win.hancitor

Hancitor

aka: Chanitor

Hancitor (aka Chanitor) emerged in 2013. It spreads via social engineering, mainly phishing mails that embed a malicious link or carry a weaponized Microsoft Office document containing a malicious macro.

References
2022-08-17Group-IBVictor Okorokov
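@online{okorokov:20220817:switching:1ffd85f,
  author       = {Okorokov, Victor},
  title        = {Switching side jobs Links between {ATMZOW} {JS-sniffer} and {Hancitor}},
  date         = {2022-08-17},
  organization = {Group-IB},
  url          = {https://blog.group-ib.com/switching-side-jobs},
  language     = {English},
  urldate      = {2022-08-22},
}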
Hancitor
2022-02-12muha2xmadMuhammad Hasan Ali
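@online{ali:20220212:full:2c09100,
  author       = {Ali, Muhammad Hasan},
  title        = {Full {Hancitor} malware analysis},
  date         = {2022-02-12},
  organization = {muha2xmad},
  url          = {https://muha2xmad.github.io/malware-analysis/fullHancitor/},
  language     = {English},
  urldate      = {2022-02-14},
}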
Hancitor
2022-01-08muha2xmadMuhammad Hasan Ali
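@online{ali:20220108:unpacking:498463e,
  author       = {Ali, Muhammad Hasan},
  title        = {Unpacking {Hancitor} malware},
  date         = {2022-01-08},
  organization = {muha2xmad},
  url          = {https://muha2xmad.github.io/unpacking/hancitor/},
  language     = {English},
  urldate      = {2022-01-19},
}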
Hancitor
2021-12-310ffset BlogChuong Dong
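@online{dong:20211231:hancitor:734a06a,
  author       = {Dong, Chuong},
  title        = {{HANCITOR}: Analysing The Main Loader},
  date         = {2021-12-31},
  organization = {0ffset Blog},
  url          = {https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/},
  language     = {English},
  urldate      = {2022-02-01},
}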
Hancitor
2021-12-28Medium CrovaxCrovax
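@online{crovax:20211228:extracting:cd05925,
  author       = {Crovax},
  title        = {Extracting {Hancitor’s} Configuration with {Ghidra} part 1},
  date         = {2021-12-28},
  organization = {Medium Crovax},
  url          = {https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5},
  language     = {English},
  urldate      = {2022-01-25},
}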
Hancitor
2021-11-230ffset BlogChuong Dong
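@online{dong:20211123:hancitor:140d2c0,
  author       = {Dong, Chuong},
  title        = {{HANCITOR}: Analysing The Malicious Document},
  date         = {2021-11-23},
  organization = {0ffset Blog},
  url          = {https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/},
  language     = {English},
  urldate      = {2022-02-01},
}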
Hancitor
2021-11-01The DFIR Report@iiamaleks, @samaritan_o
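@online{iiamaleks:20211101:from:2348d47,
  author       = {{@iiamaleks} and {@samaritan\_o}},
  title        = {From Zero to {Domain Admin}},
  date         = {2021-11-01},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/},
  language     = {English},
  urldate      = {2021-11-03},
}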
Cobalt Strike Hancitor
2021-10-04pid4.ioJames Hovious
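@online{hovious:20211004:how:03b7d93,
  author       = {Hovious, James},
  title        = {How to Write a {Hancitor} Extractor in {Go}},
  date         = {2021-10-04},
  organization = {pid4.io},
  url          = {https://pid4.io/posts/how_to_write_a_hancitor_extractor/},
  language     = {English},
  urldate      = {2021-10-11},
}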
Hancitor
2021-10-04Github (OALabs)OALabs
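@online{oalabs:20211004:reverse:470cd80,
  author       = {OALabs},
  title        = {Reverse engineered the {Hancitor} {DLL} and built a static config extractor},
  date         = {2021-10-04},
  organization = {Github (OALabs)},
  url          = {https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb},
  language     = {English},
  urldate      = {2021-12-02},
}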
Hancitor
2021-09-29Malware Traffic AnalysisBrad Duncan
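@online{duncan:20210929:hancitor:e510da9,
  author       = {Duncan, Brad},
  title        = {{Hancitor} with {Cobalt Strike}},
  date         = {2021-09-29},
  organization = {Malware Traffic Analysis},
  url          = {https://www.malware-traffic-analysis.net/2021/09/29/index.html},
  language     = {English},
  urldate      = {2022-02-01},
}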
Cobalt Strike Hancitor
2021-09-29Malware Traffic AnalysisBrad Duncan
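@comment{ Same post as duncan:20210929:hancitor:e510da9 (identical URL path, with and without www); candidate for merging. }
@online{duncan:20210929:20210929:e348fca,
  author       = {Duncan, Brad},
  title        = {2021-09-29 (Wednesday) - {Hancitor} with {Cobalt Strike}},
  date         = {2021-09-29},
  organization = {Malware Traffic Analysis},
  url          = {https://malware-traffic-analysis.net/2021/09/29/index.html},
  language     = {English},
  urldate      = {2021-11-03},
}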
Cobalt Strike Hancitor
2021-09-09Cyber-AnubisNidal Fikri
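@online{fikri:20210909:hancitor:ca9ad27,
  author       = {Fikri, Nidal},
  title        = {{Hancitor} Loader | {RE} \& Config Extraction},
  date         = {2021-09-09},
  organization = {Cyber-Anubis},
  url          = {https://cyber-anubis.github.io/malware%20analysis/hancitor/},
  language     = {English},
  urldate      = {2021-09-10},
}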
Hancitor
2021-08-05Group-IBViktor Okorokov, Nikita Rostovcev
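@online{okorokov:20210805:prometheus:38ab6a6,
  author       = {Okorokov, Viktor and Rostovcev, Nikita},
  title        = {{Prometheus} {TDS} The key to success for {Campo Loader}, {Hancitor}, {IcedID}, and {QBot}},
  date         = {2021-08-05},
  organization = {Group-IB},
  url          = {https://blog.group-ib.com/prometheus-tds},
  language     = {English},
  urldate      = {2021-08-06},
}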
Prometheus Backdoor Buer campoloader Hancitor IcedID QakBot
2021-07-20VMRayMateusz Lukaszewski
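@online{lukaszewski:20210720:hancitors:1baf2f1,
  author       = {Lukaszewski, Mateusz},
  title        = {{Hancitor’s} Multi-Step Delivery Process},
  date         = {2021-07-20},
  organization = {VMRay},
  url          = {https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/},
  language     = {English},
  urldate      = {2021-08-02},
}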
Hancitor
2021-07-09InfoSec Handlers Diary BlogBrad Duncan
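@online{duncan:20210709:hancitor:814e815,
  author       = {Duncan, Brad},
  title        = {{Hancitor} tries {XLL} as initial malware file},
  date         = {2021-07-09},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/diary/rss/27618},
  language     = {English},
  urldate      = {2021-07-19},
}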
Cobalt Strike Hancitor
2021-07-08McAfeeMcAfee Labs
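@online{labs:20210708:hancitor:b015f59,
  author       = {{McAfee Labs}},
  title        = {{Hancitor} Making Use of Cookies to Prevent {URL} Scraping},
  date         = {2021-07-08},
  organization = {McAfee},
  url          = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping},
  language     = {English},
  urldate      = {2022-04-20},
}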
Hancitor
2021-06-28The DFIR ReportThe DFIR Report
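@online{report:20210628:hancitor:b21cdd2,
  author       = {{The DFIR Report}},
  title        = {{Hancitor} Continues to Push {Cobalt Strike}},
  date         = {2021-06-28},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/},
  language     = {English},
  urldate      = {2021-06-29},
}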
Cobalt Strike Hancitor
2021-06-21Medium elis531989Eli Salem
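@online{salem:20210621:dissecting:295cc4b,
  author       = {Salem, Eli},
  title        = {Dissecting and automating {Hancitor’s} config extraction},
  date         = {2021-06-21},
  organization = {Medium elis531989},
  url          = {https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8},
  language     = {English},
  urldate      = {2021-06-22},
}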
Hancitor
2021-06-17Binary DefenseBrandon George
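@online{george:20210617:analysis:6e4b8ac,
  author       = {George, Brandon},
  title        = {Analysis of {Hancitor} – When Boring Begets {Beacon}},
  date         = {2021-06-17},
  organization = {Binary Defense},
  url          = {https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon},
  language     = {English},
  urldate      = {2021-06-22},
}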
Cobalt Strike Ficker Stealer Hancitor
2021-05-19Intel 471Intel 471
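@online{471:20210519:look:5ba9516,
  author       = {{Intel 471}},
  title        = {Look how many cybercriminals love {Cobalt Strike}},
  date         = {2021-05-19},
  organization = {Intel 471},
  url          = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor},
  language     = {English},
  urldate      = {2021-05-19},
}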
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-07Group-IBOleg Skulkin, Semyon Rogachev
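@online{skulkin:20210507:connecting:49c0b13,
  author       = {Skulkin, Oleg and Rogachev, Semyon},
  title        = {Connecting the Bots {Hancitor} fuels {Cuba} Ransomware Operations},
  date         = {2021-05-07},
  organization = {Group-IB},
  url          = {https://blog.group-ib.com/hancitor-cuba-ransomware},
  language     = {English},
  urldate      = {2021-05-08},
}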
Cuba Hancitor
2021-04-16InQuestDmitry Melikov
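@online{melikov:20210416:unearthing:4ff003c,
  author       = {Melikov, Dmitry},
  title        = {Unearthing {Hancitor} Infrastructure},
  date         = {2021-04-16},
  organization = {InQuest},
  url          = {https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure},
  language     = {English},
  urldate      = {2021-04-28},
}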
Hancitor
2021-04-07Palo Alto Networks Unit 42Brad Duncan
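@online{duncan:20210407:wireshark:3c806d8,
  author       = {Duncan, Brad},
  title        = {{Wireshark} Tutorial: Examining Traffic from {Hancitor} Infections},
  date         = {2021-04-07},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/},
  language     = {English},
  urldate      = {2021-04-12},
}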
Hancitor
2021-04-01Palo Alto Networks Unit 42Brad Duncan
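@online{duncan:20210401:hancitors:8876ca1,
  author       = {Duncan, Brad},
  title        = {{Hancitor’s} Use of {Cobalt Strike} and a Noisy Network Ping Tool},
  date         = {2021-04-01},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/},
  language     = {English},
  urldate      = {2021-04-06},
}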
Cobalt Strike Hancitor
2021-02-11Twitter (@TheDFIRReport)The DFIR Report
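@online{report:20210211:hancitor:9fa527e,
  author       = {{The DFIR Report}},
  title        = {Tweet on {Hancitor} Activity followed by cobaltsrike beacon},
  date         = {2021-02-11},
  organization = {Twitter (@TheDFIRReport)},
  url          = {https://twitter.com/TheDFIRReport/status/1359669513520873473},
  language     = {English},
  urldate      = {2021-02-18},
}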
Cobalt Strike Hancitor
2021-02-01Silent PushMartijn Grooten
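@online{grooten:20210201:pivoting:71e78c9,
  author       = {Grooten, Martijn},
  title        = {Pivoting: finding malware domains without seeing malicious activity},
  date         = {2021-02-01},
  organization = {Silent Push},
  url          = {https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity},
  language     = {English},
  urldate      = {2022-05-05},
}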
Hancitor
2021-01-13InfoSec Handlers Diary BlogBrad Duncan
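@online{duncan:20210113:hancitor:55f3ea5,
  author       = {Duncan, Brad},
  title        = {{Hancitor} activity resumes after a hoilday break},
  date         = {2021-01-13},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/},
  language     = {English},
  urldate      = {2021-01-21},
}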
Hancitor
2021-01-10Medium walmartglobaltechJason Reaves
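@online{reaves:20210110:man1:54a4162,
  author       = {Reaves, Jason},
  title        = {{MAN1}, {Moskal}, {Hancitor} and a side of Ransomware},
  date         = {2021-01-10},
  organization = {Medium walmartglobaltech},
  url          = {https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618},
  language     = {English},
  urldate      = {2021-01-11},
}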
Cobalt Strike Hancitor SendSafe VegaLocker
2019-11-01Dodge This SecurityDodge This Security
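@online{security:20191101:hancitor:1e78408,
  author       = {{Dodge This Security}},
  title        = {{Hancitor}. Evasive new waves, and how {COM} objects can use Cached Credentials for Proxy Authentication},
  date         = {2019-11-01},
  organization = {Dodge This Security},
  url          = {https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/},
  language     = {English},
  urldate      = {2020-01-07},
}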
Hancitor
2019-05Felix Weyne
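@online{weyne:201905:hancitors:9fccb0b,
  author       = {Weyne, Felix},
  title        = {{Hancitor's} Packer Damystified},
  date         = {2019-05},
  url          = {https://www.uperesia.com/hancitor-packer-demystified},
  language     = {English},
  urldate      = {2020-01-07},
}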
Hancitor
2018-11-05Vitali Kremez
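@online{kremez:20181105:lets:aed7583,
  author       = {Kremez, Vitali},
  title        = {Let's Learn: In-Depth Reversing of {Hancitor} Dropper/Loader: 2016 vs 2018 Malware Progression},
  date         = {2018-11-05},
  url          = {https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html},
  language     = {English},
  urldate      = {2020-01-07},
}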
Hancitor
2018-02-27Palo Alto Networks Unit 42Jeff White
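@online{white:20180227:dissecting:4a4c07e,
  author       = {White, Jeff},
  title        = {Dissecting {Hancitor’s} Latest 2018 Packer},
  date         = {2018-02-27},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/},
  language     = {English},
  urldate      = {2019-12-20},
}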
Hancitor
2018-02-07Palo Alto Networks Unit 42Vicky Ray, Brad Duncan
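@online{ray:20180207:compromised:01adde2,
  author       = {Ray, Vicky and Duncan, Brad},
  title        = {Compromised Servers \& Fraud Accounts: Recent {Hancitor} Attacks},
  date         = {2018-02-07},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/},
  language     = {English},
  urldate      = {2019-12-20},
}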
Hancitor
2016-09-23FireEyeAnkit Anubhav, Dileep Kumar Jallepalli
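@online{anubhav:20160923:hancitor:220140e,
  author       = {Anubhav, Ankit and Jallepalli, Dileep Kumar},
  title        = {{Hancitor} ({AKA} {Chanitor}) observed using multiple attack approaches},
  date         = {2016-09-23},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html},
  language     = {English},
  urldate      = {2019-12-20},
}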
Hancitor
2016-08-22Palo Alto Networks Unit 42Jeff White
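@online{white:20160822:vb:7220081,
  author       = {White, Jeff},
  title        = {{VB} Dropper and Shellcode for {Hancitor} Reveal New Techniques Behind Uptick},
  date         = {2016-08-22},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/},
  language     = {English},
  urldate      = {2019-12-20},
}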
Hancitor
2016-08-19Minerva LabsMinerva Labs Research Team
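@online{team:20160819:new:dead711,
  author       = {{Minerva Labs Research Team}},
  title        = {New {Hancitor} Malware: Pimp my Downloaded},
  date         = {2016-08-19},
  organization = {Minerva Labs},
  url          = {https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader},
  language     = {English},
  urldate      = {2019-10-15},
}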
Hancitor
2016-07-12Fidelis CybersecurityThreat Research Team
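@online{team:20160712:me:d8f4707,
  author       = {{Threat Research Team}},
  title        = {Me and {Mr. Robot}: Tracking the Actor Behind the {MAN1} Crypter},
  date         = {2016-07-12},
  organization = {Fidelis Cybersecurity},
  url          = {https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/},
  language     = {English},
  urldate      = {2021-07-29},
}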
Hancitor Vawtrak
2016-05-12ProofpointAxel F, Matthew Mesa
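@online{f:20160512:hancitor:9c250c0,
  author       = {F, Axel and Mesa, Matthew},
  title        = {{Hancitor} and {Ruckguv} Reappear, Updated and With {Vawtrak} On Deck},
  date         = {2016-05-12},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear},
  language     = {English},
  urldate      = {2019-12-20},
}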
Hancitor Ruckguv
2015-01-09ZscalerZscaler
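@online{zscaler:20150109:chanitor:432f3d9,
  author       = {Zscaler},
  title        = {{Chanitor} Downloader Actively Installing {Vawtrak}},
  date         = {2015-01-09},
  organization = {Zscaler},
  url          = {https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak},
  language     = {English},
  urldate      = {2019-12-18},
}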
Hancitor
Yara Rules
[TLP:WHITE] win_hancitor_auto (20220808 | Detects win.hancitor.)
rule win_hancitor_auto {
    // Autogenerated detection rule for the Hancitor loader (Malpedia family win.hancitor).
    // Each $sequence_N is an x86 opcode byte pattern (32-bit register names in the
    // disassembly below) lifted from the disassembly of memory dumps / unpacked files.
    // The '??' wildcards sit where the mnemonic column is blank: four-byte operands of
    // push/call/mov/cmp/add that presumably differ between builds (addresses,
    // relocated immediates) — confirm against yara-signator's documentation.
    // Per-string comments give n (instruction count in the sequence) and a
    // yara-signator score; how the score is computed is the tool's business,
    // higher appears to mean stronger support across the documented samples.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.hancitor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a00 6824040000 6a00 6a00 6a00 }
            // n = 6, score = 1000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6824040000           | push                0x424
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_1 = { 6800010000 6a40 68???????? e8???????? 83c40c }
            // n = 5, score = 800
            //   6800010000           | push                0x100
            //   6a40                 | push                0x40
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_2 = { 6a20 68???????? 68???????? e8???????? 83c410 83f801 }
            // n = 6, score = 700
            //   6a20                 | push                0x20
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   83f801               | cmp                 eax, 1

        $sequence_3 = { 68???????? 8d85dcfaffff 50 ff15???????? }
            // n = 4, score = 700
            //   68????????           |                     
            //   8d85dcfaffff         | lea                 eax, [ebp - 0x524]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_4 = { 55 8bec 81ec58010000 6a44 }
            // n = 4, score = 700
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec58010000         | sub                 esp, 0x158
            //   6a44                 | push                0x44

        $sequence_5 = { 750d e8???????? 83c010 a3???????? }
            // n = 4, score = 700
            //   750d                 | jne                 0xf
            //   e8????????           |                     
            //   83c010               | add                 eax, 0x10
            //   a3????????           |                     

        $sequence_6 = { eb02 eb2d 6a00 8b4df0 51 8b55f8 52 }
            // n = 7, score = 600
            //   eb02                 | jmp                 4
            //   eb2d                 | jmp                 0x2f
            //   6a00                 | push                0
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   52                   | push                edx

        $sequence_7 = { 837df800 7502 eb6f 8b4df4 51 }
            // n = 5, score = 600
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   7502                 | jne                 4
            //   eb6f                 | jmp                 0x71
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   51                   | push                ecx

        $sequence_8 = { 6b55fc28 8b45f4 8b4d08 034c1014 51 }
            // n = 5, score = 600
            //   6b55fc28             | imul                edx, dword ptr [ebp - 4], 0x28
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   034c1014             | add                 ecx, dword ptr [eax + edx + 0x14]
            //   51                   | push                ecx

        $sequence_9 = { 55 8bec 833d????????00 7518 6a00 6a00 6a00 }
            // n = 7, score = 600
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   833d????????00       |                     
            //   7518                 | jne                 0x1a
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_10 = { 68???????? 8b4d08 51 ff15???????? 8d95f4fdffff 52 e8???????? }
            // n = 7, score = 600
            //   68????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d95f4fdffff         | lea                 edx, [ebp - 0x20c]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_11 = { 837de800 0f849a000000 8b4df4 8b5104 83ea08 d1ea }
            // n = 6, score = 600
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   0f849a000000         | je                  0xa0
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   83ea08               | sub                 edx, 8
            //   d1ea                 | shr                 edx, 1

        $sequence_12 = { 85c0 753c 85db 7438 }
            // n = 4, score = 500
            //   85c0                 | test                eax, eax
            //   753c                 | jne                 0x3e
            //   85db                 | test                ebx, ebx
            //   7438                 | je                  0x3a

        $sequence_13 = { 41 3bc8 72f7 c6043000 40 5e }
            // n = 6, score = 500
            //   41                   | inc                 ecx
            //   3bc8                 | cmp                 ecx, eax
            //   72f7                 | jb                  0xfffffff9
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   40                   | inc                 eax
            //   5e                   | pop                 esi

        $sequence_14 = { 750e 57 ff15???????? 8bd8 83fbff 7509 }
            // n = 6, score = 500
            //   750e                 | jne                 0x10
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   7509                 | jne                 0xb

        $sequence_15 = { c3 ff7508 6a00 50 ff15???????? }
            // n = 5, score = 500
            //   c3                   | ret                 
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_16 = { 03c8 6a40 6800300000 894df4 8b5950 }
            // n = 5, score = 500
            //   03c8                 | add                 ecx, eax
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   8b5950               | mov                 ebx, dword ptr [ecx + 0x50]

        $sequence_17 = { 8b5518 85d2 740a 8b45f4 8b4028 03c1 }
            // n = 6, score = 500
            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]
            //   85d2                 | test                edx, edx
            //   740a                 | je                  0xc
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4028               | mov                 eax, dword ptr [eax + 0x28]
            //   03c1                 | add                 eax, ecx

        $sequence_18 = { 6a01 51 8b413c 8b440828 03c1 ffd0 33c0 }
            // n = 7, score = 500
            //   6a01                 | push                1
            //   51                   | push                ecx
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]
            //   8b440828             | mov                 eax, dword ptr [eax + ecx + 0x28]
            //   03c1                 | add                 eax, ecx
            //   ffd0                 | call                eax
            //   33c0                 | xor                 eax, eax

        $sequence_19 = { 83c044 a3???????? 8b45a0 05c8d45566 }
            // n = 4, score = 100
            //   83c044               | add                 eax, 0x44
            //   a3????????           |                     
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   05c8d45566           | add                 eax, 0x6655d4c8

        $sequence_20 = { 83c008 8945c0 8b45b8 48 8945b8 a1???????? }
            // n = 6, score = 100
            //   83c008               | add                 eax, 8
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   48                   | dec                 eax
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   a1????????           |                     

        $sequence_21 = { 008d4556f400 08640f08 ed fec3 }
            // n = 4, score = 100
            // NOTE(review): the decoded instructions here (add to a far [ebp+0xf45645]
            // slot, "in eax, dx") look more like data bytes than code, and this string
            // carries the lowest score in the rule (100) — treat it as a weak signal.
            //   008d4556f400         | add                 byte ptr [ebp + 0xf45645], cl
            //   08640f08             | or                  byte ptr [edi + ecx + 8], ah
            //   ed                   | in                  eax, dx
            //   fec3                 | inc                 bl

        $sequence_22 = { c745c488b24000 a1???????? 83c052 8945cc 8365e400 c745bc0a000000 eb07 }
            // n = 7, score = 100
            //   c745c488b24000       | mov                 dword ptr [ebp - 0x3c], 0x40b288
            //   a1????????           |                     
            //   83c052               | add                 eax, 0x52
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   c745bc0a000000       | mov                 dword ptr [ebp - 0x44], 0xa
            //   eb07                 | jmp                 9

        $sequence_23 = { 833d????????00 7414 8b45e4 0345c0 8945e4 }
            // n = 5, score = 100
            //   833d????????00       |                     
            //   7414                 | je                  0x16
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   0345c0               | add                 eax, dword ptr [ebp - 0x40]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_24 = { ff15???????? c745a064000000 894da0 8b45c0 83c008 8945c0 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   c745a064000000       | mov                 dword ptr [ebp - 0x60], 0x64
            //   894da0               | mov                 dword ptr [ebp - 0x60], ecx
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   83c008               | add                 eax, 8
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax

        $sequence_25 = { 0345cc a3???????? 817df8b07d0900 0f8ced000000 }
            // n = 4, score = 100
            //   0345cc               | add                 eax, dword ptr [ebp - 0x34]
            //   a3????????           |                     
            //   817df8b07d0900       | cmp                 dword ptr [ebp - 8], 0x97db0
            //   0f8ced000000         | jl                  0xf3

        $sequence_26 = { c745f464000000 8b45cc 0305???????? 8945cc }
            // n = 4, score = 100
            //   c745f464000000       | mov                 dword ptr [ebp - 0xc], 0x64
            //   8b45cc               | mov                 eax, dword ptr [ebp - 0x34]
            //   0305????????         |                     
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax

    // Fire when at least 7 of the 27 sequences above are present and the scanned
    // object is smaller than 106496 bytes (104 KiB). NOTE(review): the filesize
    // bound is written for files on disk; confirm how it behaves for the memory
    // dumps the strings were derived from before relying on it in process scans.
    condition:
        7 of them and filesize < 106496
}