SYMBOLCOMMON_NAMEaka. SYNONYMS
win.purplefox (Back to overview)

PurpleFox


Purple Fox uses msi.dll function, 'MsiInstallProductA', to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. once executed the system will be restarted and uses the 'PendingFileRenameOperations' registry to rename it's components.

Upon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable it's rootkit components, which includes hiding and protecting its files and registry entries. It also abuses a file utility software to hide its DLL component, which deters reverse engineering.

References
2022-03-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220328:purple:a7adcb0, author = {Ravie Lakshmanan}, title = {{'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks}}, date = {2022-03-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html}, language = {English}, urldate = {2022-03-29} } 'Purple Fox' Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
DirtyMoe FatalRat PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@online{magdy:20220325:purple:bb817d9, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html}, language = {English}, urldate = {2022-03-28} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@techreport{magdy:20220325:purple:ef08c67, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)}}, date = {2022-03-25}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf}, language = {English}, urldate = {2022-03-28} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (Technical Brief)
PurpleFox
2022-03-25Trend MicroSherif Magdy, Abdelrhman Sharshar, Jay Yaneza
@online{magdy:20220325:purple:fffddcf, author = {Sherif Magdy and Abdelrhman Sharshar and Jay Yaneza}, title = {{Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)}}, date = {2022-03-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt}, language = {English}, urldate = {2022-03-28} } Purple Fox Uses New Arrival Vector and Improves Malware Arsenal (IOCs)
PurpleFox
2022-01-20BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220120:threat:e0eda13, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Purple Fox Rootkit}}, date = {2022-01-20}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit}, language = {English}, urldate = {2022-01-24} } Threat Thursday: Purple Fox Rootkit
PurpleFox
2022-01-04The Cyber Security TimesJohn Greenwood
@online{greenwood:20220104:purple:98da376, author = {John Greenwood}, title = {{Purple Fox malware is actively distributed via Telegram Installers}}, date = {2022-01-04}, organization = {The Cyber Security Times}, url = {https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/}, language = {English}, urldate = {2022-01-06} } Purple Fox malware is actively distributed via Telegram Installers
PurpleFox
2022-01-03MinervaLabsNatalie Zargarov
@online{zargarov:20220103:malicious:23d7ba8, author = {Natalie Zargarov}, title = {{Malicious Telegram Installer Drops Purple Fox Rootkit}}, date = {2022-01-03}, organization = {MinervaLabs}, url = {https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit}, language = {English}, urldate = {2022-01-06} } Malicious Telegram Installer Drops Purple Fox Rootkit
PurpleFox
2021-12-13Trend MicroJay Yaneza, Abdelrhman Sharshar, Sherif Magdy
@online{yaneza:20211213:look:41dc207, author = {Jay Yaneza and Abdelrhman Sharshar and Sherif Magdy}, title = {{A Look Into Purple Fox’s Server Infrastructure}}, date = {2021-12-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html}, language = {English}, urldate = {2021-12-31} } A Look Into Purple Fox’s Server Infrastructure
PurpleFox
2021-10-19Trend MicroAbdelrhman Sharshar, Jay Yaneza, Sherif Magdy
@online{sharshar:20211019:purplefox:06308c3, author = {Abdelrhman Sharshar and Jay Yaneza and Sherif Magdy}, title = {{PurpleFox Adds New Backdoor That Uses WebSockets}}, date = {2021-10-19}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html}, language = {English}, urldate = {2021-10-24} } PurpleFox Adds New Backdoor That Uses WebSockets
FoxSocket PurpleFox
2021-07-07Twitter (@C0rk1_H)hyabcd
@online{hyabcd:20210707:purplefox:af42cde, author = {hyabcd}, title = {{Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign}}, date = {2021-07-07}, organization = {Twitter (@C0rk1_H)}, url = {https://twitter.com/C0rk1_H/status/1412801973628272641?s=20}, language = {English}, urldate = {2021-07-19} } Tweet on purplefox exploiting PrintNightmare (CVE-2021-34527) vulnerability in cryptocurrency mining campaign
