win.purplefox

PurpleFox

Purple Fox uses the msi.dll function 'MsiInstallProductA' to download and execute its payload. The payload is a .msi file that contains encrypted shellcode in both 32-bit and 64-bit versions. Once executed, the system is restarted and the malware uses the 'PendingFileRenameOperations' registry value to rename its components during boot.

Upon restart, the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable its rootkit components, which include hiding and protecting its files and registry entries. It also abuses a file utility software to hide its DLL component, which deters reverse engineering.
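As an added defender-side example (not Malpedia's code and not taken from any of the cited reports), the following Python parses the PendingFileRenameOperations value described above into rename/delete operations and flags entries a responder would want to look at, such as a file from a temporary directory being renamed into the drivers directory at boot. The registry sample and the triage heuristics are constructed for this example; the live-read helper is only for Windows hosts.

```python
"""Triage of PendingFileRenameOperations entries.

The value lives at HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager and is
a REG_MULTI_SZ consumed by the Session Manager at boot. It is a flat sequence of
(source, destination) string pairs; an empty destination means "delete source",
paths are usually in NT form ("\\??\\C:\\..."), and a leading "!" on the destination
means replace an existing file (MOVEFILE_REPLACE_EXISTING).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Heuristic path classes (assumptions for this example, not an exhaustive list).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\|temp\\)", re.IGNORECASE)
SYSTEM_TARGET = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
EXEC_EXT = (".sys", ".dll", ".exe")


@dataclass
class PendingOp:
    source: str
    destination: str        # "" means the Session Manager deletes `source`
    replace_existing: bool  # destination carried the "!" marker

    @property
    def kind(self) -> str:
        return "delete" if self.destination == "" else "rename"


def normalise(path: str) -> tuple[str, bool]:
    """Drop the '!' replace marker and the NT '\\??\\' prefix from one entry."""
    replace = path.startswith("!")
    if replace:
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path, replace


def parse_pending_ops(values: list[str]) -> list[PendingOp]:
    """`values` is the REG_MULTI_SZ as a list of strings, as winreg returns it."""
    ops: list[PendingOp] = []
    for i in range(0, len(values), 2):
        src, _ = normalise(values[i])
        if not src:
            continue  # trailing terminator / padding element, not an operation
        dst_raw = values[i + 1] if i + 1 < len(values) else ""
        dst, replace = normalise(dst_raw)
        ops.append(PendingOp(src, dst, replace))
    return ops


def assess(op: PendingOp) -> list[str]:
    """Reasons this entry deserves analyst attention (constructed heuristics)."""
    reasons: list[str] = []
    if op.kind == "rename":
        if USER_WRITABLE.match(op.source) and SYSTEM_TARGET.match(op.destination):
            reasons.append("user-writable path renamed into a Windows system directory")
        if op.destination.lower().endswith(EXEC_EXT) and not op.source.lower().endswith(EXEC_EXT):
            reasons.append("non-executable extension becomes executable/driver at boot")
        if op.replace_existing and SYSTEM_TARGET.match(op.destination):
            reasons.append("replaces an existing file under the system directory")
    elif SYSTEM_TARGET.match(op.source):
        reasons.append("scheduled deletion of a system-directory file")
    return reasons


def triage(values: list[str]) -> list[tuple[PendingOp, list[str]]]:
    """Return only the operations that produced at least one reason."""
    flagged = []
    for op in parse_pending_ops(values):
        reasons = assess(op)
        if reasons:
            flagged.append((op, reasons))
    return flagged


def read_live_value() -> list[str]:
    """Read the real value on a Windows host (winreg is Windows-only)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []  # no pending operations at the moment
    finally:
        winreg.CloseKey(key)
    return list(value) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample value: one suspicious rename, two routine deletions.
SAMPLE_VALUE = [
    "\\??\\C:\\Windows\\Temp\\7f3a.tmp", "!\\??\\C:\\Windows\\System32\\drivers\\example.sys",
    "\\??\\C:\\Program Files\\Vendor\\app.old", "",
    "\\??\\C:\\Windows\\Temp\\setup.log", "",
]

if __name__ == "__main__":
    for op, reasons in triage(SAMPLE_VALUE):
        print(f"[{op.kind}] {op.source} -> {op.destination or '<delete>'}")
        for reason in reasons:
            print("   -", reason)
```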

References

2022-03-28 | The Hacker News | Ravie Lakshmanan
'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html
Families: DirtyMoe, FatalRat, PurpleFox

2022-03-25 | Trend Micro | Sherif Magdy, Abdelrhman Sharshar, Jay Yaneza
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
Families: PurpleFox

2022-03-25 | Trend Micro | Sherif Magdy, Abdelrhman Sharshar, Jay Yaneza
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf
Families: PurpleFox

2022-03-25 | Trend Micro | Sherif Magdy, Abdelrhman Sharshar, Jay Yaneza
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt
Families: PurpleFox

2022-01-20 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Thursday: Purple Fox Rootkit
https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit
Families: PurpleFox

2022-01-04 | The Cyber Security Times | John Greenwood
Purple Fox malware is actively distributed via Telegram Installers
https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/
Families: PurpleFox

2022-01-03 | MinervaLabs | Natalie Zargarov
Malicious Telegram Installer Drops Purple Fox Rootkit
https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit
Families: PurpleFox

2021-12-13 | Trend Micro | Jay Yaneza, Abdelrhman Sharshar, Sherif Magdy
A Look Into Purple Fox’s Server Infrastructure
https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html
Families: PurpleFox

2021-10-19 | Trend Micro | Abdelrhman Sharshar, Jay Yaneza, Sherif Magdy
PurpleFox Adds New Backdoor That Uses WebSockets
https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
Families: FoxSocket, PurpleFox

2021-07-07 | Twitter (@C0rk1_H) | hyabcd
Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign
https://twitter.com/C0rk1_H/status/1412801973628272641?s=20
Families: PurpleFox

2021-07-01 | Trend Micro | William Gamazo Sanchez
PurpleFox Using WPAD to Target Indonesian Users
https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html
Families: PurpleFox

2021-06-11 | Tencent | The Tencent Security Threat Intelligence Center
Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm (Chinese)
https://s.tencent.com/research/report/1322.html
Families: PurpleFox

2021-04-15 | nao_sec blog | nao_sec
Exploit Kit still sharpens a sword
https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html
Families: PurpleFox

2021-04-14 | HP | Patrick Schläpfer
From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411
https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/
Families: PurpleFox

2021-03-25 | Malwarebytes | Malwarebytes Labs
Perkiler malware turns to SMB brute force to spread
https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/
Families: PurpleFox

2021-03-24 | Guardicore | Amit Serper
Purple Fox Rootkit Now Propagates as a Worm
https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/
Families: PurpleFox

2019-09-09 | Trend Micro | Johnlery Triunfante, Earle Earnshaw
‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/
Families: PurpleFox

2017-07-05 | Trend Micro | Kevin Y. Huang
Security 101: The Impact of Cryptocurrency-Mining Malware
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware
Families: PurpleFox
Yara Rules
[TLP:WHITE] win_purplefox_auto (20230125 | Detects win.purplefox.)
rule win_purplefox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.purplefox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c70424051583a5 60 66894500 9c 9c 68837ab369 68e52d2e1c }
            // n = 7, score = 100
            //   c70424051583a5       | mov                 edi, dword ptr [ebx + 0x10]
            //   60                   | dec                 eax
            //   66894500             | test                edi, edi
            //   9c                   | je                  0x19
            //   9c                   | dec                 eax
            //   68837ab369           | mov                 dword ptr [esp + 0x20], eax
            //   68e52d2e1c           | inc                 esp

        $sequence_1 = { 488b9c2490000000 488b742460 8bc7 4883c470 415e }
            // n = 5, score = 100
            //   488b9c2490000000     | mov                 ecx, dword ptr [edx + 0x50]
            //   488b742460           | dec                 eax
            //   8bc7                 | test                ecx, ecx
            //   4883c470             | dec                 eax
            //   415e                 | add                 esp, 0x58

        $sequence_2 = { 4883c458 c3 48890d???????? 8bca 48895c2468 }
            // n = 5, score = 100
            //   4883c458             | xor                 edx, edx
            //   c3                   | inc                 ecx
            //   48890d????????       |                     
            //   8bca                 | mov                 eax, 0x400
            //   48895c2468           | dec                 eax

        $sequence_3 = { c744243801000000 c744243004000000 4c8d4de7 4c8d450f 488d4d77 ba00000010 }
            // n = 6, score = 100
            //   c744243801000000     | mov                 dword ptr [ecx], eax
            //   c744243004000000     | dec                 eax
            //   4c8d4de7             | mov                 eax, dword ptr [edx + 0x38]
            //   4c8d450f             | dec                 eax
            //   488d4d77             | mov                 dword ptr [ecx + 8], eax
            //   ba00000010           | dec                 eax

        $sequence_4 = { 4889442420 8b05???????? 448d4201 89442428 }
            // n = 4, score = 100
            //   4889442420           | shl                 esi, 6
            //   8b05????????         |                     
            //   448d4201             | add                 esi, dword ptr [eax*4 + 0x410c00]
            //   89442428             | mov                 dword ptr [ebp - 0x1c], 1

        $sequence_5 = { ef ef 9d 1b11 58 dc4a3f }
            // n = 6, score = 100
            //   ef                   | cmp                 ebx, ecx
            //   ef                   | jb                  0x40
            //   9d                   | dec                 eax
            //   1b11                 | lea                 eax, [0xd668]
            //   58                   | dec                 eax
            //   dc4a3f               | cmp                 ebx, eax

        $sequence_6 = { eb40 4c8d2555960000 488b0d???????? e9???????? }
            // n = 4, score = 100
            //   eb40                 | cmp                 al, 0x6c
            //   4c8d2555960000       | cmp                 al, 0x70
            //   488b0d????????       |                     
            //   e9????????           |                     

        $sequence_7 = { 488d0568d60000 483bd8 7732 488bd3 48b8abaaaaaaaaaaaa2a 482bd1 48f7ea }
            // n = 7, score = 100
            //   488d0568d60000       | xor                 ebx, ebx
            //   483bd8               | mov                 ebp, esp
            //   7732                 | xor                 eax, eax
            //   488bd3               | sub                 esp, 0xc
            //   48b8abaaaaaaaaaaaa2a     | cmp    dword ptr [ecx], eax
            //   482bd1               | cmp                 al, 0x64
            //   48f7ea               | cmp                 al, 0x68

        $sequence_8 = { ff3424 895c2404 881c24 9c }
            // n = 4, score = 100
            //   ff3424               | ja                  0x40
            //   895c2404             | dec                 eax
            //   881c24               | mov                 dword ptr [esp + 0x50], eax
            //   9c                   | dec                 eax

        $sequence_9 = { 488901 488b4238 48894108 488b4a50 4885c9 }
            // n = 5, score = 100
            //   488901               | dec                 eax
            //   488b4238             | mov                 ecx, dword ptr [ebp + 0x408]
            //   48894108             | mov                 eax, ebx
            //   488b4a50             | dec                 eax
            //   4885c9               | lea                 ecx, [ebp - 0x30]

        $sequence_10 = { 4c89642458 488b0b 488d8424a0000000 4533c9 4533c0 }
            // n = 5, score = 100
            //   4c89642458           | dec                 esp
            //   488b0b               | mov                 dword ptr [esp + 0x58], esp
            //   488d8424a0000000     | dec                 eax
            //   4533c9               | mov                 ecx, dword ptr [ebx]
            //   4533c0               | dec                 eax

        $sequence_11 = { 83c404 8d5802 8d642400 668b08 83c002 6685c9 75f5 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   8d5802               | lea                 ebx, [eax + 2]
            //   8d642400             | lea                 esp, [esp]
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7

        $sequence_12 = { 9d 197b99 9b b0cf }
            // n = 4, score = 100
            //   9d                   | ror                 dword ptr [eax - 9], 1
            //   197b99               | jmp                 0x42
            //   9b                   | dec                 esp
            //   b0cf                 | lea                 esp, [0x9655]

        $sequence_13 = { 488b8d08040000 ff15???????? 8bc3 e9???????? 488d4dd0 33d2 41b800040000 }
            // n = 7, score = 100
            //   488b8d08040000       | lea                 eax, [esp + 0xa0]
            //   ff15????????         |                     
            //   8bc3                 | inc                 ebp
            //   e9????????           |                     
            //   488d4dd0             | xor                 ecx, ecx
            //   33d2                 | inc                 ebp
            //   41b800040000         | xor                 eax, eax

        $sequence_14 = { 83c40c 66894de4 8945ec 8d55f8 }
            // n = 4, score = 100
            //   83c40c               | add                 esp, 0xc
            //   66894de4             | mov                 word ptr [ebp - 0x1c], cx
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8d55f8               | lea                 edx, [ebp - 8]

        $sequence_15 = { f9 83ee01 660fbed2 00c3 feca 668b5500 f9 }
            // n = 7, score = 100
            //   f9                   | jmp                 0x7e
            //   83ee01               | dec                 esp
            //   660fbed2             | lea                 esp, [0x963a]
            //   00c3                 | jmp                 0x6e
            //   feca                 | dec                 eax
            //   668b5500             | lea                 ecx, [0xd2e4]
            //   f9                   | dec                 eax

        $sequence_16 = { 6a00 8d8dfcfdffff 51 6800010000 }
            // n = 4, score = 100
            //   6a00                 | inc                 ecx
            //   8d8dfcfdffff         | mov                 ecx, 0x80000000
            //   51                   | inc                 ebp
            //   6800010000           | xor                 eax, eax

        $sequence_17 = { 8bec 33c0 83ec0c 3901 }
            // n = 4, score = 100
            //   8bec                 | mov                 dword ptr [ebp + 0x190], ecx
            //   33c0                 | dec                 eax
            //   83ec0c               | mov                 dword ptr [ebp + 0x198], ecx
            //   3901                 | mov                 dword ptr [ebp + 0x188], ecx

        $sequence_18 = { ffd3 8b3d???????? 8d842448020000 8d4c2418 89442428 51 }
            // n = 6, score = 100
            //   ffd3                 | call                ebx
            //   8b3d????????         |                     
            //   8d842448020000       | lea                 eax, [esp + 0x248]
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   51                   | push                ecx

        $sequence_19 = { 9c 60 8d642428 0f837eb90600 e8???????? 42 }
            // n = 6, score = 100
            //   9c                   | lea                 eax, [edx + 1]
            //   60                   | mov                 dword ptr [esp + 0x28], eax
            //   8d642428             | dec                 eax
            //   0f837eb90600         | lea                 eax, [0xd668]
            //   e8????????           |                     
            //   42                   | dec                 eax

        $sequence_20 = { 8b5708 8b4a08 8b5510 8948f0 8950e0 }
            // n = 5, score = 100
            //   8b5708               | mov                 edx, dword ptr [edi + 8]
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8948f0               | mov                 dword ptr [eax - 0x10], ecx
            //   8950e0               | mov                 dword ptr [eax - 0x20], edx

        $sequence_21 = { 33db 53 53 8b35???????? }
            // n = 4, score = 100
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   8b35????????         |                     

        $sequence_22 = { 488b0d???????? eb7c 4c8d253a960000 488b0d???????? eb6c }
            // n = 5, score = 100
            //   488b0d????????       |                     
            //   eb7c                 | cmp                 al, 0xba
            //   4c8d253a960000       | mov                 dword ptr [ebp - 0x260], eax
            //   488b0d????????       |                     
            //   eb6c                 | cmp                 eax, ecx

        $sequence_23 = { ffd3 83c404 5b 5e }
            // n = 4, score = 100
            //   ffd3                 | call                ebx
            //   83c404               | add                 esp, 4
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_24 = { 48897c2430 e8???????? 488b7b10 4885ff 7410 }
            // n = 5, score = 100
            //   48897c2430           | pop                 ebx
            //   e8????????           |                     
            //   488b7b10             | mov                 ecx, dword ptr [ebp - 4]
            //   4885ff               | xor                 ecx, ebp
            //   7410                 | and                 esi, 0x1f

        $sequence_25 = { 8345fc02 ff4df8 75b3 035b04 833b00 }
            // n = 5, score = 100
            //   8345fc02             | pop                 esi
            //   ff4df8               | test                eax, eax
            //   75b3                 | js                  0x18b
            //   035b04               | dec                 eax
            //   833b00               | lea                 eax, [ebp + 0x198]

        $sequence_26 = { 33f6 c744246800010000 488bf9 4889742460 89742458 }
            // n = 5, score = 100
            //   33f6                 | dec                 esp
            //   c744246800010000     | lea                 ecx, [ebp - 0x19]
            //   488bf9               | dec                 esp
            //   4889742460           | lea                 eax, [ebp + 0xf]
            //   89742458             | dec                 eax

        $sequence_27 = { 85c0 0f8885010000 488d8598010000 41b900000080 4533c0 4889442430 488b05???????? }
            // n = 7, score = 100
            //   85c0                 | ret                 
            //   0f8885010000         | mov                 ecx, edx
            //   488d8598010000       | dec                 eax
            //   41b900000080         | mov                 dword ptr [esp + 0x68], ebx
            //   4533c0               | mov                 dword ptr [esp + 0x38], 1
            //   4889442430           | mov                 dword ptr [esp + 0x30], 4
            //   488b05????????       |                     

        $sequence_28 = { 488d0de4d20000 483bd9 723e 488d0568d60000 483bd8 7732 }
            // n = 6, score = 100
            //   488d0de4d20000       | ja                  0x9d1
            //   483bd9               | jmp                 dword ptr [eax*4 + 0x4031b7]
            //   723e                 | push                edx
            //   488d0568d60000       | mov                 edx, dword ptr [eax + 4]
            //   483bd8               | push                0
            //   7732                 | push                0

        $sequence_29 = { f9 3dae3e37e8 09c9 60 9c }
            // n = 5, score = 100
            //   f9                   | mov                 eax, 0xaaaaaaab
            //   3dae3e37e8           | stosb               byte ptr es:[edi], al
            //   09c9                 | stosb               byte ptr es:[edi], al
            //   60                   | stosb               byte ptr es:[edi], al
            //   9c                   | sub                 cl, byte ptr [eax + 0x2b]

        $sequence_30 = { 83e61f c1e606 033485000c4100 c745e401000000 33db }
            // n = 5, score = 100
            //   83e61f               | mov                 edi, ecx
            //   c1e606               | dec                 eax
            //   033485000c4100       | mov                 dword ptr [esp + 0x60], esi
            //   c745e401000000       | mov                 dword ptr [esp + 0x58], esi
            //   33db                 | dec                 eax

        $sequence_31 = { ff15???????? 8945f0 85c0 7910 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85c0                 | test                eax, eax
            //   7910                 | jns                 0x12

        $sequence_32 = { 483bdf 72ed 48833d????????00 741f 488d0d36c60000 e8???????? 85c0 }
            // n = 7, score = 100
            //   483bdf               | lea                 ecx, [ebp - 0x204]
            //   72ed                 | push                ecx
            //   48833d????????00     |                     
            //   741f                 | push                0x100
            //   488d0d36c60000       | add                 esp, 8
            //   e8????????           |                     
            //   85c0                 | xor                 eax, eax

        $sequence_33 = { e8???????? 83c408 33c0 5b 8b4dfc 33cd e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | dec                 eax
            //   33c0                 | mov                 dword ptr [esp + 0x30], eax
            //   5b                   | xor                 esi, esi
            //   8b4dfc               | mov                 dword ptr [esp + 0x68], 0x100
            //   33cd                 | dec                 eax
            //   e8????????           |                     

        $sequence_34 = { 4889442450 4889442458 89742450 85f6 7410 488b4f10 e8???????? }
            // n = 7, score = 100
            //   4889442450           | push                4
            //   4889442458           | dec                 eax
            //   89742450             | cmp                 ebx, edi
            //   85f6                 | jb                  0xffffffef
            //   7410                 | je                  0x23
            //   488b4f10             | dec                 eax
            //   e8????????           |                     

        $sequence_35 = { 8985a0fdffff 3bc1 0f87cb090000 ff2485b7314000 }
            // n = 4, score = 100
            //   8985a0fdffff         | mov                 dword ptr [ebp - 0x20], 0x40b178
            //   3bc1                 | cmp                 dword ptr [ebp - 0x20], 0x40b17c
            //   0f87cb090000         | jae                 0x21
            //   ff2485b7314000       | add                 dword ptr [ebp - 4], 2

        $sequence_36 = { 3c64 3c68 3c6c 3c70 3cba }
            // n = 5, score = 100
            //   3c64                 | mov                 word ptr [esp + 0x50], cx
            //   3c68                 | dec                 eax
            //   3c6c                 | lea                 ecx, [esp + 0x52]
            //   3c70                 | xor                 edx, edx
            //   3cba                 | jmp                 0xffffffe8

        $sequence_37 = { 6685c9 75f5 2bc3 d1f8 7471 }
            // n = 5, score = 100
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   2bc3                 | sub                 eax, ebx
            //   d1f8                 | sar                 eax, 1
            //   7471                 | je                  0x73

        $sequence_38 = { c8343658 b636 3658 1b38 3658 }
            // n = 5, score = 100
            //   c8343658             | cmp                 ebx, eax
            //   b636                 | ja                  0x37
            //   3658                 | dec                 eax
            //   1b38                 | mov                 edx, ebx
            //   3658                 | dec                 eax

        $sequence_39 = { ebe6 c745e078b14000 817de07cb14000 7311 }
            // n = 4, score = 100
            //   ebe6                 | mov                 eax, edi
            //   c745e078b14000       | dec                 eax
            //   817de07cb14000       | add                 esp, 0x70
            //   7311                 | inc                 ecx

    condition:
        7 of them and filesize < 1983488
}