SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mespinoza (Back to overview)

Mespinoza

aka: pysa

Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension "pysa" is probably derived from the Zanzibari Coin with the same name.

References
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@techreport{nazarov:20220623:hateful:bae0681, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs}}, date = {2022-06-23}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-23KasperskyNikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
@online{nazarov:20220623:hateful:9c6bf9a, author = {Nikita Nazarov and Vasily Davydov and Natalya Shornikova and Vladislav Burtsev and Danila Nasonov}, title = {{The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)}}, date = {2022-06-23}, organization = {Kaspersky}, url = {https://securelist.com/modern-ransomware-groups-ttps/106824/}, language = {English}, urldate = {2022-06-27} } The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-04-18SentinelOneJames Haughom
@online{haughom:20220418:from:b73f12b, author = {James Haughom}, title = {{From the Front Lines | Peering into A PYSA Ransomware Attack}}, date = {2022-04-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/}, language = {English}, urldate = {2022-04-20} } From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza
2022-04-14PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20220414:pysa:8b23b04, author = {PRODAFT}, title = {{PYSA (Mespinoza) In-Depth Analysis}}, date = {2022-04-14}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf}, language = {English}, urldate = {2022-04-15} } PYSA (Mespinoza) In-Depth Analysis
Mespinoza
2022-04-13PRODAFT Threat IntelligencePRODAFT
@online{prodaft:20220413:pysa:c002315, author = {PRODAFT}, title = {{[PYSA] Ransomware Group In-Depth Analysis}}, date = {2022-04-13}, organization = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis}, language = {English}, urldate = {2022-04-15} } [PYSA] Ransomware Group In-Depth Analysis
Mespinoza
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-06Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20220106:mespinozagoldburlapcyborg:b783bdb, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Mespinoza/GoldBurlap/CYBORG SPIDER}}, date = {2022-01-06}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf}, language = {English}, urldate = {2022-05-13} } Mespinoza/GoldBurlap/CYBORG SPIDER
Mespinoza
2021-11-29cybleCyble
@online{cyble:20211129:pysa:4da06b5, author = {Cyble}, title = {{Pysa Ransomware Under the Lens: A Deep-Dive Analysis}}, date = {2021-11-29}, organization = {cyble}, url = {https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-12-07} } Pysa Ransomware Under the Lens: A Deep-Dive Analysis
Mespinoza
2021-11-05Twitter (@inversecos)inversecos
@online{inversecos:20211105:ttps:2b9481e, author = {inversecos}, title = {{TTPs used by Pysa Ransonmware group}}, date = {2021-11-05}, organization = {Twitter (@inversecos)}, url = {https://twitter.com/inversecos/status/1456486725664993287}, language = {English}, urldate = {2021-11-08} } TTPs used by Pysa Ransonmware group
Mespinoza MimiKatz
2021-09-27CybereasonAleksandar Milenkoski
@online{milenkoski:20210927:threat:843919b, author = {Aleksandar Milenkoski}, title = {{Threat Analysis Report: Inside the Destructive PYSA Ransomware}}, date = {2021-09-27}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware}, language = {English}, urldate = {2021-09-28} } Threat Analysis Report: Inside the Destructive PYSA Ransomware
Mespinoza
2021-09-09Lacework LabsLacework Labs
@online{labs:20210909:pysa:3115858, author = {Lacework Labs}, title = {{PYSA Ransomware Gang adds Linux Support}}, date = {2021-09-09}, organization = {Lacework Labs}, url = {https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/}, language = {English}, urldate = {2021-09-10} } PYSA Ransomware Gang adds Linux Support
Mespinoza
2021-08-24Bleeping ComputerLawrence Abrams
@online{abrams:20210824:ransomware:7095151, author = {Lawrence Abrams}, title = {{Ransomware gang's script shows exactly the files they're after}}, date = {2021-08-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/}, language = {English}, urldate = {2022-01-28} } Ransomware gang's script shows exactly the files they're after
Mespinoza
2021-07-15Palo Alto Networks Unit 42Robert Falcone, Alex Hinchliffe, Quinn Cooke
@online{falcone:20210715:mespinoza:cabb0ab, author = {Robert Falcone and Alex Hinchliffe and Quinn Cooke}, title = {{Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools}}, date = {2021-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/}, language = {English}, urldate = {2021-07-20} } Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools
Gasket Mespinoza
2021-06-23BlackberryBlackBerry Research and Intelligence team
@online{team:20210623:pysa:ab64a25, author = {BlackBerry Research and Intelligence team}, title = {{PYSA Loves ChaChi: a New GoLang RAT}}, date = {2021-06-23}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat}, language = {English}, urldate = {2021-06-24} } PYSA Loves ChaChi: a New GoLang RAT
ChaChi Mespinoza
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-03-16FBIFBI
@techreport{fbi:20210316:alert:69b1a21, author = {FBI}, title = {{Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions}}, date = {2021-03-16}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210316.pdf}, language = {English}, urldate = {2021-03-22} } Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions
Mespinoza
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-07Twitter (@campuscodi)Catalin Cimpanu
@online{cimpanu:20210107:londons:3d62f93, author = {Catalin Cimpanu}, title = {{Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware}}, date = {2021-01-07}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1347223969984897026}, language = {English}, urldate = {2021-01-11} } Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware
Mespinoza
2021SecureworksSecureWorks
@online{secureworks:2021:threat:d17547d, author = {SecureWorks}, title = {{Threat Profile: GOLD BURLAP}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-burlap}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP
2020-11-23The DFIR ReportThe DFIR Report
@online{report:20201123:pysamespinoza:f0f2544, author = {The DFIR Report}, title = {{PYSA/Mespinoza Ransomware}}, date = {2020-11-23}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/}, language = {English}, urldate = {2021-01-21} } PYSA/Mespinoza Ransomware
Empire Downloader Mespinoza
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-03-19ZDNetCatalin Cimpanu
@online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } France warns of new ransomware gang targeting local governments
Mespinoza
2020-03-18CERT-FRCERT-FR
@online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa
Mespinoza
2019-12-14Dissecting MalwareMarius Genheimer
@online{genheimer:20191214:another:7c9c60a, author = {Marius Genheimer}, title = {{Another one for the collection - Mespinoza (Pysa) Ransomware}}, date = {2019-12-14}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html}, language = {English}, urldate = {2020-01-26} } Another one for the collection - Mespinoza (Pysa) Ransomware
Mespinoza
2019-10-11ID RansomwareAndrew Ivanov
@online{ivanov:20191011:mespinoza:e9cd17e, author = {Andrew Ivanov}, title = {{Mespinoza Ransomware}}, date = {2019-10-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html}, language = {English}, urldate = {2020-03-26} } Mespinoza Ransomware
Mespinoza
Yara Rules
[TLP:WHITE] win_mespinoza_auto (20220516 | Detects win.mespinoza.)
rule win_mespinoza_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.mespinoza."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8a4510 884308 8b450c c6430900 83630c00 c703???????? 8a00 }
            // n = 7, score = 200
            //   8a4510               | mov                 al, byte ptr [ebp + 0x10]
            //   884308               | mov                 byte ptr [ebx + 8], al
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c6430900             | mov                 byte ptr [ebx + 9], 0
            //   83630c00             | and                 dword ptr [ebx + 0xc], 0
            //   c703????????         |                     
            //   8a00                 | mov                 al, byte ptr [eax]

