win.konni

Konni


Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber-espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2022-07-23BleepingComputerBill Toulas
@online{toulas:20220723:north:79193bd, author = {Bill Toulas}, title = {{North Korean hackers attack EU targets with Konni RAT malware}}, date = {2022-07-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/}, language = {English}, urldate = {2022-07-25} } North Korean hackers attack EU targets with Konni RAT malware
Konni
2022-07-20Securonix Threat LabsD. Iuzvyk, T. Peck, O. Kolesnikov
@online{iuzvyk:20220720:stiffbizon:ae896da, author = {D. Iuzvyk and T. Peck and O. Kolesnikov}, title = {{STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}}, date = {2022-07-20}, organization = {Securonix Threat Labs}, url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/}, language = {English}, urldate = {2022-07-25} } STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
Konni
2022-01-26MalwarebytesRoberto Santos
@online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } KONNI evolves into stealthier RAT
Konni
2022-01-12BleepingComputerIonut Ilascu
@online{ilascu:20220112:hackers:e8e7709, author = {Ionut Ilascu}, title = {{Hackers take over diplomat's email, target Russian deputy minister}}, date = {2022-01-12}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/}, language = {English}, urldate = {2022-07-25} } Hackers take over diplomat's email, target Russian deputy minister
Konni
2022-01-05LumenDanny Adamitis, Steve Rudd
@online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Konni
2022-01-03Cluster25Cluster25
@techreport{cluster25:20220103:north:b362bcd, author = {Cluster25}, title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}}, date = {2022-01-03}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf}, language = {English}, urldate = {2022-07-25} } North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
Konni
2021-08-20MalwarebytesHossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2020-08-14Department of Homeland SecurityUS-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-01-27CyberIntCyberInt
@techreport{cyberint:20200127:konni:5cb8e40, author = {CyberInt}, title = {{Konni Malware 2019 Campaign}}, date = {2020-01-27}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf}, language = {English}, urldate = {2022-07-25} } Konni Malware 2019 Campaign
Konni
2020-01-04Medium d-hunterDoron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-08-19EST SecurityEast Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-05-13Kaspersky LabsGReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2017-08-15FortinetJasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06Cisco TalosPaul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07vallejo.ccvallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03Cisco TalosPaul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20220808 | Detects win.konni.)
rule win_konni_auto {

    /* Autogenerated code-sequence signature for the Konni RAT (Malpedia family
     * win.konni). Each $sequence_N string is a run of raw x86/x64 opcode bytes
     * picked by yara-signator from disassembled reference samples; the "????"
     * wildcards cover operand bytes that appear to vary between builds (call /
     * jump targets and absolute data references, as the blank annotation rows
     * for e8/ff15/68/a3/8b35 show). The "n = ..., score = ..." comments are
     * yara-signator's own annotations: n is the instruction count of the
     * sequence; the score semantics are not documented on this page.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20220805"
        // NOTE(review): presumably a Malpedia snapshot/rule identifier, not a
        // sample hash — do not treat it as an IoC; confirm against Malpedia.
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a9c35f8feffff 8819 889435f8feffff 0fb609 0fb6d2 03ca 81e1ff000080 }
            // n = 7, score = 800
            //   8a9c35f8feffff       | mov                 bl, byte ptr [ebp + esi - 0x108]
            //   8819                 | mov                 byte ptr [ecx], bl
            //   889435f8feffff       | mov                 byte ptr [ebp + esi - 0x108], dl
            //   0fb609               | movzx               ecx, byte ptr [ecx]
            //   0fb6d2               | movzx               edx, dl
            //   03ca                 | add                 ecx, edx
            //   81e1ff000080         | and                 ecx, 0x800000ff

        $sequence_1 = { 7552 8d4de0 51 8b4de4 8d55e8 }
            // n = 5, score = 800
            //   7552                 | jne                 0x54
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   51                   | push                ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8d55e8               | lea                 edx, [ebp - 0x18]

