SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bazarbackdoor (Back to overview)

BazarBackdoor

aka: BEERBOT, KEGTAP, Team9Backdoor, bazaloader, bazarloader

Actor(s): UNC1878


BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like anchor. Its called team9 backdoor (and the corresponding loader: team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.

References
2023-02-03MandiantKimberly Goody, Genevieve Stark
@online{goody:20230203:float:5150a2b, author = {Kimberly Goody and Genevieve Stark}, title = {{Float Like a Butterfly Sting Like a Bee}}, date = {2023-02-03}, organization = {Mandiant}, url = {https://www.youtube.com/watch?v=pIXl79IPkLI}, language = {English}, urldate = {2023-02-21} } Float Like a Butterfly Sting Like a Bee
BazarBackdoor BumbleBee Cobalt Strike
2022-11-21Palo Alto Networks Unit 42Kristopher Russo
@online{russo:20221121:threat:86205c7, author = {Kristopher Russo}, title = {{Threat Assessment: Luna Moth Callback Phishing Campaign}}, date = {2022-11-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/}, language = {English}, urldate = {2022-11-25} } Threat Assessment: Luna Moth Callback Phishing Campaign
BazarBackdoor Conti
2022-10-06TrellixDaksh Kapur
@online{kapur:20221006:evolution:788af5e, author = {Daksh Kapur}, title = {{Evolution of BazarCall Social Engineering Tactics}}, date = {2022-10-06}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html}, language = {English}, urldate = {2023-01-03} } Evolution of BazarCall Social Engineering Tactics
BazarBackdoor BazarCall
2022-08-06MalwareBookReportsmuzi
@online{muzi:20220806:look:840677d, author = {muzi}, title = {{A LOOK BACK AT BAZARLOADER’S DGA}}, date = {2022-08-06}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/a-look-back-at-bazarloaders-dga/}, language = {English}, urldate = {2023-08-07} } A LOOK BACK AT BAZARLOADER’S DGA
BazarBackdoor
2022-08-03Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20220803:flight:a8efd82, author = {Brad Duncan}, title = {{Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware}}, date = {2022-08-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/}, language = {English}, urldate = {2022-08-08} } Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-06-24Palo Alto Networks Unit 42Mark Lim, Riley Porter
@online{lim:20220624:there:7a3b762, author = {Mark Lim and Riley Porter}, title = {{There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families}}, date = {2022-06-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/api-hammering-malware-families/}, language = {English}, urldate = {2022-06-27} } There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families
BazarBackdoor Zloader
2022-06-21McAfeeLakshya Mathur
@online{mathur:20220621:rise:71e04f0, author = {Lakshya Mathur}, title = {{Rise of LNK (Shortcut files) Malware}}, date = {2022-06-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/}, language = {English}, urldate = {2022-07-05} } Rise of LNK (Shortcut files) Malware
BazarBackdoor Emotet IcedID QakBot
2022-06-15AttackIQJackson Wells, AttackIQ Adversary Research Team
@online{wells:20220615:attack:aa9fcfb, author = {Jackson Wells and AttackIQ Adversary Research Team}, title = {{Attack Graph Emulating the Conti Ransomware Team’s Behaviors}}, date = {2022-06-15}, organization = {AttackIQ}, url = {https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/}, language = {English}, urldate = {2022-07-01} } Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot
2022-06-12cocomelonc
@online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2022-05-270ffset BlogChuong Dong
@online{dong:20220527:bazarloader:0729146, author = {Chuong Dong}, title = {{BAZARLOADER: Analysing The Main Loader}}, date = {2022-05-27}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/}, language = {English}, urldate = {2022-05-29} } BAZARLOADER: Analysing The Main Loader
BazarBackdoor
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-04-29NCC GroupMike Stokkel, Nikolaos Totosis, Nikolaos Pantazopoulos
@online{stokkel:20220429:adventures:7be43ad, author = {Mike Stokkel and Nikolaos Totosis and Nikolaos Pantazopoulos}, title = {{Adventures in the land of BumbleBee – a new malicious loader}}, date = {2022-04-29}, organization = {NCC Group}, url = {https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/}, language = {English}, urldate = {2022-04-29} } Adventures in the land of BumbleBee – a new malicious loader
BazarBackdoor BumbleBee Conti
2022-04-25paloalto Networks Unit 42Mark Lim
@online{lim:20220425:defeating:3da4840, author = {Mark Lim}, title = {{Defeating BazarLoader Anti-Analysis Techniques}}, date = {2022-04-25}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/}, language = {English}, urldate = {2022-04-29} } Defeating BazarLoader Anti-Analysis Techniques
BazarBackdoor
2022-04-190ffset BlogChuong Dong
@online{dong:20220419:bazarloader:902cf53, author = {Chuong Dong}, title = {{BAZARLOADER: Unpacking An ISO File Infection}}, date = {2022-04-19}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/}, language = {English}, urldate = {2022-04-20} } BAZARLOADER: Unpacking An ISO File Infection
BazarBackdoor
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-17BushidoToken BlogBushidoToken
@online{bushidotoken:20220417:lessons:d4d0595, author = {BushidoToken}, title = {{Lessons from the Conti Leaks}}, date = {2022-04-17}, organization = {BushidoToken Blog}, url = {https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html}, language = {English}, urldate = {2022-04-25} } Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15Bleeping ComputerIonut Ilascu
@online{ilascu:20220415:karakurt:6fc6399, author = {Ionut Ilascu}, title = {{Karakurt revealed as data extortion arm of Conti cybercrime syndicate}}, date = {2022-04-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/}, language = {English}, urldate = {2022-05-04} } Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2022-04-05Intel 471Intel 471
@online{471:20220405:move:d589859, author = {Intel 471}, title = {{Move fast and commit crimes: Conti’s development teams mirror corporate tech}}, date = {2022-04-05}, organization = {Intel 471}, url = {https://intel471.com/blog/conti-leaks-ransomware-development}, language = {English}, urldate = {2022-04-07} } Move fast and commit crimes: Conti’s development teams mirror corporate tech
BazarBackdoor TrickBot
2022-03-30PrevailionPrevailion
@online{prevailion:20220330:wizard:6eb38a7, author = {Prevailion}, title = {{Wizard Spider continues to confound}}, date = {2022-03-30}, organization = {Prevailion}, url = {https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903}, language = {English}, urldate = {2022-03-31} } Wizard Spider continues to confound
BazarBackdoor Cobalt Strike Emotet
2022-03-22Red CanaryRed Canary
@techreport{canary:20220322:2022:67c40ea, author = {Red Canary}, title = {{2022 Threat Detection Report}}, date = {2022-03-22}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf}, language = {English}, urldate = {2022-03-23} } 2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT
2022-03-21eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID
2022-03-17Trend MicroTrend Micro Research
@techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-03-17GoogleVladislav Stolyarov, Benoit Sevens, Google Threat Analysis Group
@online{stolyarov:20220317:exposing:f818c6d, author = {Vladislav Stolyarov and Benoit Sevens and Google Threat Analysis Group}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/}, language = {English}, urldate = {2022-03-18} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Cobalt Strike Conti
2022-03-17GoogleVladislav Stolyarov, Benoit Sevens
@online{stolyarov:20220317:exposing:5f565b6, author = {Vladislav Stolyarov and Benoit Sevens}, title = {{Exposing initial access broker with ties to Conti}}, date = {2022-03-17}, organization = {Google}, url = {https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti}, language = {English}, urldate = {2022-05-17} } Exposing initial access broker with ties to Conti
BazarBackdoor BumbleBee Conti EXOTIC LILY
2022-03-10Bleeping ComputerBill Toulas
@online{toulas:20220310:corporate:30fac0b, author = {Bill Toulas}, title = {{Corporate website contact forms used to spread BazarBackdoor malware}}, date = {2022-03-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/}, language = {English}, urldate = {2022-03-14} } Corporate website contact forms used to spread BazarBackdoor malware
