win.bazarbackdoor

BazarBackdoor

aka: BEERBOT, KEGTAP, Team9Backdoor

BazarBackdoor is a small backdoor, probably developed by a TrickBot "spin-off" team, much like Anchor. It is also referred to as the Team9 backdoor (with its corresponding loader called the Team9 restart loader).

So far it has been observed using Emercoin blockchain domains (.bazar TLD) exclusively, hence the name. Note the alias mapping when correlating vendor reports: FireEye uses KEGTAP for BazarLoader and BEERBOT for BazarBackdoor, so the KEGTAP synonym listed above refers to the loader component rather than to the backdoor itself.

References
2021-01-06DomainToolsJoe Slowik
@online{slowik:20210106:holiday:6ef0c9d, author = {Joe Slowik}, title = {{Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident}}, date = {2021-01-06}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident}, language = {English}, urldate = {2021-01-10} } Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot
2020-12-16Johannes Bader's BlogJohannes Bader
@online{bader:20201216:next:a8f5998, author = {Johannes Bader}, title = {{Next Version of the Bazar Loader DGA}}, date = {2020-12-16}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/}, language = {English}, urldate = {2020-12-16} } Next Version of the Bazar Loader DGA
BazarBackdoor
2020-12-10CybereasonJoakim Kandefelt
@online{kandefelt:20201210:cybereason:0267d5e, author = {Joakim Kandefelt}, title = {{Cybereason vs. Ryuk Ransomware}}, date = {2020-12-10}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware}, language = {English}, urldate = {2020-12-14} } Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-10Intel 471Intel 471
@online{471:20201110:trickbot:5db76db, author = {Intel 471}, title = {{Trickbot down, but is it out?}}, date = {2020-11-10}, organization = {Intel 471}, url = {https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/}, language = {English}, urldate = {2020-11-11} } Trickbot down, but is it out?
BazarBackdoor TrickBot
2020-11-09Area 1Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05SCYTHEJorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } #ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-30CofenseThe Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a, author = {The Cofense Intelligence Team}, title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}}, date = {2020-10-30}, organization = {Cofense}, url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/}, language = {English}, urldate = {2020-11-02} } The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-29Twitter (@anthomsec)Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-28CISACISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot
2020-10-13HornetsecuritySecurity Lab
@online{lab:20201013:bazarloader:9a2d75b, author = {Security Lab}, title = {{BazarLoader Campaign with Fake Termination Emails}}, date = {2020-10-13}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/}, language = {English}, urldate = {2020-10-19} } BazarLoader Campaign with Fake Termination Emails
BazarBackdoor
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-09-29ZscalerMohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-07-16CybereasonDaniel Frank, Mary Zhao, Assaf Dahan
@online{frank:20200716:bazar:3ed900d, author = {Daniel Frank and Mary Zhao and Assaf Dahan}, title = {{A Bazar of Tricks: Following Team9’s Development Cycles}}, date = {2020-07-16}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles}, language = {English}, urldate = {2020-07-16} } A Bazar of Tricks: Following Team9’s Development Cycles
BazarBackdoor
2020-07-15Johannes Bader's BlogJohannes Bader
@online{bader:20200715:defective:3a3721f, author = {Johannes Bader}, title = {{The Defective Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-15}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Defective Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-07-14Johannes Bader's BlogJohannes Bader
@online{bader:20200714:domain:51498ab, author = {Johannes Bader}, title = {{The Domain Generation Algorithm of BazarBackdoor}}, date = {2020-07-14}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/}, language = {English}, urldate = {2020-07-15} } The Domain Generation Algorithm of BazarBackdoor
BazarBackdoor
2020-06-02NCC GroupNikolaos Pantazopoulos, Stefano Antenucci
@online{pantazopoulos:20200602:indepth:bc09c9f, author = {Nikolaos Pantazopoulos and Stefano Antenucci}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-06-02Fox-ITNikolaos Pantazopoulos, Stefano Antenucci, NCC RIFT
@online{pantazopoulos:20200602:indepth:f43e58f, author = {Nikolaos Pantazopoulos and Stefano Antenucci and NCC RIFT}, title = {{In-depth analysis of the new Team9 malware family}}, date = {2020-06-02}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/}, language = {English}, urldate = {2020-06-03} } In-depth analysis of the new Team9 malware family
BazarBackdoor
2020-05-19AlienLabsOfer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-04-27Trend MicroTrend Micro
@online{micro:20200427:behind:da9ae72, author = {Trend Micro}, title = {{Group Behind TrickBot Spreads Fileless BazarBackdoor}}, date = {2020-04-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor}, language = {English}, urldate = {2020-05-02} } Group Behind TrickBot Spreads Fileless BazarBackdoor
BazarBackdoor
2020-04-24Bleeping ComputerLawrence Abrams
@online{abrams:20200424:bazarbackdoor:86afc50, author = {Lawrence Abrams}, title = {{BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware}}, date = {2020-04-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/}, language = {English}, urldate = {2020-05-02} } BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
BazarBackdoor
2020-04-24Vitali Kremez
@online{kremez:20200424:trickbot:3773039, author = {Vitali Kremez}, title = {{TrickBot "BazarBackdoor" Process Hollowing Injection Primer}}, date = {2020-04-24}, url = {https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html}, language = {English}, urldate = {2020-05-02} } TrickBot "BazarBackdoor" Process Hollowing Injection Primer
BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 41b80f100000 488bce 4889442420 ff15???????? 85c0 }
            // n = 5, score = 1500
            //   41b80f100000         | cmp                 ecx, 0xa
            //   488bce               | setl                bl
            //   4889442420           | cmp                 ecx, 9
            //   ff15????????         |                     
            //   85c0                 | setg                cl

