win.bankshot

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


No description has been written for this family yet. Bankshot is tracked here under the synonym COPPERHEDGE and attributed to Lazarus Group; the most detailed public write-up in the references below is CISA's MAR-10288834-1.v1 (AR20-133A), which documents COPPERHEDGE as a North Korean remote access tool.

References
2022-09-10 | Malverse | greenplan
@online{greenplan:20220910:realizziamo:2eaa6a4, author = {greenplan}, title = {{Realizziamo un C&C Server in Python (Bankshot)}}, date = {2022-09-10}, organization = {Malverse}, url = {https://malverse.it/analisi-bankshot-copperhedge}, language = {Italian}, urldate = {2022-09-26} } Realizziamo un C&C Server in Python (Bankshot)
Bankshot
2022-04-18 | CISA | CISA, U.S. Department of the Treasury, FBI
@techreport{cisa:20220418:aa22108a:a0a81c6, author = {CISA and U.S. Department of the Treasury and FBI}, title = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}}, date = {2022-04-18}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf}, language = {English}, urldate = {2022-04-20} } AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)
FastCash Bankshot
2022-04-18 | CISA | CISA, FBI, U.S. Department of the Treasury
@online{cisa:20220418:alert:dcc72c0, author = {CISA and FBI and U.S. Department of the Treasury}, title = {{Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}}, date = {2022-04-18}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-108a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
Bankshot
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-06-23 | ReversingLabs | Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12 | US-CERT | US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13 | US-CERT | US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20230125 | Detects win.bankshot.)
rule win_bankshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bankshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reviewer additions; the byte sequences and condition are unchanged)
     * - Mixed bitness: $sequence_20, 22, 25, 28, 30, 35 and 44 carry REX prefixes
     *   (0x41/0x44/0x45/0x48/0x49), so the reference set included at least one x64
     *   build; every other sequence is 32-bit code. A hit on the x64 sequences alone
     *   will not reach "7 of them".
     * - Several sequences embed absolute virtual addresses (0x1001e1c0, 0x1001e4b8,
     *   0x10017fc8, 0x1001f180, 0x1001bae8, 0x711854, 0x7188c8, ...). These are
     *   image-base dependent: a sample relinked at another base, or a memory dump taken
     *   at a different load address with relocations applied, will not match those
     *   bytes. The ?? wildcards mask only call/jmp targets and a few data references,
     *   not these constants.
     * - $sequence_0, 15, 25 and 39 are /GS stack-cookie prologue/epilogue code,
     *   $sequence_1 is an inlined strlen loop, and $sequence_17, 19 and 31 look like
     *   CRT low-I/O handle-table housekeeping. Such code is present in most MSVC-built
     *   binaries and carries little family-specific signal; the "7 of them" threshold
     *   is what keeps it from producing matches on its own.
     * - There is deliberately no MZ/PE header check (memory dumps and unpacked files
     *   are in scope), so the rule can be run on raw memory regions.
     * - A match is a triage lead, not attribution: corroborate with the indicators in
     *   CISA MAR-10288834-1.v1 before acting on it.
     * - The per-opcode comments below were re-derived from the byte sequences; the
     *   generator's original annotations were not aligned with the bytes they sat next to.
     */


    strings:
        $sequence_0 = { 81ec48040000 a1???????? 33c5 8945f8 53 }
            // n = 5, score = 300
            // /GS stack-cookie prologue (generic MSVC code, weak on its own)
            //   81ec48040000         | sub                 esp, 0x448
            //   a1????????           | mov                 eax, dword ptr [imm32]    ; presumably __security_cookie
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   53                   | push                ebx

        $sequence_1 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 }
            // n = 7, score = 300
            // inlined strlen: scan ecx until a NUL byte, then push the saved eax
            //   8bf8                 | mov                 edi, eax
            //   8d5101               | lea                 edx, [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 -7            ; back to "mov al, [ecx]"
            //   57                   | push                edi

