DreamBot (Malware Family)

DreamBot

URLhaus
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
See win.gozi for additional historical information.
References

https://lokalhost.pl/gozi_tree.txt
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
Yara Rules

[TLP:WHITE] win_dreambot_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 74?? 8b4730 a840 75?? }
            // n = 4, score = 800
            //   74??                 |                     
            //   8b4730               | dec                 eax
            //   a840                 | add                 esp, 0x30
            //   75??                 |                     

        $sequence_1 = { 74?? 8b4730 a840 75?? }
            // n = 4, score = 800
            //   74??                 |                     
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   a840                 | test                al, 0x40
            //   75??                 |                     

        $sequence_2 = { 83671800 894f30 8b4f30 f6c140 75?? 85c0 }
            // n = 6, score = 700
            //   83671800             | and                 dword ptr [edi + 0x18], 0
            //   894f30               | mov                 dword ptr [edi + 0x30], ecx
            //   8b4f30               | mov                 ecx, dword ptr [edi + 0x30]
            //   f6c140               | test                cl, 0x40
            //   75??                 |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { e9???????? 834f3001 8b4720 2b4310 8b37 894724 e8???????? }
            // n = 7, score = 700
            //   e9????????           |                     
            //   834f3001             | or                  dword ptr [edi + 0x30], 1
            //   8b4720               | mov                 eax, dword ptr [edi + 0x20]
            //   2b4310               | sub                 eax, dword ptr [ebx + 0x10]
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   894724               | mov                 dword ptr [edi + 0x24], eax
            //   e8????????           |                     

        $sequence_4 = { 894730 e9???????? 55 8bec 83ec10 53 33db }
            // n = 7, score = 700
            //   894730               | mov                 dword ptr [edi + 0x30], eax
            //   e9????????           |                     
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx

        $sequence_5 = { 74?? 8b4730 a840 75?? 83672800 e9???????? 8b4730 }
            // n = 7, score = 700
            //   74??                 |                     
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   a840                 | test                al, 0x40
            //   75??                 |                     
            //   83672800             | and                 dword ptr [edi + 0x28], 0
            //   e9????????           |                     
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]

        $sequence_6 = { a840 0f8????????? 8d442410 50 8d442410 }
            // n = 5, score = 700
            //   a840                 | test                al, 0x40
            //   0f8?????????         |                     
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   8d442410             | lea                 eax, [esp + 0x10]

        $sequence_7 = { 8b4734 e8???????? 85c0 75?? ff7320 }
            // n = 5, score = 700
            //   8b4734               | mov                 eax, dword ptr [edi + 0x34]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   75??                 |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]

        $sequence_8 = { 85ff 75?? 39451c 74?? 8b4618 e8???????? }
            // n = 6, score = 700
            //   85ff                 | test                edi, edi
            //   75??                 |                     
            //   39451c               | cmp                 dword ptr [ebp + 0x1c], eax
            //   74??                 |                     
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   e8????????           |                     

        $sequence_9 = { 81f98a437d92 0f8????????? 81f9d781e797 0f8????????? 81f9c6f269b7 0f8????????? }
            // n = 6, score = 600
            //   81f98a437d92         | dec                 eax
            //   0f8?????????         |                     
            //   81f9d781e797         | mov                 ebp, dword ptr [esp + 0x68]
            //   0f8?????????         |                     
            //   81f9c6f269b7         | mov                 eax, ebx
            //   0f8?????????         |                     

        $sequence_10 = { 8bec 83ec68 53 56 57 33f6 }
            // n = 6, score = 600
            //   8bec                 | lea                 eax, [esp + 0xc8]
            //   83ec68               | dec                 eax
            //   53                   | lea                 edx, [esp + 0x28]
            //   56                   | inc                 ecx
            //   57                   | shr                 ebx, 1
            //   33f6                 | inc                 ebp

        $sequence_11 = { 55 8bec 83ec68 53 56 57 33f6 }
            // n = 7, score = 600
            //   55                   | dec                 esp
            //   8bec                 | lea                 eax, [esp + 0xc8]
            //   83ec68               | dec                 eax
            //   53                   | lea                 edx, [esp + 0x28]
            //   56                   | mov                 eax, esi
            //   57                   | dec                 eax
            //   33f6                 | mov                 ebx, dword ptr [esp + 0xc0]

        $sequence_12 = { 81f9d4997b22 74?? 81f97e88152b 74?? }
            // n = 4, score = 600
            //   81f9d4997b22         | push                dword ptr [ebp - 0xc]
            //   74??                 |                     
            //   81f97e88152b         | add                 esi, 0x3c6ef35f
            //   74??                 |                     