        $sequence_1 = { ff15???????? 85c0 780a 4898 }
            // n = 4, score = 1500
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, ebp
            //   780a                 | xor                 ecx, 0xfffffffe
            //   4898                 | test                ecx, ebp

        $sequence_2 = { 488bcf ffd0 8bc3 e9???????? 488b4c2458 488d55e0 ff15???????? }
            // n = 7, score = 1300
            //   488bcf               | test                eax, eax
            //   ffd0                 | js                  0x16
            //   8bc3                 | dec                 eax
            //   e9????????           |                     
            //   488b4c2458           | cwde                
            //   488d55e0             | cmp                 eax, -1
            //   ff15????????         |                     

        $sequence_3 = { 488905???????? 4885c0 750a b82c000000 }
            // n = 4, score = 1300
            //   488905????????       |                     
            //   4885c0               | mov                 dword ptr [esp + 0x20], eax
            //   750a                 | test                eax, eax
            //   b82c000000           | js                  0x13

        $sequence_4 = { 4885c0 750a b829000000 e9???????? }
            // n = 4, score = 1300
            //   4885c0               | dec                 eax
            //   750a                 | mov                 dword ptr [esp + 0x20], eax
            //   b829000000           | test                eax, eax
            //   e9????????           |                     

        $sequence_5 = { 4c8d9c24b0050000 498b5b30 498b7338 498b7b48 }
            // n = 4, score = 1300
            //   4c8d9c24b0050000     | dec                 eax
            //   498b5b30             | cwde                
            //   498b7338             | dec                 eax
            //   498b7b48             | mov                 ecx, esi

        $sequence_6 = { 4156 4883ec20 498bf0 488bea 4c8bf1 33db 4c8bc6 }
            // n = 7, score = 1300
            //   4156                 | dec                 eax
            //   4883ec20             | mov                 dword ptr [esp + 0x20], eax
            //   498bf0               | test                eax, eax
            //   488bea               | js                  0x16
            //   4c8bf1               | dec                 eax
            //   33db                 | mov                 ecx, esi
            //   4c8bc6               | dec                 eax

