SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bazarbackdoor (Back to overview)

BazarBackdoor

aka: BEERBOT, KEGTAP, Team9Backdoor, bazaloader, bazarloader

Actor(s): UNC1878


BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like anchor. Its called team9 backdoor (and the corresponding loader: team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.

References
2021-10-08ZscalerTarun Dewan, Lenart Brave
@online{dewan:20211008:new:b97c20c, author = {Tarun Dewan and Lenart Brave}, title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectorsi}}, date = {2021-10-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors}, language = {English}, urldate = {2021-10-14} } New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot
2021-10-07MandiantJoshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly
@online{shilko:20211007:fin12:43d89f5, author = {Joshua Shilko and Zach Riddle and Jennifer Brooks and Genevieve Stark and Adam Brunner and Kimberly Goody and Jeremy Kennelly}, title = {{FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets}}, date = {2021-10-07}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets}, language = {English}, urldate = {2021-10-08} } FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
BazarBackdoor GRIMAGENT Ryuk
2021-10-04The DFIR ReportThe DFIR Report
@online{report:20211004:bazarloader:fe3adf3, author = {The DFIR Report}, title = {{BazarLoader and the Conti Leaks}}, date = {2021-10-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/}, language = {English}, urldate = {2021-10-11} } BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-09-17CrowdStrikeFalcon OverWatch Team
@online{team:20210917:falcon:76aa03b, author = {Falcon OverWatch Team}, title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}}, date = {2021-09-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/}, language = {English}, urldate = {2021-10-05} } Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike
2021-09-13The DFIR ReportThe DFIR Report
@online{report:20210913:bazarloader:5073703, author = {The DFIR Report}, title = {{BazarLoader to Conti Ransomware in 32 Hours}}, date = {2021-09-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/}, language = {English}, urldate = {2021-09-14} } BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-09Johannes Bader's BlogJohannes Bader
@online{bader:20210809:bazarloader:e123577, author = {Johannes Bader}, title = {{A BazarLoader DGA that Breaks Down in the Summer}}, date = {2021-08-09}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/}, language = {English}, urldate = {2021-08-09} } A BazarLoader DGA that Breaks Down in the Summer
BazarBackdoor
2021-08-01The DFIR ReportThe DFIR Report
@online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30Twitter (@Unit42_Intel)Unit 42
@online{42:20210730:bazarloader:43bdc2c, author = {Unit 42}, title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}}, date = {2021-07-30}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20}, language = {English}, urldate = {2021-08-02} } Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike
2021-07-30Medium walmartglobaltechJason Reaves
@online{reaves:20210730:decrypting:0b08389, author = {Jason Reaves}, title = {{Decrypting BazarLoader strings with a Unicorn}}, date = {2021-07-30}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9}, language = {English}, urldate = {2021-08-02} } Decrypting BazarLoader strings with a Unicorn
BazarBackdoor
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210729:bazacall:8d79cdf, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/}, language = {English}, urldate = {2021-08-02} } BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike
2021-07-14Bleeping ComputerIonut Ilascu
@online{ilascu:20210714:bazarbackdoor:b63046e, author = {Ionut Ilascu}, title = {{BazarBackdoor sneaks in through nested RAR and ZIP archives}}, date = {2021-07-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/}, language = {English}, urldate = {2021-07-26} } BazarBackdoor sneaks in through nested RAR and ZIP archives
BazarBackdoor
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-05-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210519:bazarcall:60c6562, author = {Brad Duncan}, title = {{BazarCall: Call Centers Help Spread BazarLoader Malware}}, date = {2021-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-malware/}, language = {English}, urldate = {2021-05-20} } BazarCall: Call Centers Help Spread BazarLoader Malware
BazarBackdoor campoloader
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-15SophosLabs UncutAndrew Brandt
@online{brandt:20210415:bazarloader:93400a1, author = {Andrew Brandt}, title = {{BazarLoader deploys a pair of novel spam vectors}}, date = {2021-04-15}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors}, language = {English}, urldate = {2021-04-16} } BazarLoader deploys a pair of novel spam vectors
BazarBackdoor
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-12Trend MicroRaphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-03-30YouTube ( malware-traffic-analysis.net)Brad Duncan
@online{duncan:20210330:20210329:bf22ea0, author = {Brad Duncan}, title = {{2021-03-29 BazaCall (BazarCall) Example}}, date = {2021-03-30}, organization = {YouTube ( malware-traffic-analysis.net)}, url = {https://www.youtube.com/watch?v=uAkeXCYcl4Y}, language = {English}, urldate = {2021-03-31} } 2021-03-29 BazaCall (BazarCall) Example
BazarBackdoor
2021-03-30FR3D.HKFred HK
@online{hk:20210330:campo:bf657d8, author = {Fred HK}, title = {{Campo Loader - Simple but effective}}, date = {2021-03-30}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/campo-loader-simple-but-effective}, language = {English}, urldate = {2021-04-09} } Campo Loader - Simple but effective
BazarBackdoor
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-08The DFIR ReportThe DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-12FortinetXiaopeng Zhang
@online{zhang:20210212:new:0be729d, author = {Xiaopeng Zhang}, title = {{New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II}}, date = {2021-02-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II}, language = {English}, urldate = {2021-02-20} } New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II
BazarBackdoor
2021-02-12FortinetXiaopeng Zhang
@online{zhang:20210212:new:4e0dab7, author = {Xiaopeng Zhang}, title = {{New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I}}, date = {2021-02-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I}, language = {English}, urldate = {2021-02-20} } New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
BazarBackdoor
2021-02-11ProofpointProofpoint Threat Research Team
