DreamBot (Malware Family)

DreamBot

VTCollection URLhaus
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
See win.gozi for additional historical information.
References

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman
The Inter Skimmer Kit
magecart DreamBot TeslaCrypt
2020-08-28 ⋅ Checkpoint ⋅ Check Point Research
Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-05-01 ⋅ CSIS ⋅ Benoît Ancel
The end of Dreambot? Obituary for a loved piece of Gozi.
DreamBot
2020-02-07 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2017-05-29 ⋅ Lokalhost.pl ⋅ Maciej Kotowicz
Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29 ⋅ Proofpoint ⋅ Proofpoint Staff
Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules

[TLP:WHITE] win_dreambot_auto (20230808 | Detects win.dreambot.)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dreambot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { a802 7410 8b4730 a840 7509 83672800 e9???????? }
            // n = 7, score = 700
            //   a802                 | test                al, 2
            //   7410                 | je                  0x12
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   a840                 | test                al, 0x40
            //   7509                 | jne                 0xb
            //   83672800             | and                 dword ptr [edi + 0x28], 0
            //   e9????????           |                     

        $sequence_1 = { 897b20 8b4320 c6400731 8b742414 8b3e 6a00 }
            // n = 6, score = 700
            //   897b20               | mov                 dword ptr [ebx + 0x20], edi
            //   8b4320               | mov                 eax, dword ptr [ebx + 0x20]
            //   c6400731             | mov                 byte ptr [eax + 7], 0x31
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   6a00                 | push                0

        $sequence_2 = { 7454 68???????? 68???????? ff7320 e8???????? }
            // n = 5, score = 700
            //   7454                 | je                  0x56
            //   68????????           |                     
            //   68????????           |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   e8????????           |                     

        $sequence_3 = { 0f8555ffffff 894730 e9???????? 55 8bec }
            // n = 5, score = 700
            //   0f8555ffffff         | jne                 0xffffff5b
            //   894730               | mov                 dword ptr [edi + 0x30], eax
            //   e9????????           |                     
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_4 = { 85f6 0f84a9000000 e8???????? 85c0 0f8483000000 }
            // n = 5, score = 700
            //   85f6                 | test                esi, esi
            //   0f84a9000000         | je                  0xaf
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8483000000         | je                  0x89

        $sequence_5 = { e8???????? 8bf8 85ff 755a 39451c 7475 }
            // n = 6, score = 700
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   755a                 | jne                 0x5c
            //   39451c               | cmp                 dword ptr [ebp + 0x1c], eax
            //   7475                 | je                  0x77

        $sequence_6 = { 751a 395d10 7413 8b4618 e8???????? eb09 ff7618 }
            // n = 7, score = 700
            //   751a                 | jne                 0x1c
            //   395d10               | cmp                 dword ptr [ebp + 0x10], ebx
            //   7413                 | je                  0x15
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   eb09                 | jmp                 0xb
            //   ff7618               | push                dword ptr [esi + 0x18]

        $sequence_7 = { 51 51 33c0 50 56 ff5214 8bfb }
            // n = 7, score = 700
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff5214               | call                dword ptr [edx + 0x14]
            //   8bfb                 | mov                 edi, ebx

        $sequence_8 = { 53 68???????? eb54 3bf3 745c 395d0c 7457 }
            // n = 7, score = 600
            //   53                   | je                  0xac
            //   68????????           |                     
            //   eb54                 | je                  0x66
            //   3bf3                 | inc                 ecx
            //   745c                 | cmp                 esi, ebp
            //   395d0c               | je                  0x64
            //   7457                 | mov                 edx, esi

        $sequence_9 = { 837d0c04 7516 ff7510 ff36 68???????? }
            // n = 5, score = 600
            //   837d0c04             | inc                 ecx
            //   7516                 | cmp                 esi, ebp
            //   ff7510               | je                  0xb5
            //   ff36                 | inc                 ecx
            //   68????????           |                     

        $sequence_10 = { ebcc 3bf3 7474 395d0c 746f 6a0d }
            // n = 6, score = 600
            //   ebcc                 | mov                 eax, 7
            //   3bf3                 | jmp                 0xffffffdf
            //   7474                 | dec                 ecx
            //   395d0c               | cmp                 edi, ebp
            //   746f                 | je                  0xac
            //   6a0d                 | je                  0xbb

        $sequence_11 = { 3bf3 0f8496000000 395d0c 0f848d000000 6a07 ebdd }
            // n = 6, score = 600
            //   3bf3                 | jne                 0x53
            //   0f8496000000         | push                dword ptr [esi + 0x18]
            //   395d0c               | call                edi
            //   0f848d000000         | push                dword ptr [esi + 0x1c]
            //   6a07                 | je                  0xb2
            //   ebdd                 | inc                 ecx

        $sequence_12 = { 3bf3 0f8481000000 395d0c 747c 6a03 }
            // n = 5, score = 600
            //   3bf3                 | inc                 ecx
            //   0f8481000000         | mov                 eax, 7
            //   395d0c               | jmp                 0xffffffdf
            //   747c                 | dec                 ecx
            //   6a03                 | cmp                 edi, ebp

