SYMBOLCOMMON_NAMEaka. SYNONYMS
win.isfb (Back to overview)

ISFB

aka: Gozi ISFB, IAP, Pandemyia

Actor(s): GOLD CABIN

URLhaus                      

2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)

In September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.

The other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.

There is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.

ISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.

In April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.

See win.gozi for additional historical information.

References
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-06-24Group-IBAlbert Priego
@online{priego:20220624:we:0ed77e2, author = {Albert Priego}, title = {{We see you, Gozi Hunting the latest TTPs used for delivering the Trojan}}, date = {2022-06-24}, organization = {Group-IB}, url = {https://blog.group-ib.com/gozi-latest-ttps}, language = {English}, urldate = {2022-08-17} } We see you, Gozi Hunting the latest TTPs used for delivering the Trojan
ISFB
2022-06-07McAfeeJyothi Naveen, Kiran Raj
@online{naveen:20220607:phishing:704f5f7, author = {Jyothi Naveen and Kiran Raj}, title = {{Phishing Campaigns featuring Ursnif Trojan on the Rise}}, date = {2022-06-07}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/}, language = {English}, urldate = {2022-06-15} } Phishing Campaigns featuring Ursnif Trojan on the Rise
ISFB
2022-05-19IBMCharlotte Hammond, Ole Villadsen, Golo Mühr
@online{hammond:20220519:itg23:eab10e2, author = {Charlotte Hammond and Ole Villadsen and Golo Mühr}, title = {{ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups}}, date = {2022-05-19}, organization = {IBM}, url = {https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/}, language = {English}, urldate = {2022-05-25} } ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
IcedID ISFB Mount Locker
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-08QualysAmit Gadhave
@online{gadhave:20220508:ursnif:4e8605b, author = {Amit Gadhave}, title = {{Ursnif Malware Banks on News Events for Phishing Attacks}}, date = {2022-05-08}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks}, language = {English}, urldate = {2022-05-17} } Ursnif Malware Banks on News Events for Phishing Attacks
ISFB
2022-04-14Avast DecodedVladimir Martyanov
@online{martyanov:20220414:zloader:23c520a, author = {Vladimir Martyanov}, title = {{Zloader 2: The Silent Night}}, date = {2022-04-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/}, language = {English}, urldate = {2022-04-15} } Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-01-11Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220111:signed:0f32583, author = {Jason Reaves and Joshua Platt}, title = {{Signed DLL campaigns as a service}}, date = {2022-01-11}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489}, language = {English}, urldate = {2022-01-25} } Signed DLL campaigns as a service
Cobalt Strike ISFB Zloader
2021-10-25CleafyCleafy
@online{cleafy:20211025:digital:48fbdf8, author = {Cleafy}, title = {{Digital banking fraud: how the Gozi malware works}}, date = {2021-10-25}, organization = {Cleafy}, url = {https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work}, language = {English}, urldate = {2021-11-02} } Digital banking fraud: how the Gozi malware works
ISFB
2021-09-29ProofpointSelena Larson, Proofpoint Staff
@online{larson:20210929:ta544:ab2f0d3, author = {Selena Larson and Proofpoint Staff}, title = {{TA544 Targets Italian Organizations with Ursnif Malware}}, date = {2021-09-29}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware}, language = {English}, urldate = {2021-10-11} } TA544 Targets Italian Organizations with Ursnif Malware
ISFB
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-30HPPatrick Schläpfer
@online{schlpfer:20210730:detecting:2291323, author = {Patrick Schläpfer}, title = {{Detecting TA551 domains}}, date = {2021-07-30}, organization = {HP}, url = {https://threatresearch.ext.hp.com/detecting-ta551-domains/}, language = {English}, urldate = {2021-08-02} } Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-06-30The RecordCatalin Cimpanu
@online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} } Gozi malware gang member arrested in Colombia
Gozi ISFB
2021-06-23IBMItzik Chimino
@online{chimino:20210623:ursnif:700b0a7, author = {Itzik Chimino}, title = {{Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy}}, date = {2021-06-23}, organization = {IBM}, url = {https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/}, language = {English}, urldate = {2021-06-24} } Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
ISFB
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-10Mal-Eatsmal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-04NCC Groupfumik0, NCC RIFT
@online{fumik0:20210504:rm3:cd994e6, author = {fumik0 and NCC RIFT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-19} } RM3 – Curiosities of the wildest banking malware
ISFB RM3
2021-05-04Fox-ITfumik0, the RIFT Team, Fox IT
@online{fumik0:20210504:rm3:41d6969, author = {fumik0 and the RIFT Team and Fox IT}, title = {{RM3 – Curiosities of the wildest banking malware}}, date = {2021-05-04}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/}, language = {English}, urldate = {2021-05-04} } RM3 – Curiosities of the wildest banking malware
ISFB
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-06Intel 471Intel 471
@online{471:20210406:ettersilent:b591f59, author = {Intel 471}, title = {{EtterSilent: the underground’s new favorite maldoc builder}}, date = {2021-04-06}, organization = {Intel 471}, url = {https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/}, language = {English}, urldate = {2021-04-06} } EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-02-03ZDNetCharlie Osborne
@online{osborne:20210203:ursnif:936317a, author = {Charlie Osborne}, title = {{Ursnif Trojan has targeted over 100 Italian banks}}, date = {2021-02-03}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/}, language = {English}, urldate = {2021-06-29} } Ursnif Trojan has targeted over 100 Italian banks
ISFB Snifula
2021-01-12FortinetXiaopeng Zhang
@online{zhang:20210112:new:bdf3ebb, author = {Xiaopeng Zhang}, title = {{New Variant of Ursnif Continuously Targeting Italy}}, date = {2021-01-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy}, language = {English}, urldate = {2021-01-18} } New Variant of Ursnif Continuously Targeting Italy
ISFB
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-080xC0DECAFEThomas Barabosch
@online{barabosch:20210108:malware:27c7ee2, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to aPLib decompression}}, date = {2021-01-08}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/}, language = {English}, urldate = {2021-01-11} } The malware analyst’s guide to aPLib decompression
ISFB Rovnix
2020-11-27malware.loveRobert Giczewski
@online{giczewski:20201127:having:7cd6ae8, author = {Robert Giczewski}, title = {{Having fun with a Ursnif VBS dropper}}, date = {2020-11-27}, organization = {malware.love}, url = {https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html}, language = {English}, urldate = {2020-12-01} } Having fun with a Ursnif VBS dropper
ISFB Snifula
2020-11-26CybereasonLior Rochberger, Cybereason Nocturnus
@online{rochberger:20201126:cybereason:8301aeb, author = {Lior Rochberger and Cybereason Nocturnus}, title = {{Cybereason vs. Egregor Ransomware}}, date = {2020-11-26}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware}, language = {English}, urldate = {2020-12-08} } Cybereason vs. Egregor Ransomware
Cobalt Strike Egregor IcedID ISFB QakBot
2020-10-29CERT-FRCERT-FR
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-15Department of JusticeDepartment of Justice
@online{justice:20201015:officials:b340951, author = {Department of Justice}, title = {{Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals}}, date = {2020-10-15}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization}, language = {English}, urldate = {2020-10-23} } Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-09-02Cisco TalosHolger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-08-28CheckpointCheck Point Research
@online{research:20200828:gozi:944c005, author = {Check Point Research}, title = {{Gozi: The Malware with a Thousand Faces}}, date = {2020-08-28}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/}, language = {English}, urldate = {2020-09-01} } Gozi: The Malware with a Thousand Faces
DreamBot ISFB LOLSnif SaiGon
2020-08TG SoftTG Soft
@online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} } TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-23DarktraceMax Heinemeyer
@online{heinemeyer:20200723:resurgence:75f36ef, author = {Max Heinemeyer}, title = {{The resurgence of the Ursnif banking trojan}}, date = {2020-07-23}, organization = {Darktrace}, url = {https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/}, language = {English}, urldate = {2021-06-29} } The resurgence of the Ursnif banking trojan
ISFB Snifula
2020-07-22SentinelOneJason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-18HornetsecurityHornetsecurity Security Lab
@online{lab:20200718:firefox:4293555, author = {Hornetsecurity Security Lab}, title = {{Firefox Send sends Ursnif malware}}, date = {2020-07-18}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/}, language = {English}, urldate = {2020-08-21} } Firefox Send sends Ursnif malware
ISFB
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-07-01Cisco TalosNick Biasini, Edmund Brumaghin, Mariano Graziano
@online{biasini:20200701:threat:a726b7e, author = {Nick Biasini and Edmund Brumaghin and Mariano Graziano}, title = {{Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks}}, date = {2020-07-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/07/valak-emerges.html}, language = {English}, urldate = {2020-08-18} } Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
Valak IcedID ISFB MyKings Spreader
2020-07-01TG SoftTG Soft
@online{soft:20200701:cyberthreat:45d22d9, author = {TG Soft}, title = {{Cyber-Threat Report on the cyber attacks of June 2020 in Italy}}, date = {2020-07-01}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=568531345}, language = {Italian}, urldate = {2020-07-30} } Cyber-Threat Report on the cyber attacks of June 2020 in Italy
Avaddon ISFB
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-23NCC GroupNikolaos Pantazopoulos, Stefano Antenucci, Michael Sandee
@online{pantazopoulos:20200623:wastedlocker:112d6b3, author = {Nikolaos Pantazopoulos and Stefano Antenucci and Michael Sandee}, title = {{WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group}}, date = {2020-06-23}, organization = {NCC Group}, url = {https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/}, language = {English}, urldate = {2020-06-23} } WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Cobalt Strike ISFB WastedLocker
2020-06-17Youtube (Red Canary)Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-06-02MorphisecArnold Osipov
@online{osipov:20200602:ursnifgozi:2e20c85, author = {Arnold Osipov}, title = {{Ursnif/Gozi Delivery - Excel Macro 4.0 Utilization Uptick & OCR Bypass}}, date = {2020-06-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass}, language = {English}, urldate = {2020-06-25} } Ursnif/Gozi Delivery - Excel Macro 4.0 Utilization Uptick & OCR Bypass
ISFB
2020-05-07Github (mlodic)Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Gozi ISFB
2020-03-30IntezerMichael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020-01-23SANS ISC InfoSec ForumsBrad Duncan
@online{duncan:20200123:german:2c867b2, author = {Brad Duncan}, title = {{German language malspam pushes Ursnif}}, date = {2020-01-23}, organization = {SANS ISC InfoSec Forums}, url = {https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/}, language = {English}, urldate = {2020-01-26} } German language malspam pushes Ursnif
ISFB
2020-01-22Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2019-12-24SophosSophosLabs Threat Research
