win.amadey

Amadey


Amadey is a bot/loader family first observed around October 2018 and sold for roughly $500 on Russian-speaking underground forums. On a fixed interval it beacons host information, including the list of installed anti-virus products, to its C2 server and polls it for commands. Its core function is to load additional payloads (called "tasks") onto either every compromised host or a specifically targeted subset; the references below also document an optional credential-stealer plugin, its use as a delivery stage for other families (e.g. SmokeLoader, RedLine Stealer, LockBit 3.0) and its appearance in TA505 tooling reports.

References
2023-08-31 — Rapid7 Labs — Natalie Zargarov, Thomas Elkins, Evan McCann, Tyler McGraw
@online{zargarov:20230831:fake:4b8ef57, author = {Natalie Zargarov and Thomas Elkins and Evan McCann and Tyler McGraw}, title = {{Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers}}, date = {2023-08-31}, organization = {Rapid7 Labs}, url = {https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/}, language = {English}, urldate = {2023-09-04} } Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey IDAT Loader Lumma Stealer SectopRAT
2023-08-10 — Github (muha2xmad) — Muhammad Hasan Ali
@online{ali:20230810:amadey:5aed2ed, author = {Muhammad Hasan Ali}, title = {{Amadey configuration extractor}}, date = {2023-08-10}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb}, language = {English}, urldate = {2023-08-25} } Amadey configuration extractor
Amadey
2023-08-10 — Github (muha2xmad) — Muhammad Hasan Ali
@online{ali:20230810:amadey:2b2dafc, author = {Muhammad Hasan Ali}, title = {{Amadey string decryptor}}, date = {2023-08-10}, organization = {Github (muha2xmad)}, url = {https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py}, language = {English}, urldate = {2023-08-25} } Amadey string decryptor
Amadey
2023-07-25 — splunk — Splunk Threat Research Team
@online{team:20230725:amadey:cbe9d5b, author = {{Splunk Threat Research Team}}, title = {{Amadey Threat Analysis and Detections}}, date = {2023-07-25}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html}, language = {English}, urldate = {2023-07-27} } Amadey Threat Analysis and Detections
Amadey
2023-06-08 — Twitter (@embee_research) — Embee_research
@online{embeeresearch:20230608:practical:61d0677, author = {Embee\_research}, title = {{Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries}}, date = {2023-06-08}, organization = {Twitter (@embee\_research)}, url = {https://embee-research.ghost.io/shodan-censys-queries/}, language = {English}, urldate = {2023-06-09} } Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-05-19 — Twitter (@embee_research) — Embee_research
@online{embeeresearch:20230519:analysis:92de1d2, author = {Embee\_research}, title = {{Analysis of Amadey Bot Infrastructure Using Shodan}}, date = {2023-05-19}, organization = {Twitter (@embee\_research)}, url = {https://embee-research.ghost.io/amadey-bot-infrastructure/}, language = {English}, urldate = {2023-05-21} } Analysis of Amadey Bot Infrastructure Using Shodan
Amadey
2023-05-01 — Check Point Research — Check Point Research
@online{research:20230501:chain:855e7fa, author = {{Check Point Research}}, title = {{Chain Reaction: RokRAT's Missing Link}}, date = {2023-05-01}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/}, language = {English}, urldate = {2023-05-02} } Chain Reaction: RokRAT's Missing Link
Amadey RokRAT
2023-04-12 — Spamhaus — Spamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {{Spamhaus Malware Labs}}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-10 — Twitter (@embee_research) — Matthew
@online{matthew:20230410:redline:397ebbf, author = {Matthew}, title = {{Redline Stealer - Static Analysis and C2 Extraction}}, date = {2023-04-10}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/}, language = {English}, urldate = {2023-04-14} } Redline Stealer - Static Analysis and C2 Extraction
Amadey RedLine Stealer
2023-01-27 — cyble — The Cyber Express
@online{express:20230127:old:95851ce, author = {{The Cyber Express}}, title = {{Old Bot in New Bottle: Amadey Botnet Back in Action Via Phishing Sites}}, date = {2023-01-27}, organization = {cyble}, url = {https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/}, language = {English}, urldate = {2023-04-12} } Old Bot in New Bottle: Amadey Botnet Back in Action Via Phishing Sites
Amadey
2023-01-25 — cyble — Cyble
@online{cyble:20230125:rise:db7b864, author = {Cyble}, title = {{The Rise of Amadey Bot: A Growing Concern for Internet Security}}, date = {2023-01-25}, organization = {cyble}, url = {https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/}, language = {English}, urldate = {2023-04-12} } The Rise of Amadey Bot: A Growing Concern for Internet Security
Amadey
2022-12-22 — AhnLab — Sanseo
@online{sanseo:20221222:nitol:ad67d69, author = {Sanseo}, title = {{Nitol DDoS Malware Installing Amadey Bot}}, date = {2022-12-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/44504/}, language = {English}, urldate = {2023-03-20} } Nitol DDoS Malware Installing Amadey Bot
Amadey Nitol
2022-11-08 — AhnLab — ASEC
@online{asec:20221108:lockbit:6acb17e, author = {ASEC}, title = {{LockBit 3.0 Being Distributed via Amadey Bot}}, date = {2022-11-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/41450/}, language = {English}, urldate = {2022-11-09} } LockBit 3.0 Being Distributed via Amadey Bot
Amadey Gandcrab LockBit
2022-09-29 — Team Cymru — S2 Research Team
@online{team:20220929:seychelles:2d1a3c1, author = {{S2 Research Team}}, title = {{Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.}}, date = {2022-09-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore}, language = {English}, urldate = {2022-10-10} } Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-07-29 — Blackberry — BlackBerry Research & Intelligence Team
@online{team:20220729:smokeloader:628912d, author = {{BlackBerry Research \& Intelligence Team}}, title = {{SmokeLoader Malware Used to Augment Amadey Infostealer}}, date = {2022-07-29}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer}, language = {English}, urldate = {2022-08-22} } SmokeLoader Malware Used to Augment Amadey Infostealer
Amadey SmokeLoader
2022-07-21 — AhnLab — ASEC
