win.smokeloader

SmokeLoader

aka: Dofoil, Sharik, Smoke, Smoke Loader

Actor(s): SMOKY SPIDER


The SmokeLoader family is a generic backdoor whose capabilities depend on the modules included in any given build of the malware. It is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404, but the response body still carries data, so the 404 status alone does not indicate a failed request.

References
2023-08-23LogpointAnish Bogati, Nischal khadgi
@online{bogati:20230823:defending:9322a16, author = {Anish Bogati and Nischal khadgi}, title = {{Defending Against 8base: Uncovering Their Arsenal and Crafting Responses}}, date = {2023-08-23}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/}, language = {English}, urldate = {2023-09-05} } Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base SmokeLoader SystemBC
2023-07-17AcronisAcronis Security
@online{security:20230717:8base:e99c087, author = {Acronis Security}, title = {{8Base ransomware stays unseen for a year}}, date = {2023-07-17}, organization = {Acronis}, url = {https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/}, language = {English}, urldate = {2023-08-09} } 8Base ransomware stays unseen for a year
8Base Phobos SmokeLoader
2023-06-28vmwareDeborah Snyder, Fae Carlisle, Dana Behling, Bria Beathley
@online{snyder:20230628:8base:6caf8b6, author = {Deborah Snyder and Fae Carlisle and Dana Behling and Bria Beathley}, title = {{8Base Ransomware: A Heavy Hitting Player}}, date = {2023-06-28}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html}, language = {English}, urldate = {2023-08-03} } 8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-06-24Twitter (@embee_research)Embee_research
@online{embeeresearch:20230624:smokeloader:9b36b55, author = {Embee_research}, title = {{SmokeLoader - Malware Analysis and Decoding With Procmon}}, date = {2023-06-24}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/smokeloader-analysis-with-procmon/}, language = {English}, urldate = {2023-06-24} } SmokeLoader - Malware Analysis and Decoding With Procmon
SmokeLoader
2023-02-27PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2022-11-19MalwarologyRobert Simmons
@online{simmons:20221119:malicious:13718e6, author = {Robert Simmons}, title = {{Malicious Packer pkr_ce1a}}, date = {2022-11-19}, organization = {Malwarology}, url = {https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd}, language = {English}, urldate = {2022-11-25} } Malicious Packer pkr_ce1a
SmokeLoader Vidar
2022-11-17TrellixTrelix
@online{trelix:20221117:trellix:8d385ac, author = {Trelix}, title = {{Trellix Insights: SmokeLoader Exploits Old Vulnerabilities to Drop zgRAT}}, date = {2022-11-17}, organization = {Trellix}, url = {https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US}, language = {English}, urldate = {2023-09-18} } Trellix Insights: SmokeLoader Exploits Old Vulnerabilities to Drop zgRAT
SmokeLoader zgRAT
2022-10-07YouTube (BSides Portland)Pim Trouerbach
@online{trouerbach:20221007:smokeloader:7c5e5b3, author = {Pim Trouerbach}, title = {{SmokeLoader - The Pandora's box of Tricks}}, date = {2022-10-07}, organization = {YouTube (BSides Portland)}, url = {https://youtu.be/QOypldw6hnY?t=3237}, language = {English}, urldate = {2022-10-11} } SmokeLoader - The Pandora's box of Tricks
SmokeLoader
2022-09-29Team CymruS2 Research Team
@online{team:20220929:seychelles:2d1a3c1, author = {S2 Research Team}, title = {{Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.}}, date = {2022-09-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore}, language = {English}, urldate = {2022-10-10} } Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2023-02-06} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-31BitSightAndré Tavares
@online{tavares:20220831:tracking:5b4130e, author = {André Tavares}, title = {{Tracking PrivateLoader: Malware Distribution Service}}, date = {2022-08-31}, organization = {BitSight}, url = {https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service}, language = {English}, urldate = {2022-08-31} } Tracking PrivateLoader: Malware Distribution Service
PrivateLoader RedLine Stealer SmokeLoader
2022-08-30Github (vc0RExor)vc0RExor
@online{vc0rexor:20220830:smokeloader:350c787, author = {vc0RExor}, title = {{SmokeLoader - Quick-Analysis}}, date = {2022-08-30}, organization = {Github (vc0RExor)}, url = {https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md}, language = {English}, urldate = {2022-08-31} } SmokeLoader - Quick-Analysis
SmokeLoader
2022-08-25OALabsSergei Frankoff
@online{frankoff:20220825:smokeloader:d02283f, author = {Sergei Frankoff}, title = {{SmokeLoader Triage Taking a look how Smoke Loader works}}, date = {2022-08-25}, organization = {OALabs}, url = {https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html}, language = {English}, urldate = {2022-08-31} } SmokeLoader Triage Taking a look how Smoke Loader works
SmokeLoader
2022-08-08FortinetJames Slaughter
@online{slaughter:20220808:life:5db63b6, author = {James Slaughter}, title = {{Life After Death - SmokeLoader Continues to Haunt Using Old Vulnerabilities}}, date = {2022-08-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities}, language = {English}, urldate = {2023-09-18} } Life After Death - SmokeLoader Continues to Haunt Using Old Vulnerabilities
SmokeLoader zgRAT
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-07-29BlackberryBlackBerry Research & Intelligence Team
@online{team:20220729:smokeloader:628912d, author = {BlackBerry Research & Intelligence Team}, title = {{SmokeLoader Malware Used to Augment Amadey Infostealer}}, date = {2022-07-29}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer}, language = {English}, urldate = {2022-08-22} } SmokeLoader Malware Used to Augment Amadey Infostealer
Amadey SmokeLoader
2022-07-27DarktraceSam Lister, Shuh Chin Goh
@online{lister:20220727:privateloader:e408698, author = {Sam Lister and Shuh Chin Goh}, title = {{PrivateLoader: Network-Based Indicators of Compromise}}, date = {2022-07-27}, organization = {Darktrace}, url = {https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise}, language = {English}, urldate = {2022-08-30} } PrivateLoader: Network-Based Indicators of Compromise
PrivateLoader SmokeLoader
2022-07-21AhnLabASEC
@online{asec:20220721:amadey:1bbe53b, author = {ASEC}, title = {{Amadey Bot Being Distributed Through SmokeLoader}}, date = {2022-07-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/36634/}, language = {English}, urldate = {2023-03-20} } Amadey Bot Being Distributed Through SmokeLoader
Amadey SmokeLoader
2022-06-21SonicWallSonicWall
@online{sonicwall:20220621:html:63e527d, author = {SonicWall}, title = {{HTML Application Files are being used to distribute Smoke Loader Malware}}, date = {2022-06-21}, organization = {SonicWall}, url = {https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/}, language = {English}, urldate = {2022-06-29} } HTML Application Files are being used to distribute Smoke Loader Malware
SmokeLoader
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-12AhnLabASEC Analysis Team
@online{team:20220412:systembc:7bdd20c, author = {ASEC Analysis Team}, title = {{SystemBC Being Used by Various Attackers}}, date = {2022-04-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/33600/}, language = {English}, urldate = {2022-04-15} } SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-02-18Bleeping ComputerSergiu Gatlan
@online{gatlan:20220218:new:6472349, author = {Sergiu Gatlan}, title = {{New Golang botnet empties Windows users’ cryptocurrency wallets}}, date = {2022-02-18}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/}, language = {English}, urldate = {2022-03-02} } New Golang botnet empties Windows users’ cryptocurrency wallets
Anubis Loader SmokeLoader
2022-02-17BlackberryBlackBerry Research & Intelligence Team
@online{team:20220217:threat:899b90a, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA}}, date = {2022-02-17}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer}, language = {English}, urldate = {2022-02-26} } Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA
Arkei Stealer SmokeLoader
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022Silent PushSilent Push
@online{push:2022:privacy:921213d, author = {Silent Push}, title = {{Privacy tools (not) for you}}, date = {2022}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/privacy-tools-not-for-you}, language = {English}, urldate = {2022-07-18} } Privacy tools (not) for you
SmokeLoader
2021-06-17Suvaditya Sur
@online{sur:20210617:analysis:74f0f46, author = {Suvaditya Sur}, title = {{Analysis of SmokeLoader}}, date = {2021-06-17}, url = {https://suvaditya.one/malware-analysis/smokeloader/}, language = {English}, urldate = {2022-07-13} } Analysis of SmokeLoader
SmokeLoader
2021-06-10ZAYOTEMFatih YILMAZ, Buğra KÖSE, İrem ALKAŞİ, Esmanur ALİCAN, Çağlar YÜN
@online{yilmaz:20210610:smokeloader:6699a4f, author = {Fatih YILMAZ and Buğra KÖSE and İrem ALKAŞİ and Esmanur ALİCAN and Çağlar YÜN}, title = {{SmokeLoader Technical Analysis Report}}, date = {2021-06-10}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view}, language = {English}, urldate = {2021-06-16} } SmokeLoader Technical Analysis Report
SmokeLoader
2021-05-26DeepInstinctRon Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-21BlackberryBlackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} } 2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-18ProofpointBrandon Murphy, Dennis Schwarz, Jack Mott, Proofpoint Threat Research Team
@online{murphy:20210318:now:d4bd40e, author = {Brandon Murphy and Dennis Schwarz and Jack Mott and Proofpoint Threat Research Team}, title = {{Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft}}, date = {2021-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft}, language = {English}, urldate = {2021-03-19} } Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft
CopperStealer SmokeLoader
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-18PTSecurityPTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} } What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-11AhnLabASEC Analysis Team
@techreport{team:20210111:smoke:e778162, author = {ASEC Analysis Team}, title = {{Smoke Loader Learns New Tricks}}, date = {2021-01-11}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf}, language = {English}, urldate = {2022-04-14} } Smoke Loader Learns New Tricks
SmokeLoader
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-12-230xC0DECAFEThomas Barabosch
@online{barabosch:20201223:detect:bd873bc, author = {Thomas Barabosch}, title = {{Detect RC4 in (malicious) binaries}}, date = {2020-12-23}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries}, language = {English}, urldate = {2020-12-26} } Detect RC4 in (malicious) binaries
SmokeLoader Zloader
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-12-17TelekomThomas Barabosch
@online{barabosch:20201217:smokeloader:937c780, author = {Thomas Barabosch}, title = {{Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs}}, date = {2020-12-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886}, language = {English}, urldate = {2020-12-18} } Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs
SmokeLoader
2020-09-09MalwarebytesThreat Intelligence Team
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} } Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-09-02Cisco TalosHolger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-08-27Hatching.ioPete Cowman
@online{cowman:20200827:smokeloader:6b86b56, author = {Pete Cowman}, title = {{Smokeloader Analysis and More Family Detections}}, date = {2020-08-27}, organization = {Hatching.io}, url = {https://hatching.io/blog/tt-2020-08-27/}, language = {English}, urldate = {2020-09-03} } Smokeloader Analysis and More Family Detections
SmokeLoader
2020-06-22m.alvar.esMarcos Alvares
@online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {m.alvar.es}, url = {https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html}, language = {English}, urldate = {2021-11-09} } Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case
SmokeLoader
2020-06-21N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} } Deep Analysis of SmokeLoader
SmokeLoader
2020-06-10m.alvar.esMarcos Alvares
@online{alvares:20200610:unpacking:38f29d6, author = {Marcos Alvares}, title = {{Unpacking Smokeloader and Reconstructing PE Programatically using LIEF}}, date = {2020-06-10}, organization = {m.alvar.es}, url = {https://m.alvar.es/2020/06/unpacking-smokeloader-and.html}, language = {English}, urldate = {2021-11-17} } Unpacking Smokeloader and Reconstructing PE Programatically using LIEF
SmokeLoader
2020-05-24Malware and StuffAndreas Klopsch
@online{klopsch:20200524:examining:842b499, author = {Andreas Klopsch}, title = {{Examining Smokeloader’s Anti Hooking technique}}, date = {2020-05-24}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/}, language = {English}, urldate = {2020-05-25} } Examining Smokeloader’s Anti Hooking technique
SmokeLoader
2020-05-24Positive TechnologiesPT ESC Threat Intelligence
@online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} } Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-18Github (DanusMinimus)Dan Lisichkin
@online{lisichkin:20200218:analyzing:f805dad, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2)}}, date = {2020-02-18}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/}, language = {English}, urldate = {2020-02-25} } Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2)
SmokeLoader
2019-11-21SentinelOneMario Ciccarelli
@online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } Going Deep | A Guide to Reversing Smoke Loader Malware
SmokeLoader
2019-10-31m.alvar.esMarcos Alvares
@online{alvares:20191031:dynamic:a295d00, author = {Marcos Alvares}, title = {{Dynamic Imports and Working Around Indirect Calls - Smokeloader Study Case}}, date = {2019-10-31}, organization = {m.alvar.es}, url = {https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html}, language = {English}, urldate = {2021-11-17} } Dynamic Imports and Working Around Indirect Calls - Smokeloader Study Case
SmokeLoader
2019-08-05security.neurolabsMarcos Alvares
@online{alvares:20190805:smokeloaders:3ee435d, author = {Marcos Alvares}, title = {{Smokeloader's Hardcoded Domains - Sneaky Third Party Vendor or Cheap Buyer?}}, date = {2019-08-05}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html}, language = {English}, urldate = {2021-09-19} } Smokeloader's Hardcoded Domains - Sneaky Third Party Vendor or Cheap Buyer?
SmokeLoader
2019-07-09Check PointIsrael Gubi
@online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} } The 2019 Resurgence of Smokeloader
SmokeLoader
2019-05-02ProofpointBryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } 2019: The Return of Retefe
Dok Retefe SmokeLoader
2018-12-19Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20181219:analysis:41c2b03, author = {Kaoru Hayashi}, title = {{Analysis of Smoke Loader in New Tsunami Campaign}}, date = {2018-12-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/}, language = {English}, urldate = {2023-05-23} } Analysis of Smoke Loader in New Tsunami Campaign
SmokeLoader
2018-09-18int 0xcc blogRaashid Bhat
@online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait
SmokeLoader
2018-08-14Plug it, play it, burn it, rip itAlberto Ortega
@online{ortega:20180814:antihooking:b194a7c, author = {Alberto Ortega}, title = {{Anti-Hooking checks of SmokeLoader 2018}}, date = {2018-08-14}, organization = {Plug it, play it, burn it, rip it}, url = {https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/}, language = {English}, urldate = {2020-01-13} } Anti-Hooking checks of SmokeLoader 2018
SmokeLoader
2018-07-18CERT.PLMichał Praszmo
@online{praszmo:20180718:dissecting:aa5eca1, author = {Michał Praszmo}, title = {{Dissecting Smoke Loader}}, date = {2018-07-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/dissecting-smoke-loader/}, language = {English}, urldate = {2020-01-13} } Dissecting Smoke Loader
SmokeLoader
2018-07-03 | Talos Intelligence | Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-04-16 | Spamhaus | Spamhaus Malware Labs
@online{labs:20180416:smoke:b91b833, author = {Spamhaus Malware Labs}, title = {{Smoke Loader malware improves after Microsoft spoils its Campaign}}, date = {2018-04-16}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign}, language = {English}, urldate = {2020-01-08} } Smoke Loader malware improves after Microsoft spoils its Campaign
SmokeLoader
2018-04-04 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20180404:hunting:fe0f809, author = {Microsoft Defender ATP Research Team}, title = {{Hunting down Dofoil with Windows Defender ATP}}, date = {2018-04-04}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/}, language = {English}, urldate = {2020-01-08} } Hunting down Dofoil with Windows Defender ATP
SmokeLoader
2018-01-12 | Malwarebytes | Jérôme Segura
@online{segura:20180112:fake:c7bc448, author = {Jérôme Segura}, title = {{Fake Spectre and Meltdown patch pushes Smoke Loader malware}}, date = {2018-01-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/}, language = {English}, urldate = {2019-12-20} } Fake Spectre and Meltdown patch pushes Smoke Loader malware
SmokeLoader
2017-08-24 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} } Crystal Finance Millennium used to spread malware
Chthonic SmokeLoader
2017-08-04 | PhishLabs | Jason Davison
@online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis
SmokeLoader
2017-04-03 | Malware Breakdown | Malware Breakdown
@online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader
SmokeLoader
2016-10-17 | Malwarebytes | Jérôme Segura
@online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} } New-looking Sundown EK drops Smoke Loader, Kronos banker
Kronos SmokeLoader
2016-08-05 | Malwarebytes | Malwarebytes Labs
@online{labs:20160805:smoke:afada56, author = {Malwarebytes Labs}, title = {{Smoke Loader – downloader with a smokescreen still alive}}, date = {2016-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/}, language = {English}, urldate = {2019-12-20} } Smoke Loader – downloader with a smokescreen still alive
SmokeLoader
2014-10-05 | Eternal Todo | Jose Miguel Esparza
@online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } Dissecting SmokeLoader (or Yulia's sweet ass proposition)
SmokeLoader
Yara Rules
[TLP:WHITE] win_smokeloader_auto (20230715 | Detects win.smokeloader.)
rule win_smokeloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.smokeloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 8d45f0 50 8d45e8 50 8d45e0 50 }
            // n = 7, score = 1300
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax

        $sequence_1 = { ff15???????? 8bf0 8d45dc 50 6a00 }
            // n = 5, score = 1100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_2 = { 50 8d45e0 50 56 ff15???????? 56 ff15???????? }
            // n = 7, score = 1100
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_3 = { 50 6a00 53 ff15???????? 8d45f0 }
            // n = 5, score = 1100
            //   50                   | push                eax
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_4 = { 57 ff15???????? 6a00 6800000002 6a03 6a00 }
            // n = 6, score = 1100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6800000002           | push                0x2000000
            //   6a03                 | push                3
            //   6a00                 | push                0

        $sequence_5 = { 50 56 681f000f00 57 }
            // n = 4, score = 900
            //   50                   | push                eax
            //   56                   | push                esi
            //   681f000f00           | push                0xf001f
            //   57                   | push                edi

        $sequence_6 = { ff15???????? bf90010000 8bcf e8???????? }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   bf90010000           | mov                 edi, 0x190
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_7 = { 56 8d45fc 50 57 57 6a19 }
            // n = 6, score = 900
            //   56                   | push                esi
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi
            //   6a19                 | push                0x19

        $sequence_8 = { 0fb64405dc 50 8d45ec 50 }
            // n = 4, score = 900
            //   0fb64405dc           | movzx               eax, byte ptr [ebp + eax - 0x24]
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax

        $sequence_9 = { e8???????? 8bf0 8d45fc 50 ff75fc 56 }
            // n = 6, score = 900
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   56                   | push                esi

        $sequence_10 = { 668ce8 6685c0 7406 fe05???????? }
            // n = 4, score = 900
            //   668ce8               | mov                 ax, gs
            //   6685c0               | test                ax, ax
            //   7406                 | je                  8
            //   fe05????????         |                     

        $sequence_11 = { 740a 83c104 83f920 72f0 }
            // n = 4, score = 900
            //   740a                 | je                  0xc
            //   83c104               | add                 ecx, 4
            //   83f920               | cmp                 ecx, 0x20
            //   72f0                 | jb                  0xfffffff2

        $sequence_12 = { 8b07 03c3 50 ff15???????? }
            // n = 4, score = 800
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { 7507 33c0 e9???????? e8???????? b904010000 }
            // n = 5, score = 800
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   e8????????           |                     
            //   b904010000           | mov                 ecx, 0x104

        $sequence_14 = { ff15???????? 50 56 6a00 ff15???????? }
            // n = 5, score = 800
            //   ff15????????         |                     
            //   50                   | push                eax
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_15 = { 0fb6c2 03f0 23f1 8a443418 88443c18 88543418 0fb64c3c18 }
            // n = 7, score = 700
            //   0fb6c2               | movzx               eax, dl
            //   03f0                 | add                 esi, eax
            //   23f1                 | and                 esi, ecx
            //   8a443418             | mov                 al, byte ptr [esp + esi + 0x18]
            //   88443c18             | mov                 byte ptr [esp + edi + 0x18], al
            //   88543418             | mov                 byte ptr [esp + esi + 0x18], dl
            //   0fb64c3c18           | movzx               ecx, byte ptr [esp + edi + 0x18]

        $sequence_16 = { 8802 fec0 42 3c7a }
            // n = 4, score = 700
            //   8802                 | mov                 byte ptr [edx], al
            //   fec0                 | inc                 al
            //   42                   | inc                 edx
            //   3c7a                 | cmp                 al, 0x7a

        $sequence_17 = { 8bec 83ec24 8d45f4 53 56 }
            // n = 5, score = 700
            //   8bec                 | mov                 ebp, esp
            //   83ec24               | sub                 esp, 0x24
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_18 = { 31c0 66894603 8d8de8fdffff 50 50 }
            // n = 5, score = 500
            //   31c0                 | xor                 eax, eax
            //   66894603             | mov                 word ptr [esi + 3], ax
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_19 = { 89c6 6804010000 56 57 }
            // n = 4, score = 500
            //   89c6                 | mov                 esi, eax
            //   6804010000           | push                0x104
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_20 = { 8b4514 898608020000 56 6aff }
            // n = 4, score = 500
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   898608020000         | mov                 dword ptr [esi + 0x208], eax
            //   56                   | push                esi
            //   6aff                 | push                -1

        $sequence_21 = { 8d95f0fdffff c70200000000 6800800000 52 51 }
            // n = 5, score = 500
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   6800800000           | push                0x8000
            //   52                   | push                edx
            //   51                   | push                ecx

        $sequence_22 = { ffb5f0fdffff 50 53 e8???????? 8d8decfdffff }
            // n = 5, score = 500
            //   ffb5f0fdffff         | push                dword ptr [ebp - 0x210]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8d8decfdffff         | lea                 ecx, [ebp - 0x214]

        $sequence_23 = { 8d85f0fdffff 8b750c 8b7d10 50 57 }
            // n = 5, score = 500
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_24 = { c60653 56 6a00 6a00 6a00 }
            // n = 5, score = 500
            //   c60653               | mov                 byte ptr [esi], 0x53
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_25 = { 50 50 50 51 50 50 56 }
            // n = 7, score = 500
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   51                   | push                ecx
            //   50                   | push                eax
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_26 = { 89cf fc b280 31db }
            // n = 4, score = 400
            //   89cf                 | mov                 edi, ecx
            //   fc                   | cld                 
            //   b280                 | mov                 dl, 0x80
            //   31db                 | xor                 ebx, ebx

        $sequence_27 = { 60 89c6 89cf fc }
            // n = 4, score = 400
            //   60                   | pushal              
            //   89c6                 | mov                 esi, eax
            //   89cf                 | mov                 edi, ecx
            //   fc                   | cld                 

        $sequence_28 = { fc 5f 5e 5b }
            // n = 4, score = 400
            //   fc                   | cld                 
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_29 = { 30d0 aa e2f3 7505 }
            // n = 4, score = 400
            //   30d0                 | xor                 al, dl
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e2f3                 | loop                0xfffffff5
            //   7505                 | jne                 7

        $sequence_30 = { 55 89e5 81ec5c060000 53 56 }
            // n = 5, score = 400
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   81ec5c060000         | sub                 esp, 0x65c
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_31 = { 4885c0 7405 2b5804 75da b001 488b5c2440 488b6c2448 }
            // n = 7, score = 300
            //   4885c0               | dec                 eax; test eax, eax
            //   7405                 | je                  7
            //   2b5804               | sub                 ebx, dword ptr [eax + 4]
            //   75da                 | jne                 0xffffffdc
            //   b001                 | mov                 al, 1
            //   488b5c2440           | dec                 eax; mov ebx, dword ptr [esp + 0x40]
            //   488b6c2448           | dec                 eax; mov ebp, dword ptr [esp + 0x48]

        $sequence_32 = { 85d2 0f8ea5000000 895dec 8955e8 }
            // n = 4, score = 300
            //   85d2                 | test                edx, edx
            //   0f8ea5000000         | jle                 0xab
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx

        $sequence_33 = { 49 8d3c8c 8b37 4c }
            // n = 4, score = 300
            //   49                   | dec                 ecx
            //   8d3c8c               | lea                 edi, [esp + ecx*4]
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   4c                   | dec                 esp

        $sequence_34 = { 4f 8d1c10 41 8b4b18 }
            // n = 4, score = 300
            //   4f                   | dec                 edi
            //   8d1c10               | lea                 ebx, [eax + edx]
            //   41                   | inc                 ecx
            //   8b4b18               | mov                 ecx, dword ptr [ebx + 0x18]

        $sequence_35 = { 4c8bc3 4889442420 ff15???????? 4584ff 740a 48634b3c 8b7c1928 }
            // n = 7, score = 300
            //   4c8bc3               | dec                 esp; mov eax, ebx
            //   4889442420           | dec                 eax; mov dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   4584ff               | inc                 ebp; test bh, bh
            //   740a                 | je                  0xc
            //   48634b3c             | dec                 eax; arpl word ptr [ebx + 0x3c], cx
            //   8b7c1928             | mov                 edi, dword ptr [ecx + ebx + 0x28]

        $sequence_36 = { 7421 81fe7f000001 7419 8d5001 ff15???????? }
            // n = 5, score = 300
            //   7421                 | je                  0x23
            //   81fe7f000001         | cmp                 esi, 0x100007f
            //   7419                 | je                  0x1b
            //   8d5001               | lea                 edx, [eax + 1]
            //   ff15????????         |                     

        $sequence_37 = { 55 89e5 81ec54040000 53 }
            // n = 4, score = 300
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   81ec54040000         | sub                 esp, 0x454
            //   53                   | push                ebx

        $sequence_38 = { 03ca 0fb6c1 8a0c04 300f 48ffc7 49ffcb }
            // n = 6, score = 300
            //   03ca                 | add                 ecx, edx
            //   0fb6c1               | movzx               eax, cl
            //   8a0c04               | mov                 cl, byte ptr [esp + eax]
            //   300f                 | xor                 byte ptr [edi], cl
            //   48ffc7               | dec                 eax; inc edi
            //   49ffcb               | dec                 ecx; dec ebx

        $sequence_39 = { c1e205 01c2 31c0 ac }
            // n = 4, score = 300
            //   c1e205               | shl                 edx, 5
            //   01c2                 | add                 edx, eax
            //   31c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]

        $sequence_40 = { 4c 01c7 8b048f 4c }
            // n = 4, score = 300
            //   4c                   | dec                 esp
            //   01c7                 | add                 edi, eax
            //   8b048f               | mov                 eax, dword ptr [edi + ecx*4]
            //   4c                   | dec                 esp

        $sequence_41 = { 8b4b18 45 8b6320 4d 01c4 ffc9 49 }
            // n = 7, score = 300
            //   8b4b18               | mov                 ecx, dword ptr [ebx + 0x18]
            //   45                   | inc                 ebp
            //   8b6320               | mov                 esp, dword ptr [ebx + 0x20]
            //   4d                   | dec                 ebp
            //   01c4                 | add                 esp, eax
            //   ffc9                 | dec                 ecx
            //   49                   | dec                 ecx

        $sequence_42 = { 31c0 ac 01c2 85c0 }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]
            //   01c2                 | add                 edx, eax
            //   85c0                 | test                eax, eax

        $sequence_43 = { 4c 01c7 668b0c4f 41 8b7b1c 4c 01c7 }
            // n = 7, score = 300
            //   4c                   | dec                 esp
            //   01c7                 | add                 edi, eax
            //   668b0c4f             | mov                 cx, word ptr [edi + ecx*2]
            //   41                   | inc                 ecx
            //   8b7b1c               | mov                 edi, dword ptr [ebx + 0x1c]
            //   4c                   | dec                 esp
            //   01c7                 | add                 edi, eax

        $sequence_44 = { 8b5590 895108 683174bc7f 8b45e4 50 }
            // n = 5, score = 200
            //   8b5590               | mov                 edx, dword ptr [ebp - 0x70]
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   683174bc7f           | push                0x7fbc7431
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_45 = { 5b c9 c20800 55 89e5 83ec04 }
            // n = 6, score = 200
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec04               | sub                 esp, 4

        $sequence_46 = { 85c0 7589 8b55fc 52 e8???????? 8be5 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   7589                 | jne                 0xffffff8b
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp

        $sequence_47 = { e8???????? 8945b4 8b4da0 8b55b4 89514c 68a8edf2ce }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8945b4               | mov                 dword ptr [ebp - 0x4c], eax
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   89514c               | mov                 dword ptr [ecx + 0x4c], edx
            //   68a8edf2ce           | push                0xcef2eda8

        $sequence_48 = { 8b55cc 895144 68d770a437 8b8578ffffff 50 e8???????? 8945a4 }
            // n = 7, score = 200
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   895144               | mov                 dword ptr [ecx + 0x44], edx
            //   68d770a437           | push                0x37a470d7
            //   8b8578ffffff         | mov                 eax, dword ptr [ebp - 0x88]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945a4               | mov                 dword ptr [ebp - 0x5c], eax

        $sequence_49 = { 89c2 8b453c 8b7c2878 01ef 8b7720 01ee 56 }
            // n = 7, score = 200
            //   89c2                 | mov                 edx, eax
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]
            //   8b7c2878             | mov                 edi, dword ptr [eax + ebp + 0x78]
            //   01ef                 | add                 edi, ebp
            //   8b7720               | mov                 esi, dword ptr [edi + 0x20]
            //   01ee                 | add                 esi, ebp
            //   56                   | push                esi

        $sequence_50 = { 01ee 56 ad 01e8 31c9 c1c108 3208 }
            // n = 7, score = 200
            //   01ee                 | add                 esi, ebp
            //   56                   | push                esi
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   01e8                 | add                 eax, ebp
            //   31c9                 | xor                 ecx, ecx
            //   c1c108               | rol                 ecx, 8
            //   3208                 | xor                 cl, byte ptr [eax]

        $sequence_51 = { 75f5 31d1 75ec 58 29c6 d1ee }
            // n = 6, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   31d1                 | xor                 ecx, edx
            //   75ec                 | jne                 0xffffffee
            //   58                   | pop                 eax
            //   29c6                 | sub                 esi, eax
            //   d1ee                 | shr                 esi, 1

        $sequence_52 = { 83c4d0 1e 53 56 }
            // n = 4, score = 200
            //   83c4d0               | add                 esp, -0x30
            //   1e                   | push                ds
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_53 = { 01e8 5e c3 60 89c6 }
            // n = 5, score = 200
            //   01e8                 | add                 eax, ebp
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   60                   | pushal              
            //   89c6                 | mov                 esi, eax

        $sequence_54 = { 50 6a09 8b4dac 51 e8???????? 8945b0 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   6a09                 | push                9
            //   8b4dac               | mov                 ecx, dword ptr [ebp - 0x54]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax

        $sequence_55 = { e8???????? 8945bc 8b4da0 8b55bc 8911 c645f46e c645f574 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8945bc               | mov                 dword ptr [ebp - 0x44], eax
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   8b55bc               | mov                 edx, dword ptr [ebp - 0x44]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   c645f46e             | mov                 byte ptr [ebp - 0xc], 0x6e
            //   c645f574             | mov                 byte ptr [ebp - 0xb], 0x74

        $sequence_56 = { aa e2f3 7506 7404 }
            // n = 4, score = 200
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e2f3                 | loop                0xfffffff5
            //   7506                 | jne                 8
            //   7404                 | je                  6

        $sequence_57 = { 68afb61a39 8b45e4 50 e8???????? 8945c0 8b4da0 }
            // n = 6, score = 200
            //   68afb61a39           | push                0x391ab6af
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]

        $sequence_58 = { c1c108 3208 40 803800 }
            // n = 4, score = 200
            //   c1c108               | rol                 ecx, 8
            //   3208                 | xor                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   803800               | cmp                 byte ptr [eax], 0

        $sequence_59 = { 8b4da0 8b559c 895158 682bed9b51 8b8578ffffff }
            // n = 5, score = 200
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   8b559c               | mov                 edx, dword ptr [ebp - 0x64]
            //   895158               | mov                 dword ptr [ecx + 0x58], edx
            //   682bed9b51           | push                0x519bed2b
            //   8b8578ffffff         | mov                 eax, dword ptr [ebp - 0x88]

        $sequence_60 = { e8???????? d6 0055d0 28a9a228510b a2???????? a1???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   d6                   | salc                
            //   0055d0               | add                 byte ptr [ebp - 0x30], dl
            //   28a9a228510b         | sub                 byte ptr [ecx + 0xb5128a2], ch
            //   a2????????           |                     
            //   a1????????           |                     

        $sequence_61 = { fd 5d 5d 5d de9955d89d29 5a 9a18a15c5d5d5d }
            // n = 7, score = 100
            //   fd                   | std                 
            //   5d                   | pop                 ebp
            //   5d                   | pop                 ebp
            //   5d                   | pop                 ebp
            //   de9955d89d29         | ficomp              word ptr [ecx + 0x299dd855]
            //   5a                   | pop                 edx
            //   9a18a15c5d5d5d       | lcall               0x5d5d:0x5d5ca118

        $sequence_62 = { 189dd465d010 95 37 7d0a 37 5c }
            // n = 6, score = 100
            //   189dd465d010         | sbb                 byte ptr [ebp + 0x10d065d4], bl
            //   95                   | xchg                eax, ebp
            //   37                   | aaa                 
            //   7d0a                 | jge                 0xc
            //   37                   | aaa                 
            //   5c                   | pop                 esp

        $sequence_63 = { 6e a7 03b65759dcb3 197b5d 5d b658 5d }
            // n = 7, score = 100
            //   6e                   | outsb               dx, byte ptr [esi]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   03b65759dcb3         | add                 esi, dword ptr [esi - 0x4c23a6a9]
            //   197b5d               | sbb                 dword ptr [ebx + 0x5d], edi
            //   5d                   | pop                 ebp
            //   b658                 | mov                 dh, 0x58
            //   5d                   | pop                 ebp

        $sequence_64 = { 03dd 635d29 4c 0ba20e45d89d 52 }
            // n = 5, score = 100
            //   03dd                 | add                 ebx, ebp
            //   635d29               | arpl                word ptr [ebp + 0x29], bx
            //   4c                   | dec                 esp
            //   0ba20e45d89d         | or                  esp, dword ptr [edx - 0x6227baf2]
            //   52                   | push                edx

    condition:
        7 of them and filesize < 245760
}
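The bytes in `$sequence_58` (`rol ecx, 8` / `xor cl, byte ptr [eax]` / `inc eax` / `cmp byte ptr [eax], 0`) are the body of a string-hashing loop, which is why that sequence is a good detection anchor: it survives rebuilds that change the surrounding constants. The Python below is an added example, not part of the Malpedia rule, that reproduces the loop so an analyst can compute what it yields for a constructed name and compare against constants found in a sample; the zero seed, the NUL-terminated input and the helper names (`seq58_hash`, `matches_constant`) are assumptions, since only the loop body appears in the rule.

```python
# Added example (not part of the Malpedia rule): reproduce the hashing loop
# whose body appears as $sequence_58:
#   c1c108  rol ecx, 8
#   3208    xor cl, byte ptr [eax]
#   40      inc eax
#   803800  cmp byte ptr [eax], 0   ; loop continues while the byte is non-zero
# Assumptions: ecx starts at 0 and eax points at a NUL-terminated ASCII string.

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by count bits, as x86 ROL does."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def seq58_hash(name: bytes, seed: int = 0) -> int:
    """Run the rol-8 / xor-cl loop over name exactly as the bytes do:
    the body executes at least once, and the NUL check follows inc eax."""
    data = name.split(b"\0", 1)[0]            # the loop stops at the first NUL
    ecx = seed & MASK32
    i = 0
    while True:
        ecx = rol32(ecx, 8)                    # rol ecx, 8
        ecx ^= data[i] if i < len(data) else 0  # xor cl, [eax] (low byte only)
        i += 1                                 # inc eax
        if i >= len(data):                     # cmp byte ptr [eax], 0 -> NUL hit
            break
    return ecx


def matches_constant(name: bytes, constant: int, seed: int = 0) -> bool:
    """True when the loop output for name equals a 32-bit constant pulled from
    a sample (for instance the push immediates 0x391ab6af and 0x519bed2b seen
    in the rule). The rule itself does not establish that those pushes are
    hash values; this is only the comparison an analyst would run."""
    return seq58_hash(name, seed) == (constant & MASK32)


if __name__ == "__main__":
    # Constructed inputs only; real export names are tried the same way.
    for sample in (b"A", b"ABCD", b"ABCDE", b"LoadLibraryA"):
        print(sample.decode(), hex(seq58_hash(sample)))
```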