75f8 492bdd 488bf7 4885ff } + $sequence_25 = { 75f8 492bf5 488bfb 4885db } condition: 7 of them and filesize < 729088 
@@ -145933,36 +146998,36 @@ rule MALPEDIA_Win_Asprox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "760d5ba5-eb2e-56fe-8b68-64c041182dd0" - date = "2026-01-05" - modified = "2026-01-06" + id = "2f74538e-f933-5aef-aa2f-b7ab3bb0119c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.asprox_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.asprox_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "0433055da9e2395dd1bdc28ed8f399d8aecafba94a64506b61f0a5f3795ff961" + logic_hash = "a6a9230d1bd8a95689910db672c674c35c5bb3455366aaba88aa83587782dde4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8955d4 eb05 e9???????? 8b45d4 898538ffffff c6459447 } - $sequence_1 = { e9???????? 8b03 83780400 0f84fe070000 8b10 0fb612 8b4b1c } - $sequence_2 = { 038cfe94c90000 0394fe98c90000 668945d0 c1e810 66894dd4 c1e910 668955d8 } - $sequence_3 = { c645f300 6800100000 6a00 a1???????? 50 ff15???????? 8945f8 } - $sequence_4 = { 49 7407 33c0 e9???????? 3bd3 0f858d000000 8b4e0c } - $sequence_5 = { e8???????? 83c414 8b55e8 8955f0 c745e400000000 6a10 8d45e4 } - $sequence_6 = { 895e04 40 eb20 8bc3 eb1c e8???????? } - $sequence_7 = { 52 8b45fc 50 ff15???????? 83c408 68???????? 
8b4dfc } - $sequence_8 = { 51 8b952cffffff 52 ff15???????? 898558ffffff 8b8560ffffff 898570ffffff } - $sequence_9 = { 6a00 8b55e4 52 ff15???????? 8a45fb 8be5 } + $sequence_0 = { 0f84a1000000 0fb69567fcffff 85d2 0f8592000000 c68567fcffff01 8d85e8fdffff 50 } + $sequence_1 = { c685d5feffff65 c685d6feffff74 c685d7feffff50 c685d8feffff72 c685d9feffff6f c685dafeffff63 c685dbfeffff41 } + $sequence_2 = { 52 6a00 a1???????? 50 ff15???????? 8b4df8 51 } + $sequence_3 = { 8b450c 0345fc 0fb608 0bca 8b550c 0355fc 880a } + $sequence_4 = { ff15???????? 898558ffffff 8b5580 8b4580 03423c } + $sequence_5 = { 53 6a02 5b 8b4e04 49 0f84d8000000 49 } + $sequence_6 = { 8b450c 50 ff15???????? 83c404 50 8b4d0c 51 } + $sequence_7 = { c685dafeffff63 c685dbfeffff41 c685dcfeffff64 c685ddfeffff64 } + $sequence_8 = { 6a00 6a00 8d8560ffffff 50 8b8d5cffffff } + $sequence_9 = { 6890000000 8d8d10ffffff 51 8b9548fdffff 52 8b45c0 50 } condition: 7 of them and filesize < 155648 
@@ -145972,36 +147037,36 @@ rule MALPEDIA_Win_Glooxmail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "69068c2d-618b-514f-89ee-0c12a27c7775" - date = "2026-01-05" - modified = "2026-01-06" + id = "ee27c053-4b40-5b4d-9153-7e649de368b4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.glooxmail_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.glooxmail_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "fd925824bd22779b63be73d9209717bd4d4f69fd8a16644a721055340873e4d2" + logic_hash = "4100a5c0d9e26ced829f24e47015acb23b4cfe8f247688d848bb8d900c3527e9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d55c0 52 8d9564ffffff c645fc4a 8b01 52 ff5044 } - $sequence_1 = { e8???????? 385df3 7407 c745ec40000000 68???????? 8d8d7cffffff e8???????? } - $sequence_2 = { 6a01 8d8c24f0020000 81e3fff7ffff e8???????? f7c300040000 740f 56 } - $sequence_3 = { 8d4dd8 e9???????? 8b4d08 e9???????? 8b4508 054c040000 e9???????? } - $sequence_4 = { 814df000020000 68???????? 8d4db4 e8???????? 8d85b8feffff 50 8d45b4 } - $sequence_5 = { 83a50cfffffff7 8d8d30feffff e9???????? c3 8d4db8 e9???????? 8d8dd8feffff } - $sequence_6 = { 8bfb e8???????? 
33f6 33ff 56 47 57 } - $sequence_7 = { 895dcc f645d008 740e 8365d0f7 53 57 8d4d84 } - $sequence_8 = { ff750c 83a424bc00000000 8d442430 50 e8???????? } - $sequence_9 = { e8???????? c78424600800006d000000 f744241000000080 7417 81642410ffffff7f 53 } + $sequence_0 = { 8d4dc0 e9???????? c3 8d8d3cffffff e9???????? 8d4dc0 e9???????? } + $sequence_1 = { 2500000008 0f8415000000 81a5acf7fffffffffff7 8d8d18fcffff e9???????? c3 } + $sequence_2 = { 6a01 8d8c2450030000 e8???????? 6880000000 e8???????? 59 89442414 } + $sequence_3 = { 2500000200 0f8415000000 81a5acf7fffffffffdff 8d8d7cffffff e9???????? c3 8d8df4fdffff } + $sequence_4 = { 7437 6a44 e8???????? 8bf8 59 897c2414 33f6 } + $sequence_5 = { 8bf0 e8???????? 6a00 57 8d8d00ffffff e8???????? 6a00 } + $sequence_6 = { 884573 e8???????? 53 6a01 8d4d38 e8???????? 834dfcff } + $sequence_7 = { 81ec9c010000 a1???????? 33c5 8945fc 56 8d8568feffff 50 } + $sequence_8 = { c745e001000000 897de4 e8???????? 8365f000 85ff 0f860d010000 be???????? } + $sequence_9 = { ffb5b0f7ffff e8???????? 59 c3 8b85acf7ffff 83e010 0f8412000000 } condition: 7 of them and filesize < 761856 
@@ -146011,36 +147076,36 @@ rule MALPEDIA_Win_Slave_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b0051d5-869a-52df-9d63-5531f0ea1bc8" - date = "2026-01-05" - modified = "2026-01-06" + id = "40845426-e8a5-5013-a39c-078606da0dcf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slave_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slave_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "523de3cfcbf6b6abf4a7273f5bce657ee9b1b72d0e892b1b3170df330ecf9a83" + logic_hash = "e861bab46507a430527599dbe2c596bb7c17916050ee29aa7bfcf473cc53f6e7" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 837df400 0f84f7250000 b80a000000 66894706 8a4704 24c3 } - $sequence_1 = { 0c10 888694030000 eb8d 817b0800000040 0f85ea020000 8a9694030000 8a5c240e } - $sequence_2 = { 813e6f563412 7406 5e 33c0 5b 5d c3 } - $sequence_3 = { 833d????????00 c705????????00000000 740a b9???????? e8???????? 
833d????????00 c705????????00000000 } - $sequence_4 = { 3d00000001 0f8456030000 3d00000002 0f859a240000 } - $sequence_5 = { 837f7401 894de8 7620 83bf8400000000 7417 8b8780000000 0345f4 } - $sequence_6 = { 8bc8 83c408 3bd9 750b } - $sequence_7 = { 83c40c 028e08010000 888e08010000 80f9ff 730c 0fb6c1 } - $sequence_8 = { 7307 0fb6c2 2bc8 eb02 33c9 0fb6c2 68???????? } - $sequence_9 = { ff15???????? 5f 5e c3 837e1800 7445 90 } + $sequence_0 = { 818f1801000000080000 f70600200000 742b 0fb68707030000 8b4d0c c1e806 888c38f4020000 } + $sequence_1 = { 03c6 50 ffd3 83c410 008608010000 837c241000 } + $sequence_2 = { 0f427508 03470c 56 50 ff75e8 e8???????? 83c40c } + $sequence_3 = { 83c408 85c0 750e 46 81ff03010000 7424 } + $sequence_4 = { 33c6 2345ec 33c3 03ca 8b7dd4 03c1 8b55f0 } + $sequence_5 = { 83e802 0f84a0000000 83e804 0f859a010000 8b8e14030000 8b8610030000 85c9 } + $sequence_6 = { 8bf0 837e1400 75f1 ff35???????? ff15???????? } + $sequence_7 = { c1c802 33c8 8b45dc 8bf0 03ca 0b75e0 2345e0 } + $sequence_8 = { 0fb6c0 2bf8 8a8608010000 eb02 33ff 51 } + $sequence_9 = { 8be5 5d c3 5f 5e b89a020000 5b } condition: 7 of them and filesize < 532480 
@@ -146050,36 +147115,36 @@ rule MALPEDIA_Win_Yakuza_Ransomware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0616b0d8-21b8-54e6-81ea-ef91fe1745e9" - date = "2026-01-05" - modified = "2026-01-06" + id = "224ba63c-d4f0-51b1-8c05-67d4892ede1d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yakuza_ransomware_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yakuza_ransomware_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "406ad1bef978847d25a0a40830a76c5748a247c44dcea0c0fe72a568e851fc77" + logic_hash = "0a0df7fa583a3ef9907c16a286a3464ad9534c70947de91ef5e701245c7f072f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 c645fc5b 56 8bd0 8d8d20fbffff e8???????? } - $sequence_1 = { e8???????? 8d8520ffffff 83bd34ffffff08 0f438520ffffff 8d8dd8fbffff 51 } - $sequence_2 = { 50 e8???????? 0fb74c242c 8d7f02 83c414 85c0 b8ffff0000 } - $sequence_3 = { e9???????? c3 8b4568 83e002 0f840c000000 836568fd 8d4d48 } - $sequence_4 = { e9???????? c3 8b4dec 81c180000000 e9???????? 8b4d08 83c104 } - $sequence_5 = { 0fb6c9 0fb689409c4d00 3304cdd2735400 8b4df8 8b55fc 8b4c8a08 c1e900 } - $sequence_6 = { e8???????? 84c0 0f84d0010000 8d8d54f6ffff e8???????? 
8bf0 89b5d4f1ffff } - $sequence_7 = { e8???????? c745fc00000000 8b4e24 85c9 7466 8b01 8d55dc } - $sequence_8 = { ff7508 8d45a8 50 8d4de0 e8???????? 8bf0 8d4e04 } - $sequence_9 = { 50 c745ac00000000 c745b007000000 e8???????? 837f1408 8bc7 7202 } + $sequence_0 = { e8???????? c645fc2a c78550f7ffff4c844e00 c78554f7ffff7c7f4e00 c78558f7ffff947b4e00 c645fc2b 8d8d64f7ffff } + $sequence_1 = { e8???????? 8d8d34feffff c645fc67 e8???????? 6a01 8d8d4cfeffff e8???????? } + $sequence_2 = { ff75c8 e8???????? 8d45cc 50 e8???????? 83c404 8d4d60 } + $sequence_3 = { e9???????? 8d8de4feffff e9???????? 8d8dd0f9ffff e9???????? 8d8de8f9ffff e9???????? } + $sequence_4 = { 897df0 c745fc00000000 6a54 6a00 57 e8???????? 83c410 } + $sequence_5 = { ff742418 68???????? 68???????? e8???????? 8b4704 8d4f04 83c40c } + $sequence_6 = { e8???????? 8b4e0c 8d45dc 50 83c11c c645fc61 e8???????? } + $sequence_7 = { e8???????? c645fc2b 83ec08 50 8d8d08ffffff e8???????? c645fc2d } + $sequence_8 = { e8???????? 807b3400 c645fc14 7507 e8???????? eb05 e8???????? } + $sequence_9 = { ff5018 8bf8 8b06 8b0f 8b5918 3d???????? 7521 } condition: 7 of them and filesize < 2811904 
@@ -146089,36 +147154,36 @@ rule MALPEDIA_Win_Xbtl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5435db05-6232-5daa-a834-a076fea3e65f" - date = "2026-01-05" - modified = "2026-01-06" + id = "d5db6d09-8688-5faa-abdc-b73ea6228856" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.xbtl_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.xbtl_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "9ca9bf365c91027033dee3986f32faacddaba9038a823c9929d03b22f8c79417" + logic_hash = "aad1f1f8d12723332af110ebc73e31d06fe847b4b1035c93d8a971bc90e13960" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8945f8 03c0 03c0 50 52 8945fc e8???????? } - $sequence_1 = { 8a08 40 84c9 75f9 2bc6 8dbc05f4fdffff 89bde0fcffff } - $sequence_2 = { ff15???????? 8b07 8b4820 51 68???????? 
8d542428 6a40 } - $sequence_3 = { 8b55e0 8b470c 8b4490f8 8945e0 85c0 742f 0fbf4304 } - $sequence_4 = { 81e200ff0000 33ca 8bd7 c1ea18 } - $sequence_5 = { 40 8945fc 3b4608 0f8c78ffffff eb09 8b55fc 8b7508 } - $sequence_6 = { 897004 8b5108 8bf2 c1ce08 81e600ff00ff } - $sequence_7 = { 8b8d8cfdffff 8b9598fdffff 50 8b8588fdffff 50 8b8590fdffff 57 } - $sequence_8 = { 8b07 68a00f0000 8d4c2448 51 89742448 } - $sequence_9 = { 8b530c 0fbfc8 837c8afc00 74e5 8b4308 3daa55ff7f } + $sequence_0 = { c1fa05 c1e006 030495e0c04200 eb05 b8???????? f6400420 7415 } + $sequence_1 = { 8b85b4feffff 8db4169979825a 8b95b8feffff c1c902 83c705 8bde } + $sequence_2 = { 6a00 6a03 6a00 6a01 6800000080 51 ffd3 } + $sequence_3 = { 85f6 0f8594000000 3df0ff1f00 730c 8bc8 83e10f be10000000 } + $sequence_4 = { 030495e0c04200 eb05 b8???????? f6400420 7415 53 6a00 } + $sequence_5 = { 7405 e8???????? ba01000000 895608 } + $sequence_6 = { 83c720 8945f0 3b45fc 7c87 bf00200000 33db } + $sequence_7 = { 8b45fc 894df4 8bf0 3bc1 7c6b 8b4708 3daa55ff7f } + $sequence_8 = { 53 57 8bf8 8bd9 85ff 743a 8d9b00000000 } + $sequence_9 = { 6685c9 75f5 2bc2 6a00 d1f8 8d4dfc 51 } condition: 7 of them and filesize < 401408 
@@ -146128,36 +147193,36 @@ rule MALPEDIA_Win_Santa_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "698b58d7-3beb-5b12-b9ab-ea8db82a9446" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1fd15ad-7a3d-5595-97cf-69df8560dd65" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.santa_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.santa_stealer_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.santa_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "0ee975510b7aa8f6c88f59ccf7386a44e723fcc4879e58b69b100521065bb285" + logic_hash = "b2de36531f2ed031c4dac419ae11d768684a1ddd7f608f2f2664c37f846ef406" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 488d5640 4c89e1 44896c2458 4c897c2460 e8???????? 89c3 } - $sequence_1 = { 6644894114 488b4918 41c7422407000000 80796700 75b3 80796800 75ad } - $sequence_2 = { c744246cffffffff 488b01 4885c0 7464 4c8d44246c ba0a000000 ff5050 } - $sequence_3 = { e8???????? 89c7 85c0 0f8504f9ffff 8b4334 c7436801000000 4429e0 } - $sequence_4 = { e8???????? 
89c3 85c0 0f84fc000000 31db 662e0f1f840000000000 4c89e2 } - $sequence_5 = { 7371 418b4120 85c0 755f 4881faffffff3f 7768 4883ec38 } - $sequence_6 = { c6431770 488d15d8461100 480f44fa 4d85e4 b8011a0000 48896b08 488d15d040fbff } - $sequence_7 = { e8???????? 4d85ff 7475 440fb74760 410fbf4e36 4139c8 7c66 } - $sequence_8 = { f77134 8d5001 4439fa 0f84b0010000 4531c9 4c8d442448 4489fa } - $sequence_9 = { e8???????? 4829c4 488b4548 4885c9 742d 4989ca 4883796800 } + $sequence_0 = { f6c208 0f840a010000 4d8b6f40 49634500 85c0 0f8efa000000 4c89842490000000 } + $sequence_1 = { 4c89d2 4889f9 e8???????? 4585ed 400f95c5 807f6700 752a } + $sequence_2 = { e8???????? 8b9424ac000000 4889c7 85d2 0f8827050000 0f8511060000 488bac24c8000000 } + $sequence_3 = { c744242000000000 ba47000000 e8???????? 0fb64761 4189e9 4c89e1 448b44244c } + $sequence_4 = { e8???????? 4885c0 0f845dfbffff 488d0dafaf1700 e8???????? 4885c0 0f8448fbffff } + $sequence_5 = { f20f10642428 f20f59d9 f20f59c2 f20f58c3 f20f58c4 f20f11442428 f20f10442420 } + $sequence_6 = { e8???????? c744242000000000 488b942428010000 4531c9 4189c0 89842418010000 e8???????? } + $sequence_7 = { e8???????? b801000000 89db 488d15a5cb1500 0fb61c1a 01df 488d5638 } + $sequence_8 = { c68424ad00000000 c78424cc00000000000000 0fb6bc2497000000 48c74030ffffffff e9???????? c684249600000000 c78424a800000000000000 } + $sequence_9 = { e9???????? 4889bc24a0000000 488b4510 c78424ac00000064000000 f30f6f9424a0000000 0f1110 e9???????? } condition: 7 of them and filesize < 27009024 
@@ -146167,36 +147232,36 @@ rule MALPEDIA_Win_Betabot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dcaf48d4-507f-5b26-9a58-f3ffaf812c78" - date = "2026-01-05" - modified = "2026-01-06" + id = "4c076032-3f8d-5a2f-be4d-e46ded9d6a18" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.betabot_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.betabot_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "64a375dcaabd1648c075b4080e903b454efe58d8f528e81ccff7ee3035b4b817" + logic_hash = "18b066d2f259a69e2bef9b19793adbc94154a31379a7529dc2c96438387b144f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f7d0 2345fc eb02 33c0 c9 c20800 55 } - $sequence_1 = { ff15???????? 85c0 7413 8d4df8 e8???????? 50 8d45f8 } - $sequence_2 = { 7440 8d45f4 50 8d45f8 50 ff75fc ff15???????? } - $sequence_3 = { 8bc6 83e80c 53 57 741d 48 7551 } - $sequence_4 = { 8bec 81ecac000000 8365f800 8365f000 8365f400 8365fc00 } - $sequence_5 = { ff15???????? 85c0 7504 6a06 eb11 68???????? } - $sequence_6 = { 741a 837df800 7414 8b45f8 8b4804 e8???????? 8945fc } - $sequence_7 = { a3???????? 8bc7 5f 5e 5d c20400 55 } - $sequence_8 = { ff15???????? 
85c0 75df 6a32 58 ebdc 55 } - $sequence_9 = { 8d04b8 833800 7414 ff30 ff45fc e8???????? 8b460c } + $sequence_0 = { 56 bb90000000 53 50 e8???????? a1???????? } + $sequence_1 = { 8365e800 8365fc00 8365e400 8365ec00 8365f800 } + $sequence_2 = { 8b461c 8945f8 58 5e 56 50 8b7508 } + $sequence_3 = { 56 e8???????? 8935???????? 8bc6 5e c9 c3 } + $sequence_4 = { ff7508 a4 895dfc ff15???????? 8bf0 83feff } + $sequence_5 = { ff15???????? 85c0 740b 43 83c628 83fb0c 72e7 } + $sequence_6 = { a1???????? 85c0 740b 8d4dfc 51 ff7508 ffd0 } + $sequence_7 = { 50 33ff 56 47 56 895df8 } + $sequence_8 = { 8985e4feffff eb11 8b85e4feffff 2de8030000 8985e4feffff 6a18 e8???????? } + $sequence_9 = { 743e 6880000000 50 8d4580 50 e8???????? 8b450c } condition: 7 of them and filesize < 835584 
@@ -146206,36 +147271,36 @@ rule MALPEDIA_Win_Metadatabin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bab038c8-9529-5be3-bcc9-7d10f8fe61a6" - date = "2026-01-05" - modified = "2026-01-06" + id = "a2d0df94-9344-5970-ae13-4092f0b7ea03" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.metadatabin_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.metadatabin_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "407d015151f744f5ae0365f6bb52601cc8c31860d073c726bc5069058743c3e0" + logic_hash = "e23b710fe308760b0d61742755dba605975b9311e6186f6b185213ad8bc453bc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d9424b8000000 e8???????? 83bc248800000005 0f848d010000 f20f108c2498000000 f20f108424a0000000 f20f10942488000000 } - $sequence_1 = { c745e4c0834000 894dd0 8d4dc0 c745d402000000 89c2 897de8 8975ec } - $sequence_2 = { b911000000 89df f3a5 f20f108c2474050000 f20f1094246c050000 f20f1084247c050000 f20f118c24b8030000 } - $sequence_3 = { b001 84c9 0f859cfeffff 8b461c 6a01 68???????? ff7618 } - $sequence_4 = { 8b470c 83780400 7421 8b5f08 83780809 7308 e8???????? } - $sequence_5 = { ff76fc e9???????? 
0fb64e2c 85c9 0f84a2000000 83f903 0f84b2000000 } - $sequence_6 = { e8???????? 0f0b 660f1f840000000000 55 89e5 83ec08 8b4508 } - $sequence_7 = { 8a4220 0f1002 8b4a10 8b5214 8845dc 8d45e0 0f1145bc } - $sequence_8 = { c68424010c000000 c78424c00b00003e000000 c68424020c000000 c78424c00b00003f000000 c68424030c000000 c78424c00b000040000000 8db424c00b0000 } - $sequence_9 = { 89de 8b9c24a0020000 135c2478 13542424 138424a0000000 03bc2430010000 135c2414 } + $sequence_0 = { 89fb 89c7 758b 8b45f0 8b5510 8b4dec 39d8 } + $sequence_1 = { 8b5c2414 8b4c2418 31c0 01d9 894c2418 8d4c19ff 39f9 } + $sequence_2 = { c1e105 01c1 fec0 f7d9 884724 80f909 726a } + $sequence_3 = { f7e3 8b5c2408 01c8 89842460010000 0fb6442418 11c2 89d8 } + $sequence_4 = { c144240407 c1c007 c1c207 8944244c 89c8 89f9 8954242c } + $sequence_5 = { f7e3 01f8 89d1 8b7c2440 89842418010000 8b442430 11f1 } + $sequence_6 = { 7426 01d0 8d341a 662e0f1f840000000000 6690 0fb618 40 } + $sequence_7 = { 89f7 8b75ec 89d3 8d14bd00000000 8b4808 8b4508 8d0481 } + $sequence_8 = { 8b8c2480020000 89542424 f7e1 898424d0010000 8b8424f0000000 89542420 f7e1 } + $sequence_9 = { f20f11431c f20f114b24 8b45dc 89432c 31c0 894604 897e08 } condition: 7 of them and filesize < 1263616 
@@ -146245,36 +147310,36 @@ rule MALPEDIA_Win_Pillowmint_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3853669a-e086-5b11-9aa7-48869422e9e3" - date = "2026-01-05" - modified = "2026-01-06" + id = "37bc2c91-a871-547e-bffa-00693189f9af" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.pillowmint_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.pillowmint_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "4bf5c67c89e02047a57c78ccb54899d23f365f779797116ee014480492b0b534" + logic_hash = "a62a6db52cb7ab08526342a07cc2ffd34ac60c7a56feb339f5493112703e1c4d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 48c7442460feffffff 48895808 48897018 48897820 488b05???????? 4833c4 488985d0000000 } - $sequence_1 = { 488b8c24a0000000 e8???????? 48c78424b80000000f000000 4889bc24b0000000 c68424a000000000 4883bc24d800000010 720d } - $sequence_2 = { 7534 8b461c 0fb713 498d0c01 4181f8b80a4c53 7509 448b3491 } - $sequence_3 = { e8???????? 488b4608 488d3d68fb2200 488b80f8000000 488bdf bd10000000 c605????????00 } - $sequence_4 = { 488d4c2468 e8???????? 90 4c8d05360f0300 488bd0 488d8c24c0000000 e8???????? 
