win.bankshot

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


There is no description at this point.

References
2022-09-10 | Malverse | greenplan
@online{greenplan:20220910:realizziamo:2eaa6a4, author = {greenplan}, title = {{Realizziamo un C&C Server in Python (Bankshot)}}, date = {2022-09-10}, organization = {Malverse}, url = {https://malverse.it/analisi-bankshot-copperhedge}, language = {Italian}, urldate = {2022-09-26} } Realizziamo un C&C Server in Python (Bankshot)
Bankshot
2022-04-18 | CISA | CISA, U.S. Department of the Treasury, FBI
@techreport{cisa:20220418:aa22108a:a0a81c6, author = {CISA and U.S. Department of the Treasury and FBI}, title = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}}, date = {2022-04-18}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf}, language = {English}, urldate = {2022-04-20} } AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)
FastCash Bankshot
2022-04-18 | CISA | CISA, FBI, U.S. Department of the Treasury
@online{cisa:20220418:alert:dcc72c0, author = {CISA and FBI and U.S. Department of the Treasury}, title = {{Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}}, date = {2022-04-18}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-108a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
Bankshot
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-06-23 | ReversingLabs | Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12 | US-CERT | US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13 | US-CERT | US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20221125 | Detects win.bankshot.)
rule win_bankshot_auto {

    // Provenance: auto-generated by yara-signator from Malpedia's win.bankshot samples.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.bankshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE on the per-sequence annotations
     * Each $sequence_N is a run of x86 opcode bytes; "??" wildcards mask operands
     * (typically absolute addresses / relocations) so the pattern survives
     * rebasing.  "n" is the number of instructions in the sequence.  "score" is
     * emitted by yara-signator; it presumably reflects how many reference
     * samples share the sequence -- confirm against the yara-signator docs before
     * using it as a confidence weight.
     * The "| mnemonic" column is yara-signator's disassembly annotation.  For
     * $sequence_0 and $sequence_1 it matches the bytes, but from $sequence_2
     * onward many lines visibly do not correspond to the opcode on the same line
     * (e.g. 0f85a5010000 is a jne rel32, not a mov), so treat the hex bytes as
     * authoritative and the mnemonics as unreliable.
     * Sequences whose bytes carry REX prefixes (48/49/4c/4d/41 in $sequence_18,
     * _19, _20, _25, _27, _37, _39, _43) are 64-bit code, presumably from a
     * 64-bit build of the family; the others are 32-bit.
     */

    strings:
        $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 }
            // n = 7, score = 300
            //   8bf8                 | mov                 edi, eax
            //   8d5101               | lea                 edx, [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   57                   | push                edi

        $sequence_1 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 }
            // n = 6, score = 300
            //   8bec                 | mov                 ebp, esp
            //   81ec48040000         | sub                 esp, 0x448
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   53                   | push                ebx

        $sequence_2 = { 0f85a5010000 c7856038ffff01000000 e9???????? ff15???????? }
            // n = 4, score = 200
            //   0f85a5010000         | mov                 dword ptr [ebp - 0x208], edx
            //   c7856038ffff01000000     | jmp    0xffffffa3
            //   e9????????           |                     
            //   ff15????????         |                     

        $sequence_3 = { 6a00 68e9fd0000 ff15???????? 33c0 66890477 8d85ec7dffff 68???????? }
            // n = 7, score = 200
            //   6a00                 | sub                 esp, 0x448
            //   68e9fd0000           | xor                 eax, ebp
            //   ff15????????         |                     
            //   33c0                 | mov                 dword ptr [ebp - 8], eax
            //   66890477             | push                ebx
            //   8d85ec7dffff         | mov                 ebp, esp
            //   68????????           |                     

        $sequence_4 = { 8a87bce10110 08441619 42 0fb64101 3bd0 }
            // n = 5, score = 200
            //   8a87bce10110         | mov                 eax, dword ptr [ebp + 8]
            //   08441619             | mov                 word ptr [eax + 0x172], cx
            //   42                   | mov                 eax, dword ptr [ebp + 8]
            //   0fb64101             | and                 dword ptr [eax + 0x34c], 0
            //   3bd0                 | jae                 0x15

