win.konni

Konni


Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber-espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2022-01-26MalwarebytesRoberto Santos
@online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } KONNI evolves into stealthier RAT
Konni
2022-01-05LumenDanny Adamitis, Steve Rudd
@online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Konni
2021-08-20MalwarebytesHossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2020-08-14Department of Homeland SecurityUS-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-01-04Medium d-hunterDoron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-08-19EST SecurityEast Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-05-13Kaspersky LabsGReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2017-08-15FortinetJasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06Cisco TalosPaul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07vallejo.ccvallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03Cisco TalosPaul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20220411 | Detects win.konni.)
rule win_konni_auto {

    /* Auto-generated (yara-signator) code-sequence rule for win.konni.
     * Each $sequence_N in the strings section is a run of x86 opcode bytes
     * taken from the disassembly of a sample. The "??" bytes are YARA hex
     * wildcards standing in for position-dependent operands (call/jump
     * targets, absolute addresses after e8 / 68 / ff15 / a3 / c705 ...), so a
     * relocated or re-based binary still matches. The "n = ..., score = ..."
     * comments are generator bookkeeping: n is the number of instructions in
     * the sequence; score presumably ranks how widely the sequence was seen
     * across samples -- confirm against the yara-signator documentation.
     * The mnemonic column next to each byte group is annotation only; the
     * hex bytes are what YARA matches.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // 45 sequences ($sequence_0 .. $sequence_44). Scores fall from 800
        // ($sequence_0-6) through 500 and 200 to 100 ($sequence_25-44).
        $sequence_0 = { d0f9 0fbef1 83e601 8970ec d0f9 0fbef1 d0f9 }
            // n = 7, score = 800
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl
            //   83e601               | and                 esi, 1
            //   8970ec               | mov                 dword ptr [eax - 0x14], esi
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl
            //   d0f9                 | sar                 cl, 1

        $sequence_1 = { 8d55e8 52 8d45dc 50 6a00 68???????? }
            // n = 6, score = 800
            //   8d55e8               | lea                 edx, dword ptr [ebp - 0x18]
            //   52                   | push                edx
            //   8d45dc               | lea                 eax, dword ptr [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_2 = { e8???????? 83c410 85c0 0f850fffffff 6a3d 68???????? }
            // n = 6, score = 800
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f850fffffff         | jne                 0xffffff15
            //   6a3d                 | push                0x3d
            //   68????????           |                     

        $sequence_3 = { 03c0 3306 03c0 334604 03c0 }
            // n = 5, score = 800
            //   03c0                 | add                 eax, eax
            //   3306                 | xor                 eax, dword ptr [esi]
            //   03c0                 | add                 eax, eax
            //   334604               | xor                 eax, dword ptr [esi + 4]
            //   03c0                 | add                 eax, eax

        $sequence_4 = { 40 3b4514 7c93 8b4dfc 5f }
            // n = 5, score = 800
            //   40                   | inc                 eax
            //   3b4514               | cmp                 eax, dword ptr [ebp + 0x14]
            //   7c93                 | jl                  0xffffff95
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi

        $sequence_5 = { 81e1ff000080 7908 49 81c900ffffff 41 8a8c0df8feffff 300c07 }
            // n = 7, score = 800
            //   81e1ff000080         | and                 ecx, 0x800000ff
            //   7908                 | jns                 0xa
            //   49                   | dec                 ecx
            //   81c900ffffff         | or                  ecx, 0xffffff00
            //   41                   | inc                 ecx
            //   8a8c0df8feffff       | mov                 cl, byte ptr [ebp + ecx - 0x108]
            //   300c07               | xor                 byte ptr [edi + eax], cl

        $sequence_6 = { 68???????? e8???????? 83c418 8b45e4 50 }
            // n = 5, score = 800
            //   68????????           |                     
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_7 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 6a01 ff15???????? 50 a3???????? }
            // n = 4, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_9 = { 6804010000 8d95f8feffff 52 50 ff15???????? 8d85f8feffff }
            // n = 6, score = 200
            //   6804010000           | push                0x104
            //   8d95f8feffff         | lea                 edx, dword ptr [ebp - 0x108]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]

        $sequence_10 = { 8b9cae68020000 33d2 56 e8???????? 8a9435dec44600 5e }
            // n = 6, score = 200
            //   8b9cae68020000       | mov                 ebx, dword ptr [esi + ebp*4 + 0x268]
            //   33d2                 | xor                 edx, edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]
            //   5e                   | pop                 esi

        $sequence_11 = { 8b35???????? 8d95f0faffff 52 8d85f8feffff 50 ffd6 68???????? }
            // n = 7, score = 200
            //   8b35????????         |                     
            //   8d95f0faffff         | lea                 edx, dword ptr [ebp - 0x510]
            //   52                   | push                edx
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   68????????           |                     

        $sequence_12 = { 59 0bc9 89851a040000 61 }
            // n = 4, score = 200
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               

        $sequence_13 = { 57 56 ff95b10f0000 ab b000 ae }
            // n = 6, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b000                 | mov                 al, 0
            //   ae                   | scasb               al, byte ptr es:[edi]

        $sequence_14 = { 83bd9404000000 899d94040000 0f85d7030000 8d85a0040000 50 }
            // n = 5, score = 200
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd
            //   8d85a0040000         | lea                 eax, dword ptr [ebp + 0x4a0]
            //   50                   | push                eax

        $sequence_15 = { 897dd4 8b5dd0 ebab c745e428614000 }
            // n = 4, score = 200
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   ebab                 | jmp                 0xffffffad
            //   c745e428614000       | mov                 dword ptr [ebp - 0x1c], 0x406128

        $sequence_16 = { 8a8c30dec44600 5e bb01000000 83c604 }
            // n = 4, score = 200
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   bb01000000           | mov                 ebx, 1
            //   83c604               | add                 esi, 4

        $sequence_17 = { 50 ffd6 68???????? 8d8df8feffff 51 ffd6 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d8df8feffff         | lea                 ecx, dword ptr [ebp - 0x108]
            //   51                   | push                ecx
            //   ffd6                 | call                esi

        $sequence_18 = { 51 ffd6 68???????? 8d95f8feffff 52 ffd6 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d95f8feffff         | lea                 edx, dword ptr [ebp - 0x108]
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_19 = { 33db 56 e8???????? 8a9c30c2c44600 5e 83f908 }
            // n = 6, score = 200
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]
            //   5e                   | pop                 esi
            //   83f908               | cmp                 ecx, 8

        // NOTE(review): from here on several sequences carry REX prefixes
        // (leading 48/49/4c bytes), i.e. they come from 64-bit samples. The
        // mnemonic column beside those byte groups is a 32-bit decode that does
        // not line up with the bytes on each line (e.g. "7428" labelled
        // "dec eax" in $sequence_25). The annotations are unreliable for these
        // sequences; only the hex bytes are used for matching.
        $sequence_20 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_21 = { ff2495f0444000 8bc7 ba03000000 83e904 720c }
            // n = 5, score = 200
            //   ff2495f0444000       | jmp                 dword ptr [edx*4 + 0x4044f0]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3
            //   83e904               | sub                 ecx, 4
            //   720c                 | jb                  0xe

        $sequence_22 = { 5d bbedffffff 03dd 81eb00200200 }
            // n = 4, score = 200
            //   5d                   | pop                 ebp
            //   bbedffffff           | mov                 ebx, 0xffffffed
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000

        $sequence_23 = { b801000000 5e e8???????? 8be5 5d c21000 3b0d???????? }
            // n = 7, score = 200
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c21000               | ret                 0x10
            //   3b0d????????         |                     

        $sequence_24 = { 81e2ffffff00 d3ea 33c9 56 e8???????? 8a8c30a6c44600 }
            // n = 6, score = 200
            //   81e2ffffff00         | and                 edx, 0xffffff
            //   d3ea                 | shr                 edx, cl
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]

        $sequence_25 = { 7428 488bc2 488bcf 482bc2 48c1f803 488d1cc500000000 4c8bc3 }
            // n = 7, score = 100
            //   7428                 | dec                 eax
            //   488bc2               | xor                 ecx, esp
            //   488bcf               | dec                 esp
            //   482bc2               | lea                 ebx, dword ptr [esp + 0x160]
            //   48c1f803             | dec                 ecx
            //   488d1cc500000000     | mov                 ebx, dword ptr [ebx + 0x18]
            //   4c8bc3               | dec                 ecx

        $sequence_26 = { 4833cc e8???????? 4c8d9c2460010000 498b5b18 498b7b20 498be3 }
            // n = 6, score = 100
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   4c8d9c2460010000     | mov                 ebx, eax
            //   498b5b18             | dec                 eax
            //   498b7b20             | test                eax, eax
            //   498be3               | je                  0x736

        $sequence_27 = { 83e01f 8b0c8de0a30010 8d04c0 f644810401 7425 }
            // n = 5, score = 100
            //   83e01f               | and                 eax, 0x1f
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d04c0               | lea                 eax, dword ptr [eax + eax*8]
            //   f644810401           | test                byte ptr [ecx + eax*4 + 4], 1
            //   7425                 | je                  0x27

        $sequence_28 = { 440fb744242a 440fb74c242c 41ba67666666 c643053a 418bc2 }
            // n = 5, score = 100
            //   440fb744242a         | mov                 byte ptr [edx - 1], al
            //   440fb74c242c         | ja                  0xf
            //   41ba67666666         | dec                 eax
            //   c643053a             | lea                 ecx, dword ptr [0xef50]
            //   418bc2               | int3                

        $sequence_29 = { 4803c8 b840000000 33d2 412bc0 }
            // n = 4, score = 100
            //   4803c8               | dec                 esp
            //   b840000000           | mov                 eax, ebx
            //   33d2                 | dec                 eax
            //   412bc0               | test                ecx, ecx

        $sequence_30 = { ffc0 48ffc1 3d00010000 7cf2 458bca }
            // n = 5, score = 100
            //   ffc0                 | xor                 edx, edx
            //   48ffc1               | inc                 ecx
            //   3d00010000           | sub                 eax, eax
            //   7cf2                 | shl                 ecx, 3
            //   458bca               | shr                 eax, cl

        $sequence_31 = { 83e01f c1f905 8d04c0 8b0c8de0a30010 }
            // n = 4, score = 100
            //   83e01f               | and                 eax, 0x1f
            //   c1f905               | sar                 ecx, 5
            //   8d04c0               | lea                 eax, dword ptr [eax + eax*8]
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]

        $sequence_32 = { 8885db020000 0fb68688000000 8885dd020000 488bc1 }
            // n = 4, score = 100
            //   8885db020000         | mov                 byte ptr [edx - 5], al
            //   0fb68688000000       | inc                 ecx
            //   8885dd020000         | mov                 eax, ecx
            //   488bc1               | shr                 eax, cl

        $sequence_33 = { 488b0d???????? 4885c9 7438 488d15a41a0100 c705????????01000000 48c705????????01000000 }
            // n = 6, score = 100
            //   488b0d????????       |                     
            //   4885c9               | mov                 edi, dword ptr [ebx + 0x20]
            //   7438                 | dec                 ecx
            //   488d15a41a0100       | mov                 esp, ebx
            //   c705????????01000000     |     
            //   48c705????????01000000     |     

        $sequence_34 = { c1e103 d3e8 8842fb 418bc1 d3e8 8842ff }
            // n = 6, score = 100
            //   c1e103               | je                  0x3a
            //   d3e8                 | dec                 eax
            //   8842fb               | lea                 edx, dword ptr [0x11aa4]
            //   418bc1               | xor                 eax, eax
            //   d3e8                 | dec                 eax
            //   8842ff               | mov                 ebx, ecx

        $sequence_35 = { 57 8b348de0a30010 8d1c8de0a30010 8d3cc0 c1e702 03f7 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   8b348de0a30010       | mov                 esi, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d1c8de0a30010       | lea                 ebx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d3cc0               | lea                 edi, dword ptr [eax + eax*8]
            //   c1e702               | shl                 edi, 2
            //   03f7                 | add                 esi, edi

