SYMBOLCOMMON_NAMEaka. SYNONYMS
win.konni (Back to overview)

Konni

Actor(s): APT37

Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2023-11-10NSFOCUSNSFOCUS
@online{nsfocus:20231110:new:f2ce1ec, author = {NSFOCUS}, title = {{The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits}}, date = {2023-11-10}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/}, language = {English}, urldate = {2023-11-17} } The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Cobalt Strike Konni
2023ThreatMonThreatMon Malware Research Team, Seyit Sigirci (@h3xecute)
@online{team:2023:konni:9f6c4dc, author = {ThreatMon Malware Research Team and Seyit Sigirci (@h3xecute)}, title = {{The Konni APT Chronicle: Tracing Their Intelligence-Driven Attack Chain}}, date = {2023}, organization = {ThreatMon}, url = {https://threatmon.io/the-konni-apt-chronicle-tracing-their-intelligence-driven-attack-chain/}, language = {English}, urldate = {2023-11-22} } The Konni APT Chronicle: Tracing Their Intelligence-Driven Attack Chain
Konni
2022-09-06cocomelonccocomelonc
@online{cocomelonc:20220906:malware:a09756f, author = {cocomelonc}, title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}}, date = {2022-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html}, language = {English}, urldate = {2022-11-17} } Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni
2022-07-23BleepingComputerBill Toulas
@online{toulas:20220723:north:79193bd, author = {Bill Toulas}, title = {{North Korean hackers attack EU targets with Konni RAT malware}}, date = {2022-07-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/}, language = {English}, urldate = {2022-07-25} } North Korean hackers attack EU targets with Konni RAT malware
Konni
2022-07-20Securonix Threat LabsD. Iuzvyk, T. Peck, O. Kolesnikov
@online{iuzvyk:20220720:stiffbizon:ae896da, author = {D. Iuzvyk and T. Peck and O. Kolesnikov}, title = {{STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}}, date = {2022-07-20}, organization = {Securonix Threat Labs}, url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/}, language = {English}, urldate = {2022-07-25} } STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
Konni
2022-05-02cocomelonccocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2022-01-26MalwarebytesRoberto Santos
@online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } KONNI evolves into stealthier RAT
Konni
2022-01-12BleepingComputerIonut Ilascu
@online{ilascu:20220112:hackers:e8e7709, author = {Ionut Ilascu}, title = {{Hackers take over diplomat's email, target Russian deputy minister}}, date = {2022-01-12}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/}, language = {English}, urldate = {2022-07-25} } Hackers take over diplomat's email, target Russian deputy minister
Konni
2022-01-05LumenDanny Adamitis, Steve Rudd
@online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Konni
2022-01-03Cluster25Cluster25
@techreport{cluster25:20220103:north:b362bcd, author = {Cluster25}, title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}}, date = {2022-01-03}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf}, language = {English}, urldate = {2022-07-25} } North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
Konni
2021-09-06cocomelonccocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2023-07-24} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-20MalwarebytesHossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2020-08-14Department of Homeland SecurityUS-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-01-27CyberIntCyberInt
@techreport{cyberint:20200127:konni:5cb8e40, author = {CyberInt}, title = {{Konni Malware 2019 Campaign}}, date = {2020-01-27}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf}, language = {English}, urldate = {2022-07-25} } Konni Malware 2019 Campaign
Konni
2020-01-04Medium d-hunterDoron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-08-19EST SecurityEast Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-05-13Kaspersky LabsGReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2017-08-15FortinetJasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06Cisco TalosPaul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07vallejo.ccvallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03Cisco TalosPaul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20230808 | Detects win.konni.)
rule win_konni_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7908 4e 81ce00ffffff 46 8a9c35f8feffff 8819 889435f8feffff }
            // n = 7, score = 800
            //   7908                 | jns                 0xa
            //   4e                   | dec                 esi
            //   81ce00ffffff         | or                  esi, 0xffffff00
            //   46                   | inc                 esi
            //   8a9c35f8feffff       | mov                 bl, byte ptr [ebp + esi - 0x108]
            //   8819                 | mov                 byte ptr [ecx], bl
            //   889435f8feffff       | mov                 byte ptr [ebp + esi - 0x108], dl

        $sequence_1 = { 8945fc 53 56 57 b910000000 be???????? 8d7db0 }
            // n = 7, score = 800
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   b910000000           | mov                 ecx, 0x10
            //   be????????           |                     
            //   8d7db0               | lea                 edi, [ebp - 0x50]

        $sequence_2 = { 7527 0fb655eb 0fb645ea 52 }
            // n = 4, score = 800
            //   7527                 | jne                 0x29
            //   0fb655eb             | movzx               edx, byte ptr [ebp - 0x15]
            //   0fb645ea             | movzx               eax, byte ptr [ebp - 0x16]
            //   52                   | push                edx

