rule win_revenant_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.revenant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 53 4881ec58040000 31c0 4531c0 }
            // n = 4, score = 100
            //   53                   | mov                 dword ptr [esp + 0x30], eax
            //   4881ec58040000       | dec                 eax
            //   31c0                 | test                eax, eax
            //   4531c0               | dec                 eax

        $sequence_1 = { ffd5 4889f8 f0480fb133 4885c0 75e3 488b35???????? 31ff }
            // n = 7, score = 100
            //   ffd5                 | mov                 ebp, eax
            //   4889f8               | push                ebx
            //   f0480fb133           | dec                 eax
            //   4885c0               | sub                 esp, 0x90
            //   75e3                 | xor                 esi, esi
            //   488b35????????       |                     
            //   31ff                 | dec                 eax

        $sequence_2 = { ba28000000 b940000000 ffd6 31d2 }
            // n = 4, score = 100
            //   ba28000000           | inc                 ebp
            //   b940000000           | xor                 eax, eax
            //   ffd6                 | inc                 esp
            //   31d2                 | mov                 dword ptr [esp + 0x28], edi

        $sequence_3 = { 035008 4839d1 72ac 4883c028 }
            // n = 4, score = 100
            //   035008               | dec                 eax
            //   4839d1               | cmp                 ecx, eax
            //   72ac                 | jb                  0x11
            //   4883c028             | dec                 eax

        $sequence_4 = { e8???????? 31c9 4889f2 4989c0 e8???????? 4883f8ff 742f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   31c9                 | jmp                 0x1060
            //   4889f2               | xor                 edx, edx
            //   4989c0               | dec                 eax
            //   e8????????           |                     
            //   4883f8ff             | mov                 ecx, ebx
            //   742f                 | mov                 edx, 0x104

        $sequence_5 = { e8???????? eb29 8b542444 4889f9 e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   eb29                 | mov                 eax, ecx
            //   8b542444             | pop                 edi
            //   4889f9               | ret                 
            //   e8????????           |                     

        $sequence_6 = { 488b05???????? 833801 7450 31c0 }
            // n = 4, score = 100
            //   488b05????????       |                     
            //   833801               | dec                 eax
            //   7450                 | mov                 edi, eax
            //   31c0                 | dec                 eax

        $sequence_7 = { 418b542420 4889d9 e8???????? 488d542420 }
            // n = 4, score = 100
            //   418b542420           | xor                 ebx, ebx
            //   4889d9               | xor                 ebp, ebp
            //   e8????????           |                     
            //   488d542420           | cmp                 dword ptr [edi + 0x3c], 0

        $sequence_8 = { 4885d2 0f84f2000000 488d0d3d370000 31ff e8???????? }
            // n = 5, score = 100
            //   4885d2               | inc                 ecx
            //   0f84f2000000         | mov                 al, byte ptr [eax + edx]
            //   488d0d3d370000       | inc                 edx
            //   31ff                 | xor                 byte ptr [ecx + edx], al
            //   e8????????           |                     

        $sequence_9 = { e8???????? ba04010000 b940000000 48c744242804010000 41ffd6 4885c0 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   ba04010000           | mov                 eax, eax
            //   b940000000           | dec                 eax
            //   48c744242804010000     | mov    ecx, dword ptr [esp + 0x28]
            //   41ffd6               | xor                 eax, eax
            //   4885c0               | rep stosb           byte ptr es:[edi], al

    condition:
        7 of them and filesize < 99328
}