        $sequence_7 = { 8905???????? 83f8ff 7504 32c0 eb2d }
            // n = 5, score = 1300
            //   8905????????         |                     
            //   83f8ff               | inc                 ecx
            //   7504                 | mov                 eax, 0x100f
            //   32c0                 | dec                 eax
            //   eb2d                 | mov                 ecx, esi

        $sequence_8 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 }
            // n = 4, score = 1100
            //   0fb70f               | sub                 eax, edx
            //   ff15????????         |                     
            //   0fb74f02             | sar                 eax, 1
            //   0fb7d8               | cmovl               eax, ecx

        $sequence_9 = { 0fb74f02 0fb7d8 ff15???????? 0fb74f08 }
            // n = 4, score = 1100
            //   0fb74f02             | cmp                 eax, ecx
            //   0fb7d8               | cmovg               eax, ecx
            //   ff15????????         |                     
            //   0fb74f08             | cdq                 

        $sequence_10 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 1000
            //   7507                 | inc                 ecx
            //   33c0                 | mov                 eax, 0x100f
            //   e9????????           |                     
            //   b8ff000000           | dec                 eax

        $sequence_11 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 900
            //   c3                   | mov                 ecx, esi
            //   0fb74c0818           | dec                 eax
            //   b80b010000           | mov                 dword ptr [esp + 0x20], eax
            //   663bc8               | inc                 ecx

        $sequence_12 = { 3bc1 0f4fc1 99 2bc2 }
            // n = 4, score = 800
            //   3bc1                 | mov                 dword ptr [esp + 0x20], eax
            //   0f4fc1               | test                eax, eax
            //   99                   | js                  0x16
            //   2bc2                 | inc                 ecx

        $sequence_13 = { b9bb010000 663bc1 7404 a801 }
            // n = 4, score = 800
            //   b9bb010000           | mov                 dword ptr [esp + 0x20], eax
            //   663bc1               | test                eax, eax
            //   7404                 | js                  0xe
            //   a801                 | dec                 eax

        $sequence_14 = { 7526 ff15???????? 3d33270000 7519 8b0f }
            // n = 5, score = 800
            //   7526                 | mov                 eax, 0x100f
            //   ff15????????         |                     
            //   3d33270000           | dec                 eax
            //   7519                 | mov                 ecx, esi
            //   8b0f                 | dec                 eax

        $sequence_15 = { ff15???????? 6683f808 7404 33c0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   6683f808             | mov                 dword ptr [esp + 0x20], eax
            //   7404                 | test                eax, eax
            //   33c0                 | js                  0x16

        $sequence_16 = { 3d12030900 7407 33c0 e9???????? }
            // n = 4, score = 800
            //   3d12030900           | lea                 edx, [ebp - 0x20]
            //   7407                 | dec                 eax
            //   33c0                 | mov                 ecx, dword ptr [esp + 0x58]
            //   e9????????           |                     

        $sequence_17 = { 0f4cc1 b9100e0000 3bc1 0f4fc1 }
            // n = 4, score = 800
            //   0f4cc1               | dec                 eax
            //   b9100e0000           | add                 edi, esi
            //   3bc1                 | inc                 ecx
            //   0f4fc1               | mov                 eax, 0x100f

        $sequence_18 = { 8a03 3c20 7709 84c0 }
            // n = 4, score = 600
            //   8a03                 | sub                 eax, edx
            //   3c20                 | cmp                 eax, ecx
            //   7709                 | cmovg               eax, ecx
            //   84c0                 | cdq                 

        $sequence_19 = { b81aff0000 663bd8 0f82fcfeffff 83c8ff }
            // n = 4, score = 600
            //   b81aff0000           | cmovl               eax, ecx
            //   663bd8               | mov                 ecx, 0xe10
            //   0f82fcfeffff         | cmp                 eax, ecx
            //   83c8ff               | cmovg               eax, ecx

