SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dridex (Back to overview)

Dridex

Actor(s): Evil Corp, INDRIK SPIDER, TA505

URLhaus    

OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term."
According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."
IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."

References
2022-10-31paloalto Netoworks: Unit42Or Chechik
@online{chechik:20221031:banking:c421ac8, author = {Or Chechik}, title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}}, date = {2022-10-31}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/}, language = {English}, urldate = {2022-10-31} } Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-10-17} } Spamhaus Botnet Threat Update Q3 2022
FluBot Loki Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-01IBMKevin Henson, Emmy Ebanks
@online{henson:20220901:raspberry:b5b5946, author = {Kevin Henson and Emmy Ebanks}, title = {{Raspberry Robin and Dridex: Two Birds of a Feather}}, date = {2022-09-01}, organization = {IBM}, url = {https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/}, language = {English}, urldate = {2022-09-06} } Raspberry Robin and Dridex: Two Birds of a Feather
Dridex Raspberry Robin
2022-08-24Github (rad9800)Rad Kawar
@techreport{kawar:20220824:malware:2eeaafb, author = {Rad Kawar}, title = {{Malware Madness: EXCEPTION edition}}, date = {2022-08-24}, institution = {Github (rad9800)}, url = {https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf}, language = {English}, urldate = {2022-08-28} } Malware Madness: EXCEPTION edition
Dridex
2022-07-09Artik BlueArtik Blue
@online{blue:20220709:malware:be9282b, author = {Artik Blue}, title = {{Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage)}}, date = {2022-07-09}, organization = {Artik Blue}, url = {https://artik.blue/malware3}, language = {English}, urldate = {2022-07-15} } Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage)
Dridex
2022-06-13Jorge TestaJorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02MandiantMandiant Intelligence
@online{intelligence:20220602:to:e15831c, author = {Mandiant Intelligence}, title = {{To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions}, language = {English}, urldate = {2022-06-04} } To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-24Deep instinctBar Block
@online{block:20220524:blame:9f45829, author = {Bar Block}, title = {{Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them}}, date = {2022-05-24}, organization = {Deep instinct}, url = {https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office}, language = {English}, urldate = {2022-05-29} } Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
Dridex Emotet
2022-05-19Palo Alto Networks Unit 42Saqib Khanzada
@online{khanzada:20220519:weaponization:969a179, author = {Saqib Khanzada}, title = {{Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies}}, date = {2022-05-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain}, language = {English}, urldate = {2022-05-23} } Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
Dridex
2022-05-10RiskIQRiskIQ
@online{riskiq:20220510:riskiq:0de1fcf, author = {RiskIQ}, title = {{RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns}}, date = {2022-05-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/e4fb7245}, language = {English}, urldate = {2022-05-17} } RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns
Dridex
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-03-13Malcatmalcat team
@online{team:20220313:cutting:f4878c8, author = {malcat team}, title = {{Cutting corners against a Dridex downloader}}, date = {2022-03-13}, organization = {Malcat}, url = {https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/}, language = {English}, urldate = {2022-03-14} } Cutting corners against a Dridex downloader
Dridex
2022-03VirusTotalVirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1, author = {VirusTotal}, title = {{VirusTotal's 2021 Malware Trends Report}}, date = {2022-03}, institution = {VirusTotal}, url = {https://assets.virustotal.com/reports/2021trends.pdf}, language = {English}, urldate = {2022-04-13} } VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-23SophosLabs UncutAndrew Brandt
@online{brandt:20220223:dridex:c1d4784, author = {Andrew Brandt}, title = {{Dridex bots deliver Entropy ransomware in recent attacks}}, date = {2022-02-23}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/}, language = {English}, urldate = {2022-03-01} } Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy
2022-02-23Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
@online{pirozzi:20220223:sanctions:aae1c98, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp}}, date = {2022-02-23}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/}, language = {English}, urldate = {2022-02-26} } Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
Dridex WastedLocker
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
@techreport{pirozzi:202202:sanctions:2213742, author = {Antonio Pirozzi and Antonis Terefos and Idan Weizman}, title = {{Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp}}, date = {2022-02}, institution = {Sentinel LABS}, url = {https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf}, language = {English}, urldate = {2022-05-17} } Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
2022-01-18Recorded FutureInsikt Group®
@techreport{group:20220118:2021:9cff6fc, author = {Insikt Group®}, title = {{2021 Adversary Infrastructure Report}}, date = {2022-01-18}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf}, language = {English}, urldate = {2022-01-24} } 2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-14RiskIQJordan Herman
@online{herman:20220114:riskiq:f4f5b68, author = {Jordan Herman}, title = {{RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers}}, date = {2022-01-14}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2cd1c003}, language = {English}, urldate = {2022-01-18} } RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers
Dridex Emotet
2022-01-11muha2xmadMuhammad Hasan Ali
@online{ali:20220111:unpacking:2fe091c, author = {Muhammad Hasan Ali}, title = {{Unpacking Dridex malware}}, date = {2022-01-11}, organization = {muha2xmad}, url = {https://muha2xmad.github.io/unpacking/dridex/}, language = {English}, urldate = {2022-01-25} } Unpacking Dridex malware
Dridex
2022-01-09Atomic Matryoshkaz3r0day_504
@online{z3r0day504:20220109:malware:81e38aa, author = {z3r0day_504}, title = {{Malware Headliners: Dridex}}, date = {2022-01-09}, organization = {Atomic Matryoshka}, url = {https://www.atomicmatryoshka.com/post/malware-headliners-dridex}, language = {English}, urldate = {2022-02-01} } Malware Headliners: Dridex
Dridex
2021-12-23SymantecSiddhesh Chandrayan
@online{chandrayan:20211223:log4j:58ea562, author = {Siddhesh Chandrayan}, title = {{Log4j Vulnerabilities: Attack Insights}}, date = {2021-12-23}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks}, language = {English}, urldate = {2022-01-25} } Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass
2021-12-20InQuestNick Chalard
@online{chalard:20211220:dont:0aad3db, author = {Nick Chalard}, title = {{(Don't) Bring Dridex Home for the Holidays}}, date = {2021-12-20}, organization = {InQuest}, url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays}, language = {English}, urldate = {2021-12-22} } (Don't) Bring Dridex Home for the Holidays
DoppelDridex Dridex
2021-11-21Cyber-AnubisNidal Fikri
@online{fikri:20211121:dridex:b9218fa, author = {Nidal Fikri}, title = {{Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}}, date = {2021-11-21}, organization = {Cyber-Anubis}, url = {https://cyber-anubis.github.io/malware%20analysis/dridex/}, language = {English}, urldate = {2021-12-01} } Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
DoppelDridex Dridex
2021-11-16YoroiLuigi Martire, Carmelo Ragusa, Luca Mella
@online{martire:20211116:office:2dba65a, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{Office Documents: May the XLL technique change the threat Landscape in 2022?}}, date = {2021-11-16}, organization = {Yoroi}, url = {https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/}, language = {English}, urldate = {2021-11-17} } Office Documents: May the XLL technique change the threat Landscape in 2022?
Agent Tesla Dridex Formbook
2021-11-12Recorded FutureInsikt Group®
@techreport{group:20211112:business:6d6cffa, author = {Insikt Group®}, title = {{The Business of Fraud: Botnet Malware Dissemination}}, date = {2021-11-12}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf}, language = {English}, urldate = {2021-11-17} } The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-09-15Palo Alto Networks Unit 42Anna Chung, Swetha Balla
@online{chung:20210915:phishing:15f054e, author = {Anna Chung and Swetha Balla}, title = {{Phishing Eager Travelers}}, date = {2021-09-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/travel-themed-phishing/}, language = {English}, urldate = {2021-09-19} } Phishing Eager Travelers
Dridex
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-19BlackberryBlackBerry Research & Intelligence Team
@online{team:20210819:blackberry:2eec433, author = {BlackBerry Research & Intelligence Team}, title = {{BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware}}, date = {2021-08-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware}, language = {English}, urldate = {2021-08-23} } BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex
2021-07-30HPPatrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-02MalwareBookReportsmuzi
