win.konni

Konni

Actor(s): APT37


Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber espionage group active since 2012. The group's primary victims are South Korean political organizations, as well as targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

References
2022-09-06 | cocomelonc | cocomelonc
@online{cocomelonc:20220906:malware:a09756f, author = {cocomelonc}, title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}}, date = {2022-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html}, language = {English}, urldate = {2022-11-17} } Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni
2022-07-23 | BleepingComputer | Bill Toulas
@online{toulas:20220723:north:79193bd, author = {Bill Toulas}, title = {{North Korean hackers attack EU targets with Konni RAT malware}}, date = {2022-07-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/}, language = {English}, urldate = {2022-07-25} } North Korean hackers attack EU targets with Konni RAT malware
Konni
2022-07-20 | Securonix Threat Labs | D. Iuzvyk, T. Peck, O. Kolesnikov
@online{iuzvyk:20220720:stiffbizon:ae896da, author = {D. Iuzvyk and T. Peck and O. Kolesnikov}, title = {{STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}}, date = {2022-07-20}, organization = {Securonix Threat Labs}, url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/}, language = {English}, urldate = {2022-07-25} } STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
Konni
2022-05-02 | cocomelonc | cocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2022-01-26 | Malwarebytes | Roberto Santos
@online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } KONNI evolves into stealthier RAT
Konni
2022-01-12 | BleepingComputer | Ionut Ilascu
@online{ilascu:20220112:hackers:e8e7709, author = {Ionut Ilascu}, title = {{Hackers take over diplomat's email, target Russian deputy minister}}, date = {2022-01-12}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/}, language = {English}, urldate = {2022-07-25} } Hackers take over diplomat's email, target Russian deputy minister
Konni
2022-01-05 | Lumen | Danny Adamitis, Steve Rudd
@online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Konni
2022-01-03 | Cluster25 | Cluster25
@techreport{cluster25:20220103:north:b362bcd, author = {Cluster25}, title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}}, date = {2022-01-03}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf}, language = {English}, urldate = {2022-07-25} } North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
Konni
2021-09-06 | cocomelonc | cocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze Unidentified 090 (Lazarus)
2021-08-20 | Malwarebytes | Hossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2020-08-14 | Department of Homeland Security | US-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-01-27 | CyberInt | CyberInt
@techreport{cyberint:20200127:konni:5cb8e40, author = {CyberInt}, title = {{Konni Malware 2019 Campaign}}, date = {2020-01-27}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf}, language = {English}, urldate = {2022-07-25} } Konni Malware 2019 Campaign
Konni
2020-01-04 | Medium d-hunter | Doron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-08-19 | EST Security | East Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-05-13 | Kaspersky Labs | GReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2017-08-15 | Fortinet | Jasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06 | Cisco Talos | Paul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07 | vallejo.cc | vallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03 | Cisco Talos | Paul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
Yara Rules
[TLP:WHITE] win_konni_auto (20230125 | Detects win.konni.)
/*
 * Autogenerated yara-signator rule for the win.konni family (Malpedia).
 *
 * The rule matches raw instruction-byte sequences ($sequence_0 .. $sequence_45)
 * lifted from disassembly of unpacked samples / memory dumps; it carries no
 * strings, imports or structural checks.  Because the patterns are compiled
 * code bytes, a rebuilt or differently compiled variant can change them, and
 * the DISCLAIMER below notes that only single samples per family were used,
 * so treat hits as a code-similarity indicator rather than proof of family.
 */
rule win_konni_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.konni."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a YARA hex pattern; a "??" wildcards one byte and is
        // used where the original bytes were relocated addresses or immediates
        // (e.g. the ff15???????? indirect-call operands).  The "// n = .., score = .."
        // line gives the number of byte groups in the pattern and yara-signator's
        // score for the sequence (800, 500, 200 or 100 in this rule).  The
        // disassembly listing under each pattern is informational only: YARA
        // matches the hex bytes, never the listing.
        $sequence_0 = { 8a8c0df8feffff 300c07 40 3b4514 7c93 8b4dfc 5f }
            // n = 7, score = 800
            //   8a8c0df8feffff       | mov                 cl, byte ptr [ebp + ecx - 0x108]
            //   300c07               | xor                 byte ptr [edi + eax], cl
            //   40                   | inc                 eax
            //   3b4514               | cmp                 eax, dword ptr [ebp + 0x14]
            //   7c93                 | jl                  0xffffff95
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi

        $sequence_1 = { 83c40c 83c618 4f 75cb }
            // n = 4, score = 800
            //   83c40c               | add                 esp, 0xc
            //   83c618               | add                 esi, 0x18
            //   4f                   | dec                 edi
            //   75cb                 | jne                 0xffffffcd

        $sequence_2 = { 8b4de4 8d55e8 52 8d45dc 50 }
            // n = 5, score = 800
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   52                   | push                edx
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax

        $sequence_3 = { 890d???????? 8815???????? ff15???????? 85c0 7552 8d4de0 51 }
            // n = 7, score = 800
            //   890d????????         |                     
            //   8815????????         |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7552                 | jne                 0x54
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   51                   | push                ecx

        $sequence_4 = { 03c0 33460c 03c0 334610 }
            // n = 4, score = 800
            //   03c0                 | add                 eax, eax
            //   33460c               | xor                 eax, dword ptr [esi + 0xc]
            //   03c0                 | add                 eax, eax
            //   334610               | xor                 eax, dword ptr [esi + 0x10]

        $sequence_5 = { 83e601 8970ec d0f9 0fbef1 }
            // n = 4, score = 800
            //   83e601               | and                 esi, 1
            //   8970ec               | mov                 dword ptr [eax - 0x14], esi
            //   d0f9                 | sar                 cl, 1
            //   0fbef1               | movsx               esi, cl

        $sequence_6 = { 83c418 8b45e4 50 ff15???????? 8b4dfc 33cd }
            // n = 6, score = 800
            //   83c418               | add                 esp, 0x18
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp

        $sequence_7 = { 6a01 ff15???????? 50 a3???????? }
            // n = 4, score = 500
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_8 = { 68b6030000 6a0d 50 ff15???????? }
            // n = 4, score = 500
            //   68b6030000           | push                0x3b6
            //   6a0d                 | push                0xd
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_9 = { 8b9cae68020000 33d2 56 e8???????? 8a9435dec44600 }
            // n = 5, score = 200
            //   8b9cae68020000       | mov                 ebx, dword ptr [esi + ebp*4 + 0x268]
            //   33d2                 | xor                 edx, edx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9435dec44600       | mov                 dl, byte ptr [ebp + esi + 0x46c4de]

        $sequence_10 = { 50 038594040000 59 0bc9 89851a040000 61 7508 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   038594040000         | add                 eax, dword ptr [ebp + 0x494]
            //   59                   | pop                 ecx
            //   0bc9                 | or                  ecx, ecx
            //   89851a040000         | mov                 dword ptr [ebp + 0x41a], eax
            //   61                   | popal               
            //   7508                 | jne                 0xa

        $sequence_11 = { e8???????? 8a8c30dec44600 5e bb01000000 83c604 d3e3 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8a8c30dec44600       | mov                 cl, byte ptr [eax + esi + 0x46c4de]
            //   5e                   | pop                 esi
            //   bb01000000           | mov                 ebx, 1
            //   83c604               | add                 esi, 4
            //   d3e3                 | shl                 ebx, cl

        $sequence_12 = { 68d0070000 ff15???????? 8b4dfc 33cd b801000000 5e }
            // n = 6, score = 200
            //   68d0070000           | push                0x7d0
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi

        $sequence_13 = { ff95b50f0000 898598040000 8bf0 8d7d51 57 56 }
            // n = 6, score = 200
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]
            //   898598040000         | mov                 dword ptr [ebp + 0x498], eax
            //   8bf0                 | mov                 esi, eax
            //   8d7d51               | lea                 edi, [ebp + 0x51]
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_14 = { 50 ffd6 68???????? 8d8df0faffff 51 ffd6 8b35???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   68????????           |                     
            //   8d8df0faffff         | lea                 ecx, [ebp - 0x510]
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   8b35????????         |                     

