DreamBot (Malware Family)

DreamBot

URLhaus
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
See win.gozi for additional historical information.
References

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman
The Inter Skimmer Kit
magecart DreamBot TeslaCrypt
2020-08-28 ⋅ Checkpoint ⋅ Check Point Research
Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-05-01 ⋅ CSIS ⋅ Benoît Ancel
The end of Dreambot? Obituary for a loved piece of Gozi.
DreamBot
2020-02-07 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2017-05-29 ⋅ Lokalhost.pl ⋅ Maciej Kotowicz
Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29 ⋅ Proofpoint ⋅ Proofpoint Staff
Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules

[TLP:WHITE] win_dreambot_auto (20230715 | Detects win.dreambot.)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.dreambot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0b4b18 83671800 894f30 8b4f30 }
            // n = 4, score = 700
            //   0b4b18               | dec                 ecx
            //   83671800             | cmp                 edi, ebp
            //   894f30               | je                  0x69
            //   8b4f30               | inc                 ecx

        $sequence_1 = { 8b44240c 894320 8b4730 a802 7410 }
            // n = 5, score = 700
            //   8b44240c             | inc                 ecx
            //   894320               | cmp                 esi, ebp
            //   8b4730               | je                  0x92
            //   a802                 | inc                 ecx
            //   7410                 | mov                 eax, 0xd

        $sequence_2 = { 7414 ff7320 6a00 ff35???????? ffd6 8b44240c }
            // n = 6, score = 700
            //   7414                 | cmp                 esi, ebp
            //   ff7320               | je                  0x69
            //   6a00                 | mov                 edx, esi
            //   ff35????????         |                     
            //   ffd6                 | dec                 eax
            //   8b44240c             | mov                 ecx, edi

        $sequence_3 = { e9???????? 8b4730 a840 0f84cd000000 }
            // n = 4, score = 700
            //   e9????????           |                     
            //   8b4730               | inc                 ecx
            //   a840                 | mov                 ecx, 4
            //   0f84cd000000         | inc                 ecx

        $sequence_4 = { 897b20 8b4320 c6400731 8b742414 8b3e }
            // n = 5, score = 700
            //   897b20               | dec                 eax
            //   8b4320               | mov                 ecx, edi
            //   c6400731             | dec                 ecx
            //   8b742414             | cmp                 edi, ebp
            //   8b3e                 | je                  0xc3

        $sequence_5 = { e8???????? 8bf8 3bfb 754f ff7618 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   8bf8                 | cmp                 esi, ecx
            //   3bfb                 | jne                 0x23
            //   754f                 | mov                 edx, dword ptr [edi]
            //   ff7618               | mov                 edx, esi

        $sequence_6 = { ff7320 ff15???????? 85c0 742e 68???????? }
            // n = 5, score = 700
            //   ff7320               | dec                 ecx
            //   ff15????????         |                     
            //   85c0                 | cmp                 edi, ebp
            //   742e                 | je                  0xbe
            //   68????????           |                     

        $sequence_7 = { 56 ff742410 89442418 ff15???????? }
            // n = 4, score = 700
            //   56                   | inc                 ecx
            //   ff742410             | cmp                 esi, ebp
            //   89442418             | je                  0xbe
            //   ff15????????         |                     

        $sequence_8 = { 7457 53 ff750c 8bfe c7450857000000 }
            // n = 5, score = 600
            //   7457                 | cmp                 esi, ebp
            //   53                   | jmp                 0x5c
            //   ff750c               | dec                 ecx
            //   8bfe                 | cmp                 edi, ebp
            //   c7450857000000       | je                  0x6b

        $sequence_9 = { 53 68???????? eb54 3bf3 745c }
            // n = 5, score = 600
            //   53                   | and                 dword ptr [edi + 0x30], 0xfffffff9
            //   68????????           |                     
            //   eb54                 | mov                 dword ptr [edi + 0x28], 1
            //   3bf3                 | mov                 eax, dword ptr [edi + 0x30]
            //   745c                 | test                al, 1

        $sequence_10 = { ebdd 3bf3 0f8481000000 395d0c }
            // n = 4, score = 600
            //   ebdd                 | mov                 dword ptr [ebx + 0x20], edi
            //   3bf3                 | push                0
            //   0f8481000000         | push                dword ptr [ebx + 0x20]
            //   395d0c               | mov                 eax, dword ptr [edi + 0x34]

        $sequence_11 = { ff750c 56 e8???????? e9???????? 3bf3 0f8496000000 }
            // n = 6, score = 600
            //   ff750c               | push                dword ptr [esp + 0x10]
            //   56                   | mov                 dword ptr [esp + 0x18], eax
            //   e8????????           |                     
            //   e9????????           |                     
            //   3bf3                 | push                0
            //   0f8496000000         | call                esi

        $sequence_12 = { 395d0c 0f84ae000000 6a01 ff750c 56 }
            // n = 5, score = 600
            //   395d0c               | mov                 edi, eax
            //   0f84ae000000         | cmp                 edi, ebx
            //   6a01                 | jne                 0x55
            //   ff750c               | push                dword ptr [esi + 0x18]
            //   56                   | mov                 dword ptr [ebx + 0x10], eax

