win.qakbot

QakBot

aka: Pinkslipbot, Qbot, Quakbot

QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been classified as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses its C2 servers to select and download follow-on payloads for the infected host.

References
2020-11-27 | Fiducia & GAD IT AG | Frank Boldewin
@techreport{boldewin:20201127:when:9697611, author = {Frank Boldewin}, title = {{When ransomware hits an ATM giant - The Diebold Nixdorf case dissected}}, date = {2020-11-27}, institution = {Fiducia & GAD IT AG}, url = {https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf}, language = {English}, urldate = {2020-12-01} } When ransomware hits an ATM giant - The Diebold Nixdorf case dissected
PwndLocker QakBot
2020-11-20 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@online{skulkin:20201120:locking:cdb06cf, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{The Locking Egregor}}, date = {2020-11-20}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/egregor}, language = {English}, urldate = {2020-11-23} } The Locking Egregor
Egregor QakBot
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-12 | Intrinsec | Jean Bichet
@online{bichet:20201112:egregor:1ac0eb1, author = {Jean Bichet}, title = {{Egregor – Prolock: Fraternal Twins ?}}, date = {2020-11-12}, organization = {Intrinsec}, url = {https://www.intrinsec.com/egregor-prolock/}, language = {English}, urldate = {2020-11-23} } Egregor – Prolock: Fraternal Twins ?
Egregor PwndLocker QakBot
2020-10-29 | CERT-FR | CERT-FR
@techreport{certfr:20201029:le:d296223, author = {CERT-FR}, title = {{LE MALWARE-AS-A-SERVICE EMOTET}}, date = {2020-10-29}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf}, language = {English}, urldate = {2020-11-04} } LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-14 | CrowdStrike | The Falcon Complete Team
@online{team:20201014:duck:d227846, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3}}, date = {2020-10-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/}, language = {English}, urldate = {2020-11-09} } Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3
QakBot
2020-10-07 | CrowdStrike | The Falcon Complete Team
@online{team:20201007:duck:69360c9, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2}}, date = {2020-10-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/}, language = {English}, urldate = {2020-10-12} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader
2020-10-01 | CrowdStrike | Dylan Barker, Quinten Bowen, Ryan Campbell
@online{barker:20201001:duck:edcc017, author = {Dylan Barker and Quinten Bowen and Ryan Campbell}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1}}, date = {2020-10-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/}, language = {English}, urldate = {2020-10-07} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1
QakBot
2020-09-29 | Microsoft | Microsoft
@techreport{microsoft:20200929:microsoft:6e5d7b0, author = {Microsoft}, title = {{Microsoft Digital Defense Report}}, date = {2020-09-29}, institution = {Microsoft}, url = {https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf}, language = {English}, urldate = {2020-10-05} } Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-10 | QuoSec GmbH | Quosec Blog
@online{blog:20200910:grap:d2f055d, author = {Quosec Blog}, title = {{grap: Automating QakBot strings decryption}}, date = {2020-09-10}, organization = {QuoSec GmbH}, url = {https://blog.quosec.net/posts/grap_qakbot_strings/}, language = {English}, urldate = {2020-11-09} } grap: Automating QakBot strings decryption
QakBot
2020-09-10 | Group-IB | Oleg Skulkin, Semyon Rogachev
@online{skulkin:20200910:lock:a6f630a, author = {Oleg Skulkin and Semyon Rogachev}, title = {{Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting}}, date = {2020-09-10}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/prolock_evolution}, language = {English}, urldate = {2020-09-15} } Lock Like a Pro: Dive in Recent ProLock's Big Game Hunting
PwndLocker QakBot
2020-09-04 | QuoSec GmbH | Quosec Blog
@online{blog:20200904:navigating:75404a6, author = {Quosec Blog}, title = {{Navigating QakBot samples with grap}}, date = {2020-09-04}, organization = {QuoSec GmbH}, url = {https://blog.quosec.net/posts/grap_qakbot_navigation/}, language = {English}, urldate = {2020-11-09} } Navigating QakBot samples with grap
QakBot
2020-08-27 | Checkpoint | Alex Ilgayev
@online{ilgayev:20200827:old:8859e51, author = {Alex Ilgayev}, title = {{An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods}}, date = {2020-08-27}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/}, language = {English}, urldate = {2020-08-31} } An Old Bot’s Nasty New Tricks: Exploring Qbot’s Latest Attack Methods
QakBot
2020-08-20 | Morphisec | Arnold Osipov
@online{osipov:20200820:qakbot:a7e14ef, author = {Arnold Osipov}, title = {{QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal}}, date = {2020-08-20}, organization = {Morphisec}, url = {https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques}, language = {English}, urldate = {2020-08-25} } QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
QakBot
2020-07-15 | N1ght-W0lf Blog | Abdallah Elshinbary
@online{elshinbary:20200715:deep:9b38d20, author = {Abdallah Elshinbary}, title = {{Deep Analysis of QBot Banking Trojan}}, date = {2020-07-15}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/}, language = {English}, urldate = {2020-07-16} } Deep Analysis of QBot Banking Trojan
QakBot
2020-06-24 | Morphisec | Arnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-21 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200621:upnp:f54abe6, author = {Andreas Klopsch}, title = {{UpnP – Messing up Security since years}}, date = {2020-06-21}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/upnp-messing-up-security-since-years/}, language = {English}, urldate = {2020-06-22} } UpnP – Messing up Security since years
QakBot
2020-06-16 | Hornetsecurity | Security Lab
@online{lab:20200616:qakbot:0353100, author = {Security Lab}, title = {{QakBot malspam leading to ProLock: Nothing personal just business}}, date = {2020-06-16}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/}, language = {English}, urldate = {2020-07-01} } QakBot malspam leading to ProLock: Nothing personal just business
PwndLocker QakBot
2020-06-11 | F5 Labs | Doron Voolf