@online{muzi:20210702:skip:09c3cd8, author = {muzi}, title = {{Skip the Middleman: Dridex Document to Cobalt Strike}}, date = {2021-07-02}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/cryptone-cobalt-strike/}, language = {English}, urldate = {2021-07-06} } Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, Kirk Sayre, dao ming si
@online{cryptolaemus:20210622:ta575:895ac37, author = {Cryptolaemus and Kirk Sayre and dao ming si}, title = {{Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs}}, date = {2021-06-22}, organization = {Twitter (@Cryptolaemus1)}, url = {https://twitter.com/Cryptolaemus1/status/1407135648528711680}, language = {English}, urldate = {2021-06-22} } Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-08Intel 471Intel 471
@online{471:20210608:blurry:5b278e5, author = {Intel 471}, title = {{The blurry boundaries between nation-state actors and the cybercrime underground}}, date = {2021-06-08}, organization = {Intel 471}, url = {https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state}, language = {English}, urldate = {2021-06-16} } The blurry boundaries between nation-state actors and the cybercrime underground
Dridex Gameover P2P
2021-06-03YouTube (FIRST)Felipe Domingues, Gustavo Palazolo
@online{domingues:20210603:breaking:69967e5, author = {Felipe Domingues and Gustavo Palazolo}, title = {{Breaking Dridex Malware}}, date = {2021-06-03}, organization = {YouTube (FIRST)}, url = {https://www.youtube.com/watch?v=1VB15_HgUkg}, language = {English}, urldate = {2021-06-16} } Breaking Dridex Malware
Dridex
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-04-21SophosLabs UncutSean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-15ProofpointSelena Larson
@online{larson:20210415:threat:cdfef32, author = {Selena Larson}, title = {{Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes}}, date = {2021-04-15}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes}, language = {English}, urldate = {2021-08-23} } Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes
Dridex TrickBot
2021-04-15Twitter (@felixw3000)Felix
@online{felix:20210415:dridexs:a39e123, author = {Felix}, title = {{Tweet on Dridex's evasion technique}}, date = {2021-04-15}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1382614469713530883?s=20}, language = {English}, urldate = {2021-05-25} } Tweet on Dridex's evasion technique
Dridex
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-06LexfoLexfo
@online{lexfo:20210406:dridex:a3b6f4f, author = {Lexfo}, title = {{Dridex Loader Analysis}}, date = {2021-04-06}, organization = {Lexfo}, url = {https://blog.lexfo.fr/dridex-malware.html}, language = {English}, urldate = {2021-04-09} } Dridex Loader Analysis
Dridex
2021-03-31Red CanaryRed Canary
@techreport{canary:20210331:2021:cd81f2d, author = {Red Canary}, title = {{2021 Threat Detection Report}}, date = {2021-03-31}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf}, language = {English}, urldate = {2021-04-06} } 2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29VMWare Carbon BlackJason Zhang, Oleg Boyarchuk, Giovanni Vigna
@online{zhang:20210329:dridex:7692f65, author = {Jason Zhang and Oleg Boyarchuk and Giovanni Vigna}, title = {{Dridex Reloaded: Analysis of a New Dridex Campaign}}, date = {2021-03-29}, organization = {VMWare Carbon Black}, url = {https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/}, language = {English}, urldate = {2021-04-09} } Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex
2021-03-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210318:silverfish:f203208, author = {PRODAFT}, title = {{SilverFish GroupThreat Actor Report}}, date = {2021-03-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf}, language = {English}, urldate = {2021-04-06} } SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-11IBMDave McMillen, Limor Kessem
@online{mcmillen:20210311:dridex:1140b01, author = {Dave McMillen and Limor Kessem}, title = {{Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts}}, date = {2021-03-11}, organization = {IBM}, url = {https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/}, language = {English}, urldate = {2021-03-12} } Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex
2021-03Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-07Technical Blog of Ali AqeelAli Aqeel
@online{aqeel:20210207:dridex:871b7d0, author = {Ali Aqeel}, title = {{Dridex Malware Analysis}}, date = {2021-02-07}, organization = {Technical Blog of Ali Aqeel}, url = {https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/}, language = {English}, urldate = {2021-02-09} } Dridex Malware Analysis
Dridex
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
@online{report:20210202:recent:5272ed0, author = {The DFIR Report}, title = {{Tweet on recent dridex post infection activity}}, date = {2021-02-02}, organization = {Twitter (@TheDFIRReport)}, url = {https://twitter.com/TheDFIRReport/status/1356729371931860992}, language = {English}, urldate = {2021-02-04} } Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2021-01-19HPPatrick Schläpfer
@online{schlpfer:20210119:dridex:a8b3da4, author = {Patrick Schläpfer}, title = {{Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs}}, date = {2021-01-19}, organization = {HP}, url = {https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/}, language = {English}, urldate = {2021-01-21} } Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs
Dridex
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-04Check PointCheck Point Research
@online{research:20210104:dridex:2741eba, author = {Check Point Research}, title = {{DRIDEX Stopping Serial Killer: Catching the Next Strike}}, date = {2021-01-04}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/}, language = {English}, urldate = {2021-01-05} } DRIDEX Stopping Serial Killer: Catching the Next Strike
Dridex
2021SecureworksSecureWorks
@online{secureworks:2021:threat:98f1049, author = {SecureWorks}, title = {{Threat Profile: GOLD HERON}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER
2021SecureWorks
@online{secureworks:2021:threat:dbd7ed7, author = {SecureWorks}, title = {{Threat Profile: GOLD DRAKE}}, date = {2021}, url = {http://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18SophosSophos
@techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-10-29CERT-FRCERT-FR
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-15Department of JusticeDepartment of Justice
@online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-10-03WikipediaWikpedia
@online{wikpedia:20201003:wikipedia:70dbf1e, author = {Wikpedia}, title = {{Wikipedia Page: Maksim Yakubets}}, date = {2020-10-03}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Maksim_Yakubets}, language = {English}, urldate = {2020-11-02} } Wikipedia Page: Maksim Yakubets
Dridex Feodo Evil Corp
2020-09-29PWC UKAndy Auld
@online{auld:20200929:whats:2782a62, author = {Andy Auld}, title = {{What's behind the increase in ransomware attacks this year?}}, date = {2020-09-29}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html}, language = {English}, urldate = {2021-05-25} } What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-18AppGateGustavo Palazolo, Felipe Duarte
@online{palazolo:20200918:reverse:689e4cb, author = {Gustavo Palazolo and Felipe Duarte}, title = {{Reverse Engineering Dridex and Automating IOC Extraction}}, date = {2020-09-18}, organization = {AppGate}, url = {https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction}, language = {English}, urldate = {2020-09-25} } Reverse Engineering Dridex and Automating IOC Extraction
Dridex
2020-09-10SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20200910:recent:f9e103f, author = {Brad Duncan}, title = {{Recent Dridex activity}}, date = {2020-09-10}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/}, language = {English}, urldate = {2020-09-15} } Recent Dridex activity
Dridex
2020-09-07Github (pan-unit42)Brad Duncan
@online{duncan:20200907:collection:09ab7be, author = {Brad Duncan}, title = {{Collection of recent Dridex IOCs}}, date = {2020-09-07}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt}, language = {English}, urldate = {2020-09-15} } Collection of recent Dridex IOCs
Cutwail Dridex
2020-08-21Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200821:wireshark:d98d5ed, author = {Brad Duncan}, title = {{Wireshark Tutorial: Decrypting HTTPS Traffic}}, date = {2020-08-21}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/}, language = {English}, urldate = {2020-08-25} } Wireshark Tutorial: Decrypting HTTPS Traffic
Dridex
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-08-03The DFIR Report
@online{report:20200803:dridex:165cf39, author = {The DFIR Report}, title = {{Dridex – From Word to Domain Dominance}}, date = {2020-08-03}, url = {https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/}, language = {English}, urldate = {2020-08-05} } Dridex – From Word to Domain Dominance
Dridex
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-19ReaqtaReaqta
@online{reaqta:20200619:dridex:54f4dd5, author = {Reaqta}, title = {{Dridex: the secret in a PostMessage()}}, date = {2020-06-19}, organization = {Reaqta}, url = {https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/}, language = {English}, urldate = {2020-06-22} } Dridex: the secret in a PostMessage()
Dridex
2020-06-05VotiroVotiro’s Research Team
@online{team:20200605:anatomy:3047f6e, author = {Votiro’s Research Team}, title = {{Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19}}, date = {2020-06-05}, organization = {Votiro}, url = {https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/}, language = {English}, urldate = {2020-06-10} } Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex
2020-05-31Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20200531:wastedloader:c37b988, author = {Jason Reaves and Joshua Platt}, title = {{WastedLoader or DridexLoader?}}, date = {2020-05-31}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77}, language = {English}, urldate = {2021-06-09} } WastedLoader or DridexLoader?
Dridex WastedLocker
2020-05-27GAIS-CERTGAIS-CERT
@techreport{gaiscert:20200527:dridex:90bd3bd, author = {GAIS-CERT}, title = {{Dridex Banking Trojan Technical Analysis Report}}, date = {2020-05-27}, institution = {GAIS-CERT}, url = {https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf}, language = {English}, urldate = {2020-06-24} } Dridex Banking Trojan Technical Analysis Report
Dridex
2020-05-25CERT-FRCERT-FR
@online{certfr:20200525:indicateurs:642332f, author = {CERT-FR}, title = {{INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex}}, date = {2020-05-25}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/}, language = {French}, urldate = {2020-06-03} } INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex
2020-05-25CERT-FRCERT-FR
@techreport{certfr:20200525:le:ac94f72, author = {CERT-FR}, title = {{Le Code Malveillant Dridex: Origines et Usages}}, date = {2020-05-25}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf}, language = {French}, urldate = {2020-05-26} } Le Code Malveillant Dridex: Origines et Usages
Dridex
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:b12ae49, author = {SecureWorks}, title = {{GOLD HERON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-heron}, language = {English}, urldate = {2020-05-23} } GOLD HERON
DoppelPaymer Dridex Empire Downloader
2020SecureworksSecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2019-12-19KrebsOnSecurityBrian Krebs
@online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2019-12-05U.S. Department of the TreasuryU.S. Department of the Treasury
@online{treasury:20191205:treasury:81d8c3e, author = {U.S. Department of the Treasury}, title = {{Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware}}, date = {2019-12-05}, organization = {U.S. Department of the Treasury}, url = {https://home.treasury.gov/news/press-releases/sm845}, language = {English}, urldate = {2021-04-06} } Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware
Dridex
2019-09-09McAfeeThomas Roccia, Marc Rivero López, Chintan Shah
@online{roccia:20190909:evolution:baf3b6c, author = {Thomas Roccia and Marc Rivero López and Chintan Shah}, title = {{Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study}}, date = {2019-09-09}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/}, language = {English}, urldate = {2020-08-30} } Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-13AdalogicsDavid Korczynski
@online{korczynski:20190813:state:a4ad074, author = {David Korczynski}, title = {{The state of advanced code injections}}, date = {2019-08-13}, organization = {Adalogics}, url = {https://adalogics.com/blog/the-state-of-advanced-code-injections}, language = {English}, urldate = {2020-01-13} } The state of advanced code injections
Dridex Emotet Tinba
2019-07-12CrowdStrikeBrett Stone-Gross, Sergei Frankoff, Bex Hartley
@online{stonegross:20190712:bitpaymer:113a037, author = {Brett Stone-Gross and Sergei Frankoff and Bex Hartley}, title = {{BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0}}, date = {2019-07-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/}, language = {English}, urldate = {2020-04-25} } BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx
2019-05-14GovCERT.chGovCERT.ch
@online{govcertch:20190514:rise:8fd8ef4, author = {GovCERT.ch}, title = {{The Rise of Dridex and the Role of ESPs}}, date = {2019-05-14}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps}, language = {English}, urldate = {2020-01-09} } The Rise of Dridex and the Role of ESPs
Dridex
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-01-26ESET ResearchMichal Poslušný
@online{poslun:20180126:friedex:3c3f46b, author = {Michal Poslušný}, title = {{FriedEx: BitPaymer ransomware the work of Dridex authors}}, date = {2018-01-26}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/}, language = {English}, urldate = {2019-11-14} } FriedEx: BitPaymer ransomware the work of Dridex authors
Dridex FriedEx
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-08-01Panda SecurityPanda Security
@techreport{security:20170801:malware:e92cd36, author = {Panda Security}, title = {{Malware Report: Dridex Version 4}}, date = {2017-08-01}, institution = {Panda Security}, url = {https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf}, language = {English}, urldate = {2020-04-14} } Malware Report: Dridex Version 4
Dridex
2017-07-25Github (viql)Johannes Bader
@online{bader:20170725:dridex:44f64d8, author = {Johannes Bader}, title = {{Dridex Loot}}, date = {2017-07-25}, organization = {Github (viql)}, url = {https://viql.github.io/dridex/}, language = {English}, urldate = {2020-01-07} } Dridex Loot
Dridex
2017-07-18ElasticAshkan Hosseini
@online{hosseini:20170718:ten:af036b3, author = {Ashkan Hosseini}, title = {{Ten process injection techniques: A technical survey of common and trending process injection techniques}}, date = {2017-07-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process}, language = {English}, urldate = {2020-07-15} } Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-05-25Kaspersky LabsNikita Slepogin
@online{slepogin:20170525:dridex:90a70d9, author = {Nikita Slepogin}, title = {{Dridex: A History of Evolution}}, date = {2017-05-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/}, language = {English}, urldate = {2022-08-31} } Dridex: A History of Evolution
Dridex Feodo
2017-05-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20170515:evolution:d0e74ea, author = {Counter Threat Unit ResearchTeam}, title = {{Evolution of the GOLD EVERGREEN Threat Group}}, date = {2017-05-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group}, language = {English}, urldate = {2021-05-28} } Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN
2017-02-28Security IntelligenceMagal Baz, Or Safran
@online{baz:20170228:dridexs:f72a5ec, author = {Magal Baz and Or Safran}, title = {{Dridex’s Cold War: Enter AtomBombing}}, date = {2017-02-28}, organization = {Security Intelligence}, url = {https://securityintelligence.com/dridexs-cold-war-enter-atombombing/}, language = {English}, urldate = {2019-12-16} } Dridex’s Cold War: Enter AtomBombing
Dridex
2017-01-26FlashpointFlashpoint
@online{flashpoint:20170126:dridex:2ca4920, author = {Flashpoint}, title = {{Dridex Banking Trojan Returns, Leverages New UAC Bypass Method}}, date = {2017-01-26}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/}, language = {English}, urldate = {2020-01-08} } Dridex Banking Trojan Returns, Leverages New UAC Bypass Method
Dridex
2016-02-16SymantecDick O'Brien
@techreport{obrien:20160216:dridex:7abdc31, author = {Dick O'Brien}, title = {{Dridex: Tidal waves of spam pushing dangerous financial Trojan}}, date = {2016-02-16}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf}, language = {English}, urldate = {2020-01-08} } Dridex: Tidal waves of spam pushing dangerous financial Trojan
Dridex
2015-11-10CERT.PLCERT.PL
@online{certpl:20151110:talking:d93cf24, author = {CERT.PL}, title = {{Talking to Dridex (part 0) – inside the dropper}}, date = {2015-11-10}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/}, language = {English}, urldate = {2020-01-06} } Talking to Dridex (part 0) – inside the dropper
Dridex
2015-10-26BluelivBlueliv
@techreport{blueliv:20151026:chasing:975ef1a, author = {Blueliv}, title = {{Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers}}, date = {2015-10-26}, institution = {Blueliv}, url = {https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf}, language = {English}, urldate = {2020-01-13} } Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre
2015-10-15BitSightAnubisLabs
@techreport{anubislabs:20151015:dridex:4dafca8, author = {AnubisLabs}, title = {{Dridex: Chasing a botnet from the inside}}, date = {2015-10-15}, institution = {BitSight}, url = {https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf}, language = {English}, urldate = {2020-08-06} } Dridex: Chasing a botnet from the inside
Dridex
2015-10-13SecureworksBrett Stone-Gross
@online{stonegross:20151013:dridex:46d9a58, author = {Brett Stone-Gross}, title = {{Dridex (Bugat v5) Botnet Takeover Operation}}, date = {2015-10-13}, organization = {Secureworks}, url = {https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation}, language = {English}, urldate = {2020-01-08} } Dridex (Bugat v5) Botnet Takeover Operation
Dridex Evil Corp
Yara Rules
[TLP:WHITE] win_dridex_auto (20221125 | Detects win.dridex.)
rule win_dridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.dridex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? b910270000 e8???????? e8???????? }
            // n = 4, score = 4000
            //   e8????????           |                     
            //   b910270000           | test                eax, eax
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_1 = { ffd6 85c0 7512 e8???????? eb03 }
            // n = 5, score = 4000
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7512                 | jne                 0x14
            //   e8????????           |                     
            //   eb03                 | jmp                 5