        $sequence_13 = { 0f848d000000 6a07 ebdd 3bf3 }
            // n = 4, score = 600
            //   0f848d000000         | test                eax, eax
            //   6a07                 | jne                 0x1e
            //   ebdd                 | push                dword ptr [ebx + 0x20]
            //   3bf3                 | push                eax

        $sequence_14 = { e9???????? 3bf3 0f84b7000000 395d0c }
            // n = 4, score = 600
            //   e9????????           |                     
            //   3bf3                 | test                edi, edi
            //   0f84b7000000         | je                  0x1f
            //   395d0c               | push                dword ptr [ebp - 8]

        $sequence_15 = { 7520 3bf3 741c 837d0c04 7516 ff7510 }
            // n = 6, score = 600
            //   7520                 | push                dword ptr [ebp - 8]
            //   3bf3                 | mov                 edi, eax
            //   741c                 | cmp                 edi, ebx
            //   837d0c04             | jne                 0x55
            //   7516                 | push                dword ptr [ebx + 0x20]
            //   ff7510               | mov                 edi, eax

        $sequence_16 = { 4c8b18 488b542460 4533c9 488bc8 }
            // n = 4, score = 500
            //   4c8b18               | push                esi
            //   488b542460           | xor                 esi, esi
            //   4533c9               | inc                 esi
            //   488bc8               | mov                 dword ptr [ebp - 8], eax

        $sequence_17 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | lea                 esi, [ebp + 0xc]
            //   4533c9               | mov                 esi, eax
            //   4533c0               | cmp                 esi, ebx
            //   ff5028               | je                  0x26

        $sequence_18 = { 493bfd 7464 413bf5 745f 8bd6 488bcf }
            // n = 6, score = 500
            //   493bfd               | dec                 ecx
            //   7464                 | cmp                 edi, ebp
            //   413bf5               | je                  0xb2
            //   745f                 | jmp                 0xffffffbf
            //   8bd6                 | dec                 ecx
            //   488bcf               | cmp                 edi, ebp

        $sequence_19 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 }
            // n = 6, score = 500
            //   5f                   | push                dword ptr [ebp - 0xc]
            //   c3                   | push                esi
            //   4053                 | lea                 esi, [eax + ecx - 0x124676d0]
            //   4883ec20             | push                edi
            //   4c8b4108             | lea                 eax, [ebp - 0xc]
            //   488bd9               | push                eax

        $sequence_20 = { 488d5e10 4533f6 488b0b 2580000000 418d5620 }
            // n = 5, score = 500
            //   488d5e10             | mov                 ecx, ebp
            //   4533f6               | dec                 eax
            //   488b0b               | mov                 edx, dword ptr [edi + 0x2c]
            //   2580000000           | inc                 ebp
            //   418d5620             | xor                 ecx, ecx

        $sequence_21 = { 418d5620 498bcf ff15???????? 4c8bf0 4885c0 }
            // n = 5, score = 500
            //   418d5620             | inc                 esp
            //   498bcf               | mov                 eax, eax
            //   ff15????????         |                     
            //   4c8bf0               | dec                 ecx
            //   4885c0               | mov                 ecx, ebp

        $sequence_22 = { 498bcb 492bd0 4803542460 41ff5220 4c8b442460 }
            // n = 5, score = 500
            //   498bcb               | mov                 dword ptr [ebp - 4], eax
            //   492bd0               | test                eax, eax
            //   4803542460           | je                  0x1e
            //   41ff5220             | push                0x104
            //   4c8b442460           | mov                 eax, dword ptr [edi + 0x4a18]

        $sequence_23 = { ebbd 493bfd 0f8481000000 413bf5 }
            // n = 4, score = 500
            //   ebbd                 | dec                 ecx
            //   493bfd               | cmp                 edi, ebp
            //   0f8481000000         | je                  0xcc
            //   413bf5               | inc                 ecx

        $sequence_24 = { 41b904000000 413bf1 7518 8b17 }
            // n = 4, score = 500
            //   41b904000000         | je                  0x8c
            //   413bf1               | inc                 ecx
            //   7518                 | cmp                 esi, ebp
            //   8b17                 | je                  0xa1

        $sequence_25 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | dec                 eax
            //   41834b3401           | mov                 edx, dword ptr [edi + 0x2c]

        $sequence_26 = { 0f849b000000 413bf5 0f8492000000 41b803000000 }
            // n = 4, score = 500
            //   0f849b000000         | cmp                 esi, ebp
            //   413bf5               | je                  0xcc
            //   0f8492000000         | inc                 ecx
            //   41b803000000         | mov                 eax, 7

        $sequence_27 = { 8bd6 488bcf e8???????? e9???????? 493bfd 0f84b5000000 413bf5 }
            // n = 7, score = 500
            //   8bd6                 | mov                 ecx, 4
            //   488bcf               | inc                 ecx
            //   e8????????           |                     
            //   e9????????           |                     
            //   493bfd               | cmp                 eax, ebp
            //   0f84b5000000         | jne                 0x2d
            //   413bf5               | dec                 ecx

        $sequence_28 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? 33d2 }
            // n = 5, score = 500
            //   4c896c2420           | cmp                 eax, ebp
            //   e8????????           |                     
            //   4c8b442468           | jne                 0x2d
            //   488b0d????????       |                     
            //   33d2                 | dec                 ecx