BazarBackdoor
2022-03-09AbnormalBelem Regalado, Rachelle Chouinard
@online{regalado:20220309:bazarloader:09cc5d7, author = {Belem Regalado and Rachelle Chouinard}, title = {{BazarLoader Actors Initiate Contact via Website Contact Forms}}, date = {2022-03-09}, organization = {Abnormal}, url = {https://abnormalsecurity.com/blog/bazarloader-contact-form}, language = {English}, urldate = {2022-05-04} } BazarLoader Actors Initiate Contact via Website Contact Forms
BazarBackdoor
2022-03-09Bleeping ComputerIonut Ilascu
@online{ilascu:20220309:cisa:63f18cd, author = {Ionut Ilascu}, title = {{CISA updates Conti ransomware alert with nearly 100 domain names}}, date = {2022-03-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/}, language = {English}, urldate = {2022-03-10} } CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-03Trend MicroTrend Micro Research
@online{research:20220303:cyberattacks:d961eb0, author = {Trend Micro Research}, title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}}, date = {2022-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html}, language = {English}, urldate = {2022-03-04} } Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-02-26MandiantMandiant
@online{mandiant:20220226:trending:a445d4a, author = {Mandiant}, title = {{TRENDING EVIL Q1 2022}}, date = {2022-02-26}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil/p/1}, language = {English}, urldate = {2022-03-14} } TRENDING EVIL Q1 2022
KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot
2022-02-25CyberScoopJoe Warminsky
@online{warminsky:20220225:trickbot:2d38470, author = {Joe Warminsky}, title = {{TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators}}, date = {2022-02-25}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/}, language = {English}, urldate = {2022-03-01} } TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot
2022-02-24The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220224:trickbot:7e86d52, author = {Ravie Lakshmanan}, title = {{TrickBot Gang Likely Shifting Operations to Switch to New Malware}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html}, language = {English}, urldate = {2022-03-01} } TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-24kienmanowar Blogm4n0w4r, Tran Trung Kien
@online{m4n0w4r:20220224:quicknote:bea9238, author = {m4n0w4r and Tran Trung Kien}, title = {{[QuickNote] Techniques for decrypting BazarLoader strings}}, date = {2022-02-24}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/}, language = {English}, urldate = {2022-03-01} } [QuickNote] Techniques for decrypting BazarLoader strings
BazarBackdoor
2022-02-24The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220224:notorious:c5e1556, author = {Ravie Lakshmanan}, title = {{Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure}}, date = {2022-02-24}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html}, language = {English}, urldate = {2022-03-04} } Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot
2022-02-16Medium elis531989Eli Salem
@online{salem:20220216:highway:c1726ea, author = {Eli Salem}, title = {{Highway to Conti: Analysis of Bazarloader}}, date = {2022-02-16}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d}, language = {English}, urldate = {2022-02-17} } Highway to Conti: Analysis of Bazarloader
BazarBackdoor
2022-02-02IBMKevin Henson
@online{henson:20220202:trickbot:fd4964d, author = {Kevin Henson}, title = {{TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware}}, date = {2022-02-02}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/}, language = {English}, urldate = {2022-02-04} } TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware
BazarBackdoor TrickBot
2022-01-22forensicitguyTony Lambert
@online{lambert:20220122:bazariso:b5e9a03, author = {Tony Lambert}, title = {{BazarISO Analysis - Loading with Advpack.dll}}, date = {2022-01-22}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/bazariso-analysis-advpack/}, language = {English}, urldate = {2022-01-28} } BazarISO Analysis - Loading with Advpack.dll
BazarBackdoor
2022-01-18Recorded FutureInsikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-15MalwareBookReportsmuzi
@online{muzi:20220115:bazarloader:68ae068, author = {muzi}, title = {{BazarLoader - Back from Holiday Break}}, date = {2022-01-15}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/bazarloader-back-from-holiday-break/}, language = {English}, urldate = {2022-01-25} } BazarLoader - Back from Holiday Break
BazarBackdoor
2022-01-02BleepingComputerLawrence Abrams
@online{abrams:20220102:malicious:a53af29, author = {Lawrence Abrams}, title = {{Malicious CSV text files used to install BazarBackdoor malware}}, date = {2022-01-02}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/}, language = {English}, urldate = {2022-02-02} } Malicious CSV text files used to install BazarBackdoor malware
BazarBackdoor
2021-12-13The DFIR ReportThe DFIR Report
@online{report:20211213:diavol:7b6e4e6, author = {The DFIR Report}, title = {{Diavol Ransomware}}, date = {2021-12-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/12/13/diavol-ransomware/}, language = {English}, urldate = {2021-12-22} } Diavol Ransomware
BazarBackdoor Conti Diavol
2021-11-30SymantecSymantec Threat Hunter Team
@online{team:20211130:yanluowang:538b90c, author = {Symantec Threat Hunter Team}, title = {{Yanluowang: Further Insights on New Ransomware Threat}}, date = {2021-11-30}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue}, language = {English}, urldate = {2022-09-20} } Yanluowang: Further Insights on New Ransomware Threat
BazarBackdoor Cobalt Strike FiveHands
2021-11-29The DFIR ReportThe DFIR Report
@online{report:20211129:continuing:646e622, author = {The DFIR Report}, title = {{CONTInuing the Bazar Ransomware Story}}, date = {2021-11-29}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/}, language = {English}, urldate = {2021-12-07} } CONTInuing the Bazar Ransomware Story
BazarBackdoor Cobalt Strike Conti
2021-11-23Trend MicroIan Kenefick
@online{kenefick:20211123:bazarloader:794de7c, author = {Ian Kenefick}, title = {{BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors}}, date = {2021-11-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html}, language = {English}, urldate = {2021-11-26} } BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors
BazarBackdoor
2021-11-16PC's Xcetra SupportDavid Ledbetter
@online{ledbetter:20211116:excel:a63e7d6, author = {David Ledbetter}, title = {{Excel 4 macro code obfuscation}}, date = {2021-11-16}, organization = {PC's Xcetra Support}, url = {https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/}, language = {English}, urldate = {2021-11-25} } Excel 4 macro code obfuscation
BazarBackdoor
2021-11-11SophosLabs UncutAndrew Brandt
@online{brandt:20211111:bazarloader:9328545, author = {Andrew Brandt}, title = {{BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism}}, date = {2021-11-11}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/}, language = {English}, urldate = {2021-11-12} } BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism
BazarBackdoor
2021-11-05Twitter (@Unit42_Intel)Unit 42
@online{42:20211105:ta551:98c564e, author = {Unit 42}, title = {{Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops}}, date = {2021-11-05}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1458113934024757256}, language = {English}, urldate = {2021-11-17} } Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
BazarBackdoor Cobalt Strike
2021-10-18paloalto Netoworks: Unit42Brad Duncan
@online{duncan:20211018:case:bdd95ff, author = {Brad Duncan}, title = {{Case Study: From BazarLoader to Network Reconnaissance}}, date = {2021-10-18}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/}, language = {English}, urldate = {2021-10-22} } Case Study: From BazarLoader to Network Reconnaissance
BazarBackdoor Cobalt Strike
2021-10-13IBMOle Villadsen, Charlotte Hammond
@online{villadsen:20211013:trickbot:e0d4233, author = {Ole Villadsen and Charlotte Hammond}, title = {{Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds}}, date = {2021-10-13}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/}, language = {English}, urldate = {2021-10-25} } Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
BazarBackdoor TrickBot
2021-10-08ZscalerTarun Dewan, Lenart Brave
