win.maze

Maze

aka: ChaCha

Actor(s): FIN6, TA2101


Maze ransomware encrypts files, rendering them inaccessible, and appends a custom extension that contains part of the victim ID. The ransom note is dropped both as a text file and as an .htm file. The appended extension is not fixed: a few different, randomly generated extensions have been observed.

The operators are known to exfiltrate data from the victim network and use it for additional extortion, e.g. by leaking it when the ransom is not paid. Maze is distributed mainly via spam e-mail and exploit kits (Spelevo, Fallout).

The Maze code is heavily obfuscated, which hampers static analysis and helps it evade signature-based detection.

References
2020-06-18 | Quick Heal | Preksha Saxena
@online{saxena:20200618:maze:76ca64b, author = {Preksha Saxena}, title = {{Maze ransomware continues to be a threat to the consumers}}, date = {2020-06-18}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/}, language = {English}, urldate = {2020-07-02} } Maze ransomware continues to be a threat to the consumers
Maze
2020-06-17 | Cognizant | Cognizant
@techreport{cognizant:20200617:notice:37fe994, author = {Cognizant}, title = {{Notice of Data Breach}}, date = {2020-06-17}, institution = {Cognizant}, url = {https://oag.ca.gov/system/files/Letter%204.pdf}, language = {English}, urldate = {2020-06-18} } Notice of Data Breach
Maze
2020-06-16 | BleepingComputer | Sergiu Gatlan
@online{gatlan:20200616:chipmaker:0e801b8, author = {Sergiu Gatlan}, title = {{Chipmaker MaxLinear reports data breach after Maze Ransomware attack}}, date = {2020-06-16}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-17} } Chipmaker MaxLinear reports data breach after Maze Ransomware attack
Maze
2020-06-04 | Sophos Naked Security | Lisa Vaas
@online{vaas:20200604:nuclear:9d471e1, author = {Lisa Vaas}, title = {{Nuclear missile contractor hacked in Maze ransomware attack}}, date = {2020-06-04}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/}, language = {English}, urldate = {2020-06-04} } Nuclear missile contractor hacked in Maze ransomware attack
Maze
2020-05-21 | BrightTALK (FireEye) | Kimberly Goody, Jeremy Kennelly
@online{goody:20200521:navigating:a2eae5f, author = {Kimberly Goody and Jeremy Kennelly}, title = {{Navigating MAZE: Analysis of a Rising Ransomware Threat}}, date = {2020-05-21}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat}, language = {English}, urldate = {2020-06-05} } Navigating MAZE: Analysis of a Rising Ransomware Threat
Maze
2020-05-07 | FireEye Inc | Kimberly Goody, Jeremy Kennelly, Joshua Shilko
@online{goody:20200507:navigating:7147cb7, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko}, title = {{Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents}}, date = {2020-05-07}, organization = {FireEye Inc}, url = {https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html}, language = {English}, urldate = {2020-05-11} } Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Maze
2020-05-07 | REDTEAM.PL | Adam Ziaja
@online{ziaja:20200507:sodinokibi:f5c5cd1, author = {Adam Ziaja}, title = {{Sodinokibi / REvil ransomware}}, date = {2020-05-07}, organization = {REDTEAM.PL}, url = {https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html}, language = {English}, urldate = {2020-05-13} } Sodinokibi / REvil ransomware
Maze MimiKatz REvil
2020-05-04 | Blueliv | Blueliv Team
@online{team:20200504:escape:63ebdfa, author = {{Blueliv Team}}, title = {{Escape from the Maze}}, date = {2020-05-04}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/}, language = {English}, urldate = {2020-05-11} } Escape from the Maze
Maze
2020-05-01 | CrowdStrike | Shaun Hurley
@online{hurley:20200501:many:22ed72c, author = {Shaun Hurley}, title = {{The Many Paths Through Maze}}, date = {2020-05-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/}, language = {English}, urldate = {2020-05-05} } The Many Paths Through Maze
Maze
2020-04-28 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {{Microsoft Threat Protection Intelligence Team}}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-18 | Cognizant | Cognizant
@online{cognizant:20200418:cognizant:0e20ac0, author = {Cognizant}, title = {{Cognizant Security Incident Update}}, date = {2020-04-18}, organization = {Cognizant}, url = {https://web.archive.org/web/20200420/https://news.cognizant.com/2020-04-18-cognizant-security-update}, language = {English}, urldate = {2020-04-20} } Cognizant Security Incident Update
