Dridex (Malware Family)

Dridex
URLhaus
OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term."
According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."
IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."
References
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
Yara Rules
[TLP:WHITE] win_dridex_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_dridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd6 85c0 7512 e8???????? eb03 }
            // n = 5, score = 4000
            //   ffd6                 | mov                 ecx, 0x2710
            //   85c0                 | call                esi
            //   7512                 | test                eax, eax
            //   e8????????           |                     
            //   eb03                 | jne                 0x14

        $sequence_1 = { e8???????? b910270000 e8???????? e8???????? }
            // n = 4, score = 4000
            //   e8????????           |                     
            //   b910270000           | mov                 ecx, 0x2710
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_2 = { c605????????01 c3 c605????????00 c3 }
            // n = 4, score = 3900
            //   c605????????01       |                     
            //   c3                   | ret                 
            //   c605????????00       |                     
            //   c3                   | ret                 

        $sequence_3 = { 83f8ff 7505 e8???????? 3d34270000 }
            // n = 4, score = 3900
            //   83f8ff               | cmp                 eax, -1
            //   7505                 | jne                 7
            //   e8????????           |                     
            //   3d34270000           | cmp                 eax, 0x2734

        $sequence_4 = { e8???????? 84c0 740c b9e8030000 }
            // n = 4, score = 3800
            //   e8????????           |                     
            //   84c0                 | cmp                 eax, 0x2734
            //   740c                 | test                al, al
            //   b9e8030000           | je                  0xe

        $sequence_5 = { 740c b9e8030000 e8???????? b301 }
            // n = 4, score = 3800
            //   740c                 | mov                 ecx, 0x3e8
            //   b9e8030000           | je                  0xe
            //   e8????????           |                     
            //   b301                 | mov                 ecx, 0x3e8

        $sequence_6 = { ffd0 e8???????? 85c0 74de }
            // n = 4, score = 3800
            //   ffd0                 | mov                 bl, 1
            //   e8????????           |                     
            //   85c0                 | call                eax
            //   74de                 | test                eax, eax

        $sequence_7 = { 53 53 53 6a01 53 ffd0 }
            // n = 6, score = 3500
            //   53                   | jne                 0x21
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a01                 | push                ebx
            //   53                   | push                1
            //   ffd0                 | push                ebx

        $sequence_8 = { eb0a e8???????? eb03 6a7f }
            // n = 4, score = 3000
            //   eb0a                 | call                eax
            //   e8????????           |                     
            //   eb03                 | jmp                 0xc
            //   6a7f                 | jmp                 5

        $sequence_9 = { ffd0 eb02 33c0 6a00 50 }
            // n = 5, score = 2500
            //   ffd0                 | push                1
            //   eb02                 | call                eax
            //   33c0                 | jmp                 4
            //   6a00                 | xor                 eax, eax
            //   50                   | push                0

        $sequence_10 = { 7406 42 803a00 75fa }
            // n = 4, score = 2500
            //   7406                 | push                ebx
            //   42                   | je                  8
            //   803a00               | inc                 edx
            //   75fa                 | cmp                 byte ptr [edx], 0

        $sequence_11 = { ff36 ffd0 8bf8 85ff }
            // n = 4, score = 2500
            //   ff36                 | jmp                 5
            //   ffd0                 | push                dword ptr [esi]
            //   8bf8                 | call                eax
            //   85ff                 | mov                 edi, eax

        $sequence_12 = { c3 31c0 c3 50 }
            // n = 4, score = 2500
            //   c3                   | jne                 0x21
            //   31c0                 | ret                 
            //   c3                   | xor                 eax, eax
            //   50                   | ret                 

        $sequence_13 = { e8???????? 85c0 7403 56 ffd0 33f6 }
            // n = 6, score = 2400
            //   e8????????           |                     
            //   85c0                 | call                eax
            //   7403                 | test                eax, eax
            //   56                   | je                  5
            //   ffd0                 | push                esi
            //   33f6                 | call                eax

        $sequence_14 = { 807c241400 7409 8d4c2410 e8???????? }
            // n = 4, score = 2400
            //   807c241400           | xor                 esi, esi
            //   7409                 | cmp                 byte ptr [esp + 0x14], 0
            //   8d4c2410             | je                  0xb
            //   e8????????           |                     

        $sequence_15 = { e8???????? 6880000000 53 53 }
            // n = 4, score = 2300
            //   e8????????           |                     
            //   6880000000           | call                eax
            //   53                   | push                0x80
            //   53                   | push                ebx

        $sequence_16 = { e8???????? 85c0 7408 6a00 ffd0 }
            // n = 5, score = 2300
            //   e8????????           |                     
            //   85c0                 | push                0
            //   7408                 | test                eax, eax
            //   6a00                 | je                  0xa
            //   ffd0                 | push                0

        $sequence_17 = { 55 8bec 837d0800 7422 }
            // n = 4, score = 2300
            //   55                   | test                edi, edi
            //   8bec                 | push                ebp
            //   837d0800             | mov                 ebp, esp
            //   7422                 | cmp                 dword ptr [ebp + 8], 0

        $sequence_18 = { e8???????? eb0a b9d0070000 e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   eb0a                 | jmp                 0xc
            //   b9d0070000           | mov                 ecx, 0x7d0
            //   e8????????           |                     

        $sequence_19 = { e8???????? 85c0 7404 6a7f }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   85c0                 | lea                 ecx, [esp + 0x10]
            //   7404                 | test                eax, eax
            //   6a7f                 | je                  6

        $sequence_20 = { 8d4c2420 e8???????? 50 6a00 }
            // n = 4, score = 2200
            //   8d4c2420             | call                eax
            //   e8????????           |                     
            //   50                   | lea                 ecx, [esp + 0x20]
            //   6a00                 | push                eax

        $sequence_21 = { e8???????? 6a00 8d4e1c e8???????? }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   6a00                 | push                0x7f
            //   8d4e1c               | push                0
            //   e8????????           |                     

