SYMBOLCOMMON_NAMEaka. SYNONYMS
win.clop (Back to overview)

Clop

Actor(s): TA505


Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: "Dont Worry C|0P" included into the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.

References
2023-07-26TalosNicole Hoffman
@online{hoffman:20230726:incident:4731c33, author = {Nicole Hoffman}, title = {{Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical}}, date = {2023-07-26}, organization = {Talos}, url = {https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/}, language = {English}, urldate = {2023-08-03} } Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
BianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom
2023-06-23FourcoreJones Martin
@online{martin:20230623:clop:ed4b8f0, author = {Jones Martin}, title = {{Clop Ransomware: History, Timeline, And Adversary Simulation}}, date = {2023-06-23}, organization = {Fourcore}, url = {https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation}, language = {English}, urldate = {2023-07-28} } Clop Ransomware: History, Timeline, And Adversary Simulation
Clop
2023-05-23loginsoftSaharsh Agrawal
@online{agrawal:20230523:taming:7a77f19, author = {Saharsh Agrawal}, title = {{Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350}}, date = {2023-05-23}, organization = {loginsoft}, url = {https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/}, language = {English}, urldate = {2023-05-30} } Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350
Clop LockBit Silence
2022-12-08Cisco TalosTiago Pereira
@online{pereira:20221208:breaking:7f00030, author = {Tiago Pereira}, title = {{Breaking the silence - Recent Truebot activity}}, date = {2022-12-08}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/}, language = {English}, urldate = {2022-12-12} } Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport
2022-10-27Bleeping ComputerSergiu Gatlan
@online{gatlan:20221027:microsoft:e274158, author = {Sergiu Gatlan}, title = {{Microsoft links Raspberry Robin worm to Clop ransomware attacks}}, date = {2022-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/}, language = {English}, urldate = {2022-11-11} } Microsoft links Raspberry Robin worm to Clop ransomware attacks
Clop Raspberry Robin
2022-09-06PRODAFTPRODAFT
@techreport{prodaft:20220906:ta505:ed4c7e9, author = {PRODAFT}, title = {{TA505 Group’s TeslaGun In-Depth Analysis}}, date = {2022-09-06}, institution = {PRODAFT}, url = {https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf}, language = {English}, urldate = {2022-12-20} } TA505 Group’s TeslaGun In-Depth Analysis
Clop ServHelper
2022-07-26MandiantThibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
@online{berlaere:20220726:mandiant:c1c4498, author = {Thibault van Geluwe de Berlaere and Jay Christiansen and Daniel Kapellmann Zafra and Ken Proska and Keith Lunden}, title = {{Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers}}, date = {2022-07-26}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics}, language = {English}, urldate = {2023-01-19} } Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-05-28Bleeping ComputerSergiu Gatlan
@online{gatlan:20220528:clop:bb8abda, author = {Sergiu Gatlan}, title = {{Clop ransomware gang is back, hits 21 victims in a single month}}, date = {2022-05-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/}, language = {English}, urldate = {2022-07-13} } Clop ransomware gang is back, hits 21 victims in a single month
Clop
2022-02-22Trend MicroTrend Micro Research
@online{research:20220222:ransomware:677506b, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Clop}}, date = {2022-02-22}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop}, language = {English}, urldate = {2022-02-26} } Ransomware Spotlight: Clop
Clop
2021-11-16Trend MicroTrend Micro
@online{micro:20211116:global:5b996d3, author = {Trend Micro}, title = {{Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels}}, date = {2021-11-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html}, language = {English}, urldate = {2021-11-18} } Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels
REvil Clop Gandcrab REvil
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-06-30Advanced IntelligenceYelisey Boguslavskiy, Brandon Rudisel, AdvIntel Security & Development Team
@online{boguslavskiy:20210630:ransomwarecve:deae6a7, author = {Yelisey Boguslavskiy and Brandon Rudisel and AdvIntel Security & Development Team}, title = {{Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets}}, date = {2021-06-30}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities}, language = {English}, urldate = {2021-07-01} } Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
BlackKingdom Ransomware Clop dearcry Hades REvil
2021-06-25KrCertKayoung Kim, Dongwook Kim, Taewoo Lee, Seulgi Lee
@techreport{kim:20210625:attack:d4ae440, author = {Kayoung Kim and Dongwook Kim and Taewoo Lee and Seulgi Lee}, title = {{Attack patterns in AD environment}}, date = {2021-06-25}, institution = {KrCert}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf}, language = {English}, urldate = {2021-06-29} } Attack patterns in AD environment
Clop
2021-06-24BinanceBinance
