Dridex (Malware Family)

Dridex
URLhaus
OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term."
According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."
IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."
References
2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
Yara Rules
[TLP:WHITE] win_dridex_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_dridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd6 85c0 7512 e8???????? eb03 }
            // n = 5, score = 4000
            //   ffd6                 | lea                 ecx, [esp + 0x48]
            //   85c0                 | dec                 eax
            //   7512                 | lea                 ecx, [esp + 0x30]
            //   e8????????           |                     
            //   eb03                 | dec                 eax

        $sequence_1 = { e8???????? b910270000 e8???????? e8???????? }
            // n = 4, score = 4000
            //   e8????????           |                     
            // 
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 83f8ff 7505 e8???????? 3d34270000 }
            // n = 4, score = 3900
            //   83f8ff               | cmp                 eax, -1
            //   7505                 | jne                 7
            //   e8????????           |                     
            //   3d34270000           | cmp                 eax, 0x2734

        $sequence_3 = { ffd0 85c0 751f e8???????? }
            // n = 4, score = 3800
            //   ffd0                 | jmp                 7
            //   85c0                 | cmp                 eax, -1
            //   751f                 | jne                 0xe
            //   e8????????           |                     

        $sequence_4 = { e8???????? 803800 7509 e8???????? }
            // n = 4, score = 3800
            //   e8????????           |                     
            //   803800               | je                  0xe
            //   7509                 | mov                 ecx, 0x3e8
            //   e8????????           |                     

        $sequence_5 = { ffd0 e8???????? 85c0 74de }
            // n = 4, score = 3800
            //   ffd0                 | je                  0x17
            //   e8????????           |                     
            //   85c0                 | mov                 ecx, 0x3e8
            //   74de                 | je                  0x1e

        $sequence_6 = { 84c0 740c b9e8030000 e8???????? b301 }
            // n = 5, score = 3800
            //   84c0                 | mov                 ecx, 0x2710
            //   740c                 | call                esi
            //   b9e8030000           | test                eax, eax
            //   e8????????           |                     
            //   b301                 | jne                 0x14

        $sequence_7 = { 53 53 53 6a01 53 ffd0 }
            // n = 6, score = 3500
            //   53                   | je                  0xffffffe9
            //   53                   | test                al, al
            //   53                   | je                  0xe
            //   6a01                 | mov                 ecx, 0x3e8
            //   53                   | cmp                 byte ptr [eax], 0
            //   ffd0                 | jne                 0x15

        $sequence_8 = { eb0a e8???????? eb03 6a7f 58 }
            // n = 5, score = 3000
            //   eb0a                 | push                ebx
            //   e8????????           |                     
            //   eb03                 | call                eax
            //   6a7f                 | push                ebx
            //   58                   | push                ebx

        $sequence_9 = { b801000000 c3 31c0 c3 50 }
            // n = 5, score = 2500
            //   b801000000           | test                al, al
            //   c3                   | je                  0x10
            //   31c0                 | mov                 ecx, 0x3e8
            //   c3                   | mov                 bl, 1
            //   50                   | cmp                 byte ptr [eax], 0

        $sequence_10 = { ff36 ffd0 8bf8 85ff }
            // n = 4, score = 2500
            //   ff36                 | je                  0x22
            //   ffd0                 | mov                 ecx, 0x3e8
            //   8bf8                 | xor                 ecx, ecx
            //   85ff                 | mov                 ecx, eax

        $sequence_11 = { ffd0 eb02 33c0 6a00 50 }
            // n = 5, score = 2500
            //   ffd0                 | push                ebx
            //   eb02                 | push                1
            //   33c0                 | test                eax, eax
            //   6a00                 | je                  0x11
            //   50                   | push                ebx

        $sequence_12 = { 7406 42 803a00 75fa }
            // n = 4, score = 2500
            //   7406                 | push                1
            //   42                   | test                eax, eax
            //   803a00               | je                  0x13
            //   75fa                 | push                ebx

        $sequence_13 = { 807c241400 7409 8d4c2410 e8???????? }
            // n = 4, score = 2400
            //   807c241400           | xor                 ecx, ecx
            //   7409                 | mov                 ecx, eax
            //   8d4c2410             | push                ebx
            //   e8????????           |                     

        $sequence_14 = { e8???????? 85c0 7408 6a00 ffd0 }
            // n = 5, score = 2300
            //   e8????????           |                     
            //   85c0                 | push                ebx
            //   7408                 | push                ebx
            //   6a00                 | push                1
            //   ffd0                 | call                eax

        $sequence_15 = { e8???????? 6880000000 53 53 }
            // n = 4, score = 2300
            //   e8????????           |                     
            //   6880000000           | jmp                 6
            //   53                   | xor                 eax, eax
            //   53                   | push                0

        $sequence_16 = { 55 8bec 837d0800 7422 }
            // n = 4, score = 2200
            //   55                   | call                edi
            //   8bec                 | test                eax, eax
            //   837d0800             | jne                 0x16
            //   7422                 | jmp                 9

        $sequence_17 = { 7508 c70350000000 eb0d 3da665f63e }
            // n = 4, score = 2200
            //   7508                 | cmp                 eax, 0x97780db2
            //   c70350000000         | jne                 0xa
            //   eb0d                 | mov                 dword ptr [ebx], 0x50
            //   3da665f63e           | jmp                 0x17