        $sequence_13 = { 0f8????????? 0f8????????? b88442f73f 3bc8 0f8????????? 0f8????????? 81f94d05940f }
            // n = 7, score = 600
            //   0f8?????????         |                     
            //   0f8?????????         |                     
            //   b88442f73f           | push                dword ptr [ebp - 0xc]
            //   3bc8                 | add                 esi, 0x3c6ef35f
            //   0f8?????????         |                     
            //   0f8?????????         |                     
            //   81f94d05940f         | mov                 dword ptr [ebp + 0xc], esi

        $sequence_14 = { 83ec68 53 56 57 33f6 }
            // n = 5, score = 600
            //   83ec68               | lea                 esi, [ebx + edi]
            //   53                   | inc                 ecx
            //   56                   | cmp                 esi, 0x18
            //   57                   | dec                 esp
            //   33f6                 | lea                 ecx, [esp + 0xd0]

        $sequence_15 = { 81f97e88152b 74?? 81f9f1b0cd3d 0f8????????? }
            // n = 4, score = 600
            //   81f97e88152b         | mov                 dword ptr [ebp - 8], eax
            //   74??                 |                     
            //   81f9f1b0cd3d         | xor                 edi, edi
            //   0f8?????????         |                     

        $sequence_16 = { 81f9c6f269b7 0f8????????? 81f9ebb764bc 74?? 81f98e59e2c7 74?? }
            // n = 6, score = 600
            //   81f9c6f269b7         | dec                 eax
            //   0f8?????????         |                     
            //   81f9ebb764bc         | mov                 ebx, dword ptr [esp + 0x60]
            //   74??                 |                     
            //   81f98e59e2c7         | dec                 eax
            //   74??                 |                     

        $sequence_17 = { b88442f73f 3bc8 0f8????????? 0f8????????? }
            // n = 4, score = 600
            //   b88442f73f           | mov                 esi, dword ptr [ebp + 0xc]
            //   3bc8                 | push                dword ptr [ebp - 8]
            //   0f8?????????         |                     
            //   0f8?????????         |                     

        $sequence_18 = { b88442f73f 3bc8 0f8????????? 0f8????????? 81f94d05940f }
            // n = 5, score = 600
            //   b88442f73f           | imul                esi, esi, 0x19660d
            //   3bc8                 | push                dword ptr [ebp - 0xc]
            //   0f8?????????         |                     
            //   0f8?????????         |                     
            //   81f94d05940f         | add                 esi, 0x3c6ef35f

        $sequence_19 = { 81f9d781e797 0f8????????? 81f9c6f269b7 0f8????????? 81f9ebb764bc 74?? 81f98e59e2c7 }
            // n = 7, score = 600
            //   81f9d781e797         | dec                 eax
            //   0f8?????????         |                     
            //   81f9c6f269b7         | mov                 ebx, dword ptr [esp + 0x60]
            //   0f8?????????         |                     
            //   81f9ebb764bc         | dec                 eax
            //   74??                 |                     
            //   81f98e59e2c7         | add                 esp, 0x30

        $sequence_20 = { 81f9d4997b22 74?? 81f97e88152b 74?? 81f9f1b0cd3d 0f8????????? }
            // n = 6, score = 600
            //   81f9d4997b22         | lea                 esi, [ebp + 0xc]
            //   74??                 |                     
            //   81f97e88152b         | add                 esi, 0x3c6ef35f
            //   74??                 |                     
            //   81f9f1b0cd3d         | mov                 dword ptr [ebp + 0xc], esi
            //   0f8?????????         |                     

        $sequence_21 = { 81f9ebb764bc 74?? 81f98e59e2c7 74?? }
            // n = 4, score = 600
            //   81f9ebb764bc         | add                 esp, 0x30
            //   74??                 |                     
            //   81f98e59e2c7         | mov                 ebx, eax
            //   74??                 |                     

        $sequence_22 = { 0f8????????? 81f9ebb764bc 74?? 81f98e59e2c7 74?? 81f9b2aa2bc8 0f8????????? }
            // n = 7, score = 600
            //   0f8?????????         |                     
            //   81f9ebb764bc         | inc                 ecx
            //   74??                 |                     
            //   81f98e59e2c7         | pop                 esp
            //   74??                 |                     
            //   81f9b2aa2bc8         | dec                 eax
            //   0f8?????????         |                     

        $sequence_23 = { 85c0 75?? bbbf000000 eb?? }
            // n = 4, score = 600
            //   85c0                 | test                eax, eax
            //   75??                 |                     
            //   bbbf000000           | mov                 ebx, 0xbf
            //   eb??                 |                     

        $sequence_24 = { 0f8????????? 81f9c6f269b7 0f8????????? 81f9ebb764bc 74?? 81f98e59e2c7 }
            // n = 6, score = 600
            //   0f8?????????         |                     
            //   81f9c6f269b7         | mov                 ebp, dword ptr [esp + 0x68]
            //   0f8?????????         |                     
            //   81f9ebb764bc         | mov                 eax, ebx
            //   74??                 |                     
            //   81f98e59e2c7         | dec                 eax

