win.konni

Konni

Actor(s): APT37


Konni is a remote administration tool that has been observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber espionage group active since 2012. The group's primary victims are South Korean political organizations, with further targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2024-02-21 | DCSO | Jiro Minier, Johann Aydinbas, Kritika Roy, Olivia Hayward
To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer
Families: Konni

2023-12-27 | Wezard4u | Sakai
Malicious code impersonating the National Tax Service created by Konni
Families: Konni

2023-11-10 | NSFOCUS | NSFOCUS
The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Families: Cobalt Strike, Konni, DarkCasino, Opal Sleet

2023-01-01 | ThreatMon | Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team
The Konni APT Chronicle: Tracing Their Intelligence-Driven Attack Chain
Families: Konni

2022-09-06 | cocomelonc | cocomelonc
Malware development tricks: parent PID spoofing. Simple C++ example.
Families: Cobalt Strike, Konni

2022-07-23 | BleepingComputer | Bill Toulas
North Korean hackers attack EU targets with Konni RAT malware
Families: Konni

2022-07-20 | Securonix Threat Labs | Den Iyzvyk, Oleg Kolesnikov, Tim Peck
STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
Families: Konni, Opal Sleet

2022-05-02 | cocomelonc | cocomelonc
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Families: Agent.BTZ, Ave Maria, Konni, Mosquito, TurlaRPC

2022-01-26 | Malwarebytes | Roberto Santos
KONNI evolves into stealthier RAT
Families: Konni

2022-01-12 | BleepingComputer | Ionut Ilascu
Hackers take over diplomat's email, target Russian deputy minister
Families: Konni

2022-01-05 | Lumen | Danny Adamitis, Steve Rudd
New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Families: Konni

2022-01-03 | Cluster25 | Cluster25
North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
Families: Konni

2021-08-20 | Malwarebytes | Hossein Jazi
New variant of Konni malware used in campaign targetting Russia
Families: Konni

2020-08-14 | Department of Homeland Security | US-CERT
Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Families: Konni

2020-01-27 | CyberInt | CyberInt
Konni Malware 2019 Campaign
Families: Konni

2020-01-04 | Medium d-hunter | Doron Karmi
A Look Into Konni 2019 Campaign
Families: Konni

2019-08-19 | EST Security | East Security Response Center
Konni APT organization emerges as an attack disguised as Russian document
Families: Konni

2019-05-13 | Kaspersky Labs | GReAT
ScarCruft continues to evolve, introduces Bluetooth harvester
Families: Konni, RokRAT, UACMe, APT37

2017-08-15 | Fortinet | Jasper Manuel
A Quick Look at a New KONNI RAT Variant
Families: Konni

2017-07-06 | Cisco Talos | Paul Rascagnères
New KONNI Campaign References North Korean Missile Capabilities
Families: Konni

2017-07-01 | vallejo.cc | vallejocc
Analysis of new variant of Konni RAT
Families: Konni

2017-05-03 | Cisco Talos | Paul Rascagnères
KONNI: A Malware Under The Radar For Years
Families: Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20260504 | Detects win.konni.)
rule win_konni_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8945f4 8945f8 8d45e4 50 6a01 6a00 }
            // n = 6, score = 800
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_1 = { 300c07 40 3b4514 7c93 }
            // n = 4, score = 800
            //   300c07               | xor                 byte ptr [edi + eax], cl
            //   40                   | inc                 eax
            //   3b4514               | cmp                 eax, dword ptr [ebp + 0x14]
            //   7c93                 | jl                  0xffffff95

        $sequence_2 = { 0fbef1 83e601 8970f4 d0f9 0fbef1 }
            // n = 5, score = 800
            //   0fbef1               | movsx               esi, cl
            //   83e601               | and                 esi, 1
            //   8970f4               | mov                 dword ptr [eax - 0xc], esi
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl

        $sequence_3 = { 884c15f4 8970e8 42 83c020 83fa03 7c98 }
            // n = 6, score = 800
            //   884c15f4             | mov                 byte ptr [ebp + edx - 0xc], cl
            //   8970e8               | mov                 dword ptr [eax - 0x18], esi
            //   42                   | inc                 edx
            //   83c020               | add                 eax, 0x20
            //   83fa03               | cmp                 edx, 3
            //   7c98                 | jl                  0xffffff9a

        $sequence_4 = { ff15???????? e8???????? 8b4dfc f7d8 5f }
            // n = 5, score = 800
            //   ff15????????         |                     
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   f7d8                 | neg                 eax
            //   5f                   | pop                 edi