@online{research:20191224:gozi:6cca2ca, author = {SophosLabs Threat Research}, title = {{Gozi V3: tracked by their own stealth}}, date = {2019-12-24}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/}, language = {English}, urldate = {2020-01-13} } Gozi V3: tracked by their own stealth
ISFB
2019-12-23Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20191223:wireshark:11f95ab, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Ursnif Infections}}, date = {2019-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/}, language = {English}, urldate = {2020-01-13} } Wireshark Tutorial: Examining Ursnif Infections
ISFB
2019-12-07SecureworksKevin O’Reilly, Keith Jarvis
@techreport{oreilly:20191207:endtoend:84340da, author = {Kevin O’Reilly and Keith Jarvis}, title = {{End-to-end Botnet Monitoring... Botconf 2019}}, date = {2019-12-07}, institution = {Secureworks}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf}, language = {English}, urldate = {2021-11-08} } End-to-end Botnet Monitoring... Botconf 2019
Emotet ISFB QakBot
2019-08-07FortinetXiaopeng Zhang
@online{zhang:20190807:new:2e838ee, author = {Xiaopeng Zhang}, title = {{New Ursnif Variant Spreading by Word Document}}, date = {2019-08-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html}, language = {English}, urldate = {2020-01-26} } New Ursnif Variant Spreading by Word Document
ISFB
2019-07-11ProofpointProofpoint Threat Insight Team
@online{team:20190711:threat:00e0a1a, author = {Proofpoint Threat Insight Team}, title = {{Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware}}, date = {2019-07-11}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware}, language = {English}, urldate = {2021-05-31} } Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware
ISFB PandaBanker UrlZone NARWHAL SPIDER
2019-06-25VMRayTamas Boczan
@online{boczan:20190625:analyzing:fe5a161, author = {Tamas Boczan}, title = {{Analyzing Ursnif’s Behavior Using a Malware Sandbox}}, date = {2019-06-25}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/}, language = {English}, urldate = {2019-12-17} } Analyzing Ursnif’s Behavior Using a Malware Sandbox
ISFB
2019-06-19ProofpointProofpoint Threat Insight Team
@online{team:20190619:urlzone:9163ce0, author = {Proofpoint Threat Insight Team}, title = {{URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape}}, date = {2019-06-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0}, language = {English}, urldate = {2021-05-31} } URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape
ISFB UrlZone NARWHAL SPIDER
2019-05-250ffset Blog0verfl0w_
@online{0verfl0w:20190525:analyzing:84874ea, author = {0verfl0w_}, title = {{Analyzing ISFB – The Second Loader}}, date = {2019-05-25}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/}, language = {English}, urldate = {2020-01-13} } Analyzing ISFB – The Second Loader
ISFB
2019-04-06Youtube (hasherezade)hasherezade
@online{hasherezade:20190406:unpacking:dc6a1be, author = {hasherezade}, title = {{Unpacking ISFB (including the custom 'PX' format)}}, date = {2019-04-06}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KvOpNznu_3w}, language = {English}, urldate = {2019-11-29} } Unpacking ISFB (including the custom 'PX' format)
ISFB
2019-04-05YoroiDavide Testa, Antonio Pirozzi
@online{testa:20190405:ursnif:4670538, author = {Davide Testa and Antonio Pirozzi}, title = {{Ursnif: The Latest Evolution of the Most Popular Banking Malware}}, date = {2019-04-05}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/}, language = {English}, urldate = {2019-10-23} } Ursnif: The Latest Evolution of the Most Popular Banking Malware
ISFB
2019-03-26YoroiLuigi Martire, Davide Testa, Luca Mella
@online{martire:20190326:ursnif:1d301b8, author = {Luigi Martire and Davide Testa and Luca Mella}, title = {{The Ursnif Gangs keep Threatening Italy}}, date = {2019-03-26}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/}, language = {English}, urldate = {2022-02-02} } The Ursnif Gangs keep Threatening Italy
ISFB
2019-03-130ffset Blog0verfl0w_
@online{0verfl0w:20190313:analysing:1f83706, author = {0verfl0w_}, title = {{Analysing ISFB – The First Loader}}, date = {2019-03-13}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/}, language = {English}, urldate = {2020-01-10} } Analysing ISFB – The First Loader
ISFB
2019-03-12CybereasonAssaf Dahan, Cybereason Nocturnus
@online{dahan:20190312:new:a435b52, author = {Assaf Dahan and Cybereason Nocturnus}, title = {{New Ursnif Variant targets Japan packed with new Features}}, date = {2019-03-12}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features}, language = {English}, urldate = {2019-11-28} } New Ursnif Variant targets Japan packed with new Features
ISFB UrlZone
2019-03-11MinervaMinerva Labs
@online{labs:20190311:attackers:013804a, author = {Minerva Labs}, title = {{Attackers Insert Themselves into the Email Conversation to Spread Malware}}, date = {2019-03-11}, organization = {Minerva}, url = {https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware}, language = {English}, urldate = {2020-01-08} } Attackers Insert Themselves into the Email Conversation to Spread Malware
ISFB
2019-02-07YoroiAntonio Farina, Davide Testa, Antonio Pirozzi
@online{farina:20190207:ursnif:f25be00, author = {Antonio Farina and Davide Testa and Antonio Pirozzi}, title = {{Ursnif: Long Live the Steganography!}}, date = {2019-02-07}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/ursnif-long-live-the-steganography/}, language = {English}, urldate = {2022-02-02} } Ursnif: Long Live the Steganography!
ISFB
2019-01-30CyberbitHod Gavriel
@online{gavriel:20190130:new:6e4ec87, author = {Hod Gavriel}, title = {{New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)}}, date = {2019-01-30}, organization = {Cyberbit}, url = {https://www.cyberbit.com/new-ursnif-malware-variant/}, language = {English}, urldate = {2020-08-21} } New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)
ISFB
2019-01-24Cisco TalosJohn Arneson
@online{arneson:20190124:cisco:58d9a8f, author = {John Arneson}, title = {{Cisco AMP tracks new campaign that delivers Ursnif}}, date = {2019-01-24}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html}, language = {English}, urldate = {2019-10-12} } Cisco AMP tracks new campaign that delivers Ursnif
ISFB
2019-01-150ffset Blog0verfl0w_
@online{0verfl0w:20190115:analyzing:bf3b215, author = {0verfl0w_}, title = {{Analyzing COMmunication in Malware}}, date = {2019-01-15}, organization = {0ffset Blog}, url = {https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/}, language = {English}, urldate = {2020-01-06} } Analyzing COMmunication in Malware
ISFB
2019CSISBenoît Ancel, Peter Kruse
@techreport{ancel:2019:dreambot:e29023e, author = {Benoît Ancel and Peter Kruse}, title = {{Dreambot Business overview 2019}}, date = {2019}, institution = {CSIS}, url = {http://benkow.cc/DreambotSAS19.pdf}, language = {English}, urldate = {2019-12-10} } Dreambot Business overview 2019
ISFB
2018-12-18Trend MicroTrendmicro
@online{trendmicro:20181218:ursnif:cc5ce31, author = {Trendmicro}, title = {{URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader}}, date = {2018-12-18}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/}, language = {English}, urldate = {2020-01-07} } URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-05-17FidelisThreat Research Team
@online{team:20180517:gozi:f554055, author = {Threat Research Team}, title = {{Gozi V3 Technical Update}}, date = {2018-05-17}, organization = {Fidelis}, url = {https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/}, language = {English}, urldate = {2020-01-08} } Gozi V3 Technical Update
ISFB
2018-03-19hasherezade
@online{hasherezade:20180319:unpacking:150cdac, author = {hasherezade}, title = {{Unpacking Ursnif}}, date = {2018-03-19}, url = {https://www.youtube.com/watch?v=jlc7Ahp8Iqg}, language = {English}, urldate = {2019-12-24} } Unpacking Ursnif
ISFB
2018-03-06Cisco TalosEdmund Brumaghin, Holger Unterbrink, Adam Weller
@online{brumaghin:20180306:gozi:6146f77, author = {Edmund Brumaghin and Holger Unterbrink and Adam Weller}, title = {{Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution}}, date = {2018-03-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html}, language = {English}, urldate = {2019-12-17} } Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution
ISFB
2018-02-07CylanceThreat Research Team
@online{team:20180207:threat:c0550bd, author = {Threat Research Team}, title = {{Threat Spotlight: URSNIF Infostealer Malware}}, date = {2018-02-07}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html}, language = {English}, urldate = {2019-11-24} } Threat Spotlight: URSNIF Infostealer Malware
ISFB
2018-01-17SANS ISCbrad
@online{brad:20180117:reviewing:49ad844, author = {brad}, title = {{Reviewing the spam filters: Malspam pushing Gozi-ISFB}}, date = {2018-01-17}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245}, language = {English}, urldate = {2019-12-20} } Reviewing the spam filters: Malspam pushing Gozi-ISFB
ISFB
2018-01-12ProofpointProofpoint Staff
@online{staff:20180112:holiday:b4225b8, author = {Proofpoint Staff}, title = {{Holiday lull? Not so much}}, date = {2018-01-12}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much}, language = {English}, urldate = {2021-05-31} } Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-11-28FireEyeSandor Nemes, Abhay Vaish
@online{nemes:20171128:newly:b2b9018, author = {Sandor Nemes and Abhay Vaish}, title = {{Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection}}, date = {2017-11-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html}, language = {English}, urldate = {2019-12-20} } Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection
ISFB
2017-07-02CERT.PLMaciej Kotowicz
@online{kotowicz:20170702:isfb:2fe662b, author = {Maciej Kotowicz}, title = {{ISFB: Still Live and Kicking}}, date = {2017-07-02}, organization = {CERT.PL}, url = {https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15}, language = {English}, urldate = {2020-01-13} } ISFB: Still Live and Kicking
ISFB
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-04-20MalwarebytesJérôme Segura
@online{segura:20170420:binary:eaa706a, author = {Jérôme Segura}, title = {{Binary Options malvertising campaign drops ISFB banking Trojan}}, date = {2017-04-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/}, language = {English}, urldate = {2019-12-20} } Binary Options malvertising campaign drops ISFB banking Trojan
ISFB
2016-11-01Ariel Koren's BlogAriel Koren
@online{koren:20161101:ursnif:a5e4fcd, author = {Ariel Koren}, title = {{Ursnif Malware: Deep Technical Dive}}, date = {2016-11-01}, organization = {Ariel Koren's Blog}, url = {https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/}, language = {English}, urldate = {2020-01-10} } Ursnif Malware: Deep Technical Dive
ISFB
2016-04-14SecurityIntelligenceLimor Kessem, Lior Keshet
@online{kessem:20160414:meet:16351ef, author = {Limor Kessem and Lior Keshet}, title = {{Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim}}, date = {2016-04-14}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/}, language = {English}, urldate = {2020-01-06} } Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim
ISFB Nymaim GozNym
2016-03-23Github (gbrindisi)gbrindisi
@online{gbrindisi:20160323:gozi:aa28233, author = {gbrindisi}, title = {{Gozi ISFB Sourceccode}}, date = {2016-03-23}, organization = {Github (gbrindisi)}, url = {https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb}, language = {English}, urldate = {2020-01-13} } Gozi ISFB Sourceccode
ISFB
Yara Rules
[TLP:WHITE] win_isfb_auto (20221125 | Detects win.isfb.)
rule win_isfb_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.isfb."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75f0 ff75f4 6822010000 e9???????? ff7508 }
            // n = 5, score = 2400
            //   ff75f0               | push                0
            //   ff75f4               | push                1
            //   6822010000           | push                dword ptr [esp + 0x10]
            //   e9????????           |                     
            //   ff7508               | pop                 ebp