} - $sequence_5 = { 498bc5 482bc1 483bc2 7305 488bd7 eb03 4803d1 } - $sequence_6 = { 0fbe00 8d0480 8d80effeffff 8d0442 83f81e 0f8730010000 } - $sequence_7 = { e8???????? 8985c0000000 488d95c0000000 e8???????? 4885c0 0f853e040000 488b05???????? } - $sequence_8 = { 90 4c8d051c170300 488bd0 488d4dd8 e8???????? 90 4983c9ff } - $sequence_9 = { 4883c708 48833b00 75a9 418b4620 4983c614 85c0 0f8579ffffff } + $sequence_0 = { 488b12 49837d1810 7206 498b4d00 eb03 498bcd 4c8bc6 } + $sequence_1 = { 488d8a80010000 e9???????? 488d8a60010000 e9???????? 488d8a70000000 e9???????? 488d8a30000000 } + $sequence_2 = { e8???????? 90 4883bdf800000010 720c 488b8de0000000 e8???????? 4c89bdf8000000 } + $sequence_3 = { 42803c0000 75f6 488bd0 488d8da0000000 e8???????? 90 4c8d05bd930200 } + $sequence_4 = { 0f846c010000 33d2 41b818010000 488d4dd0 e8???????? 488d4dd0 e8???????? } + $sequence_5 = { 493bd8 0f83b3050000 ebd4 4c3bc3 770d 488d0d49930200 e8???????? } + $sequence_6 = { ff15???????? 488d0d432f0300 ff15???????? 4885c0 742a 488d15412f0300 488bc8 } + $sequence_7 = { 458bcd 4c8d05e3530200 33d2 8bcb ff15???????? 85c0 } + $sequence_8 = { e8???????? 90 4c8bcb 48395d8f 7637 0f1f840000000000 4c8d442448 } + $sequence_9 = { 488d4c2430 e8???????? 488bcb e8???????? 48c705????????0f000000 48c705????????00000000 } condition: 7 of them and filesize < 4667392 
@@ -146284,36 +147349,36 @@ rule MALPEDIA_Win_Kamasers_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c1a7cc0c-2e35-5239-9e79-174b829766cd" - date = "2026-01-05" - modified = "2026-01-06" + id = "3b19f2a2-f834-5986-87b3-120904da4663" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kamasers" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kamasers_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kamasers_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "bc9204b6b1cca7a86ddf29783e99c6413f2a7179ee494a096a7a149c0e384519" + logic_hash = "f8e19ef3eb026c9a0c5c914bae604bfdcd7d4c89fa2663538a65855ee39a7abe" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 83c414 ebe1 8b55ec 8b4de8 8b04957885f904 807c082800 7d55 } - $sequence_1 = { 7602 8b06 8a4c3a04 80f13f 884c1004 83c205 83fa19 } - $sequence_2 = { 7776 51 52 e8???????? 83c408 c745e400000000 c745e80f000000 } - $sequence_3 = { 33c0 0f57c0 c78558feffff02000000 0f118548feffff 66898548feffff ba0f000000 88854afeffff } - $sequence_4 = { ffb5b4dbffff 8d85f0efffff f7d1 50 ffb5f8dbffff 66898dfaefffff ff95b0dbffff } - $sequence_5 = { 8b85e8fdffff 83f80f 7634 8b95d4fdffff 8d4801 8bc2 81f900100000 } - $sequence_6 = { 0f85be000000 8d4dd4 e8???????? 50 8d4d98 e8???????? 
8b4de8 } - $sequence_7 = { 6a01 68???????? 8d8d40edffff c645fc13 e8???????? c785fcd8ffff00000000 } - $sequence_8 = { 0f875c070000 51 52 e8???????? 83c408 837de80f } - $sequence_9 = { 8bc8 2bcf b8abaaaa2a f7e9 8b4b04 c1fa02 2bcf } + $sequence_0 = { e8???????? 8b4db8 46 41 eb75 6a0c 8bcf } + $sequence_1 = { 8b07 8bcf ff5008 837df00f 8d4604 0f57c0 } + $sequence_2 = { 52 e8???????? 83c408 8b856cffffff c78510feffff00000000 c78514feffff0f000000 c68500feffff00 } + $sequence_3 = { 8bf9 ba11000000 8bc7 2bf7 0f1107 c6471000 0f1f00 } + $sequence_4 = { c78508feffff03000000 c60053 398d0cfeffff 0f4785f8fdffff c6400165 8d85f8fdffff 398d0cfeffff } + $sequence_5 = { 66f3ab 8b7df0 8b4d10 2bf9 8d047d02000000 8b7df8 50 } + $sequence_6 = { 8bd9 895dec 8b450c 8bc8 8b7508 2bce 8945f0 } + $sequence_7 = { 8b0d???????? 49 890d???????? 89048d947df904 5d c3 55 } + $sequence_8 = { 83c404 ba???????? 8bc8 e8???????? c645fc1c 8b8dc8fdffff } + $sequence_9 = { 0f87ef010000 ff2485e19df604 8b7e08 33c0 884638 384714 7507 } condition: 7 of them and filesize < 906240 
@@ -146323,36 +147388,36 @@ rule MALPEDIA_Win_Unidentified_039_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5307ab67-7df6-58f4-b452-1c07a33c71d9" - date = "2026-01-05" - modified = "2026-01-06" + id = "bbf18cc6-6b35-5e87-a620-32ae448bbe18" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_039_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_039_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "afa5455e6fc48dacd94f7935b5ea52166f1efb72a1cca9234dab50b4c119076b" + logic_hash = "bb1e4b36ca1712ed43f9b61b59fe4c28a338b7504abce5c057a5310aa88db898" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 2bc8 034df4 81f1a1710000 894df8 8b45f4 8b4d0c 3bc8 } - $sequence_1 = { 894dfc 8b45f4 8b4df8 3bc8 7d0c ff75f8 } - $sequence_2 = { 837ddc00 75e6 c6460401 830eff 8bc6 2b04bd20d24100 } - $sequence_3 = { c745d8d9580000 8b45dc 59 59 8b4de0 } - $sequence_4 = { c7459c2e4c0000 c7459cd65d0000 8b459c 251f140000 89459c } + $sequence_0 = { 8b55e0 23ca 0bc1 8b4de4 0bc1 8945e8 8b45e0 } + $sequence_1 = { 0fafc1 8b4d34 0fafc1 8b4d28 81e9700a0000 33c1 894530 } + $sequence_2 = { 41 42 42 6685c0 75f1 5f 5e } + $sequence_3 = { 59 8945e4 ff75fc 56 ff15???????? 
c745d8de330000 c745f4dd0b0000 } + $sequence_4 = { 8b55e8 2bd1 8b4dec 23d1 8b4de4 0bc2 81f12d2a0000 } $sequence_5 = { 0bc1 8945d8 8b45f0 8b4df4 3bc8 7c0c } - $sequence_6 = { 40 663bcb 75f6 6a25 2bc2 8d4d04 51 } - $sequence_7 = { 6890010000 53 53 53 894538 } - $sequence_8 = { 0fafc1 8b4de8 2bc1 8b4dec 81e97f650000 33c1 8945f8 } - $sequence_9 = { 8b4dfc 0bc1 0d403a0000 8945f8 8b4508 8b4dfc 3bc8 } + $sequence_6 = { c74598006b0000 c74594b7040000 c745902b270000 c74588777d0000 c7458c4d5c0000 } + $sequence_7 = { c745e8f9580000 c745dc3f1a0000 c745d8ee2c0000 c745e4092b0000 8b45e4 0345d8 0345dc } + $sequence_8 = { 8945a4 66c74475a66e00 c7459cf1300000 c7459c4d710000 8b459c 2d540f0000 } + $sequence_9 = { 3505150000 0bc1 8945d0 8b45e0 8b4de4 3bc8 } condition: 7 of them and filesize < 262144 
@@ -146362,36 +147427,36 @@ rule MALPEDIA_Win_Keyhole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1424dce1-e15d-5891-8b31-d03e6f9196b6" - date = "2026-01-05" - modified = "2026-01-06" + id = "34ad7e48-f147-50a0-8d5e-72212c767cfe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.keyhole_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.keyhole_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "5d8e02829700ab11940f33d62fd46ba422e843d7ddb0ea7b421b42e641a7096f" + logic_hash = "af83068948165bd00385f1d128bc4ff34bcdb877d7f43205245837d049348534" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d442404 0f11442404 50 0f11442418 c744240830000000 c744241090f36800 c744241c00000000 } - $sequence_1 = { 2bee 90 8a01 8d4901 884429ff 83ef01 75f2 } - $sequence_2 = { 6a00 ff15???????? 8bd8 85ff 7515 8b0d???????? 81c15d010000 } - $sequence_3 = { 47 83c414 83c614 3bf8 72da a1???????? 33ff } - $sequence_4 = { 83ec08 53 8b5c2418 8bc3 d1e8 56 8d3440 } - $sequence_5 = { c3 a900080000 7404 33c0 eb11 56 53 } - $sequence_6 = { 7507 b9f5060000 eb1a 83f920 7205 83f97e 761e } - $sequence_7 = { 85c0 741f 53 e8???????? 
83c404 85c0 } - $sequence_8 = { 3bf7 725d 8b7c2420 8bc2 25ff030000 0fbf844560010000 89442410 } - $sequence_9 = { 8d442420 50 55 6a00 ff15???????? 8b442428 8b542420 } + $sequence_0 = { 68???????? e8???????? 8d442448 c74424380a000000 89442434 8d442430 50 } + $sequence_1 = { 663bda 7551 0fb75002 83c002 0fb74e04 8ada 884c2430 } + $sequence_2 = { 6a00 6a0c 50 ff35???????? ff15???????? 8b3d???????? } + $sequence_3 = { 83c43c c20400 53 8d442410 50 56 ff15???????? } + $sequence_4 = { 5f 5e 81c4ac000000 c3 53 8a5e60 8d442430 } + $sequence_5 = { 668944240c 6a10 668b07 0fb64f01 66c1e008 6633c8 8b442424 } + $sequence_6 = { 85ff 0f8474010000 56 e8???????? 8b35???????? } + $sequence_7 = { 7403 50 ffd6 57 ffd3 eb0c 50 } + $sequence_8 = { 75f2 8b2d???????? 8b1d???????? 85ed 7408 85db 0f85f0000000 } + $sequence_9 = { 3bc5 7506 42 83e901 79f2 3bfa 7e12 } condition: 7 of them and filesize < 303104 
@@ -146401,34 +147466,34 @@ rule MALPEDIA_Win_Oatboat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4613e236-064b-571a-be7e-ff2a01da6b41" - date = "2026-01-05" - modified = "2026-01-06" + id = "b70deb15-907c-57e5-93db-769ef748fca1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oatboat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.oatboat_auto.yar#L1-L103" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.oatboat_auto.yar#L1-L110" license_url = "N/A" - logic_hash = "7413375bcf19ea166467a5406a23466233d2d4aaf455c3de8007d0b602ee838d" + logic_hash = "4fd89130628ae6dae46c069641713f47111051d9b2170bf05ebbd8e8d8374841" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745e465655669 c745e872747561 c745ec6c4d656d c745f06f727900 e8???????? 41b900800000 } - $sequence_1 = { 488d0dc20b0000 ff15???????? 33c0 4883c450 415f } - $sequence_2 = { 4c896538 c745e04e74416c c745e46c6f6361 c745e874655669 c745ec72747561 c745f06c4d656d c745f46f727900 } - $sequence_3 = { c745e8656d6f72 66c745ec7900 e8???????? 4d8bc4 } - $sequence_4 = { c745ec72747561 c745f06c4d656d c745f46f727900 e8???????? 4c8d4d38 c744242840000000 4533c0 } - $sequence_5 = { 488bc8 e8???????? 
488bd8 488b7c2458 488bc3 } - $sequence_6 = { 7527 488d4df0 c745f04c6f6164 c745f44c696272 c745f861727957 44887dfc e8???????? } - $sequence_7 = { c745ec33003200 c745f02e004400 c745f44c004c00 e8???????? } + $sequence_0 = { c745e872747561 c745ec6c4d656d c745f06f727900 e8???????? 41b900800000 4c8d4540 488d5548 } + $sequence_1 = { 4c896538 c745e04e74416c c745e46c6f6361 c745e874655669 c745ec72747561 c745f06c4d656d } + $sequence_2 = { 488d48d8 c740dc64006c00 33db c740e06c002e00 c740e464006c00 c740e86c000000 e8???????? } + $sequence_3 = { 55 4156 4157 488bec 4883ec30 65488b042560000000 } + $sequence_4 = { c740e86c000000 e8???????? 4885c0 740e 488bd7 488bc8 } + $sequence_5 = { e8???????? 488bd8 488b7c2458 488bc3 488b5c2450 4883c440 5d } + $sequence_6 = { c745f04c6f6164 c745f44c696272 c745f861727957 44887dfc e8???????? 488bcf } + $sequence_7 = { 66895df8 c745e845004c00 c745ec33003200 c745f02e004400 c745f44c004c00 e8???????? 4885c0 } condition: 7 of them and filesize < 58368 
@@ -146438,36 +147503,36 @@ rule MALPEDIA_Win_Newsreels_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9b53256-b535-5dc7-8672-9faed5bf005d" - date = "2026-01-05" - modified = "2026-01-06" + id = "9e8f99f3-3aeb-54a5-98cc-f8ad1508809d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.newsreels_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.newsreels_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "a1151606e01c8e298edbe7dd1574962a9c78cdce343ec52b131b424fbeb15649" + logic_hash = "427aa4c7d5e6a45f70adf11d4a89639f40d41588efa677409cd8b8bb2eaf8cc9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c1e902 f3a5 a1???????? 8bcd 83e103 } - $sequence_1 = { 83c41c 85f6 750b 5f } - $sequence_2 = { ff15???????? 8b8c241c030000 8dbc240c010000 51 83c9ff 33c0 } - $sequence_3 = { 56 ff15???????? 8be8 85ed 750e 56 } - $sequence_4 = { 83c410 c6043000 5e 5d 5b 81c4a0010000 } + $sequence_0 = { 0fbe543702 52 68???????? e8???????? 8a4c2b01 2d???????? c1f802 } + $sequence_1 = { 8b1d???????? 6884030000 68c2010000 e8???????? 8bf0 83c408 33c0 } + $sequence_2 = { 5b 81c40c040000 c3 8bc5 57 } + $sequence_3 = { e8???????? 6a01 6804010000 68???????? e8???????? 68???????? 68???????? 
} + $sequence_4 = { 8dbc2488000000 83c9ff 33c0 6a4d f2ae f7d1 } $sequence_5 = { 83c408 85db 750a 5e 5d } - $sequence_6 = { 83c703 c1f902 83e13f 897c2424 8a81305d4000 88441efc 8a4c2ffd } - $sequence_7 = { 80e301 881c30 40 83f808 } - $sequence_8 = { 7415 53 e8???????? 83c404 33c0 } - $sequence_9 = { f7d1 2bf9 6a4d 8bf7 8bd9 8bfa 83c9ff } + $sequence_6 = { 8808 8b15???????? 8bcb 8bc1 8d7a01 c1e902 } + $sequence_7 = { 8d442424 53 50 68???????? 53 } + $sequence_8 = { 80e301 881c86 8bda c1fb02 80e301 } + $sequence_9 = { 6a00 68???????? 68???????? 56 ff15???????? 8be8 85ed } condition: 7 of them and filesize < 65536 
@@ -146477,36 +147542,36 @@ rule MALPEDIA_Win_Minibrowse_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "10e3be16-7c28-577f-b9d3-3ef306665a79" - date = "2026-01-05" - modified = "2026-01-06" + id = "9f6650b8-5239-5032-886e-aed87970db71" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibrowse" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.minibrowse_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.minibrowse_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "832a6f1a1806ae15f070571362445b96d0797510bb64e050cd468771ae5f3839" + logic_hash = "431afaa525f2fb5fee467730f29c5866714cce8b22c1963aa09f9eeafdd7fb92" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b10 488b442440 488b08 49b9fe54fd6de0b04522 4c030d???????? } - $sequence_1 = { eb00 488b45b8 8b10 488d4dd8 e8???????? eb00 488b15???????? } - $sequence_2 = { 48b82faa1e82712b2956 480305???????? 8b08 48b82faa1e82712b2956 480305???????? 8908 48b82faa1e82712b2956 } - $sequence_3 = { ffd0 4889442430 488b542430 488b4c2438 49b8ae95c15973721312 4c0305???????? 48b80ca985ca9581e688 } - $sequence_4 = { f7f1 89c1 48b85a5ff63d0a40dfa2 480305???????? 8908 48b85a5ff63d0a40dfa2 480305???????? } - $sequence_5 = { b903000000 31d2 f7f1 89c1 48b8d4f3e92d0d1244e8 480305???????? 
} - $sequence_6 = { 48894c2438 488b442438 4889442428 488b4c2440 48ba99b0f0dd579ba6c4 480315???????? 48b86641bd6f7fab0f25 } - $sequence_7 = { e9???????? 488b442438 48c7401000000000 488b442438 48c7401807000000 66c744244e0000 488b4c2438 } - $sequence_8 = { 01ca 48b9ae6044a06c22125f 48030d???????? 8911 a801 7502 eb36 } - $sequence_9 = { 4883ec48 88542447 4c89442438 48894c2430 488b4c2430 48894c2428 48ba856a0e13b3e6f301 } + $sequence_0 = { 488b4010 488b0c24 488b09 48ba519faa8c11c54d25 4801d0 4829c8 48b9519faa8c11c54d25 } + $sequence_1 = { 4c63c8 428a140a 88542407 41b91d000000 31d2 41f7f1 8b442410 } + $sequence_2 = { 48b8285a895ec1288634 49034338 4c89542420 ffd0 488b4c2478 48bae4ae95c06d509bd8 } + $sequence_3 = { f7f1 89c1 83e928 48b81ca6e955db0a66e9 480305???????? 8908 48b81ca6e955db0a66e9 } + $sequence_4 = { 48b84933c445a4f5a43d 480305???????? 8b00 8945ac 4189c0 4183e01f 4183c801 } + $sequence_5 = { 488b842488000000 4889442438 488b4c2460 48ba43826c17761a1b3b 480315???????? 48b8e2603ff4395df8be 48034230 } + $sequence_6 = { 488b4c2438 49b887c7de1b22f1b6a7 4c0305???????? 48b8584182a86aca4fb4 490300 ffd0 488b542428 } + $sequence_7 = { f7f1 89c1 83e92f 48b894f60aea1b77f0c0 480305???????? 8908 48b894f60aea1b77f0c0 } + $sequence_8 = { 80e101 0fb6c9 01ca 48b90080d46689848625 48030d???????? 8911 a801 } + $sequence_9 = { f7f1 89c1 48b815ac4d524d475ce8 480305???????? 8908 48b815ac4d524d475ce8 480305???????? } condition: 7 of them and filesize < 1779712 
@@ -146516,36 +147581,36 @@ rule MALPEDIA_Win_Brbbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f8ffa7c-cd8c-50e9-99ce-be919b2bf777" - date = "2026-01-05" - modified = "2026-01-06" + id = "9c5853e2-5ea6-5682-95ab-e688df258b9f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.brbbot_auto.yar#L1-L129" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.brbbot_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "81c84b2ac34bd64175981dcc2195841d305509a8b4adcc1041ffc068cd7e1797" + logic_hash = "a1ff584342823e582c57bb56f9522382b7ffa39690c47063f90ec090341065b9" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d0d14310000 4533c9 ba00000040 4489442420 ff15???????? 488905???????? } - $sequence_1 = { 4c8d41ff 488b4d00 e8???????? 443926 7433 488b4d00 488d15e1ca0000 } - $sequence_2 = { 8b4d48 41b801000000 4883caff e8???????? 807d580a 4c8d05af3dffff 740f } - $sequence_3 = { 488906 8b05???????? 894608 0fb705???????? 6689460c 488bc6 660f1f440000 } - $sequence_4 = { 48ffcf 75f5 488bce e8???????? 488bf8 } - $sequence_5 = { 81cb00000780 8bc3 4883c448 5f 5b c3 4c8d0562ec0000 } - $sequence_6 = { 57 4881ece0010000 488b05???????? 
4833c4 48898424d0010000 33ff 33c9 } - $sequence_7 = { 7516 488d051cb80000 488b4c2430 483bc8 7405 e8???????? } - $sequence_8 = { 750d 488bce e8???????? e9???????? 4c8d2d31bb0000 8bcb 488beb } - $sequence_9 = { 8a45d9 4b8b8cf8c05a0100 88443139 4b8b84f8c05a0100 8854303a eb4c } + $sequence_0 = { 4585ed 743c 488bf8 6666660f1f840000000000 4c8d842428010000 488d15e1dc0000 } + $sequence_1 = { 4c8b742440 8bf8 85c0 0f885d020000 4883c9ff 33c0 498bfe } + $sequence_2 = { 488d15e1ca0000 41b801000000 e8???????? 8b16 4883c9ff 33c0 } + $sequence_3 = { bf0e000780 eb4a 4585ed 743c } + $sequence_4 = { 88443109 8a45d9 4b8b8cf8c05a0100 88443139 4b8b84f8c05a0100 8854303a eb4c } + $sequence_5 = { 48897c2428 488b4c2420 4885c9 740b } + $sequence_6 = { 488bcd e8???????? 4885c0 7403 448820 ba20000000 } + $sequence_7 = { 85c0 0f88d6020000 4c8d4da8 4c8d0570ea0000 } + $sequence_8 = { 48f7d1 48ffc9 03d1 4883c9ff f2ae 488d7c2458 } + $sequence_9 = { 4c8d2d35850000 49837cfd0000 7404 8bc6 eb79 b928000000 e8???????? } condition: 7 of them and filesize < 198656 
@@ -146555,36 +147620,36 @@ rule MALPEDIA_Win_Lowzero_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0ac2a079-cc7d-5a01-943f-6fc6cc4cbe31" - date = "2026-01-05" - modified = "2026-01-06" + id = "459457b1-9851-5959-bfeb-eec17af1cd98" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowzero" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lowzero_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lowzero_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "f28e102152915a4d88e2eb7305099c61405576886b21971bd223760dea8f3689" + logic_hash = "10fd88869d65162b34eb0190a77edf0117a39de65dfd11eed9ccd83e6ab51505" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 5e 5b c70016000000 33c0 } - $sequence_1 = { 33c0 8be5 5d c3 e8???????? 5f 5e } - $sequence_2 = { 5d c3 8b4b3c 894df8 8d81f8000000 3bd0 72e0 } - $sequence_3 = { 2bce 894df0 8d9b00000000 8d1c31 ff7734 85c0 } - $sequence_4 = { 4b 75f7 8b4d0c 3b7dfc 0f8255feffff } - $sequence_5 = { 47 2bc8 8d4602 03c3 3b450c } - $sequence_6 = { 8b3e 0fb74706 3945f8 0f8c5affffff } - $sequence_7 = { 83fa40 7310 6a0d ff15???????? 5e 33c0 5b } - $sequence_8 = { 8b45f8 ff740854 51 56 } - $sequence_9 = { 8806 46 47 e9???????? 8bda } + $sequence_0 = { 47 8a07 8806 46 47 e9???????? 
