SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gootkit (Back to overview)

GootKit

aka: Waldek, Xswkit, talalpek
URLhaus      

Gootkit is a banking trojan consisting of an x86 loader and a payload embedding nodejs as well as a set of js scripts. The loader downloads the payload, stores it in registry and injects it in a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched in order to place the payload in man in the browser and allow it to apply the webinjects received from the command and control server on HTTPx exchanges. This allows Gootkit to intercept HTTPx requests and responses, steal their content or modify it according to the webinjects.

References
2023-01-09TrendmicroHitomi Kimura, Ryan Maglaque, Fe Cureg, Trent Bessell
@online{kimura:20230109:gootkit:585185a, author = {Hitomi Kimura and Ryan Maglaque and Fe Cureg and Trent Bessell}, title = {{Gootkit Loader Actively Targets Australian Healthcare Industry}}, date = {2023-01-09}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html}, language = {English}, urldate = {2023-01-13} } Gootkit Loader Actively Targets Australian Healthcare Industry
GootKit
2022-09-22deepwatchEric Ford, Ben Nichols
@techreport{ford:20220922:is:9ff086f, author = {Eric Ford and Ben Nichols}, title = {{Is Gootloader Working with a Foreign Intelligence Service?}}, date = {2022-09-22}, institution = {deepwatch}, url = {https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf}, language = {English}, urldate = {2022-09-30} } Is Gootloader Working with a Foreign Intelligence Service?
GootKit
2022-07-27Trend MicroBuddy Tancio, Jed Valderama
@online{tancio:20220727:gootkit:f1c63fa, author = {Buddy Tancio and Jed Valderama}, title = {{Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike}}, date = {2022-07-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html}, language = {English}, urldate = {2022-07-29} } Gootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike
Cobalt Strike GootKit Kronos REvil SunCrypt
2022-05-09The DFIR ReportThe DFIR Report
@online{report:20220509:seo:cc8b1c2, author = {The DFIR Report}, title = {{SEO Poisoning – A Gootloader Story}}, date = {2022-05-09}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/}, language = {English}, urldate = {2022-06-09} } SEO Poisoning – A Gootloader Story
GootLoader LaZagne Cobalt Strike GootKit
2022-03-22Red CanaryRed Canary
@techreport{canary:20220322:2022:67c40ea, author = {Red Canary}, title = {{2022 Threat Detection Report}}, date = {2022-03-22}, institution = {Red Canary}, url = {https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf}, language = {English}, urldate = {2022-03-23} } 2022 Threat Detection Report
FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT
2021-11-26Twitter (@jhencinski)Jon Hencinski
@online{hencinski:20211126:twitter:ca58fb5, author = {Jon Hencinski}, title = {{Twitter Thread on weelky MDR recap from expel.io}}, date = {2021-11-26}, organization = {Twitter (@jhencinski)}, url = {https://twitter.com/jhencinski/status/1464268732096815105}, language = {English}, urldate = {2021-11-29} } Twitter Thread on weelky MDR recap from expel.io
GootKit Squirrelwaffle
2021-11-10BlackberryCodi Starks, Ryan Chapman
@online{starks:20211110:revil:94c11c2, author = {Codi Starks and Ryan Chapman}, title = {{REvil Under the Microscope}}, date = {2021-11-10}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope}, language = {English}, urldate = {2021-11-17} } REvil Under the Microscope
GootKit REvil
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-06-07KasperskyAnton Kuzmenko
@online{kuzmenko:20210607:gootkit:dde97ac, author = {Anton Kuzmenko}, title = {{Gootkit: the cautious Trojan}}, date = {2021-06-07}, organization = {Kaspersky}, url = {https://securelist.com/gootkit-the-cautious-trojan/102731/}, language = {English}, urldate = {2021-06-16} } Gootkit: the cautious Trojan
GootKit
2021-03-02Twitter (@MsftSecIntel)Microsoft Security Intelligence
@online{intelligence:20210302:gootkit:30182a1, author = {Microsoft Security Intelligence}, title = {{Tweet on Gootkit malware campaign}}, date = {2021-03-02}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1366542130731094021}, language = {English}, urldate = {2021-03-04} } Tweet on Gootkit malware campaign
GootKit
2021-03-02Github (microsoft)Microsoft
@online{microsoft:20210302:microsoft365defenderhuntingqueries:dcc8507, author = {Microsoft}, title = {{Microsoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2}}, date = {2021-03-02}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md}, language = {English}, urldate = {2021-03-04} } Microsoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2
GootKit
2021-03-01Sophos LabsGabor Szappanos, Andrew Brandt
@online{szappanos:20210301:gootloader:815834d, author = {Gabor Szappanos and Andrew Brandt}, title = {{“Gootloader” expands its payload delivery options}}, date = {2021-03-01}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728}, language = {English}, urldate = {2021-03-02} } “Gootloader” expands its payload delivery options
GootKit
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2020-12-11Trend MicroMarc Lanzendorfer
@online{lanzendorfer:20201211:investigating:273e6fb, author = {Marc Lanzendorfer}, title = {{Investigating the Gootkit Loader}}, date = {2020-12-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html}, language = {English}, urldate = {2020-12-14} } Investigating the Gootkit Loader
GootKit
2020-11-30Malwarebyteshasherezade, Jérôme Segura
@online{hasherezade:20201130:german:72b40c6, author = {hasherezade and Jérôme Segura}, title = {{German users targeted with Gootkit banker or REvil ransomware}}, date = {2020-11-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/}, language = {English}, urldate = {2020-12-03} } German users targeted with Gootkit banker or REvil ransomware
GootKit REvil
2020-04-13BlackberryTatsuya Hasegawa, Masaki Kasuya
@online{hasegawa:20200413:threat:57b739e, author = {Tatsuya Hasegawa and Masaki Kasuya}, title = {{Threat Spotlight: Gootkit Banking Trojan}}, date = {2020-04-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan}, language = {English}, urldate = {2020-11-23} } Threat Spotlight: Gootkit Banking Trojan
Azorult GootKit
2019-10-02Dissecting MalwareMarius Genheimer
@online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)
FTCODE JasperLoader GootKit
2019-08-29SentinelOneDaniel Bunce
@online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
GootKit
2019-08-15SentinelOneDaniel Bunce
@online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-08-15Sentinel LABSDaniel Bunce
@online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-03-23Open MalwareDanny Quist
@online{quist:20190323:reverse:8c71656, author = {Danny Quist}, title = {{Reverse Engineering Gootkit with Ghidra Part I}}, date = {2019-03-23}, organization = {Open Malware}, url = {https://dannyquist.github.io/gootkit-reversing-ghidra/}, language = {English}, urldate = {2020-11-23} } Reverse Engineering Gootkit with Ghidra Part I
GootKit
2019-02-14CertegoMatteo Lodi
@online{lodi:20190214:malware:93db4e1, author = {Matteo Lodi}, title = {{Malware Tales: Gootkit}}, date = {2019-02-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-gootkit/}, language = {English}, urldate = {2020-01-06} } Malware Tales: Gootkit
GootKit
2018-11CERT La PosteChristophe Rieunier, Thomas Dubier
@online{rieunier:201811:analyse:7b29c7d, author = {Christophe Rieunier and Thomas Dubier}, title = {{Analyse du malware bancaire Gootkit et de ses mécanismes de protection}}, date = {2018-11}, organization = {CERT La Poste}, url = {https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection}, language = {French}, urldate = {2020-09-24} } Analyse du malware bancaire Gootkit et de ses mécanismes de protection
GootKit
2018-05-20Youtube (OALabs)Sergei Frankoff
@online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
GootKit
2018-03-04Youtube (OALabs)Sergei Frankoff
@online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request
Cold$eal GootKit
2018-02-13JuniperPaul Kimayong
@online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } New Gootkit Banking Trojan variant pushes the limits on evasive behavior
GootKit
2017-03-01SecurityIntelligenceGadi Ostrovsky, Limor Kessem
@online{ostrovsky:20170301:gootkit:ab4991e, author = {Gadi Ostrovsky and Limor Kessem}, title = {{GootKit Developers Dress It Up With Web Traffic Proxy}}, date = {2017-03-01}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/}, language = {English}, urldate = {2020-01-07} } GootKit Developers Dress It Up With Web Traffic Proxy
GootKit
2016-12-01US-CERTUS-CERT
@online{uscert:20161201:alert:b0f05c8, author = {US-CERT}, title = {{Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)}}, date = {2016-12-01}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA16-336A}, language = {English}, urldate = {2020-01-07} } Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)
GootKit
2016-10-27Kaspersky LabsAlexey Shulmin, Sergey Yunakovsky
@online{shulmin:20161027:inside:50f43ed, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Inside the Gootkit C&C server}}, date = {2016-10-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/}, language = {English}, urldate = {2019-12-20} } Inside the Gootkit C&C server
GootKit
2016-07-08SecurityIntelligenceLimor Kessem
@online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } GootKit: Bobbing and Weaving to Avoid Prying Eyes
GootKit
2015-04-13CERT Societe GeneraleCERT Societe Generale
@online{generale:20150413:analyzing:2a4956d, author = {CERT Societe Generale}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } Analyzing Gootkit's persistence mechanism (new ASEP inside!)
GootKit
2015-03-30Trend MicroCedric Pernet, Dark Luo
@online{pernet:20150330:fake:3b24447, author = {Cedric Pernet and Dark Luo}, title = {{Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority}}, date = {2015-03-30}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/}, language = {English}, urldate = {2020-01-10} } Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority
GootKit
2014-04-09Dr.WebDr.Web
@online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } BackDoor.Gootkit.112—a new multi-purpose backdoor
GootKit
Yara Rules
[TLP:WHITE] win_gootkit_auto (20230125 | Detects win.gootkit.)
rule win_gootkit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.gootkit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 833b00 7406 837b0400 7502 32c0 }
            // n = 5, score = 1700
            //   833b00               | cmp                 dword ptr [ebx], 0
            //   7406                 | je                  8
            //   837b0400             | cmp                 dword ptr [ebx + 4], 0
            //   7502                 | jne                 4
            //   32c0                 | xor                 al, al

        $sequence_1 = { ffd6 ff75ec 6a00 ff15???????? 50 ffd6 }
            // n = 6, score = 1700
            //   ffd6                 | call                esi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_2 = { 33ff 33c9 85d2 740e 0fbe0431 c1cf0d 03f8 }
            // n = 7, score = 1700
            //   33ff                 | xor                 edi, edi
            //   33c9                 | xor                 ecx, ecx
            //   85d2                 | test                edx, edx
            //   740e                 | je                  0x10
            //   0fbe0431             | movsx               eax, byte ptr [ecx + esi]
            //   c1cf0d               | ror                 edi, 0xd
            //   03f8                 | add                 edi, eax

        $sequence_3 = { ff15???????? 8bd8 85db 7431 3bfb 752d 56 }
            // n = 7, score = 1700
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7431                 | je                  0x33
            //   3bfb                 | cmp                 edi, ebx
            //   752d                 | jne                 0x2f
            //   56                   | push                esi

        $sequence_4 = { 8d45c4 8975f8 50 ff75fc ffd7 33c9 }
            // n = 6, score = 1700
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ffd7                 | call                edi
            //   33c9                 | xor                 ecx, ecx

        $sequence_5 = { 894df8 897df4 c745fc04010000 ff15???????? 50 ff15???????? }
            // n = 6, score = 1700
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   c745fc04010000       | mov                 dword ptr [ebp - 4], 0x104
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 6a04 6800300000 57 6a00 897df8 ff15???????? 8bf0 }
            // n = 7, score = 1700
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   57                   | push                edi
            //   6a00                 | push                0
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_7 = { eb06 8b7dd8 8b75d4 8bd7 8bc6 }
            // n = 5, score = 1700
            //   eb06                 | jmp                 8
            //   8b7dd8               | mov                 edi, dword ptr [ebp - 0x28]
            //   8b75d4               | mov                 esi, dword ptr [ebp - 0x2c]
            //   8bd7                 | mov                 edx, edi
            //   8bc6                 | mov                 eax, esi

        $sequence_8 = { f3aa 68???????? ff15???????? 50 }
            // n = 4, score = 1200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   68????????           |                     
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_9 = { 8b7df4 32c0 8b4de4 f3aa }
            // n = 4, score = 1200
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   32c0                 | xor                 al, al
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_10 = { 50 e8???????? 83c40c 68fd000000 }
            // n = 4, score = 1100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68fd000000           | push                0xfd

        $sequence_11 = { 50 68???????? ff15???????? 85c0 7505 e8???????? }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   e8????????           |                     

        $sequence_12 = { 8b4508 8b00 99 52 }
            // n = 4, score = 1000
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   99                   | cdq                 
            //   52                   | push                edx

        $sequence_13 = { c705????????01000000 c705????????02000000 8be5 5d c3 55 8bec }
            // n = 7, score = 900
            //   c705????????01000000     |     
            //   c705????????02000000     |     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_14 = { 833d????????00 750a 6a32 ff15???????? }
            // n = 4, score = 800
            //   833d????????00       |                     
            //   750a                 | jne                 0xc
            //   6a32                 | push                0x32
            //   ff15????????         |                     

        $sequence_15 = { e8???????? 6a0c 6a08 ff15???????? 50 ff15???????? }
            // n = 6, score = 800
            //   e8????????           |                     
            //   6a0c                 | push                0xc
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_16 = { 50 6a02 ff15???????? 6888130000 ff15???????? }
            // n = 5, score = 700
            //   50                   | push                eax
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   6888130000           | push                0x1388
            //   ff15????????         |                     

        $sequence_17 = { e8???????? 8d45fc 50 6a01 6a01 6a00 }
            // n = 6, score = 600
            //   e8????????           |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_18 = { 83c00c 99 52 50 }
            // n = 4, score = 600
            //   83c00c               | add                 eax, 0xc
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_19 = { e8???????? 85c0 750c c705????????03000000 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   c705????????03000000     |     

        $sequence_20 = { e8???????? 85c0 740d 6810270000 ff15???????? }
            // n = 5, score = 400
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   6810270000           | push                0x2710
            //   ff15????????         |                     

        $sequence_21 = { 724b 8d4204 3bc8 7344 2bca }
            // n = 5, score = 300
            //   724b                 | jb                  0x4d
            //   8d4204               | lea                 eax, [edx + 4]
            //   3bc8                 | cmp                 ecx, eax
            //   7344                 | jae                 0x46
            //   2bca                 | sub                 ecx, edx

        $sequence_22 = { 03d1 813a50450000 7541 8b82d8000000 03c1 3bd8 7235 }
            // n = 7, score = 300
            //   03d1                 | add                 edx, ecx
            //   813a50450000         | cmp                 dword ptr [edx], 0x4550
            //   7541                 | jne                 0x43
            //   8b82d8000000         | mov                 eax, dword ptr [edx + 0xd8]
            //   03c1                 | add                 eax, ecx
            //   3bd8                 | cmp                 ebx, eax
            //   7235                 | jb                  0x37

        $sequence_23 = { 0f104850 0f114f50 0f104060 0f114760 8b4070 894770 be01000000 }
            // n = 7, score = 300
            //   0f104850             | movups              xmm1, xmmword ptr [eax + 0x50]
            //   0f114f50             | movups              xmmword ptr [edi + 0x50], xmm1
            //   0f104060             | movups              xmm0, xmmword ptr [eax + 0x60]
            //   0f114760             | movups              xmmword ptr [edi + 0x60], xmm0
            //   8b4070               | mov                 eax, dword ptr [eax + 0x70]
            //   894770               | mov                 dword ptr [edi + 0x70], eax
            //   be01000000           | mov                 esi, 1

        $sequence_24 = { 6a01 6a0b 56 ff15???????? 83c420 5e }
            // n = 6, score = 300
            //   6a01                 | push                1
            //   6a0b                 | push                0xb
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83c420               | add                 esp, 0x20
            //   5e                   | pop                 esi

