SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dreambot (Back to overview)

DreamBot

URLhaus    

2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)

In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.

See win.gozi for additional historical information.

References
2020-05-01CSISBenoît Ancel
@online{ancel:20200501:end:939414e, author = {Benoît Ancel}, title = {{The end of Dreambot? Obituary for a loved piece of Gozi.}}, date = {2020-05-01}, organization = {CSIS}, url = {https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122}, language = {English}, urldate = {2020-05-05} } The end of Dreambot? Obituary for a loved piece of Gozi.
DreamBot
2020-02-07Medium CSIS TechblogBenoît Ancel
@online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29ProofpointProofpoint Staff
@online{staff:20160829:nightmare:2268343, author = {Proofpoint Staff}, title = {{Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality}}, date = {2016-08-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality}, language = {English}, urldate = {2019-12-20} } Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules
[TLP:WHITE] win_dreambot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 751a ff7320 50 ff35???????? ffd6 }
            // n = 5, score = 700
            //   751a                 | inc                 ecx
            //   ff7320               | mov                 edx, edi
            //   50                   | jmp                 0x22
            //   ff35????????         |                     
            //   ffd6                 | mov                 dword ptr [eax + 0x2a], esi

        $sequence_1 = { ff771c e8???????? 8bd8 85db 0f8414020000 8b4320 }
            // n = 6, score = 700
            //   ff771c               | mov                 eax, dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   8bd8                 | mov                 edi, eax
            //   85db                 | push                dword ptr [ebx + 0x20]
            //   0f8414020000         | push                eax
            //   8b4320               | push                dword ptr [ebx + 0x20]

        $sequence_2 = { ff35???????? ffd6 8b44240c 894320 6a00 }
            // n = 5, score = 700
            //   ff35????????         |                     
            //   ffd6                 | add                 ecx, 0x2e
            //   8b44240c             | jmp                 0x11
            //   894320               | mov                 ecx, 0xa
            //   6a00                 | dec                 esp

        $sequence_3 = { 6a00 ff35???????? ffd6 897b20 8b4320 c6400731 8b742414 }
            // n = 7, score = 700
            //   6a00                 | mov                 esi, eax
            //   ff35????????         |                     
            //   ffd6                 | lock add            dword ptr [ecx + 0x56], -1
            //   897b20               | dec                 eax
            //   8b4320               | add                 ecx, 0x2e
            //   c6400731             | inc                 esp
            //   8b742414             | lea                 edi, [ebx + 2]

        $sequence_4 = { ff7614 ff15???????? 85c0 751f ff15???????? 8bf8 81ffe5030000 }
            // n = 7, score = 700
            //   ff7614               | cmp                 ebx, esi
            //   ff15????????         |                     
            //   85c0                 | jne                 0x32d
            //   751f                 | je                  0x26
            //   ff15????????         |                     
            //   8bf8                 | call                esi
            //   81ffe5030000         | mov                 eax, dword ptr [esp + 0xc]

        $sequence_5 = { ff7320 ff15???????? 50 ff7320 }
            // n = 4, score = 700
            //   ff7320               | dec                 eax
            //   ff15????????         |                     
            //   50                   | mov                 ecx, dword ptr [ecx + eax*8]
            //   ff7320               | dec                 eax

        $sequence_6 = { 85ff 755a 39451c 7475 8b4618 e8???????? 8bf8 }
            // n = 7, score = 700
            //   85ff                 | mov                 eax, edi
            //   755a                 | xor                 edx, edx
            //   39451c               | dec                 eax
            //   7475                 | mov                 ecx, eax
            //   8b4618               | dec                 eax
            //   e8????????           |                     
            //   8bf8                 | add                 ecx, 0x2e

        $sequence_7 = { 8b4730 a840 0f84cd000000 8d442410 50 8d442410 }
            // n = 6, score = 700
            //   8b4730               | mov                 dword ptr [ebx + 0x20], eax
            //   a840                 | push                0
            //   0f84cd000000         | test                edi, edi
            //   8d442410             | jne                 0x67
            //   50                   | cmp                 dword ptr [ebp + 0x1c], eax
            //   8d442410             | je                  0x87

        $sequence_8 = { a1???????? 85c0 7520 3bf3 741c 837d0c04 }
            // n = 6, score = 600
            //   a1????????           |                     
            //   85c0                 | je                  0xe2
            //   7520                 | inc                 ecx
            //   3bf3                 | cmp                 esi, ebp
            //   741c                 | je                  0x61
            //   837d0c04             | mov                 edx, esi

        $sequence_9 = { 7457 53 ff750c 8bfe }
            // n = 4, score = 600
            //   7457                 | cmp                 esi, ebp
            //   53                   | jmp                 0x2e
            //   ff750c               | inc                 ecx
            //   8bfe                 | cmp                 eax, ebp

        $sequence_10 = { ff750c 56 e8???????? e9???????? 3bf3 0f8496000000 395d0c }
            // n = 7, score = 600
            //   ff750c               | je                  0x8c
            //   56                   | inc                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   3bf3                 | cmp                 esi, ebp
            //   0f8496000000         | je                  0x8c
            //   395d0c               | inc                 ecx

        $sequence_11 = { 395d0c 747c 6a03 ebcc 3bf3 7474 }
            // n = 6, score = 600
            //   395d0c               | inc                 ecx
            //   747c                 | cmp                 esi, ebp
            //   6a03                 | je                  0xbe
            //   ebcc                 | xor                 edx, edx
            //   3bf3                 | dec                 ecx
            //   7474                 | cmp                 edi, ebp

