DreamBot (Malware Family)

DreamBot

URLhaus
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
See win.gozi for additional historical information.
References

2017-05-29 ⋅ Lokalhost.pl ⋅ Maciej Kotowicz
Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29 ⋅ Proofpoint ⋅ Proofpoint Staff
Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules

[TLP:WHITE] win_dreambot_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { a802 7410 8b4730 a840 }
            // n = 4, score = 700
            //   a802                 | xor                 edx, edx
            //   7410                 | dec                 esp
            //   8b4730               | mov                 eax, dword ptr [esp + 0x78]
            //   a840                 | xor                 edx, edx

        $sequence_1 = { 8bf0 85f6 0f84a9000000 e8???????? 85c0 0f8483000000 837d1c00 }
            // n = 7, score = 700
            //   8bf0                 | dec                 esp
            //   85f6                 | mov                 eax, dword ptr [esp + 0x78]
            //   0f84a9000000         | dec                 esp
            //   e8????????           |                     
            //   85c0                 | mov                 eax, ebx
            //   0f8483000000         | xor                 edx, edx
            //   837d1c00             | dec                 esp

        $sequence_2 = { 751f ff15???????? 8bf8 81ffe5030000 751a 395d10 7413 }
            // n = 7, score = 700
            //   751f                 | je                  0x3b
            //   ff15????????         |                     
            //   8bf8                 | mov                 eax, dword ptr [edi + 0x30]
            //   81ffe5030000         | test                al, 0x40
            //   751a                 | mov                 dword ptr [ebx + 0x20], edi
            //   395d10               | mov                 eax, dword ptr [ebx + 0x20]
            //   7413                 | mov                 byte ptr [eax + 7], 0x31

        $sequence_3 = { 751a 395d10 7413 8b4618 e8???????? }
            // n = 5, score = 700
            //   751a                 | mov                 eax, dword ptr [esp + 0x78]
            //   395d10               | xor                 edx, edx
            //   7413                 | dec                 esp
            //   8b4618               | mov                 eax, ebx
            //   e8????????           |                     

        $sequence_4 = { 7410 ff742410 33ff e8???????? }
            // n = 4, score = 700
            //   7410                 | test                eax, eax
            //   ff742410             | je                  0x9c
            //   33ff                 | cmp                 dword ptr [ebp + 0x1c], 0
            //   e8????????           |                     

        $sequence_5 = { 897b20 8b4320 c6400731 8b742414 8b3e 6a00 ff7320 }
            // n = 7, score = 700
            //   897b20               | mov                 edi, eax
            //   8b4320               | test                edi, edi
            //   c6400731             | je                  0x14
            //   8b742414             | push                dword ptr [ebx + 0x20]
            //   8b3e                 | mov                 esi, eax
            //   6a00                 | test                esi, esi
            //   ff7320               | je                  0xba

        $sequence_6 = { e8???????? 8bf8 85ff 7410 ff7320 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   8bf8                 | mov                 eax, dword ptr [esp + 0x78]
            //   85ff                 | dec                 esp
            //   7410                 | mov                 eax, ebx
            //   ff7320               | xor                 edx, edx

        $sequence_7 = { e8???????? 85c0 0f8483000000 837d1c00 7504 834e2801 }
            // n = 6, score = 700
            //   e8????????           |                     
            //   85c0                 | jne                 0x39
            //   0f8483000000         | cmp                 dword ptr [ebp + 0x10], ebx
            //   837d1c00             | je                  0x37
            //   7504                 | mov                 eax, dword ptr [esi + 0x18]
            //   834e2801             | test                al, 2

        $sequence_8 = { 395d0c 7457 53 ff750c 8bfe c7450857000000 }
            // n = 6, score = 600
            //   395d0c               | mov                 ebp, dword ptr [esp + 0xa0]
            //   7457                 | dec                 esp
            //   53                   | lea                 eax, [esp + 0xa0]
            //   ff750c               | dec                 eax
            //   8bfe                 | mov                 edx, eax
            //   c7450857000000       | mov                 ecx, 0x11a

        $sequence_9 = { 745c 395d0c 7457 53 }
            // n = 4, score = 600
            //   745c                 | mov                 ebp, dword ptr [esp + 0xa0]
            //   395d0c               | cmp                 ebp, edi
            //   7457                 | jne                 0x2e
            //   53                   | dec                 esp

        $sequence_10 = { 6a03 ebcc 3bf3 7474 395d0c }
            // n = 5, score = 600
            //   6a03                 | mov                 ebp, 0x10000
            //   ebcc                 | xor                 edx, edx
            //   3bf3                 | dec                 esp
            //   7474                 | mov                 eax, ebp
            //   395d0c               | mov                 dword ptr [esp + 0xa0], ebp

        $sequence_11 = { e8???????? e9???????? 3bf3 0f8496000000 395d0c }
            // n = 5, score = 600
            //   e8????????           |                     
            //   e9????????           |                     
            //   3bf3                 | dec                 eax
            //   0f8496000000         | mov                 edx, dword ptr [esp + 0xa8]
            //   395d0c               | inc                 ebp

