SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dharma (Back to overview)

Dharma

aka: Arena, Crysis, Wadhrama, ncov
URLhaus      

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

References
2023-07-03AhnLabASEC
@online{asec:20230703:crysis:3ffd122, author = {ASEC}, title = {{Crysis Threat Actor Installing Venus Ransomware Through RDP}}, date = {2023-07-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/54937/}, language = {English}, urldate = {2023-08-07} } Crysis Threat Actor Installing Venus Ransomware Through RDP
Dharma
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
@techreport{group:20230215:fog:0d99aaa, author = {Google Threat Analysis Group and Mandiant}, title = {{Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape}}, date = {2023-02-15}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf}, language = {English}, urldate = {2023-03-13} } Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-04-01Bleeping ComputerLawrence Abrams
@online{abrams:20220401:week:14d9669, author = {Lawrence Abrams}, title = {{The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'}}, date = {2022-04-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/}, language = {English}, urldate = {2022-04-05} } The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
Hive Dharma LockBit STOP SunCrypt
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-29Національна поліція УкраїниНаціональна поліція України
@online{:20211029:cyberpolice:fc43b20, author = {Національна поліція України}, title = {{Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies}}, date = {2021-10-29}, organization = {Національна поліція України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-11-02} } Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29EuropolEuropol
@online{europol:20211029:12:5c0fd59, author = {Europol}, title = {{12 targeted for involvement in ransomware attacks against critical infrastructure}}, date = {2021-10-29}, organization = {Europol}, url = {https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure}, language = {English}, urldate = {2021-11-02} } 12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-22HUNT & HACKETTKrijn de Mik
@online{mik:20211022:advanced:e22d6f6, author = {Krijn de Mik}, title = {{Advanced IP Scanner: the preferred scanner in the A(P)T toolbox}}, date = {2021-10-22}, organization = {HUNT & HACKETT}, url = {https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox}, language = {English}, urldate = {2021-11-02} } Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-07KasperskyFedor Sinitsyn, Yanis Zinchenko
@online{sinitsyn:20211007:ransomware:b5e74a3, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Ransomware in the CIS}}, date = {2021-10-07}, organization = {Kaspersky}, url = {https://securelist.com/cis-ransomware/104452/}, language = {English}, urldate = {2021-10-11} } Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2021-04-27CrowdStrikeJosh Dalman, Kamil Janton, Eben Kaplan
@online{dalman:20210427:ransomware:8242ac5, author = {Josh Dalman and Kamil Janton and Eben Kaplan}, title = {{Ransomware Preparedness: A Call to Action}}, date = {2021-04-27}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/}, language = {English}, urldate = {2021-05-31} } Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER
2021-03-17Palo Alto Networks Unit 42Unit42
@techreport{unit42:20210317:ransomware:504cc32, author = {Unit42}, title = {{Ransomware Threat Report 2021}}, date = {2021-03-17}, institution = {Palo Alto Networks Unit 42}, url = {https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf}, language = {English}, urldate = {2021-03-19} } Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03AcronisAcronis Security
@online{security:202103:threat:4d82ead, author = {Acronis Security}, title = {{Threat analysis: Dharma (CrySiS) ransomware}}, date = {2021-03}, organization = {Acronis}, url = {https://www.acronis.com/en-us/articles/Dharma-ransomware/}, language = {English}, urldate = {2021-10-14} } Threat analysis: Dharma (CrySiS) ransomware
Dharma
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-08ZscalerMohd Sadique, Pradeep Kulkarni
@online{sadique:20210108:ransomware:7e4aa27, author = {Mohd Sadique and Pradeep Kulkarni}, title = {{Ransomware Delivered Using RDP Brute-Force Attack}}, date = {2021-01-08}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack}, language = {English}, urldate = {2021-02-09} } Ransomware Delivered Using RDP Brute-Force Attack
Dharma
2020-12-18Trend MicroMatthew Camacho, Raphael Centeno, Junestherry Salvador
@online{camacho:20201218:negasteal:e5b291f, author = {Matthew Camacho and Raphael Centeno and Junestherry Salvador}, title = {{Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware}}, date = {2020-12-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware}, language = {English}, urldate = {2020-12-26} } Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware
Agent Tesla Dharma
2020-08-24Group-IBOleg Skulkin
@online{skulkin:20200824:cybercriminal:f1959f3, author = {Oleg Skulkin}, title = {{Cybercriminal greeners from Iran attack companies worldwide for financial gain}}, date = {2020-08-24}, organization = {Group-IB}, url = {https://www.group-ib.com/media/iran-cybercriminals/}, language = {English}, urldate = {2020-08-25} } Cybercriminal greeners from Iran attack companies worldwide for financial gain
Dharma
2020-08-12CERT SantéCERT Santé
@online{sant:20200812:retour:1243ccf, author = {CERT Santé}, title = {{Retour d’expérience suite à une attaque par rançongiciel contre une structure de santé}}, date = {2020-08-12}, organization = {CERT Santé}, url = {https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une}, language = {French}, urldate = {2021-08-03} } Retour d’expérience suite à une attaque par rançongiciel contre une structure de santé
