win.rustyrocket

RustyRocket


RustyRocket is a custom exfiltration tool written in Rust and built for both Windows and Linux. WorldLeaks affiliates use it to exfiltrate victim data through heavily obfuscated, multi-layered encrypted tunnels, which can be exceptionally difficult to spot with traditional network monitoring.

References
2026-01-28 — Accenture (Accenture Cyber Threat Intelligence)
Analysis of RustyRocket – A Custom WorldLeaks Exfiltration Tool
RustyRocket
Yara Rules
[TLP:WHITE] win_rustyrocket_auto (20260504 | Detects win.rustyrocket.)
rule win_rustyrocket_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rustyrocket."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustyrocket"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER (generator)
     * Every byte pattern below was picked automatically by YARA-Signator from
     * the disassembly of memory dumps and unpacked files; code and docs live at
     * https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for a number of families only a single
     * sample is documented, so these patterns may generalize poorly. Keep the
     * generation method in mind when assigning confidence to hits.
     */

    /* REVIEWER NOTES
     * - The patterns are x86-64 machine code (REX prefixes 48/49/4C/4D, r8-r14),
     *   so this rule cannot fire on a 32-bit build of the family.
     * - There is deliberately no MZ/PE header or filetype guard: the sequences
     *   come from memory dumps and unpacked files, and the rule is meant to be run
     *   against those. A packed/obfuscated sample on disk may not match at all;
     *   scan memory or an unpacked copy before concluding "not RustyRocket".
     * - $sequence_0 copies rcx into rsi right after a push/push/push/sub-rsp
     *   prologue, which is consistent with the Windows x64 calling convention.
     *   Despite the family shipping a Linux variant, this rule is presumably
     *   Windows-only in practice - TODO confirm against an ELF sample.
     * - The per-instruction decodes below replace the generator's original
     *   annotations, which were 32-bit decodes that had drifted out of alignment
     *   with the byte columns (e.g. 83 F9 09 is "cmp ecx, 9", not an xor).
     *   ?? bytes are rel32/disp32 operands left as wildcards by the generator.
     * - The 7-of-10 threshold is the generator's default. Several sequences are
     *   generic compiler output (prologues, stack spills, xmm copies), so lowering
     *   the threshold will likely raise false positives on other Rust binaries.
     */

    strings:
        // n = 7, score = 100
        $sequence_0 = { 8B 50 08 E9 ?? ?? ?? ?? 56 57 53 48 83 EC 40 48 89 CE }
            //   8B 50 08                   mov     edx, dword ptr [rax + 8]
            //   E9 ?? ?? ?? ??             jmp     rel32
            //   56                         push    rsi
            //   57                         push    rdi
            //   53                         push    rbx
            //   48 83 EC 40                sub     rsp, 0x40
            //   48 89 CE                   mov     rsi, rcx

        // n = 7, score = 100
        $sequence_1 = { F0 48 FF 08 75 0C 48 8B 8F 48 01 00 00 E8 ?? ?? ?? ?? 48 B8 02 00 00 00 00 00 00 80 48 39 47 68 74 0C }
            //   F0 48 FF 08                lock dec qword ptr [rax]
            //   75 0C                      jne     short +0x0c
            //   48 8B 8F 48 01 00 00       mov     rcx, qword ptr [rdi + 0x148]
            //   E8 ?? ?? ?? ??             call    rel32
            //   48 B8 02 00 .. 00 80       movabs  rax, 0x8000000000000002
            //   48 39 47 68                cmp     qword ptr [rdi + 0x68], rax
            //   74 0C                      je      short +0x0c

        // n = 7, score = 100
        $sequence_2 = { FF 15 ?? ?? ?? ?? 31 C0 48 89 84 24 B0 01 00 00 48 C7 84 24 B8 01 00 00 01 00 00 00 48 89 84 24 C0 01 00 00 80 7C 24 37 00 74 52 }
            //   FF 15 ?? ?? ?? ??          call    qword ptr [rip + disp32]
            //   31 C0                      xor     eax, eax
            //   48 89 84 24 B0 01 00 00    mov     qword ptr [rsp + 0x1b0], rax
            //   48 C7 84 24 B8 01 00 00 01 00 00 00
            //                              mov     qword ptr [rsp + 0x1b8], 1
            //   48 89 84 24 C0 01 00 00    mov     qword ptr [rsp + 0x1c0], rax
            //   80 7C 24 37 00             cmp     byte ptr [rsp + 0x37], 0
            //   74 52                      je      short +0x52

        // n = 7, score = 100
        $sequence_3 = { E8 ?? ?? ?? ?? 48 8B BC 24 80 00 00 00 44 8B 74 24 3C EB 12 48 8B 4C 24 48 48 8D 94 24 90 00 00 00 E8 ?? ?? ?? ?? }
            //   E8 ?? ?? ?? ??             call    rel32
            //   48 8B BC 24 80 00 00 00    mov     rdi, qword ptr [rsp + 0x80]
            //   44 8B 74 24 3C             mov     r14d, dword ptr [rsp + 0x3c]
            //   EB 12                      jmp     short +0x12
            //   48 8B 4C 24 48             mov     rcx, qword ptr [rsp + 0x48]
            //   48 8D 94 24 90 00 00 00    lea     rdx, [rsp + 0x90]
            //   E8 ?? ?? ?? ??             call    rel32