        $sequence_22 = { e8???????? 84c0 7516 8bd3 }
            // n = 4, score = 2200
            //   e8????????           |                     
            //   84c0                 | call                eax
            //   7516                 | test                al, al
            //   8bd3                 | jne                 0x18

        $sequence_23 = { 85c0 7407 685a040000 ffd0 }
            // n = 4, score = 2200
            //   85c0                 | xor                 eax, eax
            //   7407                 | test                eax, eax
            //   685a040000           | je                  9
            //   ffd0                 | push                0x45a

        $sequence_24 = { 3db20d7897 7508 c70350000000 eb0d 3da665f63e 7506 c703bb010000 }
            // n = 7, score = 2200
            //   3db20d7897           | jne                 0x16
            //   7508                 | jmp                 9
            //   c70350000000         | push                eax
            //   eb0d                 | call                esi
            //   3da665f63e           | test                eax, eax
            //   7506                 | jne                 0x16
            //   c703bb010000         | call                esi

        $sequence_25 = { ffd0 5b c3 33c0 }
            // n = 4, score = 2200
            //   ffd0                 | push                ebx
            //   5b                   | call                eax
            //   c3                   | pop                 ebx
            //   33c0                 | ret                 

        $sequence_26 = { eb08 83ca20 eb03 83ca10 }
            // n = 4, score = 2100
            //   eb08                 | jmp                 0xa
            //   83ca20               | or                  edx, 0x20
            //   eb03                 | jmp                 5
            //   83ca10               | or                  edx, 0x10

        $sequence_27 = { 6a74 8bc8 e8???????? 6a74 8bc8 e8???????? }
            // n = 6, score = 2100
            //   6a74                 | push                0x73
            //   8bc8                 | push                0x74
            //   e8????????           |                     
            //   6a74                 | mov                 ecx, eax
            //   8bc8                 | push                0x74
            //   e8????????           |                     

        $sequence_28 = { e8???????? e9???????? 807c245000 740a }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   e9????????           |                     
            //   807c245000           | cmp                 byte ptr [esp + 0x50], 0
            //   740a                 | je                  0xc

        $sequence_29 = { 50 e8???????? 8938 8b35???????? }
            // n = 4, score = 2100
            //   50                   | push                0
            //   e8????????           |                     
            //   8938                 | push                eax
            //   8b35????????         |                     

        $sequence_30 = { 7415 6a01 6a00 6a00 8d4dfc }
            // n = 5, score = 2100
            //   7415                 | mov                 ecx, eax
            //   6a01                 | je                  0x17
            //   6a00                 | push                1
            //   6a00                 | push                0
            //   8d4dfc               | push                0

        $sequence_31 = { 8bc8 e8???????? 6a70 8bc8 e8???????? 6a73 }
            // n = 6, score = 2100
            //   8bc8                 | call                eax
            //   e8????????           |                     
            //   6a70                 | mov                 ecx, eax
            //   8bc8                 | push                0x70
            //   e8????????           |                     
            //   6a73                 | mov                 ecx, eax

        $sequence_32 = { 50 56 ffd5 57 }
            // n = 4, score = 2100
            //   50                   | xor                 eax, eax
            //   56                   | push                eax
            //   ffd5                 | push                esi
            //   57                   | call                ebp

        $sequence_33 = { 53 ffd0 8bf0 eb02 }
            // n = 4, score = 2100
            //   53                   | mov                 edx, ebx
            //   ffd0                 | push                ebx
            //   8bf0                 | call                eax
            //   eb02                 | mov                 esi, eax

        $sequence_34 = { 3bc7 7e24 8bce e8???????? 2bc7 }
            // n = 5, score = 2100
            //   3bc7                 | lea                 ecx, [ebp - 4]
            //   7e24                 | push                ecx
            //   8bce                 | push                0x74
            //   e8????????           |                     
            //   2bc7                 | mov                 ecx, eax

        $sequence_35 = { 7411 c7461003000000 e8???????? 894614 }
            // n = 4, score = 2100
            //   7411                 | je                  0xe
            //   c7461003000000       | mov                 ecx, 0x3e8
            //   e8????????           |                     
            //   894614               | test                al, al

        $sequence_36 = { e8???????? 8d4dc4 e8???????? 5e }
            // n = 4, score = 2100
            //   e8????????           |                     
            //   8d4dc4               | mov                 ecx, eax
            //   e8????????           |                     
            //   5e                   | push                0x74

        $sequence_37 = { 6a00 8bcf e8???????? 50 ffd6 }
            // n = 5, score = 2100
            //   6a00                 | mov                 ecx, eax
            //   8bcf                 | push                0
            //   e8????????           |                     
            //   50                   | mov                 ecx, edi
            //   ffd6                 | push                eax

        $sequence_38 = { 50 53 8bce e8???????? 50 e8???????? 83c40c }
            // n = 7, score = 2100
            //   50                   | push                0x70
            //   53                   | mov                 ecx, eax
            //   8bce                 | push                0x70
            //   e8????????           |                     
            //   50                   | mov                 ecx, eax
            //   e8????????           |                     
            //   83c40c               | push                0x73

        $sequence_39 = { 8b442428 6689c1 66894c2458 66894c245a }
            // n = 4, score = 2000
            //   8b442428             | mov                 byte ptr [esp + 0xf], dl
            //   6689c1               | mov                 eax, dword ptr [esp + 0x28]
            //   66894c2458           | mov                 cx, ax
            //   66894c245a           | mov                 word ptr [esp + 0x58], cx

        $sequence_40 = { a801 7534 eb00 31c0 }
            // n = 4, score = 2000
            //   a801                 | mov                 byte ptr [esp + 0xf], dl
            //   7534                 | test                al, 1
            //   eb00                 | jne                 0x36
            //   31c0                 | jmp                 2

        $sequence_41 = { 6a64 59 e8???????? 33c9 }
            // n = 4, score = 2000
            //   6a64                 | push                0x64
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx

        $sequence_42 = { 51 6880000000 68ffff0000 ff36 }
            // n = 4, score = 2000
            //   51                   | test                eax, eax
            //   6880000000           | jne                 0x21
            //   68ffff0000           | mov                 ecx, 0x2710
            //   ff36                 | call                esi

        $sequence_43 = { 7414 31c0 89c1 8b442424 88c2 8854240f }
            // n = 6, score = 2000
            //   7414                 | push                eax
            //   31c0                 | je                  0x16
            //   89c1                 | xor                 eax, eax
            //   8b442424             | mov                 ecx, eax
            //   88c2                 | mov                 eax, dword ptr [esp + 0x24]
            //   8854240f             | mov                 dl, al

        $sequence_44 = { 7407 b9c1000000 ffd0 33c0 }
            // n = 4, score = 2000
            //   7407                 | jne                 0xf
            //   b9c1000000           | mov                 dword ptr [ebx], 0x50
            //   ffd0                 | cmp                 eax, 0x97780db2
            //   33c0                 | jne                 0xf

        $sequence_45 = { 8954242c 8b44242c 89c1 89ca }
            // n = 4, score = 2000
            //   8954242c             | xor                 eax, eax
            //   8b44242c             | mov                 dword ptr [esp + 0x2c], edx
            //   89c1                 | mov                 eax, dword ptr [esp + 0x2c]
            //   89ca                 | mov                 ecx, eax

        $sequence_46 = { c7461002000000 eb0f c7461003000000 e8???????? }
            // n = 4, score = 2000
            //   c7461002000000       | push                0x7f
            //   eb0f                 | call                esi
            //   c7461003000000       | test                eax, eax
            //   e8????????           |                     

        $sequence_47 = { 89442408 7598 8a442407 a801 }
            // n = 4, score = 2000
            //   89442408             | mov                 edx, ecx
            //   7598                 | mov                 dword ptr [esp + 8], eax
            //   8a442407             | jne                 0xffffff9a
            //   a801                 | mov                 al, byte ptr [esp + 7]

        $sequence_48 = { 740d 40 83c104 3d00100000 }
            // n = 4, score = 2000
            //   740d                 | jne                 0x16
            //   40                   | jmp                 9
            //   83c104               | push                eax
            //   3d00100000           | call                esi

        $sequence_49 = { b964000000 e8???????? 33c9 e8???????? }
            // n = 4, score = 2000
            //   b964000000           | mov                 dword ptr [ebx], 0x50
            //   e8????????           |                     
            //   33c9                 | jmp                 0x15
            //   e8????????           |                     

        $sequence_50 = { 33c0 803900 7411 ffc0 }
            // n = 4, score = 2000
            //   33c0                 | cmp                 eax, 0x3ef665a6
            //   803900               | jne                 0xd
            //   7411                 | mov                 dword ptr [ebx], 0x1bb
            //   ffc0                 | cmp                 eax, 0x97780db2

        $sequence_51 = { 89442404 eb00 8b442404 89c1 }
            // n = 4, score = 2000
            //   89442404             | test                al, 1
            //   eb00                 | mov                 dword ptr [esp + 4], eax
            //   8b442404             | jmp                 2
            //   89c1                 | mov                 eax, dword ptr [esp + 4]

        $sequence_52 = { 890424 894c2404 75dd 8b0424 }
            // n = 4, score = 2000
            //   890424               | mov                 edx, ecx
            //   894c2404             | mov                 dword ptr [esp], eax
            //   75dd                 | mov                 dword ptr [esp + 4], ecx
            //   8b0424               | jne                 0xffffffdf

        $sequence_53 = { 7518 b900000100 48891d???????? e8???????? 488905???????? }
            // n = 5, score = 2000
            //   7518                 | jne                 0x1a
            //   b900000100           | mov                 ecx, 0x10000
            //   48891d????????       |                     
            //   e8????????           |                     
            //   488905????????       |                     

        $sequence_54 = { e8???????? 50 56 8bcb e8???????? 50 e8???????? }
            // n = 7, score = 2000
            //   e8????????           |                     
            //   50                   | je                  0x24
            //   56                   | push                eax
            //   8bcb                 | push                esi
            //   e8????????           |                     
            //   50                   | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_55 = { c20400 55 8bec 83ec34 8365fc00 }
            // n = 5, score = 2000
            //   c20400               | test                eax, eax
            //   55                   | jne                 0x18
            //   8bec                 | jmp                 0xb
            //   83ec34               | push                eax
            //   8365fc00             | call                esi

        $sequence_56 = { 807c242400 7409 8d4c2420 e8???????? }
            // n = 4, score = 1900
            //   807c242400           | push                edi
            //   7409                 | cmp                 byte ptr [esp + 0x24], 0
            //   8d4c2420             | je                  0xb
            //   e8????????           |                     

        $sequence_57 = { e8???????? 84c0 740f 6a05 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   84c0                 | push                eax
            //   740f                 | test                al, al
            //   6a05                 | je                  0x11

        $sequence_58 = { e8???????? 8be8 85ed 7458 }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   8be8                 | lea                 ecx, [esp + 0x20]
            //   85ed                 | mov                 ebp, eax
            //   7458                 | test                ebp, ebp

        $sequence_59 = { e8???????? 6880000000 55 55 }
            // n = 4, score = 1800
            //   e8????????           |                     
            //   6880000000           | je                  0x5a
            //   55                   | push                0x80
            //   55                   | push                ebp

        $sequence_60 = { ff7508 ffd0 33c0 40 5d c20400 }
            // n = 6, score = 1700
            //   ff7508               | je                  0x24
            //   ffd0                 | push                dword ptr [ebp + 8]
            //   33c0                 | call                eax
            //   40                   | xor                 eax, eax
            //   5d                   | inc                 eax
            //   c20400               | pop                 ebp