        $sequence_5 = { 33cc e8???????? 8be5 5d c3 8b8c2494010000 b801000000 }
            // n = 7, score = 200
            //   33cc                 | push                ebx
            //   e8????????           |                     
            //   8be5                 | push                ebp
            //   5d                   | mov                 ebp, esp
            //   c3                   | sub                 esp, 0x448
            //   8b8c2494010000       | xor                 eax, ebp
            //   b801000000           | mov                 dword ptr [ebp - 8], eax

        $sequence_6 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | mov                 dword ptr [ebp - 0x1c], ecx
            //   89861c020000         | cmp                 dword ptr [eax + 0x1001e1c0], ebx
            //   8b45e0               | je                  0xf9
            //   8d4e0c               | inc                 ecx
            //   6a06                 | add                 eax, 0x30
            //   8d90c4e10110         | mov                 eax, edi

        $sequence_7 = { 0fb611 0fb6c0 eb17 81fa00010000 7313 8a87bce10110 }
            // n = 6, score = 200
            //   0fb611               | movzx               eax, al
            //   0fb6c0               | jmp                 0x19
            //   eb17                 | cmp                 edx, 0x100
            //   81fa00010000         | jae                 0x1b
            //   7313                 | mov                 al, byte ptr [edi + 0x1001e1bc]
            //   8a87bce10110         | or                  byte ptr [esi + edx + 0x19], al

        $sequence_8 = { 0f11840de43fffff 0f10840df43fffff 660fefc1 0f11840df43fffff 83c120 }
            // n = 5, score = 200
            //   0f11840de43fffff     | mov                 al, byte ptr [ecx]
            //   0f10840df43fffff     | inc                 ecx
            //   660fefc1             | test                al, al
            //   0f11840df43fffff     | jne                 3
            //   83c120               | push                edi

        $sequence_9 = { 83c40c e8???????? 99 b907000000 }
            // n = 4, score = 200
            //   83c40c               | mov                 al, byte ptr [edi + 0x1001e1bc]
            //   e8????????           |                     
            //   99                   | or                  byte ptr [esi + edx + 0x19], al
            //   b907000000           | inc                 edx

        $sequence_10 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 }
            // n = 7, score = 200
            //   8b4508               | movzx               eax, byte ptr [ecx + 1]
            //   c700????????         |                     
            //   8b4508               | push                edi
            //   898850030000         | xor                 edi, edi
            //   8b4508               | mov                 ecx, edi
            //   59                   | mov                 eax, edi
            //   c74048b8e40110       | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_11 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   57                   | jae                 0x1b
            //   33ff                 | mov                 al, byte ptr [edi + 0x1001e1bc]
            //   8bcf                 | mov                 eax, dword ptr [ebp + 8]
            //   8bc7                 | pop                 ecx
            //   894de4               | mov                 dword ptr [eax + 0x48], 0x1001e4b8
            //   3998c0e10110         | mov                 eax, dword ptr [ebp + 8]

        $sequence_12 = { a0???????? 88856638ffff ff15???????? 8a8d6438ffff }
            // n = 4, score = 200
            //   a0????????           |                     
            //   88856638ffff         | mov                 edi, eax
            //   ff15????????         |                     
            //   8a8d6438ffff         | lea                 edx, [ecx + 1]

        $sequence_13 = { 8b45fc 817848b8e40110 7409 ff7048 e8???????? 59 }
            // n = 6, score = 200
            //   8b45fc               | mov                 dword ptr [ebp - 0x1c], eax
            //   817848b8e40110       | cmp                 byte ptr [eax], 0
            //   7409                 | mov                 ecx, eax
            //   ff7048               | je                  0x3f
            //   e8????????           |                     
            //   59                   | mov                 al, byte ptr [ecx + 1]

        $sequence_14 = { 6915????????04010000 81c2???????? e8???????? 83c404 85c0 0f8427040000 }
            // n = 6, score = 200
            //   6915????????04010000     |     
            //   81c2????????         |                     
            //   e8????????           |                     
            //   83c404               | sub                 esp, 0x448
            //   85c0                 | xor                 eax, ebp
            //   0f8427040000         | mov                 dword ptr [ebp - 8], eax