        $sequence_29 = { 8b05???????? 413bc5 7528 493bfd 7423 41b904000000 }
            // n = 6, score = 500
            //   8b05????????         |                     
            //   413bc5               | je                  0xa1
            //   7528                 | inc                 ecx
            //   493bfd               | cmp                 esi, ebp
            //   7423                 | inc                 ecx
            //   41b904000000         | cmp                 eax, ebp

        $sequence_30 = { 41b807000000 ebd7 493bfd 0f849b000000 413bf5 }
            // n = 5, score = 500
            //   41b807000000         | inc                 ecx
            //   ebd7                 | mov                 eax, 7
            //   493bfd               | jmp                 0xffffffd9
            //   0f849b000000         | dec                 ecx
            //   413bf5               | cmp                 edi, ebp

        $sequence_31 = { 0f84b5000000 413bf5 0f84ac000000 41b807000000 }
            // n = 4, score = 500
            //   0f84b5000000         | dec                 ecx
            //   413bf5               | cmp                 edi, ebp
            //   0f84ac000000         | je                  0xbb
            //   41b807000000         | inc                 ecx

        $sequence_32 = { 48c7c101000080 ff15???????? 85c0 7568 4c8d8c24d0000000 4c8d8424c8000000 488d542428 }
            // n = 7, score = 400
            //   48c7c101000080       | inc                 ecx
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, 0xd
            //   7568                 | jmp                 0xffffffaf
            //   4c8d8c24d0000000     | xor                 edx, edx
            //   4c8d8424c8000000     | cmp                 esi, ebx
            //   488d542428           | je                  0xbd

        $sequence_33 = { ff15???????? 33d2 89b7184a0000 39971c4a0000 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   33d2                 | mov                 esi, eax
            //   89b7184a0000         | jmp                 0x36
            //   39971c4a0000         | dec                 eax

        $sequence_34 = { 415c 5f c3 bb01000000 e9???????? }
            // n = 5, score = 400
            //   415c                 | mov                 esp, ebp
            //   5f                   | pop                 ebp
            //   c3                   | ret                 4
            //   bb01000000           | push                0
            //   e9????????           |                     

        $sequence_35 = { 8b05???????? 35fc5585cf 4533c9 4533c0 418bd6 33c9 }
            // n = 6, score = 400
            //   8b05????????         |                     
            //   35fc5585cf           | cmp                 esi, ebx
            //   4533c9               | je                  0x66
            //   4533c0               | jmp                 0xffffffc1
            //   418bd6               | push                dword ptr [ebp + 0x10]
            //   33c9                 | push                ebx

        $sequence_36 = { 81f97acff109 0f840f010000 81f9eb6bfb0d 0f84de000000 }
            // n = 4, score = 400
            //   81f97acff109         | je                  0x2a
            //   0f840f010000         | inc                 ecx
            //   81f9eb6bfb0d         | mov                 ecx, 4
            //   0f84de000000         | inc                 ecx

        $sequence_37 = { 33d2 89442448 ff15???????? 33d2 }
            // n = 4, score = 400
            //   33d2                 | pop                 ebp
            //   89442448             | ret                 
            //   ff15????????         |                     
            //   33d2                 | movzx               ecx, word ptr [eax]

        $sequence_38 = { 4885db 7417 488b0d???????? 4c8bc3 33d2 }
            // n = 5, score = 400
            //   4885db               | cmp                 esi, ecx
            //   7417                 | jne                 0x2a
            //   488b0d????????       |                     
            //   4c8bc3               | inc                 esp
            //   33d2                 | mov                 eax, esi

        $sequence_39 = { 69f60d661900 ff75f4 81c65ff36e3c 89750c 8d750c e8???????? 8bf0 }
            // n = 7, score = 400
            //   69f60d661900         | xor                 eax, eax
            //   ff75f4               | inc                 ecx
            //   81c65ff36e3c         | mov                 edx, esi
            //   89750c               | xor                 ecx, ecx
            //   8d750c               | je                  0xfffffe43
            //   e8????????           |                     
            //   8bf0                 | cmp                 eax, 0xa6eec7ec

        $sequence_40 = { 56 8db4083089b9ed 57 8d45f4 50 8b450c 33db }
            // n = 7, score = 400
            //   56                   | push                ebx
            //   8db4083089b9ed       | push                dword ptr [ebp + 0xc]
            //   57                   | mov                 edi, esi
            //   8d45f4               | mov                 dword ptr [ebp + 8], 0x57
            //   50                   | cmp                 dword ptr [ebp + 0xc], ebx
            //   8b450c               | je                  0xb7
            //   33db                 | push                1

        $sequence_41 = { 33f6 46 8945f8 85c0 }
            // n = 4, score = 400
            //   33f6                 | lea                 eax, [esp + 0x40]
            //   46                   | dec                 esp
            //   8945f8               | lea                 ecx, [esp + 0x40]
            //   85c0                 | je                  0x10