        $sequence_2 = { c605????????01 c3 c605????????00 c3 }
            // n = 4, score = 3900
            //   c605????????01       |                     
            //   c3                   | call                esi
            //   c605????????00       |                     
            //   c3                   | test                eax, eax

        $sequence_3 = { 83f8ff 7505 e8???????? 3d34270000 }
            // n = 4, score = 3900
            //   83f8ff               | jne                 0x16
            //   7505                 | jmp                 9
            //   e8????????           |                     
            //   3d34270000           | mov                 ecx, 0x2710

        $sequence_4 = { e8???????? 84c0 740c b9e8030000 }
            // n = 4, score = 3800
            //   e8????????           |                     
            //   84c0                 | call                eax
            //   740c                 | test                eax, eax
            //   b9e8030000           | jne                 0x23

        $sequence_5 = { 740c b9e8030000 e8???????? b301 }
            // n = 4, score = 3800
            //   740c                 | jmp                 9
            //   b9e8030000           | mov                 ecx, 0x2710
            //   e8????????           |                     
            //   b301                 | cmp                 eax, -1

        $sequence_6 = { ffd0 e8???????? 85c0 74de }
            // n = 4, score = 3800
            //   ffd0                 | jne                 0x16
            //   e8????????           |                     
            //   85c0                 | jmp                 9
            //   74de                 | mov                 ecx, 0x2710

        $sequence_7 = { ffd0 85c0 751f e8???????? }
            // n = 4, score = 3800
            //   ffd0                 | call                esi
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x16
            //   e8????????           |                     

        $sequence_8 = { 53 53 53 6a01 53 ffd0 }
            // n = 6, score = 3500
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a01                 | push                1
            //   53                   | push                ebx
            //   ffd0                 | call                eax

        $sequence_9 = { eb0a e8???????? eb03 6a7f }
            // n = 4, score = 3000
            //   eb0a                 | jmp                 0xc
            //   e8????????           |                     
            //   eb03                 | jmp                 5
            //   6a7f                 | push                0x7f

        $sequence_10 = { b801000000 c3 31c0 c3 50 }
            // n = 5, score = 2500
            //   b801000000           | mov                 eax, 1
            //   c3                   | ret                 
            //   31c0                 | xor                 eax, eax
            //   c3                   | ret                 
            //   50                   | push                eax

        $sequence_11 = { 7406 42 803a00 75fa }
            // n = 4, score = 2500
            //   7406                 | je                  8
            //   42                   | inc                 edx
            //   803a00               | cmp                 byte ptr [edx], 0
            //   75fa                 | jne                 0xfffffffc

        $sequence_12 = { ff36 ffd0 8bf8 85ff }
            // n = 4, score = 2500
            //   ff36                 | push                dword ptr [esi]
            //   ffd0                 | call                eax
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi

        $sequence_13 = { 7403 56 ffd0 33f6 }
            // n = 4, score = 2400
            //   7403                 | je                  5
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   33f6                 | xor                 esi, esi

        $sequence_14 = { 807c241400 7409 8d4c2410 e8???????? }
            // n = 4, score = 2400
            //   807c241400           | cmp                 byte ptr [esp + 0x14], 0
            //   7409                 | je                  0xb
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   e8????????           |                     

        $sequence_15 = { e8???????? 85c0 7407 56 ffd0 }
            // n = 5, score = 2400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   56                   | push                esi
            //   ffd0                 | call                eax

        $sequence_16 = { e8???????? 6880000000 53 53 }
            // n = 4, score = 2300
            //   e8????????           |                     
            //   6880000000           | push                0x80
            //   53                   | push                ebx
            //   53                   | push                ebx

        $sequence_17 = { e8???????? 85c0 7408 6a00 ffd0 }
            // n = 5, score = 2300
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   6a00                 | push                0
            //   ffd0                 | call                eax

        $sequence_18 = { 85c0 7407 685a040000 ffd0 }
            // n = 4, score = 2200
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   685a040000           | push                0x45a
            //   ffd0                 | call                eax

        $sequence_19 = { e8???????? 6a00 8d4e1c e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d4e1c               | lea                 ecx, [esi + 0x1c]
            //   e8????????           |                     

        $sequence_20 = { 8d4c2420 e8???????? 50 6a00 }
            // n = 4, score = 2200
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   e8????????           |                     
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_21 = { 3db20d7897 7508 c70350000000 eb0d }
            // n = 4, score = 2200
            //   3db20d7897           | jmp                 5
            //   7508                 | push                0x7f
            //   c70350000000         | pop                 eax
            //   eb0d                 | jmp                 0xc

        $sequence_22 = { e8???????? 84c0 7516 8bd3 }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7516                 | jne                 0x18
            //   8bd3                 | mov                 edx, ebx

        $sequence_23 = { eb0d 3da665f63e 7506 c703bb010000 }
            // n = 4, score = 2200
            //   eb0d                 | mov                 al, byte ptr [esp + 7]
            //   3da665f63e           | test                al, 1
            //   7506                 | inc                 bp
            //   c703bb010000         | mov                 ebx, ecx

        $sequence_24 = { e8???????? eb0a b9d0070000 e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   eb0a                 | mov                 dword ptr [ebx], 0x1bb
            //   b9d0070000           | cmp                 eax, 0x97780db2
            //   e8????????           |                     

        $sequence_25 = { e8???????? 85c0 7404 6a7f ffd0 33c0 }
            // n = 6, score = 2200
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   6a7f                 | push                0x7f
            //   ffd0                 | call                eax
            //   33c0                 | xor                 eax, eax

        $sequence_26 = { ffd0 5b c3 33c0 }
            // n = 4, score = 2200
            //   ffd0                 | call                eax
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax

        $sequence_27 = { 7411 c7461003000000 e8???????? 894614 }
            // n = 4, score = 2100
            //   7411                 | je                  0x13
            //   c7461003000000       | mov                 dword ptr [esi + 0x10], 3
            //   e8????????           |                     
            //   894614               | mov                 dword ptr [esi + 0x14], eax

        $sequence_28 = { 6810270000 50 e8???????? 83c410 }
            // n = 4, score = 2100
            //   6810270000           | lea                 ecx, [ebp - 4]
            //   50                   | lea                 ecx, [ebp - 0x3c]
            //   e8????????           |                     
            //   83c410               | pop                 esi

        $sequence_29 = { e8???????? e9???????? 807c245000 740a }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   e9????????           |                     
            //   807c245000           | jne                 0xa
            //   740a                 | mov                 dword ptr [ebx], 0x50

        $sequence_30 = { 50 e8???????? 8938 8b35???????? }
            // n = 4, score = 2100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8938                 | mov                 dword ptr [eax], edi
            //   8b35????????         |                     

        $sequence_31 = { e8???????? 8d4dc4 e8???????? 5e }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   8d4dc4               | je                  0x19
            //   e8????????           |                     
            //   5e                   | push                1

        $sequence_32 = { 6a70 8bc8 e8???????? 6a73 8bc8 }
            // n = 5, score = 2100
            //   6a70                 | mov                 ecx, eax
            //   8bc8                 | push                0x73
            //   e8????????           |                     
            //   6a73                 | push                0x74
            //   8bc8                 | mov                 ecx, eax

        $sequence_33 = { 46 e8???????? c1e802 3bf0 }
            // n = 4, score = 2100
            //   46                   | push                0x70
            //   e8????????           |                     
            //   c1e802               | mov                 ecx, eax
            //   3bf0                 | push                0x70

        $sequence_34 = { 6a00 8bcf e8???????? 50 ffd6 }
            // n = 5, score = 2100
            //   6a00                 | push                0x70
            //   8bcf                 | push                0x70
            //   e8????????           |                     
            //   50                   | mov                 ecx, eax
            //   ffd6                 | push                0x73

