SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gootkit (Back to overview)

GootKit

aka: Waldek, Xswkit, talalpek
URLhaus      

Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.

References
2021-03-02Twitter (@MsftSecIntel)Microsoft Security Intelligence
@online{intelligence:20210302:gootkit:30182a1, author = {Microsoft Security Intelligence}, title = {{Tweet on Gootkit malware campaign}}, date = {2021-03-02}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1366542130731094021}, language = {English}, urldate = {2021-03-04} } Tweet on Gootkit malware campaign
GootKit
2021-03-02Github (microsoft)Microsoft
@online{microsoft:20210302:microsoft365defenderhuntingqueries:dcc8507, author = {Microsoft}, title = {{Microsoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2}}, date = {2021-03-02}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md}, language = {English}, urldate = {2021-03-04} } Microsoft-365-Defender-Hunting-Queries for hunting Gootkit malware delivery and C2
GootKit
2021-03-01Sophos LabsGabor Szappanos, Andrew Brandt
@online{szappanos:20210301:gootloader:815834d, author = {Gabor Szappanos and Andrew Brandt}, title = {{“Gootloader” expands its payload delivery options}}, date = {2021-03-01}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728}, language = {English}, urldate = {2021-03-02} } “Gootloader” expands its payload delivery options
GootKit
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-19Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20210119:wireshark:be0c831, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Emotet Infection Traffic}}, date = {2021-01-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/}, language = {English}, urldate = {2021-01-21} } Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2020-12-11Trend MicroMarc Lanzendorfer
@online{lanzendorfer:20201211:investigating:273e6fb, author = {Marc Lanzendorfer}, title = {{Investigating the Gootkit Loader}}, date = {2020-12-11}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html}, language = {English}, urldate = {2020-12-14} } Investigating the Gootkit Loader
GootKit
2020-11-30Malwarebyteshasherezade, Jérôme Segura
@online{hasherezade:20201130:german:72b40c6, author = {hasherezade and Jérôme Segura}, title = {{German users targeted with Gootkit banker or REvil ransomware}}, date = {2020-11-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/}, language = {English}, urldate = {2020-12-03} } German users targeted with Gootkit banker or REvil ransomware
GootKit REvil
2020-04-13BlackberryTatsuya Hasegawa, Masaki Kasuya
@online{hasegawa:20200413:threat:57b739e, author = {Tatsuya Hasegawa and Masaki Kasuya}, title = {{Threat Spotlight: Gootkit Banking Trojan}}, date = {2020-04-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan}, language = {English}, urldate = {2020-11-23} } Threat Spotlight: Gootkit Banking Trojan
Azorult GootKit
2019-10-02Dissecting MalwareMarius Genheimer
@online{genheimer:20191002:nicht:20adbf8, author = {Marius Genheimer}, title = {{Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)}}, date = {2019-10-02}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html}, language = {English}, urldate = {2020-03-27} } Nicht so goot - Breaking down Gootkit and Jasper (+ FTCODE)
FTCODE JasperLoader GootKit
2019-08-29SentinelOneDaniel Bunce
@online{bunce:20190829:gootkit:b379f2c, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities}}, date = {2019-08-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/}, language = {English}, urldate = {2020-01-08} } Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
GootKit
2019-08-15SentinelOneDaniel Bunce
@online{bunce:20190815:gootkit:1052b18, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2019-12-20} } Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-08-15Sentinel LABSDaniel Bunce
@online{bunce:20190815:gootkit:480c7e8, author = {Daniel Bunce}, title = {{Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features}}, date = {2019-08-15}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/}, language = {English}, urldate = {2020-06-18} } Gootkit Banking Trojan | Deep Dive into Anti-Analysis Features
GootKit
2019-03-23Open MalwareDanny Quist
@online{quist:20190323:reverse:8c71656, author = {Danny Quist}, title = {{Reverse Engineering Gootkit with Ghidra Part I}}, date = {2019-03-23}, organization = {Open Malware}, url = {https://dannyquist.github.io/gootkit-reversing-ghidra/}, language = {English}, urldate = {2020-11-23} } Reverse Engineering Gootkit with Ghidra Part I
GootKit
2019-02-14CertegoMatteo Lodi
@online{lodi:20190214:malware:93db4e1, author = {Matteo Lodi}, title = {{Malware Tales: Gootkit}}, date = {2019-02-14}, organization = {Certego}, url = {https://www.certego.net/en/news/malware-tales-gootkit/}, language = {English}, urldate = {2020-01-06} } Malware Tales: Gootkit
GootKit
2018-11CERT La PosteChristophe Rieunier, Thomas Dubier
@online{rieunier:201811:analyse:7b29c7d, author = {Christophe Rieunier and Thomas Dubier}, title = {{Analyse du malware bancaire Gootkit et de ses mécanismes de protection}}, date = {2018-11}, organization = {CERT La Poste}, url = {https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection}, language = {French}, urldate = {2020-09-24} } Analyse du malware bancaire Gootkit et de ses mécanismes de protection
GootKit
2018-05-20Youtube (OALabs)Sergei Frankoff
@online{frankoff:20180520:unpacking:7db8c96, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg}}, date = {2018-05-20}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=QgUlPvEE4aw}, language = {English}, urldate = {2020-01-08} } Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
GootKit
2018-03-04Youtube (OALabs)Sergei Frankoff
@online{frankoff:20180304:unpacking:4d7dc7c, author = {Sergei Frankoff}, title = {{Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request}}, date = {2018-03-04}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=242Tn0IL2jE}, language = {English}, urldate = {2020-01-08} } Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request
Cold$eal GootKit
2018-02-13JuniperPaul Kimayong
@online{kimayong:20180213:new:b8d70e2, author = {Paul Kimayong}, title = {{New Gootkit Banking Trojan variant pushes the limits on evasive behavior}}, date = {2018-02-13}, organization = {Juniper}, url = {https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055}, language = {English}, urldate = {2019-12-10} } New Gootkit Banking Trojan variant pushes the limits on evasive behavior
GootKit
2017-03-01SecurityIntelligenceGadi Ostrovsky, Limor Kessem
@online{ostrovsky:20170301:gootkit:ab4991e, author = {Gadi Ostrovsky and Limor Kessem}, title = {{GootKit Developers Dress It Up With Web Traffic Proxy}}, date = {2017-03-01}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/}, language = {English}, urldate = {2020-01-07} } GootKit Developers Dress It Up With Web Traffic Proxy
GootKit
2016-12-01US-CERTUS-CERT
@online{uscert:20161201:alert:b0f05c8, author = {US-CERT}, title = {{Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)}}, date = {2016-12-01}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA16-336A}, language = {English}, urldate = {2020-01-07} } Alert (TA16-336A): Avalanche (crimeware-as-a-service infrastructure)
GootKit
2016-10-27Kaspersky LabsAlexey Shulmin, Sergey Yunakovsky
@online{shulmin:20161027:inside:50f43ed, author = {Alexey Shulmin and Sergey Yunakovsky}, title = {{Inside the Gootkit C&C server}}, date = {2016-10-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/}, language = {English}, urldate = {2019-12-20} } Inside the Gootkit C&C server
GootKit
2016-07-08SecurityIntelligenceLimor Kessem
@online{kessem:20160708:gootkit:ed75518, author = {Limor Kessem}, title = {{GootKit: Bobbing and Weaving to Avoid Prying Eyes}}, date = {2016-07-08}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/}, language = {English}, urldate = {2020-01-07} } GootKit: Bobbing and Weaving to Avoid Prying Eyes
GootKit
2015-04-13CERT Societe GeneraleCERT Societe Generale
@online{generale:20150413:analyzing:2a4956d, author = {CERT Societe Generale}, title = {{Analyzing Gootkit's persistence mechanism (new ASEP inside!)}}, date = {2015-04-13}, organization = {CERT Societe Generale}, url = {http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html}, language = {English}, urldate = {2020-01-13} } Analyzing Gootkit's persistence mechanism (new ASEP inside!)
GootKit
2015-03-30Trend MicroCedric Pernet, Dark Luo
@online{pernet:20150330:fake:3b24447, author = {Cedric Pernet and Dark Luo}, title = {{Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority}}, date = {2015-03-30}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/}, language = {English}, urldate = {2020-01-10} } Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority
GootKit
2014-04-09Dr.WebDr.Web
@online{drweb:20140409:backdoorgootkit112a:b63758d, author = {Dr.Web}, title = {{BackDoor.Gootkit.112—a new multi-purpose backdoor}}, date = {2014-04-09}, organization = {Dr.Web}, url = {https://news.drweb.com/show/?i=4338&lng=en}, language = {English}, urldate = {2019-07-11} } BackDoor.Gootkit.112—a new multi-purpose backdoor
GootKit
Yara Rules
[TLP:WHITE] win_gootkit_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_gootkit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { f7f1 81c260ea0000 52 ff15???????? }
            // n = 4, score = 2000
            //   f7f1                 | div                 ecx
            //   81c260ea0000         | add                 edx, 0xea60
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_1 = { 83ffff 743f 6a00 6a00 ff75f8 57 ff15???????? }
            // n = 7, score = 1700
            //   83ffff               | cmp                 edi, -1
            //   743f                 | je                  0x41
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_2 = { 011c10 8b5dec 115c1004 eb08 }
            // n = 4, score = 1700
            //   011c10               | add                 dword ptr [eax + edx], ebx
            //   8b5dec               | mov                 ebx, dword ptr [ebp - 0x14]
            //   115c1004             | adc                 dword ptr [eax + edx + 4], ebx
            //   eb08                 | jmp                 0xa

        $sequence_3 = { 1adb fec3 6a00 6880000000 6a03 }
            // n = 5, score = 1700
            //   1adb                 | sbb                 bl, bl
            //   fec3                 | inc                 bl
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a03                 | push                3

        $sequence_4 = { 894dec 8d0c1a 894dfc 8945f0 85c0 }
            // n = 5, score = 1700
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8d0c1a               | lea                 ecx, [edx + ebx]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85c0                 | test                eax, eax

        $sequence_5 = { 1bc0 2145fc ff15???????? 8b45fc 5e }
            // n = 5, score = 1700
            //   1bc0                 | sbb                 eax, eax
            //   2145fc               | and                 dword ptr [ebp - 4], eax
            //   ff15????????         |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5e                   | pop                 esi

        $sequence_6 = { 41 3bca 72f2 335df0 6a10 58 50 }
            // n = 7, score = 1700
            //   41                   | inc                 ecx
            //   3bca                 | cmp                 ecx, edx
            //   72f2                 | jb                  0xfffffff4
            //   335df0               | xor                 ebx, dword ptr [ebp - 0x10]
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   50                   | push                eax

        $sequence_7 = { ba64860000 6639540804 7509 8b840888000000 eb04 8b440878 03c1 }
            // n = 7, score = 1700
            //   ba64860000           | mov                 edx, 0x8664
            //   6639540804           | cmp                 word ptr [eax + ecx + 4], dx
            //   7509                 | jne                 0xb
            //   8b840888000000       | mov                 eax, dword ptr [eax + ecx + 0x88]
            //   eb04                 | jmp                 6
            //   8b440878             | mov                 eax, dword ptr [eax + ecx + 0x78]
            //   03c1                 | add                 eax, ecx

        $sequence_8 = { 52 50 8b4510 99 52 50 8b450c }
            // n = 7, score = 1400
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_9 = { f3aa 68???????? ff15???????? 50 }
            // n = 4, score = 1200
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   68????????           |                     
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_10 = { 8b7df4 32c0 8b4de4 f3aa }
            // n = 4, score = 1200
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   32c0                 | xor                 al, al
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_11 = { 50 68???????? ff15???????? 85c0 7505 e8???????? }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   e8????????           |                     

        $sequence_12 = { 50 e8???????? 83c40c 68fd000000 }
            // n = 4, score = 1100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68fd000000           | push                0xfd

        $sequence_13 = { 50 8b4508 8b00 99 52 }
            // n = 5, score = 1000
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   99                   | cdq                 
            //   52                   | push                edx

        $sequence_14 = { c705????????02000000 8be5 5d c3 }
            // n = 4, score = 900
            //   c705????????02000000     |     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_15 = { 7514 c705????????01000000 c705????????02000000 8be5 }
            // n = 4, score = 900
            //   7514                 | jne                 0x16
            //   c705????????01000000     |     
            //   c705????????02000000     |     
            //   8be5                 | mov                 esp, ebp

        $sequence_16 = { e8???????? 6a0c 6a08 ff15???????? }
            // n = 4, score = 800
            //   e8????????           |                     
            //   6a0c                 | push                0xc
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_17 = { 68???????? 51 51 ff15???????? 50 }
            // n = 5, score = 300
            //   68????????           |                     
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   50                   | push                eax

        $sequence_18 = { 53 53 53 8901 }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_19 = { 8b0d???????? 5f a3???????? a1???????? 5e 85c0 }
            // n = 6, score = 200
            //   8b0d????????         |                     
            //   5f                   | pop                 edi
            //   a3????????           |                     
            //   a1????????           |                     
            //   5e                   | pop                 esi
            //   85c0                 | test                eax, eax

        $sequence_20 = { 034e10 8d852cfdffff 898de4fdffff 50 }
            // n = 4, score = 200
            //   034e10               | add                 ecx, dword ptr [esi + 0x10]
            //   8d852cfdffff         | lea                 eax, [ebp - 0x2d4]
            //   898de4fdffff         | mov                 dword ptr [ebp - 0x21c], ecx
            //   50                   | push                eax