@online{binance:20210624:binance:afde1e5, author = {Binance}, title = {{Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks}}, date = {2021-06-24}, organization = {Binance}, url = {https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks}, language = {English}, urldate = {2021-06-29} } Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks
Clop
2021-06-16Національної поліції УкраїниНаціональна поліція України
@online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-16The RecordCatalin Cimpanu
@online{cimpanu:20210616:ukrainian:141533c, author = {Catalin Cimpanu}, title = {{Ukrainian police arrest Clop ransomware members, seize server infrastructure}}, date = {2021-06-16}, organization = {The Record}, url = {https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/}, language = {English}, urldate = {2021-06-21} } Ukrainian police arrest Clop ransomware members, seize server infrastructure
Clop
2021-06-16Youtube (Національна поліція України)Національна поліція України
@online{:20210616:clop:28caf8c, author = {Національна поліція України}, title = {{Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)}}, date = {2021-06-16}, organization = {Youtube (Національна поліція України)}, url = {https://www.youtube.com/watch?v=PqGaZgepNTE}, language = {Ukrainian}, urldate = {2021-06-21} } Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)
Clop
2021-06-16KrebsOnSecurityBrian Krebs
@online{krebs:20210616:ukrainian:e0e117f, author = {Brian Krebs}, title = {{Ukrainian Police Nab Six Tied to CLOP Ransomware}}, date = {2021-06-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/}, language = {English}, urldate = {2021-06-21} } Ukrainian Police Nab Six Tied to CLOP Ransomware
Clop
2021-06-15Trend MicroJanus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
@online{agcaoili:20210615:ransomware:41013af, author = {Janus Agcaoili and Miguel Ang and Earle Earnshaw and Byron Gelera and Nikko Tamana}, title = {{Ransomware Double Extortion and Beyond: REvil, Clop, and Conti}}, date = {2021-06-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti}, language = {English}, urldate = {2021-06-21} } Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-03splunkSplunk Threat Research Team
@online{team:20210503:clop:1d24527, author = {Splunk Threat Research Team}, title = {{Clop Ransomware Detection: Threat Research Release, April 2021}}, date = {2021-05-03}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html}, language = {English}, urldate = {2021-05-07} } Clop Ransomware Detection: Threat Research Release, April 2021
Clop
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-14ViceLorenzo Franceschi-Bicchierai
@online{franceschibicchierai:20210414:meet:0a23d2a, author = {Lorenzo Franceschi-Bicchierai}, title = {{Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever}}, date = {2021-04-14}, organization = {Vice}, url = {https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever}, language = {English}, urldate = {2021-04-14} } Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever
Clop
2021-04-13Palo Alto Networks Unit 42Doel Santos
@online{santos:20210413:threat:7154f80, author = {Doel Santos}, title = {{Threat Assessment: Clop Ransomware}}, date = {2021-04-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/clop-ransomware/}, language = {English}, urldate = {2021-04-14} } Threat Assessment: Clop Ransomware
Clop
2021-04-13splunkSplunk Threat Research Team
@online{team:20210413:detecting:83655d0, author = {Splunk Threat Research Team}, title = {{Detecting Clop Ransomware}}, date = {2021-04-13}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html}, language = {English}, urldate = {2021-04-14} } Detecting Clop Ransomware
Clop
2021-03-26Bleeping ComputerLawrence Abrams
@online{abrams:20210326:ransomware:bc58d85, author = {Lawrence Abrams}, title = {{Ransomware gang urges victims’ customers to demand a ransom payment}}, date = {2021-03-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/}, language = {English}, urldate = {2021-03-31} } Ransomware gang urges victims’ customers to demand a ransom payment
Clop
2021-03-11FlashpointFlashpoint
@online{flashpoint:20210311:cl0p:666bd6f, author = {Flashpoint}, title = {{CL0P and REvil Escalate Their Ransomware Tactics}}, date = {2021-03-11}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/}, language = {English}, urldate = {2021-03-12} } CL0P and REvil Escalate Their Ransomware Tactics
Clop REvil
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22FireEyeAndrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody
@online{moore:20210222:cyber:a641e26, author = {Andrew Moore and Genevieve Stark and Isif Ibrahima and Van Ta and Kimberly Goody}, title = {{Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion}}, date = {2021-02-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html}, language = {English}, urldate = {2021-02-25} } Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
DEWMODE Clop
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-05AhnLabAhnLab ASEC Analysis Team
@online{team:20210105:threat:6541fd7, author = {AhnLab ASEC Analysis Team}, title = {{[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant}}, date = {2021-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/19542/}, language = {English}, urldate = {2021-06-16} } [Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant
Clop
2020-12-15Twitter (@darb0ng)Minhee Lee
