win.flawedammyy

FlawedAmmyy

Actor(s): TA505


FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to the criminal group TA505 and used to take control of target machines. The name reflects its strong link with the leaked source code of Ammyy Admin, from which it takes its main structure.

References
Date | Organization | Author(s)
2020-08-20 | CERT-FR | CERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} }
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} }
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadelphia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20 | PTSecurity | PT ESC Threat Intelligence
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} }
FlawedAmmyy
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-28 | Financial Security Institute | Financial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} }
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} }
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-08-29 | ThreatRecon | ThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} }
FlawedAmmyy ServHelper TA505
2019-08-27 | Trend Micro | Hara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} }
FlawedAmmyy ServHelper
2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} }
AndroMut FlawedAmmyy
2019-05-31 | Youtube (0verfl0w_) | 0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} }
FlawedAmmyy Ramnit
2019-05-28 | MITRE | MITRE
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} }
FlawedAmmyy
2019-04-22 | SANS | Mike Downey
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} }
FlawedAmmyy
2018-07-19 | Proofpoint | Proofpoint Staff
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} }
FlawedAmmyy
2018-06-28 | Secrary Blog | Lasha Khasaia
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} }
FlawedAmmyy
2018-03-07 | Proofpoint | Proofpoint Staff
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} }
FlawedAmmyy QuantLoader
2016-10-11 | Symantec | Symantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} }
Batel FlawedAmmyy Odinaff RMS Anunak
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c080 660f6ec0 0f5bc0 03cb f30f11857cffffff 0fb64101 83c080 }
            // n = 7, score = 200
            //   83c080               | add                 eax, -0x80
            //   660f6ec0             | movd                xmm0, eax
            //   0f5bc0               | cvtdq2ps            xmm0, xmm0
            //   03cb                 | add                 ecx, ebx
            //   f30f11857cffffff     | movss               dword ptr [ebp - 0x84], xmm0
            //   0fb64101             | movzx               eax, byte ptr [ecx + 1]
            //   83c080               | add                 eax, -0x80

        $sequence_1 = { e8???????? 68???????? c684248400000009 ffd7 8b442438 8d48f4 81f9???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   68????????           |                     
            //   c684248400000009     | mov                 byte ptr [esp + 0x84], 9
            //   ffd7                 | call                edi
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8d48f4               | lea                 ecx, [eax - 0xc]
            //   81f9????????         |                     

        $sequence_2 = { 0f8557ffffff c74720ffffffff 5f 5e }
            // n = 4, score = 200
            //   0f8557ffffff         | jne                 0xffffff5d
            //   c74720ffffffff       | mov                 dword ptr [edi + 0x20], 0xffffffff
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_3 = { ff511c 8d4df0 8bf0 e8???????? 85f6 }
            // n = 5, score = 200
            //   ff511c               | call                dword ptr [ecx + 0x1c]
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   85f6                 | test                esi, esi

        $sequence_4 = { 8b4514 40 c745ec0f514000 894df8 8945fc 64a100000000 8945e8 }
            // n = 7, score = 200
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   40                   | inc                 eax
            //   c745ec0f514000       | mov                 dword ptr [ebp - 0x14], 0x40510f
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_5 = { 660fd64590 f30f7e45bc 8d8570fbffff 50 8d8d58ffffff 660fd64588 }
            // n = 6, score = 200
            //   660fd64590           | movq                qword ptr [ebp - 0x70], xmm0
            //   f30f7e45bc           | movq                xmm0, qword ptr [ebp - 0x44]
            //   8d8570fbffff         | lea                 eax, [ebp - 0x490]
            //   50                   | push                eax
            //   8d8d58ffffff         | lea                 ecx, [ebp - 0xa8]
            //   660fd64588           | movq                qword ptr [ebp - 0x78], xmm0

        $sequence_6 = { 50 8d85f8fdffff 68???????? 50 ff15???????? 68e306e0fd }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   68e306e0fd           | push                0xfde006e3

        $sequence_7 = { 8b85d0fcffff ff8dd0fcffff 8b9df8fcffff 85c0 }
            // n = 4, score = 200
            //   8b85d0fcffff         | mov                 eax, dword ptr [ebp - 0x330]
            //   ff8dd0fcffff         | dec                 dword ptr [ebp - 0x330]
            //   8b9df8fcffff         | mov                 ebx, dword ptr [ebp - 0x308]
            //   85c0                 | test                eax, eax

        $sequence_8 = { 0f84a0000000 8b4a38 3bc8 0f42c8 8b4210 33d2 }
            // n = 6, score = 200
            //   0f84a0000000         | je                  0xa6
            //   8b4a38               | mov                 ecx, dword ptr [edx + 0x38]
            //   3bc8                 | cmp                 ecx, eax
            //   0f42c8               | cmovb               ecx, eax
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]
            //   33d2                 | xor                 edx, edx

        $sequence_9 = { 0f886cfeffff 8b45dc 8d55d8 52 }
            // n = 4, score = 200
            //   0f886cfeffff         | js                  0xfffffe72
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   8d55d8               | lea                 edx, [ebp - 0x28]
            //   52                   | push                edx

        $sequence_10 = { 7918 8b45f8 50 8b08 }
            // n = 4, score = 200
            //   7918                 | jns                 0x1a
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_11 = { 8b7508 57 8b865c010000 33ff }
            // n = 4, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b865c010000         | mov                 eax, dword ptr [esi + 0x15c]
            //   33ff                 | xor                 edi, edi

        $sequence_12 = { 83f908 735f 8b45f0 40 }
            // n = 4, score = 200
            //   83f908               | cmp                 ecx, 8
            //   735f                 | jae                 0x61
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   40                   | inc                 eax

        $sequence_13 = { 660fd64594 e8???????? 83c40c 33c0 68???????? c78504ffffff44000000 }
            // n = 6, score = 200
            //   660fd64594           | movq                qword ptr [ebp - 0x6c], xmm0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   68????????           |                     
            //   c78504ffffff44000000     | mov    dword ptr [ebp - 0xfc], 0x44

        $sequence_14 = { 8b45d8 8d4dd8 ff5004 8b4de4 8b45dc 891c08 8b5de4 }
            // n = 7, score = 200
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   ff5004               | call                dword ptr [eax + 4]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   891c08               | mov                 dword ptr [eax + ecx], ebx
            //   8b5de4               | mov                 ebx, dword ptr [ebp - 0x1c]

        $sequence_15 = { 50 8d85e8f9ffff 68???????? 50 ffd7 8d85fcfeffff }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8d85e8f9ffff         | lea                 eax, [ebp - 0x618]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]

        $sequence_16 = { ffd6 53 ff75dc 6813100000 ff35???????? ffd6 5e }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   53                   | push                ebx
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   6813100000           | push                0x1013
            //   ff35????????         |                     
            //   ffd6                 | call                esi
            //   5e                   | pop                 esi

        $sequence_17 = { 0f872affffff 0fb6805a213400 ff2485f6203400 8b8614080000 }
            // n = 4, score = 100
            //   0f872affffff         | ja                  0xffffff30
            //   0fb6805a213400       | movzx               eax, byte ptr [eax + 0x34215a]
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]

        $sequence_18 = { 8d44c1d0 0fbe0a 42 83f930 7dee eb1b 0fbec9 }
            // n = 7, score = 100
            //   8d44c1d0             | lea                 eax, [ecx + eax*8 - 0x30]
            //   0fbe0a               | movsx               ecx, byte ptr [edx]
            //   42                   | inc                 edx
            //   83f930               | cmp                 ecx, 0x30
            //   7dee                 | jge                 0xfffffff0
            //   eb1b                 | jmp                 0x1d
            //   0fbec9               | movsx               ecx, cl

        $sequence_19 = { 83f907 0f8781000000 ff248dfd243400 881f eb76 ff30 eb63 }
            // n = 7, score = 100
            //   83f907               | cmp                 ecx, 7
            //   0f8781000000         | ja                  0x87
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]
            //   881f                 | mov                 byte ptr [edi], bl
            //   eb76                 | jmp                 0x78
            //   ff30                 | push                dword ptr [eax]
            //   eb63                 | jmp                 0x65