} + $sequence_1 = { 03c3 3b450c 0f87ac000000 3b4d08 0f828f000000 83fb09 774e } + $sequence_2 = { 33f6 895dfc 83fa40 7310 6a0d } + $sequence_3 = { c1e208 2bca 49 83fb07 } + $sequence_4 = { 8d0417 8945fc 8d9b00000000 0fb617 47 83fa20 0f83e2000000 } + $sequence_5 = { 5e 5b 8be5 5d c3 894738 } + $sequence_6 = { 47 0fb607 47 2bc8 8d4602 03c3 3b450c } + $sequence_7 = { 47 2bc8 8d4602 03c3 3b450c } + $sequence_8 = { 5d c3 8b4df8 8b55fc 895f04 0fb7441116 c1e80d } + $sequence_9 = { 47 0fb607 47 2bc8 8d4602 } condition: 7 of them and filesize < 433152 
@@ -146594,36 +147659,36 @@ rule MALPEDIA_Win_Bluenoroff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "715350ff-965b-560c-8af6-f01ef8d9887d" - date = "2026-01-05" - modified = "2026-01-06" + id = "a582fa23-6d82-52ca-9192-057379d9bfdf" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluenoroff" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bluenoroff_auto.yar#L1-L116" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bluenoroff_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "09078eca5d74bcdca0f6c272495f67d2206bb2b723aa1a39684e4df83692420a" + logic_hash = "e9593f18a8187895d43ff0b610d351efe39104b1899348daa5b3aa6a9fc0b2ef" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 33ff 53 ff15???????? 8b450c } - $sequence_1 = { 8bf0 83c404 85f6 7429 8b4508 8b5510 } - $sequence_2 = { 8bf8 85ff 7421 6a00 8d55fc 52 56 } - $sequence_3 = { b912010000 8bf3 f3a5 a1???????? 8b5004 83c410 8d7004 } - $sequence_4 = { 83c41c 83f801 750e 8d8dfcfffeff } - $sequence_5 = { 83feff 7433 8d4e01 51 6a40 ff15???????? } - $sequence_6 = { 51 52 8d85fcfffeff 68ffff0000 } - $sequence_7 = { 83c41c 8d95ecfffeff 33c9 52 } - $sequence_8 = { 7433 8d4e01 51 6a40 } - $sequence_9 = { 8d8dfcfffeff 51 68???????? 
eb23 83f802 } + $sequence_0 = { 52 8d4608 50 83c709 57 894e04 } + $sequence_1 = { 83c410 6a00 68???????? ff15???????? 6a00 } + $sequence_2 = { 57 ff15???????? 33ff 53 ff15???????? 8b450c 85c0 } + $sequence_3 = { 8906 8b5004 8902 8b45f8 40 81c348040000 8945f8 } + $sequence_4 = { 668985fafffeff ff15???????? 68???????? 68???????? } + $sequence_5 = { 8b550c 52 8d85f8feffff 33c9 57 50 66894df8 } + $sequence_6 = { 8985f2fffeff 8985f6fffeff 668985fafffeff ff15???????? 68???????? } + $sequence_7 = { ff15???????? 33ff 53 ff15???????? 8b450c 85c0 } + $sequence_8 = { 83feff 7433 8d4e01 51 6a40 } + $sequence_9 = { 8b5514 85d2 0f8e7e000000 8b4d0c 8b4508 53 56 } condition: 7 of them and filesize < 303104 
@@ -146633,36 +147698,36 @@ rule MALPEDIA_Win_Yibackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bd826b97-b05e-574c-adcf-8cef34bea245" - date = "2026-01-05" - modified = "2026-01-06" + id = "8381ad3f-144e-57bf-b1e0-596a16631421" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yibackdoor" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.yibackdoor_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.yibackdoor_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "72cc75115eff495a52d292944ce30cf871fe0425f0d810307073cc2873931dac" + logic_hash = "d1e046cc1b955a806f4fd0e827829722c6add56dbc28052f2824eed9e402f3f3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c897ddf 488b18 e8???????? 488d4d6f 4c8bc3 48894c2440 } - $sequence_1 = { 33f6 4d85db 744a 4f8d0c00 498bf8 4d85c0 7439 } - $sequence_2 = { 743f 4180f97b 0f84b6000000 4180f92d 740e 4180e930 4180f909 } - $sequence_3 = { 33c9 e8???????? 488b4def ffd0 4c3965f7 741e 41b9fc000000 } - $sequence_4 = { ff15???????? 488b5c2450 448d4fda 33d2 33c9 41b842a86f9e e8???????? } - $sequence_5 = { 488bd8 e8???????? 488bcb 4c8b4008 488b10 e8???????? 488d15cd5c0000 } - $sequence_6 = { 448bc2 41c1e803 4183f80a 7de8 4d85d2 7464 4885db } - $sequence_7 = { 458bfe e8???????? 
4533c9 4489742420 4533c0 33d2 } - $sequence_8 = { c3 33d2 488bc1 4885c9 7505 c3 4883c102 } - $sequence_9 = { 488b5028 c745db05000000 e8???????? 488bd0 488d4de3 e8???????? } + $sequence_0 = { 84c9 75ef 458b4c1820 4d8bd8 418b741814 4c03cb 458bd6 } + $sequence_1 = { 418bd6 ffd0 3d02010000 752b 488b4d90 33d2 ff15???????? } + $sequence_2 = { 4883ec30 488bfa 418bf0 33d2 4c8bf1 33c9 } + $sequence_3 = { 488d4da0 33d2 e8???????? 33d2 895da0 33c9 448d4baa } + $sequence_4 = { 7406 8b4028 8945d7 44887c2420 c74424244632b25f c74424285f30c738 8b442424 } + $sequence_5 = { 488bc1 4885c9 7505 c3 4883c102 663911 75f7 } + $sequence_6 = { 488b15???????? 4803d7 48895110 488b09 e8???????? 488903 48897b08 } + $sequence_7 = { c74513ac2aba60 895517 4489451b 89451f 895523 44894527 89452b } + $sequence_8 = { e8???????? 488bd0 488d4c2438 e8???????? 488b4c2468 e8???????? 40887c2420 } + $sequence_9 = { 0f31 48c1e220 480bc2 8905???????? 488bcb 6901fd430300 bfc39e2600 } condition: 7 of them and filesize < 147456 
@@ -146672,36 +147737,36 @@ rule MALPEDIA_Win_Sysraw_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0b55ef6-5e72-5427-8051-b4c3cd8766ea" - date = "2026-01-05" - modified = "2026-01-06" + id = "2dacca50-75f4-571e-8414-248370e25c4f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sysraw_stealer_auto.yar#L1-L113" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sysraw_stealer_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "c61c4a8b05627678a7ba0afb4e01a7aec8181a910b716ed57582ec5bcddd612c" + logic_hash = "c6c1f0c61f70970454e86ed60c3c7743b18f85228c5050098b903b7fcf3084ed" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ffd3 8bd0 8d8decfeffff ffd6 8b4d90 8d9580feffff 83c114 } - $sequence_1 = { 56 ff512c 8b55bc 8b06 8d8d54feffff } - $sequence_2 = { 33c9 8955bc 894de4 ba3f000000 } - $sequence_3 = { 6a0d 57 56 ff5238 } - $sequence_4 = { 8bf8 ffd6 3bfb 7472 } - $sequence_5 = { 8b8df8feffff 8b85f4feffff 898d24feffff 8b8df0feffff 898d1cfeffff } - $sequence_6 = { 8b550c 8b06 51 52 56 } - $sequence_7 = { 2bd7 6a00 42 83ec08 895590 db4590 } - $sequence_8 = { 8bd0 8b45d4 51 f7da } - $sequence_9 = { 50 ffd3 8bd0 8d8d24ffffff ffd6 } + $sequence_0 = { ffd6 53 e8???????? 
ffd6 53 6a0d e8???????? } + $sequence_1 = { 33c9 8955bc 894de4 ba3f000000 3bca 0f8f0c020000 83f910 } + $sequence_2 = { 8bc8 f7d1 23ca 8b54240c 23c2 8b542414 33c8 } + $sequence_3 = { c7404c00000800 c7405000001000 c7405400002000 c7405800004000 c7405c00008000 c7406000000001 } + $sequence_4 = { 898d0cfeffff 6a08 68???????? 8d8d78ffffff 89bdfcfeffff 89bdf8feffff 89bdf4feffff } + $sequence_5 = { 6a04 ff15???????? 83c420 9b } + $sequence_6 = { 50 52 56 ff512c 8b4590 8b8d5cfeffff } + $sequence_7 = { f7d8 1bc0 f7d8 0bc8 7507 c745ec01000000 } + $sequence_8 = { 50 ffd3 8b4de4 8bd0 } + $sequence_9 = { 8b5590 c742107f520e51 8b4590 c740148c68059b 8b4d90 c74118abd9831f } condition: 7 of them and filesize < 1540096 
@@ -146711,36 +147776,36 @@ rule MALPEDIA_Win_Wm_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c6756856-697a-5678-ac68-3f5e48855d20" - date = "2026-01-05" - modified = "2026-01-06" + id = "747bdadd-c5ad-51c6-aa42-0fc395c36715" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wm_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.wm_rat_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.wm_rat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "17d23eab1cdfe83be57cb83b91146c56a89d3518780617b00510aa5e646a5ec0" + logic_hash = "915161228258a5b3eac41ee3f036022feee5d4f01a85152598b95c9fb0f4ab1f" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 89481c 894820 894824 6a00 b901000000 6a00 6689480c } - $sequence_1 = { 8d8c24e4110000 ff15???????? c684247c31020056 8b8424d4110000 8b4804 f6840cdc11000006 0f842c010000 } - $sequence_2 = { 83f8ff 0f8423070000 90 f684247402000010 0f8492020000 68fc070000 8d8c24f80b0000 } - $sequence_3 = { ff15???????? 33c9 6a30 51 8d9424aa100000 } - $sequence_4 = { 8b4c240c 6aff 8d542414 894608 } - $sequence_5 = { 83c404 6a64 ffd6 8b4c2414 51 e8???????? 
83c404 } - $sequence_6 = { b804000000 2bc6 50 8d0c3e 51 52 } - $sequence_7 = { 50 8b4204 ffd0 c684245402000000 8b44241c 83c0f0 8d480c } - $sequence_8 = { 84c0 0f84f4e9ffff 83ec1c 8bcc 89642434 68???????? ff15???????? } - $sequence_9 = { 3b01 743b 8b542428 8b4e14 2bd0 8d4c0a01 51 } + $sequence_0 = { 8b442410 50 e8???????? 83c404 6a64 ffd6 } + $sequence_1 = { 50 ffd6 83c40c 8d8c24d4110000 51 b9???????? } + $sequence_2 = { 8d8c24600d0000 e9???????? 8b4c2424 51 ff15???????? 8b3d???????? 89442424 } + $sequence_3 = { 50 8d8424a43d0000 64a300000000 33db 68???????? 8d8c24b83d0000 899c24b03d0000 } + $sequence_4 = { b9???????? ff15???????? 8d9424d4120000 52 b9???????? ff15???????? 83ec1c } + $sequence_5 = { 8944242c 89442414 a1???????? c744240c00000000 c744241801000000 c744241c06000000 7305 } + $sequence_6 = { 8d44242c 50 e8???????? 83c40c ff15???????? 33c9 68ac010000 } + $sequence_7 = { 52 50 ffd1 8d7c2428 8bf0 e8???????? 8d7c2424 } + $sequence_8 = { 8b15???????? a1???????? 8b0d???????? 03c2 8b15???????? 89442414 db442414 } + $sequence_9 = { e8???????? 8d542408 c684247401000002 8b4c242c 52 e8???????? c684247401000004 } condition: 7 of them and filesize < 258048 
@@ -146750,36 +147815,36 @@ rule MALPEDIA_Win_Atmosphere_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4a1cda9-16c6-5553-aa27-a4261bb4c5d6" - date = "2026-01-05" - modified = "2026-01-06" + id = "ca63c9fa-30a8-5d9c-b237-90751a378aa4" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.atmosphere_auto.yar#L1-L110" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.atmosphere_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "cdc6f699a9e6edd17b2609c792a1b077712e73bd58ad4e35ab98f645501a4fd4" + logic_hash = "bec5a8b07d3d360e72629aac51bf0b691bf24bf4167a305760c736df73365d93" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a12 50 8b11 ff12 } - $sequence_1 = { c20400 56 57 8b7c240c 8bf1 57 ff15???????? } + $sequence_0 = { 50 8bcf ff5338 5f 5e } + $sequence_1 = { 57 8bf9 6a2e e8???????? 8bf0 } $sequence_2 = { 56 f6d8 1bc0 57 83e002 } - $sequence_3 = { 894114 b001 c20400 8b4114 } - $sequence_4 = { 57 8bce ff502c 84c0 } - $sequence_5 = { 8b5104 668b0402 8b542404 668902 } - $sequence_6 = { ff15???????? 56 8bf8 ff15???????? 83c410 8bc7 } - $sequence_7 = { 83ec10 8bc4 89642410 50 } - $sequence_8 = { 57 8bf9 6a2e e8???????? } - $sequence_9 = { 6a0a 50 8b11 ff12 } + $sequence_3 = { e8???????? 
83ec10 c645fc02 8bcc 8965e8 50 51 } + $sequence_4 = { 83ec10 c645fc02 8bcc 8965e8 50 51 } + $sequence_5 = { 57 8d45e0 8965f0 8bf1 } + $sequence_6 = { 8bf9 8b06 8bce 8b1f } + $sequence_7 = { 8bce 50 ff15???????? 8d4e16 } + $sequence_8 = { 33c0 894612 894616 89461a 884e1e } + $sequence_9 = { 8b5104 668b0402 8b542404 668902 } condition: 7 of them and filesize < 360448 
@@ -146789,57 +147854,57 @@ rule MALPEDIA_Win_Kimsuky_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2b35147a-6567-5a82-9763-3c4ee63e8bd0" - date = "2026-01-05" - modified = "2026-01-06" + id = "f6b89441-1987-5ba0-8edf-1ab8837a162a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kimsuky_auto.yar#L1-L287" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kimsuky_auto.yar#L1-L298" license_url = "N/A" - logic_hash = "8be5626e2aa4b8842ccf79ecee20f7ed9aeff1f3bf60d56bf491e7076e9910d9" + logic_hash = "0302f9bb4ba03cc69300f88428cb54ddc311de48a95ef36985a3fb1ba768c7bd" score = 75 quality = 73 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" - malpedia_license = "CC BY-SA 4.0" - malpedia_sharing = "TLP:WHITE" - - strings: - $sequence_0 = { 8d85f8feffff 6804010000 50 e8???????? 8d85f0fcffff } - $sequence_1 = { ffd7 a3???????? 8d85ecfbffff 50 53 ffd7 } - $sequence_2 = { 6a00 6800f70484 6a00 6a00 68???????? 8d85e4fbffff 50 } - $sequence_3 = { ff15???????? 3db7000000 7503 56 eb18 6a00 } - $sequence_4 = { 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff b9???????? } - $sequence_5 = { ff15???????? 8d85ecfbffff 50 8d85f8feffff 50 8d85f4fdffff 68???????? } - $sequence_6 = { e8???????? 83c418 8d85f8feffff 6a00 50 ff15???????? 8d85ecfbffff } - $sequence_7 = { ff15???????? 85c0 7516 ff15???????? 8bd8 e8???????? } - $sequence_8 = { ffd7 a3???????? 
8d85d4f5ffff 50 } - $sequence_9 = { 8b4520 4883c514 85c0 0f857affffff 4c8b7c2460 4c8b6c2420 4c8b642428 } - $sequence_10 = { 4156 4157 4883ec40 48896c2470 } - $sequence_11 = { 48896c2460 488b4818 41bb01000000 4c8b7120 4d85f6 } - $sequence_12 = { 33d2 4883c9ff 4903de ff542468 4533c0 498bce } - $sequence_13 = { 488b6c2460 4c637d3c 33c9 41b800300000 4c03fd 448d4940 } - $sequence_14 = { 48896c2470 4889742438 4533ff 4c89642428 4c896c2420 33f6 } - $sequence_15 = { 7405 48ffcd ebdb 65488b042560000000 48897c2430 48896c2460 } - $sequence_16 = { 85c9 0f8494020000 89bda0000000 897d30 } - $sequence_17 = { 89442450 8bf0 8bc8 e8???????? } - $sequence_18 = { 85c0 0f84b3000000 85f6 0f8497000000 } - $sequence_19 = { 85c0 0f84e6000000 c6850801000000 33c0 } - $sequence_20 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 } - $sequence_21 = { 8bcf 85c0 0f94c1 85c9 } - $sequence_22 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? } - $sequence_23 = { 895c2458 eb04 8b5c2458 c685700d000000 33d2 } - $sequence_24 = { 8bd7 3bd8 0f94c2 85d2 7419 } - $sequence_25 = { 488d95003e0000 488bc8 e8???????? 90 } - $sequence_26 = { 488d9510010000 488d4dc0 e8???????? 90 } - $sequence_27 = { 488d9510010000 498bce ff15???????? 498bce } - $sequence_28 = { 488d9500010000 4883bd1801000008 480f439500010000 4c8d05c2850500 } - $sequence_29 = { 488d9424c0000000 4883bc24d800000008 480f439424c0000000 48895c2438 c744243000f70484 48895c2428 } - $sequence_30 = { 488d9508010000 488d4c2440 e8???????? 90 488b542458 } + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" + malpedia_license = "CC BY-SA 4.0" + malpedia_sharing = "TLP:WHITE" + + strings: + $sequence_0 = { ff15???????? 3db7000000 7503 56 eb18 6a00 6a00 } + $sequence_1 = { 8d85f0feffff 50 68???????? ff15???????? 6a04 6a00 } + $sequence_2 = { 56 85ff 740a 33ff } + $sequence_3 = { ffd7 a3???????? 8d85ecfbffff 50 53 ffd7 } + $sequence_4 = { 7516 ff15???????? 
8bd8 e8???????? 0fafd8 } + $sequence_5 = { 50 8d85f8feffff 50 8d85f4fdffff 68???????? 50 e8???????? } + $sequence_6 = { 6a00 68???????? ff15???????? 6a00 8d85e8fdffff 50 } + $sequence_7 = { 56 ffd7 a3???????? 8d85ccf3ffff 50 56 } + $sequence_8 = { ffd6 8bd8 85db 7510 5e 5b 8b4dfc } + $sequence_9 = { 4c897c2468 41bb01000000 418d5b02 4d85ed } + $sequence_10 = { 4c897c2460 ffd6 458b4754 488bd5 4c8bf0 4d85c0 } + $sequence_11 = { 4889742438 4533ff 4c89642428 4c896c2420 33f6 4533ed 4533e4 } + $sequence_12 = { 4d8b36 4d85f6 0f8540feffff 488b6c2460 4c637d3c 33c9 } + $sequence_13 = { 488b6c2470 4d8bc6 4d2b4730 4183bfb400000000 } + $sequence_14 = { 4c8b7c2460 4c8b6c2420 4c8b642428 488b7c2430 488b742438 488b6c2470 4d8bc6 } + $sequence_15 = { 4d03d1 4d03d9 666666660f1f840000000000 418b0a } + $sequence_16 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? } + $sequence_17 = { 8bd7 3bd8 0f94c2 85d2 7419 } + $sequence_18 = { 894d90 8bc1 81fb00000001 0f97c0 } + $sequence_19 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 } + $sequence_20 = { 8b7590 660f1f440000 837df000 0f841b020000 } + $sequence_21 = { 83f809 8d7340 7405 be20000000 c68424a000000000 33d2 } + $sequence_22 = { 8b442468 6683f809 7508 83f809 } + $sequence_23 = { 898521010000 66898525010000 888527010000 8b742450 } + $sequence_24 = { 85c0 0f94c1 85c9 0f8494020000 89bda0000000 897d30 } + $sequence_25 = { 488dac24d0c1ffff b8303f0000 e8???????? 482be0 } + $sequence_26 = { 488dac24c0fdffff 4881ec40030000 488b05???????? 4833c4 48898530020000 488bf1 } + $sequence_27 = { 488dac24d0fbffff 4881ec30050000 488b05???????? 4833c4 48898520040000 488bf9 } + $sequence_28 = { 488dac24a0feffff 4881ec60020000 488b05???????? 4833c4 48898558010000 4c8bf9 } + $sequence_29 = { 488dac2490f5ffff 4881ec700b0000 488b05???????? 4833c4 488985600a0000 8a4208 4c8d1d5a98fcff } + $sequence_30 = { 488dac2480feffff 4881ec80020000 488b05???????? 
4833c4 48898570010000 488bf1 488d4dc8 } condition: 7 of them and filesize < 1021952 
@@ -146849,36 +147914,36 @@ rule MALPEDIA_Win_Glitch_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c93e3d6a-335e-54cb-bdcc-97351033393c" - date = "2026-01-05" - modified = "2026-01-06" + id = "905ab686-29a9-58f5-ab43-a66dfc48d5b1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.glitch_pos_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.glitch_pos_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "21a834f4b54c4ad338d28c072f57ab5cdab3b8ecf8da5350f54289b7483fd1b9" + logic_hash = "757128f31249556432b1c63f78c045ad9cc1baeb1b0d31982de910507016eb48" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b00 ff7508 ff9010030000 50 8d45c4 50 e8???????? } - $sequence_1 = { 8b4508 8b4034 83c001 0f80b9060000 8b4d08 894134 8b4508 } - $sequence_2 = { 8b00 ff7508 ff902c070000 6683bd2cffffffff 0f85f7030000 8b4508 8b00 } - $sequence_3 = { e8???????? 8945dc 8d45e0 50 8b450c 668b00 } - $sequence_4 = { 50 8b8554ffffff 8b00 ffb554ffffff ff5054 } - $sequence_5 = { 668985f0feffff 8d8568ffffff 50 8d8578ffffff 50 8d4598 50 } - $sequence_6 = { 8d4588 50 8b856cffffff 8b00 ffb56cffffff ff90d8000000 } - $sequence_7 = { ffb5dcfeffff e8???????? 
89852cfeffff eb07 83a52cfeffff00 8b45c0 } - $sequence_8 = { 83658000 8d45dc 50 8d45d8 50 8d45e0 } - $sequence_9 = { ff75d8 e8???????? dc9d68ffffff dfe0 } + $sequence_0 = { ff9088000000 dbe2 898504feffff 83bd04feffff00 } + $sequence_1 = { 68???????? ffb5d0feffff ffb5ccfeffff e8???????? 898524feffff } + $sequence_2 = { e8???????? 898500ffffff eb07 83a500ffffff00 8b4508 8b00 ff7508 } + $sequence_3 = { 8d45d8 50 6a00 e8???????? 8d45d4 50 6a00 } + $sequence_4 = { ff7508 ff9010030000 50 8d45cc } + $sequence_5 = { eb07 83a5fcfdffff00 8d45c4 50 8d45cc 50 6a02 } + $sequence_6 = { eb07 83a564fdffff00 8b4508 8b00 ff7508 ff901c030000 } + $sequence_7 = { 83a53cffffff00 c78534ffffff02000000 6a10 58 e8???????? } + $sequence_8 = { 6a03 e8???????? 83c410 c7853cffffff01000000 } + $sequence_9 = { 8b4510 832000 8b450c ff30 e8???????? 3d00010000 7e7d } condition: 7 of them and filesize < 1024000 
@@ -146888,36 +147953,36 @@ rule MALPEDIA_Win_Phoreal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2e1897fd-9f9a-538a-af8f-a84b5fcbe486" - date = "2026-01-05" - modified = "2026-01-06" + id = "4d0b5689-e497-5eb6-a570-01be7909f5bb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.phoreal_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.phoreal_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "18c8ae88c86b0c778613b0a4c96093868db37bfa76fd9a20dc86ddc9f37cec17" + logic_hash = "750621c79c21b1cf575f788b27d63305a6cef8163d5bc16b8245d927f1755542" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 33ff 8d642400 8b4608 3b7e0c 731f 8b0cb8 8d04b8 } - $sequence_1 = { 8bd0 0355f8 83c40c 2bf7 740b 8bce 33c0 } - $sequence_2 = { 8d45ac 50 51 53 ffd6 85c0 750a } - $sequence_3 = { 2bf0 03f8 85f6 7fe0 eb03 83cfff } - $sequence_4 = { 2bc1 50 51 8d45cc 50 53 } - $sequence_5 = { 51 c7852cfeffff01000000 888534feffff e8???????? 8d8554ffffff 33d2 8d7e17 } - $sequence_6 = { 1bd2 f7d2 85d1 75c3 8b5c2414 33ff 8b4c2418 } - $sequence_7 = { 8b0d???????? 
8b55fc 8d040f 2bf0 03f1 c1fe02 } - $sequence_8 = { c78574ffffff8992f2a7 c78578ffffffaa9e9aee c7857cffffff89a5c199 c7458067cc6aaf c74584fa1200f5 c74588efc8d4ba } - $sequence_9 = { 85ff 7414 8b855cffffff 50 } + $sequence_0 = { 51 6a00 57 897c2444 e8???????? 8b5344 8b4b4c } + $sequence_1 = { 8b06 8b10 6a01 8bce ffd2 8b442424 50 } + $sequence_2 = { 83e001 0f8412000000 83a5c8fdfffffe 8bb5c4fdffff e9???????? c3 } + $sequence_3 = { 83c404 33c0 897dcc 895dc8 668945b8 39751c 720c } + $sequence_4 = { e8???????? 83c404 8b45e4 83f814 7605 b814000000 } + $sequence_5 = { ff15???????? e9???????? be01000000 89b550ffffff e8???????? 8d4586 56 } + $sequence_6 = { 50 e8???????? 83c404 8d4c2450 c684242801000004 e8???????? } + $sequence_7 = { 7433 8b06 53 33db } + $sequence_8 = { 52 8d434e 50 8d434b 8d534d 8d4b4c 50 } + $sequence_9 = { 7e2a 8b5508 8bcb 2bce 6a00 51 8d0416 } condition: 7 of them and filesize < 622592 
@@ -146927,36 +147992,36 @@ rule MALPEDIA_Win_Bluehaze_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1fd1249e-5be9-518c-b471-fb529bb8c9ae" - date = "2026-01-05" - modified = "2026-01-06" + id = "9af219f2-c450-5e97-917a-5a21c2a9d38a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluehaze" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.bluehaze_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.bluehaze_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "09fb1421d27d0a64efc13cfb683dac14a3c5bd0c2192d0b84f6a45513276dafa" + logic_hash = "51a3ce754f78e0ca90cba6a465558f73b1cdbbdad00fa836798f44855cb7eab3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85ff 7405 8b4dec 890f 83c704 897dd8 3b5604 } - $sequence_1 = { 894704 8b4804 8901 837dcc10 c745fcffffffff 720c } - $sequence_2 = { 51 c745fc00000000 e8???????? 83c408 837de810 720c 8b55d4 } - $sequence_3 = { c706???????? 8bc6 5e 8be5 5d c3 8d45fc } - $sequence_4 = { 33d2 eb02 8b10 8b4518 85c0 740c } - $sequence_5 = { 03ce 51 8b4b6c 57 51 ff15???????? } - $sequence_6 = { c706???????? e8???????? 6a30 c745fc00000000 c7462000000000 e8???????? 83c404 } - $sequence_7 = { 53 8d9564feffff 52 8d8dd4feffff e8???????? 