        $sequence_5 = { 7cf1 33c9 8bc1 99 f7bdf4feffff 8a9c0df8feffff 0fb6c3 }
            // n = 7, score = 800
            //   7cf1                 | jl                  0xfffffff3
            //   33c9                 | xor                 ecx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq                 
            //   f7bdf4feffff         | idiv                dword ptr [ebp - 0x10c]
            //   8a9c0df8feffff       | mov                 bl, byte ptr [ebp + ecx - 0x108]
            //   0fb6c3               | movzx               eax, bl

        $sequence_6 = { 6a3d 68???????? 53 e8???????? 53 }
            // n = 5, score = 800
            //   6a3d                 | push                0x3d
            //   68????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_7 = { 56 57 8b7d10 8985f4feffff }
            // n = 4, score = 800
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8985f4feffff         | mov                 dword ptr [ebp - 0x10c], eax

        $sequence_8 = { 7508 890d???????? eb1e 83f804 }
            // n = 4, score = 500
            //   7508                 | jmp                 0x20
            //   890d????????         |                     
            //   eb1e                 | cmp                 eax, 4
            //   83f804               | je                  0x14

        $sequence_9 = { 6a01 ff15???????? 50 a3???????? e8???????? }
            // n = 5, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_10 = { 33c9 83f802 7508 890d???????? }
            // n = 4, score = 500
            //   33c9                 | sub                 ebx, 0x22000
            //   83f802               | cmp                 dword ptr [ebp + 0x494], 0
            //   7508                 | mov                 dword ptr [ebp + 0x494], ebx
            //   890d????????         |                     

        $sequence_11 = { eb1e 83f804 740f c705????????02000000 83f801 750a c705????????01000000 }
            // n = 7, score = 500
            //   eb1e                 | mov                 dword ptr [esp + 0x130], edi
            //   83f804               | dec                 esp
            //   740f                 | mov                 dword ptr [esp + 0x138], esp
            //   c705????????02000000     |     
            //   83f801               | inc                 ebp
            //   750a                 | xor                 esp, esp
            //   c705????????01000000     |     

        $sequence_12 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { eb02 33c9 e8???????? 8bf8 }
            // n = 4, score = 400
            //   eb02                 | jmp                 0x20
            //   33c9                 | jmp                 0x20
            //   e8????????           |                     
            //   8bf8                 | cmp                 eax, 4

        $sequence_14 = { e8???????? 83c408 85c0 7552 8b560c 68???????? 52 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   83c408               | cmp                 eax, 1
            //   85c0                 | jne                 0x11
            //   7552                 | jmp                 0x20
            //   8b560c               | cmp                 eax, 4
            //   68????????           |                     
            //   52                   | je                  0x14

        $sequence_15 = { 8d3c10 8b95f0feffff 8995e4feffff 8b95f8feffff }
            // n = 4, score = 300
            //   8d3c10               | jne                 0xd
            //   8b95f0feffff         | jmp                 0x25
            //   8995e4feffff         | cmp                 eax, 4
            //   8b95f8feffff         | xor                 ecx, ecx

        $sequence_16 = { 56 57 50 e8???????? 83c40c 6820010000 e8???????? }
            // n = 7, score = 300
            //   56                   | cmp                 eax, 2
            //   57                   | jne                 0xd
            //   50                   | jmp                 0x25
            //   e8????????           |                     
            //   83c40c               | xor                 ecx, ecx
            //   6820010000           | cmp                 eax, 2
            //   e8????????           |                     

        $sequence_17 = { 885a08 0fb641f0 3245f9 83c110 8801 0fb6460c 3245fa }
            // n = 7, score = 300
            //   885a08               | cmp                 eax, 2
            //   0fb641f0             | jne                 0xd
            //   3245f9               | jmp                 0x25
            //   83c110               | cmp                 eax, 4
            //   8801                 | je                  0x1b
            //   0fb6460c             | cmp                 eax, 4
            //   3245fa               | je                  0x11

        $sequence_18 = { ff15???????? 8d95f8feffff 52 ff15???????? 8b3d???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b3d????????         |                     

        $sequence_19 = { 6a00 6a00 8d8df8feffff 51 8d95f0fcffff 52 6a00 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8df8feffff         | lea                 ecx, [ebp - 0x108]
            //   51                   | push                ecx
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   52                   | push                edx
            //   6a00                 | push                0

        $sequence_20 = { 33c0 8db768020000 8916 56 e8???????? 8a8c30dec44600 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   8db768020000         | lea                 esi, [edi + 0x268]
            //   8916                 | mov                 dword ptr [esi], edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]