Maze
2020-04-18 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200418:it:bb2d626, author = {Lawrence Abrams}, title = {{IT services giant Cognizant suffers Maze Ransomware cyber attack}}, date = {2020-04-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/}, language = {English}, urldate = {2020-04-20} } IT services giant Cognizant suffers Maze Ransomware cyber attack
Maze
2020-03-26 | TechCrunch | Zack Whittaker
@online{whittaker:20200326:cyber:4b23d0a, author = {Zack Whittaker}, title = {{Cyber insurer Chubb had data stolen in Maze ransomware attack}}, date = {2020-03-26}, organization = {TechCrunch}, url = {https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/}, language = {English}, urldate = {2020-03-27} } Cyber insurer Chubb had data stolen in Maze ransomware attack
Maze
2020-03-26 | McAfee | Alexandre Mundo
@online{mundo:20200326:ransomware:05f2b18, author = {Alexandre Mundo}, title = {{Ransomware Maze}}, date = {2020-03-26}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/}, language = {English}, urldate = {2020-03-26} } Ransomware Maze
Maze
2020-03-25 | Bitdefender | Bitdefender Team
@techreport{team:20200325:technical:b3e1af1, author = {{Bitdefender Team}}, title = {{A Technical Look into Maze Ransomware}}, date = {2020-03-25}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf}, language = {English}, urldate = {2020-04-20} } A Technical Look into Maze Ransomware
Maze
2020-03-24 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-12 | Cyberbit | Dor Neemani, Omer Fishel, Hod Gavriel
@techreport{neemani:20200312:lost:80ccbd2, author = {Dor Neemani and Omer Fishel and Hod Gavriel}, title = {{Lost in the Maze}}, date = {2020-03-12}, institution = {Cyberbit}, url = {https://www.docdroid.net/dUpPY5s/maze.pdf}, language = {English}, urldate = {2020-03-22} } Lost in the Maze
Maze
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200303:ransomware:8be6fa7, author = {Lawrence Abrams}, title = {{Ransomware Attackers Use Your Cloud Backups Against You}}, date = {2020-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/}, language = {English}, urldate = {2020-03-04} } Ransomware Attackers Use Your Cloud Backups Against You
DoppelPaymer Maze
2020-01-30 | ZATAZ | Damien Bancal
@online{bancal:20200130:cyber:0a267d4, author = {Damien Bancal}, title = {{Cyber attaque à l’encontre des serveurs de Bouygues Construction}}, date = {2020-01-30}, organization = {ZATAZ}, url = {https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/}, language = {French}, urldate = {2020-02-03} } Cyber attaque à l’encontre des serveurs de Bouygues Construction
Maze
2020-01-29 | ANSSI | ANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {French}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-22 | Deloitte | Deloitte
@online{deloitte:20200122:project:0a44796, author = {Deloitte}, title = {{Project Lurus}}, date = {2020-01-22}, organization = {Deloitte}, url = {https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF}, language = {English}, urldate = {2020-02-13} } Project Lurus
Maze
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:95fe871, author = {SecureWorks}, title = {{GOLD VILLAGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-village}, language = {English}, urldate = {2020-05-23} } GOLD VILLAGE
Maze
2019-12-24 | Bleeping Computer | Lawrence Abrams
@online{abrams:20191224:maze:33a4e28, author = {Lawrence Abrams}, title = {{Maze Ransomware Releases Files Stolen from City of Pensacola}}, date = {2019-12-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/}, language = {English}, urldate = {2020-02-13} } Maze Ransomware Releases Files Stolen from City of Pensacola
Maze
2019-12-18 | Github (albertzsigovits) | Albert Zsigovits
@online{zsigovits:20191218:maze:22cb5d6, author = {Albert Zsigovits}, title = {{Maze ransomware}}, date = {2019-12-18}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md}, language = {English}, urldate = {2020-04-20} } Maze ransomware
Maze
2019-12-17 | Cisco | JJ Cummings, Dave Liebenberg
@online{cummings:20191217:incident:44acf5c, author = {JJ Cummings and Dave Liebenberg}, title = {{Incident Response lessons from recent Maze ransomware attacks}}, date = {2019-12-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html}, language = {English}, urldate = {2020-01-09} } Incident Response lessons from recent Maze ransomware attacks
Maze