@online{team:20210211:baza:41ddf2c, author = {Proofpoint Threat Research Team}, title = {{A Baza Valentine’s Day}}, date = {2021-02-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day}, language = {English}, urldate = {2021-02-25} } A Baza Valentine’s Day
BazarBackdoor
2021-02-09CofenseZachary Bailey
@online{bailey:20210209:bazarbackdoors:a9cf426, author = {Zachary Bailey}, title = {{BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs}}, date = {2021-02-09}, organization = {Cofense}, url = {https://cofense.com/blog/bazarbackdoor-stealthy-infiltration}, language = {English}, urldate = {2021-02-09} } BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs
BazarBackdoor
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01GoSecureLilly Chalupowski
@online{chalupowski:20210201:bazarloader:61a163a, author = {Lilly Chalupowski}, title = {{BazarLoader Mocks Researchers in December 2020 Malspam Campaign}}, date = {2021-02-01}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/}, language = {English}, urldate = {2021-02-02} } BazarLoader Mocks Researchers in December 2020 Malspam Campaign
BazarBackdoor
2021-01-31The DFIR ReportThe DFIR Report
@online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28Huntress LabsJohn Hammond
@techreport{hammond:20210128:analyzing:2f8dae2, author = {John Hammond}, title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}}, date = {2021-01-28}, institution = {Huntress Labs}, url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf}, language = {English}, urldate = {2021-01-29} } Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk
2021-01-28HornetsecurityHornetsecurity Security Lab
@online{lab:20210128:bazarloaders:ee499c8, author = {Hornetsecurity Security Lab}, title = {{BazarLoader’s Elaborate Flower Shop Lure}}, date = {2021-01-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/}, language = {English}, urldate = {2021-01-29} } BazarLoader’s Elaborate Flower Shop Lure
BazarBackdoor
2021-01-23Johannes Bader's BlogJohannes Bader
@online{bader:20210123:yet:1274cbe, author = {Johannes Bader}, title = {{Yet Another Bazar Loader DGA}}, date = {2021-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/yet-another-bazarloader-dga/}, language = {English}, urldate = {2021-01-25} } Yet Another Bazar Loader DGA
BazarBackdoor
2021-01-12Minerva LabsMinervaLabs
@online{minervalabs:20210112:slamming:89461b1, author = {MinervaLabs}, title = {{Slamming The Backdoor On BazarLoader}}, date = {2021-01-12}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader}, language = {English}, urldate = {2021-01-21} } Slamming The Backdoor On BazarLoader
BazarBackdoor
2021-01-12CybereasonLior Rochberger
@online{rochberger:20210112:cybereason:5707e14, author = {Lior Rochberger}, title = {{Cybereason vs. Conti Ransomware}}, date = {2021-01-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware}, language = {English}, urldate = {2021-01-18} } Cybereason vs. Conti Ransomware
BazarBackdoor Conti
2021-01-06DomainToolsJoe Slowik
@online{slowik:20210106:holiday:6ef0c9d, author = {Joe Slowik}, title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}}, date = {2021-01-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident}, language = {English}, urldate = {2021-01-10} } Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot
2020-12-16Johannes Bader's BlogJohannes Bader
@online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } Next Version of the Bazar Loader DGA
BazarBackdoor
2020-12-10CybereasonJoakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-10Intel 471Intel 471
@online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } Trickbot down, but is it out?
BazarBackdoor TrickBot
2020-11-09Area 1Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05SCYTHEJorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } #ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-30CofenseThe Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a, author = {The Cofense Intelligence Team}, title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}}, date = {2020-10-30}, organization = {Cofense}, url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/}, language = {English}, urldate = {2020-11-02} } The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-29Twitter (@anthomsec)Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-28CISACISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-13HornetsecuritySecurity Lab
@online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } BazarLoader Campaign with Fake Termination Emails
BazarBackdoor
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-09-29ZscalerMohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-07-16CybereasonDaniel Frank, Mary Zhao, Assaf Dahan
@techreport{frank:20200716:bazar:1349d7d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)}}, date = {2020-07-16}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf}, language = {English}, urldate = {2021-05-08} } A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)
BazarBackdoor
2020-07-16CybereasonDaniel Frank, Mary Zhao, Assaf Dahan
@online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } A Bazar of Tricks: Following Team9’s Development Cycles
BazarBackdoor
2020-07-15Johannes Bader's BlogJohannes Bader
@online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Defective Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-07-14Johannes Bader's BlogJohannes Bader
@online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-06-02NCC GroupNikolaos Pantazopoulos, Stefano Antenucci
@online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-06-02Fox-ITNikolaos Pantazopoulos, Stefano Antenucci, NCC RIFT
@online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-27Trend MicroTrend Micro
@online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } Group Behind TrickBot Spreads Fileless BazarBackdoor
BazarBackdoor
2020-04-24Bleeping ComputerLawrence Abrams
@online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
BazarBackdoor
2020-04-24Vitali Kremez
@online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } TrickBot "BazarBackdoor" Process Hollowing Injection Primer
BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20211008 | Detects win.bazarbackdoor.)
rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.bazarbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 41b80f100000 488bce 4889442420 ff15???????? }
            // n = 4, score = 1100
            //   41b80f100000         | inc                 ecx
            //   488bce               | mov                 eax, 0x100f
            //   4889442420           | dec                 eax
            //   ff15????????         |                     

