win.purplefox

PurpleFox


Purple Fox uses the msi.dll function 'MsiInstallProductA' to download and execute its payload. The payload is a .msi file that contains encrypted shellcode in both 32-bit and 64-bit versions. Once executed, the system is restarted and the 'PendingFileRenameOperations' registry entry is used to rename its components.

Upon restart, the rootkit capability of Purple Fox is invoked: it creates a suspended svchost process and injects a DLL that creates a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable its rootkit components, which include hiding and protecting its files and registry entries. It also abuses a file utility to hide its DLL component, which deters reverse engineering.

References
2022-03-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220328:purple:a7adcb0, author = {Ravie Lakshmanan}, title = {{'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks}}, date = {2022-03-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html}, language = {English}, urldate = {2022-03-29} } 'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
DirtyMoe FatalRat PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@online{magdy:20220325:purple:bb817d9, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html}, language = {English}, urldate = {2022-03-28} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@techreport{magdy:20220325:purple:ef08c67, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)}}, date = {2022-03-25}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf}, language = {English}, urldate = {2022-03-28} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)
PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@online{magdy:20220325:purple:fffddcf, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt}, language = {English}, urldate = {2022-03-28} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)
PurpleFox
2022-01-20BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220120:threat:e0eda13, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Purple Fox Rootkit}}, date = {2022-01-20}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit}, language = {English}, urldate = {2022-01-24} } Threat Thursday: Purple Fox Rootkit
PurpleFox
2022-01-04The Cyber Security TimesJohn Greenwood
@online{greenwood:20220104:purple:98da376, author = {John Greenwood}, title = {{Purple Fox malware is actively distributed via Telegram Installers}}, date = {2022-01-04}, organization = {The Cyber Security Times}, url = {https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/}, language = {English}, urldate = {2022-01-06} } Purple Fox malware is actively distributed via Telegram Installers
PurpleFox
2022-01-03MinervaLabsNatalie Zargarov
@online{zargarov:20220103:malicious:23d7ba8, author = {Natalie Zargarov}, title = {{Malicious Telegram Installer Drops Purple Fox Rootkit}}, date = {2022-01-03}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit}, language = {English}, urldate = {2022-01-06} } Malicious Telegram Installer Drops Purple Fox Rootkit
PurpleFox
2021-12-13Trend MicroJay Yaneza, Abdelrhman Sharshar, Sherif Magdy
@online{yaneza:20211213:look:41dc207, author = {Jay Yaneza and Abdelrhman Sharshar and Sherif Magdy}, title = {{A Look Into Purple Fox’s Server Infrastructure}}, date = {2021-12-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html}, language = {English}, urldate = {2021-12-31} } A Look Into Purple Fox’s Server Infrastructure
PurpleFox
2021-10-19Trend MicroAbdelrhman Sharshar, Jay Yaneza, Sherif Magdy
@online{sharshar:20211019:purplefox:06308c3, author = {Abdelrhman Sharshar and Jay Yaneza and Sherif Magdy}, title = {{PurpleFox Adds New Backdoor That Uses WebSockets}}, date = {2021-10-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html}, language = {English}, urldate = {2021-10-24} } PurpleFox Adds New Backdoor That Uses WebSockets
FoxSocket PurpleFox
2021-07-07Twitter (@C0rk1_H)hyabcd
@online{hyabcd:20210707:purplefox:af42cde, author = {hyabcd}, title = {{Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign}}, date = {2021-07-07}, organization = {Twitter (@C0rk1_H)}, url = {https://twitter.com/C0rk1_H/status/1412801973628272641?s=20}, language = {English}, urldate = {2021-07-19} } Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign
PurpleFox
2021-07-01Trend MicroWilliam Gamazo Sanchez
@online{sanchez:20210701:purplefox:fb8c3c4, author = {William Gamazo Sanchez}, title = {{PurpleFox Using WPAD to Target Indonesian Users}}, date = {2021-07-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html}, language = {English}, urldate = {2021-07-02} } PurpleFox Using WPAD to Target Indonesian Users
PurpleFox
2021-06-11TencentThe Tencent Security Threat Intelligence Center
@online{center:20210611:tencent:ed32dd1, author = {The Tencent Security Threat Intelligence Center}, title = {{Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm}}, date = {2021-06-11}, organization = {Tencent}, url = {https://s.tencent.com/research/report/1322.html}, language = {Chinese}, urldate = {2021-06-22} } Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm
PurpleFox
2021-04-15nao_sec blognao_sec
@online{naosec:20210415:exploit:b5fe0b8, author = {nao_sec}, title = {{Exploit Kit still sharpens a sword}}, date = {2021-04-15}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html}, language = {English}, urldate = {2021-04-20} } Exploit Kit still sharpens a sword
PurpleFox
2021-04-14HPPatrick Schläpfer
@online{schlpfer:20210414:from:6649630, author = {Patrick Schläpfer}, title = {{From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411}}, date = {2021-04-14}, organization = {HP}, url = {https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/}, language = {English}, urldate = {2021-04-16} } From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411
PurpleFox
2021-03-25MalwarebytesMalwarebytes Labs
@online{labs:20210325:perkiler:3733a75, author = {Malwarebytes Labs}, title = {{Perkiler malware turns to SMB brute force to spread}}, date = {2021-03-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/}, language = {English}, urldate = {2021-03-30} } Perkiler malware turns to SMB brute force to spread
PurpleFox
2021-03-24GuardicoreAmit Serper
@online{serper:20210324:purple:86ec5cf, author = {Amit Serper}, title = {{Purple Fox Rootkit Now Propagates as a Worm}}, date = {2021-03-24}, organization = {Guardicore}, url = {https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/}, language = {English}, urldate = {2021-03-25} } Purple Fox Rootkit Now Propagates as a Worm
PurpleFox
2019-09-09Trend MicroJohnlery Triunfante, Earle Earnshaw
@online{triunfante:20190909:purple:4a222ca, author = {Johnlery Triunfante and Earle Earnshaw}, title = {{‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell}}, date = {2019-09-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/}, language = {English}, urldate = {2020-01-13} } ‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
PurpleFox
2017-07-05Trend MicroKevin Y. Huang
@online{huang:20170705:security:8819459, author = {Kevin Y. Huang}, title = {{Security 101: The Impact of Cryptocurrency-Mining Malware}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware}, language = {English}, urldate = {2020-01-07} } Security 101: The Impact of Cryptocurrency-Mining Malware
PurpleFox
Yara Rules
[TLP:WHITE] win_purplefox_auto (20220808 | Detects win.purplefox.)
rule win_purplefox_auto {