@online{asec:20220721:amadey:1bbe53b, author = {ASEC}, title = {{Amadey Bot Being Distributed Through SmokeLoader}}, date = {2022-07-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/36634/}, language = {English}, urldate = {2023-03-20} } Amadey Bot Being Distributed Through SmokeLoader
Amadey SmokeLoader
2022-05-19 — Blackberry — The BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {{The BlackBerry Research \& Intelligence Team}}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-04-20 — cocomelonc — cocomelonc
@online{cocomelonc:20220420:malware:b20963e, author = {cocomelonc}, title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}}, date = {2022-04-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-03-31 — Trellix — John Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2021-11-02 — Minerva — Natalie Zargarov
@online{zargarov:20211102:underminer:f03f426, author = {Natalie Zargarov}, title = {{Underminer Exploit Kit: The More You Check The More Evasive You Become}}, date = {2021-11-02}, organization = {Minerva}, url = {https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become}, language = {English}, urldate = {2021-11-03} } Underminer Exploit Kit: The More You Check The More Evasive You Become
Amadey Oski Stealer RedLine Stealer UnderminerEK
2021-09-06 — cocomelonc — cocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2023-07-24} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-12 — Cisco Talos — Vanja Svajcer
@online{svajcer:20210812:signed:728ea8f, author = {Vanja Svajcer}, title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}}, date = {2021-08-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html}, language = {English}, urldate = {2021-08-20} } Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-07-08 — Medium walmartglobaltech — Jason Reaves, Harold Ogden
@online{reaves:20210708:amadey:0deeb3d, author = {Jason Reaves and Harold Ogden}, title = {{Amadey stealer plugin adds Mikrotik and Outlook harvesting}}, date = {2021-07-08}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4}, language = {English}, urldate = {2021-07-11} } Amadey stealer plugin adds Mikrotik and Outlook harvesting
Amadey
2021-04-12 — PTSecurity — PTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-31 — InfoSec Handlers Diary Blog — Xavier Mertens
@online{mertens:20210331:quick:56fcc20, author = {Xavier Mertens}, title = {{Quick Analysis of a Modular InfoStealer}}, date = {2021-03-31}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27264}, language = {English}, urldate = {2021-03-31} } Quick Analysis of a Modular InfoStealer
Amadey
2021-02-23 — CrowdStrike — CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-09 — Max Kersten's Blog — Max Kersten
@online{kersten:20210209:ghidra:0e7f66c, author = {Max Kersten}, title = {{Ghidra script to decrypt strings in Amadey 1.09}}, date = {2021-02-09}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/}, language = {English}, urldate = {2021-02-09} } Ghidra script to decrypt strings in Amadey 1.09
Amadey
2021-02-01 — Microstep Intelligence Bureau — Microstep online research response team
@online{team:20210201:analysis:203afe0, author = {{Microstep online research response team}}, title = {{Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait}}, date = {2021-02-01}, organization = {Microstep Intelligence Bureau}, url = {https://www.anquanke.com/post/id/230116}, language = {Chinese}, urldate = {2021-02-02} } Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait
Amadey
2021-01-18 — Medium csis-techblog — Benoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2020-06-22 — CERT-FR — CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution de l'activité du groupe cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution de l'activité du groupe cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-03-26 — Telekom — Thomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-02-28 — Financial Security Institute — Financial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {{Financial Security Institute}}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-05 — Cybereason — Lior Rochberger, Assaf Dahan
@online{rochberger:20200205:hole:b982e31, author = {Lior Rochberger and Assaf Dahan}, title = {{The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware}}, date = {2020-02-05}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware}, language = {English}, urldate = {2020-02-09} } The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar
2020-01-08 — Blackberry — Masaki Kasuya
@online{kasuya:20200108:threat:3efa417, author = {Masaki Kasuya}, title = {{Threat Spotlight: Amadey Bot Targets Non-Russian Users}}, date = {2020-01-08}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot}, language = {English}, urldate = {2022-01-12} } Threat Spotlight: Amadey Bot Targets Non-Russian Users
Amadey
2019-04-27 — nao_sec — nao_sec
@online{naosec:20190427:analyzing:27f1d35, author = {nao\_sec}, title = {{Analyzing Amadey}}, date = {2019-04-27}, organization = {nao\_sec}, url = {https://nao-sec.org/2019/04/Analyzing-amadey.html}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey
Amadey
2019-02-13 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20190213:analyzing:404862f, author = {Mr. Krabs}, title = {{Analyzing Amadey – a simple native malware}}, date = {2019-02-13}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/}, language = {English}, urldate = {2020-01-08} } Analyzing Amadey – a simple native malware
Amadey
2018-11-14 — Twitter (@0xffff0800) — 0xffff0800
@online{0xffff0800:20181114:amadey:e362501, author = {0xffff0800}, title = {{Tweet on Amadey C2}}, date = {2018-11-14}, organization = {Twitter (@0xffff0800)}, url = {https://twitter.com/0xffff0800/status/1062948406266642432}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey C2
Amadey
2018-11-13 — Twitter (@ViriBack) — Dee
@online{dee:20181113:amadey:81d3bc6, author = {Dee}, title = {{Tweet on Amadey Malware}}, date = {2018-11-13}, organization = {Twitter (@ViriBack)}, url = {https://twitter.com/ViriBack/status/1062405363457118210}, language = {English}, urldate = {2020-01-07} } Tweet on Amadey Malware
Amadey
Yara Rules
[TLP:WHITE] win_amadey_auto (20230715 | Detects win.amadey.)
rule win_amadey_auto {

