win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM DLL version was leaked. Two lines descend from that leak: Vawtrak/Neverquest (in combination with Pony), via Gozi Prinimalka (a slightly modified Gozi v1.0), and Gozi v2.0 (aka 'Gozi ISFB', 'ISFB' or Pandemyia). The v2.0 line came with a webinject module.

References
2023-03-19  @0xToxin (0xToxin Labs)
  Gozi - Italian ShellCode Dance
  https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/ (accessed 2023-05-17)
  Tags: Gozi, ISFB

2022-10-24  Benoît Ancel (Medium CSIS Techblog)
  Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.
  https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef (accessed 2023-05-02)
  Tags: Gozi, ISFB, Snifula

2022-05-09  Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team (Microsoft Security)
  Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ (accessed 2022-06-02)
  Tags: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-05-09  Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) (Microsoft)
  Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself (accessed 2022-05-17)
  Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2021-09-03  Mohamad Mokbel (Trend Micro, technical report)
  The State of SSL/TLS Certificate Usage in Malware C&C Communications
  https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf (accessed 2021-09-19)
  Tags: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-06-30  Catalin Cimpanu (The Record)
  Gozi malware gang member arrested in Colombia
  https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/ (accessed 2021-07-02)
  Tags: Gozi, ISFB

2021-05-26  Ron Ben Yizhak (DeepInstinct)
  A Deep Dive into Packing Software CryptOne
  https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ (accessed 2021-06-22)
  Tags: Cobalt Strike, Dridex, Emotet, Gozi, ISFB, Mailto, QakBot, SmokeLoader, WastedLocker, Zloader

2021-03-31  Kaspersky
  Financial Cyberthreats in 2020
  https://securelist.com/financial-cyberthreats-in-2020/101638/ (accessed 2021-04-06)
  Tags: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2020-12-21  Jon Munshaw (Cisco Talos)
  2020: The year in malware
  https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html (accessed 2020-12-26)
  Tags: WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-08-09  Remi Cohen, Debbie Walkowski (F5 Labs)
  Banking Trojans: A Reference Guide to the Malware Family Tree
  https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree (accessed 2021-06-29)
  Tags: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-05-07  Matteo Lodi (Github (mlodic))
  Ursnif beacon decryptor
  https://github.com/mlodic/ursnif_beacon_decryptor (accessed 2020-05-07)
  Tags: Gozi, ISFB

2020-01-22  Thomas Barabosch
  The malware analyst’s guide to PE timestamps
  https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ (accessed 2021-01-25)
  Tags: Azorult, Gozi, IcedID, ISFB, LOLSnif, SUNBURST, TEARDROP

2020  SecureWorks (Secureworks)
  GOLD SWATHMORE
  https://www.secureworks.com/research/threat-profiles/gold-swathmore (accessed 2020-05-23)
  Tags: GlobeImposter, Gozi, IcedID, TrickBot, LUNAR SPIDER

2017-05-29  Maciej Kotowicz (Lokalhost.pl)
  Gozi Tree
  https://lokalhost.pl/gozi_tree.txt (accessed 2020-01-08)
  Tags: DreamBot, Gozi, ISFB, Powersniff

2017-02-15  Kaoru Hayashi (Palo Alto Networks Unit 42)
  Banking Trojans: Ursnif Global Distribution Networks Identified
  http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ (accessed 2019-10-25)
  Tags: Gozi

2016-11-23  G Data
  Analysis: Ursnif - spying on your data since 2007
  https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 (accessed 2020-01-10)
  Tags: Gozi

2013-02-03  Malware Must Die!
  The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
  http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html (accessed 2019-07-11)
  Tags: Gozi

2007-03-20  Don Jackson (Secureworks)
  Gozi Trojan
  https://www.secureworks.com/research/gozi (accessed 2020-01-10)
  Tags: Gozi
Yara Rules
win_gozi_auto (TLP:WHITE, Malpedia version 20230407): Detects win.gozi.
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-29"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 6a00 8d4da0 e8???????? 50 e8???????? }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   8d4da0               | lea                 ecx, [ebp - 0x60]
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { 55 f79bfe7ca80d a7 ad b710 2dc7ce5bbb d6 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7
            //   d6                   | salc                

        $sequence_2 = { 57 56 56 68???????? ff75dc ff15???????? }
            // n = 6, score = 100
            //   57                   | push                edi
            //   56                   | push                esi
            //   56                   | push                esi
            //   68????????           |                     
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff15????????         |                     

        $sequence_3 = { 90 48 9e c1905ffb6daf6b }
            // n = 4, score = 100
            //   90                   | nop                 
            //   48                   | dec                 eax
            //   9e                   | sahf                
            //   c1905ffb6daf6b       | rcl                 dword ptr [eax - 0x509204a1], 0x6b

        $sequence_4 = { 8ee1 54 257c693a5c 48 fb }
            // n = 5, score = 100
            //   8ee1                 | mov                 fs, ecx
            //   54                   | push                esp
            //   257c693a5c           | and                 eax, 0x5c3a697c
            //   48                   | dec                 eax
            //   fb                   | sti                 

        $sequence_5 = { e9???????? 68b37418e6 ff35???????? e8???????? 894590 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   68b37418e6           | push                0xe61874b3
            //   ff35????????         |                     
            //   e8????????           |                     
            //   894590               | mov                 dword ptr [ebp - 0x70], eax

        $sequence_6 = { 75e9 e8???????? 5b 5e c9 c20400 }
            // n = 6, score = 100
            //   75e9                 | jne                 0xffffffeb
            //   e8????????           |                     
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20400               | ret                 4

        $sequence_7 = { c0ee1e 0fca f6c172 8af4 c0eef6 }
            // n = 5, score = 100
            //   c0ee1e               | shr                 dh, 0x1e
            //   0fca                 | bswap               edx
            //   f6c172               | test                cl, 0x72
            //   8af4                 | mov                 dh, ah
            //   c0eef6               | shr                 dh, 0xf6

        $sequence_8 = { 10ba810b7f57 a4 8c6a38 55 f79bfe7ca80d a7 }
            // n = 6, score = 100
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]

        $sequence_9 = { 6a29 ffb5d4f2ffff ff7508 ffd6 33c0 }
            // n = 5, score = 100
            //   6a29                 | push                0x29
            //   ffb5d4f2ffff         | push                dword ptr [ebp - 0xd2c]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd6                 | call                esi
            //   33c0                 | xor                 eax, eax

        $sequence_10 = { e8???????? 83c418 e9???????? 837d0803 751f }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   e9????????           |                     
            //   837d0803             | cmp                 dword ptr [ebp + 8], 3
            //   751f                 | jne                 0x21

        $sequence_11 = { 5c 3c32 7e02 19c1 a6 }
            // n = 5, score = 100
            //   5c                   | pop                 esp
            //   3c32                 | cmp                 al, 0x32
            //   7e02                 | jle                 4
            //   19c1                 | sbb                 ecx, eax
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]

        $sequence_12 = { 51 51 8365fc00 56 8b7508 807e1400 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   807e1400             | cmp                 byte ptr [esi + 0x14], 0

        $sequence_13 = { 751e ff45f4 25ff0f0000 0301 }
            // n = 4, score = 100
            //   751e                 | jne                 0x20
            //   ff45f4               | inc                 dword ptr [ebp - 0xc]
            //   25ff0f0000           | and                 eax, 0xfff
            //   0301                 | add                 eax, dword ptr [ecx]

        $sequence_14 = { ae 85729b 7a47 43 c571d5 }
            // n = 5, score = 100
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   85729b               | test                dword ptr [edx - 0x65], esi
            //   7a47                 | jp                  0x49
            //   43                   | inc                 ebx
            //   c571d5               | lds                 esi, ptr [ecx - 0x2b]

        $sequence_15 = { 8b4de4 83c104 894de4 8b55e0 83c202 8955e0 8b45fc }
            // n = 7, score = 100
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83c104               | add                 ecx, 4
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   83c202               | add                 edx, 2
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_16 = { 0fb3ce feca 80ca32 69f1a6d150d3 }
            // n = 4, score = 100
            //   0fb3ce               | btr                 esi, ecx
            //   feca                 | dec                 dl
            //   80ca32               | or                  dl, 0x32
            //   69f1a6d150d3         | imul                esi, ecx, 0xd350d1a6

        $sequence_17 = { ff750c ff7508 e8???????? 683e010000 6a40 e8???????? }
            // n = 6, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   683e010000           | push                0x13e
            //   6a40                 | push                0x40
            //   e8????????           |                     

        $sequence_18 = { 8945f0 eb02 33d2 8b4f15 }
            // n = 4, score = 100
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   eb02                 | jmp                 4
            //   33d2                 | xor                 edx, edx
            //   8b4f15               | mov                 ecx, dword ptr [edi + 0x15]

        $sequence_19 = { 12a502b346d1 41 b87e8da638 e022 3a56b9 036890 2b02 }
            // n = 7, score = 100
            //   12a502b346d1         | adc                 ah, byte ptr [ebp - 0x2eb94cfe]
            //   41                   | inc                 ecx
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]

        $sequence_20 = { 8d4dbc 51 50 ff15???????? 8945dc 83f8ff 0f84b9feffff }
            // n = 7, score = 100
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   83f8ff               | cmp                 eax, -1
            //   0f84b9feffff         | je                  0xfffffebf

        $sequence_21 = { ff4508 837d080c 894dec 8d8c0de4feffff 8a11 8810 }
            // n = 6, score = 100
            //   ff4508               | inc                 dword ptr [ebp + 8]
            //   837d080c             | cmp                 dword ptr [ebp + 8], 0xc
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8d8c0de4feffff       | lea                 ecx, [ebp + ecx - 0x11c]
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   8810                 | mov                 byte ptr [eax], dl

        $sequence_22 = { 02738f 1da2c9dde2 f4 16 ee }
            // n = 5, score = 100
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al

        $sequence_23 = { 8dbdc0feffff f3ab 33f6 89b5b8feffff 8975fc 684fd1c15b ff35???????? }
            // n = 7, score = 100
            //   8dbdc0feffff         | lea                 edi, [ebp - 0x140]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   33f6                 | xor                 esi, esi
            //   89b5b8feffff         | mov                 dword ptr [ebp - 0x148], esi
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   684fd1c15b           | push                0x5bc1d14f
            //   ff35????????         |                     

        $sequence_24 = { 59 7e14 83c606 8d0c30 3b4d10 }
            // n = 5, score = 100
            //   59                   | pop                 ecx
            //   7e14                 | jle                 0x16
            //   83c606               | add                 esi, 6
            //   8d0c30               | lea                 ecx, [eax + esi]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]

        $sequence_25 = { 0f85c1000000 889d94fdffff 6a40 59 }
            // n = 4, score = 100
            //   0f85c1000000         | jne                 0xc7
            //   889d94fdffff         | mov                 byte ptr [ebp - 0x26c], bl
            //   6a40                 | push                0x40
            //   59                   | pop                 ecx

        $sequence_26 = { 57 894dec a1???????? 8b0d???????? 6a00 68f80a0000 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   6a00                 | push                0
            //   68f80a0000           | push                0xaf8

        $sequence_27 = { 4e 0fbef4 0fbdf1 0fce 2af4 4e }
            // n = 6, score = 100
            //   4e                   | dec                 esi
            //   0fbef4               | movsx               esi, ah
            //   0fbdf1               | bsr                 esi, ecx
            //   0fce                 | bswap               esi
            //   2af4                 | sub                 dh, ah
            //   4e                   | dec                 esi

        $sequence_28 = { 894208 8d45dc 50 8b4d08 }
            // n = 4, score = 100
            //   894208               | mov                 dword ptr [edx + 8], eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_29 = { c3 8b4134 8b4924 8b00 }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   8b4134               | mov                 eax, dword ptr [ecx + 0x34]
            //   8b4924               | mov                 ecx, dword ptr [ecx + 0x24]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_30 = { feca 0fca 80ca4a 0fb3ce }
            // n = 4, score = 100
            //   feca                 | dec                 dl
            //   0fca                 | bswap               edx
            //   80ca4a               | or                  dl, 0x4a
            //   0fb3ce               | btr                 esi, ecx

    condition:
        7 of them and filesize < 568320
}
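As an added illustration (not part of the Malpedia page or the yara-signator project), the following Python evaluates a subset of the rule's wildcarded hex strings and its "7 of them and filesize < 568320" condition over constructed buffers, to show how the auto-generated sequences are matched; in practice the rule is compiled and run with YARA (or yara-python), this only models the semantics. The eight sequences are copied from the rule above; the sample buffers and the 0x90/0xcc filler bytes are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Subset of the hex strings from win_gozi_auto above; '??' is YARA's one-byte wildcard.
SEQUENCES: Dict[str, str] = {
    "sequence_0":  "51 6a00 8d4da0 e8???????? 50 e8????????",
    "sequence_6":  "75e9 e8???????? 5b 5e c9 c20400",
    "sequence_9":  "6a29 ffb5d4f2ffff ff7508 ffd6 33c0",
    "sequence_12": "51 51 8365fc00 56 8b7508 807e1400",
    "sequence_13": "751e ff45f4 25ff0f0000 0301",
    "sequence_15": "8b4de4 83c104 894de4 8b55e0 83c202 8955e0 8b45fc",
    "sequence_17": "ff750c ff7508 e8???????? 683e010000 6a40 e8????????",
    "sequence_20": "8d4dbc 51 50 ff15???????? 8945dc 83f8ff 0f84b9feffff",
}
FILESIZE_LIMIT = 568320   # from the rule condition: filesize < 568320
MIN_MATCHES = 7           # from the rule condition: 7 of them


def _tokens(hex_string: str) -> List[str]:
    """Split 'e8???????? 50' into two-character tokens: ['e8', '??', '??', '??', '??', '50']."""
    compact = hex_string.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    return [compact[i:i + 2] for i in range(0, len(compact), 2)]


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA hex string into a bytes regex: literal bytes stay literal,
    '??' becomes '.' (any single byte). Nibble wildcards such as '?0' are not handled."""
    parts = []
    for tok in _tokens(hex_string):
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a


COMPILED = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data: bytes) -> List[str]:
    """Names of the sequences found anywhere in data (YARA's 'them' set)."""
    return [name for name, pat in COMPILED.items() if pat.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate '7 of them and filesize < 568320' for the subset above."""
    return len(data) < FILESIZE_LIMIT and len(matching_sequences(data)) >= MIN_MATCHES


def hex_string_to_bytes(hex_string: str, fill: int = 0x90) -> bytes:
    """Instantiate a hex string for a test buffer, substituting `fill` for each '??'."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in _tokens(hex_string))


# Constructed inputs (not real samples): every sequence, separated by 0xcc padding ...
SAMPLE_HIT = b"\x00" * 64 + b"\xcc".join(hex_string_to_bytes(h) for h in SEQUENCES.values())
# ... and only the first six, which stays below the '7 of them' threshold.
SAMPLE_MISS = b"\xcc".join(hex_string_to_bytes(h) for h in list(SEQUENCES.values())[:6])

if __name__ == "__main__":
    print("hit:", matching_sequences(SAMPLE_HIT), rule_matches(SAMPLE_HIT))
    print("miss:", matching_sequences(SAMPLE_MISS), rule_matches(SAMPLE_MISS))
```

Because the sequences carry `??` wildcards over call and data-reference operands, the same strings keep matching across rebuilt samples where only addresses changed, which is the point of the yara-signator selection described in the rule's disclaimer.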