win.scoring_math_tea

ScoringMathTea

Actor(s): Lazarus Group


According to ESET Research, ScoringMathTea is a RAT that gives the attackers full control over the compromised machine. It first appeared in late 2022, when its dropper was uploaded to VirusTotal. Soon after it was seen in the wild, and it has since been used in multiple attacks attributed to Lazarus' Operation DreamJob campaigns, making it the group's payload of choice for three years now. It uses compromised servers for C&C communication; the server-side component is usually stored under the WordPress directory that holds design templates (themes) or plugins.

References
2025-11-17 | 0x0d4y | 0x0d4y
Nation-State Actor’s Arsenal: An In-Depth Look at Lazarus’ ScoringMathTea
ScoringMathTea
2025-10-23 | ESET Research | Alexis Rapin, Peter Kálnai
Gotta fly: Lazarus targets the UAV sector
BURNBOOK QuanPinLoader ScoringMathTea
Yara Rules
[TLP:WHITE] win_scoring_math_tea_auto (20260504 | Detects win.scoring_math_tea.)
rule win_scoring_math_tea_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.scoring_math_tea."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scoring_math_tea"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the matching logic below is unchanged)
     * - All ten byte sequences are x86-64 code (REX prefixes 0x41-0x4c appear
     *   throughout). The per-instruction comments below were re-derived as
     *   x86-64; the ones emitted by the generator decoded these bytes as
     *   32-bit code and did not line up with the byte strings, so they were
     *   replaced.
     * - "????????" wildcards stand for rel32 call targets and RIP-relative
     *   disp32 operands, which change with every build/relocation; the opcode
     *   bytes around them are what is actually matched.
     * - $sequence_4 and $sequence_9 look like statically linked runtime code
     *   (MSVC STL large-allocation path; CRT "*_errno() = ERANGE") rather than
     *   family-specific logic, so on their own they are weak indicators. The
     *   7-of-10 threshold keeps the rule from firing on them alone.
     * - Per the YARA docs, filesize is undefined when scanning a running
     *   process, so the "filesize < 881664" clause makes this rule a no-match
     *   on live-process scans (yara -p / yara-python pid=). Drop or guard the
     *   clause if that is your use case.
     * - Derived from a single sample (see DISCLAIMER): expect later variants to
     *   drift below the threshold. Use alongside the published ESET indicators
     *   rather than as the sole attribution signal.
     */


    strings:
        $sequence_0 = { 4903cf 66443921 75f7 8b05???????? 488d542430 8901 0fb705???????? }
            // n = 7, score = 100
            //   4903cf               | add                 rcx, r15
            //   66443921             | cmp                 word ptr [rcx], r12w
            //   75f7                 | jne                 short (rel8 -0x9)   (back-edge: 16-bit compare loop stepping rcx by r15)
            //   8b05????????         | mov                 eax, dword ptr [rip+disp32]   (wildcarded)
            //   488d542430           | lea                 rdx, [rsp+0x30]
            //   8901                 | mov                 dword ptr [rcx], eax
            //   0fb705????????       | movzx               eax, word ptr [rip+disp32]    (wildcarded)

        $sequence_1 = { 4885c0 74d1 488d4c2460 ffd0 b9ad2d0ca2 e8???????? 488d4c2448 }
            // n = 7, score = 100
            //   4885c0               | test                rax, rax
            //   74d1                 | je                  short (rel8 -0x2f)
            //   488d4c2460           | lea                 rcx, [rsp+0x60]
            //   ffd0                 | call                rax              (indirect call through the pointer just tested)
            //   b9ad2d0ca2           | mov                 ecx, 0xa20c2dad  (NOTE(review): constant fed to the next call; looks like a hash used for API resolution - unverified)
            //   e8????????           | call                rel32            (wildcarded)
            //   488d4c2448           | lea                 rcx, [rsp+0x48]

        $sequence_2 = { 4c8d8520030000 4c89642428 8bd7 488bce 4c89642420 c744246005010000 ff15???????? }
            // n = 7, score = 100
            //   4c8d8520030000       | lea                 r8, [rbp+0x320]
            //   4c89642428           | mov                 qword ptr [rsp+0x28], r12
            //   8bd7                 | mov                 edx, edi
            //   488bce               | mov                 rcx, rsi
            //   4c89642420           | mov                 qword ptr [rsp+0x20], r12
            //   c744246005010000     | mov                 dword ptr [rsp+0x60], 0x105   (0x105 = 261 = MAX_PATH+1; presumably an out-buffer length for the import call below - verify)
            //   ff15????????         | call                qword ptr [rip+disp32]        (import call, wildcarded)

        $sequence_3 = { 740d 418bcf e8???????? 488bce ffd0 418bc6 488b4d27 }
            // n = 7, score = 100
            //   740d                 | je                  short (rel8 +0xd)
            //   418bcf               | mov                 ecx, r15d
            //   e8????????           | call                rel32            (wildcarded)
            //   488bce               | mov                 rcx, rsi
            //   ffd0                 | call                rax
            //   418bc6               | mov                 eax, r14d
            //   488b4d27             | mov                 rcx, qword ptr [rbp+0x27]