    /* Auto-generated code-sequence signature for the Purple Fox family (win.purplefox).
     * The 40 $sequence_N strings are raw x86 instruction byte runs picked by
     * YARA-Signator from disassembly of memory dumps and unpacked files (see the
     * disclaimer below); the rule fires when at least 7 of them are present and the
     * scanned object is smaller than 1983488 bytes (see condition).
     *
     * Reading notes for analysts:
     *  - `????????` wildcards stand for 4-byte operands that vary between builds
     *    (they follow opcodes such as e8 / ff15 / 68 / e9, i.e. call, indirect call,
     *    push imm32 and jmp targets), so relocations do not break the match.
     *  - Several sequences carry REX prefixes (48 / 4c / 41 / 45 ...), i.e. 64-bit
     *    code, while others are plain 32-bit code; presumably this reflects the
     *    32-bit and 64-bit payload variants the family is documented to ship -- confirm
     *    against the referenced reports.
     *  - NOTE(review): the per-line "// <hex> | <mnemonic>" annotations below do not
     *    appear to correspond to the bytes on the same line (e.g. 48897c2430 decodes
     *    to `mov qword ptr [rsp+0x30], rdi`, not the movsx shown). Treat the hex
     *    strings as authoritative and re-disassemble before reasoning about them.
     *  - The filesize bound means larger carriers (installers, packed droppers) will
     *    not match on disk even if they embed these sequences; scanning unpacked or
     *    in-memory images is what the strings were derived from.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.purplefox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48897c2430 4c897c2420 4103ec ba00300000 }
            // n = 4, score = 100
            //   48897c2430           | movsx               eax, byte ptr [esi + eax + 4]
            //   4c897c2420           | jae                 0x7f
            //   4103ec               | dec                 eax
            //   ba00300000           | mov                 ebx, edi

