win.grapeloader

GRAPELOADER

Actor(s): APT29


According to Checkpoint Research, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery. Although the two tools play different roles, GRAPELOADER shares similarities in code structure, obfuscation, and string decryption with WINELOADER. GRAPELOADER refines WINELOADER’s anti-analysis techniques while introducing more advanced stealth methods.

References
2025-04-15 — Checkpoint — Checkpoint Research
Renewed APT29 Phishing Campaign Against European Diplomats
GRAPELOADER WINELOADER
Yara Rules
[TLP:WHITE] win_grapeloader_auto (20260504 | Detects win.grapeloader.)
rule win_grapeloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.grapeloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grapeloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE (reader guidance, not part of the generated signature)
     * - Each $sequence_N is a hex byte pattern; `e8????????` wildcards the
     *   rel32 operand of a call so the pattern survives relocation of the
     *   callee.
     * - Several patterns contain REX.W-prefixed instructions (`488b45e0` is
     *   mov rax, [rbp-0x20]; `488d8d........` is lea rcx, [rbp+disp32]) and
     *   `eb00` is a two-byte `jmp $+2`, so at least those sequences were
     *   extracted from 64-bit code.
     * - The `//` disassembly annotations beside the bytes do NOT correspond
     *   to the bytes they sit next to (e.g. `488b45e0` is annotated
     *   `add al, 1`, `eb00` as `imul eax, ecx`). They are a generator
     *   artifact; do not use them to interpret a match — decode the bytes.
     * - The strings were taken from memory dumps / unpacked files (see
     *   DISCLAIMER), so a packed on-disk sample is not expected to match
     *   until it has been unpacked or scanned in memory.
     */

    strings:
        $sequence_0 = { 488b45e0 488b8d40060000 ffd0 eb00 488d8d00020000 e8???????? 488d8d30020000 }
            // n = 7, score = 100
            //   488b45e0             | add                 al, 1
            //   488b8d40060000       | mov                 ecx, dword ptr [esp + 0x24]
            //   ffd0                 | movzx               eax, byte ptr [esp + 0x2e]
            //   eb00                 | imul                eax, ecx
            //   488d8d00020000       | mov                 byte ptr [esp + 0x2e], al
            //   e8????????           |                     
            //   488d8d30020000       | mov                 byte ptr [esp + 0x23], 0xa6

        $sequence_1 = { 3dd58c0000 0f839b000000 c7442414c0738358 0fb64c243b 0fb744243c 29c8 668944243c }
            // n = 7, score = 100
            //   3dd58c0000           | mov                 word ptr [esp + 0x28], 0xce84
            //   0f839b000000         | mov                 eax, dword ptr [esp + 0x34]
            //   c7442414c0738358     | sub                 eax, 0x5e00e8c8
            //   0fb64c243b           | mov                 dword ptr [esp + 0x34], eax
            //   0fb744243c           | mov                 dword ptr [esp + 0x24], 0x613f5618
            //   29c8                 | mov                 word ptr [esp + 0x3c], ax
            //   668944243c           | mov                 word ptr [esp + 0x32], 0x58e9

        $sequence_2 = { 89442454 8b44244c 2de1ab2bee 8944244c 66c7442416f43f 0fbe442423 }
            // n = 6, score = 100
            //   89442454             | jmp                 0x10c
            //   8b44244c             | dec                 eax
            //   2de1ab2bee           | mov                 dword ptr [ebp - 0x48], eax
            //   8944244c             | jmp                 0x112
            //   66c7442416f43f       | dec                 eax
            //   0fbe442423           | mov                 eax, dword ptr [ebp - 0x48]

        $sequence_3 = { 69c088000000 6689442432 8b4c2438 0fbf44243c 01c8 668944243c }
            // n = 6, score = 100
            //   69c088000000         | imul                eax, eax, 0x2191
            //   6689442432           | mov                 byte ptr [esp + 0x2e], al
            //   8b4c2438             | movzx               eax, byte ptr [esp + 0x2f]
            //   0fbf44243c           | sub                 eax, 0xb7
            //   01c8                 | mov                 byte ptr [esp + 0x2e], al
            //   668944243c           | movzx               ecx, byte ptr [esp + 0x2e]