@online{dewan:20211008:new:b97c20c, author = {Tarun Dewan and Lenart Brave}, title = {{New Trickbot and BazarLoader campaigns use multiple delivery vectorsi}}, date = {2021-10-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors}, language = {English}, urldate = {2021-10-14} } New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot
2021-10-07MandiantJoshua Shilko, Zach Riddle, Jennifer Brooks, Genevieve Stark, Adam Brunner, Kimberly Goody, Jeremy Kennelly
@online{shilko:20211007:fin12:43d89f5, author = {Joshua Shilko and Zach Riddle and Jennifer Brooks and Genevieve Stark and Adam Brunner and Kimberly Goody and Jeremy Kennelly}, title = {{FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets}}, date = {2021-10-07}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets}, language = {English}, urldate = {2021-10-08} } FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
BazarBackdoor GRIMAGENT Ryuk
2021-10-04The DFIR ReportThe DFIR Report
@online{report:20211004:bazarloader:fe3adf3, author = {The DFIR Report}, title = {{BazarLoader and the Conti Leaks}}, date = {2021-10-04}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/}, language = {English}, urldate = {2021-10-11} } BazarLoader and the Conti Leaks
BazarBackdoor Cobalt Strike Conti
2021-10-04CiscoTiago Pereira
@online{pereira:20211004:threat:9f493e1, author = {Tiago Pereira}, title = {{Threat hunting in large datasets by clustering security events}}, date = {2021-10-04}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html}, language = {English}, urldate = {2021-10-20} } Threat hunting in large datasets by clustering security events
BazarBackdoor TrickBot
2021-09-17CrowdStrikeFalcon OverWatch Team
@online{team:20210917:falcon:76aa03b, author = {Falcon OverWatch Team}, title = {{Falcon OverWatch Hunts Down Adversaries Where They Hide}}, date = {2021-09-17}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/}, language = {English}, urldate = {2021-10-05} } Falcon OverWatch Hunts Down Adversaries Where They Hide
BazarBackdoor Cobalt Strike
2021-09-13The DFIR ReportThe DFIR Report
@online{report:20210913:bazarloader:5073703, author = {The DFIR Report}, title = {{BazarLoader to Conti Ransomware in 32 Hours}}, date = {2021-09-13}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/}, language = {English}, urldate = {2021-09-14} } BazarLoader to Conti Ransomware in 32 Hours
BazarBackdoor Cobalt Strike Conti
2021-09-04cocomelonccocomelonc
@online{cocomelonc:20210904:av:06b27c5, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 1}}, date = {2021-09-04}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 1
4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-09Johannes Bader's BlogJohannes Bader
@online{bader:20210809:bazarloader:e123577, author = {Johannes Bader}, title = {{A BazarLoader DGA that Breaks Down in the Summer}}, date = {2021-08-09}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/}, language = {English}, urldate = {2021-08-09} } A BazarLoader DGA that Breaks Down in the Summer
BazarBackdoor
2021-08-01The DFIR ReportThe DFIR Report
@online{report:20210801:bazarcall:bb6829b, author = {The DFIR Report}, title = {{BazarCall to Conti Ransomware via Trickbot and Cobalt Strike}}, date = {2021-08-01}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/}, language = {English}, urldate = {2021-08-02} } BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30Twitter (@Unit42_Intel)Unit 42
@online{42:20210730:bazarloader:43bdc2c, author = {Unit 42}, title = {{Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability}}, date = {2021-07-30}, organization = {Twitter (@Unit42_Intel)}, url = {https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20}, language = {English}, urldate = {2021-08-02} } Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
BazarBackdoor Cobalt Strike
2021-07-30Medium walmartglobaltechJason Reaves
@online{reaves:20210730:decrypting:0b08389, author = {Jason Reaves}, title = {{Decrypting BazarLoader strings with a Unicorn}}, date = {2021-07-30}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9}, language = {English}, urldate = {2021-08-02} } Decrypting BazarLoader strings with a Unicorn
BazarBackdoor
2021-07-29MicrosoftMicrosoft Defender Threat Intelligence
@online{intelligence:20210729:bazacall:a24d9e6, author = {Microsoft Defender Threat Intelligence}, title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/}, language = {English}, urldate = {2023-01-03} } BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor BazarCall
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210729:bazacall:8d79cdf, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{BazaCall: Phony call centers lead to exfiltration and ransomware}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/}, language = {English}, urldate = {2021-08-02} } BazaCall: Phony call centers lead to exfiltration and ransomware
BazarBackdoor Cobalt Strike
2021-07-14Bleeping ComputerIonut Ilascu
@online{ilascu:20210714:bazarbackdoor:b63046e, author = {Ionut Ilascu}, title = {{BazarBackdoor sneaks in through nested RAR and ZIP archives}}, date = {2021-07-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/}, language = {English}, urldate = {2021-07-26} } BazarBackdoor sneaks in through nested RAR and ZIP archives
BazarBackdoor
2021-06-16ProofpointSelena Larson, Daniel Blackford, Garrett M. Graff
@online{larson:20210616:first:2e436a0, author = {Selena Larson and Daniel Blackford and Garrett M. Graff}, title = {{The First Step: Initial Access Leads to Ransomware}}, date = {2021-06-16}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware}, language = {English}, urldate = {2021-06-21} } The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker
2021-05-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210519:bazarcall:60c6562, author = {Brad Duncan}, title = {{BazarCall: Call Centers Help Spread BazarLoader Malware}}, date = {2021-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/bazarloader-malware/}, language = {English}, urldate = {2021-05-20} } BazarCall: Call Centers Help Spread BazarLoader Malware
BazarBackdoor campoloader
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-11Mal-Eatsmal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-15SophosLabs UncutAndrew Brandt
@online{brandt:20210415:bazarloader:93400a1, author = {Andrew Brandt}, title = {{BazarLoader deploys a pair of novel spam vectors}}, date = {2021-04-15}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors}, language = {English}, urldate = {2021-04-16} } BazarLoader deploys a pair of novel spam vectors
BazarBackdoor
2021-04-14InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210414:april:4a29cb5, author = {Brad Duncan}, title = {{April 2021 Forensic Quiz: Answers and Analysis}}, date = {2021-04-14}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27308}, language = {English}, urldate = {2021-04-14} } April 2021 Forensic Quiz: Answers and Analysis
Anchor BazarBackdoor Cobalt Strike
2021-04-12Trend MicroRaphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, Frankylnn Uy
@online{centeno:20210412:spike:d67dcb0, author = {Raphael Centeno and Don Ovid Ladores and Lala Manly and Junestherry Salvador and Frankylnn Uy}, title = {{A Spike in BazarCall and IcedID Activity Detected in March}}, date = {2021-04-12}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html}, language = {English}, urldate = {2021-04-14} } A Spike in BazarCall and IcedID Activity Detected in March
BazarBackdoor IcedID
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-03-30YouTube ( malware-traffic-analysis.net)Brad Duncan
@online{duncan:20210330:20210329:bf22ea0, author = {Brad Duncan}, title = {{2021-03-29 BazaCall (BazarCall) Example}}, date = {2021-03-30}, organization = {YouTube ( malware-traffic-analysis.net)}, url = {https://www.youtube.com/watch?v=uAkeXCYcl4Y}, language = {English}, urldate = {2021-03-31} } 2021-03-29 BazaCall (BazarCall) Example
BazarBackdoor
2021-03-30FR3D.HKFred HK
@online{hk:20210330:campo:bf657d8, author = {Fred HK}, title = {{Campo Loader - Simple but effective}}, date = {2021-03-30}, organization = {FR3D.HK}, url = {https://fr3d.hk/blog/campo-loader-simple-but-effective}, language = {English}, urldate = {2021-04-09} } Campo Loader - Simple but effective
BazarBackdoor
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-08The DFIR ReportThe DFIR Report
@online{report:20210308:bazar:ba050d7, author = {The DFIR Report}, title = {{Bazar Drops the Anchor}}, date = {2021-03-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/}, language = {English}, urldate = {2021-03-10} } Bazar Drops the Anchor