        $sequence_20 = { 8d480a 663bd9 0f822cffffff 8d4176 663bd8 727c 8d480a }
            // n = 7, score = 600
            //   8d480a               | sub                 eax, edx
            //   663bd9               | sar                 eax, 1
            //   0f822cffffff         | cmovg               eax, ecx
            //   8d4176               | cdq                 
            //   663bd8               | sub                 eax, edx
            //   727c                 | sar                 eax, 1
            //   8d480a               | cmovl               eax, ecx

        $sequence_21 = { 663bd9 0f8387010000 663bda 0f8294010000 b96a060000 663bd9 }
            // n = 6, score = 600
            //   663bd9               | mov                 ecx, 0xe10
            //   0f8387010000         | cmp                 eax, ecx
            //   663bda               | cmovg               eax, ecx
            //   0f8294010000         | cdq                 
            //   b96a060000           | cmp                 ax, 8
            //   663bd9               | je                  6

        $sequence_22 = { 0f8586000000 8bc2 0fb6c9 83e13f }
            // n = 4, score = 600
            //   0f8586000000         | mov                 ecx, 0xe10
            //   8bc2                 | cmp                 eax, ecx
            //   0fb6c9               | cmovg               eax, ecx
            //   83e13f               | cdq                 

        $sequence_23 = { 8d820028ffff 3dff070000 763e 81fa00001100 }
            // n = 4, score = 600
            //   8d820028ffff         | sub                 eax, edx
            //   3dff070000           | cmp                 eax, 0x90312
            //   763e                 | je                  9
            //   81fa00001100         | xor                 eax, eax

        $sequence_24 = { 56 57 8bf2 8bf9 33d2 6a07 68eeeac01f }
            // n = 7, score = 400
            //   56                   | test                eax, eax
            //   57                   | js                  0x16
            //   8bf2                 | inc                 ecx
            //   8bf9                 | mov                 eax, 0x100f
            //   33d2                 | dec                 eax
            //   6a07                 | mov                 ecx, esi
            //   68eeeac01f           | dec                 eax

        $sequence_25 = { 688f000000 6858bc81da 42 e8???????? 59 59 }
            // n = 6, score = 400
            //   688f000000           | cmp                 al, 9
            //   6858bc81da           | ja                  0x12
            //   42                   | imul                eax, edx, 0xa
            //   e8????????           |                     
            //   59                   | lea                 edx, [ebx - 0x30]
            //   59                   | movzx               ebx, byte ptr [ecx]

        $sequence_26 = { 8a01 56 8bf1 eb07 }
            // n = 4, score = 400
            //   8a01                 | add                 edx, eax
            //   56                   | inc                 ecx
            //   8bf1                 | mov                 eax, 0x100f
            //   eb07                 | dec                 eax

        $sequence_27 = { 02d0 3016 40 83f813 72f1 }
            // n = 5, score = 400
            //   02d0                 | mov                 dword ptr [esp + 0x20], eax
            //   3016                 | dec                 eax
            //   40                   | mov                 ecx, esi
            //   83f813               | dec                 eax
            //   72f1                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_28 = { 33f6 8b54240c 85d2 7505 5f }
            // n = 5, score = 400
            //   33f6                 | test                eax, eax
            //   8b54240c             | js                  0xc
            //   85d2                 | dec                 eax
            //   7505                 | cwde                
            //   5f                   | dec                 eax

        $sequence_29 = { 0fb745e8 50 68???????? e8???????? }
            // n = 4, score = 400
            //   0fb745e8             | jne                 0xc
            //   50                   | mov                 eax, 0x2c
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_30 = { c3 85d2 741b 56 8b742408 }
            // n = 5, score = 400
            //   c3                   | test                eax, eax
            //   85d2                 | js                  0x13
            //   741b                 | dec                 eax
            //   56                   | cwde                
            //   8b742408             | inc                 ecx

