SYMBOLCOMMON_NAMEaka. SYNONYMS
win.remcos (Back to overview)

Remcos

aka: RemcosRAT, Remvio, Socmer

Actor(s): APT33, The Gorgon Group

URLhaus          

Remcos (acronym of Remote Control & Surveillance Software) is a Remote Access Software used to remotely control computers.
Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.
Remcos can be used for surveillance and penetration testing purposes, and in some instances has been used in hacking campaigns.

References
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-07-19MalwarebytesErika Noerenberg
@online{noerenberg:20210719:remcos:fdf8bd6, author = {Erika Noerenberg}, title = {{Remcos RAT delivered via Visual Basic}}, date = {2021-07-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/}, language = {English}, urldate = {2021-07-26} } Remcos RAT delivered via Visual Basic
Remcos
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-05-13AnomaliTara Gould, Gage Mele
@online{gould:20210513:threat:6115cfb, author = {Tara Gould and Gage Mele}, title = {{Threat Actors Use MSBuild to Deliver RATs Filelessly}}, date = {2021-05-13}, organization = {Anomali}, url = {https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly}, language = {English}, urldate = {2021-05-17} } Threat Actors Use MSBuild to Deliver RATs Filelessly
Remcos
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-03-18CybereasonDaniel Frank
@online{frank:20210318:cybereason:22a301a, author = {Daniel Frank}, title = {{Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware}}, date = {2021-03-18}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers}, language = {English}, urldate = {2021-03-19} } Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
NetWire RC Remcos
2021-03-16MorphisecNadav Lorber
@online{lorber:20210316:tracking:2d8ef0b, author = {Nadav Lorber}, title = {{Tracking HCrypt: An Active Crypter as a Service}}, date = {2021-03-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service}, language = {English}, urldate = {2021-05-13} } Tracking HCrypt: An Active Crypter as a Service
AsyncRAT LimeRAT Remcos
2021-02-18PTSecurityPTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2021-01-13BitdefenderJanos Gergo Szeles
@techreport{szeles:20210113:remcos:5ffdb28, author = {Janos Gergo Szeles}, title = {{Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign}}, date = {2021-01-13}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf}, language = {English}, urldate = {2021-01-18} } Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign
Remcos
2021-01-11ESET ResearchMatías Porolli
@online{porolli:20210111:operation:409662d, author = {Matías Porolli}, title = {{Operation Spalax: Targeted malware attacks in Colombia}}, date = {2021-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/}, language = {English}, urldate = {2021-01-18} } Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2020-12-07ProofpointProofpoint Threat Research Team
@online{team:20201207:commodity:027b864, author = {Proofpoint Threat Research Team}, title = {{Commodity .NET Packers use Embedded Images to Hide Payloads}}, date = {2020-12-07}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads}, language = {English}, urldate = {2020-12-10} } Commodity .NET Packers use Embedded Images to Hide Payloads
Agent Tesla Loki Password Stealer (PWS) Remcos
2020-11-18G DataG-Data
@online{gdata:20201118:business:f4eda3a, author = {G-Data}, title = {{Business as usual: Criminal Activities in Times of a Global Pandemic}}, date = {2020-11-18}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire}, language = {English}, urldate = {2020-11-23} } Business as usual: Criminal Activities in Times of a Global Pandemic
Agent Tesla Nanocore RAT NetWire RC Remcos
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-13Github (1d8)1d8
@online{1d8:20200713:remcos:531702d, author = {1d8}, title = {{Remcos RAT Macro Dropper Doc}}, date = {2020-07-13}, organization = {Github (1d8)}, url = {https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD}, language = {English}, urldate = {2020-07-16} } Remcos RAT Macro Dropper Doc
Remcos
2020-06-11Talos IntelligenceKendall McKay, Joe Marshall
@online{mckay:20200611:tor2mine:ee5dda6, author = {Kendall McKay and Joe Marshall}, title = {{Tor2Mine is up to their old tricks — and adds a few new ones}}, date = {2020-06-11}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html}, language = {English}, urldate = {2020-06-12} } Tor2Mine is up to their old tricks — and adds a few new ones
Azorult Remcos
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-05-14360 Total Securitykate
@online{kate:20200514:vendetta:06e3cde, author = {kate}, title = {{Vendetta - new threat actor from Europe}}, date = {2020-05-14}, organization = {360 Total Security}, url = {https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/}, language = {English}, urldate = {2020-05-18} } Vendetta - new threat actor from Europe
Nanocore RAT Remcos
2020-04-02Cisco TalosVanja Svajcer
@online{svajcer:20200402:azorult:97b15f2, author = {Vanja Svajcer}, title = {{AZORult brings friends to the party}}, date = {2020-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html}, language = {English}, urldate = {2020-04-07} } AZORult brings friends to the party
Azorult Remcos
2020-03-20BitdefenderLiviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-03-18ProofpointAxel F, Sam Scholten
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} } Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2019-10-21FortinetXiaopeng Zhang, Chris Navarrete
@online{zhang:20191021:new:b72bcde, author = {Xiaopeng Zhang and Chris Navarrete}, title = {{New Variant of Remcos RAT Observed In the Wild}}, date = {2019-10-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html}, language = {English}, urldate = {2019-11-21} } New Variant of Remcos RAT Observed In the Wild