PurpleFox
2021-07-01Trend MicroWilliam Gamazo Sanchez
@online{sanchez:20210701:purplefox:fb8c3c4, author = {William Gamazo Sanchez}, title = {{PurpleFox Using WPAD to Target Indonesian Users}}, date = {2021-07-01}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html}, language = {English}, urldate = {2021-07-02} } PurpleFox Using WPAD to Target Indonesian Users
PurpleFox
2021-06-11TencentThe Tencent Security Threat Intelligence Center
@online{center:20210611:tencent:ed32dd1, author = {The Tencent Security Threat Intelligence Center}, title = {{Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm}}, date = {2021-06-11}, organization = {Tencent}, url = {https://s.tencent.com/research/report/1322.html}, language = {Chinese}, urldate = {2021-06-22} } Tencent Security Report: Purple Fox virus maliciously attacks SQL server and spreads like a worm
PurpleFox
2021-04-15nao_sec blognao_sec
@online{naosec:20210415:exploit:b5fe0b8, author = {nao_sec}, title = {{Exploit Kit still sharpens a sword}}, date = {2021-04-15}, organization = {nao_sec blog}, url = {https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html}, language = {English}, urldate = {2021-04-20} } Exploit Kit still sharpens a sword
PurpleFox
2021-04-14HPPatrick Schläpfer
@online{schlpfer:20210414:from:6649630, author = {Patrick Schläpfer}, title = {{From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411}}, date = {2021-04-14}, organization = {HP}, url = {https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/}, language = {English}, urldate = {2021-04-16} } From PoC to Exploit Kit: Purple Fox now exploits CVE-2021-26411
PurpleFox
2021-03-25MalwarebytesMalwarebytes Labs
@online{labs:20210325:perkiler:3733a75, author = {Malwarebytes Labs}, title = {{Perkiler malware turns to SMB brute force to spread}}, date = {2021-03-25}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/}, language = {English}, urldate = {2021-03-30} } Perkiler malware turns to SMB brute force to spread
PurpleFox
2021-03-24GuardicoreAmit Serper
@online{serper:20210324:purple:86ec5cf, author = {Amit Serper}, title = {{Purple Fox Rootkit Now Propagates as a Worm}}, date = {2021-03-24}, organization = {Guardicore}, url = {https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/}, language = {English}, urldate = {2021-03-25} } Purple Fox Rootkit Now Propagates as a Worm
PurpleFox
2019-09-09Trend MicroJohnlery Triunfante, Earle Earnshaw
@online{triunfante:20190909:purple:4a222ca, author = {Johnlery Triunfante and Earle Earnshaw}, title = {{‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell}}, date = {2019-09-09}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/}, language = {English}, urldate = {2020-01-13} } ‘Purple Fox’ Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
PurpleFox
2017-07-05Trend MicroKevin Y. Huang
@online{huang:20170705:security:8819459, author = {Kevin Y. Huang}, title = {{Security 101: The Impact of Cryptocurrency-Mining Malware}}, date = {2017-07-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware}, language = {English}, urldate = {2020-01-07} } Security 101: The Impact of Cryptocurrency-Mining Malware
PurpleFox
Yara Rules
[TLP:WHITE] win_purplefox_auto (20220411 | Detects win.purplefox.)
rule win_purplefox_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.purplefox."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8918 e8???????? 4c8d15a7c70000 4885c0 }
            // n = 4, score = 100
            //   8918                 | dec                 eax
            //   e8????????           |                     
            //   4c8d15a7c70000       | mov                 ecx, eax
            //   4885c0               | dec                 eax

        $sequence_1 = { 7d12 488d0d20b30000 e8???????? 90 e9???????? }
            // n = 5, score = 100
            //   7d12                 | ret                 
            //   488d0d20b30000       | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 edx, dword ptr [0xadc8]
            //   e9????????           |                     