        $sequence_12 = { 6a03 ebcc 3bf3 7474 395d0c 746f }
            // n = 6, score = 600
            //   6a03                 | mov                 eax, ebx
            //   ebcc                 | dec                 eax
            //   3bf3                 | mov                 edx, eax
            //   7474                 | mov                 ecx, 0x11a
            //   395d0c               | cmp                 eax, edi
            //   746f                 | jne                 0x31

        $sequence_13 = { 894508 8b7d08 eb24 a1???????? 85c0 }
            // n = 5, score = 600
            //   894508               | call                dword ptr [edi + 0x10]
            //   8b7d08               | mov                 edx, dword ptr [esi]
            //   eb24                 | xor                 ecx, ecx
            //   a1????????           |                     
            //   85c0                 | push                ecx

        $sequence_14 = { 7474 395d0c 746f 6a0d ebbf ff7510 }
            // n = 6, score = 600
            //   7474                 | xor                 ecx, ecx
            //   395d0c               | inc                 ebp
            //   746f                 | xor                 eax, eax
            //   6a0d                 | call                dword ptr [eax + 0x28]
            //   ebbf                 | push                dword ptr [ebx + 0x20]
            //   ff7510               | push                esi

        $sequence_15 = { 7474 395d0c 746f 6a0d ebbf ff7510 53 }
            // n = 7, score = 600
            //   7474                 | mov                 ebx, dword ptr [ebx + 0x30]
            //   395d0c               | dec                 ecx
            //   746f                 | mov                 ebp, dword ptr [ebx + 0x38]
            //   6a0d                 | dec                 ecx
            //   ebbf                 | mov                 esi, dword ptr [ebx + 0x40]
            //   ff7510               | dec                 ecx
            //   53                   | mov                 esp, ebx

        $sequence_16 = { 4c8bc3 33d2 ff15???????? 4c8b442478 }
            // n = 4, score = 500
            //   4c8bc3               | mov                 eax, ebx
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   4c8b442478           | dec                 esp

        $sequence_17 = { 8bac24a0000000 3bef 7517 488b0d???????? }
            // n = 4, score = 500
            //   8bac24a0000000       | lea                 ebx, [esp + 0x50]
            //   3bef                 | dec                 ecx
            //   7517                 | mov                 ebx, dword ptr [ebx + 0x30]
            //   488b0d????????       |                     

        $sequence_18 = { 33d2 ff15???????? 4c8d5c2450 498b5b30 498b6b38 498b7340 498be3 }
            // n = 7, score = 500
            //   33d2                 | dec                 eax
            //   ff15????????         |                     
            //   4c8d5c2450           | sub                 esp, 0x20
            //   498b5b30             | dec                 esp
            //   498b6b38             | mov                 eax, dword ptr [ecx + 8]
            //   498b7340             | dec                 eax
            //   498be3               | mov                 ebx, ecx

        $sequence_19 = { e8???????? 488b0d???????? 4c8bc3 33d2 ff15???????? 4c8b442478 488b0d???????? }
            // n = 7, score = 500
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4c8bc3               | mov                 eax, ebx
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   4c8b442478           | dec                 esp
            //   488b0d????????       |                     

        $sequence_20 = { 33d2 ff15???????? 4c8d5c2450 498b5b30 498b6b38 498b7340 }
            // n = 6, score = 500
            //   33d2                 | dec                 eax
            //   ff15????????         |                     
            //   4c8d5c2450           | mov                 ebx, ecx
            //   498b5b30             | ret                 
            //   498b6b38             | inc                 eax
            //   498b7340             | push                ebx

        $sequence_21 = { e8???????? 488b742440 8be8 eb03 418bed 8b942498000000 }
            // n = 6, score = 500
            //   e8????????           |                     
            //   488b742440           | dec                 eax
            //   8be8                 | mov                 dword ptr [eax + 8], ebx
            //   eb03                 | dec                 eax
            //   418bed               | mov                 dword ptr [eax + 0x10], ebp
            //   8b942498000000       | dec                 eax

        $sequence_22 = { 8bac24a0000000 3bef 7517 488b0d???????? 4c8bc3 }
            // n = 5, score = 500
            //   8bac24a0000000       | sub                 esp, 0x20
            //   3bef                 | dec                 esp
            //   7517                 | mov                 eax, dword ptr [ecx + 8]
            //   488b0d????????       |                     
            //   4c8bc3               | pop                 edi

        $sequence_23 = { e8???????? 3bc7 750b 8bac24a0000000 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   3bc7                 | mov                 dword ptr [eax + 0x20], esi
            //   750b                 | xor                 edx, edx
            //   8bac24a0000000       | dec                 esp

        $sequence_24 = { e8???????? 488b0d???????? 4c8bc3 33d2 ff15???????? 4c8b442478 }
            // n = 6, score = 500
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4c8bc3               | dec                 esp
            //   33d2                 | mov                 eax, dword ptr [esp + 0x78]
            //   ff15????????         |                     
            //   4c8b442478           | dec                 esp

