win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM', aka Papras) was first observed.
It was offered as crimeware-as-a-service (CaaS) under the name 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 therefore inherited a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of one particular Gozi CRM DLL version was leaked. Two lines descend from that leak: Gozi Prinimalka (a slightly modified Gozi v1.0), which in combination with Pony led to Vawtrak/Neverquest, and Gozi v2.0 (aka 'Gozi ISFB', aka 'ISFB', aka Pandemyia). Gozi v2.0 came with a webinject module.

References

2023-07-18  Kostas (Kostas TS): Ursnif VS Italy: Il PDF del Destino
            https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072 (accessed 2023-07-20)
            Related: Gozi, ISFB, Snifula

2023-03-19  @0xToxin (0xToxin Labs): Gozi - Italian ShellCode Dance
            https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/ (accessed 2023-05-17)
            Related: Gozi, ISFB

2022-10-24  Benoît Ancel (Medium CSIS Techblog): Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.
            https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef (accessed 2023-05-02)
            Related: Gozi, ISFB, Snifula

2022-05-09  Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) (Microsoft): Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
            https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself (accessed 2022-05-17)
            Related: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-05-09  Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team (Microsoft Security): Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
            https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ (accessed 2022-06-02)
            Related: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2021-09-03  Mohamad Mokbel (Trend Micro): The State of SSL/TLS Certificate Usage in Malware C&C Communications (technical brief)
            https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf (accessed 2021-09-19)
            Related: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-06-30  Catalin Cimpanu (The Record): Gozi malware gang member arrested in Colombia
            https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/ (accessed 2021-07-02)
            Related: Gozi, ISFB

2021-05-26  Ron Ben Yizhak (DeepInstinct): A Deep Dive into Packing Software CryptOne
            https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ (accessed 2021-06-22)
            Related: Cobalt Strike, Dridex, Emotet, Gozi, ISFB, Mailto, QakBot, SmokeLoader, WastedLocker, Zloader

2021-03-31  Kaspersky: Financial Cyberthreats in 2020
            https://securelist.com/financial-cyberthreats-in-2020/101638/ (accessed 2021-04-06)
            Related: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2020-12-21  Jon Munshaw (Cisco Talos): 2020: The year in malware
            https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html (accessed 2020-12-26)
            Related: WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-08-09  Remi Cohen, Debbie Walkowski (F5 Labs): Banking Trojans: A Reference Guide to the Malware Family Tree
            https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree (accessed 2021-06-29)
            Related: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-05-07  Matteo Lodi (Github, mlodic): Ursnif beacon decryptor
            https://github.com/mlodic/ursnif_beacon_decryptor (accessed 2020-05-07)
            Related: Gozi, ISFB

2020-01-22  Thomas Barabosch: The malware analyst's guide to PE timestamps
            https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ (accessed 2021-01-25)
            Related: Azorult, Gozi, IcedID, ISFB, LOLSnif, SUNBURST, TEARDROP

2020        Secureworks: GOLD SWATHMORE
            https://www.secureworks.com/research/threat-profiles/gold-swathmore (accessed 2020-05-23)
            Related: GlobeImposter, Gozi, IcedID, TrickBot, LUNAR SPIDER

2017-05-29  Maciej Kotowicz (Lokalhost.pl): Gozi Tree
            https://lokalhost.pl/gozi_tree.txt (accessed 2020-01-08)
            Related: DreamBot, Gozi, ISFB, Powersniff

2017-02-15  Kaoru Hayashi (Palo Alto Networks Unit 42): Banking Trojans: Ursnif Global Distribution Networks Identified
            http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ (accessed 2019-10-25)
            Related: Gozi

2016-11-23  G Data: Analysis: Ursnif - spying on your data since 2007
            https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 (accessed 2020-01-10)
            Related: Gozi

2013-02-03  Malware Must Die!: The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
            http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html (accessed 2019-07-11)
            Related: Gozi

2007-03-20  Don Jackson (Secureworks): Gozi Trojan
            https://www.secureworks.com/research/gozi (accessed 2020-01-10)
            Related: Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20230715 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75dc 8f05???????? eb54 68???????? e8???????? }
            // n = 5, score = 100
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   8f05????????         |                     
            //   eb54                 | jmp                 0x56
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_1 = { de7e75 cd18 4a 51 d2b8c512294e 8c8873cd58c8 17 }
            // n = 7, score = 100
            //   de7e75               | fidivr              word ptr [esi + 0x75]
            //   cd18                 | int                 0x18
            //   4a                   | dec                 edx
            //   51                   | push                ecx
            //   d2b8c512294e         | sar                 byte ptr [eax + 0x4e2912c5], cl
            //   8c8873cd58c8         | mov                 word ptr [eax - 0x37a7328d], cs
            //   17                   | pop                 ss