        $sequence_18 = { 8d4c2420 e8???????? 50 6a00 }
            // n = 4, score = 2200
            //   8d4c2420             | jmp                 4
            //   e8????????           |                     
            //   50                   | xor                 eax, eax
            //   6a00                 | push                0

        $sequence_19 = { e8???????? 84c0 7516 8bd3 }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   84c0                 | test                eax, eax
            //   7516                 | je                  0x16
            //   8bd3                 | push                0x45a

        $sequence_20 = { e8???????? eb0a b9d0070000 e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   eb0a                 | jmp                 0xc
            //   b9d0070000           | mov                 ecx, 0x7d0
            //   e8????????           |                     

        $sequence_21 = { e8???????? 85c0 7407 685a040000 ffd0 }
            // n = 5, score = 2200
            //   e8????????           |                     
            //   85c0                 | cmp                 byte ptr [esp + 0x14], 0
            //   7407                 | je                  0x12
            //   685a040000           | lea                 ecx, [esp + 0x10]
            //   ffd0                 | test                eax, eax

        $sequence_22 = { e8???????? 85c0 7404 6a7f ffd0 33c0 }
            // n = 6, score = 2200
            //   e8????????           |                     
            //   85c0                 | push                ebx
            //   7404                 | push                ebx
            //   6a7f                 | push                1
            //   ffd0                 | push                ebx
            //   33c0                 | call                eax

        $sequence_23 = { e8???????? 6a00 8d4e1c e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   6a00                 | test                eax, eax
            //   8d4e1c               | je                  0xb
            //   e8????????           |                     

        $sequence_24 = { e8???????? 3db20d7897 7508 c70350000000 }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   3db20d7897           | jmp                 7
            //   7508                 | push                0x7f
            //   c70350000000         | pop                 eax

        $sequence_25 = { ffd0 5b c3 33c0 }
            // n = 4, score = 2200
            //   ffd0                 | push                eax
            //   5b                   | test                eax, eax
            //   c3                   | je                  9
            //   33c0                 | push                esi

        $sequence_26 = { e8???????? eb08 6a04 59 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   eb08                 | push                0x45a
            //   6a04                 | call                eax
            //   59                   | xor                 eax, eax

        $sequence_27 = { 50 e8???????? 8938 8b35???????? }
            // n = 4, score = 2100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8938                 | test                eax, eax
            //   8b35????????         |                     

        $sequence_28 = { e8???????? e9???????? 807c245000 740a }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   e9????????           |                     
            //   807c245000           | cmp                 byte ptr [esp + 0x50], 0
            //   740a                 | je                  0xc

        $sequence_29 = { e8???????? 85c0 7406 6a01 }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   85c0                 | call                eax
            //   7406                 | pop                 ebx
            //   6a01                 | ret                 

        $sequence_30 = { eb08 6a64 59 e8???????? }
            // n = 4, score = 2100
            //   eb08                 | jmp                 0xa
            //   6a64                 | push                0x64
            //   59                   | pop                 ecx
            //   e8????????           |                     

        $sequence_31 = { 7411 c7461003000000 e8???????? 894614 }
            // n = 4, score = 2100
            //   7411                 | jne                 0x23
            //   c7461003000000       | jmp                 0x16
            //   e8????????           |                     
            //   894614               | push                eax

        $sequence_32 = { 50 56 ffd5 57 }
            // n = 4, score = 2100
            //   50                   | call                eax
            //   56                   | push                0x80
            //   ffd5                 | push                ebx
            //   57                   | push                ebx

        $sequence_33 = { eb08 83ca20 eb03 83ca10 }
            // n = 4, score = 2100
            //   eb08                 | jmp                 0xa
            //   83ca20               | or                  edx, 0x20
            //   eb03                 | jmp                 5
            //   83ca10               | or                  edx, 0x10

        $sequence_34 = { 740d 40 83c104 3d00100000 }
            // n = 4, score = 2000
            //   740d                 | mov                 dword ptr [esi + 0x10], 3
            //   40                   | mov                 dword ptr [esi + 0x14], eax
            //   83c104               | xor                 al, al
            //   3d00100000           | mov                 dword ptr [esi + 0x10], 2

        $sequence_35 = { 890424 894c2404 75dd 8b0424 }
            // n = 4, score = 2000
            //   890424               | jne                 0x3c
            //   894c2404             | jmp                 0xa
            //   75dd                 | xor                 eax, eax
            //   8b0424               | mov                 ecx, eax

        $sequence_36 = { 8954242c 8b44242c 89c1 89ca }
            // n = 4, score = 2000
            //   8954242c             | jmp                 2
            //   8b44242c             | mov                 eax, dword ptr [esp + 4]
            //   89c1                 | mov                 ecx, eax
            //   89ca                 | mov                 edx, ecx

        $sequence_37 = { b964000000 e8???????? 33c9 e8???????? }
            // n = 4, score = 2000
            //   b964000000           | jne                 0xa
            //   e8????????           |                     
            //   33c9                 | mov                 dword ptr [ebx], 0x50
            //   e8????????           |                     

        $sequence_38 = { c7461002000000 eb0f c7461003000000 e8???????? }
            // n = 4, score = 2000
            //   c7461002000000       | push                dword ptr [esi]
            //   eb0f                 | push                0x1001
            //   c7461003000000       | push                0xffff
            //   e8????????           |                     