        $sequence_25 = { 0f8????????? b88442f73f 3bc8 0f8????????? 0f8????????? 81f94d05940f }
            // n = 6, score = 600
            //   0f8?????????         |                     
            //   b88442f73f           | mov                 dword ptr [ebp + 0xc], esi
            //   3bc8                 | push                dword ptr [ebp - 8]
            //   0f8?????????         |                     
            //   0f8?????????         |                     
            //   81f94d05940f         | imul                esi, esi, 0x19660d

        $sequence_26 = { 0f8????????? 0f8????????? b88442f73f 3bc8 }
            // n = 4, score = 600
            //   0f8?????????         |                     
            //   0f8?????????         |                     
            //   b88442f73f           | mov                 esi, dword ptr [ebp + 0xc]
            //   3bc8                 | push                dword ptr [ebp - 8]

        $sequence_27 = { 85c0 75?? bbbf000000 eb?? }
            // n = 4, score = 600
            //   85c0                 | lea                 esi, [ebp + 0xc]
            //   75??                 |                     
            //   bbbf000000           | mov                 esi, eax
            //   eb??                 |                     

        $sequence_28 = { 488d5e10 4533f6 488b0b 2580000000 }
            // n = 4, score = 500
            //   488d5e10             | dec                 eax
            //   4533f6               | lea                 ebx, [esi + 0x10]
            //   488b0b               | inc                 ebp
            //   2580000000           | xor                 esi, esi

        $sequence_29 = { 33c9 ff15???????? 4885c0 4c8be0 }
            // n = 4, score = 500
            //   33c9                 | mov                 eax, ebx
            //   ff15????????         |                     
            //   4885c0               | dec                 eax
            //   4c8be0               | mov                 ebx, dword ptr [esp + 0x60]

        $sequence_30 = { 85c0 75?? 6a08 58 eb?? ff15???????? }
            // n = 6, score = 500
            //   85c0                 | inc                 ecx
            //   75??                 |                     
            //   6a08                 | lea                 edx, [esi + 0x20]
            //   58                   | dec                 esp
            //   eb??                 |                     
            //   ff15????????         |                     

        $sequence_31 = { ff15???????? 4c8bf8 4885c0 0f8????????? 49ffc7 418d5620 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   4c8bf8               | dec                 eax
            //   4885c0               | mov                 ecx, dword ptr [ebx]
            //   0f8?????????         |                     
            //   49ffc7               | and                 eax, 0x80
            //   418d5620             | inc                 ecx

        $sequence_32 = { 85c0 75?? 6a08 58 eb?? ff15???????? }
            // n = 6, score = 500
            //   85c0                 | cmp                 esi, ebx
            //   75??                 |                     
            //   6a08                 | mov                 eax, dword ptr [ebp + 0xc]
            //   58                   | xor                 ebx, ebx
            //   eb??                 |                     
            //   ff15????????         |                     

        $sequence_33 = { 488d5e10 4533f6 488b0b 2580000000 418d5620 }
            // n = 5, score = 500
            //   488d5e10             | mov                 esi, eax
            //   4533f6               | dec                 eax
            //   488b0b               | test                eax, eax
            //   2580000000           | inc                 ebp
            //   418d5620             | xor                 esi, esi

        $sequence_34 = { 0f8????????? 49ffc7 418d5620 498bcf ff15???????? 4c8bf0 }
            // n = 6, score = 500
            //   0f8?????????         |                     
            //   49ffc7               | lea                 edx, [esi + 0x20]
            //   418d5620             | dec                 eax
            //   498bcf               | lea                 ebx, [esi + 0x10]
            //   ff15????????         |                     
            //   4c8bf0               | inc                 ebp

        $sequence_35 = { 418d5620 498bcf ff15???????? 4c8bf0 4885c0 }
            // n = 5, score = 500
            //   418d5620             | dec                 eax
            //   498bcf               | mov                 ecx, dword ptr [ebx]
            //   ff15????????         |                     
            //   4c8bf0               | and                 eax, 0x80
            //   4885c0               | inc                 ecx

        $sequence_36 = { 4885c0 0f8????????? 49ffc7 418d5620 498bcf }
            // n = 5, score = 500
            //   4885c0               | xor                 esi, esi
            //   0f8?????????         |                     
            //   49ffc7               | dec                 eax
            //   418d5620             | mov                 ecx, dword ptr [ebx]
            //   498bcf               | and                 eax, 0x80

        $sequence_37 = { 4533c0 33d2 33c9 ff15???????? 4885c0 4c8be0 }
            // n = 6, score = 500
            //   4533c0               | push                dword ptr [esp + 0x14]
            //   33d2                 | add                 esp, 0xc
            //   33c9                 | mov                 ebx, eax
            //   ff15????????         |                     
            //   4885c0               | dec                 eax
            //   4c8be0               | mov                 ebp, dword ptr [esp + 0x68]