        $sequence_25 = { c3 4053 4883ec20 4c8b4108 488bd9 }
            // n = 5, score = 500
            //   c3                   | jne                 0x3e
            //   4053                 | mov                 edi, eax
            //   4883ec20             | cmp                 edi, 0x3e5
            //   4c8b4108             | jne                 0x22
            //   488bd9               | cmp                 dword ptr [ebp + 0x10], ebx

        $sequence_26 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 }
            // n = 6, score = 500
            //   5f                   | je                  0x20
            //   c3                   | push                dword ptr [esi + 0x14]
            //   4053                 | test                eax, eax
            //   4883ec20             | jne                 0x33
            //   4c8b4108             | mov                 edi, eax
            //   488bd9               | cmp                 edi, 0x3e5

        $sequence_27 = { 488b0d???????? 4c8bc3 33d2 ff15???????? 4c8b442478 }
            // n = 5, score = 500
            //   488b0d????????       |                     
            //   4c8bc3               | mov                 eax, dword ptr [esp + 0x78]
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   4c8b442478           | dec                 esp

        $sequence_28 = { 4c8bc3 33d2 ff15???????? 4c8b442478 488b0d???????? 33d2 ff15???????? }
            // n = 7, score = 500
            //   4c8bc3               | mov                 eax, dword ptr [esp + 0x78]
            //   33d2                 | dec                 esp
            //   ff15????????         |                     
            //   4c8b442478           | mov                 eax, ebx
            //   488b0d????????       |                     
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     

        $sequence_29 = { 4c8bc3 33d2 ff15???????? 4c8b442478 488b0d???????? 33d2 }
            // n = 6, score = 500
            //   4c8bc3               | mov                 eax, ebx
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   4c8b442478           | dec                 esp
            //   488b0d????????       |                     
            //   33d2                 | mov                 eax, dword ptr [esp + 0x78]

        $sequence_30 = { c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 740f }
            // n = 7, score = 500
            //   c3                   | push                dword ptr [esp + 0x10]
            //   4053                 | xor                 edi, edi
            //   4883ec20             | test                eax, eax
            //   4c8b4108             | je                  0x96
            //   488bd9               | cmp                 dword ptr [ebp + 0x1c], 0
            //   4d85c0               | jne                 0x1d
            //   740f                 | or                  dword ptr [esi + 0x28], 1

        $sequence_31 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | je                  0x161
            //   4533c9               | push                eax
            //   4533c0               | push                2
            //   ff5028               | mov                 edi, eax

        $sequence_32 = { 4c8d8424a0000000 488bd0 b91a010000 e8???????? 3bc7 750b 8bac24a0000000 }
            // n = 7, score = 500
            //   4c8d8424a0000000     | dec                 esp
            //   488bd0               | mov                 eax, dword ptr [ecx + 8]
            //   b91a010000           | dec                 eax
            //   e8????????           |                     
            //   3bc7                 | mov                 ebx, ecx
            //   750b                 | dec                 ebp
            //   8bac24a0000000       | test                eax, eax

        $sequence_33 = { 488bd0 b91a010000 e8???????? 3bc7 750b 8bac24a0000000 }
            // n = 6, score = 500
            //   488bd0               | ret                 
            //   b91a010000           | inc                 eax
            //   e8????????           |                     
            //   3bc7                 | push                ebx
            //   750b                 | dec                 eax
            //   8bac24a0000000       | sub                 esp, 0x20

        $sequence_34 = { 4c8bc3 33d2 ff15???????? 4c8b442478 488b0d???????? }
            // n = 5, score = 500
            //   4c8bc3               | dec                 esp
            //   33d2                 | mov                 eax, dword ptr [esp + 0x78]
            //   ff15????????         |                     
            //   4c8b442478           | dec                 esp
            //   488b0d????????       |                     

        $sequence_35 = { 5f c3 4053 4883ec20 4c8b4108 }
            // n = 5, score = 500
            //   5f                   | test                eax, eax
            //   c3                   | je                  0x21
            //   4053                 | ret                 
            //   4883ec20             | inc                 eax
            //   4c8b4108             | push                ebx

        $sequence_36 = { 4889442430 488d842498000000 488d0d???????? 4889442428 488d442440 448bcd }
            // n = 6, score = 500
            //   4889442430           | pop                 esi
            //   488d842498000000     | pop                 ebp
            //   488d0d????????       |                     
            //   4889442428           | ret                 
            //   488d442440           | dec                 eax
            //   448bcd               | mov                 eax, esp

        $sequence_37 = { c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 }
            // n = 6, score = 500
            //   c3                   | ret                 
            //   4053                 | inc                 eax
            //   4883ec20             | push                ebx
            //   4c8b4108             | dec                 eax
            //   488bd9               | sub                 esp, 0x20
            //   4d85c0               | dec                 esp

        $sequence_38 = { 33d2 4c8bc5 89ac24a0000000 ff15???????? }
            // n = 4, score = 500
            //   33d2                 | dec                 ecx
            //   4c8bc5               | mov                 ebp, dword ptr [ebx + 0x38]
            //   89ac24a0000000       | dec                 ecx
            //   ff15????????         |                     