        $sequence_1 = { 4889442420 ff15???????? 85c0 780a }
            // n = 4, score = 1100
            //   4889442420           | xor                 eax, eax
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x20], 2
            //   780a                 | mov                 edx, 0x40000000

        $sequence_2 = { 4533c9 4533c0 c744242002000000 ba00000040 ffd0 }
            // n = 5, score = 1100
            //   4533c9               | inc                 ebp
            //   4533c0               | xor                 ecx, ecx
            //   c744242002000000     | inc                 ebp
            //   ba00000040           | xor                 eax, eax
            //   ffd0                 | mov                 dword ptr [esp + 0x20], 2

        $sequence_3 = { 498bf0 488bea 4c8bf1 33db }
            // n = 4, score = 1100
            //   498bf0               | mov                 dword ptr [esp + 0x28], 0x80
            //   488bea               | inc                 ebp
            //   4c8bf1               | xor                 ecx, ecx
            //   33db                 | inc                 ebp

        $sequence_4 = { 0fb6c8 e8???????? 85c0 7403 }
            // n = 4, score = 1100
            //   0fb6c8               | cmp                 dword ptr [ecx + 0x18], 4
            //   e8????????           |                     
            //   85c0                 | jne                 0x66
            //   7403                 | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_5 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 1000
            //   7507                 | inc                 ecx
            //   33c0                 | mov                 eax, 0x100f
            //   e9????????           |                     
            //   b8ff000000           | dec                 eax

        $sequence_6 = { 4084ff 400f94c7 0fb6c8 e8???????? }
            // n = 4, score = 1000
            //   4084ff               | mov                 dword ptr [esp + 0x20], 2
            //   400f94c7             | mov                 edx, 0x40000000
            //   0fb6c8               | mov                 dword ptr [esp + 0x28], 0x80
            //   e8????????           |                     