@online{lee:20201215:symrise:e60ff65, author = {Minhee Lee}, title = {{Tweet on Symrise group hit by Clop Ransomware}}, date = {2020-12-15}, organization = {Twitter (@darb0ng)}, url = {https://twitter.com/darb0ng/status/1338692764121251840}, language = {English}, urldate = {2020-12-15} } Tweet on Symrise group hit by Clop Ransomware
Clop
2020-12-03Bleeping ComputerLawrence Abrams
@online{abrams:20201203:ransomware:186759f, author = {Lawrence Abrams}, title = {{Ransomware gang says they stole 2 million credit cards from E-Land}}, date = {2020-12-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/}, language = {English}, urldate = {2020-12-08} } Ransomware gang says they stole 2 million credit cards from E-Land
Clop
2020-12-02AhnLabAhnLab ASEC Analysis Team
@techreport{team:20201202:clop:2df3556, author = {AhnLab ASEC Analysis Team}, title = {{CLOP Ransomware Report}}, date = {2020-12-02}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf}, language = {Korean}, urldate = {2021-07-02} } CLOP Ransomware Report
Clop
2020-11-23S2W LAB Inc.TALON
@online{talon:20201123:s2w:97212ec, author = {TALON}, title = {{[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident}}, date = {2020-11-23}, organization = {S2W LAB Inc.}, url = {https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e}, language = {English}, urldate = {2020-12-03} } [S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident
Clop
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-16Fox-ITAntonis Terefos, Anne Postma, Tera0017
@online{terefos:20201116:ta505:8449383, author = {Antonis Terefos and Anne Postma and Tera0017}, title = {{TA505: A Brief History Of Their Time}}, date = {2020-11-16}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/}, language = {English}, urldate = {2020-11-23} } TA505: A Brief History Of Their Time
Clop Get2 SDBbot TA505
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-08ZDNetCatalin Cimpanu
@online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } German tech giant Software AG down after ransomware attack
Clop
2020-10-06TelekomThomas Barabosch
@online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } Eager Beaver: A Short Overview of the Restless Threat Actor TA505
Clop Get2 SDBbot TA505
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-07-15MandiantNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot}, language = {English}, urldate = {2022-07-28} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-07-07HornetsecurityHornetsecurity Security Lab
@online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2
2020-06-22BleepingComputerLawrence Abrams
@online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-16TelekomThomas Barabosch
@online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-04SentinelOneJason Reaves
@online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBRIDGE
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-20ZDNetCatalin Cimpanu
@online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-14TelekomThomas Barabosch
@online{barabosch:20200114:inside:2187ad3, author = {Thomas Barabosch}, title = {{Inside of CL0P’s ransomware operation}}, date = {2020-01-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824}, language = {English}, urldate = {2021-01-14} } Inside of CL0P’s ransomware operation
Clop Get2 SDBbot
2020-01-13Github (Tera0017)Tera0017
@online{tera0017:20200113:tafof:d939bc6, author = {Tera0017}, title = {{TAFOF Unpacker}}, date = {2020-01-13}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/TAFOF-Unpacker}, language = {English}, urldate = {2020-03-30} } TAFOF Unpacker
Clop Get2 Silence
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:07d2a90, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md}, language = {English}, urldate = {2020-01-09} } Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:3e7202e, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md}, language = {English}, urldate = {2020-02-01} } Clop ransomware Notes
Clop
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-11-22CERT-FRCERT-FR
@online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-19ACTURédaction Normandie
@online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } Clop Ransomware
Clop
2019-03-28Carbon BlackCB TAU Threat Intelligence
@online{intelligence:20190328:cryptomix:622c0b3, author = {CB TAU Threat Intelligence}, title = {{CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies}}, date = {2019-03-28}, organization = {Carbon Black}, url = {https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/}, language = {English}, urldate = {2021-07-02} } CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies
Clop
2019-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-02-02Medium SebdravenSébastien Larinier
@online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } Unpacking Clop
Clop
Yara Rules
[TLP:WHITE] win_clop_auto (20230715 | Detects win.clop.)
rule win_clop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.clop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a04 6800300000 6887000000 6a00 }
            // n = 4, score = 900
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   6887000000           | push                0x87
            //   6a00                 | push                0

