
Revenant


According to its author, Revenant is a third-party agent for Havoc, written in C and based on Talon. This implant is meant to expand on the Talon implant by implementing covert methods of execution, robust capabilities, and more customization.

References
2022-09-11 | Github (0xTriboulet) | Steve S
Github Repository for Revenant
Revenant
Yara Rules
[TLP:WHITE] win_revenant_auto (20230808 | Detects win.revenant.)
rule win_revenant_auto {

    /* REVIEW NOTES
     * Purpose: autogenerated code-sequence signature for the win.revenant
     * implant (described on this page as a third-party Havoc agent written in
     * C, based on Talon). Each $sequence_N is a run of x86-64 instruction
     * bytes; the "????????" wildcards mask rel32 / rip-relative displacements
     * of call targets, which differ between builds.
     * Matching: the condition requires 7 of the 10 sequences AND a scanned
     * object smaller than 99328 bytes (97 KiB). The size bound means the rule
     * targets the unpacked implant image; expect no hit on a larger packed
     * dropper or on a full host process image - confirm against your corpus.
     * The per-byte annotations below were re-decoded by hand as x86-64
     * because the original autogenerated listing did not correspond to the
     * bytes (it read like a 32-bit decode of 64-bit code). Re-verify with a
     * disassembler before relying on a mnemonic.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.revenant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-argument setup around an indirect (IAT-style) call.
        $sequence_0 = { 4c8d4c2458 4889f1 4889c3 31c0 4889442420 4889da ff15???????? }
            // n = 7, score = 100
            //   4c8d4c2458           | lea                 r9, [rsp + 0x58]
            //   4889f1               | mov                 rcx, rsi
            //   4889c3               | mov                 rbx, rax
            //   31c0                 | xor                 eax, eax
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4889da               | mov                 rdx, rbx
            //   ff15????????         | call                qword ptr [rip + ????]

        // Call result stored into a two-field structure at [rsi].
        $sequence_1 = { 4c89e1 e8???????? 488906 31c0 48894608 }
            // n = 5, score = 100
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           | call                ????
            //   488906               | mov                 qword ptr [rsi], rax
            //   31c0                 | xor                 eax, eax
            //   48894608             | mov                 qword ptr [rsi + 8], rax

        // Two immediate arguments followed by a register-indirect call.
        $sequence_2 = { ba28000000 b940000000 ffd6 31d2 }
            // n = 4, score = 100
            //   ba28000000           | mov                 edx, 0x28
            //   b940000000           | mov                 ecx, 0x40
            //   ffd6                 | call                rsi
            //   31d2                 | xor                 edx, edx

        // Overlaps $sequence_1 with the preceding short jump.
        $sequence_3 = { eb3a 4c89e1 e8???????? 488906 31c0 }
            // n = 5, score = 100
            //   eb3a                 | jmp                 0x3c
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           | call                ????
            //   488906               | mov                 qword ptr [rsi], rax
            //   31c0                 | xor                 eax, eax

        $sequence_4 = { 4889442450 e8???????? 85c0 4189c7 }
            // n = 4, score = 100
            //   4889442450           | mov                 qword ptr [rsp + 0x50], rax
            //   e8????????           | call                ????
            //   85c0                 | test                eax, eax
            //   4189c7               | mov                 r15d, eax

        // Byte-wise loop over [rdx + rcx] with a complemented r8 as bound;
        // looks like a compiler-emitted memory/string loop - not confirmed.
        $sequence_5 = { 4c01c2 31c9 49f7d0 48ffc9 4939c8 740a 448a140a }
            // n = 7, score = 100
            //   4c01c2               | add                 rdx, r8
            //   31c9                 | xor                 ecx, ecx
            //   49f7d0               | not                 r8
            //   48ffc9               | dec                 rcx
            //   4939c8               | cmp                 r8, rcx
            //   740a                 | je                  0xc
            //   448a140a             | mov                 r10b, byte ptr [rdx + rcx]

        $sequence_6 = { 41b842000000 4c89e1 ff15???????? 8b4c246c 4989c4 }
            // n = 5, score = 100
            //   41b842000000         | mov                 r8d, 0x42
            //   4c89e1               | mov                 rcx, r12
            //   ff15????????         | call                qword ptr [rip + ????]
            //   8b4c246c             | mov                 ecx, dword ptr [rsp + 0x6c]
            //   4989c4               | mov                 r12, rax

        $sequence_7 = { 8b00 41390424 7592 41c744240801000000 }
            // n = 4, score = 100
            //   8b00                 | mov                 eax, dword ptr [rax]
            //   41390424             | cmp                 dword ptr [r12], eax
            //   7592                 | jne                 -0x6c
            //   41c744240801000000   | mov                 dword ptr [r12 + 8], 1

        // Iteration over 0x28-byte records from rbx up to rdi.
        $sequence_8 = { 4883c328 4839fb 7427 41b808000000 4889f2 4889d9 }
            // n = 6, score = 100
            //   4883c328             | add                 rbx, 0x28
            //   4839fb               | cmp                 rbx, rdi
            //   7427                 | je                  0x29
            //   41b808000000         | mov                 r8d, 8
            //   4889f2               | mov                 rdx, rsi
            //   4889d9               | mov                 rcx, rbx

        // 0x104 (= MAX_PATH) sized arguments before a register-indirect call.
        $sequence_9 = { e8???????? ba04010000 b940000000 48c744242804010000 41ffd6 4885c0 }
            // n = 6, score = 100
            //   e8????????           | call                ????
            //   ba04010000           | mov                 edx, 0x104
            //   b940000000           | mov                 ecx, 0x40
            //   48c744242804010000   | mov                 qword ptr [rsp + 0x28], 0x104
            //   41ffd6               | call                r14
            //   4885c0               | test                rax, rax

    condition:
        // 7 of the 10 sequences above; 99328 bytes = 97 KiB upper size bound.
        7 of them and filesize < 99328
}