        $sequence_4 = { 4881f900100000 7215 e8???????? 488bf8 eb19 493bc8 0f87c2000000 }
            // n = 7, score = 100
            //   4881f900100000       | cmp                 rcx, 0x1000
            //   7215                 | jb                  short (rel8 +0x15)
            //   e8????????           | call                rel32            (wildcarded)
            //   488bf8               | mov                 rdi, rax
            //   eb19                 | jmp                 short (rel8 +0x19)
            //   493bc8               | cmp                 rcx, r8
            //   0f87c2000000         | ja                  near (rel32 +0xc2)
            // NOTE(review): the size-vs-0x1000 split plus an unsigned compare-and-branch resembles the
            // MSVC STL allocator's large-block path; likely library code, weak indicator on its own.

        $sequence_5 = { 4c8d4c2450 488364242000 448bc7 ff15???????? 8b442450 eb09 c7431400000001 }
            // n = 7, score = 100
            //   4c8d4c2450           | lea                 r9, [rsp+0x50]
            //   488364242000         | and                 qword ptr [rsp+0x20], 0   (5th stack argument slot zeroed)
            //   448bc7               | mov                 r8d, edi
            //   ff15????????         | call                qword ptr [rip+disp32]    (import call, wildcarded)
            //   8b442450             | mov                 eax, dword ptr [rsp+0x50] (same slot r9 pointed at; presumably an out-parameter filled by the call)
            //   eb09                 | jmp                 short (rel8 +0x9)
            //   c7431400000001       | mov                 dword ptr [rbx+0x14], 0x1000000

        $sequence_6 = { 7423 8b5c2440 488bd5 015f5c 448bc3 8b4f60 e8???????? }
            // n = 7, score = 100
            //   7423                 | je                  short (rel8 +0x23)
            //   8b5c2440             | mov                 ebx, dword ptr [rsp+0x40]
            //   488bd5               | mov                 rdx, rbp
            //   015f5c               | add                 dword ptr [rdi+0x5c], ebx
            //   448bc3               | mov                 r8d, ebx
            //   8b4f60               | mov                 ecx, dword ptr [rdi+0x60]
            //   e8????????           | call                rel32            (wildcarded)

        $sequence_7 = { 420fb744f204 8987e8af0600 420fb744f206 8987dcaf0600 443bf5 7f07 66834e0404 }
            // n = 7, score = 100
            //   420fb744f204         | movzx               eax, word ptr [rdx+r14*8+0x4]
            //   8987e8af0600         | mov                 dword ptr [rdi+0x6afe8], eax
            //   420fb744f206         | movzx               eax, word ptr [rdx+r14*8+0x6]
            //   8987dcaf0600         | mov                 dword ptr [rdi+0x6afdc], eax
            //   443bf5               | cmp                 r14d, ebp
            //   7f07                 | jg                  short (rel8 +0x7)
            //   66834e0404           | or                  word ptr [rsi+0x4], 0x4
            // Copies two 16-bit fields of an 8-byte-stride table entry into a large object;
            // the 0x6afxx offsets are sample-specific and may shift between builds.

        $sequence_8 = { 44886591 e8???????? 488d5587 488bcf 4c8bf8 e8???????? 4c8bf0 }
            // n = 7, score = 100
            //   44886591             | mov                 byte ptr [rbp-0x6f], r12b
            //   e8????????           | call                rel32            (wildcarded)
            //   488d5587             | lea                 rdx, [rbp-0x79]
            //   488bcf               | mov                 rcx, rdi
            //   4c8bf8               | mov                 r15, rax
            //   e8????????           | call                rel32            (wildcarded)
            //   4c8bf0               | mov                 r14, rax

        $sequence_9 = { e8???????? c70022000000 e8???????? 488b8328090000 488db338090000 8bc8 }
            // n = 6, score = 100
            //   e8????????           | call                rel32            (wildcarded)
            //   c70022000000         | mov                 dword ptr [rax], 0x22   (0x22 = 34 = ERANGE)
            //   e8????????           | call                rel32            (wildcarded)
            //   488b8328090000       | mov                 rax, qword ptr [rbx+0x928]
            //   488db338090000       | lea                 rsi, [rbx+0x938]
            //   8bc8                 | mov                 ecx, eax
            // NOTE(review): "call; mov [rax], 0x22" is the CRT idiom for *_errno() = ERANGE, so this
            // fragment likely comes from statically linked runtime code; weak indicator on its own.

    condition:
        // Needs 7 of the 10 code fragments. filesize is undefined on live-process
        // scans, so that clause prevents a match there (see REVIEW NOTES above).
        7 of them and filesize < 881664
}