        $sequence_2 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 }
            // n = 7, score = 200
            // compares a field of a 0x10000000-based data table against ebx (address-dependent)
            //   e9????????           | jmp                 rel32
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8bcf                 | mov                 ecx, edi
            //   8bc7                 | mov                 eax, edi
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   3998c0e10110         | cmp                 dword ptr [eax + 0x1001e1c0], ebx

        $sequence_3 = { 85d2 7e6a 83fa20 724a 251f000080 }
            // n = 5, score = 200
            // range check on edx against 0x20, then the compiler's signed "x % 32" idiom on eax
            //   85d2                 | test                edx, edx
            //   7e6a                 | jle                 +0x6a
            //   83fa20               | cmp                 edx, 0x20
            //   724a                 | jb                  +0x4a
            //   251f000080           | and                 eax, 0x8000001f

        $sequence_4 = { 4b 7515 8b45fc 817848b8e40110 7409 ff7048 e8???????? }
            // n = 7, score = 200
            // compares a pointer field at +0x48 with a fixed address (address-dependent) before passing it on
            //   4b                   | dec                 ebx
            //   7515                 | jne                 +0x15
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   817848b8e40110       | cmp                 dword ptr [eax + 0x48], 0x1001e4b8
            //   7409                 | je                  +9
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           | call                rel32

        $sequence_5 = { e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 }
            // n = 5, score = 200
            // indexes a table of 0x30-byte entries at a fixed address (address-dependent)
            //   e8????????           | call                rel32
            //   83c40c               | add                 esp, 0xc
            //   6b45e430             | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d80d0e10110         | lea                 eax, [eax + 0x1001e1d0]

        $sequence_6 = { 8d85ecfdffff 50 ff15???????? 8b35???????? b92e000000 }
            // n = 5, score = 200
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32]
            //   8b35????????         | mov                 esi, dword ptr [imm32]
            //   b92e000000           | mov                 ecx, 0x2e

        $sequence_7 = { e8???????? 83c40c e8???????? 99 b907000000 }
            // n = 5, score = 200
            // cdq + mov ecx,7 is the setup for a signed divide by 7 (the idiv itself is outside the sequence)
            //   e8????????           | call                rel32
            //   83c40c               | add                 esp, 0xc
            //   e8????????           | call                rel32
            //   99                   | cdq
            //   b907000000           | mov                 ecx, 7

        $sequence_8 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 }
            // n = 7, score = 200
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   89861c020000         | mov                 dword ptr [esi + 0x21c], eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8d4e0c               | lea                 ecx, [esi + 0xc]
            //   6a06                 | push                6
            //   8d90c4e10110         | lea                 edx, [eax + 0x1001e1c4]

        $sequence_9 = { 0f840e010000 680c400000 8d85e4bfffff 57 }
            // n = 4, score = 200
            // passes a 0x400c-byte stack buffer (at ebp-0x401c) plus a size
            //   0f840e010000         | je                  +0x10e
            //   680c400000           | push                0x400c
            //   8d85e4bfffff         | lea                 eax, [ebp - 0x401c]
            //   57                   | push                edi

        $sequence_10 = { 50 6a00 68e9fd0000 ffd7 33c0 6800000020 }
            // n = 6, score = 200
            // 0xfde9 = 65001 = CP_UTF8; looks like a MultiByteToWideChar/WideCharToMultiByte
            // call through the function pointer in edi — confirm against the sample
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ffd7                 | call                edi
            //   33c0                 | xor                 eax, eax
            //   6800000020           | push                0x20000000

        $sequence_11 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 }
            // n = 7, score = 200
            // initialises fields of the structure whose pointer is the first argument ([ebp+8]);
            // the stored pointer 0x1001e4b8 is address-dependent
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6689486c             | mov                 word ptr [eax + 0x6c], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66898872010000       | mov                 word ptr [eax + 0x172], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83a04c03000000       | and                 dword ptr [eax + 0x34c], 0

        $sequence_12 = { 33c9 85d2 7e78 83fa20 7259 }
            // n = 5, score = 200
            // same range check as $sequence_3 (edx vs 0x20) in another function
            //   33c9                 | xor                 ecx, ecx
            //   85d2                 | test                edx, edx
            //   7e78                 | jle                 +0x78
            //   83fa20               | cmp                 edx, 0x20
            //   7259                 | jb                  +0x59