        $sequence_39 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 }
            // n = 7, score = 500
            //   5f                   | dec                 eax
            //   c3                   | sub                 esp, 0x20
            //   4053                 | dec                 esp
            //   4883ec20             | mov                 eax, dword ptr [ecx + 8]
            //   4c8b4108             | dec                 eax
            //   488bd9               | mov                 ebx, ecx
            //   4d85c0               | pop                 edi

        $sequence_40 = { 488b0d???????? 4c8bc3 33d2 ff15???????? 4c8b442478 488b0d???????? }
            // n = 6, score = 500
            //   488b0d????????       |                     
            //   4c8bc3               | dec                 esp
            //   33d2                 | mov                 eax, ebx
            //   ff15????????         |                     
            //   4c8b442478           | xor                 edx, edx
            //   488b0d????????       |                     

        $sequence_41 = { ff15???????? 8945fc 85c0 741a 6804010000 8d4f10 51 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   8945fc               | mov                 eax, dword ptr [ecx + 8]
            //   85c0                 | ret                 
            //   741a                 | inc                 eax
            //   6804010000           | push                ebx
            //   8d4f10               | dec                 eax
            //   51                   | sub                 esp, 0x20

        $sequence_42 = { 8bd8 488b6c2468 8bc3 488b5c2460 4883c430 }
            // n = 5, score = 400
            //   8bd8                 | ret                 
            //   488b6c2468           | push                ecx
            //   8bc3                 | and                 dword ptr [edi + 0x8c], 0
            //   488b5c2460           | xor                 eax, eax
            //   4883c430             | ret                 

        $sequence_43 = { 8945fc 85c0 741a 6804010000 8d4f10 }
            // n = 5, score = 400
            //   8945fc               | call                dword ptr [eax + 0x28]
            //   85c0                 | dec                 esp
            //   741a                 | mov                 ebx, dword ptr [ebx]
            //   6804010000           | dec                 eax
            //   8d4f10               | mov                 edx, dword ptr [esp + 0x200]

        $sequence_44 = { ff15???????? 33ff 3bc7 7528 83bc241001000003 740a }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   33ff                 | cmp                 eax, 0x10d2
            //   3bc7                 | cmp                 dword ptr [ebp + 0x10], 4
            //   7528                 | jne                 0x1ff
            //   83bc241001000003     | push                dword ptr [esi]
            //   740a                 | push                dword ptr [ebp + 0x14]

        $sequence_45 = { 8bd8 488b6c2468 8bc3 488b5c2460 4883c430 415c }
            // n = 6, score = 400
            //   8bd8                 | xor                 edx, edx
            //   488b6c2468           | dec                 esp
            //   8bc3                 | lea                 ebx, [esp + 0x50]
            //   488b5c2460           | dec                 ecx
            //   4883c430             | mov                 ebx, dword ptr [ebx + 0x30]
            //   415c                 | dec                 ecx

        $sequence_46 = { 69f60d661900 ff75f4 81c65ff36e3c 89750c 8d750c }
            // n = 5, score = 400
            //   69f60d661900         | mov                 edi, eax
            //   ff75f4               | cmp                 edi, -1
            //   81c65ff36e3c         | je                  0x2dd
            //   89750c               | cmp                 edi, 0x102
            //   8d750c               | je                  0x11a

        $sequence_47 = { ff15???????? 33d2 89b7184a0000 39971c4a0000 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   33d2                 | push                esi
            //   89b7184a0000         | push                edi
            //   39971c4a0000         | mov                 edi, dword ptr [ebp + 0xc]

        $sequence_48 = { 89750c 8d750c e8???????? 8bf0 3bf3 }
            // n = 5, score = 400
            //   89750c               | dec                 esp
            //   8d750c               | mov                 eax, ebx
            //   e8????????           |                     
            //   8bf0                 | xor                 edx, edx
            //   3bf3                 | dec                 esp

        $sequence_49 = { 81c65ff36e3c 89750c 8d750c e8???????? }
            // n = 4, score = 400
            //   81c65ff36e3c         | je                  0xff
            //   89750c               | push                -1
            //   8d750c               | call                edi
            //   e8????????           |                     

        $sequence_50 = { ff15???????? 33d2 3bc2 7414 8b442444 0fb74c245a }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   33d2                 | push                dword ptr [esp + 0x1c]
            //   3bc2                 | call                edi
            //   7414                 | mov                 edi, eax
            //   8b442444             | jne                 0xcb
            //   0fb74c245a           | push                esi

        $sequence_51 = { 85c0 741a 6804010000 8d4f10 }
            // n = 4, score = 400
            //   85c0                 | dec                 esp
            //   741a                 | mov                 eax, dword ptr [ecx + 8]
            //   6804010000           | dec                 eax
            //   8d4f10               | mov                 ebx, ecx

        $sequence_52 = { eb03 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c }
            // n = 6, score = 400
            //   eb03                 | jmp                 0xa
            //   8b750c               | mov                 ebx, eax
            //   ff75f8               | test                ebx, ebx
            //   69f60d661900         | xor                 edi, edi
            //   ff75f4               | cmp                 eax, edi
            //   81c65ff36e3c         | jne                 0x32