        $sequence_1 = { 33c0 3bc7 741b 50 33c0 e8???????? }
            // n = 6, score = 2300
            //   33c0                 | xor                 eax, eax
            //   3bc7                 | cmp                 eax, edi
            //   741b                 | je                  0x1d
            //   50                   | push                eax
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     

        $sequence_2 = { 33c0 e8???????? 3bc7 740f }
            // n = 4, score = 2300
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   3bc7                 | cmp                 eax, edi
            //   740f                 | je                  0x11

        $sequence_3 = { ff35???????? e8???????? 8bf0 3bf3 7443 6aff }
            // n = 6, score = 2200
            //   ff35????????         |                     
            //   e8????????           |                     
            //   8bf0                 | dec                 eax
            //   3bf3                 | cmp                 ecx, edi
            //   7443                 | je                  7
            //   6aff                 | dec                 eax

        $sequence_4 = { 6a10 58 e8???????? 3bc7 7406 }
            // n = 5, score = 2200
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   3bc7                 | cmp                 eax, edi
            //   7406                 | je                  8

        $sequence_5 = { eb02 33c0 3bc7 7413 50 }
            // n = 5, score = 2200
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   3bc7                 | cmp                 eax, edi
            //   7413                 | je                  0x15
            //   50                   | push                eax

        $sequence_6 = { 5d 5b 59 c20400 8325????????00 6a00 68???????? }
            // n = 7, score = 2100
            //   5d                   | cmp                 edi, esi
            //   5b                   | je                  0x10
            //   59                   | push                edi
            //   c20400               | jne                 0x30
            //   8325????????00       |                     
            //   6a00                 | push                ebx
            //   68????????           |                     

        $sequence_7 = { 3bc7 740f 8b35???????? 50 }
            // n = 4, score = 2100
            //   3bc7                 | cmp                 eax, edi
            //   740f                 | je                  0x11
            //   8b35????????         |                     
            //   50                   | push                eax

        $sequence_8 = { ff15???????? 85c0 a3???????? 7402 ffe0 c20400 }
            // n = 6, score = 2100
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   a3????????           |                     
            //   7402                 | mov                 dword ptr [esp + 0x20], ebx
            //   ffe0                 | mov                 dword ptr [esp + 0x28], 0xea60
            //   c20400               | dec                 esp

        $sequence_9 = { ff15???????? a1???????? 85c0 7407 83ee64 }
            // n = 5, score = 2000
            //   ff15????????         |                     
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   83ee64               | sub                 esi, 0x64

        $sequence_10 = { 3bc7 7406 50 e8???????? 3bdf 7414 }
            // n = 6, score = 1900
            //   3bc7                 | cmp                 eax, edi
            //   7406                 | je                  8
            //   50                   | push                eax
            //   e8????????           |                     
            //   3bdf                 | cmp                 ebx, edi
            //   7414                 | je                  0x16

        $sequence_11 = { ff15???????? 3c05 7506 84e4 }
            // n = 4, score = 1800
            //   ff15????????         |                     
            //   3c05                 | dec                 eax
            //   7506                 | mov                 dword ptr [esp + 0x20], ebx
            //   84e4                 | test                eax, eax

        $sequence_12 = { 7506 84e4 7704 3ac0 }
            // n = 4, score = 1800
            //   7506                 | cmovne              ecx, eax
            //   84e4                 | dec                 eax
            //   7704                 | mov                 dword ptr [esp + 0x20], ebx
            //   3ac0                 | test                eax, eax

        $sequence_13 = { c20400 55 8bec 83ec0c a1???????? 8365f800 }
            // n = 6, score = 1800
            //   c20400               | pop                 ebx
            //   55                   | pop                 ecx
            //   8bec                 | ret                 4
            //   83ec0c               | pop                 ebp
            //   a1????????           |                     
            //   8365f800             | pop                 ebx

        $sequence_14 = { 83e103 740d 51 50 ff7510 e8???????? }
            // n = 6, score = 1700
            //   83e103               | cmovne              ecx, eax
            //   740d                 | dec                 eax
            //   51                   | mov                 dword ptr [esp + 0x20], ebx
            //   50                   | mov                 dword ptr [esp + 0x28], 0xea60
            //   ff7510               | dec                 esp
            //   e8????????           |                     

        $sequence_15 = { 2b55fc 8b7d10 0155fc 83451004 }
            // n = 4, score = 1700
            //   2b55fc               | dec                 eax
            //   8b7d10               | mov                 ecx, edi
            //   0155fc               | mov                 dword ptr [esp + 0x28], 0xea60
            //   83451004             | dec                 esp

        $sequence_16 = { 0155fc 83451004 83c004 49 8917 75e9 8b4e10 }
            // n = 7, score = 1700
            //   0155fc               | neg                 al
            //   83451004             | sbb                 eax, eax
            //   83c004               | mov                 al, byte ptr [esi + 4]
            //   49                   | and                 al, 4
            //   8917                 | neg                 al
            //   75e9                 | sbb                 eax, eax
            //   8b4e10               | and                 eax, 6

        $sequence_17 = { 50 ff7510 e8???????? 83c40c c745fc01000000 8b4610 }
            // n = 6, score = 1700
            //   50                   | mov                 dword ptr [esp + 0x28], 0xea60
            //   ff7510               | dec                 esp
            //   e8????????           |                     
            //   83c40c               | cmovne              ecx, eax
            //   c745fc01000000       | dec                 eax
            //   8b4610               | mov                 dword ptr [esp + 0x20], ebx

        $sequence_18 = { 8bc6 5e c9 c21000 55 8bec 83ec14 }
            // n = 7, score = 1700
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c21000               | ret                 0x10
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14

        $sequence_19 = { 7505 b8???????? 53 bb60ea0000 53 }
            // n = 5, score = 1700
            //   7505                 | mov                 dword ptr [esp + 0x20], ebx
            //   b8????????           |                     
            //   53                   | dec                 eax
            //   bb60ea0000           | mov                 ecx, edi
            //   53                   | mov                 dword ptr [esp + 0x28], 0xea60

        $sequence_20 = { 7417 8b10 2b55fc 8b7d10 }
            // n = 4, score = 1700
            //   7417                 | mov                 ecx, edi
            //   8b10                 | dec                 esp
            //   2b55fc               | mov                 dword ptr [ebp + ebx*8], esp
            //   8b7d10               | add                 ebx, 1

        $sequence_21 = { 8b4b24 2b4b28 894c2410 8b4b34 f6c140 }
            // n = 5, score = 1600
            //   8b4b24               | push                dword ptr [ebp - 0xc]
            //   2b4b28               | push                0x122
            //   894c2410             | push                dword ptr [ebp + 8]
            //   8b4b34               | push                0
            //   f6c140               | push                dword ptr [ebp - 0xc]

        $sequence_22 = { 83e4f8 83ec14 8364240400 53 8b5d0c 837b240c 56 }
            // n = 7, score = 1600
            //   83e4f8               | push                dword ptr [ebp + 0xc]
            //   83ec14               | jne                 7
            //   8364240400           | push                ebx
            //   53                   | mov                 ebx, 0xea60
            //   8b5d0c               | push                ebx
            //   837b240c             | mov                 ebx, 0xea60
            //   56                   | push                ebx

        $sequence_23 = { 56 57 8b3b 897c241c 760a 8b4b20 e8???????? }
            // n = 7, score = 1600
            //   56                   | pop                 ecx
            //   57                   | ret                 4
            //   8b3b                 | pop                 ebp
            //   897c241c             | pop                 ebx
            //   760a                 | pop                 ecx
            //   8b4b20               | ret                 4
            //   e8????????           |                     

        $sequence_24 = { 8b1e 6a00 ff37 ff15???????? 2b442414 50 }
            // n = 6, score = 1600
            //   8b1e                 | and                 dword ptr [ebp - 8], 0
            //   6a00                 | mov                 eax, esi
            //   ff37                 | pop                 esi
            //   ff15????????         |                     
            //   2b442414             | leave               
            //   50                   | ret                 0x10

        $sequence_25 = { 83c40c 8974240c c6401a00 8b44240c 85c0 }
            // n = 5, score = 1600
            //   83c40c               | mov                 eax, ebp
            //   8974240c             | pop                 ebp
            //   c6401a00             | pop                 ebx
            //   8b44240c             | pop                 ecx
            //   85c0                 | ret                 4

        $sequence_26 = { 8a4604 2404 f6d8 1bc0 83e006 }
            // n = 5, score = 1600
            //   8a4604               | lea                 ecx, [ebp - 0x20]
            //   2404                 | cmp                 eax, ecx
            //   f6d8                 | je                  0xd6
            //   1bc0                 | jmp                 0xd
            //   83e006               | mov                 eax, dword ptr [ebp - 0x20]

        $sequence_27 = { 8b442418 894110 836334f9 c7432c01000000 8b4334 }
            // n = 5, score = 1600
            //   8b442418             | push                0
            //   894110               | pop                 esi
            //   836334f9             | mov                 eax, ebp
            //   c7432c01000000       | pop                 ebp
            //   8b4334               | pop                 ebx

        $sequence_28 = { ff37 50 ff35???????? ff15???????? 8b442414 8b4c240c }
            // n = 6, score = 1600
            //   ff37                 | push                1
            //   50                   | pop                 ebx
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   8b442414             | pop                 ecx
            //   8b4c240c             | ret                 4

        $sequence_29 = { 8b07 03442418 50 56 }
            // n = 4, score = 1600
            //   8b07                 | push                0
            //   03442418             | pop                 ecx
            //   50                   | ret                 4
            //   56                   | push                0

        $sequence_30 = { 6a0d 58 e8???????? 85c0 740d 8906 }
            // n = 6, score = 1600
            //   6a0d                 | cmovne              ecx, eax
            //   58                   | dec                 eax
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [esp + 0x20], ebx
            //   740d                 | test                eax, eax
            //   8906                 | mov                 ebx, eax