        $sequence_39 = { e8???????? 6a74 8bc8 e8???????? 6a74 8bc8 }
            // n = 6, score = 2000
            //   e8????????           |                     
            //   6a74                 | call                eax
            //   8bc8                 | test                eax, eax
            //   e8????????           |                     
            //   6a74                 | je                  8
            //   8bc8                 | push                0x7f

        $sequence_40 = { 89442404 eb00 8b442404 89c1 }
            // n = 4, score = 2000
            //   89442404             | mov                 dword ptr [esp + 8], eax
            //   eb00                 | jne                 0xffffff9e
            //   8b442404             | mov                 al, byte ptr [esp + 7]
            //   89c1                 | test                al, 1

        $sequence_41 = { 7414 31c0 89c1 8b442424 88c2 }
            // n = 5, score = 2000
            //   7414                 | xor                 eax, eax
            //   31c0                 | ret                 
            //   89c1                 | push                eax
            //   8b442424             | mov                 eax, 1
            //   88c2                 | ret                 

        $sequence_42 = { 4885d2 7505 4533c0 eb1d }
            // n = 4, score = 2000
            //   4885d2               | dec                 eax
            //   7505                 | lea                 ecx, [esp + 0x30]
            //   4533c0               | dec                 eax
            //   eb1d                 | test                edx, edx

        $sequence_43 = { 8bc8 e8???????? 6a70 8bc8 e8???????? 6a73 8bc8 }
            // n = 7, score = 2000
            //   8bc8                 | lea                 edi, [ebx + 4]
            //   e8????????           |                     
            //   6a70                 | lea                 edi, [ebx + 4]
            //   8bc8                 | cmp                 eax, edi
            //   e8????????           |                     
            //   6a73                 | jle                 0x30
            //   8bc8                 | mov                 ecx, esi

        $sequence_44 = { e8???????? 50 56 8bcb e8???????? 50 }
            // n = 6, score = 2000
            //   e8????????           |                     
            //   50                   | push                dword ptr [esi]
            //   56                   | call                eax
            //   8bcb                 | mov                 edi, eax
            //   e8????????           |                     
            //   50                   | test                edi, edi

        $sequence_45 = { 85c0 7406 6a02 ff36 }
            // n = 4, score = 2000
            //   85c0                 | je                  0x15
            //   7406                 | mov                 dword ptr [esi + 0x10], 3
            //   6a02                 | mov                 dword ptr [esi + 0x14], eax
            //   ff36                 | push                0x80

        $sequence_46 = { 8a442427 a801 7534 eb00 }
            // n = 4, score = 2000
            //   8a442427             | mov                 dword ptr [esp], eax
            //   a801                 | mov                 dword ptr [esp + 4], ecx
            //   7534                 | jne                 0xffffffdf
            //   eb00                 | mov                 eax, dword ptr [esp]

        $sequence_47 = { 7534 eb00 31c0 89c1 }
            // n = 4, score = 2000
            //   7534                 | mov                 ecx, eax
            //   eb00                 | mov                 eax, dword ptr [esp + 0x24]
            //   31c0                 | mov                 dl, al
            //   89c1                 | mov                 byte ptr [esp + 7], bl

        $sequence_48 = { 488d4c2458 e8???????? 488d4c2430 e8???????? }
            // n = 4, score = 2000
            //   488d4c2458           | dec                 eax
            //   e8????????           |                     
            //   488d4c2430           | lea                 ecx, [esp + 0x58]
            //   e8????????           |                     

        $sequence_49 = { 8d7b04 e8???????? 3bc7 7e24 8bce }
            // n = 5, score = 2000
            //   8d7b04               | push                0x74
            //   e8????????           |                     
            //   3bc7                 | mov                 ecx, eax
            //   7e24                 | push                0x74
            //   8bce                 | mov                 ecx, eax

        $sequence_50 = { 6880000000 68ffff0000 ff36 ffd0 }
            // n = 4, score = 2000
            //   6880000000           | push                eax
            //   68ffff0000           | call                esi
            //   ff36                 | test                eax, eax
            //   ffd0                 | jne                 0x1d

        $sequence_51 = { 885c2407 89442408 7598 8a442407 a801 }
            // n = 5, score = 2000
            //   885c2407             | xor                 eax, eax
            //   89442408             | ret                 
            //   7598                 | push                eax
            //   8a442407             | je                  0x16
            //   a801                 | xor                 eax, eax

        $sequence_52 = { e8???????? 3bc3 7e44 8bce 8d7b04 e8???????? }
            // n = 6, score = 2000
            //   e8????????           |                     
            //   3bc3                 | call                eax
            //   7e44                 | test                eax, eax
            //   8bce                 | je                  9
            //   8d7b04               | push                0x45a
            //   e8????????           |                     

        $sequence_53 = { 8b442428 6689c1 66894c2458 66894c245a }
            // n = 4, score = 2000
            //   8b442428             | mov                 dword ptr [esp + 8], eax
            //   6689c1               | jne                 0xffffff9e
            //   66894c2458           | mov                 al, byte ptr [esp + 7]
            //   66894c245a           | test                al, 1

        $sequence_54 = { e8???????? 8be8 85ed 7458 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   8be8                 | push                0
            //   85ed                 | call                eax
            //   7458                 | test                eax, eax

