rule win_mimic_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.mimic."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb23 ff15???????? 8b4e08 83c118 83791408 7202 8b09 }
            // n = 7, score = 100
            //   eb23                 | jmp                 0x25
            //   ff15????????         |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   83c118               | add                 ecx, 0x18
            //   83791408             | cmp                 dword ptr [ecx + 0x14], 8
            //   7202                 | jb                  4
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_1 = { eb1c 8d4101 8b4de0 8901 ff4208 8b55e4 8b02 }
            // n = 7, score = 100
            //   eb1c                 | jmp                 0x1e
            //   8d4101               | lea                 eax, [ecx + 1]
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   ff4208               | inc                 dword ptr [edx + 8]
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   8b02                 | mov                 eax, dword ptr [edx]

        $sequence_2 = { 0f4345c0 50 e8???????? 33c9 0f1000 0f1185d8feffff f30f7e4010 }
            // n = 7, score = 100
            //   0f4345c0             | cmovae              eax, dword ptr [ebp - 0x40]
            //   50                   | push                eax
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   0f1000               | movups              xmm0, xmmword ptr [eax]
            //   0f1185d8feffff       | movups              xmmword ptr [ebp - 0x128], xmm0
            //   f30f7e4010           | movq                xmm0, qword ptr [eax + 0x10]

        $sequence_3 = { 56 e8???????? 83c404 83f810 7f29 8b74241c }
            // n = 6, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   83f810               | cmp                 eax, 0x10
            //   7f29                 | jg                  0x2b
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]

        $sequence_4 = { ffd3 85c0 7517 8d85e8fdffff 50 ffb5b0f5ffff ffd6 }
            // n = 7, score = 100
            //   ffd3                 | call                ebx
            //   85c0                 | test                eax, eax
            //   7517                 | jne                 0x19
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
            //   50                   | push                eax
            //   ffb5b0f5ffff         | push                dword ptr [ebp - 0xa50]
            //   ffd6                 | call                esi

        $sequence_5 = { eb1d 8d45c0 3bc6 7416 837e1408 8bc6 7202 }
            // n = 7, score = 100
            //   eb1d                 | jmp                 0x1f
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   3bc6                 | cmp                 eax, esi
            //   7416                 | je                  0x18
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   8bc6                 | mov                 eax, esi
            //   7202                 | jb                  4

        $sequence_6 = { 6a00 6a00 ffd7 8b4e04 894608 85c9 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffd7                 | call                edi
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   85c9                 | test                ecx, ecx

        $sequence_7 = { e8???????? 83c40c c645fc16 8b55e0 83fa08 0f8299000000 8b4dcc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   c645fc16             | mov                 byte ptr [ebp - 4], 0x16
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   83fa08               | cmp                 edx, 8
            //   0f8299000000         | jb                  0x9f
            //   8b4dcc               | mov                 ecx, dword ptr [ebp - 0x34]

        $sequence_8 = { c745fcffffffff 8b75ac 85f6 7441 f00fc17e08 4f 7539 }
            // n = 7, score = 100
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b75ac               | mov                 esi, dword ptr [ebp - 0x54]
            //   85f6                 | test                esi, esi
            //   7441                 | je                  0x43
            //   f00fc17e08           | lock xadd           dword ptr [esi + 8], edi
            //   4f                   | dec                 edi
            //   7539                 | jne                 0x3b

        $sequence_9 = { 33c8 8b44241c 330c95080b5c00 33c1 8b5738 8944241c 33d6 }
            // n = 7, score = 100
            //   33c8                 | xor                 ecx, eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   330c95080b5c00       | xor                 ecx, dword ptr [edx*4 + 0x5c0b08]
            //   33c1                 | xor                 eax, ecx
            //   8b5738               | mov                 edx, dword ptr [edi + 0x38]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   33d6                 | xor                 edx, esi

    condition:
        7 of them and filesize < 4204544
}