        $sequence_38 = { 4885c0 0f8????????? 49ffc7 418d5620 498bcf ff15???????? }
            // n = 6, score = 500
            //   4885c0               | cmp                 ecx, 0xf94054d
            //   0f8?????????         |                     
            //   49ffc7               | cmp                 ecx, 0x227b99d4
            //   418d5620             | cmp                 ecx, 0x2b15887e
            //   498bcf               | cmp                 ecx, 0x3dcdb0f1
            //   ff15????????         |                     

        $sequence_39 = { a3???????? 85c0 75?? 6a08 58 eb?? ff15???????? }
            // n = 7, score = 500
            //   a3????????           |                     
            //   85c0                 | mov                 edi, eax
            //   75??                 |                     
            //   6a08                 | dec                 eax
            //   58                   | test                eax, eax
            //   eb??                 |                     
            //   ff15????????         |                     

        $sequence_40 = { a3???????? 85c0 75?? 6a08 58 eb?? ff15???????? }
            // n = 7, score = 500
            //   a3????????           |                     
            //   85c0                 | mov                 dword ptr [ebp - 4], ebx
            //   75??                 |                     
            //   6a08                 | mov                 dword ptr [ebp - 8], eax
            //   58                   | xor                 edi, edi
            //   eb??                 |                     
            //   ff15????????         |                     

        $sequence_41 = { 4533f6 488b0b 2580000000 418d5620 }
            // n = 4, score = 500
            //   4533f6               | lea                 edx, [esi + 0x20]
            //   488b0b               | dec                 ecx
            //   2580000000           | mov                 ecx, edi
            //   418d5620             | dec                 esp

        $sequence_42 = { e8???????? eb?? ff15???????? 8bd8 85db }
            // n = 5, score = 400
            //   e8????????           |                     
            //   eb??                 |                     
            //   ff15????????         |                     
            //   8bd8                 | test                eax, eax
            //   85db                 | push                8

        $sequence_43 = { 488b6c2468 8bc3 488b5c2460 4883c430 415c }
            // n = 5, score = 400
            //   488b6c2468           | cmp                 eax, edx
            //   8bc3                 | xor                 eax, eax
            //   488b5c2460           | mov                 dword ptr [esp + 0x98], edx
            //   4883c430             | mov                 ebp, esp
            //   415c                 | sub                 esp, 0x68

        $sequence_44 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | dec                 ecx
            //   6a00                 | inc                 edi
            //   6800004000           | inc                 ecx
            //   6a00                 | lea                 edx, [esi + 0x20]
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | dec                 ecx

        $sequence_45 = { 74?? 399424f4000000 75?? 8b8c24f0000000 }
            // n = 4, score = 400
            //   74??                 |                     
            //   399424f4000000       | cmp                 eax, -1
            //   75??                 |                     
            //   8b8c24f0000000       | dec                 eax

        $sequence_46 = { 75?? 41d1eb 458d343b 4183fe18 77?? }
            // n = 5, score = 400
            //   75??                 |                     
            //   41d1eb               | cmp                 ecx, 0xf94054d
            //   458d343b             | mov                 eax, 0x3ff74284
            //   4183fe18             | cmp                 ecx, eax
            //   77??                 |                     

        $sequence_47 = { 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c }
            // n = 6, score = 400
            //   8b750c               | mov                 edi, edx
            //   ff75f8               | dec                 eax
            //   69f60d661900         | add                 ecx, 0x2e
            //   ff75f4               | mov                 ecx, 0xa
            //   81c65ff36e3c         | dec                 eax
            //   89750c               | add                 ecx, 0x2e

        $sequence_48 = { 81c65ff36e3c 89750c 8d750c e8???????? 8bf0 3bf3 }
            // n = 6, score = 400
            //   81c65ff36e3c         | mov                 ecx, 0xa
            //   89750c               | dec                 eax
            //   8d750c               | add                 ecx, 0x2e
            //   e8????????           |                     
            //   8bf0                 | mov                 al, bl
            //   3bf3                 | dec                 eax

        $sequence_49 = { 488b6c2468 8bc3 488b5c2460 4883c430 415c 5f }
            // n = 6, score = 400
            //   488b6c2468           | mov                 dword ptr [esp + 0xa0], 1
            //   8bc3                 | mov                 dword ptr [esp + 0x3b0], edi
            //   488b5c2460           | mov                 dword ptr [esp + 0x40], ebx
            //   4883c430             | cmp                 dword ptr [esp + 0xf4], edx
            //   415c                 | mov                 ecx, dword ptr [esp + 0xf0]
            //   5f                   | mov                 ecx, dword ptr [esp + 0xa0]

        $sequence_50 = { 8bc3 488b5c2460 4883c430 415c }
            // n = 4, score = 400
            //   8bc3                 | push                ebp
            //   488b5c2460           | mov                 ebp, esp
            //   4883c430             | sub                 esp, 0x68
            //   415c                 | push                ebx