8b7010 838d20feffff01 } - $sequence_8 = { c747140f000000 895f10 881f 833e10 7315 8b56fc } - $sequence_9 = { e8???????? 83c404 c785ccfeffff0f000000 899dc8feffff 889db8feffff c645fc03 39b578feffff } + $sequence_0 = { c645fc18 e8???????? 8b08 8b5104 83c408 f644020c06 } + $sequence_1 = { e9???????? 68???????? 8d8db0fbffff e8???????? 85c0 753c 6a30 } + $sequence_2 = { 895e10 8bc7 8b4df4 64890d00000000 59 5f 5e } + $sequence_3 = { 8bf0 3b772c 75ac 5e 8b07 8b5048 8bcf } + $sequence_4 = { ffd2 8b10 8bc8 8b4240 53 ffd0 8b4dfc } + $sequence_5 = { 8d4e08 c745e40f000000 895de0 c645d000 e8???????? 8b7e0c 89856cfeffff } + $sequence_6 = { 51 8bd8 e8???????? 8bf0 83c414 85f6 7407 } + $sequence_7 = { 8d8df0feffff e9???????? c3 8b8574feffff 83e002 0f8412000000 83a574fefffffd } + $sequence_8 = { 50 8d8d80feffff c645fc04 e8???????? 83bdccfeffff10 c645fc03 720f } + $sequence_9 = { 897dc8 8b7db4 c745cc0f000000 c645b800 83fb01 0f8716feffff be10000000 } condition: 7 of them and filesize < 424960 
@@ -146966,42 +148031,42 @@ rule MALPEDIA_Win_Grey_Energy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "286c9a55-9cf0-55bb-80e0-2e0f311ee2a1" - date = "2026-01-05" - modified = "2026-01-06" + id = "3ac00cef-1f72-57ca-b049-9bd0d6e40e42" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.grey_energy_auto.yar#L1-L160" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.grey_energy_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "b914dfed1e2f2f24a40105da213346dd87b255cf1b7c608a5613862d55be27f8" + logic_hash = "d6d0cefb247942bf377e89b9cc7483dec7cddacdedf01c87ea6c10585d366fb6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 50 53 53 6800000008 57 } - $sequence_1 = { 6800000008 57 53 53 } - $sequence_2 = { 68???????? 8945cc e8???????? 68???????? 8945d4 } - $sequence_3 = { 8945d4 e8???????? 68???????? 8945d0 } - $sequence_4 = { 53 ff15???????? 8b75f8 85f6 } - $sequence_5 = { 8b45f8 0345ec 8808 eb10 } - $sequence_6 = { 8b45ec 8b55f8 66890c42 eb14 8b45ec 8b4df8 8b55f0 } - $sequence_7 = { 7507 33c0 e9???????? c745f004000000 } - $sequence_8 = { 8b4df8 8b55f0 8b7508 668b1456 66891441 } - $sequence_9 = { 8b4d08 0fb70c41 8b45f0 33d2 } - $sequence_10 = { 6a40 ff15???????? 
8945f8 837df800 7507 33c0 } - $sequence_11 = { 8b4508 0345f0 0fbe08 8b45f0 } + $sequence_0 = { 8945d4 e8???????? 68???????? 8945d0 } + $sequence_1 = { 53 53 6800000008 57 } + $sequence_2 = { 6800000008 57 53 53 } + $sequence_3 = { e8???????? 68???????? 8945cc e8???????? 68???????? 8945d4 } + $sequence_4 = { 8b45f8 0345ec 8808 eb10 } + $sequence_5 = { 81e1ff000000 8b45ec 8b55f8 66890c42 eb14 8b45ec 8b4df8 } + $sequence_6 = { 8b45ec 8b4df8 8b55f0 8b7508 668b1456 66891441 } + $sequence_7 = { 8b45f0 8b4d08 0fb70c41 8b45f0 33d2 } + $sequence_8 = { 6a40 ff15???????? 8945f8 837df800 7507 33c0 } + $sequence_9 = { 53 ff15???????? 8b75f8 85f6 } + $sequence_10 = { 7507 33c0 e9???????? c745f004000000 } + $sequence_11 = { 0345f0 0fbe08 8b45f0 33d2 } $sequence_12 = { c60100 41 48 75f9 ff75f8 } - $sequence_13 = { ff5108 56 e9???????? 53 8d45cc 50 8d45c8 } - $sequence_14 = { 83ec18 57 33ff 897dfc 397d0c 0f86a5010000 } - $sequence_15 = { 51 e8???????? 85c0 0f84be000000 } + $sequence_13 = { ffd7 eb06 8b3d???????? 8b5d88 85db 7413 } + $sequence_14 = { 51 e8???????? 85c0 0f84be000000 } + $sequence_15 = { 8b9d78ffffff 85db 7417 53 ffd6 03c0 } condition: 7 of them and filesize < 303104 
@@ -147011,36 +148076,36 @@ rule MALPEDIA_Win_Vohuk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fa7917d0-5d38-5842-a477-3065670570e2" - date = "2026-01-05" - modified = "2026-01-06" + id = "fb6b58d3-fa4a-5eee-bc81-fe16f3c6b51f" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.vohuk_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.vohuk_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "1c7046d07a287745fd2dd564d0be780eb277cd73b0fb9a0541750f2b4df4fc07" + logic_hash = "f4b261500b0d3d44477009b29f1d4f668d5ebc735b2f6389f2d738c0d8340208" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745a441003500 b81f6b193a 8bce f7ee c1fa05 8bc2 c1e81f } - $sequence_1 = { c7403c9e008200 c7404083008300 c74044ce00c200 c74048ce00d100 c7404cbb00b700 c74050ce00d500 } - $sequence_2 = { e8???????? ff75ac 6a00 56 ffd0 8b7da0 e9???????? } - $sequence_3 = { c745ec00000000 50 ffd7 85c0 7474 8b0d???????? ba43c7bfd0 } - $sequence_4 = { 83f804 7646 6a14 81ff00010000 0f8618010000 51 } - $sequence_5 = { 7586 c745fc2f000000 8d9dd8feffff 8b5334 8d4004 8b33 8d5b04 } - $sequence_6 = { c645ff00 8b0d???????? ba05bc94bf 8b35???????? 6a15 e8???????? 
} - $sequence_7 = { 7307 bee8030000 eb0d 81fe10270000 7605 be10270000 8b0d???????? } - $sequence_8 = { ffd0 8bd8 bf41000000 b81a000000 8945fc f6c301 0f858a000000 } - $sequence_9 = { 51 6a38 8d8d60ffffff 51 6a0a 56 ffd0 } + $sequence_0 = { 83fe44 72d3 57 e8???????? 83c404 8b0d???????? ba14102140 } + $sequence_1 = { 8b4508 53 56 57 5f 5e c7004d005d00 } + $sequence_2 = { c7842402010000b100b600 c7842406010000b400fb00 c784240a010000f100e300 c784240e010000fe009900 c784241201000089008d00 c78424160100008700c300 c784241a010000a1008b00 } + $sequence_3 = { 6a4d e8???????? 8d4db8 51 56 ffd0 8bf8 } + $sequence_4 = { b8e7000000 c745f2bd00b400 56 c745f68c008c00 33f6 c745fa90008d00 668945fe } + $sequence_5 = { c740747f013d01 c7407810011401 c7407c4f014c01 c7808000000044014301 c7808400000050014101 c7808800000005014001 c7808c0000004e014601 } + $sequence_6 = { c5fd708560ffffff4e c5fe7f65c0 c5fdfee4 c5d5ef85e0fdffff c5fe7fa5c0fdffff c5ddefe1 c5f572f00c } + $sequence_7 = { 6a20 ff75cc ff9520ffffff 85c0 0f8529010000 8b0d???????? ba43c7bfd0 } + $sequence_8 = { 6a00 6aff ffd0 8b0d???????? ba25000044 688c000000 a3???????? } + $sequence_9 = { 8bf2 8b5508 b908000000 57 8d7ddc f3a5 8a45fb } condition: 7 of them and filesize < 260096 
@@ -147050,36 +148115,36 @@ rule MALPEDIA_Win_Mistpen_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "da7a11f3-113a-5db0-8b14-11346c846c77" - date = "2026-01-05" - modified = "2026-01-06" + id = "53c9e5a6-10bd-50cf-bfa6-a4f106400457" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistpen" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mistpen_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mistpen_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "70ffa3f473a1017022fe8085a2fe1094ee2434500473a4c1dd94bcb7c2db0a7a" + logic_hash = "c02e63704aa0a669b52b83a02513e9d87ccd1e9e0bfb05d989aca48149964693" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 7602 ffc0 4585c0 8bf0 } - $sequence_1 = { 420fb6842090960200 4433d8 45335ffc 4533da 458bd3 45895e20 4533d0 } - $sequence_2 = { 4533848460850200 410fb6c3 4533848460750200 400fb6c7 4533848490920200 4533465c 418bc0 } - $sequence_3 = { 4403c1 418bcb 410bca 458bc8 23cf 41c1c91b } - $sequence_4 = { 4c8d0d74d70000 b919000000 4c8d0564d70000 488d1561d70000 e8???????? 4885c0 7420 } - $sequence_5 = { c1e31e 8bcf 410bcd 8bc7 4123cf 4123c5 0bc8 } + $sequence_0 = { f20f5cca f2410f590cc1 660f28d1 660f28c1 4c8d0d3b930000 f20f101d???????? 
} + $sequence_1 = { 448bce 4489642428 4c8bc0 33d2 4c89642420 b9e9fd0000 } + $sequence_2 = { 4c8d3555140100 896b48 40886b24 8a11 48ffc1 e9???????? } + $sequence_3 = { 4403c2 410bdb 4181c1a1ebd96e 418bc0 c1c81b 8bce 33cb } + $sequence_4 = { ff15???????? 498bc4 eb4b 428b540010 83fa17 7610 b97f000000 } + $sequence_5 = { ffc5 418d4c2402 03cd e8???????? 85f6 458be5 } $sequence_6 = { 458b8c9460810200 4133bc8490920200 418bc0 41337e20 c1e808 0fb6c8 8bc3 } - $sequence_7 = { 83f838 7cec 8b4c2458 8bc1 c1e818 884594 8bc1 } - $sequence_8 = { 488d45e8 48894de8 488945f0 488d1590d10000 b805000000 894520 } - $sequence_9 = { 7e1d 488b5588 4c8d4c2450 458bc4 498bce } + $sequence_7 = { 418bc7 33c7 c1ca1b 4133c5 41c1e21e 05d6c162ca 41c1ed02 } + $sequence_8 = { 488b05???????? 4833c4 488985e0010000 4c8ba560020000 0f57c0 488b8568020000 4c8bf1 } + $sequence_9 = { 488d4c2420 e8???????? 488d158f350200 488d4c2420 e8???????? cc 4883ec48 } condition: 7 of them and filesize < 458752 
@@ -147089,36 +148154,36 @@ rule MALPEDIA_Win_Mim221_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "228071fb-1a03-5df1-9306-75e661d4eff3" - date = "2026-01-05" - modified = "2026-01-06" + id = "6b3ca20b-0128-5dd4-ae44-a9ad20468513" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mim221_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mim221_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "fbcd019f6c67a46486f2c63b4d67a0947f9feb6ff08f1d935eac4f65f1ebad93" + logic_hash = "c8ab0bebcf8a5d049b64e0dbc52faacc83c56fe19f5796af9fe2c171bbbea243" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488d0d77ec0100 e8???????? 488bf0 483bc5 7507 33c0 e9???????? } - $sequence_1 = { 66c785cc0000007800 66c785ce0000006300 66c785d00000006500 66c785d20000007000 66c785d40000007400 66c785d60000006900 66c785d80000006f00 } - $sequence_2 = { 48894108 488b442440 488b4808 4885c9 740f ff15???????? 488b4c2440 } - $sequence_3 = { 33d2 488d42ff 48f7f1 4883f801 733b 48c78424b800000000000000 488d9424b8000000 } - $sequence_4 = { 49c743a80f000000 49c743a000000000 c644247800 33c0 488d48ff 488d7c2460 f2ae } - $sequence_5 = { e8???????? 90 488d4c2450 e8???????? 
90 488d054c2b0100 4889442450 } - $sequence_6 = { c78424c0000000d8000000 89ac24c4000000 89b424c8000000 48c78424d000000020010000 89bc24d8000000 48c78424e000000018000000 44899c24e8000000 } - $sequence_7 = { 4883f8ff 488be8 0f84ae000000 488d9424c0000000 488bc8 c78424c000000038020000 e8???????? } - $sequence_8 = { 6644897c2450 66c74424526400 66c74424545d00 66897c2456 } - $sequence_9 = { 7505 498bd1 eb21 498b5108 41386849 7504 49895008 } + $sequence_0 = { 488d542450 488d4c2460 41b868000000 e8???????? 413bc6 746a 488b842460010000 } + $sequence_1 = { 7408 8bcb ff15???????? 48897c2448 e8???????? 488d1ddaf10000 488d3dfbf10000 } + $sequence_2 = { 33d2 458d462e 488d8c24ca000000 e8???????? c684249003000044 c68424910300008b c684249203000001 } + $sequence_3 = { e8???????? 4c8b1d???????? 4c3bdd 760b } + $sequence_4 = { c784241c07000004000000 e8???????? c784244007000000280000 899c2448070000 488d842490080000 488d8c2470070000 4c8bc6 } + $sequence_5 = { e8???????? 413bc7 7424 48634f30 4c8d4530 488d542450 } + $sequence_6 = { 488b4310 80784900 7513 488bd8 488b00 80784900 74f4 } + $sequence_7 = { 66c74424447300 66c74424464900 66c74424486e00 66c744244a6300 66c744244c7200 66896c244e 66c74424506d00 } + $sequence_8 = { 0f8c3fffffff 4585ff 745e 488b442450 c64424600d 488d0df47d0100 488b0cc1 } + $sequence_9 = { 8b842404010000 4903c4 4889442470 8b8424f8000000 4a8b0c20 48894c2458 4c8b8788000000 } condition: 7 of them and filesize < 471040 
@@ -147128,36 +148193,36 @@ rule MALPEDIA_Win_Unidentified_095_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ae500f5e-affa-5f35-9b25-bf3d8d6f6e24" - date = "2026-01-05" - modified = "2026-01-06" + id = "1ee109b8-7db3-547e-8aa9-bdbf890c6fe1" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_095" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_095_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_095_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "67701e8a3738389ac39b70a15648c44474c2440f2bd29cec3f0c8b5d1f7550a9" + logic_hash = "5aec5e44580b8209132775ea3819c3df19ed619165f934b3fecfb8f0c5d79241" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4c8d0590ea0000 488d1541dd0000 e8???????? 4885c0 740f 488bcb 4883c420 } - $sequence_1 = { 488d15f0e80100 488d0df5e80100 e8???????? eb2e 803875 } - $sequence_2 = { 7419 4c8d442420 ba01000000 488bcb ff15???????? 85c0 } - $sequence_3 = { 4d3bc1 0f84d1000000 8b7500 498b9cf7b8410200 90 4885db 740b } - $sequence_4 = { 498bcc 488b9424c0000000 48896c2460 48896c2458 48896c2450 48896c2448 4889442440 } - $sequence_5 = { 752e 48895c2430 448d4303 895c2428 488d0d67a00000 4533c9 4489442420 } - $sequence_6 = { 4157 4881ec68020000 488b05???????? 
4833c4 4889842440020000 49896b18 } - $sequence_7 = { 4883c308 488d0520990100 483bd8 75d8 b001 4883c420 } - $sequence_8 = { ff15???????? 3d24040000 7523 eb1c 41c70601000000 4885ed 7410 } - $sequence_9 = { e9???????? 488d05b7890100 4a8b0ce8 42385cf938 } + $sequence_0 = { 85c0 7428 85db 7524 488d0d9ef60100 e8???????? 85c0 } + $sequence_1 = { 4c8d35ed59ffff 4885db 750d 488bc7 498784f6f0430200 eb1e 488bc3 } + $sequence_2 = { 488d0df9350100 ff15???????? 488bf8 4885c0 } + $sequence_3 = { 8bd0 488d0d064c0100 e8???????? 41b999010000 e9???????? 488b5597 41b901000000 } + $sequence_4 = { 4157 4883ec20 33db 498be8 4c8bf2 891a 4c8bf9 } + $sequence_5 = { 4c8bb42450020000 8bd8 4885ed 7409 488bcd ff15???????? } + $sequence_6 = { 4c8d0d56ac0000 c5f35cca c4c173590cc1 4c8d0d259c0000 c5f359c1 } + $sequence_7 = { 0f84ea020000 ba04010000 488bc8 ff15???????? 85c0 0f84d4020000 ffc8 } + $sequence_8 = { c744245004000000 ff15???????? 488b4c2468 8bd8 ff15???????? 85db } + $sequence_9 = { 48833d????????ff 488bd9 7507 e8???????? eb0f 488bd3 488d0d30f50100 } condition: 7 of them and filesize < 339968 @@ -147168,10 +148233,10 @@ rule MALPEDIA_Win_Sasfis_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "faa37fe5-b8ae-5b3d-8761-9ca44fa700a7" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.sasfis_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.sasfis_auto.yar#L1-L121" license_url = "N/A" logic_hash = "cf32d2a1a7d6bbcae913d88ae0d2c6c9327ff9b8dad43d2e492ba8c00cbedd6a" score = 75 
@@ -147180,9 +148245,9 @@ rule MALPEDIA_Win_Sasfis_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -147206,36 +148271,36 @@ rule MALPEDIA_Win_Tofsee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ec9c841-1425-53ec-b84c-3ac0dbb9536e" - date = "2026-01-05" - modified = "2026-01-06" + id = "163a5e30-e6cd-5440-a6b6-a9e7dcda3f7e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.tofsee_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.tofsee_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "a6df759b6d2a0e48c553f18c939a733af072972aeea2dd4dbecf6d38d79b3015" + logic_hash = "52711e15690a0962e0aff48717cf30d2e585c129aaac0f1d755fd0fa052f50d8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6864006400 ff7510 ff15???????? 85c0 7404 } - $sequence_1 = { 5e c3 55 8bec 83ec14 8365f400 8365f800 } - $sequence_2 = { 57 8d8580fbffff eb68 03d8 81fbf4010000 0f8f92000000 } - $sequence_3 = { 85c9 8816 7ff0 017dfc eb13 8b45ec } - $sequence_4 = { 51 50 53 e8???????? 8b4c241c 8b413c 56 } - $sequence_5 = { ff75fc e8???????? 83c40c 56 ff75f8 8d45d4 6a03 } - $sequence_6 = { 8b4e10 85c9 7412 33d2 f7f1 894df8 8945fc } - $sequence_7 = { e9???????? 68???????? ff7514 e8???????? 59 59 83fb05 } - $sequence_8 = { 391e 895dbc 8975f4 7e7f 83c608 bf???????? 
8b46fc } - $sequence_9 = { 0f8498000000 8b4510 8938 8b450c 8d4801 8a10 40 } + $sequence_0 = { 397e0c 7421 397e10 741c 8d4614 50 } + $sequence_1 = { 8bf8 8b473c 8b5c3850 6a04 be00100000 56 53 } + $sequence_2 = { 8d85d0feffff 50 ff15???????? 8b45e0 c68405d1feffff00 8b4508 2b45f0 } + $sequence_3 = { 59 59 89442420 0f84df000000 2174241c 21742418 } + $sequence_4 = { 81ecac050000 83656c00 83654800 56 57 } + $sequence_5 = { 8935???????? 891d???????? 891d???????? 891d???????? 8935???????? c705????????05000000 c705????????30750000 } + $sequence_6 = { 85c0 7410 8a442410 c0e004 02442414 884645 eb03 } + $sequence_7 = { 48 743a 48 741f 48 755d ff36 } + $sequence_8 = { e8???????? 59 59 83fb05 0f8c58010000 80bc1d7ffbffff0a 0f854a010000 } + $sequence_9 = { 55 8bec 53 56 57 e8???????? bf???????? } condition: 7 of them and filesize < 147456 
@@ -147245,36 +148310,36 @@ rule MALPEDIA_Win_Divergent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0e7b7156-a784-541b-bc2e-90cf2a4a8de0" - date = "2026-01-05" - modified = "2026-01-06" + id = "df4da09c-a414-5c0c-b239-981fb3834201" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.divergent_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.divergent_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "59dd95ddff9efda2ca5f59f400b3973c8f58905843f6145e813b39dc6d7537d1" + logic_hash = "9247c6ad7e2906da9bca25e865c3fd503aa0241494c50d7292cb477fc6b7d478" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 85c0 781e 8d85f8fdffff 50 } - $sequence_1 = { 50 e8???????? 59 59 8b0b 8bd7 eb08 } - $sequence_2 = { 6aff 0f44c1 50 57 ff15???????? 8bf0 85f6 } - $sequence_3 = { 68???????? eb37 68???????? eb30 68???????? eb29 68???????? } - $sequence_4 = { f77dfc 43 8aca 81fb00010000 7cba 5f 5e } - $sequence_5 = { 786e ff75e0 ff15???????? 40 50 e8???????? 8bf0 } - $sequence_6 = { eb03 8b7dfc 8b36 85f6 0f8574ffffff } - $sequence_7 = { e8???????? ff730c 68???????? 56 e8???????? f20f104310 83c420 } - $sequence_8 = { 894dd4 894dd8 ff15???????? 
33db 85c0 0f99c3 85db } - $sequence_9 = { d9e0 dec1 dd5df8 dd45f8 8be5 5d c3 } + $sequence_0 = { e8???????? 59 83f806 7505 8b4608 eb03 } + $sequence_1 = { c745f865763169 c645fc00 c60000 40 49 75f9 } + $sequence_2 = { 743e 6a3c 5a 8bca } + $sequence_3 = { 40 50 6800000010 ff7508 ff15???????? 8bf8 } + $sequence_4 = { 832700 57 ff760c ff7608 } + $sequence_5 = { 53 56 8b7508 8b4604 85c0 7509 394608 } + $sequence_6 = { 50 e8???????? 59 6a03 56 e8???????? 59 } + $sequence_7 = { ff15???????? 6800100000 e8???????? 8bf0 8b45fc 59 } + $sequence_8 = { 56 e8???????? 0fb645e2 660f6ec0 f30fe6c0 83c408 } + $sequence_9 = { 0f84b8000000 57 50 e8???????? 8bf8 59 85ff } condition: 7 of them and filesize < 212992 
@@ -147284,36 +148349,36 @@ rule MALPEDIA_Win_Shadow_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cd866f0d-a058-5516-ad44-83c67b926cef" - date = "2026-01-05" - modified = "2026-01-06" + id = "0240dfb0-8371-59e3-922f-a02e10d5a5b0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadow_rat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.shadow_rat_auto.yar#L1-L131" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.shadow_rat_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "f9ac6b211213f8898a8d9a850cbd590282d120dd08d8f19a3ecf3df1330c81a4" + logic_hash = "1cffae3c5b35a4f229c4ff367539fb35f32b27d0a39cf180d3abfa255cf4664e" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 488b8580000000 483bc6 0f82f1060000 482bc6 49c7c0ffffffff } - $sequence_1 = { 5f c3 488b542468 488d0db6590300 e8???????? 4c8b18 } - $sequence_2 = { e8???????? 448ba570010000 8b4c2438 488d15b7e5fcff 2b4c2448 41b826000000 894c2438 } - $sequence_3 = { 488b8c2430010000 4833cc e8???????? 