2019-12-16 | KrebsOnSecurity | Brian Krebs
@online{krebs:20191216:ransomware:f4d7d8c, author = {Brian Krebs}, title = {{Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up}}, date = {2019-12-16}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/}, language = {English}, urldate = {2020-01-08} } Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up
Maze
2019-12-11 | Bleeping Computer | Lawrence Abrams
@online{abrams:20191211:maze:acb23da, author = {Lawrence Abrams}, title = {{Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand}}, date = {2019-12-11}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/}, language = {English}, urldate = {2020-01-09} } Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
Maze
2019-11-21 | Bleeping Computer | Lawrence Abrams
@online{abrams:20191121:allied:a3d69d7, author = {Lawrence Abrams}, title = {{Allied Universal Breached by Maze Ransomware, Stolen Data Leaked}}, date = {2019-11-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/}, language = {English}, urldate = {2020-01-08} } Allied Universal Breached by Maze Ransomware, Stolen Data Leaked
Maze
2019-11-14 | Proofpoint | Bryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20191114:ta2101:e79f6fb, author = {Bryan Campbell and {Proofpoint Threat Insight Team}}, title = {{TA2101 plays government imposter to distribute malware to German, Italian, and US organizations}}, date = {2019-11-14}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us}, language = {English}, urldate = {2019-11-27} } TA2101 plays government imposter to distribute malware to German, Italian, and US organizations
Maze TA2101
2019-11-08 | Twitter (@certbund) | CERT-Bund
@online{certbund:20191108:spam:0630ad5, author = {CERT-Bund}, title = {{Tweet on Spam Mails containing MAZE}}, date = {2019-11-08}, organization = {Twitter (@certbund)}, url = {https://twitter.com/certbund/status/1192756294307995655}, language = {English}, urldate = {2020-01-08} } Tweet on Spam Mails containing MAZE
Maze
2019-10-18 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20191018:maze:fb2c4b6, author = {Sergiu Gatlan}, title = {{Maze Ransomware Now Delivered by Spelevo Exploit Kit}}, date = {2019-10-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/}, language = {English}, urldate = {2019-12-17} } Maze Ransomware Now Delivered by Spelevo Exploit Kit
Maze
2019-05-13 | Amigo A
@online{a:20190513:chacha:840508a, author = {{Amigo A}}, title = {{ChaCha Ransomware}}, date = {2019-05-13}, url = {https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html}, language = {Russian}, urldate = {2019-12-02} } ChaCha Ransomware
Maze
Yara Rules
[TLP:WHITE] win_maze_auto (20200529 | autogenerated rule brought to you by yara-signator)
/*
 * Malpedia auto-generated detection rule for win.maze (Maze ransomware).
 *
 * Layout: `meta` carries provenance, `strings` holds 24 byte sequences lifted
 * from disassembly (grouped below by the generator's score), and `condition`
 * requires any 7 of those 24 sequences plus an upper bound on file size.
 * Read the DISCLAIMER in the rule body before assigning a confidence level:
 * the sequences come from a small number of samples and may not generalise.
 */
rule win_maze_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` is one day after malpedia_rule_date and
        // malpedia_version (20200529); the listing does not say which is authoritative.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // Generator configuration. "callsandjumps" and "datarefs" are consistent
        // with the `??` wildcards below covering call targets and absolute data
        // references; "binvalue" is a generator option not explained on this page.
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze"
        malpedia_rule_date = "20200529"
        // Hash of the reference sample (hash algorithm not stated; 40 hex
        // characters is consistent with SHA-1).
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each `$sequence_N` is a run of consecutive x86 instruction encodings.
        // `??` bytes stand in for rel32 call targets and imm32 absolute
        // addresses, so the sequence matches regardless of load address.
        // The `score` in each comment is emitted by yara-signator; its exact
        // meaning is not documented on this page, so treat it only as a
        // relative weight. Three tiers appear here: 2300 (sequences 0-7),
        // 1400 (sequences 8-15) and 100 (sequences 16-23).