        $sequence_53 = { 488b6c2468 8bc3 488b5c2460 4883c430 415c 5f }
            // n = 6, score = 400
            //   488b6c2468           | push                ecx
            //   8bc3                 | push                ebx
            //   488b5c2460           | push                edi
            //   4883c430             | push                0x84
            //   415c                 | pop                 edi
            //   5f                   | pop                 ebx

        $sequence_54 = { 8bd8 488b6c2468 8bc3 488b5c2460 4883c430 415c 5f }
            // n = 7, score = 400
            //   8bd8                 | push                ecx
            //   488b6c2468           | add                 eax, 0x258
            //   8bc3                 | pop                 ebx
            //   488b5c2460           | ret                 8
            //   4883c430             | push                ecx
            //   415c                 | push                ebx
            //   5f                   | push                edi

        $sequence_55 = { ff15???????? 33ff 3bc7 7528 83bc241001000003 740a 83bc241001000001 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   33ff                 | mov                 edi, 0x1002e065
            //   3bc7                 | push                edi
            //   7528                 | call                esi
            //   83bc241001000003     | push                dword ptr [ebp + 0x10]
            //   740a                 | mov                 dword ptr [ebp - 4], eax
            //   83bc241001000001     | push                dword ptr [ebp + 0xc]

        $sequence_56 = { e8???????? eb08 ff15???????? 8bd8 85db }
            // n = 5, score = 400
            //   e8????????           |                     
            //   eb08                 | push                ebx
            //   ff15????????         |                     
            //   8bd8                 | push                dword ptr [ebp + 8]
            //   85db                 | mov                 dword ptr [ebp + 0x10], eax

        $sequence_57 = { 8db4083089b9ed 57 8d45f4 50 8b450c }
            // n = 5, score = 400
            //   8db4083089b9ed       | mov                 edi, eax
            //   57                   | cmp                 edi, -1
            //   8d45f4               | je                  0x193
            //   50                   | cmp                 edi, 0x102
            //   8b450c               | cmp                 edi, 0x102

        $sequence_58 = { eb03 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c }
            // n = 7, score = 400
            //   eb03                 | push                dword ptr [esp + 0x14]
            //   8b750c               | jne                 0xc1
            //   ff75f8               | push                1
            //   69f60d661900         | push                eax
            //   ff75f4               | push                0x410
            //   81c65ff36e3c         | mov                 dword ptr [ebp - 4], eax
            //   89750c               | test                eax, eax

        $sequence_59 = { 50 ff7310 ff15???????? 33d2 89b7184a0000 }
            // n = 5, score = 400
            //   50                   | push                ebx
            //   ff7310               | dec                 eax
            //   ff15????????         |                     
            //   33d2                 | sub                 esp, 0x20
            //   89b7184a0000         | dec                 esp

        $sequence_60 = { 837c247403 0f8590000000 33c0 398424d8030000 }
            // n = 4, score = 400
            //   837c247403           | test                eax, eax
            //   0f8590000000         | je                  0x2b1
            //   33c0                 | lea                 eax, [ebp - 0x158]
            //   398424d8030000       | push                eax

        $sequence_61 = { 33d2 ff15???????? eb2d 837c247800 }
            // n = 4, score = 400
            //   33d2                 | mov                 eax, 0x1002ce5c
            //   ff15????????         |                     
            //   eb2d                 | mov                 eax, 0x1002ce58
            //   837c247800           | push                ebx

        $sequence_62 = { 56 8db4083089b9ed 57 8d45f4 50 }
            // n = 5, score = 400
            //   56                   | push                esi
            //   8db4083089b9ed       | je                  0x175
            //   57                   | push                dword ptr [esp + 0x1c]
            //   8d45f4               | call                edi
            //   50                   | lea                 eax, [esp + 0x54]

        $sequence_63 = { 33f6 46 8945f8 85c0 7551 }
            // n = 5, score = 400
            //   33f6                 | ret                 8
            //   46                   | mov                 eax, dword ptr [edi + 0x30]
            //   8945f8               | test                al, 4
            //   85c0                 | dec                 eax
            //   7551                 | mov                 ecx, ebx

        $sequence_64 = { 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c }
            // n = 6, score = 400
            //   8b750c               | mov                 eax, dword ptr [esp + 0x78]
            //   ff75f8               | dec                 esp
            //   69f60d661900         | mov                 eax, ebx
            //   ff75f4               | xor                 edx, edx
            //   81c65ff36e3c         | dec                 esp
            //   89750c               | mov                 eax, dword ptr [esp + 0x78]

        $sequence_65 = { 488b6c2468 8bc3 488b5c2460 4883c430 415c }
            // n = 5, score = 400
            //   488b6c2468           | mov                 eax, dword ptr [edi + 0x34]
            //   8bc3                 | test                eax, eax
            //   488b5c2460           | jne                 0x1e
            //   4883c430             | push                dword ptr [ebx + 0x20]
            //   415c                 | push                eax