        $sequence_15 = { 83bd9404000000 899d94040000 0f85d7030000 8d85a0040000 50 ff95b50f0000 898598040000 }
            // n = 7, score = 200
            //   83bd9404000000       | cmp                 dword ptr [ebp + 0x494], 0
            //   899d94040000         | mov                 dword ptr [ebp + 0x494], ebx
            //   0f85d7030000         | jne                 0x3dd
            //   8d85a0040000         | lea                 eax, [ebp + 0x4a0]
            //   50                   | push                eax
            //   ff95b50f0000         | call                dword ptr [ebp + 0xfb5]
            //   898598040000         | mov                 dword ptr [ebp + 0x498], eax

        $sequence_16 = { 33c9 56 e8???????? 8a8c30a6c44600 5e }
            // n = 5, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a8c30a6c44600       | mov                 cl, byte ptr [eax + esi + 0x46c4a6]
            //   5e                   | pop                 esi

        $sequence_17 = { ff95b10f0000 ab b000 ae }
            // n = 4, score = 200
            //   ff95b10f0000         | call                dword ptr [ebp + 0xfb1]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b000                 | mov                 al, 0
            //   ae                   | scasb               al, byte ptr es:[edi]

        $sequence_18 = { 57 6804010000 8d95f8feffff 52 50 ff15???????? 8d85f8feffff }
            // n = 7, score = 200
            //   57                   | push                edi
            //   6804010000           | push                0x104
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_19 = { 8d95f0fcffff 52 6a00 6a00 ff15???????? }
            // n = 5, score = 200
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     

        // NOTE(review): the byte groups below begin with REX prefixes (0x40-0x4f),
        // i.e. 64-bit code, but the listing reads as a 32-bit decode whose lines
        // are shifted relative to the byte groups (here 4c is shown as "dec esp"
        // and the following group's mnemonic is attached to it).  The same applies
        // to the other REX-prefixed sequences further down ($sequence_26, _27, _29,
        // _30, _32 .. _34, _36, _37, _39, _40, _42 .. _44).  Trust the hex, not
        // the listing, when reviewing what these patterns cover.
        $sequence_20 = { 4c89742420 ff15???????? 488bd8 4885c0 744f }
            // n = 5, score = 200
            //   4c89742420           | dec                 esp
            //   ff15????????         |                     
            //   488bd8               | mov                 dword ptr [esp + 0x20], esi
            //   4885c0               | dec                 eax
            //   744f                 | mov                 ebx, eax

        $sequence_21 = { 68e8030000 ffd7 4e 75f6 5f e9???????? }
            // n = 6, score = 200
            //   68e8030000           | push                0x3e8
            //   ffd7                 | call                edi
            //   4e                   | dec                 esi
            //   75f6                 | jne                 0xfffffff8
            //   5f                   | pop                 edi
            //   e9????????           |                     

        $sequence_22 = { 8d8ea0000000 e8???????? 8b4e08 33db 56 e8???????? 8a9c30c2c44600 }
            // n = 7, score = 200
            //   8d8ea0000000         | lea                 ecx, [esi + 0xa0]
            //   e8????????           |                     
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   e8????????           |                     
            //   8a9c30c2c44600       | mov                 bl, byte ptr [eax + esi + 0x46c4c2]

        $sequence_23 = { ff15???????? 8d95f8feffff 52 ff15???????? 8b3d???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8d95f8feffff         | lea                 edx, [ebp - 0x108]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b3d????????         |                     

        $sequence_24 = { ff15???????? 85c0 755b 57 6804010000 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   755b                 | jne                 0x5d
            //   57                   | push                edi
            //   6804010000           | push                0x104

        $sequence_25 = { a1???????? c705????????58214000 8935???????? a3???????? ff15???????? a3???????? 83f8ff }
            // n = 7, score = 200
            //   a1????????           |                     
            //   c705????????58214000     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     
            //   a3????????           |                     
            //   83f8ff               | cmp                 eax, -1