        $sequence_1 = { 8b542450 ff742410 8bcd 52 ff15???????? 8b4c2444 }
            // n = 6, score = 200
            //   8b542450             | mov                 edx, dword ptr [esp + 0x50]
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8bcd                 | mov                 ecx, ebp
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]

        $sequence_2 = { 33442418 8b5c2458 d1c0 89442424 c1cf02 8bcf 89542450 }
            // n = 7, score = 200
            //   33442418             | xor                 eax, dword ptr [esp + 0x18]
            //   8b5c2458             | mov                 ebx, dword ptr [esp + 0x58]
            //   d1c0                 | rol                 eax, 1
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   c1cf02               | ror                 edi, 2
            //   8bcf                 | mov                 ecx, edi
            //   89542450             | mov                 dword ptr [esp + 0x50], edx

        $sequence_3 = { 74c4 8d4f24 e8???????? 8bd8 895dac 85d2 0f85cd000000 }
            // n = 7, score = 200
            //   74c4                 | je                  0xffffffc6
            //   8d4f24               | lea                 ecx, [edi + 0x24]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   895dac               | mov                 dword ptr [ebp - 0x54], ebx
            //   85d2                 | test                edx, edx
            //   0f85cd000000         | jne                 0xd3

        $sequence_4 = { d3e3 8d4db4 53 895dec e8???????? 8b4db4 ff750c }
            // n = 7, score = 200
            //   d3e3                 | shl                 ebx, cl
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   53                   | push                ebx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   e8????????           |                     
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_5 = { 8bcb ff5008 8b4f30 8b7d38 49 50 b801000000 }
            // n = 7, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   ff5008               | call                dword ptr [eax + 8]
            //   8b4f30               | mov                 ecx, dword ptr [edi + 0x30]
            //   8b7d38               | mov                 edi, dword ptr [ebp + 0x38]
            //   49                   | dec                 ecx
            //   50                   | push                eax
            //   b801000000           | mov                 eax, 1

        $sequence_6 = { c74604???????? 5e 8be5 5d c20c00 55 8bec }
            // n = 7, score = 200
            //   c74604????????       |                     
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_7 = { 884709 8911 8b460c 50 8955fc 89560c e8???????? }
            // n = 7, score = 200
            //   884709               | mov                 byte ptr [edi + 9], al
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   50                   | push                eax
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   89560c               | mov                 dword ptr [esi + 0xc], edx
            //   e8????????           |                     

        $sequence_8 = { 8b7508 8bce e8???????? 84c0 7444 8bcf e8???????? }
            // n = 7, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7444                 | je                  0x46
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_9 = { 8b4908 8b01 ff600c 6a40 b8???????? e8???????? 68???????? }
            // n = 7, score = 200
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff600c               | jmp                 dword ptr [eax + 0xc]
            //   6a40                 | push                0x40
            //   b8????????           |                     
            //   e8????????           |                     
            //   68????????           |                     

    condition:
        7 of them and filesize < 1091584
}
Download all Yara Rules