win.bazarbackdoor

BazarBackdoor

aka: BEERBOT, KEGTAP, Team9Backdoor, bazaloader, bazarloader

Actor(s): UNC1878


BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like Anchor. It is called the team9 backdoor (and the corresponding loader is the team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as the name for BazarLoader and BEERBOT for BazarBackdoor.

References

Each entry: date | source | author(s), followed by the title and the families/actors the reference is tagged with.

2023-02-03 | Mandiant | Genevieve Stark, Kimberly Goody
  Float Like a Butterfly Sting Like a Bee
  Families/actors: BazarBackdoor, BumbleBee, Cobalt Strike
2022-12-06 | EuRepoC | Camille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
  Conti/Wizard Spider
  Families/actors: BazarBackdoor, Cobalt Strike, Conti, Emotet, IcedID, Ryuk, TrickBot, WIZARD SPIDER
2022-11-21 | Palo Alto Networks Unit 42 | Kristopher Russo
  Threat Assessment: Luna Moth Callback Phishing Campaign
  Families/actors: BazarBackdoor, Conti
2022-10-06 | Trellix | Daksh Kapur
  Evolution of BazarCall Social Engineering Tactics
  Families/actors: BazarBackdoor, BazarCall
2022-08-06 | MalwareBookReports | muzi
  A LOOK BACK AT BAZARLOADER’S DGA
  Families/actors: BazarBackdoor
2022-08-03 | Palo Alto Networks Unit 42 | Brad Duncan
  Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
  Families/actors: BazarBackdoor, BumbleBee, Cobalt Strike, Conti
2022-06-24 | Palo Alto Networks Unit 42 | Mark Lim, Riley Porter
  There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families
  Families/actors: BazarBackdoor, Zloader
2022-06-21 | McAfee | Lakshya Mathur
  Rise of LNK (Shortcut files) Malware
  Families/actors: BazarBackdoor, Emotet, IcedID, QakBot
2022-06-15 | AttackIQ | AttackIQ Adversary Research Team, Jackson Wells
  Attack Graph Emulating the Conti Ransomware Team’s Behaviors
  Families/actors: BazarBackdoor, Conti, TrickBot
2022-06-12 | cocomelonc
  Malware development: persistence - part 7. Winlogon. Simple C++ example.
  Families/actors: BazarBackdoor, Gazer, TurlaRPC, Turla SilentMoon
2022-05-27 | 0ffset Blog | Chuong Dong
  BAZARLOADER: Analysing The Main Loader
  Families/actors: BazarBackdoor
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
  Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  Families/actors: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT
2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
  Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  Families/actors: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot
2022-04-29 | NCC Group | Mike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis
  Adventures in the land of BumbleBee – a new malicious loader
  Families/actors: BazarBackdoor, BumbleBee, Conti
2022-04-25 | paloalto Networks Unit 42 | Mark Lim
  Defeating BazarLoader Anti-Analysis Techniques
  Families/actors: BazarBackdoor
2022-04-19 | 0ffset Blog | Chuong Dong
  BAZARLOADER: Unpacking An ISO File Infection
  Families/actors: BazarBackdoor
2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
  Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
  Families/actors: AvosLocker, BazarBackdoor, BlackByte, BlackCat, Cobalt Strike, HelloKitty, Hive, Karakurt
2022-04-17 | BushidoToken Blog | BushidoToken
  Lessons from the Conti Leaks
  Families/actors: BazarBackdoor, Conti, Emotet, IcedID, Ryuk, TrickBot
2022-04-15 | Bleeping Computer | Ionut Ilascu
  Karakurt revealed as data extortion arm of Conti cybercrime syndicate
  Families/actors: Anchor, BazarBackdoor, Conti, TrickBot
2022-04-05 | Intel 471 | Intel 471
  Move fast and commit crimes: Conti’s development teams mirror corporate tech
  Families/actors: BazarBackdoor, TrickBot
2022-03-30 | Prevailion | Prevailion
  Wizard Spider continues to confound
  Families/actors: BazarBackdoor, Cobalt Strike, Emotet
2022-03-22 | Red Canary | Red Canary
  2022 Threat Detection Report
  Families/actors: FAKEUPDATES, Silver Sparrow, BazarBackdoor, Cobalt Strike, GootKit, Yellow Cockatoo RAT
2022-03-21 | eSentire | eSentire Threat Response Unit (TRU)
  Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
  Families/actors: HelloKitty, BazarBackdoor, Cobalt Strike, Conti, FiveHands, HelloKitty, IcedID
2022-03-17 | Google | Benoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov
  Exposing initial access broker with ties to Conti
  Families/actors: BazarBackdoor, BumbleBee, Cobalt Strike, Conti
2022-03-17 | Trend Micro | Trend Micro Research
  Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
  Families/actors: REvil, BazarBackdoor, Buer, IcedID, QakBot, REvil
2022-03-17 | Google | Benoit Sevens, Vladislav Stolyarov
  Exposing initial access broker with ties to Conti
  Families/actors: BazarBackdoor, BumbleBee, Conti, EXOTIC LILY
2022-03-10 | Bleeping Computer | Bill Toulas
  Corporate website contact forms used to spread BazarBackdoor malware
  Families/actors: BazarBackdoor
2022-03-09 | Bleeping Computer | Ionut Ilascu
  CISA updates Conti ransomware alert with nearly 100 domain names
  Families/actors: BazarBackdoor, Cobalt Strike, Conti, TrickBot
2022-03-09 | Abnormal | Belem Regalado, Rachelle Chouinard
  BazarLoader Actors Initiate Contact via Website Contact Forms
  Families/actors: BazarBackdoor
2022-03-03 | Trend Micro | Trend Micro Research
