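rule win_reedbed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.reedbed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reedbed"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The byte patterns below are x86-64 code (REX prefixes 0x40-0x4f, RIP-relative
     *   lea/mov). The auto-generated per-byte annotations were produced by a 32-bit
     *   decoder and were shifted relative to the bytes (e.g. "48 ..." rendered as
     *   "dec eax", "41 ..." as "inc ecx"). They have been re-derived here in 64-bit
     *   mode; the hex patterns themselves are unchanged.
     * - "????????" wildcards stand for call/jmp rel32 targets and RIP-relative
     *   displacements (signator_config "callsandjumps;datarefs"), so those
     *   sequences survive relinking. $sequence_8..$sequence_13 instead embed fixed
     *   RIP-relative displacements (lea rax, [rip+0x69846] etc.) and are therefore
     *   tied to one build's layout; expect them to drop out on recompiled samples.
     *   The "7 of them" threshold (14 strings total) leaves margin for that.
     * - "score" in the per-string comments is yara-signator's internal ranking of
     *   the sequence, not a YARA construct; it does not influence matching.
     * - The condition requires filesize < 3760128 (~3.6 MiB). filesize is undefined
     *   when scanning process memory, so this rule is expected to fire on file /
     *   dump scans only - confirm against your deployment (memory vs. disk).
     */

    strings:
        $sequence_0 = { 33c9 e8???????? 488b0d???????? 488981c2140000 }
            // n = 4, score = 300
            //   33c9                 | xor     ecx, ecx
            //   e8????????           | call    rel32
            //   488b0d????????       | mov     rcx, qword ptr [rip+disp32]
            //   488981c2140000       | mov     qword ptr [rcx+0x14c2], rax

        $sequence_1 = { 33c9 ff15???????? 85c0 751e }
            // n = 4, score = 300
            //   33c9                 | xor     ecx, ecx
            //   ff15????????         | call    qword ptr [rip+disp32]   (IAT call)
            //   85c0                 | test    eax, eax
            //   751e                 | jne     +0x1e

        $sequence_2 = { 453b03 7519 41833b40 7313 }
            // n = 4, score = 200
            //   453b03               | cmp     r8d, dword ptr [r11]
            //   7519                 | jne     +0x19
            //   41833b40             | cmp     dword ptr [r11], 0x40
            //   7313                 | jae     +0x13

        $sequence_3 = { 4181ba9814000000000200 7347 4533c0 443b06 7316 418b490e }
            // n = 6, score = 200
            //   4181ba9814000000000200     | cmp  dword ptr [r10+0x1498], 0x20000
            //   7347                 | jae     +0x47
            //   4533c0               | xor     r8d, r8d
            //   443b06               | cmp     r8d, dword ptr [rsi]
            //   7316                 | jae     +0x16
            //   418b490e             | mov     ecx, dword ptr [r9+0xe]

        $sequence_4 = { 4885c0 75e9 8d4f01 4803c9 e8???????? 488bf8 }
            // n = 6, score = 200
            //   4885c0               | test    rax, rax
            //   75e9                 | jne     -0x17                    (backward, loop)
            //   8d4f01               | lea     ecx, [rdi+1]
            //   4803c9               | add     rcx, rcx
            //   e8????????           | call    rel32
            //   488bf8               | mov     rdi, rax

        $sequence_5 = { 40f6c520 7412 418a01 4181482104020000 }
            // n = 4, score = 200
            //   40f6c520             | test    bpl, 0x20
            //   7412                 | je      +0x12
            //   418a01               | mov     al, byte ptr [r9]
            //   4181482104020000     | or      dword ptr [r8+0x21], 0x204

        $sequence_6 = { eb55 8b9d90020000 4c8d8d90020000 895e26 4533c0 66897e2a }
            // n = 6, score = 200
            //   eb55                 | jmp     +0x55
            //   8b9d90020000         | mov     ebx, dword ptr [rbp+0x290]
            //   4c8d8d90020000       | lea     r9, [rbp+0x290]
            //   895e26               | mov     dword ptr [rsi+0x26], ebx
            //   4533c0               | xor     r8d, r8d
            //   66897e2a             | mov     word ptr [rsi+0x2a], di

        $sequence_7 = { 4885c0 7425 c60000 488d742440 eb13 }
            // n = 5, score = 200
            //   4885c0               | test    rax, rax
            //   7425                 | je      +0x25
            //   c60000               | mov     byte ptr [rax], 0
            //   488d742440           | lea     rsi, [rsp+0x40]
            //   eb13                 | jmp     +0x13

        $sequence_8 = { 8944244c 48c744243800000000 c744243051010000 488d0546980600 4889442428 }
            // n = 5, score = 100
            //   8944244c             | mov     dword ptr [rsp+0x4c], eax
            //   48c744243800000000     | mov   qword ptr [rsp+0x38], 0
            //   c744243051010000     | mov     dword ptr [rsp+0x30], 0x151
            //   488d0546980600       | lea     rax, [rip+0x69846]        (build-specific)
            //   4889442428           | mov     qword ptr [rsp+0x28], rax

        $sequence_9 = { 89442450 817c245000ca9a3b 723a 488d0514070600 }
            // n = 4, score = 100
            //   89442450             | mov     dword ptr [rsp+0x50], eax
            //   817c245000ca9a3b     | cmp     dword ptr [rsp+0x50], 0x3b9aca00   (1,000,000,000)
            //   723a                 | jb      +0x3a
            //   488d0514070600       | lea     rax, [rip+0x60714]        (build-specific)

        $sequence_10 = { 89442450 837c245000 753a 488d053d0e0500 }
            // n = 4, score = 100
            //   89442450             | mov     dword ptr [rsp+0x50], eax
            //   837c245000           | cmp     dword ptr [rsp+0x50], 0
            //   753a                 | jne     +0x3a
            //   488d053d0e0500       | lea     rax, [rip+0x50e3d]        (build-specific)

        $sequence_11 = { 89442450 488b442428 0fb700 488d0d10da0500 }
            // n = 4, score = 100
            //   89442450             | mov     dword ptr [rsp+0x50], eax
            //   488b442428           | mov     rax, qword ptr [rsp+0x28]
            //   0fb700               | movzx   eax, word ptr [rax]
            //   488d0d10da0500       | lea     rcx, [rip+0x5da10]        (build-specific)

        $sequence_12 = { 8944244c 837c244c00 753a 488d0504c00500 }
            // n = 4, score = 100
            //   8944244c             | mov     dword ptr [rsp+0x4c], eax
            //   837c244c00           | cmp     dword ptr [rsp+0x4c], 0
            //   753a                 | jne     +0x3a
            //   488d0504c00500       | lea     rax, [rip+0x5c004]        (build-specific)

        $sequence_13 = { 8944244c 837c244c0f 0f875e010000 8b44244c 488d0d1ba4eaff }
            // n = 5, score = 100
            //   8944244c             | mov     dword ptr [rsp+0x4c], eax
            //   837c244c0f           | cmp     dword ptr [rsp+0x4c], 0xf
            //   0f875e010000         | ja      +0x15e                   (rel32, unsigned compare)
            //   8b44244c             | mov     eax, dword ptr [rsp+0x4c]
            //   488d0d1ba4eaff       | lea     rcx, [rip-0x155be5]       (build-specific)

    condition:
        // 14 strings defined; at least half must match, and the filesize cap
        // excludes large containers/installers (and, as noted above, memory scans).
        7 of them and filesize < 3760128
}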