win.skipper

Skipper

aka: Kotel

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12ESET ResearchMatthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-05-19TelsyWebmaster
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} } Following the Turla’s Skipper over the ocean of cyber operations
Skipper
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-06-06ESET ResearchJean-Ian Boutin
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
HTML5 Encoding Skipper
2016-06-30BitdefenderBitdefender
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } Pacifier APT
Skipper
2015BitdefenderCristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } New Pacifier APT Components Point to Russian-Linked Turla Group
Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20220411 | Detects win.skipper.)
rule win_skipper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): how to read the generated strings below
     * - Every $sequence_N is a raw x86 / x86-64 opcode byte pattern. "??" bytes
     *   are YARA wildcards; judging by the opcodes in front of them (e8 call
     *   rel32, ff15 call [mem], 68 push imm32, 8b05 mov from [rip+disp]) they
     *   stand in for operands that change between builds and load addresses.
     * - "n" equals the number of byte rows in the sequence. "score" is a
     *   yara-signator weighting; its exact meaning is not given on this page,
     *   so do not read it as a per-sequence confidence without checking the
     *   generator's documentation.
     * - The disassembly column next to each byte row does NOT line up with the
     *   bytes on that row (e.g. 6a03 is "push 3", yet the row reads "dec esp";
     *   sequences beginning with a 48/4c/41 REX prefix show "dec eax"/"inc ecx",
     *   which is how those prefix bytes decode in 32-bit mode). Treat the column
     *   as a loose context hint only and decode the hex yourself when triaging a
     *   hit.
     * - Per the DISCLAIMER, the patterns were taken from unpacked / memory-dumped
     *   code; expect no match on packed on-disk samples. The mix of REX-prefixed
     *   and plain sequences indicates both 64-bit and 32-bit builds were sourced.
     */

    strings:
        $sequence_0 = { 6a03 68???????? 68???????? 6a50 }
            // n = 4, score = 600
            //   6a03                 | dec                 esp
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | lea                 ecx, dword ptr [0x8e2d]

        $sequence_1 = { ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   6a00                 | inc                 eax
            //   6a00                 | jmp                 0xffffffec
            //   6a00                 | xor                 eax, eax
            //   6a00                 | mov                 dword ptr [ebp - 0x1c], eax
            //   50                   | cmp                 eax, 0x100

        $sequence_2 = { e8???????? 6804010000 e8???????? 6804010000 8bf8 6a00 57 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   6804010000           | mov                 ecx, dword ptr [ebp - 0x1c]
            //   e8????????           |                     
            //   6804010000           | add                 esp, 0xc
            //   8bf8                 | imul                ecx, ecx, 0x30
            //   6a00                 | mov                 dword ptr [ebp - 0x20], esi
            //   57                   | lea                 esi, dword ptr [ecx + 0x23a6c8]

        $sequence_3 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | mov                 dword ptr [esi + 0x5c], 0x2381d8
            //   5d                   | xor                 edi, edi
            //   c3                   | inc                 edi
            //   55                   | mov                 dword ptr [esi + 0x14], edi
            //   8bec                 | test                eax, eax
            //   33c0                 | je                  0x2e
            //   50                   | je                  0xe

        $sequence_4 = { 57 6804010000 c644241300 e8???????? 6804010000 6a00 }
            // n = 6, score = 400
            //   57                   | mov                 dword ptr [ebx + 8], 1
            //   6804010000           | push                6
            //   c644241300           | mov                 dword ptr [ebx + 0xc], eax
            //   e8????????           |                     
            //   6804010000           | lea                 eax, dword ptr [ebx + 0x10]
            //   6a00                 | lea                 ecx, dword ptr [ecx + 0x23a6bc]

        $sequence_5 = { 68???????? 6a50 53 50 ff15???????? 6a00 }
            // n = 6, score = 400
            //   68????????           |                     
            //   6a50                 | push                0x50
            //   53                   | push                0x104
            //   50                   | push                0x104
            //   ff15????????         |                     
            //   6a00                 | mov                 edi, eax