        $sequence_2 = { 334608 03c0 33460c 03c0 }
            // n = 4, score = 800
            //   334608               | xor                 eax, dword ptr [esi + 8]
            //   03c0                 | add                 eax, eax
            //   33460c               | xor                 eax, dword ptr [esi + 0xc]
            //   03c0                 | add                 eax, eax

        $sequence_3 = { 7c93 8b4dfc 5f 5e }
            // n = 4, score = 800
            //   7c93                 | jl                  0xffffff95
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_4 = { 0fb655eb 0fb645ea 52 50 }
            // n = 4, score = 800
            //   0fb655eb             | movzx               edx, byte ptr [ebp - 0x15]
            //   0fb645ea             | movzx               eax, byte ptr [ebp - 0x16]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_5 = { 40 3d00010000 7cf1 33c9 }
            // n = 4, score = 800
            //   40                   | inc                 eax
            //   3d00010000           | cmp                 eax, 0x100
            //   7cf1                 | jl                  0xfffffff3
            //   33c9                 | xor                 ecx, ecx

        $sequence_6 = { 83c418 8b45e4 50 ff15???????? 8b4dfc 33cd }
            // n = 6, score = 800
            //   83c418               | add                 esp, 0x18
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp

        $sequence_7 = { 0fbef1 d0f9 83e601 884c15f4 }
            // n = 4, score = 800
            //   0fbef1               | movsx               esi, cl
            //   d0f9                 | sar                 cl, 1
            //   83e601               | and                 esi, 1
            //   884c15f4             | mov                 byte ptr [ebp + edx - 0xc], cl

        $sequence_8 = { 6a01 ff15???????? 50 a3???????? e8???????? }
            // n = 5, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_9 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_10 = { 8a9435dec44600 5e 84c0 8bfa 7476 83ff03 }
            // n = 6, score = 200
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   84c0                 | test                al, al
            //   8bfa                 | mov                 edi, edx
            //   7476                 | je                  0x78
            //   83ff03               | cmp                 edi, 3

        $sequence_11 = { 8db768020000 8916 56 e8???????? 8a8c30dec44600 }
            // n = 5, score = 200
            //   8db768020000         | lea                 esi, [edi + 0x268]
            //   8916                 | mov                 dword ptr [esi], edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]

        $sequence_12 = { d3ea 33c9 56 e8???????? 8a8c30a6c44600 5e }
            // n = 6, score = 200
            //   d3ea                 | shr                 edx, cl
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]
            //   5e                   | pop                 esi

        $sequence_13 = { 57 56 ff95b10f0000 ab }
            // n = 4, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_14 = { e8???????? 8a8c30dec44600 5e bb01000000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   bb01000000           | mov                 ebx, 1

        $sequence_15 = { 897dd4 8b5dd0 ebab c745e428614000 }
            // n = 4, score = 200
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   ebab                 | jmp                 0xffffffad
            //   c745e428614000       | mov                 dword ptr [ebp - 0x1c], 0x406128

        // NOTE(review): this sequence and several later ones ($sequence_27 onward
        // wherever the bytes start with a 48/4c/41/49 lead byte) look like x64
        // code (REX prefixes), but their annotation column is a 32-bit decode whose
        // rows are offset from the bytes (e.g. "mov dword ptr [esp + 0x20], esi" is
        // printed beside 488bd8 rather than beside 89742420). Only the hex string
        // is matched by YARA; treat these annotations as informational and do not
        // rely on them when triaging a hit.
        $sequence_16 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_17 = { 004044 40 00644440 0023 d18a0688078a 46 }
            // n = 6, score = 200
            //   004044               | add                 byte ptr [eax + 0x44], al
            //   40                   | inc                 eax
            //   00644440             | add                 byte ptr [esp + eax*2 + 0x40], ah
            //   0023                 | add                 byte ptr [ebx], ah
            //   d18a0688078a         | ror                 dword ptr [edx - 0x75f877fa], 1
            //   46                   | inc                 esi

        $sequence_18 = { 52 8d85f8feffff 50 ffd6 68???????? 8d8df8feffff }
            // n = 6, score = 200
            //   52                   | push                edx
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]

        $sequence_19 = { 8d85f0fcffff 50 68???????? ff15???????? 85c0 741c }
            // n = 6, score = 200
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   741c                 | je                  0x1e

        $sequence_20 = { ffd0 8345e404 ebe6 c745e030614000 817de034614000 7311 }
            // n = 6, score = 200
            //   ffd0                 | call                eax
            //   8345e404             | add                 dword ptr [ebp - 0x1c], 4
            //   ebe6                 | jmp                 0xffffffe8
            //   c745e030614000       | mov                 dword ptr [ebp - 0x20], 0x406130
            //   817de034614000       | cmp                 dword ptr [ebp - 0x20], 0x406134
            //   7311                 | jae                 0x13

        $sequence_21 = { 817de034614000 7311 8b45e0 8b00 85c0 }
            // n = 5, score = 200
            //   817de034614000       | cmp                 dword ptr [ebp - 0x20], 0x406134
            //   7311                 | jae                 0x13
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   85c0                 | test                eax, eax

        $sequence_22 = { 8d85a0040000 50 ff95b50f0000 898598040000 8bf0 }
            // n = 5, score = 200
            //   8d85a0040000         | lea                 eax, [ebp + 0x4a0]
            //   50                   | push                eax
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]
            //   898598040000         | mov                 dword ptr [ebp + 0x498], eax
            //   8bf0                 | mov                 esi, eax

        $sequence_23 = { ffd6 8b35???????? 8d95f0faffff 52 8d85f8feffff 50 }
            // n = 6, score = 200
            //   ffd6                 | call                esi
            //   8b35????????         |                     
            //   8d95f0faffff         | lea                 edx, [ebp - 0x510]
            //   52                   | push                edx
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax

        $sequence_24 = { 8b4e08 33db 56 e8???????? 8a9c30c2c44600 5e }
            // n = 6, score = 200
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]
            //   5e                   | pop                 esi

        $sequence_25 = { bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 }
            // n = 5, score = 200
            //   bbedffffff           | mov                 ebx, 0xffffffed
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx

        $sequence_26 = { ff15???????? 68d0070000 ff15???????? 8b4dfc 33cd b801000000 5e }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   68d0070000           | push                0x7d0
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi

        $sequence_27 = { 488d4de0 8bd8 ff15???????? 8bc3 488b8dc0090000 4833cc e8???????? }
            // n = 7, score = 100
            //   488d4de0             | dec                 eax
            //   8bd8                 | mov                 dword ptr [esp + 0x20], ebx
            //   ff15????????         |                     
            //   8bc3                 | xor                 ebx, ebx
            //   488b8dc0090000       | dec                 eax
            //   4833cc               | lea                 edx, [0x11d69]
            //   e8????????           |                     

        $sequence_28 = { e8???????? 83c410 837dfc08 752f 68???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   837dfc08             | cmp                 dword ptr [ebp - 4], 8
            //   752f                 | jne                 0x31
            //   68????????           |                     

        $sequence_29 = { 41b800040000 c744244000040000 e8???????? c744243800040000 }
            // n = 4, score = 100
            //   41b800040000         | dec                 eax
            //   c744244000040000     | jne                 0xffffffdd
            //   e8????????           |                     
            //   c744243800040000     | mov                 eax, 0xf

        $sequence_30 = { 48897c2438 48897c2430 33c9 897c2428 897c2420 ff15???????? 4c8d0548000000 }
            // n = 7, score = 100
            //   48897c2438           | mov                 ecx, 0x40
            //   48897c2430           | inc                 ebp
            //   33c9                 | lea                 eax, [ecx + 1]
            //   897c2428             | mov                 edx, 0x80000000
            //   897c2420             | mov                 dword ptr [esp + 0x28], 0x20
            //   ff15????????         |                     
            //   4c8d0548000000       | dec                 eax