        $sequence_1 = { 488b9c24f0040000 4881c4d0040000 5f 5e }
            // n = 4, score = 100
            //   488b9c24f0040000     | lea                 ecx, [esp + 0x40]
            //   4881c4d0040000       | inc                 ecx
            //   5f                   | mov                 al, 1
            //   5e                   | dec                 eax

        $sequence_2 = { 8b4f08 83c408 8d85dcfdffff e8???????? }
            // n = 4, score = 100
            //   8b4f08               | push                eax
            //   83c408               | add                 esp, 4
            //   8d85dcfdffff         | mov                 ecx, dword ptr [edi + 4]
            //   e8????????           |                     

        $sequence_3 = { 7416 8bc8 83e11f 8bf0 c1fe05 c1e106 030cb5000c4100 }
            // n = 7, score = 100
            //   7416                 | push                ecx
            //   8bc8                 | call                ebx
            //   83e11f               | ja                  0x9d1
            //   8bf0                 | jmp                 dword ptr [eax*4 + 0x4031b7]
            //   c1fe05               | or                  dword ptr [ebp - 0x218], 0xffffffff
            //   c1e106               | mov                 dword ptr [ebp - 0x26c], esi
            //   030cb5000c4100       | mov                 ebx, eax

        $sequence_4 = { c647ff00 f6d4 53 9f }
            // n = 4, score = 100
            //   c647ff00             | lea                 edx, [0xf83d]
            //   f6d4                 | add                 edi, edi
            //   53                   | jmp                 0xffffffce
            //   9f                   | test                eax, eax

        $sequence_5 = { 87cd 33fb 43 14da 96 e4ea }
            // n = 6, score = 100
            //   87cd                 | arpl                cx, bx
            //   33fb                 | dec                 eax
            //   43                   | lea                 ebp, [0x7377]
            //   14da                 | jmp                 0xffffffe8
            //   96                   | inc                 ebp
            //   e4ea                 | xor                 eax, eax

        $sequence_6 = { 4533c9 4533c0 418bd5 488bcd 48c744242000000000 ff15???????? }
            // n = 6, score = 100
            //   4533c9               | push                esi
            //   4533c0               | push                edi
            //   418bd5               | dec                 eax
            //   488bcd               | sub                 esp, 0x50
            //   48c744242000000000     | mov    ecx, ecx
            //   ff15????????         |                     

        $sequence_7 = { 68???????? ffd3 83c404 b80d0000c0 5f 5e 5b }
            // n = 7, score = 100
            //   68????????           |                     
            //   ffd3                 | dec                 ecx
            //   83c404               | mov                 ebx, dword ptr [esp + 0x18]
            //   b80d0000c0           | inc                 ebp
            //   5f                   | xor                 esi, esi
            //   5e                   | dec                 eax
            //   5b                   | mov                 ebx, dword ptr [esp + 0x4f0]

        $sequence_8 = { c740f8???????? 8948fc c640dfe0 8bc6 }
            // n = 4, score = 100
            //   c740f8????????       |                     
            //   8948fc               | dec                 eax
            //   c640dfe0             | lea                 ecx, [0x1eb9]
            //   8bc6                 | dec                 eax

        $sequence_9 = { ebe6 4533c0 488d1587d30000 458d4803 498bc8 4c8d153df80000 }
            // n = 6, score = 100
            //   ebe6                 | and                 ebx, 0x1f
            //   4533c0               | dec                 eax
            //   488d1587d30000       | mov                 dword ptr [esp + 8], ebx
            //   458d4803             | push                edi
            //   498bc8               | dec                 eax
            //   4c8d153df80000       | sub                 esp, 0x20