        $sequence_1 = { 83c40c 6860070000 6a40 ff15???????? }
            // n = 4, score = 900
            //   83c40c               | add                 esp, 0xc
            //   6860070000           | push                0x760
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_2 = { 56 53 ff15???????? 50 ff15???????? 56 53 }
            // n = 7, score = 800
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_3 = { ff15???????? 56 53 8bf8 ff15???????? 8bf0 56 }
            // n = 7, score = 800
            //   ff15????????         |                     
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi

        $sequence_4 = { 6a00 ff15???????? 68???????? 8bd8 }
            // n = 4, score = 800
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   68????????           |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_5 = { 833d????????00 0f842e0c0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 }
            // n = 7, score = 700
            //   833d????????00       |                     
            //   0f842e0c0000         | je                  0xc34
            //   83ec08               | sub                 esp, 8
            //   0fae5c2404           | stmxcsr             dword ptr [esp + 4]
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   25807f0000           | and                 eax, 0x7f80
            //   3d801f0000           | cmp                 eax, 0x1f80

        $sequence_6 = { 6683f87f 8d642408 0f85fd0b0000 eb00 }
            // n = 4, score = 700
            //   6683f87f             | cmp                 ax, 0x7f
            //   8d642408             | lea                 esp, [esp + 8]
            //   0f85fd0b0000         | jne                 0xc03
            //   eb00                 | jmp                 2

        $sequence_7 = { db2d???????? b802000000 833d????????00 0f85f0080000 }
            // n = 4, score = 700
            //   db2d????????         |                     
            //   b802000000           | mov                 eax, 2
            //   833d????????00       |                     
            //   0f85f0080000         | jne                 0x8f6

        $sequence_8 = { 50 ff15???????? 83c40c 6860070000 }
            // n = 4, score = 600
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   6860070000           | push                0x760

        $sequence_9 = { 0f85aa010000 68???????? 8d442450 50 }
            // n = 4, score = 500
            //   0f85aa010000         | jne                 0x1b0
            //   68????????           |                     
            //   8d442450             | lea                 eax, [esp + 0x50]
            //   50                   | push                eax

        $sequence_10 = { 5d c20400 56 ff15???????? 6a00 }
            // n = 5, score = 500
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_11 = { 8b1d???????? 8d85d4f7ffff 68???????? 50 ffd3 8d85d4f7ffff }
            // n = 6, score = 500
            //   8b1d????????         |                     
            //   8d85d4f7ffff         | lea                 eax, [ebp - 0x82c]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d85d4f7ffff         | lea                 eax, [ebp - 0x82c]

        $sequence_12 = { 8d85bcefffff 50 ff15???????? 68???????? }
            // n = 4, score = 500
            //   8d85bcefffff         | lea                 eax, [ebp - 0x1044]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_13 = { ff15???????? 68???????? 8d85dcf7ffff 50 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   68????????           |                     
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax

        $sequence_14 = { 68???????? 68???????? e8???????? 83c424 6aff }
            // n = 5, score = 500
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   6aff                 | push                -1

        $sequence_15 = { ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 }
            // n = 7, score = 500
            //   ffd0                 | call                eax
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]

        $sequence_16 = { 6a00 e8???????? 83c408 6aff ff15???????? }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6aff                 | push                -1
            //   ff15????????         |                     

        $sequence_17 = { 83c424 53 50 ffd6 }
            // n = 4, score = 300
            //   83c424               | add                 esp, 0x24
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_18 = { 83c40c 33f6 85ff 7428 }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   33f6                 | xor                 esi, esi
            //   85ff                 | test                edi, edi
            //   7428                 | je                  0x2a

        $sequence_19 = { 6aff ffd7 8b4dfc 33c0 }
            // n = 4, score = 300
            //   6aff                 | push                -1
            //   ffd7                 | call                edi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax

        $sequence_20 = { 6a00 51 ffb560e2ffff 50 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ffb560e2ffff         | push                dword ptr [ebp - 0x1da0]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 796672
}
Download all Yara Rules