        $sequence_35 = { eb08 83ca20 eb03 83ca10 }
            // n = 4, score = 2100
            //   eb08                 | jmp                 0xa
            //   83ca20               | or                  edx, 0x20
            //   eb03                 | jmp                 5
            //   83ca10               | or                  edx, 0x10

        $sequence_36 = { 8bc8 e8???????? 6a74 8bc8 e8???????? 6a70 }
            // n = 6, score = 2100
            //   8bc8                 | call                eax
            //   e8????????           |                     
            //   6a74                 | test                eax, eax
            //   8bc8                 | je                  0xb
            //   e8????????           |                     
            //   6a70                 | push                0x45a

        $sequence_37 = { 85c0 7415 6a01 6a00 6a00 8d4dfc 51 }
            // n = 7, score = 2100
            //   85c0                 | mov                 ecx, eax
            //   7415                 | push                0x74
            //   6a01                 | mov                 ecx, eax
            //   6a00                 | push                0x70
            //   6a00                 | mov                 ecx, eax
            //   8d4dfc               | test                eax, eax
            //   51                   | je                  0x17

        $sequence_38 = { 8b442428 6689c1 66894c2458 66894c245a }
            // n = 4, score = 2000
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   6689c1               | mov                 cx, ax
            //   66894c2458           | mov                 word ptr [esp + 0x58], cx
            //   66894c245a           | mov                 word ptr [esp + 0x5a], cx

        $sequence_39 = { eb18 c7461002000000 eb0f c7461003000000 }
            // n = 4, score = 2000
            //   eb18                 | jmp                 0x1a
            //   c7461002000000       | mov                 dword ptr [esi + 0x10], 2
            //   eb0f                 | jmp                 0x11
            //   c7461003000000       | mov                 dword ptr [esi + 0x10], 3

        $sequence_40 = { 740d 40 83c104 3d00100000 }
            // n = 4, score = 2000
            //   740d                 | je                  0xf
            //   40                   | inc                 eax
            //   83c104               | add                 ecx, 4
            //   3d00100000           | cmp                 eax, 0x1000

        $sequence_41 = { 55 8bec 51 8bc1 884dfd c1e808 }
            // n = 6, score = 2000
            //   55                   | mov                 ecx, eax
            //   8bec                 | push                0x73
            //   51                   | inc                 esi
            //   8bc1                 | shr                 eax, 2
            //   884dfd               | cmp                 esi, eax
            //   c1e808               | push                ebp

        $sequence_42 = { 890424 894c2404 75dd 8b0424 }
            // n = 4, score = 2000
            //   890424               | mov                 dword ptr [esp], eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   75dd                 | jne                 0xffffffdf
            //   8b0424               | mov                 eax, dword ptr [esp]

        $sequence_43 = { eb0a b988130000 e8???????? 33d2 }
            // n = 4, score = 2000
            //   eb0a                 | jmp                 0x17
            //   b988130000           | cmp                 eax, 0x97780db2
            //   e8????????           |                     
            //   33d2                 | jne                 0xa

        $sequence_44 = { 8a442427 a801 7534 eb00 31c0 89c1 }
            // n = 6, score = 2000
            //   8a442427             | mov                 al, byte ptr [esp + 0x27]
            //   a801                 | test                al, 1
            //   7534                 | jne                 0x36
            //   eb00                 | jmp                 2
            //   31c0                 | xor                 eax, eax
            //   89c1                 | mov                 ecx, eax

        $sequence_45 = { 8954242c 8b44242c 89c1 89ca }
            // n = 4, score = 2000
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   89c1                 | mov                 ecx, eax
            //   89ca                 | mov                 edx, ecx

        $sequence_46 = { 51 6802100000 68ffff0000 ff36 ffd0 }
            // n = 5, score = 2000
            //   51                   | push                ecx
            //   6802100000           | push                0x1002
            //   68ffff0000           | push                0xffff
            //   ff36                 | push                dword ptr [esi]
            //   ffd0                 | call                eax

        $sequence_47 = { 89442408 7598 8a442407 a801 }
            // n = 4, score = 2000
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   7598                 | jne                 0xffffff9a
            //   8a442407             | mov                 al, byte ptr [esp + 7]
            //   a801                 | test                al, 1

        $sequence_48 = { 7417 33d2 488d4c2420 e8???????? }
            // n = 4, score = 2000
            //   7417                 | je                  0x19
            //   33d2                 | xor                 edx, edx
            //   488d4c2420           | dec                 eax
            //   e8????????           |                     

        $sequence_49 = { 89442404 eb00 8b442404 89c1 89ca }
            // n = 5, score = 2000
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   eb00                 | jmp                 2
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   89c1                 | mov                 ecx, eax
            //   89ca                 | mov                 edx, ecx

        $sequence_50 = { 50 56 8bcb e8???????? 50 e8???????? }
            // n = 6, score = 2000
            //   50                   | push                eax
            //   56                   | push                esi
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_51 = { 85c0 7406 6a02 ff36 ffd0 }
            // n = 5, score = 2000
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   6a02                 | push                2
            //   ff36                 | push                dword ptr [esi]
            //   ffd0                 | call                eax

        $sequence_52 = { 6a01 6a02 ffd0 8906 }
            // n = 4, score = 2000
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   ffd0                 | call                eax
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_53 = { c20400 55 8bec 83ec34 8365fc00 }
            // n = 5, score = 2000
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec34               | sub                 esp, 0x34
            //   8365fc00             | and                 dword ptr [ebp - 4], 0

        $sequence_54 = { 7414 31c0 89c1 8b442424 88c2 8854240f }
            // n = 6, score = 2000
            //   7414                 | je                  0x16
            //   31c0                 | xor                 eax, eax
            //   89c1                 | mov                 ecx, eax
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   88c2                 | mov                 dl, al
            //   8854240f             | mov                 byte ptr [esp + 0xf], dl

        $sequence_55 = { ffd0 85c0 7510 e8???????? }
            // n = 4, score = 2000
            //   ffd0                 | cmp                 eax, 0x97780db2
            //   85c0                 | jne                 0xa
            //   7510                 | mov                 dword ptr [ebx], 0x50
            //   e8????????           |                     

        $sequence_56 = { 6a64 59 e8???????? 33c9 }
            // n = 4, score = 2000
            //   6a64                 | push                0x64
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx

        $sequence_57 = { e8???????? 84c0 740f 6a05 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   740f                 | je                  0x11
            //   6a05                 | push                5

        $sequence_58 = { e8???????? 8be8 85ed 7458 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   85ed                 | test                ebp, ebp
            //   7458                 | je                  0x5a

        $sequence_59 = { e8???????? 6880000000 55 55 }
            // n = 4, score = 1800
            //   e8????????           |                     
            //   6880000000           | push                0x80
            //   55                   | push                ebp
            //   55                   | push                ebp

        $sequence_60 = { ff7508 ffd0 33c0 40 5d }
            // n = 5, score = 1700
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   5d                   | pop                 ebp

        $sequence_61 = { c3 55 8bec 837d0800 7422 }
            // n = 5, score = 1700
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7422                 | je                  0x24

        $sequence_62 = { 6a08 ff35???????? ffd0 5d }
            // n = 4, score = 1600
            //   6a08                 | push                8
            //   ff35????????         |                     
            //   ffd0                 | call                eax
            //   5d                   | pop                 ebp

        $sequence_63 = { 8d4de0 51 68???????? ffd0 }
            // n = 4, score = 1600
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   51                   | push                ecx
            //   68????????           |                     
            //   ffd0                 | call                eax

        $sequence_64 = { 6a70 e8???????? 8bc8 6a73 e8???????? 833f00 7523 }
            // n = 7, score = 1500
            //   6a70                 | push                0x70
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   6a73                 | push                0x73
            //   e8????????           |                     
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7523                 | jne                 0x25

        $sequence_65 = { 6a00 6a02 ffd0 50 }
            // n = 4, score = 1500
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ffd0                 | call                eax
            //   50                   | push                eax

        $sequence_66 = { 5e c3 31c0 89c2 }
            // n = 4, score = 1200
            //   5e                   | jne                 0x38
            //   c3                   | jmp                 2
            //   31c0                 | xor                 eax, eax
            //   89c2                 | mov                 ecx, eax

        $sequence_67 = { eb0c e8???????? 8bf0 eb03 }
            // n = 4, score = 900
            //   eb0c                 | jmp                 0xe
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   eb03                 | jmp                 5

        $sequence_68 = { e8???????? 50 ffd7 85c0 7512 }
            // n = 5, score = 900
            //   e8????????           |                     
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7512                 | jne                 0x14

        $sequence_69 = { 8b45cc 31c9 8b55d0 39c2 }
            // n = 4, score = 800
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   31c9                 | xor                 ecx, ecx
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   39c2                 | cmp                 edx, eax

        $sequence_70 = { 8038e9 89c1 8945d0 894dcc }
            // n = 4, score = 800
            //   8038e9               | cmp                 byte ptr [eax], 0xe9
            //   89c1                 | mov                 ecx, eax
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx

        $sequence_71 = { 8b45e8 05ffff0000 25ffff0000 83c001 }
            // n = 4, score = 700
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   05ffff0000           | add                 eax, 0xffff
            //   25ffff0000           | and                 eax, 0xffff
            //   83c001               | add                 eax, 1

        $sequence_72 = { 31c0 8b4de8 81c1ffff0000 81e1ffff0000 83c101 8b55ec }
            // n = 6, score = 600
            //   31c0                 | xor                 eax, eax
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   81c1ffff0000         | add                 ecx, 0xffff
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   83c101               | add                 ecx, 1
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_73 = { 8d4dd8 83ec04 890424 894dd4 }
            // n = 4, score = 600
            //   8d4dd8               | push                esi
            //   83ec04               | push                ebx
            //   890424               | push                edi
            //   894dd4               | sub                 esp, 0x5c

        $sequence_74 = { c3 50 8b442408 8038e9 890424 7517 }
            // n = 6, score = 600
            //   c3                   | add                 edx, 5
            //   50                   | cmp                 byte ptr [eax + ecx + 5], 0xe9
            //   8b442408             | mov                 dword ptr [esp], edx
            //   8038e9               | je                  0xffffffee
            //   890424               | ret                 
            //   7517                 | push                eax

        $sequence_75 = { 8b704c 2b7134 891424 89742404 894c2418 }
            // n = 5, score = 600
            //   8b704c               | mov                 ecx, dword ptr [eax + 1]
            //   2b7134               | mov                 edx, eax
            //   891424               | add                 edx, ecx
            //   89742404             | add                 edx, 5
            //   894c2418             | mov                 esi, dword ptr [eax + 0x4c]

        $sequence_76 = { 8b45e0 31c9 8b4078 8b55e8 01c2 8b75e8 }
            // n = 6, score = 600
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   31c9                 | xor                 ecx, ecx
            //   8b4078               | mov                 eax, dword ptr [eax + 0x78]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   01c2                 | add                 edx, eax
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]

        $sequence_77 = { 7517 8b0424 8b4801 89c2 01ca 83c205 }
            // n = 6, score = 600
            //   7517                 | ret                 
            //   8b0424               | xor                 eax, eax
            //   8b4801               | ret                 
            //   89c2                 | push                eax
            //   01ca                 | jne                 0x19
            //   83c205               | mov                 eax, dword ptr [esp]

        $sequence_78 = { 89cb 8945f0 894dec 8955e8 }
            // n = 4, score = 600
            //   89cb                 | mov                 ebx, ecx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx

        $sequence_79 = { 01ca 83c205 807c0805e9 891424 74e9 8b0424 }
            // n = 6, score = 600
            //   01ca                 | sub                 esi, dword ptr [ecx + 0x34]
            //   83c205               | mov                 dword ptr [esp], edx
            //   807c0805e9           | mov                 dword ptr [esp + 4], esi
            //   891424               | mov                 dword ptr [esp + 0x18], ecx
            //   74e9                 | add                 edx, ecx
            //   8b0424               | add                 edx, 5

        $sequence_80 = { 89742404 894c2418 e8???????? 8b4c2420 }
            // n = 4, score = 600
            //   89742404             | cmp                 byte ptr [eax + ecx + 5], 0xe9
            //   894c2418             | mov                 dword ptr [esp], edx
            //   e8????????           |                     
            //   8b4c2420             | je                  0xfffffff6

        $sequence_81 = { 8b4dbc 6681394d5a 8945b8 894dc4 0f85b6000000 8b45b8 }
            // n = 6, score = 600
            //   8b4dbc               | pop                 esi
            //   6681394d5a           | pop                 ebp
            //   8945b8               | ret                 
            //   894dc4               | mov                 eax, dword ptr [ebp - 0x20]
            //   0f85b6000000         | add                 esp, 0x5c
            //   8b45b8               | pop                 edi

        $sequence_82 = { 6689ce 6683fe00 89c2 8945e8 894de4 8955e0 }
            // n = 6, score = 600
            //   6689ce               | mov                 si, cx
            //   6683fe00             | cmp                 si, 0
            //   89c2                 | mov                 edx, eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx

        $sequence_83 = { 0f85b6000000 8b45b8 813850450000 8b4dbc }
            // n = 4, score = 600
            //   0f85b6000000         | mov                 eax, dword ptr [ebp - 0x20]
            //   8b45b8               | add                 esp, 0x5c
            //   813850450000         | pop                 edi
            //   8b4dbc               | pop                 ebx

        $sequence_84 = { 8b450c 8b4d08 8b513c 6689d6 }
            // n = 4, score = 600
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b513c               | mov                 edx, dword ptr [ecx + 0x3c]
            //   6689d6               | mov                 si, dx

        $sequence_85 = { 0f94c3 08f3 f6c301 8b75bc 894da0 }
            // n = 5, score = 600
            //   0f94c3               | sub                 esp, 0x5c
            //   08f3                 | mov                 eax, dword ptr [ebp + 0xc]
            //   f6c301               | ret                 
            //   8b75bc               | push                ebp
            //   894da0               | mov                 ebp, esp

        $sequence_86 = { 25ffff0000 83c001 8b4df8 01c1 894df0 8b45f0 }
            // n = 6, score = 500
            //   25ffff0000           | and                 eax, 0xffff
            //   83c001               | add                 eax, 1
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   01c1                 | add                 ecx, eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_87 = { 57 83ec38 8b450c 8b4d08 }
            // n = 4, score = 500
            //   57                   | mov                 eax, dword ptr [esp + 0x24]
            //   83ec38               | xor                 eax, eax
            //   8b450c               | mov                 ecx, eax
            //   8b4d08               | mov                 eax, dword ptr [esp + 0x24]

        $sequence_88 = { 25ffff0000 83c001 8b4da8 01c1 }
            // n = 4, score = 500
            //   25ffff0000           | and                 eax, 0xffff
            //   83c001               | add                 eax, 1
            //   8b4da8               | mov                 ecx, dword ptr [ebp - 0x58]
            //   01c1                 | add                 ecx, eax

        $sequence_89 = { 894df4 8975f0 7418 8b45f4 }
            // n = 4, score = 500
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   7418                 | je                  0x1a
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_90 = { 8945c4 894dc0 885dbf 8975b8 }
            // n = 4, score = 500
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   885dbf               | mov                 byte ptr [ebp - 0x41], bl
            //   8975b8               | mov                 dword ptr [ebp - 0x48], esi

        $sequence_91 = { 894df0 8b45f0 83c40c 5e }
            // n = 4, score = 500
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c40c               | add                 esp, 0xc
            //   5e                   | pop                 esi

        $sequence_92 = { c3 55 89e5 57 56 53 83ec54 }
            // n = 7, score = 500
            //   c3                   | mov                 byte ptr [esp + 0xf], dl
            //   55                   | mov                 al, byte ptr [esp + 0x27]
            //   89e5                 | test                al, 1
            //   57                   | jne                 0x38
            //   56                   | jmp                 6
            //   53                   | xor                 eax, eax
            //   83ec54               | mov                 byte ptr [esp + 7], bl

        $sequence_93 = { e9???????? 8b45e0 83c438 5f }
            // n = 4, score = 500
            //   e9????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [esp + 0x24]
            //   83c438               | mov                 dl, al
            //   5f                   | mov                 byte ptr [esp + 0xf], dl

        $sequence_94 = { 7418 8b45f4 05ffff0000 25ffff0000 }
            // n = 4, score = 500
            //   7418                 | je                  0x1a
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   05ffff0000           | add                 eax, 0xffff
            //   25ffff0000           | and                 eax, 0xffff

