win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0), and to Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). Gozi v2.0 came with a webinject module.

References
Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team (2022-05-09). Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself. Microsoft Security. https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC) (2022-05-09). Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself. Microsoft. https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
Mohamad Mokbel (2021-09-03). The State of SSL/TLS Certificate Usage in Malware C&C Communications. Trend Micro technical brief. https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
Catalin Cimpanu (2021-06-30). Gozi malware gang member arrested in Colombia. The Record. https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/
Gozi ISFB
Ron Ben Yizhak (2021-05-26). A Deep Dive into Packing Software CryptOne. DeepInstinct. https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
Kaspersky (2021-03-31). Financial Cyberthreats in 2020. https://securelist.com/financial-cyberthreats-in-2020/101638/
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
Jon Munshaw (2020-12-21). 2020: The year in malware. Cisco Talos. https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
Remi Cohen and Debbie Walkowski (2020-08-09). Banking Trojans: A Reference Guide to the Malware Family Tree. F5 Labs. https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
Matteo Lodi (2020-05-07). Ursnif beacon decryptor. Github (mlodic). https://github.com/mlodic/ursnif_beacon_decryptor
Gozi ISFB
Thomas Barabosch (2020-01-22). The malware analyst’s guide to PE timestamps. https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
SecureWorks (2020). GOLD SWATHMORE. Secureworks threat profile. https://www.secureworks.com/research/threat-profiles/gold-swathmore
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
Maciej Kotowicz (2017-05-29). Gozi Tree. Lokalhost.pl. https://lokalhost.pl/gozi_tree.txt
DreamBot Gozi ISFB Powersniff
Kaoru Hayashi (2017-02-15). Banking Trojans: Ursnif Global Distribution Networks Identified. Palo Alto Networks Unit 42. http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/
Gozi
G Data (2016-11-23). Analysis: Ursnif - spying on your data since 2007. https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007
Gozi
Malware Must Die! (2013-02-03). The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant). http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html
Gozi
Don Jackson (2007-03-20). Gozi Trojan. Secureworks. https://www.secureworks.com/research/gozi
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20220808 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 6a02 ff15???????? 56 6a01 6a02 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   56                   | push                esi
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   ff15????????         |                     

        $sequence_1 = { 895c0108 ff8548ffffff 8b8548ffffff eb93 e8???????? }
            // n = 5, score = 100
            //   895c0108             | mov                 dword ptr [ecx + eax + 8], ebx
            //   ff8548ffffff         | inc                 dword ptr [ebp - 0xb8]
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   eb93                 | jmp                 0xffffff95
            //   e8????????           |                     

        $sequence_2 = { 50 ff7304 ff750c ff7508 e8???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff7304               | push                dword ptr [ebx + 4]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_3 = { 0fbdf1 0fbef4 8af4 d2ee d2ca 84c1 }
            // n = 6, score = 100
            //   0fbdf1               | bsr                 esi, ecx
            //   0fbef4               | movsx               esi, ah
            //   8af4                 | mov                 dh, ah
            //   d2ee                 | shr                 dh, cl
            //   d2ca                 | ror                 dl, cl
            //   84c1                 | test                cl, al

        $sequence_4 = { e8???????? ff75e4 ffd0 c3 6a68 68???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ffd0                 | call                eax
            //   c3                   | ret                 
            //   6a68                 | push                0x68
            //   68????????           |                     

        $sequence_5 = { 51 ff5210 eb40 85c0 }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   ff5210               | call                dword ptr [edx + 0x10]
            //   eb40                 | jmp                 0x42
            //   85c0                 | test                eax, eax

        $sequence_6 = { ff7508 ff95c8f2ffff 6a0a ff15???????? 6a04 e8???????? 59 }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff95c8f2ffff         | call                dword ptr [ebp - 0xd38]
            //   6a0a                 | push                0xa
            //   ff15????????         |                     
            //   6a04                 | push                4
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_7 = { 8945fc 6805010000 6a40 e8???????? 8945f8 6805010000 }
            // n = 6, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6805010000           | push                0x105
            //   6a40                 | push                0x40
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   6805010000           | push                0x105

        $sequence_8 = { 0fb3ce 0fadce 0fbef4 68???????? ff15???????? }
            // n = 5, score = 100
            //   0fb3ce               | btr                 esi, ecx
            //   0fadce               | shrd                esi, ecx, cl
            //   0fbef4               | movsx               esi, ah
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_9 = { e9???????? 8b4d18 e8???????? 894594 895598 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   e8????????           |                     
            //   894594               | mov                 dword ptr [ebp - 0x6c], eax
            //   895598               | mov                 dword ptr [ebp - 0x68], edx

        $sequence_10 = { 41 b87e8da638 e022 3a56b9 036890 2b02 }
            // n = 6, score = 100
            //   41                   | inc                 ecx
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]

        $sequence_11 = { 8b4808 3bcf 7404 8bc1 ebf5 897008 }
            // n = 6, score = 100
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   3bcf                 | cmp                 ecx, edi
            //   7404                 | je                  6
            //   8bc1                 | mov                 eax, ecx
            //   ebf5                 | jmp                 0xfffffff7
            //   897008               | mov                 dword ptr [eax + 8], esi

        $sequence_12 = { 8c6a38 55 f79bfe7ca80d a7 ad b710 }
            // n = 6, score = 100
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10

        $sequence_13 = { d2ca 5f 5e 5b 8be5 }
            // n = 5, score = 100
            //   d2ca                 | ror                 dl, cl
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_14 = { ff10 50 ff75b8 ff7508 e8???????? ff75b8 }
            // n = 6, score = 100
            //   ff10                 | call                dword ptr [eax]
            //   50                   | push                eax
            //   ff75b8               | push                dword ptr [ebp - 0x48]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   ff75b8               | push                dword ptr [ebp - 0x48]

        $sequence_15 = { b2da c0eece 69d502bd8c1f 8af4 b686 }
            // n = 5, score = 100
            //   b2da                 | mov                 dl, 0xda
            //   c0eece               | shr                 dh, 0xce
            //   69d502bd8c1f         | imul                edx, ebp, 0x1f8cbd02
            //   8af4                 | mov                 dh, ah
            //   b686                 | mov                 dh, 0x86

        $sequence_16 = { 0fb3ce 0fbdf1 fece 86d6 69f1aeb998fb feca }
            // n = 6, score = 100
            //   0fb3ce               | btr                 esi, ecx
            //   0fbdf1               | bsr                 esi, ecx
            //   fece                 | dec                 dh
            //   86d6                 | xchg                dh, dl
            //   69f1aeb998fb         | imul                esi, ecx, 0xfb98b9ae
            //   feca                 | dec                 dl

        $sequence_17 = { 95 bf633629a8 02738f 1da2c9dde2 f4 16 }
            // n = 6, score = 100
            //   95                   | xchg                eax, ebp
            //   bf633629a8           | mov                 edi, 0xa8293663
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss

        $sequence_18 = { 57 57 ff15???????? 8d8500ffffff }
            // n = 4, score = 100
            //   57                   | push                edi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8d8500ffffff         | lea                 eax, [ebp - 0x100]

        $sequence_19 = { 96 3b5375 60 d3e0 90 48 }
            // n = 6, score = 100
            //   96                   | xchg                eax, esi
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              
            //   d3e0                 | shl                 eax, cl
            //   90                   | nop                 
            //   48                   | dec                 eax

        $sequence_20 = { 53 ff7510 ff36 e8???????? }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     

        $sequence_21 = { 5d c3 8b04c56cf14300 5d }
            // n = 4, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04c56cf14300       | mov                 eax, dword ptr [eax*8 + 0x43f16c]
            //   5d                   | pop                 ebp

        $sequence_22 = { 63743200 c808bf35 6963c03caff3da c9 50 0c73 0e }
            // n = 7, score = 100
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               
            //   50                   | push                eax
            //   0c73                 | or                  al, 0x73
            //   0e                   | push                cs

        $sequence_23 = { f4 16 ee 7f7b 36110b 33745571 de7e75 }
            // n = 7, score = 100
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]

        $sequence_24 = { 3b45cc 0f8294000000 40 8945c8 8b4dc8 2b4dcc }
            // n = 6, score = 100
            //   3b45cc               | cmp                 eax, dword ptr [ebp - 0x34]
            //   0f8294000000         | jb                  0x9a
            //   40                   | inc                 eax
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   2b4dcc               | sub                 ecx, dword ptr [ebp - 0x34]

        $sequence_25 = { 894588 89558c 8b5588 0b558c 742e }
            // n = 5, score = 100
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   89558c               | mov                 dword ptr [ebp - 0x74], edx
            //   8b5588               | mov                 edx, dword ptr [ebp - 0x78]
            //   0b558c               | or                  edx, dword ptr [ebp - 0x74]
            //   742e                 | je                  0x30

        $sequence_26 = { 51 c1e902 33c0 f3a5 59 83e103 }
            // n = 6, score = 100
            //   51                   | push                ecx
            //   c1e902               | shr                 ecx, 2
            //   33c0                 | xor                 eax, eax
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   59                   | pop                 ecx
            //   83e103               | and                 ecx, 3

        $sequence_27 = { 03d0 03c8 57 8b7e14 03f8 }
            // n = 5, score = 100
            //   03d0                 | add                 edx, eax
            //   03c8                 | add                 ecx, eax
            //   57                   | push                edi
            //   8b7e14               | mov                 edi, dword ptr [esi + 0x14]
            //   03f8                 | add                 edi, eax

        $sequence_28 = { 68???????? ff15???????? ff15???????? 83c578 c9 }
            // n = 5, score = 100
            //   68????????           |                     
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   83c578               | add                 ebp, 0x78
            //   c9                   | leave               

        $sequence_29 = { 10ba810b7f57 a4 8c6a38 55 }
            // n = 4, score = 100
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp

        $sequence_30 = { ffb5c0fdffff 8d8540fdffff 50 ff75dc ffd6 89853cfdffff }
            // n = 6, score = 100
            //   ffb5c0fdffff         | push                dword ptr [ebp - 0x240]
            //   8d8540fdffff         | lea                 eax, [ebp - 0x2c0]
            //   50                   | push                eax
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ffd6                 | call                esi
            //   89853cfdffff         | mov                 dword ptr [ebp - 0x2c4], eax

        $sequence_31 = { e8???????? 6af4 dbe9 68912b4384 2383e08985e4 0572b6e2f4 fd }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6af4                 | push                -0xc
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]
            //   0572b6e2f4           | add                 eax, 0xf4e2b672
            //   fd                   | std                 

    condition:
        7 of them and filesize < 568320
}