rule win_boldmove_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.boldmove."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 895df0 31da 8b5de0 31ce c1c210 c1c607 }
            // n = 6, score = 100
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   31da                 | xor                 edx, ebx
            //   8b5de0               | mov                 ebx, dword ptr [ebp - 0x20]
            //   31ce                 | xor                 esi, ecx
            //   c1c210               | rol                 edx, 0x10
            //   c1c607               | rol                 esi, 7

        $sequence_1 = { c744243801000000 8b442440 895c2404 892c24 89442410 8b442448 8944240c }
            // n = 7, score = 100
            //   c744243801000000     | mov                 dword ptr [esp + 0x38], 1
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   892c24               | mov                 dword ptr [esp], ebp
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b442448             | mov                 eax, dword ptr [esp + 0x48]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax

        $sequence_2 = { 89442404 8b85c4fbffff 897c2410 8d8405e8fbffff 890424 e8???????? }
            // n = 6, score = 100
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b85c4fbffff         | mov                 eax, dword ptr [ebp - 0x43c]
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   8d8405e8fbffff       | lea                 eax, [ebp + eax - 0x418]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_3 = { eb14 f6431402 740e 895d08 83c410 5b 5e }
            // n = 7, score = 100
            //   eb14                 | jmp                 0x16
            //   f6431402             | test                byte ptr [ebx + 0x14], 2
            //   740e                 | je                  0x10
            //   895d08               | mov                 dword ptr [ebp + 8], ebx
            //   83c410               | add                 esp, 0x10
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_4 = { 894c2418 0f852f0e0000 8b542454 85d2 0f8599000000 f7c500060000 }
            // n = 6, score = 100
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx
            //   0f852f0e0000         | jne                 0xe35
            //   8b542454             | mov                 edx, dword ptr [esp + 0x54]
            //   85d2                 | test                edx, edx
            //   0f8599000000         | jne                 0x9f
            //   f7c500060000         | test                ebp, 0x600

        $sequence_5 = { 890f bf10000000 99 f7ff bf04000000 0fb63406 89c8 }
            // n = 7, score = 100
            //   890f                 | mov                 dword ptr [edi], ecx
            //   bf10000000           | mov                 edi, 0x10
            //   99                   | cdq                 
            //   f7ff                 | idiv                edi
            //   bf04000000           | mov                 edi, 4
            //   0fb63406             | movzx               esi, byte ptr [esi + eax]
            //   89c8                 | mov                 eax, ecx

        $sequence_6 = { 89c2 31c0 c745c45f244762 89d7 f3ab 8b4508 8d7a44 }
            // n = 7, score = 100
            //   89c2                 | mov                 edx, eax
            //   31c0                 | xor                 eax, eax
            //   c745c45f244762       | mov                 dword ptr [ebp - 0x3c], 0x6247245f
            //   89d7                 | mov                 edi, edx
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8d7a44               | lea                 edi, [edx + 0x44]

        $sequence_7 = { c744247401000000 8b542458 c744246400000000 85d2 0f88e4050000 8b44244c 85c0 }
            // n = 7, score = 100
            //   c744247401000000     | mov                 dword ptr [esp + 0x74], 1
            //   8b542458             | mov                 edx, dword ptr [esp + 0x58]
            //   c744246400000000     | mov                 dword ptr [esp + 0x64], 0
            //   85d2                 | test                edx, edx
            //   0f88e4050000         | js                  0x5ea
            //   8b44244c             | mov                 eax, dword ptr [esp + 0x4c]
            //   85c0                 | test                eax, eax

        $sequence_8 = { 0f8715130000 8db42600000000 8d04b6 83c701 8d7442d0 0fb617 8d4ad0 }
            // n = 7, score = 100
            //   0f8715130000         | ja                  0x131b
            //   8db42600000000       | lea                 esi, [esi]
            //   8d04b6               | lea                 eax, [esi + esi*4]
            //   83c701               | add                 edi, 1
            //   8d7442d0             | lea                 esi, [edx + eax*2 - 0x30]
            //   0fb617               | movzx               edx, byte ptr [edi]
            //   8d4ad0               | lea                 ecx, [edx - 0x30]

        $sequence_9 = { c744247cffffffff 39c6 0f8cfbf1ffff e9???????? 8b442430 8b4004 83c001 }
            // n = 7, score = 100
            //   c744247cffffffff     | mov                 dword ptr [esp + 0x7c], 0xffffffff
            //   39c6                 | cmp                 esi, eax
            //   0f8cfbf1ffff         | jl                  0xfffff201
            //   e9????????           |                     
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   83c001               | add                 eax, 1

    condition:
        7 of them and filesize < 242688
}