SYMBOLCOMMON_NAMEaka. SYNONYMS
win.buer (Back to overview)

Buer

aka: Buerloader, RustyBuer

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.

References
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-17Trend MicroTrend Micro Research
@techreport{research:20220317:navigating:5ad631e, author = {Trend Micro Research}, title = {{Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report}}, date = {2022-03-17}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf}, language = {English}, urldate = {2022-03-22} } Navigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report
REvil BazarBackdoor Buer IcedID QakBot REvil
2022-01-20TEHTRISTEHTRIS
@online{tehtris:20220120:buer:f7d5789, author = {TEHTRIS}, title = {{Buer Loader Analysis, a Rusted malware program}}, date = {2022-01-20}, organization = {TEHTRIS}, url = {https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program}, language = {English}, urldate = {2022-03-01} } Buer Loader Analysis, a Rusted malware program
Buer
2021-11-05Trend MicroChristopher Boyton
@online{boyton:20211105:review:a1394e6, author = {Christopher Boyton}, title = {{A Review and Analysis of 2021 Buer Loader Campaigns}}, date = {2021-11-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html}, language = {English}, urldate = {2021-11-08} } A Review and Analysis of 2021 Buer Loader Campaigns
Buer
2021-11-05Trend MicroChristopher Boyton
@techreport{boyton:20211105:analysis:2711253, author = {Christopher Boyton}, title = {{An Analysis of Buer Loader}}, date = {2021-11-05}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf}, language = {English}, urldate = {2021-11-08} } An Analysis of Buer Loader
Buer
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-05The RecordCatalin Cimpanu
@online{cimpanu:20210805:meet:bce8310, author = {Catalin Cimpanu}, title = {{Meet Prometheus, the secret TDS behind some of today’s malware campaigns}}, date = {2021-08-05}, organization = {The Record}, url = {https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/}, language = {English}, urldate = {2021-08-06} } Meet Prometheus, the secret TDS behind some of today’s malware campaigns
Buer campoloader IcedID QakBot
2021-08-05Group-IBViktor Okorokov, Nikita Rostovcev
@online{okorokov:20210805:prometheus:38ab6a6, author = {Viktor Okorokov and Nikita Rostovcev}, title = {{Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot}}, date = {2021-08-05}, organization = {Group-IB}, url = {https://blog.group-ib.com/prometheus-tds}, language = {English}, urldate = {2021-08-06} } Prometheus TDS The key to success for Campo Loader, Hancitor, IcedID, and QBot
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-19FortinetVal Saengphaibul, Fred Gutierrez
@online{saengphaibul:20210719:signed:d9f809c, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader}}, date = {2021-07-19}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader}, language = {English}, urldate = {2021-07-26} } Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader
Buer
2021-05-03Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210503:buerloader:2aa3e3f, author = {Joshua Platt and Jason Reaves}, title = {{BuerLoader Updates}}, date = {2021-05-03}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96}, language = {English}, urldate = {2021-05-04} } BuerLoader Updates
Buer
2021-05-03ProofpointKelsey Merriman, Bryan Campbell, Selena Larson, Proofpoint Threat Research Team
@online{merriman:20210503:new:cd4d275, author = {Kelsey Merriman and Bryan Campbell and Selena Larson and Proofpoint Threat Research Team}, title = {{New Variant of Buer Loader Written in Rust}}, date = {2021-05-03}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust}, language = {English}, urldate = {2021-05-03} } New Variant of Buer Loader Written in Rust
Buer
2021-03-18VIPREVIPRE Labs
@online{labs:20210318:buer:bbd7d97, author = {VIPRE Labs}, title = {{Buer Loader Found in an Unusual Email Attachment}}, date = {2021-03-18}, organization = {VIPRE}, url = {https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/}, language = {English}, urldate = {2022-04-20} } Buer Loader Found in an Unusual Email Attachment
Buer
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-25ANSSICERT-FR
@techreport{certfr:20210225:ryuk:7895e12, author = {CERT-FR}, title = {{Ryuk Ransomware}}, date = {2021-02-25}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf}, language = {English}, urldate = {2021-03-02} } Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021SecureworksSecureWorks