        $sequence_12 = { 0f84b7000000 395d0c 0f84ae000000 6a01 }
            // n = 4, score = 600
            //   0f84b7000000         | dec                 ecx
            //   395d0c               | cmp                 edi, ebp
            //   0f84ae000000         | je                  0xe2
            //   6a01                 | inc                 ecx

        $sequence_13 = { 741c 837d0c04 7516 ff7510 ff36 68???????? e8???????? }
            // n = 7, score = 600
            //   741c                 | dec                 eax
            //   837d0c04             | mov                 ecx, edi
            //   7516                 | mov                 ebx, 0x57
            //   ff7510               | jmp                 0xffffffe5
            //   ff36                 | dec                 ecx
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_14 = { 0f848d000000 6a07 ebdd 3bf3 0f8481000000 }
            // n = 5, score = 600
            //   0f848d000000         | mov                 eax, 0xd
            //   6a07                 | je                  0x12
            //   ebdd                 | push                dword ptr [esp + 0x10]
            //   3bf3                 | xor                 edi, edi
            //   0f8481000000         | mov                 edi, dword ptr [ebp + 0xc]

        $sequence_15 = { 3bf3 7474 395d0c 746f 6a0d ebbf ff7510 }
            // n = 7, score = 600
            //   3bf3                 | cmp                 edi, ebp
            //   7474                 | je                  0xb2
            //   395d0c               | inc                 ecx
            //   746f                 | cmp                 esi, ebp
            //   6a0d                 | jmp                 0xffffffbf
            //   ebbf                 | dec                 ecx
            //   ff7510               | cmp                 edi, ebp

        $sequence_16 = { eb5a 493bfd 7464 413bf5 745f 8bd6 488bcf }
            // n = 7, score = 500
            //   eb5a                 | pop                 edi
            //   493bfd               | ret                 
            //   7464                 | inc                 eax
            //   413bf5               | push                ebx
            //   745f                 | dec                 eax
            //   8bd6                 | sub                 esp, 0x20
            //   488bcf               | dec                 esp

        $sequence_17 = { c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 }
            // n = 6, score = 500
            //   c3                   | mov                 byte ptr [eax + 7], 0x31
            //   4053                 | mov                 esi, dword ptr [esp + 0x14]
            //   4883ec20             | jne                 0x4c
            //   4c8b4108             | push                dword ptr [ebx + 0x20]
            //   488bd9               | push                eax
            //   4d85c0               | call                esi

        $sequence_18 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? 33d2 }
            // n = 5, score = 500
            //   4c896c2420           | sub                 esp, 0x20
            //   e8????????           |                     
            //   4c8b442468           | dec                 esp
            //   488b0d????????       |                     
            //   33d2                 | mov                 eax, dword ptr [ecx + 8]

        $sequence_19 = { 0f8492000000 41b803000000 ebbd 493bfd }
            // n = 4, score = 500
            //   0f8492000000         | mov                 ebx, ecx
            //   41b803000000         | dec                 ebp
            //   ebbd                 | test                eax, eax
            //   493bfd               | je                  0x32

        $sequence_20 = { e9???????? 493bfd 0f84b5000000 413bf5 0f84ac000000 }
            // n = 5, score = 500
            //   e9????????           |                     
            //   493bfd               | pop                 edi
            //   0f84b5000000         | ret                 
            //   413bf5               | inc                 eax
            //   0f84ac000000         | push                ebx

        $sequence_21 = { 488b0d???????? 33d2 ff15???????? e9???????? 493bfd 0f84d9000000 413bf5 }
            // n = 7, score = 500
            //   488b0d????????       |                     
            //   33d2                 | mov                 eax, dword ptr [ecx + 8]
            //   ff15????????         |                     
            //   e9????????           |                     
            //   493bfd               | ret                 
            //   0f84d9000000         | inc                 eax
            //   413bf5               | push                ebx

        $sequence_22 = { 4533f6 488b0b 2580000000 418d5620 }
            // n = 4, score = 500
            //   4533f6               | push                esi
            //   488b0b               | mov                 byte ptr [eax], bl
            //   2580000000           | push                eax
            //   418d5620             | push                dword ptr [ebp - 0xc]

        $sequence_23 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | sub                 esp, 0x20
            //   4533c9               | dec                 esp
            //   4533c0               | mov                 eax, dword ptr [ecx + 8]
            //   ff5028               | dec                 eax

        $sequence_24 = { ebd7 493bfd 0f849b000000 413bf5 }
            // n = 4, score = 500
            //   ebd7                 | pop                 edi
            //   493bfd               | ret                 
            //   0f849b000000         | inc                 eax
            //   413bf5               | push                ebx

        $sequence_25 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | ret                 
            //   41834b3401           | inc                 eax

        $sequence_26 = { eb2c 8b05???????? 413bc5 7528 493bfd }
            // n = 5, score = 500
            //   eb2c                 | dec                 eax
            //   8b05????????         |                     
            //   413bc5               | sub                 esp, 0x20
            //   7528                 | dec                 esp
            //   493bfd               | mov                 eax, dword ptr [ecx + 8]

        $sequence_27 = { 418d5620 498bcf ff15???????? 4c8bf0 }
            // n = 4, score = 500
            //   418d5620             | inc                 ecx
            //   498bcf               | call                dword ptr [ebx + 0x18]
            //   ff15????????         |                     
            //   4c8bf0               | mov                 dword ptr [eax + 4], esi