        $sequence_7 = { ebd2 3c20 7709 48ffc3 8a03 }
            // n = 5, score = 1000
            //   ebd2                 | inc                 eax
            //   3c20                 | test                bh, bh
            //   7709                 | je                  0x28
            //   48ffc3               | je                  0x33
            //   8a03                 | inc                 eax

        $sequence_8 = { 8a03 3c20 7709 84c0 7431 4084ff }
            // n = 6, score = 1000
            //   8a03                 | xor                 bh, bh
            //   3c20                 | mov                 al, byte ptr [ebx]
            //   7709                 | cmp                 al, 0x20
            //   84c0                 | ja                  0x12
            //   7431                 | dec                 eax
            //   4084ff               | cmovne              ebx, eax

        $sequence_9 = { 84c0 7431 4084ff 741f 3c22 7507 4084ff }
            // n = 7, score = 1000
            //   84c0                 | cmp                 al, 0x20
            //   7431                 | ja                  0xf
            //   4084ff               | inc                 eax
            //   741f                 | xor                 bh, bh
            //   3c22                 | mov                 al, byte ptr [ebx]
            //   7507                 | cmp                 al, 0x20
            //   4084ff               | ja                  0xf

        $sequence_10 = { 488bcf ffd0 488905???????? 4885c0 750a b806000000 }
            // n = 6, score = 900
            //   488bcf               | inc                 ebp
            //   ffd0                 | xor                 eax, eax
            //   488905????????       |                     
            //   4885c0               | mov                 dword ptr [esp + 0x20], 2
            //   750a                 | mov                 edx, 0x40000000
            //   b806000000           | call                eax

        $sequence_11 = { 41b989010000 41b841587c4c e8???????? 4885c0 740a }
            // n = 5, score = 900
            //   41b989010000         | inc                 eax
            //   41b841587c4c         | sete                bh
            //   e8????????           |                     
            //   4885c0               | movzx               ecx, al
            //   740a                 | test                eax, eax

        $sequence_12 = { e8???????? cc e8???????? cc 4053 4883ec20 b902000000 }
            // n = 7, score = 900
            //   e8????????           |                     
            //   cc                   | sete                bh
            //   e8????????           |                     
            //   cc                   | movzx               ecx, al
            //   4053                 | je                  0x21
            //   4883ec20             | cmp                 al, 0x22
            //   b902000000           | jne                 0xb

        $sequence_13 = { e8???????? 4885c0 7407 b9b80b0000 ffd0 }
            // n = 5, score = 900
            //   e8????????           |                     
            //   4885c0               | inc                 ebx
            //   7407                 | mov                 al, byte ptr [ebx]
            //   b9b80b0000           | test                al, al
            //   ffd0                 | inc                 eax

        $sequence_14 = { 33d2 488bc8 ff15???????? ff15???????? 4c8bc3 }
            // n = 5, score = 900
            //   33d2                 | inc                 eax
            //   488bc8               | test                bh, bh
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   4c8bc3               | je                  0x24

        $sequence_15 = { 750a b834000000 e9???????? 660f6f05???????? }
            // n = 4, score = 900
            //   750a                 | dec                 eax
            //   b834000000           | mov                 edi, eax
            //   e9????????           |                     
            //   660f6f05????????     |                     

        $sequence_16 = { 4885c9 7406 488b11 ff5210 ff15???????? }
            // n = 5, score = 900
            //   4885c9               | mov                 ecx, esi
            //   7406                 | dec                 eax
            //   488b11               | mov                 dword ptr [esp + 0x20], eax
            //   ff5210               | test                eax, eax
            //   ff15????????         |                     

        $sequence_17 = { ff15???????? ff15???????? 4d8bc5 33d2 488bc8 }
            // n = 5, score = 800
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   4d8bc5               | inc                 eax
            //   33d2                 | sete                bh
            //   488bc8               | movzx               ecx, al

        $sequence_18 = { b902000000 e8???????? e8???????? 8bc8 e8???????? e8???????? 8bd8 }
            // n = 7, score = 700
            //   b902000000           | jmp                 0xffffffd4
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | cmp                 al, 0x20
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bd8                 | ja                  0xf