Anchor BazarBackdoor Cobalt Strike
2021-03-01Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210301:nimar:c26af08, author = {Joshua Platt and Jason Reaves}, title = {{Nimar Loader}}, date = {2021-03-01}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e}, language = {English}, urldate = {2021-03-04} } Nimar Loader
BazarBackdoor BazarNimrod Cobalt Strike
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-12FortinetXiaopeng Zhang
@online{zhang:20210212:new:4e0dab7, author = {Xiaopeng Zhang}, title = {{New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I}}, date = {2021-02-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I}, language = {English}, urldate = {2021-02-20} } New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
BazarBackdoor
2021-02-12FortinetXiaopeng Zhang
@online{zhang:20210212:new:0be729d, author = {Xiaopeng Zhang}, title = {{New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II}}, date = {2021-02-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II}, language = {English}, urldate = {2021-02-20} } New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II
BazarBackdoor
2021-02-11ProofpointProofpoint Threat Research Team
@online{team:20210211:baza:41ddf2c, author = {Proofpoint Threat Research Team}, title = {{A Baza Valentine’s Day}}, date = {2021-02-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day}, language = {English}, urldate = {2021-02-25} } A Baza Valentine’s Day
BazarBackdoor
2021-02-09CofenseZachary Bailey
@online{bailey:20210209:bazarbackdoors:a9cf426, author = {Zachary Bailey}, title = {{BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs}}, date = {2021-02-09}, organization = {Cofense}, url = {https://cofense.com/blog/bazarbackdoor-stealthy-infiltration}, language = {English}, urldate = {2021-02-09} } BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs
BazarBackdoor
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01GoSecureLilly Chalupowski
@online{chalupowski:20210201:bazarloader:61a163a, author = {Lilly Chalupowski}, title = {{BazarLoader Mocks Researchers in December 2020 Malspam Campaign}}, date = {2021-02-01}, organization = {GoSecure}, url = {https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/}, language = {English}, urldate = {2021-02-02} } BazarLoader Mocks Researchers in December 2020 Malspam Campaign
BazarBackdoor
2021-01-31The DFIR ReportThe DFIR Report
@online{report:20210131:bazar:c3b3859, author = {The DFIR Report}, title = {{Bazar, No Ryuk?}}, date = {2021-01-31}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2021/01/31/bazar-no-ryuk/}, language = {English}, urldate = {2021-02-02} } Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28HornetsecurityHornetsecurity Security Lab
@online{lab:20210128:bazarloaders:ee499c8, author = {Hornetsecurity Security Lab}, title = {{BazarLoader’s Elaborate Flower Shop Lure}}, date = {2021-01-28}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/}, language = {English}, urldate = {2021-01-29} } BazarLoader’s Elaborate Flower Shop Lure
BazarBackdoor
2021-01-28Huntress LabsJohn Hammond
@techreport{hammond:20210128:analyzing:2f8dae2, author = {John Hammond}, title = {{Analyzing Ryuk Another Link in the Cyber Attack Chain}}, date = {2021-01-28}, institution = {Huntress Labs}, url = {https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf}, language = {English}, urldate = {2021-01-29} } Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk
2021-01-23Johannes Bader's BlogJohannes Bader
@online{bader:20210123:yet:1274cbe, author = {Johannes Bader}, title = {{Yet Another Bazar Loader DGA}}, date = {2021-01-23}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/yet-another-bazarloader-dga/}, language = {English}, urldate = {2021-01-25} } Yet Another Bazar Loader DGA
BazarBackdoor
2021-01-12Minerva LabsMinervaLabs
@online{minervalabs:20210112:slamming:89461b1, author = {MinervaLabs}, title = {{Slamming The Backdoor On BazarLoader}}, date = {2021-01-12}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader}, language = {English}, urldate = {2021-01-21} } Slamming The Backdoor On BazarLoader
BazarBackdoor
2021-01-12CybereasonLior Rochberger
@online{rochberger:20210112:cybereason:5707e14, author = {Lior Rochberger}, title = {{Cybereason vs. Conti Ransomware}}, date = {2021-01-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware}, language = {English}, urldate = {2021-01-18} } Cybereason vs. Conti Ransomware
BazarBackdoor Conti
2021-01-06DomainToolsJoe Slowik
@online{slowik:20210106:holiday:6ef0c9d, author = {Joe Slowik}, title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}}, date = {2021-01-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident}, language = {English}, urldate = {2021-01-10} } Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot
2020-12-16Johannes Bader's BlogJohannes Bader
@online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } Next Version of the Bazar Loader DGA
BazarBackdoor
2020-12-10CybereasonJoakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-10Intel 471Intel 471
@online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } Trickbot down, but is it out?
BazarBackdoor TrickBot
2020-11-09Area 1Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-05SCYTHEJorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } #ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-30CofenseThe Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a, author = {The Cofense Intelligence Team}, title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}}, date = {2020-10-30}, organization = {Cofense}, url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/}, language = {English}, urldate = {2020-11-02} } The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-29Twitter (@anthomsec)Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-28CISACISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
AnchorDNS Anchor BazarBackdoor Ryuk
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-13HornetsecuritySecurity Lab
@online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } BazarLoader Campaign with Fake Termination Emails
BazarBackdoor
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-09-29ZscalerMohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-07-16CybereasonDaniel Frank, Mary Zhao, Assaf Dahan
@online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } A Bazar of Tricks: Following Team9’s Development Cycles
BazarBackdoor
2020-07-16CybereasonDaniel Frank, Mary Zhao, Assaf Dahan
@techreport{frank:20200716:bazar:1349d7d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)}}, date = {2020-07-16}, institution = {Cybereason}, url = {https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf}, language = {English}, urldate = {2021-05-08} } A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)
BazarBackdoor
2020-07-15Johannes Bader's BlogJohannes Bader
@online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Defective Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-07-14Johannes Bader's BlogJohannes Bader
@online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-06-02Fox-ITNikolaos Pantazopoulos, Stefano Antenucci, NCC RIFT
@online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-06-02NCC GroupNikolaos Pantazopoulos, Stefano Antenucci
@online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-27Trend MicroTrend Micro
@online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } Group Behind TrickBot Spreads Fileless BazarBackdoor
BazarBackdoor
2020-04-24Vitali Kremez
@online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } TrickBot "BazarBackdoor" Process Hollowing Injection Primer
BazarBackdoor
2020-04-24Bleeping ComputerLawrence Abrams
@online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20230715 | Detects win.bazarbackdoor.)
rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.bazarbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488bce 4889442420 ff15???????? 85c0 780a 4898 }
            // n = 6, score = 1500
            //   488bce               | dec                 eax
            //   4889442420           | mov                 ecx, esi
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   780a                 | mov                 dword ptr [esp + 0x20], eax
            //   4898                 | test                eax, eax