@online{voolf:20200611:qbot:1bd9fe7, author = {Doron Voolf}, title = {{Qbot Banking Trojan Still Up to Its Old Tricks}}, date = {2020-06-11}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks}, language = {English}, urldate = {2020-06-16} } Qbot Banking Trojan Still Up to Its Old Tricks
QakBot
2020-05-05 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200505:old:84beb5b, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 3}}, date = {2020-05-05}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/}, language = {English}, urldate = {2020-05-05} } An old enemy – Diving into QBot part 3
QakBot
2020-03-30 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200330:old:ed1f6ef, author = {Andreas Klopsch}, title = {{An old enemy – Diving into QBot part 1}}, date = {2020-03-30}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/}, language = {English}, urldate = {2020-04-01} } An old enemy – Diving into QBot part 1
QakBot
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-19 | FireEye | FireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-10 | Malwarebytes | Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-03 | Youtube (BSides Belfast) | Nick Summerlin, Jorge Rodriguez
@online{summerlin:20200103:demystifying:c0a1a19, author = {Nick Summerlin and Jorge Rodriguez}, title = {{Demystifying QBot Banking Trojan}}, date = {2020-01-03}, organization = {Youtube (BSides Belfast)}, url = {https://www.youtube.com/watch?v=iB1psRMtlqg}, language = {English}, urldate = {2020-02-21} } Demystifying QBot Banking Trojan
QakBot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:00ad0eb, author = {SecureWorks}, title = {{GOLD LAGOON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-lagoon}, language = {English}, urldate = {2020-05-23} } GOLD LAGOON
QakBot
2019-11-12 | Hatching.io | Markel Picado
@online{picado:20191112:reversing:de8a8b6, author = {Markel Picado}, title = {{Reversing Qakbot}}, date = {2019-11-12}, organization = {Hatching.io}, url = {https://hatching.io/blog/reversing-qakbot}, language = {English}, urldate = {2020-01-07} } Reversing Qakbot
QakBot
2019-06-03 | Varonis | Dolev Taler, Eric Saraga
@online{taler:20190603:varonis:21ad52e, author = {Dolev Taler and Eric Saraga}, title = {{Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims}}, date = {2019-06-03}, organization = {Varonis}, url = {https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/}, language = {English}, urldate = {2020-01-05} } Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims
QakBot
2019-05-02 | Cisco Talos | Ashlee Benge, Nick Randolph
@online{benge:20190502:qakbot:8c34660, author = {Ashlee Benge and Nick Randolph}, title = {{Qakbot levels up with new obfuscation techniques}}, date = {2019-05-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html}, language = {English}, urldate = {2019-10-14} } Qakbot levels up with new obfuscation techniques
QakBot
2018-07-29 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20180729:lets:8f04eed, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}}, date = {2018-07-29}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html}, language = {English}, urldate = {2020-01-06} } Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1
QakBot
2017-11-06 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20171106:mitigating:b623a70, author = {Microsoft Defender ATP Research Team}, title = {{Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks}}, date = {2017-11-06}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/}, language = {English}, urldate = {2020-10-23} } Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks
Emotet QakBot
2017-06-02 | SecurityIntelligence | Mike Oppenheim, Kevin Zuk, Matan Meir, Limor Kessem
@online{oppenheim:20170602:qakbot:ffff91a, author = {Mike Oppenheim and Kevin Zuk and Matan Meir and Limor Kessem}, title = {{QakBot Banking Trojan Causes Massive Active Directory Lockouts}}, date = {2017-06-02}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/}, language = {English}, urldate = {2020-01-10} } QakBot Banking Trojan Causes Massive Active Directory Lockouts
QakBot
2017-05-23 | ThreatVector | Cylance Threat Research Team
@online{team:20170523:quakbot:3572c02, author = {Cylance Threat Research Team}, title = {{Quakbot}}, date = {2017-05-23}, organization = {ThreatVector}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html}, language = {English}, urldate = {2020-01-08} } Quakbot
QakBot
2016-08 | Intel Security | Sanchit Karve, Guilherme Venere, Mark Olea
@techreport{karve:201608:diving:6f604b3, author = {Sanchit Karve and Guilherme Venere and Mark Olea}, title = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}}, date = {2016-08}, institution = {Intel Security}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf}, language = {English}, urldate = {2019-11-27} } DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN
QakBot
2016-02-24 | Johannes Bader Blog | Johannes Bader
@online{bader:20160224:dga:735ff10, author = {Johannes Bader}, title = {{The DGA of Qakbot.T}}, date = {2016-02-24}, organization = {Johannes Bader Blog}, url = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/}, language = {English}, urldate = {2020-01-06} } The DGA of Qakbot.T
QakBot
2016 | BAE Systems | BAE Systems
@techreport{systems:2016:return:52c175d, author = {BAE Systems}, title = {{The Return of Qbot}}, date = {2016}, institution = {BAE Systems}, url = {https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf}, language = {English}, urldate = {2019-11-29} } The Return of Qbot
QakBot
2012 | Symantec | Nicolas Falliere
@techreport{falliere:2012:w32qakbot:974b5b5, author = {Nicolas Falliere}, title = {{W32.Qakbot in Detail}}, date = {2012}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf}, language = {English}, urldate = {2019-11-28} } W32.Qakbot in Detail
QakBot
2011-05-25 | Contagio Dump | Mila Parkour
@online{parkour:20110525:w32qakbot:b814de0, author = {Mila Parkour}, title = {{W32.Qakbot aka W32/Pinkslipbot or infostealer worm}}, date = {2011-05-25}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/11/template.html}, language = {English}, urldate = {2019-11-21} } W32.Qakbot aka W32/Pinkslipbot or infostealer worm
QakBot
Yara Rules
[TLP:WHITE] win_qakbot_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_qakbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 3800
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_1 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 3800
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi
            //   0f94c0               | sete                al

        $sequence_2 = { 8b81c0090000 8b1481 40 8981c0090000 8bc2 }
            // n = 5, score = 3600
            //   8b81c0090000         | mov                 eax, dword ptr [ecx + 0x9c0]
            //   8b1481               | mov                 edx, dword ptr [ecx + eax*4]
            //   40                   | inc                 eax
            //   8981c0090000         | mov                 dword ptr [ecx + 0x9c0], eax
            //   8bc2                 | mov                 eax, edx

        $sequence_3 = { 57 6a00 6a02 ff15???????? 8bf8 83c8ff 3bf8 }
            // n = 7, score = 3600
            //   57                   | push                edi
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83c8ff               | or                  eax, 0xffffffff
            //   3bf8                 | cmp                 edi, eax

        $sequence_4 = { 50 e8???????? 8b06 47 59 }
            // n = 5, score = 3600
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   47                   | inc                 edi
            //   59                   | pop                 ecx

        $sequence_5 = { c74508???????? e8???????? 85c0 7d08 83c8ff e9???????? }
            // n = 6, score = 3600
            //   c74508????????       |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7d08                 | jge                 0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_6 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 3600
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   3d80000000           | cmp                 eax, 0x80
            //   0f94c1               | sete                cl

        $sequence_7 = { 8981c0090000 8bc2 c1e80b 33d0 8bc2 25ad583aff }
            // n = 6, score = 3600
            //   8981c0090000         | mov                 dword ptr [ecx + 0x9c0], eax
            //   8bc2                 | mov                 eax, edx
            //   c1e80b               | shr                 eax, 0xb
            //   33d0                 | xor                 edx, eax
            //   8bc2                 | mov                 eax, edx
            //   25ad583aff           | and                 eax, 0xff3a58ad

        $sequence_8 = { 750c 57 ff15???????? 6afe }
            // n = 4, score = 3600
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6afe                 | push                -2

        $sequence_9 = { c9 c3 55 8bec 81ecc4090000 }
            // n = 5, score = 3600
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ecc4090000         | sub                 esp, 0x9c4

        $sequence_10 = { 740d 8d45fc 6a00 50 e8???????? 59 59 }
            // n = 7, score = 3600
            //   740d                 | je                  0xf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_11 = { 7405 8b4df8 8908 ff75fc }
            // n = 4, score = 3600
            //   7405                 | je                  7
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_12 = { ff750c 8d85d8feffff 50 ff5508 }
            // n = 4, score = 3500
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]

        $sequence_13 = { 7412 8d85d8feffff 50 57 }
            // n = 4, score = 3500
            //   7412                 | je                  0x14
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_14 = { 83c40c 33c0 5b 5f 5e c9 c3 }
            // n = 7, score = 3500
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_15 = { 33c0 7402 ebfa e8???????? }
            // n = 4, score = 3500
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   e8????????           |                     