        $sequence_31 = { 57 4883ec20 488d1d47c50000 bf0a000000 488b0b ff15???????? }
            // n = 6, score = 100
            //   57                   | dec                 eax
            //   4883ec20             | mov                 dword ptr [esp + 0x2f0], eax
            //   488d1d47c50000       | dec                 eax
            //   bf0a000000           | mov                 edi, ecx
            //   488b0b               | dec                 eax
            //   ff15????????         |                     

        $sequence_32 = { 66f7460c0c01 7552 833c85209e001000 53 }
            // n = 4, score = 100
            //   66f7460c0c01         | test                word ptr [esi + 0xc], 0x10c
            //   7552                 | jne                 0x54
            //   833c85209e001000     | cmp                 dword ptr [eax*4 + 0x10009e20], 0
            //   53                   | push                ebx

        $sequence_33 = { b90b000000 f3a6 488d742420 488d3de6070100 0f94c0 }
            // n = 5, score = 100
            //   b90b000000           | mov                 ecx, dword ptr [ebp - 4]
            //   f3a6                 | dec                 esp
            //   488d742420           | mov                 dword ptr [esp + 0x20], esi
            //   488d3de6070100       | dec                 eax
            //   0f94c0               | mov                 ebx, eax

        $sequence_34 = { 0f8cdc060000 80fb20 7c13 80fb78 7f0e 0fbec3 8a80e8700010 }
            // n = 7, score = 100
            //   0f8cdc060000         | jl                  0x6e2
            //   80fb20               | cmp                 bl, 0x20
            //   7c13                 | jl                  0x15
            //   80fb78               | cmp                 bl, 0x78
            //   7f0e                 | jg                  0x10
            //   0fbec3               | movsx               eax, bl
            //   8a80e8700010         | mov                 al, byte ptr [eax + 0x100070e8]

        $sequence_35 = { 0f8458010000 4c89642470 4c896c2478 448d68f0 498d5501 b940000000 ff15???????? }
            // n = 7, score = 100
            //   0f8458010000         | dec                 eax
            //   4c89642470           | lea                 ecx, [ebp - 0x20]
            //   4c896c2478           | mov                 ebx, eax
            //   448d68f0             | mov                 eax, ebx
            //   498d5501             | dec                 eax
            //   b940000000           | mov                 ecx, dword ptr [ebp + 0x9c0]
            //   ff15????????         |                     

        $sequence_36 = { f683a1a2001004 740c ff01 85f6 7405 8a18 881e }
            // n = 7, score = 100
            //   f683a1a2001004       | test                byte ptr [ebx + 0x1000a2a1], 4
            //   740c                 | je                  0xe
            //   ff01                 | inc                 dword ptr [ecx]
            //   85f6                 | test                esi, esi
            //   7405                 | je                  7
            //   8a18                 | mov                 bl, byte ptr [eax]
            //   881e                 | mov                 byte ptr [esi], bl

        $sequence_37 = { 68???????? e8???????? 83c410 ff15???????? 5f eb06 }
            // n = 6, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   eb06                 | jmp                 8

        $sequence_38 = { 85f6 7419 0fb6da f683a1a2001004 7406 8816 }
            // n = 6, score = 100
            //   85f6                 | test                esi, esi
            //   7419                 | je                  0x1b
            //   0fb6da               | movzx               ebx, dl
            //   f683a1a2001004       | test                byte ptr [ebx + 0x1000a2a1], 4
            //   7406                 | je                  8
            //   8816                 | mov                 byte ptr [esi], dl

        $sequence_39 = { 0f84a5000000 33c0 41b910000000 4c8d05bb070100 488907 48894708 }
            // n = 6, score = 100
            //   0f84a5000000         | dec                 esp
            //   33c0                 | mov                 dword ptr [esp + 0x78], ebp
            //   41b910000000         | inc                 esp
            //   4c8d05bb070100       | lea                 ebp, [eax - 0x10]
            //   488907               | dec                 ecx
            //   48894708             | lea                 edx, [ebp + 1]

        $sequence_40 = { 48ffca 75ed 49ffc8 75d8 b80f000000 0f1f00 4180bc07f0000000ff }
            // n = 7, score = 100
            //   48ffca               | mov                 dword ptr [esp + 0x2b8], edi
            //   75ed                 | mov                 dword ptr [esp + 0x20], 3
            //   49ffc8               | je                  0xab
            //   75d8                 | xor                 eax, eax
            //   b80f000000           | inc                 ecx
            //   0f1f00               | mov                 ecx, 0x10
            //   4180bc07f0000000ff     | dec    esp

        $sequence_41 = { 48895c2420 33db 488d15691d0100 c705????????03000000 48c705????????02000000 }
            // n = 5, score = 100
            //   48895c2420           | dec                 eax
            //   33db                 | test                eax, eax
            //   488d15691d0100       | je                  0x54
            //   c705????????03000000     |     
            //   48c705????????02000000     |     

        $sequence_42 = { 488d542440 4c8be1 ff15???????? 488be8 4883f8ff 0f8440010000 }
            // n = 6, score = 100
            //   488d542440           | mov                 cl, byte ptr [ebp + ecx - 0x108]
            //   4c8be1               | xor                 byte ptr [edi + eax], cl
            //   ff15????????         |                     
            //   488be8               | inc                 eax
            //   4883f8ff             | cmp                 eax, dword ptr [ebp + 0x14]
            //   0f8440010000         | jl                  0xffffff9c

        $sequence_43 = { 4c8d4c2448 4c8d05b18d0100 488d1532120100 498bce 4889442420 }
            // n = 5, score = 100
            //   4c8d4c2448           | xor                 esp, esp
            //   4c8d05b18d0100       | xor                 edx, edx
            //   488d1532120100       | inc                 ecx
            //   498bce               | mov                 eax, 0x206
            //   4889442420           | inc                 ecx

        $sequence_44 = { ff15???????? 488bce ff15???????? 498bcd e8???????? 498bce }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bce               | nop                 dword ptr [eax]
            //   ff15????????         |                     
            //   498bcd               | inc                 ecx
            //   e8????????           |                     
            //   498bce               | cmp                 byte ptr [edi + eax + 0xf0], 0xff

        $sequence_45 = { 458d4101 ba00000080 c744242820000000 4889bc24b8020000 c744242003000000 }
            // n = 5, score = 100
            //   458d4101             | dec                 eax
            //   ba00000080           | xor                 ecx, esp
            //   c744242820000000     | je                  0x15e
            //   4889bc24b8020000     | dec                 esp
            //   c744242003000000     | mov                 dword ptr [esp + 0x70], esp

        $sequence_46 = { e8???????? 488d4c2448 e8???????? 4c8d4d08 4c8d442448 488d156d140100 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d4c2448           | mov                 ebp, edx
            //   e8????????           |                     
            //   4c8d4d08             | dec                 eax
            //   4c8d442448           | lea                 ecx, [esp + 0xe2]
            //   488d156d140100       | inc                 ebp

    /* Fires when at least 7 of the 47 sequences above are present in a file of
     * less than 330752 bytes (~323 KiB). Two caveats for deployment:
     *  - The filesize bound limits hits to small on-disk samples; per YARA's
     *    documentation `filesize` is only meaningful when scanning files, so
     *    do not expect this rule to match in process-memory scans unless the
     *    bound is removed.
     *  - A single rule covers both 32-bit and 64-bit sequences, and the
     *    DISCLAIMER above notes that families may be represented by very few
     *    samples, so a hit on a new build is not guaranteed; treat matches as
     *    a triage signal rather than a family attribution on their own.
     */
    condition:
        7 of them and filesize < 330752
}