win.skipper

Skipper

aka: Kotel

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12 | ESET Research | Matthieu Faou | Tracking Turla: New backdoor delivered via Armenian watering holes
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} }
Tags: LightNeuron Mosquito NetFlash Skipper
2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Tags: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Tags: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA
2020 | Secureworks | SecureWorks | IRON HUNTER
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} }
Tags: Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-05-19 | Telsy | Webmaster | Following the Turla’s Skipper over the ocean of cyber operations
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} }
Tags: Skipper
2018-10-04 | Kaspersky Labs | GReAT | Shedding Skin – Turla’s Fresh Faces
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2023-01-10} }
Tags: KopiLuwak Agent.BTZ Cobra Carbon System Gazer Meterpreter Mosquito Skipper
2017-06-06 | ESET Research | Jean-Ian Boutin | Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} }
Tags: HTML5 Encoding Skipper
2016-06-30 | Bitdefender | Bitdefender | Pacifier APT
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} }
Tags: Skipper
2015 | Bitdefender | Cristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar | New Pacifier APT Components Point to Russian-Linked Turla Group
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} }
Tags: Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20230125 | Detects win.skipper.)
rule win_skipper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a00 6a03 68???????? 68???????? 6a50 }
            // n = 6, score = 600
            //   6a00                 | add                 eax, esi
            //   6a00                 | inc                 ecx
            //   6a03                 | and                 eax, 0x800000ff
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | jge                 0x19

        $sequence_1 = { ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   6a00                 | push                3
            //   6a00                 | push                0x50
            //   6a00                 | add                 esp, 4
            //   6a00                 | push                0
            //   50                   | push                0x64

        $sequence_2 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | push                edx
            //   5d                   | push                eax
            //   c3                   | add                 esp, 4
            //   55                   | push                0
            //   8bec                 | push                0x64
            //   33c0                 | push                edx
            //   50                   | push                eax

        $sequence_3 = { e8???????? 6804010000 e8???????? 6804010000 8bf8 6a00 }
            // n = 6, score = 500
            //   e8????????           |                     
            //   6804010000           | push                eax
            //   e8????????           |                     
            //   6804010000           | add                 esp, 4
            //   8bf8                 | push                0
            //   6a00                 | push                0x64

        $sequence_4 = { 41 0fb6840dfcfeffff 0385f8feffff 898df4feffff 25ff000080 7907 }
            // n = 6, score = 400
            //   41                   | push                0
            //   0fb6840dfcfeffff     | push                0
            //   0385f8feffff         | push                0
            //   898df4feffff         | push                eax
            //   25ff000080           | push                ebx
            //   7907                 | push                esi

        $sequence_5 = { 53 56 57 6804010000 c644241300 e8???????? }
            // n = 6, score = 400
            //   53                   | movzx               edx, byte ptr [ebp + ecx - 0x110]
            //   56                   | movzx               eax, byte ptr [ebp - 4]
            //   57                   | movzx               ecx, byte ptr [ebp + eax - 0x110]
            //   6804010000           | add                 edx, ecx
            //   c644241300           | and                 edx, 0x800000ff
            //   e8????????           |                     

        $sequence_6 = { 6804010000 6a00 57 e8???????? 6a32 6a00 }
            // n = 6, score = 400
            //   6804010000           | xor                 edx, eax
            //   6a00                 | mov                 ecx, dword ptr [ebp + 0x18]
            //   57                   | add                 ecx, dword ptr [ebp - 0x124]
            //   e8????????           |                     
            //   6a32                 | mov                 byte ptr [ecx], dl
            //   6a00                 | jge                 0xd5

        $sequence_7 = { 03d8 03d9 81e3ff000080 7908 4b }
            // n = 5, score = 400
            //   03d8                 | mov                 eax, dword ptr [ebp - 8]
            //   03d9                 | add                 eax, 1
            //   81e3ff000080         | and                 eax, 0x800000ff
            //   7908                 | jns                 0x14
            //   4b                   | dec                 eax

        $sequence_8 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | push                0
            //   6a00                 | push                eax
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_9 = { 83c404 6a00 6a64 52 }
            // n = 4, score = 300
            //   83c404               | add                 edx, eax
            //   6a00                 | movzx               eax, byte ptr [edx]
            //   6a64                 | inc                 ecx
            //   52                   | mov                 byte ptr [eax], al

        $sequence_10 = { 4833cc e8???????? 4c8d9c2410010000 498b5b10 498b6b18 498b7320 498b7b28 }
            // n = 7, score = 200
            //   4833cc               | movzx               ecx, byte ptr [eax]
            //   e8????????           |                     
            //   4c8d9c2410010000     | sar                 edx, 2
            //   498b5b10             | mov                 eax, edx
            //   498b6b18             | shr                 eax, 0x1f
            //   498b7320             | add                 edx, eax
            //   498b7b28             | inc                 ecx