        $sequence_66 = { ff33 50 6810040000 ff15???????? 8945fc }
            // n = 5, score = 400
            //   ff33                 | sub                 esp, 0x11c
            //   50                   | lea                 ecx, [eax + 7]
            //   6810040000           | mov                 esp, ebp
            //   ff15????????         |                     
            //   8945fc               | pop                 ebp

        $sequence_67 = { 7414 8b442444 0fb74c2458 3bc2 660f45c8 }
            // n = 5, score = 400
            //   7414                 | pop                 ecx
            //   8b442444             | test                eax, eax
            //   0fb74c2458           | jne                 0x2ab
            //   3bc2                 | push                edi
            //   660f45c8             | push                0x206

        $sequence_68 = { 8b8c24a0000000 3bca 745f 33c0 899424e0030000 899424c0030000 }
            // n = 6, score = 400
            //   8b8c24a0000000       | cmp                 eax, ebx
            //   3bca                 | je                  0x1de
            //   745f                 | push                esi
            //   33c0                 | push                ebx
            //   899424e0030000       | push                esi
            //   899424c0030000       | je                  0xef

        $sequence_69 = { 46 8945f8 85c0 7551 ff33 }
            // n = 5, score = 400
            //   46                   | cmp                 dword ptr [edi + 0x20], 4
            //   8945f8               | mov                 eax, dword ptr [edi]
            //   85c0                 | mov                 dword ptr [esp + 0x14], eax
            //   7551                 | ret                 
            //   ff33                 | inc                 eax

        $sequence_70 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | inc                 ecx
            //   6a00                 | mov                 ebp, ebp
            //   6800004000           | mov                 edx, dword ptr [esp + 0x98]
            //   6a00                 | cmp                 eax, edi
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | jne                 0x1d

        $sequence_71 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? }
            // n = 6, score = 400
            //   c3                   | mov                 ebp, dword ptr [esp + 0xa0]
            //   6a00                 | mov                 ebp, dword ptr [esp + 0xa0]
            //   6800004000           | cmp                 ebp, edi
            //   6a00                 | jne                 0x3b
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_72 = { 8bd8 488b6c2468 8bc3 488b5c2460 }
            // n = 4, score = 400
            //   8bd8                 | mov                 ebp, dword ptr [ebx + 0x38]
            //   488b6c2468           | dec                 ecx
            //   8bc3                 | mov                 esi, dword ptr [ebx + 0x40]
            //   488b5c2460           | dec                 ecx

        $sequence_73 = { 6a01 53 ff7508 e8???????? 894510 3dd2100000 }
            // n = 6, score = 300
            //   6a01                 | xor                 edx, edx
            //   53                   | dec                 esp
            //   ff7508               | mov                 eax, ebp
            //   e8????????           |                     
            //   894510               | mov                 dword ptr [esp + 0xa0], ebp
            //   3dd2100000           | jne                 0x3d

        $sequence_74 = { 837d1004 0f85d2010000 ff36 ff7514 e8???????? }
            // n = 5, score = 300
            //   837d1004             | mov                 ebp, dword ptr [esp + 0xa0]
            //   0f85d2010000         | cmp                 ebp, edi
            //   ff36                 | jne                 0x54
            //   ff7514               | dec                 esp
            //   e8????????           |                     

        $sequence_75 = { 59 85c0 0f8545020000 57 6806020000 }
            // n = 5, score = 300
            //   59                   | je                  0x8e
            //   85c0                 | push                0xd
            //   0f8545020000         | jmp                 0xffffffe2
            //   57                   | push                dword ptr [ebp + 0x10]
            //   6806020000           | mov                 dword ptr [ebp + 8], eax

        $sequence_76 = { 8b35???????? bf65e00210 57 ffd6 ff7510 8945fc ff750c }
            // n = 7, score = 300
            //   8b35????????         |                     
            //   bf65e00210           | mov                 eax, ebx
            //   57                   | je                  0x76
            //   ffd6                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   ff7510               | je                  0x74
            //   8945fc               | push                0xd
            //   ff750c               | jmp                 0xffffffc8

        $sequence_77 = { e9???????? b85cce0210 e9???????? b858ce0210 e9???????? }
            // n = 5, score = 300
            //   e9????????           |                     
            //   b85cce0210           | push                dword ptr [ebp + 0x10]
            //   e9????????           |                     
            //   b858ce0210           | push                ebx
            //   e9????????           |                     

        $sequence_78 = { 53 ff15???????? 85c0 0f845b020000 8d85a8feffff 50 ff15???????? }
            // n = 7, score = 300
            //   53                   | cmp                 esi, ebx
            //   ff15????????         |                     
            //   85c0                 | je                  0xab
            //   0f845b020000         | cmp                 dword ptr [ebp + 0xc], ebx
            //   8d85a8feffff         | je                  0x8e
            //   50                   | cmp                 dword ptr [ebp + 0xc], ebx
            //   ff15????????         |                     