        $sequence_21 = { 0f114f20 0f104840 0f114730 0f104050 }
            // n = 4, score = 200
            //   0f114f20             | movups              xmmword ptr [edi + 0x20], xmm1
            //   0f104840             | movups              xmm1, xmmword ptr [eax + 0x40]
            //   0f114730             | movups              xmmword ptr [edi + 0x30], xmm0
            //   0f104050             | movups              xmm0, xmmword ptr [eax + 0x50]

        $sequence_22 = { 0f114730 0f104050 0f114f40 0f104860 0f114750 0f114f60 b801000000 }
            // n = 7, score = 200
            //   0f114730             | movups              xmmword ptr [edi + 0x30], xmm0
            //   0f104050             | movups              xmm0, xmmword ptr [eax + 0x50]
            //   0f114f40             | movups              xmmword ptr [edi + 0x40], xmm1
            //   0f104860             | movups              xmm1, xmmword ptr [eax + 0x60]
            //   0f114750             | movups              xmmword ptr [edi + 0x50], xmm0
            //   0f114f60             | movups              xmmword ptr [edi + 0x60], xmm1
            //   b801000000           | mov                 eax, 1

        $sequence_23 = { 813a50450000 7541 8b82d8000000 03c1 3bd8 7235 8b82dc000000 }
            // n = 7, score = 200
            //   813a50450000         | cmp                 dword ptr [edx], 0x4550
            //   7541                 | jne                 0x43
            //   8b82d8000000         | mov                 eax, dword ptr [edx + 0xd8]
            //   03c1                 | add                 eax, ecx
            //   3bd8                 | cmp                 ebx, eax
            //   7235                 | jb                  0x37
            //   8b82dc000000         | mov                 eax, dword ptr [edx + 0xdc]

        $sequence_24 = { 83faff 7508 ff15???????? 8bd0 }
            // n = 4, score = 200
            //   83faff               | cmp                 edx, -1
            //   7508                 | jne                 0xa
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax

        $sequence_25 = { ff15???????? ffc3 83fb0a 7cd5 33c0 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   ffc3                 | inc                 ebx
            //   83fb0a               | cmp                 ebx, 0xa
            //   7cd5                 | jl                  0xffffffd7
            //   33c0                 | xor                 eax, eax

        $sequence_26 = { 391d???????? 7428 85c0 7424 83ec0c ba???????? b9???????? }
            // n = 7, score = 200
            //   391d????????         |                     
            //   7428                 | je                  0x2a
            //   85c0                 | test                eax, eax
            //   7424                 | je                  0x26
            //   83ec0c               | sub                 esp, 0xc
            //   ba????????           |                     
            //   b9????????           |                     

        $sequence_27 = { 0f104820 0f114710 0f104030 0f114f20 }
            // n = 4, score = 200
            //   0f104820             | movups              xmm1, xmmword ptr [eax + 0x20]
            //   0f114710             | movups              xmmword ptr [edi + 0x10], xmm0
            //   0f104030             | movups              xmm0, xmmword ptr [eax + 0x30]
            //   0f114f20             | movups              xmmword ptr [edi + 0x20], xmm1

        $sequence_28 = { 53 33db e8???????? ff15???????? 8bc8 }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   e8????????           |                     
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_29 = { 0f104850 0f114f50 0f104060 0f114760 8b4070 894770 be01000000 }
            // n = 7, score = 200
            //   0f104850             | movups              xmm1, xmmword ptr [eax + 0x50]
            //   0f114f50             | movups              xmmword ptr [edi + 0x50], xmm1
            //   0f104060             | movups              xmm0, xmmword ptr [eax + 0x60]
            //   0f114760             | movups              xmmword ptr [edi + 0x60], xmm0
            //   8b4070               | mov                 eax, dword ptr [eax + 0x70]
            //   894770               | mov                 dword ptr [edi + 0x70], eax
            //   be01000000           | mov                 esi, 1

        $sequence_30 = { 8b7df4 85ff 7414 57 8bce }
            // n = 5, score = 200
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   85ff                 | test                edi, edi
            //   7414                 | je                  0x16
            //   57                   | push                edi
            //   8bce                 | mov                 ecx, esi

        $sequence_31 = { ff15???????? 8bd0 83fa01 7e18 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8bd0                 | mov                 edx, eax
            //   83fa01               | cmp                 edx, 1
            //   7e18                 | jle                 0x1a

        $sequence_32 = { ff15???????? 85c0 7550 ff15???????? 8bf8 893d???????? }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7550                 | jne                 0x52
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   893d????????         |                     

    condition:
        7 of them and filesize < 516096
}
Download all Yara Rules