        $sequence_19 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? }
            // n = 5, score = 700
            //   0fb70f               | inc                 eax
            //   ff15????????         |                     
            //   0fb74f02             | sete                bh
            //   0fb7d8               | movzx               ecx, al
            //   ff15????????         |                     

        $sequence_20 = { 0fb64b04 0fb6d1 80f973 7504 0fb65305 33c0 }
            // n = 6, score = 700
            //   0fb64b04             | inc                 eax
            //   0fb6d1               | xor                 bh, bh
            //   80f973               | mov                 al, byte ptr [ebx]
            //   7504                 | cmp                 al, 0x20
            //   0fb65305             | ja                  0xd
            //   33c0                 | test                al, al

        $sequence_21 = { 8bd3 e8???????? 33c0 e9???????? }
            // n = 4, score = 700
            //   8bd3                 | test                bh, bh
            //   e8????????           |                     
            //   33c0                 | inc                 eax
            //   e9????????           |                     

        $sequence_22 = { 84d2 7405 80fa2e 750f 0fb6c1 }
            // n = 5, score = 600
            //   84d2                 | inc                 eax
            //   7405                 | sete                bh
            //   80fa2e               | movzx               ecx, al
            //   750f                 | test                eax, eax
            //   0fb6c1               | je                  0xa

        $sequence_23 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 500
            //   c3                   | push                esi
            //   0fb74c0818           | push                edi
            //   b80b010000           | push                ebp
            //   663bc8               | push                ebx

        $sequence_24 = { 6685ff 0f849c000000 837c2460ff 0f858c000000 }
            // n = 4, score = 400
            //   6685ff               | test                bh, bh
            //   0f849c000000         | inc                 eax
            //   837c2460ff           | test                bh, bh
            //   0f858c000000         | je                  0x21

        $sequence_25 = { 66890d???????? 0fb7ca ff15???????? b901000000 }
            // n = 4, score = 400
            //   66890d????????       |                     
            //   0fb7ca               | inc                 eax
            //   ff15????????         |                     
            //   b901000000           | xor                 bh, bh

        $sequence_26 = { ffd0 90 4883c430 5b }
            // n = 4, score = 400
            //   ffd0                 | mov                 al, byte ptr [ebx]
            //   90                   | cmp                 al, 0x20
            //   4883c430             | ja                  0xd
            //   5b                   | test                al, al

        $sequence_27 = { e8???????? 4c897c2420 4889d9 89fa }
            // n = 4, score = 400
            //   e8????????           |                     
            //   4c897c2420           | je                  0x39
            //   4889d9               | inc                 eax
            //   89fa                 | test                bh, bh

        $sequence_28 = { 89e8 4883c448 5b 5d 5f 5e 415c }
            // n = 7, score = 400
            //   89e8                 | je                  0x2c
            //   4883c448             | ja                  0xb
            //   5b                   | test                al, al
            //   5d                   | je                  0x35
            //   5f                   | inc                 eax
            //   5e                   | test                bh, bh
            //   415c                 | ja                  0xb

        $sequence_29 = { a1???????? 53 56 8b742410 85c0 }
            // n = 5, score = 400
            //   a1????????           |                     
            //   53                   | inc                 eax
            //   56                   | sete                bh
            //   8b742410             | movzx               ecx, al
            //   85c0                 | test                eax, eax

        $sequence_30 = { 51 ffd0 8b4df4 64890d00000000 }
            // n = 4, score = 400
            //   51                   | inc                 eax
            //   ffd0                 | sete                bh
            //   8b4df4               | movzx               ecx, al
            //   64890d00000000       | test                eax, eax

        $sequence_31 = { 75c5 c6443c1000 84db 7402 ff06 8d4c2410 }
            // n = 6, score = 400
            //   75c5                 | inc                 eax
            //   c6443c1000           | test                bh, bh
            //   84db                 | inc                 eax
            //   7402                 | test                bh, bh
            //   ff06                 | je                  0x21
            //   8d4c2410             | cmp                 al, 0x22

        $sequence_32 = { 4155 4154 56 57 55 53 4881ec98010000 }
            // n = 7, score = 400
            //   4155                 | inc                 eax
            //   4154                 | test                bh, bh
            //   56                   | je                  0x28
            //   57                   | cmp                 al, 0x22
            //   55                   | je                  5
            //   53                   | dec                 eax
            //   4881ec98010000       | inc                 ebx

