win.bazarbackdoor

BazarBackdoor

aka: BEERBOT, KEGTAP, Team9Backdoor

BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like Anchor. It's called team9 backdoor (and the corresponding loader: team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), hence the naming. FireEye uses KEGTAP as the name for BazarLoader and BEERBOT for BazarBackdoor.

References
2020-10-18 | The DFIR Report | The DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16 | CrowdStrike | The Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot
2020-10-13 | Hornetsecurity | Security Lab
@online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } BazarLoader Campaign with Fake Termination Emails
BazarBackdoor
2020-10-12 | Advanced Intelligence | Roman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08 | The DFIR Report | The DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-09-29 | Zscaler | Mohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-07-16 | Cybereason | Daniel Frank, Mary Zhao, Assaf Dahan
@online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } A Bazar of Tricks: Following Team9’s Development Cycles
BazarBackdoor
2020-07-15 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Defective Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-07-14 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-06-02 | Fox-IT | Nikolaos Pantazopoulos, Stefano Antenucci, NCC RIFT
@online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-06-02 | NCC Group | Nikolaos Pantazopoulos, Stefano Antenucci
@online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-05-19 | AlienLabs | Ofer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-27 | Trend Micro | Trend Micro
@online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } Group Behind TrickBot Spreads Fileless BazarBackdoor
BazarBackdoor
2020-04-24 | Vitali Kremez
@online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } TrickBot "BazarBackdoor" Process Hollowing Injection Primer
BazarBackdoor
2020-04-24 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_bazarbackdoor_auto {
    // Purpose: flag win.bazarbackdoor samples by raw x86 code-byte sequences that
    // yara-signator selected from Malpedia's unpacked samples and memory dumps
    // (see the DISCLAIMER below). The rule fires when at least 7 of the 54
    // $sequence_* strings are present AND the scanned file is smaller than
    // 507904 bytes; it is a code-similarity signature, not a behavioural one,
    // so a repacked or heavily rebuilt variant may fall below the threshold.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 opcode bytes. The "????????" wildcards
        // mask the 4-byte displacement/immediate of call/jmp/memory-reference
        // encodings (ff15, e8, e9, 68, 8b1d, 8b3d), presumably so the pattern
        // survives per-build address differences. "n" is the instruction count
        // of the sequence; "score" appears to be yara-signator's ranking value.
        // NOTE(review): the disassembly text in the right-hand column of the
        // comments does not line up with the bytes on the left (e.g. 41b80f100000
        // is annotated "dec esp" while the matching "mov eax, 0x100f" appears five
        // lines below), so treat it as informational only; the hex bytes are what
        // is matched. The REX-prefixed (48/49/4c/41) sequences next to 32-bit-only
        // ones (6a07 push, 5e pop) suggest both 64-bit and 32-bit builds are
        // covered -- confirm against the sample set before relying on that.
        $sequence_0 = { 41b80f100000 488bce 4889442420 ff15???????? 85c0 780a }
            // n = 6, score = 1500
            //   41b80f100000         | dec                 esp
            //   488bce               | mov                 esi, ecx
            //   4889442420           | xor                 ebx, ebx
            //   ff15????????         |                     
            //   85c0                 | inc                 ecx
            //   780a                 | mov                 eax, 0x100f

        $sequence_1 = { 498bf0 488bea 4c8bf1 33db }
            // n = 4, score = 1500
            //   498bf0               | dec                 ecx
            //   488bea               | mov                 esi, eax
            //   4c8bf1               | dec                 eax
            //   33db                 | mov                 ebp, edx

        $sequence_2 = { 48bb32a2df2d992b0000 483bc3 7575 33c0 488d4d18 48894518 }
            // n = 6, score = 1300
            //   48bb32a2df2d992b0000     | mov    dword ptr [esp + 0x20], eax
            //   483bc3               | test                eax, eax
            //   7575                 | dec                 eax
            //   33c0                 | mov                 ecx, esi
            //   488d4d18             | dec                 eax
            //   48894518             | mov                 dword ptr [esp + 0x20], eax

        $sequence_3 = { 4885c0 750a b806000000 e9???????? }
            // n = 4, score = 1300
            //   4885c0               | dec                 eax
            //   750a                 | mov                 ecx, esi
            //   b806000000           | dec                 eax
            //   e9????????           |                     