        $sequence_1 = { 41b982000000 41b8e6b8402d e8???????? 4885c0 }
            // n = 4, score = 1300
            //   41b982000000         | mov                 dword ptr [esp + 0x20], eax
            //   41b8e6b8402d         | test                eax, eax
            //   e8????????           |                     
            //   4885c0               | js                  0xe

        $sequence_2 = { 8b4120 2d20059319 83f802 774b 488b4130 }
            // n = 5, score = 1300
            //   8b4120               | mov                 dword ptr [esp + 0x20], eax
            //   2d20059319           | inc                 ebp
            //   83f802               | xor                 ecx, ecx
            //   774b                 | dec                 eax
            //   488b4130             | mov                 dword ptr [esp + 0x28], eax

        $sequence_3 = { 85c0 7519 8b0d???????? 83f9ff 74df e8???????? 830d????????ff }
            // n = 7, score = 1300
            //   85c0                 | mov                 ecx, esi
            //   7519                 | dec                 eax
            //   8b0d????????         |                     
            //   83f9ff               | mov                 dword ptr [esp + 0x28], eax
            //   74df                 | dec                 eax
            //   e8????????           |                     
            //   830d????????ff       |                     

        $sequence_4 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? }
            // n = 5, score = 1100
            //   0fb70f               | mov                 eax, 0x100f
            //   ff15????????         |                     
            //   0fb74f02             | dec                 eax
            //   0fb7d8               | mov                 ecx, esi
            //   ff15????????         |                     

        $sequence_5 = { 488d4d80 e8???????? 498bd6 488d4d80 }
            // n = 4, score = 1100
            //   488d4d80             | movzx               ecx, word ptr [edi + 8]
            //   e8????????           |                     
            //   498bd6               | movzx               ecx, word ptr [edi]
            //   488d4d80             | movzx               ecx, word ptr [edi + 2]

        $sequence_6 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 1000
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   b8ff000000           | mov                 eax, 0xff

        $sequence_7 = { 0fb7d8 ff15???????? 0fb74f08 440fb7e8 }
            // n = 4, score = 1000
            //   0fb7d8               | dec                 esp
            //   ff15????????         |                     
            //   0fb74f08             | mov                 eax, ebx
            //   440fb7e8             | xor                 edx, edx

        $sequence_8 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 900
            //   c3                   | dec                 eax
            //   0fb74c0818           | mov                 dword ptr [esp + 0x20], eax
            //   b80b010000           | test                eax, eax
            //   663bc8               | js                  0xe

        $sequence_9 = { cc 4053 4883ec20 b902000000 e8???????? e8???????? }
            // n = 6, score = 900
            //   cc                   | movzx               ebx, ax
            //   4053                 | movzx               ecx, word ptr [edi + 2]
            //   4883ec20             | movzx               ebx, ax
            //   b902000000           | movzx               ecx, word ptr [edi + 8]
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_10 = { 4885c9 7406 488b11 ff5210 ff15???????? }
            // n = 5, score = 900
            //   4885c9               | inc                 edx
            //   7406                 | movzx               edx, byte ptr [ecx + esi]
            //   488b11               | test                dl, dl
            //   ff5210               | je                  9
            //   ff15????????         |                     

