SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ghost_rat (Back to overview)

Ghost RAT

aka: Farfli, Gh0st RAT, PCRat

Actor(s): Emissary Panda, Hurricane Panda, Lazarus Group, Leviathan, Stone Panda

URLhaus    

There is no description at this point.

References
2020-12-18SeqritePavankumar Chaudhari
@online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-10-27Dr.WebDr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-07-28NTTNTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Risky.bizDaniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-05PrevailionDanny Adamitis
@online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT IXESHE
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot Maverick Panda Samurai Panda
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-11-04TencentTencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{APT attack group "Higaisa" attack activity disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-09-17TalosChristopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-02-27SecureworksCTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-01-07IntezerIgnacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog-chinaz-relations/}, language = {English}, urldate = {2019-11-27} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2018-09-19Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-04-17NCC GroupNikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2019-11-27} } Decoding network data from a Gh0st RAT variant
Ghost RAT LuckyMouse
2018-02-01BitdefenderBitdefender Team
@online{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/}, language = {English}, urldate = {2020-05-18} } Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT Emissary Panda
2018-01-04Malware Traffic AnalysisBrad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-19ProofpointDarien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19ProofpointDarien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-02-25Financial Security InstituteKyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2016-04-22CylanceIsaac Palmer
@online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } The Ghost Dragon
Ghost RAT
2012Norman ASASnorre Fagerland
@techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } The many faces of Gh0st Rat
Ghost RAT
2011-06-29SymantecJohn McDonald
@online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } Inside a Back Door Attack
Ghost RAT Dust Storm
2009-03-28Information Warfare MonitorInformation Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Information Warfare Monitor}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2020-04-23} } Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet
Yara Rules
[TLP:WHITE] win_ghost_rat_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_ghost_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b400c 85c0 7505 a1???????? 50 8bce e8???????? }
            // n = 7, score = 500
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   a1????????           |                     
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_1 = { 6a01 56 ff15???????? 5e c20800 }
            // n = 5, score = 500
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   c20800               | ret                 8

        $sequence_2 = { 894df4 c745f800000000 df6df4 83ec08 dc0d???????? dd1c24 }
            // n = 6, score = 400
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   df6df4               | fild                qword ptr [ebp - 0xc]
            //   83ec08               | sub                 esp, 8
            //   dc0d????????         |                     
            //   dd1c24               | fstp                qword ptr [esp]

        $sequence_3 = { 8b06 6aff 50 ff15???????? 8b0e 51 }
            // n = 6, score = 400
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   51                   | push                ecx

        $sequence_4 = { 8be5 5d c20400 894df4 c745f800000000 df6df4 }
            // n = 6, score = 400
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   df6df4               | fild                qword ptr [ebp - 0xc]

        $sequence_5 = { 8bd9 e8???????? 8b4d08 3bc8 }
            // n = 4, score = 400
            //   8bd9                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_6 = { 83c454 c20400 8d7901 57 ff15???????? 8bcf }
            // n = 6, score = 300
            //   83c454               | add                 esp, 0x54
            //   c20400               | ret                 4
            //   8d7901               | lea                 edi, [ecx + 1]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bcf                 | mov                 ecx, edi

        $sequence_7 = { 59 83c8ff e9???????? 8b45fc }
            // n = 4, score = 300
            //   59                   | pop                 ecx
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_8 = { f3a5 53 8bcd e8???????? 53 ff15???????? }
            // n = 6, score = 300
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   53                   | push                ebx
            //   8bcd                 | mov                 ecx, ebp
            //   e8????????           |                     
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_9 = { 50 6800000080 ff15???????? 85c0 7407 32c0 e9???????? }
            // n = 7, score = 300
            //   50                   | push                eax
            //   6800000080           | push                0x80000000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_10 = { ff7510 ff75dc ff15???????? 85c0 7507 c745e401000000 }
            // n = 6, score = 300
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1

        $sequence_11 = { ff15???????? 8b4e2c 6a00 51 ff15???????? 8b4610 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   8b4e2c               | mov                 ecx, dword ptr [esi + 0x2c]
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]

        $sequence_12 = { 85c0 7506 46 83fe19 }
            // n = 4, score = 300
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 8
            //   46                   | inc                 esi
            //   83fe19               | cmp                 esi, 0x19

        $sequence_13 = { 6a00 c705????????20010000 e8???????? 8b35???????? 83c434 }
            // n = 5, score = 300
            //   6a00                 | push                0
            //   c705????????20010000     |     
            //   e8????????           |                     
            //   8b35????????         |                     
            //   83c434               | add                 esp, 0x34

        $sequence_14 = { 68???????? 50 6802000080 e8???????? 83c41c 5f }
            // n = 6, score = 300
            //   68????????           |                     
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   5f                   | pop                 edi

        $sequence_15 = { e9???????? 8d45dc 50 681f000200 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   681f000200           | push                0x2001f

        $sequence_16 = { ff7508 ff15???????? 40 50 ff15???????? 59 }
            // n = 6, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff15????????         |                     
            //   59                   | pop                 ecx

        $sequence_17 = { 8dbd85feffff f3ab 66ab aa }
            // n = 4, score = 300
            //   8dbd85feffff         | lea                 edi, [ebp - 0x17b]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_18 = { 8b36 813f6b006500 7406 813f4b004500 75e8 }
            // n = 5, score = 200
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b
            //   7406                 | je                  8
            //   813f4b004500         | cmp                 dword ptr [edi], 0x45004b
            //   75e8                 | jne                 0xffffffea

        $sequence_19 = { 8b760c 8b761c 8b4608 8b7e20 8b36 813f6b006500 }
            // n = 6, score = 200
            //   8b760c               | mov                 esi, dword ptr [esi + 0xc]
            //   8b761c               | mov                 esi, dword ptr [esi + 0x1c]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b

        $sequence_20 = { 83e9fc c7014c696272 83e9fc c70161727941 83e9fc }
            // n = 5, score = 200
            //   83e9fc               | sub                 ecx, -4
            //   c7014c696272         | mov                 dword ptr [ecx], 0x7262694c
            //   83e9fc               | sub                 ecx, -4
            //   c70161727941         | mov                 dword ptr [ecx], 0x41797261
            //   83e9fc               | sub                 ecx, -4

        $sequence_21 = { 8b55b8 8911 eb26 8b45b4 8b4d08 8d540102 8955b0 }
            // n = 7, score = 100
            //   8b55b8               | mov                 edx, dword ptr [ebp - 0x48]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   eb26                 | jmp                 0x28
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d540102             | lea                 edx, [ecx + eax + 2]
            //   8955b0               | mov                 dword ptr [ebp - 0x50], edx

        $sequence_22 = { 8985fcfeffff 8b8d6cffffff 6bc928 8b9538ffffff 8b440a10 50 }
            // n = 6, score = 100
            //   8985fcfeffff         | mov                 dword ptr [ebp - 0x104], eax
            //   8b8d6cffffff         | mov                 ecx, dword ptr [ebp - 0x94]
            //   6bc928               | imul                ecx, ecx, 0x28
            //   8b9538ffffff         | mov                 edx, dword ptr [ebp - 0xc8]
            //   8b440a10             | mov                 eax, dword ptr [edx + ecx + 0x10]
            //   50                   | push                eax

        $sequence_23 = { 817f0865006c00 7407 817f0845004c00 75c2 817f0c33003200 75b9 817f102e006400 }
            // n = 7, score = 100
            //   817f0865006c00       | cmp                 dword ptr [edi + 8], 0x6c0065
            //   7407                 | je                  9
            //   817f0845004c00       | cmp                 dword ptr [edi + 8], 0x4c0045
            //   75c2                 | jne                 0xffffffc4
            //   817f0c33003200       | cmp                 dword ptr [edi + 0xc], 0x320033
            //   75b9                 | jne                 0xffffffbb
            //   817f102e006400       | cmp                 dword ptr [edi + 0x10], 0x64002e

        $sequence_24 = { 035110 8955f4 6a00 6a01 ffb560ffffff ff55f4 }
            // n = 6, score = 100
            //   035110               | add                 edx, dword ptr [ecx + 0x10]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   ffb560ffffff         | push                dword ptr [ebp - 0xa0]
            //   ff55f4               | call                dword ptr [ebp - 0xc]

        $sequence_25 = { 8b458c 898504ffffff 8b4d94 898d00ffffff }
            // n = 4, score = 100
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   898504ffffff         | mov                 dword ptr [ebp - 0xfc], eax
            //   8b4d94               | mov                 ecx, dword ptr [ebp - 0x6c]
            //   898d00ffffff         | mov                 dword ptr [ebp - 0x100], ecx

    condition:
        7 of them and filesize < 303104
}
Download all Yara Rules