        $sequence_51 = { e8???????? f7d0 eb?? 8b8424c8000000 3dcad2b74e }
            // n = 5, score = 400
            //   e8????????           |                     
            //   f7d0                 | cmp                 ecx, 0xf94054d
            //   eb??                 |                     
            //   8b8424c8000000       | mov                 eax, 0x3ff74284
            //   3dcad2b74e           | cmp                 ecx, eax

        $sequence_52 = { 8bd8 488b6c2468 8bc3 488b5c2460 4883c430 415c 5f }
            // n = 7, score = 400
            //   8bd8                 | mov                 ecx, edi
            //   488b6c2468           | mov                 ebx, eax
            //   8bc3                 | test                ebx, ebx
            //   488b5c2460           | mov                 ebx, eax
            //   4883c430             | test                ebx, ebx
            //   415c                 | mov                 edi, dword ptr [esp + 0x90]
            //   5f                   | or                  ebx, 8

        $sequence_53 = { 75?? 83bc241801000004 75?? 83bc241001000004 75?? 393b }
            // n = 6, score = 400
            //   75??                 |                     
            //   83bc241801000004     | lea                 eax, [esp + 0x88]
            //   75??                 |                     
            //   83bc241001000004     | dec                 esp
            //   75??                 |                     
            //   393b                 | mov                 eax, ebx

        $sequence_54 = { 8b450c 33db 895dfc e8???????? 8945f8 33ff }
            // n = 6, score = 400
            //   8b450c               | mov                 ebx, dword ptr [esp + 0x40]
            //   33db                 | dec                 eax
            //   895dfc               | add                 esp, 0x30
            //   e8????????           |                     
            //   8945f8               | dec                 eax
            //   33ff                 | add                 ecx, 0x2e

        $sequence_55 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? }
            // n = 6, score = 400
            //   c3                   | dec                 ecx
            //   6a00                 | inc                 edi
            //   6800004000           | inc                 ecx
            //   6a00                 | lea                 edx, [esi + 0x20]
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_56 = { 8bc3 488b5c2460 4883c430 415c 5f }
            // n = 5, score = 400
            //   8bc3                 | push                ebx
            //   488b5c2460           | push                esi
            //   4883c430             | push                edi
            //   415c                 | xor                 esi, esi
            //   5f                   | sub                 esp, 0x68

        $sequence_57 = { 8bd8 488b6c2468 8bc3 488b5c2460 4883c430 415c }
            // n = 6, score = 400
            //   8bd8                 | cmovne              cx, ax
            //   488b6c2468           | mov                 word ptr [esp + 0x58], cx
            //   8bc3                 | cmp                 dword ptr [esp + 0x118], 4
            //   488b5c2460           | cmp                 dword ptr [esp + 0x110], 4
            //   4883c430             | cmp                 dword ptr [ebx], edi
            //   415c                 | xor                 edx, edx

        $sequence_58 = { 8db4083089b9ed 57 8d45f4 50 8b450c 33db 895dfc }
            // n = 7, score = 400
            //   8db4083089b9ed       | add                 ecx, 0x2e
            //   57                   | mov                 al, bl
            //   8d45f4               | dec                 eax
            //   50                   | mov                 ebx, dword ptr [esp + 0x40]
            //   8b450c               | mov                 esi, dword ptr [ebp + 0xc]
            //   33db                 | push                dword ptr [ebp - 8]
            //   895dfc               | imul                esi, esi, 0x19660d

        $sequence_59 = { e8???????? 8945f8 33ff eb?? 8b750c ff75f8 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   8945f8               | inc                 ecx
            //   33ff                 | mov                 cl, 0xff
            //   eb??                 |                     
            //   8b750c               | mov                 byte ptr [esp + 0x20], 0xff
            //   ff75f8               | dec                 eax

        $sequence_60 = { 85c0 74?? 6804010000 8d4f10 51 6a00 50 }
            // n = 7, score = 400
            //   85c0                 | inc                 ecx
            //   74??                 |                     
            //   6804010000           | lea                 edx, [esi + 0x20]
            //   8d4f10               | dec                 ecx
            //   51                   | mov                 ecx, edi
            //   6a00                 | test                eax, eax
            //   50                   | push                8

        $sequence_61 = { 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c }
            // n = 5, score = 400
            //   8b750c               | push                0x410
            //   ff75f8               | inc                 ecx
            //   69f60d661900         | mov                 eax, dword ptr [ebx + 0x56]
            //   ff75f4               | test                eax, eax
            //   81c65ff36e3c         | mov                 cl, byte ptr [edi]

        $sequence_62 = { 33d2 3bc2 0f8????????? 33c0 89942498000000 }
            // n = 5, score = 400
            //   33d2                 | xor                 edx, edx
            //   3bc2                 | dec                 eax
            //   0f8?????????         |                     
            //   33c0                 | and                 dword ptr [esp + 0x28], esi
            //   89942498000000       | dec                 esp

