win.nitrogen_ransomware

Nitrogen Ransomware


This ransomware has much in common with the LukaLocker ransomware. [1](https://streamscan.ai/en/ressources/analyse-du-rancongiciel-nitrogen/) Analysis of the files reveals strong correlations between the Nitrogen, LukaLocker and Cactus families.
These similarities lead us to believe that these ransomware families are administered by the same people, or that the files were developed using a common framework. [2](https://www.glimps.re/en/resource/nitrogen-correlation-with-lukalocker-cactus/)

References
2024-10-01 — Streamscan (Streamscan)
Analysis of the Ransomware Nitrogen
Nitrogen Ransomware
Yara Rules
[TLP:WHITE] win_nitrogen_ransomware_auto (20260504 | Detects win.nitrogen_ransomware.)
rule win_nitrogen_ransomware_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nitrogen_ransomware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrogen_ransomware"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * - The hex patterns are the authoritative content of this rule. The "//"
     *   disassembly printed beside each sequence does NOT decode the bytes on
     *   the same line (e.g. 4889e5 is "mov rbp, rsp" in x86-64 code, not
     *   "inc esp"); treat those annotations as unreliable and do not tune the
     *   rule from them.
     * - The REX prefixes in the patterns (48, 4c, 44, 41) show the sample is
     *   64-bit code. The "????????" wildcards mask four-byte fields following
     *   RIP-relative ModRM forms, which appear to be displacements that change
     *   between builds.
     * - Because the sequences were taken from unpacked code and memory dumps
     *   (see DISCLAIMER), expect matches on unpacked payloads or dumped module
     *   regions rather than on packed on-disk droppers; confirm hits against
     *   the Malpedia reference before assigning confidence.
     */

    strings:
        $sequence_0 = { 4889e5 4883ec20 894d10 837d1000 741e 8b4510 89c0 }
            // n = 7, score = 100
            //   4889e5               | inc                 esp
            //   4883ec20             | mov                 edx, dword ptr [esp + 0x3c]
            //   894d10               | inc                 esp
            //   837d1000             | mov                 esp, dword ptr [esp + 0x58]
            //   741e                 | mov                 dword ptr [esp], eax
            //   8b4510               | inc                 esp
            //   89c0                 | mov                 eax, dword ptr [esp + 0x48]

        $sequence_1 = { 8b842460010000 83c001 31d0 6689842466010000 0fb7942468010000 8b842460010000 83c002 }
            // n = 7, score = 100
            //   8b842460010000       | add                 ebp, 8
            //   83c001               | add                 ecx, 6
            //   31d0                 | inc                 ecx
            //   6689842466010000     | add                 edi, 7
            //   0fb7942468010000     | punpckldq           xmm0, xmm3
            //   8b842460010000       | mov                 esi, dword ptr [esp + 0x13e0]
            //   83c002               | xor                 ecx, 0x79

        $sequence_2 = { 83f624 6689b42470550000 0fb7742450 83c609 83f653 6689b42472550000 0fb774244c }
            // n = 7, score = 100
            //   83f624               | dec                 eax
            //   6689b42470550000     | mov                 eax, dword ptr [ebp + 0x18]
            //   0fb7742450           | mov                 edx, dword ptr [eax + 0x28]
            //   83c609               | dec                 eax
            //   83f653               | mov                 eax, dword ptr [ebp + 0x18]
            //   6689b42472550000     | mov                 eax, dword ptr [eax + 0x24]
            //   0fb774244c           | cmp                 edx, eax

        $sequence_3 = { 83c004 31d0 668984245c130000 0fb794245e130000 8b842450130000 83c005 31d0 }
            // n = 7, score = 100
            //   83c004               | add                 eax, 1
            //   31d0                 | xor                 eax, 0x53
            //   668984245c130000     | mov                 word ptr [esp + 0x8042], ax
            //   0fb794245e130000     | movzx               eax, word ptr [esp + 0xd4]
            //   8b842450130000       | add                 eax, 2
            //   83c005               | mov                 word ptr [esp + 0x8140], ax
            //   31d0                 | movzx               eax, word ptr [esp + 0xe8]