        $sequence_11 = { 488d442470 41b80f100000 488bce 4889442420 }
            // n = 4, score = 800
            //   488d442470           | inc                 ebp
            //   41b80f100000         | xor                 ecx, ecx
            //   488bce               | dec                 eax
            //   4889442420           | mov                 dword ptr [esp + 0x28], eax

        $sequence_12 = { ff15???????? ff15???????? 4d8bc5 33d2 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   4d8bc5               | mov                 eax, 0xff
            //   33d2                 | movzx               eax, word ptr [ebp - 0x16]

        $sequence_13 = { e8???????? 4c89e1 e8???????? 8b05???????? }
            // n = 4, score = 800
            //   e8????????           |                     
            //   4c89e1               | dec                 eax
            //   e8????????           |                     
            //   8b05????????         |                     

        $sequence_14 = { e8???????? 4889c7 8b05???????? 8b0d???????? }
            // n = 4, score = 800
            //   e8????????           |                     
            //   4889c7               | mov                 eax, 0x100f
            //   8b05????????         |                     
            //   8b0d????????         |                     

        $sequence_15 = { 4889442428 488d95a0070000 488d442470 41b80f100000 }
            // n = 4, score = 800
            //   4889442428           | mov                 eax, 0x100f
            //   488d95a0070000       | dec                 eax
            //   488d442470           | mov                 ecx, esi
            //   41b80f100000         | dec                 eax

        $sequence_16 = { 488d9590050000 488bce ff15???????? 85c0 }
            // n = 4, score = 800
            //   488d9590050000       | lea                 edx, [ebp + 0x7a0]
            //   488bce               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 eax, [esp + 0x70]

        $sequence_17 = { 4c89742440 4c89742438 4489742430 4c89742428 }
            // n = 4, score = 800
            //   4c89742440           | movzx               edx, byte ptr [ecx + esi]
            //   4c89742438           | test                dl, dl
            //   4489742430           | je                  9
            //   4c89742428           | cmp                 dl, 0x2e

        $sequence_18 = { ff15???????? 4889c1 31d2 4d89e0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   4889c1               | mov                 ecx, esi
            //   31d2                 | dec                 eax
            //   4d89e0               | mov                 dword ptr [esp + 0x20], eax

        $sequence_19 = { 418d5508 488bc8 ff15???????? 488bd8 }
            // n = 4, score = 800
            //   418d5508             | dec                 esp
            //   488bc8               | mov                 esi, eax
            //   ff15????????         |                     
            //   488bd8               | dec                 eax

        $sequence_20 = { 48c1e108 4803c8 8bc1 488d94059f070000 }
            // n = 4, score = 800
            //   48c1e108             | dec                 eax
            //   4803c8               | mov                 dword ptr [esp + 0x28], eax
            //   8bc1                 | dec                 eax
            //   488d94059f070000     | lea                 edx, [ebp + 0x7a0]

        $sequence_21 = { 4889f1 e8???????? 8b05???????? 8b0d???????? }
            // n = 4, score = 800
            //   4889f1               | mov                 dword ptr [esp + 0x20], eax
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b0d????????         |                     

        $sequence_22 = { 31ff 4889c1 31d2 4989f0 }
            // n = 4, score = 800
            //   31ff                 | test                eax, eax
            //   4889c1               | inc                 ecx
            //   31d2                 | mov                 eax, 0x100f
            //   4989f0               | dec                 eax

        $sequence_23 = { 488bd3 e8???????? ff15???????? 4c8bc3 33d2 488bc8 }
            // n = 6, score = 700
            //   488bd3               | mov                 ecx, esi
            //   e8????????           |                     
            //   ff15????????         |                     
            //   4c8bc3               | test                eax, eax
            //   33d2                 | dec                 eax
            //   488bc8               | lea                 eax, [esp + 0x70]

        $sequence_24 = { 488bc8 ff15???????? ff15???????? 4c8bc6 33d2 488bc8 ff15???????? }
            // n = 7, score = 700
            //   488bc8               | jne                 0x2a
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   4c8bc6               | movzx               ecx, byte ptr [ebx + 4]
            //   33d2                 | movzx               edx, cl
            //   488bc8               | cmp                 cl, 0x73
            //   ff15????????         |                     

        $sequence_25 = { 4889c1 31d2 4989f8 ff15???????? 4885c0 }
            // n = 5, score = 700
            //   4889c1               | js                  0x16
            //   31d2                 | dec                 eax
            //   4989f8               | cwde                
            //   ff15????????         |                     
            //   4885c0               | dec                 eax

        $sequence_26 = { 0f9fc1 89cb 30d3 08d1 80f101 08d9 }
            // n = 6, score = 700
            //   0f9fc1               | inc                 ecx
            //   89cb                 | mov                 eax, 1
            //   30d3                 | inc                 ebp
            //   08d1                 | xor                 ecx, ecx
            //   80f101               | mov                 dword ptr [esp + 0x20], 3
            //   08d9                 | dec                 eax

        $sequence_27 = { 0f9cc2 30da 7509 08c1 80f101 }
            // n = 5, score = 700
            //   0f9cc2               | dec                 eax
            //   30da                 | mov                 ecx, esi
            //   7509                 | lea                 ebp, [eax - 1]
            //   08c1                 | imul                ebp, eax
            //   80f101               | mov                 eax, ebp

        $sequence_28 = { 0fb65305 33c0 80f973 0f94c0 }
            // n = 4, score = 700
            //   0fb65305             | mov                 dword ptr [esp + 0x20], eax
            //   33c0                 | inc                 ecx
            //   80f973               | mov                 ecx, 0x82
            //   0f94c0               | inc                 ecx

        $sequence_29 = { 0fafc8 89c8 83f0fe 85c8 0f95c0 0f94c3 83fa09 }
            // n = 7, score = 700
            //   0fafc8               | mov                 ecx, edi
            //   89c8                 | mov                 edx, 0x80000000
            //   83f0fe               | inc                 ecx
            //   85c8                 | mov                 eax, 1
            //   0f95c0               | inc                 ebp
            //   0f94c3               | xor                 ecx, ecx
            //   83fa09               | dec                 eax

        $sequence_30 = { 48c744243000000000 c744242880000000 c744242003000000 4889f9 }
            // n = 4, score = 700
            //   48c744243000000000     | dec    eax
            //   c744242880000000     | arpl                word ptr [eax + 0x3c], ax
            //   c744242003000000     | dec                 eax
            //   4889f9               | mov                 ecx, dword ptr [esp + 0xf8]

        $sequence_31 = { 08ca 80f201 7502 ebfe }
            // n = 4, score = 700
            //   08ca                 | dec                 eax
            //   80f201               | mov                 ecx, edi
            //   7502                 | mov                 edx, 0x80000000
            //   ebfe                 | mov                 dword ptr [esp + 0x28], 0x80