        $sequence_21 = { 49ffc0 49ffc9 75d5 0fb645bd 0fb64db9 8845b9 0fb645c1 }
            // n = 7, score = 200
            //   49ffc0               | jmp                 0x22
            //   49ffc9               | cmp                 eax, 4
            //   75d5                 | je                  0x18
            //   0fb645bd             | cmp                 eax, 1
            //   0fb64db9             | jne                 0xc
            //   8845b9               | jmp                 0x20
            //   0fb645c1             | cmp                 eax, 4

        $sequence_22 = { 2bcb 81e2ffffff00 d3ea 33c9 56 e8???????? 8a8c30a6c44600 }
            // n = 7, score = 200
            //   2bcb                 | sub                 ecx, ebx
            //   81e2ffffff00         | and                 edx, 0xffffff
            //   d3ea                 | shr                 edx, cl
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]

        $sequence_23 = { e8???????? 8a9435dec44600 5e 84c0 8bfa }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   84c0                 | test                al, al
            //   8bfa                 | mov                 edi, edx

        $sequence_24 = { e8???????? 8a8c30dec44600 5e bb01000000 83c604 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   bb01000000           | mov                 ebx, 1
            //   83c604               | add                 esi, 4

        $sequence_25 = { 899d94040000 0f85d7030000 8d85a0040000 50 ff95b50f0000 898598040000 8bf0 }
            // n = 7, score = 200
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd
            //   8d85a0040000         | lea                 eax, [ebp + 0x4a0]
            //   50                   | push                eax
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]
            //   898598040000         | mov                 dword ptr [ebp + 0x498], eax
            //   8bf0                 | mov                 esi, eax

        $sequence_26 = { 450fb60424 450fb65c24ff 410fb67c2402 450fb6542401 410fb6d0 440fb6cf }
            // n = 6, score = 200
            //   450fb60424           | jne                 0xc
            //   450fb65c24ff         | jmp                 0x20
            //   410fb67c2402         | cmp                 eax, 4
            //   450fb6542401         | je                  0x14
            //   410fb6d0             | jmp                 0x20
            //   440fb6cf             | cmp                 eax, 4

        $sequence_27 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_28 = { 5d bbedffffff 03dd 81eb00200200 83bd9404000000 899d94040000 }
            // n = 6, score = 200
            //   5d                   | pop                 ebp
            //   bbedffffff           | mov                 ebx, 0xffffffed
            //   03dd                 | add                 ebx, ebp
            //   81eb00200200         | sub                 ebx, 0x22000
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx

        $sequence_29 = { 33db 56 e8???????? 8a9c30c2c44600 5e 83f908 7232 }
            // n = 7, score = 200
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]
            //   5e                   | pop                 esi
            //   83f908               | cmp                 ecx, 8
            //   7232                 | jb                  0x34

        $sequence_30 = { 6a00 50 c685f4fdffff00 e8???????? 83c40c 6804010000 }
            // n = 6, score = 200
            //   6a00                 | push                0
            //   50                   | push                eax
            //   c685f4fdffff00       | mov                 byte ptr [ebp - 0x20c], 0
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6804010000           | push                0x104

        $sequence_31 = { 50 038594040000 59 0bc9 89851a040000 61 7508 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   038594040000         | add                 eax, dword ptr [ebp + 0x494]
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               
            //   7508                 | jne                 0xa

        $sequence_32 = { 7524 a1???????? a3???????? a1???????? c705????????58214000 }
            // n = 5, score = 200
            //   7524                 | jne                 0x26
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   c705????????58214000     |     

        $sequence_33 = { 51 ffd6 8b35???????? 8d95f0faffff }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b35????????         |                     
            //   8d95f0faffff         | lea                 edx, [ebp - 0x510]

        $sequence_34 = { 33c0 4883c9ff 498bfb f2ae 48f7d1 488d51ff }
            // n = 6, score = 200
            //   33c0                 | cmp                 eax, 4
            //   4883c9ff             | je                  0x1b
            //   498bfb               | cmp                 eax, 2
            //   f2ae                 | jne                 0xa
            //   48f7d1               | jmp                 0x22
            //   488d51ff             | cmp                 eax, 1

        $sequence_35 = { 004044 40 00644440 0023 }
            // n = 4, score = 200
            //   004044               | add                 byte ptr [eax + 0x44], al
            //   40                   | inc                 eax
            //   00644440             | add                 byte ptr [esp + eax*2 + 0x40], ah
            //   0023                 | add                 byte ptr [ebx], ah

        $sequence_36 = { 41b850000000 4533c9 488bd3 488bc8 }
            // n = 4, score = 200
            //   41b850000000         | dec                 eax
            //   4533c9               | test                eax, eax
            //   488bd3               | je                  0x51
            //   488bc8               | inc                 ecx