        $sequence_13 = { 50 ff15???????? 89854038ffff 8b4308 0f10853838ffff c7854c38ffff01000000 56 }
            // n = 7, score = 200
            // very large frame (locals at ebp-0xc7c0); 16-byte copy via xmm0 of a field just above the saved result
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32]
            //   89854038ffff         | mov                 dword ptr [ebp - 0xc7c0], eax
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   0f10853838ffff       | movups              xmm0, xmmword ptr [ebp - 0xc7c8]
            //   c7854c38ffff01000000 | mov                 dword ptr [ebp - 0xc7b4], 1
            //   56                   | push                esi

        $sequence_14 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 }
            // n = 7, score = 200
            // same structure initialiser as $sequence_11 (first argument, pointer at +0x48)
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c700????????         | mov                 dword ptr [eax], imm32
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   898850030000         | mov                 dword ptr [eax + 0x350], ecx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   59                   | pop                 ecx
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8

        $sequence_15 = { 8bec 81ec280c0000 a1???????? 33c5 8945fc 898df8f3ffff }
            // n = 6, score = 100
            // /GS stack-cookie prologue of a function with a 0xc28-byte frame (generic)
            //   8bec                 | mov                 ebp, esp
            //   81ec280c0000         | sub                 esp, 0xc28
            //   a1????????           | mov                 eax, dword ptr [imm32]    ; presumably __security_cookie
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   898df8f3ffff         | mov                 dword ptr [ebp - 0xc08], ecx

        $sequence_16 = { 8b842440020000 53 6a00 6a02 }
            // n = 4, score = 100
            //   8b842440020000       | mov                 eax, dword ptr [esp + 0x240]
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   6a02                 | push                2

        $sequence_17 = { 8b0c8dc87f0110 80643128fd 5f 5e }
            // n = 4, score = 100
            // indexed lookup in a pointer table at fixed 0x10017fc8, then clearing bit 1 of a
            // byte at +0x28 of the entry; same table as $sequence_31 — looks like CRT low-I/O
            // handle-table code rather than family logic (address-dependent either way)
            //   8b0c8dc87f0110       | mov                 ecx, dword ptr [ecx*4 + 0x10017fc8]
            //   80643128fd           | and                 byte ptr [ecx + esi + 0x28], 0xfd
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_18 = { 6a00 52 6802000080 ff15???????? 85c0 7541 }
            // n = 6, score = 100
            // 0x80000002 = HKEY_LOCAL_MACHINE; argument order is consistent with a
            // RegOpenKeyEx/RegCreateKeyEx-style call — the callee is wildcarded, confirm
            //   6a00                 | push                0
            //   52                   | push                edx
            //   6802000080           | push                0x80000002
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax
            //   7541                 | jne                 +0x41

        $sequence_19 = { 50 6af6 ff15???????? 8b04bd80f10110 834c0318ff 33c0 eb16 }
            // n = 7, score = 100
            // -10 = STD_INPUT_HANDLE if the callee is GetStdHandle; together with the table
            // at 0x1001f180 and storing -1 (INVALID_HANDLE_VALUE) this reads like CRT stdio
            // handle initialisation — generic code, confirm
            //   50                   | push                eax
            //   6af6                 | push                -0xa
            //   ff15????????         | call                dword ptr [imm32]
            //   8b04bd80f10110       | mov                 eax, dword ptr [edi*4 + 0x1001f180]
            //   834c0318ff           | or                  dword ptr [ebx + eax + 0x18], 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   eb16                 | jmp                 +0x16

        $sequence_20 = { 0fb74582 440fb75d80 418bd3 6bd23c 03d0 8b05???????? 6bc03c }
            // n = 7, score = 100
            // x64. Two 16-bit locals scaled by 60 and summed — time arithmetic on WORD
            // fields (SYSTEMTIME-like) is plausible; confirm
            //   0fb74582             | movzx               eax, word ptr [rbp - 0x7e]
            //   440fb75d80           | movzx               r11d, word ptr [rbp - 0x80]
            //   418bd3               | mov                 edx, r11d
            //   6bd23c               | imul                edx, edx, 0x3c
            //   03d0                 | add                 edx, eax
            //   8b05????????         | mov                 eax, dword ptr [rip + disp32]
            //   6bc03c               | imul                eax, eax, 0x3c

