DreamBot (Malware Family)

DreamBot

URLhaus
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
See win.gozi for additional historical information.
References

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman
The Inter Skimmer Kit
magecart DreamBot TeslaCrypt
2020-08-28 ⋅ Checkpoint ⋅ Check Point Research
Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-05-01 ⋅ CSIS ⋅ Benoît Ancel
The end of Dreambot? Obituary for a loved piece of Gozi.
DreamBot
2020-02-07 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2017-05-29 ⋅ Lokalhost.pl ⋅ Maciej Kotowicz
Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29 ⋅ Proofpoint ⋅ Proofpoint Staff
Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules

[TLP:WHITE] win_dreambot_auto (20230125 | Detects win.dreambot.)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.dreambot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7320 e8???????? 8bf8 85ff 7410 ff7320 }
            // n = 6, score = 700
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7410                 | je                  0x12
            //   ff7320               | push                dword ptr [ebx + 0x20]

        $sequence_1 = { ff742410 89442418 ff15???????? 85c0 }
            // n = 4, score = 700
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { 894320 8b442410 894310 836730f9 }
            // n = 4, score = 700
            //   894320               | mov                 dword ptr [ebx + 0x20], eax
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   894310               | mov                 dword ptr [ebx + 0x10], eax
            //   836730f9             | and                 dword ptr [edi + 0x30], 0xfffffff9

        $sequence_3 = { 8b37 894724 e8???????? 8b7704 e8???????? 8b7708 }
            // n = 6, score = 700
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   894724               | mov                 dword ptr [edi + 0x24], eax
            //   e8????????           |                     
            //   8b7704               | mov                 esi, dword ptr [edi + 4]
            //   e8????????           |                     
            //   8b7708               | mov                 esi, dword ptr [edi + 8]

        $sequence_4 = { 53 ff7614 ff15???????? 85c0 751f ff15???????? 8bf8 }
            // n = 7, score = 700
            //   53                   | push                ebx
            //   ff7614               | push                dword ptr [esi + 0x14]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_5 = { 8b4730 a801 7454 68???????? 68???????? ff7320 e8???????? }
            // n = 7, score = 700
            //   8b4730               | mov                 eax, dword ptr [edi + 0x30]
            //   a801                 | test                al, 1
            //   7454                 | je                  0x56
            //   68????????           |                     
            //   68????????           |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   e8????????           |                     

        $sequence_6 = { ffd6 897b20 6a00 68???????? ff7320 }
            // n = 5, score = 700
            //   ffd6                 | call                esi
            //   897b20               | mov                 dword ptr [ebx + 0x20], edi
            //   6a00                 | push                0
            //   68????????           |                     
            //   ff7320               | push                dword ptr [ebx + 0x20]

        $sequence_7 = { 85c0 751a ff7320 50 ff35???????? ffd6 }
            // n = 6, score = 700
            //   85c0                 | test                eax, eax
            //   751a                 | jne                 0x1c
            //   ff7320               | push                dword ptr [ebx + 0x20]
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ffd6                 | call                esi

        $sequence_8 = { 6a0d ebbf ff7510 53 68???????? }
            // n = 5, score = 600
            //   6a0d                 | cmp                 esi, ecx
            //   ebbf                 | jne                 0x25
            //   ff7510               | je                  0xb2
            //   53                   | inc                 ecx
            //   68????????           |                     

        $sequence_9 = { 395d0c 0f848d000000 6a07 ebdd 3bf3 0f8481000000 }
            // n = 6, score = 600
            //   395d0c               | jne                 0x2d
            //   0f848d000000         | cmp                 edi, ebx
            //   6a07                 | jne                 0x51
            //   ebdd                 | push                dword ptr [esi + 0x18]
            //   3bf3                 | dec                 ecx
            //   0f8481000000         | cmp                 edi, ebp

        $sequence_10 = { ebcc 3bf3 7474 395d0c 746f }
            // n = 5, score = 600
            //   ebcc                 | push                0xd
            //   3bf3                 | jmp                 0xffffffc1
            //   7474                 | push                dword ptr [ebp + 0x10]
            //   395d0c               | push                ebx
            //   746f                 | cmp                 esi, ebx

        $sequence_11 = { 3bf3 0f84b7000000 395d0c 0f84ae000000 6a01 ff750c }
            // n = 6, score = 600
            //   3bf3                 | jne                 0x22
            //   0f84b7000000         | push                dword ptr [ebp + 0x10]
            //   395d0c               | cmp                 dword ptr [ebp + 0xc], ebx
            //   0f84ae000000         | je                  0x93
            //   6a01                 | push                7
            //   ff750c               | jmp                 0xffffffe7

        $sequence_12 = { 3bf3 0f8481000000 395d0c 747c 6a03 ebcc 3bf3 }
            // n = 7, score = 600
            //   3bf3                 | mov                 eax, 7
            //   0f8481000000         | jmp                 0xffffffdf
            //   395d0c               | dec                 ecx
            //   747c                 | cmp                 edi, ebp
            //   6a03                 | je                  0xac
            //   ebcc                 | je                  0x61
            //   3bf3                 | mov                 edx, esi

        $sequence_13 = { 3bf3 745c 395d0c 7457 53 }
            // n = 5, score = 600
            //   3bf3                 | je                  0x87
            //   745c                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   395d0c               | je                  0x87
            //   7457                 | push                3
            //   53                   | jmp                 0xffffffdb

