win.acbackdoor

ACBackdoor


A Linux backdoor that was apparently ported to Windows; this entry represents the Windows version. The Linux version appears to have been written first, with the Windows port following later and lacking full functionality. The Linux version offers persistence as well as some process manipulation techniques, while both versions apparently offer command-line access, program execution, and self-update.

References
2019-11-18 — Bleeping Computer — Sergiu Gatlan
Linux, Windows Users Targeted With New ACBackdoor Malware
Yara Rules
[TLP:WHITE] win_acbackdoor_auto (20230808 | Detects win.acbackdoor.)
rule win_acbackdoor_auto {

    // Auto-generated code-signature rule for the Windows build of ACBackdoor.
    // Each $sequence_N string is a run of seven consecutive instructions
    // (see "n = 7" below) lifted from disassembly; bytes written as "??" are
    // wildcards, so the rule still matches when the masked operand differs.
    // The masked bytes sit where call/jump displacements and absolute
    // immediates live, which is consistent with the signator_config
    // "callsandjumps;datarefs;binvalue" — presumably those operands were
    // excluded because they change with relocation or recompilation; confirm
    // against the yara-signator documentation before relying on this.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.acbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor"
        // NOTE(review): `date`, malpedia_rule_date and malpedia_version carry
        // three different dates; they look like generation date, Malpedia
        // export date and corpus snapshot respectively — confirm before using
        // any of them as the rule's effective date in a signature inventory.
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Because the sequences were selected from memory dumps and unpacked
    // files (see DISCLAIMER), a packed on-disk sample may not expose them;
    // scanning unpacked or in-memory images is where this rule is expected
    // to be most useful.
    strings:
        $sequence_0 = { ba04000000 e9???????? 8b542448 8b4c244c 8b742440 89542420 894c2424 }
            // n = 7, score = 100
            //   ba04000000           | mov                 edx, 4
            //   e9????????           |                     
            //   8b542448             | mov                 edx, dword ptr [esp + 0x48]
            //   8b4c244c             | mov                 ecx, dword ptr [esp + 0x4c]
            //   8b742440             | mov                 esi, dword ptr [esp + 0x40]
            //   89542420             | mov                 dword ptr [esp + 0x20], edx
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx

        $sequence_1 = { ebbd 8b442440 890424 ff15???????? 83ec04 89c3 83c42c }
            // n = 7, score = 100
            //   ebbd                 | jmp                 0xffffffbf
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   890424               | mov                 dword ptr [esp], eax
            //   ff15????????         |                     
            //   83ec04               | sub                 esp, 4
            //   89c3                 | mov                 ebx, eax
            //   83c42c               | add                 esp, 0x2c

        $sequence_2 = { c744240c76070000 c7442408???????? c744240404000000 892c24 e8???????? 8b442438 892c24 }
            // n = 7, score = 100
            //   c744240c76070000     | mov                 dword ptr [esp + 0xc], 0x776
            //   c7442408????????     |                     
            //   c744240404000000     | mov                 dword ptr [esp + 4], 4
            //   892c24               | mov                 dword ptr [esp], ebp
            //   e8????????           |                     
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   892c24               | mov                 dword ptr [esp], ebp

        $sequence_3 = { 8b7904 895c2408 894c2404 890424 e8???????? 8b4c243c 0fb64500 }
            // n = 7, score = 100
            //   8b7904               | mov                 edi, dword ptr [ecx + 4]
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8b4c243c             | mov                 ecx, dword ptr [esp + 0x3c]
            //   0fb64500             | movzx               eax, byte ptr [ebp]

        $sequence_4 = { e8???????? 85c0 7e06 83c414 5b 5e c3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7e06                 | jle                 8
            //   83c414               | add                 esp, 0x14
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c3                   | ret                 

        $sequence_5 = { e8???????? 8b06 8b5054 85d2 0f8415fdffff 8b4050 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b5054               | mov                 edx, dword ptr [eax + 0x54]
            //   85d2                 | test                edx, edx
            //   0f8415fdffff         | je                  0xfffffd1b
            //   8b4050               | mov                 eax, dword ptr [eax + 0x50]
            //   85c0                 | test                eax, eax

        $sequence_6 = { c744241087934a00 c744240cc8000000 c7442408???????? c744240401000000 892c24 e8???????? 8b85c4000000 }
            // n = 7, score = 100
            //   c744241087934a00     | mov                 dword ptr [esp + 0x10], 0x4a9387
            //   c744240cc8000000     | mov                 dword ptr [esp + 0xc], 0xc8
            //   c7442408????????     |                     
            //   c744240401000000     | mov                 dword ptr [esp + 4], 1
            //   892c24               | mov                 dword ptr [esp], ebp
            //   e8????????           |                     
            //   8b85c4000000         | mov                 eax, dword ptr [ebp + 0xc4]

        $sequence_7 = { 89c8 8b4c2430 31de 8b5c2434 8987d0000000 894f50 895f54 }
            // n = 7, score = 100
            //   89c8                 | mov                 eax, ecx
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   31de                 | xor                 esi, ebx
            //   8b5c2434             | mov                 ebx, dword ptr [esp + 0x34]
            //   8987d0000000         | mov                 dword ptr [edi + 0xd0], eax
            //   894f50               | mov                 dword ptr [edi + 0x50], ecx
            //   895f54               | mov                 dword ptr [edi + 0x54], ebx

        $sequence_8 = { e8???????? 8b83c4000000 c783cc00000004000000 c783c800000016000000 c60000 891c24 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b83c4000000         | mov                 eax, dword ptr [ebx + 0xc4]
            //   c783cc00000004000000     | mov    dword ptr [ebx + 0xcc], 4
            //   c783c800000016000000     | mov    dword ptr [ebx + 0xc8], 0x16
            //   c60000               | mov                 byte ptr [eax], 0
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     

        $sequence_9 = { e8???????? 8bbc241c020000 8d742434 31db 85ff 7e1e 8b86f0010000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bbc241c020000       | mov                 edi, dword ptr [esp + 0x21c]
            //   8d742434             | lea                 esi, [esp + 0x34]
            //   31db                 | xor                 ebx, ebx
            //   85ff                 | test                edi, edi
            //   7e1e                 | jle                 0x20
            //   8b86f0010000         | mov                 eax, dword ptr [esi + 0x1f0]

    // Match requires at least 7 of the 10 sequences, so a few sequences can
    // be missing or rewritten without losing detection, and the scanned
    // object must be smaller than 1704960 bytes (roughly 1.6 MiB).
    // NOTE(review): the size bound is meaningful for on-disk files; when the
    // rule is applied to process memory rather than a file, confirm how the
    // scanner evaluates `filesize` so the condition does not silently fail.
    condition:
        7 of them and filesize < 1704960
}