        $sequence_10 = { 8b4e18 8908 8b5628 8b461c }
            // n = 4, score = 100
            //   8b4e18               | mov                 edx, dword ptr [ebp + 0xc]
            //   8908                 | mov                 dword ptr [esi + 0xc], edx
            //   8b5628               | jmp                 0x3b
            //   8b461c               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_11 = { 4883ec20 85c9 7871 3b0d???????? 7369 4863d9 488d2d77730000 }
            // n = 7, score = 100
            //   4883ec20             | dec                 eax
            //   85c9                 | mov                 esi, edi
            //   7871                 | dec                 eax
            //   3b0d????????         |                     
            //   7369                 | sar                 esi, 5
            //   4863d9               | dec                 esp
            //   488d2d77730000       | lea                 esp, [0x79fa]

        $sequence_12 = { b079 d8d4 2971e5 fc 3ae0 ec 2b6359 }
            // n = 7, score = 100
            //   b079                 | dec                 eax
            //   d8d4                 | mov                 dword ptr [esp + 0x30], edi
            //   2971e5               | dec                 esp
            //   fc                   | mov                 dword ptr [esp + 0x20], edi
            //   3ae0                 | inc                 ecx
            //   ec                   | add                 ebp, esp
            //   2b6359               | mov                 edx, 0x3000

        $sequence_13 = { ff15???????? 488d4c2440 41b001 488bd6 ff15???????? 84c0 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488d4c2440           | inc                 ebp
            //   41b001               | xor                 ecx, ecx
            //   488bd6               | inc                 ebp
            //   ff15????????         |                     
            //   84c0                 | xor                 eax, eax

        $sequence_14 = { 8bd8 57 e8???????? 8bf0 83c404 85f6 }
            // n = 6, score = 100
            //   8bd8                 | lea                 eax, [esp + 0x250]
            //   57                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | add                 esp, 0xc
            //   83c404               | push                0x208
            //   85f6                 | mov                 ecx, dword ptr [ebp - 8]

        $sequence_15 = { ff15???????? 488d542420 488d0dcb1e0000 ff15???????? 488d542430 488d0db91e0000 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d542420           | mov                 edx, esi
            //   488d0dcb1e0000       | test                al, al
            //   ff15????????         |                     
            //   488d542430           | dec                 eax
            //   488d0db91e0000       | lea                 ecx, [0x1e5d]
            //   ff15????????         |                     

        $sequence_16 = { e8???????? 16 8a6ac1 57 b329 29fb }
            // n = 6, score = 100
            //   e8????????           |                     
            //   16                   | movzx               ecx, word ptr [edi]
            //   8a6ac1               | movzx               eax, cx
            //   57                   | inc                 cx
            //   b329                 | and                 eax, edi
            //   29fb                 | cmp                 ax, dx

        $sequence_17 = { f9 85f5 894dfc f9 e9???????? 83ee01 f9 }
            // n = 7, score = 100
            //   f9                   | dec                 eax
            //   85f5                 | lea                 edx, [0x46a0]
            //   894dfc               | dec                 eax
            //   f9                   | mov                 ecx, esi
            //   e9????????           |                     
            //   83ee01               | dec                 eax
            //   f9                   | mov                 ecx, eax

        $sequence_18 = { f655e4 5f 652c3b 79af 150d93dd6d 00be368cfc44 ffc4 }
            // n = 7, score = 100
            //   f655e4               | dec                 eax
            //   5f                   | lea                 edx, [0xd387]
            //   652c3b               | inc                 ebp
            //   79af                 | lea                 ecx, [eax + 3]
            //   150d93dd6d           | dec                 ecx
            //   00be368cfc44         | mov                 ecx, eax
            //   ffc4                 | dec                 esp

        $sequence_19 = { ffd6 8bf0 3bf3 7d1e 8b4de8 }
            // n = 5, score = 100
            //   ffd6                 | mov                 dword ptr [esp + 0x20], eax
            //   8bf0                 | mov                 edi, eax
            //   3bf3                 | test                eax, eax
            //   7d1e                 | jns                 0xf
            //   8b4de8               | cmp                 eax, 0xc0000023

