win.bazarbackdoor

BazarBackdoor

aka: BEERBOT, KEGTAP, Team9Backdoor, bazaloader, bazarloader

Actor(s): UNC1878


BazarBackdoor is a small backdoor, probably written by a TrickBot "spin-off" group, like Anchor. It is called team9 backdoor (and the corresponding loader: team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), hence the name. FireEye uses KEGTAP as the name for BazarLoader and BEERBOT for BazarBackdoor.

References
2021-07-14 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20210714:bazarbackdoor:b63046e, author = {Ionut Ilascu}, title = {{BazarBackdoor sneaks in through nested RAR and ZIP archives}}, date = {2021-07-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/}, language = {English}, urldate = {2021-07-26} } BazarBackdoor sneaks in through nested RAR and ZIP archives
BazarBackdoor
2021-06-16 | Proofpoint | Selena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-05-19 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20210519:bazarcall:60c6562, author = {Brad Duncan}, title = {{BazarCall: Call Centers Help Spread BazarLoader Malware}}, date = {2021-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-malware/}, language = {English}, urldate = {2021-05-20} } BazarCall: Call Centers Help Spread BazarLoader Malware
BazarBackdoor campoloader
2021-05-19 | Intel 471 | Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-11 | Mal-Eats | mal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10 | Mal-Eats | mal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-15 | SophosLabs Uncut | Andrew Brandt
@online{brandt:20210415:bazarloader:93400a1, author = {Andrew Brandt}, title = {{BazarLoader deploys a pair of novel spam vectors}}, date = {2021-04-15}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors}, language = {English}, urldate = {2021-04-16} } BazarLoader deploys a pair of novel spam vectors
BazarBackdoor
2021-04-14 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-12 | Trend Micro | Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-06 | Intel 471 | Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-03-30 | YouTube (malware-traffic-analysis.net) | Brad Duncan
@online{duncan:20210330:20210329:bf22ea0, author = {Brad Duncan}, title = {{2021-03-29 BazaCall (BazarCall) Example}}, date = {2021-03-30}, organization = {YouTube ( malware-traffic-analysis.net)}, url = {https://www.youtube.com/watch?v=uAkeXCYcl4Y}, language = {English}, urldate = {2021-03-31} } 2021-03-29 BazaCall (BazarCall) Example
BazarBackdoor
2021-03-30 | FR3D.HK | Fred HK
@online{hk:20210330:campo:bf657d8, author = {Fred HK}, title = {{Campo Loader - Simple but effective}}, date = {2021-03-30}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/campo-loader-simple-but-effective}, language = {English}, urldate = {2021-04-09} } Campo Loader - Simple but effective
BazarBackdoor
2021-03-21 | Blackberry | Blackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-08 | The DFIR Report | The DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-01 | Medium walmartglobaltech | Joshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-25 | ANSSI | CERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-12 | Fortinet | Xiaopeng Zhang
@online{zhang:20210212:new:0be729d, author = {Xiaopeng Zhang}, title = {{New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II}}, date = {2021-02-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II}, language = {English}, urldate = {2021-02-20} } New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II
BazarBackdoor
2021-02-12 | Fortinet | Xiaopeng Zhang
@online{zhang:20210212:new:4e0dab7, author = {Xiaopeng Zhang}, title = {{New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I}}, date = {2021-02-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I}, language = {English}, urldate = {2021-02-20} } New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
BazarBackdoor
2021-02-11 | Proofpoint | Proofpoint Threat Research Team
@online{team:20210211:baza:41ddf2c, author = {Proofpoint Threat Research Team}, title = {{A Baza Valentine’s Day}}, date = {2021-02-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day}, language = {English}, urldate = {2021-02-25} } A Baza Valentine’s Day
BazarBackdoor
2021-02-09 | Cofense | Zachary Bailey
@online{bailey:20210209:bazarbackdoors:a9cf426, author = {Zachary Bailey}, title = {{BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs}}, date = {2021-02-09}, organization = {Cofense}, url = {https://cofense.com/blog/bazarbackdoor-stealthy-infiltration}, language = {English}, urldate = {2021-02-09} } BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs
BazarBackdoor
2021-02-02 | CRONUP | Germán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01 | GoSecure | Lilly Chalupowski
@online{chalupowski:20210201:bazarloader:61a163a, author = {Lilly Chalupowski}, title = {{BazarLoader Mocks Researchers in December 2020 Malspam Campaign}}, date = {2021-02-01}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/}, language = {English}, urldate = {2021-02-02} } BazarLoader Mocks Researchers in December 2020 Malspam Campaign
BazarBackdoor
2021-01-31 | The DFIR Report | The DFIR Report
@online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28 | Huntress Labs | John Hammond
@techreport{hammond:20210128:analyzing:2f8dae2, author = {John Hammond}, title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}}, date = {2021-01-28}, institution = {Huntress Labs}, url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf}, language = {English}, urldate = {2021-01-29} } Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk
2021-01-28 | Hornetsecurity | Hornetsecurity Security Lab
@online{lab:20210128:bazarloaders:ee499c8, author = {Hornetsecurity Security Lab}, title = {{BazarLoader’s Elaborate Flower Shop Lure}}, date = {2021-01-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/}, language = {English}, urldate = {2021-01-29} } BazarLoader’s Elaborate Flower Shop Lure