        $sequence_4 = { 33c0 4c8d9c24b0050000 498b5b30 498b7338 498b7b48 498be3 }
            // n = 6, score = 1300
            //   33c0                 | mov                 dword ptr [esp + 0x20], eax
            //   4c8d9c24b0050000     | test                eax, eax
            //   498b5b30             | js                  0x16
            //   498b7338             | dec                 eax
            //   498b7b48             | cwde                
            //   498be3               | inc                 ecx

        $sequence_5 = { 4155 4156 4157 488da828fbffff 4881ecb0050000 }
            // n = 5, score = 1300
            //   4155                 | je                  0x10
            //   4156                 | dec                 eax
            //   4157                 | test                eax, eax
            //   488da828fbffff       | jne                 0xc
            //   4881ecb0050000       | mov                 eax, 6

        $sequence_6 = { 41b982000000 41b8e6b8402d e8???????? 4885c0 7405 }
            // n = 5, score = 1300
            //   41b982000000         | dec                 eax
            //   41b8e6b8402d         | cwde                
            //   e8????????           |                     
            //   4885c0               | inc                 ecx
            //   7405                 | mov                 eax, 0x100f

        $sequence_7 = { 4885c0 7407 488bce ffd0 eb03 }
            // n = 5, score = 1300
            //   4885c0               | mov                 ecx, 0x82
            //   7407                 | inc                 ecx
            //   488bce               | mov                 eax, 0x2d40b8e6
            //   ffd0                 | dec                 eax
            //   eb03                 | test                eax, eax

        $sequence_8 = { 488bce e8???????? 488bf8 4885db }
            // n = 4, score = 900
            //   488bce               | call                eax
            //   e8????????           |                     
            //   488bf8               | pop                 esi
            //   4885db               | ret                 

        $sequence_9 = { 4885c9 7406 488b11 ff5210 ff15???????? }
            // n = 5, score = 900
            //   4885c9               | cmovg               eax, ecx
            //   7406                 | cdq                 
            //   488b11               | sub                 eax, edx
            //   ff5210               | mov                 ecx, 0xe10
            //   ff15????????         |                     

        $sequence_10 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   0fb74f08             | je                  9
            //   440fb7e8             | test                al, 1
            //   ff15????????         |                     

        $sequence_11 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? 0fb74f08 }
            // n = 6, score = 900
            //   0fb70f               | mov                 ecx, 0xe10
            //   ff15????????         |                     
            //   0fb74f02             | cmp                 eax, ecx
            //   0fb7d8               | cmovg               eax, ecx
            //   ff15????????         |                     
            //   0fb74f08             | cdq                 

        $sequence_12 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 800
            //   7507                 | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x20], eax
            //   e9????????           |                     
            //   b8ff000000           | test                eax, eax

        $sequence_13 = { 418d5508 488bc8 ff15???????? 488bd8 }
            // n = 4, score = 800
            //   418d5508             | dec                 eax
            //   488bc8               | mov                 ecx, esi
            //   ff15????????         |                     
            //   488bd8               | dec                 eax

        $sequence_14 = { 4c89742440 4c89742438 4489742430 4c89742428 }
            // n = 4, score = 800
            //   4c89742440           | test                eax, eax
            //   4c89742438           | js                  0xc
            //   4489742430           | inc                 ecx
            //   4c89742428           | mov                 eax, 0x100f

        $sequence_15 = { 0fb6c9 4881e9c0000000 48c1e108 4803c8 8bc1 488d94059f070000 }
            // n = 6, score = 800
            //   0fb6c9               | dec                 eax
            //   4881e9c0000000       | mov                 dword ptr [esp + 0x20], eax
            //   48c1e108             | inc                 ecx
            //   4803c8               | mov                 eax, 0x100f
            //   8bc1                 | dec                 eax
            //   488d94059f070000     | mov                 ecx, esi

        $sequence_16 = { 488d9590050000 488bce ff15???????? 85c0 }
            // n = 4, score = 800
            //   488d9590050000       | mov                 eax, 0x100f
            //   488bce               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, esi

        $sequence_17 = { ba08000000 ff15???????? 4c8bf8 4885c0 }
            // n = 4, score = 800
            //   ba08000000           | dec                 eax
            //   ff15????????         |                     
            //   4c8bf8               | mov                 ecx, esi
            //   4885c0               | dec                 eax