        $sequence_28 = { 4533c0 33d2 33c9 ff15???????? 4885c0 4c8be0 }
            // n = 6, score = 500
            //   4533c0               | push                ebx
            //   33d2                 | dec                 eax
            //   33c9                 | sub                 esp, 0x20
            //   ff15????????         |                     
            //   4885c0               | dec                 esp
            //   4c8be0               | mov                 eax, dword ptr [ecx + 8]

        $sequence_29 = { 75f5 eb06 8b05???????? 35fc5585cf }
            // n = 4, score = 400
            //   75f5                 | je                  0x6b
            //   eb06                 | inc                 ecx
            //   8b05????????         |                     
            //   35fc5585cf           | cmp                 esi, ebp

        $sequence_30 = { 50 6810040000 ff15???????? 8945fc }
            // n = 4, score = 400
            //   50                   | sub                 esp, 0x20
            //   6810040000           | dec                 esp
            //   ff15????????         |                     
            //   8945fc               | mov                 eax, dword ptr [ecx + 8]

        $sequence_31 = { 33d2 3bc2 7414 8b442444 0fb74c2458 }
            // n = 5, score = 400
            //   33d2                 | ret                 
            //   3bc2                 | push                0
            //   7414                 | push                0x400000
            //   8b442444             | push                0
            //   0fb74c2458           | test                eax, eax

        $sequence_32 = { 8d750c e8???????? 8bf0 3bf3 }
            // n = 4, score = 400
            //   8d750c               | call                edi
            //   e8????????           |                     
            //   8bf0                 | mov                 edi, eax
            //   3bf3                 | cmp                 edi, -1

        $sequence_33 = { ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c 8d750c }
            // n = 6, score = 400
            //   ff75f8               | push                -1
            //   69f60d661900         | push                0xff676980
            //   ff75f4               | push                dword ptr [esp + 0x28]
            //   81c65ff36e3c         | call                edi
            //   89750c               | mov                 edi, eax
            //   8d750c               | cmp                 edi, -1

        $sequence_34 = { 418b44241c 488d5e10 4533f6 488b0b }
            // n = 4, score = 400
            //   418b44241c           | push                ebx
            //   488d5e10             | push                edi
            //   4533f6               | mov                 esp, ebp
            //   488b0b               | pop                 ebp

        $sequence_35 = { 89bc24b0030000 895c2440 eb07 8bbc24b0030000 }
            // n = 4, score = 400
            //   89bc24b0030000       | dec                 esp
            //   895c2440             | mov                 eax, dword ptr [ecx + 8]
            //   eb07                 | dec                 eax
            //   8bbc24b0030000       | mov                 ebx, ecx

        $sequence_36 = { 41d1eb 458d343b 4183fe18 7718 }
            // n = 4, score = 400
            //   41d1eb               | mov                 edx, dword ptr [esp + 0xa8]
            //   458d343b             | inc                 ebp
            //   4183fe18             | xor                 ecx, ecx
            //   7718                 | inc                 ebp

        $sequence_37 = { 4c8b1b 488b942480000000 488bcb 41ff5330 488b5e08 33c0 8984248c000000 }
            // n = 7, score = 400
            //   4c8b1b               | push                ebx
            //   488b942480000000     | push                dword ptr [ebp + 0xc]
            //   488bcb               | cmp                 dword ptr [ebp + 0xc], ebx
            //   41ff5330             | je                  0x81
            //   488b5e08             | push                3
            //   33c0                 | jmp                 0xffffffd5
            //   8984248c000000       | cmp                 esi, ebx

        $sequence_38 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | cmp                 dword ptr [esp + 0x110], 3
            //   0f84e8000000         | je                  0x18
            //   3d0470a8c4           | cmp                 dword ptr [esp + 0x110], 1
            //   0f8486000000         | jne                 0x2f

        $sequence_39 = { 33db 895dfc e8???????? 8945f8 33ff eb03 }
            // n = 6, score = 400
            //   33db                 | push                dword ptr [ebx]
            //   895dfc               | push                eax
            //   e8????????           |                     
            //   8945f8               | push                0x410
            //   33ff                 | mov                 dword ptr [ebp - 4], eax
            //   eb03                 | test                eax, eax

        $sequence_40 = { 747e 8b8c24a0000000 3bca 745f }
            // n = 4, score = 400
            //   747e                 | mov                 ebx, ecx
            //   8b8c24a0000000       | ret                 
            //   3bca                 | inc                 eax
            //   745f                 | push                ebx

        $sequence_41 = { 85c0 7551 ff33 50 6810040000 }
            // n = 5, score = 400
            //   85c0                 | push                0x400000
            //   7551                 | push                0
            //   ff33                 | test                eax, eax
            //   50                   | ret                 
            //   6810040000           | push                0

        $sequence_42 = { 0f86af030000 488b4a34 813948545450 740c 8139504f5354 }
            // n = 5, score = 400
            //   0f86af030000         | mov                 edi, esi
            //   488b4a34             | cmp                 esi, ebx
            //   813948545450         | je                  0x73
            //   740c                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   8139504f5354         | je                  0x73

        $sequence_43 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | ret                 
            //   6a00                 | inc                 eax
            //   6800004000           | push                ebx
            //   6a00                 | dec                 eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | sub                 esp, 0x20