        // n = 7, score = 100
        $sequence_4 = { C3 83 F9 09 75 1B 89 D8 25 00 FF 00 00 0F B7 C0 3D 00 03 00 00 }
            //   C3                         ret
            //   83 F9 09                   cmp     ecx, 9
            //   75 1B                      jne     short +0x1b
            //   89 D8                      mov     eax, ebx
            //   25 00 FF 00 00             and     eax, 0xff00
            //   0F B7 C0                   movzx   eax, ax
            //   3D 00 03 00 00             cmp     eax, 0x300

        // n = 7, score = 100
        $sequence_5 = { EB 26 48 3B 44 24 20 4C 8B 44 24 28 0F 83 B3 01 00 00 48 6B C0 68 49 83 3C 00 00 0F 84 EA 01 00 00 }
            //   EB 26                      jmp     short +0x26
            //   48 3B 44 24 20             cmp     rax, qword ptr [rsp + 0x20]
            //   4C 8B 44 24 28             mov     r8, qword ptr [rsp + 0x28]
            //   0F 83 B3 01 00 00          jae     +0x1b3
            //   48 6B C0 68                imul    rax, rax, 0x68
            //   49 83 3C 00 00             cmp     qword ptr [r8 + rax], 0
            //   0F 84 EA 01 00 00          je      +0x1ea

        // n = 7, score = 100
        $sequence_6 = { EB 10 85 C0 0F 84 9C F4 FF FF 4C 8D 84 24 B0 00 00 00 41 C6 00 08 48 8D 05 AC 9F 14 00 48 89 44 24 20 }
            //   EB 10                      jmp     short +0x10
            //   85 C0                      test    eax, eax
            //   0F 84 9C F4 FF FF          je      -0xb64
            //   4C 8D 84 24 B0 00 00 00    lea     r8, [rsp + 0xb0]
            //   41 C6 00 08                mov     byte ptr [r8], 8
            //   48 8D 05 AC 9F 14 00       lea     rax, [rip + 0x149fac]
            //   48 89 44 24 20             mov     qword ptr [rsp + 0x20], rax

        // n = 7, score = 100
        $sequence_7 = { EB 33 0F 10 44 24 70 0F 10 8C 24 80 00 00 00 0F 29 4C 24 30 0F 29 44 24 20 0F 10 84 24 90 00 00 00 0F 10 8C 24 A0 00 00 00 }
            //   EB 33                      jmp     short +0x33
            //   0F 10 44 24 70             movups  xmm0, xmmword ptr [rsp + 0x70]
            //   0F 10 8C 24 80 00 00 00    movups  xmm1, xmmword ptr [rsp + 0x80]
            //   0F 29 4C 24 30             movaps  xmmword ptr [rsp + 0x30], xmm1
            //   0F 29 44 24 20             movaps  xmmword ptr [rsp + 0x20], xmm0
            //   0F 10 84 24 90 00 00 00    movups  xmm0, xmmword ptr [rsp + 0x90]
            //   0F 10 8C 24 A0 00 00 00    movups  xmm1, xmmword ptr [rsp + 0xa0]

        // n = 7, score = 100
        $sequence_8 = { BD 04 00 00 00 E9 ?? ?? ?? ?? B8 02 00 00 00 31 FF 41 BC 04 00 00 00 C7 44 24 2C 00 00 00 00 48 8D 15 0A 85 2A 00 }
            //   BD 04 00 00 00             mov     ebp, 4
            //   E9 ?? ?? ?? ??             jmp     rel32
            //   B8 02 00 00 00             mov     eax, 2
            //   31 FF                      xor     edi, edi
            //   41 BC 04 00 00 00          mov     r12d, 4
            //   C7 44 24 2C 00 00 00 00    mov     dword ptr [rsp + 0x2c], 0
            //   48 8D 15 0A 85 2A 00       lea     rdx, [rip + 0x2a850a]

        // n = 7, score = 100
        $sequence_9 = { BA 48 00 00 00 4C 8B 44 D4 40 4D 89 C1 49 C1 E9 08 4D 31 C1 49 21 C1 4D 31 C8 }
            //   BA 48 00 00 00             mov     edx, 0x48
            //   4C 8B 44 D4 40             mov     r8, qword ptr [rsp + rdx*8 + 0x40]
            //   4D 89 C1                   mov     r9, r8
            //   49 C1 E9 08                shr     r9, 8
            //   4D 31 C1                   xor     r9, r8
            //   49 21 C1                   and     r9, rax
            //   4D 31 C8                   xor     r8, r9

    condition:
        // Same threshold as "7 of them": all ten strings share the $sequence_ prefix.
        7 of ($sequence_*) and filesize < 6786048
}