        $sequence_61 = { ff35???????? ffd0 5d c3 }
            // n = 4, score = 1600
            //   ff35????????         |                     
            //   ffd0                 | push                esi
            //   5d                   | call                eax
            //   c3                   | push                0x80

        $sequence_62 = { 8d4de0 51 68???????? ffd0 }
            // n = 4, score = 1600
            //   8d4de0               | mov                 ebp, esp
            //   51                   | lea                 ecx, [ebp - 0x20]
            //   68????????           |                     
            //   ffd0                 | push                ecx

        $sequence_63 = { e8???????? 8bc8 6a74 e8???????? 8bc8 6a70 }
            // n = 6, score = 1500
            //   e8????????           |                     
            //   8bc8                 | push                ebp
            //   6a74                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8bc8                 | push                0x74
            //   6a70                 | mov                 ecx, eax

        $sequence_64 = { 5e c3 31c0 89c2 }
            // n = 4, score = 1200
            //   5e                   | xor                 eax, eax
            //   c3                   | mov                 eax, dword ptr [esp + 0x28]
            //   31c0                 | mov                 cx, ax
            //   89c2                 | mov                 word ptr [esp + 0x58], cx

        $sequence_65 = { eb0c e8???????? 8bf0 eb03 6a7f 5e }
            // n = 6, score = 900
            //   eb0c                 | call                eax
            //   e8????????           |                     
            //   8bf0                 | jmp                 0xe
            //   eb03                 | mov                 esi, eax
            //   6a7f                 | jmp                 5
            //   5e                   | push                0x7f

        $sequence_66 = { e8???????? 50 ffd7 85c0 7512 }
            // n = 5, score = 900
            //   e8????????           |                     
            //   50                   | jmp                 5
            //   ffd7                 | push                eax
            //   85c0                 | call                edi
            //   7512                 | test                eax, eax

        $sequence_67 = { 8038e9 89c1 8945d0 894dcc }
            // n = 4, score = 700
            //   8038e9               | jne                 0x21
            //   89c1                 | cmp                 byte ptr [eax], 0xe9
            //   8945d0               | mov                 ecx, eax
            //   894dcc               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_68 = { 8b45cc 31c9 8b55d0 39c2 }
            // n = 4, score = 700
            //   8b45cc               | mov                 dword ptr [ebp - 0x34], ecx
            //   31c9                 | mov                 eax, dword ptr [ebp - 0x34]
            //   8b55d0               | xor                 ecx, ecx
            //   39c2                 | mov                 edx, dword ptr [ebp - 0x30]

        $sequence_69 = { 8b45e8 05ffff0000 25ffff0000 83c001 }
            // n = 4, score = 600
            //   8b45e8               | mov                 edi, ecx
            //   05ffff0000           | mov                 eax, dword ptr [ebp - 0x18]
            //   25ffff0000           | add                 eax, 0xffff
            //   83c001               | and                 eax, 0xffff

        $sequence_70 = { c3 50 8b442408 8038e9 }
            // n = 4, score = 600
            //   c3                   | mov                 eax, dword ptr [esp]
            //   50                   | ret                 
            //   8b442408             | push                eax
            //   8038e9               | mov                 eax, dword ptr [esp + 8]

        $sequence_71 = { 8b0424 8b4801 89c2 01ca 83c205 807c0805e9 }
            // n = 6, score = 600
            //   8b0424               | mov                 edx, eax
            //   8b4801               | mov                 eax, dword ptr [esp]
            //   89c2                 | mov                 ecx, dword ptr [eax + 1]
            //   01ca                 | mov                 edx, eax
            //   83c205               | add                 edx, ecx
            //   807c0805e9           | add                 edx, 5

        $sequence_72 = { 8b442408 8038e9 890424 7517 8b0424 8b4801 89c2 }
            // n = 7, score = 600
            //   8b442408             | push                eax
            //   8038e9               | mov                 eax, dword ptr [esp + 8]
            //   890424               | cmp                 byte ptr [eax], 0xe9
            //   7517                 | mov                 dword ptr [esp], eax
            //   8b0424               | jne                 0x19
            //   8b4801               | mov                 eax, dword ptr [esp]
            //   89c2                 | mov                 ecx, dword ptr [eax + 1]

        $sequence_73 = { 01ca 83c205 807c0805e9 891424 74e9 8b0424 }
            // n = 6, score = 600
            //   01ca                 | mov                 eax, dword ptr [esp + 8]
            //   83c205               | add                 edx, ecx
            //   807c0805e9           | add                 edx, 5
            //   891424               | cmp                 byte ptr [eax + ecx + 5], 0xe9
            //   74e9                 | mov                 dword ptr [esp], edx
            //   8b0424               | je                  0xffffffeb

        $sequence_74 = { 8b513c 6689d6 6683fe00 89cf }
            // n = 4, score = 600
            //   8b513c               | cmp                 edx, eax
            //   6689d6               | mov                 edx, dword ptr [ecx + 0x3c]
            //   6683fe00             | mov                 si, dx
            //   89cf                 | cmp                 si, 0

        $sequence_75 = { 8b704c 2b7134 891424 89742404 894c2418 e8???????? }
            // n = 6, score = 600
            //   8b704c               | je                  0xffffffeb
            //   2b7134               | mov                 esi, dword ptr [eax + 0x4c]
            //   891424               | sub                 esi, dword ptr [ecx + 0x34]
            //   89742404             | mov                 dword ptr [esp], edx
            //   894c2418             | mov                 dword ptr [esp + 4], esi
            //   e8????????           |                     

        $sequence_76 = { 83c454 5b 5e 5f 5d c3 55 }
            // n = 7, score = 500
            //   83c454               | push                edi
            //   5b                   | add                 esp, 0x54
            //   5e                   | pop                 ebx
            //   5f                   | pop                 esi
            //   5d                   | pop                 edi
            //   c3                   | pop                 ebp
            //   55                   | ret                 

