win.darkside (Back to overview)


aka: BlackMatter

FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. The malware can be customized by the affiliates to create a build for specific victims.

2023-07-11Twitter (@embee_research)Embee_research
Tweets on Ransomware Infrastructure Analysis With Censys and GrabbrApp
2022-09-22BroadcomSymantec Threat Hunter Team
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide
Lockbit 3.0
BlackMatter DarkSide LockBit
2022-06-29MandiantJared Wilson
Burrowing your way into VPNs, Proxies, and Tunnels
Why Remediation Alone Is Not Enough When Infected by Malware
Cobalt Strike DarkSide
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-13MicrosoftMicrosoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-03-23splunkShannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-23splunkShannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
Darkside Ransomware Analysis Report
2022-01-25Nozomi NetworksAlexey Kleymenov
How to Analyze Malware for Technical Writing
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-11-03Group-IBAndrey Zhdanov
The Darker Things BlackMatter and their victims
BlackMatter DarkSide BlackMatter DarkSide
PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
DarkSide RansomEXX DarkSide PyXie RansomEXX
2021-10-22HUNT & HACKETTKrijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-22Twitter (@GelosSnake)Omri Segev Moyal
Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22Bleeping ComputerIonut Ilascu
DarkSide ransomware rushes to cash out $7 million in Bitcoin
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22The RecordCatalin Cimpanu
DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22EllipticElliptic Intel
DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
BlackMatter DarkSide BlackMatter DarkSide
2021-10-14YouTube (Uriel Kosayev)Uriel Kosayev
DarkSide Ransomware Reverse Engineering
BlackMatter DarkSide BlackMatter DarkSide
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-10-05Trend MicroByron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-09-23BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?
BlackMatter DarkSide BlackMatter DarkSide
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-02US Department of Health and Human ServicesHealth Sector Cybersecurity Coordination Center (HC3)
Demystifying BlackMatter
BlackMatter BlackMatter DarkSide
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-06Group-IBAndrey Zhdanov
It's alive! The story behind the BlackMatter ransomware strain
BlackMatter DarkSide BlackMatter DarkSide
2021-08-06metabaseqJesus Dominguez, Miguel Gonzalez
Inside DarkSide, the ransomware that attacked Colonial Pipeline
2021-08-05SymantecThreat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates
2021-08-05KrebsOnSecurityBrian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-08-04Recorded FutureInsikt Group®
Protect Against BlackMatter Ransomware Before It’s Offered
BlackMatter DarkSide
2021-08-03Twitter (@sisoma2)sisoma2
Python script for recovering the hashes hardcoded in different samples of the BlackMatter ransomware
2021-08-03Twitter (@ValthekOn)Valthek
Tweet on blacklisted extensions & names of BlackMatter ransomware making the check against custom hashes values
2021-08-03Twitter (@sysopfb)Jason Reaves
Tweet on python script to decode the blob from Blackmatter ransomware
2021-08-02The RecordDmitry Smilyanets
An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil
DarkSide LockBit REvil
2021-08-01ID RansomwareAndrew Ivanov
BlackMatter Ransomware
2021-07-31Bleeping ComputerLawrence Abrams
BlackMatter ransomware gang rises from the ashes of DarkSide, REvil
DarkSide REvil
2021-07-31Bleeping ComputerLawrence Abrams
DarkSide ransomware gang returns as new BlackMatter operation
2021-07-27Recorded FutureInsikt Group®
BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
DarkSide LockBit REvil
2021-07-27ZAYOTEMHalil Filik
DarkSide Ransomware Technical Analysis Report
2021-07-13Threat PostBecky Bracken
Guess Fashion Brand Deals With Data Loss After Ransomware Attack
Malware Analysis Report (AR21-189A): DarkSide Ransomware
2021-07-03Bleeping ComputerSergiu Gatlan
US chemical distributor shares info on DarkSide ransomware data theft
2021-06-22MaltegoIntel 471, Maltego Team
Chasing DarkSide Affiliates: Identifying Threat Actors Connected to Darkside Ransomware Using Maltego & Intel 471
DarkSide DarkSide
2021-06-14CYBER GEEKS All Things InfosecCyberMasterV
A Step-by-Step Analysis of a New Version of DarkSide Ransomware
Blue Team Detection: DarkSide Ransomware
2021-06-10McAfeeATR Operational Intelligence Team
Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide
2021-06-04DeepInstinctBar Block
The Ransomware Conundrum – A Look into DarkSide
2021-06-03Medium s2wlabDenise Dasom Kim, Hyunmin Suh, Jungyeon Lim, YH Jeong
W1 Jun | EN | Story of the week: Ransomware on the Darkweb
DarkSide Babuk DarkSide
2021-06-02CrowdStrikeHeather Smith, Josh Dalman
Under Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware
DarkSide Conti DarkSide REvil
2021-05-24MIT Technology ReviewDaniel Golden, Renee Dudley
The Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms
DarkSide DarkSide
2021-05-21360 Total Securitykate
DarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure
2021-05-21Bleeping ComputerIonut Ilascu
DarkSide affiliates claim gang's bitcoins in deposit on hacker forum
2021-05-20RiskIQJennifer Grob
Analysis of Infrastructure used by DarkSide Affiliates
2021-05-20Digital ShadowsStefano De Blasi
Ransomware-as-a-Service, Rogue Affiliates, and What’s Next
DarkSide DarkSide REvil
2021-05-19The Wall Street JournalCollin Eaton
Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom
DarkSide DarkSide
2021-05-19Nozomi NetworksAlexey Kleymenov
Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
2021-05-18EllipticTom Robinson
DarkSide Ransomware has Netted Over $90 million in Bitcoin
DarkSide DarkSide
2021-05-18The RecordCatalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18Bleeping ComputerIonut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-18KEYSIGHT TECHNOLOGIESRadu Emanuel Chiscariu