        $sequence_95 = { 5b 5e 5d c3 55 89e5 6a00 }
            // n = 7, score = 500
            //   5b                   | mov                 dword ptr [edi + 0xcc], 0
            //   5e                   | mov                 dword ptr [edi + 0xc8], 0
            //   5d                   | mov                 dword ptr [esp + 0x10], eax
            //   c3                   | mov                 edx, dword ptr [esp + 0x7c]
            //   55                   | mov                 esi, dword ptr [esp + 0x94]
            //   89e5                 | add                 edx, dword ptr [esi + 0x44]
            //   6a00                 | mov                 edi, dword ptr [esi + 0x6c]

        $sequence_96 = { 83c454 5b 5e 5f 5d c3 55 }
            // n = 7, score = 500
            //   83c454               | mov                 dword ptr [esp + 8], eax
            //   5b                   | jne                 0xffffff9e
            //   5e                   | mov                 al, byte ptr [esp + 7]
            //   5f                   | xor                 eax, eax
            //   5d                   | mov                 ecx, eax
            //   c3                   | mov                 eax, dword ptr [esp + 0x24]
            //   55                   | mov                 dl, al

        $sequence_97 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 }
            // n = 6, score = 400
            //   5b                   | je                  0x10
            //   5d                   | mov                 ecx, 0x3e8
            //   c3                   | cmp                 byte ptr [eax], 0
            //   8b45d0               | jne                 0xb
            //   8b4dd4               | mov                 dword ptr [edx + 0x48], 0x4b000
            //   668b55d8             | mov                 edi, dword ptr [ebp - 0x1c]

        $sequence_98 = { 89e5 56 57 53 83ec70 }
            // n = 5, score = 300
            //   89e5                 | mov                 ebp, esp
            //   56                   | push                esi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   83ec70               | sub                 esp, 0x70

        $sequence_99 = { 83c414 5b 5d c3 8b45f0 8b0c8504406e00 }
            // n = 6, score = 300
            //   83c414               | cmp                 ecx, edx
            //   5b                   | mov                 dword ptr [ebp - 0x14], eax
            //   5d                   | mov                 dword ptr [ebp - 0x18], ecx
            //   c3                   | ret                 
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b0c8504406e00       | mov                 ecx, dword ptr [eax*4 + 0x6e4004]

        $sequence_100 = { 53 83ec74 8b450c 8b4d08 31d2 8b713c 89cf }
            // n = 7, score = 300
            //   53                   | pop                 ebx
            //   83ec74               | pop                 esi
            //   8b450c               | pop                 edi
            //   8b4d08               | pop                 ebp
            //   31d2                 | mov                 dword ptr [ebp - 0x34], edx
            //   8b713c               | je                  0xffffffbe
            //   89cf                 | mov                 eax, dword ptr [ebp - 0x34]

        $sequence_101 = { 89742458 894c2454 897c2450 8944244c 89542448 0f849a010000 }
            // n = 6, score = 300
            //   89742458             | cmp                 edx, ecx
            //   894c2454             | mov                 dword ptr [esp + 0x2c], eax
            //   897c2450             | je                  0x131
            //   8944244c             | lea                 eax, [esp + 0x38]
            //   89542448             | mov                 dword ptr [esp + 0x58], esi
            //   0f849a010000         | mov                 dword ptr [esp + 0x54], ecx

        $sequence_102 = { 39f8 8945c8 75e4 83c448 5e 5f 5b }
            // n = 7, score = 300
            //   39f8                 | xor                 esi, esi
            //   8945c8               | je                  0xffffffbe
            //   75e4                 | mov                 eax, dword ptr [ebp - 0x34]
            //   83c448               | add                 esp, 0x54
            //   5e                   | pop                 edi
            //   5f                   | mov                 dword ptr [ebp - 0x34], edx
            //   5b                   | je                  0xffffffc1

        $sequence_103 = { 57 83ec20 8b4508 890424 }
            // n = 4, score = 300
            //   57                   | mov                 dword ptr [ebp - 0x34], edx
            //   83ec20               | je                  0xffffffc1
            //   8b4508               | mov                 eax, dword ptr [ebp - 0x34]
            //   890424               | add                 esp, 0x54

        $sequence_104 = { 8955c8 895dc4 8945e4 0f85dafeffff 8b45e4 83c474 5b }
            // n = 7, score = 300
            //   8955c8               | sub                 esp, 0xb0
            //   895dc4               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | lea                 ecx, [ebp - 0x28]
            //   0f85dafeffff         | push                ebx
            //   8b45e4               | sub                 esp, 0xb0
            //   83c474               | mov                 eax, dword ptr [ebp + 8]
            //   5b                   | lea                 ecx, [ebp - 0x28]

        $sequence_105 = { 8b542428 39ca 8944242c 0f8425010000 8d442438 8b0d???????? }
            // n = 6, score = 300
            //   8b542428             | mov                 dword ptr [esp + 4], esi
            //   39ca                 | mov                 dword ptr [esp + 0x18], ecx
            //   8944242c             | mov                 ecx, dword ptr [esp + 0x20]
            //   0f8425010000         | mov                 dword ptr [esp], ecx
            //   8d442438             | mov                 edx, dword ptr [esp + 0x28]
            //   8b0d????????         |                     

        $sequence_106 = { 53 81ecb0000000 8b4508 8d4dd8 }
            // n = 4, score = 300
            //   53                   | pop                 ebx
            //   81ecb0000000         | pop                 esi
            //   8b4508               | pop                 edi
            //   8d4dd8               | mov                 eax, dword ptr [ebp - 0x34]

        $sequence_107 = { 890424 e8???????? 31c0 83c420 5f }
            // n = 5, score = 300
            //   890424               | pop                 esi
            //   e8????????           |                     
            //   31c0                 | je                  0xffffffbe
            //   83c420               | mov                 eax, dword ptr [ebp - 0x34]
            //   5f                   | add                 esp, 0x54

        $sequence_108 = { c7424800b00400 8b7c2418 c787cc00000000000000 c787c800000000000000 89442410 89c8 }
            // n = 6, score = 300
            //   c7424800b00400       | mov                 edx, eax
            //   8b7c2418             | add                 edx, ecx
            //   c787cc00000000000000     | add    edx, 5
            //   c787c800000000000000     | cmp    byte ptr [eax], 0xe9
            //   89442410             | mov                 dword ptr [esp], eax
            //   89c8                 | jne                 0x1c

        $sequence_109 = { ff15???????? 83ec0c 31c9 8b54244c }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   83ec0c               | mov                 dword ptr [edi + 0xcc], 0
            //   31c9                 | mov                 dword ptr [edi + 0xc8], 0
            //   8b54244c             | mov                 dword ptr [esp + 0x10], eax

        $sequence_110 = { 89442410 7450 eb2e 8b442414 8b4c240c }
            // n = 5, score = 300
            //   89442410             | mov                 dword ptr [esp], eax
            //   7450                 | jne                 0x19
            //   eb2e                 | mov                 eax, dword ptr [esp]
            //   8b442414             | mov                 ecx, dword ptr [eax + 1]
            //   8b4c240c             | mov                 edx, eax

        $sequence_111 = { 8b45f0 8b0c8504406e00 8b55f8 39d1 8945ec 894de8 }
            // n = 6, score = 300
            //   8b45f0               | mov                 dword ptr [esp + 0xbc], edi
            //   8b0c8504406e00       | mov                 dword ptr [edx + 0x48], 0x4b000
            //   8b55f8               | mov                 edi, dword ptr [ebp - 0x1c]
            //   39d1                 | mov                 dword ptr [edi + 0xcc], 0
            //   8945ec               | mov                 dword ptr [edi + 0xc8], 0
            //   894de8               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_112 = { 8955cc 74bc 8b45cc 83c454 5b 5e }
            // n = 6, score = 300
            //   8955cc               | pop                 ebx
            //   74bc                 | pop                 esi
            //   8b45cc               | pop                 edi
            //   83c454               | pop                 ebp
            //   5b                   | je                  0xffffffbe
            //   5e                   | mov                 eax, dword ptr [ebp - 0x34]

        $sequence_113 = { 56 53 57 83ec54 }
            // n = 4, score = 200
            //   56                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   53                   | mov                 dword ptr [edi + 0xcc], 0
            //   57                   | mov                 eax, dword ptr [ebp - 0x34]
            //   83ec54               | add                 esp, 0x54

        $sequence_114 = { 53 57 83ec44 8b4508 8d0d30306e00 31d2 890c24 }
            // n = 7, score = 200
            //   53                   | mov                 eax, dword ptr [ebp - 0x10]
            //   57                   | mov                 ecx, dword ptr [eax*4 + 0x6e4004]
            //   83ec44               | mov                 edx, dword ptr [ebp - 8]
            //   8b4508               | mov                 dword ptr [esp], ecx
            //   8d0d30306e00         | mov                 dword ptr [esp + 4], 0
            //   31d2                 | mov                 dword ptr [ebp - 0x18], edx
            //   890c24               | lea                 ecx, [0x6e30bc]

        $sequence_115 = { 897dd8 8b45d8 83c444 5b 5e 5f }
            // n = 6, score = 200
            //   897dd8               | pop                 edi
            //   8b45d8               | pop                 ebx
            //   83c444               | xor                 ecx, ecx
            //   5b                   | mov                 edx, dword ptr [ebp - 0xc]
            //   5e                   | mov                 esi, dword ptr [ebp - 0x14]
            //   5f                   | mov                 dword ptr [edx + 0x3c], esi

        $sequence_116 = { 894c2404 8945f8 e8???????? 8d0d44306e00 }
            // n = 4, score = 200
            //   894c2404             | mov                 esi, dword ptr [ebp - 8]
            //   8945f8               | mov                 dword ptr [esi + 8], eax
            //   e8????????           |                     
            //   8d0d44306e00         | mov                 dword ptr [esp], ecx

        $sequence_117 = { e9???????? 8b45e0 83c45c 5e 5f 5b 5d }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b45e0               | lea                 ecx, [ebp - 0x28]
            //   83c45c               | mov                 dword ptr [ebp - 0x28], 0
            //   5e                   | mov                 edx, dword ptr [eax + 0x4c]
            //   5f                   | pop                 ebx
            //   5b                   | pop                 edi
            //   5d                   | pop                 ebp

        $sequence_118 = { c742442c0c0200 c7424800b00400 8b7de4 c787cc00000000000000 }
            // n = 4, score = 200
            //   c742442c0c0200       | pop                 edi
            //   c7424800b00400       | mov                 dword ptr [ebp - 0x38], eax
            //   8b7de4               | jne                 0xffffffe6
            //   c787cc00000000000000     | add    esp, 0x48

        $sequence_119 = { 57 56 83ec5c 8b450c 8b4d08 31d2 8b7008 }
            // n = 7, score = 200
            //   57                   | pop                 edi
            //   56                   | push                edi
            //   83ec5c               | push                esi
            //   8b450c               | push                ebx
            //   8b4d08               | sub                 esp, 0xb0
            //   31d2                 | mov                 eax, dword ptr [ebp + 8]
            //   8b7008               | lea                 ecx, [ebp - 0x28]

        $sequence_120 = { c7424800c00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc 89c8 83c42c }
            // n = 7, score = 200
            //   c7424800c00400       | mov                 eax, dword ptr [ebp + 8]
            //   8b7de4               | mov                 dword ptr [esp], eax
            //   c787cc00000000000000     | mov    dword ptr [ebp - 0x10], eax
            //   c787c800000000000000     | mov    dword ptr [ebp - 0x14], eax
            //   8945dc               | xor                 eax, eax
            //   89c8                 | add                 esp, 0x20
            //   83c42c               | pop                 edi

        $sequence_121 = { 53 56 57 83ec38 }
            // n = 4, score = 200
            //   53                   | push                esi
            //   56                   | push                ebx
            //   57                   | push                edi
            //   83ec38               | sub                 esp, 0x54

        $sequence_122 = { 8d0d44306e00 31d2 8b75f8 894608 890c24 }
            // n = 5, score = 200
            //   8d0d44306e00         | mov                 edx, dword ptr [ebp - 8]
            //   31d2                 | cmp                 ecx, edx
            //   8b75f8               | mov                 dword ptr [ebp - 0x14], eax
            //   894608               | mov                 ecx, dword ptr [eax*4 + 0x6e4004]
            //   890c24               | mov                 edx, dword ptr [ebp - 8]

        $sequence_123 = { 890c24 c744240400000000 8955e8 e8???????? 8d0dbc306e00 890424 }
            // n = 6, score = 200
            //   890c24               | cmp                 ecx, edx
            //   c744240400000000     | mov                 ecx, dword ptr [eax*4 + 0x6e4004]
            //   8955e8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8d0dbc306e00         | cmp                 ecx, edx
            //   890424               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_124 = { 8b45cc 83c454 5f 5b 5e }
            // n = 5, score = 200
            //   8b45cc               | mov                 edi, dword ptr [ebp - 0x1c]
            //   83c454               | mov                 dword ptr [edx + 0x3c], esi
            //   5f                   | mov                 dword ptr [edx + 0x40], 4
            //   5b                   | mov                 dword ptr [edx + 0x44], 0x20c2c
            //   5e                   | mov                 dword ptr [edx + 0x48], 0x4b000

        $sequence_125 = { 89723c c7424004000000 c742442c0c0200 c7424800b00400 }
            // n = 4, score = 200
            //   89723c               | push                ebx
            //   c7424004000000       | push                edi
            //   c742442c0c0200       | push                esi
            //   c7424800b00400       | sub                 esp, 0x48

        $sequence_126 = { 8955f0 e8???????? 8d0da0306e00 890424 894c2404 }
            // n = 5, score = 200
            //   8955f0               | mov                 dword ptr [ebp - 0x18], ecx
            //   e8????????           |                     
            //   8d0da0306e00         | jb                  0x1f
            //   890424               | mov                 eax, dword ptr [ebp - 0x14]
            //   894c2404             | mov                 ecx, dword ptr [eax*4 + 0x6e4004]

        $sequence_127 = { 8b45a4 8a4daf 31d2 8a2c0575302f00 }
            // n = 4, score = 100
            //   8b45a4               | add                 esp, 0x5c
            //   8a4daf               | pop                 esi
            //   31d2                 | pop                 edi
            //   8a2c0575302f00       | push                ebp

        $sequence_128 = { 8b4d08 8d155e302f00 83ec04 891424 8945e8 894de4 e8???????? }
            // n = 7, score = 100
            //   8b4d08               | mov                 ebp, esp
            //   8d155e302f00         | push                edi
            //   83ec04               | push                esi
            //   891424               | push                ebx
            //   8945e8               | sub                 esp, 0xb0
            //   894de4               | mov                 eax, dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_129 = { 8d0d44302700 31d2 8b75f8 89460c 890c24 c744240400000000 8955e8 }
            // n = 7, score = 100
            //   8d0d44302700         | push                edi
            //   31d2                 | push                esi
            //   8b75f8               | sub                 esp, 0x48
            //   89460c               | mov                 eax, dword ptr [ebp + 0xc]
            //   890c24               | mov                 ecx, dword ptr [ebp + 8]
            //   c744240400000000     | xor                 edx, edx
            //   8955e8               | lea                 ecx, [0x2730bc]

        $sequence_130 = { 8d0de8308400 890424 894c2404 e8???????? }
            // n = 4, score = 100
            //   8d0de8308400         | mov                 dword ptr [edx + 0x48], 0x4c000
            //   890424               | mov                 edi, dword ptr [ebp - 0x1c]
            //   894c2404             | mov                 dword ptr [edi + 0xcc], 0
            //   e8????????           |                     

        $sequence_131 = { 894c2404 e8???????? 8d0d44308400 31d2 8b75f8 894628 890c24 }
            // n = 7, score = 100
            //   894c2404             | mov                 eax, ecx
            //   e8????????           |                     
            //   8d0d44308400         | add                 esp, 0x2c
            //   31d2                 | mov                 dword ptr [edx + 0x48], 0x4c000
            //   8b75f8               | mov                 edi, dword ptr [ebp - 0x1c]
            //   894628               | mov                 dword ptr [edi + 0xcc], 0
            //   890c24               | mov                 dword ptr [edi + 0xc8], 0

    condition:
        7 of them and filesize < 1040384
}
Download all Yara Rules