        $sequence_44 = { 8945fc 85c0 741a 6804010000 8d4f10 }
            // n = 5, score = 400
            //   8945fc               | dec                 eax
            //   85c0                 | mov                 ebx, ecx
            //   741a                 | pop                 edi
            //   6804010000           | ret                 
            //   8d4f10               | inc                 eax

        $sequence_45 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | je                  0x80
            //   33ff                 | mov                 ecx, dword ptr [esp + 0xa0]
            //   47                   | cmp                 ecx, edx
            //   57                   | je                  0x6a
            //   be????????           |                     
            //   56                   | jmp                 8
            //   8d542418             | mov                 ebp, eax

        $sequence_46 = { 33d2 ff15???????? 83633c00 83634000 4489634c 488b4b50 }
            // n = 6, score = 400
            //   33d2                 | je                  0xb7
            //   ff15????????         |                     
            //   83633c00             | push                1
            //   83634000             | je                  0x64
            //   4489634c             | push                ebx
            //   488b4b50             | push                dword ptr [ebp + 0xc]

        $sequence_47 = { 488bc8 48898424d8000000 ff15???????? 448bd8 b8abaaaaaa }
            // n = 5, score = 400
            //   488bc8               | mov                 dword ptr [eax + 0x10], ebp
            //   48898424d8000000     | dec                 eax
            //   ff15????????         |                     
            //   448bd8               | mov                 dword ptr [eax + 0x20], esi
            //   b8abaaaaaa           | dec                 eax

        $sequence_48 = { 56 33f6 46 8945f8 85c0 }
            // n = 5, score = 400
            //   56                   | je                  0x22
            //   33f6                 | pop                 edi
            //   46                   | ret                 
            //   8945f8               | inc                 eax
            //   85c0                 | push                ebx

        $sequence_49 = { 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 4, score = 400
            //   4883f8ff             | pop                 esi
            //   488bf8               | pop                 ebp
            //   7445                 | ret                 
            //   488d842488000000     | dec                 eax

        $sequence_50 = { 0f84b3000000 83bc248800000000 7504 834f4801 488b842480000000 458bcc }
            // n = 6, score = 400
            //   0f84b3000000         | dec                 eax
            //   83bc248800000000     | mov                 ebx, dword ptr [esp + 0xc0]
            //   7504                 | dec                 eax
            //   834f4801             | add                 esp, 0x80
            //   488b842480000000     | je                  0xbd
            //   458bcc               | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_51 = { e8???????? eb08 ff15???????? 8bd8 85db }
            // n = 5, score = 400
            //   e8????????           |                     
            //   eb08                 | pop                 edi
            //   ff15????????         |                     
            //   8bd8                 | ret                 
            //   85db                 | inc                 eax

        $sequence_52 = { 752f 83bc241001000004 7525 393b }
            // n = 4, score = 400
            //   752f                 | ret                 
            //   83bc241001000004     | push                0
            //   7525                 | push                0x400000
            //   393b                 | push                0

        $sequence_53 = { ff7310 ff15???????? 33d2 89b7184a0000 39971c4a0000 }
            // n = 5, score = 400
            //   ff7310               | mov                 ecx, dword ptr [ebx]
            //   ff15????????         |                     
            //   33d2                 | and                 eax, 0x80
            //   89b7184a0000         | inc                 ecx
            //   39971c4a0000         | lea                 edx, [esi + 0x20]

        $sequence_54 = { 33ff eb03 8b750c ff75f8 69f60d661900 ff75f4 }
            // n = 6, score = 400
            //   33ff                 | je                  0x152
            //   eb03                 | cmp                 edi, 0x102
            //   8b750c               | je                  0xbc
            //   ff75f8               | test                eax, eax
            //   69f60d661900         | jne                 0x12c
            //   ff75f4               | push                esi

        $sequence_55 = { 4821742428 4c8d8424c8000000 488d542428 488d4c2450 4533c9 e8???????? 488b5c2428 }
            // n = 7, score = 400
            //   4821742428           | je                  0x98
            //   4c8d8424c8000000     | inc                 ecx
            //   488d542428           | mov                 eax, 3
            //   488d4c2450           | jmp                 0xffffffc5
            //   4533c9               | dec                 ecx
            //   e8????????           |                     
            //   488b5c2428           | cmp                 edi, ebp

        $sequence_56 = { e8???????? 8b9424c8000000 488bcb e8???????? }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8b9424c8000000       | xor                 eax, eax
            //   488bcb               | call                dword ptr [eax + 0x28]
            //   e8????????           |                     

        $sequence_57 = { 3bc7 752b 83bc241001000003 740a 83bc241001000001 7517 }
            // n = 6, score = 400
            //   3bc7                 | push                ebx
            //   752b                 | dec                 eax
            //   83bc241001000003     | sub                 esp, 0x20
            //   740a                 | dec                 esp
            //   83bc241001000001     | mov                 eax, dword ptr [ecx + 8]
            //   7517                 | dec                 eax

        $sequence_58 = { 33c0 89942498000000 899424a8000000 8984249c000000 }
            // n = 4, score = 400
            //   33c0                 | mov                 eax, dword ptr [esi + 0x18]
            //   89942498000000       | test                eax, eax
            //   899424a8000000       | jne                 0x25
            //   8984249c000000       | push                esi