        $sequence_77 = { 6689f7 6683ff00 89cb 8945f0 894dec 8955e8 }
            // n = 6, score = 500
            //   6689f7               | ret                 
            //   6683ff00             | mov                 di, si
            //   89cb                 | cmp                 di, 0
            //   8945f0               | mov                 ebx, ecx
            //   894dec               | mov                 dword ptr [ebp - 0x10], eax
            //   8955e8               | mov                 dword ptr [ebp - 0x14], ecx

        $sequence_78 = { 83c001 8b4df8 01c1 894df0 8b45f0 83c40c 5e }
            // n = 7, score = 500
            //   83c001               | je                  0x25
            //   8b4df8               | mov                 eax, dword ptr [ebp - 0xc]
            //   01c1                 | mov                 dword ptr [ebp - 0x10], esi
            //   894df0               | je                  0x1d
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0xc]
            //   83c40c               | add                 eax, 0xffff
            //   5e                   | and                 eax, 0xffff

        $sequence_79 = { 01c1 894de4 8b45e4 89c1 83c106 }
            // n = 5, score = 500
            //   01c1                 | add                 esi, edx
            //   894de4               | add                 ecx, eax
            //   8b45e4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   89c1                 | mov                 eax, dword ptr [ebp - 0x1c]
            //   83c106               | mov                 ecx, eax

        $sequence_80 = { 83c430 5e 5d c3 55 89e5 57 }
            // n = 7, score = 500
            //   83c430               | jne                 0x21
            //   5e                   | add                 esp, 0x30
            //   5d                   | pop                 esi
            //   c3                   | pop                 ebp
            //   55                   | ret                 
            //   89e5                 | push                ebp
            //   57                   | mov                 ebp, esp

        $sequence_81 = { 25ffff0000 83c001 8b4da8 01c1 }
            // n = 4, score = 500
            //   25ffff0000           | mov                 eax, dword ptr [ebp - 0x14]
            //   83c001               | add                 esp, 0x10
            //   8b4da8               | pop                 esi
            //   01c1                 | pop                 ebp

        $sequence_82 = { c7424800b00400 8b7de4 c787cc00000000000000 c787c800000000000000 8945dc }
            // n = 5, score = 500
            //   c7424800b00400       | pop                 esi
            //   8b7de4               | mov                 dword ptr [edx + 0x48], 0x4b000
            //   c787cc00000000000000     | mov    edi, dword ptr [ebp - 0x1c]
            //   c787c800000000000000     | mov    dword ptr [edi + 0xcc], 0
            //   8945dc               | mov                 dword ptr [edi + 0xc8], 0

        $sequence_83 = { 8b45ec 83c410 5e 5d }
            // n = 4, score = 500
            //   8b45ec               | add                 esp, 0xc
            //   83c410               | mov                 dword ptr [ebp - 0x10], ecx
            //   5e                   | mov                 eax, dword ptr [ebp - 0x10]
            //   5d                   | add                 esp, 0xc

        $sequence_84 = { 895de0 7418 8b45e4 05ffff0000 25ffff0000 }
            // n = 5, score = 500
            //   895de0               | add                 ecx, 6
            //   7418                 | mov                 dword ptr [ebp - 0x20], ebx
            //   8b45e4               | je                  0x1a
            //   05ffff0000           | mov                 eax, dword ptr [ebp - 0x1c]
            //   25ffff0000           | add                 eax, 0xffff

        $sequence_85 = { 6683fa00 89c6 8945f8 894df4 8975f0 7418 8b45f4 }
            // n = 7, score = 500
            //   6683fa00             | mov                 dword ptr [esp + 0xc], ecx
            //   89c6                 | mov                 edx, dword ptr [esp + 0x84]
            //   8945f8               | mov                 edx, dword ptr [ecx + 0x3c]
            //   894df4               | mov                 si, dx
            //   8975f0               | cmp                 si, 0
            //   7418                 | mov                 edi, ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_86 = { 31c0 8b4ddc 8b9180000000 8b75ec 01d6 }
            // n = 5, score = 500
            //   31c0                 | mov                 dword ptr [ebp - 0x14], ecx
            //   8b4ddc               | xor                 eax, eax
            //   8b9180000000         | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b75ec               | mov                 edx, dword ptr [ecx + 0x80]
            //   01d6                 | mov                 esi, dword ptr [ebp - 0x14]

        $sequence_87 = { 53 57 83ec5c 8b450c }
            // n = 4, score = 400
            //   53                   | xor                 edx, edx
            //   57                   | push                ebx
            //   83ec5c               | push                edi
            //   8b450c               | sub                 esp, 0x5c

        $sequence_88 = { 5b 5d c3 8b45d0 8b4dd4 668b55d8 }
            // n = 6, score = 400
            //   5b                   | mov                 eax, dword ptr [esp + 8]
            //   5d                   | cmp                 byte ptr [eax], 0xe9
            //   c3                   | mov                 dword ptr [esp], eax
            //   8b45d0               | jne                 0x1f
            //   8b4dd4               | mov                 eax, dword ptr [esp]
            //   668b55d8             | mov                 ecx, dword ptr [eax + 1]

        $sequence_89 = { 8945a8 0f84e2feffff e9???????? 8b45e0 83c45c 5f 5b }
            // n = 7, score = 400
            //   8945a8               | mov                 eax, dword ptr [ebp + 0xc]
            //   0f84e2feffff         | mov                 dword ptr [ebp - 0x58], eax
            //   e9????????           |                     
            //   8b45e0               | je                  0xfffffee8
            //   83c45c               | mov                 eax, dword ptr [ebp - 0x20]
            //   5f                   | add                 esp, 0x5c
            //   5b                   | pop                 edi

        $sequence_90 = { 57 83ec38 8b450c 8b4d08 8945f0 648b1518000000 31c0 }
            // n = 7, score = 400
            //   57                   | sub                 esp, 0xc
            //   83ec38               | push                edi
            //   8b450c               | sub                 esp, 0x38
            //   8b4d08               | mov                 eax, dword ptr [ebp + 0xc]
            //   8945f0               | mov                 ecx, dword ptr [ebp + 8]
            //   648b1518000000       | mov                 dword ptr [ebp - 0x10], eax
            //   31c0                 | mov                 edx, dword ptr fs:[0x18]