        $sequence_21 = { 8b410c 56 85c0 894c2404 }
            // n = 4, score = 100
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx

        $sequence_22 = { 41b800020000 e8???????? 488d542430 41b93f000f00 }
            // n = 4, score = 100
            // x64. 0xf003f = KEY_ALL_ACCESS loaded into the 4th argument register —
            // consistent with a registry open/create with full access; confirm callee
            //   41b800020000         | mov                 r8d, 0x200
            //   e8????????           | call                rel32
            //   488d542430           | lea                 rdx, [rsp + 0x30]
            //   41b93f000f00         | mov                 r9d, 0xf003f

        $sequence_23 = { 8d4c247c 8d94242c010000 51 6a01 6a00 }
            // n = 5, score = 100
            //   8d4c247c             | lea                 ecx, [esp + 0x7c]
            //   8d94242c010000       | lea                 edx, [esp + 0x12c]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_24 = { 8945e8 837e0c00 0f84af000000 8b5df0 85db 7516 5f }
            // n = 7, score = 100
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   0f84af000000         | je                  +0xaf
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   85db                 | test                ebx, ebx
            //   7516                 | jne                 +0x16
            //   5f                   | pop                 edi

        $sequence_25 = { 4833c4 4889442440 488bd9 4889542428 488d542420 }
            // n = 5, score = 100
            // x64 /GS stack-cookie prologue (generic)
            //   4833c4               | xor                 rax, rsp
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   488bd9               | mov                 rbx, rcx
            //   4889542428           | mov                 qword ptr [rsp + 0x28], rdx
            //   488d542420           | lea                 rdx, [rsp + 0x20]

        $sequence_26 = { ffd3 6800080000 898560f2ffff 8d8570f2ffff 6a00 }
            // n = 5, score = 100
            //   ffd3                 | call                ebx
            //   6800080000           | push                0x800
            //   898560f2ffff         | mov                 dword ptr [ebp - 0xda0], eax
            //   8d8570f2ffff         | lea                 eax, [ebp - 0xd90]
            //   6a00                 | push                0

        $sequence_27 = { 85c0 750c ff15???????? 8985e4fcffff eb0c ff15???????? }
            // n = 6, score = 100
            // if/else on eax, each branch calling a different imported function
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 +0xc
            //   ff15????????         | call                dword ptr [imm32]
            //   8985e4fcffff         | mov                 dword ptr [ebp - 0x31c], eax
            //   eb0c                 | jmp                 +0xc
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_28 = { 4533c9 4533c0 4889b42438040000 ff15???????? ba08400000 b940000000 ff15???????? }
            // n = 7, score = 100
            // x64. (ecx=0x40, edx=0x4008) fits LocalAlloc/GlobalAlloc(LPTR|GPTR, 0x4008); confirm callee
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   4889b42438040000     | mov                 qword ptr [rsp + 0x438], rsi
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   ba08400000           | mov                 edx, 0x4008
            //   b940000000           | mov                 ecx, 0x40
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_29 = { 33c0 89442410 e9???????? 33f6 c744243001000000 33c0 89442410 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e9????????           | jmp                 rel32
            //   33f6                 | xor                 esi, esi
            //   c744243001000000     | mov                 dword ptr [esp + 0x30], 1
            //   33c0                 | xor                 eax, eax
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_30 = { 0f1f4000 410fb60b 80f962 7c0f }
            // n = 4, score = 100
            // x64. Aligned loop head classifying a byte against 'b' (0x62)
            //   0f1f4000             | nop                 dword ptr [rax]
            //   410fb60b             | movzx               ecx, byte ptr [r11]
            //   80f962               | cmp                 cl, 0x62
            //   7c0f                 | jl                  +0xf