  Cyberattacks are Prominent in the Russia-Ukraine Conflict
  Families/actors: BazarBackdoor, Cobalt Strike, Conti, Emotet, WhisperGate
2022-02-26 | Mandiant | Mandiant
  TRENDING EVIL Q1 2022
  Families/actors: KEYPLUG, FAKEUPDATES, GootLoader, BazarBackdoor, QakBot
2022-02-25 | CyberScoop | Joe Warminsky
  TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
  Families/actors: BazarBackdoor, Emotet, TrickBot
2022-02-24 | kienmanowar Blog | m4n0w4r, Tran Trung Kien
  [QuickNote] Techniques for decrypting BazarLoader strings
  Families/actors: BazarBackdoor
2022-02-24 | The Hacker News | Ravie Lakshmanan
  TrickBot Gang Likely Shifting Operations to Switch to New Malware
  Families/actors: BazarBackdoor, Emotet, QakBot, TrickBot
2022-02-24 | The Hacker News | Ravie Lakshmanan
  Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
  Families/actors: BazarBackdoor, Emotet, TrickBot
2022-02-16 | Medium elis531989 | Eli Salem
  Highway to Conti: Analysis of Bazarloader
  Families/actors: BazarBackdoor
2022-02-02 | IBM | Kevin Henson
  TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware
  Families/actors: BazarBackdoor, TrickBot
2022-01-22 | forensicitguy | Tony Lambert
  BazarISO Analysis - Loading with Advpack.dll
  Families/actors: BazarBackdoor
2022-01-18 | Recorded Future | Insikt Group®
  2021 Adversary Infrastructure Report
  Families/actors: BazarBackdoor, Cobalt Strike, Dridex, IcedID, QakBot, TrickBot
2022-01-15 | MalwareBookReports | muzi
  BazarLoader - Back from Holiday Break
  Families/actors: BazarBackdoor
2022-01-02 | BleepingComputer | Lawrence Abrams
  Malicious CSV text files used to install BazarBackdoor malware
  Families/actors: BazarBackdoor
2021-12-13 | The DFIR Report | The DFIR Report
  Diavol Ransomware
  Families/actors: BazarBackdoor, Conti, Diavol
2021-11-30 | Symantec | Symantec Threat Hunter Team
  Yanluowang: Further Insights on New Ransomware Threat
  Families/actors: BazarBackdoor, Cobalt Strike, FiveHands
2021-11-29 | The DFIR Report | The DFIR Report
  CONTInuing the Bazar Ransomware Story
  Families/actors: BazarBackdoor, Cobalt Strike, Conti
2021-11-23 | Trend Micro | Ian Kenefick
  BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors
  Families/actors: BazarBackdoor
2021-11-16 | PC's Xcetra Support | David Ledbetter
  Excel 4 macro code obfuscation
  Families/actors: BazarBackdoor
2021-11-11 | SophosLabs Uncut | Andrew Brandt
  BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism
  Families/actors: BazarBackdoor
2021-11-05 | Twitter (@Unit42_Intel) | Unit 42
  Tweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops
  Families/actors: BazarBackdoor, Cobalt Strike
2021-10-18 | paloalto Networks: Unit42 | Brad Duncan
  Case Study: From BazarLoader to Network Reconnaissance
  Families/actors: BazarBackdoor, Cobalt Strike
2021-10-13 | IBM | Charlotte Hammond, Ole Villadsen
  Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
  Families/actors: BazarBackdoor, TrickBot
2021-10-08 | Zscaler | Lenart Brave, Tarun Dewan
  New Trickbot and BazarLoader campaigns use multiple delivery vectors
  Families/actors: BazarBackdoor, TrickBot
2021-10-07 | Mandiant | Adam Brunner, Genevieve Stark, Jennifer Brooks, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Zach Riddle
  FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
  Families/actors: BazarBackdoor, GRIMAGENT, Ryuk
2021-10-04 | The DFIR Report | The DFIR Report
  BazarLoader and the Conti Leaks
  Families/actors: BazarBackdoor, Cobalt Strike, Conti
2021-10-04 | Cisco | Tiago Pereira
  Threat hunting in large datasets by clustering security events
  Families/actors: BazarBackdoor, TrickBot
2021-09-17 | CrowdStrike | Falcon OverWatch Team
  Falcon OverWatch Hunts Down Adversaries Where They Hide
  Families/actors: BazarBackdoor, Cobalt Strike
2021-09-13 | The DFIR Report | The DFIR Report
  BazarLoader to Conti Ransomware in 32 Hours
  Families/actors: BazarBackdoor, Cobalt Strike, Conti
2021-09-04 | cocomelonc | cocomelonc
  AV engines evasion for C++ simple malware: part 1
  Families/actors: 4h_rat, Azorult, BADCALL, BadNews, BazarBackdoor, Cardinal RAT
2021-09-03 | Trend Micro | Mohamad Mokbel
  The State of SSL/TLS Certificate Usage in Malware C&C Communications
  Families/actors: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader
2021-08-15 | Symantec | Threat Hunter Team
  The Ransomware Threat
  Families/actors: Babuk, BlackMatter, DarkSide, Avaddon, Babuk, BADHATCH, BazarBackdoor, BlackMatter, Clop, Cobalt Strike, Conti, DarkSide, DoppelPaymer, Egregor, Emotet, FiveHands, FriedEx, Hades, IcedID, LockBit, Maze, MegaCortex, MimiKatz, QakBot, RagnarLocker, REvil, Ryuk, TrickBot, WastedLocker
2021-08-09 | Johannes Bader's Blog | Johannes Bader
  A BazarLoader DGA that Breaks Down in the Summer
  Families/actors: BazarBackdoor
2021-08-01 | The DFIR Report | The DFIR Report
  BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
  Families/actors: BazarBackdoor, Cobalt Strike, Conti, TrickBot
2021-07-30 | Twitter (@Unit42_Intel) | Unit 42
  Tweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability
  Families/actors: BazarBackdoor, Cobalt Strike
2021-07-30 | Medium walmartglobaltech | Jason Reaves
  Decrypting BazarLoader strings with a Unicorn
  Families/actors: BazarBackdoor