        $sequence_18 = { 4533c9 4889442428 488d95a0070000 488d442470 41b80f100000 488bce 4889442420 }
            // n = 7, score = 800
            //   4533c9               | dec                 eax
            //   4889442428           | mov                 ecx, esi
            //   488d95a0070000       | dec                 eax
            //   488d442470           | mov                 dword ptr [esp + 0x20], eax
            //   41b80f100000         | test                eax, eax
            //   488bce               | js                  0xe
            //   4889442420           | dec                 eax

        $sequence_19 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 800
            //   c3                   | js                  0xc
            //   0fb74c0818           | dec                 eax
            //   b80b010000           | cwde                
            //   663bc8               | dec                 eax

        $sequence_20 = { 0f4cc1 b9100e0000 3bc1 0f4fc1 99 2bc2 d1f8 }
            // n = 7, score = 700
            //   0f4cc1               | mov                 dword ptr [esp + 0x20], eax
            //   b9100e0000           | test                eax, eax
            //   3bc1                 | js                  0xc
            //   0f4fc1               | inc                 ecx
            //   99                   | mov                 eax, 0x100f
            //   2bc2                 | dec                 eax
            //   d1f8                 | mov                 ecx, esi

        $sequence_21 = { 7526 ff15???????? 3d33270000 7519 8b0f }
            // n = 5, score = 700
            //   7526                 | dec                 eax
            //   ff15????????         |                     
            //   3d33270000           | mov                 dword ptr [esp + 0x20], eax
            //   7519                 | test                eax, eax
            //   8b0f                 | js                  0x16

        $sequence_22 = { b9bb010000 663bc1 7404 a801 }
            // n = 4, score = 700
            //   b9bb010000           | inc                 ecx
            //   663bc1               | mov                 eax, 0x100f
            //   7404                 | dec                 eax
            //   a801                 | mov                 ecx, esi

        $sequence_23 = { 3d12030900 7407 33c0 e9???????? }
            // n = 4, score = 700
            //   3d12030900           | test                eax, eax
            //   7407                 | je                  0xf
            //   33c0                 | dec                 eax
            //   e9????????           |                     

        $sequence_24 = { ff15???????? 6683f808 7404 33c0 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   6683f808             | dec                 ecx
            //   7404                 | mov                 ebp, dword ptr [ebx + 0x40]
            //   33c0                 | dec                 ecx

        $sequence_25 = { 663bd9 72cc 8d4176 663bd8 0f8218010000 8d480a }
            // n = 6, score = 400
            //   663bd9               | test                eax, eax
            //   72cc                 | js                  0xe
            //   8d4176               | dec                 eax
            //   663bd8               | cwde                
            //   0f8218010000         | inc                 ecx
            //   8d480a               | mov                 eax, 0x100f

        $sequence_26 = { 8ac1 24c0 3c80 0f8586000000 8bc2 0fb6c9 83e13f }
            // n = 7, score = 400
            //   8ac1                 | dec                 eax
            //   24c0                 | mov                 ecx, esi
            //   3c80                 | dec                 eax
            //   0f8586000000         | mov                 dword ptr [esp + 0x20], eax
            //   8bc2                 | test                eax, eax
            //   0fb6c9               | dec                 eax
            //   83e13f               | mov                 ecx, esi

        $sequence_27 = { 0fb7d3 8d42bf 83f819 8d429f }
            // n = 4, score = 400
            //   0fb7d3               | dec                 eax
            //   8d42bf               | mov                 ecx, esi
            //   83f819               | dec                 eax
            //   8d429f               | mov                 dword ptr [esp + 0x20], eax

        $sequence_28 = { 83f822 77dd 488bd1 488d4c2420 e8???????? 4c8b3b }
            // n = 6, score = 400
            //   83f822               | dec                 eax
            //   77dd                 | mov                 dword ptr [esp + 0x20], eax
            //   488bd1               | test                eax, eax
            //   488d4c2420           | js                  0x13
            //   e8????????           |                     
            //   4c8b3b               | inc                 ecx

        $sequence_29 = { 660f73d801 660febd0 660f7ed0 84c0 }
            // n = 4, score = 300
            //   660f73d801           | mov                 eax, edx
            //   660febd0             | movzx               ecx, cl
            //   660f7ed0             | and                 ecx, 0x3f
            //   84c0                 | cmp                 eax, 0x22