        $sequence_55 = { 807c242400 7409 8d4c2420 e8???????? }
            // n = 4, score = 1900
            //   807c242400           | xor                 eax, eax
            //   7409                 | push                0
            //   8d4c2420             | lea                 ecx, [esi + 0x1c]
            //   e8????????           |                     

        $sequence_56 = { e8???????? 6880000000 55 55 }
            // n = 4, score = 1800
            //   e8????????           |                     
            //   6880000000           | cmp                 byte ptr [edx], 0
            //   55                   | jne                 2
            //   55                   | cmp                 byte ptr [esp + 0x14], 0

        $sequence_57 = { ff7508 ffd0 33c0 40 }
            // n = 4, score = 1700
            //   ff7508               | test                eax, eax
            //   ffd0                 | jne                 0x1a
            //   33c0                 | jmp                 0xa
            //   40                   | ret                 

        $sequence_58 = { 8d4de0 51 68???????? ffd0 }
            // n = 4, score = 1600
            //   8d4de0               | inc                 eax
            //   51                   | pop                 ebp
            //   68????????           |                     
            //   ffd0                 | ret                 4

        $sequence_59 = { c70750000000 eb0d 3da665f63e 7506 c707bb010000 }
            // n = 5, score = 1500
            //   c70750000000         | je                  0xb
            //   eb0d                 | lea                 ecx, [esp + 0x10]
            //   3da665f63e           | lea                 ecx, [esp + 0x20]
            //   7506                 | push                eax
            //   c707bb010000         | push                0

        $sequence_60 = { e8???????? 50 ffd7 85c0 7512 }
            // n = 5, score = 900
            //   e8????????           |                     
            //   50                   | jne                 0x1f
            //   ffd7                 | jmp                 0x12
            //   85c0                 | push                eax
            //   7512                 | call                edi

        $sequence_61 = { eb0c e8???????? 8bf0 eb03 }
            // n = 4, score = 900
            //   eb0c                 | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bf0                 | call                eax
            //   eb03                 | xor                 eax, eax

        $sequence_62 = { 8038e9 89c1 8945d0 894dcc }
            // n = 4, score = 700
            //   8038e9               | mov                 ecx, 0x3e8
            //   89c1                 | test                al, al
            //   8945d0               | je                  0x15
            //   894dcc               | mov                 ecx, 0x3e8

        $sequence_63 = { 8b45cc 31c9 8b55d0 39c2 }
            // n = 4, score = 700
            //   8b45cc               | cmp                 byte ptr [eax], 0
            //   31c9                 | jne                 0xb
            //   8b55d0               | xor                 ecx, ecx
            //   39c2                 | mov                 ecx, eax

        $sequence_64 = { 8b780c 8bf7 8b36 837e1800 }
            // n = 4, score = 700
            //   8b780c               | call                edi
            //   8bf7                 | test                eax, eax
            //   8b36                 | jne                 0x18
            //   837e1800             | push                eax

        $sequence_65 = { 2b7134 891424 89742404 894c2418 e8???????? }
            // n = 5, score = 600
            //   2b7134               | je                  0xfffffff6
            //   891424               | mov                 eax, dword ptr [esp]
            //   89742404             | mov                 ecx, dword ptr [eax + 1]
            //   894c2418             | mov                 edx, eax
            //   e8????????           |                     

        $sequence_66 = { 50 8b442408 8038e9 890424 7517 }
            // n = 5, score = 600
            //   50                   | xor                 eax, eax
            //   8b442408             | ret                 
            //   8038e9               | push                eax
            //   890424               | mov                 eax, 1
            //   7517                 | ret                 

        $sequence_67 = { 83ec04 890424 894dd4 e8???????? 83c404 8038e9 89c1 }
            // n = 7, score = 600
            //   83ec04               | xor                 ecx, ecx
            //   890424               | mov                 edx, dword ptr [ebp - 0x30]
            //   894dd4               | cmp                 edx, eax
            //   e8????????           |                     
            //   83c404               | add                 esi, edx
            //   8038e9               | cmp                 dword ptr [ecx + 0x7c], 0
            //   89c1                 | mov                 edi, dword ptr [ebp - 0x44]

        $sequence_68 = { 7517 8b0424 8b4801 89c2 01ca }
            // n = 5, score = 600
            //   7517                 | push                eax
            //   8b0424               | mov                 eax, dword ptr [esp + 8]
            //   8b4801               | jb                  0xffffff71
            //   89c2                 | mov                 eax, 1
            //   01ca                 | ret                 

        $sequence_69 = { 01d6 83797c00 8b7dbc 8945b4 8955b0 }
            // n = 5, score = 600
            //   01d6                 | cmp                 byte ptr [eax], 0xe9
            //   83797c00             | mov                 ecx, eax
            //   8b7dbc               | mov                 dword ptr [ebp - 0x30], eax
            //   8945b4               | mov                 dword ptr [ebp - 0x34], ecx
            //   8955b0               | mov                 eax, dword ptr [ebp - 0x34]

        $sequence_70 = { 83c205 807c0805e9 891424 74e9 8b0424 }
            // n = 5, score = 600
            //   83c205               | xor                 eax, eax
            //   807c0805e9           | ret                 
            //   891424               | push                eax
            //   74e9                 | push                eax
            //   8b0424               | mov                 eax, dword ptr [esp + 8]