        $sequence_2 = { 4c8d842498000000 8bd6 488bcb ff15???????? 8bf8 85c0 7910 }
            // n = 7, score = 100
            //   4c8d842498000000     | dec                 esp
            //   8bd6                 | lea                 eax, dword ptr [esp + 0x98]
            //   488bcb               | mov                 edx, esi
            //   ff15????????         |                     
            //   8bf8                 | dec                 eax
            //   85c0                 | mov                 ecx, ebx
            //   7910                 | mov                 edi, eax

        $sequence_3 = { 893e 897e04 897e08 e8???????? 83c40c eb02 33f6 }
            // n = 7, score = 100
            //   893e                 | add                 esp, 8
            //   897e04               | xor                 edi, edi
            //   897e08               | jmp                 0x71
            //   e8????????           |                     
            //   83c40c               | jmp                 9
            //   eb02                 | xor                 eax, eax
            //   33f6                 | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_4 = { 5b c3 33d2 e8???????? 33c9 85c0 }
            // n = 6, score = 100
            //   5b                   | mov                 dword ptr [esi + 4], edi
            //   c3                   | mov                 dword ptr [esi + 8], edi
            //   33d2                 | add                 esp, 0xc
            //   e8????????           |                     
            //   33c9                 | jmp                 0xa
            //   85c0                 | xor                 esi, esi

        $sequence_5 = { e8???????? eb2b 83f8ff 7526 4c8d25fb8b0000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   eb2b                 | pop                 ebp
            //   83f8ff               | ret                 
            //   7526                 | mov                 eax, dword ptr [eax*8 + 0x40bb2c]
            //   4c8d25fb8b0000       | pop                 ebp

        $sequence_6 = { 8bc6 c1f805 8b0485000c4100 83e61f c1e606 8d443004 }
            // n = 6, score = 100
            //   8bc6                 | cmp                 eax, 5
            //   c1f805               | jge                 0x18
            //   8b0485000c4100       | mov                 cx, word ptr [ebx + eax*2 + 0x10]
            //   83e61f               | mov                 word ptr [eax*2 + 0x410a00], cx
            //   c1e606               | inc                 eax
            //   8d443004             | pop                 ebp

        $sequence_7 = { 488d15c8ad0000 488bc8 ff15???????? 488be8 0f1f4000 8bcf e8???????? }
            // n = 7, score = 100
            //   488d15c8ad0000       | push                edx
            //   488bc8               | push                0
            //   ff15????????         |                     
            //   488be8               | push                3
            //   0f1f4000             | push                eax
            //   8bcf                 | push                eax
            //   e8????????           |                     

        $sequence_8 = { 50 50 6a08 8945fc 8d45f4 50 6804202200 }
            // n = 7, score = 100
            //   50                   | dec                 eax
            //   50                   | mov                 ecx, dword ptr [esp + 0x78]
            //   6a08                 | mov                 eax, ebx
            //   8945fc               | push                1
            //   8d45f4               | mov                 dword ptr [esi], eax
            //   50                   | push                0
            //   6804202200           | mov                 dword ptr [esi + 4], ecx

        $sequence_9 = { 83c408 33ff eb6f 68???????? eb05 68???????? e8???????? }
            // n = 7, score = 100
            //   83c408               | lea                 eax, dword ptr [esp + 0x70]
            //   33ff                 | dec                 eax
            //   eb6f                 | lea                 edx, dword ptr [esp + 0x40]
            //   68????????           |                     
            //   eb05                 | dec                 eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_10 = { 2bc2 d1f8 0f842d010000 33c0 6808020000 }
            // n = 5, score = 100
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   0f842d010000         | je                  0x133
            //   33c0                 | xor                 eax, eax
            //   6808020000           | push                0x208

        $sequence_11 = { ba00000010 c744242880000000 c7458030000000 48897588 4889742420 }
            // n = 5, score = 100
            //   ba00000010           | dec                 eax
            //   c744242880000000     | mov                 esi, dword ptr [esp + 0x60]
            //   c7458030000000       | mov                 eax, edi
            //   48897588             | dec                 eax
            //   4889742420           | add                 esp, 0x70

