SYMBOLCOMMON_NAMEaka. SYNONYMS
win.konni (Back to overview)

Konni

Actor(s): APT37

Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2022-09-06cocomelonccocomelonc
@online{cocomelonc:20220906:malware:a09756f, author = {cocomelonc}, title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}}, date = {2022-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html}, language = {English}, urldate = {2022-11-17} } Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni
2022-07-23BleepingComputerBill Toulas
@online{toulas:20220723:north:79193bd, author = {Bill Toulas}, title = {{North Korean hackers attack EU targets with Konni RAT malware}}, date = {2022-07-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/}, language = {English}, urldate = {2022-07-25} } North Korean hackers attack EU targets with Konni RAT malware
Konni
2022-07-20Securonix Threat LabsD. Iuzvyk, T. Peck, O. Kolesnikov
@online{iuzvyk:20220720:stiffbizon:ae896da, author = {D. Iuzvyk and T. Peck and O. Kolesnikov}, title = {{STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}}, date = {2022-07-20}, organization = {Securonix Threat Labs}, url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/}, language = {English}, urldate = {2022-07-25} } STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
Konni
2022-05-02cocomelonccocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2022-01-26MalwarebytesRoberto Santos
@online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } KONNI evolves into stealthier RAT
Konni
2022-01-12BleepingComputerIonut Ilascu
@online{ilascu:20220112:hackers:e8e7709, author = {Ionut Ilascu}, title = {{Hackers take over diplomat's email, target Russian deputy minister}}, date = {2022-01-12}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/}, language = {English}, urldate = {2022-07-25} } Hackers take over diplomat's email, target Russian deputy minister
Konni
2022-01-05LumenDanny Adamitis, Steve Rudd
@online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Konni
2022-01-03Cluster25Cluster25
@techreport{cluster25:20220103:north:b362bcd, author = {Cluster25}, title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}}, date = {2022-01-03}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf}, language = {English}, urldate = {2022-07-25} } North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
Konni
2021-09-06cocomelonccocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze Unidentified 090 (Lazarus)
2021-08-20MalwarebytesHossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2020-08-14Department of Homeland SecurityUS-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-01-27CyberIntCyberInt
@techreport{cyberint:20200127:konni:5cb8e40, author = {CyberInt}, title = {{Konni Malware 2019 Campaign}}, date = {2020-01-27}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf}, language = {English}, urldate = {2022-07-25} } Konni Malware 2019 Campaign
Konni
2020-01-04Medium d-hunterDoron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-08-19EST SecurityEast Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-05-13Kaspersky LabsGReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2017-08-15FortinetJasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06Cisco TalosPaul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07vallejo.ccvallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03Cisco TalosPaul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20230407 | Detects win.konni.)
rule win_konni_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945fc 53 56 57 b910000000 be???????? }
            // n = 6, score = 800
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   b910000000           | mov                 ecx, 0x10
            //   be????????           |                     

        $sequence_1 = { 4f 75ef 68???????? 56 }
            // n = 4, score = 800
            //   4f                   | dec                 edi
            //   75ef                 | jne                 0xfffffff1
            //   68????????           |                     
            //   56                   | push                esi

        $sequence_2 = { 8b46fc 03c0 3306 03c0 }
            // n = 4, score = 800
            //   8b46fc               | mov                 eax, dword ptr [esi - 4]
            //   03c0                 | add                 eax, eax
            //   3306                 | xor                 eax, dword ptr [esi]
            //   03c0                 | add                 eax, eax

        $sequence_3 = { 8d8c0df8feffff 0fb6da 03f3 81e6ff000080 }
            // n = 4, score = 800
            //   8d8c0df8feffff       | lea                 ecx, [ebp + ecx - 0x108]
            //   0fb6da               | movzx               ebx, dl
            //   03f3                 | add                 esi, ebx
            //   81e6ff000080         | and                 esi, 0x800000ff

        $sequence_4 = { d0f9 0fbef1 d0f9 83e601 884c15f4 8970e8 42 }
            // n = 7, score = 800
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl
            //   d0f9                 | sar                 cl, 1
            //   83e601               | and                 esi, 1
            //   884c15f4             | mov                 byte ptr [ebp + edx - 0xc], cl
            //   8970e8               | mov                 dword ptr [eax - 0x18], esi
            //   42                   | inc                 edx