        $sequence_31 = { 83e03f 6bc830 8b0495c87f0110 8b440818 }
            // n = 4, score = 100
            // (index & 0x3f) * 0x30 into a table at fixed 0x10017fc8 (same as $sequence_17) —
            // matches the shape of a CRT low-I/O handle lookup; generic and address-dependent
            //   83e03f               | and                 eax, 0x3f
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b0495c87f0110       | mov                 eax, dword ptr [edx*4 + 0x10017fc8]
            //   8b440818             | mov                 eax, dword ptr [eax + ecx + 0x18]

        $sequence_32 = { a1???????? c705????????01000000 85c0 a1???????? 0f848e000000 6a00 }
            // n = 6, score = 100
            // sets a global flag to 1 and branches on another global
            //   a1????????           | mov                 eax, dword ptr [imm32]
            //   c705????????01000000 | mov                 dword ptr [imm32], 1
            //   85c0                 | test                eax, eax
            //   a1????????           | mov                 eax, dword ptr [imm32]
            //   0f848e000000         | je                  +0x8e
            //   6a00                 | push                0

        $sequence_33 = { 8bf0 b84fecc44e f7ee c1fa03 8bca c1e91f 03d1 }
            // n = 7, score = 100
            // compiler magic-number division: 0x4ec4ec4f with sar 3 is ceil(2^35/26), i.e. signed x/26.
            // A divisor of 26 is what alphabet-indexed (random-letter) string generation produces;
            // plausible, confirm in the sample
            //   8bf0                 | mov                 esi, eax
            //   b84fecc44e           | mov                 eax, 0x4ec4ec4f
            //   f7ee                 | imul                esi
            //   c1fa03               | sar                 edx, 3
            //   8bca                 | mov                 ecx, edx
            //   c1e91f               | shr                 ecx, 0x1f
            //   03d1                 | add                 edx, ecx

        $sequence_34 = { 0f8595fcffff 8b8d9cf8ffff 85c9 0f8413050000 8b3c8d54187100 85ff 755d }
            // n = 7, score = 100
            // pointer-table lookup at fixed 0x711854 (EXE-range base, unlike the 0x100xxxxx DLL-range
            // constants elsewhere) — address-dependent
            //   0f8595fcffff         | jne                 -0x36b
            //   8b8d9cf8ffff         | mov                 ecx, dword ptr [ebp - 0x764]
            //   85c9                 | test                ecx, ecx
            //   0f8413050000         | je                  +0x513
            //   8b3c8d54187100       | mov                 edi, dword ptr [ecx*4 + 0x711854]
            //   85ff                 | test                edi, edi
            //   755d                 | jne                 +0x5d

        $sequence_35 = { ff15???????? 488d1536f70000 488d4c2420 488905???????? }
            // n = 4, score = 100
            // x64. Saves an import's return value to a global and prepares a rip-relative argument
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488d1536f70000       | lea                 rdx, [rip + 0xf736]
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   488905????????       | mov                 qword ptr [rip + disp32], rax

        $sequence_36 = { 8b45fc 8b0c85c8887100 8a06 46 8844392c 2bf2 }
            // n = 6, score = 100
            // byte copy into a table entry at fixed 0x7188c8 (address-dependent)
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b0c85c8887100       | mov                 ecx, dword ptr [eax*4 + 0x7188c8]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   46                   | inc                 esi
            //   8844392c             | mov                 byte ptr [ecx + edi + 0x2c], al
            //   2bf2                 | sub                 esi, edx

        $sequence_37 = { c644241c60 c644241d77 c644241e3e c644241f76 }
            // n = 4, score = 100
            // byte-by-byte stack buffer build ("`w>v"); not meaningful as plain text, so
            // presumably an encoded/obfuscated stack string — one of the more sample-specific sequences
            //   c644241c60           | mov                 byte ptr [esp + 0x1c], 0x60
            //   c644241d77           | mov                 byte ptr [esp + 0x1d], 0x77
            //   c644241e3e           | mov                 byte ptr [esp + 0x1e], 0x3e
            //   c644241f76           | mov                 byte ptr [esp + 0x1f], 0x76