        $sequence_25 = { 0f114710 0f104030 0f114f20 0f104840 0f114730 }
            // n = 5, score = 300
            //   0f114710             | movups              xmmword ptr [edi + 0x10], xmm0
            //   0f104030             | movups              xmm0, xmmword ptr [eax + 0x30]
            //   0f114f20             | movups              xmmword ptr [edi + 0x20], xmm1
            //   0f104840             | movups              xmm1, xmmword ptr [eax + 0x40]
            //   0f114730             | movups              xmmword ptr [edi + 0x30], xmm0

        $sequence_26 = { 0f104840 0f114730 0f104050 0f114f40 }
            // n = 4, score = 300
            //   0f104840             | movups              xmm1, xmmword ptr [eax + 0x40]
            //   0f114730             | movups              xmmword ptr [edi + 0x30], xmm0
            //   0f104050             | movups              xmm0, xmmword ptr [eax + 0x50]
            //   0f114f40             | movups              xmmword ptr [edi + 0x40], xmm1

        $sequence_27 = { 7550 ff15???????? 8bf8 893d???????? }
            // n = 4, score = 300
            //   7550                 | jne                 0x52
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   893d????????         |                     

        $sequence_28 = { 50 6a10 8d45e8 50 68060000c8 56 ff15???????? }
            // n = 7, score = 300
            //   50                   | push                eax
            //   6a10                 | push                0x10
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   68060000c8           | push                0xc8000006
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_29 = { ff15???????? 85c0 7510 8d4864 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   8d4864               | lea                 ecx, [eax + 0x64]

        $sequence_30 = { 7412 83ec0c ba???????? b9???????? e8???????? e8???????? }
            // n = 6, score = 300
            //   7412                 | je                  0x14
            //   83ec0c               | sub                 esp, 0xc
            //   ba????????           |                     
            //   b9????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_31 = { 55 8bec 83ec1c 56 8bf1 85f6 }
            // n = 6, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec1c               | sub                 esp, 0x1c
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   85f6                 | test                esi, esi

        $sequence_32 = { 56 ff15???????? 8b4de8 b84d5a0000 663901 754e 8b513c }
            // n = 7, score = 300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   b84d5a0000           | mov                 eax, 0x5a4d
            //   663901               | cmp                 word ptr [ecx], ax
            //   754e                 | jne                 0x50
            //   8b513c               | mov                 edx, dword ptr [ecx + 0x3c]

        $sequence_33 = { 8bf7 57 81e60000ffff e8???????? 8b4608 83c40c 894738 }
            // n = 7, score = 300
            //   8bf7                 | mov                 esi, edi
            //   57                   | push                edi
            //   81e60000ffff         | and                 esi, 0xffff0000
            //   e8????????           |                     
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   83c40c               | add                 esp, 0xc
            //   894738               | mov                 dword ptr [edi + 0x38], eax

        $sequence_34 = { 8b4c2434 ff15???????? 0fb74c2432 ff15???????? }
            // n = 4, score = 300
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   ff15????????         |                     
            //   0fb74c2432           | movzx               ecx, word ptr [esp + 0x32]
            //   ff15????????         |                     

        $sequence_35 = { 0f104860 0f114750 0f114f60 b801000000 }
            // n = 4, score = 300
            //   0f104860             | movups              xmm1, xmmword ptr [eax + 0x60]
            //   0f114750             | movups              xmmword ptr [edi + 0x50], xmm0
            //   0f114f60             | movups              xmmword ptr [edi + 0x60], xmm1
            //   b801000000           | mov                 eax, 1

        $sequence_36 = { ffc3 83fb0a 7cd5 33c0 }
            // n = 4, score = 300
            //   ffc3                 | inc                 ebx
            //   83fb0a               | cmp                 ebx, 0xa
            //   7cd5                 | jl                  0xffffffd7
            //   33c0                 | xor                 eax, eax

    condition:
        7 of them and filesize < 516096
}
Download all Yara Rules