win.photoloader

PhotoLoader

aka: GZIPLOADER

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

References
2023-07-04Leandro Froes
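@online{froes:20230704:reversing:95bf851,
  author       = {Leandro Froes},
  title        = {Reversing a recent {IcedID} Crypter},
  date         = {2023-07-04},
  url          = {https://leandrofroes.github.io/posts/Reversing-a-recent-IcedID-Crypter/},
  urldate      = {2023-08-10},
  language     = {English},
}
Reversing a recent IcedID Crypter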
PhotoLoader
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
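@online{hammond:20230627:trickbotconti:5e1f20d,
  author       = {Charlotte Hammond and Ole Villadsen},
  title        = {The {Trickbot/Conti} Crypters: Where Are They Now?},
  date         = {2023-06-27},
  organization = {SecurityIntelligence},
  url          = {https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/},
  urldate      = {2023-07-31},
  language     = {English},
}
The Trickbot/Conti Crypters: Where Are They Now?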
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-22DeepInstinctShaul Vilkomir-Preisman, Mark Vaitzman, Deep Instinct Threat Lab
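@online{vilkomirpreisman:20230622:pindos:8a86833,
  author       = {Shaul Vilkomir-Preisman and Mark Vaitzman and {Deep Instinct Threat Lab}},
  title        = {{PindOS}: New {JavaScript} Dropper Delivering {Bumblebee} and {IcedID}},
  date         = {2023-06-22},
  organization = {DeepInstinct},
  url          = {https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid},
  urldate      = {2023-08-10},
  language     = {English},
}
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID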
PindOS BumbleBee PhotoLoader
2023-05-30Palo Alto Networks Unit 42Brad Duncan
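@online{duncan:20230530:cold:c92393b,
  author       = {Brad Duncan},
  title        = {Cold as Ice: Answers to {Unit 42} {Wireshark} Quiz for {IcedID}},
  date         = {2023-05-30},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/},
  urldate      = {2023-08-10},
  language     = {English},
}
Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID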
IcedID PhotoLoader
2023-05-22The DFIR ReportThe DFIR Report
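@online{report:20230522:icedid:ecec658,
  author       = {{The DFIR Report}},
  title        = {{IcedID} Macro Ends in {Nokoyawa} Ransomware},
  date         = {2023-05-22},
  organization = {The DFIR Report},
  url          = {https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/},
  urldate      = {2023-08-10},
  language     = {English},
}
IcedID Macro Ends in Nokoyawa Ransomware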
IcedID Nokoyawa Ransomware PhotoLoader
2023-05-04ElasticCyril François
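@online{franois:20230504:unpacking:7f892ff,
  author       = {Cyril François},
  title        = {Unpacking {ICEDID}},
  date         = {2023-05-04},
  organization = {Elastic},
  url          = {https://www.elastic.co/security-labs/unpacking-icedid},
  urldate      = {2023-05-05},
  language     = {English},
}
Unpacking ICEDID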
IcedID PhotoLoader
2023-05-03unpac.meSean Wilson
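@online{wilson:20230503:unpacme:ed52c88,
  author       = {Sean Wilson},
  title        = {{UnpacMe} Weekly: New Version of {IcedId} Loader},
  date         = {2023-05-03},
  organization = {unpac.me},
  url          = {https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader},
  urldate      = {2023-05-04},
  language     = {English},
}
UnpacMe Weekly: New Version of IcedId Loader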
IcedID PhotoLoader
2023-05-03Youtube (Guided Hacking)Guided Hacking
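@online{hacking:20230503:polyglot:dade492,
  author       = {{Guided Hacking}},
  title        = {{PolyGlot} Malware Analysis - {IcedID} Stager},
  date         = {2023-05-03},
  organization = {Youtube (Guided Hacking)},
  url          = {https://www.youtube.com/watch?v=4j8t9kFLFIY},
  urldate      = {2023-05-05},
  language     = {English},
}
PolyGlot Malware Analysis - IcedID Stager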
PhotoLoader
2023-05-03Palo Alto Networks Unit 42Mark Lim, Daniel Raygoza, Bob Jung
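@online{lim:20230503:teasing:eef7ae4,
  author       = {Mark Lim and Daniel Raygoza and Bob Jung},
  title        = {Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale},
  date         = {2023-05-03},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing},
  urldate      = {2023-05-04},
  language     = {English},
}
Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale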
IcedID PhotoLoader
2023-04-28DISCARDED PodcastJoe Wise, Pim Trouerbach
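@online{wise:20230428:beyond:b45d805,
  author       = {Joe Wise and Pim Trouerbach},
  title        = {Beyond Banking: {IcedID} Gets Forked},
  date         = {2023-04-28},
  organization = {DISCARDED Podcast},
  url          = {https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1},
  urldate      = {2023-05-04},
  language     = {English},
}
Beyond Banking: IcedID Gets Forked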
IcedID PhotoLoader
2023-04-21SophosColin Cowie, Paul Jaramillo
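@techreport{cowie:20230421:icedid:506b299,
  author       = {Colin Cowie and Paul Jaramillo},
  title        = {{IcedID}: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure},
  date         = {2023-04-21},
  institution  = {Sophos},
  url          = {https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf},
  urldate      = {2023-08-10},
  language     = {English},
}
IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure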
IcedID PhotoLoader
2023-04-12InfoSec Handlers Diary BlogBrad Duncan
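@online{duncan:20230412:recent:66863ee,
  author       = {Brad Duncan},
  title        = {Recent {IcedID} ({Bokbot}) activity},
  date         = {2023-04-12},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/diary/29740},
  urldate      = {2023-04-18},
  language     = {English},
}
Recent IcedID (Bokbot) activity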
IcedID PhotoLoader
2023-04-06OALabsSergei Frankoff
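@online{frankoff:20230406:photoloader:76a4798,
  author       = {Sergei Frankoff},
  title        = {{PhotoLoader} {ICEDID}},
  date         = {2023-04-06},
  organization = {OALabs},
  url          = {https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html},
  urldate      = {2023-05-02},
  language     = {English},
}
PhotoLoader ICEDID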
PhotoLoader
2023-03-27ProofpointPim Trouerbach, Kelsey Merriman, Joe Wise
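@online{trouerbach:20230327:fork:62e7699,
  author       = {Pim Trouerbach and Kelsey Merriman and Joe Wise},
  title        = {Fork in the Ice: The New Era of {IcedID}},
  date         = {2023-03-27},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid},
  urldate      = {2023-08-11},
  language     = {English},
}
Fork in the Ice: The New Era of IcedID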
IcedID PHOTOFORK PHOTOLITE PhotoLoader
2023-03-17ElasticCyril François, Daniel Stepanic
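@online{franois:20230317:thawing:b8065d4,
  author       = {Cyril François and Daniel Stepanic},
  title        = {Thawing the permafrost of {ICEDID} Summary},
  date         = {2023-03-17},
  organization = {Elastic},
  url          = {https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary},
  urldate      = {2023-03-20},
  language     = {English},
}
Thawing the permafrost of ICEDID Summary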
IcedID PhotoLoader
2023-02-24Team CymruTeam Cymru
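@online{cymru:20230224:desde:d9ec280,
  author       = {{Team Cymru}},
  title        = {Desde {Chile} con Malware (From {Chile} with Malware)},
  date         = {2023-02-24},
  organization = {Team Cymru},
  url          = {https://www.team-cymru.com/post/from-chile-with-malware},
  urldate      = {2023-03-13},
  language     = {English},
}
Desde Chile con Malware (From Chile with Malware)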
IcedID PhotoLoader
2023-01-19CiscoGuilherme Venere
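@online{venere:20230119:following:c60f349,
  author       = {Guilherme Venere},
  title        = {Following the {LNK} metadata trail},
  date         = {2023-01-19},
  organization = {Cisco},
  url          = {https://blog.talosintelligence.com/following-the-lnk-metadata-trail},
  urldate      = {2023-04-06},
  language     = {English},
}
Following the LNK metadata trail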
BumbleBee PhotoLoader QakBot
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
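@online{intelligence:20221027:raspberry:b6d1ce4,
  author       = {{Microsoft Security Threat Intelligence}},
  title        = {{Raspberry Robin} worm part of larger ecosystem facilitating pre-ransomware activity},
  date         = {2022-10-27},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/},
  urldate      = {2023-03-13},
  language     = {English},
}
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity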
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-10-07Team CymruS2 Research Team
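@online{team:20221007:visualizza:0ed3fe8,
  author       = {{S2 Research Team}},
  title        = {A Visualizza into Recent {IcedID} Campaigns: Reconstructing Threat Actor Metrics with {Pure Signal™} Recon},
  date         = {2022-10-07},
  organization = {Team Cymru},
  url          = {https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns},
  urldate      = {2022-10-10},
  language     = {English},
}
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon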
IcedID PhotoLoader
2022-09-27Palo Alto Networks Unit 42Mark Lim
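@online{lim:20220927:more:5992cc3,
  author       = {Mark Lim},
  title        = {More Than Meets the Eye: Exposing a Polyglot File That Delivers {IcedID}},
  date         = {2022-09-27},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/},
  urldate      = {2022-09-30},
  language     = {English},
}
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID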
PhotoLoader
2022-07-07FortinetErin Lin
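@online{lin:20220707:notable:71d2df3,
  author       = {Erin Lin},
  title        = {Notable Droppers Emerge in Recent Threat Campaigns},
  date         = {2022-07-07},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns},
  urldate      = {2022-07-15},
  language     = {English},
}
Notable Droppers Emerge in Recent Threat Campaigns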
BumbleBee Emotet PhotoLoader QakBot
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
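@online{duncan:20220511:ta578:0a0a686,
  author       = {Brad Duncan},
  title        = {{TA578} using thread-hijacked emails to push {ISO} files for {Bumblebee} malware},
  date         = {2022-05-11},
  organization = {InfoSec Handlers Diary Blog},
  url          = {https://isc.sans.edu/diary/28636},
  urldate      = {2022-05-11},
  language     = {English},
}
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware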
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
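@online{team:20220509:ransomwareasaservice:13ec472,
  author       = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}},
  title        = {Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself},
  date         = {2022-05-09},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
  urldate      = {2022-05-17},
  language     = {English},
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself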
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-04Twitter (@felixw3000)Felix
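@online{felix:20220504:twitter:0fb7e35,
  author       = {Felix},
  title        = {Twitter Thread with info on infection chain with {IcedId}, {Cobalt Strike}, and {Hidden VNC}.},
  date         = {2022-05-04},
  organization = {Twitter (@felixw3000)},
  url          = {https://twitter.com/felixw3000/status/1521816045769662468},
  urldate      = {2022-05-09},
  language     = {English},
}
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.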
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
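@online{kasiviswanathan:20220428:ransomware:95feafb,
  author       = {Karthikeyan C Kasiviswanathan and Vishal Kamble},
  title        = {Ransomware: How Attackers are Breaching Corporate Networks},
  date         = {2022-04-28},
  organization = {Symantec},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker},
  urldate      = {2022-05-04},
  language     = {English},
}
Ransomware: How Attackers are Breaching Corporate Networks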
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
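@online{fokker:20220331:conti:3bc2974,
  author       = {John Fokker and Jambul Tologonov},
  title        = {{Conti} Leaks: Examining the {Panama Papers} of Ransomware},
  date         = {2022-03-31},
  organization = {Trellix},
  url          = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html},
  urldate      = {2022-04-07},
  language     = {English},
}
Conti Leaks: Examining the Panama Papers of Ransomware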
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
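@online{kennedy:20220328:new:cede4da,
  author       = {Joakim Kennedy and Ryan Robinson},
  title        = {New Conversation Hijacking Campaign Delivering {IcedID}},
  date         = {2022-03-28},
  organization = {Intezer},
  url          = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/},
  urldate      = {2022-04-05},
  language     = {English},
}
New Conversation Hijacking Campaign Delivering IcedID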
IcedID PhotoLoader
2022-02-22eSentireeSentire Threat Response Unit (TRU)
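@online{tru:20220222:icedid:67f870d,
  author       = {{eSentire Threat Response Unit (TRU)}},
  title        = {{IcedID} to {Cobalt Strike} In Under 20 Minutes},
  date         = {2022-02-22},
  organization = {eSentire},
  url          = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes},
  urldate      = {2022-05-23},
  language     = {English},
}
IcedID to Cobalt Strike In Under 20 Minutes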
Cobalt Strike IcedID PhotoLoader
2021-04-13Silent PushMartijn Grooten
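@online{grooten:20210413:malicious:094869a,
  author       = {Martijn Grooten},
  title        = {Malicious infrastructure as a service},
  date         = {2021-04-13},
  organization = {Silent Push},
  url          = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service},
  urldate      = {2022-06-09},
  language     = {English},
}
Malicious infrastructure as a service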
IcedID PhotoLoader QakBot
2021-03-31Silent PushMartijn Grooten
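@online{grooten:20210331:icedid:42c6051,
  author       = {Martijn Grooten},
  title        = {{IcedID} Command and Control Infrastructure},
  date         = {2021-03-31},
  organization = {Silent Push},
  url          = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure},
  urldate      = {2022-06-09},
  language     = {English},
}
IcedID Command and Control Infrastructure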
IcedID PhotoLoader
2021AWAKEAwake Security
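@online{security:2021:breaking:3bdfe99,
  author       = {{Awake Security}},
  title        = {Breaking the Ice: Detecting {IcedID} and {Cobalt Strike} Beacon with Network Detection and Response ({NDR})},
  date         = {2021},
  organization = {AWAKE},
  url          = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/},
  urldate      = {2022-06-09},
  language     = {English},
}
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)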
Cobalt Strike IcedID PhotoLoader
2020-04-28Random REJason Reaves
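@online{reaves:20200428:icedid:9b7de2f,
  author       = {Jason Reaves},
  title        = {{IcedID} {PhotoLoader} evolution},
  date         = {2020-04-28},
  organization = {Random RE},
  url          = {https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html},
  urldate      = {2022-03-23},
  language     = {English},
}
IcedID PhotoLoader evolution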
PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20230715 | Detects win.photoloader.)
/*
 * Auto-generated code-sequence signature for PhotoLoader (win.photoloader),
 * produced by yara-signator from the disassembly of memory dumps and unpacked
 * files (see the DISCLAIMER inside the rule). The matching material is the
 * hex in each $sequence_N string; the '??' wildcards mask 4-byte operands
 * (call/jump displacements, data references), which is what lets the rule
 * survive relocation and layout differences between builds.
 *
 * NOTE(review): the "// <bytes> | <mnemonic>" rows under each string are
 * generator annotations and visibly do not line up with the bytes on the same
 * row. In $sequence_0 the 'rdtsc' annotation sits beside 48c1e220 although
 * 0f31 is the RDTSC opcode, and the REX.W-prefixed (0x48 ...) instructions
 * appear to have been decoded in 32-bit mode (hence the stray 'dec eax'
 * rows). Treat the annotations as informational only; YARA matches the hex.
 */
rule win_photoloader_auto {

    meta:
        // Provenance of the rule: generator identity/version, the Malpedia
        // snapshot it was built against, and the sharing terms. The three
        // dates (date, malpedia_rule_date, malpedia_version) are distinct
        // generation/snapshot timestamps, not errors.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the "n = X, score = Y" rows below, n equals the number of
        // instruction tokens in the hex string; score is the generator's
        // internal ranking (scale not documented on this page).
        // $sequence_0: 0f31 is RDTSC; the surrounding shl/or look like the
        // timestamp counter being folded into a 64-bit register value.
        $sequence_0 = { 48c1e310 0f31 48c1e220 480bc2 0fb7c8 480bd9 8bcb }
            // n = 7, score = 700
            //   48c1e310             | dec                 eax
            //   0f31                 | shl                 ebx, 0x10
            //   48c1e220             | rdtsc               
            //   480bc2               | dec                 eax
            //   0fb7c8               | shl                 edx, 0x20
            //   480bd9               | dec                 eax
            //   8bcb                 | or                  eax, edx

        $sequence_1 = { 488bd6 488d0c5f e8???????? 4803d8 488d0c5f e8???????? 488bc7 }
            // n = 7, score = 700
            //   488bd6               | dec                 eax
            //   488d0c5f             | or                  ebx, ecx
            //   e8????????           |                     
            //   4803d8               | mov                 ecx, ebx
            //   488d0c5f             | and                 ecx, 0xf
            //   e8????????           |                     
            //   488bc7               | dec                 eax

        $sequence_2 = { 0fb7c8 480bd9 8bcb 83e10f ff15???????? 4883ef01 75dc }
            // n = 7, score = 700
            //   0fb7c8               | or                  ebx, ecx
            //   480bd9               | dec                 eax
            //   8bcb                 | shl                 edx, 0x20
            //   83e10f               | dec                 eax
            //   ff15????????         |                     
            //   4883ef01             | or                  eax, edx
            //   75dc                 | movzx               ecx, ax

        $sequence_3 = { 4803d8 488d0c5f e8???????? 4803d8 488bd6 488d0c5f e8???????? }
            // n = 7, score = 700
            //   4803d8               | lea                 ecx, [edi + ebx*2]
            //   488d0c5f             | dec                 eax
            //   e8????????           |                     
            //   4803d8               | or                  eax, edx
            //   488bd6               | movzx               ecx, ax
            //   488d0c5f             | dec                 eax
            //   e8????????           |                     

        $sequence_4 = { b800000004 4c8d9c2480030000 498b5b10 498b7318 498b7b20 }
            // n = 5, score = 600
            //   b800000004           | mov                 ecx, ebx
            //   4c8d9c2480030000     | and                 ecx, 0xf
            //   498b5b10             | dec                 eax
            //   498b7318             | shl                 ebx, 0x10
            //   498b7b20             | rdtsc               

        $sequence_5 = { 498bd6 884301 488d466a 4889830e030000 48c783160300005c020000 }
            // n = 5, score = 600
            //   498bd6               | mov                 eax, ebx
            //   884301               | dec                 eax
            //   488d466a             | or                  eax, edx
            //   4889830e030000       | movzx               ecx, ax
            //   48c783160300005c020000     | dec    eax

        $sequence_6 = { 488da878fdffff 4881ec80030000 448b7102 4c8d4c2460 488db1c6020000 e8???????? }
            // n = 6, score = 500
            //   488da878fdffff       | dec                 eax
            //   4881ec80030000       | or                  eax, edx
            //   448b7102             | movzx               ecx, ax
            //   4c8d4c2460           | dec                 eax
            //   488db1c6020000       | or                  ebx, ecx
            //   e8????????           |                     

        $sequence_7 = { 33db 8d7b04 48c1e310 0f31 }
            // n = 4, score = 500
            //   33db                 | or                  eax, edx
            //   8d7b04               | movzx               ecx, ax
            //   48c1e310             | dec                 eax
            //   0f31                 | or                  ebx, ecx

        $sequence_8 = { 33d2 488bc8 ff15???????? b800000004 4c8d9c2480030000 }
            // n = 5, score = 500
            //   33d2                 | or                  ebx, ecx
            //   488bc8               | rdtsc               
            //   ff15????????         |                     
            //   b800000004           | dec                 eax
            //   4c8d9c2480030000     | shl                 edx, 0x20

        // $sequence_9 .. $sequence_16 key on stack-string construction: the
        // 32-bit immediates of the c785.. (mov dword [ebp+disp32], imm32)
        // instructions are ASCII. Here: "ers\0" "Winh" "ttp." "dll\0", i.e.
        // the tail of a string ending in "...Winhttp.dll".
        $sequence_9 = { f30f7f85d8050000 c785e805000065727300 c785f000000057696e68 c785f40000007474702e c785f8000000646c6c00 e8???????? 660f6f05???????? }
            // n = 7, score = 400
            //   f30f7f85d8050000     | dec                 esp
            //   c785e805000065727300     | lea    ebx, [esp + 0x380]
            //   c785f000000057696e68     | dec    eax
            //   c785f40000007474702e     | mov    ecx, eax
            //   c785f8000000646c6c00     | mov    eax, 0x4000000
            //   e8????????           |                     
            //   660f6f05????????     |                     

        // Immediates: "Winh" "ttp." "dll\0" -> "Winhttp.dll".
        $sequence_10 = { c7858000000057696e68 c785840000007474702e c78588000000646c6c00 e8???????? }
            // n = 4, score = 400
            //   c7858000000057696e68     | mov    ecx, eax
            //   c785840000007474702e     | mov    eax, 0x4000000
            //   c78588000000646c6c00     | dec    esp
            //   e8????????           |                     

        // Immediates: "Winh" "ttp." "dll\0" -> "Winhttp.dll" (different frame offsets).
        $sequence_11 = { f30f7f8540070000 c7851001000057696e68 c785140100007474702e c78518010000646c6c00 e8???????? 660f6f05???????? }
            // n = 6, score = 400
            //   f30f7f8540070000     | dec                 esp
            //   c7851001000057696e68     | lea    ebx, [esp + 0x380]
            //   c785140100007474702e     | dec    ecx
            //   c78518010000646c6c00     | mov    ebx, dword ptr [ebx + 0x10]
            //   e8????????           |                     
            //   660f6f05????????     |                     

        $sequence_12 = { 4883ec28 eb0b b9e8030000 ff15???????? 833d????????00 74ec 33c9 }
            // n = 7, score = 400
            //   4883ec28             | add                 ebx, eax
            //   eb0b                 | dec                 eax
            //   b9e8030000           | mov                 edx, esi
            //   ff15????????         |                     
            //   833d????????00       |                     
            //   74ec                 | dec                 eax
            //   33c9                 | shl                 edx, 0x20

        $sequence_13 = { 6685c9 75d8 3bd5 7594 }
            // n = 4, score = 400
            //   6685c9               | mov                 ecx, eax
            //   75d8                 | mov                 eax, 0x4000000
            //   3bd5                 | dec                 esp
            //   7594                 | lea                 ebx, [esp + 0x380]

        // Immediates: "p\0" then "kern" "el32" ".dll" -> "kernel32.dll".
        $sequence_14 = { 66c785940700007000 c785a00100006b65726e c785a4010000656c3332 c785a80100002e646c6c }
            // n = 4, score = 400
            //   66c785940700007000     | dec    ecx
            //   c785a00100006b65726e     | mov    esi, dword ptr [ebx + 0x18]
            //   c785a4010000656c3332     | dec    ecx
            //   c785a80100002e646c6c     | mov    edi, dword ptr [ebx + 0x20]

        // Immediates: "Allo" "c\0" (tail of an "...Alloc" API name) and "Kern" "el32".
        $sequence_15 = { c745e4416c6c6f 66c745e86300 c785b00300004b65726e c785b4030000656c3332 }
            // n = 4, score = 400
            //   c745e4416c6c6f       | dec                 esp
            //   66c745e86300         | mov                 eax, ebx
            //   c785b00300004b65726e     | xor    edx, edx
            //   c785b4030000656c3332     | dec    eax

        // Immediates: "WinH" "ttpO" "pen\0" -> "WinHttpOpen", then "Winh" "ttp.".
        $sequence_16 = { c7457057696e48 c745747474704f c7457870656e00 c7858000000057696e68 c785840000007474702e }
            // n = 5, score = 400
            //   c7457057696e48       | mov                 ecx, eax
            //   c745747474704f       | mov                 eax, 0x4000000
            //   c7457870656e00       | dec                 esp
            //   c7858000000057696e68     | lea    ebx, [esp + 0x380]
            //   c785840000007474702e     | dec    eax

        $sequence_17 = { c3 4883ec38 83fa01 751f 488364242800 }
            // n = 5, score = 400
            //   c3                   | dec                 eax
            //   4883ec38             | add                 ebx, eax
            //   83fa01               | dec                 eax
            //   751f                 | mov                 edx, esi
            //   488364242800         | dec                 eax

        $sequence_18 = { 0f4dc8 69ff01010000 0fbec1 03f8 c1e010 33f8 }
            // n = 6, score = 400
            //   0f4dc8               | dec                 ecx
            //   69ff01010000         | mov                 ebx, dword ptr [ebx + 0x10]
            //   0fbec1               | dec                 esp
            //   03f8                 | mov                 eax, ebx
            //   c1e010               | xor                 edx, edx
            //   33f8                 | dec                 eax

        $sequence_19 = { 48ffc1 4983e801 75ec b801000000 eba6 488bc4 48895808 }
            // n = 7, score = 300
            //   48ffc1               | dec                 eax
            //   4983e801             | or                  eax, edx
            //   75ec                 | movzx               ecx, ax
            //   b801000000           | lea                 edi, [ebx + 4]
            //   eba6                 | dec                 eax
            //   488bc4               | shl                 ebx, 0x10
            //   48895808             | rdtsc               

        // $sequence_20 .. $sequence_28 carry no REX prefixes and appear to come
        // from 32-bit builds; the lower scores reflect fewer supporting samples.
        $sequence_20 = { 8a440414 88441c14 8b442410 884c0414 8a441c14 02c2 0fb6c0 }
            // n = 7, score = 200
            //   8a440414             | dec                 eax
            //   88441c14             | add                 ebx, ecx
            //   8b442410             | dec                 eax
            //   884c0414             | lea                 ecx, [edi + ebx*2]
            //   8a441c14             | dec                 eax
            //   02c2                 | add                 ebx, eax
            //   0fb6c0               | dec                 eax

        $sequence_21 = { 8bf8 83ffff 7504 33c0 eb7f 53 }
            // n = 6, score = 200
            //   8bf8                 | lea                 ecx, [edi + ebx*2]
            //   83ffff               | dec                 eax
            //   7504                 | sub                 esp, 0x28
            //   33c0                 | jmp                 0xd
            //   eb7f                 | mov                 ecx, 0x3e8
            //   53                   | je                  0xfffffff5

        $sequence_22 = { 8bd7 8d0c5d00000000 50 03cd e8???????? 59 }
            // n = 6, score = 200
            //   8bd7                 | dec                 eax
            //   8d0c5d00000000       | lea                 ecx, [edi + ebx*2]
            //   50                   | dec                 eax
            //   03cd                 | add                 ebx, ecx
            //   e8????????           |                     
            //   59                   | dec                 eax

        $sequence_23 = { 55 56 33c0 8d6c240c 57 }
            // n = 5, score = 200
            //   55                   | add                 ebx, ecx
            //   56                   | dec                 eax
            //   33c0                 | lea                 ecx, [edi + ebx*2]
            //   8d6c240c             | dec                 eax
            //   57                   | add                 ebx, eax

        $sequence_24 = { 8903 8d44242c 50 6804010000 }
            // n = 4, score = 200
            //   8903                 | jmp                 0xd
            //   8d44242c             | mov                 ecx, 0x3e8
            //   50                   | dec                 eax
            //   6804010000           | arpl                ax, cx

        $sequence_25 = { 51 ffd6 ff74243c 03f8 55 68???????? 8d047b }
            // n = 7, score = 200
            //   51                   | dec                 eax
            //   ffd6                 | lea                 ecx, [edi + ebx*2]
            //   ff74243c             | dec                 eax
            //   03f8                 | add                 ebx, eax
            //   55                   | dec                 eax
            //   68????????           |                     
            //   8d047b               | add                 ebx, ecx

        // $sequence_26 starts with 0fa2 (CPUID) followed by stores of the
        // result registers to [ebp+0..0xc].
        $sequence_26 = { 0fa2 894500 33c0 895d04 40 894d08 89550c }
            // n = 7, score = 200
            //   0fa2                 | dec                 eax
            //   894500               | sub                 esp, 0x28
            //   33c0                 | jmp                 0xd
            //   895d04               | mov                 ecx, 0x3e8
            //   40                   | dec                 eax
            //   894d08               | arpl                ax, cx
            //   89550c               | dec                 eax

        $sequence_27 = { 897c241c e8???????? 83c40c 89742438 68???????? 68???????? }
            // n = 6, score = 200
            //   897c241c             | lea                 ecx, [edi + ebx*2]
            //   e8????????           |                     
            //   83c40c               | dec                 eax
            //   89742438             | add                 ebx, eax
            //   68????????           |                     
            //   68????????           |                     

        $sequence_28 = { b801000000 eba6 48895c2408 48896c2410 }
            // n = 4, score = 200
            //   b801000000           | dec                 eax
            //   eba6                 | lea                 eax, [esi + 0x6a]
            //   48895c2408           | dec                 eax
            //   48896c2410           | mov                 dword ptr [ebx + 0x30e], eax

        // $sequence_29 .. $sequence_34 (score 100) embed concrete RIP-relative
        // displacements (e.g. 488d15f35e0000); these are build-specific and the
        // least likely to generalise across samples.
        $sequence_29 = { 7508 c744244078000000 4c8d442440 488bce 488d15f35e0000 e8???????? 488d9570010000 }
            // n = 7, score = 100
            //   7508                 | dec                 eax
            //   c744244078000000     | shl                 edx, 0x20
            //   4c8d442440           | dec                 eax
            //   488bce               | or                  eax, edx
            //   488d15f35e0000       | lea                 edi, [ebx + 4]
            //   e8????????           |                     
            //   488d9570010000       | dec                 eax

        $sequence_30 = { 85c0 7507 488d1517550000 ff15???????? }
            // n = 4, score = 100
            //   85c0                 | dec                 eax
            //   7507                 | shl                 ebx, 0x10
            //   488d1517550000       | rdtsc               
            //   ff15????????         |                     

        $sequence_31 = { e8???????? 4885c0 488d1569510000 488bf8 480f45d0 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4885c0               | shl                 edx, 0x20
            //   488d1569510000       | xor                 ebx, ebx
            //   488bf8               | lea                 edi, [ebx + 4]
            //   480f45d0             | dec                 eax

        $sequence_32 = { 4803d8 488d153c5f0000 4c8bc7 488d0c5e e8???????? }
            // n = 5, score = 100
            //   4803d8               | movzx               ecx, ax
            //   488d153c5f0000       | dec                 eax
            //   4c8bc7               | or                  ebx, ecx
            //   488d0c5e             | lea                 edi, [ebx + 4]
            //   e8????????           |                     

        $sequence_33 = { 488d0c5e 4c8d057d5e0000 488d15fe5d0000 ff15???????? 4863c8 4803d9 }
            // n = 6, score = 100
            //   488d0c5e             | lea                 edi, [ebx + 4]
            //   4c8d057d5e0000       | dec                 eax
            //   488d15fe5d0000       | shl                 ebx, 0x10
            //   ff15????????         |                     
            //   4863c8               | rdtsc               
            //   4803d9               | dec                 eax

        $sequence_34 = { f7d8 488d0c5f 4c8d05c4590000 488bd6 451bc9 4183e120 }
            // n = 6, score = 100
            //   f7d8                 | dec                 eax
            //   488d0c5f             | shl                 edx, 0x20
            //   4c8d05c4590000       | dec                 eax
            //   488bd6               | or                  eax, edx
            //   451bc9               | movzx               ecx, ax
            //   4183e120             | xor                 ebx, ebx

    condition:
        // Any 7 of the 35 sequences above must be present, and the scanned
        // object must be smaller than 98304 bytes (96 KiB). Because the
        // sequences were derived from memory dumps and unpacked files (see
        // DISCLAIMER), expect hits on unpacked/dumped modules; the packed
        // delivery artifact (the fake-image container described on this page)
        // is unlikely to match.
        7 of them and filesize < 98304
}