        $sequence_59 = { 4883c208 4883e901 75e2 837c243801 0f86b2000000 488b4c2450 4c8d442430 }
            // n = 7, score = 400
            //   4883c208             | je                  0x81
            //   4883e901             | test                eax, eax
            //   75e2                 | jne                 0x22
            //   837c243801           | cmp                 esi, ebx
            //   0f86b2000000         | je                  0x22
            //   488b4c2450           | cmp                 dword ptr [ebp + 0xc], 4
            //   4c8d442430           | je                  0x1e

        $sequence_60 = { 4c8d8424d0000000 48c7c101000080 ff15???????? 85c0 }
            // n = 4, score = 400
            //   4c8d8424d0000000     | jmp                 0x5c
            //   48c7c101000080       | dec                 ecx
            //   ff15????????         |                     
            //   85c0                 | cmp                 edi, ebp

        $sequence_61 = { 8db4083089b9ed 57 8d45f4 50 8b450c 33db 895dfc }
            // n = 7, score = 400
            //   8db4083089b9ed       | mov                 ecx, 4
            //   57                   | inc                 ecx
            //   8d45f4               | cmp                 esi, ecx
            //   50                   | jne                 0x25
            //   8b450c               | pop                 esi
            //   33db                 | pop                 ebp
            //   895dfc               | ret                 

        $sequence_62 = { ff15???????? eb06 ff15???????? 8be8 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   eb06                 | dec                 eax
            //   ff15????????         |                     
            //   8be8                 | sub                 esp, 0x20

        $sequence_63 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | sub                 esp, 0x11c
            //   742f                 | lea                 ecx, [eax + 7]
            //   488d4810             | and                 dword ptr [edi + 0x8c], 0
            //   ff15????????         |                     

        $sequence_64 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? 8bc8 ff15???????? }
            // n = 7, score = 300
            //   4d3bef               | mov                 esp, ebp
            //   7415                 | pop                 ebp
            //   498bd5               | ret                 
            //   4883c9ff             | movzx               ecx, word ptr [eax]
            //   ff15????????         |                     
            //   8bc8                 | pop                 ebx
            //   ff15????????         |                     

        $sequence_65 = { 488b0d???????? 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 7, score = 300
            //   488b0d????????       |                     
            //   4885c9               | movzx               ecx, word ptr [eax]
            //   7405                 | cmp                 cx, 2
            //   e8????????           |                     
            //   4883c428             | pop                 ebx
            //   c3                   | mov                 esp, ebp
            //   4053                 | pop                 ebp

        $sequence_66 = { f605????????04 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 4c8d442440 }
            // n = 7, score = 300
            //   f605????????04       |                     
            //   740e                 | je                  0x10
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | dec                 eax
            //   4c8d4c2440           | lea                 eax, [esp + 0x40]
            //   4c8d442440           | dec                 esp

        $sequence_67 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | and                 dword ptr [edi + 0x8c], 0
            //   ff15????????         |                     
            //   488bd8               | xor                 eax, eax
            //   493bc7               | ret                 

        $sequence_68 = { ffd3 8bf8 47 5b 85ff }
            // n = 5, score = 300
            //   ffd3                 | ret                 
            //   8bf8                 | inc                 eax
            //   47                   | push                ebx
            //   5b                   | dec                 eax
            //   85ff                 | sub                 esp, 0x20

        $sequence_69 = { 8d85a0fcffff 68???????? 50 ff15???????? }
            // n = 4, score = 300
            //   8d85a0fcffff         | dec                 esp
            //   68????????           |                     
            //   50                   | mov                 eax, dword ptr [ecx + 8]
            //   ff15????????         |                     

        $sequence_70 = { 6817010000 56 e8???????? 8bf8 3bfb 0f84fe030000 }
            // n = 6, score = 300
            //   6817010000           | inc                 eax
            //   56                   | push                ebx
            //   e8????????           |                     
            //   8bf8                 | dec                 eax
            //   3bfb                 | sub                 esp, 0x20
            //   0f84fe030000         | dec                 esp

        $sequence_71 = { ffd7 8945f8 3bc3 0f8412010000 }
            // n = 4, score = 300
            //   ffd7                 | dec                 ebp
            //   8945f8               | test                eax, eax
            //   3bc3                 | je                  0x22
            //   0f8412010000         | pop                 edi

        $sequence_72 = { e8???????? 894510 3dd2100000 7503 897d10 ff750c 57 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   894510               | mov                 eax, dword ptr [ecx + 8]
            //   3dd2100000           | dec                 eax
            //   7503                 | mov                 ebx, ecx
            //   897d10               | ret                 
            //   ff750c               | inc                 eax
            //   57                   | push                ebx

        $sequence_73 = { 5b 8be5 5d c20400 8325????????00 6a00 68???????? }
            // n = 7, score = 300
            //   5b                   | lea                 eax, [ebp - 0xc]
            //   8be5                 | push                eax
            //   5d                   | mov                 eax, dword ptr [ebp + 0xc]
            //   c20400               | xor                 ebx, ebx
            //   8325????????00       |                     
            //   6a00                 | mov                 dword ptr [ebp - 4], ebx
            //   68????????           |                     

        $sequence_74 = { 83c40c 56 8d8558ffffff e8???????? 8bf8 3bfb 0f857c040000 }
            // n = 7, score = 300
            //   83c40c               | dec                 eax
            //   56                   | sub                 esp, 0x20
            //   8d8558ffffff         | dec                 esp
            //   e8????????           |                     
            //   8bf8                 | mov                 eax, dword ptr [ecx + 8]
            //   3bfb                 | dec                 eax
            //   0f857c040000         | mov                 ebx, ecx

