win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM'), also known as Papras, was first observed.
It was offered as a CaaS known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM DLL version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0), and to Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Families: AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Families: Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2021-09-03 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
Families: AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-06-30 | The Record | Catalin Cimpanu
@online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} } Gozi malware gang member arrested in Colombia
Families: Gozi ISFB
2021-05-26 | DeepInstinct | Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Families: Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-03-31 | Kaspersky | Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
Families: BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-12-21 | Cisco Talos | Jon Munshaw
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
Families: WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-08-09 | F5 Labs | Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
Families: BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-05-07 | Github (mlodic) | Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Families: Gozi ISFB
2020-01-22 | Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Families: Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
Families: GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2017-05-29 | Lokalhost.pl | Maciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
Families: DreamBot Gozi ISFB Powersniff
2017-02-15 | Palo Alto Networks Unit 42 | Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } Banking Trojans: Ursnif Global Distribution Networks Identified
Families: Gozi
2016-11-23 | G Data | G Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } Analysis: Ursnif - spying on your data since 2007
Families: Gozi
2013-02-03 | Malware Must Die! | Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Families: Gozi
2007-03-20 | Secureworks | Don Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } Gozi Trojan
Families: Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20220516 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b55ac 0b55b0 7420 96 0fc0d6 }
            // n = 5, score = 100
            //   8b55ac               | mov                 edx, dword ptr [ebp - 0x54]
            //   0b55b0               | or                  edx, dword ptr [ebp - 0x50]
            //   7420                 | je                  0x22
            //   96                   | xchg                eax, esi
            //   0fc0d6               | xadd                dh, dl

        $sequence_1 = { 0fbdf1 f6c5be d2ca 86d6 }
            // n = 4, score = 100
            //   0fbdf1               | bsr                 esi, ecx
            //   f6c5be               | test                ch, 0xbe
            //   d2ca                 | ror                 dl, cl
            //   86d6                 | xchg                dh, dl

        $sequence_2 = { f3a5 8bcb f3a4 5f 5e 5b }
            // n = 6, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bcb                 | mov                 ecx, ebx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_3 = { e8???????? ff7014 e8???????? 89b504f4ffff 56 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   ff7014               | push                dword ptr [eax + 0x14]
            //   e8????????           |                     
            //   89b504f4ffff         | mov                 dword ptr [ebp - 0xbfc], esi
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_4 = { b87e8da638 e022 3a56b9 036890 }
            // n = 4, score = 100
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]

        $sequence_5 = { 2b02 9a102a6715fb53 31db b0a6 46 312d???????? ca065b }
            // n = 7, score = 100
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi
            //   312d????????         |                     
            //   ca065b               | retf                0x5b06

        $sequence_6 = { 80bd7dfdffff01 0f851affffff 895db8 8d45b8 }
            // n = 4, score = 100
            //   80bd7dfdffff01       | cmp                 byte ptr [ebp - 0x283], 1
            //   0f851affffff         | jne                 0xffffff20
            //   895db8               | mov                 dword ptr [ebp - 0x48], ebx
            //   8d45b8               | lea                 eax, [ebp - 0x48]

        $sequence_7 = { 7415 53 53 8d85d0f4ffff 50 ffb538f4ffff }
            // n = 6, score = 100
            //   7415                 | je                  0x17
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8d85d0f4ffff         | lea                 eax, [ebp - 0xb30]
            //   50                   | push                eax
            //   ffb538f4ffff         | push                dword ptr [ebp - 0xbc8]

        $sequence_8 = { 33745571 de7e75 cd18 4a 51 d2b8c512294e }
            // n = 6, score = 100
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]
            //   cd18                 | int                 0x18
            //   4a                   | dec                 edx
            //   51                   | push                ecx
            //   d2b8c512294e         | sar                 byte ptr [eax + 0x4e2912c5], cl

        $sequence_9 = { 85c0 0f94c3 ff75fc e8???????? 8bc3 5b }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   0f94c3               | sete                bl
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx

        $sequence_10 = { ff7028 e8???????? 85c0 0f84aa000000 c785a8fcffff00010000 8d85a8fcffff }
            // n = 6, score = 100
            //   ff7028               | push                dword ptr [eax + 0x28]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84aa000000         | je                  0xb0
            //   c785a8fcffff00010000     | mov    dword ptr [ebp - 0x358], 0x100
            //   8d85a8fcffff         | lea                 eax, [ebp - 0x358]

        $sequence_11 = { 8365fc00 bf???????? 57 8b35???????? }
            // n = 4, score = 100
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   bf????????           |                     
            //   57                   | push                edi
            //   8b35????????         |                     

        $sequence_12 = { 8995ccfeffff 8b95c8feffff 0b95ccfeffff 7427 }
            // n = 4, score = 100
            //   8995ccfeffff         | mov                 dword ptr [ebp - 0x134], edx
            //   8b95c8feffff         | mov                 edx, dword ptr [ebp - 0x138]
            //   0b95ccfeffff         | or                  edx, dword ptr [ebp - 0x134]
            //   7427                 | je                  0x29

        $sequence_13 = { e8???????? 0bc0 7412 50 50 ff7510 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7412                 | je                  0x14
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_14 = { e8???????? 50 8d85dcfaffff 50 8d85d0f8ffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d85dcfaffff         | lea                 eax, [ebp - 0x524]
            //   50                   | push                eax
            //   8d85d0f8ffff         | lea                 eax, [ebp - 0x730]

        $sequence_15 = { 837df800 750f ff35???????? 8f0485fad24000 eb23 8b45f8 }
            // n = 6, score = 100
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   750f                 | jne                 0x11
            //   ff35????????         |                     
            //   8f0485fad24000       | pop                 dword ptr [eax*4 + 0x40d2fa]
            //   eb23                 | jmp                 0x25
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_16 = { 8945d4 8b4dd4 3b4ddc 0f83c3000000 8b55d4 }
            // n = 5, score = 100
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   3b4ddc               | cmp                 ecx, dword ptr [ebp - 0x24]
            //   0f83c3000000         | jae                 0xc9
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]

        $sequence_17 = { ff7510 ff750c ff7508 8d8701050000 }
            // n = 4, score = 100
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d8701050000         | lea                 eax, [edi + 0x501]

        $sequence_18 = { 0f8e4b010000 8b5530 52 8b4520 50 }
            // n = 5, score = 100
            //   0f8e4b010000         | jle                 0x151
            //   8b5530               | mov                 edx, dword ptr [ebp + 0x30]
            //   52                   | push                edx
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   50                   | push                eax

        $sequence_19 = { 8b4dec 2b4d20 83c101 51 8d4da0 }
            // n = 5, score = 100
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   2b4d20               | sub                 ecx, dword ptr [ebp + 0x20]
            //   83c101               | add                 ecx, 1
            //   51                   | push                ecx
            //   8d4da0               | lea                 ecx, [ebp - 0x60]

        $sequence_20 = { 3b5375 60 d3e0 90 }
            // n = 4, score = 100
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              
            //   d3e0                 | shl                 eax, cl
            //   90                   | nop                 

        $sequence_21 = { e8???????? 0bc0 746b 59 2b4dfc }
            // n = 5, score = 100
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   746b                 | je                  0x6d
            //   59                   | pop                 ecx
            //   2b4dfc               | sub                 ecx, dword ptr [ebp - 4]

        $sequence_22 = { 0fadce c0cac2 8af4 f6c566 69d51a756497 69f10e99f8db }
            // n = 6, score = 100
            //   0fadce               | shrd                esi, ecx, cl
            //   c0cac2               | ror                 dl, 0xc2
            //   8af4                 | mov                 dh, ah
            //   f6c566               | test                ch, 0x66
            //   69d51a756497         | imul                edx, ebp, 0x9764751a
            //   69f10e99f8db         | imul                esi, ecx, 0xdbf8990e

        $sequence_23 = { 6a61 5e 03d6 52 }
            // n = 4, score = 100
            //   6a61                 | push                0x61
            //   5e                   | pop                 esi
            //   03d6                 | add                 edx, esi
            //   52                   | push                edx

        $sequence_24 = { dbe9 68912b4384 2383e08985e4 0572b6e2f4 fd }
            // n = 5, score = 100
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]
            //   0572b6e2f4           | add                 eax, 0xf4e2b672
            //   fd                   | std                 

        $sequence_25 = { 6a00 68cee6ac00 52 50 e8???????? 898538fbffff }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   68cee6ac00           | push                0xace6ce
            //   52                   | push                edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   898538fbffff         | mov                 dword ptr [ebp - 0x4c8], eax

        $sequence_26 = { bf633629a8 02738f 1da2c9dde2 f4 16 }
            // n = 5, score = 100
            //   bf633629a8           | mov                 edi, 0xa8293663
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss

        $sequence_27 = { 33c0 8908 50 45 43 6f 6d }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   8908                 | mov                 dword ptr [eax], ecx
            //   50                   | push                eax
            //   45                   | inc                 ebp
            //   43                   | inc                 ebx
            //   6f                   | outsd               dx, dword ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx

        $sequence_28 = { 8f85fcfbffff 8d85f4fbffff 50 6a00 6a4a }
            // n = 5, score = 100
            //   8f85fcfbffff         | pop                 dword ptr [ebp - 0x404]
            //   8d85f4fbffff         | lea                 eax, [ebp - 0x40c]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a4a                 | push                0x4a

        $sequence_29 = { 397844 7e26 33f6 e8???????? 8b4048 ff3430 53 }
            // n = 7, score = 100
            //   397844               | cmp                 dword ptr [eax + 0x44], edi
            //   7e26                 | jle                 0x28
            //   33f6                 | xor                 esi, esi
            //   e8????????           |                     
            //   8b4048               | mov                 eax, dword ptr [eax + 0x48]
            //   ff3430               | push                dword ptr [eax + esi]
            //   53                   | push                ebx

        $sequence_30 = { 0f8478010000 837de000 0f846e010000 68???????? ff75fc e8???????? 85c0 }
            // n = 7, score = 100
            //   0f8478010000         | je                  0x17e
            //   837de000             | cmp                 dword ptr [ebp - 0x20], 0
            //   0f846e010000         | je                  0x174
            //   68????????           |                     
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_31 = { f4 16 ee 7f7b 36110b 33745571 de7e75 }
            // n = 7, score = 100
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]

    condition:
        7 of them and filesize < 568320
}