win.maze (Back to overview)


aka: ChaCha

Actor(s): FIN6, TA2101


Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).

The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.

2024-02-15Department of JusticeOffice of Public Affairs
Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses
Egregor IcedID Maze Zeus
2024-02-15Bleeping ComputerSergiu Gatlan
Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison
Egregor IcedID Maze Zeus
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05Intel 471Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23splunkShannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-02-23splunkShannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-09Bleeping ComputerLawrence Abrams
Ransomware dev releases Egregor, Maze master decryption keys
Egregor Maze Sekhmet
2022-02-09Security AffairsPierluigi Paganini
Master decryption keys for Maze, Egregor, and Sekhmet ransomware leaked online
Egregor m0yv Maze Sekhmet
Identification of a new cybercriminal group: Lockean
DoppelPaymer Egregor Maze PwndLocker REvil
Identification of a new cyber criminal group: Lockean
Cobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-10Bleeping ComputerSergiu Gatlan
Crytek confirms Egregor ransomware attack, customer data theft
Egregor Maze
2021-08-05KrebsOnSecurityBrian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-09The RecordCatalin Cimpanu
Ransomwhere project wants to create a database of past ransomware payments
Egregor Mailto Maze REvil
2021-07-01DomainToolsChad Anderson
The Most Prolific Ransomware Families: A Defenders Guide
REvil Conti Egregor Maze REvil
2021-06-16ProofpointDaniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-05-18The RecordCatalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide DarkSide Mailto Maze REvil Ryuk
2021-05-18Bleeping ComputerIonut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Bleeping ComputerLawrence Abrams
Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-27CrowdStrikeEben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
2021-04-07ANALYST1Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-03-17Palo Alto Networks Unit 42Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
The Egregor Ransomware
Egregor Maze Sekhmet
2021-03-01Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25FireEyeBrendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-04ChainanalysisChainalysis Team
Blockchain Analysis Shows Connections Between Four of 2020’s Biggest Ransomware Strains
DoppelPaymer Egregor Maze SunCrypt
2021-01-01TalosTalos Incident Response
Evicting Maze
Cobalt Strike Maze
Threat Profile: GOLD VILLAGE
Maze TA2101
2020-12-16AccenturePaul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-14Medium Killbitkillbit
Applying the Diamond Model to Cognizant (MSP) vs. Maze Ransomware
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-09CiscoCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-12-08SophosAnand Aijan, Bill Kearney, Gabor Szappanos, Mark Loman, Peter Mackenzie, Sean Gallagher, Sergio Bestulic, Syed Shahram
Egregor ransomware: Maze’s heir apparent
Egregor Maze
2020-12-07Minerva LabsTom Roter
Egregor Ransomware - An In-Depth Analysis
Egregor Maze Sekhmet
2020-12-01Trend MicroRyan Flores
The Impact of Modern Ransomware on Manufacturing Networks
Maze Petya REvil
2020-11-18KELAVictoria Kivilevich
Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-11Kaspersky LabsDmitry Bestuzhev, Fedor Sinitsyn
Targeted ransomware: it’s not just about encrypting your data! Part 1 - “Old and New Friends”
Egregor Maze RagnarLocker
2020-11-06TelsyTelsy Research Team
Malware Analysis Report: Trying not to walk in the dark woods. A way out of the Maze
2020-10-29Bleeping ComputerLawrence Abrams
Maze ransomware is shutting down its cybercrime operation
Egregor Maze
2020-10-28BitdefenderRuben Andrei Condor
A Decade of WMI Abuse – an Overview of Techniques in Modern Malware
sLoad Emotet Maze
2020-10-26CheckpointEyal Itkin, Itay Cohen
Exploit Developer Spotlight: The Story of PlayBit
Dyre Maze PyLocky Ramnit REvil
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-21Kaspersky LabsFedor Sinitsyn, Nikita Galimov, Vladimir Kuskov
Life of Maze ransomware
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-10-01KELAVictoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-25StateScoopBenjamin Freed
Baltimore ransomware attack was early attempt at data extortion, new report shows
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-22Sophos SecOpsGreg Iddon
MTR Casebook: Blocking a $15 million Maze ransomware attack
2020-09-17Bleeping ComputerLawrence Abrams
Maze ransomware now encrypts via virtual machines to evade detection
2020-09-17SophosLabs UncutAndrew Brandt, Peter Mackenzie
Maze attackers adopt Ragnar Locker virtual machine technique