        $sequence_31 = { 83f813 72f6 8bc1 c3 }
            // n = 4, score = 400
            //   83f813               | mov                 dword ptr [esp + 0x20], eax
            //   72f6                 | test                eax, eax
            //   8bc1                 | js                  0xe
            //   c3                   | dec                 eax

        $sequence_32 = { 0fb7f0 0fb74702 50 ffd3 0fb7d8 0fb74708 }
            // n = 6, score = 300
            //   0fb7f0               | lea                 edx, [ebp - 0x20]
            //   0fb74702             | cmp                 eax, 2
            //   50                   | ja                  0x4d
            //   ffd3                 | dec                 eax
            //   0fb7d8               | mov                 eax, dword ptr [ecx + 0x30]
            //   0fb74708             | dec                 eax

        $sequence_33 = { 8d91ff3fffff b101 03d0 eb08 }
            // n = 4, score = 300
            //   8d91ff3fffff         | mov                 esi, ecx
            //   b101                 | dec                 eax
            //   03d0                 | mov                 ecx, edi
            //   eb08                 | call                eax

        $sequence_34 = { 85d2 740d 33d2 83f902 0f95c2 83c224 }
            // n = 6, score = 300
            //   85d2                 | movzx               ecx, word ptr [edi]
            //   740d                 | movzx               ecx, word ptr [edi + 2]
            //   33d2                 | movzx               ebx, ax
            //   83f902               | movzx               ecx, word ptr [edi + 2]
            //   0f95c2               | movzx               ebx, ax
            //   83c224               | movzx               ecx, word ptr [edi]

        $sequence_35 = { 8d7001 56 6a08 ff15???????? }
            // n = 4, score = 300
            //   8d7001               | inc                 ecx
            //   56                   | push                esi
            //   6a08                 | dec                 eax
            //   ff15????????         |                     

        $sequence_36 = { 8bc2 c1f808 0fb6c0 50 0fb6c2 50 68???????? }
            // n = 7, score = 300
            //   8bc2                 | mov                 eax, edx
            //   c1f808               | sar                 eax, 8
            //   0fb6c0               | movzx               eax, al
            //   50                   | push                eax
            //   0fb6c2               | movzx               eax, dl
            //   50                   | push                eax
            //   68????????           |                     (push imm32 - value wildcarded)

        $sequence_37 = { 68???????? e8???????? 83c410 b800308804 6a00 50 }
            // n = 6, score = 300
            //   68????????           |                     (push imm32 - value wildcarded)
            //   e8????????           |                     (call rel32 - target wildcarded)
            //   83c410               | add                 esp, 0x10
            //   b800308804           | mov                 eax, 0x4883000
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_38 = { 8bf8 8bd6 be???????? 83ef04 }
            // n = 4, score = 300
            //   8bf8                 | mov                 edi, eax
            //   8bd6                 | mov                 edx, esi
            //   be????????           |                     (mov esi, imm32 - value wildcarded)
            //   83ef04               | sub                 edi, 4

        $sequence_39 = { 8bf0 8d7e02 57 6a08 ff15???????? }
            // n = 5, score = 300
            //   8bf0                 | mov                 esi, eax
            //   8d7e02               | lea                 edi, [esi + 2]
            //   57                   | push                edi
            //   6a08                 | push                8
            //   ff15????????         |                     (call dword ptr [imm32] - target wildcarded)

        $sequence_40 = { 4183f809 0f9fc3 4183f80a 0f9cc1 30d1 }
            // n = 5, score = 200
            //   4183f809             | cmp                 r8d, 9              (x64 decode; REX.B prefix)
            //   0f9fc3               | setg                bl
            //   4183f80a             | cmp                 r8d, 0xa
            //   0f9cc1               | setl                cl
            //   30d1                 | xor                 cl, dl