        $sequence_32 = { ff15???????? 31ed 4889c1 31d2 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   31ed                 | inc                 ecx
            //   4889c1               | mov                 eax, 0x100f
            //   31d2                 | dec                 eax

        $sequence_33 = { 0fb6d1 80f973 7504 0fb65305 }
            // n = 4, score = 700
            //   0fb6d1               | dec                 eax
            //   80f973               | mov                 ecx, esi
            //   7504                 | dec                 eax
            //   0fb65305             | mov                 dword ptr [esp + 0x20], eax

        $sequence_34 = { 8d46ff 0fafc6 89c1 83f1fe 85c1 }
            // n = 5, score = 700
            //   8d46ff               | call                dword ptr [eax + 0x38]
            //   0fafc6               | xor                 eax, eax
            //   89c1                 | dec                 eax
            //   83f1fe               | mov                 eax, dword ptr [esp + 0x38]
            //   85c1                 | movzx               eax, word ptr [eax + 0x14]

        $sequence_35 = { e8???????? 4889f9 4889f2 ffd0 }
            // n = 4, score = 700
            //   e8????????           |                     
            //   4889f9               | mov                 ecx, esi
            //   4889f2               | dec                 eax
            //   ffd0                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_36 = { 08c1 80f101 7502 ebfe }
            // n = 4, score = 700
            //   08c1                 | mov                 dword ptr [esp + 0x20], 3
            //   80f101               | dec                 eax
            //   7502                 | mov                 ecx, edi
            //   ebfe                 | mov                 edx, 0x80000000

        $sequence_37 = { 7528 0fb64b04 0fb6d1 80f973 }
            // n = 4, score = 700
            //   7528                 | dec                 eax
            //   0fb64b04             | mov                 dword ptr [esp + 0x20], eax
            //   0fb6d1               | test                eax, eax
            //   80f973               | js                  0x16

        $sequence_38 = { 8b0d???????? 8d68ff 0fafe8 89e8 83f0fe 85e8 0f94c3 }
            // n = 7, score = 700
            //   8b0d????????         |                     
            //   8d68ff               | mov                 eax, dword ptr [esp + 0x30]
            //   0fafe8               | dec                 eax
            //   89e8                 | mov                 dword ptr [esp + 0x48], eax
            //   83f0fe               | dec                 eax
            //   85e8                 | mov                 eax, dword ptr [esp + 0x38]
            //   0f94c3               | dec                 eax

        $sequence_39 = { c744242003000000 4889f9 ba00000080 41b801000000 }
            // n = 4, score = 700
            //   c744242003000000     | test                eax, eax
            //   4889f9               | dec                 eax
            //   ba00000080           | mov                 dword ptr [esp + 0x20], eax
            //   41b801000000         | test                eax, eax

        $sequence_40 = { 0f94c3 83f809 0f9fc2 83f80a 0f9cc0 30d8 }
            // n = 6, score = 700
            //   0f94c3               | dec                 eax
            //   83f809               | mov                 ecx, edi
            //   0f9fc2               | mov                 edx, 0x80000000
            //   83f80a               | inc                 ecx
            //   0f9cc0               | mov                 eax, 1
            //   30d8                 | inc                 ebp

        $sequence_41 = { 4889c1 31d2 4d89e8 ff15???????? }
            // n = 4, score = 600
            //   4889c1               | js                  0x16
            //   31d2                 | dec                 eax
            //   4d89e8               | cwde                
            //   ff15????????         |                     

        $sequence_42 = { 89f0 4883c450 5b 5f }
            // n = 4, score = 600
            //   89f0                 | cdq                 
            //   4883c450             | sub                 eax, edx
            //   5b                   | sar                 eax, 1
            //   5f                   | inc                 ecx

        $sequence_43 = { 84d2 7405 80fa2e 750f }
            // n = 4, score = 600
            //   84d2                 | dec                 eax
            //   7405                 | lea                 edx, [ebp + 0x7a0]
            //   80fa2e               | dec                 eax
            //   750f                 | lea                 eax, [esp + 0x70]

        $sequence_44 = { 4889c1 31d2 4d89f8 ffd3 }
            // n = 4, score = 600
            //   4889c1               | cwde                
            //   31d2                 | dec                 eax
            //   4d89f8               | mov                 ecx, esi
            //   ffd3                 | dec                 eax

        $sequence_45 = { e8???????? 4c897c2420 4889d9 89fa }
            // n = 4, score = 600
            //   e8????????           |                     
            //   4c897c2420           | mov                 ecx, 0xe10
            //   4889d9               | cmp                 eax, ecx
            //   89fa                 | cmovg               eax, ecx

        $sequence_46 = { 4c8bf0 4889442458 488d4801 e8???????? }
            // n = 4, score = 500
            //   4c8bf0               | add                 ecx, eax
            //   4889442458           | mov                 eax, ecx
            //   488d4801             | dec                 eax
            //   e8????????           |                     

        $sequence_47 = { 83c70c 8b37 eb17 0fb7562c }
            // n = 4, score = 400
            //   83c70c               | add                 edi, 0xc
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   eb17                 | jmp                 0x19
            //   0fb7562c             | movzx               edx, word ptr [esi + 0x2c]

        $sequence_48 = { 6685ff 0f849c000000 837c2460ff 0f858c000000 }
            // n = 4, score = 400
            //   6685ff               | jne                 0x1b
            //   0f849c000000         | cmp                 ecx, -1
            //   837c2460ff           | je                  0xffffffe6
            //   0f858c000000         | test                eax, eax

        $sequence_49 = { 0fb745ea 50 0fb745e8 50 68???????? e8???????? }
            // n = 6, score = 400
            //   0fb745ea             | movzx               eax, word ptr [ebp - 0x16]
            //   50                   | push                eax
            //   0fb745e8             | movzx               eax, word ptr [ebp - 0x18]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_50 = { 66890d???????? 0fb7ca ff15???????? b901000000 66c746020100 668906 ff15???????? }
            // n = 7, score = 400
            //   66890d????????       |                     
            //   0fb7ca               | jne                 0x1b
            //   ff15????????         |                     
            //   b901000000           | cmp                 ecx, -1
            //   66c746020100         | je                  0xffffffe6
            //   668906               | test                eax, eax
            //   ff15????????         |                     

        $sequence_51 = { 83f813 72f1 8bc7 c6411400 }
            // n = 4, score = 400
            //   83f813               | cmp                 eax, 0x13
            //   72f1                 | jb                  0xfffffff3
            //   8bc7                 | mov                 eax, edi
            //   c6411400             | mov                 byte ptr [ecx + 0x14], 0