        $sequence_13 = { e8???????? 894508 8b7d08 eb24 a1???????? 85c0 7520 }
            // n = 7, score = 600
            //   e8????????           |                     
            //   894508               | dec                 eax
            //   8b7d08               | mov                 ecx, edi
            //   eb24                 | mov                 ebx, 0x57
            //   a1????????           |                     
            //   85c0                 | mov                 dword ptr [ebx + 0x20], eax
            //   7520                 | push                dword ptr [ebx + 0x20]

        $sequence_14 = { 745c 395d0c 7457 53 ff750c 8bfe c7450857000000 }
            // n = 7, score = 600
            //   745c                 | mov                 eax, 7
            //   395d0c               | dec                 esp
            //   7457                 | mov                 eax, ebp
            //   53                   | mov                 ebx, eax
            //   ff750c               | cmp                 ebx, -1
            //   8bfe                 | jne                 0xf
            //   c7450857000000       | je                  0xb2

        $sequence_15 = { e8???????? e9???????? 3bf3 0f8496000000 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   e9????????           |                     
            //   3bf3                 | call                esi
            //   0f8496000000         | mov                 dword ptr [ebx + 0x20], edi

        $sequence_16 = { 4803542460 41ff5220 4c8b442460 e9???????? }
            // n = 4, score = 500
            //   4803542460           | cmp                 eax, 0x11
            //   41ff5220             | push                dword ptr [ebx + 0x10]
            //   4c8b442460           | xor                 edx, edx
            //   e9????????           |                     

        $sequence_17 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | add                 esp, 0x28
            //   41834b3401           | ret                 

        $sequence_18 = { 0f84b5000000 413bf5 0f84ac000000 41b807000000 ebd7 493bfd }
            // n = 6, score = 500
            //   0f84b5000000         | inc                 ecx
            //   413bf5               | cmp                 eax, ebp
            //   0f84ac000000         | jne                 0x2a
            //   41b807000000         | je                  0xbb
            //   ebd7                 | inc                 ecx
            //   493bfd               | cmp                 esi, ebp

        $sequence_19 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? 33d2 }
            // n = 5, score = 500
            //   4c896c2420           | ret                 4
            //   e8????????           |                     
            //   4c8b442468           | push                0
            //   488b0d????????       |                     
            //   33d2                 | pop                 ebx

        $sequence_20 = { 7423 41b904000000 413bf1 7518 8b17 }
            // n = 5, score = 500
            //   7423                 | je                  0xa1
            //   41b904000000         | inc                 ecx
            //   413bf1               | cmp                 esi, ebp
            //   7518                 | je                  0xa1
            //   8b17                 | inc                 ecx

        $sequence_21 = { 418d5620 498bcf ff15???????? 4c8bf0 4885c0 }
            // n = 5, score = 500
            //   418d5620             | sub                 esp, 0x20
            //   498bcf               | dec                 esp
            //   ff15????????         |                     
            //   4c8bf0               | mov                 eax, dword ptr [ecx + 8]
            //   4885c0               | dec                 eax

        $sequence_22 = { 498bcb 492bd0 4803542460 41ff5220 }
            // n = 4, score = 500
            //   498bcb               | je                  0xa
            //   492bd0               | dec                 eax
            //   4803542460           | add                 esp, 0x28
            //   41ff5220             | ret                 

        $sequence_23 = { 0f8492000000 41b803000000 ebbd 493bfd 0f8481000000 413bf5 }
            // n = 6, score = 500
            //   0f8492000000         | dec                 ecx
            //   41b803000000         | cmp                 edi, ebp
            //   ebbd                 | je                  0xa1
            //   493bfd               | inc                 ecx
            //   0f8481000000         | cmp                 esi, ebp
            //   413bf5               | je                  0xa1

        $sequence_24 = { 4c8b18 488b542460 4533c9 488bc8 41ff5318 }
            // n = 5, score = 500
            //   4c8b18               | inc                 eax
            //   488b542460           | push                ebx
            //   4533c9               | dec                 eax
            //   488bc8               | sub                 esp, 0x20
            //   41ff5318             | dec                 eax

        $sequence_25 = { 488d5e10 4533f6 488b0b 2580000000 418d5620 }
            // n = 5, score = 500
            //   488d5e10             | pop                 edi
            //   4533f6               | ret                 
            //   488b0b               | inc                 eax
            //   2580000000           | push                ebx
            //   418d5620             | dec                 eax

        $sequence_26 = { ff15???????? e9???????? 493bfd 0f84d9000000 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   e9????????           |                     
            //   493bfd               | cmp                 edi, ebp
            //   0f84d9000000         | je                  0x28

        $sequence_27 = { e8???????? eb2c 8b05???????? 413bc5 7528 }
            // n = 5, score = 500
            //   e8????????           |                     
            //   eb2c                 | mov                 eax, 3
            //   8b05????????         |                     
            //   413bc5               | jmp                 0xffffffbf
            //   7528                 | jmp                 0x2e

        $sequence_28 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | je                  0x9f
            //   4533c9               | cmp                 dword ptr [ebp + 0xc], ebx
            //   4533c0               | je                  0x96
            //   ff5028               | push                7

        $sequence_29 = { 0f8481000000 413bf5 747c 41b80d000000 }
            // n = 4, score = 500
            //   0f8481000000         | mov                 eax, 3
            //   413bf5               | dec                 eax
            //   747c                 | mov                 ecx, edi
            //   41b80d000000         | dec                 ecx