        $sequence_14 = { 85c0 7520 3bf3 741c 837d0c04 7516 ff7510 }
            // n = 7, score = 600
            //   85c0                 | cmp                 edi, ebp
            //   7520                 | je                  0xac
            //   3bf3                 | inc                 ecx
            //   741c                 | cmp                 esi, ebp
            //   837d0c04             | jmp                 0x2e
            //   7516                 | inc                 ecx
            //   ff7510               | cmp                 eax, ebp

        $sequence_15 = { e8???????? 894508 8b7d08 eb24 a1???????? 85c0 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   894508               | dec                 eax
            //   8b7d08               | mov                 ecx, edi
            //   eb24                 | mov                 ebx, 0x57
            //   a1????????           |                     
            //   85c0                 | inc                 ecx

        $sequence_16 = { 0f84ac000000 41b807000000 ebd7 493bfd 0f849b000000 }
            // n = 5, score = 500
            //   0f84ac000000         | je                  0xb2
            //   41b807000000         | inc                 ecx
            //   ebd7                 | mov                 eax, 7
            //   493bfd               | jmp                 0xffffffd9
            //   0f849b000000         | dec                 ecx

        $sequence_17 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | inc                 eax
            //   41834b3401           | push                ebx

        $sequence_18 = { 4c8bc5 e8???????? 8bd8 83fbff }
            // n = 4, score = 500
            //   4c8bc5               | dec                 ecx
            //   e8????????           |                     
            //   8bd8                 | cmp                 edi, ebp
            //   83fbff               | je                  0xbb

        $sequence_19 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? }
            // n = 4, score = 500
            //   4c896c2420           | je                  0x9c
            //   e8????????           |                     
            //   4c8b442468           | cmp                 dword ptr [ebp + 0xc], ebx
            //   488b0d????????       |                     

        $sequence_20 = { 0f849b000000 413bf5 0f8492000000 41b803000000 ebbd 493bfd }
            // n = 6, score = 500
            //   0f849b000000         | cmp                 edi, ebp
            //   413bf5               | je                  0xa1
            //   0f8492000000         | je                  0xa1
            //   41b803000000         | inc                 ecx
            //   ebbd                 | cmp                 esi, ebp
            //   493bfd               | je                  0x9b

        $sequence_21 = { 493bfd 0f84b5000000 413bf5 0f84ac000000 }
            // n = 4, score = 500
            //   493bfd               | je                  0x8a
            //   0f84b5000000         | inc                 ecx
            //   413bf5               | cmp                 esi, ebp
            //   0f84ac000000         | inc                 ecx

        $sequence_22 = { 4c8b18 488b542460 4533c9 488bc8 }
            // n = 4, score = 500
            //   4c8b18               | or                  ecx, 0xffffffff
            //   488b542460           | mov                 ecx, eax
            //   4533c9               | dec                 eax
            //   488bc8               | mov                 ebp, dword ptr [esp + 0x50]

        $sequence_23 = { 488bcf e8???????? e9???????? 493bfd 0f84b5000000 }
            // n = 5, score = 500
            //   488bcf               | cmp                 edi, ebp
            //   e8????????           |                     
            //   e9????????           |                     
            //   493bfd               | je                  0x98
            //   0f84b5000000         | inc                 ecx

        $sequence_24 = { 49ffc7 418d5620 498bcf ff15???????? }
            // n = 4, score = 500
            //   49ffc7               | mov                 eax, 0x800
            //   418d5620             | dec                 eax
            //   498bcf               | mov                 esi, eax
            //   ff15????????         |                     

        $sequence_25 = { ff15???????? e9???????? 493bfd 0f84d9000000 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   e9????????           |                     
            //   493bfd               | dec                 ecx
            //   0f84d9000000         | cmp                 edi, ebp

        $sequence_26 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | push                ecx
            //   4533c9               | mov                 dword ptr [ebp - 4], eax
            //   4533c0               | test                eax, eax
            //   ff5028               | je                  0x1e

        $sequence_27 = { ebbd 493bfd 0f8481000000 413bf5 }
            // n = 4, score = 500
            //   ebbd                 | jmp                 0xffffffd9
            //   493bfd               | dec                 ecx
            //   0f8481000000         | cmp                 edi, ebp
            //   413bf5               | je                  0xa4

        $sequence_28 = { bb57000000 e8???????? 413bc5 7446 }
            // n = 4, score = 500
            //   bb57000000           | inc                 ecx
            //   e8????????           |                     
            //   413bc5               | cmp                 esi, ebp
            //   7446                 | jmp                 0xffffffbf

        $sequence_29 = { 4533f6 488b0b 2580000000 418d5620 }
            // n = 4, score = 500
            //   4533f6               | push                ecx
            //   488b0b               | push                0
            //   2580000000           | mov                 eax, dword ptr [edi + 0x4a18]
            //   418d5620             | push                esi

        $sequence_30 = { 492bd0 4803542460 41ff5220 4c8b442460 }
            // n = 4, score = 500
            //   492bd0               | je                  0x1a
            //   4803542460           | dec                 ecx
            //   41ff5220             | mov                 edx, ebp
            //   4c8b442460           | dec                 eax

        $sequence_31 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 }
            // n = 6, score = 500
            //   5f                   | test                eax, eax
            //   c3                   | je                  0x1c
            //   4053                 | push                0x104
            //   4883ec20             | lea                 ecx, [edi + 0x10]
            //   4c8b4108             | push                ecx
            //   488bd9               | push                0

        $sequence_32 = { 488bc8 ff15???????? 85c0 7411 8b542438 488bcb }
            // n = 6, score = 400
            //   488bc8               | dec                 esp
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, dword ptr [ecx + 8]
            //   7411                 | dec                 eax
            //   8b542438             | mov                 ebx, ecx
            //   488bcb               | dec                 ebp

        $sequence_33 = { 3c09 7618 8a07 2c41 3c05 8a07 }
            // n = 6, score = 400
            //   3c09                 | call                edi
            //   7618                 | push                0x3a
            //   8a07                 | mov                 ecx, dword ptr [esp + 4]
            //   2c41                 | mov                 dword ptr [eax], ecx
            //   3c05                 | add                 eax, 0x1e
            //   8a07                 | push                eax

        $sequence_34 = { 3df3b7b9a2 746e 837c244c01 765d }
            // n = 4, score = 400
            //   3df3b7b9a2           | mov                 eax, dword ptr [ecx + 8]
            //   746e                 | dec                 eax
            //   837c244c01           | mov                 ebx, ecx
            //   765d                 | pop                 edi

        $sequence_35 = { 488bcf c744242860ea0000 48895c2420 e8???????? 85c0 8bd8 7567 }
            // n = 7, score = 400
            //   488bcf               | cmp                 dword ptr [ebp + 0xc], ebx
            //   c744242860ea0000     | je                  0xbd
            //   48895c2420           | push                1
            //   e8????????           |                     
            //   85c0                 | push                dword ptr [ebp + 0xc]
            //   8bd8                 | push                7
            //   7567                 | jmp                 0xffffffdf

        $sequence_36 = { 418b44241c 488d5e10 4533f6 488b0b }
            // n = 4, score = 400
            //   418b44241c           | inc                 esi
            //   488d5e10             | mov                 dword ptr [ebp - 8], eax
            //   4533f6               | test                eax, eax
            //   488b0b               | jne                 0x59

        $sequence_37 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | xor                 edi, edi
            //   0f84e8000000         | jmp                 5
            //   3d0470a8c4           | mov                 esi, dword ptr [ebp + 0xc]
            //   0f8486000000         | push                dword ptr [ebp - 8]

        $sequence_38 = { 85c0 741a 6804010000 8d4f10 }
            // n = 4, score = 400
            //   85c0                 | dec                 eax
            //   741a                 | test                eax, eax
            //   6804010000           | dec                 eax
            //   8d4f10               | mov                 esi, eax

        $sequence_39 = { 488bcb e8???????? 8b9424c8000000 488bcb e8???????? f7d0 eb07 }
            // n = 7, score = 400
            //   488bcb               | je                  0x66
            //   e8????????           |                     
            //   8b9424c8000000       | cmp                 dword ptr [ebp + 0xc], 4
            //   488bcb               | jne                 0x18
            //   e8????????           |                     
            //   f7d0                 | push                dword ptr [ebp + 0x10]
            //   eb07                 | push                dword ptr [esi]

        $sequence_40 = { 33d2 3bc2 0f85bd000000 33c0 89942498000000 899424a8000000 8984249c000000 }
            // n = 7, score = 400
            //   33d2                 | pop                 ebp
            //   3bc2                 | pop                 ebx
            //   0f85bd000000         | ret                 
            //   33c0                 | jmp                 0x15
            //   89942498000000       | pop                 edi
            //   899424a8000000       | pop                 esi
            //   8984249c000000       | pop                 ebx

        $sequence_41 = { 488bce ff15???????? 488b0d???????? 33d2 41b800080000 }
            // n = 5, score = 400
            //   488bce               | cmp                 dword ptr [edi + 0x4a1c], edx
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   33d2                 | mov                 ebp, eax
            //   41b800080000         | test                ebp, ebp

        $sequence_42 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | mov                 dword ptr [ebp - 4], ebx
            //   33ff                 | mov                 dword ptr [ebp - 8], eax
            //   47                   | xor                 edi, edi
            //   57                   | push                dword ptr [ebp - 8]
            //   be????????           |                     
            //   56                   | imul                esi, esi, 0x19660d
            //   8d542418             | push                dword ptr [ebp - 0xc]

        $sequence_43 = { eb03 8b750c ff75f8 69f60d661900 ff75f4 }
            // n = 5, score = 400
            //   eb03                 | jmp                 0xd
            //   8b750c               | push                dword ptr [ebp - 0xc]
            //   ff75f8               | add                 esi, 0x3c6ef35f
            //   69f60d661900         | mov                 dword ptr [ebp + 0xc], esi
            //   ff75f4               | lea                 esi, [ebp + 0xc]

        $sequence_44 = { 33d2 89442448 ff15???????? 33d2 }
            // n = 4, score = 400
            //   33d2                 | ret                 8
            //   89442448             | push                ecx
            //   ff15????????         |                     
            //   33d2                 | push                ebx

        $sequence_45 = { 8d8718020000 50 ff7310 ff15???????? 33d2 89b7184a0000 }
            // n = 6, score = 400
            //   8d8718020000         | dec                 eax
            //   50                   | cmp                 eax, -1
            //   ff7310               | dec                 eax
            //   ff15????????         |                     
            //   33d2                 | mov                 edi, eax
            //   89b7184a0000         | je                  0x4a

        $sequence_46 = { 6810040000 ff15???????? 8945fc 85c0 741a }
            // n = 5, score = 400
            //   6810040000           | test                eax, eax
            //   ff15????????         |                     
            //   8945fc               | mov                 ebx, eax
            //   85c0                 | jne                 0x7a
            //   741a                 | dec                 esp

        $sequence_47 = { 33d2 ff15???????? 48895f2c 488b472c c6400731 }
            // n = 5, score = 400
            //   33d2                 | push                ebx
            //   ff15????????         |                     
            //   48895f2c             | dec                 eax
            //   488b472c             | sub                 esp, 0x20
            //   c6400731             | dec                 esp

        $sequence_48 = { 56 33f6 46 8945f8 }
            // n = 4, score = 400
            //   56                   | dec                 eax
            //   33f6                 | lea                 eax, [esp + 0x88]
            //   46                   | dec                 eax
            //   8945f8               | cmp                 eax, -1

        $sequence_49 = { 33ff 3bc7 7528 83bc241001000003 }
            // n = 4, score = 400
            //   33ff                 | cmp                 cx, 2
            //   3bc7                 | jne                 0x25
            //   7528                 | cmp                 word ptr [eax + 2], 0
            //   83bc241001000003     | je                  0x21

        $sequence_50 = { 33d2 3bc2 7414 8b442444 0fb74c245a 3bc2 }
            // n = 6, score = 400
            //   33d2                 | push                ebp
            //   3bc2                 | mov                 ebp, esp
            //   7414                 | sub                 esp, 0x11c
            //   8b442444             | lea                 ecx, [eax + 7]
            //   0fb74c245a           | push                dword ptr [edi + 0x82c]
            //   3bc2                 | pop                 esi

        $sequence_51 = { 81f97acff109 0f840f010000 81f9eb6bfb0d 0f84de000000 81f9281d9f16 0f84cb000000 }
            // n = 6, score = 400
            //   81f97acff109         | push                esi
            //   0f840f010000         | cmp                 esi, ebx
            //   81f9eb6bfb0d         | je                  0x9e
            //   0f84de000000         | cmp                 dword ptr [ebp + 0xc], ebx
            //   81f9281d9f16         | mov                 ecx, dword ptr [edi + 0x30]
            //   0f84cb000000         | test                cl, 0x40

        $sequence_52 = { 498be9 e8???????? 4885c0 488bf0 0f84a3000000 }
            // n = 5, score = 400
            //   498be9               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   4885c0               | push                ebx
            //   488bf0               | jmp                 0x5a
            //   0f84a3000000         | cmp                 esi, ebx

        $sequence_53 = { e8???????? 488b5c2428 85c0 753e 8b9424c8000000 85d2 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   488b5c2428           | jne                 0x23
            //   85c0                 | test                eax, eax
            //   753e                 | je                  0x17
            //   8b9424c8000000       | mov                 edi, eax
            //   85d2                 | dec                 esp

        $sequence_54 = { 4489764c e9???????? 834e4c01 8b463c 488b1e }
            // n = 5, score = 400
            //   4489764c             | push                0x104
            //   e9????????           |                     
            //   834e4c01             | lea                 ecx, [edi + 0x10]
            //   8b463c               | xor                 edx, edx
            //   488b1e               | mov                 dword ptr [edi + 0x4a18], esi

        $sequence_55 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? }
            // n = 6, score = 400
            //   c3                   | xor                 edx, edx
            //   6a00                 | mov                 dword ptr [edi + 0x4a18], esi
            //   6800004000           | cmp                 dword ptr [edi + 0x4a1c], edx
            //   6a00                 | push                esi
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_56 = { ff15???????? 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   4883f8ff             | je                  0xbd
            //   488bf8               | cmp                 dword ptr [ebp + 0xc], ebx
            //   7445                 | je                  0xb7
            //   488d842488000000     | push                1

        $sequence_57 = { 8945f8 85c0 7551 ff33 50 }
            // n = 5, score = 400
            //   8945f8               | dec                 eax
            //   85c0                 | mov                 edi, eax
            //   7551                 | je                  0x4a
            //   ff33                 | dec                 eax
            //   50                   | lea                 eax, [esp + 0x88]

        $sequence_58 = { 4c8d8424d0000000 48c7c101000080 ff15???????? 85c0 7568 }
            // n = 5, score = 400
            //   4c8d8424d0000000     | cmp                 esi, ebx
            //   48c7c101000080       | je                  0x8b
            //   ff15????????         |                     
            //   85c0                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   7568                 | jmp                 0xffffffc1

        $sequence_59 = { 89750c 8d750c e8???????? 8bf0 3bf3 741a }
            // n = 6, score = 400
            //   89750c               | je                  0x5e
            //   8d750c               | cmp                 dword ptr [ebp + 0xc], ebx
            //   e8????????           |                     
            //   8bf0                 | je                  0x5e
            //   3bf3                 | push                ebx
            //   741a                 | je                  0xbd

        $sequence_60 = { 33db 895dfc e8???????? 8945f8 33ff eb03 }
            // n = 6, score = 400
            //   33db                 | cmp                 dword ptr [ebp + 0xc], ebx
            //   895dfc               | je                  0xb7
            //   e8????????           |                     
            //   8945f8               | push                1
            //   33ff                 | push                dword ptr [ebp + 0xc]
            //   eb03                 | push                esi

        $sequence_61 = { 69f60d661900 ff75f4 81c65ff36e3c 89750c 8d750c }
            // n = 5, score = 400
            //   69f60d661900         | cmp                 esi, ebx
            //   ff75f4               | je                  0x78
            //   81c65ff36e3c         | cmp                 dword ptr [ebp + 0xc], ebx
            //   89750c               | je                  0x78
            //   8d750c               | cmp                 esi, ebx

        $sequence_62 = { 53 c1e010 56 8db4083089b9ed 57 8d45f4 50 }
            // n = 7, score = 400
            //   53                   | push                dword ptr [ebp + 0x10]
            //   c1e010               | push                dword ptr [esi]
            //   56                   | push                ebx
            //   8db4083089b9ed       | jmp                 0x57
            //   57                   | cmp                 esi, ebx
            //   8d45f4               | je                  0x60
            //   50                   | dec                 eax

        $sequence_63 = { e8???????? 8bf8 3bfb 0f85a1010000 ff750c 8b75fc }
            // n = 6, score = 300
            //   e8????????           |                     
            //   8bf8                 | push                eax
            //   3bfb                 | inc                 ecx
            //   0f85a1010000         | lea                 edx, [esi + 0x20]
            //   ff750c               | dec                 ecx
            //   8b75fc               | mov                 ecx, edi

        $sequence_64 = { 8bf0 8975f4 3bf7 0f8487000000 }
            // n = 4, score = 300
            //   8bf0                 | dec                 eax
            //   8975f4               | mov                 ecx, dword ptr [ebx]
            //   3bf7                 | and                 eax, 0x80
            //   0f8487000000         | inc                 ecx

        $sequence_65 = { 5f 5b 8be5 5d c20400 8325????????00 }
            // n = 6, score = 300
            //   5f                   | mov                 dword ptr [ebp - 8], eax
            //   5b                   | xor                 edi, edi
            //   8be5                 | push                dword ptr [ebp - 0xc]
            //   5d                   | add                 esi, 0x3c6ef35f
            //   c20400               | mov                 dword ptr [ebp + 0xc], esi
            //   8325????????00       |                     

        $sequence_66 = { 0f8473030000 395d08 0f847f030000 50 ff15???????? }
            // n = 5, score = 300
            //   0f8473030000         | push                0
            //   395d08               | push                0x400000
            //   0f847f030000         | push                0
            //   50                   | ret                 
            //   ff15????????         |                     

        $sequence_67 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? 8bc8 ff15???????? }
            // n = 7, score = 300
            //   4d3bef               | lea                 ecx, [edi + 0x10]
            //   7415                 | mov                 dword ptr [ebp - 4], eax
            //   498bd5               | test                eax, eax
            //   4883c9ff             | je                  0x1e
            //   ff15????????         |                     
            //   8bc8                 | push                0x104
            //   ff15????????         |                     

        $sequence_68 = { 488b0d???????? 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 7, score = 300
            //   488b0d????????       |                     
            //   4885c9               | lea                 ecx, [edi + 0x10]
            //   7405                 | push                esi
            //   e8????????           |                     
            //   4883c428             | xor                 esi, esi
            //   c3                   | inc                 esi
            //   4053                 | mov                 dword ptr [ebp - 8], eax

        $sequence_69 = { 85c0 743d d16dfc 8b4dfc 33c0 6689044b }
            // n = 6, score = 300
            //   85c0                 | dec                 esp
            //   743d                 | mov                 esi, eax
            //   d16dfc               | dec                 eax
            //   8b4dfc               | test                eax, eax
            //   33c0                 | inc                 ebp
            //   6689044b             | xor                 esi, esi

        $sequence_70 = { ff7514 53 68???????? e9???????? 3bf3 0f84e5010000 }
            // n = 6, score = 300
            //   ff7514               | push                0
            //   53                   | push                0x400000
            //   68????????           |                     
            //   e9????????           |                     
            //   3bf3                 | push                0
            //   0f84e5010000         | test                eax, eax

        $sequence_71 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | push                0x410
            //   ff15????????         |                     
            //   488bd8               | test                eax, eax
            //   493bc7               | jne                 0x53

        $sequence_72 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | xor                 edx, edx
            //   742f                 | mov                 dword ptr [edi + 0x4a18], esi
            //   488d4810             | cmp                 dword ptr [edi + 0x4a1c], edx
            //   ff15????????         |                     

        $sequence_73 = { 8b45fc 0fb700 8bc8 81e100f00000 }
            // n = 4, score = 300
            //   8b45fc               | push                dword ptr [ebx]
            //   0fb700               | xor                 esi, esi
            //   8bc8                 | inc                 esi
            //   81e100f00000         | mov                 dword ptr [ebp - 8], eax

        $sequence_74 = { 8d45c0 50 8b45f0 40 50 e8???????? 8bf0 }
            // n = 7, score = 300
            //   8d45c0               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | movzx               eax, word ptr [eax]
            //   8b45f0               | mov                 ecx, eax
            //   40                   | and                 ecx, 0xf000
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | push                edi