        $sequence_75 = { 57 e8???????? 8b3d???????? 33db 8945fc }
            // n = 5, score = 300
            //   57                   | dec                 eax
            //   e8????????           |                     
            //   8b3d????????         |                     
            //   33db                 | mov                 ebx, ecx
            //   8945fc               | dec                 ebp

        $sequence_76 = { 8d4710 e8???????? 83a78c00000000 33c0 c3 51 e8???????? }
            // n = 7, score = 200
            //   8d4710               | xor                 ebx, ebx
            //   e8????????           |                     
            //   83a78c00000000       | mov                 dword ptr [ebp - 8], eax
            //   33c0                 | xor                 edi, edi
            //   c3                   | jmp                 7
            //   51                   | mov                 esi, dword ptr [ebp + 0xc]
            //   e8????????           |                     

        $sequence_77 = { 5b c9 c20800 55 8bec 81ec1c010000 8d4807 }
            // n = 7, score = 200
            //   5b                   | mov                 esi, eax
            //   c9                   | cmp                 esi, ebx
            //   c20800               | mov                 dword ptr [ebp + 0xc], esi
            //   55                   | lea                 esi, [ebp + 0xc]
            //   8bec                 | mov                 esi, eax
            //   81ec1c010000         | cmp                 esi, ebx
            //   8d4807               | je                  0x23

        $sequence_78 = { 8b4770 39477c 72d4 eb13 8b477c }
            // n = 5, score = 200
            //   8b4770               | push                ebx
            //   39477c               | push                edi
            //   72d4                 | push                0x84
            //   eb13                 | pop                 ebx
            //   8b477c               | mov                 esp, ebp

        $sequence_79 = { 488b0d???????? 4883c12e ff15???????? 488b15???????? 488bcd 488b12 e8???????? }
            // n = 7, score = 200
            //   488b0d????????       |                     
            //   4883c12e             | dec                 eax
            //   ff15????????         |                     
            //   488b15????????       |                     
            //   488bcd               | lea                 eax, [esp + 0x40]
            //   488b12               | dec                 esp
            //   e8????????           |                     

        $sequence_80 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | add                 esi, 0x3c6ef35f
            //   e8????????           |                     
            //   5e                   | mov                 dword ptr [ebp + 0xc], esi
            //   5d                   | lea                 esi, [ebp + 0xc]
            //   5b                   | add                 esi, 0x3c6ef35f
            //   c3                   | mov                 dword ptr [ebp + 0xc], esi
            //   eb10                 | lea                 esi, [ebp + 0xc]

        $sequence_81 = { 4883c12e ff15???????? eb0b b90a000000 ff15???????? }
            // n = 5, score = 200
            //   4883c12e             | lea                 ecx, [esp + 0x40]
            //   ff15????????         |                     
            //   eb0b                 | je                  0x10
            //   b90a000000           | dec                 eax
            //   ff15????????         |                     

        $sequence_82 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | xor                 eax, eax
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | ret                 
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | push                ecx

        $sequence_83 = { ff35???????? e8???????? 813d????????58876837 7505 e8???????? 8b3d???????? }
            // n = 6, score = 200
            //   ff35????????         |                     
            //   e8????????           |                     
            //   813d????????58876837     |     
            //   7505                 | mov                 eax, esp
            //   e8????????           |                     
            //   8b3d????????         |                     

        $sequence_84 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | mov                 dword ptr [esp + 0x30], eax
            //   48c7c101000080       | je                  0x10
            //   ff15????????         |                     

        $sequence_85 = { 897760 488b6c2438 488b742440 4883c420 5f c3 48895c2408 }
            // n = 7, score = 200
            //   897760               | ret                 8
            //   488b6c2438           | push                ebp
            //   488b742440           | mov                 ebp, esp
            //   4883c420             | sub                 esp, 0x11c
            //   5f                   | lea                 ecx, [eax + 7]
            //   c3                   | and                 ecx, 0xfffffff8
            //   48895c2408           | and                 dword ptr [edi + 0x8c], 0

        $sequence_86 = { 4c8bc7 33d2 488bc8 e8???????? 488b0d???????? 4883c12e }
            // n = 6, score = 200
            //   4c8bc7               | lea                 eax, [esp + 0x40]
            //   33d2                 | je                  0x10
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4883c12e             | lea                 eax, [esp + 0x40]

        $sequence_87 = { eb15 488b05???????? 89702a 48897d00 eb17 bbb7000000 488b0d???????? }
            // n = 7, score = 200
            //   eb15                 | dec                 eax
            //   488b05????????       |                     
            //   89702a               | mov                 ecx, 0x80000001
            //   48897d00             | dec                 eax
            //   eb17                 | add                 ecx, 0x2e
            //   bbb7000000           | dec                 eax
            //   488b0d????????       |                     

        $sequence_88 = { 83f916 0f8fa7080000 0f8415080000 83e90f 7452 2bcb 0f84e7000000 }
            // n = 7, score = 200
            //   83f916               | pop                 ebp
            //   0f8fa7080000         | ret                 
            //   0f8415080000         | movzx               ecx, word ptr [eax]
            //   83e90f               | cmp                 cx, 2
            //   7452                 | leave               
            //   2bcb                 | ret                 8
            //   0f84e7000000         | push                ebp