        $sequence_91 = { 8945c4 894dc0 885dbf 8975b8 8955b4 }
            // n = 5, score = 400
            //   8945c4               | add                 esp, 0xc
            //   894dc0               | pop                 esi
            //   885dbf               | mov                 esi, eax
            //   8975b8               | mov                 dword ptr [ebp - 8], eax
            //   8955b4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_92 = { 83c45c 5f 5b 5e 5d c3 }
            // n = 6, score = 400
            //   83c45c               | sub                 esp, 0x5c
            //   5f                   | add                 esp, 0x5c
            //   5b                   | pop                 edi
            //   5e                   | pop                 ebx
            //   5d                   | pop                 esi
            //   c3                   | pop                 ebp

        $sequence_93 = { 39f8 8945c8 75e4 83c448 5e 5f }
            // n = 6, score = 300
            //   39f8                 | push                ebp
            //   8945c8               | mov                 ebp, esp
            //   75e4                 | sub                 esp, 0xc
            //   83c448               | mov                 dword ptr [edx + 0x48], 0x4b000
            //   5e                   | mov                 edi, dword ptr [ebp - 0x1c]
            //   5f                   | mov                 dword ptr [edi + 0xcc], 0

        $sequence_94 = { 8945a0 8955cc 74bc 8b45cc 83c454 5f }
            // n = 6, score = 300
            //   8945a0               | mov                 edx, dword ptr [eax + 0x4c]
            //   8955cc               | mov                 dword ptr [ebp - 0x60], eax
            //   74bc                 | mov                 dword ptr [ebp - 0x34], edx
            //   8b45cc               | je                  0xffffffbe
            //   83c454               | mov                 eax, dword ptr [ebp - 0x34]
            //   5f                   | add                 esp, 0x54

        $sequence_95 = { 53 81ecb0000000 8b4508 8d4dd8 c745d800000000 }
            // n = 5, score = 300
            //   53                   | sub                 esp, 0x54
            //   81ecb0000000         | push                ebx
            //   8b4508               | sub                 esp, 0xb0
            //   8d4dd8               | mov                 eax, dword ptr [ebp + 8]
            //   c745d800000000       | lea                 ecx, [ebp - 0x28]

        $sequence_96 = { 53 83ec74 8b450c 8b4d08 31d2 }
            // n = 5, score = 300
            //   53                   | mov                 esi, dword ptr [eax + 0x20]
            //   83ec74               | push                ebx
            //   8b450c               | sub                 esp, 0x74
            //   8b4d08               | mov                 eax, dword ptr [ebp + 0xc]
            //   31d2                 | mov                 ecx, dword ptr [ebp + 8]

        $sequence_97 = { 8b54240c 8b7204 83fe00 894c2414 }
            // n = 4, score = 300
            //   8b54240c             | mov                 dword ptr [edi + 0xc8], 0
            //   8b7204               | mov                 edx, dword ptr [esp + 0xc]
            //   83fe00               | mov                 esi, dword ptr [edx + 4]
            //   894c2414             | cmp                 esi, 0

        $sequence_98 = { 8d8424bc000000 8b30 8b7804 8b5808 }
            // n = 4, score = 300
            //   8d8424bc000000       | and                 eax, 1
            //   8b30                 | lea                 eax, [esp + 0xbc]
            //   8b7804               | mov                 esi, dword ptr [eax]
            //   8b5808               | mov                 edi, dword ptr [eax + 4]

        $sequence_99 = { 8b45f0 8b0c8504406e00 8b55f8 39d1 8945ec 894de8 }
            // n = 6, score = 300
            //   8b45f0               | pop                 ebp
            //   8b0c8504406e00       | ret                 
            //   8b55f8               | push                ebp
            //   39d1                 | mov                 ebp, esp
            //   8945ec               | push                0
            //   894de8               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_100 = { 57 83ec20 8b4508 890424 8945f0 e8???????? 8945ec }
            // n = 7, score = 300
            //   57                   | pop                 edi
            //   83ec20               | push                edi
            //   8b4508               | sub                 esp, 0x20
            //   890424               | mov                 eax, dword ptr [ebp + 8]
            //   8945f0               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   8945ec               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_101 = { 895dc4 8945e4 0f85dafeffff 8b45e4 83c474 5b }
            // n = 6, score = 300
            //   895dc4               | xor                 edx, edx
            //   8945e4               | mov                 dword ptr [ebp - 0x3c], ebx
            //   0f85dafeffff         | mov                 dword ptr [ebp - 0x1c], eax
            //   8b45e4               | jne                 0xfffffee0
            //   83c474               | mov                 eax, dword ptr [ebp - 0x1c]
            //   5b                   | add                 esp, 0x74

        $sequence_102 = { e8???????? 8b45f0 890424 e8???????? 31c0 83c420 5f }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8b45f0               | mov                 ecx, dword ptr [ebp + 8]
            //   890424               | mov                 eax, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   31c0                 | mov                 dword ptr [esp], eax
            //   83c420               | xor                 eax, eax
            //   5f                   | add                 esp, 0x20

        $sequence_103 = { 7505 e9???????? 8b45e0 83c438 5e 5b }
            // n = 6, score = 300
            //   7505                 | pop                 edi
            //   e9????????           |                     
            //   8b45e0               | jne                 7
            //   83c438               | mov                 eax, dword ptr [ebp - 0x20]
            //   5e                   | add                 esp, 0x38
            //   5b                   | pop                 esi

