win.mim221

mim221

Actor(s): Operation Soft Cell


There is no description at this point.

References
2023-03-23 — SentinelOne — Aleksandar Milenkoski, Joey Chen, Juan Andrés Guerrero-Saade, QGroup
Operation Tainted Love | Chinese APTs Target Telcos in New Attacks
mim221
Yara Rules
[TLP:WHITE] win_mim221_auto (20230808 | Detects win.mim221.)
/*
 * Auto-generated YARA rule for the win.mim221 family (Malpedia), produced by
 * YARA-Signator from code byte sequences. Matching is defined entirely by the
 * ten $sequence_N hex patterns and the condition at the bottom; the meta
 * block is informational only and does not affect matching.
 *
 * NOTE(review): the per-line disassembly annotations printed under each
 * sequence do not decode the bytes they sit next to (e.g. `90` is `nop`,
 * `4157` is `push r15`, `33ff` is `xor edi, edi`, `4881ec88000000` is
 * `sub rsp, 0x88`). Treat them as generator output, not as documentation
 * of what the pattern matches.
 */
rule win_mim221_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mim221."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each pattern is a run of raw instruction bytes. `??` is a wildcard
        // byte; it is used here for the rel32 operand of e8 (call) / e9 (jmp)
        // so the pattern does not depend on the call/jump target address.
        $sequence_0 = { 90 4883bc244001000008 720d 488b8c2428010000 e8???????? 4881c420020000 415e }
            // n = 7, score = 100
            //   90                   | xor                 edx, edx
            //   4883bc244001000008     | dec    eax
            //   720d                 | mov                 dword ptr [esp + 0x7f0], eax
            //   488b8c2428010000     | mov                 dword ptr [esp + 0x7e0], 0x3839
            //   e8????????           |                     
            //   4881c420020000       | mov                 dword ptr [esp + 0x7e8], ebx
            //   415e                 | dec                 eax

        $sequence_1 = { c68424b400000061 4488a424b5000000 c68424b600000064 c68424b70000006c 4488ac24b8000000 c68424b900000046 c68424ba00000072 }
            // n = 7, score = 100
            //   c68424b400000061     | mov                 eax, ecx
            //   4488a424b5000000     | dec                 eax
            //   c68424b600000064     | shr                 eax, 8
            //   c68424b70000006c     | dec                 eax
            //   4488ac24b8000000     | and                 eax, ebp
            //   c68424b900000046     | dec                 ecx
            //   c68424ba00000072     | mov                 eax, eax

        $sequence_2 = { 488b8c2400010000 e8???????? e9???????? 4889442420 4d8bcc 4c8b8424f8010000 488bd6 }
            // n = 7, score = 100
            //   488b8c2400010000     | inc                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   4889442420           | pop                 edi
            //   4d8bcc               | inc                 ecx
            //   4c8b8424f8010000     | pop                 esi
            //   488bd6               | inc                 ecx

        $sequence_3 = { 57 488bc4 4883ec58 48c7442420feffffff 498bd8 488bf9 }
            // n = 6, score = 100
            //   57                   | mov                 ecx, 0x80800
            //   488bc4               | mov                 dword ptr [esp + 0x48], eax
            //   4883ec58             | mov                 dword ptr [esp + 0x5c], eax
            //   48c7442420feffffff     | mov    dword ptr [esp + 0x88], eax
            //   498bd8               | inc                 esp
            //   488bf9               | lea                 ebp, [ebx + 0xf]

        $sequence_4 = { 668944243a 668944243c 668944243e 6689442440 488d542420 488bcf 66c74424420000 }
            // n = 7, score = 100
            //   668944243a           | mov                 dword ptr [esp + 0x3f4], ebx
            //   668944243c           | mov                 dword ptr [esp + 0x3f8], 0x98
            //   668944243e           | inc                 esp
            //   6689442440           | mov                 dword ptr [esp + 0x5b8], ebx
            //   488d542420           | inc                 esp
            //   488bcf               | mov                 dword ptr [esp + 0x5c4], ebx
            //   66c74424420000       | inc                 ecx

        $sequence_5 = { 3d5a290000 7307 b801000000 eb0a 3d39380000 1bc0 83c003 }
            // n = 7, score = 100
            //   3d5a290000           | mov                 word ptr [esp + 0x50], 0x20
            //   7307                 | mov                 word ptr [esp + 0x52], 0x30
            //   b801000000           | mov                 word ptr [esp + 0x54], 0x78
            //   eb0a                 | mov                 word ptr [esp + 0x4c], 0x20
            //   3d39380000           | mov                 word ptr [esp + 0x4e], 0x31
            //   1bc0                 | mov                 word ptr [esp + 0x50], 0x36
            //   83c003               | mov                 word ptr [esp + 0x52], 0x3a

        $sequence_6 = { 66c7803effffff4c00 66b85300 6689842418010000 66c784241a0100004100 6644899c241c010000 66c784241e0100004900 66c78424200100007300 }
            // n = 7, score = 100
            //   66c7803effffff4c00     | mov    dword ptr [esp + 0x140], edi
            //   66b85300             | inc                 esp
            //   6689842418010000     | mov                 byte ptr [esp + 0x130], bh
            //   66c784241a0100004100     | xor    eax, eax
            //   6644899c241c010000     | dec    esp
            //   66c784241e0100004900     | lea    esp, [eax - 1]
            //   66c78424200100007300     | dec    ecx

        $sequence_7 = { 4157 4881ec88000000 33ff 498be8 488bf1 4c8bfa }
            // n = 6, score = 100
            //   4157                 | mov                 dword ptr [esp + 0x394], 0x10001000
            //   4881ec88000000       | mov                 dword ptr [esp + 0x398], esi
            //   33ff                 | mov                 dword ptr [esp + 0x39c], 0x10400000
            //   498be8               | mov                 dword ptr [esp + 0x18c], edx
            //   488bf1               | lea                 ecx, [edx + 1]
            //   4c8bfa               | mov                 dword ptr [esp + 0x190], ecx

        $sequence_8 = { 3d401f0000 7309 8d7b20 448d6b18 eb1b 3db8240000 730b }
            // n = 7, score = 100
            //   3d401f0000           | mov                 word ptr [esp + 0x4c], 0x65
            //   7309                 | mov                 word ptr [esp + 0x4e], 0x50
            //   8d7b20               | mov                 word ptr [esp + 0x50], ax
            //   448d6b18             | mov                 word ptr [esp + 0x52], 0x69
            //   eb1b                 | mov                 word ptr [esp + 0x54], 0x76
            //   3db8240000           | mov                 word ptr [esp + 0x4a], 0x6e
            //   730b                 | mov                 word ptr [esp + 0x4c], 0x74

        $sequence_9 = { 488d8c24ca000000 e8???????? c684249003000044 c68424910300008b c684249203000001 c684249303000044 c684249403000039 }
            // n = 7, score = 100
            //   488d8c24ca000000     | mov                 byte ptr [edi], bh
            //   e8????????           |                     
            //   c684249003000044     | dec                 eax
            //   c68424910300008b     | cmp                 dword ptr [ebx + 0x20], 0x10
            //   c684249203000001     | inc                 ecx
            //   c684249303000044     | mov                 ebp, 0xf
            //   c684249403000039     | dec                 esp

    condition:
        // Fires when at least 7 of the 10 $sequence_N patterns are present and
        // the scanned object is smaller than 471040 bytes (460 KiB). Memory
        // dumps or packed files outside that size bound will not match.
        7 of them and filesize < 471040
}