        $sequence_31 = { 837d0800 7408 ff7508 e8???????? 8bc7 }
            // n = 5, score = 1500
            //   837d0800             | inc                 ecx
            //   7408                 | push                ebp
            //   ff7508               | inc                 ecx
            //   e8????????           |                     
            //   8bc7                 | push                esi

        $sequence_32 = { c744242860ea0000 4c0f45c8 48895c2420 e8???????? }
            // n = 4, score = 1500
            //   c744242860ea0000     | xor                 eax, eax
            //   4c0f45c8             | cmp                 eax, edi
            //   48895c2420           | je                  0x13
            //   e8????????           |                     

        $sequence_33 = { 752f 8b450c 8930 eb33 }
            // n = 4, score = 1500
            //   752f                 | mov                 ecx, edi
            //   8b450c               | mov                 ebx, eax
            //   8930                 | dec                 esp
            //   eb33                 | mov                 eax, edi

        $sequence_34 = { 837d1800 b8???????? 7505 b8???????? }
            // n = 4, score = 1500
            //   837d1800             | mov                 dword ptr [esp + 0x20], ebx
            //   b8????????           |                     
            //   7505                 | test                eax, eax
            //   b8????????           |                     

        $sequence_35 = { 85ff 750e 837d0800 7408 }
            // n = 4, score = 1500
            //   85ff                 | mov                 dword ptr [eax], esi
            //   750e                 | jmp                 0x3a
            //   837d0800             | xor                 edi, edi
            //   7408                 | jmp                 0xd

        $sequence_36 = { 33ff eb0b 33ff eb03 }
            // n = 4, score = 1500
            //   33ff                 | dec                 eax
            //   eb0b                 | mov                 dword ptr [edi + ecx], eax
            //   33ff                 | dec                 eax
            //   eb03                 | add                 edi, 8

        $sequence_37 = { 50 53 8bc6 e8???????? 85c0 7516 }
            // n = 6, score = 1500
            //   50                   | dec                 esp
            //   53                   | mov                 eax, edi
            //   8bc6                 | xor                 edx, edx
            //   e8????????           |                     
            //   85c0                 | jne                 0xc
            //   7516                 | dec                 eax

        $sequence_38 = { 8b5210 3bd0 740e 8b742408 890e }
            // n = 5, score = 1400
            //   8b5210               | pop                 eax
            //   3bd0                 | push                dword ptr [ebp - 4]
            //   740e                 | push                0xd
            //   8b742408             | pop                 eax
            //   890e                 | test                eax, eax

        $sequence_39 = { 85c0 742d ff75fc 6a0d 58 e8???????? }
            // n = 6, score = 1400
            //   85c0                 | shl                 eax, 3
            //   742d                 | dec                 eax
            //   ff75fc               | test                eax, eax
            //   6a0d                 | dec                 eax
            //   58                   | mov                 ebp, eax
            //   e8????????           |                     

        $sequence_40 = { ff15???????? bb01000000 498bcc eb07 83c301 488d4801 66ba2000 }
            // n = 7, score = 1400
            //   ff15????????         |                     
            //   bb01000000           | xor                 ecx, ecx
            //   498bcc               | push                dword ptr [ebp - 0xc]
            //   eb07                 | push                0x122
            //   83c301               | push                dword ptr [ebp + 8]
            //   488d4801             | xor                 ebx, ebx
            //   66ba2000             | mov                 dx, 0x20

        $sequence_41 = { 4c8be7 75c4 48892e eb02 33db 488b0d???????? 885e08 }
            // n = 7, score = 1400
            //   4c8be7               | ret                 4
            //   75c4                 | pop                 ebp
            //   48892e               | pop                 ebx
            //   eb02                 | pop                 ecx
            //   33db                 | ret                 4
            //   488b0d????????       |                     
            //   885e08               | push                0

        $sequence_42 = { 33db 66ba2000 498bcc ff15???????? 4885c0 488bf8 7417 }
            // n = 7, score = 1400
            //   33db                 | dec                 eax
            //   66ba2000             | arpl                word ptr [ebx + 0x3c], dx
            //   498bcc               | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | mov                 eax, dword ptr [esi + 8]
            //   488bf8               | dec                 eax
            //   7417                 | mov                 ecx, dword ptr [esi]

        $sequence_43 = { 415c 5f 5e 5d 5b c3 8b4754 }
            // n = 7, score = 1400
            //   415c                 | mov                 ecx, dword ptr [esi]
            //   5f                   | inc                 ebp
            //   5e                   | xor                 ecx, ecx
            //   5d                   | inc                 esp
            //   5b                   | mov                 eax, ebp
            //   c3                   | test                al, al
            //   8b4754               | jns                 0xa9

        $sequence_44 = { 448bc3 33d2 41c1e003 ff15???????? 4885c0 488be8 }
            // n = 6, score = 1400
            //   448bc3               | push                dword ptr [ebp - 0xc]
            //   33d2                 | push                0x122
            //   41c1e003             | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   4885c0               | pop                 ebx
            //   488be8               | pop                 ecx

        $sequence_45 = { be01000000 8bc6 4883c440 415e 415d 415c }
            // n = 6, score = 1400
            //   be01000000           | test                al, 1
            //   8bc6                 | je                  0x2e
            //   4883c440             | dec                 eax
            //   415e                 | mov                 ecx, dword ptr [ebx]
            //   415d                 | test                eax, eax
            //   415c                 | jne                 0xf5

        $sequence_46 = { ff15???????? 4c8964dd00 83c301 4885ff 4c8be7 }
            // n = 5, score = 1400
            //   ff15????????         |                     
            //   4c8964dd00           | mov                 eax, dword ptr [esi + 8]
            //   83c301               | jne                 0x167
            //   4885ff               | mov                 eax, dword ptr [ebx + 0x48]
            //   4c8be7               | test                al, 1

        $sequence_47 = { 03ca 0fb75114 56 0fb77106 33c0 8d4c0a18 33d2 }
            // n = 7, score = 1400
            //   03ca                 | je                  0x14
            //   0fb75114             | mov                 dword ptr [esi], eax
            //   56                   | push                dword ptr [ebp - 4]
            //   0fb77106             | push                0xd
            //   33c0                 | pop                 eax
            //   8d4c0a18             | je                  0x2f
            //   33d2                 | push                dword ptr [ebp - 4]

        $sequence_48 = { 53 b800080000 50 56 ff35???????? }
            // n = 5, score = 1400
            //   53                   | mov                 dword ptr [ebp - 0xc], ebx
            //   b800080000           | mov                 dword ptr [ebp - 0x10], ebx
            //   50                   | mov                 dword ptr [ebp - 8], 0x57
            //   56                   | mov                 edi, 0x119
            //   ff35????????         |                     

        $sequence_49 = { 50 57 6a01 ff75e0 }
            // n = 4, score = 1400
            //   50                   | dec                 eax
            //   57                   | mov                 ebx, edi
            //   6a01                 | mov                 esi, edi
            //   ff75e0               | dec                 eax

        $sequence_50 = { c1e902 895d10 7417 8b10 }
            // n = 4, score = 1400
            //   c1e902               | jmp                 9
            //   895d10               | xor                 ebx, ebx
            //   7417                 | mov                 byte ptr [esi + 8], bl
            //   8b10                 | xor                 edx, edx

        $sequence_51 = { 6a01 ff75e0 68???????? e8???????? }
            // n = 4, score = 1400
            //   6a01                 | dec                 eax
            //   ff75e0               | mov                 dword ptr [esp + 0x20], ebx
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_52 = { 498bcc ff15???????? 33db 66ba2000 }
            // n = 4, score = 1400
            //   498bcc               | mov                 eax, ebp
            //   ff15????????         |                     
            //   33db                 | pop                 ebp
            //   66ba2000             | pop                 ebx

        $sequence_53 = { 8bd5 488bcf bb57000000 e8???????? }
            // n = 4, score = 1300
            //   8bd5                 | add                 ebx, 1
            //   488bcf               | dec                 eax
            //   bb57000000           | test                edi, edi
            //   e8????????           |                     

        $sequence_54 = { 8b35???????? 50 83c604 e8???????? 3bfb 7414 }
            // n = 6, score = 1300
            //   8b35????????         |                     
            //   50                   | dec                 eax
            //   83c604               | lea                 eax, [edx + 0x4a20]
            //   e8????????           |                     
            //   3bfb                 | dec                 eax
            //   7414                 | mov                 dword ptr [edx + 0x4a28], eax

        $sequence_55 = { ff15???????? a810 ff750c 7535 }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   a810                 | push                esi
            //   ff750c               | mov                 ebx, esi
            //   7535                 | mov                 edi, eax

        $sequence_56 = { 89450c ff15???????? 3bc3 8945f4 741a ff750c }
            // n = 6, score = 1300
            //   89450c               | jne                 0x5d
            //   ff15????????         |                     
            //   3bc3                 | push                ebx
            //   8945f4               | push                esi
            //   741a                 | push                edi
            //   ff750c               | mov                 esi, 0x104

        $sequence_57 = { 4883c608 83fd05 72c1 eb0c bb7f000000 eb05 }
            // n = 6, score = 1300
            //   4883c608             | dec                 eax
            //   83fd05               | test                eax, eax
            //   72c1                 | inc                 esp
            //   eb0c                 | mov                 eax, ebx
            //   bb7f000000           | xor                 edx, edx
            //   eb05                 | inc                 ecx

        $sequence_58 = { ff15???????? 488bdf 8bf7 483bdf }
            // n = 4, score = 1300
            //   ff15????????         |                     
            //   488bdf               | jmp                 0x11
            //   8bf7                 | push                dword ptr [ebp - 8]
            //   483bdf               | call                esi

        $sequence_59 = { e8???????? 85db 7423 8b0d???????? 0fb701 }
            // n = 5, score = 1300
            //   e8????????           |                     
            //   85db                 | test                eax, eax
            //   7423                 | dec                 eax
            //   8b0d????????         |                     
            //   0fb701               | mov                 ebp, eax

        $sequence_60 = { ba08000000 b90e010000 41b800000100 4889442420 e8???????? e9???????? }
            // n = 6, score = 1300
            //   ba08000000           | dec                 eax
            //   b90e010000           | cmp                 ebx, edi
            //   41b800000100         | jne                 0xd
            //   4889442420           | dec                 esp
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_61 = { 8bd7 e8???????? eb02 33c0 3bc3 7413 }
            // n = 6, score = 1300
            //   8bd7                 | cmp                 dword ptr [esp + 0x88], 0
            //   e8????????           |                     
            //   eb02                 | dec                 esp
            //   33c0                 | mov                 eax, dword ptr [esp + 0x40]
            //   3bc3                 | dec                 eax
            //   7413                 | mov                 edx, dword ptr [esp + 0x48]

        $sequence_62 = { 8d4de0 3bc1 0f84ce000000 eb03 }
            // n = 4, score = 1300
            //   8d4de0               | cmp                 edi, ebx
            //   3bc1                 | je                  0x4e
            //   0f84ce000000         | push                ebx
            //   eb03                 | lea                 eax, [ebp - 4]

        $sequence_63 = { 6641b85c00 33d2 488bcd ff15???????? }
            // n = 4, score = 1300
            //   6641b85c00           | mov                 dword ptr [esp + 0x28], 0xea60
            //   33d2                 | dec                 esp
            //   488bcd               | cmovne              ecx, eax
            //   ff15????????         |                     

        $sequence_64 = { 3bc3 7406 50 e8???????? 3bfb 7414 a1???????? }
            // n = 7, score = 1300
            //   3bc3                 | mov                 dword ptr [esp + 0x20], ebx
            //   7406                 | test                eax, eax
            //   50                   | mov                 ebx, eax
            //   e8????????           |                     
            //   3bfb                 | mov                 dword ptr [esp + 0x28], 0xea60
            //   7414                 | dec                 esp
            //   a1????????           |                     

        $sequence_65 = { 57 ff750c 53 e8???????? 3bfe }
            // n = 5, score = 1200
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0x10]
            //   53                   | pop                 esi
            //   e8????????           |                     
            //   3bfe                 | xor                 eax, eax

        $sequence_66 = { 83632800 e9???????? 8b4330 a840 0f84e2000000 }
            // n = 5, score = 1200
            //   83632800             | lea                 eax, [edx + 0x4a20]
            //   e9????????           |                     
            //   8b4330               | dec                 eax
            //   a840                 | mov                 dword ptr [edx + 0x4a28], eax
            //   0f84e2000000         | dec                 eax

        $sequence_67 = { 8b8c2490000000 83bc248800000000 4c8b442440 488b542448 }
            // n = 4, score = 1200
            //   8b8c2490000000       | dec                 esp
            //   83bc248800000000     | mov                 eax, ebx
            //   4c8b442440           | xor                 edx, edx
            //   488b542448           | dec                 eax

        $sequence_68 = { 8b4f30 84c9 0f8992000000 8b4f30 }
            // n = 4, score = 1200
            //   8b4f30               | mov                 edx, edi
            //   84c9                 | jmp                 6
            //   0f8992000000         | xor                 eax, eax
            //   8b4f30               | cmp                 eax, ebx

        $sequence_69 = { ff75fc 56 ff35???????? ff15???????? 53 }
            // n = 5, score = 1200
            //   ff75fc               | add                 eax, 0xfffffefe
            //   56                   | xor                 ebx, ebx
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   53                   | xor                 ecx, ecx

        $sequence_70 = { 0f854affffff 894330 e9???????? 55 }
            // n = 4, score = 1200
            //   0f854affffff         | mov                 edx, ebx
            //   894330               | dec                 eax
            //   e9????????           |                     
            //   55                   | mov                 ecx, dword ptr [esp + 0x228]

        $sequence_71 = { ff37 e8???????? 85c0 0f85d7000000 }
            // n = 4, score = 1200
            //   ff37                 | cmp                 eax, ebx
            //   e8????????           |                     
            //   85c0                 | je                  0x19
            //   0f85d7000000         | push                eax

        $sequence_72 = { e8???????? 33f6 3975fc 7410 ff75fc }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   33f6                 | xor                 ebx, ebx
            //   3975fc               | xor                 ecx, ecx
            //   7410                 | push                esi
            //   ff75fc               | mov                 esi, ecx

        $sequence_73 = { 56 ff35???????? 8945f8 ff15???????? 8bd8 3bde }
            // n = 6, score = 1200
            //   56                   | mov                 eax, edi
            //   ff35????????         |                     
            //   8945f8               | lea                 eax, [esi + 0x18]
            //   ff15????????         |                     
            //   8bd8                 | mov                 ecx, dword ptr [eax]
            //   3bde                 | mov                 eax, esi

        $sequence_74 = { e8???????? 3bfe 740e 57 }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   3bfe                 | push                ebx
            //   740e                 | push                esi
            //   57                   | mov                 esi, ecx

        $sequence_75 = { a840 0f84e2000000 8b7334 8d442418 50 }
            // n = 5, score = 1200
            //   a840                 | lea                 eax, [edx + 0x4a20]
            //   0f84e2000000         | dec                 eax
            //   8b7334               | add                 esp, 0x28
            //   8d442418             | ret                 
            //   50                   | dec                 eax

        $sequence_76 = { c20800 8b4330 a804 0f8451ffffff 8b470c }
            // n = 5, score = 1200
            //   c20800               | mov                 eax, ecx
            //   8b4330               | dec                 eax
            //   a804                 | add                 esp, 0x38
            //   0f8451ffffff         | ret                 
            //   8b470c               | dec                 eax

        $sequence_77 = { 8bf7 8bfe e8???????? 5f }
            // n = 4, score = 1200
            //   8bf7                 | mov                 dword ptr [esp + 8], ebx
            //   8bfe                 | dec                 eax
            //   e8????????           |                     
            //   5f                   | mov                 dword ptr [esp + 0x10], ebp

        $sequence_78 = { c744242000010000 ff15???????? 4883f8ff 488bf8 7442 }
            // n = 5, score = 1200
            //   c744242000010000     | mov                 ebx, edi
            //   ff15????????         |                     
            //   4883f8ff             | mov                 esi, edi
            //   488bf8               | dec                 eax
            //   7442                 | cmp                 ebx, edi

        $sequence_79 = { e8???????? 85c0 0f8586000000 8b4720 }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   85c0                 | je                  0x21
            //   0f8586000000         | push                eax
            //   8b4720               | cmp                 eax, ebx

        $sequence_80 = { 752e 53 e8???????? 6a01 }
            // n = 4, score = 1200
            //   752e                 | mov                 ecx, dword ptr [eax]
            //   53                   | push                edi
            //   e8????????           |                     
            //   6a01                 | push                ebx

        $sequence_81 = { 745d 488b0d???????? 33d2 41b800040000 ff15???????? 4c8b4608 }
            // n = 6, score = 1100
            //   745d                 | test                eax, eax
            //   488b0d????????       |                     
            //   33d2                 | jne                 0xf3
            //   41b800040000         | dec                 eax
            //   ff15????????         |                     
            //   4c8b4608             | mov                 eax, dword ptr [esi + 8]

        $sequence_82 = { 33d2 ff15???????? 4885db 740c }
            // n = 4, score = 1100
            //   33d2                 | dec                 eax
            //   ff15????????         |                     
            //   4885db               | mov                 dword ptr [esp + 0x20], eax
            //   740c                 | dec                 eax

        $sequence_83 = { c3 418bd8 4803df 410fb64101 33d2 }
            // n = 5, score = 1100
            //   c3                   | add                 esi, 8
            //   418bd8               | cmp                 ebp, 5
            //   4803df               | jb                  0xffffffc3
            //   410fb64101           | jmp                 0x10
            //   33d2                 | dec                 eax

        $sequence_84 = { 8d45fc 50 8b4508 e8???????? 85c0 742d ff75fc }
            // n = 7, score = 1100
            //   8d45fc               | mov                 ecx, esp
            //   50                   | xor                 ebx, ebx
            //   8b4508               | mov                 dx, 0x20
            //   e8????????           |                     
            //   85c0                 | dec                 ecx
            //   742d                 | mov                 ecx, esp
            //   ff75fc               | xor                 ebx, ebx

        $sequence_85 = { 410fb64102 488d0cc3 48890d???????? 410fb64103 488d0cc3 }
            // n = 5, score = 1100
            //   410fb64102           | cmp                 ebp, 5
            //   488d0cc3             | jb                  0xffffffc6
            //   48890d????????       |                     
            //   410fb64103           | jmp                 0xe
            //   488d0cc3             | mov                 ebx, 0x7f

        $sequence_86 = { e8???????? 85c0 7507 33db 895d08 eb03 8b5d08 }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   85c0                 | cmp                 dword ptr [ebp + 8], 0
            //   7507                 | je                  0xe
            //   33db                 | push                dword ptr [ebp + 8]
            //   895d08               | jne                 0x10
            //   eb03                 | cmp                 dword ptr [ebp + 8], 0
            //   8b5d08               | je                  0xe

        $sequence_87 = { 448be8 418b4310 41394308 410f474308 }
            // n = 4, score = 1100
            //   448be8               | push                0x122
            //   418b4310             | push                dword ptr [ebp + 8]
            //   41394308             | push                dword ptr [ebp - 0x10]
            //   410f474308           | push                dword ptr [ebp - 0xc]

        $sequence_88 = { 33d2 488d0cc3 48890d???????? 410fb64102 }
            // n = 4, score = 1100
            //   33d2                 | mov                 ebx, 0x7f
            //   488d0cc3             | jmp                 0x13
            //   48890d????????       |                     
            //   410fb64102           | mov                 ebx, 0x7e

        $sequence_89 = { 4885db 740c 4c8b0d???????? e9???????? }
            // n = 4, score = 1100
            //   4885db               | add                 esi, 8
            //   740c                 | cmp                 ebp, 5
            //   4c8b0d????????       |                     
            //   e9????????           |                     

        $sequence_90 = { ff15???????? 488bcf 48870d???????? 483bcf 7405 e8???????? ba01000000 }
            // n = 7, score = 1100
            //   ff15????????         |                     
            //   488bcf               | pop                 ebx
            //   48870d????????       |                     
            //   483bcf               | ret                 8
            //   7405                 | dec                 dword ptr [esp + 0xc]
            //   e8????????           |                     
            //   ba01000000           | jne                 0xffffffe8

        $sequence_91 = { 33d2 ff15???????? 483bc3 4c8be8 }
            // n = 4, score = 1100
            //   33d2                 | mov                 ecx, esp
            //   ff15????????         |                     
            //   483bc3               | jmp                 0x13
            //   4c8be8               | dec                 ecx

        $sequence_92 = { 33d2 498bcc 498bfd e8???????? }
            // n = 4, score = 1100
            //   33d2                 | test                edi, edi
            //   498bcc               | dec                 esp
            //   498bfd               | mov                 esp, edi
            //   e8????????           |                     

        $sequence_93 = { 50 57 e8???????? e9???????? 68???????? }
            // n = 5, score = 1100
            //   50                   | xor                 edi, edi
            //   57                   | jmp                 0xb
            //   e8????????           |                     
            //   e9????????           |                     
            //   68????????           |                     