4881c448010000 415e 415c 5e } - $sequence_4 = { 488d5570 4883bd880000000f 490f47d5 4533e4 4c89642420 4533c9 448b8580000000 } - $sequence_5 = { 488bf1 48894c2428 488bea 7603 488b2a 4c8b6210 48899c2480010000 } - $sequence_6 = { 488b5928 4885db 750d 488d5930 eb07 488d1d785b0400 33d2 } - $sequence_7 = { 664489bd1e010000 ebc2 418bff 488d15009d0100 488bcb e8???????? 4885c0 } - $sequence_8 = { e8???????? 90 0f57c0 0f11442458 660f6f0d???????? f30f7f4c2468 c644245800 } - $sequence_9 = { 488bcf e8???????? 90 488d4c2450 e8???????? 488bc7 488b4d50 } + $sequence_0 = { 48634804 488d05faec0300 48890439 488b07 } + $sequence_1 = { 488d05cb2c0300 eb04 4883c020 4883c428 c3 48895c2408 48896c2410 } + $sequence_2 = { 4883f81f 0f87b20c0000 e8???????? 90 488b9588000000 4883fa0f 0f86630b0000 } + $sequence_3 = { 4d3bf8 755e 488bcf 493bc0 744e 488d5018 4c8bcf } + $sequence_4 = { 488d3d97380200 eb10 488d3d9e380200 eb07 488d3d7d380200 4533ed 4584f6 } + $sequence_5 = { 4883ec70 488bf1 488d050d780400 4533ed 418bfd 4489ac24b8000000 } + $sequence_6 = { 488d05faec0300 48890439 488b07 48634804 8d9150ffffff 895439fc 48895c2458 } + $sequence_7 = { 488b07 48634804 8d9150ffffff 895439fc 48895c2458 488bcb } + $sequence_8 = { 41b802000000 488d1526610400 488bc8 e8???????? } + $sequence_9 = { 83cdff 498bd8 83791000 4c8bd2 0f84ac000000 4c634910 4c8d35f5c3feff } condition: 7 of them and filesize < 727040 
@@ -147323,36 +148388,36 @@ rule MALPEDIA_Win_Retro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d637dc20-27e8-52c5-9acd-7f862f01bb0c" - date = "2026-01-05" - modified = "2026-01-06" + id = "54b24fe9-9fd1-54c0-a395-935122df7bc0" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.retro_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.retro_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "273926cf1373ebba7c2ee31df8ab1a96a84446d1d934a401daaeed8742274515" + logic_hash = "599af0bfd5ee60a1ba65ef57ea0c1de02676fdbfc366b689801c1bd471d36af8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { f3ab 498bec 4585e4 0f8e59010000 488b442428 f2440f1005???????? 498db5fc070000 } - $sequence_1 = { 4c8b442460 ffc0 4883c108 4883c204 4983c320 4981c100240000 4981c220290000 } - $sequence_2 = { 488bd9 e8???????? 85c0 7409 8b430c 4883c420 5b } - $sequence_3 = { 488b4f18 4533c0 e8???????? 488b4f20 8981a0120000 488b4720 8b88ec120000 } - $sequence_4 = { 664585d2 7964 4983c102 ffce 7852 498b942430560000 418b8c2428560000 } - $sequence_5 = { f30f5cd9 f30f108814100000 f30f59c4 f30f59dc f30f114018 f30f119818100000 f30f105810 } - $sequence_6 = { 418bd5 488bcb 4869ff90140000 4903ff e8???????? 
837b2401 750b } - $sequence_7 = { 0f14c0 450f14c0 0f5ac0 410f5ac8 f2410f58c2 f20f5ec8 f20f5ad1 } - $sequence_8 = { 83c364 83bfa000000000 740b 488bd6 488bcf e8???????? 4533c9 } - $sequence_9 = { f30f114f08 f30f104308 0f2f4708 768e ba01000000 eb89 f30f104304 } + $sequence_0 = { f20f59c2 f20f5c2dd713fcff f20f59da f20f580d9b14fcff f20f58056314fcff f20f582dbb13fcff f20f59da } + $sequence_1 = { 488b442440 eb02 33c0 488b8c2470010000 4833cc e8???????? 4881c480010000 } + $sequence_2 = { 0f284c2470 0f11443340 0f114c3350 89443360 83c364 83bfa000000000 740b } + $sequence_3 = { f30f1025???????? 0f28ec f30f59e6 f3410f59ee f30f5829 f30f58642408 } + $sequence_4 = { 41f7e4 d1ea 410f2ff0 f30f5844947c f30f1144947c 7626 450f2fc2 } + $sequence_5 = { 75ba e9???????? 48636c2458 4533c9 4883f904 0f8c36010000 488d79fc } + $sequence_6 = { 4c8d1d96660000 f30fe6cc f20f1015???????? f20f59d1 660f7ee1 48c7c03f000000 23c1 } + $sequence_7 = { 0f28c3 f30f1049fc f30f58d0 f30f59c9 0f2fd9 f30f58e1 7703 } + $sequence_8 = { 410bc8 410bc0 81c9c0000000 0fbae807 894af8 8942f4 4183f905 } + $sequence_9 = { 48ffcb 75ee 488b9c2430010000 85f6 7e24 8bd6 } condition: 7 of them and filesize < 1409024 
@@ -147362,36 +148427,36 @@ rule MALPEDIA_Win_Dubrute_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8b3f57fb-3926-53bd-845a-86ae7ddb65ab" - date = "2026-01-05" - modified = "2026-01-06" + id = "c5adb48e-7e94-5301-bde8-7cb77016d9d2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dubrute_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dubrute_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "15ef5a601ee94177845777a653e057c97a84bc2521287b368cd711d048d0bf0d" + logic_hash = "3a0ed5e631105bbcaa56a02e98ebb80fb00baef1952d6774966f9fe8b4d0a2d4" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff15???????? 8d85d0fcffff bfff000000 50 57 ff15???????? 8d85d0fcffff } - $sequence_1 = { ff7514 8b8674090000 ff7510 ff750c ff7008 e8???????? 83c410 } - $sequence_2 = { 55 8bec 83ec24 56 57 6a0c 8d45f4 } - $sequence_3 = { 395008 7510 8b4808 3bca 7c09 83f907 7f04 } - $sequence_4 = { e9???????? 8d45fc 50 53 e8???????? 59 85c0 } - $sequence_5 = { 8b8040000100 83b81804000000 741e 837df800 7418 83b80c04000008 7e0f } - $sequence_6 = { 894508 8d8564ffffff 6a01 50 8d4dc8 ff15???????? db4508 } - $sequence_7 = { ff7508 50 e8???????? 
8bf0 8d7de8 } - $sequence_8 = { 8bf0 8d7df0 a5 a5 a5 8b75f0 83c43c } - $sequence_9 = { 0f8cce000000 83650800 837f0400 8b7510 bb???????? 7e70 8b07 } + $sequence_0 = { 83c41c a5 837dccff 0f8485010000 33f6 3975cc 0f85b2000000 } + $sequence_1 = { 83450828 43 3b5e48 7cc3 837d1000 5b 7508 } + $sequence_2 = { 8bec 51 51 56 8b750c 6a08 8d45f8 } + $sequence_3 = { 6aff 68???????? ffd7 804df080 59 59 8945ec } + $sequence_4 = { 7405 48 740a eb18 8b4514 832000 eb10 } + $sequence_5 = { ff25???????? 8d4df0 ff25???????? 8d4dec ff25???????? 8d4df0 ff25???????? } + $sequence_6 = { ffd7 8b4e34 8d45d8 50 c745d8e6000000 c745dc0a000000 c745e0ad010000 } + $sequence_7 = { 57 ff15???????? e8???????? 84c0 7507 53 ff15???????? } + $sequence_8 = { 5e 5d c3 55 8bec f6451401 56 } + $sequence_9 = { ffd3 83c40c 8b8edc000000 8b3d???????? 50 c745fc01000000 ffd7 } condition: 7 of them and filesize < 598016 
@@ -147401,36 +148466,36 @@ rule MALPEDIA_Win_Rokku_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e0917d2-b33a-54a8-a28e-92ca643aac23" - date = "2026-01-05" - modified = "2026-01-06" + id = "a5feb178-c735-508e-a0f8-0bfcbe692e7b" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.rokku_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.rokku_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "5443b2e7560cc69ec04b0b3e247a5b78bf0ac816da2824e945b614a9052a8971" + logic_hash = "e2bf74104beac743ec38bdbe73eb38f6365a43d5359a716e4280a8e578384cb8" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0bd0 c1e90e 8b442418 0bf1 33442444 } - $sequence_1 = { c1fb1a 01442420 8b442430 1154241c f76c2438 01442420 8b44246c } - $sequence_2 = { 8d54240c e8???????? a3???????? 33c0 c744240c5d786f7a c74424106b4c6f72 66c74424146b00 } - $sequence_3 = { 03d0 33ca 8954242c 8b542428 c1c10c 03d1 } - $sequence_4 = { 8bf1 89742408 85f6 745d 53 8b1e 57 } - $sequence_5 = { 83f917 72f0 8b0d???????? 88542439 8d542422 e8???????? } - $sequence_6 = { 8d7d28 53 8d5328 8bcf e8???????? 
8b742448 83c550 } - $sequence_7 = { 894a0c 8b4c2420 0fa4c11a 8b4c2410 c1e01a 2bc8 8b842488000000 } - $sequence_8 = { 7517 8b0e 68???????? e8???????? 33c9 84c0 0f45cf } - $sequence_9 = { 41 83f905 7305 8a55ee ebee } + $sequence_0 = { 8bcf 0facc808 33d2 c1e618 0bd0 c1e908 } + $sequence_1 = { 53 bfe9fd0000 8bf2 57 } + $sequence_2 = { 0f85e3feffff 8b7c2424 8d442430 33d2 52 52 } + $sequence_3 = { f76c2438 03e8 8b442474 13da f76c2448 03e8 13da } + $sequence_4 = { 8b44240c 56 8b721c 57 8b4824 f7de } + $sequence_5 = { 7509 83433801 7503 ff433c 5f 5e 5d } + $sequence_6 = { 0facf919 8bea ba42db0100 c1ff19 897c2430 8bf8 8b442410 } + $sequence_7 = { f76c2438 898c24c0000000 8bf8 8bea 8b44246c f76c2460 03f8 } + $sequence_8 = { 8b442468 894d18 8b4c2418 0fa4c119 8b4c244c c1e019 2bf8 } + $sequence_9 = { 397218 744c 8b5a30 8be9 0fbe7d00 45 0fb70b } condition: 7 of them and filesize < 548864 
@@ -147440,36 +148505,36 @@ rule MALPEDIA_Win_Carrotbat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9e3c15b1-53c0-536f-b748-485d961b1513" - date = "2026-01-05" - modified = "2026-01-06" + id = "9c5a3a20-60c2-5dcf-a60f-f619d67554ce" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.carrotbat_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.carrotbat_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "bfaec56400fafcaf85efd0fb6650770c8db082e08e8b7c0c5f56e8a5a426d6b1" + logic_hash = "d882602801007a1975bc3e96f8f6fca5dd27c0a35d61f2403626f094b8ddf9f2" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { ff742424 c22800 c744241402000000 66f7d7 9c 89742414 0fcf } - $sequence_1 = { 0f84b9000000 8975e0 8b04bd20ee4000 0500080000 3bf0 0f8396000000 } - $sequence_2 = { 0f88d7feffff d2df 660fa5cf 5f 660fbaf30b 6681c61cd0 6681cef437 } - $sequence_3 = { e8???????? 33cd ff3424 0fbed9 8b5c240c 9c c60424ba } - $sequence_4 = { 8bff 56 57 33f6 bf???????? 833cf5a4d5400001 } - $sequence_5 = { 7353 8bc1 c1f805 8bf1 83e61f 8d3c8520ee4000 } - $sequence_6 = { 7524 a1???????? a3???????? a1???????? c705????????46444000 8935???????? a3???????? 
} - $sequence_7 = { 80e17f 3008 8b06 8bc8 c1f905 8b0c8d20ee4000 83e01f } - $sequence_8 = { 3b0d???????? 7353 8bc1 c1f805 8bf1 83e61f 8d3c8520ee4000 } - $sequence_9 = { 5f 03d1 5e c6840201ed400000 5b 5d } + $sequence_0 = { 8bec 8b4508 ff34c5a0d54000 ff15???????? 5d c3 6a0c } + $sequence_1 = { 668b4c4310 66890c4584ec4000 40 ebe8 33c0 8945e4 3d01010000 } + $sequence_2 = { eb05 68???????? 8d85f8feffff 50 8d85f4fdffff e8???????? } + $sequence_3 = { 42 3bd1 7cf1 8b550c 8d7201 8a1a 42 } + $sequence_4 = { 46 3bf2 7cf2 5f 03d1 5e } + $sequence_5 = { 8a1a 42 84db 75f9 2bd6 33f6 85d2 } + $sequence_6 = { 84c0 75f8 6a1a 59 be???????? } + $sequence_7 = { 68???????? 50 e8???????? 6a02 8bf8 6af8 } + $sequence_8 = { 8dbdf4f9ffff a5 a5 a5 8d85f4fdffff } + $sequence_9 = { 57 e8???????? e8???????? 6803010000 8d85f9feffff 6a00 50 } condition: 7 of them and filesize < 360448 @@ -147480,10 +148545,10 @@ rule MALPEDIA_Win_Webc2_Table_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "74911130-496c-59cd-b9b7-d073dda2a5a6" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.webc2_table_auto.yar#L1-L121" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.webc2_table_auto.yar#L1-L121" license_url = "N/A" logic_hash = "82557b5976335e4f1972b3218d4e36ee8e0264f2a148ef98566fdf5b62d6108c" score = 75 
@@ -147492,9 +148557,9 @@ rule MALPEDIA_Win_Webc2_Table_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -147518,36 +148583,36 @@ rule MALPEDIA_Win_Joao_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a574fe28-a1f8-553e-b910-02d4312c2eca" - date = "2026-01-05" - modified = "2026-01-06" + id = "8934e5e5-01af-5fe1-8486-0ab7ee7d7508" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.joao_auto.yar#L1-L124" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.joao_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "26a2c27da2ce5891d333b17daccfb50c0846c7c8910a76f91916cef0b5d7e33f" + logic_hash = "f8cf11a88d4c62490f03a51951c6ad156abd25599bf40ed0a693ebdff69cee93" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 83c404 c705????????0f000000 891d???????? 881d???????? 8b4df4 64890d00000000 } - $sequence_1 = { 5d c20c00 68???????? 53 e8???????? } - $sequence_2 = { 83c004 8955d0 8945cc 3bd1 } - $sequence_3 = { e8???????? 8845d4 c745fc01000000 84c0 0f84dc000000 8b16 8d4de4 } - $sequence_4 = { 50 e8???????? 83c414 8b4508 c1e005 03c3 83e7e0 } - $sequence_5 = { c1e005 03c3 83e7e0 03fb 894608 897e04 891e } - $sequence_6 = { 52 6a40 6a20 68???????? ff15???????? } - $sequence_7 = { 83ec08 53 56 8b7510 33c0 } - $sequence_8 = { 8bc6 2bc7 5f 5e 5b 5d c20c00 } - $sequence_9 = { 897dfc e8???????? 
8d55f8 52 8bce c745f808000000 } + $sequence_0 = { 83c404 c7060f000000 895efc 885eec 83c620 8d4ee8 } + $sequence_1 = { 033e 894508 8945f0 33d2 8955fc eb20 } + $sequence_2 = { e8???????? 8d55f8 52 8bce c745f802000000 897dfc e8???????? } + $sequence_3 = { 8d4602 5e 5b 8be5 5d c20c00 68???????? } + $sequence_4 = { 56 c745ec01000000 894df0 8955f4 c745f802000000 e8???????? 8b55e8 } + $sequence_5 = { 51 52 53 e8???????? 83c40c 85c0 74de } + $sequence_6 = { 51 52 56 e8???????? 8b4dfc 83c418 33cd } + $sequence_7 = { bf02000000 b8???????? 897dd0 c745e80f000000 895de4 } + $sequence_8 = { 6a20 6a00 56 ff5510 } + $sequence_9 = { 894510 83c720 e9???????? 8b4df4 } condition: 7 of them and filesize < 2867200 
@@ -147557,36 +148622,36 @@ rule MALPEDIA_Win_Slowstepper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "83f15ae7-3874-55c6-9009-11d19ac08b8c" - date = "2026-01-05" - modified = "2026-01-06" + id = "39bdca13-0127-53b7-8485-f660ba74cd3d" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slowstepper" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.slowstepper_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.slowstepper_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "dd0e842f62bc92cdd486a9615b960e4b584259d9116f2837f2c07d72a5000be5" + logic_hash = "961d15a6340eca8906edf01a770461e1f1364731e9beeea6bea60a858af70d2d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 6a04 43 53 50 8945d4 8975e0 8975dc } - $sequence_1 = { e8???????? b001 e8???????? c3 68a4020000 b8???????? e8???????? } - $sequence_2 = { 83661000 83c414 8d45b8 c746140f000000 50 8bce c60600 } - $sequence_3 = { c645fc4c e8???????? 57 c645fc4b 56 8d8dcceeffff e8???????? } - $sequence_4 = { 85c0 746b 395c241c 765e 53 ff742420 8d8c2474050000 } - $sequence_5 = { 59 85c0 7507 c605????????01 68???????? 8d9564ebffff 8bce } - $sequence_6 = { 57 8d4db8 e9???????? 6a48 b8???????? e8???????? 8b4508 } - $sequence_7 = { 8b8d70faffff 8d85ecfaffff 50 8d85ecfeffff 50 e8???????? 
59 } - $sequence_8 = { ff6008 55 8bec 8b4904 8b01 5d ff600c } - $sequence_9 = { 6bc00c 8d8405b8feffff 8d8da8feffff 3bc1 7422 8b08 8b95a8feffff } + $sequence_0 = { 8bca c1f908 884df6 8bfa c1ff1f 8bca 884df7 } + $sequence_1 = { e8???????? c3 837da408 8b4590 7303 8d4590 53 } + $sequence_2 = { ffd0 8345e404 ebe6 c745e048d34c00 817de04cd34c00 7311 8b45e0 } + $sequence_3 = { e8???????? c20400 6a48 b8???????? e8???????? 8b4508 33db } + $sequence_4 = { 8d420c 8b8a30ecffff 33c8 e8???????? 8b4af8 33c8 e8???????? } + $sequence_5 = { 50 e8???????? 8d85e4feffff 83c414 830bff 8d7001 8a08 } + $sequence_6 = { 53 56 8b750c 57 8bf9 8b5f20 e8???????? } + $sequence_7 = { c684248895010004 8b35???????? 50 e8???????? 50 ff15???????? 53 } + $sequence_8 = { 50 a3???????? ff15???????? a3???????? 8d851cf1ffff 50 ff35???????? } + $sequence_9 = { e9???????? 8d4d98 e9???????? 8db534ffffff e9???????? 8d4dd0 e9???????? } condition: 7 of them and filesize < 909312 
@@ -147596,36 +148661,36 @@ rule MALPEDIA_Win_Unidentified_078_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "be01d120-44f2-52e2-a1fa-8d3ce9aeac2c" - date = "2026-01-05" - modified = "2026-01-06" + id = "94ed8b69-a925-581b-b675-e95110fbdcbe" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_078_auto.yar#L1-L118" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_078_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "e6046ec69321f4df1e212f93ebf4122d030058a32e3fabef5fe6e0f5f1575a85" + logic_hash = "b21070777561ec20c7e258b89cb634f08a3748193a432fdfe91aad038950c4de" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8412010000 0f8cee000000 80fa0d 0f8421010000 80fa1b 0f8576010000 } - $sequence_1 = { 0f8d94010000 80fa26 0f8f18010000 80fa23 0f8d82010000 } - $sequence_2 = { 80fa5c 0f94c1 80fa2f 0f94c2 08d1 } - $sequence_3 = { 3c18 0f8483000000 3c1c 740d 3c16 } + $sequence_0 = { 0f8d28020000 80fa0a 0f8417010000 7f39 80fa08 } + $sequence_1 = { 80f95c 7504 b201 ebde 80f92f 74f7 } + $sequence_2 = { 80fa28 0f8d94010000 80fa26 0f8f18010000 80fa23 } + $sequence_3 = { 80fa5b 7f3c 80fa28 0f8d94010000 80fa26 0f8f18010000 } $sequence_4 = { e9???????? 
80fa0c 0f8412010000 0f8cee000000 80fa0d } - $sequence_5 = { 89d6 0f883a020000 80fa21 0f8f8f000000 80fa20 0f8d28020000 } - $sequence_6 = { a910000108 753f a900004011 7521 a900000600 7467 } - $sequence_7 = { ff15???????? 85c0 740e e8???????? 31d2 89c1 e8???????? } - $sequence_8 = { b901010000 ff15???????? 85c0 740e } - $sequence_9 = { 0f8421010000 80fa1b 0f8576010000 ba02000000 e8???????? } + $sequence_5 = { 80fa26 0f8f18010000 80fa23 0f8d82010000 } + $sequence_6 = { 0f8d28020000 80fa0a 0f8417010000 7f39 } + $sequence_7 = { 84d2 89d6 0f883a020000 80fa21 0f8f8f000000 80fa20 0f8d28020000 } + $sequence_8 = { 0f8412010000 0f8cee000000 80fa0d 0f8421010000 80fa1b 0f8576010000 ba02000000 } + $sequence_9 = { 5b 5e e9???????? ebc0 ebbe ebbc } condition: 7 of them and filesize < 688128 
@@ -147635,36 +148700,36 @@ rule MALPEDIA_Win_Solarbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "05e274f3-e1a5-5d28-b9c3-6c8b8c413847" - date = "2026-01-05" - modified = "2026-01-06" + id = "105fa4f4-8183-52bf-8123-e9354b485107" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.solarbot_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.solarbot_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "531287eb552516451607fb4943bd4268dc00786ea51d0ac858b62961b07eaa85" + logic_hash = "fd7305b845e3c66493e1bc450b2017063e86e29be679d0520ec1b532d9af5c7a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c745f800000000 6a00 8d55fc 52 89da 8b0a } - $sequence_1 = { 8945fc 8b7d14 8b4518 8945f4 8b451c c745ec00000000 6a00 } - $sequence_2 = { 8b55f8 01d0 50 8b55fc 8b45f8 01c2 52 } - $sequence_3 = { 8b85f8feffff 8b5020 0395f0feffff 89d8 c1e002 01c2 } - $sequence_4 = { 8b8524f8ffff 0fb610 83fa50 0f8598000000 83bd20f8ffff21 0f868b000000 } - $sequence_5 = { 89ca 8d1453 0fb712 85d2 7ff3 89c8 } - $sequence_6 = { 8945a8 e9???????? 
ff75a4 ff75e0 681a040000 } - $sequence_7 = { 0f8580020000 8b85d0fdffff 85c0 0f8472020000 c785e0fdffff00000000 bf00000000 be00000000 } - $sequence_8 = { 8945e0 eb2d 6a1c 8d45e4 50 } - $sequence_9 = { 50 e8???????? 89c3 53 e8???????? 8945f4 89f0 } + $sequence_0 = { 8b95d4f7ffff 8b85d8f7ffff 01c2 52 e8???????? 8985dcf7ffff 85c0 } + $sequence_1 = { ffd0 8b85f4faffff 83f801 0f859c000000 8b8500fbffff 3d03000080 0f858b000000 } + $sequence_2 = { 85c0 0f8475000000 6a00 ff75f8 ff7508 ff75fc } + $sequence_3 = { 50 e8???????? 6800020000 8d8500feffff 50 53 8b95d8fdffff } + $sequence_4 = { 8b955cfeffff 8910 81fefa000000 72c9 8b8550feffff 0fb710 52 } + $sequence_5 = { 8b45f8 c7401c00000000 8b55f8 8b45f0 } + $sequence_6 = { c745e402000000 c745e811000000 eb15 c745e002000000 c745e401000000 c745e806000000 } + $sequence_7 = { 7521 6a00 6a0c 8d85e8fdffff 50 } + $sequence_8 = { 83ec28 895dd8 8975dc 897de0 8b5d08 8b750c 8b7d10 } + $sequence_9 = { 66c745f00200 8b45f4 85c0 0f86a9020000 b800040000 89c6 56 } condition: 7 of them and filesize < 204800 
@@ -147674,42 +148739,42 @@ rule MALPEDIA_Win_Kivars_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "97e9352f-68df-56fa-86e0-872f02c50448" - date = "2026-01-05" - modified = "2026-01-06" + id = "e3629ab6-6c44-5699-b846-61a8ef3e4e0a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.kivars_auto.yar#L1-L164" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.kivars_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "4d20cf7aacd2e8c5bf1e2fc02d32857c61e25ca91f0ca5072534ea8bbca535b9" + logic_hash = "39fdab25349f39ee4ae2444df4528b7d0d4bb9e7503fd39f5d68889aebe8ec6d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 448bc0 488d542440 488b8c2478080000 e8???????? } - $sequence_1 = { e8???????? 4c8d442440 488d942464030000 488b8c24e0050000 e8???????? } - $sequence_2 = { c784247004000001000000 83bc247004000000 7548 c784247c05000000000000 488d8c2440010000 } - $sequence_3 = { e8???????? 90 488d4c2430 e8???????? 486344242c } - $sequence_4 = { 8bcb 66897304 e8???????? 83f8ff } - $sequence_5 = { 85c0 7424 50 8b4354 50 ffd7 } - $sequence_6 = { 49 80bc0c7b0100005c 7433 bf???????? 83c9ff } - $sequence_7 = { 33c0 8d7c2418 f3ab 8d4366 6689542418 6a00 6a00 } - $sequence_8 = { 488d8c24780b0000 e8???????? 
