SYMBOLCOMMON_NAMEaka. SYNONYMS
win.flawedammyy (Back to overview)

FlawedAmmyy

Actor(s): TA505

URLhaus        

FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to get the control of target machines. The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure.

References
2021-06-16Національної поліції УкраїниНаціональна поліція України
@online{:20210616:cyberpolice:f455d86, author = {Національна поліція України}, title = {{Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies}}, date = {2021-06-16}, organization = {Національної поліції України}, url = {https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/}, language = {Ukrainian}, urldate = {2021-06-21} } Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-05-21Intel 471Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-08-29ThreatReconThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-07-02ProofpointMatthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-05-31Youtube (0verfl0w_)0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-28MITREMITRE
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} } FlawedAmmyy
FlawedAmmyy
2019-04-22SANSMike Downey
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2018-10-01Macnica NetworksMacnica Networks
@techreport{networks:20181001:trends:17b1db5, author = {Macnica Networks}, title = {{Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018}}, date = {2018-10-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-07-19ProofpointProofpoint Staff
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-06-28Secrary BlogLasha Khasaia
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-03-07ProofpointProofpoint Staff
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2016-10-11SymantecSymantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS FIN7
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20230407 | Detects win.flawedammyy.)
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.flawedammyy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3b45f4 0f8f43010000 8d642400 8d148500000000 8955e8 8b9415e8feffff 8955f0 }
            // n = 7, score = 200
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   0f8f43010000         | jg                  0x149
            //   8d642400             | lea                 esp, [esp]
            //   8d148500000000       | lea                 edx, [eax*4]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8b9415e8feffff       | mov                 edx, dword ptr [ebp + edx - 0x118]
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx

        $sequence_1 = { 8975f4 8945f0 85db 7e3e 8d642400 0fb70450 8bc8 }
            // n = 7, score = 200
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85db                 | test                ebx, ebx
            //   7e3e                 | jle                 0x40
            //   8d642400             | lea                 esp, [esp]
            //   0fb70450             | movzx               eax, word ptr [eax + edx*2]
            //   8bc8                 | mov                 ecx, eax

        $sequence_2 = { 3a86ca000000 7504 b001 eb02 }
            // n = 4, score = 200
            //   3a86ca000000         | cmp                 al, byte ptr [esi + 0xca]
            //   7504                 | jne                 6
            //   b001                 | mov                 al, 1
            //   eb02                 | jmp                 4

        $sequence_3 = { 52 50 ff5124 85c0 0f8872ffffff 8b45cc 8d55d4 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff5124               | call                dword ptr [ecx + 0x24]
            //   85c0                 | test                eax, eax
            //   0f8872ffffff         | js                  0xffffff78
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   8d55d4               | lea                 edx, [ebp - 0x2c]

        $sequence_4 = { 3a9debfeffff 741a 0c04 8807 }
            // n = 4, score = 200
            //   3a9debfeffff         | cmp                 bl, byte ptr [ebp - 0x115]
            //   741a                 | je                  0x1c
            //   0c04                 | or                  al, 4
            //   8807                 | mov                 byte ptr [edi], al

        $sequence_5 = { 83ec10 8bc4 6a00 660fd600 f30f7e45a4 660fd64008 }
            // n = 6, score = 200
            //   83ec10               | sub                 esp, 0x10
            //   8bc4                 | mov                 eax, esp
            //   6a00                 | push                0
            //   660fd600             | movq                qword ptr [eax], xmm0
            //   f30f7e45a4           | movq                xmm0, qword ptr [ebp - 0x5c]
            //   660fd64008           | movq                qword ptr [eax + 8], xmm0

        $sequence_6 = { 51 68???????? 8d85acf9ffff 50 8d85a4f7ffff 68???????? 50 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   68????????           |                     
            //   8d85acf9ffff         | lea                 eax, [ebp - 0x654]
            //   50                   | push                eax
            //   8d85a4f7ffff         | lea                 eax, [ebp - 0x85c]
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_7 = { 3a86c1000000 755e 668b865a050000 663b86c2000000 754e }
            // n = 5, score = 200
            //   3a86c1000000         | cmp                 al, byte ptr [esi + 0xc1]
            //   755e                 | jne                 0x60
            //   668b865a050000       | mov                 ax, word ptr [esi + 0x55a]
            //   663b86c2000000       | cmp                 ax, word ptr [esi + 0xc2]
            //   754e                 | jne                 0x50

        $sequence_8 = { 83feff 0f8425020000 68f1cbf7ae 6a01 e8???????? 83c408 6a00 }
            // n = 7, score = 200
            //   83feff               | cmp                 esi, -1
            //   0f8425020000         | je                  0x22b
            //   68f1cbf7ae           | push                0xaef7cbf1
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6a00                 | push                0

        $sequence_9 = { 68???????? e8???????? 8b7508 c7465c28394100 83660800 }
            // n = 5, score = 200
            //   68????????           |                     
            //   e8????????           |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465c28394100       | mov                 dword ptr [esi + 0x5c], 0x413928
            //   83660800             | and                 dword ptr [esi + 8], 0

        $sequence_10 = { 3a86c8000000 7520 8a8661050000 3a86c9000000 }
            // n = 4, score = 200
            //   3a86c8000000         | cmp                 al, byte ptr [esi + 0xc8]
            //   7520                 | jne                 0x22
            //   8a8661050000         | mov                 al, byte ptr [esi + 0x561]
            //   3a86c9000000         | cmp                 al, byte ptr [esi + 0xc9]

        $sequence_11 = { 50 8d85f0fbffff 68???????? 50 ffd7 8b35???????? 83c424 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d85f0fbffff         | lea                 eax, [ebp - 0x410]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8b35????????         |                     
            //   83c424               | add                 esp, 0x24

        $sequence_12 = { 85c0 0f8549010000 817df4a00f0000 0f8677030000 50 6a23 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   0f8549010000         | jne                 0x14f
            //   817df4a00f0000       | cmp                 dword ptr [ebp - 0xc], 0xfa0
            //   0f8677030000         | jbe                 0x37d
            //   50                   | push                eax
            //   6a23                 | push                0x23

        $sequence_13 = { 3a86c9000000 7512 8a8662050000 3a86ca000000 }
            // n = 4, score = 200
            //   3a86c9000000         | cmp                 al, byte ptr [esi + 0xc9]
            //   7512                 | jne                 0x14
            //   8a8662050000         | mov                 al, byte ptr [esi + 0x562]
            //   3a86ca000000         | cmp                 al, byte ptr [esi + 0xca]

        $sequence_14 = { 3a95eafcffff 0f94c0 84c0 751d }
            // n = 4, score = 200
            //   3a95eafcffff         | cmp                 dl, byte ptr [ebp - 0x316]
            //   0f94c0               | sete                al
            //   84c0                 | test                al, al
            //   751d                 | jne                 0x1f

        $sequence_15 = { 0000 0404 0404 0404 0401 0404 }
            // n = 6, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0404                 | add                 al, 4
            //   0401                 | add                 al, 1
            //   0404                 | add                 al, 4

        $sequence_16 = { ab ab 33c0 8d7d95 ab ab ab }
            // n = 7, score = 100
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   33c0                 | xor                 eax, eax
            //   8d7d95               | lea                 edi, [ebp - 0x6b]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_17 = { 7509 395df0 0f8415020000 8d45f0 53 50 53 }
            // n = 7, score = 100
            //   7509                 | jne                 0xb
            //   395df0               | cmp                 dword ptr [ebp - 0x10], ebx
            //   0f8415020000         | je                  0x21b
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_18 = { 0f8781000000 ff248dfd243400 881f eb76 ff30 eb63 57 }
            // n = 7, score = 100
            //   0f8781000000         | ja                  0x87
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]
            //   881f                 | mov                 byte ptr [edi], bl
            //   eb76                 | jmp                 0x78
            //   ff30                 | push                dword ptr [eax]
            //   eb63                 | jmp                 0x65
            //   57                   | push                edi

        $sequence_19 = { 8b7df4 8b0c855c303400 c1e705 33d2 03fe 42 837dfcff }
            // n = 7, score = 100
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   8b0c855c303400       | mov                 ecx, dword ptr [eax*4 + 0x34305c]
            //   c1e705               | shl                 edi, 5
            //   33d2                 | xor                 edx, edx
            //   03fe                 | add                 edi, esi
            //   42                   | inc                 edx
            //   837dfcff             | cmp                 dword ptr [ebp - 4], -1

        $sequence_20 = { 83f855 0f872affffff 0fb6805a213400 ff2485f6203400 8b8614080000 3b45f4 7e03 }
            // n = 7, score = 100
            //   83f855               | cmp                 eax, 0x55
            //   0f872affffff         | ja                  0xffffff30
            //   0fb6805a213400       | movzx               eax, byte ptr [eax + 0x34215a]
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7e03                 | jle                 5

        $sequence_21 = { 8b55fc 8d0c8a 894dfc eb0e 8b14957c303400 49 }
            // n = 6, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8d0c8a               | lea                 ecx, [edx + ecx*4]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   eb0e                 | jmp                 0x10
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]
            //   49                   | dec                 ecx

        $sequence_22 = { 0f8448010000 50 ff15???????? 8945fc 57 ff75fc }
            // n = 6, score = 100
            //   0f8448010000         | je                  0x14e
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   57                   | push                edi
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_23 = { 395d08 895de0 895dcc c745f001000000 895dd4 c745e402010000 895df8 }
            // n = 7, score = 100
            //   395d08               | cmp                 dword ptr [ebp + 8], ebx
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   895dcc               | mov                 dword ptr [ebp - 0x34], ebx
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   c745e402010000       | mov                 dword ptr [ebp - 0x1c], 0x102
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

        $sequence_24 = { 8b7d08 7510 57 ff15???????? 50 }
            // n = 5, score = 100
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   7510                 | jne                 0x12
            //   57                   | push                edi
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_25 = { 8b46f8 834de4ff 49 c745e8ff000000 8b3c857c303400 c745ecffff0000 }
            // n = 6, score = 100
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   834de4ff             | or                  dword ptr [ebp - 0x1c], 0xffffffff
            //   49                   | dec                 ecx
            //   c745e8ff000000       | mov                 dword ptr [ebp - 0x18], 0xff
            //   8b3c857c303400       | mov                 edi, dword ptr [eax*4 + 0x34307c]
            //   c745ecffff0000       | mov                 dword ptr [ebp - 0x14], 0xffff

        $sequence_26 = { 80fb30 7c18 8bd6 eb09 83f937 7f2a }
            // n = 6, score = 100
            //   80fb30               | cmp                 bl, 0x30
            //   7c18                 | jl                  0x1a
            //   8bd6                 | mov                 edx, esi
            //   eb09                 | jmp                 0xb
            //   83f937               | cmp                 ecx, 0x37
            //   7f2a                 | jg                  0x2c

        $sequence_27 = { 8d5108 7e09 8a0e 880a 4a 4e 48 }
            // n = 7, score = 100
            //   8d5108               | lea                 edx, [ecx + 8]
            //   7e09                 | jle                 0xb
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   880a                 | mov                 byte ptr [edx], cl
            //   4a                   | dec                 edx
            //   4e                   | dec                 esi
            //   48                   | dec                 eax

        $sequence_28 = { e8???????? 8b4d08 8a0408 a2???????? eb07 c605????????00 c705????????4c403400 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8a0408               | mov                 al, byte ptr [eax + ecx]
            //   a2????????           |                     
            //   eb07                 | jmp                 9
            //   c605????????00       |                     
            //   c705????????4c403400     |     

        $sequence_29 = { 8b04855c303400 c1e002 50 6a40 ff15???????? }
            // n = 5, score = 100
            //   8b04855c303400       | mov                 eax, dword ptr [eax*4 + 0x34305c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_30 = { 8945c4 eb17 68???????? 56 }
            // n = 4, score = 100
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   eb17                 | jmp                 0x19
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_31 = { 0f87c9000000 ff248580233400 832700 e9???????? }
            // n = 4, score = 100
            //   0f87c9000000         | ja                  0xcf
            //   ff248580233400       | jmp                 dword ptr [eax*4 + 0x342380]
            //   832700               | and                 dword ptr [edi], 0
            //   e9????????           |                     

    condition:
        7 of them and filesize < 1350656
}
Download all Yara Rules