BazarBackdoor
2021-01-23 | Johannes Bader's Blog | Johannes Bader
@online{bader:20210123:yet:1274cbe, author = {Johannes Bader}, title = {{Yet Another Bazar Loader DGA}}, date = {2021-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/yet-another-bazarloader-dga/}, language = {English}, urldate = {2021-01-25} } Yet Another Bazar Loader DGA
BazarBackdoor
2021-01-12 | Minerva Labs | MinervaLabs
@online{minervalabs:20210112:slamming:89461b1, author = {MinervaLabs}, title = {{Slamming The Backdoor On BazarLoader}}, date = {2021-01-12}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader}, language = {English}, urldate = {2021-01-21} } Slamming The Backdoor On BazarLoader
BazarBackdoor
2021-01-12 | Cybereason | Lior Rochberger
@online{rochberger:20210112:cybereason:5707e14, author = {Lior Rochberger}, title = {{Cybereason vs. Conti Ransomware}}, date = {2021-01-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware}, language = {English}, urldate = {2021-01-18} } Cybereason vs. Conti Ransomware
BazarBackdoor Conti
2021-01-06 | DomainTools | Joe Slowik
@online{slowik:20210106:holiday:6ef0c9d, author = {Joe Slowik}, title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}}, date = {2021-01-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident}, language = {English}, urldate = {2021-01-10} } Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot
2020-12-16 | Johannes Bader's Blog | Johannes Bader
@online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } Next Version of the Bazar Loader DGA
BazarBackdoor
2020-12-10 | Cybereason | Joakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-10 | Intel 471 | Intel 471
@online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } Trickbot down, but is it out?
BazarBackdoor TrickBot
2020-11-09 | Area 1 | Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-11-06 | Advanced Intelligence | Vitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05 | SCYTHE | Jorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } #ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-05 | The DFIR Report | The DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-04 | VMRay | Giovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-30 | Github (ThreatConnect-Inc) | ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-30 | Cofense | The Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a, author = {The Cofense Intelligence Team}, title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}}, date = {2020-10-30}, organization = {Cofense}, url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/}, language = {English}, urldate = {2020-11-02} } The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-29 | Twitter (@anthomsec) | Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-29 | Palo Alto Networks Unit 42 | Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-28 | CISA | CISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-28 | FireEye | Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-18 | The DFIR Report | The DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16 | CrowdStrike | The Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-13 | Hornetsecurity | Security Lab
@online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } BazarLoader Campaign with Fake Termination Emails
BazarBackdoor
2020-10-12 | Advanced Intelligence | Roman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08 | The DFIR Report | The DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02 | Health Sector Cybersecurity Coordination Center (HC3) | Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-09-29 | Zscaler | Mohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-07-16 | Cybereason | Daniel Frank, Mary Zhao, Assaf Dahan
@techreport{frank:20200716:bazar:1349d7d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)}}, date = {2020-07-16}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf}, language = {English}, urldate = {2021-05-08} } A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)
BazarBackdoor
2020-07-16 | Cybereason | Daniel Frank, Mary Zhao, Assaf Dahan
@online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } A Bazar of Tricks: Following Team9’s Development Cycles
BazarBackdoor
2020-07-15 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Defective Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-07-14 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-06-02 | NCC Group | Nikolaos Pantazopoulos, Stefano Antenucci
@online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-06-02 | Fox-IT | Nikolaos Pantazopoulos, Stefano Antenucci, NCC RIFT
@online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-05-19 | AlienLabs | Ofer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-27 | Trend Micro | Trend Micro
@online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } Group Behind TrickBot Spreads Fileless BazarBackdoor
BazarBackdoor
2020-04-24 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
BazarBackdoor
2020-04-24 | Vitali Kremez
@online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } TrickBot "BazarBackdoor" Process Hollowing Injection Primer
BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20210616 | Detects win.bazarbackdoor.)
rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.bazarbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bce 4889442420 ff15???????? 85c0 780a }
            // n = 5, score = 1100
            //   488bce               | dec                 esp
            //   4889442420           | mov                 esi, ecx
            //   ff15????????         |                     
            //   85c0                 | xor                 ebx, ebx
            //   780a                 | dec                 eax