2021-07-29 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
  BazaCall: Phony call centers lead to exfiltration and ransomware
  Families/actors: BazarBackdoor, Cobalt Strike
2021-07-29 | Microsoft | Microsoft Defender Threat Intelligence
  BazaCall: Phony call centers lead to exfiltration and ransomware
  Families/actors: BazarBackdoor, BazarCall
2021-07-14 | Bleeping Computer | Ionut Ilascu
  BazarBackdoor sneaks in through nested RAR and ZIP archives
  Families/actors: BazarBackdoor
2021-06-16 | Proofpoint | Daniel Blackford, Garrett M. Graff, Selena Larson
  The First Step: Initial Access Leads to Ransomware
  Families/actors: BazarBackdoor, Egregor, IcedID, Maze, QakBot, REvil, Ryuk, TrickBot, WastedLocker, TA570, TA575, TA577
2021-05-19 | Intel 471 | Intel 471
  Look how many cybercriminals love Cobalt Strike
  Families/actors: BazarBackdoor, Cobalt Strike, Hancitor, QakBot, SmokeLoader, SystemBC, TrickBot
2021-05-19 | Palo Alto Networks Unit 42 | Brad Duncan
  BazarCall: Call Centers Help Spread BazarLoader Malware
  Families/actors: BazarBackdoor, campoloader
2021-05-11 | Mal-Eats | mal_eats
  Campo, a New Attack Campaign Targeting Japan
  Families/actors: AnchorDNS, BazarBackdoor, campoloader, Cobalt Strike, Phobos, Snifula, TrickBot, Zloader
2021-05-10 | Mal-Eats | mal_eats
  Overview of Campo, a new attack campaign targeting Japan
  Families/actors: AnchorDNS, BazarBackdoor, Cobalt Strike, ISFB, Phobos, TrickBot, Zloader
2021-04-15 | SophosLabs Uncut | Andrew Brandt
  BazarLoader deploys a pair of novel spam vectors
  Families/actors: BazarBackdoor
2021-04-14 | InfoSec Handlers Diary Blog | Brad Duncan
  April 2021 Forensic Quiz: Answers and Analysis
  Families/actors: Anchor, BazarBackdoor, Cobalt Strike
2021-04-12 | Trend Micro | Don Ovid Ladores, Frankylnn Uy, Junestherry Salvador, Lala Manly, Raphael Centeno
  A Spike in BazarCall and IcedID Activity Detected in March
  Families/actors: BazarBackdoor, IcedID
2021-04-06 | Intel 471 | Intel 471
  EtterSilent: the underground’s new favorite maldoc builder
  Families/actors: BazarBackdoor, ISFB, QakBot, TrickBot
2021-03-30 | YouTube (malware-traffic-analysis.net) | Brad Duncan
  2021-03-29 BazaCall (BazarCall) Example
  Families/actors: BazarBackdoor
2021-03-30 | FR3D.HK | Fred HK
  Campo Loader - Simple but effective
  Families/actors: BazarBackdoor
2021-03-21 | Blackberry | Blackberry Research
  2021 Threat Report
  Families/actors: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot
2021-03-08 | The DFIR Report | The DFIR Report
  Bazar Drops the Anchor
  Families/actors: Anchor, BazarBackdoor, Cobalt Strike
2021-03-01 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
  Nimar Loader
  Families/actors: BazarBackdoor, BazarNimrod, Cobalt Strike
2021-03-01 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
  Ransomware Uncovered 2020/2021
  Families/actors: RansomEXX, BazarBackdoor, Buer, Clop, Conti, DoppelPaymer, Dridex, Egregor, IcedID, Maze, PwndLocker, QakBot, RansomEXX, REvil, Ryuk, SDBbot, TrickBot, Zloader
2021-02-28 | PWC UK | PWC UK
  Cyber Threats 2020: A Year in Retrospect
  Families/actors: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team
2021-02-25 | ANSSI | CERT-FR
  Ryuk Ransomware
  Families/actors: BazarBackdoor, Buer, Conti, Emotet, Ryuk, TrickBot
2021-02-23 | CrowdStrike | CrowdStrike
  2021 Global Threat Report
  Families/actors: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER
2021-02-12 | Fortinet | Xiaopeng Zhang
  New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
  Families/actors: BazarBackdoor
2021-02-12 | Fortinet | Xiaopeng Zhang
  New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II
  Families/actors: BazarBackdoor
2021-02-11 | Proofpoint | Proofpoint Threat Research Team
  A Baza Valentine’s Day
  Families/actors: BazarBackdoor
2021-02-09 | Cofense | Zachary Bailey
  BazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs
  Families/actors: BazarBackdoor
2021-02-02 | CRONUP | Germán Fernández
  De ataque con Malware a incidente de Ransomware (From Malware Attack to Ransomware Incident)
  Families/actors: Avaddon, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti, DanaBot, Dharma, Dridex, Egregor, Emotet, Empire Downloader, FriedEx, GootKit, IcedID, MegaCortex, Nemty, Phorpiex, PwndLocker, PyXie, QakBot, RansomEXX, REvil, Ryuk, SDBbot, SmokeLoader, TrickBot, Zloader
2021-02-01 | GoSecure | Lilly Chalupowski
  BazarLoader Mocks Researchers in December 2020 Malspam Campaign
  Families/actors: BazarBackdoor
2021-01-31 | The DFIR Report | The DFIR Report
  Bazar, No Ryuk?
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2021-01-28 | Hornetsecurity | Hornetsecurity Security Lab
  BazarLoader’s Elaborate Flower Shop Lure
  Families/actors: BazarBackdoor
2021-01-28 | Huntress Labs | John Hammond
  Analyzing Ryuk Another Link in the Cyber Attack Chain
  Families/actors: BazarBackdoor, Ryuk
2021-01-23 | Johannes Bader's Blog | Johannes Bader
  Yet Another Bazar Loader DGA
  Families/actors: BazarBackdoor
2021-01-12 | Cybereason | Lior Rochberger
  Cybereason vs. Conti Ransomware
  Families/actors: BazarBackdoor, Conti
2021-01-12 | Minerva Labs | MinervaLabs
  Slamming The Backdoor On BazarLoader
  Families/actors: BazarBackdoor
2021-01-06 | DomainTools | Joe Slowik
  Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
  Families/actors: BazarBackdoor, TrickBot
2020-12-16 | Johannes Bader's Blog | Johannes Bader
  Next Version of the Bazar Loader DGA
  Families/actors: BazarBackdoor
2020-12-10 | Cybereason | Joakim Kandefelt
  Cybereason vs. Ryuk Ransomware
  Families/actors: BazarBackdoor, Ryuk, TrickBot
2020-11-20 | ZDNet | Catalin Cimpanu
  The malware that usually installs ransomware and you need to remove right away
  Families/actors: Avaddon, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti, DoppelPaymer, Dridex, Egregor, Emotet, FriedEx, MegaCortex, Phorpiex, PwndLocker, QakBot, Ryuk, SDBbot, TrickBot, Zloader
2020-11-10 | Intel 471 | Intel 471
  Trickbot down, but is it out?
  Families/actors: BazarBackdoor, TrickBot
2020-11-09 | Area 1 | Threat Research Team
  Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
  Families/actors: BazarBackdoor, Buer
2020-11-06 | Advanced Intelligence | Vitali Kremez
  Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2020-11-05 | The DFIR Report | The DFIR Report
  Ryuk Speed Run, 2 Hours to Ransom
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2020-11-05 | SCYTHE | Jorge Orchilles, Sean Lyngaas
  #ThreatThursday - Ryuk
  Families/actors: BazarBackdoor, Ryuk
2020-11-04 | VMRay | Giovanni Vigna
  Trick or Threat: Ryuk ransomware targets the health care industry
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk, TrickBot
2020-10-30 | Cofense | The Cofense Intelligence Team
  The Ryuk Threat: Why BazarBackdoor Matters Most
  Families/actors: BazarBackdoor, Ryuk
2020-10-30 | Github (ThreatConnect-Inc) | ThreatConnect
  UNC 1878 Indicators from Threatconnect
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2020-10-29 | Palo Alto Networks Unit 42 | Brad Duncan, Brittany Barbehenn, Doel Santos
  Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
  Families/actors: Anchor, BazarBackdoor, Ryuk, TrickBot
2020-10-29 | Twitter (@anthomsec) | Andrew Thompson
  Tweet on UNC1878 activity
  Families/actors: BazarBackdoor, Ryuk, TrickBot, UNC1878
2020-10-28 | FireEye | Douglas Bienstock, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Steve Elovitz
  Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk, UNC1878
2020-10-28 | CISA | CISA, FBI, HHS
  AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
  Families/actors: AnchorDNS, Anchor, BazarBackdoor, Ryuk
2020-10-18 | The DFIR Report | The DFIR Report
  Ryuk in 5 Hours
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2020-10-16 | CrowdStrike | The Crowdstrike Intel Team
  WIZARD SPIDER Update: Resilient, Reactive and Resolute
  Families/actors: BazarBackdoor, Conti, Ryuk, TrickBot
2020-10-13 | Hornetsecurity | Security Lab
  BazarLoader Campaign with Fake Termination Emails
  Families/actors: BazarBackdoor
2020-10-12 | Advanced Intelligence | Roman Marshanski, Vitali Kremez
  "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2020-10-08 | The DFIR Report | The DFIR Report
  Ryuk’s Return
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk
2020-10-02 | Health Sector Cybersecurity Coordination Center (HC3) | Health Sector Cybersecurity Coordination Center (HC3)
  Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
  Families/actors: BazarBackdoor, Cobalt Strike, Ryuk, TrickBot
2020-09-29 | Zscaler | Atinderpal Singh, Mohd Sadique
  Spear Phishing Campaign Delivers Buer and Bazar Malware
  Families/actors: BazarBackdoor, Buer
2020-07-16 | Cybereason | Assaf Dahan, Daniel Frank, Mary Zhao
  A Bazar of Tricks: Following Team9’s Development Cycles
  Families/actors: BazarBackdoor
2020-07-16 | Cybereason | Assaf Dahan, Daniel Frank, Mary Zhao
  A Bazar of Tricks: Following Team9’s Development Cycles (IOCs)
  Families/actors: BazarBackdoor
2020-07-15 | Johannes Bader's Blog | Johannes Bader
  The Defective Domain Generation Algorithm of BazarBackdoor
  Families/actors: BazarBackdoor
2020-07-14 | Johannes Bader's Blog | Johannes Bader
  The Domain Generation Algorithm of BazarBackdoor
  Families/actors: BazarBackdoor
2020-06-02 | NCC Group | Nikolaos Pantazopoulos, Stefano Antenucci
  In-depth analysis of the new Team9 malware family
  Families/actors: BazarBackdoor
2020-06-02 | Fox-IT | NCC RIFT, Nikolaos Pantazopoulos, Stefano Antenucci
  In-depth analysis of the new Team9 malware family
  Families/actors: BazarBackdoor
2020-05-19 | AlienLabs | Ofer Caspi
  TrickBot BazarLoader In-Depth
  Families/actors: Anchor, BazarBackdoor, TrickBot
2020-04-27 | Trend Micro | Trend Micro
  Group Behind TrickBot Spreads Fileless BazarBackdoor
  Families/actors: BazarBackdoor
2020-04-24 | Vitali Kremez
  TrickBot "BazarBackdoor" Process Hollowing Injection Primer
  Families/actors: BazarBackdoor
2020-04-24 | Bleeping Computer | Lawrence Abrams
  BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware
  Families/actors: BazarBackdoor
Yara Rules
[TLP:WHITE] win_bazarbackdoor_auto (20241030 | Detects win.bazarbackdoor.)
rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.bazarbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 85c0 780a 4898 }
            // n = 4, score = 1500
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   780a                 | mov                 dword ptr [esp + 0x20], eax
            //   4898                 | test                eax, eax