        // From here on every sequence has score = 100 (the lowest in this rule).
        $sequence_26 = { 418bc1 d3e8 8842ff 418bc2 d3e8 884203 }
            // n = 6, score = 100
            //   418bc1               | sub                 eax, edx
            //   d3e8                 | dec                 eax
            //   8842ff               | lea                 ecx, [esp + 0x20]
            //   418bc2               | inc                 ecx
            //   d3e8                 | mov                 eax, 0x234
            //   884203               | movups              xmm0, xmmword ptr [ebp + 0x40]

        $sequence_27 = { 85db 0f8486000000 41880e 4b8b84f9a02e0200 4183caff }
            // n = 5, score = 100
            //   85db                 | dec                 eax
            //   0f8486000000         | test                eax, eax
            //   41880e               | je                  0x57
            //   4b8b84f9a02e0200     | dec                 eax
            //   4183caff             | lea                 eax, [0x136ed]

        $sequence_28 = { 0fbec3 8a80e8700010 83e00f eb02 33c0 }
            // n = 5, score = 100
            //   0fbec3               | movsx               eax, bl
            //   8a80e8700010         | mov                 al, byte ptr [eax + 0x100070e8]
            //   83e00f               | and                 eax, 0xf
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_29 = { ff15???????? 440fb75c2428 440fb744242a 440fb74c242c }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   440fb75c2428         | mov                 ebx, dword ptr [esp]
            //   440fb744242a         | inc                 ebp
            //   440fb74c242c         | lea                 edi, [esp - 0x10]

        $sequence_30 = { 8b08 ff15???????? 488d15f3170100 488bcb }
            // n = 4, score = 100
            //   8b08                 | mov                 dword ptr [esp + 0x20], esi
            //   ff15????????         |                     
            //   488d15f3170100       | dec                 eax
            //   488bcb               | mov                 ebx, eax

        // NOTE(review): the listing decodes this as "add byte ptr [eax], dl" and
        // similar, which suggests these bytes may be data rather than code; the
        // pattern still matches wherever those bytes occur.
        $sequence_31 = { 59 0010 d05900 1023 }
            // n = 4, score = 100
            //   59                   | pop                 ecx
            //   0010                 | add                 byte ptr [eax], dl
            //   d05900               | rcr                 byte ptr [ecx], 1
            //   1023                 | adc                 byte ptr [ebx], ah

        $sequence_32 = { 488d05ed360100 c3 4053 4883ec20 8b05???????? bb14000000 85c0 }
            // n = 7, score = 100
            //   488d05ed360100       | mov                 byte ptr [edx - 1], al
            //   c3                   | inc                 ecx
            //   4053                 | mov                 eax, edx
            //   4883ec20             | shr                 eax, cl
            //   8b05????????         |                     
            //   bb14000000           | mov                 byte ptr [edx + 3], al
            //   85c0                 | inc                 ebp

        $sequence_33 = { 488d05e9e9feff 4a8b84f8a02e0200 400f95c7 4503e4 }
            // n = 4, score = 100
            //   488d05e9e9feff       | mov                 ebp, dword ptr [esp + 4]
            //   4a8b84f8a02e0200     | inc                 ebp
            //   400f95c7             | lea                 ebp, [ebx + 0x10]
            //   4503e4               | inc                 esp

        $sequence_34 = { 4c8d6108 4d8b2c24 eb20 4c8d25a4c30000 488b0d???????? bf01000000 897c2460 }
            // n = 7, score = 100
            //   4c8d6108             | mov                 eax, edi
            //   4d8b2c24             | not                 ecx
            //   eb20                 | inc                 ecx
            //   4c8d25a4c30000       | ror                 eax, 0xb
            //   488b0d????????       |                     
            //   bf01000000           | je                  0x278
            //   897c2460             | dec                 eax