        $sequence_4 = { 83e80a 668984246c040000 0fb784246e040000 f30f7e35???????? 4c8b3d???????? 83e80a 448b35???????? }
            // n = 7, score = 100
            //   83e80a               | dec                 eax
            //   668984246c040000     | add                 eax, 1
            //   0fb784246e040000     | dec                 eax
            //   f30f7e35????????     |                     
            //   4c8b3d????????       |                     
            //   83e80a               | cmp                 eax, 0x2b
            //   448b35????????       |                     

        $sequence_5 = { 83c007 31d0 66898424d21b0000 0fb79424d41b0000 8b8424c01b0000 83c008 31d0 }
            // n = 7, score = 100
            //   83c007               | mov                 word ptr [esp + 0x1b54], ax
            //   31d0                 | xor                 eax, eax
            //   66898424d21b0000     | xor                 ecx, ecx
            //   0fb79424d41b0000     | inc                 ebp
            //   8b8424c01b0000       | xor                 eax, eax
            //   83c008               | mov                 word ptr [esp + 0x1b56], ax
            //   31d0                 | dec                 eax

        $sequence_6 = { 83ea05 66899444203e0000 4883c001 4883f81f 75e3 488d8424203e0000 4c8b05???????? }
            // n = 7, score = 100
            //   83ea05               | mov                 eax, dword ptr [esp + 0x19c0]
            //   66899444203e0000     | inc                 esp
            //   4883c001             | xor                 eax, ecx
            //   4883f81f             | mov                 word ptr [esp + 0x10f2], bx
            //   75e3                 | mov                 ebx, 3
            //   488d8424203e0000     | inc                 esp
            //   4c8b05????????       |                     

        $sequence_7 = { 8bbc24204f0000 4183c601 8bb424204f0000 4183c502 4183c403 4183f665 83c504 }
            // n = 7, score = 100
            //   8bbc24204f0000       | mov                 eax, dword ptr [ebp + 0x18]
            //   4183c601             | test                eax, eax
            //   8bb424204f0000       | jne                 0x419
            //   4183c502             | test                al, al
            //   4183c403             | jne                 0x433
            //   4183f665             | dec                 eax
            //   83c504               | mov                 edx, esi

        $sequence_8 = { 488d8424647c0000 31c9 66899424ce7c0000 4889842420870000 c78424a05b000024000000 8bb424a05b0000 448bb424a05b0000 }
            // n = 7, score = 100
            //   488d8424647c0000     | dec                 eax
            //   31c9                 | shl                 eax, 0x10
            //   66899424ce7c0000     | dec                 eax
            //   4889842420870000     | or                  eax, edx
            //   c78424a05b000024000000     | dec    eax
            //   8bb424a05b0000       | or                  eax, edx
            //   448bb424a05b0000     | punpcklqdq          xmm0, xmm1

        $sequence_9 = { 89442468 8b8c24205d0000 8b9424205d0000 448b9c24205d0000 897c2460 448b8424205d0000 448b8c24205d0000 }
            // n = 7, score = 100
            //   89442468             | xor                 eax, edx
            //   8b8c24205d0000       | mov                 word ptr [esp + 0xc58], ax
            //   8b9424205d0000       | movzx               edx, word ptr [esp + 0xc5a]
            //   448b9c24205d0000     | mov                 eax, dword ptr [esp + 0xc50]
            //   897c2460             | add                 eax, 3
            //   448b8424205d0000     | xor                 eax, edx
            //   448b8c24205d0000     | add                 eax, 2

    // At least 7 of the 10 sequences must be present, and the scanned object
    // must be smaller than 2590720 bytes (~2.47 MiB). The size cap means
    // larger objects (e.g. full process memory images) will not match even if
    // the sequences are present; scan unpacked binaries or dumped module
    // regions individually.
    condition:
        7 of them and filesize < 2590720
}