Dharma
2020-08-12SophosLabs UncutSean Gallagher
@online{gallagher:20200812:color:9deb334, author = {Sean Gallagher}, title = {{Color by numbers: inside a Dharma ransomware-as-a-service attack}}, date = {2020-08-12}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/}, language = {English}, urldate = {2022-03-18} } Color by numbers: inside a Dharma ransomware-as-a-service attack
Dharma
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-10ViceJoseph Cox
@online{cox:20200710:secret:5414fbb, author = {Joseph Cox}, title = {{The Secret Service Tried to Catch a Hacker With a Malware Booby-Trap}}, date = {2020-07-10}, organization = {Vice}, url = {https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware}, language = {English}, urldate = {2023-07-19} } The Secret Service Tried to Catch a Hacker With a Malware Booby-Trap
Dharma
2020-06-16The DFIR ReportThe DFIR Report
@online{report:20200616:little:bc50ff0, author = {The DFIR Report}, title = {{The Little Ransomware That Couldn’t (Dharma)}}, date = {2020-06-16}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/}, language = {English}, urldate = {2020-06-16} } The Little Ransomware That Couldn’t (Dharma)
Dharma
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2019-11-11The RegisterGareth Corfield
@online{corfield:20191111:if:426203c, author = {Gareth Corfield}, title = {{If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware}}, date = {2019-11-11}, organization = {The Register}, url = {https://www.theregister.com/2019/11/11/dharma_decryption_promises_data_recovery/}, language = {English}, urldate = {2023-08-07} } If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware
Dharma
2019-05-08Trend MicroRaphael Centeno
@online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
Dharma
2019-01-22Twitter (@JakubKroustek)Jakub Křoustek
@online{koustek:20190122:frequently:67caefe, author = {Jakub Křoustek}, title = {{Frequently updated Twitter thread with many Dharma samples}}, date = {2019-01-22}, organization = {Twitter (@JakubKroustek)}, url = {https://twitter.com/JakubKroustek/status/1087808550309675009}, language = {English}, urldate = {2021-05-19} } Frequently updated Twitter thread with many Dharma samples
Dharma
2018-12-02Check PointCheck Point Research
@online{research:20181202:ransomware:193f7d3, author = {Check Point Research}, title = {{The Ransomware Doctor Without A Cure}}, date = {2018-12-02}, organization = {Check Point}, url = {https://research.checkpoint.com/2018/the-ransomware-doctor-without-a-cure/}, language = {English}, urldate = {2023-06-01} } The Ransomware Doctor Without A Cure
Dharma
2018-09-11Sophos Naked SecurityMark Stockley
@online{stockley:20180911:rise:3ecf259, author = {Mark Stockley}, title = {{The Rise of Targeted Ransomware}}, date = {2018-09-11}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/}, language = {English}, urldate = {2022-03-22} } The Rise of Targeted Ransomware
Dharma FriedEx SamSam
2018-07-10Carbon BlackJared Myers
@online{myers:20180710:carbon:cc54d00, author = {Jared Myers}, title = {{Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools}}, date = {2018-07-10}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/}, language = {English}, urldate = {2020-01-10} } Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
Dharma
2017-12-11United States Department of JusticeUnited States Department of Justice
@online{justice:20171211:united:3fee774, author = {United States Department of Justice}, title = {{United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU}}, date = {2017-12-11}, organization = {United States Department of Justice}, url = {https://www.justice.gov/usao-dc/press-release/file/1021186/download}, language = {English}, urldate = {2023-07-19} } United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU
Cerber Dharma
2017-08-25Bleeping ComputerLawrence Abrams
@online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } New Arena Crysis Ransomware Variant Released
Dharma
2016-12-23United States District Court for the Western District of WashingtonUnited States District Court for the Western District of Washington
@techreport{washington:20161223:united:1dfd669, author = {United States District Court for the Western District of Washington}, title = {{United States v. lavandos@dr.com :: APPLICATION FOR A SEARCH WARRANT}}, date = {2016-12-23}, institution = {United States District Court for the Western District of Washington}, url = {https://s3.documentcloud.org/documents/6986753/Secret-Service-Seattle-NIT-Warrant-Application.pdf}, language = {English}, urldate = {2023-07-19} } United States v. lavandos@dr.com :: APPLICATION FOR A SEARCH WARRANT
Dharma
2016-06-07SogetiPAF, mirak
@online{paf:20160607:story:f92c17c, author = {PAF and mirak}, title = {{The Story of yet another ransom-fail-ware}}, date = {2016-06-07}, organization = {Sogeti}, url = {http://web.archive.org/web/20191008053714/http://esec-lab.sogeti.com/posts/2016/06/07/the-story-of-yet-another-ransomfailware.html}, language = {English}, urldate = {2023-05-30} } The Story of yet another ransom-fail-ware
Dharma
Yara Rules
[TLP:WHITE] win_dharma_auto (20230715 | Detects win.dharma.)
rule win_dharma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.dharma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec 83ec64 c7459c00000000 c7459c1f000000 eb09 8b459c }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec64               | sub                 esp, 0x64
            //   c7459c00000000       | mov                 dword ptr [ebp - 0x64], 0
            //   c7459c1f000000       | mov                 dword ptr [ebp - 0x64], 0x1f
            //   eb09                 | jmp                 0xb
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]

        $sequence_1 = { 83c408 8945f8 837df800 745a 6a2c }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   745a                 | je                  0x5c
            //   6a2c                 | push                0x2c

        $sequence_2 = { 2b45ec d1f8 50 8b4de0 2b4d0c d1f9 8b5510 }
            // n = 7, score = 100
            //   2b45ec               | sub                 eax, dword ptr [ebp - 0x14]
            //   d1f8                 | sar                 eax, 1
            //   50                   | push                eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   2b4d0c               | sub                 ecx, dword ptr [ebp + 0xc]
            //   d1f9                 | sar                 ecx, 1
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_3 = { 7905 48 83c8f0 40 8b4df8 8b15???????? 668b0442 }
            // n = 7, score = 100
            //   7905                 | jns                 7
            //   48                   | dec                 eax
            //   83c8f0               | or                  eax, 0xfffffff0
            //   40                   | inc                 eax
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b15????????         |                     
            //   668b0442             | mov                 ax, word ptr [edx + eax*2]

        $sequence_4 = { 50 e8???????? 50 6a00 8b4df4 51 e8???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax
            //   6a00                 | push                0
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_5 = { e8???????? 83c404 8b5508 8b4a04 8b5508 8b12 89048a }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   89048a               | mov                 dword ptr [edx + ecx*4], eax

        $sequence_6 = { 8955f4 8b45f8 83c002 8945f8 eb02 eb02 }
            // n = 6, score = 100
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   83c002               | add                 eax, 2
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   eb02                 | jmp                 4
            //   eb02                 | jmp                 4

        $sequence_7 = { 8b08 8b550c 8b4204 8901 8b4d14 8b11 83c204 }
            // n = 7, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   83c204               | add                 edx, 4

        $sequence_8 = { 894dfc 837d1000 7515 8b55f4 a1???????? 8a08 880a }
            // n = 7, score = 100
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7515                 | jne                 0x17
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   a1????????           |                     
            //   8a08                 | mov                 cl, byte ptr [eax]
            //   880a                 | mov                 byte ptr [edx], cl

        $sequence_9 = { 8b4d84 51 e8???????? 83c40c 8b5584 52 }
            // n = 6, score = 100
            //   8b4d84               | mov                 ecx, dword ptr [ebp - 0x7c]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b5584               | mov                 edx, dword ptr [ebp - 0x7c]
            //   52                   | push                edx

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules