SYMBOLCOMMON_NAMEaka. SYNONYMS
win.crimson (Back to overview)

Crimson RAT

aka: SEEDOOR, Scarimson

Actor(s): Operation C-Major

It was first discovered in 2017 and has since been used to attack organizations around the world. The malware is often distributed through phishing emails or by exploiting vulnerabilities in outdated security software. Once Crimson RAT is installed on a computer, it can be used to steal data, spy on users, and even take control of the infected computers.

Some of the features of Crimson RAT include:

Remote control of infected computers
Data theft, such as passwords, files, and emails
User spying
Takeover of infected computers
Locking of infected computers
Extortion of payments

References
2023-10-12Cluster25Cluster25 Threat Intel Team
@online{team:20231012:cve202338831:6b50b62, author = {Cluster25 Threat Intel Team}, title = {{CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations}}, date = {2023-10-12}, organization = {Cluster25}, url = {https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack}, language = {English}, urldate = {2023-10-13} } CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
Agent Tesla Crimson RAT Nanocore RAT SmokeLoader
2023-05-02SeqriteSathwik Ram Prakki
@online{prakki:20230502:transparent:4cb2266, author = {Sathwik Ram Prakki}, title = {{Transparent Tribe APT actively lures Indian Army amidst increased targeting of Educational Institutions}}, date = {2023-05-02}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions}, language = {English}, urldate = {2023-06-09} } Transparent Tribe APT actively lures Indian Army amidst increased targeting of Educational Institutions
Crimson RAT
2022-07-13CiscoNick Biasini
@online{biasini:20220713:transparent:b83f9dd, author = {Nick Biasini}, title = {{Transparent Tribe begins targeting education sector in latest campaign}}, date = {2022-07-13}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html}, language = {English}, urldate = {2022-07-15} } Transparent Tribe begins targeting education sector in latest campaign
Crimson RAT Oblique RAT
2022-05-11K7 SecuritySaikumaravel
@online{saikumaravel:20220511:transparent:16cdf62, author = {Saikumaravel}, title = {{Transparent Tribe Targets Educational Institution}}, date = {2022-05-11}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/}, language = {English}, urldate = {2022-05-17} } Transparent Tribe Targets Educational Institution
Crimson RAT
2022-03-29Bleeping ComputerBill Toulas
@online{toulas:20220329:hackers:06380e1, author = {Bill Toulas}, title = {{Hackers use modified MFA tool against Indian govt employees}}, date = {2022-03-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/}, language = {English}, urldate = {2022-03-30} } Hackers use modified MFA tool against Indian govt employees
Crimson RAT Oblique RAT
2022-03-29Cisco TalosAsheer Malhotra, Justin Thattil, Kendall McKay
@online{malhotra:20220329:transparent:dcf66a7, author = {Asheer Malhotra and Justin Thattil and Kendall McKay}, title = {{Transparent Tribe campaign uses new bespoke malware to target Indian government officials}}, date = {2022-03-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1}, language = {English}, urldate = {2022-03-30} } Transparent Tribe campaign uses new bespoke malware to target Indian government officials
Crimson RAT
2022-03-10Twitter (@teamcymru_S2)Team Cymru
@online{cymru:20220310:crimson:a646aac, author = {Team Cymru}, title = {{Tweet on Crimson RAT infrastructure used by APT36}}, date = {2022-03-10}, organization = {Twitter (@teamcymru_S2)}, url = {https://twitter.com/teamcymru_S2/status/1501955802025836546}, language = {English}, urldate = {2022-03-14} } Tweet on Crimson RAT infrastructure used by APT36
Crimson RAT
2022-03-10Twitter (@Katechondic)Katechondic
@online{katechondic:20220310:additional:5dd63e9, author = {Katechondic}, title = {{Tweet on additional computer names "desktop-g1i8n3f" & "desktop-j6llo2k", seen with Crimson RAT C2 infrastructure used by APT36}}, date = {2022-03-10}, organization = {Twitter (@Katechondic)}, url = {https://twitter.com/katechondic/status/1502206599166939137}, language = {English}, urldate = {2022-03-14} } Tweet on additional computer names "desktop-g1i8n3f" & "desktop-j6llo2k", seen with Crimson RAT C2 infrastructure used by APT36
Crimson RAT
2022-01-24Trend MicroTrend Micro
@online{micro:20220124:investigating:5e9386a, author = {Trend Micro}, title = {{Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal}}, date = {2022-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html}, language = {English}, urldate = {2022-01-25} } Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal
CapraRAT Crimson RAT Oblique RAT