        $sequence_20 = { 7d0e 8b480c 8b55fc 8d0c8a 894dfc eb0e 8b14957c303400 }
            // n = 7, score = 100
            //   7d0e                 | jge                 0x10
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8d0c8a               | lea                 ecx, [edx + ecx*4]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   eb0e                 | jmp                 0x10
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]

        $sequence_21 = { ff2485f6203400 8b8614080000 3b45f4 7e03 }
            // n = 4, score = 100
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7e03                 | jle                 5

        $sequence_22 = { 837efcff 7518 8b46f8 8b04855c303400 c1e002 50 }
            // n = 6, score = 100
            //   837efcff             | cmp                 dword ptr [esi - 4], -1
            //   7518                 | jne                 0x1a
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   8b04855c303400       | mov                 eax, dword ptr [eax*4 + 0x34305c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax

        $sequence_23 = { 7426 8b483c ba???????? 03c8 50 }
            // n = 5, score = 100
            //   7426                 | je                  0x28
            //   8b483c               | mov                 ecx, dword ptr [eax + 0x3c]
            //   ba????????           |                     
            //   03c8                 | add                 ecx, eax
            //   50                   | push                eax

        $sequence_24 = { 8b30 85f6 7429 837c240800 7413 8d4604 50 }
            // n = 7, score = 100
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   85f6                 | test                esi, esi
            //   7429                 | je                  0x2b
            //   837c240800           | cmp                 dword ptr [esp + 8], 0
            //   7413                 | je                  0x15
            //   8d4604               | lea                 eax, [esi + 4]
            //   50                   | push                eax

        $sequence_25 = { 6a01 50 ff15???????? 8d4594 8945bc }
            // n = 5, score = 100
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4594               | lea                 eax, [ebp - 0x6c]
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax

        $sequence_26 = { 75f4 8d4de8 51 8d4da4 51 53 }
            // n = 6, score = 100
            //   75f4                 | jne                 0xfffffff6
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx
            //   8d4da4               | lea                 ecx, [ebp - 0x5c]
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_27 = { 8d0480 8d0441 0fbe0a 83e930 42 }
            // n = 5, score = 100
            //   8d0480               | lea                 eax, [eax + eax*4]
            //   8d0441               | lea                 eax, [ecx + eax*2]
            //   0fbe0a               | movsx               ecx, byte ptr [edx]
            //   83e930               | sub                 ecx, 0x30
            //   42                   | inc                 edx

        $sequence_28 = { 7512 8d85d0feffff 68???????? 50 ff15???????? 389dd0feffff 7518 }
            // n = 7, score = 100
            //   7512                 | jne                 0x14
            //   8d85d0feffff         | lea                 eax, [ebp - 0x130]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   389dd0feffff         | cmp                 byte ptr [ebp - 0x130], bl
            //   7518                 | jne                 0x1a

        $sequence_29 = { 8a0408 a2???????? eb07 c605????????00 c705????????4c403400 }
            // n = 5, score = 100
            //   8a0408               | mov                 al, byte ptr [eax + ecx]
            //   a2????????           |                     
            //   eb07                 | jmp                 9
            //   c605????????00       |                     
            //   c705????????4c403400     |     

        $sequence_30 = { 83661c00 83f807 0f87c9000000 ff248580233400 832700 }
            // n = 5, score = 100
            //   83661c00             | and                 dword ptr [esi + 0x1c], 0
            //   83f807               | cmp                 eax, 7
            //   0f87c9000000         | ja                  0xcf
            //   ff248580233400       | jmp                 dword ptr [eax*4 + 0x342380]
            //   832700               | and                 dword ptr [edi], 0

        $sequence_31 = { 8b14957c303400 49 0fafd1 0155fc 46 83c020 }
            // n = 6, score = 100
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]
            //   49                   | dec                 ecx
            //   0fafd1               | imul                edx, ecx
            //   0155fc               | add                 dword ptr [ebp - 4], edx
            //   46                   | inc                 esi
            //   83c020               | add                 eax, 0x20

    condition:
        7 of them and filesize < 1350656
}