2020-09-01Cisco TalosCaitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
Case Study: Catching a Human-Operated Maze Ransomware Attack In Action
2020-08-04ZDNetCatalin Cimpanu
Ransomware gang publishes tens of GBs of internal data from LG and Xerox
2020-08-01Temple UniversityCARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-15MandiantCorey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-06-18Quick HealPreksha Saxena
Maze ransomware continues to be a threat to the consumers
Notice of Data Breach
2020-06-16BleepingComputerSergiu Gatlan
Chipmaker MaxLinear reports data breach after Maze Ransomware attack
2020-06-04Sophos Naked SecurityLisa Vaas
Nuclear missile contractor hacked in Maze ransomware attack
2020-05-21BrightTALK (FireEye)Jeremy Kennelly, Kimberly Goody
Navigating MAZE: Analysis of a Rising Ransomware Threat
2020-05-12SophosLabs UncutSophos
Maze ransomware: extorting victims for 1 year and counting
2020-05-07FireEye IncJeremy Kennelly, Joshua Shilko, Kimberly Goody
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
2020-05-07REDTEAM.PLAdam Ziaja
Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-04BluelivBlueliv Team
Escape from the Maze
2020-05-01CrowdStrikeShaun Hurley
The Many Paths Through Maze
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-18Bleeping ComputerLawrence Abrams
IT services giant Cognizant suffers Maze Ransomware cyber attack
Cognizant Security Incident Update
2020-03-26McAfeeAlexandre Mundo
Ransomware Maze
2020-03-26TechCrunchZack Whittaker
Cyber insurer Chubb had data stolen in Maze ransomware attack
2020-03-25BitdefenderBitdefender Team
A Technical Look into Maze Ransomware
2020-03-24Bleeping ComputerLawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-12CyberbitDor Neemani, Hod Gavriel, Omer Fishel
Lost in the Maze
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03Bleeping ComputerLawrence Abrams
Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-02-20McAfeeChristiaan Beek, Darren Fitzpatrick, Eamonn Ryan
CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II
Cobalt Strike LockerGoga Maze MegaCortex
2020-01-30ZATAZDamien Bancal
Cyber attaque à l’encontre des serveurs de Bouygues Construction
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
Project Lurus
2020-01-01BlackberryBlackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-12-24Bleeping ComputerLawrence Abrams
Maze Ransomware Releases Files Stolen from City of Pensacola
2019-12-18Github (albertzsigovits)Albert Zsigovits
Maze ransomware
2019-12-17CiscoDave Liebenberg, JJ Cummings
Incident Response lessons from recent Maze ransomware attacks
2019-12-16KrebsOnSecurityBrian Krebs
Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
2019-12-11Bleeping ComputerLawrence Abrams
Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
2019-11-21Bleeping ComputerLawrence Abrams
Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
2019-11-14ProofpointBryan Campbell, Proofpoint Threat Insight Team
TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101
2019-11-08Twitter (@certbund)CERT-Bund
Tweet on Spam Mails containing MAZE
2019-10-18Bleeping ComputerSergiu Gatlan
Maze Ransomware Now Delivered by Spelevo Exploit Kit
2019-05-13Amigo A
ChaCha Ransomware
Twisted Spider
Maze TA2101
Yara Rules
[TLP:WHITE] win_maze_auto (20230808 | Detects win.maze.)
rule win_maze_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.maze."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { 53 57 56 83ec10 8b4510 8b4d0c }
            // n = 6, score = 2400
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_1 = { 8945f0 c745f000000000 8b45f0 83c410 5e 5f }
            // n = 6, score = 2400
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c410               | add                 esp, 0x10
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_2 = { 60 8b7d08 8b4d10 8b450c f3aa 61 8945f0 }
            // n = 7, score = 2400
            //   60                   | pushal              
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   61                   | popal               
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_3 = { 83ec10 8b4510 8b4d0c 8b5508 837d0800 8945ec }
            // n = 6, score = 2400
            //   83ec10               | sub                 esp, 0x10
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_4 = { 8945ec 894de8 8955e4 7509 c745f000000000 eb17 60 }
            // n = 7, score = 2400
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894de8               | mov                 dword ptr [ebp - 0x18], ecx
            //   8955e4               | mov                 dword ptr [ebp - 0x1c], edx
            //   7509                 | jne                 0xb
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   eb17                 | jmp                 0x19
            //   60                   | pushal              

