win.gotohttp

GoToHTTP


According to ESET Research, GoToHTTP is a legitimate (benign) remote-access tool: it establishes a remote connection to a host that can then be operated from a web browser. ESET observed the threat actor GhostRedirector deploying it on compromised Windows servers for remote access (see the reference below). Because the software itself is not malicious, a match on the rule below indicates that GoToHTTP code is present, not that the host is compromised; triage it against where it was found (e.g. an unexpected install on a server), who installed it and what else is on the system.

References
2025-09-04 — ESET Research (Fernando Tavella):
"GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes"
GoToHTTP GhostRedirector
Yara Rules
[TLP:WHITE] win_gotohttp_auto (20260504 | Detects win.gotohttp.)
rule win_gotohttp_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.gotohttp."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gotohttp"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance and caveats
     *
     * The byte sequences below were selected automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of unpacked files and memory dumps held in Malpedia. Malpedia may hold
     * only a single sample for a family, so these sequences are tied to that
     * sample's build and may not generalise to other versions; assign a
     * confidence level with that in mind.
     *
     * GoToHTTP is legitimate remote-access software that has been observed
     * being abused by an intrusion set (see the Malpedia entry). A hit
     * therefore means "GoToHTTP code is present", not "this host is
     * compromised"; triage by context.
     *
     * The per-instruction disassembly column shipped with the auto-generated
     * listing did not line up with the bytes shown (for example 45 33 c0 was
     * labelled "dec eax"; it is xor r8d, r8d). The comments below are a
     * hand decode of each sequence as x86-64 and replace that column. Each
     * sequence is seven instructions long; "??" bytes are wildcards over
     * RIP-relative displacements and call targets that change between builds.
     *
     * filesize bound: 6266704 bytes (~6 MiB), presumably derived from the
     * documented sample; a larger build of the tool would not match.
     */

    strings:
        // lock xadd dword ptr [rip+?], eax ; xor r8d, r8d ; jmp +3 ;
        // mov rsi, r8 ; mov dword ptr [rsp+0x108], r8d ;
        // cmp byte ptr [r15+0x724], r13b ; jne +8
        $s0 = { f0 0f c1 05 ?? ?? ?? ?? 45 33 c0 eb 03 49 8b f0 44 89 84 24 08 01 00 00 45 38 af 24 07 00 00 75 08 }

        // paddd xmm8, xmm9 ; mov r14, qword ptr [rsp+0xa8] ; psubd xmm6, xmm5 ;
        // pshufd xmm1, xmm6, 0x8d ; movdqa xmmword ptr [r14], xmm1 ;
        // add r14, 0x10 ; mov qword ptr [rsp+0xa8], r14
        $s1 = { 66 45 0f fe c1 4c 8b b4 24 a8 00 00 00 66 0f fa f5 66 0f 70 ce 8d 66 41 0f 7f 0e 49 83 c6 10 4c 89 b4 24 a8 00 00 00 }

        // jmp +0x1a ; cmp rax, 0x2e7c ; jle +0x12 ;
        // add dword ptr [r8+0x600], -2 ; jmp +8 ;
        // add dword ptr [r8+0x600], 2 ; mov ecx, dword ptr [r8+0x600]
        $s2 = { eb 1a 48 3d 7c 2e 00 00 7e 12 41 83 80 00 06 00 00 fe eb 08 41 83 80 00 06 00 00 02 41 8b 88 00 06 00 00 }

        // jmp +0x2c ; cmp dword ptr [rip+?], 1 ; jg +0x1e ;
        // lea r9, [rip+0x283b8f] ; lea rdx, [rip+0x283b40] ;
        // mov r8d, 0xb1 ; mov ecx, 1
        // (argument setup in the Win64 convention: rcx, rdx, r8, r9 — the
        //  callee is outside the sequence, so what it is cannot be stated here)
        $s3 = { eb 2c 83 3d ?? ?? ?? ?? 01 7f 1e 4c 8d 0d 8f 3b 28 00 48 8d 15 40 3b 28 00 41 b8 b1 00 00 00 b9 01 00 00 00 }

        // jmp +0x11 ; mov byte ptr [rbx+0x124], 0 ; mov dword ptr [rbx+0xf0], 1 ;
        // cmp byte ptr [rbx+0x124], 0 ; je +0x10 ;
        // cmp byte ptr [rbx+0x101], 0 ; jne +7
        $s4 = { eb 11 c6 83 24 01 00 00 00 c7 83 f0 00 00 00 01 00 00 00 80 bb 24 01 00 00 00 74 10 80 bb 01 01 00 00 00 75 07 }

        // movss xmm1, dword ptr [rcx+8] ; movss xmm0, dword ptr [rdx+8] ;
        // mulss xmm1, xmm1 ; mulss xmm0, xmm0 ; subss xmm1, xmm0 ;
        // addss xmm2, xmm1 ; comiss xmm2, xmm6
        // (scalar single-precision arithmetic; likely a compiled runtime
        //  or library routine rather than tool-specific logic)
        $s5 = { f3 0f 10 49 08 f3 0f 10 42 08 f3 0f 59 c9 f3 0f 59 c0 f3 0f 5c c8 f3 0f 58 d1 0f 2f d6 }

        // call qword ptr [rip+?] ; mov r12, rax ;
        // cmp qword ptr [rdi+0x2d8], 0 ; jne +0x12b ;
        // xor edx, edx ; mov r8d, 0x3d0 ; lea rcx, [rsp+0xb0]
        // (rcx=stack buffer, edx=0, r8d=0x3d0 is the shape of a
        //  memset-style call, but the callee is not inside the sequence)
        $s6 = { ff 15 ?? ?? ?? ?? 4c 8b e0 48 83 bf d8 02 00 00 00 0f 85 2b 01 00 00 33 d2 41 b8 d0 03 00 00 48 8d 8c 24 b0 00 00 00 }

        // jmp +5 ; mov ecx, 1 ; mov r13d, 6 ; mov dword ptr [rbp+0xd8], r13d ;
        // test eax, eax ; jne +0x34 ; mov r13, qword ptr [rbp+0x2a8]
        $s7 = { eb 05 b9 01 00 00 00 41 bd 06 00 00 00 44 89 ad d8 00 00 00 85 c0 75 34 4c 8b ad a8 02 00 00 }

        // mov ecx, dword ptr [rdi+0x3790] ; cmp ecx, 0x3e8 ; jne +0x18 ;
        // mov eax, dword ptr [rdi+0x50] ; mov r8d, 0x1f40 ; cmp eax, r8d ; jne +0x64
        $s8 = { 8b 8f 90 37 00 00 81 f9 e8 03 00 00 75 18 8b 47 50 41 b8 40 1f 00 00 41 3b c0 75 64 }

        // call rel32 ; inc rsi ; inc edi ; add rbx, 0xc8 ; cmp rsi, r12 ;
        // jl -0x5b (loop back) ; xor eax, eax
        $s9 = { e8 ?? ?? ?? ?? 48 ff c6 ff c7 48 81 c3 c8 00 00 00 49 3b f4 7c a5 33 c0 }

    condition:
        // Any seven of the ten sequences, within the sample-derived size bound.
        filesize < 6266704 and 7 of ($s*)
}