        $sequence_104 = { 8b6c247c 01dd 8b5924 89442424 89d8 c1e81e 83e001 }
            // n = 7, score = 300
            //   8b6c247c             | mov                 dword ptr [esp + 0x18], ecx
            //   01dd                 | mov                 ebp, dword ptr [esp + 0x7c]
            //   8b5924               | add                 ebp, ebx
            //   89442424             | mov                 ebx, dword ptr [ecx + 0x24]
            //   89d8                 | mov                 dword ptr [esp + 0x24], eax
            //   c1e81e               | mov                 eax, ebx
            //   83e001               | shr                 eax, 0x1e

        $sequence_105 = { eb06 83c414 5b 5d c3 8b45f0 8b0c8504406e00 }
            // n = 7, score = 300
            //   eb06                 | mov                 eax, dword ptr [ebp - 0x10]
            //   83c414               | mov                 ecx, dword ptr [eax*4 + 0x6e4004]
            //   5b                   | mov                 edx, dword ptr [ebp - 8]
            //   5d                   | cmp                 ecx, edx
            //   c3                   | mov                 dword ptr [ebp - 0x14], eax
            //   8b45f0               | jmp                 8
            //   8b0c8504406e00       | add                 esp, 0x14

        $sequence_106 = { 57 53 56 83ec38 8b450c 8b4d08 }
            // n = 6, score = 300
            //   57                   | ret                 
            //   53                   | push                edi
            //   56                   | push                ebx
            //   83ec38               | push                esi
            //   8b450c               | sub                 esp, 0x38
            //   8b4d08               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_107 = { 8b54170c 83fa00 89542444 89742440 89442448 }
            // n = 5, score = 300
            //   8b54170c             | mov                 dword ptr [esp + 0x14], ecx
            //   83fa00               | mov                 edx, dword ptr [edi + edx + 0xc]
            //   89542444             | cmp                 edx, 0
            //   89742440             | mov                 dword ptr [esp + 0x44], edx
            //   89442448             | mov                 dword ptr [esp + 0x40], esi

        $sequence_108 = { 83c438 5e 5b 5f 5d c3 }
            // n = 6, score = 300
            //   83c438               | mov                 esi, dword ptr [ecx + 0x3c]
            //   5e                   | add                 esp, 0x38
            //   5b                   | pop                 esi
            //   5f                   | pop                 ebx
            //   5d                   | pop                 edi
            //   c3                   | pop                 ebp

        $sequence_109 = { c744240400000000 8955e4 e8???????? 8d0dc9306e00 890424 }
            // n = 5, score = 200
            //   c744240400000000     | jne                 0x21
            //   8955e4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   e8????????           |                     
            //   8d0dc9306e00         | mov                 cl, byte ptr [ebp - 0x51]
            //   890424               | xor                 edx, edx

        $sequence_110 = { 56 57 81ecb0000000 8b4508 }
            // n = 4, score = 200
            //   56                   | push                edi
            //   57                   | sub                 esp, 0xb0
            //   81ecb0000000         | mov                 eax, dword ptr [ebp + 8]
            //   8b4508               | lea                 ecx, [ebp - 0x28]

        $sequence_111 = { 31d2 8a2c0575306e00 83c001 38e9 8945a0 8955cc }
            // n = 6, score = 200
            //   31d2                 | sub                 esp, 0xb0
            //   8a2c0575306e00       | mov                 dword ptr [esp + 4], ecx
            //   83c001               | mov                 dword ptr [ebp - 8], eax
            //   38e9                 | lea                 ecx, [0x6e3044]
            //   8945a0               | xor                 edx, edx
            //   8955cc               | xor                 edx, edx

        $sequence_112 = { 8b75ec 89723c c7424004000000 c742442c0c0200 c7424800b00400 }
            // n = 5, score = 200
            //   8b75ec               | pop                 esi
            //   89723c               | mov                 esi, dword ptr [ebp - 0x14]
            //   c7424004000000       | mov                 dword ptr [edx + 0x3c], esi
            //   c742442c0c0200       | mov                 dword ptr [edx + 0x40], 4
            //   c7424800b00400       | mov                 dword ptr [edx + 0x44], 0x20c2c

        $sequence_113 = { 55 89e5 57 56 53 81ecb0000000 }
            // n = 6, score = 200
            //   55                   | push                ebx
            //   89e5                 | sub                 esp, 0xb0
            //   57                   | mov                 eax, dword ptr [ebp + 8]
            //   56                   | lea                 ecx, [ebp - 0x28]
            //   53                   | mov                 dword ptr [ebp - 0x28], 0
            //   81ecb0000000         | push                ebp

        $sequence_114 = { c3 55 89e5 56 53 57 83ec54 }
            // n = 7, score = 200
            //   c3                   | pop                 esi
            //   55                   | ret                 
            //   89e5                 | push                ebp
            //   56                   | mov                 ebp, esp
            //   53                   | push                esi
            //   57                   | push                ebx
            //   83ec54               | push                edi

        $sequence_115 = { 8975cc 751c 8b45a4 8a4daf 31d2 8a2c0575306e00 }
            // n = 6, score = 200
            //   8975cc               | mov                 ch, byte ptr [eax + 0x6e3075]
            //   751c                 | add                 eax, 1
            //   8b45a4               | cmp                 cl, ch
            //   8a4daf               | mov                 dword ptr [ebp - 0x60], eax
            //   31d2                 | mov                 dword ptr [ebp - 0x34], edx
            //   8a2c0575306e00       | mov                 dword ptr [ebp - 0x34], esi

        $sequence_116 = { 894c2404 8945f8 e8???????? 8d0d44306e00 31d2 }
            // n = 5, score = 200
            //   894c2404             | lea                 ecx, [ebp - 0x28]
            //   8945f8               | push                ebx
            //   e8????????           |                     
            //   8d0d44306e00         | push                esi
            //   31d2                 | push                edi