2022-01-24Trend MicroTrend Micro
@techreport{micro:20220124:investigating:7727327, author = {Trend Micro}, title = {{Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal}}, date = {2022-01-24}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf}, language = {English}, urldate = {2022-01-25} } Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal
Crimson RAT Oblique RAT
2022-01-24Trend MicroTrend Micro
@online{micro:20220124:investigating:a7e6049, author = {Trend Micro}, title = {{Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal (IOCs)}}, date = {2022-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf}, language = {English}, urldate = {2022-01-25} } Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal (IOCs)
Crimson RAT Oblique RAT
2021-12-22Know ChuangyuKnow Chuangyu
@online{chuangyu:20211222:tracking:5b23633, author = {Know Chuangyu}, title = {{APT Tracking Analytics: Transparent Tribe Attack Activity}}, date = {2021-12-22}, organization = {Know Chuangyu}, url = {https://www.4hou.com/posts/vLzM}, language = {English}, urldate = {2021-12-23} } APT Tracking Analytics: Transparent Tribe Attack Activity
Crimson RAT
2021-10-13Anchored Narratives on Threat Intelligence and GeopoliticsRJM
@online{rjm:20211013:trouble:c988e46, author = {RJM}, title = {{Trouble in Asia and the Middle East. Tracking the TransparentTribe threat actor.}}, date = {2021-10-13}, organization = {Anchored Narratives on Threat Intelligence and Geopolitics}, url = {https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east}, language = {English}, urldate = {2021-10-14} } Trouble in Asia and the Middle East. Tracking the TransparentTribe threat actor.
Crimson RAT
2021-09-08Microstep Intelligence BureauMicrostep Online Research Response Center
@online{center:20210908:trilateral:aedcf24, author = {Microstep Online Research Response Center}, title = {{Trilateral operation: years of cyberespionage against countries in south asia and the middle east (APT36)}}, date = {2021-09-08}, organization = {Microstep Intelligence Bureau}, url = {https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg}, language = {Chinese}, urldate = {2021-09-14} } Trilateral operation: years of cyberespionage against countries in south asia and the middle east (APT36)
AndroRAT Crimson RAT
2021-09-01360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20210901:aptc56:0f08cce, author = {Advanced Threat Institute}, title = {{APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert}}, date = {2021-09-01}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg}, language = {Chinese}, urldate = {2021-09-09} } APT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack Analysis Alert
Crimson RAT NetWire RC
2021-07-02Team CymruJoshua Picolet
@online{picolet:20210702:transparent:329d046, author = {Joshua Picolet}, title = {{Transparent Tribe APT Infrastructure Mapping Part 2: A Deeper Dive into the Identification of CrimsonRAT Infrastructure}}, date = {2021-07-02}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/}, language = {English}, urldate = {2021-07-11} } Transparent Tribe APT Infrastructure Mapping Part 2: A Deeper Dive into the Identification of CrimsonRAT Infrastructure
Crimson RAT
2021-05-13TalosAsheer Malhotra, Justin Thattil, Kendall McKay
@online{malhotra:20210513:transparent:9993964, author = {Asheer Malhotra and Justin Thattil and Kendall McKay}, title = {{Transparent Tribe APT expands its Windows malware arsenal}}, date = {2021-05-13}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html}, language = {English}, urldate = {2021-05-13} } Transparent Tribe APT expands its Windows malware arsenal
Crimson RAT Oblique RAT
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-30Cybleinccybleinc
@online{cybleinc:20210430:transparent:1df2639, author = {cybleinc}, title = {{Transparent Tribe Operating with a New Variant of Crimson RAT}}, date = {2021-04-30}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/}, language = {English}, urldate = {2021-05-03} } Transparent Tribe Operating with a New Variant of Crimson RAT
Crimson RAT
2021-04-20360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20210420:transparent:1033b04, author = {Advanced Threat Institute}, title = {{Transparent Tribe uses the new crown vaccine hotspot to analyze the targeted attacks on the Indian medical industry}}, date = {2021-04-20}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ}, language = {Chinese}, urldate = {2021-04-28} } Transparent Tribe uses the new crown vaccine hotspot to analyze the targeted attacks on the Indian medical industry
Crimson RAT
2021-04-16Team CymruJoshua Picolet