        $sequence_37 = { 488bd6 e8???????? 4885c0 740a }
            // n = 4, score = 200
            //   488bd6               | je                  0x14
            //   e8????????           |                     
            //   4885c0               | cmp                 eax, 2
            //   740a                 | jne                 0xa

        $sequence_38 = { 8d95f8feffff 52 50 ff15???????? 8d85f8feffff 50 ff15???????? }
            // n = 7, score = 200
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_39 = { 52 8d85f8feffff 50 ffd6 }
            // n = 4, score = 200
            //   52                   | push                edx
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ffd6                 | call                esi

        $sequence_40 = { e8???????? 59 3bc7 59 a3???????? 741e }
            // n = 6, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   3bc7                 | cmp                 eax, edi
            //   59                   | pop                 ecx
            //   a3????????           |                     
            //   741e                 | je                  0x20

        $sequence_41 = { e8???????? 488d8d60050000 33d2 41b800040000 c744244000040000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488d8d60050000       | mov                 ecx, 0x20019
            //   33d2                 | dec                 esp
            //   41b800040000         | mov                 ebp, eax
            //   c744244000040000     | dec                 eax

        $sequence_42 = { 48899c2420010000 4889bc2430010000 4c89a42438010000 4533e4 0f1f00 }
            // n = 5, score = 100
            //   48899c2420010000     | lea                 eax, [esp + 0x40]
            //   4889bc2430010000     | dec                 eax
            //   4c89a42438010000     | lea                 edx, [0x11879]
            //   4533e4               | inc                 ebp
            //   0f1f00               | xor                 eax, eax

        $sequence_43 = { 488d442440 488d1579180100 4533c0 4889442420 }
            // n = 4, score = 100
            //   488d442440           | dec                 eax
            //   488d1579180100       | mov                 edx, ebx
            //   4533c0               | dec                 eax
            //   4889442420           | mov                 ecx, eax

        $sequence_44 = { a3???????? 85c0 59 bf???????? }
            // n = 4, score = 100
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   bf????????           |                     

        $sequence_45 = { 99 f7fd 4863c2 420fb60c20 4403d9 4403df }
            // n = 6, score = 100
            //   99                   | lea                 eax, [esp + 0x48]
            //   f7fd                 | inc                 ebp
            //   4863c2               | xor                 eax, eax
            //   420fb60c20           | dec                 eax
            //   4403d9               | mov                 edx, ebx
            //   4403df               | dec                 eax

        $sequence_46 = { 8d0500a00010 83780800 753b b0ff 8bff }
            // n = 5, score = 100
            //   8d0500a00010         | lea                 eax, [0x1000a000]
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   753b                 | jne                 0x3d
            //   b0ff                 | mov                 al, 0xff
            //   8bff                 | mov                 edi, edi

        $sequence_47 = { 56 53 e8???????? 57 68???????? e8???????? }
            // n = 6, score = 100
            //   56                   | push                esi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   57                   | push                edi
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_48 = { e8???????? 4533f6 41b919000200 4c8be8 488d442448 4533c0 488bd3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4533f6               | dec                 eax
            //   41b919000200         | mov                 ecx, eax
            //   4c8be8               | inc                 ecx
            //   488d442448           | mov                 eax, 0x50
            //   4533c0               | inc                 ebp
            //   488bd3               | xor                 ecx, ecx

        $sequence_49 = { e8???????? 4c8d4d08 4c8d442448 488d156d140100 488d4c2448 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4c8d4d08             | mov                 dword ptr [esp + 0x28], 3
            //   4c8d442448           | inc                 ebp
            //   488d156d140100       | xor                 esi, esi
            //   488d4c2448           | inc                 ecx

        $sequence_50 = { c1f905 8d04c0 be00800000 8b0c8de0a30010 8d548104 8a4c8104 }
            // n = 6, score = 100
            //   c1f905               | sar                 ecx, 5
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   be00800000           | mov                 esi, 0x8000
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d548104             | lea                 edx, [ecx + eax*4 + 4]
            //   8a4c8104             | mov                 cl, byte ptr [ecx + eax*4 + 4]

        $sequence_51 = { c1f905 83e01f 8b0c8de0a30010 8d04c0 8d0481 eb05 }
            // n = 6, score = 100
            //   c1f905               | sar                 ecx, 5
            //   83e01f               | and                 eax, 0x1f
            //   8b0c8de0a30010       | mov                 ecx, dword ptr [ecx*4 + 0x1000a3e0]
            //   8d04c0               | lea                 eax, [eax + eax*8]
            //   8d0481               | lea                 eax, [ecx + eax*4]
            //   eb05                 | jmp                 7

    condition:
        7 of them and filesize < 2361344
}