        $sequence_38 = { 8d45d0 c745d020000000 50 8d45dc 50 6a05 }
            // n = 6, score = 100
            // passes an in/out size variable initialised to 0x20 plus a buffer and the constant 5
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   c745d020000000       | mov                 dword ptr [ebp - 0x30], 0x20
            //   50                   | push                eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   6a05                 | push                5

        $sequence_39 = { c78564ddffff00000000 8b8564ddffff 8b4dfc 33cd }
            // n = 4, score = 100
            // /GS stack-cookie check on function exit (reads the cookie stored at [ebp-4] by a prologue
            // like $sequence_15); generic
            //   c78564ddffff00000000 | mov                 dword ptr [ebp - 0x229c], 0
            //   8b8564ddffff         | mov                 eax, dword ptr [ebp - 0x229c]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp

        $sequence_40 = { 8bce 52 68???????? e8???????? b801000000 }
            // n = 5, score = 100
            //   8bce                 | mov                 ecx, esi
            //   52                   | push                edx
            //   68????????           | push                imm32
            //   e8????????           | call                rel32
            //   b801000000           | mov                 eax, 1

        $sequence_41 = { dd00 ebc6 c745e0e8ba0110 e9???????? c745e0f0ba0110 e9???????? c745e0f8ba0110 }
            // n = 7, score = 100
            // switch-like case bodies, each storing a pointer into an 8-byte-spaced table at 0x1001bae8
            // (the preceding fld suggests doubles); address-dependent
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc6                 | jmp                 -0x3a
            //   c745e0e8ba0110       | mov                 dword ptr [ebp - 0x20], 0x1001bae8
            //   e9????????           | jmp                 rel32
            //   c745e0f0ba0110       | mov                 dword ptr [ebp - 0x20], 0x1001baf0
            //   e9????????           | jmp                 rel32
            //   c745e0f8ba0110       | mov                 dword ptr [ebp - 0x20], 0x1001baf8

        $sequence_42 = { 51 e8???????? 83c40c c785a0f9ffff24020000 8d95a0f9ffff }
            // n = 5, score = 100
            // initialises a local structure's first dword to 0x224 (548) and takes its address —
            // 0x224 equals sizeof(MODULEENTRY32) for ANSI x86, so a Module32First/Next style
            // enumeration is plausible; confirm
            //   51                   | push                ecx
            //   e8????????           | call                rel32
            //   83c40c               | add                 esp, 0xc
            //   c785a0f9ffff24020000 | mov                 dword ptr [ebp - 0x660], 0x224
            //   8d95a0f9ffff         | lea                 edx, [ebp - 0x660]

        $sequence_43 = { ff15???????? 6a00 6a00 6a00 8b8568f8ffff }
            // n = 5, score = 100
            //   ff15????????         | call                dword ptr [imm32]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b8568f8ffff         | mov                 eax, dword ptr [ebp - 0x798]

        $sequence_44 = { 41018274af0100 4883c604 49ffcd 0f8577ffffff 85d2 0f84f4000000 488d0dc0a60000 }
            // n = 7, score = 100
            // x64. Tail of a counted loop accumulating into a field at r10+0x1af74, stepping rsi by 4
            //   41018274af0100       | add                 dword ptr [r10 + 0x1af74], eax
            //   4883c604             | add                 rsi, 4
            //   49ffcd               | dec                 r13
            //   0f8577ffffff         | jne                 -0x89
            //   85d2                 | test                edx, edx
            //   0f84f4000000         | je                  +0xf4
            //   488d0dc0a60000       | lea                 rcx, [rip + 0xa6c0]

    condition:
        // 7 of 45 sequences: tolerates variant/compiler drift while keeping the generic
        // CRT sequences (cookie prologues, strlen loop, handle-table lookups) from matching
        // on their own. Scores (100..300) record how many reference samples carried a
        // sequence. The filesize bound applies to file scans; check what your scanner
        // reports as filesize for process/memory scans before relying on it there.
        7 of them and filesize < 860160
}