        $sequence_41 = { 38d0 488b7da8 752a c60700 c7470465f90c0d c7470857f9250d }
            // n = 6, score = 200
            //   38d0                 | cmp                 al, dl
            //   488b7da8             | mov                 rdi, qword ptr [rbp - 0x58]   (x64 decode; REX.W prefix)
            //   752a                 | jne                 $+0x2c
            //   c60700               | mov                 byte ptr [rdi], 0
            //   c7470465f90c0d       | mov                 dword ptr [rdi + 4], 0xd0cf965
            //   c7470857f9250d       | mov                 dword ptr [rdi + 8], 0xd25f957

        $sequence_42 = { 30c8 08d0 3c01 7508 8a4c2420 84c0 7506 }
            // n = 7, score = 200
            //   30c8                 | xor                 al, cl
            //   08d0                 | or                  al, dl
            //   3c01                 | cmp                 al, 1
            //   7508                 | jne                 $+0xa
            //   8a4c2420             | mov                 cl, byte ptr [esp + 0x20]
            //   84c0                 | test                al, al
            //   7506                 | jne                 $+0x8

        $sequence_43 = { 4d8d0411 450fb7541118 31c0 4181fa0b020000 741f }
            // n = 5, score = 200
            //   4d8d0411             | lea                 r8, [r9 + rdx]                (x64 decode; REX.WRB prefix)
            //   450fb7541118         | movzx               r10d, word ptr [r9 + rdx + 0x18]
            //   31c0                 | xor                 eax, eax
            //   4181fa0b020000       | cmp                 r10d, 0x20b
            //   741f                 | je                  $+0x21

        $sequence_44 = { e8???????? 488b5c2440 488b0b 488b542460 }
            // n = 4, score = 200
            //   e8????????           |                     (call rel32 - target wildcarded)
            //   488b5c2440           | mov                 rbx, qword ptr [rsp + 0x40]   (x64 decode; REX.W prefix)
            //   488b0b               | mov                 rcx, qword ptr [rbx]
            //   488b542460           | mov                 rdx, qword ptr [rsp + 0x60]

        $sequence_45 = { 83f90a 0f9cc3 83f909 0f9fc1 38d3 0f8579020000 }
            // n = 6, score = 200
            //   83f90a               | cmp                 ecx, 0xa
            //   0f9cc3               | setl                bl
            //   83f909               | cmp                 ecx, 9
            //   0f9fc1               | setg                cl
            //   38d3                 | cmp                 bl, dl
            //   0f8579020000         | jne                 $+0x27f

        $sequence_46 = { 4989f0 41b904010000 ffd0 e9???????? 31c9 ba01000000 }
            // n = 6, score = 200
            //   4989f0               | mov                 r8, rsi             (x64 decode; REX.WB prefix)
            //   41b904010000         | mov                 r9d, 0x104
            //   ffd0                 | call                rax
            //   e9????????           |                     (jmp rel32 - target wildcarded)
            //   31c9                 | xor                 ecx, ecx
            //   ba01000000           | mov                 edx, 1

        $sequence_47 = { 8d78ff 0faff8 83e701 85ff }
            // n = 4, score = 200
            //   8d78ff               | lea                 edi, [eax - 1]
            //   0faff8               | imul                edi, eax
            //   83e701               | and                 edi, 1
            //   85ff                 | test                edi, edi
            //   NOTE(review): edi = (eax * (eax - 1)) & 1 is always 0 (product of consecutive integers is even),
            //   so this reads like an opaque predicate / anti-analysis junk rather than a real check - confirm in context.

        $sequence_48 = { 8b442420 448bc0 488b542440 488b4c2428 e8???????? }
            // n = 5, score = 100
            //   8b442420             | mov                 eax, dword ptr [rsp + 0x20]   (x64 decode)
            //   448bc0               | mov                 r8d, eax            (REX.R prefix)
            //   488b542440           | mov                 rdx, qword ptr [rsp + 0x40]
            //   488b4c2428           | mov                 rcx, qword ptr [rsp + 0x28]
            //   e8????????           |                     (call rel32 - target wildcarded; rcx/rdx/r8d loaded like Win64 call args)