        $sequence_15 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 }
            // n = 6, score = 200
            //   50                   | cmp                 cl, 0x79
            //   e8????????           |                     
            //   83c40c               | jg                  0x14
            //   6b45e430             | test                eax, eax
            //   8945e0               | jne                 0xffffff15
            //   8d80d0e10110         | lea                 eax, [ebx + 5]

        $sequence_16 = { c74048b8e40110 8b4508 6689486c 8b4508 }
            // n = 4, score = 200
            //   c74048b8e40110       | pop                 ecx
            //   8b4508               | mov                 dword ptr [eax + 0x48], 0x1001e4b8
            //   6689486c             | mov                 eax, dword ptr [ebp + 8]
            //   8b4508               | mov                 word ptr [eax + 0x6c], cx

        $sequence_17 = { 6a00 8b95acf7ffff 52 ff15???????? 89859cf7ffff }
            // n = 5, score = 100
            //   6a00                 | add                 esp, 0xc
            //   8b95acf7ffff         | cdq                 
            //   52                   | mov                 ecx, 7
            //   ff15????????         |                     
            //   89859cf7ffff         | add                 esp, 0xc

        $sequence_18 = { 488b05???????? 4833c4 488985a0030000 33f6 4c8bf9 4d8be8 }
            // n = 6, score = 100
            //   488b05????????       |                     
            //   4833c4               | dec                 eax
            //   488985a0030000       | mov                 ecx, ebx
            //   33f6                 | mov                 edx, dword ptr [ebx + 0x1afb0]
            //   4c8bf9               | dec                 eax
            //   4d8be8               | lea                 ecx, [0x7b38]

        $sequence_19 = { 488b442428 488b7c2438 4883c004 ffc6 4889442428 3bf3 0f8244ffffff }
            // n = 7, score = 100
            //   488b442428           | test                eax, eax
            //   488b7c2438           | je                  0x8b
            //   4883c004             | dec                 eax
            //   ffc6                 | mov                 eax, dword ptr [esp + 0x28]
            //   4889442428           | dec                 eax
            //   3bf3                 | mov                 edi, dword ptr [esp + 0x38]
            //   0f8244ffffff         | dec                 eax

        $sequence_20 = { 488d542444 4d8bcd 448bc7 498bcf c744242001000000 }
            // n = 5, score = 100
            //   488d542444           | dec                 eax
            //   4d8bcd               | mov                 ecx, eax
            //   448bc7               | dec                 eax
            //   498bcf               | xor                 eax, esp
            //   c744242001000000     | dec                 eax

        $sequence_21 = { 8917 894704 8b442448 33c9 40 33d2 }
            // n = 6, score = 100
            //   8917                 | mov                 ecx, 7
            //   894704               | idiv                ecx
            //   8b442448             | add                 esp, 0xc
            //   33c9                 | cdq                 
            //   40                   | mov                 ecx, 7
            //   33d2                 | add                 esp, 0xc

        $sequence_22 = { 68???????? 52 50 e8???????? 83c41c f7d8 }
            // n = 6, score = 100
            //   68????????           |                     
            //   52                   | idiv                ecx
            //   50                   | test                eax, eax
            //   e8????????           |                     
            //   83c41c               | mov                 dword ptr [esp + 0x18], edi
            //   f7d8                 | jle                 0xc3

        $sequence_23 = { 83c201 899598f8ffff 80bdbbf8ffff00 75bd 8d85fcfdffff }
            // n = 5, score = 100
            //   83c201               | idiv                ecx
            //   899598f8ffff         | xor                 eax, eax
            //   80bdbbf8ffff00       | mov                 edx, dword ptr [ebp - 0xc08]
            //   75bd                 | cmp                 dword ptr [edx + 4], 0
            //   8d85fcfdffff         | test                eax, eax

        $sequence_24 = { 89954cf3ffff 8b854cf3ffff 8a4801 888dadf3ffff }
            // n = 4, score = 100
            //   89954cf3ffff         | mov                 dword ptr [ebp - 0x20], eax
            //   8b854cf3ffff         | lea                 eax, [eax + 0x1001e1d0]
            //   8a4801               | mov                 dword ptr [ebp - 0x1c], eax
            //   888dadf3ffff         | cmp                 byte ptr [eax], 0