        // Bounded byte-store loop: stores at [ebp+edx] / [ebp+edx+3] with
        // limits of 0x10 and 0xff.
        $sequence_0 = { 83f810 7d32 88441500 c644150300 8d7204 81feff000000 }
            // n = 6, score = 2300
            //   83f810               | cmp                 eax, 0x10
            //   7d32                 | jge                 0x34
            //   88441500             | mov                 byte ptr [ebp + edx], al
            //   c644150300           | mov                 byte ptr [ebp + edx + 3], 0
            //   8d7204               | lea                 esi, [edx + 4]
            //   81feff000000         | cmp                 esi, 0xff

        // Byte loads from fixed offsets (0x19, 0x1c) of a structure at eax,
        // combined with OR — looks like assembling a wider value byte by byte
        // (see also $sequence_6, which reads 0x1a/0x1b with a 16-bit shift).
        $sequence_1 = { 09d7 0fb65019 89bc24b0000000 0fb6781c }
            // n = 4, score = 2300
            //   09d7                 | or                  edi, edx
            //   0fb65019             | movzx               edx, byte ptr [eax + 0x19]
            //   89bc24b0000000       | mov                 dword ptr [esp + 0xb0], edi
            //   0fb6781c             | movzx               edi, byte ptr [eax + 0x1c]

        // Call with a single stack argument (ebp), caller cleans 0xc bytes;
        // the callee address is wildcarded.
        $sequence_2 = { 8b6c2410 55 e8???????? 83c40c 8a442402 b900000000 }
            // n = 6, score = 2300
            //   8b6c2410             | mov                 ebp, dword ptr [esp + 0x10]
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8a442402             | mov                 al, byte ptr [esp + 2]
            //   b900000000           | mov                 ecx, 0

        // add/adc pairs over a large stack frame (offsets up to 0x14c):
        // carry-propagating arithmetic, i.e. multi-word integer math.
        $sequence_3 = { 894c2418 138424f8000000 8b4c2424 89442450 038c244c010000 }
            // n = 5, score = 2300
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx
            //   138424f8000000       | adc                 eax, dword ptr [esp + 0xf8]
            //   8b4c2424             | mov                 ecx, dword ptr [esp + 0x24]
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   038c244c010000       | add                 ecx, dword ptr [esp + 0x14c]

        // Three-argument call: two stack-buffer addresses plus ebx.
        $sequence_4 = { 8d842424010000 50 53 8d442464 50 e8???????? }
            // n = 6, score = 2300
            //   8d842424010000       | lea                 eax, [esp + 0x124]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8d442464             | lea                 eax, [esp + 0x64]
            //   50                   | push                eax
            //   e8????????           |                     

        // Doubling (lea eax,[eax+eax]) and signed multiply by ebx, results
        // spilled to the same large stack frame as $sequence_3.
        $sequence_5 = { 8b442428 8994247c010000 8d0400 89442454 f7eb 8984248c010000 89f0 }
            // n = 7, score = 2300
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   8994247c010000       | mov                 dword ptr [esp + 0x17c], edx
            //   8d0400               | lea                 eax, [eax + eax]
            //   89442454             | mov                 dword ptr [esp + 0x54], eax
            //   f7eb                 | imul                ebx
            //   8984248c010000       | mov                 dword ptr [esp + 0x18c], eax
            //   89f0                 | mov                 eax, esi

        // Companion to $sequence_1: bytes at [eax+0x1a] / [eax+0x1b] shifted
        // and OR-ed together.
        $sequence_6 = { 89742458 0fb6701a c1e110 09d1 0fb6501b }
            // n = 5, score = 2300
            //   89742458             | mov                 dword ptr [esp + 0x58], esi
            //   0fb6701a             | movzx               esi, byte ptr [eax + 0x1a]
            //   c1e110               | shl                 ecx, 0x10
            //   09d1                 | or                  ecx, edx
            //   0fb6501b             | movzx               edx, byte ptr [eax + 0x1b]

        // Three-argument call with an indexed stack buffer ([esp+eax+0x214]).
        $sequence_7 = { 8d840414020000 50 8d442410 50 55 e8???????? 8b44240c }
            // n = 7, score = 2300
            //   8d840414020000       | lea                 eax, [esp + eax + 0x214]
            //   50                   | push                eax
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   55                   | push                ebp
            //   e8????????           |                     
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]

        // Sequences 8-15: score 1400. These use an ebp-based frame rather than
        // the esp-relative addressing of sequences 0-7.

        // Length computation (eax - edx) followed by a byte read at the start
        // of a 0x118-byte local buffer.
        $sequence_8 = { 29d0 8945d4 8d85e8feffff 8d4801 8a10 40 }
            // n = 6, score = 1400
            //   29d0                 | sub                 eax, edx
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   8d4801               | lea                 ecx, [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax

        // Call through an imported function pointer (ff15 = call [imm32],
        // target wildcarded) with arguments 0x120001 and 0; the return value
        // is stored to a global (a3 = mov [imm32], eax) and tested.
        $sequence_9 = { 6a00 6801001200 ff15???????? 85c0 a3???????? 7533 }
            // n = 6, score = 1400
            //   6a00                 | push                0
            //   6801001200           | push                0x120001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7533                 | jne                 0x35

        // Argument set-up for a call: a 4-byte out-parameter on the stack
        // (push 4 / push &[esp+8]) and two zero arguments; see $sequence_12.
        $sequence_10 = { 50 8d542408 6a04 52 6a00 6a00 }
            // n = 6, score = 1400
            //   50                   | push                eax
            //   8d542408             | lea                 edx, [esp + 8]
            //   6a04                 | push                4
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0

        // NOTE(review): 0x40000000 is the value of GENERIC_WRITE and the
        // push order (3, ebx, 2, 0x40000000, &path) is consistent with a
        // CreateFile-style call, but the callee is outside this sequence —
        // treat as a hypothesis, not a fact.
        $sequence_11 = { 6a03 53 6a02 6800000040 8d4500 50 }
            // n = 6, score = 1400
            //   6a03                 | push                3
            //   53                   | push                ebx
            //   6a02                 | push                2
            //   6800000040           | push                0x40000000
            //   8d4500               | lea                 eax, [ebp]
            //   50                   | push                eax

        // Conditional branch followed by the same out-parameter set-up as
        // $sequence_10.
        $sequence_12 = { 743e 8d442404 6a00 50 8d542408 6a04 }
            // n = 6, score = 1400
            //   743e                 | je                  0x40
            //   8d442404             | lea                 eax, [esp + 4]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8d542408             | lea                 edx, [esp + 8]
            //   6a04                 | push                4

        // NOTE(review): 0x80000000 is the value of GENERIC_READ; same caveat
        // as $sequence_11. 8b35 loads esi from an absolute address
        // (wildcarded) — likely an import slot or global, unconfirmed.
        $sequence_13 = { 6800000080 8d4500 50 8b35???????? }
            // n = 4, score = 1400
            //   6800000080           | push                0x80000000
            //   8d4500               | lea                 eax, [ebp]
            //   50                   | push                eax
            //   8b35????????         |                     

        // Loads a global into ecx (8b0d = mov ecx, [imm32]), sets eax to
        // 0xffffffff and zeroes an outgoing stack argument.
        $sequence_14 = { 8b0d???????? 83c8ff 85c9 c744240400000000 }
            // n = 4, score = 1400
            //   8b0d????????         |                     
            //   83c8ff               | or                  eax, 0xffffffff
            //   85c9                 | test                ecx, ecx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0

        // Standard frame-pointer prologue (push ebp / mov ebp, esp) followed
        // by a load of the first argument. Generic — contributes little on
        // its own, which is why the condition needs several sequences.
        $sequence_15 = { 55 89e5 50 8b4508 31c9 8945fc }
            // n = 6, score = 1400
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   31c9                 | xor                 ecx, ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        // Sequences 16-23: score 100, the lowest tier here. All read dwords
        // at fixed offsets (0x800, 0x808, 0x1000, 0x1040) from a table whose
        // base is the first argument ([ebp+8]) and combine them with shifts,
        // ORs, XORs and adds. This is the shape of a table-driven routine;
        // what it implements is not established by this listing.
        $sequence_16 = { 8b8c0a40100000 c1e918 0bc1 898584feffff ba04000000 6bc206 }
            // n = 6, score = 100
            //   8b8c0a40100000       | mov                 ecx, dword ptr [edx + ecx + 0x1040]
            //   c1e918               | shr                 ecx, 0x18
            //   0bc1                 | or                  eax, ecx
            //   898584feffff         | mov                 dword ptr [ebp - 0x17c], eax
            //   ba04000000           | mov                 edx, 4
            //   6bc206               | imul                eax, edx, 6

