SYMBOLCOMMON_NAMEaka. SYNONYMS
win.clop (Back to overview)

Clop

Actor(s): TA505


Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: "Dont Worry C|0P" included into the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.

References
2020-11-23S2W LAB Inc.TALON
@online{talon:20201123:s2w:97212ec, author = {TALON}, title = {{[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident}}, date = {2020-11-23}, organization = {S2W LAB Inc.}, url = {https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26}, language = {Korean}, urldate = {2020-11-25} } [S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident
Clop
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-16Fox-ITAntonis Terefos, Anne Postma, Tera0017
@online{terefos:20201116:ta505:8449383, author = {Antonis Terefos and Anne Postma and Tera0017}, title = {{TA505: A Brief History Of Their Time}}, date = {2020-11-16}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/}, language = {English}, urldate = {2020-11-23} } TA505: A Brief History Of Their Time
Clop Get2 SDBbot TA505
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-08ZDNetCatalin Cimpanu
@online{cimpanu:20201008:german:7b88550, author = {Catalin Cimpanu}, title = {{German tech giant Software AG down after ransomware attack}}, date = {2020-10-08}, organization = {ZDNet}, url = {https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/}, language = {English}, urldate = {2020-10-12} } German tech giant Software AG down after ransomware attack
Clop
2020-10-06TelekomThomas Barabosch
@online{barabosch:20201006:eager:54da318, author = {Thomas Barabosch}, title = {{Eager Beaver: A Short Overview of the Restless Threat Actor TA505}}, date = {2020-10-06}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546}, language = {English}, urldate = {2020-10-08} } Eager Beaver: A Short Overview of the Restless Threat Actor TA505
Clop Get2 SDBbot TA505
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-07-07HornetsecurityHornetsecurity Security Lab
@online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-22BleepingComputerLawrence Abrams
@online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-16TelekomThomas Barabosch
@online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04SentinelOneJason Reaves
@online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBIDGE
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-20ZDNetCatalin Cimpanu
@online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-13Github (Tera0017)Tera0017
@online{tera0017:20200113:tafof:d939bc6, author = {Tera0017}, title = {{TAFOF Unpacker}}, date = {2020-01-13}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/TAFOF-Unpacker}, language = {English}, urldate = {2020-03-30} } TAFOF Unpacker
Clop Get2 Silence
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:3e7202e, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md}, language = {English}, urldate = {2020-02-01} } Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:07d2a90, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md}, language = {English}, urldate = {2020-01-09} } Clop ransomware Notes
Clop
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-11-22CERT-FRCERT-FR
@online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-19ACTURédaction Normandie
@online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } Clop Ransomware
Clop
2019-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-02-02Medium SebdravenSébastien Larinier
@online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } Unpacking Clop
Clop
Yara Rules
[TLP:WHITE] win_clop_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_clop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bd9 897c241c 6a01 895c2418 }
            // n = 4, score = 200
            //   8bd9                 | mov                 ebx, ecx
            //   897c241c             | mov                 dword ptr [esp + 0x1c], edi
            //   6a01                 | push                1
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx

        $sequence_1 = { 7503 c20000 e9???????? c3 }
            // n = 4, score = 200
            //   7503                 | jne                 5
            //   c20000               | ret                 0
            //   e9????????           |                     
            //   c3                   | ret                 

        $sequence_2 = { 68???????? 50 ffd3 8d8424e80f0000 50 }
            // n = 5, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd3                 | call                ebx
            //   8d8424e80f0000       | lea                 eax, [esp + 0xfe8]
            //   50                   | push                eax

        $sequence_3 = { 52 e8???????? 83c40c 8b45f8 50 8d4dfc 51 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx

        $sequence_4 = { 81bdf0fdffff26c08e84 0f8400060000 81bdf0fdffff497a7886 0f84f7050000 }
            // n = 4, score = 200
            //   81bdf0fdffff26c08e84     | cmp    dword ptr [ebp - 0x210], 0x848ec026
            //   0f8400060000         | je                  0x606
            //   81bdf0fdffff497a7886     | cmp    dword ptr [ebp - 0x210], 0x86787a49
            //   0f84f7050000         | je                  0x5fd

        $sequence_5 = { 99 f7f9 8b55b0 2bd0 8955b0 }
            // n = 5, score = 200
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx
            //   8b55b0               | mov                 edx, dword ptr [ebp - 0x50]
            //   2bd0                 | sub                 edx, eax
            //   8955b0               | mov                 dword ptr [ebp - 0x50], edx

        $sequence_6 = { b001 8be5 5d c3 ff25???????? }
            // n = 5, score = 200
            //   b001                 | mov                 al, 1
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   ff25????????         |                     

        $sequence_7 = { 56 e8???????? ffb5e8efffff ffb5e0efffff 56 e8???????? }
            // n = 6, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   ffb5e8efffff         | push                dword ptr [ebp - 0x1018]
            //   ffb5e0efffff         | push                dword ptr [ebp - 0x1020]
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_8 = { 8b955ce5ffff 8b4524 898254070000 8b8d5ce5ffff }
            // n = 4, score = 200
            //   8b955ce5ffff         | mov                 edx, dword ptr [ebp - 0x1aa4]
            //   8b4524               | mov                 eax, dword ptr [ebp + 0x24]
            //   898254070000         | mov                 dword ptr [edx + 0x754], eax
            //   8b8d5ce5ffff         | mov                 ecx, dword ptr [ebp - 0x1aa4]

        $sequence_9 = { 85c0 7457 68???????? 8d442450 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7457                 | je                  0x59
            //   68????????           |                     
            //   8d442450             | lea                 eax, [esp + 0x50]

        $sequence_10 = { 6a01 c78550e2ffff00000000 ff15???????? 8d859cfaffff 50 }
            // n = 5, score = 200
            //   6a01                 | push                1
            //   c78550e2ffff00000000     | mov    dword ptr [ebp - 0x1db0], 0
            //   ff15????????         |                     
            //   8d859cfaffff         | lea                 eax, [ebp - 0x564]
            //   50                   | push                eax

        $sequence_11 = { e8???????? 83c424 8d857ce9ffff 50 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   83c424               | add                 esp, 0x24
            //   8d857ce9ffff         | lea                 eax, [ebp - 0x1684]
            //   50                   | push                eax

        $sequence_12 = { ff15???????? eb36 8b4d18 83c101 894d18 6a00 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   eb36                 | jmp                 0x38
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   83c101               | add                 ecx, 1
            //   894d18               | mov                 dword ptr [ebp + 0x18], ecx
            //   6a00                 | push                0

        $sequence_13 = { 6aff 8b9564e9ffff 52 ff15???????? 6a00 8b8564e9ffff }
            // n = 6, score = 200
            //   6aff                 | push                -1
            //   8b9564e9ffff         | mov                 edx, dword ptr [ebp - 0x169c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   8b8564e9ffff         | mov                 eax, dword ptr [ebp - 0x169c]

        $sequence_14 = { ff15???????? 8985b0f9ffff 8b8db0f9ffff 51 8d95ecfbffff 52 ff15???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8985b0f9ffff         | mov                 dword ptr [ebp - 0x650], eax
            //   8b8db0f9ffff         | mov                 ecx, dword ptr [ebp - 0x650]
            //   51                   | push                ecx
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_15 = { 56 e8???????? 83c418 8d85e8efffff ffb5f8efffff }
            // n = 5, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8d85e8efffff         | lea                 eax, [ebp - 0x1018]
            //   ffb5f8efffff         | push                dword ptr [ebp - 0x1008]

    condition:
        7 of them and filesize < 630784
}
Download all Yara Rules