win.flawedammyy

FlawedAmmyy

Actor(s): TA505


FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to the criminal group TA505 and used to take control of target machines. The name reflects its strong link to the leaked source code of Ammyy Admin, from which it takes its main structure.

References
2020-05-21 | Intel 471 | Intel 471 | A brief history of TA505
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} }
Related: AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-05-20 | PTSecurity | PT ESC Threat Intelligence | Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} }
Related: FlawedAmmyy

2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Related: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Related: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare

2020-02-28 | Financial Security Institute | Financial Security Institute | Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} }
Related: Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center | APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Related: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks | GOLD TAHOE
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} }
Related: Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505

2019-08-29 | ThreatRecon | ThreatRecon Team | SectorJ04 Group's Increased Activity in 2019
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} }
Related: FlawedAmmyy ServHelper TA505

2019-08-27 | Trend Micro | Hara Hiroaki, Jaromír Hořejší, Loseway Lu | TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} }
Related: FlawedAmmyy ServHelper

2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team | TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} }
Related: AndroMut FlawedAmmyy

2019-05-31 | Youtube (0verfl0w_) | 0verfl0w_ | Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} }
Related: FlawedAmmyy Ramnit

2019-05-28 | MITRE | MITRE | FlawedAmmyy
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} }
Related: FlawedAmmyy

2019-04-22 | SANS | Mike Downey | Unpacking & Decrypting FlawedAmmyy
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} }
Related: FlawedAmmyy

2018-07-19 | Proofpoint | Proofpoint Staff | TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} }
Related: FlawedAmmyy

2018-06-28 | Secrary Blog | Lasha Khasaia | A Brief Overview of the AMMYY RAT Downloader
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} }
Related: FlawedAmmyy

2018-03-07 | Proofpoint | Proofpoint Staff | Leaked Ammyy Admin Source Code Turned into Malware
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} }
Related: FlawedAmmyy QuantLoader

2016-10-11 | Symantec | Symantec Security Response | Odinaff: New Trojan used in high level financial attacks
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} }
Related: Batel FlawedAmmyy Odinaff RMS Anunak
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75fc 53 e8???????? 8d45e4 50 ff75f8 53 }
            // n = 7, score = 200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   53                   | push                ebx

        $sequence_1 = { ff15???????? 68???????? ff75fc ff15???????? 85c0 0f854a010000 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   68????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f854a010000         | jne                 0x150

        $sequence_2 = { 8d0c18 2bd8 8d0413 8987b4000000 8d0431 2bce 894734 }
            // n = 7, score = 200
            //   8d0c18               | lea                 ecx, [eax + ebx]
            //   2bd8                 | sub                 ebx, eax
            //   8d0413               | lea                 eax, [ebx + edx]
            //   8987b4000000         | mov                 dword ptr [edi + 0xb4], eax
            //   8d0431               | lea                 eax, [ecx + esi]
            //   2bce                 | sub                 ecx, esi
            //   894734               | mov                 dword ptr [edi + 0x34], eax

        $sequence_3 = { 83feff 740e 6a00 56 ff15???????? 83f801 770c }
            // n = 7, score = 200
            //   83feff               | cmp                 esi, -1
            //   740e                 | je                  0x10
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83f801               | cmp                 eax, 1
            //   770c                 | ja                  0xe

        $sequence_4 = { f3aa eb5d 8b54240c 81fa80000000 7c0e 0fba25????????01 0f82cacd0000 }
            // n = 7, score = 200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   eb5d                 | jmp                 0x5f
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   81fa80000000         | cmp                 edx, 0x80
            //   7c0e                 | jl                  0x10
            //   0fba25????????01     |                     
            //   0f82cacd0000         | jb                  0xcdd0

        $sequence_5 = { 83fb40 0f8d42010000 8b3c9d10b44800 85ff 0f84ba000000 897de0 }
            // n = 6, score = 200
            //   83fb40               | cmp                 ebx, 0x40
            //   0f8d42010000         | jge                 0x148
            //   8b3c9d10b44800       | mov                 edi, dword ptr [ebx*4 + 0x48b410]
            //   85ff                 | test                edi, edi
            //   0f84ba000000         | je                  0xc0
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi

        $sequence_6 = { 3bc2 7646 83f910 7221 }
            // n = 4, score = 200
            //   3bc2                 | cmp                 eax, edx
            //   7646                 | jbe                 0x48
            //   83f910               | cmp                 ecx, 0x10
            //   7221                 | jb                  0x23

        $sequence_7 = { 668945bc b801000000 83c40c 668945e0 8b45f0 8d55bc }
            // n = 6, score = 200
            //   668945bc             | mov                 word ptr [ebp - 0x44], ax
            //   b801000000           | mov                 eax, 1
            //   83c40c               | add                 esp, 0xc
            //   668945e0             | mov                 word ptr [ebp - 0x20], ax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8d55bc               | lea                 edx, [ebp - 0x44]

        $sequence_8 = { 8bec 682680acc8 6a01 e8???????? 83c408 }
            // n = 5, score = 200
            //   8bec                 | mov                 ebp, esp
            //   682680acc8           | push                0xc8ac8026
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_9 = { 0faf4dd0 0fb745d6 03c8 51 68???????? 8d85b4faffff 50 }
            // n = 7, score = 200
            //   0faf4dd0             | imul                ecx, dword ptr [ebp - 0x30]
            //   0fb745d6             | movzx               eax, word ptr [ebp - 0x2a]
            //   03c8                 | add                 ecx, eax
            //   51                   | push                ecx
            //   68????????           |                     
            //   8d85b4faffff         | lea                 eax, [ebp - 0x54c]
            //   50                   | push                eax

        $sequence_10 = { 8ad8 84db 7468 8bcf e8???????? 84c0 }
            // n = 6, score = 200
            //   8ad8                 | mov                 bl, al
            //   84db                 | test                bl, bl
            //   7468                 | je                  0x6a
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_11 = { c1e606 898d30e5ffff 8b0c8d88ae4100 89b514e5ffff 8a5c0e24 }
            // n = 5, score = 200
            //   c1e606               | shl                 esi, 6
            //   898d30e5ffff         | mov                 dword ptr [ebp - 0x1ad0], ecx
            //   8b0c8d88ae4100       | mov                 ecx, dword ptr [ecx*4 + 0x41ae88]
            //   89b514e5ffff         | mov                 dword ptr [ebp - 0x1aec], esi
            //   8a5c0e24             | mov                 bl, byte ptr [esi + ecx + 0x24]

        $sequence_12 = { 8d85b8fcffff 68???????? 50 ff15???????? 8b1d???????? }
            // n = 5, score = 200
            //   8d85b8fcffff         | lea                 eax, [ebp - 0x348]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b1d????????         |                     

        $sequence_13 = { 894e14 8b4df8 894610 8bc6 33cd }
            // n = 5, score = 200
            //   894e14               | mov                 dword ptr [esi + 0x14], ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   894610               | mov                 dword ptr [esi + 0x10], eax
            //   8bc6                 | mov                 eax, esi
            //   33cd                 | xor                 ecx, ebp

        $sequence_14 = { e8???????? 83c40c 32db 8d4c2414 c7842488000000ffffffff e8???????? 8ac3 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   32db                 | xor                 bl, bl
            //   8d4c2414             | lea                 ecx, [esp + 0x14]
            //   c7842488000000ffffffff     | mov    dword ptr [esp + 0x88], 0xffffffff
            //   e8????????           |                     
            //   8ac3                 | mov                 al, bl

        $sequence_15 = { 8bc3 8bca d3e8 a801 7553 8d4f01 8bc3 }
            // n = 7, score = 200
            //   8bc3                 | mov                 eax, ebx
            //   8bca                 | mov                 ecx, edx
            //   d3e8                 | shr                 eax, cl
            //   a801                 | test                al, 1
            //   7553                 | jne                 0x55
            //   8d4f01               | lea                 ecx, [edi + 1]
            //   8bc3                 | mov                 eax, ebx

        $sequence_16 = { 0f8415020000 8d45f0 53 50 }
            // n = 4, score = 100
            //   0f8415020000         | je                  0x21b
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_17 = { ff2485f6203400 8b8614080000 3b45f4 7e03 8945f4 8365fc00 8365f000 }
            // n = 7, score = 100
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7e03                 | jle                 5
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8365f000             | and                 dword ptr [ebp - 0x10], 0

        $sequence_18 = { 49 c745e8ff000000 8b3c857c303400 c745ecffff0000 0faff9 83f801 }
            // n = 6, score = 100
            //   49                   | dec                 ecx
            //   c745e8ff000000       | mov                 dword ptr [ebp - 0x18], 0xff
            //   8b3c857c303400       | mov                 edi, dword ptr [eax*4 + 0x34307c]
            //   c745ecffff0000       | mov                 dword ptr [ebp - 0x14], 0xffff
            //   0faff9               | imul                edi, ecx
            //   83f801               | cmp                 eax, 1