        $sequence_63 = { 4883f8ff 488bf8 74?? 488d842488000000 }
            // n = 4, score = 400
            //   4883f8ff             | push                dword ptr [ebp - 0xc]
            //   488bf8               | add                 esi, 0x3c6ef35f
            //   74??                 |                     
            //   488d842488000000     | mov                 dword ptr [ebp + 0xc], esi

        $sequence_64 = { 8bd8 488b6c2468 8bc3 488b5c2460 }
            // n = 4, score = 400
            //   8bd8                 | push                ebx
            //   488b6c2468           | push                esi
            //   8bc3                 | push                edi
            //   488b5c2460           | xor                 esi, esi

        $sequence_65 = { 8945f8 85c0 75?? ff33 50 6810040000 }
            // n = 6, score = 400
            //   8945f8               | pop                 eax
            //   85c0                 | test                eax, eax
            //   75??                 |                     
            //   ff33                 | push                8
            //   50                   | pop                 eax
            //   6810040000           | ret                 

        $sequence_66 = { 74?? 8b8c24a0000000 3bca 74?? }
            // n = 4, score = 400
            //   74??                 |                     
            //   8b8c24a0000000       | mov                 edi, eax
            //   3bca                 | dec                 eax
            //   74??                 |                     

        $sequence_67 = { ff15???????? 8bc6 488b9c24c0000000 4881c480000000 415f 415e 415d }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   8bc6                 | mov                 eax, 0x3ff74284
            //   488b9c24c0000000     | cmp                 ecx, eax
            //   4881c480000000       | mov                 eax, 0x3ff74284
            //   415f                 | cmp                 ecx, eax
            //   415e                 | mov                 eax, 0x3ff74284
            //   415d                 | cmp                 ecx, eax

        $sequence_68 = { 75?? 4c8d8c24d0000000 4c8d8424c8000000 488d542428 }
            // n = 4, score = 400
            //   75??                 |                     
            //   4c8d8c24d0000000     | cmp                 ecx, 0x2b15887e
            //   4c8d8424c8000000     | cmp                 ecx, 0x2b15887e
            //   488d542428           | cmp                 ecx, 0x3dcdb0f1

        $sequence_69 = { 3bc2 74?? 8b442444 0fb74c2458 3bc2 660f45c8 66894c2458 }
            // n = 7, score = 400
            //   3bc2                 | lea                 eax, [esp + 0x88]
            //   74??                 |                     
            //   8b442444             | dec                 eax
            //   0fb74c2458           | cmp                 eax, -1
            //   3bc2                 | dec                 eax
            //   660f45c8             | mov                 edi, eax
            //   66894c2458           | dec                 eax

        $sequence_70 = { ff33 50 6810040000 ff15???????? 8945fc }
            // n = 5, score = 400
            //   ff33                 | mov                 ecx, edi
            //   50                   | dec                 esp
            //   6810040000           | mov                 esi, eax
            //   ff15????????         |                     
            //   8945fc               | dec                 eax

        $sequence_71 = { ff15???????? 4883f8ff 488bf8 74?? 488d842488000000 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   4883f8ff             | lea                 esi, [ebp + 0xc]
            //   488bf8               | mov                 esi, eax
            //   74??                 |                     
            //   488d842488000000     | cmp                 esi, ebx

        $sequence_72 = { ff75f4 81c65ff36e3c 89750c 8d750c e8???????? 8bf0 3bf3 }
            // n = 7, score = 400
            //   ff75f4               | mov                 ecx, 0xa
            //   81c65ff36e3c         | mov                 dword ptr [eax + 0x2a], esi
            //   89750c               | dec                 eax
            //   8d750c               | mov                 dword ptr [ebp], edi
            //   e8????????           |                     
            //   8bf0                 | mov                 ebx, 0xb7
            //   3bf3                 | dec                 eax

        $sequence_73 = { 75?? 41d1eb 458d343b 4183fe18 }
            // n = 4, score = 400
            //   75??                 |                     
            //   41d1eb               | xor                 ebx, ebx
            //   458d343b             | mov                 dword ptr [ebp - 4], ebx
            //   4183fe18             | cmp                 ecx, 0x227b99d4

        $sequence_74 = { 33d2 89b7184a0000 39971c4a0000 74?? }
            // n = 4, score = 400
            //   33d2                 | test                eax, eax
            //   89b7184a0000         | dec                 ecx
            //   39971c4a0000         | inc                 edi
            //   74??                 |                     

        $sequence_75 = { e8???????? eb?? ff15???????? 8bd8 85db 74?? }
            // n = 6, score = 400
            //   e8????????           |                     
            //   eb??                 |                     
            //   ff15????????         |                     
            //   8bd8                 | test                eax, eax
            //   85db                 | mov                 ebx, 0xbf
            //   74??                 |                     