        $sequence_71 = { 8b45e0 31c9 83b88400000000 8945dc 894dd8 }
            // n = 5, score = 500
            //   8b45e0               | mov                 dword ptr [ebp - 0x18], eax
            //   31c9                 | mov                 dword ptr [ebp - 0x1c], ecx
            //   83b88400000000       | mov                 dword ptr [ebp - 0x20], edx
            //   8945dc               | cmp                 si, 0
            //   894dd8               | mov                 edi, eax

        $sequence_72 = { 6683fe00 89c7 8945f0 894dec 8955e8 }
            // n = 5, score = 500
            //   6683fe00             | xor                 ecx, ecx
            //   89c7                 | mov                 ecx, dword ptr [eax + 0x3c]
            //   8945f0               | mov                 si, cx
            //   894dec               | cmp                 si, 0
            //   8955e8               | mov                 edx, eax

        $sequence_73 = { 83c430 5e 5d c3 55 89e5 57 }
            // n = 7, score = 500
            //   83c430               | mov                 bl, 1
            //   5e                   | call                eax
            //   5d                   | test                eax, eax
            //   c3                   | jne                 0x27
            //   55                   | cmp                 byte ptr [eax], 0
            //   89e5                 | jne                 0xe
            //   57                   | xor                 ecx, ecx

        $sequence_74 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc }
            // n = 5, score = 500
            //   c7424800b00400       | pop                 esi
            //   8b7de4               | pop                 edi
            //   c787cc00000000000000     | pop    ebp
            //   c787c800000000000000     | mov    eax, dword ptr [ebp - 0x20]
            //   8945dc               | add                 esp, 0x5c

        $sequence_75 = { c744240400000000 8945f0 8955ec e8???????? 8b483c }
            // n = 5, score = 500
            //   c744240400000000     | mov                 dword ptr [ebp - 0x10], eax
            //   8945f0               | mov                 dword ptr [ebp - 0x14], ecx
            //   8955ec               | mov                 dword ptr [ebp - 0x18], edx
            //   e8????????           |                     
            //   8b483c               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_76 = { 83c454 5b 5e 5f 5d c3 55 }
            // n = 7, score = 500
            //   83c454               | push                edi
            //   5b                   | ret                 
            //   5e                   | push                ebp
            //   5f                   | mov                 ebp, esp
            //   5d                   | push                edi
            //   c3                   | push                esi
            //   55                   | push                ebx

        $sequence_77 = { 8b483c 6689ce 6683fe00 89c2 8945e8 894de4 8955e0 }
            // n = 7, score = 500
            //   8b483c               | mov                 edx, dword ptr [ebp - 0x30]
            //   6689ce               | cmp                 edx, eax
            //   6683fe00             | add                 eax, 1
            //   89c2                 | mov                 ecx, dword ptr [ebp - 0x18]
            //   8945e8               | add                 ecx, eax
            //   894de4               | mov                 dword ptr [ebp - 0x20], ecx
            //   8955e0               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_78 = { 81c1ffff0000 81e1ffff0000 83c101 8b55ec 01ca }
            // n = 5, score = 500
            //   81c1ffff0000         | cmp                 si, 0
            //   81e1ffff0000         | mov                 edx, eax
            //   83c101               | mov                 dword ptr [ebp - 0x18], eax
            //   8b55ec               | mov                 dword ptr [ebp - 0x1c], ecx
            //   01ca                 | mov                 si, cx

        $sequence_79 = { 83c001 8b4de8 01c1 894de0 8b45e0 31c9 }
            // n = 6, score = 500
            //   83c001               | cmp                 byte ptr [eax], 0xe9
            //   8b4de8               | mov                 ecx, eax
            //   01c1                 | mov                 dword ptr [ebp - 0x30], eax
            //   894de0               | mov                 dword ptr [ebp - 0x34], ecx
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x34]
            //   31c9                 | xor                 ecx, ecx

        $sequence_80 = { 56 53 57 83ec5c 8b450c 8b4d08 31d2 }
            // n = 7, score = 400
            //   56                   | pop                 edi
            //   53                   | pop                 ebx
            //   57                   | pop                 esi
            //   83ec5c               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b450c               | add                 esp, 0x5c
            //   8b4d08               | pop                 edi
            //   31d2                 | pop                 ebx

        $sequence_81 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 }
            // n = 6, score = 400
            //   5b                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   5d                   | mov                 dword ptr [edi + 0xcc], 0
            //   c3                   | mov                 dword ptr [edi + 0xc8], 0
            //   8b45d0               | pop                 ebx
            //   8b4dd4               | pop                 esi
            //   668b55d8             | pop                 ebp

        $sequence_82 = { 83c45c 5f 5b 5e }
            // n = 4, score = 400
            //   83c45c               | mov                 eax, dword ptr [ebp - 0x20]
            //   5f                   | add                 esp, 0x38
            //   5b                   | pop                 edi
            //   5e                   | mov                 dword ptr [ebp - 0x20], ecx

        $sequence_83 = { 5d c3 8b45f0 8b0c8504406e00 8b55f8 }
            // n = 5, score = 300
            //   5d                   | mov                 dword ptr [ebp - 0x18], ecx
            //   c3                   | pop                 ebx
            //   8b45f0               | pop                 ebp
            //   8b0c8504406e00       | ret                 
            //   8b55f8               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_84 = { 31ff 890424 c744240400000000 8b84248c000000 }
            // n = 4, score = 300
            //   31ff                 | push                eax
            //   890424               | mov                 eax, dword ptr [esp + 8]
            //   c744240400000000     | cmp                 byte ptr [eax], 0xe9
            //   8b84248c000000       | cmp                 byte ptr [eax], 0xe9

        $sequence_85 = { 53 81ecb0000000 8b4508 8d4dd8 c745d800000000 }
            // n = 5, score = 300
            //   53                   | sub                 esp, 0x54
            //   81ecb0000000         | add                 esp, 0x54
            //   8b4508               | pop                 ebx
            //   8d4dd8               | pop                 esi
            //   c745d800000000       | pop                 edi

        $sequence_86 = { 83c408 c3 8b442404 ff704c }
            // n = 4, score = 300
            //   83c408               | mov                 dword ptr [edi + 0xc8], 0
            //   c3                   | mov                 dword ptr [esp + 0x10], eax
            //   8b442404             | mov                 eax, ecx
            //   ff704c               | mov                 dword ptr [edx + 0x48], 0x4b000

        $sequence_87 = { 75e4 83c448 5e 5f }
            // n = 4, score = 300
            //   75e4                 | pop                 ebp
            //   83c448               | ret                 
            //   5e                   | mov                 eax, dword ptr [ebp - 0x30]
            //   5f                   | mov                 ecx, dword ptr [ebp - 0x2c]

        $sequence_88 = { 83c310 89542428 894c2424 895c2420 }
            // n = 4, score = 300
            //   83c310               | mov                 edi, dword ptr [esp + 0x18]
            //   89542428             | mov                 dword ptr [edi + 0xcc], 0
            //   894c2424             | mov                 dword ptr [edi + 0xc8], 0
            //   895c2420             | mov                 dword ptr [esp + 0x10], eax

        $sequence_89 = { 8955cc 74bc 8b45cc 83c454 5b 5e }
            // n = 6, score = 300
            //   8955cc               | add                 esp, 0x54
            //   74bc                 | pop                 ebx
            //   8b45cc               | pop                 esi
            //   83c454               | je                  0xffffffbe
            //   5b                   | mov                 eax, dword ptr [ebp - 0x34]
            //   5e                   | add                 esp, 0x54

        $sequence_90 = { 01fb 8b7924 89fd c1ed1e 83e501 }
            // n = 5, score = 300
            //   01fb                 | mov                 dword ptr [esp + 0x28], edx
            //   8b7924               | mov                 dword ptr [esp + 0x24], ecx
            //   89fd                 | mov                 dword ptr [esp + 0x20], ebx
            //   c1ed1e               | push                dword ptr [esp + 8]
            //   83e501               | add                 esp, 8

        $sequence_91 = { 8945e4 0f85dafeffff 8b45e4 83c474 5b }
            // n = 5, score = 300
            //   8945e4               | lea                 ecx, [ebp - 0x28]
            //   0f85dafeffff         | mov                 dword ptr [ebp - 0x28], 0
            //   8b45e4               | mov                 edx, dword ptr [eax + 0x4c]
            //   83c474               | mov                 esi, dword ptr [eax + 0x20]
            //   5b                   | push                ebx

        $sequence_92 = { 53 83ec74 8b450c 8b4d08 }
            // n = 4, score = 300
            //   53                   | lea                 ecx, [ebp - 0x28]
            //   83ec74               | push                ebx
            //   8b450c               | sub                 esp, 0xb0
            //   8b4d08               | mov                 eax, dword ptr [ebp + 8]

        $sequence_93 = { 53 56 83ec38 8b450c 8b4d08 }
            // n = 5, score = 300
            //   53                   | jne                 0xfffffee3
            //   56                   | mov                 eax, dword ptr [ebp - 0x1c]
            //   83ec38               | add                 esp, 0x74
            //   8b450c               | pop                 ebx
            //   8b4d08               | jne                 0xfffffef0

        $sequence_94 = { 7505 e9???????? 8b45e0 83c438 5e 5b 5f }
            // n = 7, score = 300
            //   7505                 | mov                 eax, dword ptr [ebp - 0x1c]
            //   e9????????           |                     
            //   8b45e0               | add                 esp, 0x74
            //   83c438               | pop                 ebx
            //   5e                   | push                ebx
            //   5b                   | push                esi
            //   5f                   | sub                 esp, 0x38

        $sequence_95 = { 8b0c8504406e00 8b55f8 39d1 8945ec }
            // n = 4, score = 300
            //   8b0c8504406e00       | mov                 dword ptr [edi + 0xc8], 0
            //   8b55f8               | pop                 ebx
            //   39d1                 | pop                 esi
            //   8945ec               | pop                 ebp

        $sequence_96 = { 890424 8b4c240c ff5128 83ec04 89442404 }
            // n = 5, score = 300
            //   890424               | mov                 dword ptr [esp], eax
            //   8b4c240c             | mov                 dword ptr [esp + 4], 0
            //   ff5128               | mov                 eax, dword ptr [esp + 0x8c]
            //   83ec04               | add                 edx, esi
            //   89442404             | add                 esi, -0x40

        $sequence_97 = { 01f2 83c6c0 81fec00f0000 89442450 8954244c }
            // n = 5, score = 300
            //   01f2                 | mov                 dword ptr [esp], eax
            //   83c6c0               | jne                 0x1c
            //   81fec00f0000         | mov                 eax, dword ptr [esp]
            //   89442450             | mov                 ecx, dword ptr [eax + 1]
            //   8954244c             | xor                 edi, edi

        $sequence_98 = { 8b5054 891424 894c2404 8945f8 e8???????? 8d0d44306e00 31d2 }
            // n = 7, score = 200
            //   8b5054               | mov                 edx, dword ptr [eax + 0x4c]
            //   891424               | ret                 
            //   894c2404             | push                ebp
            //   8945f8               | mov                 ebp, esp
            //   e8????????           |                     
            //   8d0d44306e00         | push                ebx
            //   31d2                 | push                esi

        $sequence_99 = { 55 89e5 53 56 57 83ec38 }
            // n = 6, score = 200
            //   55                   | mov                 eax, dword ptr [ebp - 0x34]
            //   89e5                 | add                 esp, 0x54
            //   53                   | pop                 edi
            //   56                   | mov                 eax, dword ptr [ebp - 0x20]
            //   57                   | add                 esp, 0x38
            //   83ec38               | pop                 edi

        $sequence_100 = { 8d0de8302400 890424 894c2404 e8???????? 8d0d44302400 31d2 }
            // n = 6, score = 200
            //   8d0de8302400         | xor                 edx, edx
            //   890424               | add                 esp, 0x74
            //   894c2404             | pop                 ebx
            //   e8????????           |                     
            //   8d0d44302400         | pop                 edi
            //   31d2                 | pop                 esi

        $sequence_101 = { 83c474 5b 5f 5e 5d c3 }
            // n = 6, score = 200
            //   83c474               | xor                 edx, edx
            //   5b                   | push                ebp
            //   5f                   | mov                 ebp, esp
            //   5e                   | push                esi
            //   5d                   | push                edi
            //   c3                   | push                ebx

        $sequence_102 = { e8???????? 8d0dad302400 890424 894c2404 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8d0dad302400         | mov                 dword ptr [esp + 4], ecx
            //   890424               | lea                 ecx, [0x243044]
            //   894c2404             | lea                 ecx, [0x2430a0]

        $sequence_103 = { 8b45cc 83c454 5f 5b }
            // n = 4, score = 200
            //   8b45cc               | push                edi
            //   83c454               | sub                 esp, 0x54
            //   5f                   | mov                 dword ptr [edx + 0x44], 0x20c2c
            //   5b                   | mov                 dword ptr [edx + 0x48], 0x4b000

        $sequence_104 = { 033c8a 897dd8 8b45d8 83c444 5b 5e 5f }
            // n = 7, score = 200
            //   033c8a               | pop                 esi
            //   897dd8               | pop                 ebp
            //   8b45d8               | mov                 dword ptr [edx + 0x40], 4
            //   83c444               | mov                 dword ptr [edx + 0x44], 0x20c2c
            //   5b                   | mov                 dword ptr [edx + 0x48], 0x4b000
            //   5e                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   5f                   | mov                 dword ptr [edi + 0xcc], 0

        $sequence_105 = { 8b45e0 83c438 5f 5e 5b }
            // n = 5, score = 200
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x34]
            //   83c438               | add                 esp, 0x54
            //   5f                   | pop                 edi
            //   5e                   | mov                 dword ptr [ebp - 0x34], edx
            //   5b                   | je                  0xffffffbe

        $sequence_106 = { 56 57 81ecb0000000 8b4508 }
            // n = 4, score = 200
            //   56                   | pop                 edi
            //   57                   | pop                 esi
            //   81ecb0000000         | pop                 ebx
            //   8b4508               | push                ebx

        $sequence_107 = { 55 89e5 56 57 53 83ec74 }
            // n = 6, score = 200
            //   55                   | pop                 ebp
            //   89e5                 | mov                 ebp, esp
            //   56                   | push                esi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   83ec74               | sub                 esp, 0x74

        $sequence_108 = { 56 53 83ec44 8b4508 }
            // n = 4, score = 200
            //   56                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   53                   | add                 esp, 0x54
            //   83ec44               | pop                 edi
            //   8b4508               | pop                 ebx

        $sequence_109 = { c3 55 89e5 56 53 57 83ec54 }
            // n = 7, score = 200
            //   c3                   | sub                 esp, 0x38
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   56                   | push                ebx
            //   53                   | push                esi
            //   57                   | push                edi
            //   83ec54               | sub                 esp, 0x38

        $sequence_110 = { 8b4508 8d0d30306e00 31d2 890c24 }
            // n = 4, score = 200
            //   8b4508               | mov                 dword ptr [ebp - 8], eax
            //   8d0d30306e00         | lea                 ecx, [0x6e3044]
            //   31d2                 | xor                 edx, edx
            //   890c24               | mov                 dword ptr [esp], eax

        $sequence_111 = { e9???????? 8b45e0 83c45c 5e 5f 5b 5d }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b45e0               | pop                 esi
            //   83c45c               | pop                 edi
            //   5e                   | mov                 dword ptr [ebp - 0x34], edx
            //   5f                   | je                  0xffffffc1
            //   5b                   | mov                 eax, dword ptr [ebp - 0x34]
            //   5d                   | add                 esp, 0x54

        $sequence_112 = { 8b55f4 8b75ec 89723c c7424004000000 c742442c0c0200 c7424800b00400 }
            // n = 6, score = 200
            //   8b55f4               | pop                 edi
            //   8b75ec               | pop                 ebx
            //   89723c               | je                  0xffffffbe
            //   c7424004000000       | mov                 eax, dword ptr [ebp - 0x34]
            //   c742442c0c0200       | add                 esp, 0x54
            //   c7424800b00400       | pop                 edi

