SYMBOLCOMMON_NAMEaka. SYNONYMS
win.flawedammyy (Back to overview)

FlawedAmmyy

Actor(s): TA505

URLhaus        

FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to get the control of target machines. The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure.

References
2021-06-16Національної поліції УкраїниНаціональна поліція України
@online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-08-29ThreatReconThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-07-02ProofpointMatthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-05-31Youtube (0verfl0w_)0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-28MITREMITRE
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} } FlawedAmmyy
FlawedAmmyy
2019-04-22SANSMike Downey
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-07-19ProofpointProofpoint Staff
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-06-28Secrary BlogLasha Khasaia
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-03-07ProofpointProofpoint Staff
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS FIN7
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20210616 | Detects win.flawedammyy.)
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.flawedammyy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 004bbf 42 0062bf 42 }
            // n = 4, score = 200
            //   004bbf               | add                 byte ptr [ebx - 0x41], cl
            //   42                   | inc                 edx
            //   0062bf               | add                 byte ptr [edx - 0x41], ah
            //   42                   | inc                 edx

        $sequence_1 = { 0039 e342 0048e3 42 }
            // n = 4, score = 200
            //   0039                 | add                 byte ptr [ecx], bh
            //   e342                 | jecxz               0x44
            //   0048e3               | add                 byte ptr [eax - 0x1d], cl
            //   42                   | inc                 edx

        $sequence_2 = { 00b3854200e5 854200 37 864200 }
            // n = 4, score = 200
            //   00b3854200e5         | add                 byte ptr [ebx - 0x1affbd7b], dh
            //   854200               | test                dword ptr [edx], eax
            //   37                   | aaa                 
            //   864200               | xchg                byte ptr [edx], al

        $sequence_3 = { 50 ff5178 8b45fc 6800200000 8b08 50 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ff5178               | call                dword ptr [ecx + 0x78]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   6800200000           | push                0x2000
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax

        $sequence_4 = { ffd3 ebc0 56 ffd3 6a00 6880000000 6a03 }
            // n = 7, score = 200
            //   ffd3                 | call                ebx
            //   ebc0                 | jmp                 0xffffffc2
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a03                 | push                3

        $sequence_5 = { 660fd64008 ff5244 8d4df0 8bf0 }
            // n = 4, score = 200
            //   660fd64008           | movq                qword ptr [eax + 8], xmm0
            //   ff5244               | call                dword ptr [edx + 0x44]
            //   8d4df0               | lea                 ecx, dword ptr [ebp - 0x10]
            //   8bf0                 | mov                 esi, eax

        $sequence_6 = { 8d85f8feffff 50 ff15???????? 53 ff15???????? 50 }
            // n = 6, score = 200
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_7 = { 0062bf 42 0079bf 42 }
            // n = 4, score = 200
            //   0062bf               | add                 byte ptr [edx - 0x41], ah
            //   42                   | inc                 edx
            //   0079bf               | add                 byte ptr [ecx - 0x41], bh
            //   42                   | inc                 edx

        $sequence_8 = { 660fd645ac 660fd645b4 e8???????? 83c40c 33c0 }
            // n = 5, score = 200
            //   660fd645ac           | movq                qword ptr [ebp - 0x54], xmm0
            //   660fd645b4           | movq                qword ptr [ebp - 0x4c], xmm0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 002a e342 0039 e342 }
            // n = 4, score = 200
            //   002a                 | add                 byte ptr [edx], ch
            //   e342                 | jecxz               0x44
            //   0039                 | add                 byte ptr [ecx], bh
            //   e342                 | jecxz               0x44

        $sequence_10 = { 0022 8a4200 828a4200bb8a42 00ff }
            // n = 4, score = 200
            //   0022                 | add                 byte ptr [edx], ah
            //   8a4200               | mov                 al, byte ptr [edx]
            //   828a4200bb8a42       |                     
            //   00ff                 | add                 bh, bh

        $sequence_11 = { c745e865786500 e8???????? 83c408 8d4dcc }
            // n = 4, score = 200
            //   c745e865786500       | mov                 dword ptr [ebp - 0x18], 0x657865
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8d4dcc               | lea                 ecx, dword ptr [ebp - 0x34]

        $sequence_12 = { 68???????? 6a00 6a00 ff15???????? 8b3d???????? 6830750000 ffd7 }
            // n = 7, score = 200
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   6830750000           | push                0x7530
            //   ffd7                 | call                edi

        $sequence_13 = { 8b35???????? 6a00 6a23 8d8594f3ffff 50 }
            // n = 5, score = 200
            //   8b35????????         |                     
            //   6a00                 | push                0
            //   6a23                 | push                0x23
            //   8d8594f3ffff         | lea                 eax, dword ptr [ebp - 0xc6c]
            //   50                   | push                eax

        $sequence_14 = { 0000 0404 0404 0404 0401 }
            // n = 5, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0401                 | add                 al, 1

        $sequence_15 = { 0018 874200 58 874200 }
            // n = 4, score = 200
            //   0018                 | add                 byte ptr [eax], bl
            //   874200               | xchg                dword ptr [edx], eax
            //   58                   | pop                 eax
            //   874200               | xchg                dword ptr [edx], eax