        $sequence_2 = { 3bde 59 7505 83c8ff eb41 53 ff75f8 }
            // n = 7, score = 100
            //   3bde                 | cmp                 ebx, esi
            //   59                   | pop                 ecx
            //   7505                 | jne                 7
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb41                 | jmp                 0x43
            //   53                   | push                ebx
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_3 = { 50 e8???????? 5f 5e 83c570 c9 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   83c570               | add                 ebp, 0x70
            //   c9                   | leave               

        $sequence_4 = { fece 56 d2ca 0fbed0 }
            // n = 4, score = 100
            //   fece                 | dec                 dh
            //   56                   | push                esi
            //   d2ca                 | ror                 dl, cl
            //   0fbed0               | movsx               edx, al

        $sequence_5 = { 50 e8???????? 3b457c 8b4d78 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   3b457c               | cmp                 eax, dword ptr [ebp + 0x7c]
            //   8b4d78               | mov                 ecx, dword ptr [ebp + 0x78]

        $sequence_6 = { 55 8bec 8d8742050000 8b00 }
            // n = 4, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8d8742050000         | lea                 eax, [edi + 0x542]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_7 = { 6802000080 ff15???????? 85c0 7515 8d45e4 50 }
            // n = 6, score = 100
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7515                 | jne                 0x17
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_8 = { 3a56b9 036890 2b02 9a102a6715fb53 31db b0a6 46 }
            // n = 7, score = 100
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi

        $sequence_9 = { c1e606 033485e00c4400 c745e401000000 33db 395e08 }
            // n = 5, score = 100
            //   c1e606               | shl                 esi, 6
            //   033485e00c4400       | add                 esi, dword ptr [eax*4 + 0x440ce0]
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   33db                 | xor                 ebx, ebx
            //   395e08               | cmp                 dword ptr [esi + 8], ebx

        $sequence_10 = { 0facea12 f6de 0fbaf696 8b4de8 894dfc 8b55f4 }
            // n = 6, score = 100
            //   0facea12             | shrd                edx, ebp, 0x12
            //   f6de                 | neg                 dh
            //   0fbaf696             | btr                 esi, 0x96
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_11 = { b6c6 e8???????? 6af4 dbe9 68912b4384 2383e08985e4 }
            // n = 6, score = 100
            //   b6c6                 | mov                 dh, 0xc6
            //   e8????????           |                     
            //   6af4                 | push                -0xc
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]

        $sequence_12 = { 895590 8b558c 0b5590 742a }
            // n = 4, score = 100
            //   895590               | mov                 dword ptr [ebp - 0x70], edx
            //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]
            //   0b5590               | or                  edx, dword ptr [ebp - 0x70]
            //   742a                 | je                  0x2c

        $sequence_13 = { d3e0 90 48 9e c1905ffb6daf6b }
            // n = 5, score = 100
            //   d3e0                 | shl                 eax, cl
            //   90                   | nop                 
            //   48                   | dec                 eax
            //   9e                   | sahf                
            //   c1905ffb6daf6b       | rcl                 dword ptr [eax - 0x509204a1], 0x6b

        $sequence_14 = { 33db 56 895df4 e8???????? 8b7d08 8b8788000000 }
            // n = 6, score = 100
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   e8????????           |                     
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b8788000000         | mov                 eax, dword ptr [edi + 0x88]

        $sequence_15 = { 8b7508 c7465cf8934300 83660800 33ff }
            // n = 4, score = 100
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   c7465cf8934300       | mov                 dword ptr [esi + 0x5c], 0x4393f8
            //   83660800             | and                 dword ptr [esi + 8], 0
            //   33ff                 | xor                 edi, edi

        $sequence_16 = { 89843d64fcffff 83c704 83c64c ff4dfc 75da }
            // n = 5, score = 100
            //   89843d64fcffff       | mov                 dword ptr [ebp + edi - 0x39c], eax
            //   83c704               | add                 edi, 4
            //   83c64c               | add                 esi, 0x4c
            //   ff4dfc               | dec                 dword ptr [ebp - 4]
            //   75da                 | jne                 0xffffffdc

        $sequence_17 = { 8b7804 897de4 e8???????? 8b5808 895de0 c745fc01000000 }
            // n = 6, score = 100
            //   8b7804               | mov                 edi, dword ptr [eax + 4]
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   e8????????           |                     
            //   8b5808               | mov                 ebx, dword ptr [eax + 8]
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_18 = { e8???????? 8945bc 8955c0 ff75c0 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   8955c0               | mov                 dword ptr [ebp - 0x40], edx
            //   ff75c0               | push                dword ptr [ebp - 0x40]

        $sequence_19 = { 4e 0fb3ce 0fbaf6b6 0ad0 8ad0 }
            // n = 5, score = 100
            //   4e                   | dec                 esi
            //   0fb3ce               | btr                 esi, ecx
            //   0fbaf6b6             | btr                 esi, 0xb6
            //   0ad0                 | or                  dl, al
            //   8ad0                 | mov                 dl, al

        $sequence_20 = { d2ee b65e feca 0fbaf2a2 b616 }
            // n = 5, score = 100
            //   d2ee                 | shr                 dh, cl
            //   b65e                 | mov                 dh, 0x5e
            //   feca                 | dec                 dl
            //   0fbaf2a2             | btr                 edx, 0xa2
            //   b616                 | mov                 dh, 0x16

        $sequence_21 = { 2383e08985e4 0572b6e2f4 fd 4e 128b42926614 12a502b346d1 41 }
            // n = 7, score = 100
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]
            //   0572b6e2f4           | add                 eax, 0xf4e2b672
            //   fd                   | std                 
            //   4e                   | dec                 esi
            //   128b42926614         | adc                 cl, byte ptr [ebx + 0x14669242]
            //   12a502b346d1         | adc                 ah, byte ptr [ebp - 0x2eb94cfe]
            //   41                   | inc                 ecx

        $sequence_22 = { 5b 53 8d9feb040000 c70300000000 5b }
            // n = 5, score = 100
            //   5b                   | pop                 ebx
            //   53                   | push                ebx
            //   8d9feb040000         | lea                 ebx, [edi + 0x4eb]
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   5b                   | pop                 ebx

        $sequence_23 = { 50 ff75d8 ff15???????? 8945e0 3bc7 0f840e010000 68fa000000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ff15????????         |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   3bc7                 | cmp                 eax, edi
            //   0f840e010000         | je                  0x114
            //   68fa000000           | push                0xfa

        $sequence_24 = { 8d9724070000 52 50 8d87f2030000 ff10 }
            // n = 5, score = 100
            //   8d9724070000         | lea                 edx, [edi + 0x724]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d87f2030000         | lea                 eax, [edi + 0x3f2]
            //   ff10                 | call                dword ptr [eax]

        $sequence_25 = { 63743200 c808bf35 6963c03caff3da c9 50 }
            // n = 5, score = 100
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               
            //   50                   | push                eax

        $sequence_26 = { feca 4a c0caca 86d6 }
            // n = 4, score = 100
            //   feca                 | dec                 dl
            //   4a                   | dec                 edx
            //   c0caca               | ror                 dl, 0xca
            //   86d6                 | xchg                dh, dl

        $sequence_27 = { 8bec 81ec44020000 8d45fc 50 8d85fcfeffff }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   81ec44020000         | sub                 esp, 0x244
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]

        $sequence_28 = { 50 8d8769030000 ff10 83c40c }
            // n = 4, score = 100
            //   50                   | push                eax
            //   8d8769030000         | lea                 eax, [edi + 0x369]
            //   ff10                 | call                dword ptr [eax]
            //   83c40c               | add                 esp, 0xc

        $sequence_29 = { ff75f8 50 e8???????? ff75f8 8d8772060000 }
            // n = 5, score = 100
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   8d8772060000         | lea                 eax, [edi + 0x672]

        $sequence_30 = { b87e8da638 e022 3a56b9 036890 }
            // n = 4, score = 100
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]

        $sequence_31 = { be84f7c34f 10ba810b7f57 a4 8c6a38 }
            // n = 4, score = 100
            //   be84f7c34f           | mov                 esi, 0x4fc3f784
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs

    condition:
        7 of them and filesize < 568320
}