        $sequence_11 = { 0f8dcf000000 8b45f8 83c001 25ff000080 7907 48 }
            // n = 6, score = 200
            //   0f8dcf000000         | push                edi
            //   8b45f8               | lea                 eax, [ebp - 0x110]
            //   83c001               | push                eax
            //   25ff000080           | ret                 
            //   7907                 | mov                 eax, dword ptr [ecx*8 + 0x23a7ac]
            //   48                   | pop                 ebp

        $sequence_12 = { 410fb6c0 488d1424 41ffc1 4803d0 }
            // n = 4, score = 200
            //   410fb6c0             | mov                 eax, 0x800
            //   488d1424             | dec                 eax
            //   41ffc1               | mov                 ebx, eax
            //   4803d0               | dec                 eax

        $sequence_13 = { 85ed 0f8e8e000000 492bfb ffc1 }
            // n = 4, score = 200
            //   85ed                 | dec                 ecx
            //   0f8e8e000000         | sub                 eax, esi
            //   492bfb               | dec                 eax
            //   ffc1                 | sar                 eax, 1

        $sequence_14 = { 0fb6c1 4c8d0424 488d1424 4c03c0 410fb6c2 450fb608 }
            // n = 6, score = 200
            //   0fb6c1               | lea                 edx, [0xb282]
            //   4c8d0424             | dec                 eax
            //   488d1424             | sar                 eax, 5
            //   4c03c0               | and                 ecx, 0x1f
            //   410fb6c2             | dec                 esp
            //   450fb608             | lea                 eax, [0x9809]

        $sequence_15 = { 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff e9???????? }
            // n = 7, score = 200
            //   8b85e0feffff         | mov                 al, byte ptr [ebx]
            //   8a8c15f0feffff       | mov                 eax, ebx
            //   888c05f0feffff       | xor                 eax, eax
            //   0fb695e8feffff       | mov                 dword ptr [ebp - 0x1c], esi
            //   8a85effeffff         | xor                 eax, eax
            //   888415f0feffff       | cmp                 dword ptr [eax + 0x23a6b8], edi
            //   e9????????           |                     

        $sequence_16 = { 4833c4 4889842400010000 4c8b9c2440010000 33c9 4963e9 }
            // n = 5, score = 200
            //   4833c4               | mov                 eax, ecx
            //   4889842400010000     | lea                 edx, [edx + edx*4]
            //   4c8b9c2440010000     | test                ebp, ebp
            //   33c9                 | jle                 0x94
            //   4963e9               | dec                 ecx

        $sequence_17 = { 68???????? a1???????? 50 68???????? e8???????? 83c414 }
            // n = 6, score = 200
            //   68????????           |                     
            //   a1????????           |                     
            //   50                   | cmp                 byte ptr [ebp - 0x135], 0
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | jne                 0xffffffe3

        $sequence_18 = { 8a8c05f0feffff 888deffeffff 0fb695e8feffff 8b85e0feffff 8a8c15f0feffff 888c05f0feffff }
            // n = 6, score = 200
            //   8a8c05f0feffff       | and                 esi, 0x1f
            //   888deffeffff         | shl                 esi, 6
            //   0fb695e8feffff       | add                 esi, dword ptr [eax*4 + 0x23b720]
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x1c]
            //   8a8c15f0feffff       | mov                 eax, dword ptr [eax]
            //   888c05f0feffff       | mov                 dword ptr [esi], eax

        $sequence_19 = { 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff 03d1 81e2ff000080 }
            // n = 5, score = 200
            //   0fb6940df0feffff     | xor                 ecx, ecx
            //   0fb645fc             | cmp                 eax, dword ptr [ecx*8 + 0x23a7a8]
            //   0fb68c05f0feffff     | je                  0x23
            //   03d1                 | mov                 eax, dword ptr [ebp - 4]
            //   81e2ff000080         | push                dword ptr [eax*8 + 0x23a91c]

        $sequence_20 = { 4403c0 4403c6 4181e0ff000080 7d0d 41ffc8 }
            // n = 5, score = 200
            //   4403c0               | sub                 edi, ebx
            //   4403c6               | inc                 ecx
            //   4181e0ff000080       | sub                 eax, edx
            //   7d0d                 | dec                 eax
            //   41ffc8               | arpl                ax, dx

        $sequence_21 = { 33d0 8b4d18 038ddcfeffff 8811 }
            // n = 4, score = 200
            //   33d0                 | push                ebx
            //   8b4d18               | push                edi
            //   038ddcfeffff         | xor                 eax, ebp
            //   8811                 | mov                 dword ptr [ebp - 4], eax

        $sequence_22 = { 8a8415f0feffff 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 0fb685eefeffff 33d0 }
            // n = 7, score = 200
            //   8a8415f0feffff       | push                0x104
            //   8885eefeffff         | push                0
            //   8b4d10               | push                edi
            //   038ddcfeffff         | push                0x32
            //   0fbe11               | push                0
            //   0fb685eefeffff       | add                 ebx, eax
            //   33d0                 | add                 ebx, ecx

        $sequence_23 = { c1fa02 8bc2 c1e81f 03d0 418bc1 8d1492 }
            // n = 6, score = 200
            //   c1fa02               | dec                 eax
            //   8bc2                 | lea                 ecx, [ecx + eax*2]
            //   c1e81f               | inc                 ecx
            //   03d0                 | mov                 ecx, 3
            //   418bc1               | dec                 eax
            //   8d1492               | mov                 eax, ecx

        $sequence_24 = { 2bc2 4863d0 420fb60432 4403c0 4403c6 }
            // n = 5, score = 200
            //   2bc2                 | jne                 0xf9
            //   4863d0               | dec                 eax
            //   420fb60432           | lea                 ecx, [0x5920]
            //   4403c0               | xor                 edx, edx
            //   4403c6               | inc                 ecx

        $sequence_25 = { e9???????? c785dcfeffff00000000 eb0f 8b8ddcfeffff }
            // n = 4, score = 200
            //   e9????????           |                     
            //   c785dcfeffff00000000     | and    ebx, 0x800000ff
            //   eb0f                 | jns                 0x12
            //   8b8ddcfeffff         | dec                 ebx

        $sequence_26 = { 488bc8 ff15???????? 488d15e1580000 488bcb 488905???????? ff15???????? 488bc8 }
            // n = 7, score = 100
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   488d15e1580000       | mov                 ecx, eax
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488bc8               | lea                 edx, [0x58e1]

        $sequence_27 = { 80bdcbfeffff00 75e1 8bbdccfeffff 8b0d???????? 890f 8b15???????? 895704 }
            // n = 7, score = 100
            //   80bdcbfeffff00       | add                 eax, esi
            //   75e1                 | inc                 ecx
            //   8bbdccfeffff         | inc                 eax
            //   8b0d????????         |                     
            //   890f                 | inc                 ecx
            //   8b15????????         |                     
            //   895704               | movzx               eax, al

        $sequence_28 = { 8bc3 e8???????? 33c0 e9???????? 8975e4 33c0 39b8b8a62300 }
            // n = 7, score = 100
            //   8bc3                 | inc                 edx
            //   e8????????           |                     
            //   33c0                 | movzx               eax, byte ptr [edx + esi]
            //   e9????????           |                     
            //   8975e4               | inc                 esp
            //   33c0                 | add                 eax, eax
            //   39b8b8a62300         | inc                 esp

        $sequence_29 = { 83c205 8d0c07 81f904010000 8b4dec 72c0 6804010000 e8???????? }
            // n = 7, score = 100
            //   83c205               | push                ebx
            //   8d0c07               | push                eax
            //   81f904010000         | push                0
            //   8b4dec               | push                0
            //   72c0                 | push                3
            //   6804010000           | push                0x50
            //   e8????????           |                     

        $sequence_30 = { 0f85f3000000 488d0d20590000 33d2 41b800080000 ff15???????? 488bd8 }
            // n = 6, score = 100
            //   0f85f3000000         | mov                 edx, ecx
            //   488d0d20590000       | jne                 0xe
            //   33d2                 | dec                 eax
            //   41b800080000         | lea                 ecx, [0xe9ee]
            //   ff15????????         |                     
            //   488bd8               | jmp                 0x10

        $sequence_31 = { 83c404 83bc24a800000010 c78424f00000000f000000 c78424ec00000000000000 c68424dc00000000 720f ffb42494000000 }
            // n = 7, score = 100
            //   83c404               | push                0
            //   83bc24a800000010     | push                0x104
            //   c78424f00000000f000000     | push    0x104
            //   c78424ec00000000000000     | mov    edi, eax
            //   c68424dc00000000     | push                0
            //   720f                 | push                edi
            //   ffb42494000000       | push                0x50

        $sequence_32 = { ffd6 e8???????? e9???????? 6804010000 e8???????? 83c404 }
            // n = 6, score = 100
            //   ffd6                 | push                0
            //   e8????????           |                     
            //   e9????????           |                     
            //   6804010000           | push                0
            //   e8????????           |                     
            //   83c404               | push                0

        $sequence_33 = { 488d0559900000 488981a0000000 83611000 c7411c01000000 c781c800000001000000 b843000000 }
            // n = 6, score = 100
            //   488d0559900000       | dec                 eax
            //   488981a0000000       | mov                 ecx, ebx
            //   83611000             | dec                 eax
            //   c7411c01000000       | mov                 ecx, eax
            //   c781c800000001000000     | dec    eax
            //   b843000000           | lea                 eax, [0x9059]

        $sequence_34 = { 488b442450 488d0d54a90000 488b0cc1 4c8d4c244c 488d9520060000 498b0c0c }
            // n = 6, score = 100
            //   488b442450           | mov                 eax, 0x43
            //   488d0d54a90000       | dec                 esp
            //   488b0cc1             | lea                 esi, [0xa47c]
            //   4c8d4c244c           | dec                 ecx
            //   488d9520060000       | cmp                 dword ptr [esi + ebx*8], 0
            //   498b0c0c             | je                  0xe

        $sequence_35 = { 89442420 488bd1 7509 488d0deee90000 eb02 }
            // n = 5, score = 100
            //   89442420             | mov                 eax, 1
            //   488bd1               | jmp                 0x6a
            //   7509                 | dec                 eax
            //   488d0deee90000       | mov                 eax, dword ptr [esp + 0x50]
            //   eb02                 | dec                 eax

        $sequence_36 = { 4c8d0509980000 488d0c41 41b903000000 488bc1 492bc6 48d1f8 }
            // n = 6, score = 100
            //   4c8d0509980000       | dec                 eax
            //   488d0c41             | lea                 edx, [ebp + 0x620]
            //   41b903000000         | dec                 ecx
            //   488bc1               | mov                 ecx, dword ptr [esp + ecx]
            //   492bc6               | mov                 dword ptr [esp + 0x20], eax
            //   48d1f8               | dec                 eax

        $sequence_37 = { 8888b0a52300 40 ebe6 ff35???????? }
            // n = 4, score = 100
            //   8888b0a52300         | mov                 dword ptr [esp + 0x100], eax
            //   40                   | dec                 esp
            //   ebe6                 | mov                 ebx, dword ptr [esp + 0x140]
            //   ff35????????         |                     

        $sequence_38 = { 55 8bec 8b4508 33c9 3b04cda8a72300 7413 }
            // n = 6, score = 100
            //   55                   | dec                 eax
            //   8bec                 | lea                 edx, [esp]
            //   8b4508               | inc                 ecx
            //   33c9                 | inc                 ecx
            //   3b04cda8a72300       | dec                 eax
            //   7413                 | xor                 ecx, esp

        $sequence_39 = { c3 8b04cdaca72300 5d c3 }
            // n = 4, score = 100
            //   c3                   | mov                 edi, dword ptr [ebx + 0x28]
            //   8b04cdaca72300       | dec                 eax
            //   5d                   | xor                 eax, esp
            //   c3                   | dec                 eax

        $sequence_40 = { a1???????? 33c5 8945fc 57 8d85f0feffff 50 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   33c5                 | dec                 ecx
            //   8945fc               | mov                 ebp, dword ptr [ebx + 0x18]
            //   57                   | dec                 ecx
            //   8d85f0feffff         | mov                 esi, dword ptr [ebx + 0x20]
            //   50                   | dec                 ecx

        $sequence_41 = { 488bcb 488bc3 488d1582b20000 48c1f805 83e11f }
            // n = 5, score = 100
            //   488bcb               | lea                 ecx, [0xa954]
            //   488bc3               | dec                 eax
            //   488d1582b20000       | mov                 ecx, dword ptr [ecx + eax*8]
            //   48c1f805             | dec                 esp
            //   83e11f               | lea                 ecx, [esp + 0x4c]

        $sequence_42 = { 8b45fc ff34c51ca92300 53 57 }
            // n = 4, score = 100
            //   8b45fc               | dec                 esp
            //   ff34c51ca92300       | lea                 ebx, [esp + 0x110]
            //   53                   | dec                 ecx
            //   57                   | mov                 ebx, dword ptr [ebx + 0x10]

        $sequence_43 = { 4c8d357ca40000 49833cde00 7407 b801000000 eb5c }
            // n = 5, score = 100
            //   4c8d357ca40000       | dec                 eax
            //   49833cde00           | mov                 dword ptr [ecx + 0xa0], eax
            //   7407                 | and                 dword ptr [ecx + 0x10], 0
            //   b801000000           | mov                 dword ptr [ecx + 0x1c], 1
            //   eb5c                 | mov                 dword ptr [ecx + 0xc8], 1

        $sequence_44 = { 83e61f c1e606 03348520b72300 8b45e4 8b00 8906 8a03 }
            // n = 7, score = 100
            //   83e61f               | arpl                ax, dx
            //   c1e606               | inc                 edx
            //   03348520b72300       | movzx               eax, byte ptr [edx + esi]
            //   8b45e4               | add                 edx, edx
            //   8b00                 | sub                 eax, edx
            //   8906                 | dec                 eax
            //   8a03                 | arpl                ax, dx

    condition:
        7 of them and filesize < 262144
}