        $sequence_33 = { 03c3 50 8b840a04010000 03c5 }
            // n = 4, score = 400
            //   03c3                 | xor                 bh, bh
            //   50                   | mov                 al, byte ptr [ebx]
            //   8b840a04010000       | cmp                 al, 0x20
            //   03c5                 | ja                  0x12

        $sequence_34 = { 75e5 33c0 5f 5e 59 }
            // n = 5, score = 400
            //   75e5                 | je                  0xe
            //   33c0                 | dec                 eax
            //   5f                   | inc                 ebx
            //   5e                   | movzx               ecx, al
            //   59                   | test                eax, eax

        $sequence_35 = { 0fb745ea 50 0fb745e8 50 68???????? e8???????? }
            // n = 6, score = 400
            //   0fb745ea             | movzx               ecx, al
            //   50                   | test                eax, eax
            //   0fb745e8             | je                  0xa
            //   50                   | dec                 eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_36 = { 56 57 53 4883ec20 4889d7 }
            // n = 5, score = 400
            //   56                   | inc                 eax
            //   57                   | test                bh, bh
            //   53                   | je                  0x28
            //   4883ec20             | cmp                 al, 0x22
            //   4889d7               | jne                 0x14

        $sequence_37 = { 0fbe1f 85db 7e0c 8d742411 }
            // n = 4, score = 400
            //   0fbe1f               | test                al, al
            //   85db                 | je                  0x3e
            //   7e0c                 | inc                 eax
            //   8d742411             | test                bh, bh

        $sequence_38 = { ff7508 56 ff15???????? 6a00 }
            // n = 4, score = 300
            //   ff7508               | mov                 al, byte ptr [ebx]
            //   56                   | cmp                 al, 0x20
            //   ff15????????         |                     
            //   6a00                 | ja                  0xf

        $sequence_39 = { c644244421 c644244569 c64424467b c64424477a }
            // n = 4, score = 300
            //   c644244421           | ja                  0x12
            //   c644244569           | dec                 eax
            //   c64424467b           | inc                 ebx
            //   c64424477a           | mov                 al, byte ptr [ebx]

        $sequence_40 = { 46 42 8d4701 84c9 }
            // n = 4, score = 300
            //   46                   | inc                 eax
            //   42                   | test                bh, bh
            //   8d4701               | inc                 eax
            //   84c9                 | sete                bh

        $sequence_41 = { 0fb7d8 0fb74708 50 ff15???????? 0fb7c8 83fe01 }
            // n = 6, score = 300
            //   0fb7d8               | dec                 eax
            //   0fb74708             | inc                 ebx
            //   50                   | dec                 eax
            //   ff15????????         |                     
            //   0fb7c8               | inc                 ebx
            //   83fe01               | cmp                 al, 0x22

        $sequence_42 = { c64424413b c644244224 c644244321 c644244421 c644244569 }
            // n = 5, score = 300
            //   c64424413b           | cmp                 al, 0x20
            //   c644244224           | ja                  0x16
            //   c644244321           | test                al, al
            //   c644244421           | dec                 eax
            //   c644244569           | inc                 ebx

        $sequence_43 = { c744242880000000 c744242003000000 4889f1 ba00000080 }
            // n = 4, score = 300
            //   c744242880000000     | inc                 eax
            //   c744242003000000     | xor                 bh, bh
            //   4889f1               | mov                 al, byte ptr [ebx]
            //   ba00000080           | cmp                 al, 0x20

        $sequence_44 = { e8???????? 4889f9 4889da ffd0 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   4889f9               | ja                  0xf
            //   4889da               | test                al, al
            //   ffd0                 | dec                 eax

        $sequence_45 = { 8d4601 50 ff15???????? 83f8ff }
            // n = 4, score = 300
            //   8d4601               | jne                 9
            //   50                   | inc                 eax
            //   ff15????????         |                     
            //   83f8ff               | test                bh, bh

        $sequence_46 = { 53 8b1d???????? ffd3 8b3d???????? 8d7001 8d4610 50 }
            // n = 7, score = 300
            //   53                   | mov                 al, byte ptr [ebx]
            //   8b1d????????         |                     
            //   ffd3                 | cmp                 al, 0x20
            //   8b3d????????         |                     
            //   8d7001               | ja                  0xd
            //   8d4610               | test                al, al
            //   50                   | je                  0x39