        $sequence_1 = { 41b80f100000 488bce 4889442420 ff15???????? }
            // n = 4, score = 1500
            //   41b80f100000         | inc                 ecx
            //   488bce               | mov                 eax, 0x100f
            //   4889442420           | dec                 eax
            //   ff15????????         |                     

        $sequence_2 = { e8???????? 4885c0 740a 488bcf ffd0 }
            // n = 5, score = 1300
            //   e8????????           |                     
            //   4885c0               | test                dl, dl
            //   740a                 | je                  7
            //   488bcf               | cmp                 dl, 0x2e
            //   ffd0                 | jne                 0x16

        $sequence_3 = { 488d4d80 e8???????? 498bd6 488d4d80 }
            // n = 4, score = 1100
            //   488d4d80             | js                  0xe
            //   e8????????           |                     
            //   498bd6               | dec                 eax
            //   488d4d80             | cwde                

        $sequence_4 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 }
            // n = 4, score = 1100
            //   0fb70f               | dec                 eax
            //   ff15????????         |                     
            //   0fb74f02             | mov                 ecx, esi
            //   0fb7d8               | dec                 eax

        $sequence_5 = { 0fb74f02 0fb7d8 ff15???????? 0fb74f08 }
            // n = 4, score = 1100
            //   0fb74f02             | dec                 eax
            //   0fb7d8               | sub                 ecx, 0xc0
            //   ff15????????         |                     
            //   0fb74f08             | dec                 eax

        $sequence_6 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 1000
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   b8ff000000           | mov                 eax, 0xff

        $sequence_7 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? }
            // n = 4, score = 1000
            //   ff15????????         |                     
            //   0fb74f08             | dec                 eax
            //   440fb7e8             | mov                 dword ptr [esp + 0x28], eax
            //   ff15????????         |                     

        $sequence_8 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 900
            //   c3                   | mov                 dword ptr [esp + 0x20], eax
            //   0fb74c0818           | test                eax, eax
            //   b80b010000           | js                  0x16
            //   663bc8               | test                eax, eax

        $sequence_9 = { cc e8???????? cc 4053 4883ec20 b902000000 }
            // n = 6, score = 900
            //   cc                   | mov                 ecx, esi
            //   e8????????           |                     
            //   cc                   | dec                 eax
            //   4053                 | mov                 dword ptr [esp + 0x20], eax
            //   4883ec20             | test                eax, eax
            //   b902000000           | js                  0xc

        $sequence_10 = { 4885c9 7406 488b11 ff5210 ff15???????? }
            // n = 5, score = 900
            //   4885c9               | dec                 eax
            //   7406                 | mov                 ecx, esi
            //   488b11               | dec                 eax
            //   ff5210               | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     

        $sequence_11 = { e8???????? 4c89e1 e8???????? 8b05???????? }
            // n = 4, score = 800
            //   e8????????           |                     
            //   4c89e1               | dec                 eax
            //   e8????????           |                     
            //   8b05????????         |                     

        $sequence_12 = { 4889f1 e8???????? 8b05???????? 8b0d???????? }
            // n = 4, score = 800
            //   4889f1               | dec                 eax
            //   e8????????           |                     
            //   8b05????????         |                     
            //   8b0d????????         |                     

        $sequence_13 = { 48c1e108 4803c8 8bc1 488d94059f070000 }
            // n = 4, score = 800
            //   48c1e108             | inc                 ebp
            //   4803c8               | xor                 ecx, ecx
            //   8bc1                 | dec                 eax
            //   488d94059f070000     | mov                 dword ptr [esp + 0x28], eax

        $sequence_14 = { ff15???????? ff15???????? 4d8bc5 33d2 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   4d8bc5               | mov                 ecx, esi
            //   33d2                 | dec                 eax

        $sequence_15 = { e8???????? 4889c7 8b05???????? 8b0d???????? }
            // n = 4, score = 800
            //   e8????????           |                     
            //   4889c7               | test                eax, eax
            //   8b05????????         |                     
            //   8b0d????????         |                     

        $sequence_16 = { 31ff 4889c1 31d2 4989f0 }
            // n = 4, score = 800
            //   31ff                 | dec                 eax
            //   4889c1               | arpl                word ptr [esp + 0x30], ax
            //   31d2                 | dec                 eax
            //   4989f0               | imul                eax, eax, 0x10

        $sequence_17 = { ff15???????? 4889c1 31d2 4d89e0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   4889c1               | dec                 eax
            //   31d2                 | lea                 ecx, [0x238e3]
            //   4d89e0               | dec                 eax

        $sequence_18 = { 488d95a0070000 488d442470 41b80f100000 488bce }
            // n = 4, score = 800
            //   488d95a0070000       | js                  0x16
            //   488d442470           | dec                 eax
            //   41b80f100000         | cwde                
            //   488bce               | dec                 eax

        $sequence_19 = { 4c89742440 4c89742438 4489742430 4c89742428 }
            // n = 4, score = 800
            //   4c89742440           | mov                 eax, 0x100f
            //   4c89742438           | dec                 eax
            //   4489742430           | mov                 ecx, esi
            //   4c89742428           | dec                 eax

        $sequence_20 = { 418d5508 488bc8 ff15???????? 488bd8 4885c0 }
            // n = 5, score = 800
            //   418d5508             | mov                 dword ptr [esp + 0x20], eax
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x28], eax
            //   4885c0               | dec                 eax