        $sequence_16 = { c745e8ff000000 8b3c857c303400 c745ecffff0000 0faff9 83f801 c745f0ffffff00 }
            // n = 6, score = 100
            //   c745e8ff000000       | mov                 dword ptr [ebp - 0x18], 0xff
            //   8b3c857c303400       | mov                 edi, dword ptr [eax*4 + 0x34307c]
            //   c745ecffff0000       | mov                 dword ptr [ebp - 0x14], 0xffff
            //   0faff9               | imul                edi, ecx
            //   83f801               | cmp                 eax, 1
            //   c745f0ffffff00       | mov                 dword ptr [ebp - 0x10], 0xffffff

        $sequence_17 = { 8b46f8 8b04855c303400 c1e002 50 6a40 }
            // n = 5, score = 100
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   8b04855c303400       | mov                 eax, dword ptr [eax*4 + 0x34305c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   6a40                 | push                0x40

        $sequence_18 = { e9???????? 33c0 8b7df4 8b0c855c303400 c1e705 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8b0c855c303400       | mov                 ecx, dword ptr [eax*4 + 0x34305c]
            //   c1e705               | shl                 edi, 5

        $sequence_19 = { eb0e 8b14957c303400 49 0fafd1 0155fc 46 }
            // n = 6, score = 100
            //   eb0e                 | jmp                 0x10
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]
            //   49                   | dec                 ecx
            //   0fafd1               | imul                edx, ecx
            //   0155fc               | add                 dword ptr [ebp - 4], edx
            //   46                   | inc                 esi

        $sequence_20 = { 53 8d85ccfdffff 56 50 c6075c }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   8d85ccfdffff         | lea                 eax, dword ptr [ebp - 0x234]
            //   56                   | push                esi
            //   50                   | push                eax
            //   c6075c               | mov                 byte ptr [edi], 0x5c

        $sequence_21 = { ff2485f6203400 8b8614080000 3b45f4 7e03 8945f4 }
            // n = 5, score = 100
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7e03                 | jle                 5
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_22 = { 8bc6 8b4ef8 83f907 0f8781000000 ff248dfd243400 881f eb76 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   8b4ef8               | mov                 ecx, dword ptr [esi - 8]
            //   83f907               | cmp                 ecx, 7
            //   0f8781000000         | ja                  0x87
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]
            //   881f                 | mov                 byte ptr [edi], bl
            //   eb76                 | jmp                 0x78

        $sequence_23 = { 41 47 8a07 3ac3 }
            // n = 4, score = 100
            //   41                   | inc                 ecx
            //   47                   | inc                 edi
            //   8a07                 | mov                 al, byte ptr [edi]
            //   3ac3                 | cmp                 al, bl

        $sequence_24 = { 895df4 8d7301 c60322 8975ec }
            // n = 4, score = 100
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   8d7301               | lea                 esi, dword ptr [ebx + 1]
            //   c60322               | mov                 byte ptr [ebx], 0x22
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi

        $sequence_25 = { 742f 8b30 85f6 7429 837c240800 7413 8d4604 }
            // n = 7, score = 100
            //   742f                 | je                  0x31
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   85f6                 | test                esi, esi
            //   7429                 | je                  0x2b
            //   837c240800           | cmp                 dword ptr [esp + 8], 0
            //   7413                 | je                  0x15
            //   8d4604               | lea                 eax, dword ptr [esi + 4]

        $sequence_26 = { ff15???????? 85c0 7465 53 53 6a03 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7465                 | je                  0x67
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a03                 | push                3

        $sequence_27 = { 33c0 53 56 8a0a }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8a0a                 | mov                 cl, byte ptr [edx]

        $sequence_28 = { 53 50 53 ff15???????? 3bc3 8945f8 7431 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   7431                 | je                  0x33

        $sequence_29 = { eb60 8b46f8 834de4ff 49 c745e8ff000000 8b3c857c303400 c745ecffff0000 }
            // n = 7, score = 100
            //   eb60                 | jmp                 0x62
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   834de4ff             | or                  dword ptr [ebp - 0x1c], 0xffffffff
            //   49                   | dec                 ecx
            //   c745e8ff000000       | mov                 dword ptr [ebp - 0x18], 0xff
            //   8b3c857c303400       | mov                 edi, dword ptr [eax*4 + 0x34307c]
            //   c745ecffff0000       | mov                 dword ptr [ebp - 0x14], 0xffff

        $sequence_30 = { ff15???????? 8945fc 3bfb c745c001000000 895dbc }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   3bfb                 | cmp                 edi, ebx
            //   c745c001000000       | mov                 dword ptr [ebp - 0x40], 1
            //   895dbc               | mov                 dword ptr [ebp - 0x44], ebx

        $sequence_31 = { 8bdf 8b06 83661c00 83f807 0f87c9000000 ff248580233400 }
            // n = 6, score = 100
            //   8bdf                 | mov                 ebx, edi
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83661c00             | and                 dword ptr [esi + 0x1c], 0
            //   83f807               | cmp                 eax, 7
            //   0f87c9000000         | ja                  0xcf
            //   ff248580233400       | jmp                 dword ptr [eax*4 + 0x342380]

    condition:
        7 of them and filesize < 1350656
}
Download all Yara Rules