        $sequence_20 = { ff34c518fc4000 ff15???????? 5d c3 6a0c 68???????? }
            // n = 6, score = 100
            //   ff34c518fc4000       | push                edi
            //   ff15????????         |                     
            //   5d                   | mov                 esi, eax
            //   c3                   | add                 esp, 4
            //   6a0c                 | test                esi, esi
            //   68????????           |                     

        $sequence_21 = { 66ffc6 19d6 8b7500 f5 55 38da }
            // n = 6, score = 100
            //   66ffc6               | mov                 ebx, ecx
            //   19d6                 | dec                 esp
            //   8b7500               | lea                 ebx, [0xa117]
            //   f5                   | je                  0x6b
            //   55                   | mov                 esi, eax
            //   38da                 | nop                 word ptr [eax + eax]

        $sequence_22 = { e8???????? 83c404 e9???????? 8b4f04 68???????? 51 ffd3 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | mov                 dword ptr [eax - 4], ecx
            //   e9????????           |                     
            //   8b4f04               | mov                 byte ptr [eax - 0x21], 0xe0
            //   68????????           |                     
            //   51                   | mov                 eax, esi
            //   ffd3                 | call                esi

        $sequence_23 = { 4053 4883ec20 488bd9 e8???????? 4c8d1d17a10000 }
            // n = 5, score = 100
            //   4053                 | and                 ecx, 0x1f
            //   4883ec20             | mov                 esi, eax
            //   488bd9               | sar                 esi, 5
            //   e8????????           |                     
            //   4c8d1d17a10000       | shl                 ecx, 6

        $sequence_24 = { 8d842450020000 50 e8???????? 83c40c 6808020000 }
            // n = 5, score = 100
            //   8d842450020000       | jne                 0xd3
            //   50                   | call                ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 4
            //   6808020000           | mov                 eax, 0xc000000d

        $sequence_25 = { 448b6908 8b4918 498b5c2418 4533f6 }
            // n = 4, score = 100
            //   448b6908             | mov                 ecx, ebp
            //   8b4918               | dec                 eax
            //   498b5c2418           | mov                 dword ptr [esp + 0x20], 0
            //   4533f6               | dec                 eax

        $sequence_26 = { 6a00 6800020000 50 ff15???????? }
            // n = 4, score = 100
            //   6a00                 | lea                 ecx, [0x1ecb]
            //   6800020000           | dec                 eax
            //   50                   | lea                 edx, [esp + 0x30]
            //   ff15????????         |                     

        $sequence_27 = { 95 c0fb04 c0f305 c1e012 d495 89e8 }
            // n = 6, score = 100
            //   95                   | dec                 eax
            //   c0fb04               | sub                 esp, 0x20
            //   c0f305               | test                ecx, ecx
            //   c1e012               | js                  0x73
            //   d495                 | jae                 0x6d
            //   89e8                 | dec                 eax

        $sequence_28 = { 0f87cb090000 ff2485b7314000 838de8fdffffff 89b594fdffff }
            // n = 4, score = 100
            //   0f87cb090000         | mov                 esi, eax
            //   ff2485b7314000       | cmp                 esi, ebx
            //   838de8fdffffff       | jge                 0x24
            //   89b594fdffff         | mov                 ecx, dword ptr [ebp - 0x18]

        $sequence_29 = { 48895c2408 57 4883ec20 488d0563690000 }
            // n = 4, score = 100
            //   48895c2408           | add                 esp, 8
            //   57                   | lea                 eax, [ebp - 0x224]
            //   4883ec20             | je                  0x18
            //   488d0563690000       | mov                 ecx, eax

        $sequence_30 = { 737d 488bdf 488bf7 48c1fe05 4c8d25fa790000 83e31f }
            // n = 6, score = 100
            //   737d                 | jmp                 0xffffffad
            //   488bdf               | mov                 dword ptr [ebp - 0x1c], 0x40b168
            //   488bf7               | cmp                 dword ptr [ebp - 0x1c], 0x40b174
            //   48c1fe05             | jae                 0x1a
            //   4c8d25fa790000       | mov                 eax, dword ptr [ebp - 0x1c]
            //   83e31f               | mov                 ecx, dword ptr [edi + 8]