        $sequence_21 = { 488d9590050000 488bce ff15???????? 85c0 }
            // n = 4, score = 800
            //   488d9590050000       | dec                 eax
            //   488bce               | cwde                
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_22 = { 4533c9 4889442428 488d95a0070000 488d442470 }
            // n = 4, score = 800
            //   4533c9               | mov                 ecx, esi
            //   4889442428           | dec                 eax
            //   488d95a0070000       | mov                 dword ptr [esp + 0x20], eax
            //   488d442470           | test                eax, eax

        $sequence_23 = { 4889c1 31d2 4989f8 41ffd6 }
            // n = 4, score = 700
            //   4889c1               | je                  0x62
            //   31d2                 | dec                 eax
            //   4989f8               | mov                 eax, dword ptr [esp + 0x30]
            //   41ffd6               | dec                 eax

        $sequence_24 = { 488bd3 e8???????? ff15???????? 4c8bc3 33d2 488bc8 }
            // n = 6, score = 700
            //   488bd3               | lea                 eax, [esp + 0x70]
            //   e8????????           |                     
            //   ff15????????         |                     
            //   4c8bc3               | inc                 ecx
            //   33d2                 | mov                 eax, 0x100f
            //   488bc8               | dec                 eax

        $sequence_25 = { 85c8 0f94c0 833d????????0a 0f9cc1 84c1 7508 30c1 }
            // n = 7, score = 700
            //   85c8                 | cwde                
            //   0f94c0               | mov                 eax, 6
            //   833d????????0a       |                     
            //   0f9cc1               | inc                 esp
            //   84c1                 | mov                 ecx, dword ptr [edi + 0x54]
            //   7508                 | dec                 esp
            //   30c1                 | mov                 eax, esi

        $sequence_26 = { c744242800000001 4533c9 4533c0 c744242002000000 }
            // n = 4, score = 700
            //   c744242800000001     | jne                 6
            //   4533c9               | movzx               edx, byte ptr [ebx + 5]
            //   4533c0               | xor                 eax, eax
            //   c744242002000000     | cmp                 cl, 0x73

        $sequence_27 = { c744242880000000 c744242003000000 4889f9 ba00000080 41b801000000 }
            // n = 5, score = 700
            //   c744242880000000     | je                  0xc
            //   c744242003000000     | mov                 edx, 2
            //   4889f9               | dec                 eax
            //   ba00000080           | mov                 ecx, esi
            //   41b801000000         | call                eax

        $sequence_28 = { 0fb65305 33c0 80f973 0f94c0 }
            // n = 4, score = 700
            //   0fb65305             | dec                 eax
            //   33c0                 | mov                 ecx, esi
            //   80f973               | dec                 eax
            //   0f94c0               | mov                 dword ptr [esp + 0x20], eax

        $sequence_29 = { 08c1 80f101 7502 ebfe }
            // n = 4, score = 700
            //   08c1                 | inc                 ebp
            //   80f101               | xor                 ecx, ecx
            //   7502                 | dec                 eax
            //   ebfe                 | mov                 dword ptr [esp + 0x30], 0

        $sequence_30 = { 08ca 80f201 7502 ebfe }
            // n = 4, score = 700
            //   08ca                 | mov                 ecx, edi
            //   80f201               | mov                 edx, 0x80000000
            //   7502                 | inc                 ecx
            //   ebfe                 | mov                 eax, 1

        $sequence_31 = { 0f9fc1 38d3 7507 08c1 80f101 744d }
            // n = 6, score = 700
            //   0f9fc1               | xor                 edx, edx
            //   38d3                 | dec                 ecx
            //   7507                 | mov                 eax, ebx
            //   08c1                 | xor                 ebp, ebp
            //   80f101               | dec                 eax
            //   744d                 | mov                 ecx, eax

        $sequence_32 = { 89d1 83f1fe 85d1 0f95c2 833d????????09 0f9fc1 89cb }
            // n = 7, score = 700
            //   89d1                 | js                  0x16
            //   83f1fe               | inc                 ecx
            //   85d1                 | mov                 eax, 0x100f
            //   0f95c2               | dec                 eax
            //   833d????????09       |                     
            //   0f9fc1               | mov                 ecx, esi
            //   89cb                 | dec                 eax

        $sequence_33 = { ff15???????? 488bf8 4885c0 7533 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   488bf8               | jne                 0xc
            //   4885c0               | movzx               edx, cl
            //   7533                 | cmp                 cl, 0x73

        $sequence_34 = { 89c1 83f1fe 85c1 0f94c0 }
            // n = 4, score = 700
            //   89c1                 | dec                 eax
            //   83f1fe               | mov                 ecx, dword ptr [esp + 0x50]
            //   85c1                 | inc                 ebp
            //   0f94c0               | xor                 eax, eax

        $sequence_35 = { 89d1 83f1fe 85d1 0f94c2 833d????????0a 0f9cc1 89cb }
            // n = 7, score = 700
            //   89d1                 | mov                 dword ptr [esp + 0x20], eax
            //   83f1fe               | test                eax, eax
            //   85d1                 | dec                 eax
            //   0f94c2               | mov                 ecx, esi
            //   833d????????0a       |                     
            //   0f9cc1               | dec                 eax
            //   89cb                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_36 = { ff15???????? 31ed 4889c1 31d2 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   31ed                 | add                 ecx, eax
            //   4889c1               | dec                 eax
            //   31d2                 | mov                 eax, ecx

        $sequence_37 = { 0fb64b04 0fb6d1 80f973 7504 0fb65305 33c0 }
            // n = 6, score = 700
            //   0fb64b04             | dec                 eax
            //   0fb6d1               | mov                 dword ptr [esp + 0x20], eax
            //   80f973               | test                eax, eax
            //   7504                 | js                  0xe
            //   0fb65305             | dec                 eax
            //   33c0                 | cwde                