        $sequence_16 = { ebfa 83c8ff eb02 33c0 }
            // n = 4, score = 3300
            //   ebfa                 | jmp                 0xfffffffc
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_17 = { 6a00 ff15???????? a3???????? 833d????????00 750b }
            // n = 5, score = 3300
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   a3????????           |                     
            //   833d????????00       |                     
            //   750b                 | jne                 0xd

        $sequence_18 = { 7404 33c0 eb27 6a00 }
            // n = 4, score = 3300
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax
            //   eb27                 | jmp                 0x29
            //   6a00                 | push                0

        $sequence_19 = { 833d????????00 750b 33c0 7402 }
            // n = 4, score = 3300
            //   833d????????00       |                     
            //   750b                 | jne                 0xd
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_20 = { 85c0 750d 33d2 7402 ebfa }
            // n = 5, score = 3300
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf
            //   33d2                 | xor                 edx, edx
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc

        $sequence_21 = { 7402 ebfa 33c0 7402 }
            // n = 4, score = 3300
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4

        $sequence_22 = { 895104 8901 e8???????? 668b742446 }
            // n = 4, score = 100
            //   895104               | mov                 dword ptr [ecx + 4], edx
            //   8901                 | mov                 dword ptr [ecx], eax
            //   e8????????           |                     
            //   668b742446           | mov                 si, word ptr [esp + 0x46]

        $sequence_23 = { 895c2440 89742444 0f8562feffff e9???????? 8b442418 8b4c241c }
            // n = 6, score = 100
            //   895c2440             | mov                 dword ptr [esp + 0x40], ebx
            //   89742444             | mov                 dword ptr [esp + 0x44], esi
            //   0f8562feffff         | jne                 0xfffffe68
            //   e9????????           |                     
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]

        $sequence_24 = { 8b7c247c 31db 89442418 b8ef594a80 29f0 19fb 89c6 }
            // n = 7, score = 100
            //   8b7c247c             | mov                 edi, dword ptr [esp + 0x7c]
            //   31db                 | xor                 ebx, ebx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   b8ef594a80           | mov                 eax, 0x804a59ef
            //   29f0                 | sub                 eax, esi
            //   19fb                 | sbb                 ebx, edi
            //   89c6                 | mov                 esi, eax

        $sequence_25 = { 8874240b 69f60ea9c735 89742404 8b7124 8854240b 89742410 8b7120 }
            // n = 7, score = 100
            //   8874240b             | mov                 byte ptr [esp + 0xb], dh
            //   69f60ea9c735         | imul                esi, esi, 0x35c7a90e
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   8b7124               | mov                 esi, dword ptr [ecx + 0x24]
            //   8854240b             | mov                 byte ptr [esp + 0xb], dl
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   8b7120               | mov                 esi, dword ptr [ecx + 0x20]

        $sequence_26 = { 8945c0 894dbc ffd2 83ec04 8b4de0 8b5114 8b75bc }
            // n = 7, score = 100
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   894dbc               | mov                 dword ptr [ebp - 0x44], ecx
            //   ffd2                 | call                edx
            //   83ec04               | sub                 esp, 4
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b5114               | mov                 edx, dword ptr [ecx + 0x14]
            //   8b75bc               | mov                 esi, dword ptr [ebp - 0x44]

        $sequence_27 = { c7415005000000 8b742470 81f661a0a46a 8a4c2465 }
            // n = 4, score = 100
            //   c7415005000000       | mov                 dword ptr [ecx + 0x50], 5
            //   8b742470             | mov                 esi, dword ptr [esp + 0x70]
            //   81f661a0a46a         | xor                 esi, 0x6aa4a061
            //   8a4c2465             | mov                 cl, byte ptr [esp + 0x65]

        $sequence_28 = { 894c2470 0f84c2feffff eba7 b801000000 8b8c2498000000 }
            // n = 5, score = 100
            //   894c2470             | mov                 dword ptr [esp + 0x70], ecx
            //   0f84c2feffff         | je                  0xfffffec8
            //   eba7                 | jmp                 0xffffffa9
            //   b801000000           | mov                 eax, 1
            //   8b8c2498000000       | mov                 ecx, dword ptr [esp + 0x98]

        $sequence_29 = { 56 83e4f8 83ec28 8b450c 8b4d08 31d2 c74424242309064d }
            // n = 7, score = 100
            //   56                   | push                esi
            //   83e4f8               | and                 esp, 0xfffffff8
            //   83ec28               | sub                 esp, 0x28
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   31d2                 | xor                 edx, edx
            //   c74424242309064d     | mov                 dword ptr [esp + 0x24], 0x4d060923

    condition:
        7 of them and filesize < 958464
}