        $sequence_113 = { 8d0d04316e00 890424 894c2404 e8???????? 8b4df8 894130 }
            // n = 6, score = 200
            //   8d0d04316e00         | xor                 edx, edx
            //   890424               | mov                 dword ptr [esp], ecx
            //   894c2404             | lea                 ecx, [0x6e30e8]
            //   e8????????           |                     
            //   8b4df8               | mov                 dword ptr [esp], eax
            //   894130               | mov                 dword ptr [esp + 4], ecx

        $sequence_114 = { 55 89e5 57 56 53 81ecb0000000 }
            // n = 6, score = 200
            //   55                   | mov                 eax, dword ptr [ebp - 0x20]
            //   89e5                 | add                 esp, 0x5c
            //   57                   | pop                 esi
            //   56                   | pop                 edi
            //   53                   | mov                 eax, dword ptr [ebp - 0x20]
            //   81ecb0000000         | add                 esp, 0x5c

        $sequence_115 = { 890424 894c2404 e8???????? 8d0d44306e00 31d2 8b75f8 }
            // n = 6, score = 200
            //   890424               | push                edi
            //   894c2404             | sub                 esp, 0xb0
            //   e8????????           |                     
            //   8d0d44306e00         | mov                 edx, dword ptr [eax + 0x54]
            //   31d2                 | mov                 dword ptr [esp], edx
            //   8b75f8               | mov                 dword ptr [esp + 4], ecx

        $sequence_116 = { 55 89e5 8d055a238400 5d }
            // n = 4, score = 100
            //   55                   | mov                 eax, dword ptr [ebp + 0xc]
            //   89e5                 | mov                 ecx, dword ptr [ebp + 8]
            //   8d055a238400         | lea                 edx, [0x84305e]
            //   5d                   | sub                 esp, 4

        $sequence_117 = { 8d0d44308400 31d2 890c24 c744240400000000 8945fc 8955f8 e8???????? }
            // n = 7, score = 100
            //   8d0d44308400         | mov                 dword ptr [esp], eax
            //   31d2                 | mov                 dword ptr [esp + 4], ecx
            //   890c24               | lea                 ecx, [0x843044]
            //   c744240400000000     | xor                 edx, edx
            //   8945fc               | mov                 esi, dword ptr [ebp - 8]
            //   8955f8               | lea                 ecx, [0x8430ad]
            //   e8????????           |                     

        $sequence_118 = { c3 55 89e5 83ec10 8b4508 8d0d44308400 31d2 }
            // n = 7, score = 100
            //   c3                   | lea                 ecx, [0x8430a0]
            //   55                   | mov                 dword ptr [esp], eax
            //   89e5                 | mov                 dword ptr [esp + 4], ecx
            //   83ec10               | push                ebx
            //   8b4508               | sub                 esp, 0x54
            //   8d0d44308400         | lea                 eax, [0x84235a]
            //   31d2                 | xor                 ecx, ecx

        $sequence_119 = { c744240400000000 8955dc e8???????? 8d0de8308400 }
            // n = 4, score = 100
            //   c744240400000000     | mov                 dword ptr [esp + 4], ecx
            //   8955dc               | lea                 ecx, [0x843044]
            //   e8????????           |                     
            //   8d0de8308400         | push                esi

        $sequence_120 = { 894620 890c24 c744240400000000 8955e0 e8???????? 8d0dd8302500 }
            // n = 6, score = 100
            //   894620               | mov                 dword ptr [edx + 0x44], 0x20c2c
            //   890c24               | mov                 dword ptr [edx + 0x48], 0x4b000
            //   c744240400000000     | mov                 edi, dword ptr [ebp - 0x1c]
            //   8955e0               | mov                 eax, dword ptr [ebp - 0x34]
            //   e8????????           |                     
            //   8d0dd8302500         | add                 esp, 0x54

        $sequence_121 = { 8d0d44308400 31d2 8b75f8 89460c }
            // n = 4, score = 100
            //   8d0d44308400         | mov                 dword ptr [esp + 4], 0
            //   31d2                 | mov                 dword ptr [ebp - 0x24], edx
            //   8b75f8               | lea                 ecx, [0x8430e8]
            //   89460c               | mov                 dword ptr [esp], eax

        $sequence_122 = { 83ec54 8d055a238400 31c9 8d55d8 803d????????e9 8955d4 }
            // n = 6, score = 100
            //   83ec54               | mov                 dword ptr [esi + 0xc], eax
            //   8d055a238400         | lea                 eax, [0x84235a]
            //   31c9                 | pop                 ebp
            //   8d55d8               | ret                 
            //   803d????????e9       |                     
            //   8955d4               | push                ebp

        $sequence_123 = { 31c0 8d0d5a232f00 8b55c8 39ca 8945cc 0f84f9000000 }
            // n = 6, score = 100
            //   31c0                 | pop                 ebx
            //   8d0d5a232f00         | pop                 ebx
            //   8b55c8               | pop                 edi
            //   39ca                 | pop                 ebp
            //   8945cc               | ret                 
            //   0f84f9000000         | push                ebp

    condition:
        7 of them and filesize < 1040384
}
Download all Yara Rules
Dridex Propose Change

References

Yara Rules

Dridex
