win.kiwistealer

KiwiStealer

Actor(s): HAZY TIGER


According to Threatray, KiwiStealer is a simple file stealer first discovered in late 2024. It starts by gathering the computer name and username. It also retrieves the current system time, which will be used later to check the last modification time of files on the machine. KiwiStealer searches through a predefined list of directories to gather files and only exfiltrates files that are smaller than 50MB and have been modified within the past year. It targets these extensions: z7, .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .jpg, .zip, .rar, .apk, .neat, .err, .eln, .ppi, .er9, .azr, .pfx, .ovpn.

References
2025-06-04 — Threatray — Abdallah Elshinbary, Jonas Wagner, Konstantin Klinger, Nick Attfield
The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two
AlmondRAT AlmondRAT Artra Downloader BDarkRAT Havoc KiwiStealer KugelBlitz MiyaRAT ORPCBackdoor WmRAT ZxxZ
Yara Rules
[TLP:WHITE] win_kiwistealer_auto (20260504 | Detects win.kiwistealer.)
rule win_kiwistealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kiwistealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kiwistealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * The hex byte sequences below are the detection logic; the per-line
     * comments are auto-generated and only illustrative. The mnemonic column
     * does not line up with the hex on the same line (e.g. 751f is a short
     * jne, not an lea) and reads as a 32-bit decode of x64 code: the REX.W
     * prefix byte 0x48 appears as "dec eax". Review the hex, not the
     * mnemonics, when assessing a sequence.
     * "????????" masks a 4-byte relative target or displacement (call/jmp
     * targets, RIP-relative data references) so a sequence is not tied to
     * one address layout.
     */

    strings:
        $sequence_0 = { e8???????? 4885c0 751f 488b442460 48634804 488d442460 4803c8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4885c0               | dec                 eax
            //   751f                 | lea                 eax, [0xc007]
            //   488b442460           | dec                 eax
            //   48634804             | mov                 dword ptr [ecx + 0x70], eax
            //   488d442460           | dec                 eax
            //   4803c8               | lea                 eax, [0xc524]

        $sequence_1 = { 744b 4c8bcb 48837b1808 7203 4c8b0b 488b5310 488b4618 }
            // n = 7, score = 100
            //   744b                 | test                esp, esp
            //   4c8bcb               | jne                 0x424
            //   48837b1808           | dec                 ecx
            //   7203                 | add                 ebx, 0x10
            //   4c8b0b               | dec                 esp
            //   488b5310             | mov                 dword ptr [ebp - 0x20], ebx
            //   488b4618             | je                  0x43b

        $sequence_2 = { 663bd5 7509 410fb7c7 e9???????? 488b4140 488b38 488b4158 }
            // n = 7, score = 100
            //   663bd5               | mov                 dword ptr [esp + 0x70], ebp
            //   7509                 | dec                 edx
            //   410fb7c7             | lea                 ebp, [edx]
            //   e9????????           |                     
            //   488b4140             | dec                 ebp
            //   488b38               | mov                 ebp, ecx
            //   488b4158             | dec                 ecx

        $sequence_3 = { 488d15ec550100 488d8c2498030000 e8???????? 90 4c8d842498030000 488d942460080000 488d8c2430060000 }
            // n = 7, score = 100
            //   488d15ec550100       | dec                 ecx
            //   488d8c2498030000     | mov                 dword ptr [eax + 8], eax
            //   e8????????           |                     
            //   90                   | dec                 ecx
            //   4c8d842498030000     | mov                 eax, eax
            //   488d942460080000     | inc                 ecx
            //   488d8c2430060000     | mov                 byte ptr [eax + 4], 1

        $sequence_4 = { c3 488d0541da0100 41c70074000000 49894008 498bc0 41c6400401 c3 }
            // n = 7, score = 100
            //   c3                   | dec                 eax
            //   488d0541da0100       | mov                 ecx, edx
            //   41c70074000000       | mov                 ecx, 0x49
            //   49894008             | dec                 eax
            //   498bc0               | mov                 edx, eax
            //   41c6400401           | nop                 
            //   c3                   | test                bl, 1

        $sequence_5 = { 4883f81f 7607 ff15???????? cc e8???????? 660f6f05???????? f30f7f842420020000 }
            // n = 7, score = 100
            //   4883f81f             | sub                 esp, 0x20
            //   7607                 | dec                 eax
            //   ff15????????         |                     
            //   cc                   | mov                 ebx, ecx
            //   e8????????           |                     
            //   660f6f05????????     |                     
            //   f30f7f842420020000   | mov                 dword ptr [esp + 0x40], 0

        $sequence_6 = { 660f1f440000 488b4120 48898390000000 4885c0 7507 4889ab98000000 }
            // n = 6, score = 100
            //   660f1f440000         | dec                 eax
            //   488b4120             | lea                 eax, [0xbc67]
            //   48898390000000       | mov                 ebx, edx
            //   4885c0               | dec                 eax
            //   7507                 | mov                 dword ptr [ecx], eax
            //   4889ab98000000       | dec                 eax

        $sequence_7 = { 488bcf 4b8d1c3e 488d53c0 e8???????? 488d53e0 488d4f20 e8???????? }
            // n = 7, score = 100
            //   488bcf               | dec                 eax
            //   4b8d1c3e             | mov                 dword ptr [esp + 0x5e8], 0x4f
            //   488d53c0             | movups              xmmword ptr [eax], xmm0
            //   e8????????           |                     
            //   488d53e0             | dec                 eax
            //   488d4f20             | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_8 = { 48f7fb 4869c800ca9a3b 498bc0 4899 48f7fb 4869c200ca9a3b 4899 }
            // n = 7, score = 100
            //   48f7fb               | movups              xmmword ptr [edx], xmm0
            //   4869c800ca9a3b       | dec                 eax
            //   498bc0               | lea                 eax, [0xbbdf]
            //   4899                 | dec                 eax
            //   48f7fb               | mov                 dword ptr [ebx], eax
            //   4869c200ca9a3b       | dec                 eax
            //   4899                 | mov                 eax, ebx

        $sequence_9 = { 4803c8 b20a ff15???????? 440fb6c0 488d9424d8060000 488d8c24e0070000 e8???????? }
            // n = 7, score = 100
            //   4803c8               | lea                 eax, [esp + 0x60]
            //   b20a                 | xor                 edx, edx
            //   ff15????????         |                     
            //   440fb6c0             | mov                 esi, eax
            //   488d9424d8060000     | test                eax, eax
            //   488d8c24e0070000     | inc                 ebp
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 byte sequences must be present, and the scanned
        // object must be smaller than 403456 bytes. NOTE(review): filesize is
        // only meaningful for file scans; confirm the intended behaviour before
        // applying this rule to process memory, where no file size exists.
        7 of them and filesize < 403456
}