win.knight

Knight

aka: Cyclops

According to Symantec, this is a ransomware family written in Golang and obfuscated with Gobfuscate. The source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down their operation.

References
2024-06-05 · Symantec · Symantec Threat Intelligence
RansomHub: New Ransomware has Origins in Older Knight
Knight RansomHub RansomHub
Yara Rules
[TLP:WHITE] win_knight_auto (20260504 | Detects win.knight.)
rule win_knight_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.knight."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.knight"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reader guidance, no change to the rule logic)
     *
     * Each $sequence_N below is a run of 7 consecutive instructions
     * ("n = 7") taken from the sample's x86-64 code. The "??" bytes
     * wildcard the rel32 displacement that follows e8 (call) and the
     * disp32 inside the 833d ... 00 form (cmp dword ptr [rip+disp32], 0),
     * so the pattern survives relocation of those targets between builds.
     * The remaining bytes, including the rip-relative displacements inside
     * 488d.. (lea) and 4889../488b.. (mov), are matched literally and are
     * therefore tied to the layout of the sampled binary.
     *
     * The "| mnemonic" annotations beside each byte sequence are
     * informational only and are NOT a faithful disassembly: the rows do
     * not line up with the bytes beside them (e.g. 0f1f00 is shown as
     * "dec eax", 72b8 as "je 0x1a75"), and REX prefixes (0x48, 0x4c,
     * 0x41, 0x49, 0x44) appear as 32-bit "dec"/"inc" instructions. If you
     * need to understand what a sequence does, re-disassemble the hex in
     * 64-bit mode rather than relying on these comments.
     *
     * Because the sequences come from a single sample (see DISCLAIMER),
     * expect possible misses on other builds; validate against a corpus of
     * benign Go binaries for false positives before using this rule for
     * anything stronger than triage/hunting.
     */

    strings:
        $sequence_0 = { e8???????? 488d3d639e2f00 0f1f00 e8???????? e8???????? 48898424081f0000 48899c24d0020000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d3d639e2f00       | mov                 dword ptr [esp + 0x78], ecx
            //   0f1f00               | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   48898424081f0000     | lea                 eax, [esp + 0x70]
            //   48899c24d0020000     | dec                 eax

        $sequence_1 = { 72b8 eb1b 31c0 488d5c241a b920000000 e8???????? 488b6c2468 }
            // n = 7, score = 100
            //   72b8                 | je                  0x1a75
            //   eb1b                 | inc                 esp
            //   31c0                 | cmp                 byte ptr [ecx], bl
            //   488d5c241a           | jne                 0x1a75
            //   b920000000           | dec                 eax
            //   e8????????           |                     
            //   488b6c2468           | mov                 eax, ecx

        $sequence_2 = { e8???????? 4889442428 48c70000000000 488d0514eb0d00 e8???????? 4889442420 488d0583961000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4889442428           | dec                 eax
            //   48c70000000000       | lea                 eax, [0x2c49c3]
            //   488d0514eb0d00       | nop                 dword ptr [eax]
            //   e8????????           |                     
            //   4889442420           | dec                 eax
            //   488d0583961000       | mov                 dword ptr [esp + 0x1b0], eax

        $sequence_3 = { eb14 488b442458 488b7c2428 488b5c2440 488b4c2430 488bb020100000 4c8b8028100000 }
            // n = 7, score = 100
            //   eb14                 | mov                 dword ptr [eax], 0
            //   488b442458           | dec                 eax
            //   488b7c2428           | lea                 eax, [0x17c854]
            //   488b5c2440           | dec                 eax
            //   488b4c2430           | mov                 dword ptr [esp + 0x20], eax
            //   488bb020100000       | dec                 eax
            //   4c8b8028100000       | lea                 eax, [0x19fd43]

        $sequence_4 = { 90 ff82d8000000 498b5630 31c0 488d3590215800 bf01000000 f00fb13e }
            // n = 7, score = 100
            //   90                   | mov                 dword ptr [eax + 8], ecx
            //   ff82d8000000         | dec                 eax
            //   498b5630             | mov                 ecx, dword ptr [esp + 0x2b8]
            //   31c0                 | dec                 eax
            //   488d3590215800       | mov                 dword ptr [eax + 0x18], ecx
            //   bf01000000           | nop                 
            //   f00fb13e             | jmp                 0x30e

        $sequence_5 = { c681e400000000 b9ffffffff 488d1514da5200 f00fc10a ffc9 85c9 7c62 }
            // n = 7, score = 100
            //   c681e400000000       | nop                 
            //   b9ffffffff           | mov                 edi, 0xffffffff
            //   488d1514da5200       | dec                 eax
            //   f00fc10a             | lea                 eax, [0x2aca5b]
            //   ffc9                 | test                byte ptr [eax], al
            //   85c9                 | jne                 0x110f
            //   7c62                 | dec                 eax

        $sequence_6 = { eb1d 440fb64c3428 4129d1 418d51e9 88543c28 418d50e9 88543428 }
            // n = 7, score = 100
            //   eb1d                 | mov                 ecx, dword ptr [esp + 0x18]
            //   440fb64c3428         | nop                 
            //   4129d1               | dec                 eax
            //   418d51e9             | mov                 dword ptr [eax + 0x10], 0
            //   88543c28             | dec                 eax
            //   418d50e9             | mov                 ebx, eax
            //   88543428             | dec                 eax

        $sequence_7 = { eb10 4889c7 488b8c2490000000 e8???????? 488b4c2450 48894810 833d????????00 }
            // n = 7, score = 100
            //   eb10                 | dec                 eax
            //   4889c7               | mov                 edx, 0x6ca67ce6
            //   488b8c2490000000     | adc                 byte ptr [esi + edi], dh
            //   e8????????           |                     
            //   488b4c2450           | in                  eax, dx
            //   48894810             | dec                 eax
            //   833d????????00       |                     

        $sequence_8 = { e8???????? 31db 488d0d61312300 4889c7 31c0 488bac2448010000 4881c450010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   31db                 | enter               -0x74b8, -0x78
            //   488d0d61312300       | mov                 al, byte ptr [0xf000009]
            //   4889c7               | pop                 ds
            //   31c0                 | inc                 eax
            //   488bac2448010000     | add                 byte ptr [eax - 0x7b], cl
            //   4881c450010000       | leave               

        $sequence_9 = { e8???????? e8???????? 4889c3 488d05e17b2700 90 e8???????? 4c89d8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e8????????           |                     
            //   4889c3               | dec                 eax
            //   488d05e17b2700       | mov                 ecx, dword ptr [esp + 0xf98]
            //   90                   | dec                 eax
            //   e8????????           |                     
            //   4c89d8               | mov                 ecx, dword ptr [esp + 0x110]

    condition:
        // Fires when at least 7 of the 10 sequences above are present and
        // the scanned object is under 12149760 bytes (about 11.6 MiB).
        // NOTE(review): the filesize bound is meaningful for file scans;
        // confirm how your YARA version evaluates filesize for process
        // memory or dumped regions before relying on the rule there.
        7 of them and filesize < 12149760
}