        $sequence_76 = { 8bd8 488b6c2468 8bc3 488b5c2460 4883c430 }
            // n = 5, score = 400
            //   8bd8                 | cmp                 ecx, edx
            //   488b6c2468           | cmp                 eax, edx
            //   8bc3                 | mov                 eax, dword ptr [esp + 0x44]
            //   488b5c2460           | movzx               ecx, word ptr [esp + 0x58]
            //   4883c430             | cmp                 eax, edx

        $sequence_77 = { ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c 8d750c }
            // n = 6, score = 400
            //   ff75f8               | inc                 esp
            //   69f60d661900         | mov                 bl, byte ptr [edi]
            //   ff75f4               | inc                 esp
            //   81c65ff36e3c         | cmp                 bl, byte ptr [ebx + 8]
            //   89750c               | dec                 eax
            //   8d750c               | add                 ecx, 0x2e

        $sequence_78 = { 8bbc2490000000 83cb08 c78424a000000001000000 89bc24b0030000 895c2440 eb?? }
            // n = 6, score = 400
            //   8bbc2490000000       | pop                 eax
            //   83cb08               | test                eax, eax
            //   c78424a000000001000000     | push    8
            //   89bc24b0030000       | pop                 eax
            //   895c2440             | dec                 eax
            //   eb??                 |                     

        $sequence_79 = { 4c8bc3 33d2 ff15???????? 4821742428 4c8d8424c8000000 488d542428 }
            // n = 6, score = 400
            //   4c8bc3               | lea                 esi, [eax + ecx - 0x124676d0]
            //   33d2                 | push                edi
            //   ff15????????         |                     
            //   4821742428           | lea                 eax, [ebp - 0xc]
            //   4c8d8424c8000000     | push                eax
            //   488d542428           | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_80 = { e8???????? 56 ff742410 ff15???????? }
            // n = 4, score = 300
            //   e8????????           |                     
            //   56                   | inc                 ecx
            //   ff742410             | xor                 eax, eax
            //   ff15????????         |                     

        $sequence_81 = { ff15???????? e8???????? 56 ff742410 ff15???????? 85c0 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   e8????????           |                     
            //   56                   | mov                 dword ptr [ebp - 0x44], ebx
            //   ff742410             | call                edi
            //   ff15????????         |                     
            //   85c0                 | cmp                 ecx, 0x10

        $sequence_82 = { e8???????? 56 ff742410 ff15???????? 85c0 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   56                   | push                edi
            //   ff742410             | mov                 edi, 0x3be8019
            //   ff15????????         |                     
            //   85c0                 | push                edi

        $sequence_83 = { ff15???????? e8???????? 56 ff742410 ff15???????? }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   e8????????           |                     
            //   56                   | push                esi
            //   ff742410             | push                edi
            //   ff15????????         |                     

        $sequence_84 = { 56 ff742410 ff15???????? 85c0 }
            // n = 4, score = 300
            //   56                   | push                ebx
            //   ff742410             | push                0x3be8256
            //   ff15????????         |                     
            //   85c0                 | push                dword ptr [ebp - 8]

        $sequence_85 = { ff15???????? e8???????? 56 ff742410 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   e8????????           |                     
            //   56                   | xor                 esi, esi
            //   ff742410             | and                 dword ptr [ebp - 4], 0

        $sequence_86 = { 4883c12e ff15???????? 8ac3 488b5c2440 4883c430 }
            // n = 5, score = 200
            //   4883c12e             | mov                 dword ptr [edi + 0x4a18], esi
            //   ff15????????         |                     
            //   8ac3                 | cmp                 dword ptr [edi + 0x4a1c], edx
            //   488b5c2440           | test                eax, eax
            //   4883c430             | push                0x104

        $sequence_87 = { 4883c12e ff15???????? eb?? b90a000000 ff15???????? }
            // n = 5, score = 200
            //   4883c12e             | lea                 ecx, [edi + 0x10]
            //   ff15????????         |                     
            //   eb??                 |                     
            //   b90a000000           | push                ecx
            //   ff15????????         |                     

        $sequence_88 = { ff742428 89542464 ffd3 56 57 }
            // n = 5, score = 200
            //   ff742428             | dec                 eax
            //   89542464             | add                 esp, 0x30
            //   ffd3                 | inc                 ecx
            //   56                   | pop                 esp
            //   57                   | pop                 edi

        $sequence_89 = { 83a78c00000000 33c0 c3 51 e8???????? 0558020000 83d200 }
            // n = 7, score = 200
            //   83a78c00000000       | mov                 eax, ebx
            //   33c0                 | pop                 ebx
            //   c3                   | ret                 8
            //   51                   | xor                 edi, edi
            //   e8????????           |                     
            //   0558020000           | push                0x18
            //   83d200               | push                0x3be7460

        $sequence_90 = { ff742414 e8???????? 813d???????????????? 75?? 6a01 e8???????? 6a01 }
            // n = 7, score = 200
            //   ff742414             | inc                 ecx
            //   e8????????           |                     
            //   813d????????????????     |     
            //   75??                 |                     
            //   6a01                 | pop                 esp
            //   e8????????           |                     
            //   6a01                 | pop                 edi