        $sequence_89 = { 0f8524010000 813d????????58876837 56 0f84e9000000 }
            // n = 4, score = 200
            //   0f8524010000         | dec                 eax
            //   813d????????58876837     |     
            //   56                   | mov                 ecx, dword ptr [edx + 0x34]
            //   0f84e9000000         | cmp                 dword ptr [ecx], 0x50545448

        $sequence_90 = { 56 50 e8???????? a1???????? 83c40c 83c01e 50 }
            // n = 7, score = 200
            //   56                   | ret                 
            //   50                   | inc                 eax
            //   e8????????           |                     
            //   a1????????           |                     
            //   83c40c               | push                ebx
            //   83c01e               | dec                 ecx
            //   50                   | cmp                 edi, ebp

        $sequence_91 = { ff742414 e8???????? 813d????????58876837 7525 6a01 e8???????? }
            // n = 6, score = 200
            //   ff742414             | pop                 ebp
            //   e8????????           |                     
            //   813d????????58876837     |     
            //   7525                 | ret                 
            //   6a01                 | dec                 eax
            //   e8????????           |                     

        $sequence_92 = { 488b0cc1 e8???????? 488bf0 488b0d???????? f0834156ff }
            // n = 5, score = 200
            //   488b0cc1             | dec                 esp
            //   e8????????           |                     
            //   488bf0               | lea                 ecx, [esp + 0x40]
            //   488b0d????????       |                     
            //   f0834156ff           | dec                 esp

        $sequence_93 = { 0f8499000000 f605????????08 6aff 68806967ff }
            // n = 4, score = 200
            //   0f8499000000         | dec                 eax
            //   f605????????08       |                     
            //   6aff                 | mov                 ebx, ecx
            //   68806967ff           | pop                 esi

        $sequence_94 = { e9???????? b8???????? e9???????? ff25???????? ff25???????? 68???????? }
            // n = 6, score = 200
            //   e9????????           |                     
            //   b8????????           |                     
            //   e9????????           |                     
            //   ff25????????         |                     
            //   ff25????????         |                     
            //   68????????           |                     

        $sequence_95 = { 68???????? 8975f4 ffd7 8b1d???????? 6a3a b8???????? }
            // n = 6, score = 200
            //   68????????           |                     
            //   8975f4               | lea                 ecx, [esp + 0x58]
            //   ffd7                 | xor                 edx, edx
            //   8b1d????????         |                     
            //   6a3a                 | inc                 ecx
            //   b8????????           |                     

        $sequence_96 = { 4883c420 5f c3 48895c2410 57 4883ec20 488bf9 }
            // n = 7, score = 200
            //   4883c420             | pop                 ebp
            //   5f                   | ret                 
            //   c3                   | movzx               ecx, word ptr [eax]
            //   48895c2410           | cmp                 cx, 2
            //   57                   | jne                 0x27
            //   4883ec20             | cmp                 word ptr [eax + 2], 0
            //   488bf9               | leave               

        $sequence_97 = { 83ffff 0f8464020000 81ff02010000 0f8495000000 8b3d???????? }
            // n = 5, score = 200
            //   83ffff               | or                  dword ptr [edi + 0x48], 1
            //   0f8464020000         | dec                 eax
            //   81ff02010000         | mov                 eax, dword ptr [esp + 0x80]
            //   0f8495000000         | inc                 ebp
            //   8b3d????????         |                     

        $sequence_98 = { 897004 5f 5e 5b c20800 51 53 }
            // n = 7, score = 200
            //   897004               | push                dword ptr [ebp - 0xc]
            //   5f                   | add                 esi, 0x3c6ef35f
            //   5e                   | mov                 dword ptr [ebp + 0xc], esi
            //   5b                   | mov                 dword ptr [ebp - 8], eax
            //   c20800               | xor                 edi, edi
            //   51                   | jmp                 7
            //   53                   | mov                 esi, dword ptr [ebp + 0xc]

        $sequence_99 = { 5f 5b 8be5 5d c3 0fb708 }
            // n = 6, score = 200
            //   5f                   | mov                 dword ptr [ebp - 8], eax
            //   5b                   | xor                 edi, edi
            //   8be5                 | jmp                 0xf
            //   5d                   | add                 esi, 0x3c6ef35f
            //   c3                   | mov                 dword ptr [ebp + 0xc], esi
            //   0fb708               | lea                 esi, [ebp + 0xc]

        $sequence_100 = { 6689844f88000000 015f7c e9???????? 66837c243610 755e }
            // n = 5, score = 200
            //   6689844f88000000     | mov                 ebp, esp
            //   015f7c               | sub                 esp, 0x11c
            //   e9????????           |                     
            //   66837c243610         | lea                 ecx, [eax + 7]
            //   755e                 | mov                 dword ptr [esi + 0x98], 0x1000aaf5

        $sequence_101 = { 5d c3 0fb708 6683f902 751c 6683780200 7411 }
            // n = 7, score = 200
            //   5d                   | push                dword ptr [ebp - 8]
            //   c3                   | add                 esi, 0x3c6ef35f
            //   0fb708               | mov                 dword ptr [ebp + 0xc], esi
            //   6683f902             | lea                 esi, [ebp + 0xc]
            //   751c                 | mov                 esi, eax
            //   6683780200           | push                esi
            //   7411                 | lea                 esi, [eax + ecx - 0x124676d0]

        $sequence_102 = { 8bf8 83ffff 0f843b010000 81ff02010000 0f8499000000 f605????????08 }
            // n = 6, score = 200
            //   8bf8                 | mov                 edx, dword ptr [esp + 0xa8]
            //   83ffff               | inc                 ebp
            //   0f843b010000         | xor                 ecx, ecx
            //   81ff02010000         | inc                 ebp
            //   0f8499000000         | xor                 eax, eax
            //   f605????????08       |                     