        $sequence_6 = { 81cb00ffffff 43 0fb6c3 8d8dfcfeffff 03c8 46 8a01 }
            // n = 7, score = 400
            //   81cb00ffffff         | push                3
            //   43                   | push                0x50
            //   0fb6c3               | push                0
            //   8d8dfcfeffff         | push                3
            //   03c8                 | push                0x50
            //   46                   | push                0
            //   8a01                 | push                0

        $sequence_7 = { e8???????? 6bc064 2bf0 6bf67b }
            // n = 4, score = 400
            //   e8????????           |                     
            //   6bc064               | push                0x50
            //   2bf0                 | push                0
            //   6bf67b               | push                3

        $sequence_8 = { 83c404 6a00 6a64 52 50 e8???????? }
            // n = 6, score = 300
            //   83c404               | inc                 ecx
            //   6a00                 | mov                 eax, 0x94
            //   6a64                 | dec                 eax
            //   52                   | mov                 dword ptr [eax], ecx
            //   50                   | inc                 ecx
            //   e8????????           |                     

        $sequence_9 = { e8???????? 83c404 6a00 6a64 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   83c404               | push                edx
            //   6a00                 | push                eax
            //   6a64                 | add                 esp, 4

        $sequence_10 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | mov                 ecx, dword ptr [ebp - 0x124]
            //   6a00                 | movzx               edx, byte ptr [ebp - 4]
            //   6a00                 | mov                 al, byte ptr [ebp - 0x111]
            //   68????????           |                     

        $sequence_11 = { 038de8feffff 8b85e0feffff 99 f77d0c 8b4508 }
            // n = 5, score = 200
            //   038de8feffff         | push                0x104
            //   8b85e0feffff         | mov                 edi, eax
            //   99                   | push                0x104
            //   f77d0c               | push                0x104
            //   8b4508               | mov                 edi, eax

        $sequence_12 = { 7908 4a 81ca00ffffff 42 8955fc 0fb645f8 }
            // n = 6, score = 200
            //   7908                 | push                0
            //   4a                   | push                0x64
            //   81ca00ffffff         | push                edx
            //   42                   | add                 esp, 4
            //   8955fc               | push                0
            //   0fb645f8             | push                0x64

        $sequence_13 = { 488d5201 3d00010000 7cf1 448bc1 448bc9 }
            // n = 5, score = 200
            //   488d5201             | dec                 eax
            //   3d00010000           | dec                 ebx
            //   7cf1                 | jne                 0xffffff82
            //   448bc1               | inc                 edx
            //   448bc9               | xor                 dl, byte ptr [edi + ebx - 1]

        $sequence_14 = { 81c900ffffff ffc1 4863c1 0fb61404 4403d2 4181e2ff000080 }
            // n = 6, score = 200
            //   81c900ffffff         | movzx               eax, byte ptr [ebp - 4]
            //   ffc1                 | movzx               ecx, byte ptr [ebp + eax - 0x110]
            //   4863c1               | add                 edx, ecx
            //   0fb61404             | and                 edx, 0x800000ff
            //   4403d2               | jns                 0x1a
            //   4181e2ff000080       | dec                 eax

        $sequence_15 = { 8b4d10 038ddcfeffff 0fbe11 0fb685eefeffff 33d0 8b4d18 038ddcfeffff }
            // n = 7, score = 200
            //   8b4d10               | inc                 edx
            //   038ddcfeffff         | mov                 dword ptr [ebp - 4], edx
            //   0fbe11               | movzx               eax, byte ptr [ebp - 8]
            //   0fb685eefeffff       | movzx               edx, byte ptr [ebp - 4]
            //   33d0                 | movzx               eax, byte ptr [ebp - 8]
            //   8b4d18               | mov                 cl, byte ptr [ebp + edx - 0x110]
            //   038ddcfeffff         | mov                 byte ptr [ebp + eax - 0x110], cl

        $sequence_16 = { 488b05???????? 4833c4 4889842400010000 4c8b9c2440010000 33c9 }
            // n = 5, score = 200
            //   488b05????????       |                     
            //   4833c4               | mov                 ecx, dword ptr [ebp + 0x10]
            //   4889842400010000     | mov                 ecx, dword ptr [ebp + 0x10]
            //   4c8b9c2440010000     | add                 ecx, dword ptr [ebp - 0x124]
            //   33c9                 | movsx               edx, byte ptr [ecx]

        $sequence_17 = { 0fb61404 4232541fff 418853ff 48ffcb 0f8575ffffff }
            // n = 5, score = 200
            //   0fb61404             | movzx               eax, byte ptr [ebp - 0x112]
            //   4232541fff           | xor                 edx, eax
            //   418853ff             | mov                 ecx, dword ptr [ebp + 0x18]
            //   48ffcb               | add                 ecx, dword ptr [ebp - 0x124]
            //   0f8575ffffff         | inc                 ecx

        $sequence_18 = { 0f8575ffffff b001 488b8c2400010000 4833cc e8???????? 4c8d9c2410010000 }
            // n = 6, score = 200
            //   0f8575ffffff         | inc                 ecx
            //   b001                 | and                 edx, 0x800000ff
            //   488b8c2400010000     | movzx               eax, byte ptr [edx]
            //   4833cc               | mov                 byte ptr [ebx - 1], al
            //   e8????????           |                     
            //   4c8d9c2410010000     | inc                 eax

        $sequence_19 = { 0fb6c1 4c8d0424 488d1424 4c03c0 410fb6c2 450fb608 4803d0 }
            // n = 7, score = 200
            //   0fb6c1               | mov                 ebx, dword ptr [esp + 0x140]
            //   4c8d0424             | xor                 ecx, ecx
            //   488d1424             | movzx               edx, byte ptr [esp + eax]
            //   4c03c0               | inc                 edx
            //   410fb6c2             | xor                 dl, byte ptr [edi + ebx - 1]
            //   450fb608             | inc                 ecx
            //   4803d0               | mov                 byte ptr [ebx - 1], dl

        $sequence_20 = { 81ca00ffffff 42 0fb6d2 8a8415f0feffff 8885eefeffff }
            // n = 5, score = 200
            //   81ca00ffffff         | push                edx
            //   42                   | add                 esp, 4
            //   0fb6d2               | push                0
            //   8a8415f0feffff       | push                0x64
            //   8885eefeffff         | push                edx

        $sequence_21 = { 0fb602 8843ff 408832 4181f900010000 }
            // n = 4, score = 200
            //   0fb602               | xor                 eax, esp
            //   8843ff               | dec                 eax
            //   408832               | mov                 dword ptr [esp + 0x100], eax
            //   4181f900010000       | dec                 esp

        $sequence_22 = { 88940df0feffff ebd0 c785e8feffff00000000 c785e0feffff00000000 eb0f }
            // n = 5, score = 200
            //   88940df0feffff       | push                0x104
            //   ebd0                 | push                0x104
            //   c785e8feffff00000000     | mov    edi, eax
            //   c785e0feffff00000000     | push    0
            //   eb0f                 | push                0x104

        $sequence_23 = { 0fb695e8feffff 8a85effeffff 888415f0feffff e9???????? c785dcfeffff00000000 eb0f 8b8ddcfeffff }
            // n = 7, score = 200
            //   0fb695e8feffff       | push                0
            //   8a85effeffff         | push                edi
            //   888415f0feffff       | push                0
            //   e9????????           |                     
            //   c785dcfeffff00000000     | push    0
            //   eb0f                 | push                0
            //   8b8ddcfeffff         | push                0

        $sequence_24 = { 4181e2ff000080 7d0d 41ffca 4181ca00ffffff 41ffc2 0fb6c1 }
            // n = 6, score = 200
            //   4181e2ff000080       | inc                 ecx
            //   7d0d                 | mov                 byte ptr [ebx - 1], dl
            //   41ffca               | dec                 eax
            //   4181ca00ffffff       | dec                 ebx
            //   41ffc2               | jne                 0xffffff82
            //   0fb6c1               | mov                 al, 1

        $sequence_25 = { 41 898de8feffff 8b85e0feffff 8a8c05f0feffff 888deffeffff 0fb695e8feffff }
            // n = 6, score = 200
            //   41                   | movzx               edx, byte ptr [ebp - 4]
            //   898de8feffff         | or                  edx, 0xffffff00
            //   8b85e0feffff         | inc                 edx
            //   8a8c05f0feffff       | movzx               edx, dl
            //   888deffeffff         | mov                 al, byte ptr [ebp + edx - 0x110]
            //   0fb695e8feffff       | mov                 byte ptr [ebp - 0x112], al

        $sequence_26 = { 0fb655fc 0fb645f8 8a8c15f0feffff 888c05f0feffff 0fb655fc }
            // n = 5, score = 200
            //   0fb655fc             | push                edx
            //   0fb645f8             | push                eax
            //   8a8c15f0feffff       | add                 esp, 4
            //   888c05f0feffff       | push                0
            //   0fb655fc             | push                0x64

        $sequence_27 = { 4c8d0d2d8e0000 33d2 4d8bc1 413b08 }
            // n = 4, score = 100
            //   4c8d0d2d8e0000       | dec                 esp
            //   33d2                 | lea                 edi, dword ptr [0xa532]
            //   4d8bc1               | and                 ebx, 0x1f
            //   413b08               | jns                 0x43

        $sequence_28 = { 75f6 488b0d???????? 33d2 41b894000000 488908 8b0d???????? }
            // n = 6, score = 100
            //   75f6                 | dec                 eax
            //   488b0d????????       |                     
            //   33d2                 | lea                 ecx, dword ptr [0x6ecb]
            //   41b894000000         | mov                 dword ptr [esp + 0x30], ebx
            //   488908               | push                edi
            //   8b0d????????         |                     

        $sequence_29 = { 740c c785d4feffff3a040000 eb0a c785d4feffffffff1f00 8b4508 50 6a00 }
            // n = 7, score = 100
            //   740c                 | inc                 ecx
            //   c785d4feffff3a040000     | inc    edx
            //   eb0a                 | movzx               eax, cl
            //   c785d4feffffffff1f00     | dec    eax
            //   8b4508               | xor                 eax, esp
            //   50                   | dec                 eax
            //   6a00                 | mov                 dword ptr [esp + 0x100], eax

        $sequence_30 = { 8888a8a42300 40 ebe9 33c0 8945e4 3d00010000 }
            // n = 6, score = 100
            //   8888a8a42300         | dec                 eax
            //   40                   | add                 edx, eax
            //   ebe9                 | dec                 eax
            //   33c0                 | lea                 edx, dword ptr [edx + 1]
            //   8945e4               | cmp                 eax, 0x100
            //   3d00010000           | jl                  0xfffffff3

        $sequence_31 = { 4863d9 488bf3 48c1fe05 4c8d3d32a50000 83e31f }
            // n = 5, score = 100
            //   4863d9               | dec                 eax
            //   488bf3               | mov                 ecx, dword ptr [esp + 0x38]
            //   48c1fe05             | dec                 eax
            //   4c8d3d32a50000       | lea                 edx, dword ptr [0x95ac]
            //   83e31f               | dec                 eax

        $sequence_32 = { 8bf1 c745fc00000000 c785acfeffff00000000 6a00 c746140f000000 c7461000000000 }
            // n = 6, score = 100
            //   8bf1                 | mov                 ebp, esp
            //   c745fc00000000       | xor                 eax, eax
            //   c785acfeffff00000000     | push    eax
            //   6a00                 | push                0
            //   c746140f000000       | push                0
            //   c7461000000000       | push                0

        $sequence_33 = { 8985e4feffff 6a04 6800300000 6804010000 6a00 }
            // n = 5, score = 100
            //   8985e4feffff         | mov                 al, 1
            //   6a04                 | dec                 eax
            //   6800300000           | mov                 ecx, dword ptr [esp + 0x100]
            //   6804010000           | dec                 eax
            //   6a00                 | xor                 ecx, esp

        $sequence_34 = { 5d c3 8b04cdaca72300 5d c3 0544ffffff }
            // n = 6, score = 100
            //   5d                   | inc                 ecx
            //   c3                   | and                 edx, 0x800000ff
            //   8b04cdaca72300       | jge                 0xf
            //   5d                   | inc                 ecx
            //   c3                   | dec                 edx
            //   0544ffffff           | jne                 0xffffff7b

        $sequence_35 = { 7d10 668b4c4310 66890c4590b22300 40 ebe8 33c0 }
            // n = 6, score = 100
            //   7d10                 | dec                 esp
            //   668b4c4310           | lea                 ebx, dword ptr [esp + 0x110]
            //   66890c4590b22300     | dec                 eax
            //   40                   | mov                 dword ptr [esp + 0x20], edi
            //   ebe8                 | inc                 ecx
            //   33c0                 | push                esi

        $sequence_36 = { e8???????? 488d1d2baa0000 4885c0 7404 488d5810 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   488d1d2baa0000       | dec                 eax
            //   4885c0               | lea                 ebx, dword ptr [0xaa2b]
            //   7404                 | dec                 eax
            //   488d5810             | test                eax, eax

        $sequence_37 = { 741b 488b4c2438 488d15ac950000 ff15???????? 4885c0 }
            // n = 5, score = 100
            //   741b                 | je                  6
            //   488b4c2438           | dec                 eax
            //   488d15ac950000       | lea                 ebx, dword ptr [eax + 0x10]
            //   ff15????????         |                     
            //   4885c0               | je                  0x1d

        $sequence_38 = { e8???????? 8b4de4 83c40c 6bc930 8975e0 8db1c8a62300 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4de4               | inc                 esp
            //   83c40c               | mov                 eax, ecx
            //   6bc930               | inc                 esp
            //   8975e0               | mov                 ecx, ecx
            //   8db1c8a62300         | inc                 ecx

        $sequence_39 = { 68e0930400 ffd7 46 83fe64 7c91 6a44 8d44244c }
            // n = 7, score = 100
            //   68e0930400           | push                0
            //   ffd7                 | push                3
            //   46                   | push                0x50
            //   83fe64               | pop                 ecx
            //   7c91                 | pop                 ebp
            //   6a44                 | ret                 
            //   8d44244c             | push                ebp

        $sequence_40 = { 57 4883ec20 bf24000000 488d1d24a50000 }
            // n = 4, score = 100
            //   57                   | dec                 eax
            //   4883ec20             | mov                 esi, ebx
            //   bf24000000           | dec                 eax
            //   488d1d24a50000       | sar                 esi, 5

        $sequence_41 = { c7465cd8812300 33ff 47 897e14 85c0 7424 }
            // n = 6, score = 100
            //   c7465cd8812300       | and                 edx, 0x800000ff
            //   33ff                 | jge                 0x16
            //   47                   | inc                 ecx
            //   897e14               | dec                 edx
            //   85c0                 | inc                 ecx
            //   7424                 | or                  edx, 0xffffff00

        $sequence_42 = { 51 6a00 6a00 8b95e4feffff 52 ff95dcfeffff 8985ecfeffff }
            // n = 7, score = 100
            //   51                   | dec                 esp
            //   6a00                 | mov                 ebx, dword ptr [esp + 0x140]
            //   6a00                 | xor                 ecx, ecx
            //   8b95e4feffff         | dec                 ecx
            //   52                   | arpl                cx, bp
            //   ff95dcfeffff         | inc                 esp
            //   8985ecfeffff         | add                 edx, edx

        $sequence_43 = { 4883ec30 bf01000000 8bcf e8???????? b84d5a0000 66390502deffff 7404 }
            // n = 7, score = 100
            //   4883ec30             |                     (no disassembly text was emitted for this row)
            //   bf01000000           | mov                 edi, 1
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   b84d5a0000           | mov                 eax, 0x5a4d
            //   66390502deffff       | cmp                 word ptr [0xffffde02], ax
            //   7404                 | je                  6

        $sequence_44 = { 7941 488d0dcb6e0000 895c2430 ff15???????? }
            // n = 4, score = 100
            //   7941                 | test                eax, eax
            //   488d0dcb6e0000       | dec                 eax
            //   895c2430             | arpl                cx, bx
            //   ff15????????         |                     

        $sequence_45 = { 00984e4000bc 4e 40 0023 }
            // n = 4, score = 100
            //   00984e4000bc         | push                0
            //   4e                   | push                0x104
            //   40                   | push                0x104
            //   0023                 | mov                 edi, eax

    condition:
        // Any 7 of the 46 byte sequences must be present AND the scanned object
        // must be smaller than 262144 bytes (256 KiB). `filesize` is only
        // meaningful for file scans per the YARA documentation; if this rule is
        // used against process memory or larger memory dumps, confirm how the
        // size guard behaves there before relying on it.
        7 of them and filesize < 262144
}