DarkSide Ransomware Behavior and Techniques
2021-05-17GigamonJoe Slowik
Tracking DarkSide and Ransomware: The Network View
DarkSide DarkSide
2021-05-17splunkSplunk Threat Research Team
DarkSide Ransomware: Splunk Threat Update and Detections
2021-05-17FortinetFred Gutierrez, Gayathri Thirugnanasambandam, Val Saengphaibul
Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions
2021-05-14Blue Team BlogAuth 0r
DarkSide Ransomware Operations – Preventions and Detections.
Cobalt Strike DarkSide
2021-05-14Intel 471Intel 471
The moral underground? Ransomware operators retreat after Colonial Pipeline hack
DarkSide DarkSide
2021-05-14Bleeping ComputerLawrence Abrams
DarkSide ransomware servers reportedly seized, REvil restricts targets
DarkSide DarkSide
2021-05-14Advanced IntelligenceVitali Kremez
From Dawn to "Silent Night": "DarkSide Ransomware" Initial Attack Vector Evolution
2021-05-14EllipticDr. Tom Robinson
Elliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims
DarkSide DarkSide
2021-05-13BloombergJennifer Jacobs, Michael Riley, William Turton
Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
2021-05-13Bleeping ComputerLawrence Abrams
Popular Russian hacking forum XSS bans all ransomware topics
DarkSide DarkSide LockBit REvil
2021-05-13The RecordCatalin Cimpanu
Popular hacking forum bans ransomware ads
DarkSide DarkSide
2021-05-13Bleeping ComputerLawrence Abrams
Chemical distributor pays $4.4 million to DarkSide ransomware
DarkSide DarkSide
2021-05-12Trend MicroTrend Micro Research
What We Know About Darkside Ransomware and the US Pipeline Attack
2021-05-12Zero DayKim Zetter
Anatomy of a $2 Million Darkside Ransomware Breach
2021-05-12Palo Alto Networks Unit 42Ramarcus Baylor
DarkSide Ransomware Gang: An Overview
2021-05-12SecurityScorecardRyan Sherstobitoff
New Evidence Supports Assessment that DarkSide Likely Responsible for Colonial Pipeline Ransomware Attack; Others Targeted
DarkSide DarkSide
2021-05-11KrebsOnSecurityBrian Krebs
A Closer Look at the DarkSide Ransomware Gang
Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
2021-05-11SophosFerenc László Nagy, Gabor Szappanos, Mark Loman, Peter Mackenzie, Sean Gallagher, Suriya Natarajan, Szabolcs Lévai, Yusuf Arslan Polat
A defender’s view inside a DarkSide ransomware attack
2021-05-11DragosMike Hoffman, Tom Winston
Recommendations Following the Colonial Pipeline Cyber Attack
DarkSide Ransomware Links to REvil Group Difficult to Dismiss
DarkSide REvil
2021-05-11splunkJames Brodsky
The DarkSide of the Ransomware Pipeline
2021-05-11FireEyeAlyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy Kennelly, Jordan Nuce, Kimberly Goody
Shining a Light on DARKSIDE Ransomware Operations
Cobalt Strike DarkSide
2021-05-10SecurityIntelligenceLimor Kessem
Shedding Light on the DarkSide Ransomware Attack
2021-05-10Intel 471Intel 471
Here’s what we know about DarkSide ransomware
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
Meet DarkSide and Their Ransomware – SentinelOne Customers Protected
2021-05-10Anheng Threat Intelligence CenterHunting Shadow Lab
Analysis of U.S. Oil Products Pipeline Operators Suspended by Ransomware Attacks
2021-05-08ReutersChristopher Bing, Stephanie Kelly
Cyber attack shuts down top U.S. fuel pipeline network
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-05-06Chuongdong blogChuong Dong
Darkside Ransomware
2021-05-06Chuongdong blogChuong Dong
Darkside Ransomware
2021-05-01Twitter (@JAMESWT_MHT)JamesWT
Tweet on linux version of DarkSide ransomware
DarkSide DarkSide
2021-04-28La RepubblicaAndrea Greco
Un sospetto attacco telematico blocca le filiali della Bcc di Roma
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt BlogCorsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-22The RecordCatalin Cimpanu
Ransomware gang wants to short the stock price of their victims
A chat with DarkSide
2021-04-01CybereasonCybereason Nocturnus
Cybereason vs. DarkSide Ransomware
2021-03-18VaronisSnir Ben Shimol
Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign
2021-03-09Youtube (SANS Digital Forensics and Incident Response)Eric Loui, Sergei Frankoff
Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-25SOC PrimeEmanuele De Lucia
Affiliates vs Hunters: Fighting the DarkSide
2021-01-11BitdefenderBitdefender Team
Darkside Ransomware Decryption Tool
Threat Profile: GOLD WATERFALL
Cobalt Strike DarkSide GOLD WATERFALL
2021-01-01CrowdStrikeEric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT
2020-12-16AccenturePaul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-03Medium GhouLSecGhouLSec
[Mal Series #13] Darkside Ransom
2020-11-13Bleeping ComputerLawrence Abrams
DarkSide ransomware is creating a secure data leak service in Iran
2020-11-12databreachtodayMathew J. Schwartz
Darkside Ransomware Gang Launches Affiliate Program
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-05Zawadi DoneZawadi Done
DarkSide ransomware analysis
2020-09-22Digital ShadowsStefano De Blasi
DarkSide: The New Ransomware Group Behind Highly Targeted Attacks
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-10ID RansomwareAndrew Ivanov
DarkSide Ransomware
2020-08-01AcronisAcronis Security
DarkSide Ransomware Does Not Attack Hospitals, Schools and Governments
2020-05-28CrowdStrikeThe Crowdstrike Intel Team
DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape
DarkSide DarkSide
2020-05-18CrowdStrikeKaran Sood, Liviu Arsene, Shaun Hurley
DarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected
DarkSide DarkSide
Yara Rules
[TLP:WHITE] win_darkside_auto (20230808 | Detects win.darkside.)
rule win_darkside_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.darkside."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { 8bd8 68ff000000 57 e8???????? 81c7ff000000 }
            // n = 5, score = 1100
            //   8bd8                 | mov                 ebx, eax
            //   68ff000000           | push                0xff
            //   57                   | push                edi
            //   e8????????           |                     
            //   81c7ff000000         | add                 edi, 0xff