    /* Code-sequence signature for the Amadey bot/loader (Malpedia family
     * win.amadey), generated automatically by YARA-Signator (see the
     * DISCLAIMER below). Every $sequence_N string is a run of 32-bit x86
     * instruction bytes (ebp/esp/eax-based code) lifted from unpacked
     * samples; the `??` wildcards stand for bytes that vary between builds -
     * presumably call displacements (e8 ..) and address-sized immediates
     * (68 .., c7 04 24 .., c7 44 24 04 .., ff 15 ..).
     *
     * NOTE(review): because the sequences come from unpacked code and memory
     * dumps, this rule is meant for unpacked files and process memory, not
     * for packed droppers as they sit on disk - expect misses there.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.amadey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Per-sequence annotations: "n" is the number of instructions in the
     * sequence; "score" is the generator's ranking for the sequence
     * (higher presumably means it was seen in more of the reference
     * samples - confirm against the yara-signator documentation). The
     * disassembly printed under each string is informational only; YARA
     * matches on the hex bytes, not on the mnemonics.
     */
    strings:
        // $sequence_0 .. $sequence_7 (score 700) pass call arguments with
        // `mov dword ptr [esp], ...` rather than `push`. That argument style
        // is typical of GCC/MinGW output - TODO confirm against the compiler
        // of the reference samples; the lower-scored sequences below use
        // `push`, which hints at a second, differently built lineage.
        $sequence_0 = { 8945f4 837df408 744f 8d85e8fdffff 890424 e8???????? c70424???????? }
            // n = 7, score = 700
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df408             | cmp                 dword ptr [ebp - 0xc], 8
            //   744f                 | je                  0x51
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c70424????????       |                     

        $sequence_1 = { c745fc00000000 e8???????? 84c0 750c c7042401000000 e8???????? e8???????? }
            // n = 7, score = 700
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   750c                 | jne                 0xe
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 89442404 891424 e8???????? 85c0 7510 8b45fc 40 }
            // n = 7, score = 700
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891424               | mov                 dword ptr [esp], edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   40                   | inc                 eax

        $sequence_3 = { 890424 e8???????? c7042400000000 e8???????? 81c424040000 }
            // n = 5, score = 700
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     
            //   81c424040000         | add                 esp, 0x424

        $sequence_4 = { e8???????? 8945f4 837df40a 0f842e010000 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837df40a             | cmp                 dword ptr [ebp - 0xc], 0xa
            //   0f842e010000         | je                  0x134

