SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ghost_rat (Back to overview)

Ghost RAT

aka: Farfli, Gh0st RAT, PCRat

Actor(s): EMISSARY PANDA, Hurricane Panda, Lazarus Group, Leviathan, Stone Panda

URLhaus    

There is no description at this point.

References
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-28Trend MicroJaromír Hořejší, Joseph C Chen
@online{hoej:20210428:water:f769ce2, author = {Jaromír Hořejší and Joseph C Chen}, title = {{Water Pamola Attacked Online Shops Via Malicious Orders}}, date = {2021-04-28}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html}, language = {English}, urldate = {2021-05-04} } Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT
2021-04-02Dr.WebDr.Web
@techreport{drweb:20210402:study:31b191e, author = {Dr.Web}, title = {{Study of targeted attacks on Russian research institutes}}, date = {2021-04-02}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf}, language = {English}, urldate = {2021-04-06} } Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT
2021-02-22tccontre Blogtcontre
@online{tcontre:20210222:gh0strat:9f98308, author = {tcontre}, title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}}, date = {2021-02-22}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html}, language = {English}, urldate = {2021-02-25} } Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT
2021-02-01ESET ResearchIgnacio Sanmillan, Matthieu Faou
@online{sanmillan:20210201:operation:9e52a78, author = {Ignacio Sanmillan and Matthieu Faou}, title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}}, date = {2021-02-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/}, language = {English}, urldate = {2021-02-17} } Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy
2021-01-15SwisscomMarkus Neis
@techreport{neis:20210115:cracking:b1c1684, author = {Markus Neis}, title = {{Cracking a Soft Cell is Harder Than You Think}}, date = {2021-01-15}, institution = {Swisscom}, url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf}, language = {English}, urldate = {2021-01-18} } Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2020-12-18SeqritePavankumar Chaudhari
@online{chaudhari:20201218:rat:50074a2, author = {Pavankumar Chaudhari}, title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}}, date = {2020-12-18}, organization = {Seqrite}, url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/}, language = {English}, urldate = {2020-12-18} } RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-10-27Dr.WebDr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-07-28NTTNTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Risky.bizDaniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-06-14BushidoTokenBushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-05PrevailionDanny Adamitis
@online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-05-20Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20200520:what:e02d9a4, author = {Asuna Amawaka}, title = {{What happened between the BigBadWolf and the Tiger?}}, date = {2020-05-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2}, language = {English}, urldate = {2021-02-18} } What happened between the BigBadWolf and the Tiger?
Ghost RAT
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT IXESHE
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot Maverick Panda Samurai Panda
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb, author = {Kelli Vanderlee and Nalani Fraser}, title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}}, date = {2019-11-19}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf}, language = {English}, urldate = {2021-03-02} } Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-04TencentTencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{APT attack group "Higaisa" attack activity disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-09-17TalosChristopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-04-25DATANETKim Seon-ae
@online{seonae:20190425:chinesebased:fa78904, author = {Kim Seon-ae}, title = {{Chinese-based hackers attack domestic energy institutions}}, date = {2019-04-25}, organization = {DATANET}, url = {https://www.datanet.co.kr/news/articleView.html?idxno=133346}, language = {Korean}, urldate = {2021-02-09} } Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
2019-02-27SecureworksCTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-01-07IntezerIgnacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog-chinaz-relations/}, language = {English}, urldate = {2019-11-27} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2018-09-19Möbius Strip Reverse EngineeringRolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-04-17NCC GroupNikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2019-11-27} } Decoding network data from a Gh0st RAT variant
Ghost RAT EMISSARY PANDA
2018-02-01BitdefenderBitdefender Team
@online{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/}, language = {English}, urldate = {2020-05-18} } Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT EMISSARY PANDA
2018-01-04Malware Traffic AnalysisBrad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-19ProofpointDarien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19ProofpointDarien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-02-25Financial Security InstituteKyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2016-04-22CylanceIsaac Palmer
@online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } The Ghost Dragon
Ghost RAT
2012Norman ASASnorre Fagerland
@techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } The many faces of Gh0st Rat
Ghost RAT
2011-06-29SymantecJohn McDonald
@online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } Inside a Back Door Attack
Ghost RAT Dust Storm
2009-03-28Information Warfare MonitorInformation Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Information Warfare Monitor}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2020-04-23} } Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet
Yara Rules
[TLP:WHITE] win_ghost_rat_auto (20210616 | Detects win.ghost_rat.)
rule win_ghost_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.ghost_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a01 56 ff15???????? 5e c20800 }
            // n = 5, score = 500
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   c20800               | ret                 8

        $sequence_1 = { 8bd9 e8???????? 8b4d08 3bc8 }
            // n = 4, score = 500
            //   8bd9                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_2 = { 8b400c 85c0 7505 a1???????? 50 8bce e8???????? }
            // n = 7, score = 500
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   a1????????           |                     
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_3 = { 6a6b 8bce e8???????? 5f 5e }
            // n = 5, score = 400
            //   6a6b                 | push                0x6b
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { 8b06 6aff 50 ff15???????? 8b0e 51 }
            // n = 6, score = 400
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   51                   | push                ecx

        $sequence_5 = { c20400 894df4 c745f800000000 df6df4 83ec08 dc0d???????? dd1c24 }
            // n = 7, score = 400
            //   c20400               | ret                 4
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   df6df4               | fild                qword ptr [ebp - 0xc]
            //   83ec08               | sub                 esp, 8
            //   dc0d????????         |                     
            //   dd1c24               | fstp                qword ptr [esp]

        $sequence_6 = { 5b 8be5 5d c20400 894df4 c745f800000000 }
            // n = 6, score = 400
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0

        $sequence_7 = { 50 6800000080 ff15???????? 85c0 7407 32c0 e9???????? }
            // n = 7, score = 300
            //   50                   | push                eax
            //   6800000080           | push                0x80000000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     

        $sequence_8 = { 84c0 7505 83ceff eb2c }
            // n = 4, score = 300
            //   84c0                 | test                al, al
            //   7505                 | jne                 7
            //   83ceff               | or                  esi, 0xffffffff
            //   eb2c                 | jmp                 0x2e

        $sequence_9 = { 8dbd85feffff f3ab 66ab aa }
            // n = 4, score = 300
            //   8dbd85feffff         | lea                 edi, dword ptr [ebp - 0x17b]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_10 = { f3a4 ff15???????? 8bf0 83c40c 46 750b }
            // n = 6, score = 300
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   46                   | inc                 esi
            //   750b                 | jne                 0xd

        $sequence_11 = { 68???????? 6a00 6a00 e8???????? 8b8e549f0000 }
            // n = 5, score = 300
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8b8e549f0000         | mov                 ecx, dword ptr [esi + 0x9f54]

        $sequence_12 = { e9???????? 8d45dc 50 681f000200 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   681f000200           | push                0x2001f

        $sequence_13 = { 68???????? 50 6802000080 e8???????? 83c41c 5f }
            // n = 6, score = 300
            //   68????????           |                     
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   5f                   | pop                 edi

        $sequence_14 = { 57 8bfe f2ae f7d1 49 7509 5f }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8bfe                 | mov                 edi, esi
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   7509                 | jne                 0xb
            //   5f                   | pop                 edi

        $sequence_15 = { 8365fc00 ff7508 ff15???????? 40 50 ff15???????? 59 }
            // n = 7, score = 300
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff15????????         |                     
            //   59                   | pop                 ecx

        $sequence_16 = { 8bce ff75e8 e8???????? 8bce e8???????? }
            // n = 5, score = 300
            //   8bce                 | mov                 ecx, esi
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_17 = { 8b5c2408 55 8b6c2410 56 8b742418 57 3bee }
            // n = 7, score = 300
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   55                   | push                ebp
            //   8b6c2410             | mov                 ebp, dword ptr [esp + 0x10]
            //   56                   | push                esi
            //   8b742418             | mov                 esi, dword ptr [esp + 0x18]
            //   57                   | push                edi
            //   3bee                 | cmp                 ebp, esi

        $sequence_18 = { 6a00 50 e8???????? 83c40c ff7508 6a40 ff15???????? }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_19 = { 6a01 ff7620 ff15???????? 8b4e04 e8???????? 33c0 }
            // n = 6, score = 300
            //   6a01                 | push                1
            //   ff7620               | push                dword ptr [esi + 0x20]
            //   ff15????????         |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_20 = { e8???????? 59 83c8ff e9???????? 8b45fc }
            // n = 5, score = 300
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_21 = { ff7510 ff75dc ff15???????? 85c0 7507 c745e401000000 834dfcff }
            // n = 7, score = 300
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff

        $sequence_22 = { c745e0867f0000 c745e4837f0000 c745e8857f0000 c745ec827f0000 }
            // n = 4, score = 200
            //   c745e0867f0000       | mov                 dword ptr [ebp - 0x20], 0x7f86
            //   c745e4837f0000       | mov                 dword ptr [ebp - 0x1c], 0x7f83
            //   c745e8857f0000       | mov                 dword ptr [ebp - 0x18], 0x7f85
            //   c745ec827f0000       | mov                 dword ptr [ebp - 0x14], 0x7f82

        $sequence_23 = { c745e8857f0000 c745ec827f0000 c745f0847f0000 c745f4047f0000 }
            // n = 4, score = 200
            //   c745e8857f0000       | mov                 dword ptr [ebp - 0x18], 0x7f85
            //   c745ec827f0000       | mov                 dword ptr [ebp - 0x14], 0x7f82
            //   c745f0847f0000       | mov                 dword ptr [ebp - 0x10], 0x7f84
            //   c745f4047f0000       | mov                 dword ptr [ebp - 0xc], 0x7f04

        $sequence_24 = { 83e9fc c7014c696272 83e9fc c70161727941 }
            // n = 4, score = 200
            //   83e9fc               | sub                 ecx, -4
            //   c7014c696272         | mov                 dword ptr [ecx], 0x7262694c
            //   83e9fc               | sub                 ecx, -4
            //   c70161727941         | mov                 dword ptr [ecx], 0x41797261

        $sequence_25 = { 813f6b006500 7406 813f4b004500 75e8 }
            // n = 4, score = 200
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b
            //   7406                 | je                  8
            //   813f4b004500         | cmp                 dword ptr [edi], 0x45004b
            //   75e8                 | jne                 0xffffffea

        $sequence_26 = { 8b761c 8b4608 8b7e20 8b36 813f6b006500 7406 }
            // n = 6, score = 200
            //   8b761c               | mov                 esi, dword ptr [esi + 0x1c]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b
            //   7406                 | je                  8

        $sequence_27 = { 898d44ffffff 8b9544ffffff 33c0 668b4206 }
            // n = 4, score = 100
            //   898d44ffffff         | mov                 dword ptr [ebp - 0xbc], ecx
            //   8b9544ffffff         | mov                 edx, dword ptr [ebp - 0xbc]
            //   33c0                 | xor                 eax, eax
            //   668b4206             | mov                 ax, word ptr [edx + 6]

        $sequence_28 = { 8b5104 83ea08 d1ea 3955f4 7749 8b45f0 33c9 }
            // n = 7, score = 100
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   83ea08               | sub                 edx, 8
            //   d1ea                 | shr                 edx, 1
            //   3955f4               | cmp                 dword ptr [ebp - 0xc], edx
            //   7749                 | ja                  0x4b
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   33c9                 | xor                 ecx, ecx

        $sequence_29 = { 8945ec 8b8d58ffffff 034dec 66c7014343 8b9558ffffff 8b423c }
            // n = 6, score = 100
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b8d58ffffff         | mov                 ecx, dword ptr [ebp - 0xa8]
            //   034dec               | add                 ecx, dword ptr [ebp - 0x14]
            //   66c7014343           | mov                 word ptr [ecx], 0x4343
            //   8b9558ffffff         | mov                 edx, dword ptr [ebp - 0xa8]
            //   8b423c               | mov                 eax, dword ptr [edx + 0x3c]

        $sequence_30 = { 8b8dfcfeffff 51 ff9514ffffff 83c40c e9???????? 8b957cffffff 83ba8800000000 }
            // n = 7, score = 100
            //   8b8dfcfeffff         | mov                 ecx, dword ptr [ebp - 0x104]
            //   51                   | push                ecx
            //   ff9514ffffff         | call                dword ptr [ebp - 0xec]
            //   83c40c               | add                 esp, 0xc
            //   e9????????           |                     
            //   8b957cffffff         | mov                 edx, dword ptr [ebp - 0x84]
            //   83ba8800000000       | cmp                 dword ptr [edx + 0x88], 0

        $sequence_31 = { 41 ebc0 8d8d98ffffff c7014c6f6164 }
            // n = 4, score = 100
            //   41                   | inc                 ecx
            //   ebc0                 | jmp                 0xffffffc2
            //   8d8d98ffffff         | lea                 ecx, dword ptr [ebp - 0x68]
            //   c7014c6f6164         | mov                 dword ptr [ecx], 0x64616f4c

    condition:
        7 of them and filesize < 357376
}
Download all Yara Rules