        $sequence_25 = { 410fb60b 80f962 7c0f 80f979 7f0a }
            // n = 5, score = 100
            //   410fb60b             | mov                 dword ptr [ebp + 0x3a0], eax
            //   80f962               | xor                 esi, esi
            //   7c0f                 | dec                 esp
            //   80f979               | mov                 edi, ecx
            //   7f0a                 | dec                 ebp

        $sequence_26 = { 68???????? ff15???????? 85c0 7e11 68???????? }
            // n = 5, score = 100
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | pop                 ecx
            //   7e11                 | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   68????????           |                     

        $sequence_27 = { 33d2 41b800040000 e8???????? 488d4c2450 33d2 41b804010000 }
            // n = 6, score = 100
            //   33d2                 | dec                 eax
            //   41b800040000         | lea                 edx, [ebx + 0x914]
            //   e8????????           |                     
            //   488d4c2450           | mov                 edx, 0x12345c
            //   33d2                 | dec                 ecx
            //   41b804010000         | mov                 ecx, ebp

        $sequence_28 = { 6a00 51 68e0ff0300 52 56 ff15???????? }
            // n = 6, score = 100
            //   6a00                 | cdq                 
            //   51                   | mov                 ecx, 7
            //   68e0ff0300           | add                 esp, 0xc
            //   52                   | cdq                 
            //   56                   | mov                 ecx, 7
            //   ff15????????         |                     

        $sequence_29 = { 50 57 ffd6 85c0 755f 8bf7 0f1f840000000000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   755f                 | jne                 0x61
            //   8bf7                 | mov                 esi, edi
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]

        $sequence_30 = { 56 57 68???????? 8bf9 899dd8f3ffff ffd3 68???????? }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   68????????           |                     
            //   8bf9                 | mov                 edi, ecx
            //   899dd8f3ffff         | mov                 dword ptr [ebp - 0xc28], ebx
            //   ffd3                 | call                ebx
            //   68????????           |                     

        $sequence_31 = { 68???????? 50 ff95dcf3ffff 8d8df8f3ffff 8bd8 }
            // n = 5, score = 100
            //   68????????           |                     
            //   50                   | push                eax
            //   ff95dcf3ffff         | call                dword ptr [ebp - 0xc24]
            //   8d8df8f3ffff         | lea                 ecx, [ebp - 0xc08]
            //   8bd8                 | mov                 ebx, eax

        $sequence_32 = { ff750c 33c0 394510 0f95c0 50 e8???????? 99 }
            // n = 7, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   33c0                 | xor                 eax, eax
            //   394510               | cmp                 dword ptr [ebp + 0x10], eax
            //   0f95c0               | setne               al
            //   50                   | push                eax
            //   e8????????           |                     
            //   99                   | cdq                 

        $sequence_33 = { 33c0 e9???????? 8b95f8f3ffff 837a0400 }
            // n = 4, score = 100
            //   33c0                 | cmp                 dword ptr [eax + 0x48], 0x1001e4b8
            //   e9????????           |                     
            //   8b95f8f3ffff         | je                  0x15
            //   837a0400             | push                dword ptr [eax + 0x48]

        $sequence_34 = { 85c0 897c2418 0f8ebd000000 33db 3bf3 0f84b3000000 33c0 }
            // n = 7, score = 100
            //   85c0                 | mov                 word ptr [eax + 0x6c], cx
            //   897c2418             | mov                 eax, dword ptr [ebp + 8]
            //   0f8ebd000000         | mov                 word ptr [eax + 0x172], cx
            //   33db                 | mov                 eax, dword ptr [ebp + 8]
            //   3bf3                 | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   0f84b3000000         | mov                 dword ptr [ebp - 0x20], eax
            //   33c0                 | lea                 eax, [eax + 0x1001e1d0]

        $sequence_35 = { c744242400000000 8b4704 8b1f 89442434 ff15???????? 8be8 }
            // n = 6, score = 100
            //   c744242400000000     | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4704               | cmp                 byte ptr [eax], 0
            //   8b1f                 | mov                 ecx, eax
            //   89442434             | add                 esp, 0xc
            //   ff15????????         |                     
            //   8be8                 | cdq                 

        $sequence_36 = { 396c2414 7423 b98b000000 33c0 }
            // n = 4, score = 100
            //   396c2414             | xor                 ebx, ebx
            //   7423                 | cmp                 esi, ebx
            //   b98b000000           | je                  0xc3
            //   33c0                 | xor                 eax, eax