        $sequence_30 = { 740d 33d2 83f902 0f95c2 83c224 eb05 }
            // n = 6, score = 300
            //   740d                 | dec                 eax
            //   33d2                 | mov                 ecx, esi
            //   83f902               | dec                 eax
            //   0f95c2               | mov                 dword ptr [esp + 0x20], eax
            //   83c224               | test                eax, eax
            //   eb05                 | dec                 eax

        $sequence_31 = { f3a4 c64414102e 42 3bd0 7cdd 85d2 }
            // n = 6, score = 200
            //   f3a4                 | mov                 edi, eax
            //   c64414102e           | dec                 eax
            //   42                   | test                eax, eax
            //   3bd0                 | inc                 ecx
            //   7cdd                 | lea                 edx, [ebp + 8]
            //   85d2                 | dec                 eax

        $sequence_32 = { e8???????? 33d2 33c9 6a07 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   33d2                 | mov                 ecx, eax
            //   33c9                 | dec                 eax
            //   6a07                 | mov                 ebx, eax

        $sequence_33 = { 0fb74708 50 ff15???????? 0fb7c8 83fe01 }
            // n = 5, score = 200
            //   0fb74708             | dec                 eax
            //   50                   | mov                 edx, dword ptr [esp + 0x40]
            //   ff15????????         |                     
            //   0fb7c8               | dec                 eax
            //   83fe01               | mov                 ecx, dword ptr [esp + 0x28]

        $sequence_34 = { 72e5 53 8b1d???????? ffd3 }
            // n = 4, score = 200
            //   72e5                 | movzx               ebp, ax
            //   53                   | movzx               ecx, word ptr [edi + 2]
            //   8b1d????????         |                     
            //   ffd3                 | movzx               ebx, ax

        $sequence_35 = { ff15???????? 50 ff15???????? 8d4e01 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   50                   | mov                 ecx, dword ptr [esp + 0x38]
            //   ff15????????         |                     
            //   8d4e01               | dec                 eax

        $sequence_36 = { 0fb745e8 50 68???????? e8???????? }
            // n = 4, score = 200
            //   0fb745e8             | movzx               ebp, ax
            //   50                   | movzx               ebx, ax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_37 = { 733c 8a02 3cc0 721e 0fb6c8 }
            // n = 5, score = 200
            //   733c                 | dec                 eax
            //   8a02                 | mov                 eax, dword ptr [esp + 0x38]
            //   3cc0                 | mov                 eax, dword ptr [esp + 0x20]
            //   721e                 | inc                 esp
            //   0fb6c8               | mov                 eax, eax

        $sequence_38 = { eb0d 85ff 7511 8bca e8???????? 8bf8 85f6 }
            // n = 7, score = 200
            //   eb0d                 | mov                 ecx, eax
            //   85ff                 | dec                 eax
            //   7511                 | mov                 ebx, eax
            //   8bca                 | inc                 ecx
            //   e8????????           |                     
            //   8bf8                 | lea                 edx, [ebp + 8]
            //   85f6                 | dec                 eax

        $sequence_39 = { 83e820 f7d8 1bc0 83e003 }
            // n = 4, score = 200
            //   83e820               | mov                 ecx, eax
            //   f7d8                 | mov                 edx, 8
            //   1bc0                 | dec                 esp
            //   83e003               | mov                 edi, eax

        $sequence_40 = { 6a01 6a04 68???????? ff15???????? 8bf8 83ffff }
            // n = 6, score = 200
            //   6a01                 | dec                 eax
            //   6a04                 | add                 eax, 0x28
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bf8                 | dec                 eax
            //   83ffff               | mov                 dword ptr [esp + 0x50], eax

        $sequence_41 = { ffd0 5e c3 33c0 5e c3 33d2 }
            // n = 7, score = 200
            //   ffd0                 | dec                 eax
            //   5e                   | mov                 dword ptr [esp + 0x20], eax
            //   c3                   | dec                 eax
            //   33c0                 | mov                 ecx, esi
            //   5e                   | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x20], eax
            //   33d2                 | test                eax, eax

        $sequence_42 = { 745c 57 8d450c 50 ff7508 }
            // n = 5, score = 200
            //   745c                 | lea                 ecx, [esp + 0x20]
            //   57                   | dec                 esp
            //   8d450c               | mov                 edi, dword ptr [ebx]
            //   50                   | cmp                 bx, ax
            //   ff7508               | jb                  0xb3