        $sequence_42 = { 0f86b2000000 488b4c2450 4c8d442430 488d9424c8000000 e8???????? }
            // n = 5, score = 400
            //   0f86b2000000         | mov                 esp, ebp
            //   488b4c2450           | pop                 ebp
            //   4c8d442430           | ret                 4
            //   488d9424c8000000     | push                0
            //   e8????????           |                     

        $sequence_43 = { 483bc3 488b4550 4c8bc3 410f94c1 33d2 4889442420 }
            // n = 6, score = 400
            //   483bc3               | pop                 ebp
            //   488b4550             | ret                 4
            //   4c8bc3               | push                0
            //   410f94c1             | push                1
            //   33d2                 | pop                 ebp
            //   4889442420           | ret                 4

        $sequence_44 = { 8945f8 33ff eb03 8b750c }
            // n = 4, score = 400
            //   8945f8               | inc                 ebp
            //   33ff                 | lea                 esi, [ebx + edi]
            //   eb03                 | inc                 ecx
            //   8b750c               | cmp                 esi, 0x18

        $sequence_45 = { eb03 8b750c ff75f8 69f60d661900 ff75f4 81c65ff36e3c }
            // n = 6, score = 400
            //   eb03                 | cmp                 dword ptr [ebp + 0xc], 4
            //   8b750c               | jne                 0x20
            //   ff75f8               | push                dword ptr [ebp + 0x10]
            //   69f60d661900         | push                dword ptr [esi]
            //   ff75f4               | cmp                 esi, ebx
            //   81c65ff36e3c         | je                  0xbf

        $sequence_46 = { 33d2 3bc2 0f85bd000000 33c0 89942498000000 }
            // n = 5, score = 400
            //   33d2                 | ret                 8
            //   3bc2                 | push                ecx
            //   0f85bd000000         | push                ebx
            //   33c0                 | push                edi
            //   89942498000000       | push                0x84

        $sequence_47 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? 85c0 }
            // n = 7, score = 400
            //   c3                   | je                  0x10
            //   6a00                 | dec                 eax
            //   6800004000           | lea                 eax, [esp + 0x40]
            //   6a00                 | je                  0x10
            //   ff15????????         |                     
            //   a3????????           |                     
            //   85c0                 | dec                 eax

        $sequence_48 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | je                  0x16a
            //   33ff                 | cmp                 eax, 0xc4a87004
            //   47                   | je                  0xf9
            //   57                   | jne                 5
            //   be????????           |                     
            //   56                   | inc                 ecx
            //   8d542418             | shr                 ebx, 1

        $sequence_49 = { 8b450c 33db 895dfc e8???????? 8945f8 33ff }
            // n = 6, score = 400
            //   8b450c               | push                0xd
            //   33db                 | jmp                 0xffffffc3
            //   895dfc               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   8945f8               | push                ebx
            //   33ff                 | jmp                 0x5e

        $sequence_50 = { 8945f8 85c0 7551 ff33 50 6810040000 }
            // n = 6, score = 400
            //   8945f8               | dec                 eax
            //   85c0                 | test                eax, eax
            //   7551                 | je                  0x2d
            //   ff33                 | mov                 edi, dword ptr [ebx + 0x10]
            //   50                   | dec                 eax
            //   6810040000           | add                 edi, ebp

        $sequence_51 = { 488b572c 4533c9 448bc0 498bcd ff5320 498b4500 4489742478 }
            // n = 7, score = 400
            //   488b572c             | pop                 edi
            //   4533c9               | pop                 ebx
            //   448bc0               | mov                 esp, ebp
            //   498bcd               | pop                 ebp
            //   ff5320               | ret                 4
            //   498b4500             | push                0
            //   4489742478           | pop                 ebx

        $sequence_52 = { 0f84ca010000 8b424c a801 0f840f010000 8b424c }
            // n = 5, score = 400
            //   0f84ca010000         | mov                 esp, ebp
            //   8b424c               | pop                 ebp
            //   a801                 | ret                 4
            //   0f840f010000         | push                0
            //   8b424c               | pop                 ebp

        $sequence_53 = { 57 4883ec20 8b05???????? 8364243800 }
            // n = 4, score = 400
            //   57                   | ret                 4
            //   4883ec20             | push                0
            //   8b05????????         |                     
            //   8364243800           | push                1

        $sequence_54 = { 488d4c2450 4533c9 e8???????? 488b5c2428 }
            // n = 4, score = 400
            //   488d4c2450           | push                dword ptr [ebp + 0x10]
            //   4533c9               | push                ebx
            //   e8????????           |                     
            //   488b5c2428           | jmp                 0x5e

        $sequence_55 = { 33c0 89942498000000 899424a8000000 8984249c000000 }
            // n = 4, score = 400
            //   33c0                 | je                  0x22
            //   89942498000000       | pop                 edi
            //   899424a8000000       | pop                 ebx
            //   8984249c000000       | mov                 esp, ebp

        $sequence_56 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | lea                 esi, [eax + ecx - 0x124676d0]
            //   0f84e8000000         | push                edi
            //   3d0470a8c4           | lea                 eax, [ebp - 0xc]
            //   0f8486000000         | push                eax