        $sequence_47 = { 6a2e 6a00 50 ff15???????? }
            // n = 4, score = 300
            //   6a2e                 | mov                 al, byte ptr [ebx]
            //   6a00                 | cmp                 al, 0x20
            //   50                   | ja                  0x12
            //   ff15????????         |                     

        $sequence_48 = { fec8 88041a 8bd1 41 }
            // n = 4, score = 300
            //   fec8                 | inc                 eax
            //   88041a               | sete                bh
            //   8bd1                 | movzx               ecx, al
            //   41                   | cmp                 al, 0x22

        $sequence_49 = { 7404 3c2e 750b 8ac1 2ac2 fec8 88041a }
            // n = 7, score = 300
            //   7404                 | movzx               ecx, al
            //   3c2e                 | test                eax, eax
            //   750b                 | inc                 eax
            //   8ac1                 | sete                bh
            //   2ac2                 | movzx               ecx, al
            //   fec8                 | test                eax, eax
            //   88041a               | je                  0xa

        $sequence_50 = { 57 53 4883ec58 4989ce }
            // n = 4, score = 300
            //   57                   | test                al, al
            //   53                   | je                  0x3e
            //   4883ec58             | inc                 eax
            //   4989ce               | xor                 bh, bh

        $sequence_51 = { e8???????? 4889f9 4889f2 ffd0 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   4889f9               | pop                 ebp
            //   4889f2               | pop                 edi
            //   ffd0                 | pop                 esi

        $sequence_52 = { ff15???????? 488906 4885c0 7425 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   488906               | inc                 eax
            //   4885c0               | xor                 bh, bh
            //   7425                 | mov                 al, byte ptr [ebx]

        $sequence_53 = { 0f848c000000 488b442430 83782000 7460 }
            // n = 4, score = 100
            //   0f848c000000         | cmp                 cl, 0x73
            //   488b442430           | sete                al
            //   83782000             | jne                 6
            //   7460                 | movzx               edx, byte ptr [ebx + 5]

        $sequence_54 = { 0f8398000000 488b442418 0fb700 c1f80c }
            // n = 4, score = 100
            //   0f8398000000         | dec                 ebp
            //   488b442418           | mov                 eax, ebp
            //   0fb700               | xor                 edx, edx
            //   c1f80c               | jne                 0x2a

        $sequence_55 = { 0bc8 8bc1 0fbaf019 8944245c }
            // n = 4, score = 100
            //   0bc8                 | sete                bh
            //   8bc1                 | movzx               ecx, al
            //   0fbaf019             | dec                 eax
            //   8944245c             | inc                 ebx

        $sequence_56 = { 034110 8bc0 448bc0 488b542460 }
            // n = 4, score = 100
            //   034110               | je                  0x3b
            //   8bc0                 | inc                 eax
            //   448bc0               | test                bh, bh
            //   488b542460           | inc                 eax

        $sequence_57 = { 03842480000000 488b4c2428 8901 eb2d }
            // n = 4, score = 100
            //   03842480000000       | cmp                 al, 0x20
            //   488b4c2428           | ja                  0xb
            //   8901                 | test                al, al
            //   eb2d                 | je                  0x37

        $sequence_58 = { 034110 8bc0 4889442478 488b442470 }
            // n = 4, score = 100
            //   034110               | sete                bh
            //   8bc0                 | movzx               ecx, al
            //   4889442478           | test                eax, eax
            //   488b442470           | je                  0xa

        $sequence_59 = { 0bc8 8bc1 8944245c 8b442424 }
            // n = 4, score = 100
            //   0bc8                 | test                bh, bh
            //   8bc1                 | inc                 eax
            //   8944245c             | sete                bh
            //   8b442424             | movzx               ecx, al

        $sequence_60 = { 0f8483020000 488b442428 8b400c 488b4c2438 }
            // n = 4, score = 100
            //   0f8483020000         | cmp                 cl, 0x73
            //   488b442428           | jne                 6
            //   8b400c               | movzx               edx, byte ptr [ebx + 5]
            //   488b4c2438           | xor                 eax, eax

    condition:
        7 of them and filesize < 675840
}
Download all Yara Rules