        $sequence_43 = { 83e840 f7d8 1bc0 83e004 }
            // n = 4, score = 200
            //   83e840               | dec                 eax
            //   f7d8                 | mov                 ecx, eax
            //   1bc0                 | mov                 edx, 8
            //   83e004               | dec                 esp

        $sequence_44 = { 81fe80000000 760b 24f2 0c02 88842483030000 a80f 7533 }
            // n = 7, score = 200
            //   81fe80000000         | dec                 eax
            //   760b                 | test                eax, eax
            //   24f2                 | inc                 ebp
            //   0c02                 | xor                 ecx, ecx
            //   88842483030000       | dec                 eax
            //   a80f                 | mov                 dword ptr [esp + 0x28], eax
            //   7533                 | dec                 eax

        $sequence_45 = { 8b1d???????? ffd3 8b3d???????? 8d7001 }
            // n = 4, score = 200
            //   8b1d????????         |                     
            //   ffd3                 | mov                 eax, dword ptr [eax + ecx]
            //   8b3d????????         |                     
            //   8d7001               | dec                 eax

        $sequence_46 = { 488b8c24f0000000 e8???????? 488b4c2430 894124 eb0c }
            // n = 5, score = 100
            //   488b8c24f0000000     | dec                 eax
            //   e8????????           |                     
            //   488b4c2430           | mov                 dword ptr [ebp + 0x18], eax
            //   894124               | dec                 eax
            //   eb0c                 | mov                 dword ptr [eax + 0x18], esi

        $sequence_47 = { 8b442420 448bc0 488b542440 488b4c2428 e8???????? }
            // n = 5, score = 100
            //   8b442420             | mov                 ecx, 0x82
            //   448bc0               | inc                 ecx
            //   488b542440           | mov                 eax, 0x2d40b8e6
            //   488b4c2428           | dec                 eax
            //   e8????????           |                     

        $sequence_48 = { 488b442450 4883c028 4889442450 488b442438 }
            // n = 4, score = 100
            //   488b442450           | js                  0x13
            //   4883c028             | dec                 eax
            //   4889442450           | cwde                
            //   488b442438           | inc                 ecx

        $sequence_49 = { 8b0408 488b4c2438 4803c8 488bc1 }
            // n = 4, score = 100
            //   8b0408               | test                eax, eax
            //   488b4c2438           | je                  0xa
            //   4803c8               | dec                 eax
            //   488bc1               | test                eax, eax

        $sequence_50 = { 4883c002 4889442418 8b442408 4889442450 }
            // n = 4, score = 100
            //   4883c002             | jne                 0x77
            //   4889442418           | xor                 eax, eax
            //   8b442408             | dec                 eax
            //   4889442450           | lea                 ecx, [ebp + 0x18]

        $sequence_51 = { ff15???????? 488b442438 8b4050 8b8c24ac000000 8d4408ff 8b8c24ac000000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488b442438           | dec                 eax
            //   8b4050               | mov                 dword ptr [eax + 0x20], edi
            //   8b8c24ac000000       | inc                 ecx
            //   8d4408ff             | push                esi
            //   8b8c24ac000000       | dec                 eax

        $sequence_52 = { 488b08 ff15???????? b801000000 e9???????? }
            // n = 4, score = 100
            //   488b08               | add                 byte ptr [eax + 0x3b], cl
            //   ff15????????         |                     
            //   b801000000           | ret                 
            //   e9????????           |                     

        $sequence_53 = { e9???????? 488b442428 8b4014 488b4c2428 034110 8bc0 448bc0 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b442428           | jne                 0xf
            //   8b4014               | mov                 eax, 6
            //   488b4c2428           | dec                 eax
            //   034110               | mov                 ebx, 0x2ddfa232
            //   8bc0                 | cdq                 
            //   448bc0               | sub                 eax, dword ptr [eax]

    // Match logic: any 7 of the 54 sequences (order-independent) plus a size cap
    // of 507904 bytes (496 KiB). The cap presumably bounds scan cost and false
    // positives on large binaries, but it also means a copy of this code embedded
    // in a larger file (installer, archive, memory image) will NOT be flagged --
    // scan unpacked/extracted payloads if that matters for your use case.
    condition:
        7 of them and filesize < 507904
}