        $sequence_57 = { 6810040000 ff15???????? 8945fc 85c0 741a 6804010000 8d4f10 }
            // n = 7, score = 400
            //   6810040000           | jmp                 0x36
            //   ff15????????         |                     
            //   8945fc               | dec                 eax
            //   85c0                 | lea                 eax, [0xffffd695]
            //   741a                 | dec                 eax
            //   6804010000           | test                eax, eax
            //   8d4f10               | dec                 eax

        $sequence_58 = { 488b0d???????? 4d8bc4 33d2 ff15???????? 488bf8 }
            // n = 5, score = 400
            //   488b0d????????       |                     
            //   4d8bc4               | inc                 esi
            //   33d2                 | mov                 dword ptr [ebp - 8], eax
            //   ff15????????         |                     
            //   488bf8               | test                eax, eax

        $sequence_59 = { 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 4, score = 400
            //   4883f8ff             | inc                 ecx
            //   488bf8               | mov                 ecx, 4
            //   7445                 | inc                 ecx
            //   488d842488000000     | cmp                 esi, ecx

        $sequence_60 = { 3decc7eea6 0f8459010000 3d0470a8c4 0f84dd000000 }
            // n = 4, score = 400
            //   3decc7eea6           | dec                 eax
            //   0f8459010000         | mov                 edx, edi
            //   3d0470a8c4           | jmp                 0x34
            //   0f84dd000000         | je                  0x7e

        $sequence_61 = { 3bc7 0f85dc000000 57 ff7618 }
            // n = 4, score = 300
            //   3bc7                 | je                  0x10
            //   0f85dc000000         | dec                 eax
            //   57                   | lea                 eax, [esp + 0x40]
            //   ff7618               | dec                 esp

        $sequence_62 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | ret                 
            //   ff15????????         |                     
            //   488bd8               | mov                 ebx, 1
            //   493bc7               | mov                 eax, dword ptr [esp + 0x30]

        $sequence_63 = { f605????????04 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 4c8d442440 }
            // n = 7, score = 300
            //   f605????????04       |                     
            //   740e                 | and                 dword ptr [esp + 0x38], 0
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | dec                 eax
            //   4c8d4c2440           | lea                 edx, [esp + 0x40]
            //   4c8d442440           | mov                 dword ptr [esp + 0x40], eax

        $sequence_64 = { ff7508 46 e8???????? 85c0 0f845d030000 53 }
            // n = 6, score = 300
            //   ff7508               | dec                 esp
            //   46                   | lea                 ecx, [esp + 0x40]
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   0f845d030000         | lea                 eax, [esp + 0x40]
            //   53                   | je                  0x10

        $sequence_65 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? }
            // n = 5, score = 300
            //   4d3bef               | pop                 esp
            //   7415                 | pop                 edi
            //   498bd5               | ret                 
            //   4883c9ff             | mov                 ebx, 1
            //   ff15????????         |                     

        $sequence_66 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | dec                 eax
            //   742f                 | sub                 esp, 0x20
            //   488d4810             | and                 dword ptr [esp + 0x38], 0
            //   ff15????????         |                     

        $sequence_67 = { 50 e8???????? 8bf0 8975f4 3bf7 0f8487000000 }
            // n = 6, score = 300
            //   50                   | dec                 esp
            //   e8????????           |                     
            //   8bf0                 | lea                 ecx, [esp + 0x40]
            //   8975f4               | je                  0x10
            //   3bf7                 | dec                 eax
            //   0f8487000000         | lea                 eax, [esp + 0x40]

        $sequence_68 = { 40 50 e8???????? 8945f0 3bc7 }
            // n = 5, score = 300
            //   40                   | lea                 ecx, [esp + 0x40]
            //   50                   | dec                 esp
            //   e8????????           |                     
            //   8945f0               | lea                 eax, [esp + 0x40]
            //   3bc7                 | dec                 eax

        $sequence_69 = { 5f 5b 8be5 5d c20400 8325????????00 6a00 }
            // n = 7, score = 300
            //   5f                   | push                dword ptr [ebp - 8]
            //   5b                   | xor                 ebx, ebx
            //   8be5                 | mov                 dword ptr [ebp - 4], ebx
            //   5d                   | mov                 dword ptr [ebp - 8], eax
            //   c20400               | xor                 edi, edi
            //   8325????????00       |                     
            //   6a00                 | lea                 esi, [eax + ecx - 0x124676d0]

        $sequence_70 = { e9???????? 6800100000 e8???????? 8945f8 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   6800100000           | dec                 eax
            //   e8????????           |                     
            //   8945f8               | lea                 eax, [esp + 0x40]

        $sequence_71 = { 8b45fc 0fb700 8bc8 81e100f00000 }
            // n = 4, score = 300
            //   8b45fc               | inc                 ecx
            //   0fb700               | pop                 esp
            //   8bc8                 | pop                 edi
            //   81e100f00000         | dec                 eax

        $sequence_72 = { 7406 890d???????? 840d???????? 7405 e8???????? }
            // n = 5, score = 300
            //   7406                 | dec                 eax
            //   890d????????         |                     
            //   840d????????         |                     
            //   7405                 | lea                 eax, [esp + 0x40]
            //   e8????????           |                     

        $sequence_73 = { 59 59 3bf3 7469 83c614 3b75f8 7361 }
            // n = 7, score = 300
            //   59                   | mov                 dword ptr [esp + 0x30], eax
            //   59                   | jmp                 0x36
            //   3bf3                 | dec                 eax
            //   7469                 | lea                 eax, [0xffffd695]
            //   83c614               | dec                 eax
            //   3b75f8               | test                eax, eax
            //   7361                 | je                  0x34

        $sequence_74 = { 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 6, score = 300
            //   4885c9               | dec                 eax
            //   7405                 | cmp                 eax, ebx
            //   e8????????           |                     
            //   4883c428             | dec                 eax
            //   c3                   | mov                 eax, dword ptr [ebp + 0x50]
            //   4053                 | dec                 esp

        $sequence_75 = { e8???????? a1???????? 83c40c 83c01e 50 ffd7 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   a1????????           |                     
            //   83c40c               | sub                 esp, 0x20
            //   83c01e               | dec                 esp
            //   50                   | mov                 eax, dword ptr [ecx + 8]
            //   ffd7                 | dec                 eax

        $sequence_76 = { eb34 488d0595d6ffff 4885c0 7428 8b7b10 }
            // n = 5, score = 200
            //   eb34                 | add                 eax, 0x36
            //   488d0595d6ffff       | call                edi
            //   4885c0               | push                0x3a
            //   7428                 | mov                 eax, dword ptr [eax + 0x36]
            //   8b7b10               | test                eax, eax

        $sequence_77 = { 8b9314170000 83432801 b910000000 8d42f3 2aca }
            // n = 5, score = 200
            //   8b9314170000         | cmp                 byte ptr [ebx + ebp], al
            //   83432801             | jne                 0x27
            //   b910000000           | inc                 esp
            //   8d42f3               | mov                 eax, edx
            //   2aca                 | dec                 ecx

        $sequence_78 = { 4883c12e ff15???????? 448a1f 443a5b08 7315 488b0b 410fb6c3 }
            // n = 7, score = 200
            //   4883c12e             | lea                 ebx, [esi + 0x10]
            //   ff15????????         |                     
            //   448a1f               | inc                 ebp
            //   443a5b08             | xor                 esi, esi
            //   7315                 | dec                 eax
            //   488b0b               | mov                 ecx, dword ptr [ebx]
            //   410fb6c3             | and                 eax, 0x80

        $sequence_79 = { 488bce ff15???????? 488b0d???????? 4883c12e }
            // n = 4, score = 200
            //   488bce               | xor                 ecx, ecx
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4883c12e             | dec                 eax

        $sequence_80 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | mov                 ebx, eax
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | dec                 ecx
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | cmp                 eax, edi

        $sequence_81 = { c9 c20800 55 8bec 81ec1c010000 8d4807 }
            // n = 6, score = 200
            //   c9                   | push                dword ptr [ebp + 8]
            //   c20800               | inc                 esi
            //   55                   | test                eax, eax
            //   8bec                 | je                  0x366
            //   81ec1c010000         | push                ebx
            //   8d4807               | je                  8

        $sequence_82 = { 89542464 ffd3 56 57 e8???????? }
            // n = 5, score = 200
            //   89542464             | pop                 edi
            //   ffd3                 | dec                 ebp
            //   56                   | cmp                 ebp, edi
            //   57                   | je                  0x17
            //   e8????????           |                     

        $sequence_83 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | sub                 esp, 0x18
            //   48c7c101000080       | add                 eax, 0x1e
            //   ff15????????         |                     

        $sequence_84 = { 50 ff742438 8b442440 e8???????? 8b0d???????? 89442414 83c136 }
            // n = 7, score = 200
            //   50                   | mov                 eax, dword ptr [ecx + 8]
            //   ff742438             | dec                 eax
            //   8b442440             | mov                 ebx, ecx
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   89442414             | dec                 ebp
            //   83c136               | test                eax, eax

        $sequence_85 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | or                  ecx, 0xffffffff
            //   4889442420           | dec                 esp
            //   e8????????           |                     
            //   3bc3                 | mov                 eax, esi
            //   0f859b000000         | dec                 eax

        $sequence_86 = { a1???????? 83c01e 50 ffd6 }
            // n = 4, score = 200
            //   a1????????           |                     
            //   83c01e               | inc                 eax
            //   50                   | push                ebx
            //   ffd6                 | dec                 eax

        $sequence_87 = { 488b0d???????? 448be0 f0834156ff 85c0 }
            // n = 4, score = 200
            //   488b0d????????       |                     
            //   448be0               | push                eax
            //   f0834156ff           | call                esi
            //   85c0                 | xor                 ecx, ecx

        $sequence_88 = { 5d c3 0fb708 6683f902 751c }
            // n = 5, score = 200
            //   5d                   | mov                 dword ptr [ebp - 4], eax
            //   c3                   | test                eax, eax
            //   0fb708               | mov                 dword ptr [ebp - 8], eax
            //   6683f902             | test                eax, eax
            //   751c                 | jne                 0x55

        $sequence_89 = { e9???????? 83e908 74eb 2bcb 0f84fa000000 2bcb }
            // n = 6, score = 200
            //   e9????????           |                     
            //   83e908               | lea                 eax, [esp + 0x40]
            //   74eb                 | dec                 eax
            //   2bcb                 | mov                 dword ptr [esp + 0x30], eax
            //   0f84fa000000         | je                  0x10
            //   2bcb                 | dec                 eax