        $sequence_5 = { 4e 81ce00ffffff 46 8a9435f8feffff }
            // n = 4, score = 800
            //   4e                   | dec                 esi
            //   81ce00ffffff         | or                  esi, 0xffffff00
            //   46                   | inc                 esi
            //   8a9435f8feffff       | mov                 dl, byte ptr [ebp + esi - 0x108]

        $sequence_6 = { 7c93 8b4dfc 5f 5e }
            // n = 4, score = 800
            //   7c93                 | jl                  0xffffff95
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { 8b45e8 0fb6cc 51 0fb6d0 52 68???????? }
            // n = 6, score = 800
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   0fb6cc               | movzx               ecx, ah
            //   51                   | push                ecx
            //   0fb6d0               | movzx               edx, al
            //   52                   | push                edx
            //   68????????           |                     

        $sequence_8 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_9 = { 6a01 ff15???????? 50 a3???????? e8???????? }
            // n = 5, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_10 = { 51 ffd6 8b35???????? 8d95f0faffff 52 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b35????????         |                     
            //   8d95f0faffff         | lea                 edx, [ebp - 0x510]
            //   52                   | push                edx

        $sequence_11 = { 8d8ea0000000 e8???????? 8b4e08 33db 56 e8???????? 8a9c30c2c44600 }
            // n = 7, score = 200
            //   8d8ea0000000         | lea                 ecx, [esi + 0xa0]
            //   e8????????           |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]

        $sequence_12 = { ff15???????? 8b3d???????? be0a000000 68e8030000 ffd7 4e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8b3d????????         |                     
            //   be0a000000           | mov                 esi, 0xa
            //   68e8030000           | push                0x3e8
            //   ffd7                 | call                edi
            //   4e                   | dec                 esi

        $sequence_13 = { 59 0bc9 89851a040000 61 7508 b801000000 c20c00 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               
            //   7508                 | jne                 0xa
            //   b801000000           | mov                 eax, 1
            //   c20c00               | ret                 0xc

        $sequence_14 = { 8b5dd0 ebab c745e428614000 817de42c614000 7311 }
            // n = 5, score = 200
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   ebab                 | jmp                 0xffffffad
            //   c745e428614000       | mov                 dword ptr [ebp - 0x1c], 0x406128
            //   817de42c614000       | cmp                 dword ptr [ebp - 0x1c], 0x40612c
            //   7311                 | jae                 0x13

        $sequence_15 = { 7229 f3a5 ff2495f0444000 8bc7 ba03000000 83e904 }
            // n = 6, score = 200
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495f0444000       | jmp                 dword ptr [edx*4 + 0x4044f0]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3
            //   83e904               | sub                 ecx, 4

        $sequence_16 = { 03dd 81eb00200200 83bd9404000000 899d94040000 0f85d7030000 }
            // n = 5, score = 200
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd

        $sequence_17 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_18 = { 57 56 ff95b10f0000 ab }
            // n = 4, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_19 = { ff95b10f0000 ab b000 ae 75fd 3807 }
            // n = 6, score = 200
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b000                 | mov                 al, 0
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   75fd                 | jne                 0xffffffff
            //   3807                 | cmp                 byte ptr [edi], al

        $sequence_20 = { ff15???????? 85c0 755b 57 6804010000 8d95f8feffff 52 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   755b                 | jne                 0x5d
            //   57                   | push                edi
            //   6804010000           | push                0x104
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx

        $sequence_21 = { 56 e8???????? 8a8c30dec44600 5e bb01000000 }
            // n = 5, score = 200
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   bb01000000           | mov                 ebx, 1

        $sequence_22 = { 8a8664020000 8b9cae68020000 33d2 56 e8???????? 8a9435dec44600 }
            // n = 6, score = 200
            //   8a8664020000         | mov                 al, byte ptr [esi + 0x264]
            //   8b9cae68020000       | mov                 ebx, dword ptr [esi + ebp*4 + 0x268]
            //   33d2                 | xor                 edx, edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]

        $sequence_23 = { 8d8df8feffff 51 8d95f0fcffff 52 }
            // n = 4, score = 200
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   52                   | push                edx

        $sequence_24 = { 33c9 56 e8???????? 8a8c30a6c44600 5e 8b442414 }
            // n = 6, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]
            //   5e                   | pop                 esi
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_25 = { ffd7 4e 75f6 5f e9???????? 8b35???????? }
            // n = 6, score = 200
            //   ffd7                 | call                edi
            //   4e                   | dec                 esi
            //   75f6                 | jne                 0xfffffff8
            //   5f                   | pop                 edi
            //   e9????????           |                     
            //   8b35????????         |                     

        $sequence_26 = { ffd6 68???????? 8d95f8feffff 52 ffd6 6804010000 8d85f0fcffff }
            // n = 7, score = 200
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   ffd6                 | call                esi
            //   6804010000           | push                0x104
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]

        $sequence_27 = { 488bcb e8???????? bf01000000 ff15???????? 4533ed }
            // n = 5, score = 100
            //   488bcb               | mov                 dword ptr [esp + 0x20], esi
            //   e8????????           |                     
            //   bf01000000           | dec                 eax
            //   ff15????????         |                     
            //   4533ed               | mov                 ebx, eax

        $sequence_28 = { 4489742420 ff15???????? 488bf0 4885c0 0f8483000000 4c89742438 4489742430 }
            // n = 7, score = 100
            //   4489742420           | dec                 esp
            //   ff15????????         |                     
            //   488bf0               | mov                 ebp, eax
            //   4885c0               | dec                 ebx
            //   0f8483000000         | mov                 ecx, dword ptr [eax + edi*8 + 0x22ea0]
            //   4c89742438           | dec                 eax
            //   4489742430           | mov                 ecx, edi

        $sequence_29 = { 740e 8bd1 4c8d4520 498bc9 }
            // n = 4, score = 100
            //   740e                 | dec                 eax
            //   8bd1                 | cmp                 eax, 2
            //   4c8d4520             | ja                  0x13
            //   498bc9               | xor                 edx, edx

        $sequence_30 = { 488b9c2438030000 4881c400030000 415c 5f 5d c3 }
            // n = 6, score = 100
            //   488b9c2438030000     | lea                 edx, [esp + 0x30]
            //   4881c400030000       | dec                 eax
            //   415c                 | lea                 ecx, [esi + 0x208]
            //   5f                   | je                  0x10
            //   5d                   | mov                 edx, ecx
            //   c3                   | dec                 esp

        $sequence_31 = { 8845c7 0fb645bf 884dbf 8845c3 4180fe0e 0f840b010000 }
            // n = 6, score = 100
            //   8845c7               | je                  0x66
            //   0fb645bf             | nop                 dword ptr [eax + eax]
            //   884dbf               | inc                 esp
            //   8845c3               | mov                 eax, dword ptr [esp + 0x98]
            //   4180fe0e             | mov                 byte ptr [ebp - 0x39], al
            //   0f840b010000         | movzx               eax, byte ptr [ebp - 0x41]

        $sequence_32 = { 8ac8 80e920 ebe0 80a0a0a1001000 40 3bc6 }
            // n = 6, score = 100
            //   8ac8                 | mov                 cl, al
            //   80e920               | sub                 cl, 0x20
            //   ebe0                 | jmp                 0xffffffe2
            //   80a0a0a1001000       | and                 byte ptr [eax + 0x1000a1a0], 0
            //   40                   | inc                 eax
            //   3bc6                 | cmp                 eax, esi

        $sequence_33 = { 448b84b0d0850100 4585c0 7411 2b9cb7e81e0000 488bcf 8bd3 e8???????? }
            // n = 7, score = 100
            //   448b84b0d0850100     | mov                 dword ptr [esp + 0x20], esi
            //   4585c0               | test                eax, eax
            //   7411                 | jne                 0x13
            //   2b9cb7e81e0000       | dec                 eax
            //   488bcf               | lea                 ecx, [ebp - 0x20]
            //   8bd3                 | dec                 esp
            //   e8????????           |                     

        $sequence_34 = { 85c0 7462 0f1f440000 448b842498000000 }
            // n = 4, score = 100
            //   85c0                 | dec                 eax
            //   7462                 | test                eax, eax
            //   0f1f440000           | je                  0x51
            //   448b842498000000     | test                eax, eax

        $sequence_35 = { 41 41 8079ff00 0f8547ffffff 8bc6 8088a1a2001008 }
            // n = 6, score = 100
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   8079ff00             | cmp                 byte ptr [ecx - 1], 0
            //   0f8547ffffff         | jne                 0xffffff4d
            //   8bc6                 | mov                 eax, esi
            //   8088a1a2001008       | or                  byte ptr [eax + 0x1000a2a1], 8

        $sequence_36 = { 33d2 41b808020000 e8???????? 488b15???????? 488b05???????? 482bd0 48c1fa03 }
            // n = 7, score = 100
            //   33d2                 | dec                 ecx
            //   41b808020000         | add                 ecx, eax
            //   e8????????           |                     
            //   488b15????????       |                     
            //   488b05????????       |                     
            //   482bd0               | mov                 dword ptr [esp + 0x30], 0x100
            //   48c1fa03             | dec                 eax

        $sequence_37 = { 66833d????????01 0f8501010000 66893d???????? 8b4608 83f80d 8945fc }
            // n = 6, score = 100
            //   66833d????????01     |                     
            //   0f8501010000         | jne                 0x107
            //   66893d????????       |                     
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   83f80d               | cmp                 eax, 0xd
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_38 = { 8d04c0 8b0c8de0a30010 f644810401 8d0481 }
            // n = 4, score = 100
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   f644810401           | test                byte ptr [ecx + eax*4 + 4], 1
            //   8d0481               | lea                 eax, [ecx + eax*4]

        $sequence_39 = { 488bcf e8???????? 85c0 7499 488d15b7580100 488bcf }
            // n = 6, score = 100
            //   488bcf               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | add                 esp, 0x300
            //   7499                 | inc                 ecx
            //   488d15b7580100       | pop                 esp
            //   488bcf               | pop                 edi

        $sequence_40 = { 488905???????? 4c8b4108 418d4903 ff15???????? 488905???????? }
            // n = 5, score = 100
            //   488905????????       |                     
            //   4c8b4108             | pop                 ebp
            //   418d4903             | ret                 
            //   ff15????????         |                     
            //   488905????????       |                     

        $sequence_41 = { 80a0a0a1001000 40 3bc6 72be 5e c9 }
            // n = 6, score = 100
            //   80a0a0a1001000       | and                 byte ptr [eax + 0x1000a1a0], 0
            //   40                   | inc                 eax
            //   3bc6                 | cmp                 eax, esi
            //   72be                 | jb                  0xffffffc0
            //   5e                   | pop                 esi
            //   c9                   | leave               

        $sequence_42 = { 898424b0000000 498d8378fdffff 4889442420 e8???????? 4533e4 488d0d310c0100 418d542401 }
            // n = 7, score = 100
            //   898424b0000000       | dec                 eax
            //   498d8378fdffff       | test                eax, eax
            //   4889442420           | je                  0x57
            //   e8????????           |                     
            //   4533e4               | dec                 ecx
            //   488d0d310c0100       | add                 ebp, 2
            //   418d542401           | jmp                 0x84

        $sequence_43 = { 8bf0 8bc6 5e c3 ff35???????? }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   ff35????????         |                     

        $sequence_44 = { 4983c502 eb7e 4c8be8 e9???????? 4b8b8cf8a02e0200 }
            // n = 5, score = 100
            //   4983c502             | dec                 eax
            //   eb7e                 | sar                 edx, 3
            //   4c8be8               | dec                 eax
            //   e9????????           |                     
            //   4b8b8cf8a02e0200     | mov                 ebx, dword ptr [esp + 0x338]

        $sequence_45 = { 482bc2 48c1f803 4883f802 770d }
            // n = 4, score = 100
            //   482bc2               | mov                 byte ptr [ebp - 0x41], cl
            //   48c1f803             | mov                 byte ptr [ebp - 0x3d], al
            //   4883f802             | inc                 ecx
            //   770d                 | cmp                 dh, 0xe

        $sequence_46 = { 33d2 4903c8 c744243000010000 e8???????? 488d542430 488d8e08020000 }
            // n = 6, score = 100
            //   33d2                 | je                  0x111
            //   4903c8               | dec                 eax
            //   c744243000010000     | sub                 eax, edx
            //   e8????????           |                     
            //   488d542430           | dec                 eax
            //   488d8e08020000       | sar                 eax, 3

    condition:
        7 of them and filesize < 330752
}
Download all Yara Rules