Remcos
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-09-07Dissecting MalwareMarius Genheimer
@online{genheimer:20190907:malicious:37195ec, author = {Marius Genheimer}, title = {{Malicious RATatouille}}, date = {2019-09-07}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/malicious-ratatouille.html}, language = {English}, urldate = {2020-03-27} } Malicious RATatouille
Remcos
2019-08-22Youtube (OALabs)Sergei Frankoff
@online{frankoff:20190822:remcos:b86c5bd, author = {Sergei Frankoff}, title = {{Remcos RAT Unpacked From VB6 With x64dbg Debugger}}, date = {2019-08-22}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=DIH4SvKuktM}, language = {English}, urldate = {2020-01-10} } Remcos RAT Unpacked From VB6 With x64dbg Debugger
Remcos
2019-08-15Trend MicroAliakbar Zahravi
@online{zahravi:20190815:analysis:fadf6bc, author = {Aliakbar Zahravi}, title = {{Analysis: New Remcos RAT Arrives Via Phishing Email}}, date = {2019-08-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html}, language = {English}, urldate = {2021-08-25} } Analysis: New Remcos RAT Arrives Via Phishing Email
Remcos
2019-06-19Check PointKobi Eisenkraft, Moshe Hayun
@online{eisenkraft:20190619:check:0a79b2b, author = {Kobi Eisenkraft and Moshe Hayun}, title = {{Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany}}, date = {2019-06-19}, organization = {Check Point}, url = {https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/}, language = {English}, urldate = {2020-01-08} } Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany
Remcos
2019-05-08VMRayFrancis Montesino
@online{montesino:20190508:get:ed8ceb4, author = {Francis Montesino}, title = {{Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0}}, date = {2019-05-08}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/smart-memory-dumping/}, language = {English}, urldate = {2020-01-13} } Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0
Remcos
2019-03-27SymantecCritical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-27SymantecSecurity Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2018-08-22Cisco TalosEdmund Brumaghin, Holger Unterbrink, Eric Kuhla, Lilia Gonzalez Medina
@online{brumaghin:20180822:picking:925912d, author = {Edmund Brumaghin and Holger Unterbrink and Eric Kuhla and Lilia Gonzalez Medina}, title = {{Picking Apart Remcos Botnet-In-A-Box}}, date = {2018-08-22}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html}, language = {English}, urldate = {2019-10-23} } Picking Apart Remcos Botnet-In-A-Box
Remcos
2018-08-02Palo Alto Networks Unit 42Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-03-02KrabsOnSecurityMr. Krabs
@online{krabs:20180302:analysing:7b1f12f, author = {Mr. Krabs}, title = {{Analysing Remcos RAT’s executable}}, date = {2018-03-02}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/}, language = {English}, urldate = {2019-07-31} } Analysing Remcos RAT’s executable
Remcos
2018-03-01My Online SecurityMy Online Security
@online{security:20180301:fake:7f835ef, author = {My Online Security}, title = {{Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments}}, date = {2018-03-01}, organization = {My Online Security}, url = {https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/}, language = {English}, urldate = {2020-01-13} } Fake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments
Remcos
2018-01-23RiskIQYonathan Klijnsma
@online{klijnsma:20180123:espionage:f3d28b0, author = {Yonathan Klijnsma}, title = {{Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors}}, date = {2018-01-23}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/}, language = {English}, urldate = {2019-12-24} } Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors
Remcos
2017-12-22Malware Traffic AnalysisBrad Duncan
@online{duncan:20171222:malspam:4a3fd87, author = {Brad Duncan}, title = {{MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT}}, date = {2017-12-22}, organization = {Malware Traffic Analysis}, url = {http://malware-traffic-analysis.net/2017/12/22/index.html}, language = {English}, urldate = {2019-07-11} } MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT
Remcos
2017-07-01Secrary Bloglasha
@online{lasha:20170701:remcos:984d85c, author = {lasha}, title = {{Remcos RAT}}, date = {2017-07-01}, organization = {Secrary Blog}, url = {https://secrary.com/ReversingMalware/RemcosRAT/}, language = {English}, urldate = {2020-01-09} } Remcos RAT
Remcos
2017-02-14FortinetFloser Bacurio, Joie Salvio
@online{bacurio:20170214:remcos:e924c55, author = {Floser Bacurio and Joie Salvio}, title = {{REMCOS: A New RAT In The Wild}}, date = {2017-02-14}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2}, language = {English}, urldate = {2020-01-09} } REMCOS: A New RAT In The Wild
Remcos
Yara Rules
[TLP:WHITE] win_remcos_auto (20210616 | Detects win.remcos.)
rule win_remcos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.remcos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d041f 50 53 e8???????? 83c418 }
            // n = 5, score = 1400
            //   8d041f               | lea                 eax, dword ptr [edi + ebx]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_1 = { 8bd8 57 6a02 53 ff15???????? 53 8bf8 }
            // n = 7, score = 1400
            //   8bd8                 | mov                 ebx, eax
            //   57                   | push                edi
            //   6a02                 | push                2
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   8bf8                 | mov                 edi, eax