        $sequence_1 = { 498bf0 488bea 4c8bf1 33db }
            // n = 4, score = 1100
            //   498bf0               | dec                 ecx
            //   488bea               | mov                 esi, eax
            //   4c8bf1               | dec                 eax
            //   33db                 | mov                 ebp, edx

        $sequence_2 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 1000
            //   7507                 | dec                 eax
            //   33c0                 | mov                 ecx, esi
            //   e9????????           |                     
            //   b8ff000000           | dec                 eax

        $sequence_3 = { 488905???????? 4885c0 750a b82c000000 e9???????? }
            // n = 5, score = 900
            //   488905????????       |                     
            //   4885c0               | dec                 eax
            //   750a                 | mov                 ecx, esi
            //   b82c000000           | dec                 eax
            //   e9????????           |                     

        $sequence_4 = { ffd0 488905???????? 4885c0 7507 }
            // n = 4, score = 900
            //   ffd0                 | js                  0x16
            //   488905????????       |                     
            //   4885c0               | dec                 eax
            //   7507                 | cwde                

        $sequence_5 = { 7406 488b11 ff5210 ff15???????? }
            // n = 4, score = 900
            //   7406                 | mov                 dword ptr [esp + 0x20], eax
            //   488b11               | test                eax, eax
            //   ff5210               | js                  0xe
            //   ff15????????         |                     

        $sequence_6 = { 750a b803000000 e9???????? 660f6f05???????? }
            // n = 4, score = 900
            //   750a                 | mov                 dword ptr [esp + 0x20], eax
            //   b803000000           | test                eax, eax
            //   e9????????           |                     
            //   660f6f05????????     |                     

        $sequence_7 = { ba01000000 33c9 41b8e6b5a12c 448d4a7d e8???????? }
            // n = 5, score = 900
            //   ba01000000           | mov                 eax, 0x100f
            //   33c9                 | dec                 eax
            //   41b8e6b5a12c         | mov                 ecx, esi
            //   448d4a7d             | dec                 eax
            //   e8????????           |                     

        $sequence_8 = { 488d95a0070000 488d442470 41b80f100000 488bce 4889442420 }
            // n = 5, score = 800
            //   488d95a0070000       | movzx               eax, al
            //   488d442470           | push                eax
            //   41b80f100000         | push                eax
            //   488bce               | mov                 eax, edx
            //   4889442420           | sar                 eax, 8

        $sequence_9 = { 4533c9 4889442428 488d95a0070000 488d442470 }
            // n = 4, score = 800
            //   4533c9               | movzx               eax, al
            //   4889442428           | movzx               eax, word ptr [edi]
            //   488d95a0070000       | push                eax
            //   488d442470           | call                ebx

        $sequence_10 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 }
            // n = 4, score = 700
            //   0fb70f               | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   0fb74f02             | test                eax, eax
            //   0fb7d8               | js                  0xc

        $sequence_11 = { 0fb74f02 0fb7d8 ff15???????? 0fb74f08 }
            // n = 4, score = 700
            //   0fb74f02             | dec                 eax
            //   0fb7d8               | cwde                
            //   ff15????????         |                     
            //   0fb74f08             | inc                 ecx

        $sequence_12 = { 7512 e8???????? c70016000000 e8???????? ebae }
            // n = 5, score = 600
            //   7512                 | mov                 edx, dword ptr [ecx]
            //   e8????????           |                     
            //   c70016000000         | call                dword ptr [edx + 0x10]
            //   e8????????           |                     
            //   ebae                 | je                  8

        $sequence_13 = { e8???????? 8bf8 85c0 0f84c4010000 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   8bf8                 | cmp                 bx, cx
            //   85c0                 | mov                 eax, dword ptr [ecx + 0x14]
            //   0f84c4010000         | or                  edi, 0xffffffff

        $sequence_14 = { 83e602 e8???????? c70022000000 85db }
            // n = 4, score = 600
            //   83e602               | cmp                 bx, ax
            //   e8????????           |                     
            //   c70022000000         | jb                  0xf9
            //   85db                 | lea                 ecx, dword ptr [eax + 0xa]

        $sequence_15 = { 3c20 7709 84c0 7431 }
            // n = 4, score = 600
            //   3c20                 | test                eax, eax
            //   7709                 | js                  0x16
            //   84c0                 | jne                 9
            //   7431                 | xor                 eax, eax

        $sequence_16 = { e8???????? 83f8ff 0f84ef010000 8b4da7 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83f8ff               | mov                 dword ptr [eax], 0x16
            //   0f84ef010000         | jmp                 0xffffffb6
            //   8b4da7               | cmp                 bx, ax

        $sequence_17 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   0fb74f08             | je                  8
            //   440fb7e8             | dec                 eax
            //   ff15????????         |                     

        $sequence_18 = { 663bd8 0f822c010000 8d480a 663bd9 72cc }
            // n = 5, score = 600
            //   663bd8               | dec                 eax
            //   0f822c010000         | mov                 edx, dword ptr [ecx]
            //   8d480a               | call                dword ptr [edx + 0x10]
            //   663bd9               | movzx               ecx, word ptr [edi]
            //   72cc                 | movzx               ecx, word ptr [edi + 2]

        $sequence_19 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 500
            //   c3                   | mov                 eax, dword ptr [esp + 0x88]
            //   0fb74c0818           | dec                 eax
            //   b80b010000           | mov                 eax, dword ptr [eax]
            //   663bc8               | dec                 eax

        $sequence_20 = { 6890010000 686a72995d 6a04 5a }
            // n = 4, score = 400
            //   6890010000           | jne                 0x3f
            //   686a72995d           | xor                 eax, eax
            //   6a04                 | mov                 eax, 0xff
            //   5a                   | je                  0x47

        $sequence_21 = { 75ef 8bd6 33c9 8a440c68 }
            // n = 4, score = 400
            //   75ef                 | dec                 eax
            //   8bd6                 | test                ecx, ecx
            //   33c9                 | je                  0x52
            //   8a440c68             | dec                 eax

        $sequence_22 = { ff15???????? 33c9 0fb7c0 41 663bf1 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   33c9                 | dec                 eax
            //   0fb7c0               | mov                 dword ptr [esp + 0x20], eax
            //   41                   | test                eax, eax
            //   663bf1               | js                  0x40

        $sequence_23 = { 50 0fb745ea 50 0fb745e8 50 68???????? e8???????? }
            // n = 7, score = 400
            //   50                   | mov                 eax, 0x100f
            //   0fb745ea             | dec                 eax
            //   50                   | mov                 ecx, esi
            //   0fb745e8             | dec                 eax
            //   50                   | mov                 dword ptr [esp + 0x20], eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_24 = { 03d0 eb05 88443c10 47 }
            // n = 4, score = 400
            //   03d0                 | js                  0x2c
            //   eb05                 | dec                 eax
            //   88443c10             | cwde                
            //   47                   | inc                 ecx

        $sequence_25 = { a3???????? 85c0 7507 6a38 }
            // n = 4, score = 400
            //   a3????????           |                     
            //   85c0                 | mov                 eax, 0x100f
            //   7507                 | dec                 eax
            //   6a38                 | mov                 ecx, esi

        $sequence_26 = { 6866f3a52c 42 e8???????? 59 }
            // n = 4, score = 400
            //   6866f3a52c           | dec                 eax
            //   42                   | mov                 edx, dword ptr [ecx]
            //   e8????????           |                     
            //   59                   | call                dword ptr [edx + 0x10]

        $sequence_27 = { 53 6a02 ff15???????? 83f801 }
            // n = 4, score = 300
            //   53                   | dec                 eax
            //   6a02                 | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   83f801               | test                eax, eax

        $sequence_28 = { 33d2 83c40c 8d4a01 3bf9 }
            // n = 4, score = 300
            //   33d2                 | test                eax, eax
            //   83c40c               | js                  0xc
            //   8d4a01               | inc                 ecx
            //   3bf9                 | mov                 eax, 0x100f

        $sequence_29 = { 6a04 68???????? ff15???????? 8bf8 83ffff }
            // n = 5, score = 300
            //   6a04                 | dec                 eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bf8                 | test                eax, eax
            //   83ffff               | je                  9

        $sequence_30 = { 0fb6c1 50 8bc2 c1f808 0fb6c0 }
            // n = 5, score = 300
            //   0fb6c1               | mov                 ecx, 0xbb8
            //   50                   | call                eax
            //   8bc2                 | dec                 ecx
            //   c1f808               | mov                 esi, eax
            //   0fb6c0               | dec                 eax

        $sequence_31 = { 83c410 b800308804 6a00 50 6a00 6a00 }
            // n = 6, score = 300
            //   83c410               | dec                 eax
            //   b800308804           | mov                 dword ptr [esp + 0x20], eax
            //   6a00                 | test                eax, eax
            //   50                   | js                  0x13
            //   6a00                 | inc                 ecx
            //   6a00                 | mov                 eax, 0x100f

        $sequence_32 = { 733c 8a02 3cc0 721e 0fb6c8 0fb64201 }
            // n = 6, score = 300
            //   733c                 | dec                 eax
            //   8a02                 | mov                 ecx, esi
            //   3cc0                 | dec                 eax
            //   721e                 | mov                 dword ptr [esp + 0x20], eax
            //   0fb6c8               | dec                 eax
            //   0fb64201             | mov                 ecx, esi

        $sequence_33 = { 745c 57 8d450c 50 ff7508 }
            // n = 5, score = 300
            //   745c                 | dec                 eax
            //   57                   | mov                 ecx, esi
            //   8d450c               | dec                 eax
            //   50                   | mov                 dword ptr [esp + 0x20], eax
            //   ff7508               | test                eax, eax

        $sequence_34 = { 53 8bd8 8d4b01 51 }
            // n = 4, score = 300
            //   53                   | je                  8
            //   8bd8                 | dec                 eax
            //   8d4b01               | mov                 edx, dword ptr [ecx]
            //   51                   | call                dword ptr [edx + 0x10]