e9???????? 488d542430 488d8c2440010000 } - $sequence_9 = { 482bc8 488bc1 89442428 e9???????? 8b442440 ffc8 } - $sequence_10 = { e9???????? 488b842460100000 48ffc0 ba3a000000 } - $sequence_11 = { 51 89442420 897c2434 ff15???????? 8b4c241c } - $sequence_12 = { 0bf0 83e23f 83c703 83c504 8a443410 } - $sequence_13 = { 894c244e b900080000 668b5004 33c0 50 50 } - $sequence_14 = { 8d7a01 57 e8???????? 83c404 8bd8 } - $sequence_15 = { 8b842400010000 488bc8 ff15???????? 4889842480000000 4883bc248000000000 } + $sequence_0 = { 48c744242000000000 41b918000000 4c8d442430 33d2 488b4c2448 ff15???????? } + $sequence_1 = { 41b802000000 488d942470040000 488b8c2478080000 e8???????? 89842480080000 } + $sequence_2 = { 488b8c2410030000 ff15???????? 488d1510390000 488b8c2410030000 } + $sequence_3 = { 668944243c 0fb744243c 488b4c2448 0fb74906 } + $sequence_4 = { 51 6a01 68???????? 68???????? 6801000080 e8???????? 83c414 } + $sequence_5 = { 8984241c010000 0f843b010000 56 57 89442414 } + $sequence_6 = { c644247069 c6442471b1 c644247217 c644247363 c6442474bd } + $sequence_7 = { 52 e8???????? 8b442420 8b4c2428 57 56 50 } + $sequence_8 = { 8905???????? b001 e9???????? 488d8c2498020000 e8???????? 48c784245802000000000000 } + $sequence_9 = { 8d55dc 52 681f000200 50 57 56 } + $sequence_10 = { 8d8c2420030000 51 50 ff15???????? 85c0 } + $sequence_11 = { ff15???????? 8d9424a4020000 52 ff15???????? 80bc04a30200005c } + $sequence_12 = { ff15???????? 85c0 89442410 0f848d000000 8b8c2418020000 } + $sequence_13 = { 837c242400 0f8caa040000 8b842440010000 ffc8 8bc0 } + $sequence_14 = { c684248000000025 c684248100000026 c684248200000027 c684248300000028 c684248400000029 c68424850000002a } + $sequence_15 = { ff15???????? 89842490050000 ff15???????? 8b8c2490050000 0fafc8 } condition: 7 of them and filesize < 196608 
@@ -147719,34 +148784,36 @@ rule MALPEDIA_Win_Nestegg_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52ec43db-af34-5600-ae4f-7af1b99fc246" - date = "2026-01-05" - modified = "2026-01-06" + id = "d1d3bbd9-c81f-5c05-895b-4fef76e3bfa2" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.nestegg_auto.yar#L1-L101" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.nestegg_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "998bf1c6b0e9df7e30236e71f3887671a96f6e1e7f5c7700f72ff2a5d20b9889" + logic_hash = "655cfa452dafff7c982fcd01db9b0e21c88f3384c7f3501f19f60309ef6a3159" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8d4c2420 33ed 89442444 51 } - $sequence_1 = { 6a08 ff15???????? 8be8 b988000000 33c0 8dbc24a8020000 c78424a402000024020000 } - $sequence_2 = { 89742410 e8???????? 6a00 6800200000 8d8e2c040000 c744245800000000 } - $sequence_3 = { 2bc3 8bce 50 e8???????? 8b8f28040000 } - $sequence_4 = { 5f 5e 59 c20c00 ff15???????? } - $sequence_5 = { b907000000 f7f9 42 89542410 8b5500 } - $sequence_6 = { 7530 50 50 8b44240c 25ffff0000 50 68???????? 
} - $sequence_7 = { 81e1ffff0000 c744243400000000 d1e1 85c9 } + $sequence_0 = { c784242804000000000000 ffd6 8bf8 81e7ff010080 7908 } + $sequence_1 = { 8d54244c c744244c94000000 52 ff15???????? } + $sequence_2 = { 8d44241c 6a08 50 8bce e8???????? 8d4c2424 6a08 } + $sequence_3 = { 8b08 8b7004 51 8d4c241c e8???????? 33ff 8d5e01 } + $sequence_4 = { 5f 83c8ff 5b c20800 8b7b08 55 56 } + $sequence_5 = { 8d542410 51 52 8bce c744241004010000 e8???????? 85c0 } + $sequence_6 = { 52 8bce e8???????? 8d44247c } + $sequence_7 = { ff15???????? 8944242c 8d442424 8d4c241c 50 } + $sequence_8 = { 8844243e 885c243f c64424506f 88442451 c644245265 c644245361 } + $sequence_9 = { ff15???????? e9???????? 8d4c2418 c7842434410000ffffffff e8???????? 8b8c242c410000 } condition: 7 of them and filesize < 221184 
@@ -147756,36 +148823,36 @@ rule MALPEDIA_Win_Dnespy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "99cbf088-6549-56a2-969b-60e6f7eba155" - date = "2026-01-05" - modified = "2026-01-06" + id = "6ad9df4c-5a33-513f-97c8-10355272b5e9" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.dnespy_auto.yar#L1-L132" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.dnespy_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "4e1c2bd2efe3fbaf06ba8ff5d9f3d8607a9e5d8c5f87336409321d599b08c5ad" + logic_hash = "7122d179219cca1256e739bba538cf24826e3a3104c038607a1dcb344b5e9f45" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8b54240c a1???????? 89542414 81faff0f0000 762d 0f1f00 ff774c } - $sequence_1 = { 83f80a 0f85e6080000 834608fc 8b55dc 85d2 791b 8bc2 } - $sequence_2 = { 894618 837e0cff 7403 ff4e24 8bce e8???????? 8b4e0c } - $sequence_3 = { 83f9ff 7245 880a 0facc108 c1e808 884a01 0facc108 } - $sequence_4 = { 8975b4 c745b80f000000 c645a400 8d8de8feffff e8???????? 8b531c 83fa10 } - $sequence_5 = { 33c9 c645fc02 8b45e4 85c0 0f95c1 8d0c8d04000000 034d10 } - $sequence_6 = { e9???????? 6a00 57 53 ff762c 56 e8???????? 
} - $sequence_7 = { 3bc3 7304 8bc3 eb0b 3dffffff3f 0f87ca000000 } - $sequence_8 = { 8be8 8bc2 eb16 8b4618 53 ff761c } - $sequence_9 = { 6a20 c745e400000000 e8???????? 0f104588 8bc8 c745e400000000 8b45b0 } + $sequence_0 = { 51 e8???????? 0f108558ddffff 83c408 } + $sequence_1 = { e8???????? 8b956cffffff 8845a7 83fa10 722f 8b8d58ffffff 42 } + $sequence_2 = { 894108 8bcb 8b4224 c1e908 89480c eb05 8bcb } + $sequence_3 = { 8d420c 8b8a60e9ffff 33c8 e8???????? 8b4af8 33c8 e8???????? } + $sequence_4 = { 8d4590 c645fc0b 50 8bcf e8???????? 8b55a4 83fa10 } + $sequence_5 = { 8b5d08 895dd8 c745d400000000 c7431000000000 c743140f000000 c60300 c745fc00000000 } + $sequence_6 = { 8b542414 83faff 0f83a0000000 8810 8bc5 0facc208 89542418 } + $sequence_7 = { 8d45e0 50 e8???????? 6a00 68???????? 68???????? 6a00 } + $sequence_8 = { 7711 7207 3dffff0000 7308 89442410 894c2424 6804040000 } + $sequence_9 = { 5b 8be5 5d c20800 52 50 51 } condition: 7 of them and filesize < 794624 
@@ -147795,40 +148862,40 @@ rule MALPEDIA_Win_Reedbed_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "74769a46-8253-5d47-b255-0c21b0e137a7" - date = "2026-01-05" - modified = "2026-01-06" + id = "2c3f1425-1a73-59f8-aed5-33df07b7a49e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.reedbed_auto.yar#L1-L143" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.reedbed_auto.yar#L1-L141" license_url = "N/A" - logic_hash = "9739a2569b16e57b90481814e6cc540a2c3a0da3aecf12af2fc73ab886c25305" + logic_hash = "8ef64fbf6f9497b7e87f87a1a7c073da11ad69dcb2995452562b2c12f64cc930" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $sequence_0 = { 33c9 e8???????? 488b0d???????? 488981c2140000 } $sequence_1 = { 33c9 ff15???????? 85c0 751e } - $sequence_2 = { 4885c9 7405 e8???????? 33c0 0f57c0 } - $sequence_3 = { eb19 488d15e3d10100 eb10 488d15cad10100 eb07 488d15b5d10100 4533c0 } - $sequence_4 = { 4c8d0d44e50000 b919000000 4c8d0534e50000 488d1531e50000 e8???????? } - $sequence_5 = { 488bd8 4885c0 7431 488bc8 ff15???????? 83f8ff } - $sequence_6 = { 8364244000 4c8d4c2440 baffff0000 c744242004000000 41b801000000 } - $sequence_7 = { 488b83a6140000 4c8974080e 4883c13f 483bcf 7ceb e8???????? 
33c9 } - $sequence_8 = { c7450400000000 c7452400000000 488b8548010000 83780a00 } - $sequence_9 = { c7450400000000 c7452400000000 488b85a0010000 4883b8a614000000 } - $sequence_10 = { c7450400000000 83bd0801000000 7515 488d15ce130f00 } - $sequence_11 = { c7450400000000 ba01000000 b900003f00 e8???????? } - $sequence_12 = { c7450400000000 c7452400000000 488b8540010000 8b808c140000 } - $sequence_13 = { c7450400000000 837d0400 7534 488b8580010000 } + $sequence_2 = { 453b03 7519 41833b40 7313 } + $sequence_3 = { 4181ba9814000000000200 7347 4533c0 443b06 7316 418b490e } + $sequence_4 = { 4885c0 75e9 8d4f01 4803c9 e8???????? 488bf8 } + $sequence_5 = { 40f6c520 7412 418a01 4181482104020000 } + $sequence_6 = { eb55 8b9d90020000 4c8d8d90020000 895e26 4533c0 66897e2a } + $sequence_7 = { 4885c0 7425 c60000 488d742440 eb13 } + $sequence_8 = { 8944244c 48c744243800000000 c744243051010000 488d0546980600 4889442428 } + $sequence_9 = { 89442450 817c245000ca9a3b 723a 488d0514070600 } + $sequence_10 = { 89442450 837c245000 753a 488d053d0e0500 } + $sequence_11 = { 89442450 488b442428 0fb700 488d0d10da0500 } + $sequence_12 = { 8944244c 837c244c00 753a 488d0504c00500 } + $sequence_13 = { 8944244c 837c244c0f 0f875e010000 8b44244c 488d0d1ba4eaff } condition: 7 of them and filesize < 3760128 
@@ -147838,36 +148905,36 @@ rule MALPEDIA_Win_Unidentified_100_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "46aeb4db-19b2-5469-a0eb-5c4c4a4bf0ff" - date = "2026-01-05" - modified = "2026-01-06" + id = "10e936da-f22c-50be-bc05-a5a93c8d7577" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_100_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_100_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "47aac890cf0ac352426261b33fabc1042e2b5071c52a28784cdba5465d5e39a5" + logic_hash = "6451eccbbc38115e7b096bf9bb2e522aaf03c5ad5e4db979198e28fc1f8d2d4d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0fb6442420 2580000000 88442402 0fb6442420 } - $sequence_1 = { 488b542420 88040a 6b05????????03 0fb60c24 03c1 4898 488b4c2420 } - $sequence_2 = { 8d0c8d03000000 4863c9 488b542448 4c8b442440 410fb60400 88040a } - $sequence_3 = { 488d9424a0070000 488d8c24a0050000 e8???????? 8b442434 ffc0 eb3d } - $sequence_4 = { 3da5000000 751b 48630424 488b4c2478 c6040146 48630424 } - $sequence_5 = { 488b8c24c0000000 4c8b442468 420fb60c01 e8???????? 
0fb6c0 8b4c242c 33c8 } - $sequence_6 = { 488bf1 b932000000 f3a4 488d842402030000 } - $sequence_7 = { 488b8c24c0000000 4c8b842480000000 420fb60c01 e8???????? 0fb6c0 8b4c2438 33c8 } - $sequence_8 = { 742d 4c8d4c2460 41b802000000 488d542464 488b4c2448 ff15???????? 8b442460 } - $sequence_9 = { c744841001000000 e9???????? 48630424 488b4c2470 0fb60401 83f82b 751e } + $sequence_0 = { eb0b 0fb6442422 fec8 88442422 0fb6442422 83f801 7c35 } + $sequence_1 = { 88040a eb44 48630424 837c841002 7520 48630424 } + $sequence_2 = { 488b8c2418040000 488b542470 0fb6941488000000 881401 ebb2 } + $sequence_3 = { 8d048503000000 4898 0fb64c2420 8d0c8d03000000 4863c9 488b542448 } + $sequence_4 = { 4889442458 48837c245800 7402 eb02 eb9e 48837c245800 } + $sequence_5 = { 48837c244000 7441 4c8d8c24b0070000 4533c0 488d9424e0060000 } + $sequence_6 = { 833c2410 0f8d4a020000 48630424 488b4c2470 } + $sequence_7 = { b90a000000 ff15???????? 48c744242800000000 c744242000000000 41b9ffffffff 4c8d842420070000 488b942458090000 } + $sequence_8 = { 33c8 8bc1 88442401 0fb6442420 2580000000 88442402 0fb6442420 } + $sequence_9 = { 488d842430030000 4889442420 4c8b8c24b8200000 4c8d8424c00a0000 488d9424f0030000 } condition: 7 of them and filesize < 372736 @@ -147881,7 +148948,7 @@ rule MALPEDIA_Win_Unidentified_081_Auto : FILE date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_081" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.unidentified_081_auto.yar#L1-L125" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.unidentified_081_auto.yar#L1-L125" license_url = "N/A" logic_hash = "0bf113d92abe743278ae5a94b3d8f7a48f5ba7f91d2e79f1d3ac361b6c786f4e" score = 75 
@@ -147916,36 +148983,36 @@ rule MALPEDIA_Win_Statc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "808b480a-a4a8-5b96-a652-004f7a1eca10" - date = "2026-01-05" - modified = "2026-01-06" + id = "e0e5702e-8d19-5b6c-b2ad-c305cf847b2a" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.statc" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.statc_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.statc_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "d41663c5e21054ad8e54e8097dd90a58bbd0b9def413c1922ece24784d1402b9" + logic_hash = "162a93568274339cc4928131dfcee6db91044c6d5caf037b3baa14a50dac053a" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 85c0 7409 8984248c000000 ebc5 488d942488000000 488bcf e8???????? } - $sequence_1 = { c6040129 e9???????? 4d8b4010 488d15c9dd2700 488d4def 4d8b00 e8???????? } - $sequence_2 = { 7f1d 8b8424e0000000 448bca ba69000000 89442420 488bcb e8???????? } - $sequence_3 = { b807000000 8bc8 894344 488bcb 8bd0 e8???????? e9???????? } - $sequence_4 = { e9???????? 488d8ab8010000 e9???????? 488d8ad0000000 e9???????? 488d8a90000000 e9???????? } - $sequence_5 = { c645d01c c745d401000000 488975e0 48894598 488d4d90 488b4580 4533e4 } - $sequence_6 = { e8???????? 488bcf e8???????? 
48c70300000000 4d85ed 7409 498bcd } - $sequence_7 = { 48f7e2 488bf2 48c1ee04 48ffc6 0fbe43f1 84c0 740d } - $sequence_8 = { e8???????? 8bf8 896c2450 3b44243c 7413 488d15da212800 488bce } - $sequence_9 = { ff15???????? 488b4b18 33c0 48898318020000 48898320020000 898328020000 898378020000 } + $sequence_0 = { ba64000000 0f44c2 4489b188000000 884105 4a8b842580000000 488bc8 e8???????? } + $sequence_1 = { c705????????01000000 488d15f1a80400 488d0daaa80400 e8???????? 85c0 740a b8ff000000 } + $sequence_2 = { e8???????? 488b4318 48638bb8000000 39483c 7f26 41b901000000 89742420 } + $sequence_3 = { eb13 4c8d85e8010000 488bd0 488d4df0 e8???????? 4c896d08 4c896d18 } + $sequence_4 = { eb32 448b442444 488d0c52 8d4201 418906 488b4368 66c704c85900 } + $sequence_5 = { 90 4c8bc3 488bd0 488d8dc0020000 e8???????? 90 488d8580000000 } + $sequence_6 = { 85c0 0f8507020000 49635710 488bcf 4d8b4550 4883c209 4c03c2 } + $sequence_7 = { e9???????? 488d0d8d611000 e9???????? 488d0d25611000 e9???????? 4883ec28 488d0ddd8d2e00 } + $sequence_8 = { eb1e 8b86b8000000 ffc8 4898 488d0c40 488b4668 488d14c8 } + $sequence_9 = { 5f c3 418bdd 488b442428 4c8928 488b7808 4c896808 } condition: 7 of them and filesize < 6429696 
@@ -147955,36 +149022,36 @@ rule MALPEDIA_Win_Headertip_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1dda5df3-2437-55ec-aee3-662480184ff3" - date = "2026-01-05" - modified = "2026-01-06" + id = "e5bb308f-a1fe-5294-97d5-d3261b413a75" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.headertip_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.headertip_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "a8e98ab682cf8297008cac86233820760ccd69da30239b18014120d2702bf71b" + logic_hash = "1f532c8941d6653e29a0c919ea784a07ef1f6eca77292dc4366a3f53e9eec97c" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { c645e465 c645e573 c645e674 c645e757 885de8 } - $sequence_1 = { 8b450c 48 753a 8b4508 } - $sequence_2 = { 0f845b020000 8d4d34 51 50 ff15???????? a3???????? } - $sequence_3 = { 84c9 75f1 c20400 8b542404 33c0 85d2 } - $sequence_4 = { 56 57 64a130000000 8b400c 8b7014 8bfe } - $sequence_5 = { c6451d74 c6451e45 c6451f72 c6452072 c645216f c6452272 885d23 } - $sequence_6 = { ff7508 ff35???????? ff15???????? 85c0 7528 } - $sequence_7 = { 68???????? be???????? 56 c705????????19100010 c705????????5b120010 ff15???????? 
} - $sequence_8 = { 58 668945f4 668945f6 6a33 58 668945f8 6a32 } - $sequence_9 = { 33c0 5f 5b 5e c3 0fb7c7 } + $sequence_0 = { a3???????? 8d85e4feffff 50 e8???????? 59 8d85e4feffff } + $sequence_1 = { eb15 6a10 56 e8???????? } + $sequence_2 = { 83c418 8be8 03ef 8b4618 89442414 85c0 74c4 } + $sequence_3 = { 56 8d8570fdffff 50 68???????? ff35???????? ff15???????? } + $sequence_4 = { 85c0 750d 83c304 45 45 39442414 } + $sequence_5 = { c6452674 c6452770 c6452851 c6452975 c6452a65 c6452b72 } + $sequence_6 = { 0f95c0 57 57 50 56 ff15???????? a3???????? } + $sequence_7 = { 7580 ff15???????? ff35???????? ff15???????? ff35???????? } + $sequence_8 = { 85d2 750c eb12 42 } + $sequence_9 = { 59 be???????? 8dbd74ffffff f3a5 33ff 57 } condition: 7 of them and filesize < 174080 
@@ -147994,36 +149061,36 @@ rule MALPEDIA_Win_M0Yv_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a129bc6-2344-5ff6-a3ef-18a2b58317ac" - date = "2026-01-05" - modified = "2026-01-06" + id = "e8f21795-cde1-56af-8629-9b8b79ab48ca" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.m0yv_auto.yar#L1-L128" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.m0yv_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "187d793321c420f42e54cfca36e40f43e077f8b56c43ac66dc5d6006d88beffc" + logic_hash = "9cffd172d9d16138c6b0d779b824ef7b29f6b82f72ce5c8491087921c282630d" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 4589d1 41c1f919 4501c1 4589c8 41c1f81a 4501d8 8811 } - $sequence_1 = { 4889ce e8???????? 31ff 4885db 744f 85c0 744b } - $sequence_2 = { 7418 4180783c02 755f 418ac3 24f0 3c40 7556 } - $sequence_3 = { 4801d8 480500000001 4803542420 4889c5 } - $sequence_4 = { b918000000 ff10 4885c0 740b c70002000000 897008 eb02 } - $sequence_5 = { 4d89ea 4a035cee08 4831cf 4889c1 48c1c11e 4889c6 4931fc } - $sequence_6 = { 4889f2 e8???????? 4c89e1 4c89e2 4989d8 e8???????? 
4c8d4778 } - $sequence_7 = { 4869c2182d0700 4901c3 4c69d5d1150200 4d01fa 4869c267fb0900 } - $sequence_8 = { 4889dd 480fafee 4889ac2488000000 4c8d3c36 480faff6 4801ce 48635810 } - $sequence_9 = { b918000000 ff17 4885c0 7433 4889c6 c70006000000 } + $sequence_0 = { 742e 403afe 731c 488b83b0000000 400fb6cf 8a0c01 } + $sequence_1 = { 243f 0c40 8844244f 488dac2440010000 4889e9 e8???????? 488d9c2470010000 } + $sequence_2 = { 83f802 7323 0fb6495c 488d159d110200 488b04c2 488b14c8 } + $sequence_3 = { 4c89e9 4809c1 4901fb 4c21f9 4c89ee 4821c6 } + $sequence_4 = { 4889f1 490fafcc 4d0faffd 4901cf 4c89f7 4c89f1 490fafca } + $sequence_5 = { 09c1 884a1c 4c89e0 48d1e8 88421d 4c89e0 48c1e809 } + $sequence_6 = { 48c1fe19 488b7c2440 4c8d0c3e 488d0c3e 4881c100000002 4889ce 48c1ee1a } + $sequence_7 = { e8???????? 4889f1 4c89f2 e8???????? 31db 4c8d7c2460 31ff } + $sequence_8 = { 66410fdbcf 660f76ca 660fdbcf 660fefcb 660fefcd 66410f6fd9 } + $sequence_9 = { 488d1529540200 4533c0 488d0c9b 488d0cca baa00f0000 e8???????? 85c0 } condition: 7 of them and filesize < 779264 
@@ -148033,36 +149100,36 @@ rule MALPEDIA_Win_Banatrix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6974f81a-af90-539d-af3d-94a99f9a6ee8" - date = "2026-01-05" - modified = "2026-01-06" + id = "c24a710d-5483-5df9-8208-39cc85022996" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.banatrix_auto.yar#L1-L120" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.banatrix_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "c6cf826d5b4f12a87f113cad069f8b787ae4fd983cd321b74f5d11035bda50a6" + logic_hash = "d7e3357ec22c64617bb7d3370c0ac973ec3c980cc668526f6159559e086342bc" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e9???????? 8b470c 85c0 74e3 } - $sequence_1 = { 8b45cc d16dd0 8b4dd0 8d34c8 8b0e 81e1ffffff7f 034dc8 } - $sequence_2 = { 0f44d0 e9???????? 7418 8b75d4 } - $sequence_3 = { 89c2 ebe0 0f86dc000000 8d7101 } - $sequence_4 = { 5f 5d c3 55 89e5 83ec28 8b4514 } - $sequence_5 = { 8d4101 c74424080a000000 890424 c745e400000000 e8???????? 89c6 } - $sequence_6 = { 894314 8b4510 897b04 c7430800000000 c7431000000000 } - $sequence_7 = { 010c37 ff45d0 ebcb 01fa ebb4 8b7dd0 } - $sequence_8 = { e8???????? 895c2408 c744240400000000 890424 e8???????? 
