rule win_quickmute_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.quickmute."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 ff15???????? 50 ff15???????? 5f c3 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   c3                   | ret                 

        $sequence_1 = { 750c 8d4dd8 51 56 }
            // n = 4, score = 100
            //   750c                 | jne                 0xe
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_2 = { 8d55c0 52 56 ffd7 a3???????? 833d????????00 c6854cffffff54 }
            // n = 7, score = 100
            //   8d55c0               | lea                 edx, [ebp - 0x40]
            //   52                   | push                edx
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   833d????????00       |                     
            //   c6854cffffff54       | mov                 byte ptr [ebp - 0xb4], 0x54

        $sequence_3 = { 8d9578edffff 52 6a03 ff15???????? 3bc3 745c }
            // n = 6, score = 100
            //   8d9578edffff         | lea                 edx, [ebp - 0x1288]
            //   52                   | push                edx
            //   6a03                 | push                3
            //   ff15????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   745c                 | je                  0x5e

        $sequence_4 = { 885dae 391d???????? 750c 8d4da8 }
            // n = 4, score = 100
            //   885dae               | mov                 byte ptr [ebp - 0x52], bl
            //   391d????????         |                     
            //   750c                 | jne                 0xe
            //   8d4da8               | lea                 ecx, [ebp - 0x58]

        $sequence_5 = { 56 68???????? ff15???????? 83c408 8b751c }
            // n = 5, score = 100
            //   56                   | push                esi
            //   68????????           |                     
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   8b751c               | mov                 esi, dword ptr [ebp + 0x1c]

        $sequence_6 = { 7510 53 6a40 ff15???????? 53 }
            // n = 5, score = 100
            //   7510                 | jne                 0x12
            //   53                   | push                ebx
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   53                   | push                ebx

        $sequence_7 = { c7459030002900 c7459420006c00 c7459869006b00 c7459c65002000 }
            // n = 4, score = 100
            //   c7459030002900       | mov                 dword ptr [ebp - 0x70], 0x290030
            //   c7459420006c00       | mov                 dword ptr [ebp - 0x6c], 0x6c0020
            //   c7459869006b00       | mov                 dword ptr [ebp - 0x68], 0x6b0069
            //   c7459c65002000       | mov                 dword ptr [ebp - 0x64], 0x200065

        $sequence_8 = { 6a00 50 8946f8 ff15???????? }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8946f8               | mov                 dword ptr [esi - 8], eax
            //   ff15????????         |                     

        $sequence_9 = { c78542ffffff63746f72 66c78546ffffff7957 c68548ffffff00 750f }
            // n = 4, score = 100
            //   c78542ffffff63746f72     | mov    dword ptr [ebp - 0xbe], 0x726f7463
            //   66c78546ffffff7957     | mov    word ptr [ebp - 0xba], 0x5779
            //   c68548ffffff00       | mov                 byte ptr [ebp - 0xb8], 0
            //   750f                 | jne                 0x11

    condition:
        7 of them and filesize < 146432
}