        $sequence_19 = { 0f87c9000000 ff248580233400 832700 e9???????? 55 }
            // n = 5, score = 100
            //   0f87c9000000         | ja                  0xcf
            //   ff248580233400       | jmp                 dword ptr [eax*4 + 0x342380]
            //   832700               | and                 dword ptr [edi], 0
            //   e9????????           |                     
            //   55                   | push                ebp

        $sequence_20 = { c6075c ff15???????? 85c0 7465 53 }
            // n = 5, score = 100
            //   c6075c               | mov                 byte ptr [edi], 0x5c
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7465                 | je                  0x67
            //   53                   | push                ebx

        $sequence_21 = { ff15???????? 8bcf 83e809 2b4dfc 3bc8 7e06 c60720 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bcf                 | mov                 ecx, edi
            //   83e809               | sub                 eax, 9
            //   2b4dfc               | sub                 ecx, dword ptr [ebp - 4]
            //   3bc8                 | cmp                 ecx, eax
            //   7e06                 | jle                 8
            //   c60720               | mov                 byte ptr [edi], 0x20

        $sequence_22 = { 389dd0feffff 7518 ff75d4 8d85d0feffff 68???????? }
            // n = 5, score = 100
            //   389dd0feffff         | cmp                 byte ptr [ebp - 0x130], bl
            //   7518                 | jne                 0x1a
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   8d85d0feffff         | lea                 eax, [ebp - 0x130]
            //   68????????           |                     

        $sequence_23 = { 53 53 8d4594 6a01 50 ff15???????? 8d4594 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8d4594               | lea                 eax, [ebp - 0x6c]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4594               | lea                 eax, [ebp - 0x6c]

        $sequence_24 = { 8b75d8 e9???????? 8d85d0feffff 68???????? }
            // n = 4, score = 100
            //   8b75d8               | mov                 esi, dword ptr [ebp - 0x28]
            //   e9????????           |                     
            //   8d85d0feffff         | lea                 eax, [ebp - 0x130]
            //   68????????           |                     

        $sequence_25 = { 837efcff 7518 8b46f8 8b04855c303400 c1e002 50 6a40 }
            // n = 7, score = 100
            //   837efcff             | cmp                 dword ptr [esi - 4], -1
            //   7518                 | jne                 0x1a
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   8b04855c303400       | mov                 eax, dword ptr [eax*4 + 0x34305c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   6a40                 | push                0x40

        $sequence_26 = { 50 8d8550ffffff 50 53 53 6a10 6a01 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8d8550ffffff         | lea                 eax, [ebp - 0xb0]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6a10                 | push                0x10
            //   6a01                 | push                1

        $sequence_27 = { 8b06 eb02 8bc6 8b4ef8 83f907 0f8781000000 ff248dfd243400 }
            // n = 7, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   eb02                 | jmp                 4
            //   8bc6                 | mov                 eax, esi
            //   8b4ef8               | mov                 ecx, dword ptr [esi - 8]
            //   83f907               | cmp                 ecx, 7
            //   0f8781000000         | ja                  0x87
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]

        $sequence_28 = { 0f8781000000 ff248dfd243400 881f eb76 }
            // n = 4, score = 100
            //   0f8781000000         | ja                  0x87
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]
            //   881f                 | mov                 byte ptr [edi], bl
            //   eb76                 | jmp                 0x78

        $sequence_29 = { 8a1e 80fb78 7405 80fb58 7538 42 42 }
            // n = 7, score = 100
            //   8a1e                 | mov                 bl, byte ptr [esi]
            //   80fb78               | cmp                 bl, 0x78
            //   7405                 | je                  7
            //   80fb58               | cmp                 bl, 0x58
            //   7538                 | jne                 0x3a
            //   42                   | inc                 edx
            //   42                   | inc                 edx

        $sequence_30 = { 8b4d08 8a0408 a2???????? eb07 c605????????00 c705????????4c403400 ff7508 }
            // n = 7, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8a0408               | mov                 al, byte ptr [eax + ecx]
            //   a2????????           |                     
            //   eb07                 | jmp                 9
            //   c605????????00       |                     
            //   c705????????4c403400     |     
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_31 = { 8b0c855c303400 c1e705 33d2 03fe 42 837dfcff 8955dc }
            // n = 7, score = 100
            //   8b0c855c303400       | mov                 ecx, dword ptr [eax*4 + 0x34305c]
            //   c1e705               | shl                 edi, 5
            //   33d2                 | xor                 edx, edx
            //   03fe                 | add                 edi, esi
            //   42                   | inc                 edx
            //   837dfcff             | cmp                 dword ptr [ebp - 4], -1
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx

    condition:
        7 of them and filesize < 1350656
}