        $sequence_91 = { ffd3 56 57 e8???????? 85c0 74?? }
            // n = 6, score = 200
            //   ffd3                 | mov                 ebx, eax
            //   56                   | dec                 eax
            //   57                   | mov                 ebp, dword ptr [esp + 0x68]
            //   e8????????           |                     
            //   85c0                 | mov                 eax, ebx
            //   74??                 |                     

        $sequence_92 = { 89542464 ffd3 56 57 e8???????? 85c0 74?? }
            // n = 7, score = 200
            //   89542464             | dec                 eax
            //   ffd3                 | mov                 ebp, dword ptr [esp + 0x68]
            //   56                   | mov                 eax, ebx
            //   57                   | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 ebx, dword ptr [esp + 0x60]
            //   74??                 |                     

        $sequence_93 = { 5d c3 0fb708 6683f902 }
            // n = 4, score = 200
            //   5d                   | mov                 ecx, 0x3be7548
            //   c3                   | call                esi
            //   0fb708               | pop                 esi
            //   6683f902             | pop                 edi

        $sequence_94 = { 4883c12e ff15???????? 8ac3 488b5c2440 }
            // n = 4, score = 200
            //   4883c12e             | test                eax, eax
            //   ff15????????         |                     
            //   8ac3                 | push                dword ptr [ebx]
            //   488b5c2440           | push                eax

        $sequence_95 = { 89702a 48897d00 eb?? bbb7000000 }
            // n = 4, score = 200
            //   89702a               | push                0
            //   48897d00             | push                eax
            //   eb??                 |                     
            //   bbb7000000           | mov                 dword ptr [ebp - 8], eax

        $sequence_96 = { 4883c12e ff15???????? 448a1f 443a5b08 }
            // n = 4, score = 200
            //   4883c12e             | push                dword ptr [ebx]
            //   ff15????????         |                     
            //   448a1f               | push                eax
            //   443a5b08             | push                0x410

        $sequence_97 = { 418b4356 85c0 75?? 8a0f 41b1ff c6442420ff }
            // n = 6, score = 200
            //   418b4356             | push                0
            //   85c0                 | push                0x400000
            //   75??                 |                     
            //   8a0f                 | push                0
            //   41b1ff               | ret                 
            //   c6442420ff           | push                0

        $sequence_98 = { 4883c12e ff15???????? eb?? b90a000000 }
            // n = 4, score = 200
            //   4883c12e             | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   eb??                 |                     
            //   b90a000000           | xor                 edx, edx

        $sequence_99 = { 488bfa 4883c12e ff15???????? eb?? b90a000000 }
            // n = 5, score = 200
            //   488bfa               | push                0x400000
            //   4883c12e             | push                0
            //   ff15????????         |                     
            //   eb??                 |                     
            //   b90a000000           | test                eax, eax

        $sequence_100 = { 33ff 6a18 686074be03 ff742414 e8???????? 83c40c }
            // n = 6, score = 100
            //   33ff                 | dec                 ecx
            //   6a18                 | inc                 edi
            //   686074be03           | inc                 ecx
            //   ff742414             | lea                 edx, [esi + 0x20]
            //   e8????????           |                     
            //   83c40c               | dec                 ecx

        $sequence_101 = { ffd6 5e 5f 8bc3 5b c20800 }
            // n = 6, score = 100
            //   ffd6                 | inc                 ebp
            //   5e                   | lea                 esi, [ebx + edi]
            //   5f                   | inc                 ecx
            //   8bc3                 | cmp                 esi, 0x18
            //   5b                   | dec                 eax
            //   c20800               | test                eax, eax

        $sequence_102 = { 7e?? 83f910 7d?? 41 890d???????? 33c0 b94875be03 }
            // n = 7, score = 100
            //   7e??                 |                     
            //   83f910               | mov                 eax, dword ptr [esp + 0xc8]
            //   7d??                 |                     
            //   41                   | cmp                 eax, 0x4eb7d2ca
            //   890d????????         |                     
            //   33c0                 | inc                 ecx
            //   b94875be03           | shr                 ebx, 1

        $sequence_103 = { 53 685682be03 ff75f8 895dbc ffd7 }
            // n = 5, score = 100
            //   53                   | inc                 ecx
            //   685682be03           | pop                 esi
            //   ff75f8               | inc                 ecx
            //   895dbc               | pop                 ebp
            //   ffd7                 | not                 eax

        $sequence_104 = { 8365fc00 57 bf1980be03 57 }
            // n = 4, score = 100
            //   8365fc00             | dec                 eax
            //   57                   | add                 esp, 0x80
            //   bf1980be03           | inc                 ecx
            //   57                   | pop                 edi

    condition:
        7 of them
}
Download all Yara Rules
DreamBot Propose Change

References

Yara Rules

DreamBot
