win.flawedammyy

FlawedAmmyy

Actor(s): TA505


FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to the criminal gang TA505 and used to take control of target machines. The name reflects its strong link to the leaked source code of Ammyy Admin, from which it takes its main structure.

References
2020-08-20 | CERT-FR | CERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20 | PTSecurity | PT ESC Threat Intelligence
@online{intelligence:20200520:operation:7f6282e, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet}}, date = {2020-05-20}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/}, language = {English}, urldate = {2020-06-05} } Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-28 | Financial Security Institute | Financial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-08-29 | ThreatRecon | ThreatRecon Team
@online{team:20190829:sectorj04:ce6cc4b, author = {ThreatRecon Team}, title = {{SectorJ04 Group’s Increased Activity in 2019}}, date = {2019-08-29}, organization = {ThreatRecon}, url = {https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/}, language = {English}, urldate = {2019-10-13} } SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27 | Trend Micro | Hara Hiroaki, Jaromír Hořejší, Loseway Lu
@online{hiroaki:20190827:ta505:9bcbff1, author = {Hara Hiroaki and Jaromír Hořejší and Loseway Lu}, title = {{TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy}}, date = {2019-08-27}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/}, language = {English}, urldate = {2019-11-27} } TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-05-31 | Youtube (0verfl0w_) | 0verfl0w_
@online{0verfl0w:20190531:defeating:eb0994e, author = {0verfl0w_}, title = {{Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more}}, date = {2019-05-31}, organization = {Youtube (0verfl0w_)}, url = {https://www.youtube.com/watch?v=N4f2e8Mygag}, language = {English}, urldate = {2020-01-08} } Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-28 | MITRE | MITRE
@online{mitre:20190528:flawedammyy:c4f6363, author = {MITRE}, title = {{FlawedAmmyy}}, date = {2019-05-28}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0381/}, language = {English}, urldate = {2020-01-13} } FlawedAmmyy
FlawedAmmyy
2019-04-22 | SANS | Mike Downey
@online{downey:20190422:unpacking:2cb6558, author = {Mike Downey}, title = {{Unpacking & Decrypting FlawedAmmyy}}, date = {2019-04-22}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930}, language = {English}, urldate = {2020-01-09} } Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2018-07-19 | Proofpoint | Proofpoint Staff
@online{staff:20180719:ta505:3c29d5a, author = {Proofpoint Staff}, title = {{TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT}}, date = {2018-07-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-06-28 | Secrary Blog | Lasha Khasaia
@online{khasaia:20180628:brief:d854824, author = {Lasha Khasaia}, title = {{A Brief Overview of the AMMYY RAT Downloader}}, date = {2018-06-28}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/}, language = {English}, urldate = {2020-01-13} } A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-03-07 | Proofpoint | Proofpoint Staff
@online{staff:20180307:leaked:5e33f64, author = {Proofpoint Staff}, title = {{Leaked Ammyy Admin Source Code Turned into Malware}}, date = {2018-03-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat}, language = {English}, urldate = {2019-12-20} } Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2016-10-11 | Symantec | Symantec Security Response
@online{response:20161011:odinaff:bdd6f10, author = {Symantec Security Response}, title = {{Odinaff: New Trojan used in high level financial attacks}}, date = {2016-10-11}, organization = {Symantec}, url = {https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks}, language = {English}, urldate = {2020-04-21} } Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS Anunak
Yara Rules
[TLP:WHITE] win_flawedammyy_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_flawedammyy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c785c0feffff44000000 668985f0feffff ffd7 85c0 }
            // n = 4, score = 200
            //   c785c0feffff44000000     | mov    dword ptr [ebp - 0x140], 0x44
            //   668985f0feffff       | mov                 word ptr [ebp - 0x110], ax
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_1 = { c3 57 6866bd7db8 6a06 }
            // n = 4, score = 200
            //   c3                   | ret                 
            //   57                   | push                edi
            //   6866bd7db8           | push                0xb87dbd66
            //   6a06                 | push                6

        $sequence_2 = { 8d55e8 52 c745e800000000 8b08 68???????? }
            // n = 5, score = 200
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   52                   | push                edx
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   68????????           |                     

        $sequence_3 = { 55 8bec 6839bfc80c 6a02 e8???????? 83c408 }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   6839bfc80c           | push                0xcc8bf39
            //   6a02                 | push                2
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_4 = { 8b75fc 85f6 7453 8d9b00000000 }
            // n = 4, score = 200
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   85f6                 | test                esi, esi
            //   7453                 | je                  0x55
            //   8d9b00000000         | lea                 ebx, [ebx]

        $sequence_5 = { 50 ff510c ff75fc 8b45f8 68???????? 8b08 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   68????????           |                     
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax

        $sequence_6 = { 8b0c9d88ae4100 47 88440e34 8b049d88ae4100 }
            // n = 4, score = 200
            //   8b0c9d88ae4100       | mov                 ecx, dword ptr [ebx*4 + 0x41ae88]
            //   47                   | inc                 edi
            //   88440e34             | mov                 byte ptr [esi + ecx + 0x34], al
            //   8b049d88ae4100       | mov                 eax, dword ptr [ebx*4 + 0x41ae88]

        $sequence_7 = { 5d c3 8b45c8 8d9570fbffff 8b08 52 }
            // n = 6, score = 200
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   8d9570fbffff         | lea                 edx, [ebp - 0x490]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   52                   | push                edx

        $sequence_8 = { b8ff000000 bb0000ff00 ba00ff0000 8945f8 eb40 8b413c 85c0 }
            // n = 7, score = 100
            //   b8ff000000           | mov                 eax, 0xff
            //   bb0000ff00           | mov                 ebx, 0xff0000
            //   ba00ff0000           | mov                 edx, 0xff00
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   eb40                 | jmp                 0x42
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]
            //   85c0                 | test                eax, eax

        $sequence_9 = { c1e702 eb60 8b46f8 834de4ff 49 c745e8ff000000 8b3c857c303400 }
            // n = 7, score = 100
            //   c1e702               | shl                 edi, 2
            //   eb60                 | jmp                 0x62
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   834de4ff             | or                  dword ptr [ebp - 0x1c], 0xffffffff
            //   49                   | dec                 ecx
            //   c745e8ff000000       | mov                 dword ptr [ebp - 0x18], 0xff
            //   8b3c857c303400       | mov                 edi, dword ptr [eax*4 + 0x34307c]

        $sequence_10 = { 0101 014334 294330 e9???????? 837b3000 }
            // n = 5, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   014334               | add                 dword ptr [ebx + 0x34], eax
            //   294330               | sub                 dword ptr [ebx + 0x30], eax
            //   e9????????           |                     
            //   837b3000             | cmp                 dword ptr [ebx + 0x30], 0

        $sequence_11 = { fec8 c0e104 0ac8 8b4508 0faf450c 884c3701 }
            // n = 6, score = 100
            //   fec8                 | dec                 al
            //   c0e104               | shl                 cl, 4
            //   0ac8                 | or                  cl, al
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0faf450c             | imul                eax, dword ptr [ebp + 0xc]
            //   884c3701             | mov                 byte ptr [edi + esi + 1], cl

        $sequence_12 = { ff248dfd243400 881f eb76 ff30 eb63 }
            // n = 5, score = 100
            //   ff248dfd243400       | jmp                 dword ptr [ecx*4 + 0x3424fd]
            //   881f                 | mov                 byte ptr [edi], bl
            //   eb76                 | jmp                 0x78
            //   ff30                 | push                dword ptr [eax]
            //   eb63                 | jmp                 0x65

        $sequence_13 = { 7d0e 8b480c 8b55fc 8d0c8a 894dfc eb0e 8b14957c303400 }
            // n = 7, score = 100
            //   7d0e                 | jge                 0x10
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8d0c8a               | lea                 ecx, [edx + ecx*4]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   eb0e                 | jmp                 0x10
            //   8b14957c303400       | mov                 edx, dword ptr [edx*4 + 0x34307c]

        $sequence_14 = { 7518 8b46f8 8b04855c303400 c1e002 50 }
            // n = 5, score = 100
            //   7518                 | jne                 0x1a
            //   8b46f8               | mov                 eax, dword ptr [esi - 8]
            //   8b04855c303400       | mov                 eax, dword ptr [eax*4 + 0x34305c]
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax

        $sequence_15 = { 8d5108 7e09 8a0e 880a 4a 4e 48 }
            // n = 7, score = 100
            //   8d5108               | lea                 edx, [ecx + 8]
            //   7e09                 | jle                 0xb
            //   8a0e                 | mov                 cl, byte ptr [esi]
            //   880a                 | mov                 byte ptr [edx], cl
            //   4a                   | dec                 edx
            //   4e                   | dec                 esi
            //   48                   | dec                 eax

        $sequence_16 = { 7425 8b85c0fbffff f30f7e85a0fbffff 660fd600 f30f7e85a8fbffff 660fd64008 }
            // n = 6, score = 100
            //   7425                 | je                  0x27
            //   8b85c0fbffff         | mov                 eax, dword ptr [ebp - 0x440]
            //   f30f7e85a0fbffff     | movq                xmm0, qword ptr [ebp - 0x460]
            //   660fd600             | movq                qword ptr [eax], xmm0
            //   f30f7e85a8fbffff     | movq                xmm0, qword ptr [ebp - 0x458]
            //   660fd64008           | movq                qword ptr [eax + 8], xmm0

        $sequence_17 = { 8a0408 a2???????? eb07 c605????????00 c705????????4c403400 ff7508 ff15???????? }
            // n = 7, score = 100
            //   8a0408               | mov                 al, byte ptr [eax + ecx]
            //   a2????????           |                     
            //   eb07                 | jmp                 9
            //   c605????????00       |                     
            //   c705????????4c403400     |     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     

        $sequence_18 = { b800100000 50 6a42 ff15???????? 3bc3 8945f8 0f84af000000 }
            // n = 7, score = 100
            //   b800100000           | mov                 eax, 0x1000
            //   50                   | push                eax
            //   6a42                 | push                0x42
            //   ff15????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   0f84af000000         | je                  0xb5

        $sequence_19 = { 57 50 ff15???????? 8bf8 8d85ccfdffff 3bf8 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8d85ccfdffff         | lea                 eax, [ebp - 0x234]
            //   3bf8                 | cmp                 edi, eax

        $sequence_20 = { 8b06 83661c00 83f807 0f87c9000000 ff248580233400 }
            // n = 5, score = 100
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83661c00             | and                 dword ptr [esi + 0x1c], 0
            //   83f807               | cmp                 eax, 7
            //   0f87c9000000         | ja                  0xcf
            //   ff248580233400       | jmp                 dword ptr [eax*4 + 0x342380]

        $sequence_21 = { 85f6 7429 837c240800 7413 8d4604 }
            // n = 5, score = 100
            //   85f6                 | test                esi, esi
            //   7429                 | je                  0x2b
            //   837c240800           | cmp                 dword ptr [esp + 8], 0
            //   7413                 | je                  0x15
            //   8d4604               | lea                 eax, [esi + 4]

        $sequence_22 = { c745fc???????? e8???????? 68???????? 8d45f0 50 c745f0b8e54600 e8???????? }
            // n = 7, score = 100
            //   c745fc????????       |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   c745f0b8e54600       | mov                 dword ptr [ebp - 0x10], 0x46e5b8
            //   e8????????           |                     

        $sequence_23 = { 7409 ff75ec ff15???????? ff75f4 8b35???????? }
            // n = 5, score = 100
            //   7409                 | je                  0xb
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff15????????         |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   8b35????????         |                     

        $sequence_24 = { 3b542420 8bce 0f42542420 52 e8???????? 8b06 }
            // n = 6, score = 100
            //   3b542420             | cmp                 edx, dword ptr [esp + 0x20]
            //   8bce                 | mov                 ecx, esi
            //   0f42542420           | cmovb               edx, dword ptr [esp + 0x20]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_25 = { 33ff 8d432c 6a18 8d4de4 51 }
            // n = 5, score = 100
            //   33ff                 | xor                 edi, edi
            //   8d432c               | lea                 eax, [ebx + 0x2c]
            //   6a18                 | push                0x18
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   51                   | push                ecx

        $sequence_26 = { 3bc6 59 750f 8d4609 50 e8???????? 59 }
            // n = 7, score = 100
            //   3bc6                 | cmp                 eax, esi
            //   59                   | pop                 ecx
            //   750f                 | jne                 0x11
            //   8d4609               | lea                 eax, [esi + 9]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_27 = { ff15???????? 8bf8 8bce e8???????? 833801 7f0c 8bce }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   833801               | cmp                 dword ptr [eax], 1
            //   7f0c                 | jg                  0xe
            //   8bce                 | mov                 ecx, esi

        $sequence_28 = { 83f855 0f872affffff 0fb6805a213400 ff2485f6203400 }
            // n = 4, score = 100
            //   83f855               | cmp                 eax, 0x55
            //   0f872affffff         | ja                  0xffffff30
            //   0fb6805a213400       | movzx               eax, byte ptr [eax + 0x34215a]
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]

        $sequence_29 = { 0fb6805a213400 ff2485f6203400 8b8614080000 3b45f4 7e03 8945f4 }
            // n = 6, score = 100
            //   0fb6805a213400       | movzx               eax, byte ptr [eax + 0x34215a]
            //   ff2485f6203400       | jmp                 dword ptr [eax*4 + 0x3420f6]
            //   8b8614080000         | mov                 eax, dword ptr [esi + 0x814]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   7e03                 | jle                 5
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax

        $sequence_30 = { 42 85c9 7dea 5e 5b c3 55 }
            // n = 7, score = 100
            //   42                   | inc                 edx
            //   85c9                 | test                ecx, ecx
            //   7dea                 | jge                 0xffffffec
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   55                   | push                ebp

    condition:
        7 of them and filesize < 1294336
}