        $sequence_30 = { 488bcf e8???????? e9???????? 493bfd 0f84b5000000 }
            // n = 5, score = 500
            //   488bcf               | cmp                 edi, ebp
            //   e8????????           |                     
            //   e9????????           |                     
            //   493bfd               | dec                 ecx
            //   0f84b5000000         | cmp                 edi, ebp

        $sequence_31 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 }
            // n = 7, score = 500
            //   5f                   | xor                 eax, 0xcf8555fc
            //   c3                   | inc                 ebp
            //   4053                 | xor                 ecx, ecx
            //   4883ec20             | dec                 eax
            //   4c8b4108             | and                 dword ptr [esp + 0x28], esi
            //   488bd9               | dec                 esp
            //   4d85c0               | lea                 eax, [esp + 0xc8]

        $sequence_32 = { 0f849b000000 413bf5 0f8492000000 41b803000000 ebbd }
            // n = 5, score = 500
            //   0f849b000000         | je                  0xa1
            //   413bf5               | inc                 ecx
            //   0f8492000000         | cmp                 esi, ebp
            //   41b803000000         | je                  0x98
            //   ebbd                 | inc                 ecx

        $sequence_33 = { 33d2 89442448 ff15???????? 33d2 }
            // n = 4, score = 400
            //   33d2                 | inc                 ecx
            //   89442448             | lea                 edx, [esi + 0x20]
            //   ff15????????         |                     
            //   33d2                 | dec                 ecx

        $sequence_34 = { 33d2 3bc2 0f85bd000000 33c0 89942498000000 }
            // n = 5, score = 400
            //   33d2                 | mov                 ecx, dword ptr [ebx]
            //   3bc2                 | and                 eax, 0x80
            //   0f85bd000000         | inc                 ecx
            //   33c0                 | lea                 edx, [esi + 0x20]
            //   89942498000000       | dec                 ecx

        $sequence_35 = { e8???????? 488b5c2428 85c0 753e 8b9424c8000000 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   488b5c2428           | pop                 ebx
            //   85c0                 | mov                 esp, ebp
            //   753e                 | pop                 ebp
            //   8b9424c8000000       | ret                 4

        $sequence_36 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | push                dword ptr [ebp - 8]
            //   0f84e8000000         | push                dword ptr [ebp - 0xc]
            //   3d0470a8c4           | add                 esi, 0x3c6ef35f
            //   0f8486000000         | mov                 dword ptr [ebp + 0xc], esi

        $sequence_37 = { 488b0d???????? 4d8bc4 33d2 ff15???????? 488bf8 }
            // n = 5, score = 400
            //   488b0d????????       |                     
            //   4d8bc4               | push                eax
            //   33d2                 | push                dword ptr [ebx + 0x10]
            //   ff15????????         |                     
            //   488bf8               | xor                 edx, edx

        $sequence_38 = { 4883ec30 837a3c04 4c8b2a 488bf2 488bd9 }
            // n = 5, score = 400
            //   4883ec30             | jmp                 0xffffffea
            //   837a3c04             | cmp                 esi, ebx
            //   4c8b2a               | cmp                 esi, ebx
            //   488bf2               | je                  0x78
            //   488bd9               | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_39 = { 89750c 8d750c e8???????? 8bf0 }
            // n = 4, score = 400
            //   89750c               | jmp                 0x29
            //   8d750c               | test                eax, eax
            //   e8????????           |                     
            //   8bf0                 | jne                 0x29

        $sequence_40 = { 4883c208 4883e901 75e2 837c243801 0f86b2000000 }
            // n = 5, score = 400
            //   4883c208             | push                3
            //   4883e901             | jmp                 0xffffffd2
            //   75e2                 | cmp                 esi, ebx
            //   837c243801           | je                  0x7e
            //   0f86b2000000         | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_41 = { 8b450c 33db 895dfc e8???????? 8945f8 33ff eb03 }
            // n = 7, score = 400
            //   8b450c               | cmp                 esi, ebx
            //   33db                 | jmp                 0x56
            //   895dfc               | cmp                 esi, ebx
            //   e8????????           |                     
            //   8945f8               | je                  0x60
            //   33ff                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   eb03                 | je                  0x60

        $sequence_42 = { 75f5 eb06 8b05???????? 35fc5585cf 4533c9 }
            // n = 5, score = 400
            //   75f5                 | pop                 edi
            //   eb06                 | pop                 ebx
            //   8b05????????         |                     
            //   35fc5585cf           | mov                 esp, ebp
            //   4533c9               | pop                 ebp

        $sequence_43 = { ff7310 ff15???????? 33d2 89b7184a0000 39971c4a0000 }
            // n = 5, score = 400
            //   ff7310               | add                 edi, ebp
            //   ff15????????         |                     
            //   33d2                 | dec                 ebp
            //   89b7184a0000         | mov                 eax, edi
            //   39971c4a0000         | dec                 eax

        $sequence_44 = { ff33 50 6810040000 ff15???????? 8945fc }
            // n = 5, score = 400
            //   ff33                 | dec                 eax
            //   50                   | add                 edi, ebp
            //   6810040000           | dec                 eax
            //   ff15????????         |                     
            //   8945fc               | mov                 esi, eax