        $sequence_12 = { 8a1d???????? 6a01 8906 6a00 894e04 }
            // n = 5, score = 100
            //   8a1d????????         |                     
            //   6a01                 | lea                 ecx, dword ptr [0x1eb9]
            //   8906                 | dec                 eax
            //   6a00                 | lea                 edx, dword ptr [esp + 0x30]
            //   894e04               | dec                 eax

        $sequence_13 = { ff15???????? 488d442470 488d542440 488d4c2430 4889442438 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488d442470           | mov                 ecx, dword ptr [ecx + 8]
            //   488d542440           | cmp                 eax, 0x103
            //   488d4c2430           | jne                 0x1e
            //   4889442438           | dec                 eax

        $sequence_14 = { a2???????? b58d 38e6 18b8871d8bc1 23a16f7cfad4 52 029e0920bb71 }
            // n = 7, score = 100
            //   a2????????           |                     
            //   b58d                 | inc                 ecx
            //   38e6                 | mov                 eax, 0x206
            //   18b8871d8bc1         | dec                 eax
            //   23a16f7cfad4         | lea                 ecx, dword ptr [esp + 0x52]
            //   52                   | pop                 ebx
            //   029e0920bb71         | ret                 

        $sequence_15 = { 4f 4d 5f c08ede507d0464 0f7fee }
            // n = 5, score = 100
            //   4f                   | xor                 edx, edx
            //   4d                   | xor                 ecx, ecx
            //   5f                   | test                eax, eax
            //   c08ede507d0464       | dec                 eax
            //   0f7fee               | lea                 ecx, dword ptr [0x966f]

        $sequence_16 = { 48898d98010000 898d88010000 66894c2450 488d4c2452 33d2 41b806020000 4889442440 }
            // n = 7, score = 100
            //   48898d98010000       | lea                 ecx, dword ptr [esp + 0x30]
            //   898d88010000         | inc                 ecx
            //   66894c2450           | mov                 cl, 1
            //   488d4c2452           | inc                 ebp
            //   33d2                 | xor                 eax, eax
            //   41b806020000         | dec                 eax
            //   4889442440           | lea                 edx, dword ptr [esp + 0x20]

        $sequence_17 = { 33c0 8945e4 83f805 7d10 668b4c4310 66890c45000a4100 40 }
            // n = 7, score = 100
            //   33c0                 | lea                 ecx, dword ptr [esp + 0x30]
            //   8945e4               | dec                 eax
            //   83f805               | mov                 dword ptr [esp + 0x38], eax
            //   7d10                 | dec                 eax
            //   668b4c4310           | mov                 dword ptr [ebp + 0x198], ecx
            //   66890c45000a4100     | mov                 dword ptr [ebp + 0x188], ecx
            //   40                   | mov                 word ptr [esp + 0x50], cx

        $sequence_18 = { 83ec28 ff15???????? 84c0 740b b8010000c0 8be5 5d }
            // n = 7, score = 100
            //   83ec28               | sub                 esp, 0x28
            //   ff15????????         |                     
            //   84c0                 | test                al, al
            //   740b                 | je                  0xd
            //   b8010000c0           | mov                 eax, 0xc0000001
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_19 = { 488d0d6f960000 483bc1 746d 488b8310010000 4885c0 7461 833800 }
            // n = 7, score = 100
            //   488d0d6f960000       | mov                 eax, esi
            //   483bc1               | sar                 eax, 5
            //   746d                 | mov                 eax, dword ptr [eax*4 + 0x410c00]
            //   488b8310010000       | and                 esi, 0x1f
            //   4885c0               | shl                 esi, 6
            //   7461                 | lea                 eax, dword ptr [eax + esi + 4]
            //   833800               | xor                 eax, eax