83ec0c } - $sequence_9 = { 83ec10 85c0 8945d4 7542 8b45d0 c744240c04000000 c744240800300000 } + $sequence_0 = { 85c0 74e3 8b5320 0345d0 } + $sequence_1 = { 0fb706 3b4314 7798 8d0487 03431c 0338 89f8 } + $sequence_2 = { 891c24 89442408 e8???????? 8b55c0 85c0 } + $sequence_3 = { 8b55c4 8b4dc0 89c6 83ec10 894208 89f7 } + $sequence_4 = { 8b7508 8b4a10 037214 89c7 } + $sequence_5 = { 8b03 c745d000000000 0fb75014 8d741018 e9???????? } + $sequence_6 = { 75d3 eb30 8b55d0 8d440202 ebd4 8b4320 } + $sequence_7 = { 8b02 85c0 740c 8b55d0 } + $sequence_8 = { 7514 a840 7405 8b4a20 eb07 a880 74a6 } + $sequence_9 = { 894c2404 c744240c04000000 c744240800100000 03420c 894dc0 } condition: 7 of them and filesize < 180224 
@@ -148072,36 +149139,36 @@ rule MALPEDIA_Win_Curlback_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "92c5ff94-7733-554e-9411-adf2e04e8882" - date = "2026-01-05" - modified = "2026-01-06" + id = "d6d6897b-eaad-5866-a449-2154cbb73a9e" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.curlback" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.curlback_auto.yar#L1-L133" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.curlback_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "5762a9ce8640933ae705745a803bbe43e75d1e28f524d7c7dfbc6bececc7a9c4" + logic_hash = "a2000e34bded4627be734821f7818e1114b6a48a81b23babb34d1004e983f3a6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { e8???????? 84c0 7420 488d153ac20c00 488bcb e8???????? eb0f } - $sequence_1 = { ba15000000 488bce e8???????? eb4c 488b5318 488bc8 e8???????? } - $sequence_2 = { 8bd8 85c0 752e 488b97a8080000 488d8f08130000 e8???????? 8bd8 } - $sequence_3 = { 85c0 7848 488b4550 488b08 488b5958 498bd6 488d8d88000000 } - $sequence_4 = { 7527 488b4c2460 4c8bc5 e8???????? 85c0 7516 488d15ac050b00 } - $sequence_5 = { 4883c908 498bc7 48894c2470 0fb6d1 48894590 eb14 b8f7ffffff } - $sequence_6 = { baffff0000 e8???????? 48899ec8010000 33c0 8983ac1c0000 488bce } - $sequence_7 = { e8???????? 
894340 83f80d 742a 83f80b 0f8562050000 498bce } - $sequence_8 = { eb11 488b4308 488b08 48894ddf eb04 4c897def 48895db7 } - $sequence_9 = { 80bd2d13000000 7513 488bcd 85db 0f84a1000000 488bd3 e8???????? } + $sequence_0 = { e8???????? 85c0 75a4 490137 39833c010000 0f8578ffffff 498bce } + $sequence_1 = { 482bc1 4883c0f8 4883f81f 7710 e8???????? 488bc3 4883c450 } + $sequence_2 = { 740f 488d0d656c0c00 498909 e9???????? 0fb6871a130000 83f805 772b } + $sequence_3 = { e8???????? 488d05820d0000 48c74338c0d40100 48898390000000 4c8dbbb8000000 488d0595050000 498bd5 } + $sequence_4 = { 7415 ba01000000 488bcd e8???????? 418bf6 e9???????? 4038b1510a0000 } + $sequence_5 = { ff15???????? 488bd8 4885c0 743c 48895b10 488d0510da0d00 488903 } + $sequence_6 = { 488d8b580c0000 e8???????? 4d8bc7 488d15f48b0a00 488d4d98 e8???????? 8bf8 } + $sequence_7 = { e8???????? 488bf8 4885c0 758b 488b7c2460 4885db 7427 } + $sequence_8 = { d3e8 49895008 4189401c 0fb60a 83e10f 4a0fbe840990a81200 428a8c09a0a81200 } + $sequence_9 = { 75ba 488b0b e8???????? 488b4b18 e8???????? 488d4b30 e8???????? } condition: 7 of them and filesize < 4027392 
@@ -148111,42 +149178,42 @@ rule MALPEDIA_Win_Mylobot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f7dde5ee-bede-5ac3-b3eb-6e299ffacf3b" - date = "2026-01-05" - modified = "2026-01-06" + id = "3367c4b8-2e00-50bb-8106-f7bfa38e7fdb" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mylobot_auto.yar#L1-L174" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mylobot_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "56cc02e4b48743c53b559e650312c78d0538beee90fc9e32cc4b9fd49244eca7" + logic_hash = "dfa8c9d0c20f16c0183dd13cc15d32e5e1ca0cab59c086be613c6143f9ccb393" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 75f6 5e c3 8b442404 eb05 40 84c9 } - $sequence_1 = { 6a00 6a00 8d8c24c4000000 51 } - $sequence_2 = { 8b54241c 891481 ff430c 8b4ff0 85c9 7502 } - $sequence_3 = { 8bf0 6aff 56 ff15???????? 56 ff15???????? 6810270000 } - $sequence_4 = { 5d 5e 5b 81c404080000 c3 8b4c2404 8b54240c } - $sequence_5 = { 42 84c9 75f6 5e c3 } - $sequence_6 = { ff96a8000000 50 ff5670 a1???????? 57 ff742410 ff742414 } - $sequence_7 = { 8b54240c 56 8b74240c 57 8bf9 2bf1 8bc2 } - $sequence_8 = { ff15???????? 85c0 0f8447010000 8b742438 85f6 0f843b010000 8b3d???????? 
} - $sequence_9 = { 51 8d8ddcfdffff e8???????? 83c404 85c0 } - $sequence_10 = { c3 ff15???????? 8b45f0 50 ff15???????? } - $sequence_11 = { b8???????? e8???????? 83c40c 85c0 0f84d9010000 } - $sequence_12 = { 8d4dfc 51 52 ffd0 8b45fc } - $sequence_13 = { 6a09 50 ffd2 8bf8 } - $sequence_14 = { 7416 8bff 0fb6d0 8a9c15dcfdffff 84db } - $sequence_15 = { 85c0 0f84c3000000 8b08 8d55f8 52 68???????? } + $sequence_0 = { ff5068 5f 5e c3 } + $sequence_1 = { 8981f8000000 55 8d442414 50 68???????? } + $sequence_2 = { 8938 56 ff15???????? 8bc7 5f 5e } + $sequence_3 = { 5d c3 8b54240c 8b442404 56 8bf0 } + $sequence_4 = { a3???????? a1???????? 68???????? 56 56 ff501c } + $sequence_5 = { ff75f8 ff9100010000 33c0 85f6 7507 837df001 0f94c0 } + $sequence_6 = { ffd3 8b0d???????? 55 89812c010000 8d442414 50 } + $sequence_7 = { 50 50 6a1a 50 a1???????? ff9038010000 } + $sequence_8 = { 51 51 6800000004 51 51 } + $sequence_9 = { 03c7 8955f8 3bd0 7356 90 } + $sequence_10 = { 33ff 8bd8 8d8d3af1ffff 33c0 57 51 } + $sequence_11 = { 57 51 66898538f1ffff e8???????? 83c40c } + $sequence_12 = { 68fe070000 52 8d8562f7ffff 50 66899560f7ffff } + $sequence_13 = { 85c0 7477 8b4d08 8b550c } + $sequence_14 = { 741c 8d431c e8???????? 8b5318 } + $sequence_15 = { 83f8ff 7554 6a01 6a08 ff15???????? 8d9558f5ffff } condition: 7 of them and filesize < 8028160 
@@ -148156,36 +149223,36 @@ rule MALPEDIA_Win_Feed_Load_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "12c918c0-c452-5da2-b8ac-4e16f1c3b07c" - date = "2026-01-05" - modified = "2026-01-06" + id = "4106d258-8381-5ca7-9bbc-eef40c512280" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.feed_load" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.feed_load_auto.yar#L1-L126" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.feed_load_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "722b483a312044af2fe5076c6a59554ad3a69ee6c355530da497915e66c263d4" + logic_hash = "b42fea18c41c4a2ec88e9b45a0010dde384d0ba1f83ae008081a3bc9400a84f3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 44393d???????? 742c 4c897c2428 4c8d0578faffff 4533c9 44897c2420 33d2 } - $sequence_1 = { 48ffc0 4983ef01 75ef 498d5508 488bcd 4c8d4c2458 } - $sequence_2 = { 448bc7 488bd0 488bce 4c8bf0 e8???????? 3bc5 7411 } - $sequence_3 = { 482bca 4883c302 4183e60f 4983fe0f 0f85bd000000 } - $sequence_4 = { e8???????? 8b442450 8905???????? eb17 4c8d442454 e8???????? } - $sequence_5 = { 488d15a6550200 448bcf 448bc6 ff15???????? 
4423e0 0f84ef010000 488b4b18 } - $sequence_6 = { 4889742420 4489442418 55 57 4154 4156 4157 } - $sequence_7 = { 8bc2 c1e81f 03d0 8d4310 03c2 48638c24b0000000 3bc8 } - $sequence_8 = { e9???????? 488bc3 4c8d3d873affff 498784f798600300 4885c0 7409 } - $sequence_9 = { 410fb608 83e10f 4a0fbe841100050200 428a8c1110050200 } + $sequence_0 = { 488b942480000000 448d4718 448902 488bcd ff15???????? } + $sequence_1 = { e8???????? 448b8f60100000 4c8d0589690200 bb04010000 488d8d30010000 8bd3 } + $sequence_2 = { 483b8c2488000000 0f8262020000 4883fa08 7226 488b01 498d52e0 } + $sequence_3 = { 85c8 75d6 418bcc 48897c2430 412bcf 41ba81808080 } + $sequence_4 = { 4c2bc5 4c8bce 4c2bcb 488bd5 488bcb 498d0410 4885c0 } + $sequence_5 = { ff8170040000 83b97004000002 0f84fa010000 4c8d35263b0100 bd20000000 897350 89732c } + $sequence_6 = { c744242803000000 4889742420 ff15???????? 48894710 4885c0 0f84ce000000 } + $sequence_7 = { 4885d2 746c 4585c0 7467 83600800 33db 83602000 } + $sequence_8 = { 418b8630020000 89442438 488d8580070000 4889442430 488d8578050000 4889442428 } + $sequence_9 = { 488d542430 ff15???????? 393b 7424 48217c2420 488d151cec0200 4c8b05???????? } condition: 7 of them and filesize < 512000 
@@ -148195,36 +149262,36 @@ rule MALPEDIA_Win_Typehash_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c0bfd3b-1920-5db4-be8f-16377880af07" - date = "2026-01-05" - modified = "2026-01-06" + id = "cd3d0daf-071b-56a7-92ed-25ee2ed69617" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.typehash_auto.yar#L1-L122" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.typehash_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "cb4de3d61dde4ee402264a80e34744365587a3be274cf88c25ae82f2b1a1af55" + logic_hash = "6bbfe1811b32f3324fb596ed5ae275614a5c61379d42007891469e7976a2ba78" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0f8380000000 8bc8 8bf0 c1f905 83e61f 8d3c8de03d4100 c1e603 } - $sequence_1 = { 8d7c246c 83c9ff 33c0 8d54246c f2ae f7d1 } - $sequence_2 = { 8b0c8de03d4100 8d04c1 eb05 b8???????? f6400480 0f8492000000 ff4e04 } - $sequence_3 = { 8b15???????? 8d4c2410 52 6800280000 } - $sequence_4 = { 50 c745c458e64000 e8???????? cc 56 ff742408 8bf1 } - $sequence_5 = { 5f eb26 8d4508 8db6742a4100 6a00 50 } - $sequence_6 = { c1f905 83e01f 8b0c8de03d4100 8d04c1 } - $sequence_7 = { 3bd7 770f e8???????? 8b442418 8b0d???????? 3bfb } - $sequence_8 = { 8d4c2440 c68424cc00000001 e8???????? 
8b44241c 3d00280000 7312 } - $sequence_9 = { 03f8 897c2410 813f50450000 7413 68c1000000 } + $sequence_0 = { 8841ff eb0a 49 51 e8???????? 83c404 8b8c24c0000000 } + $sequence_1 = { f6c303 7509 8b0c85b02b4100 eb07 8b0c85e42b4100 034d20 837d0801 } + $sequence_2 = { 8818 8a9c0a93e54000 88990f354100 40 83f903 } + $sequence_3 = { 7524 8b5750 6a04 6800300000 52 50 ffd6 } + $sequence_4 = { 8a442403 53 55 56 33ed } + $sequence_5 = { 7514 c1e902 83e203 83f908 7229 f3a5 ff2495f8334000 } + $sequence_6 = { ff15???????? bf???????? 83c9ff 33c0 68???????? f2ae } + $sequence_7 = { 66f7460c0c01 7552 833c852835410000 53 57 8d3c8528354100 } + $sequence_8 = { 5f 89b0f83a4100 5e 5b } + $sequence_9 = { 8d8424a80a0000 8d8c2404010000 89442474 3bfb } condition: 7 of them and filesize < 180224 @@ -148235,10 +149302,10 @@ rule MALPEDIA_Win_Lazarloader_Auto : FILE description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" id = "4eef2499-48c5-5b94-8dd0-29267a0265f8" - date = "2026-01-05" - modified = "2026-01-06" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarloader" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.lazarloader_auto.yar#L1-L119" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.lazarloader_auto.yar#L1-L119" license_url = "N/A" logic_hash = "176d7f7f65178334e7677ff59a660edd6b016ed103feffa239e5ccc53e031e90" score = 75 
@@ -148247,9 +149314,9 @@ rule MALPEDIA_Win_Lazarloader_Auto : FILE version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" 
@@ -148273,36 +149340,36 @@ rule MALPEDIA_Win_Mail_O_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5d523861-cfbe-53c5-a1e3-510491b0431d" - date = "2026-01-05" - modified = "2026-01-06" + id = "6db30e21-fc04-5fa1-a965-bf55201bb2d8" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mail_o_auto.yar#L1-L134" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mail_o_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "0523be98b7e34057335b62be8aafee77bb16a4b5cb13de84130c24ec4689c31e" + logic_hash = "3667a4352aecdf72cc423283a0e17748cdf3ea3643006d7778672925370e06f3" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { eb09 b801000000 66894348 ba03000000 897320 488d8b70010000 e8???????? } - $sequence_1 = { c781e806000002000000 b801000000 4883c438 c3 c744242892070000 ba2f000000 41b96e000000 } - $sequence_2 = { eba9 488b5008 4c8d442440 488d0debe00e00 488b5208 e8???????? eb8e } - $sequence_3 = { b800010000 e8???????? 482be0 488b05???????? 4833c4 48898424d0000000 4c8ba42450010000 } - $sequence_4 = { e8???????? 8bf0 83f8ff 0f85befeffff 33c0 488b5c2470 488b6c2478 } - $sequence_5 = { 74bb 488d8b00080000 e8???????? 
85c0 7457 488b9388000000 488bcb } - $sequence_6 = { eb04 488b45d8 8b0a 4d8bfe 8bc0 498bd5 4c8b6da8 } - $sequence_7 = { 85c0 0f8ec7000000 0f1f4000 488b8bf8000000 8bd5 e8???????? 488bf0 } - $sequence_8 = { c744242073000000 4c8d0d028e1100 8d4f06 448d420b e8???????? 33c0 488b5c2440 } - $sequence_9 = { eb1a 488bcb e8???????? 85c0 7560 4889b3500d0000 4889b350160000 } + $sequence_0 = { ebd5 ba67000000 c744242006020000 4c8d0d3ff31100 8d4ab9 448d4212 e8???????? } + $sequence_1 = { 7468 ffc7 3bfe 7ce0 4c63c3 4d8bcc 49d1f8 } + $sequence_2 = { eb04 83670cfd 33c0 488b5c2440 488b6c2448 488b742450 488b7c2458 } + $sequence_3 = { ffc2 e8???????? 4885c0 7471 8b4308 894708 4c8b0b } + $sequence_4 = { eb03 4d8be5 498bf5 44897328 4c39ab98000000 0f862f030000 83fd16 } + $sequence_5 = { e8???????? 0f1030 eb05 0f28742440 4983c8ff 899da0030000 895d80 } + $sequence_6 = { eb84 488bce e8???????? b816000000 e9???????? 83a370050000fe e9???????? } + $sequence_7 = { 7510 8b4730 418901 b801000000 e9???????? 83fbfd 0f8cebfeffff } + $sequence_8 = { ff15???????? 488b5c2430 488907 4883c420 5f c3 48895c2410 } + $sequence_9 = { f00fc181c0050000 83e801 0f8fc4020000 488b89d0000000 e8???????? 488d8bd8000000 e8???????? } condition: 7 of them and filesize < 5985280 
@@ -148312,36 +149379,36 @@ rule MALPEDIA_Win_Misha_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7ba08020-4181-5ded-9bc0-49b98b3d2547" - date = "2026-01-05" - modified = "2026-01-06" + id = "57a86f97-0226-57cc-b18e-fd683342e34c" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.misha_auto.yar#L1-L127" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.misha_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "55176526d6c66aba41e971557ded1fe9cdb654b2ecbb0584caf24e3a0c3f703a" + logic_hash = "b455493573aed00c54386916fa074b0978e9f408f42bd4d3861eacb866a330b6" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 0d19000200 50 8b4318 0508010000 50 } - $sequence_1 = { 6a08 59 8bc3 c1e310 0bc3 6a18 8bfa } - $sequence_2 = { ff75c8 8b4314 83c070 50 8b8578ffffff 48 48 } - $sequence_3 = { 50 8b4314 05d8000000 50 ff75ec 8b7308 } - $sequence_4 = { 50 8b4318 0508020000 50 ff730c e8???????? } - $sequence_5 = { 8945e8 8b4510 8b00 8945e4 8d45fc } - $sequence_6 = { c78550feffff18181818 c78554feffff18181818 c78558feffff18181819 c7855cfeffff19191919 c78560feffff19191919 c78564feffff19191919 c78568feffff19191919 } - $sequence_7 = { 6a00 e8???????? 
83c40c 8b45f4 8a4d0c 884818 8b45f4 } - $sequence_8 = { 8d85f8f9ffff 50 8d85e0f9ffff e8???????? 83c40c 0fb6c0 } - $sequence_9 = { 8d8568ffffff 50 6a01 6a02 8b4314 83c008 50 } + $sequence_0 = { 894df0 8b4d90 83c104 ff75f0 8b45b4 e8???????? 59 } + $sequence_1 = { 59 39551c 7409 ff751c e8???????? 59 5d } + $sequence_2 = { ff7508 ff75cc e8???????? 83c410 8945b0 837d2402 7520 } + $sequence_3 = { 8d45f4 50 6a28 e8???????? 59 59 85c0 } + $sequence_4 = { 8b45d8 6bc038 8b4b18 8d440120 50 ff7324 8b45e8 } + $sequence_5 = { 8b4df8 8908 8b4510 8b4d0c 894808 8b45f8 8b4008 } + $sequence_6 = { ff5168 85c0 8b45f8 8b08 50 0f99c3 } + $sequence_7 = { c785acfeffff1b1b1b1b c785b0feffff1b1b1b1b c785b4feffff1b1b1b1b 66c785b8feffff1b1b c685bafeffff1c } + $sequence_8 = { b84d5a0000 663901 755a 8b413c 8d90f8000000 39542404 7c4b } + $sequence_9 = { ff75dc 6a08 59 e8???????? 83c420 0fb6c0 85c0 } condition: 7 of them and filesize < 710656 
@@ -148351,36 +149418,36 @@ rule MALPEDIA_Win_Mangzamel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb9c7043-77a1-5f0e-9ec6-79bacd6f6a15" - date = "2026-01-05" - modified = "2026-01-06" + id = "19e0bc3a-f233-51b7-8164-8d0d0d454d70" + date = "2026-05-04" + modified = "2026-05-18" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel" - source_url = "https://github.com/malpedia/signator-rules//blob/173f2e2012643b57ff6521a58ba6dd57331de3c6/rules/win.mangzamel_auto.yar#L1-L130" + source_url = "https://github.com/malpedia/signator-rules//blob/c901f97b7df03e41917da74c2a84b04c227316c2/rules/win.mangzamel_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "1febff50405236297e35d0651b3a25a3fa9330c560b764c64ec02cac2724b444" + logic_hash = "d610bb40ce56694906b30cc6804ff5313f734f6fb3860c9165b518dde4a56c8b" score = 75 quality = 75 tags = "FILE" version = "1" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" - malpedia_rule_date = "20260105" - malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79" - malpedia_version = "20251219" + malpedia_rule_date = "20260422" + malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" + malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: - $sequence_0 = { 8bce e8???????? 8b45dc 33ff 85c0 } - $sequence_1 = { e8???????? 8d8564ffffff c745e40d011133 50 e8???????? 83c428 40 } - $sequence_2 = { 57 8d4dec c645fc02 e8???????? 85c0 0f8e95000000 57 } - $sequence_3 = { 7412 ff7508 8d4e08 50 e8???????? 8b450c 894624 } - $sequence_4 = { 6aff 57 68???????? 8d4de4 e8???????? 8bce e8???????? } - $sequence_5 = { e8???????? 8d45ec 68???????? 50 e8???????? 83c41c 8d45ec } - $sequence_6 = { e8???????? 57 e8???????? 