        $sequence_38 = { 0f9fc1 83fa0a 0f9cc2 30da 7512 08c1 80f101 }
            // n = 7, score = 700
            //   0f9fc1               | mov                 ecx, edi
            //   83fa0a               | mov                 edx, 0x80000000
            //   0f9cc2               | inc                 ecx
            //   30da                 | mov                 eax, 1
            //   7512                 | xor                 ebp, ebp
            //   08c1                 | dec                 eax
            //   80f101               | mov                 ecx, eax

        $sequence_39 = { 4889c1 31d2 4989e8 ff15???????? }
            // n = 4, score = 600
            //   4889c1               | arpl                word ptr [esp + 0x30], ax
            //   31d2                 | dec                 eax
            //   4989e8               | imul                eax, eax, 0x10
            //   ff15????????         |                     

        $sequence_40 = { 4889c1 31d2 4d89f8 ffd3 }
            // n = 4, score = 600
            //   4889c1               | lea                 eax, [0x202a]
            //   31d2                 | dec                 eax
            //   4d89f8               | mov                 edx, dword ptr [esp + 0x28]
            //   ffd3                 | dec                 eax

        $sequence_41 = { e8???????? 4c897c2420 4889d9 89fa }
            // n = 4, score = 600
            //   e8????????           |                     
            //   4c897c2420           | dec                 eax
            //   4889d9               | add                 ecx, eax
            //   89fa                 | dec                 eax

        $sequence_42 = { 7405 80fa2e 750f 0fb6c1 }
            // n = 4, score = 600
            //   7405                 | test                eax, eax
            //   80fa2e               | js                  0x1c
            //   750f                 | dec                 eax
            //   0fb6c1               | sub                 ecx, 0xc0

        $sequence_43 = { 488d4c2428 e8???????? 4889f1 4889c2 }
            // n = 4, score = 500
            //   488d4c2428           | cmovg               eax, ecx
            //   e8????????           |                     
            //   4889f1               | cdq                 
            //   4889c2               | sub                 eax, edx

        $sequence_44 = { c744242880000000 c744242003000000 4889f1 ba00000080 }
            // n = 4, score = 500
            //   c744242880000000     | dec                 esp
            //   c744242003000000     | lea                 eax, [0x202a]
            //   4889f1               | dec                 eax
            //   ba00000080           | mov                 edx, dword ptr [esp + 0x28]

        $sequence_45 = { 4889fa 4189f0 4d89f1 ffd0 }
            // n = 4, score = 500
            //   4889fa               | mov                 eax, 0x10b
            //   4189f0               | cmp                 cx, ax
            //   4d89f1               | mov                 ecx, 0xe10
            //   ffd0                 | cmp                 eax, ecx

        $sequence_46 = { 6689442470 8d4833 ff15???????? c744242810000000 }
            // n = 4, score = 400
            //   6689442470           | je                  0xc
            //   8d4833               | dec                 eax
            //   ff15????????         |                     
            //   c744242810000000     | mov                 ecx, edi

        $sequence_47 = { 33d2 6a09 68fe6a7a69 42 e8???????? }
            // n = 5, score = 400
            //   33d2                 | xor                 edx, edx
            //   6a09                 | push                9
            //   68fe6a7a69           | push                0x697a6afe
            //   42                   | inc                 edx
            //   e8????????           |                     

        $sequence_48 = { 7506 8b0e 894c2460 0fb7c0 }
            // n = 4, score = 400
            //   7506                 | dec                 eax
            //   8b0e                 | cwde                
            //   894c2460             | dec                 eax
            //   0fb7c0               | test                eax, eax

        $sequence_49 = { 7512 83fe40 730d 896c846c 8b742468 46 }
            // n = 6, score = 400
            //   7512                 | jne                 0x14
            //   83fe40               | cmp                 esi, 0x40
            //   730d                 | jae                 0xf
            //   896c846c             | mov                 dword ptr [esp + eax*4 + 0x6c], ebp
            //   8b742468             | mov                 esi, dword ptr [esp + 0x68]
            //   46                   | inc                 esi

        $sequence_50 = { 0fb745e8 50 68???????? e8???????? }
            // n = 4, score = 400
            //   0fb745e8             | movzx               eax, word ptr [ebp - 0x18]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_51 = { 50 e8???????? 83c404 33c0 33d2 40 8bc8 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   33d2                 | xor                 edx, edx
            //   40                   | inc                 eax
            //   8bc8                 | mov                 ecx, eax

        $sequence_52 = { 66890d???????? 0fb7ca ff15???????? b901000000 66c746020100 }
            // n = 5, score = 400
            //   66890d????????       |                     
            //   0fb7ca               | js                  0x13
            //   ff15????????         |                     
            //   b901000000           | dec                 eax
            //   66c746020100         | cwde                

        $sequence_53 = { 75ef 21542440 6890010000 686a72995d 6a04 }
            // n = 5, score = 400
            //   75ef                 | jne                 0xfffffff1
            //   21542440             | and                 dword ptr [esp + 0x40], edx
            //   6890010000           | push                0x190
            //   686a72995d           | push                0x5d99726a
            //   6a04                 | push                4

        $sequence_54 = { 51 8bd6 e8???????? 59 59 85c0 }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_55 = { 33ff 32db 885c2410 c70601000000 eb35 81ffff030000 }
            // n = 6, score = 400
            //   33ff                 | xor                 edi, edi
            //   32db                 | xor                 bl, bl
            //   885c2410             | mov                 byte ptr [esp + 0x10], bl
            //   c70601000000         | mov                 dword ptr [esi], 1
            //   eb35                 | jmp                 0x37
            //   81ffff030000         | cmp                 edi, 0x3ff

        $sequence_56 = { 6a01 6a04 68???????? ff15???????? 8bf8 83ffff }
            // n = 6, score = 300
            //   6a01                 | push                1
            //   6a04                 | push                4
            //   68????????           |                     
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1

