{"group":"royal","count":1,"rules":[{"rule_name":"royal.yar","rule_text":"rule win_royal_ransom_auto {\n\n    meta:\n        author = \"Felix Bilstein - yara-signator at cocacoding dot com\"\n        date = \"2023-07-11\"\n        version = \"1\"\n        description = \"Detects win.royal_ransom.\"\n        info = \"autogenerated rule brought to you by yara-signator\"\n        tool = \"yara-signator v0.6.0\"\n        signator_config = \"callsandjumps;datarefs;binvalue\"\n        malpedia_reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom\"\n        malpedia_rule_date = \"20230705\"\n        malpedia_hash = \"42d0574f4405bd7d2b154d321d345acb18834a41\"\n        malpedia_version = \"20230715\"\n        malpedia_license = \"CC BY-SA 4.0\"\n        malpedia_sharing = \"TLP:WHITE\"\n\n    /* DISCLAIMER\n     * The strings used in this rule have been automatically selected from the\n     * disassembly of memory dumps and unpacked files, using YARA-Signator.\n     * The code and documentation is published here:\n     * https://github.com/fxb-cocacoding/yara-signator\n     * As Malpedia is used as data source, please note that for a given\n     * number of families, only single samples are documented.\n     * This likely impacts the degree of generalization these rules will offer.\n     * Take the described generation method also into consideration when you\n     * apply the rules in your use cases and assign them confidence levels.\n     */\n\n\n    strings:\n        $sequence_0 = { e8???????? 834f5404 488d05f53ee4ff 488b5c2430 488987b0020000 b801000000 4883c420 }\n            // n = 7, score = 100\n            //   e8????????           |                     \n            //   834f5404             | mov                 eax, 0x1e6\n            //   488d05f53ee4ff       | dec                 eax\n            //   488b5c2430           | mov                 ecx, dword ptr [ebx + 0x38]\n            //   488987b0020000       | inc                 ecx\n            //   b801000000           | mov                 eax, 0x1e6\n            //   4883c420             | dec                 eax\n\n        $sequence_1 = { b820000000 e8???????? 482be0 488bda 488bf1 488bcb 488d15e89a1100 }\n            // n = 7, score = 100\n            //   b820000000           | dec                 eax\n            //   e8????????           |                     \n            //   482be0               | lea                 ecx, [0x13be42]\n            //   488bda               | jmp                 0x1c59\n            //   488bf1               | dec                 esp\n            //   488bcb               | lea                 eax, [0x162c77]\n            //   488d15e89a1100       | mov                 edx, 0x28f\n\n        $sequence_2 = { e8???????? 4c8d05dea70d00 ba2f010000 488d0df2a70d00 e8???????? 4533c0 baae000000 }\n            // n = 7, score = 100\n            //   e8????????           |                     \n            //   4c8d05dea70d00       | dec                 eax\n            //   ba2f010000           | lea                 edx, [0x15ce09]\n            //   488d0df2a70d00       | dec                 eax\n            //   e8????????           |                     \n            //   4533c0               | mov                 ecx, ebx\n            //   baae000000           | dec                 eax\n\n        $sequence_3 = { e8???????? 482be0 85d2 488d050ffe1600 488d3d14fe1600 418bd0 480f45f8 }\n            // n = 7, score = 100\n            //   e8????????           |                     \n            //   482be0               | test                eax, eax\n            //   85d2                 | jne                 0x65d\n            //   488d050ffe1600       | dec                 esp\n            //   488d3d14fe1600       | lea                 eax, [0xe6472]\n            //   418bd0               | mov                 edx, 0x416\n            //   480f45f8             | dec                 eax\n\n        $sequence_4 = { e8???????? 488bc8 4885c0 752f 41b920000000 488d0575010000 488d154e061400 }\n            // n = 7, score = 100\n            //   e8????????           |                     \n            //   488bc8               | inc                 ebp\n            //   4885c0               | test                edi, edi\n            //   752f                 | inc                 ecx\n            //   41b920000000         | cmp                 esi, 0x40\n            //   488d0575010000       | je                  0x1d95\n            //   488d154e061400       | dec                 eax\n\n        $sequence_5 = { 8bcf e9???????? 4c8b45e0 4533c9 488b55e8 e8???????? 488bf0 }\n            // n = 7, score = 100\n            //   8bcf                 | lea                 eax, [eax - 2]\n            //   e9????????           |                     \n            //   4c8b45e0             | cmp                 eax, 6\n            //   4533c9               | ja                  0x1cf1\n            //   488b55e8             | mov                 eax, 0xf\n            //   e8????????           |                     \n            //   488bf0               | inc                 ecx\n\n        $sequence_6 = { 448bf5 4d85ff 0f8502010000 e8???????? 4c8d05e0461400 ba27010000 488d0d84461400 }\n            // n = 7, score = 100\n            //   448bf5               | je                  0x1bb4\n            //   4d85ff               | dec                 eax\n            //   0f8502010000         | mov                 edx, dword ptr [edi + 0xd0]\n            //   e8????????           |                     \n            //   4c8d05e0461400       | dec                 eax\n            //   ba27010000           | lea                 edx, [0x12bb3e]\n            //   488d0d84461400       | dec                 eax\n\n        $sequence_7 = { 85c0 0f8531030000 4c396368 7527 e8???????? 4c8d05e11e1500 badc000000 }\n            // n = 7, score = 100\n            //   85c0                 | dec                 eax\n            //   0f8531030000         | lea                 ecx, [0xe94c8]\n            //   4c396368             | mov                 eax, dword ptr [esp + 0x34]\n            //   7527                 | dec                 esp\n            //   e8????????           |                     \n            //   4c8d05e11e1500       | lea                 eax, [0xfa1bc]\n            //   badc000000           | mov                 edx, 0xae\n\n        $sequence_8 = { 7534 4181e700000f00 74b6 4181ff00000100 0f8537ffffff 4c8d0da7e20a00 458bc4 }\n            // n = 7, score = 100\n            //   7534                 | test                eax, eax\n            //   4181e700000f00       | jne                 0x64a\n            //   74b6                 | dec                 esp\n            //   4181ff00000100       | lea                 eax, [0xfea1a]\n            //   0f8537ffffff         | dec                 eax\n            //   4c8d0da7e20a00       | mov                 ebp, eax\n            //   458bc4               | dec                 eax\n\n        $sequence_9 = { e8???????? 4c8d053fd91300 bab7000000 488d0dfbd81300 e8???????? ba8c000000 4533c0 }\n            // n = 7, score = 100\n            //   e8????????           |                     \n            //   4c8d053fd91300       | arpl                bx, dx\n            //   bab7000000           | shr                 ebx, 0x1f\n            //   488d0dfbd81300       | inc                 ecx\n            //   e8????????           |                     \n            //   ba8c000000           | mov                 eax, 0x113\n            //   4533c0               | dec                 eax\n\n    condition:\n        7 of them and filesize < 6235136\n}","sha256":"5cdb8283dba3dc76cd8aa19b3b909676af45affe5b97ece956e443071af4ce69","byte_size":7497,"updated_at":"2026-06-24 05:16:05"}]}