win.regphantom

RegPhantom


According to Nextron Systems, RegPhantom is a stealthy Windows kernel rootkit designed to give attackers code execution in kernel mode while leaving very little visible evidence behind. The malware abuses the Windows registry as a covert trigger mechanism: a user-mode process can send an encrypted command through a registry write, which the driver intercepts and turns into arbitrary kernel-mode code execution.

References
2026-03-20 — Nextron Systems — Pezier Pierre-Henri
RegPhantom Backdoor Threat Analysis
RegPhantom
Yara Rules
[TLP:WHITE] win_regphantom_auto (20260504 | Detects win.regphantom.)
rule win_regphantom_auto {
    // Auto-generated code-sequence rule for win.regphantom (see DISCLAIMER below).
    // The 0x48 REX.W prefixes in the hex sequences (e.g. 48 8b 45 08, 48 83 c1 01)
    // mark them as 64-bit x86 code. The "??" bytes are YARA wildcards; they
    // presumably stand in for displacements / relative branch targets that
    // differ between builds — confirm against a sample before tightening them.
    // NOTE(review): the disassembly text in the per-byte comments under each
    // $sequence_N does not line up with the opcode bytes on the same line for a
    // number of entries (48 8b 45 08 decodes as mov rax, [rbp+8], not a je);
    // treat the hex sequences as authoritative and the mnemonics as informational.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.regphantom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regphantom"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the sequences were selected from memory dumps and unpacked files,
    // the rule is best applied to unpacked samples or memory; a packed or
    // otherwise transformed on-disk file may not contain these byte runs.

    strings:
        $sequence_0 = { 488b4508 488b08 4883c101 488b4508 488908 8b0d???????? 8b05???????? }
            // n = 7, score = 100
            //   488b4508             | je                  0x1719
            //   488b08               | and                 al, 1
            //   4883c101             | mov                 byte ptr [ebp - 0x39], al
            //   488b4508             | mov                 dword ptr [ebp - 0x40], 0xd5bfd28f
            //   488908               | mov                 eax, dword ptr [ebp - 0x40]
            //   8b0d????????         |                     
            //   8b05????????         |                     

        $sequence_1 = { 83e101 83f900 0f94c2 83f80a 0f9cc0 08c2 b833fbe6de }
            // n = 7, score = 100
            //   83e101               | add                 ecx, eax
            //   83f900               | dec                 eax
            //   0f94c2               | mov                 eax, dword ptr [ebp - 0x10]
            //   83f80a               | dec                 eax
            //   0f9cc0               | mov                 dword ptr [eax], ecx
            //   08c2                 | dec                 eax
            //   b833fbe6de           | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_2 = { 89c1 488b4508 8908 488b4510 c70000000000 8b0d???????? 8b05???????? }
            // n = 7, score = 100
            //   89c1                 | mov                 ecx, dword ptr [eax]
            //   488b4508             | dec                 eax
            //   8908                 | mov                 eax, dword ptr [ebp - 0x10]
            //   488b4510             | dec                 eax
            //   c70000000000         | mov                 dword ptr [eax], ecx
            //   8b0d????????         |                     
            //   8b05????????         |                     

        $sequence_3 = { b98706d3f6 f6c201 0f45c1 8945c0 e9???????? 488b45d8 }
            // n = 6, score = 100
            //   b98706d3f6           | je                  0xe9a
            //   f6c201               | mov                 eax, dword ptr [ebp - 0x50]
            //   0f45c1               | sub                 eax, 0x8c5fe509
            //   8945c0               | mov                 dword ptr [ebp - 0x50], eax
            //   e9????????           |                     
            //   488b45d8             | sub                 eax, 0x8222af8d

        $sequence_4 = { 4889e2 488955f0 488908 48b84282cd736822e120 480305???????? 488d0d32faffff 4883ec20 }
            // n = 7, score = 100
            //   4889e2               | mov                 ecx, 0x4a634d15
            //   488955f0             | test                dl, 1
            //   488908               | cmovne              eax, ecx
            //   48b84282cd736822e120     | mov    dword ptr [ebp - 0x40], eax
            //   480305????????       |                     
            //   488d0d32faffff       | setl                al
            //   4883ec20             | or                  dl, al

        $sequence_5 = { 2da9f8c8c5 0f8429020000 e9???????? 8b45b0 2d8ac76fc9 0f845e020000 e9???????? }
            // n = 7, score = 100
            //   2da9f8c8c5           | mov                 eax, dword ptr [ebp - 0x5c]
            //   0f8429020000         | sub                 eax, 0xe0680913
            //   e9????????           |                     
            //   8b45b0               | je                  0x13a3
            //   2d8ac76fc9           | mov                 eax, dword ptr [ebp - 0x5c]
            //   0f845e020000         | je                  0x1123
            //   e9????????           |                     

        $sequence_6 = { 88450e 8b0d???????? 8b05???????? 89ca 83ea01 0fafca 83e101 }
            // n = 7, score = 100
            //   88450e               | mov                 eax, dword ptr [ebp - 0x78]
            //   8b0d????????         |                     
            //   8b05????????         |                     
            //   89ca                 | dec                 eax
            //   83ea01               | mov                 edx, esp
            //   0fafca               | dec                 eax
            //   83e101               | mov                 dword ptr [ebp - 0x70], edx

        $sequence_7 = { b8805d9d8d b9aadb55d5 f6c201 0f45c1 8945c0 e9???????? }
            // n = 6, score = 100
            //   b8805d9d8d           | or                  dl, al
            //   b9aadb55d5           | mov                 eax, 0xbc2ffafe
            //   f6c201               | mov                 ecx, 0xb55bc812
            //   0f45c1               | test                dl, 1
            //   8945c0               | cmp                 eax, 0xa
            //   e9????????           |                     

        $sequence_8 = { ffd0 4883c420 c745e8e3f795bc e9???????? 488b0d???????? 488b05???????? 4831c1 }
            // n = 7, score = 100
            //   ffd0                 | test                dl, 1
            //   4883c420             | cmovne              eax, ecx
            //   c745e8e3f795bc       | mov                 dword ptr [ebp - 0x38], eax
            //   e9????????           |                     
            //   488b0d????????       |                     
            //   488b05????????       |                     
            //   4831c1               | mov                 dword ptr [ebp - 0x38], 0xfc3f11e5

        $sequence_9 = { 2d2795afa3 0f84f40a0000 e9???????? 8b45a4 2d2e173da4 0f8447080000 e9???????? }
            // n = 7, score = 100
            //   2d2795afa3           | mov                 eax, 0x7f848a1b
            //   0f84f40a0000         | mov                 ecx, 0x1f61f9b0
            //   e9????????           |                     
            //   8b45a4               | test                byte ptr [ebp - 9], 1
            //   2d2e173da4           | cmovne              eax, ecx
            //   0f8447080000         | cmovne              eax, ecx
            //   e9????????           |                     

    condition:
        // Seven of the ten sequences must be present, and the scanned object
        // must be smaller than 123904 bytes. NOTE(review): YARA's filesize is
        // defined for file scans only; when scanning process memory the
        // comparison is undefined and the rule may not fire — TODO confirm
        // against your YARA version and adjust or drop the bound for memory scans.
        // The bound also means a sample padded or appended to beyond that size
        // will not match even if all sequences are present.
        7 of them and filesize < 123904
}