        $sequence_5 = { e8???????? c7442404???????? 8b4508 890424 e8???????? 85c0 7e75 }
            // n = 7, score = 700
            //   e8????????           |                     
            //   c7442404????????     |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7e75                 | jle                 0x77

        $sequence_6 = { 890424 e8???????? c7042401000000 e8???????? 89442404 8d85e8fbffff 890424 }
            // n = 7, score = 700
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   c7042401000000       | mov                 dword ptr [esp], 1
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85e8fbffff         | lea                 eax, [ebp - 0x418]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_7 = { e8???????? 8b4508 c60000 c9 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c60000               | mov                 byte ptr [eax], 0
            //   c9                   | leave               

        $sequence_8 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 }
            // n = 5, score = 500
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        // NOTE(review): the `cmp edx, 0x10` / `jb` pairs in $sequence_9, _13,
        // _14, _15, _17 and _18, together with the `mov [..], 0` /
        // `mov [..], 0xf` / `mov byte ptr [..], 0` triples in _13, _17 and
        // _18, look like the MSVC std::string small-buffer idiom (capacity 15,
        // heap storage at or above 0x10). If so, these bytes are emitted for
        // any MSVC C++ program and carry little family-specific signal on
        // their own - confirm before weighting hits that rest mostly on them.
        $sequence_9 = { 83fa10 722f 8b8d78feffff 42 8bc1 81fa00100000 7214 }
            // n = 7, score = 500
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7214                 | jb                  0x16

        $sequence_10 = { 52 51 e8???????? 83c408 8b955cfeffff }
            // n = 5, score = 400
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b955cfeffff         | mov                 edx, dword ptr [ebp - 0x1a4]

        $sequence_11 = { 50 68???????? 83ec18 8bcc 68???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   68????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     

        $sequence_12 = { 8b7dfc 8d4201 3bcb 7ccb 837e1410 }
            // n = 5, score = 400
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   8d4201               | lea                 eax, [edx + 1]
            //   3bcb                 | cmp                 ecx, ebx
            //   7ccb                 | jl                  0xffffffcd
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10

        $sequence_13 = { 83c408 8b554c c7453000000000 c745340f000000 c6452000 83fa10 0f8204ffffff }
            // n = 7, score = 400
            //   83c408               | add                 esp, 8
            //   8b554c               | mov                 edx, dword ptr [ebp + 0x4c]
            //   c7453000000000       | mov                 dword ptr [ebp + 0x30], 0
            //   c745340f000000       | mov                 dword ptr [ebp + 0x34], 0xf
            //   c6452000             | mov                 byte ptr [ebp + 0x20], 0
            //   83fa10               | cmp                 edx, 0x10
            //   0f8204ffffff         | jb                  0xffffff0a

        // `push 0x3e8` (1000) followed by an indirect `call [imm32]` is
        // presumably a Sleep(1000) import call - verify in the samples.
        $sequence_14 = { 68e8030000 ff15???????? 8b551c 83fa10 7228 8b4d08 }
            // n = 6, score = 400
            //   68e8030000           | push                0x3e8
            //   ff15????????         |                     
            //   8b551c               | mov                 edx, dword ptr [ebp + 0x1c]
            //   83fa10               | cmp                 edx, 0x10
            //   7228                 | jb                  0x2a
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_15 = { 83fa10 722f 8b8d60feffff 42 }
            // n = 4, score = 400
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d60feffff         | mov                 ecx, dword ptr [ebp - 0x1a0]
            //   42                   | inc                 edx

        $sequence_16 = { 68???????? e8???????? 8d4db4 e8???????? 83c418 }
            // n = 5, score = 400
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_17 = { c78514feffff0f000000 c68500feffff00 83fa10 722f 8b8de8fdffff 42 }
            // n = 6, score = 300
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8de8fdffff         | mov                 ecx, dword ptr [ebp - 0x218]
            //   42                   | inc                 edx

        $sequence_18 = { 83c408 8b95fcfdffff c78510feffff00000000 c78514feffff0f000000 c68500feffff00 83fa10 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   8b95fcfdffff         | mov                 edx, dword ptr [ebp - 0x204]
            //   c78510feffff00000000     | mov    dword ptr [ebp - 0x1f0], 0
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0
            //   83fa10               | cmp                 edx, 0x10

    condition:
        // Fires when any 7 of the 19 sequences are present and the scanned
        // object is smaller than 520192 bytes (~508 KiB). The threshold is a
        // generator default, not a measured property of Amadey, so tune it
        // (or trade it for a higher string count) if you see false positives.
        // NOTE(review): `filesize` is undefined when YARA scans a process
        // instead of a file, and an undefined operand makes the whole
        // condition evaluate false - confirm the rule still fires in your
        // memory-scanning workflow, or drop the size clause for that use.
        7 of them and filesize < 520192
}