@online{secureworks:2021:threat:07bd94a, author = {SecureWorks}, title = {{Threat Profile: GOLD SYMPHONY}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-symphony}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD SYMPHONY
Buer GOLD SYMPHONY
2021SecureworksSecureWorks
@online{secureworks:2021:threat:4e7c443, author = {SecureWorks}, title = {{Threat Profile: GOLD BLACKBURN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18Minerva LabsEddy Bobritsky
@online{bobritsky:20201118:stopping:e5c486b, author = {Eddy Bobritsky}, title = {{Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module}}, date = {2020-11-18}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/stopping-buerloader}, language = {English}, urldate = {2020-11-19} } Stopping BuerLoader With Minerva Lab's Hostile Environment Simulation module
Buer
2020-11-09Area 1Threat Research Team
@online{team:20201109:phishing:a25a567, author = {Threat Research Team}, title = {{Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware}}, date = {2020-11-09}, organization = {Area 1}, url = {https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/}, language = {English}, urldate = {2020-11-18} } Phishing Campaign Threatens Job Security, Drops Bazar and Buer Malware
BazarBackdoor Buer
2020-10-29Twitter (@SophosLabs)SophosLabs
@online{sophoslabs:20201029:similarities:408a640, author = {SophosLabs}, title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}}, date = {2020-10-29}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1321844306970251265}, language = {English}, urldate = {2020-11-02} } Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk
2020-10-28SophosLabs UncutSean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-09-29ZscalerMohd Sadique, Atinderpal Singh
@online{sadique:20200929:spear:de79be6, author = {Mohd Sadique and Atinderpal Singh}, title = {{Spear Phishing Campaign Delivers Buer and Bazar Malware}}, date = {2020-09-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware}, language = {English}, urldate = {2020-10-15} } Spear Phishing Campaign Delivers Buer and Bazar Malware
BazarBackdoor Buer
2020-03-05Kaspersky LabsAMR
@online{amr:20200305:mokes:698295f, author = {AMR}, title = {{Mokes and Buerak distributed under the guise of security certificates}}, date = {2020-03-05}, organization = {Kaspersky Labs}, url = {https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/}, language = {English}, urldate = {2020-03-09} } Mokes and Buerak distributed under the guise of security certificates
Buer Mokes
2019-12-05KrabsOnSecurityMr. Krabs
@online{krabs:20191205:buer:9c3cf72, author = {Mr. Krabs}, title = {{Buer Loader, new Russian loader on the market with interesting persistence}}, date = {2019-12-05}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/}, language = {English}, urldate = {2020-01-08} } Buer Loader, new Russian loader on the market with interesting persistence
Buer
2019-12-04ProofpointKelsey Merriman, Dennis Schwarz, Kafeine, Axel F
@online{merriman:20191204:buer:6c413aa, author = {Kelsey Merriman and Dennis Schwarz and Kafeine and Axel F}, title = {{Buer, a new loader emerges in the underground marketplace}}, date = {2019-12-04}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace}, language = {English}, urldate = {2020-01-06} } Buer, a new loader emerges in the underground marketplace
Buer
2019-10-10Twitter (@StopMalvertisin)Kimberly
@online{kimberly:20191010:malware:032ed3c, author = {Kimberly}, title = {{Tweet on Malware Sample}}, date = {2019-10-10}, organization = {Twitter (@StopMalvertisin)}, url = {https://twitter.com/StopMalvertisin/status/1182505434231398401}, language = {English}, urldate = {2020-01-10} } Tweet on Malware Sample
Buer
Yara Rules
[TLP:WHITE] win_buer_auto (20220808 | Detects win.buer.)
rule win_buer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.buer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 57 60 64a130000000 8b400c }
            // n = 5, score = 1100
            //   56                   | push                esi
            //   57                   | push                edi
            //   60                   | pushal              
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_1 = { 3bc7 7d0f 8a0c46 880c18 }
            // n = 4, score = 1100
            //   3bc7                 | cmp                 eax, edi
            //   7d0f                 | jge                 0x11
            //   8a0c46               | mov                 cl, byte ptr [esi + eax*2]
            //   880c18               | mov                 byte ptr [eax + ebx], cl