@online{picolet:20210416:transparent:645e443, author = {Joshua Picolet}, title = {{Transparent Tribe APT Infrastructure Mapping Part 1: A High-Level Study of CrimsonRAT Infrastructure October 2020 – March 2021}}, date = {2021-04-16}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/}, language = {English}, urldate = {2021-04-19} } Transparent Tribe APT Infrastructure Mapping Part 1: A High-Level Study of CrimsonRAT Infrastructure October 2020 – March 2021
Crimson RAT
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-01-18Twitter (@teamcymru)Team Cymru
@online{cymru:20210118:apt36:e2e83ce, author = {Team Cymru}, title = {{Tweet on APT36 CrimsonRAT C2}}, date = {2021-01-18}, organization = {Twitter (@teamcymru)}, url = {https://twitter.com/teamcymru/status/1351228309632385027}, language = {English}, urldate = {2021-01-21} } Tweet on APT36 CrimsonRAT C2
Crimson RAT
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-08-26Kaspersky LabsGiampaolo Dedola
@online{dedola:20200826:transparent:b6f0422, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 2}}, date = {2020-08-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-2/98233/}, language = {English}, urldate = {2020-08-27} } Transparent Tribe: Evolution analysis, part 2
AhMyth Crimson RAT Oblique RAT
2020-08-25QianxinQi'anxin Threat Intelligence
@online{intelligence:20200825:apt:0ad132f, author = {Qi'anxin Threat Intelligence}, title = {{南亚APT组织“透明部落”在移动端上与对手的较量}}, date = {2020-08-25}, organization = {Qianxin}, url = {https://www.secrss.com/articles/24995}, language = {Chinese}, urldate = {2020-08-25} } 南亚APT组织“透明部落”在移动端上与对手的较量
AhMyth Crimson RAT Oblique RAT
2020-08-20Kaspersky LabsGiampaolo Dedola
@online{dedola:20200820:transparent:b63fac6, author = {Giampaolo Dedola}, title = {{Transparent Tribe: Evolution analysis, part 1}}, date = {2020-08-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/transparent-tribe-part-1/98127/}, language = {English}, urldate = {2020-08-24} } Transparent Tribe: Evolution analysis, part 1
Crimson RAT
2020-07-08SeqriteKalpesh Mantri
@online{mantri:20200708:operation:bee5008, author = {Kalpesh Mantri}, title = {{Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India}}, date = {2020-07-08}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/}, language = {English}, urldate = {2020-07-13} } Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India
Crimson RAT
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-21YoroiLuigi Martire, Pietro Melillo, Antonio Pirozzi
@online{martire:20200221:transparent:eb18469, author = {Luigi Martire and Pietro Melillo and Antonio Pirozzi}, title = {{Transparent Tribe: Four Years Later}}, date = {2020-02-21}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/transparent-tribe-four-years-later}, language = {English}, urldate = {2020-03-06} } Transparent Tribe: Four Years Later
Crimson RAT
2020SecureworksSecureWorks
@online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} } COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-03-05TencentTencent
@online{tencent:20190305:transparenttribe:55798e4, author = {Tencent}, title = {{TransparentTribe APT organizes 2019 attacks on Indian government and military targets}}, date = {2019-03-05}, organization = {Tencent}, url = {https://s.tencent.com/research/report/669.html}, language = {Chinese}, urldate = {2020-01-08} } TransparentTribe APT organizes 2019 attacks on Indian government and military targets
Crimson RAT Unidentified 066 Operation C-Major
2018-05-15Amnesty InternationalBrave
@techreport{brave:20180515:human:b4396ac, author = {Brave}, title = {{HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN}}, date = {2018-05-15}, institution = {Amnesty International}, url = {https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF}, language = {English}, urldate = {2019-12-10} } HUMAN RIGHTS UNDER SURVEILLANCE DIGITAL THREATS AGAINST HUMAN RIGHTS DEFENDERS IN PAKISTAN
StealthAgent Crimson RAT
2016-03-01ProofpointDarien Huss
@techreport{huss:20160301:operation:65330f0, author = {Darien Huss}, title = {{Operation Transparent Tribe}}, date = {2016-03-01}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf}, language = {English}, urldate = {2019-12-02} } Operation Transparent Tribe
Andromeda beendoor Bezigate Crimson RAT Luminosity RAT Operation C-Major
Yara Rules
[TLP:WHITE] win_crimson_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_crimson_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 3bdc df141a 94 b41f }
            // n = 4, score = 1000
            //   3bdc                 | cmp                 ebx, esp
            //   df141a               | fist                word ptr [edx + ebx]
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f

        $sequence_1 = { b41f 214008 39492d 38b9cbd1d3fe }
            // n = 4, score = 1000
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx
            //   38b9cbd1d3fe         | cmp                 byte ptr [ecx - 0x12c2e35], bh

        $sequence_2 = { 214008 39492d 38b9cbd1d3fe c81f9e56 }
            // n = 4, score = 1000
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx
            //   38b9cbd1d3fe         | cmp                 byte ptr [ecx - 0x12c2e35], bh
            //   c81f9e56             | enter               -0x61e1, 0x56

        $sequence_3 = { 55 35fdfbdfff beaed3e886 0800 }
            // n = 4, score = 1000
            //   55                   | push                ebp
            //   35fdfbdfff           | xor                 eax, 0xffdffbfd
            //   beaed3e886           | mov                 esi, 0x86e8d3ae
            //   0800                 | or                  byte ptr [eax], al

        $sequence_4 = { df141a 94 b41f 214008 }
            // n = 4, score = 1000
            //   df141a               | fist                word ptr [edx + ebx]
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax

        $sequence_5 = { 307362 c1096b bbf9910d38 5c }
            // n = 4, score = 1000
            //   307362               | xor                 byte ptr [ebx + 0x62], dh
            //   c1096b               | ror                 dword ptr [ecx], 0x6b
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp

        $sequence_6 = { bbf9910d38 5c d38aa4973fe2 3bdc }
            // n = 4, score = 1000
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl
            //   3bdc                 | cmp                 ebx, esp

        $sequence_7 = { c1096b bbf9910d38 5c d38aa4973fe2 }
            // n = 4, score = 1000
            //   c1096b               | ror                 dword ptr [ecx], 0x6b
            //   bbf9910d38           | mov                 ebx, 0x380d91f9
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl

        $sequence_8 = { 94 b41f 214008 39492d }
            // n = 4, score = 1000
            //   94                   | xchg                eax, esp
            //   b41f                 | mov                 ah, 0x1f
            //   214008               | and                 dword ptr [eax + 8], eax
            //   39492d               | cmp                 dword ptr [ecx + 0x2d], ecx

        $sequence_9 = { 5c d38aa4973fe2 3bdc df141a }
            // n = 4, score = 1000
            //   5c                   | pop                 esp
            //   d38aa4973fe2         | ror                 dword ptr [edx - 0x1dc0685c], cl
            //   3bdc                 | cmp                 ebx, esp
            //   df141a               | fist                word ptr [edx + ebx]

    condition:
        7 of them
}
Download all Yara Rules