        $sequence_45 = { 56 33f6 46 8945f8 }
            // n = 4, score = 400
            //   56                   | dec                 eax
            //   33f6                 | lea                 eax, [0xffffd695]
            //   46                   | dec                 eax
            //   8945f8               | test                eax, eax

        $sequence_46 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | dec                 eax
            //   6a00                 | or                  ecx, 0xffffffff
            //   6800004000           | mov                 eax, esi
            //   6a00                 | dec                 eax
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | mov                 esi, dword ptr [esp + 0x58]

        $sequence_47 = { 46 8945f8 85c0 7551 }
            // n = 4, score = 400
            //   46                   | jmp                 0x40
            //   8945f8               | dec                 eax
            //   85c0                 | lea                 eax, [0xffffd695]
            //   7551                 | jmp                 0x36

        $sequence_48 = { 57 4883ec20 8b05???????? 8364243800 }
            // n = 4, score = 400
            //   57                   | push                dword ptr [ebp + 0x10]
            //   4883ec20             | push                dword ptr [esi]
            //   8b05????????         |                     
            //   8364243800           | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_49 = { ff15???????? 8945fc 85c0 741a 6804010000 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   8945fc               | mov                 ecx, ebp
            //   85c0                 | mov                 dword ptr [esp + 0x20], eax
            //   741a                 | dec                 eax
            //   6804010000           | mov                 esi, eax

        $sequence_50 = { 85c0 7551 ff33 50 }
            // n = 4, score = 400
            //   85c0                 | mov                 ecx, dword ptr [ebx]
            //   7551                 | and                 eax, 0x80
            //   ff33                 | inc                 ecx
            //   50                   | lea                 edx, [esi + 0x20]

        $sequence_51 = { eb03 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c 89750c }
            // n = 7, score = 400
            //   eb03                 | je                  0x87
            //   8b750c               | push                3
            //   ff75f8               | push                ebx
            //   69f60d661900         | jmp                 0x56
            //   ff75f4               | cmp                 esi, ebx
            //   81c65ff36e3c         | je                  0x62
            //   89750c               | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_52 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | je                  0x62
            //   33ff                 | je                  0x76
            //   47                   | cmp                 dword ptr [ebp + 0xc], ebx
            //   57                   | je                  0x74
            //   be????????           |                     
            //   56                   | push                0xd
            //   8d542418             | jmp                 0xffffffc8

        $sequence_53 = { 1bdb f7db 83c303 ebc4 }
            // n = 4, score = 400
            //   1bdb                 | push                dword ptr [ebp + 0x10]
            //   f7db                 | push                dword ptr [esi]
            //   83c303               | jmp                 0xffffffc1
            //   ebc4                 | push                dword ptr [ebp + 0x10]

        $sequence_54 = { 8b9424c8000000 85d2 7421 4533c9 }
            // n = 4, score = 400
            //   8b9424c8000000       | pop                 ebp
            //   85d2                 | ret                 4
            //   7421                 | push                0
            //   4533c9               | push                1

        $sequence_55 = { 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 4, score = 400
            //   4883f8ff             | ret                 4
            //   488bf8               | mov                 esp, ebp
            //   7445                 | pop                 ebp
            //   488d842488000000     | ret                 4

        $sequence_56 = { 48c7c101000080 ff15???????? 85c0 7568 4c8d8c24d0000000 4c8d8424c8000000 488d542428 }
            // n = 7, score = 400
            //   48c7c101000080       | push                0
            //   ff15????????         |                     
            //   85c0                 | mov                 esp, ebp
            //   7568                 | pop                 ebp
            //   4c8d8c24d0000000     | ret                 4
            //   4c8d8424c8000000     | push                0
            //   488d542428           | pop                 edi

        $sequence_57 = { 4c8bc3 33d2 ff15???????? 4821742428 4c8d8424c8000000 488d542428 488d4c2450 }
            // n = 7, score = 400
            //   4c8bc3               | pop                 ebx
            //   33d2                 | mov                 esp, ebp
            //   ff15????????         |                     
            //   4821742428           | pop                 ebp
            //   4c8d8424c8000000     | ret                 4
            //   488d542428           | push                0
            //   488d4c2450           | mov                 esp, ebp

        $sequence_58 = { 4883c208 4983e801 75e4 8b442420 }
            // n = 4, score = 400
            //   4883c208             | pop                 edi
            //   4983e801             | ret                 
            //   75e4                 | inc                 eax
            //   8b442420             | push                ebx

        $sequence_59 = { 0f84ca010000 8b424c a801 0f840f010000 8b424c }
            // n = 5, score = 400
            //   0f84ca010000         | je                  0x78
            //   8b424c               | mov                 dword ptr [ebp + 8], eax
            //   a801                 | mov                 edi, dword ptr [ebp + 8]
            //   0f840f010000         | jmp                 0x2c
            //   8b424c               | je                  0x7e

        $sequence_60 = { 33c0 89942498000000 899424a8000000 8984249c000000 }
            // n = 4, score = 400
            //   33c0                 | dec                 eax
            //   89942498000000       | test                eax, eax
            //   899424a8000000       | dec                 ecx
            //   8984249c000000       | inc                 edi