        $sequence_3 = { 889435f8feffff 0fb609 0fb6d2 03ca 81e1ff000080 7908 }
            // n = 6, score = 800
            //   889435f8feffff       | mov                 byte ptr [ebp + esi - 0x108], dl
            //   0fb609               | movzx               ecx, byte ptr [ecx]
            //   0fb6d2               | movzx               edx, dl
            //   03ca                 | add                 ecx, edx
            //   81e1ff000080         | and                 ecx, 0x800000ff
            //   7908                 | jns                 0xa

        $sequence_4 = { 0fbef1 d0f9 83e601 884c15f4 8970e8 42 }
            // n = 6, score = 800
            //   0fbef1               | movsx               esi, cl
            //   d0f9                 | sar                 cl, 1
            //   83e601               | and                 esi, 1
            //   884c15f4             | mov                 byte ptr [ebp + edx - 0xc], cl
            //   8970e8               | mov                 dword ptr [eax - 0x18], esi
            //   42                   | inc                 edx

        $sequence_5 = { 49 81c900ffffff 41 8a940df8feffff 8d8c0df8feffff 0fb6da 03f3 }
            // n = 7, score = 800
            //   49                   | dec                 ecx
            //   81c900ffffff         | or                  ecx, 0xffffff00
            //   41                   | inc                 ecx
            //   8a940df8feffff       | mov                 dl, byte ptr [ebp + ecx - 0x108]
            //   8d8c0df8feffff       | lea                 ecx, [ebp + ecx - 0x108]
            //   0fb6da               | movzx               ebx, dl
            //   03f3                 | add                 esi, ebx

        $sequence_6 = { 83e601 897004 d0f9 0fbef1 83e601 8930 }
            // n = 6, score = 800
            //   83e601               | and                 esi, 1
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl
            //   83e601               | and                 esi, 1
            //   8930                 | mov                 dword ptr [eax], esi

        $sequence_7 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 6a01 ff15???????? 50 a3???????? }
            // n = 4, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_9 = { 33c9 83f802 7508 890d???????? }
            // n = 4, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   83f802               | cmp                 eax, 2
            //   7508                 | jne                 0xa
            //   890d????????         |                     

        $sequence_10 = { eb1e 83f804 740f c705????????02000000 }
            // n = 4, score = 300
            //   eb1e                 | jmp                 0x20
            //   83f804               | cmp                 eax, 4
            //   740f                 | je                  0x11
            //   c705????????02000000     |     

        $sequence_11 = { 740f c705????????02000000 83f801 750a c705????????01000000 890d???????? }
            // n = 6, score = 300
            //   740f                 | je                  0x11
            //   c705????????02000000     |     
            //   83f801               | cmp                 eax, 1
            //   750a                 | jne                 0xc
            //   c705????????01000000     |     
            //   890d????????         |                     

        $sequence_12 = { 7508 890d???????? eb1e 83f804 }
            // n = 4, score = 300
            //   7508                 | jne                 0xa
            //   890d????????         |                     
            //   eb1e                 | jmp                 0x20
            //   83f804               | cmp                 eax, 4

        $sequence_13 = { 8916 56 e8???????? 8a8c30dec44600 }
            // n = 4, score = 200
            //   8916                 | mov                 dword ptr [esi], edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]

        $sequence_14 = { e8???????? 83c40c 6804010000 8d8df4fdffff 51 ff15???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6804010000           | push                0x104
            //   8d8df4fdffff         | lea                 ecx, [ebp - 0x20c]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_15 = { 83e203 83f908 7229 f3a5 ff2495f0444000 8bc7 }
            // n = 6, score = 200
            //   83e203               | and                 edx, 3
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495f0444000       | jmp                 dword ptr [edx*4 + 0x4044f0]
            //   8bc7                 | mov                 eax, edi

        $sequence_16 = { 8d85f8feffff 50 ffd6 68???????? 8d8df0faffff }
            // n = 5, score = 200
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]

        $sequence_17 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_18 = { bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 0f85d7030000 }
            // n = 6, score = 200
            //   bbedffffff           | mov                 ebx, 0xffffffed
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd

        $sequence_19 = { e9???????? 8b35???????? 68???????? 8d85f8feffff }
            // n = 4, score = 200
            //   e9????????           |                     
            //   8b35????????         |                     
            //   68????????           |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_20 = { ff95b50f0000 898598040000 8bf0 8d7d51 }
            // n = 4, score = 200
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]
            //   898598040000         | mov                 dword ptr [ebp + 0x498], eax
            //   8bf0                 | mov                 esi, eax
            //   8d7d51               | lea                 edi, [ebp + 0x51]

        $sequence_21 = { 6804010000 8d95f8feffff 52 50 ff15???????? }
            // n = 5, score = 200
            //   6804010000           | push                0x104
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_22 = { 50 038594040000 59 0bc9 89851a040000 61 7508 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   038594040000         | add                 eax, dword ptr [ebp + 0x494]
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               
            //   7508                 | jne                 0xa

        $sequence_23 = { 8b4e08 33db 56 e8???????? 8a9c30c2c44600 }
            // n = 5, score = 200
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]

        $sequence_24 = { 8bf0 8d7d51 57 56 ff95b10f0000 ab }
            // n = 6, score = 200
            //   8bf0                 | mov                 esi, eax
            //   8d7d51               | lea                 edi, [ebp + 0x51]
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_25 = { 33d2 56 e8???????? 8a9435dec44600 5e 84c0 8bfa }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   84c0                 | test                al, al
            //   8bfa                 | mov                 edi, edx

        $sequence_26 = { 56 33d2 898ddcfeffff 40 57 }
            // n = 5, score = 200
            //   56                   | cmp                 eax, 2
            //   33d2                 | jne                 0xd
            //   898ddcfeffff         | jmp                 0x25
            //   40                   | push                0x208
            //   57                   | push                0

        $sequence_27 = { 6808020000 6a00 56 c745fc00010000 e8???????? 83c40c 8d45fc }
            // n = 7, score = 200
            //   6808020000           | je                  0x14
            //   6a00                 | cmp                 eax, 1
            //   56                   | jne                 0x14
            //   c745fc00010000       | jmp                 0x20
            //   e8????????           |                     
            //   83c40c               | cmp                 eax, 4
            //   8d45fc               | je                  0x14

        $sequence_28 = { ebab c745e428614000 817de42c614000 7311 8b45e4 }
            // n = 5, score = 200
            //   ebab                 | jmp                 0xffffffad
            //   c745e428614000       | mov                 dword ptr [ebp - 0x1c], 0x406128
            //   817de42c614000       | cmp                 dword ptr [ebp - 0x1c], 0x40612c
            //   7311                 | jae                 0x13
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_29 = { 6a00 6a00 8d8df8feffff 51 8d95f0fcffff }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]

        $sequence_30 = { 68???????? 8d8df0faffff 51 ffd6 8b35???????? }
            // n = 5, score = 200
            //   68????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b35????????         |                     

        $sequence_31 = { 51 6689442414 e8???????? 6808020000 8d942420020000 6a00 }
            // n = 6, score = 200
            //   51                   | cmp                 eax, 1
            //   6689442414           | jne                 0xa
            //   e8????????           |                     
            //   6808020000           | jmp                 0x20
            //   8d942420020000       | cmp                 eax, 4
            //   6a00                 | cmp                 eax, 2

        $sequence_32 = { e8???????? 8a8c30a6c44600 5e 8b442414 03ca 03c1 89442414 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]
            //   5e                   | pop                 esi
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   03ca                 | add                 ecx, edx
            //   03c1                 | add                 eax, ecx
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_33 = { 33c0 56 51 668985e8fdffff e8???????? }
            // n = 5, score = 200
            //   33c0                 | jne                 0xa
            //   56                   | jmp                 0x22
            //   51                   | cmp                 eax, 4
            //   668985e8fdffff       | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_34 = { 488bda 488b15???????? 4889442458 89442450 488b05???????? 482bc2 }
            // n = 6, score = 100
            //   488bda               | dec                 eax
            //   488b15????????       |                     
            //   4889442458           | test                eax, eax
            //   89442450             | je                  0x51
            //   488b05????????       |                     
            //   482bc2               | dec                 eax

        $sequence_35 = { 48ffc9 48ffc1 7440 488d542448 458d4e2e }
            // n = 5, score = 100
            //   48ffc9               | xor                 eax, eax
            //   48ffc1               | dec                 eax
            //   7440                 | mov                 ecx, 0x80000002
            //   488d542448           | dec                 eax
            //   458d4e2e             | sub                 esp, 0x20

        $sequence_36 = { 8bd9 e8???????? 4885c0 7509 488d051f390100 }
            // n = 5, score = 100
            //   8bd9                 | jmp                 dword ptr [eax*4 + 0x1000bbd1]
            //   e8????????           |                     
            //   4885c0               | push                edi
            //   7509                 | mov                 edi, dword ptr [ebp + 0x10]
            //   488d051f390100       | mov                 dword ptr [ebp - 0x10c], eax

        $sequence_37 = { 4883ec20 488bd9 e8???????? 4c8d1d4b9b0000 }
            // n = 4, score = 100
            //   4883ec20             | je                  0xffffff57
            //   488bd9               | cmp                 eax, 7
            //   e8????????           |                     
            //   4c8d1d4b9b0000       | ja                  0xa20

        $sequence_38 = { 488b01 8b08 ff15???????? 488d15f3170100 488bcb }
            // n = 5, score = 100
            //   488b01               | dec                 eax
            //   8b08                 | mov                 ebx, ecx
            //   ff15????????         |                     
            //   488d15f3170100       | dec                 esp
            //   488bcb               | lea                 ebx, [0x9b4b]

        $sequence_39 = { e8???????? 59 3bc7 59 a3???????? 7419 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   3bc7                 | cmp                 eax, edi
            //   59                   | pop                 ecx
            //   a3????????           |                     
            //   7419                 | je                  0x1b
            //   68????????           |                     

        $sequence_40 = { 743e 8305????????20 8d0c9de0a30010 8d9080040000 8901 3bc2 }
            // n = 6, score = 100
            //   743e                 | je                  0x40
            //   8305????????20       |                     
            //   8d0c9de0a30010       | lea                 ecx, [ebx*4 + 0x1000a3e0]
            //   8d9080040000         | lea                 edx, [eax + 0x480]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   3bc2                 | cmp                 eax, edx

        $sequence_41 = { 4885c0 7438 33c0 4883c9ff 4c8d8600010000 488bfb }
            // n = 6, score = 100
            //   4885c0               | mov                 ebx, edx
            //   7438                 | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x58], eax
            //   4883c9ff             | mov                 dword ptr [esp + 0x50], eax
            //   4c8d8600010000       | dec                 eax
            //   488bfb               | sub                 eax, edx

        $sequence_42 = { 8d04c0 8b0c8de0a30010 8a448104 83e040 c3 55 8bec }
            // n = 7, score = 100
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8a448104             | mov                 al, byte ptr [ecx + eax*4 + 4]
            //   83e040               | and                 eax, 0x40
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_43 = { 83c410 837dfc08 752f 68???????? 53 e8???????? }
            // n = 6, score = 100
            //   83c410               | add                 esp, 0x10
            //   837dfc08             | cmp                 dword ptr [ebp - 4], 8
            //   752f                 | jne                 0x31
            //   68????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_44 = { 448d5bf0 498d4e10 4963d3 4d8bcd 4d8bc4 }
            // n = 5, score = 100
            //   448d5bf0             | dec                 eax
            //   498d4e10             | test                eax, eax
            //   4963d3               | je                  0x3a
            //   4d8bcd               | xor                 eax, eax
            //   4d8bc4               | dec                 eax

        $sequence_45 = { 8b8fa8af0100 488b87a0af0100 400fb6d6 f6d2 881401 ff87a8af0100 8b97a8af0100 }
            // n = 7, score = 100
            //   8b8fa8af0100         | xor                 esi, esi
            //   488b87a0af0100       | push                edi
            //   400fb6d6             | mov                 edi, dword ptr [ebp + 0x10]
            //   f6d2                 | mov                 dword ptr [ebp - 0x10c], eax
            //   881401               | xor                 esi, esi
            //   ff87a8af0100         | dec                 esp
            //   8b97a8af0100         | mov                 dword ptr [esp + 0x20], esi

        $sequence_46 = { 59 8a4dff 8d3c85e0a30010 8bc3 80c901 83e01f 884d0b }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   8a4dff               | mov                 cl, byte ptr [ebp - 1]
            //   8d3c85e0a30010       | lea                 edi, [eax*4 + 0x1000a3e0]
            //   8bc3                 | mov                 eax, ebx
            //   80c901               | or                  cl, 1
            //   83e01f               | and                 eax, 0x1f
            //   884d0b               | mov                 byte ptr [ebp + 0xb], cl

        $sequence_47 = { 488905???????? 8905???????? 488b05???????? 4533c0 48c7c102000080 488905???????? }
            // n = 6, score = 100
            //   488905????????       |                     
            //   8905????????         |                     
            //   488b05????????       |                     
            //   4533c0               | lea                 eax, [ebp - 4]
            //   48c7c102000080       | cmp                 eax, edx
            //   488905????????       |                     

        $sequence_48 = { 8bc3 c1f905 83e01f 8b0c8de0a30010 8d04c0 }
            // n = 5, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   c1f905               | sar                 ecx, 5
            //   83e01f               | and                 eax, 0x1f
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d04c0               | lea                 eax, [eax + eax*8]

        $sequence_49 = { 8b442448 448b6e4c 448b7e44 c1e808 4c8bf3 8b5e48 }
            // n = 6, score = 100
            //   8b442448             | dec                 eax
            //   448b6e4c             | mov                 ebx, eax
            //   448b7e44             | dec                 eax
            //   c1e808               | test                eax, eax
            //   4c8bf3               | je                  0x5c
            //   8b5e48               | inc                 ebp

    condition:
        7 of them and filesize < 330752
}
Download all Yara Rules