        $sequence_1 = { 85d2 7407 52 57 }
            // n = 4, score = 1100
            //   85d2                 | test                edx, edx
            //   7407                 | je                  9
            //   52                   | push                edx
            //   57                   | push                edi

        $sequence_2 = { b9ff000000 33d2 f7f1 85c0 7418 }
            // n = 5, score = 1100
            //   b9ff000000           | mov                 ecx, 0xff
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a

        $sequence_3 = { 57 e8???????? 81c7ff000000 4b }
            // n = 4, score = 1100
            //   57                   | push                edi
            //   e8????????           |                     
            //   81c7ff000000         | add                 edi, 0xff
            //   4b                   | dec                 ebx

        $sequence_4 = { fec1 75d2 5f 5e 5a 59 5b }
            // n = 7, score = 1100
            //   fec1                 | inc                 cl
            //   75d2                 | jne                 0xffffffd4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx

        $sequence_5 = { 56 57 b9f0000000 be???????? }
            // n = 4, score = 1100
            //   56                   | push                esi
            //   57                   | push                edi
            //   b9f0000000           | mov                 ecx, 0xf0
            //   be????????           |                     

        $sequence_6 = { 8b7d08 8b450c b9ff000000 33d2 f7f1 }
            // n = 5, score = 1100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   b9ff000000           | mov                 ecx, 0xff
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx

        $sequence_7 = { 56 57 b9f0000000 be???????? 8b4508 }
            // n = 5, score = 1100
            //   56                   | push                esi
            //   57                   | push                edi
            //   b9f0000000           | mov                 ecx, 0xf0
            //   be????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_8 = { e8???????? 5f 5e 5a 59 5b 5d }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp

        $sequence_9 = { 81ea10101010 2d10101010 81eb10101010 81ef10101010 }
            // n = 4, score = 1100
            //   81ea10101010         | sub                 edx, 0x10101010
            //   2d10101010           | sub                 eax, 0x10101010
            //   81eb10101010         | sub                 ebx, 0x10101010
            //   81ef10101010         | sub                 edi, 0x10101010

        7 of them and filesize < 286720
Download all Yara Rules