        $sequence_31 = { 7408 8b550c 89560c eb36 8b4510 8b4d0c 6a00 }
            // n = 7, score = 100
            //   7408                 | dec                 eax
            //   8b550c               | add                 esp, 0x4d0
            //   89560c               | pop                 edi
            //   eb36                 | pop                 esi
            //   8b4510               | dec                 eax
            //   8b4d0c               | lea                 edx, [esp + 0x20]
            //   6a00                 | dec                 eax

        $sequence_32 = { ebab c745e468b14000 817de474b14000 7311 8b45e4 }
            // n = 5, score = 100
            //   ebab                 | mov                 eax, dword ptr [esi + 0x1c]
            //   c745e468b14000       | push                eax
            //   817de474b14000       | call                ebx
            //   7311                 | mov                 eax, dword ptr [ebp - 8]
            //   8b45e4               | add                 esp, 8

        $sequence_33 = { 6603c9 66890e 488d0d75120000 4c8d9c2430020000 498b5b10 498b7318 }
            // n = 6, score = 100
            //   6603c9               | add                 cx, cx
            //   66890e               | mov                 word ptr [esi], cx
            //   488d0d75120000       | dec                 eax
            //   4c8d9c2430020000     | lea                 ecx, [0x1275]
            //   498b5b10             | dec                 esp
            //   498b7318             | lea                 ebx, [esp + 0x230]

        $sequence_34 = { 488d15a0460000 488bce 488905???????? ff15???????? 488bc8 }
            // n = 5, score = 100
            //   488d15a0460000       | and                 esi, 0x1f
            //   488bce               | shl                 esi, 6
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488bc8               | mov                 eax, dword ptr [edi]

        $sequence_35 = { 7469 8bf0 66660f1f840000000000 0fb70f 0fb7c1 664123c7 663bc2 }
            // n = 7, score = 100
            //   7469                 | add                 ecx, dword ptr [esi*4 + 0x410c00]
            //   8bf0                 | push                dword ptr [eax*8 + 0x40fc18]
            //   66660f1f840000000000     | pop    ebp
            //   0fb70f               | ret                 
            //   0fb7c1               | push                0xc
            //   664123c7             | lea                 edi, [eax*4 + 0x410c00]
            //   663bc2               | mov                 esi, ebx

        $sequence_36 = { 750b 80780175 7505 385002 741f 40 }
            // n = 6, score = 100
            //   750b                 | push                ecx
            //   80780175             | call                esi
            //   7505                 | mov                 edx, dword ptr [ebp - 0x28]
            //   385002               | mov                 ecx, dword ptr [esi + 0x18]
            //   741f                 | mov                 dword ptr [eax], ecx
            //   40                   | mov                 edx, dword ptr [esi + 0x28]

        $sequence_37 = { 8b4df8 8b35???????? 51 ffd6 8b55d8 }
            // n = 5, score = 100
            //   8b4df8               | pop                 edi
            //   8b35????????         |                     
            //   51                   | pop                 esi
            //   ffd6                 | pop                 ebx
            //   8b55d8               | je                  0xa

        $sequence_38 = { 56 57 4883ec50 8bc9 }
            // n = 4, score = 100
            //   56                   | dec                 ecx
            //   57                   | mov                 ebx, dword ptr [ebx + 0x10]
            //   4883ec50             | dec                 ecx
            //   8bc9                 | mov                 esi, dword ptr [ebx + 0x18]

        $sequence_39 = { 488d0d5d1e0000 ff15???????? 488d4c2440 e8???????? 8bf0 }
            // n = 5, score = 100
            //   488d0d5d1e0000       | inc                 ecx
            //   ff15????????         |                     
            //   488d4c2440           | mov                 edx, ebp
            //   e8????????           |                     
            //   8bf0                 | dec                 eax

    condition:
        // Any 7 of the 40 byte sequences suffice; the size bound (~1.9 MB) keeps the
        // rule from being evaluated against large carriers and reduces false positives
        // on big binaries that happen to share a few generic code fragments.
        7 of them and filesize < 1983488
}