        $sequence_5 = { 89c8 0500000001 83d200 89d7 }
            // n = 4, score = 2300
            //   89c8                 | mov                 eax, ecx
            //   0500000001           | add                 eax, 0x1000000
            //   83d200               | adc                 edx, 0
            //   89d7                 | mov                 edi, edx

        $sequence_6 = { 89c7 e8???????? 83c40c 57 55 8dbc24f4000000 }
            // n = 6, score = 2300
            //   89c7                 | mov                 edi, eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   57                   | push                edi
            //   55                   | push                ebp
            //   8dbc24f4000000       | lea                 edi, [esp + 0xf4]

        $sequence_7 = { 89c8 01d6 ba53c6f0ff f7e2 }
            // n = 4, score = 2300
            //   89c8                 | mov                 eax, ecx
            //   01d6                 | add                 esi, edx
            //   ba53c6f0ff           | mov                 edx, 0xfff0c653
            //   f7e2                 | mul                 edx

        $sequence_8 = { 41 41 41 41 41 41 41 }
            // n = 7, score = 1600
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx

        $sequence_9 = { 83ec20 56 be???????? 56 6a00 6801001200 }
            // n = 6, score = 1400
            //   83ec20               | sub                 esp, 0x20
            //   56                   | push                esi
            //   be????????           |                     
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6801001200           | push                0x120001

        $sequence_10 = { 8d45ec 56 8945f8 6a00 8d45f4 50 c745f40c000000 }
            // n = 7, score = 1400
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   56                   | push                esi
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   6a00                 | push                0
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   c745f40c000000       | mov                 dword ptr [ebp - 0xc], 0xc

        $sequence_11 = { b904000000 6bd109 8b4d08 8b941100100000 c1ea0a }
            // n = 5, score = 100
            //   b904000000           | mov                 ecx, 4
            //   6bd109               | imul                edx, ecx, 9
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b941100100000       | mov                 edx, dword ptr [ecx + edx + 0x1000]
            //   c1ea0a               | shr                 edx, 0xa

        $sequence_12 = { b948040000 b8cccccccc f3ab a1???????? 33c5 8945ec 50 }
            // n = 7, score = 100
            //   b948040000           | mov                 ecx, 0x448
            //   b8cccccccc           | mov                 eax, 0xcccccccc
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   50                   | push                eax

        $sequence_13 = { 898d6cfeffff 8b4dfc 8b5508 8b848a10080000 }
            // n = 4, score = 100
            //   898d6cfeffff         | mov                 dword ptr [ebp - 0x194], ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b848a10080000       | mov                 eax, dword ptr [edx + ecx*4 + 0x810]

        $sequence_14 = { 8b8c1040100000 c1e10a ba04000000 c1e200 8b4508 8b941040100000 c1ea16 }
            // n = 7, score = 100
            //   8b8c1040100000       | mov                 ecx, dword ptr [eax + edx + 0x1040]
            //   c1e10a               | shl                 ecx, 0xa
            //   ba04000000           | mov                 edx, 4
            //   c1e200               | shl                 edx, 0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b941040100000       | mov                 edx, dword ptr [eax + edx + 0x1040]
            //   c1ea16               | shr                 edx, 0x16

        $sequence_15 = { 899594fdffff 8b8d9cfdffff 338d98fdffff 038d94fdffff 8b55fc }
            // n = 5, score = 100
            //   899594fdffff         | mov                 dword ptr [ebp - 0x26c], edx
            //   8b8d9cfdffff         | mov                 ecx, dword ptr [ebp - 0x264]
            //   338d98fdffff         | xor                 ecx, dword ptr [ebp - 0x268]
            //   038d94fdffff         | add                 ecx, dword ptr [ebp - 0x26c]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_16 = { 8b54813c c1e209 8b45fc 8b4d08 8b44813c }
            // n = 5, score = 100
            //   8b54813c             | mov                 edx, dword ptr [ecx + eax*4 + 0x3c]
            //   c1e209               | shl                 edx, 9
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b44813c             | mov                 eax, dword ptr [ecx + eax*4 + 0x3c]

        $sequence_17 = { 8985e4feffff 8b45fc 8b4d08 8b548134 }
            // n = 4, score = 100
            //   8985e4feffff         | mov                 dword ptr [ebp - 0x11c], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b548134             | mov                 edx, dword ptr [ecx + eax*4 + 0x34]

        $sequence_18 = { 8b4dfc 8b5508 8b848a1c080000 c1e017 8b4dfc 8b5508 8b8c8a1c080000 }
            // n = 7, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b848a1c080000       | mov                 eax, dword ptr [edx + ecx*4 + 0x81c]
            //   c1e017               | shl                 eax, 0x17
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b8c8a1c080000       | mov                 ecx, dword ptr [edx + ecx*4 + 0x81c]

        7 of them and filesize < 2318336
Download all Yara Rules