win.santa_stealer

SantaStealer


According to Rapid7, this malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in memory to avoid file-based detection. Stolen data is compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted (plaintext) HTTP, which leaves the exfiltration traffic itself visible to network inspection even where no file artifact is written to disk.

References
2025-12-15 — Rapid7 — Milan Spinka
SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums
SantaStealer
Yara Rules
[TLP:WHITE] win_santa_stealer_auto (20260504 | Detects win.santa_stealer.)
rule win_santa_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.santa_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.santa_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        // TLP:WHITE is the pre-TLP-2.0 label; it corresponds to TLP:CLEAR in current FIRST TLP.
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE
     * Each $sequence_N below is a fixed run of x86-64 instruction bytes; "??"
     * wildcards the rel32 operand of call/jmp so the pattern survives relocation.
     * The per-line annotations shipped with the autogenerated rule did not line
     * up with the bytes they sat next to (e.g. "85c0" is test eax, eax, not
     * xor edi, edi), so they have been re-decoded here from the hex as x86-64.
     * Only the hex strings and the condition affect matching; the comments are
     * for the analyst reading the rule.
     */


    strings:
        $sequence_0 = { f6c208 0f840a010000 4d8b6f40 49634500 85c0 0f8efa000000 4c89842490000000 }
            // n = 7, score = 100
            //   f6c208               | test                dl, 8
            //   0f840a010000         | je                  +0x10a
            //   4d8b6f40             | mov                 r13, qword ptr [r15 + 0x40]
            //   49634500             | movsxd              rax, dword ptr [r13]
            //   85c0                 | test                eax, eax
            //   0f8efa000000         | jle                 +0xfa
            //   4c89842490000000     | mov                 qword ptr [rsp + 0x90], r8

        $sequence_1 = { 4c89d2 4889f9 e8???????? 4585ed 400f95c5 807f6700 752a }
            // n = 7, score = 100
            //   4c89d2               | mov                 rdx, r10
            //   4889f9               | mov                 rcx, rdi
            //   e8????????           | call                <rel32 wildcarded>
            //   4585ed               | test                r13d, r13d
            //   400f95c5             | setne               bpl
            //   807f6700             | cmp                 byte ptr [rdi + 0x67], 0
            //   752a                 | jne                 +0x2a

        $sequence_2 = { e8???????? 8b9424ac000000 4889c7 85d2 0f8827050000 0f8511060000 488bac24c8000000 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   8b9424ac000000       | mov                 edx, dword ptr [rsp + 0xac]
            //   4889c7               | mov                 rdi, rax
            //   85d2                 | test                edx, edx
            //   0f8827050000         | js                  +0x527
            //   0f8511060000         | jne                 +0x611
            //   488bac24c8000000     | mov                 rbp, qword ptr [rsp + 0xc8]

        $sequence_3 = { c744242000000000 ba47000000 e8???????? 0fb64761 4189e9 4c89e1 448b44244c }
            // n = 7, score = 100
            //   c744242000000000     | mov                 dword ptr [rsp + 0x20], 0
            //   ba47000000           | mov                 edx, 0x47
            //   e8????????           | call                <rel32 wildcarded>
            //   0fb64761             | movzx               eax, byte ptr [rdi + 0x61]
            //   4189e9               | mov                 r9d, ebp
            //   4c89e1               | mov                 rcx, r12
            //   448b44244c           | mov                 r8d, dword ptr [rsp + 0x4c]

        $sequence_4 = { e8???????? 4885c0 0f845dfbffff 488d0dafaf1700 e8???????? 4885c0 0f8448fbffff }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   4885c0               | test                rax, rax
            //   0f845dfbffff         | je                  -0x4a3
            //   488d0dafaf1700       | lea                 rcx, [rip + 0x17afaf]
            //   e8????????           | call                <rel32 wildcarded>
            //   4885c0               | test                rax, rax
            //   0f8448fbffff         | je                  -0x4b8

        $sequence_5 = { f20f10642428 f20f59d9 f20f59c2 f20f58c3 f20f58c4 f20f11442428 f20f10442420 }
            // n = 7, score = 100
            // Scalar double-precision arithmetic on the stack frame.
            //   f20f10642428         | movsd               xmm4, qword ptr [rsp + 0x28]
            //   f20f59d9             | mulsd               xmm3, xmm1
            //   f20f59c2             | mulsd               xmm0, xmm2
            //   f20f58c3             | addsd               xmm0, xmm3
            //   f20f58c4             | addsd               xmm0, xmm4
            //   f20f11442428         | movsd               qword ptr [rsp + 0x28], xmm0
            //   f20f10442420         | movsd               xmm0, qword ptr [rsp + 0x20]

        $sequence_6 = { e8???????? c744242000000000 488b942428010000 4531c9 4189c0 89842418010000 e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   c744242000000000     | mov                 dword ptr [rsp + 0x20], 0
            //   488b942428010000     | mov                 rdx, qword ptr [rsp + 0x128]
            //   4531c9               | xor                 r9d, r9d
            //   4189c0               | mov                 r8d, eax
            //   89842418010000       | mov                 dword ptr [rsp + 0x118], eax
            //   e8????????           | call                <rel32 wildcarded>

        $sequence_7 = { e8???????? b801000000 89db 488d15a5cb1500 0fb61c1a 01df 488d5638 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   b801000000           | mov                 eax, 1
            //   89db                 | mov                 ebx, ebx
            //   488d15a5cb1500       | lea                 rdx, [rip + 0x15cba5]
            //   0fb61c1a             | movzx               ebx, byte ptr [rdx + rbx]
            //   01df                 | add                 edi, ebx
            //   488d5638             | lea                 rdx, [rsi + 0x38]

        $sequence_8 = { c68424ad00000000 c78424cc00000000000000 0fb6bc2497000000 48c74030ffffffff e9???????? c684249600000000 c78424a800000000000000 }
            // n = 7, score = 100
            //   c68424ad00000000        | mov              byte ptr [rsp + 0xad], 0
            //   c78424cc00000000000000  | mov              dword ptr [rsp + 0xcc], 0
            //   0fb6bc2497000000        | movzx            edi, byte ptr [rsp + 0x97]
            //   48c74030ffffffff        | mov              qword ptr [rax + 0x30], -1
            //   e9????????              | jmp              <rel32 wildcarded>
            //   c684249600000000        | mov              byte ptr [rsp + 0x96], 0
            //   c78424a800000000000000  | mov              dword ptr [rsp + 0xa8], 0

        $sequence_9 = { e9???????? 4889bc24a0000000 488b4510 c78424ac00000064000000 f30f6f9424a0000000 0f1110 e9???????? }
            // n = 7, score = 100
            //   e9????????              | jmp              <rel32 wildcarded>
            //   4889bc24a0000000        | mov              qword ptr [rsp + 0xa0], rdi
            //   488b4510                | mov              rax, qword ptr [rbp + 0x10]
            //   c78424ac00000064000000  | mov              dword ptr [rsp + 0xac], 0x64
            //   f30f6f9424a0000000      | movdqu           xmm2, xmmword ptr [rsp + 0xa0]
            //   0f1110                  | movups           xmmword ptr [rax], xmm2
            //   e9????????              | jmp              <rel32 wildcarded>

    condition:
        // 7 of the 10 code sequences must be present; the size cap (~25.8 MiB)
        // bounds scan cost on large inputs. NOTE(review): per the YARA docs,
        // `filesize` is undefined when scanning a live process rather than a
        // file or dump, so confirm how this rule behaves in process-scanning
        // deployments before relying on it for in-memory detection.
        7 of them and filesize < 27009024
}