        $sequence_17 = { c1e108 ba04000000 c1e203 8b4508 8b941040100000 c1ea18 0bca }
            // n = 7, score = 100
            //   c1e108               | shl                 ecx, 8
            //   ba04000000           | mov                 edx, 4
            //   c1e203               | shl                 edx, 3
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b941040100000       | mov                 edx, dword ptr [eax + edx + 0x1040]
            //   c1ea18               | shr                 edx, 0x18
            //   0bca                 | or                  ecx, edx

        $sequence_18 = { 6bd10f 8b4508 8b8c1000100000 c1e118 ba04000000 }
            // n = 5, score = 100
            //   6bd10f               | imul                edx, ecx, 0xf
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b8c1000100000       | mov                 ecx, dword ptr [eax + edx + 0x1000]
            //   c1e118               | shl                 ecx, 0x18
            //   ba04000000           | mov                 edx, 4

        $sequence_19 = { 8b4508 8b8c0840100000 c1e916 0bd1 8995e8fdffff }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b8c0840100000       | mov                 ecx, dword ptr [eax + ecx + 0x1040]
            //   c1e916               | shr                 ecx, 0x16
            //   0bd1                 | or                  edx, ecx
            //   8995e8fdffff         | mov                 dword ptr [ebp - 0x218], edx

        // Byte-indexed lookup: individual bytes of a value are used as
        // indices (ecx*4) into the table at offset 0x800.
        $sequence_20 = { c1e810 8845e6 0fb64de7 0fb655e6 8b4508 8b8c8800080000 }
            // n = 6, score = 100
            //   c1e810               | shr                 eax, 0x10
            //   8845e6               | mov                 byte ptr [ebp - 0x1a], al
            //   0fb64de7             | movzx               ecx, byte ptr [ebp - 0x19]
            //   0fb655e6             | movzx               edx, byte ptr [ebp - 0x1a]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b8c8800080000       | mov                 ecx, dword ptr [eax + ecx*4 + 0x800]

        // Table value mixed with several frame-local words via add and xor.
        $sequence_21 = { 8b5508 8b848a08080000 038584feffff 8b8d8cfeffff 338d88feffff 03c1 338580feffff }
            // n = 7, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b848a08080000       | mov                 eax, dword ptr [edx + ecx*4 + 0x808]
            //   038584feffff         | add                 eax, dword ptr [ebp - 0x17c]
            //   8b8d8cfeffff         | mov                 ecx, dword ptr [ebp - 0x174]
            //   338d88feffff         | xor                 ecx, dword ptr [ebp - 0x178]
            //   03c1                 | add                 eax, ecx
            //   338580feffff         | xor                 eax, dword ptr [ebp - 0x180]

        // Complementary shifts (shl 9 / shr 0x17 = 32 - 9): the two halves
        // of a 32-bit rotate by 9 split across a table load.
        $sequence_22 = { c1e009 8b4dfc 8b5508 8b4c8a10 c1e917 }
            // n = 5, score = 100
            //   c1e009               | shl                 eax, 9
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4c8a10             | mov                 ecx, dword ptr [edx + ecx*4 + 0x10]
            //   c1e917               | shr                 ecx, 0x17

        $sequence_23 = { c1e118 ba04000000 6bc207 8b5508 8b840200100000 c1e808 0bc8 }
            // n = 7, score = 100
            //   c1e118               | shl                 ecx, 0x18
            //   ba04000000           | mov                 edx, 4
            //   6bc207               | imul                eax, edx, 7
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b840200100000       | mov                 eax, dword ptr [edx + eax + 0x1000]
            //   c1e808               | shr                 eax, 8
            //   0bc8                 | or                  ecx, eax

    condition:
        // Any 7 of the 24 sequences suffice; no particular tier is required,
        // so a hit can be built entirely from low-score sequences.
        // The size bound is about 2.2 MiB.
        // NOTE(review): `filesize` is only defined when scanning files; when
        // scanning process memory this clause can prevent the rule from
        // matching — confirm against the YARA version in use before relying
        // on it for memory scans.
        7 of them and filesize < 2318336
}