        $sequence_35 = { 8b442404 c7405030880010 c7401401000000 c3 56 57 ff15???????? }
            // n = 7, score = 100
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   c7405030880010       | mov                 dword ptr [eax + 0x50], 0x10008830
            //   c7401401000000       | mov                 dword ptr [eax + 0x14], 1
            //   c3                   | ret                 
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_36 = { e8???????? b9ff000000 e8???????? 488bfb 4803ff 4c8d2d25c70000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   b9ff000000           | mov                 ecx, dword ptr [edx + 0x50]
            //   e8????????           |                     
            //   488bfb               | mov                 dword ptr [esp + 4], esi
            //   4803ff               | inc                 ecx
            //   4c8d2d25c70000       | mov                 esi, dword ptr [edx + 0x60]

        $sequence_37 = { 488d4c2420 41b834020000 0f104540 488bd7 }
            // n = 4, score = 100
            //   488d4c2420           | mov                 ecx, edi
            //   41b834020000         | inc                 esi
            //   0f104540             | lea                 edi, [edx + eax]
            //   488bd7               | inc                 esp

        $sequence_38 = { 6a03 57 bf???????? 57 e8???????? 8d45fc }
            // n = 6, score = 100
            //   6a03                 | push                3
            //   57                   | push                edi
            //   bf????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_39 = { 03d1 8bcf 468d3c02 448bc7 f7d1 41c1c80b }
            // n = 6, score = 100
            //   03d1                 | mov                 ebp, edx
            //   8bcf                 | dec                 eax
            //   468d3c02             | mov                 dword ptr [esp + 0x30], 0
            //   448bc7               | inc                 ebp
            //   f7d1                 | lea                 eax, [ecx + 1]
            //   41c1c80b             | mov                 edx, 0x80000000

        $sequence_40 = { 458b4a50 89742404 418b7260 8b6c2404 458d6b10 448b1c24 }
            // n = 6, score = 100
            //   458b4a50             | dec                 eax
            //   89742404             | mov                 edx, edi
            //   418b7260             | dec                 esp
            //   8b6c2404             | lea                 esp, [ecx + 8]
            //   458d6b10             | dec                 ebp
            //   448b1c24             | mov                 ebp, dword ptr [esp]

        $sequence_41 = { 57 33ff 397d08 0f85a3010000 8b7510 53 817e0402010000 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   397d08               | cmp                 dword ptr [ebp + 8], edi
            //   0f85a3010000         | jne                 0x1a9
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   53                   | push                ebx
            //   817e0402010000       | cmp                 dword ptr [esi + 4], 0x102

        $sequence_42 = { 488d542440 4533c9 e8???????? 85c0 7403 894310 488b03 }
            // n = 7, score = 100
            //   488d542440           | mov                 ecx, 0x40
            //   4533c9               | dec                 ecx
            //   e8????????           |                     
            //   85c0                 | lea                 edx, [edi + 1]
            //   7403                 | dec                 esp
            //   894310               | mov                 ebp, eax
            //   488b03               | dec                 esp

        $sequence_43 = { 4533c9 488bea 48c744243000000000 458d4101 ba00000080 c744242820000000 }
            // n = 6, score = 100
            //   4533c9               | dec                 eax
            //   488bea               | test                eax, eax
            //   48c744243000000000     | je    0x54
            //   458d4101             | inc                 ebp
            //   ba00000080           | xor                 ecx, ecx
            //   c744242820000000     | dec                 eax

        $sequence_44 = { 0f8472020000 488b05???????? 488b15???????? 482bc2 }
            // n = 4, score = 100
            //   0f8472020000         | mov                 dword ptr [esp + 0x28], 0x20
            //   488b05????????       |                     
            //   488b15????????       |                     
            //   482bc2               | add                 edx, ecx

        $sequence_45 = { a3???????? 741e 68???????? 68???????? 50 e8???????? }
            // n = 6, score = 100
            //   a3????????           |                     
            //   741e                 | je                  0x20
            //   68????????           |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        // Fires when at least 7 of the 46 sequences above are present AND the
        // scanned object is smaller than 330752 bytes (323 KiB).  The size gate
        // keeps the rule cheap on large files, but it also means a larger
        // carrier (e.g. a dropper or archive embedding the payload) will not
        // match even if it contains the code -- scan unpacked/extracted
        // payloads, not just the outer file.  The "7 of them" threshold does
        // not weight by score, so seven low-score (100) hits suffice.
        7 of them and filesize < 330752
}