        $sequence_2 = { 85f6 7507 e8???????? eb05 e8???????? 46 }
            // n = 6, score = 1100
            //   85f6                 | test                esi, esi
            //   7507                 | jne                 9
            //   e8????????           |                     
            //   eb05                 | jmp                 7
            //   e8????????           |                     
            //   46                   | inc                 esi

        $sequence_3 = { 3bc2 7cf1 eb02 33c0 }
            // n = 4, score = 1100
            //   3bc2                 | cmp                 eax, edx
            //   7cf1                 | jl                  0xfffffff3
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 8b45f4 03c1 8bcb 894144 8b45f0 }
            // n = 5, score = 1100
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   03c1                 | add                 eax, ecx
            //   8bcb                 | mov                 ecx, ebx
            //   894144               | mov                 dword ptr [ecx + 0x44], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_5 = { 8b734c 8b7b50 8b4340 0345f8 8b5b54 }
            // n = 5, score = 1100
            //   8b734c               | mov                 esi, dword ptr [ebx + 0x4c]
            //   8b7b50               | mov                 edi, dword ptr [ebx + 0x50]
            //   8b4340               | mov                 eax, dword ptr [ebx + 0x40]
            //   0345f8               | add                 eax, dword ptr [ebp - 8]
            //   8b5b54               | mov                 ebx, dword ptr [ebx + 0x54]

        $sequence_6 = { 8945f8 ff15???????? 59 59 85c0 }
            // n = 5, score = 1100
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ff15????????         |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_7 = { 894148 8b45dc 03c6 89414c }
            // n = 4, score = 1100
            //   894148               | mov                 dword ptr [ecx + 0x48], eax
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   03c6                 | add                 eax, esi
            //   89414c               | mov                 dword ptr [ecx + 0x4c], eax

        $sequence_8 = { c1e808 8944243c c1e808 8d04e8 }
            // n = 4, score = 300
            //   c1e808               | shr                 eax, 8
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax
            //   c1e808               | shr                 eax, 8
            //   8d04e8               | lea                 eax, [eax + ebp*8]

        $sequence_9 = { c1e808 8944244c c1e808 89442450 }
            // n = 4, score = 300
            //   c1e808               | shr                 eax, 8
            //   8944244c             | mov                 dword ptr [esp + 0x4c], eax
            //   c1e808               | shr                 eax, 8
            //   89442450             | mov                 dword ptr [esp + 0x50], eax

        $sequence_10 = { c68424bc03000031 83fa01 741c 8d4aff }
            // n = 4, score = 300
            //   c68424bc03000031     | mov                 byte ptr [esp + 0x3bc], 0x31
            //   83fa01               | cmp                 edx, 1
            //   741c                 | je                  0x1e
            //   8d4aff               | lea                 ecx, [edx - 1]

        $sequence_11 = { c1e808 89442448 c1e808 81e1ffffff01 c1e105 81e6ffffff01 }
            // n = 6, score = 300
            //   c1e808               | shr                 eax, 8
            //   89442448             | mov                 dword ptr [esp + 0x48], eax
            //   c1e808               | shr                 eax, 8
            //   81e1ffffff01         | and                 ecx, 0x1ffffff
            //   c1e105               | shl                 ecx, 5
            //   81e6ffffff01         | and                 esi, 0x1ffffff

        $sequence_12 = { c1e808 89442444 c1e808 89442448 }
            // n = 4, score = 300
            //   c1e808               | shr                 eax, 8
            //   89442444             | mov                 dword ptr [esp + 0x44], eax
            //   c1e808               | shr                 eax, 8
            //   89442448             | mov                 dword ptr [esp + 0x48], eax

        $sequence_13 = { c1e808 89442450 c1e808 c1e106 03c8 8bc1 }
            // n = 6, score = 300
            //   c1e808               | shr                 eax, 8
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   c1e808               | shr                 eax, 8
            //   c1e106               | shl                 ecx, 6
            //   03c8                 | add                 ecx, eax
            //   8bc1                 | mov                 eax, ecx

        $sequence_14 = { c1fa15 8bce 2bcd 8bc2 8bac248c000000 }
            // n = 5, score = 300
            //   c1fa15               | sar                 edx, 0x15
            //   8bce                 | mov                 ecx, esi
            //   2bcd                 | sub                 ecx, ebp
            //   8bc2                 | mov                 eax, edx
            //   8bac248c000000       | mov                 ebp, dword ptr [esp + 0x8c]

        $sequence_15 = { c1fa15 8bce c1e715 8bc2 2bcf 8b7c246c }
            // n = 6, score = 300
            //   c1fa15               | sar                 edx, 0x15
            //   8bce                 | mov                 ecx, esi
            //   c1e715               | shl                 edi, 0x15
            //   8bc2                 | mov                 eax, edx
            //   2bcf                 | sub                 ecx, edi
            //   8b7c246c             | mov                 edi, dword ptr [esp + 0x6c]

    condition:
        7 of them and filesize < 3031040
}
Download all Yara Rules