        $sequence_20 = { 488b9c2490000000 488b742460 8bc7 4883c470 }
            // n = 4, score = 100
            //   488b9c2490000000     | test                eax, eax
            //   488b742460           | jns                 0x12
            //   8bc7                 | dec                 eax
            //   4883c470             | mov                 ebx, dword ptr [esp + 0x90]

        $sequence_21 = { 488b4908 ff15???????? 3d03010000 751c 488d4c2430 41b101 4533c0 }
            // n = 7, score = 100
            //   488b4908             | mov                 dword ptr [ebp - 0x78], esi
            //   ff15????????         |                     
            //   3d03010000           | dec                 eax
            //   751c                 | mov                 dword ptr [esp + 0x20], esi
            //   488d4c2430           | jns                 0x14
            //   41b101               | dec                 eax
            //   4533c0               | mov                 ecx, dword ptr [ebp + 0x190]

        $sequence_22 = { 6644895c2450 33d2 41b806020000 488d4c2452 e8???????? }
            // n = 5, score = 100
            //   6644895c2450         | lea                 eax, dword ptr [ebp - 0xc]
            //   33d2                 | push                eax
            //   41b806020000         | push                0x222004
            //   488d4c2452           | mov                 dword ptr [esi], edi
            //   e8????????           |                     

        $sequence_23 = { 8d4c2434 51 8d542410 52 ffd7 8d442424 }
            // n = 6, score = 100
            //   8d4c2434             | lea                 ecx, dword ptr [esp + 0x34]
            //   51                   | push                ecx
            //   8d542410             | lea                 edx, dword ptr [esp + 0x10]
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8d442424             | lea                 eax, dword ptr [esp + 0x24]

        $sequence_24 = { 7912 488b8d90010000 ff15???????? e9???????? 488b8d98010000 4533c9 }
            // n = 6, score = 100
            //   7912                 | mov                 edx, 0x10000000
            //   488b8d90010000       | mov                 dword ptr [esp + 0x28], 0x80
            //   ff15????????         |                     
            //   e9????????           |                     
            //   488b8d98010000       | mov                 dword ptr [ebp - 0x80], 0x30
            //   4533c9               | dec                 eax

        $sequence_25 = { 50 681938addb 60 8d642428 0f839ff1ffff f8 31c0 }
            // n = 7, score = 100
            //   50                   | dec                 eax
            //   681938addb           | cmp                 eax, ecx
            //   60                   | je                  0x6f
            //   8d642428             | dec                 eax
            //   0f839ff1ffff         | mov                 eax, dword ptr [ebx + 0x110]
            //   f8                   | dec                 eax
            //   31c0                 | test                eax, eax

        $sequence_26 = { 0aa0c9848029 1d43db4bce 33c1 b010 dc44df55 }
            // n = 5, score = 100
            //   0aa0c9848029         | dec                 esp
            //   1d43db4bce           | lea                 esp, dword ptr [0x9655]
            //   33c1                 | inc                 sp
            //   b010                 | mov                 dword ptr [esp + 0x50], ebx
            //   dc44df55             | xor                 edx, edx

        $sequence_27 = { 8bf0 56 68???????? ffd3 83c408 85f6 }
            // n = 6, score = 100
            //   8bf0                 | mov                 esi, eax
            //   56                   | push                esi
            //   68????????           |                     
            //   ffd3                 | call                ebx
            //   83c408               | add                 esp, 8
            //   85f6                 | test                esi, esi

        $sequence_28 = { e8???????? eb40 4c8d2555960000 488b0d???????? }
            // n = 4, score = 100
            //   e8????????           |                     
            //   eb40                 | push                8
            //   4c8d2555960000       | mov                 dword ptr [ebp - 4], eax
            //   488b0d????????       |                     

        $sequence_29 = { 5d c3 8b5608 2b5604 8b4dfc 035004 }
            // n = 6, score = 100
            //   5d                   | dec                 eax
            //   c3                   | lea                 ecx, dword ptr [esp + 0x52]
            //   8b5608               | xor                 edx, edx
            //   2b5604               | inc                 ecx
            //   8b4dfc               | mov                 eax, 0x206
            //   035004               | dec                 eax