        $sequence_2 = { 8bec 56 8bf1 ff750c ff7508 e8???????? 8bc6 }
            // n = 7, score = 1400
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 8bc8 ff15???????? 50 ff15???????? 50 e8???????? }
            // n = 6, score = 1400
            //   8bc8                 | mov                 ecx, eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 8bcf ff7508 e8???????? 83450810 4e }
            // n = 5, score = 1400
            //   8bcf                 | mov                 ecx, edi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83450810             | add                 dword ptr [ebp + 8], 0x10
            //   4e                   | dec                 esi

        $sequence_5 = { 83ec10 8bdc 50 8d4508 }
            // n = 4, score = 1400
            //   83ec10               | sub                 esp, 0x10
            //   8bdc                 | mov                 ebx, esp
            //   50                   | push                eax
            //   8d4508               | lea                 eax, dword ptr [ebp + 8]

        $sequence_6 = { 803e00 0f8485000000 8d45fc 6a0a 50 56 ff15???????? }
            // n = 7, score = 1400
            //   803e00               | cmp                 byte ptr [esi], 0
            //   0f8485000000         | je                  0x8b
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   6a0a                 | push                0xa
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_7 = { 2b4508 6a0c 99 59 f7f9 8bce }
            // n = 6, score = 1400
            //   2b4508               | sub                 eax, dword ptr [ebp + 8]
            //   6a0c                 | push                0xc
            //   99                   | cdq                 
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx
            //   8bce                 | mov                 ecx, esi

        $sequence_8 = { 897d0c 8bce e8???????? 8bd8 6a00 035d0c }
            // n = 6, score = 1400
            //   897d0c               | mov                 dword ptr [ebp + 0xc], edi
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   6a00                 | push                0
            //   035d0c               | add                 ebx, dword ptr [ebp + 0xc]

        $sequence_9 = { 894e08 e9???????? 8b4d08 8bd0 2bd1 c1fa04 3bd3 }
            // n = 7, score = 1400
            //   894e08               | mov                 dword ptr [esi + 8], ecx
            //   e9????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8bd0                 | mov                 edx, eax
            //   2bd1                 | sub                 edx, ecx
            //   c1fa04               | sar                 edx, 4
            //   3bd3                 | cmp                 edx, ebx

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules