win.konni

Konni

Actor(s): APT37


Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References

2024-02-21 | DCSO | Jiro Minier, Johann Aydinbas, Kritika Roy, Olivia Hayward
  To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer
  Tags: Konni

2023-12-27 | Wezard4u | Sakai
  Malicious code impersonating the National Tax Service created by Konni
  Tags: Konni

2023-11-10 | NSFOCUS | NSFOCUS
  The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
  Tags: Cobalt Strike, Konni, DarkCasino, Opal Sleet

2023-01-01 | ThreatMon | Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team
  The Konni APT Chronicle: Tracing Their Intelligence-Driven Attack Chain
  Tags: Konni

2022-09-06 | cocomelonc | cocomelonc
  Malware development tricks: parent PID spoofing. Simple C++ example.
  Tags: Cobalt Strike, Konni

2022-07-23 | BleepingComputer | Bill Toulas
  North Korean hackers attack EU targets with Konni RAT malware
  Tags: Konni

2022-07-20 | Securonix Threat Labs | D. Iuzvyk, O. Kolesnikov, T. Peck
  STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
  Tags: Konni, Opal Sleet

2022-05-02 | cocomelonc | cocomelonc
  Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
  Tags: Agent.BTZ, Ave Maria, Konni, Mosquito, TurlaRPC

2022-01-26 | Malwarebytes | Roberto Santos
  KONNI evolves into stealthier RAT
  Tags: Konni

2022-01-12 | BleepingComputer | Ionut Ilascu
  Hackers take over diplomat's email, target Russian deputy minister
  Tags: Konni

2022-01-05 | Lumen | Danny Adamitis, Steve Rudd
  New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
  Tags: Konni

2022-01-03 | Cluster25 | Cluster25
  North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
  Tags: Konni

2021-09-06 | cocomelonc | cocomelonc
  AV engines evasion for C++ simple malware: part 2
  Tags: Agent Tesla, Amadey, Anchor, AnchorMTea, Carbanak, Carberp, Cardinal RAT, Felixroot, Konni, Loki Password Stealer (PWS), Maze

2021-08-20 | Malwarebytes | Hossein Jazi
  New variant of Konni malware used in campaign targetting Russia
  Tags: Konni

2020-08-14 | Department of Homeland Security | US-CERT
  Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
  Tags: Konni

2020-01-27 | CyberInt | CyberInt
  Konni Malware 2019 Campaign
  Tags: Konni

2020-01-04 | Medium d-hunter | Doron Karmi
  A Look Into Konni 2019 Campaign
  Tags: Konni

2019-08-19 | EST Security | East Security Response Center
  Konni APT organization emerges as an attack disguised as Russian document
  Tags: Konni

2019-05-13 | Kaspersky Labs | GReAT
  ScarCruft continues to evolve, introduces Bluetooth harvester
  Tags: Konni, RokRAT, UACMe, APT37

2017-08-15 | Fortinet | Jasper Manuel
  A Quick Look at a New KONNI RAT Variant
  Tags: Konni

2017-07-06 | Cisco Talos | Paul Rascagnères
  New KONNI Campaign References North Korean Missile Capabilities
  Tags: Konni

2017-07-01 | vallejo.cc | vallejocc
  Analysis of new variant of Konni RAT
  Tags: Konni

2017-05-03 | Cisco Talos | Paul Rascagnères
  KONNI: A Malware Under The Radar For Years
  Tags: Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20230808 | Detects win.konni.)
rule win_konni_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7908 4e 81ce00ffffff 46 8a9c35f8feffff 8819 889435f8feffff }
            // n = 7, score = 800
            //   7908                 | jns                 0xa
            //   4e                   | dec                 esi
            //   81ce00ffffff         | or                  esi, 0xffffff00
            //   46                   | inc                 esi
            //   8a9c35f8feffff       | mov                 bl, byte ptr [ebp + esi - 0x108]
            //   8819                 | mov                 byte ptr [ecx], bl
            //   889435f8feffff       | mov                 byte ptr [ebp + esi - 0x108], dl

        $sequence_1 = { 8945fc 53 56 57 b910000000 be???????? 8d7db0 }
            // n = 7, score = 800
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   b910000000           | mov                 ecx, 0x10
            //   be????????           |                     
            //   8d7db0               | lea                 edi, [ebp - 0x50]

        $sequence_2 = { 7527 0fb655eb 0fb645ea 52 }
            // n = 4, score = 800
            //   7527                 | jne                 0x29
            //   0fb655eb             | movzx               edx, byte ptr [ebp - 0x15]
            //   0fb645ea             | movzx               eax, byte ptr [ebp - 0x16]
            //   52                   | push                edx

        $sequence_3 = { 889435f8feffff 0fb609 0fb6d2 03ca 81e1ff000080 7908 }
            // n = 6, score = 800
            //   889435f8feffff       | mov                 byte ptr [ebp + esi - 0x108], dl
            //   0fb609               | movzx               ecx, byte ptr [ecx]
            //   0fb6d2               | movzx               edx, dl
            //   03ca                 | add                 ecx, edx
            //   81e1ff000080         | and                 ecx, 0x800000ff
            //   7908                 | jns                 0xa

        $sequence_4 = { 0fbef1 d0f9 83e601 884c15f4 8970e8 42 }
            // n = 6, score = 800
            //   0fbef1               | movsx               esi, cl
            //   d0f9                 | sar                 cl, 1
            //   83e601               | and                 esi, 1
            //   884c15f4             | mov                 byte ptr [ebp + edx - 0xc], cl
            //   8970e8               | mov                 dword ptr [eax - 0x18], esi
            //   42                   | inc                 edx

        $sequence_5 = { 49 81c900ffffff 41 8a940df8feffff 8d8c0df8feffff 0fb6da 03f3 }
            // n = 7, score = 800
            //   49                   | dec                 ecx
            //   81c900ffffff         | or                  ecx, 0xffffff00
            //   41                   | inc                 ecx
            //   8a940df8feffff       | mov                 dl, byte ptr [ebp + ecx - 0x108]
            //   8d8c0df8feffff       | lea                 ecx, [ebp + ecx - 0x108]
            //   0fb6da               | movzx               ebx, dl
            //   03f3                 | add                 esi, ebx

        $sequence_6 = { 83e601 897004 d0f9 0fbef1 83e601 8930 }
            // n = 6, score = 800
            //   83e601               | and                 esi, 1
            //   897004               | mov                 dword ptr [eax + 4], esi
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl
            //   83e601               | and                 esi, 1
            //   8930                 | mov                 dword ptr [eax], esi

        $sequence_7 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 6a01 ff15???????? 50 a3???????? }
            // n = 4, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_9 = { 33c9 83f802 7508 890d???????? }
            // n = 4, score = 300
            //   33c9                 | xor                 ecx, ecx
            //   83f802               | cmp                 eax, 2
            //   7508                 | jne                 0xa
            //   890d????????         |                     

        $sequence_10 = { eb1e 83f804 740f c705????????02000000 }
            // n = 4, score = 300
            //   eb1e                 | jmp                 0x20
            //   83f804               | cmp                 eax, 4
            //   740f                 | je                  0x11
            //   c705????????02000000     |     

        $sequence_11 = { 740f c705????????02000000 83f801 750a c705????????01000000 890d???????? }
            // n = 6, score = 300
            //   740f                 | je                  0x11
            //   c705????????02000000     |     
            //   83f801               | cmp                 eax, 1
            //   750a                 | jne                 0xc
            //   c705????????01000000     |     
            //   890d????????         |                     

        $sequence_12 = { 7508 890d???????? eb1e 83f804 }
            // n = 4, score = 300
            //   7508                 | jne                 0xa
            //   890d????????         |                     
            //   eb1e                 | jmp                 0x20
            //   83f804               | cmp                 eax, 4

        $sequence_13 = { 8916 56 e8???????? 8a8c30dec44600 }
            // n = 4, score = 200
            //   8916                 | mov                 dword ptr [esi], edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]

        $sequence_14 = { e8???????? 83c40c 6804010000 8d8df4fdffff 51 ff15???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6804010000           | push                0x104
            //   8d8df4fdffff         | lea                 ecx, [ebp - 0x20c]
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_15 = { 83e203 83f908 7229 f3a5 ff2495f0444000 8bc7 }
            // n = 6, score = 200
            //   83e203               | and                 edx, 3
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495f0444000       | jmp                 dword ptr [edx*4 + 0x4044f0]
            //   8bc7                 | mov                 eax, edi

        $sequence_16 = { 8d85f8feffff 50 ffd6 68???????? 8d8df0faffff }
            // n = 5, score = 200
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]

        $sequence_17 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_18 = { bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 0f85d7030000 }
            // n = 6, score = 200
            //   bbedffffff           | mov                 ebx, 0xffffffed
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd

        $sequence_19 = { e9???????? 8b35???????? 68???????? 8d85f8feffff }
            // n = 4, score = 200
            //   e9????????           |                     
            //   8b35????????         |                     
            //   68????????           |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_20 = { ff95b50f0000 898598040000 8bf0 8d7d51 }
            // n = 4, score = 200
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]
            //   898598040000         | mov                 dword ptr [ebp + 0x498], eax
            //   8bf0                 | mov                 esi, eax
            //   8d7d51               | lea                 edi, [ebp + 0x51]

        $sequence_21 = { 6804010000 8d95f8feffff 52 50 ff15???????? }
            // n = 5, score = 200
            //   6804010000           | push                0x104
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_22 = { 50 038594040000 59 0bc9 89851a040000 61 7508 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   038594040000         | add                 eax, dword ptr [ebp + 0x494]
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               
            //   7508                 | jne                 0xa

        $sequence_23 = { 8b4e08 33db 56 e8???????? 8a9c30c2c44600 }
            // n = 5, score = 200
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]

        $sequence_24 = { 8bf0 8d7d51 57 56 ff95b10f0000 ab }
            // n = 6, score = 200
            //   8bf0                 | mov                 esi, eax
            //   8d7d51               | lea                 edi, [ebp + 0x51]
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_25 = { 33d2 56 e8???????? 8a9435dec44600 5e 84c0 8bfa }
            // n = 7, score = 200
            //   33d2                 | xor                 edx, edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   84c0                 | test                al, al
            //   8bfa                 | mov                 edi, edx

        $sequence_26 = { 56 33d2 898ddcfeffff 40 57 }
            // n = 5, score = 200
            //   56                   | cmp                 eax, 2
            //   33d2                 | jne                 0xd
            //   898ddcfeffff         | jmp                 0x25
            //   40                   | push                0x208
            //   57                   | push                0

        $sequence_27 = { 6808020000 6a00 56 c745fc00010000 e8???????? 83c40c 8d45fc }
            // n = 7, score = 200
            //   6808020000           | je                  0x14
            //   6a00                 | cmp                 eax, 1
            //   56                   | jne                 0x14
            //   c745fc00010000       | jmp                 0x20
            //   e8????????           |                     
            //   83c40c               | cmp                 eax, 4
            //   8d45fc               | je                  0x14

        $sequence_28 = { ebab c745e428614000 817de42c614000 7311 8b45e4 }
            // n = 5, score = 200
            //   ebab                 | jmp                 0xffffffad
            //   c745e428614000       | mov                 dword ptr [ebp - 0x1c], 0x406128
            //   817de42c614000       | cmp                 dword ptr [ebp - 0x1c], 0x40612c
            //   7311                 | jae                 0x13
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_29 = { 6a00 6a00 8d8df8feffff 51 8d95f0fcffff }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]

        $sequence_30 = { 68???????? 8d8df0faffff 51 ffd6 8b35???????? }
            // n = 5, score = 200
            //   68????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b35????????         |                     

        $sequence_31 = { 51 6689442414 e8???????? 6808020000 8d942420020000 6a00 }
            // n = 6, score = 200
            //   51                   | cmp                 eax, 1
            //   6689442414           | jne                 0xa
            //   e8????????           |                     
            //   6808020000           | jmp                 0x20
            //   8d942420020000       | cmp                 eax, 4
            //   6a00                 | cmp                 eax, 2

        $sequence_32 = { e8???????? 8a8c30a6c44600 5e 8b442414 03ca 03c1 89442414 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]
            //   5e                   | pop                 esi
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   03ca                 | add                 ecx, edx
            //   03c1                 | add                 eax, ecx
            //   89442414             | mov                 dword ptr [esp + 0x14], eax

        $sequence_33 = { 33c0 56 51 668985e8fdffff e8???????? }
            // n = 5, score = 200
            //   33c0                 | jne                 0xa
            //   56                   | jmp                 0x22
            //   51                   | cmp                 eax, 4
            //   668985e8fdffff       | xor                 ecx, ecx
            //   e8????????           |                     

        $sequence_34 = { 488bda 488b15???????? 4889442458 89442450 488b05???????? 482bc2 }
            // n = 6, score = 100
            //   488bda               | dec                 eax
            //   488b15????????       |                     
            //   4889442458           | test                eax, eax
            //   89442450             | je                  0x51
            //   488b05????????       |                     
            //   482bc2               | dec                 eax

        $sequence_35 = { 48ffc9 48ffc1 7440 488d542448 458d4e2e }
            // n = 5, score = 100
            //   48ffc9               | xor                 eax, eax
            //   48ffc1               | dec                 eax
            //   7440                 | mov                 ecx, 0x80000002
            //   488d542448           | dec                 eax
            //   458d4e2e             | sub                 esp, 0x20

        $sequence_36 = { 8bd9 e8???????? 4885c0 7509 488d051f390100 }
            // n = 5, score = 100
            //   8bd9                 | jmp                 dword ptr [eax*4 + 0x1000bbd1]
            //   e8????????           |                     
            //   4885c0               | push                edi
            //   7509                 | mov                 edi, dword ptr [ebp + 0x10]
            //   488d051f390100       | mov                 dword ptr [ebp - 0x10c], eax

        $sequence_37 = { 4883ec20 488bd9 e8???????? 4c8d1d4b9b0000 }
            // n = 4, score = 100
            //   4883ec20             | je                  0xffffff57
            //   488bd9               | cmp                 eax, 7
            //   e8????????           |                     
            //   4c8d1d4b9b0000       | ja                  0xa20

        $sequence_38 = { 488b01 8b08 ff15???????? 488d15f3170100 488bcb }
            // n = 5, score = 100
            //   488b01               | dec                 eax
            //   8b08                 | mov                 ebx, ecx
            //   ff15????????         |                     
            //   488d15f3170100       | dec                 esp
            //   488bcb               | lea                 ebx, [0x9b4b]

        $sequence_39 = { e8???????? 59 3bc7 59 a3???????? 7419 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   3bc7                 | cmp                 eax, edi
            //   59                   | pop                 ecx
            //   a3????????           |                     
            //   7419                 | je                  0x1b
            //   68????????           |                     

        $sequence_40 = { 743e 8305????????20 8d0c9de0a30010 8d9080040000 8901 3bc2 }
            // n = 6, score = 100
            //   743e                 | je                  0x40
            //   8305????????20       |                     
            //   8d0c9de0a30010       | lea                 ecx, [ebx*4 + 0x1000a3e0]
            //   8d9080040000         | lea                 edx, [eax + 0x480]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   3bc2                 | cmp                 eax, edx

        $sequence_41 = { 4885c0 7438 33c0 4883c9ff 4c8d8600010000 488bfb }
            // n = 6, score = 100
            //   4885c0               | mov                 ebx, edx
            //   7438                 | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x58], eax
            //   4883c9ff             | mov                 dword ptr [esp + 0x50], eax
            //   4c8d8600010000       | dec                 eax
            //   488bfb               | sub                 eax, edx

        $sequence_42 = { 8d04c0 8b0c8de0a30010 8a448104 83e040 c3 55 8bec }
            // n = 7, score = 100
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8a448104             | mov                 al, byte ptr [ecx + eax*4 + 4]
            //   83e040               | and                 eax, 0x40
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_43 = { 83c410 837dfc08 752f 68???????? 53 e8???????? }
            // n = 6, score = 100
            //   83c410               | add                 esp, 0x10
            //   837dfc08             | cmp                 dword ptr [ebp - 4], 8
            //   752f                 | jne                 0x31
            //   68????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_44 = { 448d5bf0 498d4e10 4963d3 4d8bcd 4d8bc4 }
            // n = 5, score = 100
            //   448d5bf0             | dec                 eax
            //   498d4e10             | test                eax, eax
            //   4963d3               | je                  0x3a
            //   4d8bcd               | xor                 eax, eax
            //   4d8bc4               | dec                 eax

        $sequence_45 = { 8b8fa8af0100 488b87a0af0100 400fb6d6 f6d2 881401 ff87a8af0100 8b97a8af0100 }
            // n = 7, score = 100
            //   8b8fa8af0100         | xor                 esi, esi
            //   488b87a0af0100       | push                edi
            //   400fb6d6             | mov                 edi, dword ptr [ebp + 0x10]
            //   f6d2                 | mov                 dword ptr [ebp - 0x10c], eax
            //   881401               | xor                 esi, esi
            //   ff87a8af0100         | dec                 esp
            //   8b97a8af0100         | mov                 dword ptr [esp + 0x20], esi

        $sequence_46 = { 59 8a4dff 8d3c85e0a30010 8bc3 80c901 83e01f 884d0b }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   8a4dff               | mov                 cl, byte ptr [ebp - 1]
            //   8d3c85e0a30010       | lea                 edi, [eax*4 + 0x1000a3e0]
            //   8bc3                 | mov                 eax, ebx
            //   80c901               | or                  cl, 1
            //   83e01f               | and                 eax, 0x1f
            //   884d0b               | mov                 byte ptr [ebp + 0xb], cl

        $sequence_47 = { 488905???????? 8905???????? 488b05???????? 4533c0 48c7c102000080 488905???????? }
            // n = 6, score = 100
            //   488905????????       |                     
            //   8905????????         |                     
            //   488b05????????       |                     
            //   4533c0               | lea                 eax, [ebp - 4]
            //   48c7c102000080       | cmp                 eax, edx
            //   488905????????       |                     

        $sequence_48 = { 8bc3 c1f905 83e01f 8b0c8de0a30010 8d04c0 }
            // n = 5, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   c1f905               | sar                 ecx, 5
            //   83e01f               | and                 eax, 0x1f
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d04c0               | lea                 eax, [eax + eax*8]

        $sequence_49 = { 8b442448 448b6e4c 448b7e44 c1e808 4c8bf3 8b5e48 }
            // n = 6, score = 100
            //   8b442448             | dec                 eax
            //   448b6e4c             | mov                 ebx, eax
            //   448b7e44             | dec                 eax
            //   c1e808               | test                eax, eax
            //   4c8bf3               | je                  0x5c
            //   8b5e48               | inc                 ebp

    condition:
        7 of them and filesize < 330752
}