        $sequence_30 = { 50 ff15???????? 3945f8 7426 68???????? ffd3 83c404 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3945f8               | cmp                 dword ptr [ebp - 8], eax
            //   7426                 | je                  0x28
            //   68????????           |                     
            //   ffd3                 | call                ebx
            //   83c404               | add                 esp, 4

        $sequence_31 = { 8d95fcfdffff 52 6a00 6a03 }
            // n = 4, score = 100
            //   8d95fcfdffff         | mov                 dword ptr [esp + 0x40], eax
            //   52                   | mov                 ebx, eax
            //   6a00                 | test                eax, eax
            //   6a03                 | jns                 0x15

        $sequence_32 = { 9c 895c244c 9c 896c244c 9c 883c24 8d642450 }
            // n = 7, score = 100
            //   9c                   | dec                 esp
            //   895c244c             | lea                 esp, dword ptr [0x8bfb]
            //   9c                   | jge                 0x14
            //   896c244c             | dec                 eax
            //   9c                   | lea                 ecx, dword ptr [0xb320]
            //   883c24               | nop                 
            //   8d642450             | mov                 dword ptr [eax], ebx

        $sequence_33 = { 46 0e 54 1e b44c }
            // n = 5, score = 100
            //   46                   | je                  0x6f
            //   0e                   | cmp                 dword ptr [eax], 0
            //   54                   | jmp                 0x2d
            //   1e                   | cmp                 eax, -1
            //   b44c                 | jne                 0x2b

        $sequence_34 = { 6a01 6a00 6a00 8d55e0 52 ff15???????? }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d55e0               | lea                 edx, dword ptr [ebp - 0x20]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_35 = { ff742420 9d 68001ee4ea 9c }
            // n = 4, score = 100
            //   ff742420             | dec                 esp
            //   9d                   | lea                 edx, dword ptr [0xc7a7]
            //   68001ee4ea           | dec                 eax
            //   9c                   | test                eax, eax

        $sequence_36 = { 488d542420 488d0dcb1e0000 ff15???????? 488d542430 488d0db91e0000 ff15???????? 488d542430 }
            // n = 7, score = 100
            //   488d542420           | dec                 eax
            //   488d0dcb1e0000       | mov                 ecx, dword ptr [ebp + 0x198]
            //   ff15????????         |                     
            //   488d542430           | inc                 ebp
            //   488d0db91e0000       | xor                 ecx, ecx
            //   ff15????????         |                     
            //   488d542430           | dec                 eax

        $sequence_37 = { 8b3d???????? 8d842448020000 8d4c2418 89442428 51 8d542428 8d442444 }
            // n = 7, score = 100
            //   8b3d????????         |                     
            //   8d842448020000       | lea                 eax, dword ptr [esp + 0x248]
            //   8d4c2418             | lea                 ecx, dword ptr [esp + 0x18]
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   51                   | push                ecx
            //   8d542428             | lea                 edx, dword ptr [esp + 0x28]
            //   8d442444             | lea                 eax, dword ptr [esp + 0x44]

        $sequence_38 = { 8978f4 8b0b 8948e8 8b5304 8950ec }
            // n = 5, score = 100
            //   8978f4               | mov                 dword ptr [eax - 0xc], edi
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8948e8               | mov                 dword ptr [eax - 0x18], ecx
            //   8b5304               | mov                 edx, dword ptr [ebx + 4]
            //   8950ec               | mov                 dword ptr [eax - 0x14], edx

        $sequence_39 = { 99 43 3658 3f 47 }
            // n = 5, score = 100
            //   99                   | dec                 eax
            //   43                   | lea                 eax, dword ptr [esp + 0x50]
            //   3658                 | dec                 eax
            //   3f                   | mov                 dword ptr [esp + 0x60], edx
            //   47                   | dec                 eax

    condition:
        7 of them and filesize < 1983488
}
Download all Yara Rules