59 55 8d4b20 } - $sequence_7 = { 8bc8 c1e910 c1e818 880a 33ff 897514 8b4d14 } - $sequence_8 = { 8b06 8365fc00 8bce b301 ff5010 3d04000102 } - $sequence_9 = { eb34 68???????? 57 ffd6 59 85c0 59 } + $sequence_0 = { 85f6 7419 8d4e10 e8???????? 8d8e24010000 c645fc01 e8???????? } + $sequence_1 = { ff7508 e8???????? eb12 8b5510 899188000000 8b5514 } + $sequence_2 = { c3 55 8bec 51 51 8b510c 8365f800 } + $sequence_3 = { 8bce ff5020 33c0 50 50 50 } + $sequence_4 = { 84c0 7406 46 3b75f8 72f1 } + $sequence_5 = { 8b4483fc ff36 8078012d 751b ff33 a1???????? 83c040 } + $sequence_6 = { 5b c9 c21000 55 8bec 51 8065ff00 } + $sequence_7 = { ff7510 8d443011 ff760d ff7609 50 e8???????? } + $sequence_8 = { 8bce ff5038 eb09 53 57 8bce e8???????? } + $sequence_9 = { 8b5de0 6a19 8d45ac 57 50 e8???????? 83c40c } condition: 7 of them and filesize < 360448 @@ -148389,7 +149456,7 @@ rule MALPEDIA_Win_Mangzamel_Auto : FILE * YARA Rule Set * Repository Name: Trellix ARC * Repository: https://github.com/advanced-threat-research/Yara-Rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 1919562a59f190bda60c982424f6a24c542ee3e0 * Number of Rules: 164 * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance) @@ -152120,7 +153187,7 @@ rule TRELLIX_ARC_Anatova_Ransomware : RANSOMWARE FILE hash = "97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93" logic_hash = "4fce15ad0ef2d3cb39f6092677f117308f847815cb2a5a491290a1f9d09776df" score = 75 - quality = 70 + quality = 45 tags = "RANSOMWARE, FILE" rule_version = "v1" malware_type = "ransomware" @@ -154313,7 +155380,7 @@ rule TRELLIX_ARC_Ransom_Tunderx : RANSOMWARE FILE * YARA Rule Set * Repository Name: Arkbird SOLG * Repository: https://github.com/StrangerealIntel/DailyIOC - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: a873ff1298c43705e9c67286f3014f4300dd04f7 * Number of Rules: 215 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance) 
@@ -161422,7 +162489,7 @@ rule ARKBIRD_SOLG_Loa_JS_Gootkit_Nov_2020_1 : FILE * YARA Rule Set * Repository Name: Telekom Security * Repository: https://github.com/telekom-security/malware_analysis/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 755efb66586f53fea34926f78a8d2054a8e8e74b * Number of Rules: 12 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) @@ -161790,7 +162857,7 @@ rule TELEKOM_SECURITY_Vatet_Loader_Rufus_Backdoor : DEFRAY777 * YARA Rule Set * Repository Name: Volexity * Repository: https://github.com/volexity/threat-intel - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 92353b1ccc638f5ed0e7db43a26cb40fad7f03df * Number of Rules: 86 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -162025,7 +163092,7 @@ rule VOLEXITY_Webshell_Jsp_Godzilla : FILE MEMORY license_url = "https://github.com/volexity/threat-intel/blob/92353b1ccc638f5ed0e7db43a26cb40fad7f03df/LICENSE.txt" logic_hash = "52cba9545f662da18ca6e07340d7a9be637b89e7ed702dd58cac545c702a00e3" score = 75 - quality = 55 + quality = 80 tags = "FILE, MEMORY" hash1 = "2786d2dc738529a34ecde10ffeda69b7f40762bf13e7771451f13a24ab7fc5fe" os = "win,linux" @@ -164973,7 +166040,7 @@ rule VOLEXITY_Apt_Malware_Win_Rokload : INKYPINE FILE * YARA Rule Set * Repository Name: JPCERTCC * Repository: https://github.com/JPCERTCC/MalConfScan/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 19ec0d145535a6a4cfd37c0960114f455a8c343e * Number of Rules: 30 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -165817,7 +166884,7 @@ rule JPCERTCC_Elf_Wellmess : FILE * YARA Rule Set * Repository Name: SecuInfra * Repository: https://github.com/SIFalcon/Detection - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd * Number of Rules: 45 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance) 
@@ -166261,7 +167328,7 @@ rule SECUINFRA_MALWARE_Emotet_Onenote_Delivery_Wsf_Mar23 license_url = "N/A" logic_hash = "ca48f5e694b18e3f0b89b0128817848a7d36f60d8a3ada522739849bf3f7126b" score = 75 - quality = 70 + quality = 45 tags = "" tlp = "CLEAR" hash0 = "dd9fcdcaf5c26fc27863c86aa65948924f23ab9faa261562cbc9d65ac80d33d4" @@ -167110,7 +168177,7 @@ rule SECUINFRA_DROPPER_Vjw0Rm_Stage_1 : JAVASCRIPT DROPPER VJW0RM FILE * YARA Rule Set * Repository Name: RussianPanda * Repository: https://github.com/RussianPanda95/Yara-Rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: cd712dfbd20050a57e868656a39771b79120595c * Number of Rules: 106 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -168598,7 +169665,7 @@ rule RUSSIANPANDA_Smartapesg_JS_Dropper_Stage1 : FILE hash = "8769d9ebcf14b24a657532cd96f9520f54aa0e799399d840285311dfebe3fb15" logic_hash = "de7e4ec30c780699b46de7baf2a916fdb7331da2ee7c2d637422ea664cd03b82" score = 75 - quality = 85 + quality = 60 tags = "FILE" strings: @@ -169874,7 +170941,7 @@ rule RUSSIANPANDA_Mal_Botnetfenix_Payload : FILE * YARA Rule Set * Repository Name: CadoSecurity * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 8 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -170123,7 +171190,7 @@ rule CADOSECURITY_Whispergate_Stage_2 : FILE * YARA Rule Set * Repository Name: Check Point * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 4 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -170337,7 +171404,7 @@ rule CHECK_POINT_Injector_ZZ_Dotrunpex : FILE * YARA Rule Set * Repository Name: BlackBerry * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 22 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -170625,7 +171692,7 @@ rule BLACKBERRY_Mal_Infostealer_MSI_Jupyter_Embedded_Powershell : FILE license_url = "N/A" logic_hash = "7528342e5aea1c35b59a458695c0e363c6d6c6e1c2df38614ff185c74085ac89" score = 75 - quality = 85 + quality = 60 tags = "FILE" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" @@ -170822,7 +171889,7 @@ rule BLACKBERRY_Mal_Infostealer_MSI_EXE_Jupyter_Certificate : FILE license_url = "N/A" logic_hash = "5524f227e4c0090b923d7966223806dd384458178083b752ebd9e0981b3fba52" score = 75 - quality = 58 + quality = 33 tags = "FILE" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" @@ -171021,7 +172088,7 @@ rule BLACKBERRY_Mal_Win32_Onyx_Strain_Chaos_Ransomware_2022 : FILE * YARA Rule Set * Repository Name: Cluster25 * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 9 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -171319,7 +172386,7 @@ rule CLUSTER25_UNC1222_Hermeticwiper_23433_10002 : FILE * YARA Rule Set * Repository Name: Dragon Threat Labs * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 7 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -171510,7 +172577,7 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win_Swisyn : MEMORY FILE * YARA Rule Set * Repository Name: Microsoft * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 21 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -172063,7 +173130,7 @@ rule MICROSOFT_Trojan_Win32_Plakpeer : PLATINUM hash = "2155c20483528377b5e3fde004bb604198463d29" logic_hash = "cc34ce9f12c95133872783090efd5813d3e2f44a1c726d29b2ba834509c9a1d5" score = 75 - quality = 80 + quality = 55 tags = "PLATINUM" unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2" activity_group = "Platinum" @@ -172113,7 +173180,7 @@ rule MICROSOFT_Devilstongue_Hijackdll : FILE * YARA Rule Set * Repository Name: NCSC * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 17 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -172583,7 +173650,7 @@ rule NCSC_Sparrowdoor_Sleep_Routine * YARA Rule Set * Repository Name: Dr4k0nia * Repository: https://github.com/dr4k0nia/yara-rules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8 * Number of Rules: 5 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -172761,7 +173828,7 @@ rule DR4K0NIA_Msil_Susp_Obf_Antidump : FILE * YARA Rule Set * Repository Name: EmbeeResearch * Repository: https://github.com/embee-research/Yara-detection-rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4 * Number of Rules: 39 * Skipped: 0 (age), 8 (quality), 0 (score), 0 (importance) @@ -173842,7 +174909,7 @@ rule EMBEERESEARCH_Win_Icedid_Encryption_Oct_2022 : FILE * YARA Rule Set * Repository Name: AvastTI * Repository: https://github.com/avast/ioc - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: e7835efe946f0c9468c3118ee75ff1865c851826 * Number of Rules: 33 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -174705,7 +175772,7 @@ rule AVASTTI_Manjusaka_Payload_Mz * YARA Rule Set * Repository Name: SBousseaden * Repository: https://github.com/sbousseaden/YaraHunts/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 71b27a2a7c57c2aa1877a11d8933167794e2b4fb * Number of Rules: 37 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) @@ -175811,7 +176878,7 @@ rule SBOUSSEADEN_Dcsync_Mimikatz : FILE * YARA Rule Set * Repository Name: Elceef * Repository: https://github.com/elceef/yara-rulz - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 5683b294a12cf0c875b624933586029ae43a852f * Number of Rules: 20 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -175933,7 +177000,7 @@ rule ELCEEF_Obfuscated_IP_Address_In_URL license_url = "https://github.com/elceef/yara-rulz/blob/5683b294a12cf0c875b624933586029ae43a852f/LICENSE" logic_hash = "ab2a2a3a56e6eed9f4a3a8f994c89a167f00b86ce442820c81d8ee673b0ab85c" score = 75 - quality = 65 + quality = 40 tags = "" strings: 
@@ -176398,7 +177465,7 @@ rule ELCEEF_HTA_Wscriptshell_Onenote : FILE * YARA Rule Set * Repository Name: GodModeRules * Repository: https://github.com/Neo23x0/god-mode-rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 436dc682164cf17a123d6b09d1424e7e2acf0c25 * Number of Rules: 1 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -176669,7 +177736,7 @@ rule GODMODERULES_IDDQD_God_Mode_Rule * YARA Rule Set * Repository Name: Cod3nym * Repository: https://github.com/cod3nym/detection-rules/ - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 86a04c4594cb48895192aad4af164f21f568c136 * Number of Rules: 13 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -177126,7 +178193,7 @@ rule COD3NYM_MAL_NET_Limecrypter_Runpe_Jan24 : FILE * YARA Rule Set * Repository Name: craiu * Repository: https://github.com/craiu/yararules - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: 23cf0ca22021fa3684e180a18416b9ae1b695243 * Number of Rules: 13 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -178291,10 +179358,10 @@ rule CRAIU_Apt_ZZ_Orangeworm_Kwampirs_Shamoon : FILE * YARA Rule Set * Repository Name: DitekSHen * Repository: https://github.com/ditekshen/detection - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: e76c93dcdedff04076380ffc60ea54e45b313635 - * Number of Rules: 1442 - * Skipped: 0 (age), 111 (quality), 0 (score), 0 (importance) + * Number of Rules: 1441 + * Skipped: 0 (age), 112 (quality), 0 (score), 0 (importance) * * * LICENSE @@ -178518,7 +179585,7 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Mimikatz : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "42c9c78c88bb7c427d5f0bf1d3b0113205780142b499eb17858037ded0f2971e" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: 
@@ -178646,7 +179713,7 @@ rule DITEKSHEN_INDICATOR_TOOL_Avbypass_Aviator : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "1fb497eec2b0cd4051b5ddd53463f1da511c0a7b72d54a0bc68736a99fdc6143" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -178825,7 +179892,7 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Eternalblue : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "63e56637118accb8c32c20e52465c027df2dbf83b3b663d316b453ce879572c8" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -179866,7 +180933,7 @@ rule DITEKSHEN_INDICATOR_TOOL_ANT_Sharpedrchecker : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "77a26ff5298dddebc669d9b6c39905a48a86884cf98adebdf935b94c62d36ddc" score = 75 - quality = 48 + quality = 23 tags = "FILE" strings: @@ -179911,7 +180978,7 @@ rule DITEKSHEN_INDICATOR_TOOL_ANT_Invizzzible : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "bd84015f9fdc160a6ed9010c5a5905fcf13987b1fdec6fdd9535e315dc3617e8" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -180267,7 +181334,7 @@ rule DITEKSHEN_INDICATOR_TOOL_ENUM_Sharpshares : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "8b35d6a692814e1b27ffc1db4ab124bf621c156aaf57f24796c422ec95a85715" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: 
@@ -180436,7 +181503,7 @@ rule DITEKSHEN_INDICATOR_TOOL_Extpassword : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "525530cb7e9f44be0408fd710306f90056b1b6b9a9e4779d8c1eb1ddef443fb0" score = 75 - quality = 50 + quality = 25 tags = "FILE" strings: @@ -197201,7 +198268,7 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Finger_Download_Pattern license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "04cbb1abc4c3d2990bae798ece052eb8aa1b5104b5712e98aeb80731316b9c57" score = 40 - quality = 45 + quality = 20 tags = "" importance = 20 @@ -199407,7 +200474,7 @@ rule DITEKSHEN_MALWARE_Win_Robbinhood : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "f1c4226ed5cb1583418d5ef0efc2c2b5bc3cfe7f148f359c5d432fd660331a46" score = 75 - quality = 75 + quality = 50 tags = "FILE" clamav_sig = "MALWARE.Win.Ransomware.Robbinhood" @@ -199985,7 +201052,7 @@ rule DITEKSHEN_MALWARE_DOC_Koadicdoc : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "9f0538e1faee737a08d403a7f321ce45bdc70b390accfe378ba0d26292509fd7" score = 75 - quality = 50 + quality = 25 tags = "FILE" strings: @@ -200866,7 +201933,7 @@ rule DITEKSHEN_MALWARE_Win_Cryptbot : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "6322b8b1ad210fac4475c194e060046538d4174f69a7c0e3618646d262cd33bd" score = 75 - quality = 69 + quality = 44 tags = "FILE" snort2_sid = "920110" snort3_sid = "920108" 
@@ -201287,7 +202354,7 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginransomhansom : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "b22f6d22630f311241634513eb051df2b36af84a938c1ae1f5284e5a5d7d3077" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -203006,7 +204073,7 @@ rule DITEKSHEN_MALWARE_Win_STOP : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "61f7e7c1139c56088b2f58b78ae132ffcfef0f931c15b67ea775b0d5e51d189d" score = 75 - quality = 73 + quality = 48 tags = "FILE" snort2_sid = "920113" snort3_sid = "920111" @@ -205043,7 +206110,7 @@ rule DITEKSHEN_MALWARE_Win_EXEPWSH_Dlagent : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "6380359db1ac775cea3ebb93f7cf22a92d2f2e634c6aa724e2814c10d4ed42f5" score = 60 - quality = 55 + quality = 30 tags = "FILE" strings: @@ -205544,7 +206611,7 @@ rule DITEKSHEN_MALWARE_Win_Dlagent08 : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "0238c13b00e5778ef216b4e8576c321803da6e269c96c3051b9cc45a3ac6e567" score = 75 - quality = 75 + quality = 50 tags = "FILE" snort2_sid = "920122" snort3_sid = "920119" @@ -206081,7 +207148,7 @@ rule DITEKSHEN_MALWARE_Win_Karkoff : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "e9b6ba5be2b3cd0faa898347e57cee5a57b80b19842c3a1ddb42d620307c8b39" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: 
@@ -206873,7 +207940,7 @@ rule DITEKSHEN_MALWARE_Win_Buterat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c3d93e8dc1bde8e77c11586c8d8b67d137ef2c4791e12269f1af310fbe14832b" score = 75 - quality = 48 + quality = 73 tags = "FILE" strings: @@ -207487,7 +208554,7 @@ rule DITEKSHEN_MALWARE_Win_Gelsevirine : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "60d41d6d789f1cd2a7040d6535f13c69ea58a489035838f047b886e8f1f37f63" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -207768,7 +208835,7 @@ rule DITEKSHEN_MALWARE_Win_Xfiles : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "0c04a8f019aea36f4bba3ce8289c2d608c69d76bbf321052560b4ca2214be057" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -208497,7 +209564,7 @@ rule DITEKSHEN_MALWARE_Win_Actionrat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "1552cda3f02c08582e3dd97df98416635a25005081627097df181bfc6aac4665" score = 75 - quality = 71 + quality = 46 tags = "FILE" strings: @@ -209726,7 +210793,7 @@ rule DITEKSHEN_MALWARE_Win_Darkcomet : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "444df3c914c47500018614af10036864b459e7873daf079b684352dbe52f0486" score = 75 - quality = 50 + quality = 25 tags = "FILE" strings: @@ -211559,7 +212626,7 @@ rule DITEKSHEN_MALWARE_Win_Flagpro : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c5e5944426b7be690ad62dd0d98a8fc6f8135cab0dbdd8a5aaf1670491eda59d" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: 
@@ -211947,38 +213014,6 @@ rule DITEKSHEN_MALWARE_Win_Blackcat : FILE condition: ( uint16( 0 ) == 0x5a4d or uint16( 0 ) == 0x457f ) and ( all of ( $x* ) or 5 of ( $s* ) or ( 1 of ( $x* ) and 3 of ( $s* ) ) ) } -rule DITEKSHEN_MALWARE_Win_Koxic : FILE -{ - meta: - description = "Detects Koxic ransomware" - author = "ditekSHen" - id = "6a82bf44-b155-5746-b798-20a13623a14a" - date = "2020-11-06" - modified = "2024-11-01" - reference = "https://github.com/ditekshen/detection" - source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9291-L9309" - license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "d874c8ebf330814e52d159cbf71f8bc05ebeb4a9fb93d96c3f861b51e57925a3" - score = 75 - quality = 25 - tags = "FILE" - - strings: - $c1 = " INFO: >> %TEMP%\\" ascii wide - $c2 = "cmd /c \"wmic" ascii wide - $c3 = "cmd /c \"echo" ascii wide - $c4 = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"" fullword wide - $c5 = /sc config.{1,30}start=disabled/ fullword ascii wide - $s1 = "Container: %s" fullword wide - $s2 = "Shotcut dir : %s" fullword wide - $s3 = "\\Microsoft\\Windows\\Network Shortcuts\\" fullword wide - $s4 = "Thread %d started." fullword ascii - $s5 = "ADD our TOXID:" wide - $s6 = "[Recommended] Using an email" wide - - condition: - uint16( 0 ) == 0x5a4d and ( ( 4 of ( $s* ) and 1 of ( $c* ) ) or ( 2 of ( $s* ) and ( #c1 > 5 or #c2 > 5 or #c3 > 5 or #c5 > 5 ) ) ) -} rule DITEKSHEN_MALWARE_Win_Timetime : FILE { meta: @@ -212122,7 +213157,7 @@ rule DITEKSHEN_MALWARE_Win_Jesterstealer : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c84df5d3ad2bc7a75a11c07995cc034c2a92b2f6f6f6943288add9c44c57bf6d" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: 
@@ -212419,7 +213454,7 @@ rule DITEKSHEN_MALWARE_Win_Mystic : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "26e0b85141df818d70124c0b19b5b6a05ac24ae679724d7a8ad94415a6462d17" score = 75 - quality = 50 + quality = 75 tags = "FILE" strings: @@ -212534,7 +213569,7 @@ rule DITEKSHEN_MALWARE_Win_Multi_Family_Infostealer : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "0fdd1cdc4f2e5bee6c763e6e6b2e79d85285e44e2b5e3168a56d7d360252ee99" score = 75 - quality = 73 + quality = 48 tags = "FILE" strings: @@ -212829,7 +213864,7 @@ rule DITEKSHEN_MALWARE_Win_Arrowrat : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "13e6d4fd274f75c50aa4110276812d02885c03cfc269dde480db66955e5f703a" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -213409,7 +214444,7 @@ rule DITEKSHEN_MALWARE_Win_Rootteamstealer : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "d1693865253067527d58c980653d550b55d022d5a394b88090a958e5d5818143" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -213439,7 +214474,7 @@ rule DITEKSHEN_MALWARE_Win_Espioloader : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "8ad77a50db48f12e6f6465652b24fc1daa56375bb27e37e0eead1bea55b89e0c" score = 75 - quality = 75 + quality = 50 tags = "FILE" clamav_sig = "MALWARE.Win.EspioLoader" 
@@ -213889,7 +214924,7 @@ rule DITEKSHEN_MALWRE_Win_Darkgate : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "805a04bbb3915d539e76927393384a2786c25490e8b9fc151d5b12415247578b" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -214964,7 +215999,7 @@ rule DITEKSHEN_MALWARE_Win_Blackhunt : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "62e9bc505eff3e19ff0cdaf180e45e6d7917f0bec7cd9b007bee9fe1d9d09b66" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -215233,7 +216268,7 @@ rule DITEKSHEN_MALWARE_Win_Lighthand : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "4f06467a522b786045839e6b22b888cecc554b0f63cc20dc43dc0f8ec80f5654" score = 75 - quality = 75 + quality = 50 tags = "FILE" strings: @@ -216291,7 +217326,7 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagent_Soundcapture : FILE license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" logic_hash = "c0efa9f383373dec1c5b9d127c2b4c6f4906718ae8f62eea28d7a369001be5af" score = 75 - quality = 50 + quality = 75 tags = "FILE" clamav1 = "INDICATOR.Win.RMM.DWAgent-SoundCapture" @@ -218028,7 +219063,7 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Blackhunt * YARA Rule Set * Repository Name: WithSecureLabs * Repository: https://github.com/WithSecureLabs/iocs - * Retrieval Date: 2026-05-17 + * Retrieval Date: 2026-05-24 * Git Commit: c570e84073fe5cd2b00ece7994f790fc03b20fd1 * Number of Rules: 15 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -218519,8 +219554,8 @@ rule WITHSECURELABS_SILKLOADER * YARA Rule Set * Repository Name: HarfangLab * Repository: https://github.com/HarfangLab/iocs - * Retrieval Date: 2026-05-17 - * Git Commit: 62063a5d2f13e52d290cd332c695e084cd828456 + * Retrieval Date: 2026-05-24 + * Git Commit: 3e2b674bf2f591ac46301420671ba553de094dea * Number of Rules: 39 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) * @@ -218536,9 +219571,9 @@ rule HARFANGLAB_Masepie_Campaign_Htmlstarter : FILE author = "HarfangLab" id = "0cca485c-7941-5760-8c24-d993dcbf376d" date = "2024-01-24" - modified = "2026-01-29" + modified = "2026-05-18" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/62063a5d2f13e52d290cd332c695e084cd828456/hl_public_reports_master.yar#L1-L16" + source_url = "https://github.com/HarfangLab/iocs/blob/3e2b674bf2f591ac46301420671ba553de094dea/hl_public_reports_master.yar#L1-L16" license_url = "N/A" hash = "628bc9f4aa71a015ec415d5d7d8cb168359886a231e17ecac2e5664760ee8eba" logic_hash = "d131372c6ad01ae77e5630bae0c0a04ce311718eb1bcf423e6575f3b0ecdba5d" @@ -218561,9 +219596,9 @@ rule HARFANGLAB_Masepie_Campaign_Webdavlnk : FILE author = "HarfangLab" id = "de7fd592-e733-52d0-af9b-55adf37eaf74" date = "2024-01-24" - modified = "2026-01-29" + modified = "2026-05-18" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/62063a5d2f13e52d290cd332c695e084cd828456/hl_public_reports_master.yar#L17-L39" + source_url = "https://github.com/HarfangLab/iocs/blob/3e2b674bf2f591ac46301420671ba553de094dea/hl_public_reports_master.yar#L17-L39" license_url = "N/A" hash = "19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc" logic_hash = "26075e47b54404c55f4ca5eb757efa2b1711d919de0ffbfbdf6935e2e4dd3f3d" 
@@ -218589,9 +219624,9 @@ rule HARFANGLAB_Masepie_Campaign_Masepie : FILE author = "HarfangLab" id = "f0a034fa-38d4-5c54-b865-f830f85e245e" date = "2024-01-24" - modified = "2026-01-29" + modified = "2026-05-18" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/62063a5d2f13e52d290cd332c695e084cd828456/hl_public_reports_master.yar#L40-L60" + source_url = "https://github.com/HarfangLab/iocs/blob/3e2b674bf2f591ac46301420671ba553de094dea/hl_public_reports_master.yar#L40-L60" license_url = "N/A" hash = "18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6" logic_hash = "02da8119267978e63e3ee5ecdefb52285718f8875ec64d320f2752460c05588d" @@ -218621,7 +219656,7 @@ rule HARFANGLAB_Masepie_Campaign_Oceanmap : FILE date = "2024-01-24" modified = "2024-01-31" reference = "TRR240101;https://cert.gov.ua/article/6276894" - source_url = "https://github.com/HarfangLab/iocs/blob/62063a5d2f13e52d290cd332c695e084cd828456/hl_public_reports_master.yar#L61-L95" + source_url = "https://github.com/HarfangLab/iocs/blob/3e2b674bf2f591ac46301420671ba553de094dea/hl_public_reports_master.yar#L61-L95" license_url = "N/A" hash = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04" logic_hash = "5fe244025f49358b4285e1272489378a46363ae915881dece26691d971aa93f3" 
@@ -218652,6 +219687,114 @@ rule HARFANGLAB_Masepie_Campaign_Oceanmap : FILE condition: filesize > 8KB and filesize < 100KB and ( uint16be( 0 ) == 0x4D5A ) and $dotNet and ( 3 of ( $a* ) ) and ( 2 of ( $t* ) ) } +rule HARFANGLAB_Gamaredon_Gammadrop : FILE +{ + meta: + description = "Matches Gamaredon GammaDrop VBScript samples used in late 2025 - mid 2026" + author = "HarfangLab" + id = "cd8c645a-7b8b-5d3f-923a-f73af9a102c5" + date = "2026-05-13" + modified = "2026-05-18" + reference = "TRR260501" + source_url = "https://github.com/HarfangLab/iocs/blob/3e2b674bf2f591ac46301420671ba553de094dea/hl_public_reports_master.yar#L96-L121" + license_url = "N/A" + hash = "62818ae5e305b89b9461536dac1b9daf4cebd99d24e417357e27e2ae4582a704" + logic_hash = "23405d6ec961f7c3d30702fdc414e2ff2f4c856f719e26207b5241def426530a" + score = 75 + quality = 80 + tags = "FILE" + context = "file" + + strings: + $vbs = "On Error Resume Next" ascii + $a1 = "Function " ascii + $a2 = "End Function" ascii + $a3 = ".Run " ascii + $a4 = "= Eval(" ascii + $a5 = "randomize" ascii + $a6 = "CreateObject(" ascii nocase + $a7 = ", false" ascii + $b1 = " + \"" ascii + + condition: + filesize < 600KB and $vbs in ( 0 .. 
80 ) and #vbs >= 4 and #a1 >= 2 and #a2 >= 2 and #a3 >= 1 and 5 of ( $a* ) and #b1 > 150 +} +rule HARFANGLAB_Gamaredon_Gammaload_HTA : FILE +{ + meta: + description = "Matches Gamaredon GammaLoad HTA wrapped VBScript samples used in late 2025 - mid 2026" + author = "HarfangLab" + id = "b585a530-82ad-51f1-a346-757120a23d14" + date = "2026-05-13" + modified = "2026-05-18" + reference = "TRR260501" + source_url = "https://github.com/HarfangLab/iocs/blob/3e2b674bf2f591ac46301420671ba553de094dea/hl_public_reports_master.yar#L122-L151" + license_url = "N/A" + hash = "69cdde1ec82099a471283de89dd5e17266b1d8dda57d3c1589b7754b009fa2ed" + logic_hash = "016250fb11909dabf6f3e5580ecaf9aab16f02f8cfea36841d4d591601a607b0" + score = 75 + quality = 80 + tags = "FILE" + context = "file" + + strings: + $hta = "" ascii + $vbs = "on error resume next" ascii nocase + $a1 = "Function " ascii + $a2 = "End Function" ascii nocase + $a3 = "