        $sequence_35 = { 0f94c0 833d????????0a 0f9cc1 84c1 7543 30c1 0f849b000000 }
            // n = 7, score = 200
            //   0f94c0               | xor                 ecx, ecx
            //   833d????????0a       |                     
            //   0f9cc1               | dec                 eax
            //   84c1                 | mov                 dword ptr [esp + 0x28], eax
            //   7543                 | dec                 eax
            //   30c1                 | lea                 edx, dword ptr [ebp + 0x7a0]
            //   0f849b000000         | dec                 eax

        $sequence_36 = { 4c8d742430 49c70600000000 4c8d44242c 41c70000000000 4c89f2 4531c9 e8???????? }
            // n = 7, score = 200
            //   4c8d742430           | mov                 dword ptr [esp + 0x28], eax
            //   49c70600000000       | dec                 eax
            //   4c8d44242c           | lea                 edx, dword ptr [ebp + 0x7a0]
            //   41c70000000000       | dec                 eax
            //   4c89f2               | lea                 eax, dword ptr [esp + 0x70]
            //   4531c9               | inc                 ecx
            //   e8????????           |                     

        $sequence_37 = { 85d1 0f94c1 833d????????0a 0f9cc2 84ca 7526 30ca }
            // n = 7, score = 200
            //   85d1                 | dec                 eax
            //   0f94c1               | add                 eax, 0x28
            //   833d????????0a       |                     
            //   0f9cc2               | dec                 eax
            //   84ca                 | mov                 dword ptr [esp + 0x28], eax
            //   7526                 | dec                 eax
            //   30ca                 | mov                 eax, dword ptr [esp + 0x70]

        $sequence_38 = { ba01000000 41b8c613c449 41b999000000 e8???????? 4889f9 31d2 4989f0 }
            // n = 7, score = 200
            //   ba01000000           | lea                 eax, dword ptr [esp + 0x70]
            //   41b8c613c449         | inc                 ecx
            //   41b999000000         | mov                 eax, 0x100f
            //   e8????????           |                     
            //   4889f9               | inc                 ebp
            //   31d2                 | xor                 ecx, ecx
            //   4989f0               | dec                 eax

        $sequence_39 = { 0f8407020000 41807c240100 0f8596000000 c644246800 8b05???????? 8d48ff }
            // n = 6, score = 200
            //   0f8407020000         | dec                 eax
            //   41807c240100         | mov                 eax, dword ptr [eax]
            //   0f8596000000         | test                eax, eax
            //   c644246800           | jne                 0xb
            //   8b05????????         |                     
            //   8d48ff               | xor                 eax, eax

        $sequence_40 = { 41b8ff000000 31d2 e8???????? 8b05???????? 8d48ff 0fafc8 89c8 }
            // n = 7, score = 200
            //   41b8ff000000         | mov                 eax, 0x100f
            //   31d2                 | dec                 eax
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8d48ff               | mov                 ecx, esi
            //   0fafc8               | dec                 eax
            //   89c8                 | lea                 edx, dword ptr [ebp + 0x590]

        $sequence_41 = { 0f9cc0 83fa09 0f9fc2 38d8 0f85bdf6ffff 08ca 80f201 }
            // n = 7, score = 200
            //   0f9cc0               | dec                 eax
            //   83fa09               | mov                 ecx, esi
            //   0f9fc2               | test                eax, eax
            //   38d8                 | inc                 eax
            //   0f85bdf6ffff         | mov                 dword ptr [esp + 0x20], eax
            //   08ca                 | dec                 eax
            //   80f201               | mov                 eax, dword ptr [esp + 0x28]

