/*
 * Malpedia / YARA-Signator detection rule for the win.darkbit family.
 *
 * Matching logic (see `condition:` at the bottom): any 7 of the 10
 * $sequence_* byte patterns must be present and the scanned object must be
 * smaller than 11612160 bytes (~11 MiB). The patterns are x64 code
 * fragments; the `????????` wildcards mask the 4-byte relative displacements
 * of call (e8) / jmp (e9) instructions, so a sequence is not tied to one
 * link address or build.
 *
 * Per the generator's disclaimer below, the sequences were selected from
 * memory dumps and unpacked files, so packed samples on disk may not match
 * until unpacked.
 */
rule win_darkbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.darkbit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The mnemonic column in the per-sequence comments below does not line up
     * with the hex column it is printed next to: e.g. `eb1c` (a short jmp) is
     * annotated as `dec eax`, and most `48`-prefixed instructions are also
     * shown as `dec eax`, which looks like a 32-bit decode of the x64 REX.W
     * prefix. Treat the hex bytes as authoritative and the mnemonics as
     * generator output only; re-disassemble in 64-bit mode before using them
     * for triage or when tuning the rule.
     */

    strings:
        $sequence_0 = { eb1c 4889c7 488b8c24f8250000 e8???????? 488d3d1b882200 e8???????? e8???????? }
            // n = 7, score = 100
            //   eb1c                 | dec                 eax
            //   4889c7               | mov                 ecx, dword ptr [esp + 0x38]
            //   488b8c24f8250000     | nop                 
            //   e8????????           |                     
            //   488d3d1b882200       | test                bl, bl
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_1 = { e8???????? 488d3d4bb92200 e8???????? e8???????? 4889842488280000 48899c24580c0000 488b0d???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d3d4bb92200       | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   4889842488280000     | mov                 ebx, dword ptr [esp + 0x38]
            //   48899c24580c0000     | nop                 dword ptr [eax + eax]
            //   488b0d????????       |                     

        $sequence_2 = { ffd0 488b8c24f8000000 488b9c2410010000 488bbc2400010000 488b842408010000 488bac2420010000 4881c428010000 }
            // n = 7, score = 100
            //   ffd0                 | mov                 edi, ebx
            //   488b8c24f8000000     | dec                 eax
            //   488b9c2410010000     | lea                 eax, [0x2cbaa9]
            //   488bbc2400010000     | dec                 eax
            //   488b842408010000     | mov                 ebx, dword ptr [esp + 0x40]
            //   488bac2420010000     | nop                 dword ptr [eax]
            //   4881c428010000       | dec                 eax

        $sequence_3 = { e8???????? 4889842478070000 4889d9 488b9c2490000000 31c0 e8???????? 48898424f80a0000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4889842478070000     | mov                 ecx, 0x1a
            //   4889d9               | xor                 edx, edx
            //   488b9c2490000000     | xor                 ebx, ebx
            //   31c0                 | xor                 esi, esi
            //   e8????????           |                     
            //   48898424f80a0000     | xor                 edi, edi

        $sequence_4 = { c6041fc8 b903000000 e9???????? 4983f805 7545 4c8d4301 4c39c6 }
            // n = 7, score = 100
            //   c6041fc8             | dec                 eax
            //   b903000000           | cmp                 edx, 4
            //   e9????????           |                     
            //   4983f805             | jae                 0x2377
            //   7545                 | mov                 edi, esi
            //   4c8d4301             | xor                 esi, edx
            //   4c39c6               | lea                 esi, [eax + esi]

        $sequence_5 = { 4983f802 729b e9???????? 48894c2470 4889442460 48895c2468 488d442430 }
            // n = 7, score = 100
            //   4983f802             | and                 al, 0x1a
            //   729b                 | dec                 ecx
            //   e9????????           |                     
            //   48894c2470           | cmp                 esp, dword ptr [esi + 0x10]
            //   4889442460           | jbe                 0x1a7
            //   48895c2468           | dec                 eax
            //   488d442430           | sub                 esp, 0x38

        $sequence_6 = { eb7d 488d5104 4889542468 488d05453c1700 4889cb 4889d1 e8???????? }
            // n = 7, score = 100
            //   eb7d                 | dec                 eax
            //   488d5104             | mov                 dword ptr [esp + 0x4b0], eax
            //   4889542468           | dec                 eax
            //   488d05453c1700       | mov                 dword ptr [esp + 0x158], ebx
            //   4889cb               | dec                 eax
            //   4889d1               | mov                 dword ptr [esp + 0x3e0], ecx
            //   e8????????           |                     

        $sequence_7 = { e8???????? 48899c24e0010000 4889d8 48c7c3ffffffff e8???????? 48898424e0030000 48899c24b0050000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48899c24e0010000     | jne                 0x94b
            //   4889d8               | mov                 ecx, 0x186a0
            //   48c7c3ffffffff       | nop                 
            //   e8????????           |                     
            //   48898424e0030000     | movzx               edx, byte ptr [esp + ecx + 0x16d]
            //   48899c24b0050000     | movzx               esi, byte ptr [esp + ecx + 0x14c]

        $sequence_8 = { e9???????? 4889842490010000 440f11bc24d0000000 440f11bc24d8000000 440f11bc24e8000000 488d8c24d0000000 48890c24 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   4889842490010000     | mov                 dword ptr [esp + 8], eax
            //   440f11bc24d0000000     | dec    eax
            //   440f11bc24d8000000     | mov    ebx, eax
            //   440f11bc24e8000000     | dec    eax
            //   488d8c24d0000000     | lea                 eax, [0x2a516c]
            //   48890c24             | dec                 eax

        $sequence_9 = { eb23 488b8424e8000000 48ffc0 488b942480010000 488bb424500b0000 488bbc24480b0000 4839d0 }
            // n = 7, score = 100
            //   eb23                 | mov                 word ptr [esp + 0xf8], 0x3d97
            //   488b8424e8000000     | mov                 byte ptr [esp + 0xfa], 0x70
            //   48ffc0               | mov                 word ptr [esp + 0xf5], 0x70d0
            //   488b942480010000     | mov                 byte ptr [esp + 0xf7], 0x24
            //   488bb424500b0000     | xor                 ecx, ecx
            //   488bbc24480b0000     | nop                 
            //   4839d0               | mov                 word ptr [esp + 0x1fa], 0x3f2d

    condition:
        // Partial-match threshold: 7 of the 10 $sequence_* strings, plus an
        // upper size bound of 11612160 bytes (~11 MiB).
        // NOTE(review): YARA leaves `filesize` undefined when scanning a running
        // process, and an undefined operand makes this conjunction evaluate
        // false — confirm against your engine version before relying on this
        // rule for live-memory scans; the bound only has meaning for files and
        // on-disk dumps.
        7 of them and filesize < 11612160
}