        $sequence_117 = { e9???????? 8b45e0 83c45c 5e 5f 5b 5d }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b45e0               | sub                 esp, 0xb0
            //   83c45c               | mov                 eax, dword ptr [ebp + 8]
            //   5e                   | lea                 ecx, [ebp - 0x28]
            //   5f                   | mov                 dword ptr [ebp - 0x28], 0
            //   5b                   | mov                 edx, dword ptr [eax + 0x4c]
            //   5d                   | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_118 = { 8b45e0 83c438 5f 5e 5b }
            // n = 5, score = 200
            //   8b45e0               | pop                 ebx
            //   83c438               | mov                 eax, dword ptr [ebp - 0x20]
            //   5f                   | add                 esp, 0x38
            //   5e                   | pop                 edi
            //   5b                   | pop                 esi

        $sequence_119 = { 8b7de8 033c8a 897dd8 8b45d8 83c444 5b 5e }
            // n = 7, score = 200
            //   8b7de8               | mov                 eax, dword ptr [ebp - 0x34]
            //   033c8a               | add                 esp, 0x54
            //   897dd8               | pop                 edi
            //   8b45d8               | pop                 ebx
            //   83c444               | mov                 eax, dword ptr [ebp - 0x34]
            //   5b                   | add                 esp, 0x54
            //   5e                   | pop                 edi

        $sequence_120 = { e9???????? 55 89e5 648b0d18000000 8b4130 5d }
            // n = 6, score = 200
            //   e9????????           |                     
            //   55                   | add                 ecx, eax
            //   89e5                 | mov                 dword ptr [ebp - 0x3c], eax
            //   648b0d18000000       | mov                 dword ptr [ebp - 0x40], ecx
            //   8b4130               | mov                 byte ptr [ebp - 0x41], bl
            //   5d                   | mov                 dword ptr [ebp - 0x48], esi

        $sequence_121 = { 55 89e5 53 56 57 83ec38 }
            // n = 6, score = 200
            //   55                   | pop                 ebx
            //   89e5                 | push                ebp
            //   53                   | mov                 ebp, esp
            //   56                   | push                ebx
            //   57                   | push                esi
            //   83ec38               | push                edi

        $sequence_122 = { 8d0d5a238400 8b55c8 39ca 8945cc 0f84f9000000 }
            // n = 5, score = 100
            //   8d0d5a238400         | xor                 edx, edx
            //   8b55c8               | mov                 esi, dword ptr [ebp - 8]
            //   39ca                 | mov                 dword ptr [esi + 0x2c], eax
            //   8945cc               | mov                 dword ptr [esp], ecx
            //   0f84f9000000         | mov                 dword ptr [esp + 4], 0

        $sequence_123 = { 83ec44 8b4508 8d0d30308400 31d2 }
            // n = 4, score = 100
            //   83ec44               | mov                 dword ptr [edi + 0xc8], 0
            //   8b4508               | mov                 dword ptr [ebp - 0x24], eax
            //   8d0d30308400         | pop                 ebx
            //   31d2                 | pop                 edi

        $sequence_124 = { 894c2404 e8???????? 8d0d44302f00 31d2 8b75f8 89461c 890c24 }
            // n = 7, score = 100
            //   894c2404             | pop                 ebp
            //   e8????????           |                     
            //   8d0d44302f00         | ret                 
            //   31d2                 | push                ebp
            //   8b75f8               | mov                 ebp, esp
            //   89461c               | push                ebx
            //   890c24               | mov                 dword ptr [esp + 4], ecx

        $sequence_125 = { c3 55 89e5 8d055a232f00 5d c3 55 }
            // n = 7, score = 100
            //   c3                   | lea                 ecx, [0x2f3044]
            //   55                   | xor                 edx, edx
            //   89e5                 | mov                 esi, dword ptr [ebp - 8]
            //   8d055a232f00         | mov                 dword ptr [esi + 0x2c], eax
            //   5d                   | mov                 dword ptr [esp], ecx
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_126 = { c744240400000000 8955e8 e8???????? 8d0dbc302700 890424 894c2404 e8???????? }
            // n = 7, score = 100
            //   c744240400000000     | pop                 esi
            //   8955e8               | mov                 dword ptr [ebp - 0x28], edi
            //   e8????????           |                     
            //   8d0dbc302700         | mov                 eax, dword ptr [ebp - 0x28]
            //   890424               | add                 esp, 0x44
            //   894c2404             | pop                 ebx
            //   e8????????           |                     

        $sequence_127 = { 890c24 c744240400000000 8955e0 e8???????? 8d0dd8308400 890424 }
            // n = 6, score = 100
            //   890c24               | mov                 dword ptr [edx + 0x48], 0x4c000
            //   c744240400000000     | mov                 edi, dword ptr [ebp - 0x1c]
            //   8955e0               | mov                 dword ptr [edi + 0xcc], 0
            //   e8????????           |                     
            //   8d0dd8308400         | mov                 dword ptr [edi + 0xc8], 0
            //   890424               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_128 = { 8d0d44308400 31d2 8b75f8 89462c 890c24 c744240400000000 }
            // n = 6, score = 100
            //   8d0d44308400         | mov                 dword ptr [ebp - 0x24], eax
            //   31d2                 | mov                 eax, ecx
            //   8b75f8               | add                 esp, 0x2c
            //   89462c               | mov                 dword ptr [edx + 0x48], 0x4c000
            //   890c24               | mov                 edi, dword ptr [ebp - 0x1c]
            //   c744240400000000     | mov                 dword ptr [edi + 0xcc], 0

        $sequence_129 = { 57 56 53 83ec54 8d055a238400 31c9 8d55d8 }
            // n = 7, score = 100
            //   57                   | cmp                 edx, ecx
            //   56                   | mov                 dword ptr [ebp - 0x34], eax
            //   53                   | je                  0x104
            //   83ec54               | mov                 dword ptr [ebp - 0x30], eax
            //   8d055a238400         | je                  0xffffffe9
            //   31c9                 | xor                 eax, eax
            //   8d55d8               | lea                 ecx, [0x84235a]

    condition:
        7 of them and filesize < 1040384
}
Download all Yara Rules
Dridex Propose Change

References

Yara Rules

Dridex