        $sequence_61 = { 498be9 e8???????? 4885c0 488bf0 0f84a3000000 }
            // n = 5, score = 400
            //   498be9               | pop                 ebx
            //   e8????????           |                     
            //   4885c0               | mov                 esp, ebp
            //   488bf0               | pop                 ebp
            //   0f84a3000000         | ret                 4

        $sequence_62 = { 8db4083089b9ed 57 8d45f4 50 }
            // n = 4, score = 400
            //   8db4083089b9ed       | cmp                 esi, ebp
            //   57                   | inc                 ecx
            //   8d45f4               | cmp                 eax, ebp
            //   50                   | jne                 0x2d

        $sequence_63 = { 4d3bef 7415 498bd5 4883c9ff }
            // n = 4, score = 300
            //   4d3bef               | push                ebx
            //   7415                 | dec                 eax
            //   498bd5               | sub                 esp, 0x20
            //   4883c9ff             | dec                 esp

        $sequence_64 = { 8b45fc 0fb700 8bc8 81e100f00000 }
            // n = 4, score = 300
            //   8b45fc               | inc                 ecx
            //   0fb700               | pop                 esp
            //   8bc8                 | pop                 edi
            //   81e100f00000         | ret                 

        $sequence_65 = { ff75fc e8???????? 8b45f0 40 c745e801000000 }
            // n = 5, score = 300
            //   ff75fc               | dec                 eax
            //   e8????????           |                     
            //   8b45f0               | add                 esp, 0x28
            //   40                   | ret                 
            //   c745e801000000       | inc                 eax

        $sequence_66 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | cmp                 dword ptr [esp + 0x38], 1
            //   ff15????????         |                     
            //   488bd8               | jbe                 0xc3
            //   493bc7               | dec                 eax

        $sequence_67 = { 395d10 0f8402010000 6a03 eb13 3bf3 }
            // n = 5, score = 300
            //   395d10               | sub                 esp, 0x20
            //   0f8402010000         | xor                 ebx, ebx
            //   6a03                 | inc                 ecx
            //   eb13                 | cmp                 eax, 0x11
            //   3bf3                 | je                  7

        $sequence_68 = { 6a01 eb3d 3bf3 0f8420010000 }
            // n = 4, score = 300
            //   6a01                 | jle                 0x430
            //   eb3d                 | inc                 edx
            //   3bf3                 | cmp                 byte ptr [ebx + ebp], al
            //   0f8420010000         | jne                 0x27

        $sequence_69 = { 8d85a2fcffff 53 50 895de4 e8???????? }
            // n = 5, score = 300
            //   8d85a2fcffff         | ret                 
            //   53                   | inc                 eax
            //   50                   | push                ebx
            //   895de4               | dec                 eax
            //   e8????????           |                     

        $sequence_70 = { 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 6, score = 300
            //   4885c9               | push                ebx
            //   7405                 | dec                 eax
            //   e8????????           |                     
            //   4883c428             | sub                 esp, 0x20
            //   c3                   | dec                 esp
            //   4053                 | mov                 eax, dword ptr [ecx + 8]

        $sequence_71 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | mov                 ebx, ecx
            //   742f                 | ret                 
            //   488d4810             | inc                 eax
            //   ff15????????         |                     

        $sequence_72 = { 57 6806020000 668985a0fcffff 8d85a2fcffff 53 }
            // n = 5, score = 300
            //   57                   | jne                 0x2d
            //   6806020000           | inc                 esp
            //   668985a0fcffff       | mov                 eax, edx
            //   8d85a2fcffff         | dec                 ecx
            //   53                   | arpl                si, cx

        $sequence_73 = { 8be5 5d c20400 8325????????00 6a00 }
            // n = 5, score = 300
            //   8be5                 | imul                esi, esi, 0x19660d
            //   5d                   | push                dword ptr [ebp - 0xc]
            //   c20400               | add                 esi, 0x3c6ef35f
            //   8325????????00       |                     
            //   6a00                 | mov                 dword ptr [ebp + 0xc], esi

        $sequence_74 = { 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 4c8d442440 4889442430 }
            // n = 7, score = 300
            //   740e                 | add                 edx, 8
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | dec                 eax
            //   4c8d4c2440           | sub                 ecx, 1
            //   4c8d442440           | jne                 0xffffffe8
            //   4889442430           | cmp                 dword ptr [esp + 0x38], 1

        $sequence_75 = { 89410e 5f 5e 5b c9 c20400 }
            // n = 6, score = 300
            //   89410e               | jmp                 0xd
            //   5f                   | mov                 esi, dword ptr [ebp + 0xc]
            //   5e                   | push                dword ptr [ebp - 8]
            //   5b                   | lea                 esi, [eax + ecx - 0x124676d0]
            //   c9                   | push                edi
            //   c20400               | lea                 eax, [ebp - 0xc]

        $sequence_76 = { 8bf0 33db 81c1fefeffff 33c0 83cfff 33d2 895dfc }
            // n = 7, score = 300
            //   8bf0                 | dec                 esp
            //   33db                 | lea                 eax, [esp + 0x40]
            //   81c1fefeffff         | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x30], eax
            //   83cfff               | jle                 0x430
            //   33d2                 | inc                 edx
            //   895dfc               | cmp                 byte ptr [ebx + ebp], al