        $sequence_94 = { c9 c20400 51 56 ff74240c }
            // n = 5, score = 1100
            //   c9                   | jne                 0x10
            //   c20400               | cmp                 dword ptr [ebp + 8], 0
            //   51                   | je                  0xe
            //   56                   | push                dword ptr [ebp + 8]
            //   ff74240c             | xor                 edi, edi

        $sequence_95 = { 33d2 ff15???????? 8b05???????? 418bdd }
            // n = 4, score = 1100
            //   33d2                 | je                  0x26
            //   ff15????????         |                     
            //   8b05????????         |                     
            //   418bdd               | xor                 edx, edx

        $sequence_96 = { 8a4b1c 488b4558 4c8b4d30 4c8b4510 }
            // n = 4, score = 1100
            //   8a4b1c               | mov                 ecx, dword ptr [esi]
            //   488b4558             | je                  0x2e
            //   4c8b4d30             | dec                 eax
            //   4c8b4510             | mov                 ecx, dword ptr [ebx]

        $sequence_97 = { 488bce ff15???????? 488b0d???????? 33d2 4c63c0 }
            // n = 5, score = 1100
            //   488bce               | lea                 ecx, [ebx + eax*8]
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   33d2                 | inc                 esp
            //   4c63c0               | mov                 ebp, eax

        $sequence_98 = { 72d6 eb13 ff75fc 6a00 ff35???????? }
            // n = 5, score = 1100
            //   72d6                 | jne                 0xffffffcf
            //   eb13                 | dec                 esp
            //   ff75fc               | mov                 dword ptr [ebp + ebx*8], esp
            //   6a00                 | add                 ebx, 1
            //   ff35????????         |                     

        $sequence_99 = { ff4c240c 75e6 5e 5b c20800 }
            // n = 5, score = 1000
            //   ff4c240c             | mov                 ebx, dword ptr [ebp + 8]
            //   75e6                 | test                eax, eax
            //   5e                   | jne                 9
            //   5b                   | xor                 ebx, ebx
            //   c20800               | mov                 dword ptr [ebp + 8], ebx

        $sequence_100 = { 0f8386000000 488b18 8364245800 33c0 21442450 }
            // n = 5, score = 1000
            //   0f8386000000         | mov                 esi, edi
            //   488b18               | dec                 eax
            //   8364245800           | cmp                 ebx, edi
            //   33c0                 | jne                 0x12
            //   21442450             | dec                 eax

        $sequence_101 = { 3b3e 72dc 8b45fc 5f 5b c9 c21400 }
            // n = 7, score = 1000
            //   3b3e                 | jae                 0x8c
            //   72dc                 | dec                 eax
            //   8b45fc               | mov                 ebx, dword ptr [eax]
            //   5f                   | and                 dword ptr [esp + 0x58], 0
            //   5b                   | xor                 eax, eax
            //   c9                   | and                 dword ptr [esp + 0x50], eax
            //   c21400               | jmp                 0xa

        $sequence_102 = { 8932 83c204 ff4c240c 75e6 }
            // n = 4, score = 1000
            //   8932                 | lea                 eax, [ebp + 8]
            //   83c204               | push                eax
            //   ff4c240c             | push                ebx
            //   75e6                 | mov                 eax, esi

        $sequence_103 = { 8b3d???????? 56 ffd7 53 56 }
            // n = 5, score = 1000
            //   8b3d????????         |                     
            //   56                   | push                ebx
            //   ffd7                 | mov                 ebx, 0xea60
            //   53                   | push                ebx
            //   56                   | jne                 7

        $sequence_104 = { 5b c3 a1???????? 83c040 50 ff15???????? }
            // n = 6, score = 1000
            //   5b                   | push                ebx
            //   c3                   | mov                 ebx, 0xea60
            //   a1????????           |                     
            //   83c040               | push                ebx
            //   50                   | jne                 7
            //   ff15????????         |                     

        $sequence_105 = { 8bf1 05fefeffff 33db 33c9 }
            // n = 4, score = 1000
            //   8bf1                 | mov                 eax, dword ptr [edx]
            //   05fefeffff           | inc                 ebx
            //   33db                 | mov                 cl, bl
            //   33c9                 | rol                 eax, cl

        $sequence_106 = { 8b02 43 8acb d3c0 33c6 33442410 8bf0 }
            // n = 7, score = 1000
            //   8b02                 | test                edi, edi
            //   43                   | jne                 0x10
            //   8acb                 | cmp                 dword ptr [ebp + 8], 0
            //   d3c0                 | je                  0x10
            //   33c6                 | push                dword ptr [ebp + 8]
            //   33442410             | test                edi, edi
            //   8bf0                 | jne                 0x10

        $sequence_107 = { 8ac3 5b c9 c20400 53 56 8bf0 }
            // n = 7, score = 1000
            //   8ac3                 | je                  0xe4
            //   5b                   | inc                 esp
            //   c9                   | cmp                 esi, ebx
            //   c20400               | mov                 eax, ebx
            //   53                   | je                  0xa
            //   56                   | lea                 eax, [esi - 4]
            //   8bf0                 | cmp                 eax, esi

        $sequence_108 = { 7512 ff15???????? 8bf8 81ffe5030000 }
            // n = 4, score = 1000
            //   7512                 | mov                 eax, dword ptr [ebp + 0xc]
            //   ff15????????         |                     
            //   8bf8                 | mov                 dword ptr [eax], esi
            //   81ffe5030000         | jmp                 0x3a

        $sequence_109 = { 53 ff7614 ff15???????? 85c0 7512 }
            // n = 5, score = 1000
            //   53                   | push                0
            //   ff7614               | je                  0xffffffa5
            //   ff15????????         |                     
            //   85c0                 | xor                 edi, edi
            //   7512                 | jmp                 0xf

        $sequence_110 = { 488d542440 488bcd ff15???????? 4883f8ff 4c8be0 }
            // n = 5, score = 900
            //   488d542440           | dec                 ecx
            //   488bcd               | mov                 ecx, esp
            //   ff15????????         |                     
            //   4883f8ff             | dec                 eax
            //   4c8be0               | test                eax, eax

        $sequence_111 = { 483bc3 4c8be8 0f841c010000 448b05???????? 33d2 }
            // n = 5, score = 900
            //   483bc3               | add                 ebx, 1
            //   4c8be8               | dec                 eax
            //   0f841c010000         | test                edi, edi
            //   448b05????????       |                     
            //   33d2                 | dec                 esp

        $sequence_112 = { 754f 488d4c246c 66ba2e00 ff15???????? 488bf0 }
            // n = 5, score = 900
            //   754f                 | mov                 esp, edi
            //   488d4c246c           | jne                 0xffffffcf
            //   66ba2e00             | dec                 eax
            //   ff15????????         |                     
            //   488bf0               | test                edi, edi

        $sequence_113 = { 57 8d45fc 50 ff750c 33ff ff7508 217dfc }
            // n = 7, score = 900
            //   57                   | je                  0x12
            //   8d45fc               | push                dword ptr [ebp - 4]
            //   50                   | push                esi
            //   ff750c               | push                ebx
            //   33ff                 | cmp                 edi, esi
            //   ff7508               | je                  0x10
            //   217dfc               | push                edi

        $sequence_114 = { 33d2 ff15???????? 33ff 4885ff }
            // n = 4, score = 900
            //   33d2                 | inc                 ecx
            //   ff15????????         |                     
            //   33ff                 | movzx               eax, byte ptr [ecx + 3]
            //   4885ff               | dec                 eax

        $sequence_115 = { ff15???????? c20400 55 8bec 51 a1???????? 83c040 }
            // n = 7, score = 900
            //   ff15????????         |                     
            //   c20400               | add                 esi, 8
            //   55                   | cmp                 ebp, 5
            //   8bec                 | jb                  0xffffffc3
            //   51                   | jmp                 0x10
            //   a1????????           |                     
            //   83c040               | mov                 ebx, 0x7f

        $sequence_116 = { e8???????? 483bc3 488be8 0f84de000000 }
            // n = 4, score = 900
            //   e8????????           |                     
            //   483bc3               | test                eax, eax
            //   488be8               | mov                 ebx, 1
            //   0f84de000000         | dec                 ecx

        $sequence_117 = { e9???????? 33c9 bb26040000 48870d???????? }
            // n = 4, score = 900
            //   e9????????           |                     
            //   33c9                 | xor                 eax, dword ptr [esp + 0x10]
            //   bb26040000           | mov                 esi, eax
            //   48870d????????       |                     

        $sequence_118 = { 458be0 bb08000000 e8???????? 85c0 }
            // n = 4, score = 900
            //   458be0               | ret                 8
            //   bb08000000           | mov                 dword ptr [edx], esi
            //   e8????????           |                     
            //   85c0                 | add                 edx, 4

        $sequence_119 = { 8d442430 50 8d442430 50 8d442428 50 8d442428 }
            // n = 7, score = 900
            //   8d442430             | mov                 ecx, ebp
            //   50                   | dec                 eax
            //   8d442430             | cmp                 eax, -1
            //   50                   | dec                 esp
            //   8d442428             | mov                 esp, eax
            //   50                   | dec                 eax
            //   8d442428             | cmp                 eax, ebx

        $sequence_120 = { ff35???????? ffd3 8bd8 85db 7476 }
            // n = 5, score = 900
            //   ff35????????         |                     
            //   ffd3                 | mov                 eax, ebp
            //   8bd8                 | xor                 edx, edx
            //   85db                 | dec                 eax
            //   7476                 | cmp                 eax, ebx

        $sequence_121 = { ff15???????? eb14 488b0d???????? 4c8bc7 }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   eb14                 | inc                 ecx
            //   488b0d????????       |                     
            //   4c8bc7               | movzx               eax, byte ptr [ecx + 2]

        $sequence_122 = { 3dd2100000 7416 a1???????? 83c004 }
            // n = 4, score = 900
            //   3dd2100000           | mov                 ecx, eax
            //   7416                 | mov                 dword ptr [esp + 0x1d8], eax
            //   a1????????           |                     
            //   83c004               | mov                 dword ptr [esp + 0x1dc], eax

        $sequence_123 = { ff15???????? 4c8d4c2450 4c8d442458 8d5001 488bce e8???????? }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   4c8d4c2450           | inc                 ecx
            //   4c8d442458           | cmova               eax, dword ptr [ebx + 8]
            //   8d5001               | inc                 ebp
            //   488bce               | xor                 eax, eax
            //   e8????????           |                     

        $sequence_124 = { 480f45f2 832700 458be0 bb08000000 }
            // n = 4, score = 900
            //   480f45f2             | dec                 dword ptr [esp + 0xc]
            //   832700               | jne                 0xffffffec
            //   458be0               | pop                 esi
            //   bb08000000           | pop                 ebx

        $sequence_125 = { 4533c9 4889442428 215c2420 4533c0 }
            // n = 4, score = 900
            //   4533c9               | dec                 dword ptr [esp + 0xc]
            //   4889442428           | jne                 0xffffffec
            //   215c2420             | pop                 esi
            //   4533c0               | pop                 ebx

        $sequence_126 = { ff15???????? 3bc3 7fbd 83c701 e9???????? 488b8424c8010000 }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   3bc3                 | mov                 dword ptr [ebp + ebx*8], esp
            //   7fbd                 | add                 ebx, 1
            //   83c701               | dec                 eax
            //   e9????????           |                     
            //   488b8424c8010000     | test                edi, edi

        $sequence_127 = { 488bce ff15???????? 4c8d4c2450 4c8d442458 }
            // n = 4, score = 900
            //   488bce               | lea                 ecx, [ebx + eax*8]
            //   ff15????????         |                     
            //   4c8d4c2450           | dec                 eax
            //   4c8d442458           | lea                 ecx, [ebx + eax*8]

        $sequence_128 = { 41be01000000 33c9 418bd6 ff15???????? }
            // n = 4, score = 800
            //   41be01000000         | xor                 ecx, ecx
            //   33c9                 | inc                 ebp
            //   418bd6               | xor                 eax, eax
            //   ff15????????         |                     

        $sequence_129 = { 4c63c0 33d2 4983c00c ff15???????? }
            // n = 4, score = 800
            //   4c63c0               | add                 esp, 0x40
            //   33d2                 | inc                 ecx
            //   4983c00c             | pop                 esi
            //   ff15????????         |                     

        $sequence_130 = { 803f2a 750b 4883c701 83c3ff }
            // n = 4, score = 800
            //   803f2a               | push                esi
            //   750b                 | xor                 esi, esi
            //   4883c701             | cmp                 dword ptr [ebp - 4], esi
            //   83c3ff               | je                  0x15

        $sequence_131 = { 488b0d???????? 448bc0 8bd8 33d2 4983c001 }
            // n = 5, score = 800
            //   488b0d????????       |                     
            //   448bc0               | push                ebx
            //   8bd8                 | push                esi
            //   33d2                 | pop                 ebx
            //   4983c001             | push                edi

        $sequence_132 = { a1???????? 25efff0000 0bc2 e9???????? }
            // n = 4, score = 800
            //   a1????????           |                     
            //   25efff0000           | jne                 0xffffffec
            //   0bc2                 | pop                 esi
            //   e9????????           |                     

        $sequence_133 = { e9???????? 488bcb ff15???????? a810 }
            // n = 4, score = 800
            //   e9????????           |                     
            //   488bcb               | arpl                ax, ax
            //   ff15????????         |                     
            //   a810                 | xor                 edx, edx

        $sequence_134 = { 6a03 8935???????? 8935???????? 8935???????? }
            // n = 4, score = 800
            //   6a03                 | dec                 dword ptr [esp + 0xc]
            //   8935????????         |                     
            //   8935????????         |                     
            //   8935????????         |                     

        $sequence_135 = { ff15???????? 488b8c2490000000 8bd8 ff15???????? 33d2 }
            // n = 5, score = 800
            //   ff15????????         |                     
            //   488b8c2490000000     | dec                 eax
            //   8bd8                 | lea                 ecx, [ebx + eax*8]
            //   ff15????????         |                     
            //   33d2                 | inc                 ecx

        $sequence_136 = { 215c2420 4533c9 4533c0 33d2 ff15???????? 85c0 7511 }
            // n = 7, score = 800
            //   215c2420             | add                 eax, 0xc
            //   4533c9               | dec                 esp
            //   4533c0               | arpl                ax, ax
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   85c0                 | dec                 ecx
            //   7511                 | add                 eax, 0xc

        $sequence_137 = { 53 56 8bf1 05fefeffff }
            // n = 4, score = 800
            //   53                   | push                eax
            //   56                   | push                ecx
            //   8bf1                 | dec                 eax
            //   05fefeffff           | mov                 ecx, edi

        $sequence_138 = { 895df4 895df0 c745f857000000 bf19010000 }
            // n = 4, score = 800
            //   895df4               | and                 eax, 0xffef
            //   895df0               | or                  eax, edx
            //   c745f857000000       | je                  0x1c
            //   bf19010000           | mov                 eax, dword ptr [edx]

        $sequence_139 = { ff7508 8bc6 e8???????? 8b06 8b08 57 ff7510 }
            // n = 7, score = 700
            //   ff7508               | pop                 ebx
            //   8bc6                 | ret                 8
            //   e8????????           |                     
            //   8b06                 | add                 edx, 4
            //   8b08                 | dec                 dword ptr [esp + 0xc]
            //   57                   | jne                 0xffffffec
            //   ff7510               | pop                 esi

        $sequence_140 = { 488d542438 488bcb e8???????? eb02 33c0 85c0 }
            // n = 6, score = 700
            //   488d542438           | pop                 ecx
            //   488bcb               | ret                 4
            //   e8????????           |                     
            //   eb02                 | push                0
            //   33c0                 | pop                 ecx
            //   85c0                 | ret                 4

        $sequence_141 = { 750a 488bcf e8???????? 8bd8 488b0d???????? }
            // n = 5, score = 700
            //   750a                 | test                eax, eax
            //   488bcf               | inc                 ecx
            //   e8????????           |                     
            //   8bd8                 | mov                 esi, 1
            //   488b0d????????       |                     

        $sequence_142 = { 56 57 4154 4155 4156 4883ec50 488bf1 }
            // n = 7, score = 700
            //   56                   | inc                 ebp
            //   57                   | xor                 eax, eax
            //   4154                 | xor                 edx, edx
            //   4155                 | and                 dword ptr [esp + 0x20], ebx
            //   4156                 | inc                 ebp
            //   4883ec50             | xor                 ecx, ecx
            //   488bf1               | inc                 ebp

        $sequence_143 = { 53 8bc7 e8???????? 8d4618 8b08 }
            // n = 5, score = 700
            //   53                   | mov                 ecx, edi
            //   8bc7                 | dec                 eax
            //   e8????????           |                     
            //   8d4618               | cmp                 ecx, edi
            //   8b08                 | je                  7

        $sequence_144 = { 8bc7 5f c20400 55 8bec 83e4f8 81ec9c000000 }
            // n = 7, score = 700
            //   8bc7                 | jmp                 0x3a
            //   5f                   | push                0
            //   c20400               | test                edi, edi
            //   55                   | jne                 0x10
            //   8bec                 | cmp                 dword ptr [ebp + 8], 0
            //   83e4f8               | je                  0x10
            //   81ec9c000000         | push                dword ptr [ebp + 8]

        $sequence_145 = { 488b0d???????? 4889040f 4883c708 492bf6 75db }
            // n = 5, score = 700
            //   488b0d????????       |                     
            //   4889040f             | mov                 esi, 1
            //   4883c708             | xor                 ecx, ecx
            //   492bf6               | inc                 ecx
            //   75db                 | mov                 edx, esi

        $sequence_146 = { 488bcb ff15???????? 8bc8 ff15???????? 21b42410020000 }
            // n = 5, score = 600
            //   488bcb               | pop                 ecx
            //   ff15????????         |                     
            //   8bc8                 | ret                 4
            //   ff15????????         |                     
            //   21b42410020000       | push                0

        $sequence_147 = { 7417 4863461c 2b6e1c 4c03e8 488b4610 48894718 4883661000 }
            // n = 7, score = 600
            //   7417                 | ret                 4
            //   4863461c             | pop                 ecx
            //   2b6e1c               | ret                 4
            //   4c03e8               | push                0
            //   488b4610             | push                1
            //   48894718             | pop                 ecx
            //   4883661000           | ret                 4

        $sequence_148 = { 33db 53 ffd7 85c0 7557 813d????????04df2209 }
            // n = 6, score = 600
            //   33db                 | cmp                 dword ptr [ebp + 8], 0
            //   53                   | je                  0x10
            //   ffd7                 | cmp                 dword ptr [ebp + 8], 0
            //   85c0                 | je                  0xa
            //   7557                 | push                dword ptr [ebp + 8]
            //   813d????????04df2209     |     

        $sequence_149 = { 488364242000 448d4803 4533c0 488bd3 ff15???????? 488b8c2428020000 8bf0 }
            // n = 7, score = 600
            //   488364242000         | mov                 edx, ebx
            //   448d4803             | jmp                 6
            //   4533c0               | xor                 eax, eax
            //   488bd3               | cmp                 eax, edi
            //   ff15????????         |                     
            //   488b8c2428020000     | je                  0x19
            //   8bf0                 | mov                 edx, ebx

        $sequence_150 = { ff15???????? 8bf8 3bfb 744a 53 8d45fc }
            // n = 6, score = 600
            //   ff15????????         |                     
            //   8bf8                 | pop                 edi
            //   3bfb                 | pop                 esi
            //   744a                 | jne                 0x10
            //   53                   | cmp                 dword ptr [ebp + 8], 0
            //   8d45fc               | je                  0xe

        $sequence_151 = { 33d2 ff15???????? 83bc241002000000 7416 488d942410020000 4c8bcf 458bc4 }
            // n = 7, score = 600
            //   33d2                 | je                  0x18
            //   ff15????????         |                     
            //   83bc241002000000     | push                eax
            //   7416                 | mov                 edx, ebx
            //   488d942410020000     | jmp                 6
            //   4c8bcf               | xor                 eax, eax
            //   458bc4               | cmp                 eax, edi

        $sequence_152 = { 7405 e8???????? 4883c428 c3 488d82204a0000 488982284a0000 }
            // n = 6, score = 600
            //   7405                 | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   4883c428             | push                esi
            //   c3                   | push                dword ptr [ebp - 4]
            //   488d82204a0000       | push                esi
            //   488982284a0000       | push                ebx

        $sequence_153 = { 50 e8???????? 85c0 7505 6a05 58 eb61 }
            // n = 7, score = 600
            //   50                   | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   85c0                 | mov                 eax, dword ptr [ebp + 0xc]
            //   7505                 | mov                 dword ptr [eax], esi
            //   6a05                 | jmp                 0x37
            //   58                   | push                0
            //   eb61                 | push                eax

        $sequence_154 = { 21b42410020000 eb0d ff15???????? 89842410020000 }
            // n = 4, score = 600
            //   21b42410020000       | je                  8
            //   eb0d                 | push                eax
            //   ff15????????         |                     
            //   89842410020000       | cmp                 ebx, edi

        $sequence_155 = { 418bcd e8???????? 8b842410020000 4c8d9c24f0010000 }
            // n = 4, score = 600
            //   418bcd               | je                  0xa
            //   e8????????           |                     
            //   8b842410020000       | push                eax
            //   4c8d9c24f0010000     | cmp                 ebx, edi

        $sequence_156 = { 53 56 57 be04010000 56 8bde e8???????? }
            // n = 7, score = 600
            //   53                   | mov                 eax, edi
            //   56                   | pop                 edi
            //   57                   | pop                 esi
            //   be04010000           | je                  0xa
            //   56                   | push                dword ptr [ebp + 8]
            //   8bde                 | mov                 eax, edi
            //   e8????????           |                     

        $sequence_157 = { 488b8c2428020000 488364242000 448d4803 4533c0 }
            // n = 4, score = 600
            //   488b8c2428020000     | je                  0x18
            //   488364242000         | push                eax
            //   448d4803             | push                edi
            //   4533c0               | push                dword ptr [ebp + 8]

        $sequence_158 = { a801 742c 488b0b e8???????? 85c0 0f85e8000000 488b4608 }
            // n = 7, score = 500
            //   a801                 | push                eax
            //   742c                 | cmp                 edi, ebx
            //   488b0b               | je                  0x18
            //   e8????????           |                     
            //   85c0                 | add                 esi, 4
            //   0f85e8000000         | cmp                 edi, ebx
            //   488b4608             | je                  0x18

        $sequence_159 = { e9???????? 488d942498000000 488d4c2430 4889442420 e8???????? 85c0 7574 }
            // n = 7, score = 500
            //   e9????????           |                     
            //   488d942498000000     | inc                 ecx
            //   488d4c2430           | push                esp
            //   4889442420           | inc                 ecx
            //   e8????????           |                     
            //   85c0                 | push                ebp
            //   7574                 | inc                 ecx

        $sequence_160 = { 85c0 0f8561010000 8b4348 a801 742c }
            // n = 5, score = 500
            //   85c0                 | add                 esi, 4
            //   0f8561010000         | cmp                 edi, ebx
            //   8b4348               | je                  0x11
            //   a801                 | push                eax
            //   742c                 | add                 esi, 4

        $sequence_161 = { 85c0 0f85e8000000 488b4608 488b0e 4533c9 448bc5 498bd4 }
            // n = 7, score = 500
            //   85c0                 | mov                 ebx, dword ptr [ebp + 8]
            //   0f85e8000000         | push                esi
            //   488b4608             | push                edi
            //   488b0e               | xor                 edi, edi
            //   4533c9               | mov                 ebp, esp
            //   448bc5               | sub                 esp, 0x48
            //   498bd4               | push                ebx

        $sequence_162 = { e8???????? 85c0 0f859b000000 4863533c }
            // n = 4, score = 500
            //   e8????????           |                     
            //   85c0                 | je                  0x1b
            //   0f859b000000         | je                  0x11
            //   4863533c             | push                eax

        $sequence_163 = { 448bcf 4533c0 e8???????? 483bc3 488905???????? 0f8403010000 }
            // n = 6, score = 500
            //   448bcf               | je                  0x12
            //   4533c0               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   483bc3               | push                esi
            //   488905????????       |                     
            //   0f8403010000         | push                ebx

        $sequence_164 = { 0f8480010000 448b484c 41f6c108 7415 4c8d40cc 33d2 }
            // n = 6, score = 500
            //   0f8480010000         | mov                 esi, dword ptr [ebx + 0x34]
            //   448b484c             | lea                 eax, [esp + 0x18]
            //   41f6c108             | push                eax
            //   7415                 | lea                 eax, [esp + 0x10]
            //   4c8d40cc             | mov                 eax, dword ptr [ebx + 0x30]
            //   33d2                 | test                al, 0x40

        $sequence_165 = { eb0b 8b434c 84c0 0f89a3000000 8b434c a804 7415 }
            // n = 7, score = 500
            //   eb0b                 | jmp                 4
            //   8b434c               | xor                 eax, eax
            //   84c0                 | cmp                 eax, ebx
            //   0f89a3000000         | je                  0x23
            //   8b434c               | push                eax
            //   a804                 | add                 esi, 4
            //   7415                 | cmp                 edi, ebx

        $sequence_166 = { e8???????? 488b0d???????? 4c8bc3 33d2 ff15???????? 488b0d???????? 4c8bc7 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   488b0d????????       |                     
            //   4c8bc3               | je                  0x12
            //   33d2                 | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   4c8bc7               | push                esi

        $sequence_167 = { 488bc8 e8???????? 483bc3 488905???????? 0f849a020000 488b0d???????? }
            // n = 6, score = 500
            //   488bc8               | push                ebx
            //   e8????????           |                     
            //   483bc3               | test                byte ptr [eax + 4], 8
            //   488905????????       |                     
            //   0f849a020000         | jne                 0x30
            //   488b0d????????       |                     

        $sequence_168 = { 4c8d40cc 33d2 33c9 e8???????? 85c0 0f8561010000 }
            // n = 6, score = 500
            //   4c8d40cc             | pop                 edi
            //   33d2                 | je                  0xe8
            //   33c9                 | mov                 esi, dword ptr [ebx + 0x34]
            //   e8????????           |                     
            //   85c0                 | lea                 eax, [esp + 0x18]
            //   0f8561010000         | push                eax

        $sequence_169 = { 488b0d???????? 33d2 448d4256 ff15???????? 4c8be0 }
            // n = 5, score = 400
            //   488b0d????????       |                     
            //   33d2                 | push                0
            //   448d4256             | push                0x122
            //   ff15????????         |                     
            //   4c8be0               | push                dword ptr [ebp + 8]

        $sequence_170 = { 488d542420 b901020000 ff15???????? 85c0 7513 448d4001 }
            // n = 6, score = 400
            //   488d542420           | push                0
            //   b901020000           | push                1
            //   ff15????????         |                     
            //   85c0                 | pop                 ecx
            //   7513                 | ret                 4
            //   448d4001             | push                0

        $sequence_171 = { 488bf8 4885c0 7427 488d542420 b901020000 ff15???????? }
            // n = 6, score = 400
            //   488bf8               | push                dword ptr [ebp - 0x10]
            //   4885c0               | push                dword ptr [ebp - 0xc]
            //   7427                 | push                0x122
            //   488d542420           | push                dword ptr [ebp + 8]
            //   b901020000           | push                dword ptr [ebp - 0x10]
            //   ff15????????         |                     

        $sequence_172 = { 458bf9 33ff e8???????? 4c8be8 4885c0 }
            // n = 5, score = 400
            //   458bf9               | push                0
            //   33ff                 | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   4c8be8               | push                0x122
            //   4885c0               | push                dword ptr [ebp + 8]

        $sequence_173 = { 33d2 468d44385f ff15???????? 4c8bf0 }
            // n = 4, score = 400
            //   33d2                 | push                0x122
            //   468d44385f           | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   4c8bf0               | push                0

        $sequence_174 = { 4c89642448 ff15???????? 8bd8 83f8ff }
            // n = 4, score = 400
            //   4c89642448           | push                0x122
            //   ff15????????         |                     
            //   8bd8                 | push                dword ptr [ebp + 8]
            //   83f8ff               | push                dword ptr [ebp + 8]

        $sequence_175 = { 488b842410020000 4889442420 e8???????? 8bd8 85c0 }
            // n = 5, score = 400
            //   488b842410020000     | push                0
            //   4889442420           | push                0
            //   e8????????           |                     
            //   8bd8                 | push                dword ptr [ebp + 8]
            //   85c0                 | push                dword ptr [ebp - 0x10]

        $sequence_176 = { ba10000000 488bc8 e8???????? 48898424e0010000 4885c0 }
            // n = 5, score = 400
            //   ba10000000           | push                -1
            //   488bc8               | push                ebx
            //   e8????????           |                     
            //   48898424e0010000     | mov                 esi, eax
            //   4885c0               | cmp                 esi, ebx

        $sequence_177 = { 5e 01e8 8d342a eba2 5f 5e }
            // n = 6, score = 300
            //   5e                   | mov                 dx, 0x20
            //   01e8                 | dec                 eax
            //   8d342a               | test                edi, edi
            //   eba2                 | dec                 esp
            //   5f                   | mov                 esp, edi
            //   5e                   | jne                 0xffffffc9

        $sequence_178 = { c20c00 60 8b742424 8b7c2428 fc b280 31db }
            // n = 7, score = 300
            //   c20c00               | dec                 eax
            //   60                   | mov                 dword ptr [esi], ebp
            //   8b742424             | jmp                 0xc
            //   8b7c2428             | xor                 ebx, ebx
            //   fc                   | mov                 dx, 0x20
            //   b280                 | dec                 ecx
            //   31db                 | mov                 ecx, esp

        $sequence_179 = { 01cb c644241300 30c9 eb67 8044241301 }
            // n = 5, score = 300
            //   01cb                 | dec                 eax
            //   c644241300           | test                eax, eax
            //   30c9                 | dec                 eax
            //   eb67                 | mov                 edi, eax
            //   8044241301           | je                  0x11

        $sequence_180 = { e2e4 c9 c20c00 83ec10 }
            // n = 4, score = 300
            //   e2e4                 | dec                 eax
            //   c9                   | mov                 ebp, eax
            //   c20c00               | dec                 esp
            //   83ec10               | mov                 dword ptr [ebp + ebx*8], esp

        $sequence_181 = { 8b5508 035510 8b3a 83c204 8b0a 83e908 }
            // n = 6, score = 300
            //   8b5508               | add                 ebx, 1
            //   035510               | dec                 eax
            //   8b3a                 | test                edi, edi
            //   83c204               | dec                 esp
            //   8b0a                 | mov                 esp, edi
            //   83e908               | jne                 0xffffffcf

        $sequence_182 = { 8b4508 8b4d0c 8b5510 31db 90 }
            // n = 5, score = 300
            //   8b4508               | dec                 eax
            //   8b4d0c               | mov                 dword ptr [esi], ebp
            //   8b5510               | jmp                 0x12
            //   31db                 | mov                 ebx, 1
            //   90                   | dec                 ecx

        $sequence_183 = { 89e5 53 56 57 51 64ff3530000000 }
            // n = 6, score = 300
            //   89e5                 | dec                 ecx
            //   53                   | mov                 ecx, esp
            //   56                   | jmp                 9
            //   57                   | add                 ebx, 1
            //   51                   | dec                 eax
            //   64ff3530000000       | lea                 ecx, [eax + 1]

        $sequence_184 = { 90 89ce 83e603 750c 8b5d10 6601da }
            // n = 6, score = 300
            //   90                   | jne                 0xffffffcf
            //   89ce                 | mov                 ebx, 1
            //   83e603               | dec                 ecx
            //   750c                 | mov                 ecx, esp
            //   8b5d10               | jmp                 0xc
            //   6601da               | add                 ebx, 1

    condition:
        7 of them and filesize < 2940928
}
Download all Yara Rules