        $sequence_79 = { ffd7 8bf8 83ffff 0f8464020000 81ff02010000 0f8495000000 8b3d???????? }
            // n = 7, score = 200
            //   ffd7                 | inc                 eax
            //   8bf8                 | push                ebx
            //   83ffff               | dec                 eax
            //   0f8464020000         | sub                 esp, 0x20
            //   81ff02010000         | dec                 esp
            //   0f8495000000         | mov                 eax, dword ptr [ecx + 8]
            //   8b3d????????         |                     

        $sequence_80 = { 8d4710 e8???????? 83a78c00000000 33c0 c3 51 e8???????? }
            // n = 7, score = 200
            //   8d4710               | movzx               ecx, word ptr [esp + 0x5a]
            //   e8????????           |                     
            //   83a78c00000000       | je                  0x104
            //   33c0                 | mov                 ecx, dword ptr [esp + 0xa0]
            //   c3                   | cmp                 ecx, edx
            //   51                   | je                  0xf0
            //   e8????????           |                     

        $sequence_81 = { 813d???????????????? 56 0f84e9000000 ff74241c ffd7 }
            // n = 5, score = 200
            //   813d????????????????     |     
            //   56                   | dec                 eax
            //   0f84e9000000         | mov                 ebx, ecx
            //   ff74241c             | dec                 ebp
            //   ffd7                 | test                eax, eax

        $sequence_82 = { 5d c3 0fb708 6683f902 751c }
            // n = 5, score = 200
            //   5d                   | push                dword ptr [ebp - 0xc]
            //   c3                   | add                 esi, 0x3c6ef35f
            //   0fb708               | mov                 dword ptr [ebp + 0xc], esi
            //   6683f902             | mov                 dword ptr [ebp + 0xc], esi
            //   751c                 | lea                 esi, [ebp + 0xc]

        $sequence_83 = { 5b c20800 51 53 57 6884000000 e8???????? }
            // n = 7, score = 200
            //   5b                   | xor                 eax, eax
            //   c20800               | call                dword ptr [eax + 0x28]
            //   51                   | mov                 edx, 0xd
            //   53                   | cmp                 esi, ebx
            //   57                   | je                  0x5e
            //   6884000000           | cmp                 dword ptr [ebp + 0xc], ebx
            //   e8????????           |                     

        $sequence_84 = { 8be5 5d c3 0fb708 6683f902 751c }
            // n = 6, score = 200
            //   8be5                 | add                 esi, 0x3c6ef35f
            //   5d                   | mov                 dword ptr [ebp + 0xc], esi
            //   c3                   | lea                 esi, [ebp + 0xc]
            //   0fb708               | push                esi
            //   6683f902             | lea                 esi, [eax + ecx - 0x124676d0]
            //   751c                 | push                edi

        $sequence_85 = { 81ff02010000 0f8495000000 8b3d???????? 6aff }
            // n = 4, score = 200
            //   81ff02010000         | dec                 esp
            //   0f8495000000         | mov                 eax, dword ptr [esp + 0x78]
            //   8b3d????????         |                     
            //   6aff                 | ret                 

        $sequence_86 = { 56 0f84e9000000 ff74241c ffd7 8bf8 }
            // n = 5, score = 200
            //   56                   | jmp                 0
            //   0f84e9000000         | cmp                 esi, ebx
            //   ff74241c             | je                  0xac
            //   ffd7                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   8bf8                 | je                  0x99

        $sequence_87 = { 488d0d???????? 488bd3 e8???????? 4885c0 488be8 0f84af000000 }
            // n = 6, score = 200
            //   488d0d????????       |                     
            //   488bd3               | jne                 0x63
            //   e8????????           |                     
            //   4885c0               | pop                 esi
            //   488be8               | pop                 ebx
            //   0f84af000000         | ret                 8

        $sequence_88 = { 50 6a02 ff15???????? 8bf8 83ffff 0f84a0010000 3bfe }
            // n = 7, score = 200
            //   50                   | cmp                 dword ptr [ebp + 0xc], ebx
            //   6a02                 | je                  0xbf
            //   ff15????????         |                     
            //   8bf8                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   83ffff               | je                  0xac
            //   0f84a0010000         | push                ebx
            //   3bfe                 | push                dword ptr [ebp + 0xc]

        $sequence_89 = { 5e 5b c20800 51 53 57 6884000000 }
            // n = 7, score = 200
            //   5e                   | je                  0x5e
            //   5b                   | push                eax
            //   c20800               | call                esi
            //   51                   | mov                 eax, dword ptr [esp + 0xc]
            //   53                   | lea                 esi, [eax + ecx - 0x124676d0]
            //   57                   | push                edi
            //   6884000000           | lea                 eax, [ebp - 0xc]

        $sequence_90 = { 5f 5b 8be5 5d c3 0fb708 6683f902 }
            // n = 7, score = 200
            //   5f                   | push                eax
            //   5b                   | mov                 eax, dword ptr [ebp + 0xc]
            //   8be5                 | add                 esi, 0x3c6ef35f
            //   5d                   | mov                 dword ptr [ebp + 0xc], esi
            //   c3                   | lea                 esi, [ebp + 0xc]
            //   0fb708               | imul                esi, esi, 0x19660d
            //   6683f902             | push                dword ptr [ebp - 0xc]