        $sequence_103 = { 56 0f84e9000000 ff74241c ffd7 8bf8 83ffff 0f8464020000 }
            // n = 7, score = 200
            //   56                   | dec                 eax
            //   0f84e9000000         | mov                 dword ptr [eax + 8], ebx
            //   ff74241c             | dec                 eax
            //   ffd7                 | mov                 dword ptr [eax + 0x10], ebp
            //   8bf8                 | dec                 eax
            //   83ffff               | mov                 dword ptr [eax + 0x20], esi
            //   0f8464020000         | dec                 eax

        $sequence_104 = { 0f8462040000 2bcb 0f840c060000 2bcb }
            // n = 4, score = 200
            //   0f8462040000         | mov                 eax, esi
            //   2bcb                 | test                eax, eax
            //   0f840c060000         | mov                 dword ptr [ebp - 8], eax
            //   2bcb                 | jne                 0x3f4

        $sequence_105 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | add                 eax, 0x258
            //   4889442420           | and                 dword ptr [edi + 0x8c], 0
            //   e8????????           |                     
            //   3bc3                 | xor                 eax, eax
            //   0f859b000000         | ret                 

        $sequence_106 = { 4883c12e ff15???????? 4c8b05???????? 448d7b02 418bd7 }
            // n = 5, score = 200
            //   4883c12e             | lea                 eax, [esp + 0x40]
            //   ff15????????         |                     
            //   4c8b05????????       |                     
            //   448d7b02             | dec                 esp
            //   418bd7               | lea                 eax, [esp + 0x68]

        $sequence_107 = { 56 ff742464 ffd7 85c0 0f8524010000 813d????????58876837 }
            // n = 6, score = 200
            //   56                   | push                ebx
            //   ff742464             | dec                 eax
            //   ffd7                 | sub                 esp, 0x20
            //   85c0                 | dec                 esp
            //   0f8524010000         | mov                 eax, dword ptr [ecx + 8]
            //   813d????????58876837     |     

        $sequence_108 = { 83c40c 68???????? e8???????? 3bc6 8945f8 7470 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   68????????           |                     
            //   e8????????           |                     
            //   3bc6                 | cmp                 eax, esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   7470                 | je                  0x72

        $sequence_109 = { 3bf3 0f859d010000 e8???????? 85c0 0f849d010000 395c244c 7407 }
            // n = 7, score = 100
            //   3bf3                 | cmp                 esi, ebx
            //   0f859d010000         | jne                 0x1a3
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f849d010000         | je                  0x1a3
            //   395c244c             | cmp                 dword ptr [esp + 0x4c], ebx
            //   7407                 | je                  9

        $sequence_110 = { ff7508 8d45e8 e8???????? ff75ec 8b3d???????? }
            // n = 5, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   e8????????           |                     
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8b3d????????         |                     

        $sequence_111 = { 50 8bc6 e8???????? 85c0 8945f8 0f85e7030000 ff7508 }
            // n = 7, score = 100
            //   50                   | xor                 eax, 0xca241234
            //   8bc6                 | ret                 
            //   e8????????           |                     
            //   85c0                 | push                0
            //   8945f8               | push                0x400000
            //   0f85e7030000         | push                0
            //   ff7508               | test                eax, eax

        $sequence_112 = { c78698000000f5aa0010 899e9c000000 895e18 895e78 895e70 }
            // n = 5, score = 100
            //   c78698000000f5aa0010     | push    1
            //   899e9c000000         | je                  0xa
            //   895e18               | mov                 eax, dword ptr [ebp - 4]
            //   895e78               | cmp                 esi, ebx
            //   895e70               | je                  0x1b

        $sequence_113 = { 64637810 705d 3d0e643f6e b974ef18f3 61 }
            // n = 5, score = 100
            //   64637810             | arpl                word ptr fs:[eax + 0x10], di
            //   705d                 | jo                  0x5f
            //   3d0e643f6e           | cmp                 eax, 0x6e3f640e
            //   b974ef18f3           | mov                 ecx, 0xf318ef74
            //   61                   | popal               

        $sequence_114 = { 89b31c70be03 740a 83c304 83fb14 72c9 eb12 }
            // n = 6, score = 100
            //   89b31c70be03         | mov                 dword ptr [ebx + 0x3be701c], esi
            //   740a                 | je                  0xc
            //   83c304               | add                 ebx, 4
            //   83fb14               | cmp                 ebx, 0x14
            //   72c9                 | jb                  0xffffffcb
            //   eb12                 | jmp                 0x14

        $sequence_115 = { 50 89759c e8???????? 83c40c 68???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   89759c               | mov                 dword ptr [ebp - 0x64], esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68????????           |                     

        $sequence_116 = { e42c d08b19ec3bc2 14e1 32ec e25e 37 }
            // n = 6, score = 100
            //   e42c                 | in                  al, 0x2c
            //   d08b19ec3bc2         | ror                 byte ptr [ebx - 0x3dc413e7], 1
            //   14e1                 | adc                 al, 0xe1
            //   32ec                 | xor                 ch, ah
            //   e25e                 | loop                0x60
            //   37                   | aaa                 

        $sequence_117 = { 53 57 ff742410 8b3d???????? }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8b3d????????         |                     

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules