DreamBot (Malware Family)

DreamBot

VTCollection URLhaus
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014 Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
See win.gozi for additional historical information.
References

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman
The Inter Skimmer Kit
magecart DreamBot TeslaCrypt
2020-08-28 ⋅ Checkpoint ⋅ Check Point Research
Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-05-01 ⋅ CSIS ⋅ Benoît Ancel
The end of Dreambot? Obituary for a loved piece of Gozi.
DreamBot
2020-02-07 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2017-05-29 ⋅ Lokalhost.pl ⋅ Maciej Kotowicz
Gozi Tree
DreamBot Gozi ISFB Powersniff
2016-08-29 ⋅ Proofpoint ⋅ Proofpoint Staff
Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality
DreamBot
Yara Rules

[TLP:WHITE] win_dreambot_auto (20260504 | Detects win.dreambot.)
rule win_dreambot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dreambot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 834f3001 8b4720 2b4310 8b37 }
            // n = 4, score = 700
            //   834f3001             | or                  dword ptr [edi + 0x30], 1
            //   8b4720               | mov                 eax, dword ptr [edi + 0x20]
            //   2b4310               | sub                 eax, dword ptr [ebx + 0x10]
            //   8b37                 | mov                 esi, dword ptr [edi]

        $sequence_1 = { 8b44240c 894320 8b442410 894310 836730f9 }
            // n = 5, score = 700
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   894320               | mov                 dword ptr [ebx + 0x20], eax
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   894310               | mov                 dword ptr [ebx + 0x10], eax
            //   836730f9             | and                 dword ptr [edi + 0x30], 0xfffffff9

        $sequence_2 = { 8b4320 be???????? 56 89442410 ff15???????? 56 }
            // n = 6, score = 700
            //   8b4320               | mov                 eax, dword ptr [ebx + 0x20]
            //   be????????           |                     
            //   56                   | push                esi
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_3 = { 894f30 8b4f30 f6c140 751e 85c0 740e 8bf8 }
            // n = 7, score = 700
            //   894f30               | mov                 dword ptr [edi + 0x30], ecx
            //   8b4f30               | mov                 ecx, dword ptr [edi + 0x30]
            //   f6c140               | test                cl, 0x40
            //   751e                 | jne                 0x20
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   8bf8                 | mov                 edi, eax

        $sequence_4 = { ff15???????? 56 ff742410 89442418 ff15???????? 85c0 7410 }
            // n = 7, score = 700
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12

        $sequence_5 = { 8b4618 e8???????? eb09 ff7618 ff15???????? 33ff }
            // n = 6, score = 700
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   eb09                 | jmp                 0xb
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   ff15????????         |                     
            //   33ff                 | xor                 edi, edi

        $sequence_6 = { 50 8b4734 e8???????? 85c0 }
            // n = 4, score = 700
            //   50                   | push                eax
            //   8b4734               | mov                 eax, dword ptr [edi + 0x34]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 6a00 ff35???????? ffd6 897b20 }
            // n = 4, score = 700
            //   6a00                 | push                0
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   897b20               | mov                 dword ptr [ebx + 0x20], edi

        $sequence_8 = { e8???????? e9???????? 3bf3 0f8496000000 395d0c }
            // n = 5, score = 600
            //   e8????????           |                     
            //   e9????????           |                     
            //   3bf3                 | jne                 0x2a
            //   0f8496000000         | dec                 ecx
            //   395d0c               | cmp                 edi, ebp

        $sequence_9 = { 0f848d000000 6a07 ebdd 3bf3 0f8481000000 395d0c }
            // n = 6, score = 600
            //   0f848d000000         | jmp                 0xffffffb4
            //   6a07                 | xor                 edx, edx
            //   ebdd                 | dec                 ecx
            //   3bf3                 | cmp                 edi, ebp
            //   0f8481000000         | je                  0xa4
            //   395d0c               | inc                 ecx

        $sequence_10 = { 745c 395d0c 7457 53 ff750c }
            // n = 5, score = 600
            //   745c                 | jmp                 0xffffffce
            //   395d0c               | je                  0x98
            //   7457                 | inc                 ecx
            //   53                   | mov                 eax, 3
            //   ff750c               | jmp                 0xffffffbf

        $sequence_11 = { 53 68???????? eb54 3bf3 }
            // n = 4, score = 600
            //   53                   | dec                 ecx
            //   68????????           |                     
            //   eb54                 | cmp                 edi, ebp
            //   3bf3                 | je                  0xdf

        $sequence_12 = { e9???????? 3bf3 0f84b7000000 395d0c }
            // n = 4, score = 600
            //   e9????????           |                     
            //   3bf3                 | je                  0x38
            //   0f84b7000000         | inc                 ecx
            //   395d0c               | cmp                 eax, ebp

        $sequence_13 = { 741c 837d0c04 7516 ff7510 ff36 68???????? }
            // n = 6, score = 600
            //   741c                 | inc                 ecx
            //   837d0c04             | cmp                 esi, ebp
            //   7516                 | je                  0x81
            //   ff7510               | inc                 ecx
            //   ff36                 | mov                 eax, 0xd
            //   68????????           |                     

        $sequence_14 = { 6a03 ebcc 3bf3 7474 395d0c 746f 6a0d }
            // n = 7, score = 600
            //   6a03                 | inc                 ecx
            //   ebcc                 | mov                 eax, 7
            //   3bf3                 | jmp                 0xffffffdf
            //   7474                 | dec                 ecx
            //   395d0c               | cmp                 edi, ebp
            //   746f                 | je                  0xa4
            //   6a0d                 | inc                 ecx

        $sequence_15 = { a1???????? 85c0 7520 3bf3 741c 837d0c04 }
            // n = 6, score = 600
            //   a1????????           |                     
            //   85c0                 | inc                 ecx
            //   7520                 | cmp                 esi, ecx
            //   3bf3                 | je                  0x98
            //   741c                 | inc                 ecx
            //   837d0c04             | mov                 eax, 3

        $sequence_16 = { 4c896c2420 e8???????? 4c8b442468 488b0d???????? }
            // n = 4, score = 500
            //   4c896c2420           | jmp                 0xa
            //   e8????????           |                     
            //   4c8b442468           | add                 esi, 0x3c6ef35f
            //   488b0d????????       |                     

        $sequence_17 = { 488b542460 4533c9 488bc8 41ff5318 }
            // n = 4, score = 500
            //   488b542460           | lea                 ecx, [esp + 0x40]
            //   4533c9               | je                  0x10
            //   488bc8               | dec                 eax
            //   41ff5318             | lea                 eax, [esp + 0x40]

        $sequence_18 = { 448bc6 488bd7 e8???????? eb2c 8b05???????? }
            // n = 5, score = 500
            //   448bc6               | cmp                 esi, ebp
            //   488bd7               | je                  0xd6
            //   e8????????           |                     
            //   eb2c                 | inc                 esp
            //   8b05????????         |                     

        $sequence_19 = { 493bfd 7423 41b904000000 413bf1 7518 8b17 }
            // n = 6, score = 500
            //   493bfd               | inc                 ecx
            //   7423                 | mov                 eax, 0xd
            //   41b904000000         | jmp                 0xffffffb1
            //   413bf1               | inc                 ecx
            //   7518                 | mov                 eax, 3
            //   8b17                 | jmp                 0xffffffc5

        $sequence_20 = { 488b9424a8000000 4533c9 4533c0 ff5028 }
            // n = 4, score = 500
            //   488b9424a8000000     | dec                 eax
            //   4533c9               | cmp                 eax, -1
            //   4533c0               | dec                 eax
            //   ff5028               | mov                 edi, eax

        $sequence_21 = { 0f84b5000000 413bf5 0f84ac000000 41b807000000 ebd7 }
            // n = 5, score = 500
            //   0f84b5000000         | mov                 ecx, 4
            //   413bf5               | inc                 ecx
            //   0f84ac000000         | cmp                 esi, ecx
            //   41b807000000         | jne                 0x23
            //   ebd7                 | mov                 edx, dword ptr [edi]

        $sequence_22 = { 5f c3 4053 4883ec20 4c8b4108 488bd9 4d85c0 }
            // n = 7, score = 500
            //   5f                   | ret                 4
            //   c3                   | push                0
            //   4053                 | pop                 edi
            //   4883ec20             | pop                 ebx
            //   4c8b4108             | mov                 esp, ebp
            //   488bd9               | pop                 ebp
            //   4d85c0               | ret                 4

        $sequence_23 = { 493bfd 0f849b000000 413bf5 0f8492000000 41b803000000 ebbd 493bfd }
            // n = 7, score = 500
            //   493bfd               | inc                 ecx
            //   0f849b000000         | cmp                 esi, ebp
            //   413bf5               | je                  0x8a
            //   0f8492000000         | dec                 ecx
            //   41b803000000         | cmp                 edi, ebp
            //   ebbd                 | je                  0x28
            //   493bfd               | inc                 ecx

        $sequence_24 = { eb5a 493bfd 7464 413bf5 745f 8bd6 488bcf }
            // n = 7, score = 500
            //   eb5a                 | mov                 eax, esi
            //   493bfd               | dec                 eax
            //   7464                 | mov                 edx, edi
            //   413bf5               | jmp                 0x2e
            //   745f                 | jmp                 0x5c
            //   8bd6                 | dec                 ecx
            //   488bcf               | cmp                 edi, ebp

        $sequence_25 = { 492bd0 4803542460 41ff5220 4c8b442460 e9???????? }
            // n = 5, score = 500
            //   492bd0               | dec                 esp
            //   4803542460           | lea                 ecx, [esp + 0x40]
            //   41ff5220             | dec                 esp
            //   4c8b442460           | lea                 eax, [esp + 0x40]
            //   e9????????           |                     

        $sequence_26 = { 493bfd 0f84d9000000 413bf5 0f84d0000000 }
            // n = 4, score = 500
            //   493bfd               | dec                 ecx
            //   0f84d9000000         | cmp                 edi, ebp
            //   413bf5               | je                  0xdf
            //   0f84d0000000         | inc                 ecx

        $sequence_27 = { e8???????? 4c8b1d???????? ba0d000000 41834b3401 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   4c8b1d????????       |                     
            //   ba0d000000           | mov                 dword ptr [ebp - 4], eax
            //   41834b3401           | push                esi

        $sequence_28 = { 0f8481000000 413bf5 747c 41b80d000000 eba7 }
            // n = 5, score = 500
            //   0f8481000000         | je                  0x66
            //   413bf5               | inc                 ecx
            //   747c                 | cmp                 esi, ebp
            //   41b80d000000         | je                  0x66
            //   eba7                 | mov                 edx, esi

        $sequence_29 = { e9???????? 493bfd 0f84b5000000 413bf5 }
            // n = 4, score = 500
            //   e9????????           |                     
            //   493bfd               | dec                 ecx
            //   0f84b5000000         | cmp                 edi, ebp
            //   413bf5               | je                  0x8a

        $sequence_30 = { 488d5e10 4533f6 488b0b 2580000000 }
            // n = 4, score = 500
            //   488d5e10             | mov                 dword ptr [ebp - 4], eax
            //   4533f6               | test                eax, eax
            //   488b0b               | inc                 esi
            //   2580000000           | mov                 dword ptr [ebp - 8], eax

        $sequence_31 = { 49ffc7 418d5620 498bcf ff15???????? 4c8bf0 }
            // n = 5, score = 500
            //   49ffc7               | test                eax, eax
            //   418d5620             | jne                 0x59
            //   498bcf               | push                dword ptr [ebx]
            //   ff15????????         |                     
            //   4c8bf0               | push                eax

        $sequence_32 = { 488bce 4c63c0 ff15???????? 488bce }
            // n = 4, score = 400
            //   488bce               | add                 esp, 0x80
            //   4c63c0               | mov                 eax, esi
            //   ff15????????         |                     
            //   488bce               | dec                 eax

        $sequence_33 = { 48c7c101000080 ff15???????? 85c0 7568 4c8d8c24d0000000 4c8d8424c8000000 }
            // n = 6, score = 400
            //   48c7c101000080       | ret                 4
            //   ff15????????         |                     
            //   85c0                 | push                0
            //   7568                 | pop                 ebp
            //   4c8d8c24d0000000     | ret                 4
            //   4c8d8424c8000000     | push                0

        $sequence_34 = { 8945f8 85c0 7551 ff33 50 6810040000 ff15???????? }
            // n = 7, score = 400
            //   8945f8               | mov                 edi, eax
            //   85c0                 | cmp                 edi, ebx
            //   7551                 | jne                 0x53
            //   ff33                 | push                dword ptr [esi + 0x18]
            //   50                   | pop                 edi
            //   6810040000           | ret                 
            //   ff15????????         |                     

        $sequence_35 = { 33d2 ff15???????? 48895f2c 8b464c a802 7410 8b464c }
            // n = 7, score = 400
            //   33d2                 | je                  0x47
            //   ff15????????         |                     
            //   48895f2c             | dec                 eax
            //   8b464c               | lea                 eax, [esp + 0x88]
            //   a802                 | dec                 eax
            //   7410                 | cmp                 eax, -1
            //   8b464c               | dec                 eax

        $sequence_36 = { 4883f8ff 488bf8 7445 488d842488000000 }
            // n = 4, score = 400
            //   4883f8ff             | push                dword ptr [ebp - 0xc]
            //   488bf8               | add                 esi, 0x3c6ef35f
            //   7445                 | mov                 dword ptr [ebp + 0xc], esi
            //   488d842488000000     | lea                 esi, [ebp + 0xc]

        $sequence_37 = { 0f8431010000 81f97acff109 0f840f010000 81f9eb6bfb0d 0f84de000000 }
            // n = 5, score = 400
            //   0f8431010000         | push                1
            //   81f97acff109         | pop                 ebx
            //   0f840f010000         | mov                 esp, ebp
            //   81f9eb6bfb0d         | pop                 ebp
            //   0f84de000000         | ret                 4

        $sequence_38 = { 53 c1e010 56 8db4083089b9ed 57 8d45f4 50 }
            // n = 7, score = 400
            //   53                   | jmp                 0x57
            //   c1e010               | cmp                 esi, ebx
            //   56                   | je                  0x76
            //   8db4083089b9ed       | cmp                 dword ptr [ebp + 0xc], ebx
            //   57                   | je                  0x74
            //   8d45f4               | push                0xd
            //   50                   | cmp                 esi, ebx

        $sequence_39 = { 0f85bd000000 33c0 89942498000000 899424a8000000 8984249c000000 }
            // n = 5, score = 400
            //   0f85bd000000         | mov                 edx, dword ptr [esp + 0x60]
            //   33c0                 | inc                 ebp
            //   89942498000000       | xor                 ecx, ecx
            //   899424a8000000       | dec                 eax
            //   8984249c000000       | mov                 ecx, eax

        $sequence_40 = { 33d2 ff15???????? 8bc6 488b9c24c0000000 4881c480000000 }
            // n = 5, score = 400
            //   33d2                 | pop                 ebx
            //   ff15????????         |                     
            //   8bc6                 | mov                 esp, ebp
            //   488b9c24c0000000     | pop                 ebp
            //   4881c480000000       | ret                 4

        $sequence_41 = { 8b05???????? 35fc5585cf 4533c9 4533c0 418bd6 33c9 8905???????? }
            // n = 7, score = 400
            //   8b05????????         |                     
            //   35fc5585cf           | push                0
            //   4533c9               | push                1
            //   4533c0               | pop                 ebp
            //   418bd6               | ret                 4
            //   33c9                 | push                0
            //   8905????????         |                     

        $sequence_42 = { ff15???????? 8945fc 85c0 741a 6804010000 8d4f10 51 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   8945fc               | mov                 ecx, 0x80000001
            //   85c0                 | test                eax, eax
            //   741a                 | jne                 0x6a
            //   6804010000           | dec                 eax
            //   8d4f10               | mov                 ecx, eax
            //   51                   | dec                 eax

        $sequence_43 = { 33f6 46 8945f8 85c0 }
            // n = 4, score = 400
            //   33f6                 | mov                 eax, dword ptr [ecx + 8]
            //   46                   | dec                 eax
            //   8945f8               | mov                 ebx, ecx
            //   85c0                 | dec                 ebp

        $sequence_44 = { ff75f8 69f60d661900 ff75f4 81c65ff36e3c }
            // n = 4, score = 400
            //   ff75f8               | push                dword ptr [ebp - 0xc]
            //   69f60d661900         | add                 esi, 0x3c6ef35f
            //   ff75f4               | mov                 dword ptr [ebp + 0xc], esi
            //   81c65ff36e3c         | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_45 = { 50 8b450c 33db 895dfc e8???????? 8945f8 33ff }
            // n = 7, score = 400
            //   50                   | mov                 edi, dword ptr [ebp + 8]
            //   8b450c               | jmp                 0x29
            //   33db                 | test                eax, eax
            //   895dfc               | jne                 0x24
            //   e8????????           |                     
            //   8945f8               | cmp                 dword ptr [ebp + 0xc], ebx
            //   33ff                 | je                  0x85

        $sequence_46 = { ff75f4 81c65ff36e3c 89750c 8d750c e8???????? 8bf0 3bf3 }
            // n = 7, score = 400
            //   ff75f4               | je                  0x5e
            //   81c65ff36e3c         | cmp                 dword ptr [ebp + 0xc], ebx
            //   89750c               | je                  0x59
            //   8d750c               | push                ebx
            //   e8????????           |                     
            //   8bf0                 | jne                 0x25
            //   3bf3                 | cmp                 esi, ebx

        $sequence_47 = { 33db eb0b 8b842498000000 c6041800 44897c2430 }
            // n = 5, score = 400
            //   33db                 | xor                 ecx, ecx
            //   eb0b                 | dec                 esp
            //   8b842498000000       | mov                 eax, ebx
            //   c6041800             | xor                 edx, edx
            //   44897c2430           | mov                 eax, esi

        $sequence_48 = { 33ff eb03 8b750c ff75f8 69f60d661900 }
            // n = 5, score = 400
            //   33ff                 | push                3
            //   eb03                 | jmp                 0xffffffd9
            //   8b750c               | cmp                 esi, ebx
            //   ff75f8               | je                  0x85
            //   69f60d661900         | cmp                 dword ptr [ebp + 0xc], ebx

        $sequence_49 = { ff7310 ff15???????? 33d2 89b7184a0000 }
            // n = 4, score = 400
            //   ff7310               | test                eax, eax
            //   ff15????????         |                     
            //   33d2                 | pop                 edi
            //   89b7184a0000         | ret                 

        $sequence_50 = { 4d8bc4 33d2 ff15???????? 488bf8 }
            // n = 4, score = 400
            //   4d8bc4               | ret                 8
            //   33d2                 | push                ecx
            //   ff15????????         |                     
            //   488bf8               | push                ebx

        $sequence_51 = { 2b471c 4489742478 448974247c 488b542478 894640 33c0 }
            // n = 6, score = 400
            //   2b471c               | dec                 esp
            //   4489742478           | lea                 ecx, [esp + 0xd0]
            //   448974247c           | dec                 esp
            //   488b542478           | lea                 eax, [esp + 0xc8]
            //   894640               | je                  0x137
            //   33c0                 | cmp                 ecx, 0x9f1cf7a

        $sequence_52 = { c3 6a00 6800004000 6a00 ff15???????? a3???????? }
            // n = 6, score = 400
            //   c3                   | mov                 dword ptr [ebp - 4], eax
            //   6a00                 | test                eax, eax
            //   6800004000           | je                  0x21
            //   6a00                 | push                0x104
            //   ff15????????         |                     
            //   a3????????           |                     

        $sequence_53 = { 3decc7eea6 0f84e8000000 3d0470a8c4 0f8486000000 }
            // n = 4, score = 400
            //   3decc7eea6           | push                eax
            //   0f84e8000000         | mov                 dword ptr [ebp - 8], eax
            //   3d0470a8c4           | xor                 edi, edi
            //   0f8486000000         | jmp                 0xf

        $sequence_54 = { e8???????? 488b5c2428 85c0 753e 8b9424c8000000 85d2 7421 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   488b5c2428           | push                0
            //   85c0                 | pop                 ebp
            //   753e                 | ret                 4
            //   8b9424c8000000       | push                0
            //   85d2                 | mov                 eax, dword ptr [esp + 0xc]
            //   7421                 | pop                 edi

        $sequence_55 = { 33ff 3bc7 7528 83bc241001000003 740a 83bc241001000001 7514 }
            // n = 7, score = 400
            //   33ff                 | inc                 ecx
            //   3bc7                 | call                dword ptr [edx + 0x20]
            //   7528                 | dec                 esp
            //   83bc241001000003     | mov                 eax, dword ptr [esp + 0x60]
            //   740a                 | dec                 esp
            //   83bc241001000001     | mov                 ebx, dword ptr [eax]
            //   7514                 | dec                 eax

        $sequence_56 = { 0b4724 44897630 89464c 8b464c a840 }
            // n = 5, score = 400
            //   0b4724               | mov                 edi, eax
            //   44897630             | je                  0x47
            //   89464c               | dec                 eax
            //   8b464c               | lea                 eax, [esp + 0x88]
            //   a840                 | dec                 eax

        $sequence_57 = { 41b825000000 e8???????? 4885db 7417 488b0d???????? }
            // n = 5, score = 400
            //   41b825000000         | pop                 ebp
            //   e8????????           |                     
            //   4885db               | ret                 4
            //   7417                 | push                0
            //   488b0d????????       |                     

        $sequence_58 = { 817424105085b8ed 33ff 47 57 be???????? 56 8d542418 }
            // n = 7, score = 400
            //   817424105085b8ed     | push                dword ptr [ebp - 8]
            //   33ff                 | imul                esi, esi, 0x19660d
            //   47                   | xor                 ebx, ebx
            //   57                   | mov                 dword ptr [ebp - 4], ebx
            //   be????????           |                     
            //   56                   | mov                 dword ptr [ebp - 8], eax
            //   8d542418             | xor                 edi, edi

        $sequence_59 = { 4533c9 8bd6 488bcf e8???????? 488b4c2430 448d4b03 }
            // n = 6, score = 400
            //   4533c9               | mov                 ebx, dword ptr [esp + 0x28]
            //   8bd6                 | test                eax, eax
            //   488bcf               | jne                 0x40
            //   e8????????           |                     
            //   488b4c2430           | mov                 edx, dword ptr [esp + 0xc8]
            //   448d4b03             | test                edx, edx

        $sequence_60 = { 0f840b010000 395d10 0f8402010000 6a03 eb13 3bf3 0f84f6000000 }
            // n = 7, score = 300
            //   0f840b010000         | or                  ecx, 0xffffffff
            //   395d10               | mov                 ecx, eax
            //   0f8402010000         | dec                 esp
            //   6a03                 | mov                 eax, esi
            //   eb13                 | dec                 eax
            //   3bf3                 | mov                 ebx, eax
            //   0f84f6000000         | dec                 ecx

        $sequence_61 = { 8d85a0fcffff 68???????? 50 ff15???????? 83c41c 53 }
            // n = 6, score = 300
            //   8d85a0fcffff         | pop                 edi
            //   68????????           |                     
            //   50                   | ret                 
            //   ff15????????         |                     
            //   83c41c               | dec                 ebp
            //   53                   | cmp                 ebp, edi

        $sequence_62 = { 740e 44893d???????? 44893d???????? 488d442440 4c8d4c2440 }
            // n = 5, score = 300
            //   740e                 | je                  0x1e
            //   44893d????????       |                     
            //   44893d????????       |                     
            //   488d442440           | push                0x104
            //   4c8d4c2440           | lea                 ecx, [edi + 0x10]

        $sequence_63 = { 8945d0 3dea000000 7554 ff75fc 53 ff35???????? }
            // n = 6, score = 300
            //   8945d0               | add                 esp, 0x20
            //   3dea000000           | inc                 ecx
            //   7554                 | pop                 ebp
            //   ff75fc               | inc                 ecx
            //   53                   | pop                 esp
            //   ff35????????         |                     

        $sequence_64 = { 895c2414 895c2410 895c240c 3bfe 0f86ea000000 }
            // n = 5, score = 300
            //   895c2414             | cmp                 eax, edi
            //   895c2410             | mov                 eax, esi
            //   895c240c             | dec                 eax
            //   3bfe                 | mov                 esi, dword ptr [esp + 0x58]
            //   0f86ea000000         | dec                 eax

        $sequence_65 = { 8975f8 e8???????? 8945ec 3bc3 }
            // n = 4, score = 300
            //   8975f8               | mov                 eax, esi
            //   e8????????           |                     
            //   8945ec               | dec                 eax
            //   3bc3                 | mov                 esi, dword ptr [esp + 0x58]

        $sequence_66 = { 4c8bc6 ff15???????? 488bd8 493bc7 }
            // n = 4, score = 300
            //   4c8bc6               | push                dword ptr [ebx]
            //   ff15????????         |                     
            //   488bd8               | push                eax
            //   493bc7               | push                0x410

        $sequence_67 = { ff15???????? 8bf0 8d4601 50 8975f8 e8???????? }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   8bf0                 | je                  0x24
            //   8d4601               | dec                 ecx
            //   50                   | mov                 edx, ebp
            //   8975f8               | dec                 eax
            //   e8????????           |                     

        $sequence_68 = { 395d10 7423 6a01 ff75fc e8???????? 3bc3 7518 }
            // n = 7, score = 300
            //   395d10               | dec                 eax
            //   7423                 | add                 esp, 0x20
            //   6a01                 | inc                 ecx
            //   ff75fc               | pop                 ebp
            //   e8????????           |                     
            //   3bc3                 | inc                 ecx
            //   7518                 | pop                 esp

        $sequence_69 = { 493bc5 742f 488d4810 ff15???????? }
            // n = 4, score = 300
            //   493bc5               | mov                 dword ptr [ebp - 4], eax
            //   742f                 | test                eax, eax
            //   488d4810             | je                  0x1e
            //   ff15????????         |                     

        $sequence_70 = { 8b45fc 0fb700 8bc8 81e100f00000 }
            // n = 4, score = 300
            //   8b45fc               | mov                 dword ptr [ebp - 8], eax
            //   0fb700               | test                eax, eax
            //   8bc8                 | jne                 0x55
            //   81e100f00000         | push                dword ptr [ebx]

        $sequence_71 = { 5b 8be5 5d c20400 8325????????00 6a00 68???????? }
            // n = 7, score = 300
            //   5b                   | lea                 eax, [ebp - 0xc]
            //   8be5                 | push                eax
            //   5d                   | mov                 eax, dword ptr [ebp + 0xc]
            //   c20400               | mov                 dword ptr [ebp - 4], ebx
            //   8325????????00       |                     
            //   6a00                 | mov                 dword ptr [ebp - 8], eax
            //   68????????           |                     

        $sequence_72 = { 488b0d???????? 4885c9 7405 e8???????? 4883c428 c3 4053 }
            // n = 7, score = 300
            //   488b0d????????       |                     
            //   4885c9               | push                eax
            //   7405                 | test                eax, eax
            //   e8????????           |                     
            //   4883c428             | je                  0x1c
            //   c3                   | push                0x104
            //   4053                 | lea                 ecx, [edi + 0x10]

        $sequence_73 = { 4d3bef 7415 498bd5 4883c9ff ff15???????? }
            // n = 5, score = 300
            //   4d3bef               | push                ecx
            //   7415                 | push                0
            //   498bd5               | push                esi
            //   4883c9ff             | xor                 esi, esi
            //   ff15????????         |                     

        $sequence_74 = { 8b4778 034774 39477c 0f834effffff }
            // n = 4, score = 200
            //   8b4778               | ret                 
            //   034774               | push                ecx
            //   39477c               | add                 eax, 0x258
            //   0f834effffff         | pop                 ebx

        $sequence_75 = { c1ed04 83c004 81f91e010000 894f74 }
            // n = 4, score = 200
            //   c1ed04               | ret                 
            //   83c004               | movzx               ecx, word ptr [eax]
            //   81f91e010000         | cmp                 cx, 2
            //   894f74               | jne                 0x26

        $sequence_76 = { a1???????? 8b35???????? 83c01e 50 ffd6 }
            // n = 5, score = 200
            //   a1????????           |                     
            //   8b35????????         |                     
            //   83c01e               | jne                 0x55
            //   50                   | push                dword ptr [ebx]
            //   ffd6                 | push                eax

        $sequence_77 = { e8???????? 488b0d???????? 4883c12e ff15???????? 4c8b05???????? 448d7b02 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4883c12e             | push                eax
            //   ff15????????         |                     
            //   4c8b05????????       |                     
            //   448d7b02             | push                0x410

        $sequence_78 = { 8b4036 85c0 75ec 8b06 }
            // n = 4, score = 200
            //   8b4036               | test                eax, eax
            //   85c0                 | je                  0x26
            //   75ec                 | test                eax, eax
            //   8b06                 | jne                 0x53

        $sequence_79 = { 5f 5b 8be5 5d c3 0fb708 6683f902 }
            // n = 7, score = 200
            //   5f                   | test                eax, eax
            //   5b                   | je                  0x21
            //   8be5                 | push                0x104
            //   5d                   | push                dword ptr [ebx]
            //   c3                   | push                eax
            //   0fb708               | push                0x410
            //   6683f902             | mov                 dword ptr [ebp - 4], eax

        $sequence_80 = { 66b90100 4889442420 e8???????? 3bc3 0f859b000000 }
            // n = 5, score = 200
            //   66b90100             | ret                 8
            //   4889442420           | push                ecx
            //   e8????????           |                     
            //   3bc3                 | push                ebx
            //   0f859b000000         | push                edi

        $sequence_81 = { 83a78c00000000 33c0 c3 51 e8???????? }
            // n = 5, score = 200
            //   83a78c00000000       | push                0x410
            //   33c0                 | inc                 esi
            //   c3                   | mov                 dword ptr [ebp - 8], eax
            //   51                   | test                eax, eax
            //   e8????????           |                     

        $sequence_82 = { 7505 8d5857 eb15 488b05???????? 89702a }
            // n = 5, score = 200
            //   7505                 | push                eax
            //   8d5857               | push                0x410
            //   eb15                 | mov                 dword ptr [ebp - 4], eax
            //   488b05????????       |                     
            //   89702a               | test                eax, eax

        $sequence_83 = { ffd7 8b1d???????? 6a3a b8???????? 56 ff35???????? a3???????? }
            // n = 7, score = 200
            //   ffd7                 | mov                 dword ptr [ebp - 8], eax
            //   8b1d????????         |                     
            //   6a3a                 | test                eax, eax
            //   b8????????           |                     
            //   56                   | jne                 0x55
            //   ff35????????         |                     
            //   a3????????           |                     

        $sequence_84 = { eb14 a1???????? 89701a 8b4508 8938 }
            // n = 5, score = 200
            //   eb14                 | inc                 esi
            //   a1????????           |                     
            //   89701a               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | test                eax, eax
            //   8938                 | jne                 0x58

        $sequence_85 = { 83c01e 50 ff15???????? c20400 a1???????? 56 83c004 }
            // n = 7, score = 200
            //   83c01e               | push                0x410
            //   50                   | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   c20400               | test                eax, eax
            //   a1????????           |                     
            //   56                   | je                  0x21
            //   83c004               | test                eax, eax

        $sequence_86 = { 33d2 e8???????? 44892d???????? 33c9 44892d???????? e8???????? 488bcf }
            // n = 7, score = 200
            //   33d2                 | ret                 
            //   e8????????           |                     
            //   44892d????????       |                     
            //   33c9                 | push                ecx
            //   44892d????????       |                     
            //   e8????????           |                     
            //   488bcf               | pop                 ebx

        $sequence_87 = { 4883c12e ff15???????? 448b05???????? 488bd3 b92ab5f293 }
            // n = 5, score = 200
            //   4883c12e             | push                dword ptr [ebx]
            //   ff15????????         |                     
            //   448b05????????       |                     
            //   488bd3               | push                eax
            //   b92ab5f293           | push                0x410

        $sequence_88 = { 8b45e8 8d4de8 8945f4 3bc1 0f851ffeffff }
            // n = 5, score = 200
            //   8b45e8               | push                0x104
            //   8d4de8               | test                eax, eax
            //   8945f4               | jne                 0x53
            //   3bc1                 | push                dword ptr [ebx]
            //   0f851ffeffff         | push                eax

        $sequence_89 = { 0f8e2a040000 8a05???????? 4238042b 7521 448bc2 }
            // n = 5, score = 200
            //   0f8e2a040000         | lea                 ecx, [edi + 0x10]
            //   8a05????????         |                     
            //   4238042b             | push                ecx
            //   7521                 | push                0x410
            //   448bc2               | mov                 dword ptr [ebp - 4], eax

        $sequence_90 = { c9 c20800 55 8bec 81ec1c010000 8d4807 83e1f8 }
            // n = 7, score = 200
            //   c9                   | mov                 ecx, eax
            //   c20800               | and                 ecx, 0xf000
            //   55                   | push                edi
            //   8bec                 | mov                 dword ptr [esi], eax
            //   81ec1c010000         | xor                 edi, edi
            //   8d4807               | mov                 eax, dword ptr [ebp - 0x18]
            //   83e1f8               | lea                 ecx, [ebp - 0x18]

        $sequence_91 = { 33c0 e8???????? 8bd8 a1???????? 83c036 83c9ff }
            // n = 6, score = 200
            //   33c0                 | push                esi
            //   e8????????           |                     
            //   8bd8                 | xor                 esi, esi
            //   a1????????           |                     
            //   83c036               | inc                 esi
            //   83c9ff               | mov                 dword ptr [ebp - 8], eax

        $sequence_92 = { 488b0d???????? 4883c12e ff15???????? 488b15???????? 488b8c24b0000000 488b12 }
            // n = 6, score = 200
            //   488b0d????????       |                     
            //   4883c12e             | mov                 dword ptr [ebp - 8], eax
            //   ff15????????         |                     
            //   488b15????????       |                     
            //   488b8c24b0000000     | test                eax, eax
            //   488b12               | jne                 0x5b

        $sequence_93 = { c1ed03 0fb70442 6683e107 66898c4788000000 }
            // n = 4, score = 200
            //   c1ed03               | and                 dword ptr [edi + 0x8c], 0
            //   0fb70442             | xor                 eax, eax
            //   6683e107             | ret                 
            //   66898c4788000000     | push                ecx

        $sequence_94 = { 88040a 8b8314170000 83432801 b910000000 2ac8 }
            // n = 5, score = 200
            //   88040a               | ret                 
            //   8b8314170000         | movzx               ecx, word ptr [eax]
            //   83432801             | cmp                 cx, 2
            //   b910000000           | and                 dword ptr [edi + 0x8c], 0
            //   2ac8                 | xor                 eax, eax

        $sequence_95 = { 488bd8 488b05???????? f0834056ff 4885db }
            // n = 4, score = 200
            //   488bd8               | push                dword ptr [ebx]
            //   488b05????????       |                     
            //   f0834056ff           | jne                 0x53
            //   4885db               | push                dword ptr [ebx]

        $sequence_96 = { 8a8310170000 88040a 83432801 8a8311170000 }
            // n = 4, score = 200
            //   8a8310170000         | cmp                 cx, 2
            //   88040a               | jne                 0x27
            //   83432801             | leave               
            //   8a8311170000         | ret                 8

        $sequence_97 = { 897004 5f 5e 5b c20800 51 53 }
            // n = 7, score = 200
            //   897004               | push                eax
            //   5f                   | push                dword ptr [ebx + 0x10]
            //   5e                   | xor                 edx, edx
            //   5b                   | mov                 dword ptr [edi + 0x4a18], esi
            //   c20800               | cmp                 dword ptr [edi + 0x4a1c], edx
            //   51                   | push                0x410
            //   53                   | mov                 dword ptr [ebp - 4], eax

        $sequence_98 = { c9 c21000 a1???????? 83c01e 50 ff15???????? eb08 }
            // n = 7, score = 200
            //   c9                   | push                dword ptr [ebx]
            //   c21000               | push                dword ptr [ebx + 0x10]
            //   a1????????           |                     
            //   83c01e               | xor                 edx, edx
            //   50                   | mov                 dword ptr [edi + 0x4a18], esi
            //   ff15????????         |                     
            //   eb08                 | cmp                 dword ptr [edi + 0x4a1c], edx

        $sequence_99 = { c744242800010000 89442420 e8???????? 488b0d???????? 413bc6 480f454c2458 }
            // n = 6, score = 200
            //   c744242800010000     | mov                 dword ptr [ebp - 4], eax
            //   89442420             | push                esi
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   413bc6               | xor                 esi, esi
            //   480f454c2458         | inc                 esi

        $sequence_100 = { ff15???????? 57 ff15???????? 8906 33ff }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   57                   | mov                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   8906                 | test                eax, eax
            //   33ff                 | je                  0x21

        $sequence_101 = { 488b15???????? 4c8d442468 48c7c101000080 ff15???????? }
            // n = 4, score = 200
            //   488b15????????       |                     
            //   4c8d442468           | lea                 ecx, [edi + 0x10]
            //   48c7c101000080       | jne                 0x53
            //   ff15????????         |                     

        $sequence_102 = { 83c01e 50 ff15???????? 8ac3 5b c20400 53 }
            // n = 7, score = 200
            //   83c01e               | push                ecx
            //   50                   | push                0
            //   ff15????????         |                     
            //   8ac3                 | push                eax
            //   5b                   | push                eax
            //   c20400               | push                0x410
            //   53                   | mov                 dword ptr [ebp - 4], eax

        $sequence_103 = { ffb72c080000 e8???????? 5e 5d 5b c3 eb10 }
            // n = 7, score = 200
            //   ffb72c080000         | mov                 ecx, edi
            //   e8????????           |                     
            //   5e                   | dec                 esp
            //   5d                   | mov                 esi, eax
            //   5b                   | dec                 eax
            //   c3                   | test                eax, eax
            //   eb10                 | dec                 ecx

        $sequence_104 = { 8b4778 034774 3bc8 0f86a4000000 }
            // n = 4, score = 200
            //   8b4778               | xor                 eax, eax
            //   034774               | ret                 
            //   3bc8                 | push                ecx
            //   0f86a4000000         | pop                 ebp

        $sequence_105 = { c1e804 46 33048d1062be03 85ff 75cf }
            // n = 5, score = 100
            //   c1e804               | movzx               ecx, word ptr [eax]
            //   46                   | cmp                 cx, 2
            //   33048d1062be03       | jne                 0x27
            //   85ff                 | pop                 ebx
            //   75cf                 | ret                 8

        $sequence_106 = { ff742410 57 e8???????? 8bd8 83fb02 }
            // n = 5, score = 100
            //   ff742410             | pop                 esi
            //   57                   | pop                 ebx
            //   e8????????           |                     
            //   8bd8                 | ret                 8
            //   83fb02               | push                ecx

        $sequence_107 = { 56 8b35???????? 6a00 ffd6 ff742414 ff742414 57 }
            // n = 7, score = 100
            //   56                   | jne                 0x26
            //   8b35????????         |                     
            //   6a00                 | cmp                 word ptr [eax + 2], 0
            //   ffd6                 | pop                 edi
            //   ff742414             | pop                 esi
            //   ff742414             | pop                 ebx
            //   57                   | ret                 8

        $sequence_108 = { 894dec c745e0e724be03 8945d8 751b f605????????01 7412 8b7e08 }
            // n = 7, score = 100
            //   894dec               | push                ebx
            //   c745e0e724be03       | push                edi
            //   8945d8               | push                0x84
            //   751b                 | mov                 esp, ebp
            //   f605????????01       |                     
            //   7412                 | pop                 ebp
            //   8b7e08               | ret                 

        $sequence_109 = { 08ee 2ad2 50 3a1c07 }
            // n = 4, score = 100
            //   08ee                 | push                ecx
            //   2ad2                 | push                ebx
            //   50                   | push                edi
            //   3a1c07               | push                0x84

        $sequence_110 = { 48 55 395002 cd60 }
            // n = 4, score = 100
            //   48                   | pop                 ebp
            //   55                   | ret                 
            //   395002               | movzx               ecx, word ptr [eax]
            //   cd60                 | cmp                 cx, 2

        $sequence_111 = { 8b4508 8945e4 8b00 c745e820320410 }
            // n = 4, score = 100
            //   8b4508               | dec                 ecx
            //   8945e4               | mov                 edx, ebp
            //   8b00                 | dec                 eax
            //   c745e820320410       | or                  ecx, 0xffffffff

        $sequence_112 = { ff75e8 ffd7 eb08 ff15???????? }
            // n = 4, score = 100
            //   ff75e8               | mov                 ebp, esp
            //   ffd7                 | sub                 esp, 0x11c
            //   eb08                 | lea                 ecx, [eax + 7]
            //   ff15????????         |                     

        $sequence_113 = { ff15???????? a1???????? 8d480c 33ed 83c42c 3929 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   a1????????           |                     
            //   8d480c               | push                ebx
            //   33ed                 | dec                 ebp
            //   83c42c               | cmp                 ebp, edi
            //   3929                 | je                  0x17

        $sequence_114 = { 8bd8 3bde 0f85df020000 e8???????? 8bd8 3bde }
            // n = 6, score = 100
            //   8bd8                 | dec                 ebp
            //   3bde                 | cmp                 ebp, edi
            //   0f85df020000         | je                  0x17
            //   e8????????           |                     
            //   8bd8                 | dec                 ecx
            //   3bde                 | mov                 edx, ebp

        $sequence_115 = { e8???????? ff75ec 8b3d???????? 8bd8 ffd7 ff75e8 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   ff75ec               | pop                 ebx
            //   8b3d????????         |                     
            //   8bd8                 | leave               
            //   ffd7                 | ret                 8
            //   ff75e8               | push                ebp

    condition:
        7 of them and filesize < 802816
}
Download all Yara Rules
DreamBot Propose Change

References

Yara Rules

DreamBot