        $sequence_36 = { c1e603 3b9640830010 0f851c010000 a1???????? 83f801 0f84e8000000 }
            // n = 6, score = 100
            //   c1e603               | shl                 esi, 3
            //   3b9640830010         | cmp                 edx, dword ptr [esi + 0x10008340]
            //   0f851c010000         | jne                 0x122
            //   a1????????           |                     
            //   83f801               | cmp                 eax, 1
            //   0f84e8000000         | je                  0xee

        $sequence_37 = { eb02 33c0 0fbe84c608710010 c1f804 83f807 }
            // n = 5, score = 100
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   0fbe84c608710010     | movsx               eax, byte ptr [esi + eax*8 + 0x10007108]
            //   c1f804               | sar                 eax, 4
            //   83f807               | cmp                 eax, 7

        $sequence_38 = { 4883ec20 4c8d2578c80000 33f6 33db }
            // n = 4, score = 100
            //   4883ec20             | lea                 edx, dword ptr [ecx - 1]
            //   4c8d2578c80000       | dec                 eax
            //   33f6                 | add                 ecx, eax
            //   33db                 | mov                 eax, 0x40

        $sequence_39 = { ff15???????? 488b9c24c8020000 488bbc24a0020000 488b8c2490020000 4833cc e8???????? 4881c4a8020000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488b9c24c8020000     | dec                 eax
            //   488bbc24a0020000     | mov                 edx, dword ptr [edx + 0x58]
            //   488b8c2490020000     | dec                 eax
            //   4833cc               | mov                 ecx, dword ptr [esi + 0x10]
            //   e8????????           |                     
            //   4881c4a8020000       | sar                 cl, 1

        $sequence_40 = { 33c0 488bd9 4883c9ff 498bf9 48894520 66f2af }
            // n = 6, score = 100
            //   33c0                 | je                  0x2a
            //   488bd9               | dec                 eax
            //   4883c9ff             | mov                 eax, edx
            //   498bf9               | dec                 eax
            //   48894520             | mov                 ecx, edi
            //   66f2af               | dec                 eax

        $sequence_41 = { 4c8d4d08 4c8d442448 488d156d140100 488d4c2448 e8???????? 4883c9ff }
            // n = 6, score = 100
            //   4c8d4d08             | movsx               esi, cl
            //   4c8d442448           | and                 esi, 1
            //   488d156d140100       | mov                 dword ptr [eax - 0x10], esi
            //   488d4c2448           | sar                 cl, 1
            //   e8????????           |                     
            //   4883c9ff             | movsx               esi, cl

        $sequence_42 = { 49ffc0 4883c220 8bc1 d0f9 83e001 }
            // n = 5, score = 100
            //   49ffc0               | dec                 esp
            //   4883c220             | mov                 dword ptr [esp + 0x20], esi
            //   8bc1                 | dec                 eax
            //   d0f9                 | mov                 ebx, eax
            //   83e001               | dec                 eax

        $sequence_43 = { c705????????01000000 50 a3???????? e8???????? 8db6c4880010 bf???????? }
            // n = 6, score = 100
            //   c705????????01000000     |     
            //   50                   | push                eax
            //   a3????????           |                     
            //   e8???????? |                     
            //   8db6c4880010         | lea                 esi, dword ptr [esi + 0x100088c4]
            //   bf????????           |                     

        $sequence_44 = { 4883c9ff 498bfb f2ae 48f7d1 488d51ff }
            // n = 5, score = 100
            //   4883c9ff             | sub                 eax, edx
            //   498bfb               | dec                 eax
            //   f2ae                 | sar                 eax, 3
            //   48f7d1               | dec                 eax
            //   488d51ff             | lea                 ebx, dword ptr [eax*8]

    condition:
        // Fire when at least 7 of the 45 sequences are present. Because the
        // sequences mix 32-bit and 64-bit code, a single sample will only ever
        // contribute the subset that matches its architecture.
        // The size cap (330752 bytes = 323 KiB) bounds scan cost and false
        // positives on large files, but it also means larger carriers
        // (packed, bundled or padded builds) will not match even if they
        // contain the code. `filesize` is meaningful for on-disk file scans;
        // presumably it is not defined when scanning process memory, so verify
        // the behaviour before relying on this rule in a memory-scanning context.
        7 of them and filesize < 330752
}