        $sequence_91 = { 83ffff 0f843b010000 81ff02010000 0f8499000000 }
            // n = 4, score = 200
            //   83ffff               | mov                 edi, esi
            //   0f843b010000         | mov                 dword ptr [ebp + 8], 0x57
            //   81ff02010000         | cmp                 esi, ebx
            //   0f8499000000         | je                  0x121

        $sequence_92 = { 0f85b7000000 56 ff742428 ffd7 8bf8 83ffff 0f843b010000 }
            // n = 7, score = 200
            //   0f85b7000000         | cmp                 dword ptr [ebp + 0xc], ebx
            //   56                   | je                  0x99
            //   ff742428             | push                ebx
            //   ffd7                 | push                3
            //   8bf8                 | jmp                 0x13
            //   83ffff               | cmp                 esi, ebx
            //   0f843b010000         | je                  0xbf

        $sequence_93 = { ffd7 8bf8 83ffff 0f843b010000 81ff02010000 }
            // n = 5, score = 200
            //   ffd7                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   8bf8                 | je                  0x121
            //   83ffff               | dec                 esp
            //   0f843b010000         | mov                 eax, ebx
            //   81ff02010000         | xor                 edx, edx

        $sequence_94 = { 5e 5b c20800 51 53 57 }
            // n = 6, score = 200
            //   5e                   | lea                 eax, [ebp - 0xc]
            //   5b                   | push                eax
            //   c20800               | jmp                 0x3b
            //   51                   | mov                 esi, dword ptr [ebp + 0xc]
            //   53                   | push                dword ptr [ebp - 8]
            //   57                   | imul                esi, esi, 0x19660d

        $sequence_95 = { 83a78c00000000 33c0 c3 51 e8???????? 0558020000 }
            // n = 6, score = 200
            //   83a78c00000000       | dec                 eax
            //   33c0                 | mov                 edx, dword ptr [esp + 0xa8]
            //   c3                   | inc                 ebp
            //   51                   | xor                 ecx, ecx
            //   e8????????           |                     
            //   0558020000           | inc                 ebp

        $sequence_96 = { 4c897c2420 e8???????? 85c0 8bf8 741e 3dd2100000 }
            // n = 6, score = 200
            //   4c897c2420           | mov                 esp, ebp
            //   e8????????           |                     
            //   85c0                 | pop                 ebp
            //   8bf8                 | ret                 
            //   741e                 | movzx               ecx, word ptr [eax]
            //   3dd2100000           | cmp                 cx, 2

        $sequence_97 = { 56 c7459c44000000 ffd7 8d45e8 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   c7459c44000000       | mov                 dword ptr [ebp - 0x64], 0x44
            //   ffd7                 | call                edi
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_98 = { 68e580be03 ff75f8 ffd7 eb55 83f820 745b 8d45f8 }
            // n = 7, score = 100
            //   68e580be03           | push                0x3be80e5
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ffd7                 | call                edi
            //   eb55                 | jmp                 0x57
            //   83f820               | cmp                 eax, 0x20
            //   745b                 | je                  0x5d
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_99 = { 7c12 8d0c950875be03 8b39 42 }
            // n = 4, score = 100
            //   7c12                 | jl                  0x14
            //   8d0c950875be03       | lea                 ecx, [edx*4 + 0x3be7508]
            //   8b39                 | mov                 edi, dword ptr [ecx]
            //   42                   | inc                 edx

        $sequence_100 = { bbac73be03 eb0a 53 51 }
            // n = 4, score = 100
            //   bbac73be03           | mov                 ebx, 0x3be73ac
            //   eb0a                 | jmp                 0xc
            //   53                   | push                ebx
            //   51                   | push                ecx

        $sequence_101 = { 85c0 0f8e73ffffff 33d2 bb4875be03 42 8bfb }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f8e73ffffff         | jle                 0xffffff79
            //   33d2                 | xor                 edx, edx
            //   bb4875be03           | mov                 ebx, 0x3be7548
            //   42                   | inc                 edx
            //   8bfb                 | mov                 edi, ebx

        $sequence_102 = { 55 8bec 51 8365fc00 57 bf1980be03 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   57                   | push                edi
            //   bf1980be03           | mov                 edi, 0x3be8019

        $sequence_103 = { 85f6 741f 6a00 684086be03 ffd3 }
            // n = 5, score = 100
            //   85f6                 | test                esi, esi
            //   741f                 | je                  0x21
            //   6a00                 | push                0
            //   684086be03           | push                0x3be8640
            //   ffd3                 | call                ebx

        $sequence_104 = { 744f 681f81be03 ffd6 a3???????? 8b831c70be03 3305???????? 8b3d???????? }
            // n = 7, score = 100
            //   744f                 | je                  0x51
            //   681f81be03           | push                0x3be811f
            //   ffd6                 | call                esi
            //   a3????????           |                     
            //   8b831c70be03         | mov                 eax, dword ptr [ebx + 0x3be701c]
            //   3305????????         |                     
            //   8b3d????????         |                     

    condition:
        1 of them
}
Download all Yara Rules
DreamBot Propose Change

References

Yara Rules

DreamBot