        $sequence_37 = { ba5c341200 498bcd e8???????? e9???????? 488bc8 }
            // n = 5, score = 100
            //   ba5c341200           | jb                  0xffffff51
            //   498bcd               | dec                 eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   488bc8               | lea                 edx, [ebx + 0x20]

        $sequence_38 = { 51 ff15???????? 2385c0f3ffff 8985c0f3ffff 8b95ccf3ffff }
            // n = 5, score = 100
            //   51                   | cdq                 
            //   ff15????????         |                     
            //   2385c0f3ffff         | mov                 ecx, 7
            //   8985c0f3ffff         | idiv                ecx
            //   8b95ccf3ffff         | add                 esp, 0xc

        $sequence_39 = { eb05 4a8d543202 ff15???????? 4885c0 0f8482000000 }
            // n = 5, score = 100
            //   eb05                 | jmp                 7
            //   4a8d543202           | dec                 edx
            //   ff15????????         |                     
            //   4885c0               | lea                 edx, [edx + esi + 2]
            //   0f8482000000         | dec                 eax

        $sequence_40 = { e8???????? 68f0000000 8d83300e0000 6a00 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   68f0000000           | push                0xf0
            //   8d83300e0000         | lea                 eax, [ebx + 0xe30]
            //   6a00                 | push                0

        $sequence_41 = { 8bb5dcf2ffff 8b95d8f2ffff 8bca c1e902 f3a5 8bca }
            // n = 6, score = 100
            //   8bb5dcf2ffff         | jle                 0x13
            //   8b95d8f2ffff         | mov                 dword ptr [ebp - 0xcb4], edx
            //   8bca                 | mov                 eax, dword ptr [ebp - 0xcb4]
            //   c1e902               | mov                 cl, byte ptr [eax + 1]
            //   f3a5                 | mov                 byte ptr [ebp - 0xc53], cl
            //   8bca                 | lea                 eax, [ebp - 0x2290]

        $sequence_42 = { 66894c247a 0f57c0 66894c2468 8d8c2480000000 51 8d4c243c 660f13442440 }
            // n = 7, score = 100
            //   66894c247a           | mov                 word ptr [esp + 0x7a], cx
            //   0f57c0               | xorps               xmm0, xmm0
            //   66894c2468           | mov                 word ptr [esp + 0x68], cx
            //   8d8c2480000000       | lea                 ecx, [esp + 0x80]
            //   51                   | push                ecx
            //   8d4c243c             | lea                 ecx, [esp + 0x3c]
            //   660f13442440         | movlpd              qword ptr [esp + 0x40], xmm0

        $sequence_43 = { 488d5320 488bcb e8???????? 8b93b0af0100 488d0d387b0000 e8???????? 488d9314090000 }
            // n = 7, score = 100
            //   488d5320             | add                 eax, 4
            //   488bcb               | inc                 esi
            //   e8????????           |                     
            //   8b93b0af0100         | dec                 eax
            //   488d0d387b0000       | mov                 dword ptr [esp + 0x28], eax
            //   e8????????           |                     
            //   488d9314090000       | cmp                 esi, ebx

        $sequence_44 = { 88542458 c644245978 c644245ae1 c644245bdd c744240484140000 0f848d000000 }
            // n = 6, score = 100
            //   88542458             | mov                 dword ptr [esp + 0x24], 0
            //   c644245978           | mov                 eax, dword ptr [edi + 4]
            //   c644245ae1           | mov                 ebx, dword ptr [edi]
            //   c644245bdd           | mov                 dword ptr [esp + 0x34], eax
            //   c744240484140000     | mov                 ebp, eax
            //   0f848d000000         | mov                 dword ptr [edi], edx

    // Match when any 7 of the 45 sequences above are present; the size bound
    // (860160 bytes) keeps the rule from being evaluated against large files
    // and limits false positives on bulky binaries that happen to share
    // common compiler-generated snippets.  Because the sequences mix 32-bit
    // and 64-bit code, a single sample can only ever match the subset for its
    // own bitness; keep that in mind when tuning the threshold.
    condition:
        7 of them and filesize < 860160
}