        $sequence_57 = { 81feff030000 733c 8a02 3cc0 721e }
            // n = 5, score = 300
            //   81feff030000         | cmp                 esi, 0x3ff
            //   733c                 | jae                 0x3e
            //   8a02                 | mov                 al, byte ptr [edx]
            //   3cc0                 | cmp                 al, 0xc0
            //   721e                 | jb                  0x20

        $sequence_58 = { 88041a 8bd1 41 3bcf }
            // n = 4, score = 300
            //   88041a               | mov                 byte ptr [edx + ebx], al
            //   8bd1                 | mov                 edx, ecx
            //   41                   | inc                 ecx
            //   3bcf                 | cmp                 ecx, edi

        $sequence_59 = { 0fb6c9 51 8bca c1f910 0fb6c1 50 8bc2 }
            // n = 7, score = 300
            //   0fb6c9               | movzx               ecx, cl
            //   51                   | push                ecx
            //   8bca                 | mov                 ecx, edx
            //   c1f910               | sar                 ecx, 0x10
            //   0fb6c1               | movzx               eax, cl
            //   50                   | push                eax
            //   8bc2                 | mov                 eax, edx

        $sequence_60 = { 2ac2 fec8 88041a 8bd1 }
            // n = 4, score = 300
            //   2ac2                 | sub                 al, dl
            //   fec8                 | dec                 al
            //   88041a               | mov                 byte ptr [edx + ebx], al
            //   8bd1                 | mov                 edx, ecx

        $sequence_61 = { 3cc0 721e 0fb6c8 0fb64201 }
            // n = 4, score = 300
            //   3cc0                 | cmp                 al, 0xc0
            //   721e                 | jb                  0x20
            //   0fb6c8               | movzx               ecx, al
            //   0fb64201             | movzx               eax, byte ptr [edx + 1]

        $sequence_62 = { 8d7001 8d4610 50 6a08 }
            // n = 4, score = 300
            //   8d7001               | lea                 esi, [eax + 1]
            //   8d4610               | lea                 eax, [esi + 0x10]
            //   50                   | push                eax
            //   6a08                 | push                8

        $sequence_63 = { 0fb70d???????? 83c40c 8d4101 51 66a3???????? }
            // n = 5, score = 300
            //   0fb70d????????       |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4101               | lea                 eax, [ecx + 1]
            //   51                   | push                ecx
            //   66a3????????         |                     

        $sequence_64 = { 89442438 4863442430 486bc010 488d0de3380200 4803c8 488bc1 }
            // n = 6, score = 100
            //   89442438             | js                  0x16
            //   4863442430           | dec                 eax
            //   486bc010             | cwde                
            //   488d0de3380200       | dec                 eax
            //   4803c8               | mov                 ecx, esi
            //   488bc1               | dec                 eax

        $sequence_65 = { 7460 488b442430 488b00 8b4028 488b4c2440 4803c8 488bc1 }
            // n = 7, score = 100
            //   7460                 | cwde                
            //   488b442430           | inc                 ecx
            //   488b00               | mov                 eax, 0x100f
            //   8b4028               | dec                 eax
            //   488b4c2440           | mov                 ecx, esi
            //   4803c8               | dec                 eax
            //   488bc1               | mov                 dword ptr [esp + 0x20], eax

        $sequence_66 = { 4c8d052a200000 488b542428 488d4c2420 e8???????? 4889442430 ff542430 }
            // n = 6, score = 100
            //   4c8d052a200000       | mov                 dword ptr [esp + 0x20], eax
            //   488b542428           | test                eax, eax
            //   488d4c2420           | inc                 ecx
            //   e8????????           |                     
            //   4889442430           | mov                 eax, 0x100f
            //   ff542430             | dec                 eax

        $sequence_67 = { 48894c2408 4883ec48 8b442458 89442424 48c744242800000000 41b800100200 }
            // n = 6, score = 100
            //   48894c2408           | mov                 eax, ebx
            //   4883ec48             | dec                 eax
            //   8b442458             | mov                 ecx, esi
            //   89442424             | dec                 eax
            //   48c744242800000000   | mov                 dword ptr [esp + 0x20], eax
            //   41b800100200         | test                eax, eax

        $sequence_68 = { 0f848c000000 488b442430 83782000 7460 488b442430 }
            // n = 5, score = 100
            //   0f848c000000         | inc                 ecx
            //   488b442430           | mov                 eax, 0x100f
            //   83782000             | dec                 eax
            //   7460                 | mov                 ecx, esi
            //   488b442430           | dec                 eax

        $sequence_69 = { 4533c0 ba01000000 488b4c2440 ff9424a0000000 89842480000000 }
            // n = 5, score = 100
            //   4533c0               | dec                 eax
            //   ba01000000           | mov                 ecx, esi
            //   488b4c2440           | dec                 eax
            //   ff9424a0000000       | mov                 dword ptr [esp + 0x20], eax
            //   89842480000000       | test                eax, eax

        $sequence_70 = { 488b442430 488b00 83782800 0f848c000000 488b442430 }
            // n = 5, score = 100
            //   488b442430           | js                  0x13
            //   488b00               | dec                 eax
            //   83782800             | cwde                
            //   0f848c000000         | inc                 ecx
            //   488b442430           | mov                 eax, 0x100f

        $sequence_71 = { 488d0de3380200 4803c8 488bc1 48634c2434 488d04c8 48634c2438 8b0488 }
            // n = 7, score = 100
            //   488d0de3380200       | cwde                
            //   4803c8               | dec                 eax
            //   488bc1               | mov                 ecx, esi
            //   48634c2434           | dec                 eax
            //   488d04c8             | mov                 dword ptr [esp + 0x20], eax
            //   48634c2438           | test                eax, eax
            //   8b0488               | js                  0x13

    condition:
        7 of them and filesize < 2088960
}