        $sequence_4 = { 4c8d0dd4d60000 33c9 4c8d05c3d60000 488d15c4d60000 e8???????? 4885c0 }
            // n = 6, score = 100
            //   4c8d0dd4d60000       | mov                 word ptr [esp + 0xe], 0x9f8d
            //   33c9                 | movsx               eax, byte ptr [esp + 0x23]
            //   4c8d05c3d60000       | add                 eax, dword ptr [esp + 0x4c]
            //   488d15c4d60000       | mov                 dword ptr [esp + 0x4c], eax
            //   e8????????           |                     
            //   4885c0               | movsx               ecx, byte ptr [esp + 0x23]

        $sequence_5 = { 488d8d5f040000 488d9560040000 e8???????? eb00 488d8d60040000 e8???????? 488985a8000000 }
            // n = 7, score = 100
            //   488d8d5f040000       | lea                 ecx, [ebp + 0xddf]
            //   488d9560040000       | dec                 eax
            //   e8????????           |                     
            //   eb00                 | mov                 ecx, dword ptr [ebp + 0x110]
            //   488d8d60040000       | dec                 eax
            //   e8????????           |                     
            //   488985a8000000       | mov                 edx, dword ptr [ebp + 0x120]

        $sequence_6 = { 488d9550060000 e8???????? eb00 488d8d50060000 e8???????? 48898578010000 }
            // n = 6, score = 100
            //   488d9550060000       | mov                 eax, dword ptr [esp + 0x3c]
            //   e8????????           |                     
            //   eb00                 | sub                 eax, ecx
            //   488d8d50060000       | mov                 dword ptr [esp + 0x3c], eax
            //   e8????????           |                     
            //   48898578010000       | mov                 eax, dword ptr [esp + 0x38]

        $sequence_7 = { eb00 488d8db0020000 e8???????? 488d8dd8020000 e8???????? 488b8d60050000 488b9520030000 }
            // n = 7, score = 100
            //   eb00                 | mov                 dx, word ptr [esp + 0x16]
            //   488d8db0020000       | dec                 eax
            //   e8????????           |                     
            //   488d8dd8020000       | mov                 eax, dword ptr [esp + 8]
            //   e8????????           |                     
            //   488b8d60050000       | dec                 eax
            //   488b9520030000       | mov                 ecx, dword ptr [esp]

        $sequence_8 = { 488b45f8 b910270000 ffd0 eb00 488d8d40010000 e8???????? 488d8d70010000 }
            // n = 7, score = 100
            //   488b45f8             | imul                eax, ecx
            //   b910270000           | mov                 byte ptr [esp + 0x3f], al
            //   ffd0                 | mov                 eax, dword ptr [esp + 0x20]
            //   eb00                 | add                 eax, 0x6c87
            //   488d8d40010000       | mov                 ecx, dword ptr [esp + 0x24]
            //   e8????????           |                     
            //   488d8d70010000       | movsx               eax, word ptr [esp + 0x2c]

        $sequence_9 = { 7510 488b442428 488b4030 4889442460 eb1a eb00 488b442430 }
            // n = 7, score = 100
            //   7510                 | jae                 0x8e
            //   488b442428           | dec                 eax
            //   488b4030             | mov                 ecx, dword ptr [esp + 0x28]
            //   4889442460           | dec                 eax
            //   eb1a                 | add                 ecx, 1
            //   eb00                 | movzx               eax, byte ptr [esp + 0x27]
            //   488b442430           | add                 eax, 1

    condition:
        // Any 7 of the 10 sequences must be present. The size bound was
        // derived from the analyzed sample set (see DISCLAIMER); larger
        // repackaged or padded builds may fall outside it — confirm against
        // your own sample population before relying on it for coverage.
        7 of them and filesize < 397312
}