        $sequence_90 = { ffd7 8b1d???????? 6a3a b8???????? }
            // n = 4, score = 200
            //   ffd7                 | mov                 eax, dword ptr [ecx + 8]
            //   8b1d????????         |                     
            //   6a3a                 | dec                 eax
            //   b8????????           |                     

        $sequence_91 = { c3 33c0 483bc8 7458 488b5128 483bd0 }
            // n = 6, score = 200
            //   c3                   | dec                 eax
            //   33c0                 | lea                 eax, [esp + 0x40]
            //   483bc8               | je                  0x10
            //   7458                 | dec                 eax
            //   488b5128             | lea                 eax, [esp + 0x40]
            //   483bd0               | dec                 esp

        $sequence_92 = { 8d4604 66d3e0 66098310170000 8d4103 }
            // n = 4, score = 200
            //   8d4604               | dec                 esp
            //   66d3e0               | lea                 ecx, [esp + 0x40]
            //   66098310170000       | jle                 0x430
            //   8d4103               | inc                 edx

        $sequence_93 = { 83c01e 50 ff15???????? c20400 55 8bec 83ec18 }
            // n = 7, score = 200
            //   83c01e               | inc                 ebp
            //   50                   | xor                 ecx, ecx
            //   ff15????????         |                     
            //   c20400               | inc                 ebp
            //   55                   | xor                 eax, eax
            //   8bec                 | call                dword ptr [eax + 0x28]
            //   83ec18               | dec                 eax

        $sequence_94 = { ff15???????? eb0b b90a000000 ff15???????? 4c8b1d???????? 418b4356 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   eb0b                 | inc                 ebp
            //   b90a000000           | xor                 eax, eax
            //   ff15????????         |                     
            //   4c8b1d????????       |                     
            //   418b4356             | xor                 edx, edx

        $sequence_95 = { 5b c20800 51 53 57 6884000000 e8???????? }
            // n = 7, score = 200
            //   5b                   | ret                 
            //   c20800               | push                0
            //   51                   | push                0x400000
            //   53                   | push                0
            //   57                   | test                eax, eax
            //   6884000000           | ret                 
            //   e8????????           |                     

        $sequence_96 = { e8???????? 488b0d???????? 4883c12e ff15???????? 8ac3 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4883c12e             | push                0x3a
            //   ff15????????         |                     
            //   8ac3                 | add                 eax, 0x36

        $sequence_97 = { 0f8e2a040000 8a05???????? 4238042b 7521 448bc2 4963ce }
            // n = 6, score = 200
            //   0f8e2a040000         | pop                 edi
            //   8a05????????         |                     
            //   4238042b             | ret                 
            //   7521                 | dec                 ecx
            //   448bc2               | cmp                 eax, ebp
            //   4963ce               | je                  0x31

        $sequence_98 = { e8???????? 8bd8 a1???????? 83c036 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8bd8                 | sub                 esp, 0x20
            //   a1????????           |                     
            //   83c036               | dec                 esp

        $sequence_99 = { a1???????? 8b4036 85c0 75ec 8b442404 53 }
            // n = 6, score = 200
            //   a1????????           |                     
            //   8b4036               | pop                 edi
            //   85c0                 | ret                 
            //   75ec                 | inc                 eax
            //   8b442404             | push                ebx
            //   53                   | dec                 eax

        $sequence_100 = { ff15???????? 8bd8 413bde 0f8517030000 f605????????04 740e 44893d???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8bd8                 | add                 eax, 0x36
            //   413bde               | inc                 ecx
            //   0f8517030000         | mov                 dword ptr [ebp - 0xc], esi
            //   f605????????04       |                     
            //   740e                 | call                edi
            //   44893d????????       |                     

        $sequence_101 = { 50 ff15???????? a1???????? 33c9 83c036 41 f00fc108 }
            // n = 7, score = 200
            //   50                   | dec                 ebp
            //   ff15????????         |                     
            //   a1????????           |                     
            //   33c9                 | test                eax, eax
            //   83c036               | ret                 
            //   41                   | inc                 eax
            //   f00fc108             | push                ebx

        $sequence_102 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   5e                   | test                eax, eax
            //   5d                   | je                  0x1e
            //   5b                   | push                0x104
            //   c3                   | lea                 ecx, [edi + 0x10]
            //   eb10                 | push                eax

        $sequence_103 = { 83839c000000ff 397818 0f852ffcffff 33c0 }
            // n = 4, score = 200
            //   83839c000000ff       | xor                 ebx, ebx
            //   397818               | inc                 ecx
            //   0f852ffcffff         | cmp                 eax, 0x11
            //   33c0                 | dec                 eax

        $sequence_104 = { 0f84a0010000 3bfe 0f8498010000 ff742418 ff15???????? }
            // n = 5, score = 200
            //   0f84a0010000         | mov                 ebp, dword ptr [esp + 0x50]
            //   3bfe                 | mov                 eax, esi
            //   0f8498010000         | dec                 eax
            //   ff742418             | mov                 esi, dword ptr [esp + 0x58]
            //   ff15????????         |                     

        $sequence_105 = { e9???????? 83f916 0f8fa7080000 0f8415080000 }
            // n = 4, score = 200
            //   e9????????           |                     
            //   83f916               | arpl                si, cx
            //   0f8fa7080000         | jle                 0x430
            //   0f8415080000         | inc                 edx

        $sequence_106 = { 8d4710 e8???????? 83a78c00000000 33c0 c3 51 e8???????? }
            // n = 7, score = 200
            //   8d4710               | push                0
            //   e8????????           |                     
            //   83a78c00000000       | push                0x400000
            //   33c0                 | push                0
            //   c3                   | push                0x1000
            //   51                   | mov                 dword ptr [ebp - 8], eax
            //   e8????????           |                     

        $sequence_107 = { 68???????? c74424340c000000 895c243c e8???????? }
            // n = 4, score = 100
            //   68????????           |                     
            //   c74424340c000000     | lea                 ecx, [edi + 0x10]
            //   895c243c             | push                ecx
            //   e8????????           |                     

        $sequence_108 = { e8???????? 85c0 0f849d010000 395c244c 7407 68???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | push                0x104
            //   0f849d010000         | lea                 ecx, [edi + 0x10]
            //   395c244c             | ret                 
            //   7407                 | push                0
            //   68????????           |                     

        $sequence_109 = { 32ec e25e 37 91 da885a791c0a 99 }
            // n = 6, score = 100
            //   32ec                 | push                0x104
            //   e25e                 | lea                 ecx, [edi + 0x10]
            //   37                   | push                ecx
            //   91                   | mov                 dword ptr [ebp - 4], eax
            //   da885a791c0a         | test                eax, eax
            //   99                   | je                  0x1e

        $sequence_110 = { 83c004 41 3bc2 7cf4 }
            // n = 4, score = 100
            //   83c004               | je                  0x1e
            //   41                   | push                0x104
            //   3bc2                 | test                eax, eax
            //   7cf4                 | jne                 0x53

        $sequence_111 = { 894de4 894df4 894df8 894dec c745e0e724be03 8945d8 751b }
            // n = 7, score = 100
            //   894de4               | mov                 eax, dword ptr [ebp - 4]
            //   894df4               | movzx               eax, word ptr [eax]
            //   894df8               | mov                 ecx, eax
            //   894dec               | and                 ecx, 0xf000
            //   c745e0e724be03       | je                  0x1a6
            //   8945d8               | cmp                 edi, esi
            //   751b                 | je                  0x1a0

        $sequence_112 = { 6a01 e8???????? 85c0 0f8534030000 8b3d???????? 813d????????ca52a99a 8b4c2420 }
            // n = 7, score = 100
            //   6a01                 | push                dword ptr [ebx]
            //   e8????????           |                     
            //   85c0                 | push                eax
            //   0f8534030000         | push                0x410
            //   8b3d????????         |                     
            //   813d????????ca52a99a     |     
            //   8b4c2420             | mov                 dword ptr [ebp - 4], eax

        $sequence_113 = { 1110 81c13231038d 848698046e99 16 }
            // n = 4, score = 100
            //   1110                 | cmp                 dword ptr [edi + 0x4a1c], edx
            //   81c13231038d         | mov                 dword ptr [ebp - 8], eax
            //   848698046e99         | test                eax, eax
            //   16                   | jne                 0x55

        $sequence_114 = { 8bd8 ffd7 ff75e8 ffd7 eb08 }
            // n = 5, score = 100
            //   8bd8                 | push                0
            //   ffd7                 | push                eax
            //   ff75e8               | push                0x410
            //   ffd7                 | mov                 dword ptr [ebp - 4], eax
            //   eb08                 | test                eax, eax

        $sequence_115 = { 740f 8b4e08 c745e8a8200410 894dec eb07 8b06 8945ec }
            // n = 7, score = 100
            //   740f                 | xor                 esi, esi
            //   8b4e08               | inc                 esi
            //   c745e8a8200410       | mov                 dword ptr [ebp - 8], eax
            //   894dec               | test                eax, eax
            //   eb07                 | jne                 0x59
            //   8b06                 | mov                 dword ptr [ebp - 8], eax
            //   8945ec               | test                eax, eax

        $sequence_116 = { 8b35???????? 6a00 ffd6 ff742414 ff742414 57 e8???????? }
            // n = 7, score = 100
            //   8b35????????         |                     
            //   6a00                 | lea                 eax, [edi + 0x218]
            //   ffd6                 | push                eax
            //   ff742414             | push                dword ptr [ebx + 0x10]
            //   ff742414             | xor                 edx, edx
            //   57                   | mov                 dword ptr [edi + 0x4a18], esi
            //   e8????????           |                     

        $sequence_117 = { 57 35fa446809 33ff 57 50 8d45f8 50 }
            // n = 7, score = 100
            //   57                   | push                0x400000
            //   35fa446809           | push                0
            //   33ff                 | test                eax, eax
            //   57                   | ret                 
            //   50                   | push                0
            //   8d45f8               | push                0x400000
            //   50                   | push                0

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules
DreamBot Propose Change

References

Yara Rules

DreamBot