        $sequence_49 = { 89442458 e9???????? 4c8d442448 488b942488000000 488b8c2480000000 e8???????? 85c0 }
            // n = 7, score = 100
            //   89442458             | mov                 dword ptr [rsp + 0x58], eax   (x64 decode)
            //   e9????????           |                     (jmp rel32 - target wildcarded)
            //   4c8d442448           | lea                 r8, [rsp + 0x48]    (REX.WR prefix)
            //   488b942488000000     | mov                 rdx, qword ptr [rsp + 0x88]
            //   488b8c2480000000     | mov                 rcx, qword ptr [rsp + 0x80]
            //   e8????????           |                     (call rel32 - target wildcarded)
            //   85c0                 | test                eax, eax

        $sequence_50 = { 488b542468 488b442438 488b4830 ff15???????? }
            // n = 4, score = 100
            //   488b542468           | mov                 rdx, qword ptr [rsp + 0x68]   (x64 decode; REX.W prefix)
            //   488b442438           | mov                 rax, qword ptr [rsp + 0x38]
            //   488b4830             | mov                 rcx, qword ptr [rax + 0x30]
            //   ff15????????         |                     (call qword ptr [rip+disp32] - target wildcarded)

        $sequence_51 = { 4883ec48 488b442458 488b4008 4889442430 488b442458 488b00 }
            // n = 6, score = 100
            //   4883ec48             | sub                 rsp, 0x48           (x64 decode; REX.W prefix)
            //   488b442458           | mov                 rax, qword ptr [rsp + 0x58]
            //   488b4008             | mov                 rax, qword ptr [rax + 8]
            //   4889442430           | mov                 qword ptr [rsp + 0x30], rax
            //   488b442458           | mov                 rax, qword ptr [rsp + 0x58]
            //   488b00               | mov                 rax, qword ptr [rax]

        $sequence_52 = { 85c0 7410 488b442428 488b00 8b4020 890424 eb1f }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7410                 | je                  $+0x12
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]   (x64 decode; REX.W prefix)
            //   488b00               | mov                 rax, qword ptr [rax]
            //   8b4020               | mov                 eax, dword ptr [rax + 0x20]
            //   890424               | mov                 dword ptr [rsp], eax
            //   eb1f                 | jmp                 $+0x21

        $sequence_53 = { 488bc1 483b442438 7669 488b442428 }
            // n = 4, score = 100
            //   488bc1               | mov                 rax, rcx            (x64 decode; REX.W prefix)
            //   483b442438           | cmp                 rax, qword ptr [rsp + 0x38]
            //   7669                 | jbe                 $+0x6b
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]

        $sequence_54 = { 488b442470 488b00 0fb74006 39442420 0f8d63010000 }
            // n = 5, score = 100
            //   488b442470           | mov                 rax, qword ptr [rsp + 0x70]   (x64 decode; REX.W prefix)
            //   488b00               | mov                 rax, qword ptr [rax]
            //   0fb74006             | movzx               eax, word ptr [rax + 6]
            //   39442420             | cmp                 dword ptr [rsp + 0x20], eax
            //   0f8d63010000         | jge                 $+0x169
            //   NOTE(review): a 16-bit field at offset 6 compared against a counter looks like
            //   IMAGE_FILE_HEADER.NumberOfSections in a section-walking loop - verify against the sample.

        $sequence_55 = { 483908 7556 488b442460 83781800 752d 488b442458 488b00 }
            // n = 7, score = 100
            //   483908               | cmp                 qword ptr [rax], rcx          (x64 decode; REX.W prefix)
            //   7556                 | jne                 $+0x58
            //   488b442460           | mov                 rax, qword ptr [rsp + 0x60]
            //   83781800             | cmp                 dword ptr [rax + 0x18], 0
            //   752d                 | jne                 $+0x2f
            //   488b442458           | mov                 rax, qword ptr [rsp + 0x58]
            //   488b00               | mov                 rax, qword ptr [rax]

    condition:
        7 of them and filesize < 507904
}