        $sequence_77 = { 59 c20400 a1???????? 53 55 56 57 }
            // n = 7, score = 300
            //   59                   | inc                 esp
            //   c20400               | mov                 eax, edx
            //   a1????????           |                     
            //   53                   | jle                 0x430
            //   55                   | inc                 edx
            //   56                   | cmp                 byte ptr [ebx + ebp], al
            //   57                   | jne                 0x2d

        $sequence_78 = { 7505 8d5857 eb15 488b05???????? 89702a 48897d00 eb17 }
            // n = 7, score = 200
            //   7505                 | lea                 eax, [esp + 0x40]
            //   8d5857               | je                  0x10
            //   eb15                 | dec                 eax
            //   488b05????????       |                     
            //   89702a               | lea                 eax, [esp + 0x40]
            //   48897d00             | dec                 esp
            //   eb17                 | lea                 ecx, [esp + 0x40]

        $sequence_79 = { eb08 ff15???????? 8bd8 413bde 0f85fb010000 488b05???????? }
            // n = 6, score = 200
            //   eb08                 | dec                 eax
            //   ff15????????         |                     
            //   8bd8                 | lea                 eax, [esp + 0x40]
            //   413bde               | je                  0x10
            //   0f85fb010000         | dec                 eax
            //   488b05????????       |                     

        $sequence_80 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | inc                 esi
            //   4889442420           | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     
            //   3bc3                 | mov                 dword ptr [ebp - 4], eax
            //   0f859b000000         | test                eax, eax

        $sequence_81 = { a1???????? 83c036 83c9ff f00fc108 }
            // n = 4, score = 200
            //   a1????????           |                     
            //   83c036               | mov                 eax, esi
            //   83c9ff               | dec                 eax
            //   f00fc108             | mov                 esi, dword ptr [esp + 0x58]

        $sequence_82 = { 0f8e2a040000 8a05???????? 4238042b 7521 448bc2 4963ce }
            // n = 6, score = 200
            //   0f8e2a040000         | dec                 eax
            //   8a05????????         |                     
            //   4238042b             | mov                 esi, eax
            //   7521                 | jmp                 0x36
            //   448bc2               | dec                 eax
            //   4963ce               | lea                 eax, [0xffffd695]

        $sequence_83 = { e8???????? 488b0d???????? 448be0 f0834156ff 85c0 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   448be0               | dec                 esp
            //   f0834156ff           | mov                 eax, esi
            //   85c0                 | dec                 eax

        $sequence_84 = { 83c036 41 f00fc108 a1???????? 83c01e 50 }
            // n = 6, score = 200
            //   83c036               | je                  0xa
            //   41                   | dec                 eax
            //   f00fc108             | add                 esp, 0x28
            //   a1????????           |                     
            //   83c01e               | ret                 
            //   50                   | inc                 eax

        $sequence_85 = { 488bf0 eb34 488d0595d6ffff 4885c0 7428 }
            // n = 5, score = 200
            //   488bf0               | lea                 edx, [esp + 0x40]
            //   eb34                 | mov                 dword ptr [esp + 0x40], eax
            //   488d0595d6ffff       | push                edi
            //   4885c0               | dec                 eax
            //   7428                 | sub                 esp, 0x20

        $sequence_86 = { 6a0a ff15???????? a1???????? 8b4036 }
            // n = 4, score = 200
            //   6a0a                 | dec                 ecx
            //   ff15????????         |                     
            //   a1????????           |                     
            //   8b4036               | cmp                 eax, ebp

        $sequence_87 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | dec                 eax
            //   e8????????           |                     
            //   5e                   | mov                 edx, dword ptr [esp + 0x60]
            //   5d                   | inc                 ebp
            //   5b                   | xor                 ecx, ecx
            //   c3                   | dec                 eax
            //   eb10                 | mov                 ecx, eax

        $sequence_88 = { e9???????? 83f916 0f8fa7080000 0f8415080000 }
            // n = 4, score = 200
            //   e9????????           |                     
            //   83f916               | mov                 dword ptr [ebp - 8], eax
            //   0f8fa7080000         | xor                 edx, edx
            //   0f8415080000         | mov                 dword ptr [edi + 0x4a18], esi

        $sequence_89 = { 83c01e 50 ff15???????? 8a06 3a4704 7311 8b0f }
            // n = 7, score = 200
            //   83c01e               | or                  ecx, 0xffffffff
            //   50                   | mov                 eax, esi
            //   ff15????????         |                     
            //   8a06                 | dec                 eax
            //   3a4704               | mov                 esi, dword ptr [esp + 0x58]
            //   7311                 | dec                 eax
            //   8b0f                 | add                 esp, 0x20

        $sequence_90 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | je                  0x1e
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | push                0x104
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | lea                 ecx, [edi + 0x10]

        $sequence_91 = { 8d4604 66d3e0 66098310170000 8d4103 }
            // n = 4, score = 200
            //   8d4604               | lea                 eax, [edi + 0x218]
            //   66d3e0               | push                eax
            //   66098310170000       | push                dword ptr [ebx + 0x10]
            //   8d4103               | xor                 edx, edx

        $sequence_92 = { 488b0d???????? 4883c12e ff15???????? 4c8b05???????? 448d7b02 }
            // n = 5, score = 200
            //   488b0d????????       |                     
            //   4883c12e             | mov                 ebx, eax
            //   ff15????????         |                     
            //   4c8b05????????       |                     
            //   448d7b02             | dec                 ecx