        $sequence_42 = { 8d69ff 0fafe9 b9ffffffff 31cd 83cdfe 39cd 0f94c3 }
            // n = 7, score = 200
            //   8d69ff               | dec                 eax
            //   0fafe9               | mov                 eax, dword ptr [esp + 0x58]
            //   b9ffffffff           | dec                 eax
            //   31cd                 | arpl                word ptr [eax + 0x3c], ax
            //   83cdfe               | mov                 dword ptr [esp + 0x20], 0
            //   39cd                 | dec                 eax
            //   0f94c3               | mov                 eax, dword ptr [esp + 0x88]

        $sequence_43 = { 488b442430 488b4c2440 48894808 488b442438 0fb74016 2500200000 85c0 }
            // n = 7, score = 100
            //   488b442430           | test                edx, edx
            //   488b4c2440           | dec                 ecx
            //   48894808             | mov                 esi, eax
            //   488b442438           | dec                 eax
            //   0fb74016             | mov                 ebp, edx
            //   2500200000           | dec                 esp
            //   85c0                 | mov                 esi, ecx

        $sequence_44 = { 488b4c2438 4803c8 488bc1 4889442430 488b0424 }
            // n = 5, score = 100
            //   488b4c2438           | dec                 eax
            //   4803c8               | test                eax, eax
            //   488bc1               | je                  0x44
            //   4889442430           | dec                 eax
            //   488b0424             | arpl                word ptr [eax + 4], dx

        $sequence_45 = { 4889442428 488b842488000000 488b00 48b900000000ffffffff 488b4030 4823c1 4889442440 }
            // n = 7, score = 100
            //   4889442428           | mov                 ecx, esi
            //   488b842488000000     | dec                 eax
            //   488b00               | mov                 dword ptr [esp + 0x20], eax
            //   48b900000000ffffffff | test                eax, eax
            //   488b4030             | js                  0x16
            //   4823c1               | inc                 ecx
            //   4889442440           | mov                 eax, 0x100f

        $sequence_46 = { 0fb600 488b4c2410 0fb609 3bc1 7e0a }
            // n = 5, score = 100
            //   0fb600               | cwde                
            //   488b4c2410           | je                  8
            //   0fb609               | dec                 eax
            //   3bc1                 | mov                 edx, dword ptr [ecx]
            //   7e0a                 | call                dword ptr [edx + 0x10]

        $sequence_47 = { 488b4c2458 f77150 8bc2 85c0 751e 488b442460 8b4010 }
            // n = 7, score = 100
            //   488b4c2458           | dec                 eax
            //   f77150               | mov                 ecx, esi
            //   8bc2                 | dec                 eax
            //   85c0                 | mov                 dword ptr [esp + 0x20], eax
            //   751e                 | test                eax, eax
            //   488b442460           | js                  0x16
            //   8b4010               | dec                 eax

        $sequence_48 = { 4889442430 48837c243000 7504 33c0 eb59 488b442428 }
            // n = 6, score = 100
            //   4889442430           | dec                 eax
            //   48837c243000         | test                ecx, ecx
            //   7504                 | je                  8
            //   33c0                 | dec                 eax
            //   eb59                 | mov                 edx, dword ptr [ecx]
            //   488b442428           | call                dword ptr [edx + 0x10]

        $sequence_49 = { ff15???????? c744242000000000 e9???????? 488b842488000000 488b4c2458 48894810 488b842488000000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   c744242000000000     | dec                 eax
            //   e9????????           |                     
            //   488b842488000000     | cwde                
            //   488b4c2458           | inc                 ecx
            //   48894810             | mov                 eax, 0x100f
            //   488b842488000000     | dec                 eax

        $sequence_50 = { ffc0 89442420 488b442428 4883c028 4889442428 488b442470 488b00 }
            // n = 7, score = 100
            //   ffc0                 | dec                 eax
            //   89442420             | cwde                
            //   488b442428           | dec                 eax
            //   4883c028             | mov                 dword ptr [esp + 0x20], eax
            //   4889442428           | test                eax, eax
            //   488b442470           | js                  0xc
            //   488b00               | dec                 eax

    condition:
        7 of them and filesize < 507904
}