        $sequence_75 = { 8975f8 e8???????? 8945ec 3bc3 0f84ad010000 53 8d4de4 }
            // n = 7, score = 300
            //   8975f8               | mov                 dword ptr [esi], ebx
            //   e8????????           |                     
            //   8945ec               | xor                 edi, edi
            //   3bc3                 | mov                 dword ptr [ebp - 0x12], eax
            //   0f84ad010000         | cmp                 eax, ebx
            //   53                   | je                  0xe
            //   8d4de4               | push                dword ptr [ebp - 8]

        $sequence_76 = { 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 }
            // n = 5, score = 300
            //   740e                 | push                ebx
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | dec                 eax
            //   4c8d4c2440           | sub                 esp, 0x20

        $sequence_77 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | dec                 ecx
            //   4889442420           | inc                 edi
            //   e8????????           |                     
            //   3bc3                 | inc                 ecx
            //   0f859b000000         | lea                 edx, [esi + 0x20]

        $sequence_78 = { 488bfa 4883c12e ff15???????? eb0b b90a000000 ff15???????? }
            // n = 6, score = 200
            //   488bfa               | inc                 ebp
            //   4883c12e             | xor                 eax, eax
            //   ff15????????         |                     
            //   eb0b                 | call                dword ptr [eax + 0x28]
            //   b90a000000           | inc                 esp
            //   ff15????????         |                     

        $sequence_79 = { 488bf0 488b0d???????? f0834156ff 488b5c2430 }
            // n = 4, score = 200
            //   488bf0               | mov                 dword ptr [esi + 0x4c], esi
            //   488b0d????????       |                     
            //   f0834156ff           | or                  dword ptr [esi + 0x4c], 1
            //   488b5c2430           | mov                 eax, dword ptr [esi + 0x3c]

        $sequence_80 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | mov                 ebp, dword ptr [esp + 0x38]
            //   e8????????           |                     
            //   5e                   | dec                 eax
            //   5d                   | mov                 esi, dword ptr [esp + 0x40]
            //   5b                   | dec                 eax
            //   c3                   | add                 esp, 0x20
            //   eb10                 | pop                 edi

        $sequence_81 = { 5e 5b c20800 51 53 57 }
            // n = 6, score = 200
            //   5e                   | test                eax, eax
            //   5b                   | je                  0x379
            //   c20800               | cmp                 dword ptr [ebp + 8], ebx
            //   51                   | je                  0x385
            //   53                   | push                eax
            //   57                   | push                dword ptr [ebp + 0x14]

        $sequence_82 = { 8b1d???????? 6a3a b8???????? 56 ff35???????? a3???????? }
            // n = 6, score = 200
            //   8b1d????????         |                     
            //   6a3a                 | sub                 al, 0x41
            //   b8????????           |                     
            //   56                   | cmp                 al, 5
            //   ff35????????         |                     
            //   a3????????           |                     

        $sequence_83 = { 897760 488b6c2438 488b742440 4883c420 5f c3 48895c2408 }
            // n = 7, score = 200
            //   897760               | dec                 esp
            //   488b6c2438           | mov                 esi, eax
            //   488b742440           | dec                 eax
            //   4883c420             | test                eax, eax
            //   5f                   | inc                 ecx
            //   c3                   | lea                 edx, [esi + 0x20]
            //   48895c2408           | dec                 ecx

        $sequence_84 = { ff35???????? ff15???????? a1???????? 8b4c2404 8908 83c01e 50 }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   a1????????           |                     
            //   8b4c2404             | push                ecx
            //   8908                 | push                dword ptr [ebx + 0x10]
            //   83c01e               | xor                 edx, edx
            //   50                   | mov                 dword ptr [edi + 0x4a18], esi

        $sequence_85 = { 68???????? 8975f4 ffd7 8b1d???????? 6a3a b8???????? }
            // n = 6, score = 200
            //   68????????           |                     
            //   8975f4               | je                  0x1e
            //   ffd7                 | push                0x104
            //   8b1d????????         |                     
            //   6a3a                 | lea                 ecx, [edi + 0x10]
            //   b8????????           |                     

        $sequence_86 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | dec                 esp
            //   48c7c101000080       | mov                 eax, dword ptr [ecx + 8]
            //   ff15????????         |                     

        $sequence_87 = { 8908 83c01e 50 ff15???????? c20400 55 }
            // n = 6, score = 200
            //   8908                 | cmp                 dword ptr [esp + 0x4c], 1
            //   83c01e               | jbe                 0x66
            //   50                   | cmp                 eax, 0xa2b9b7f3
            //   ff15????????         |                     
            //   c20400               | je                  0x70
            //   55                   | cmp                 dword ptr [esp + 0x4c], 1

        $sequence_88 = { a1???????? 33c9 83c036 41 f00fc108 }
            // n = 5, score = 200
            //   a1????????           |                     
            //   33c9                 | dec                 eax
            //   83c036               | lea                 ecx, [esp + 0x20]
            //   41                   | dec                 eax
            //   f00fc108             | lea                 edx, [esp + 0x38]

        $sequence_89 = { c3 33c0 483bc8 7458 488b5128 }
            // n = 5, score = 200
            //   c3                   | mov                 esi, eax
            //   33c0                 | dec                 eax
            //   483bc8               | lea                 ebx, [esi + 0x10]
            //   7458                 | inc                 ebp
            //   488b5128             | xor                 esi, esi

        $sequence_90 = { 4c891d???????? 8d7b5b 33d2 4c8bc7 448935???????? ff15???????? }
            // n = 6, score = 200
            //   4c891d????????       |                     
            //   8d7b5b               | mov                 edx, dword ptr [esp + 0xa8]
            //   33d2                 | inc                 ebp
            //   4c8bc7               | xor                 ecx, ecx
            //   448935????????       |                     
            //   ff15????????         |                     

        $sequence_91 = { e9???????? 83bbb000000004 0f84b4000000 3bca }
            // n = 4, score = 200
            //   e9????????           |                     
            //   83bbb000000004       | dec                 eax
            //   0f84b4000000         | lea                 ebx, [esi + 0x10]
            //   3bca                 | inc                 ebp

        $sequence_92 = { 83a78c00000000 33c0 c3 51 e8???????? 0558020000 83d200 }
            // n = 7, score = 200
            //   83a78c00000000       | dec                 esp
            //   33c0                 | lea                 eax, [esp + 0x40]
            //   c3                   | dec                 eax
            //   51                   | mov                 dword ptr [esp + 0x30], eax
            //   e8????????           |                     
            //   0558020000           | je                  0x10
            //   83d200               | dec                 eax

        $sequence_93 = { 50 57 ff15???????? 891e 33ff }
            // n = 5, score = 200
            //   50                   | test                eax, eax
            //   57                   | jne                 0x58
            //   ff15????????         |                     
            //   891e                 | push                dword ptr [ebx]
            //   33ff                 | push                eax

        $sequence_94 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | dec                 eax
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | mov                 ecx, dword ptr [ebx]
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | and                 eax, 0x80

        $sequence_95 = { 5b c9 c20800 55 8bec 81ec1c010000 8d4807 }
            // n = 7, score = 200
            //   5b                   | jle                 0x430
            //   c9                   | inc                 edx
            //   c20800               | cmp                 byte ptr [ebx + ebp], al
            //   55                   | jne                 0x27
            //   8bec                 | inc                 esp
            //   81ec1c010000         | mov                 eax, edx
            //   8d4807               | ret                 

        $sequence_96 = { c1ed03 0fb70442 6683e107 66898c4788000000 }
            // n = 4, score = 200
            //   c1ed03               | dec                 eax
            //   0fb70442             | test                ecx, ecx
            //   6683e107             | je                  0xa
            //   66898c4788000000     | dec                 eax

        $sequence_97 = { 81c101010000 83e00f 03d3 c1ed04 83c004 81f91e010000 894f74 }
            // n = 7, score = 200
            //   81c101010000         | lea                 ebx, [esi + 0x10]
            //   83e00f               | inc                 ebp
            //   03d3                 | xor                 esi, esi
            //   c1ed04               | dec                 eax
            //   83c004               | mov                 ecx, dword ptr [ebx]
            //   81f91e010000         | inc                 ecx
            //   894f74               | mov                 eax, dword ptr [esp + 0x1c]

        $sequence_98 = { 488b0d???????? 4883c12e ff15???????? 448a1f 443a5b08 7315 488b0b }
            // n = 7, score = 200
            //   488b0d????????       |                     
            //   4883c12e             | dec                 eax
            //   ff15????????         |                     
            //   448a1f               | sub                 esp, 0x20
            //   443a5b08             | dec                 esp
            //   7315                 | mov                 eax, dword ptr [ecx + 8]
            //   488b0b               | dec                 eax

        $sequence_99 = { 75e9 8b4778 034774 39477c 0f834effffff e9???????? }
            // n = 6, score = 200
            //   75e9                 | dec                 ecx
            //   8b4778               | mov                 ecx, edi
            //   034774               | inc                 ecx
            //   39477c               | mov                 eax, dword ptr [esp + 0x1c]
            //   0f834effffff         | dec                 eax
            //   e9????????           |                     

        $sequence_100 = { eb14 a1???????? 89701a 8b4508 8938 }
            // n = 5, score = 200
            //   eb14                 | mov                 al, byte ptr [edi]
            //   a1????????           |                     
            //   89701a               | ja                  0x10
            //   8b4508               | xor                 edx, edx
            //   8938                 | dec                 eax

        $sequence_101 = { 8bd8 413bde 0f8517030000 f605????????04 740e }
            // n = 5, score = 200
            //   8bd8                 | je                  0x21
            //   413bde               | ret                 
            //   0f8517030000         | inc                 eax
            //   f605????????04       |                     
            //   740e                 | push                ebx

        $sequence_102 = { 488b05???????? 89702a 48897d00 eb17 bbb7000000 488b0d???????? }
            // n = 6, score = 200
            //   488b05????????       |                     
            //   89702a               | dec                 eax
            //   48897d00             | mov                 ebx, ecx
            //   eb17                 | dec                 ebp
            //   bbb7000000           | test                eax, eax
            //   488b0d????????       |                     

        $sequence_103 = { 6a00 e8???????? a1???????? 83c01e }
            // n = 4, score = 200
            //   6a00                 | inc                 ecx
            //   e8????????           |                     
            //   a1????????           |                     
            //   83c01e               | mov                 eax, 6

        $sequence_104 = { 5d c3 0fb708 6683f902 751c }
            // n = 5, score = 200
            //   5d                   | je                  0x10
            //   c3                   | dec                 eax
            //   0fb708               | lea                 eax, [esp + 0x40]
            //   6683f902             | dec                 esp
            //   751c                 | lea                 ecx, [esp + 0x40]

        $sequence_105 = { 8be8 85ed 0f848d010000 a1???????? 8b35???????? 83c01e 50 }
            // n = 7, score = 200
            //   8be8                 | push                dword ptr [ebx]
            //   85ed                 | push                eax
            //   0f848d010000         | push                0x410
            //   a1????????           |                     
            //   8b35????????         |                     
            //   83c01e               | mov                 dword ptr [ebp - 4], eax
            //   50                   | test                eax, eax

        $sequence_106 = { ff35???????? ffd6 8be8 85ed 0f8486010000 }
            // n = 5, score = 100
            //   ff35????????         |                     
            //   ffd6                 | and                 cx, 7
            //   8be8                 | mov                 word ptr [edi + eax*2 + 0x88], cx
            //   85ed                 | shr                 ebp, 3
            //   0f8486010000         | movzx               eax, word ptr [edx + eax*2]

        $sequence_107 = { 3bf3 0f85d4020000 8b3d???????? 8d442410 50 }
            // n = 5, score = 100
            //   3bf3                 | dec                 eax
            //   0f85d4020000         | mov                 edx, dword ptr [esp + 0x60]
            //   8b3d????????         |                     
            //   8d442410             | inc                 ebp
            //   50                   | xor                 ecx, ecx

        $sequence_108 = { ff75ec 8b3d???????? 8bd8 ffd7 ff75e8 }
            // n = 5, score = 100
            //   ff75ec               | dec                 eax
            //   8b3d????????         |                     
            //   8bd8                 | mov                 ecx, eax
            //   ffd7                 | inc                 ecx
            //   ff75e8               | call                dword ptr [ebx + 0x18]

        $sequence_109 = { 7e0e 3934850875be03 742b 40 3bc1 }
            // n = 5, score = 100
            //   7e0e                 | dec                 ecx
            //   3934850875be03       | sub                 edx, eax
            //   742b                 | dec                 eax
            //   40                   | add                 edx, dword ptr [esp + 0x60]
            //   3bc1                 | inc                 ecx

        $sequence_110 = { cf 8b2d???????? 48 55 395002 }
            // n = 5, score = 100
            //   cf                   | je                  0x104
            //   8b2d????????         |                     
            //   48                   | dec                 ecx
            //   55                   | sub                 edx, eax
            //   395002               | dec                 eax

        $sequence_111 = { 3934850875be03 7403 48 79f4 }
            // n = 4, score = 100
            //   3934850875be03       | dec                 esp
            //   7403                 | mov                 eax, dword ptr [esp + 0x60]
            //   48                   | dec                 esp
            //   79f4                 | mov                 ebx, dword ptr [eax]

        $sequence_112 = { ffd7 ff75e8 ffd7 eb08 }
            // n = 4, score = 100
            //   ffd7                 | mov                 ecx, eax
            //   ff75e8               | dec                 eax
            //   ffd7                 | add                 edx, dword ptr [esp + 0x60]
            //   eb08                 | inc                 ecx

        $sequence_113 = { e8???????? 83c40c 68???????? e8???????? 3bc6 8945f8 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | call                dword ptr [edx + 0x20]
            //   68????????           |                     
            //   e8????????           |                     
            //   3bc6                 | dec                 esp
            //   8945f8               | mov                 eax, dword ptr [esp + 0x60]

        $sequence_114 = { a1???????? 56 57 35fa446809 33ff 57 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   56                   | dec                 eax
            //   57                   | mov                 edx, dword ptr [esp + 0x60]
            //   35fa446809           | inc                 ebp
            //   33ff                 | xor                 ecx, ecx
            //   57                   | dec                 eax

        $sequence_115 = { 85c0 8b7c2414 0f85cc000000 57 e8???????? 89442410 }
            // n = 6, score = 100
            //   85c0                 | and                 cx, 7
            //   8b7c2414             | mov                 word ptr [edi + eax*2 + 0x88], cx
            //   0f85cc000000         | add                 dword ptr [edi + 0x7c], ebx
            //   57                   | shr                 ebp, 3
            //   e8????????           |                     
            //   89442410             | movzx               eax, word ptr [edx + eax*2]

        $sequence_116 = { c7868c0000003dca0210 c7869000000069ca0210 c7869400000001020210 c7869800000089ca0210 bb???????? 7412 6a02 }
            // n = 7, score = 100
            //   c7868c0000003dca0210     | and    cx, 7
            //   c7869000000069ca0210     | mov    word ptr [edi + eax*2 + 0x88], cx
            //   c7869400000001020210     | add    dword ptr [edi + 0x7c], ebx
            //   c7869800000089ca0210     | add    esi, -3
            //   bb????????           |                     
            //   7412                 | shr                 ebp, 3
            //   6a02                 | movzx               eax, word ptr [edx + eax*2]

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules
DreamBot Propose Change

References

Yara Rules

DreamBot