        $sequence_93 = { 8b9314170000 83432801 b910000000 8d42f3 2aca }
            // n = 5, score = 200
            //   8b9314170000         | mov                 dword ptr [edi + 0x4a18], esi
            //   83432801             | mov                 eax, dword ptr [edi + 0x4a18]
            //   b910000000           | push                esi
            //   8d42f3               | xor                 esi, esi
            //   2aca                 | inc                 esi

        $sequence_94 = { a1???????? 8b4c2404 8908 83c01e 50 ff15???????? }
            // n = 6, score = 200
            //   a1????????           |                     
            //   8b4c2404             | dec                 eax
            //   8908                 | add                 esp, 0x20
            //   83c01e               | inc                 ecx
            //   50                   | pop                 ebp
            //   ff15????????         |                     

        $sequence_95 = { 83a78c00000000 33c0 c3 51 e8???????? }
            // n = 5, score = 200
            //   83a78c00000000       | mov                 dword ptr [ebp - 0x18], 1
            //   33c0                 | jae                 0x63
            //   c3                   | lea                 eax, [ebp + 8]
            //   51                   | push                eax
            //   e8????????           |                     

        $sequence_96 = { 8b4036 85c0 75ec 8b442404 53 8a1e }
            // n = 6, score = 200
            //   8b4036               | dec                 ebp
            //   85c0                 | cmp                 ebp, edi
            //   75ec                 | je                  0x17
            //   8b442404             | dec                 ecx
            //   53                   | mov                 edx, ebp
            //   8a1e                 | dec                 eax

        $sequence_97 = { 5f 5e 5b c20800 51 53 57 }
            // n = 7, score = 200
            //   5f                   | jne                 0x206
            //   5e                   | dec                 eax
            //   5b                   | add                 ecx, 0x2e
            //   c20800               | inc                 esp
            //   51                   | lea                 edi, [ebx + 2]
            //   53                   | inc                 ecx
            //   57                   | mov                 edx, edi

        $sequence_98 = { e9???????? 83e908 74eb 2bcb 0f84fa000000 2bcb }
            // n = 6, score = 200
            //   e9????????           |                     
            //   83e908               | push                0x410
            //   74eb                 | push                eax
            //   2bcb                 | push                dword ptr [ebx + 0x10]
            //   0f84fa000000         | xor                 edx, edx
            //   2bcb                 | mov                 dword ptr [edi + 0x4a18], esi

        $sequence_99 = { a1???????? 6a00 e8???????? a1???????? 83c01e 50 ff15???????? }
            // n = 7, score = 200
            //   a1????????           |                     
            //   6a00                 | inc                 ecx
            //   e8????????           |                     
            //   a1????????           |                     
            //   83c01e               | pop                 esp
            //   50                   | pop                 edi
            //   ff15????????         |                     

        $sequence_100 = { c3 33c0 483bc8 7458 488b5128 483bd0 }
            // n = 6, score = 200
            //   c3                   | push                eax
            //   33c0                 | push                0x410
            //   483bc8               | mov                 dword ptr [ebp - 4], eax
            //   7458                 | test                eax, eax
            //   488b5128             | je                  0x26
            //   483bd0               | push                0x104

        $sequence_101 = { c9 c20800 55 8bec 81ec1c010000 8d4807 83e1f8 }
            // n = 7, score = 200
            //   c9                   | je                  0xfd
            //   c20800               | inc                 esp
            //   55                   | mov                 esp, eax
            //   8bec                 | lock add            dword ptr [ecx + 0x56], -1
            //   81ec1c010000         | test                eax, eax
            //   8d4807               | dec                 eax
            //   83e1f8               | add                 ecx, 0x2e

        $sequence_102 = { 5b 8be5 5d c3 0fb708 6683f902 751c }
            // n = 7, score = 200
            //   5b                   | inc                 esp
            //   8be5                 | lea                 edi, [ebx + 2]
            //   5d                   |                     
            //   c3                   | jmp                 0xa
            //   0fb708               | mov                 ebx, eax
            //   6683f902             | inc                 ecx
            //   751c                 | cmp                 ebx, esi

        $sequence_103 = { 488bd8 488b05???????? f0834056ff 4885db 0f84ec000000 }
            // n = 5, score = 200
            //   488bd8               | cmp                 eax, ebp
            //   488b05????????       |                     
            //   f0834056ff           | je                  0x31
            //   4885db               | dec                 eax
            //   0f84ec000000         | lea                 ecx, [eax + 0x10]

        $sequence_104 = { ffd7 8b1d???????? 6a3a b8???????? 56 }
            // n = 5, score = 200
            //   ffd7                 | je                  0x31
            //   8b1d????????         |                     
            //   6a3a                 | dec                 eax
            //   b8????????           |                     
            //   56                   | lea                 ecx, [eax + 0x10]

        $sequence_105 = { 48895c2408 57 4883ec30 488bd9 488b0d???????? 488bfa 4883c12e }
            // n = 7, score = 200
            //   48895c2408           | je                  0x10
            //   57                   | dec                 eax
            //   4883ec30             | lea                 eax, [esp + 0x40]
            //   488bd9               | dec                 esp
            //   488b0d????????       |                     
            //   488bfa               | lea                 ecx, [esp + 0x40]
            //   4883c12e             | dec                 esp