        $sequence_52 = { 83660800 894e04 85c0 7403 }
            // n = 4, score = 400
            //   83660800             | and                 dword ptr [esi + 8], 0
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5

        $sequence_53 = { 8d43d0 3c09 770e 6bc20a }
            // n = 4, score = 400
            //   8d43d0               | lea                 eax, [ebx - 0x30]
            //   3c09                 | cmp                 al, 9
            //   770e                 | ja                  0x10
            //   6bc20a               | imul                eax, edx, 0xa

        $sequence_54 = { 8bf1 8d4e7c e8???????? 8d4e58 }
            // n = 4, score = 400
            //   8bf1                 | mov                 esi, ecx
            //   8d4e7c               | lea                 ecx, [esi + 0x7c]
            //   e8????????           |                     
            //   8d4e58               | lea                 ecx, [esi + 0x58]

        $sequence_55 = { 81fb80000000 760c 80e1f2 80c902 }
            // n = 4, score = 400
            //   81fb80000000         | jne                 0x1b
            //   760c                 | cmp                 ecx, -1
            //   80e1f2               | je                  0xffffffe6
            //   80c902               | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_56 = { 8d55e1 8bce e8???????? a3???????? }
            // n = 4, score = 400
            //   8d55e1               | lea                 edx, [ebp - 0x1f]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   a3????????           |                     

        $sequence_57 = { 42 8d4701 84c9 0f45c7 }
            // n = 4, score = 300
            //   42                   | inc                 edx
            //   8d4701               | lea                 eax, [edi + 1]
            //   84c9                 | test                cl, cl
            //   0f45c7               | cmovne              eax, edi

        $sequence_58 = { 0fb74702 50 ffd3 0fb7d8 0fb74708 50 }
            // n = 6, score = 300
            //   0fb74702             | movzx               eax, word ptr [edi + 2]
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   0fb7d8               | movzx               ebx, ax
            //   0fb74708             | movzx               eax, word ptr [edi + 8]
            //   50                   | push                eax

        $sequence_59 = { e8???????? 33d2 83c40c 8d4a01 3bf9 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   83c40c               | add                 esp, 0xc
            //   8d4a01               | lea                 ecx, [edx + 1]
            //   3bf9                 | cmp                 edi, ecx

        $sequence_60 = { 0fb70d???????? 83c40c 8d4101 51 }
            // n = 4, score = 300
            //   0fb70d????????       |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4101               | lea                 eax, [ecx + 1]
            //   51                   | push                ecx

        $sequence_61 = { 0fb6c1 50 8bc2 c1f808 0fb6c0 50 0fb6c2 }
            // n = 7, score = 300
            //   0fb6c1               | movzx               eax, cl
            //   50                   | push                eax
            //   8bc2                 | mov                 eax, edx
            //   c1f808               | sar                 eax, 8
            //   0fb6c0               | movzx               eax, al
            //   50                   | push                eax
            //   0fb6c2               | movzx               eax, dl

        $sequence_62 = { 6a01 66894104 33c0 894106 6689410a ff15???????? }
            // n = 6, score = 300
            //   6a01                 | push                1
            //   66894104             | mov                 word ptr [ecx + 4], ax
            //   33c0                 | xor                 eax, eax
            //   894106               | mov                 dword ptr [ecx + 6], eax
            //   6689410a             | mov                 word ptr [ecx + 0xa], ax
            //   ff15????????         |                     

        $sequence_63 = { 6a04 68???????? ff15???????? 8bf8 83ffff 7424 6a00 }
            // n = 7, score = 300
            //   6a04                 | push                4
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1
            //   7424                 | je                  0x26
            //   6a00                 | push                0

        $sequence_64 = { 56 6800300000 6a40 ff15???????? 8bf0 85f6 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   6800300000           | push                0x3000
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi

        $sequence_65 = { 8b442424 488b4c2430 4803c8 488bc1 482b442448 }
            // n = 5, score = 100
            //   8b442424             | inc                 ecx
            //   488b4c2430           | mov                 eax, 0x100f
            //   4803c8               | dec                 eax
            //   488bc1               | mov                 ecx, esi
            //   482b442448           | dec                 eax

        $sequence_66 = { 488b5040 488b4c2448 488b842488000000 ff5038 }
            // n = 4, score = 100
            //   488b5040             | dec                 eax
            //   488b4c2448           | cwde                
            //   488b842488000000     | dec                 eax
            //   ff5038               | mov                 ecx, esi

        $sequence_67 = { e9???????? ff15???????? 41b858000000 ba08000000 488bc8 ff15???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   ff15????????         |                     
            //   41b858000000         | mov                 ecx, 0x82
            //   ba08000000           | inc                 ecx
            //   488bc8               | mov                 eax, 0x2d40b8e6
            //   ff15????????         |                     

        $sequence_68 = { 488b4c2438 4803c8 488bc1 4889442430 488b442428 8b4c2430 }
            // n = 6, score = 100
            //   488b4c2438           | mov                 eax, 0x100f
            //   4803c8               | dec                 eax
            //   488bc1               | mov                 ecx, esi
            //   4889442430           | dec                 eax
            //   488b442428           | mov                 dword ptr [esp + 0x20], eax
            //   8b4c2430             | inc                 ecx

        $sequence_69 = { eb5c 488b442430 4889442448 488b442438 4889442450 8b442424 89442458 }
            // n = 7, score = 100
            //   eb5c                 | mov                 dword ptr [esp + 0x20], eax
            //   488b442430           | test                eax, eax
            //   4889442448           | js                  0x16
            //   488b442438           | dec                 eax
            //   4889442450           | mov                 dword ptr [esp + 0x20], eax
            //   8b442424             | test                eax, eax
            //   89442458             | js                  0xe

        $sequence_70 = { ff15???????? 33c0 e9???????? 488b442438 0fb74014 488b4c2438 488d440118 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   33c0                 | dec                 eax
            //   e9????????           |                     
            //   488b442438           | mov                 dword ptr [esp + 0x20], eax
            //   0fb74014             | test                eax, eax
            //   488b4c2438           | js                  0x13
            //   488d440118           | test                eax, eax

        $sequence_71 = { 488b442428 8b4024 8944245c e9???????? c744246001000000 }
            // n = 5, score = 100
            //   488b442428           | js                  0xc
            //   8b4024               | dec                 eax
            //   8944245c             | cwde                
            //   e9????????           |                     
            //   c744246001000000     | inc                 ecx

        $sequence_72 = { 488b442458 4863403c 488b8c24f8000000 4803c8 }
            // n = 4, score = 100
            //   488b442458           | test                eax, eax
            //   4863403c             | js                  0x13
            //   488b8c24f8000000     | dec                 eax
            //   4803c8               | cwde                

    condition:
        7 of them and filesize < 2088960
}
Download all Yara Rules