        $sequence_106 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | pop                 edi
            //   48c7c101000080       | dec                 ecx
            //   ff15????????         |                     

        $sequence_107 = { 83839c000000ff 397818 0f852ffcffff 33c0 }
            // n = 4, score = 200
            //   83839c000000ff       | push                0x104
            //   397818               | lea                 ecx, [edi + 0x10]
            //   0f852ffcffff         | push                ecx
            //   33c0                 | inc                 esi

        $sequence_108 = { ff35???????? c74424200e440410 c744241c08000000 ffd6 8bf8 }
            // n = 5, score = 100
            //   ff35????????         |                     
            //   c74424200e440410     | mov                 eax, dword ptr [esp + 0x60]
            //   c744241c08000000     | dec                 ecx
            //   ffd6                 | sub                 edx, eax
            //   8bf8                 | dec                 eax

        $sequence_109 = { e8???????? 8bf0 83fe0c 74c5 3bf3 0f8581020000 a1???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | test                eax, eax
            //   83fe0c               | jne                 0x58
            //   74c5                 | push                dword ptr [ebx]
            //   3bf3                 | push                eax
            //   0f8581020000         | push                eax
            //   a1????????           |                     

        $sequence_110 = { 8b831c70be03 3305???????? 8b3d???????? 50 33f6 56 8bef }
            // n = 7, score = 100
            //   8b831c70be03         | mov                 dword ptr [ebp - 8], eax
            //   3305????????         |                     
            //   8b3d????????         |                     
            //   50                   | test                eax, eax
            //   33f6                 | jne                 0x59
            //   56                   | push                dword ptr [ebx]
            //   8bef                 | mov                 dword ptr [ebp - 8], eax

        $sequence_111 = { c1e804 46 33048d1062be03 85ff }
            // n = 4, score = 100
            //   c1e804               | test                eax, eax
            //   46                   | jne                 0x53
            //   33048d1062be03       | push                dword ptr [ebx]
            //   85ff                 | push                eax

        $sequence_112 = { 7470 8b3d???????? 56 c7459c44000000 ffd7 8d45e8 50 }
            // n = 7, score = 100
            //   7470                 | push                0x410
            //   8b3d????????         |                     
            //   56                   | mov                 dword ptr [ebp - 4], eax
            //   c7459c44000000       | xor                 esi, esi
            //   ffd7                 | inc                 esi
            //   8d45e8               | mov                 dword ptr [ebp - 8], eax
            //   50                   | test                eax, eax

        $sequence_113 = { 397dfc 7417 a1???????? 8b55fc 354c4e4c7e 50 }
            // n = 6, score = 100
            //   397dfc               | test                eax, eax
            //   7417                 | jne                 0x55
            //   a1????????           |                     
            //   8b55fc               | push                dword ptr [ebx]
            //   354c4e4c7e           | push                eax
            //   50                   | push                0x410

        $sequence_114 = { e8???????? 3bc5 89442430 0f84ac010000 53 55 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   3bc5                 | dec                 esp
            //   89442430             | mov                 eax, dword ptr [esp + 0x60]
            //   0f84ac010000         | dec                 eax
            //   53                   | mov                 edx, dword ptr [esp + 0xa8]
            //   55                   | inc                 ebp

        $sequence_115 = { 3934850875be03 742a 8d41ff 85c0 7c10 3934850875be03 7403 }
            // n = 7, score = 100
            //   3934850875be03       | mov                 dword ptr [ebp - 4], eax
            //   742a                 | test                eax, eax
            //   8d41ff               | je                  0x1e
            //   85c0                 | push                0x104
            //   7c10                 | lea                 ecx, [edi + 0x10]
            //   3934850875be03       | xor                 esi, esi
            //   7403                 | inc                 esi

        $sequence_116 = { 8b30 03f5 85f6 89b31c70be03 740a }
            // n = 5, score = 100
            //   8b30                 | jne                 0x59
            //   03f5                 | push                dword ptr [ebx]
            //   85f6                 | push                eax
            //   89b31c70be03         | inc                 esi
            //   740a                 | mov                 dword ptr [ebp - 8], eax

        $sequence_117 = { 68???????? ffd6 a3???????? 33ff 8db7c4260410 }
            // n = 5, score = 100
            //   68????????           |                     
            //   ffd6                 | add                 edx, dword ptr [esp + 0x60]
            //   a3????????           |                     
            //   33ff                 | inc                 ecx
            //   8db7c4260410         | call                dword ptr [edx + 0x20]

        $sequence_118 = { ff75ec 8b3d???????? 8bd8 ffd7 ff75e8 ffd7 eb08 }
            // n = 7, score = 100
            //   ff75ec               | push                0x410
            //   8b3d????????         |                     
            //   8bd8                 | mov                 dword ptr [ebp - 4], eax
            //   ffd7                 | push                0x410
            //   ff75e8               | mov                 dword ptr [ebp - 4], eax
            //   ffd7                 | test                eax, eax
            //   eb08                 | je                  0x21

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules
DreamBot Propose Change

References

Yara Rules

DreamBot
