win.smokeloader

SmokeLoader

aka: Dofoil, Sharik, Smoke, Smoke Loader

Actor(s): SMOKY SPIDER


SmokeLoader is a modular loader and backdoor: what a given build can do depends on the plugins bundled with it. It is distributed through many channels (the references below document exploit kits, malvertising and fake software updates, among others) and is broadly associated with criminal activity. To camouflage its C2 traffic the bot interleaves its real check-ins with decoy requests to legitimate sites such as microsoft.com, bing.com and adobe.com. The real C2 response typically comes back as an HTTP 404, yet the response body still carries the data the bot wants; a 404 that is not empty is therefore a useful thing to look for in proxy logs.
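The 404-with-body behaviour described above lends itself to a simple proxy-log check. The following is an added example, not Malpedia's code and not taken from any of the referenced analyses; the log layout, the `.invalid` hostnames, the 256-byte body threshold and the 60-second window are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Triage proxy logs for the SmokeLoader C2 pattern: an HTTP 404 that still
carries a body, typically surrounded by decoy requests to well-known sites.
Added example; log format, hosts and thresholds are assumptions."""
import re
from collections import namedtuple

Record = namedtuple("Record", "ts client method host path status nbytes ctype")

# Decoy domains named in the family description above.
DECOY_DOMAINS = ("microsoft.com", "bing.com", "adobe.com")

# Assumed layout: epoch client method host path status response-bytes content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<nbytes>\d+)\s+(?P<ctype>\S+)$"
)

# Constructed sample traffic; example-c2.invalid stands in for a real C2 host.
SAMPLE_LOG = """\
1617000001 10.0.0.5 GET www.microsoft.com / 200 53120 text/html
1617000002 10.0.0.5 GET www.bing.com / 200 98000 text/html
1617000003 10.0.0.5 POST example-c2.invalid /index.php 404 2316 text/html
1617000004 10.0.0.5 GET www.adobe.com /favicon.ico 404 0 text/html
1617000009 10.0.0.5 POST example-c2.invalid /index.php 404 1 text/html
1617000100 10.0.0.7 GET www.microsoft.com /nope 404 5120 text/html
"""


def parse_log(text):
    """Parse the assumed log layout; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append(Record(int(d["ts"]), d["client"], d["method"],
                              d["host"].lower(), d["path"], int(d["status"]),
                              int(d["nbytes"]), d["ctype"]))
    return records


def is_decoy(host):
    """True for the decoy domains or any of their subdomains."""
    return any(host == d or host.endswith("." + d) for d in DECOY_DOMAINS)


def find_404_with_body(records, min_body=256):
    """A 404 answered with a substantial body is the signal; tiny or empty
    404s (a missing favicon, for instance) are ordinary."""
    return [r for r in records if r.status == 404 and r.nbytes >= min_body]


def decoy_context(records, hit, window=60):
    """Count decoy-domain requests by the same client in the `window` seconds
    before `hit`. A 404-with-body right after a burst of decoy traffic is a
    much stronger indicator than the 404 alone."""
    return sum(1 for r in records
               if r.client == hit.client and is_decoy(r.host)
               and hit.ts - window <= r.ts < hit.ts)


def triage(text, min_body=256, window=60):
    """Return (host, body_bytes, decoy_hits_before) for each suspicious 404."""
    records = parse_log(text)
    return [(h.host, h.nbytes, decoy_context(records, h, window))
            for h in find_404_with_body(records, min_body)]


if __name__ == "__main__":
    for host, nbytes, decoys in triage(SAMPLE_LOG):
        print(f"{host}: 404 with {nbytes} bytes, {decoys} decoy requests in the prior 60s")
```

Reading the output: the `example-c2.invalid` hit carries a 2 KB body and is preceded by two decoy requests from the same client, which is the pattern the description calls out. The `www.microsoft.com` hit shows the caveat: big sites serve large branded 404 pages, so the body size alone is noisy and the decoy-context count (zero here) is what separates the two. The threshold and window are tuning knobs, not facts about the family.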

References (date | source | author | title, followed by the BibTeX record and the other families the reference covers)

2021-04-12 | PTSecurity | PTSecurity | PaaS, or how hackers evade antivirus software
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} }
Families: Amadey, Bunitu, Cerber, Dridex, ISFB, KPOT Stealer, Mailto, Nemty, Phobos Ransomware, Pony, Predator The Thief, QakBot, Raccoon, RTM, SmokeLoader, Zeppelin Ransomware, Zloader

2021-03-21 | Blackberry | Blackberry Research | 2021 Threat Report
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} }
Families: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot

2021-03-18 | Proofpoint | Brandon Murphy, Dennis Schwarz, Jack Mott, Proofpoint Threat Research Team | Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft
@online{murphy:20210318:now:d4bd40e, author = {Brandon Murphy and Dennis Schwarz and Jack Mott and Proofpoint Threat Research Team}, title = {{Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft}}, date = {2021-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft}, language = {English}, urldate = {2021-03-19} }
Families: CopperStealer, SmokeLoader

2021-02-23 | CrowdStrike | CrowdStrike | 2021 Global Threat Report
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} }
Families: RansomEXX, Amadey, Anchor, Avaddon Ransomware, BazarBackdoor, Clop, Cobalt Strike, Conti Ransomware, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet Ransomware, ShadowPad, SmokeLoader, Snake Ransomware, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader

2021-02-18 | PTSecurity | PTSecurity | (no title recorded; article at https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/)
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} }
Families: Poet RAT, Gravity RAT, Ketrican, Okrum, OopsIE, Remcos, RogueRobinNET, RokRAT, SmokeLoader

2021-02-02 | CRONUP | Germán Fernández | De ataque con Malware a incidente de Ransomware (Spanish: From a malware attack to a ransomware incident)
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} }
Families: Avaddon Ransomware, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti Ransomware, DanaBot, Dharma, Dridex, Egregor, Emotet, Empire Downloader, FriedEx, GootKit, IcedID, MegaCortex, Nemty, Phorpiex, PwndLocker, PyXie, QakBot, RansomEXX, REvil, Ryuk, SDBbot, SmokeLoader, TrickBot, Zloader

2021-02-01 | Microsoft | Microsoft 365 Defender Threat Intelligence Team | What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
@online{team:20210201:what:2e12897, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{What tracking an attacker email infrastructure tells us about persistent cybercriminal operations}}, date = {2021-02-01}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/}, language = {English}, urldate = {2021-02-02} }
Families: Dridex, Emotet, Makop Ransomware, SmokeLoader, TrickBot

2021-01-18 | Medium csis-techblog | Benoît Ancel | GCleaner — Garbage Provider Since 2019
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} }
Families: Amadey, Ficker Stealer, Raccoon, RedLine Stealer, SmokeLoader, STOP Ransomware

2020-12-23 | 0xC0DECAFE | Thomas Barabosch | Detect RC4 in (malicious) binaries
@online{barabosch:20201223:detect:bd873bc, author = {Thomas Barabosch}, title = {{Detect RC4 in (malicious) binaries}}, date = {2020-12-23}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries}, language = {English}, urldate = {2020-12-26} }
Families: SmokeLoader, Zloader

2020-12-21 | Cisco Talos | Jon Munshaw | 2020: The year in malware
@online{munshaw:20201221:2020:4a88f84, author = {Jon Munshaw}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} }
Families: WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-12-17 | Telekom | Thomas Barabosch | Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs
@online{barabosch:20201217:smokeloader:937c780, author = {Thomas Barabosch}, title = {{Smokeloader is still alive and kickin’ – A new way to encrypt CC server URLs}}, date = {2020-12-17}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886}, language = {English}, urldate = {2020-12-18} }
Families: SmokeLoader

2020-09-09 | Malwarebytes | Threat Intelligence Team | Malvertising campaigns come back in full swing
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} }
Families: Raccoon, SmokeLoader

2020-09-02 | Cisco Talos | Holger Unterbrink, Edmund Brumaghin | Salfram: Robbing the place without removing your name tag
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} }
Families: Ave Maria, ISFB, SmokeLoader, Zloader

2020-08-27 | Hatching.io | Pete Cowman | Smokeloader Analysis and More Family Detections
@online{cowman:20200827:smokeloader:6b86b56, author = {Pete Cowman}, title = {{Smokeloader Analysis and More Family Detections}}, date = {2020-08-27}, organization = {Hatching.io}, url = {https://hatching.io/blog/tt-2020-08-27/}, language = {English}, urldate = {2020-09-03} }
Families: SmokeLoader

2020-06-22 | security.neurolabs | Marcos Alvares | Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case
@online{alvares:20200622:comparative:270905b, author = {Marcos Alvares}, title = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}}, date = {2020-06-22}, organization = {security.neurolabs}, url = {http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html}, language = {English}, urldate = {2020-06-24} }
Families: SmokeLoader

2020-06-21 | N1ght-W0lf Blog | Abdallah Elshinbary | Deep Analysis of SmokeLoader
@online{elshinbary:20200621:deep:1a39a3f, author = {Abdallah Elshinbary}, title = {{Deep Analysis of SmokeLoader}}, date = {2020-06-21}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/}, language = {English}, urldate = {2020-06-22} }
Families: SmokeLoader

2020-05-24 | Malware and Stuff | Andreas Klopsch | Examining Smokeloader’s Anti Hooking technique
@online{klopsch:20200524:examining:842b499, author = {Andreas Klopsch}, title = {{Examining Smokeloader’s Anti Hooking technique}}, date = {2020-05-24}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/}, language = {English}, urldate = {2020-05-25} }
Families: SmokeLoader

2020-05-24 | Positive Technologies | PT ESC Threat Intelligence | Operation TA505: network infrastructure. Part 3.
@online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} }
Families: AndroMut, Buhtrap, SmokeLoader

2020-03-04 | CrowdStrike | CrowdStrike | 2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Families: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti
Actors: ANTHROPOID SPIDER, Anunak, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-02-18 | Github (DanusMinimus) | Dan Lisichkin | Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer (Part 1 of 2)
@online{lisichkin:20200218:analyzing:f805dad, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2)}}, date = {2020-02-18}, organization = {Github (DanusMinimus)}, url = {https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/}, language = {English}, urldate = {2020-02-25} }
Families: SmokeLoader

2019-11-21 | SentinelOne | Mario Ciccarelli | Going Deep | A Guide to Reversing Smoke Loader Malware
@online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} }
Families: SmokeLoader

2019-07-09 | Check Point | Israel Gubi | The 2019 Resurgence of Smokeloader
@online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} }
Families: SmokeLoader

2019-05-02 | Proofpoint | Bryan Campbell, Proofpoint Threat Insight Team | 2019: The Return of Retefe
@online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} }
Families: Dok, Retefe, SmokeLoader

2018-09-18 | int 0xcc blog | Raashid Bhat | A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait
@online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} }
Families: SmokeLoader

2018-08-14 | Plug it, play it, burn it, rip it | Alberto Ortega | Anti-Hooking checks of SmokeLoader 2018
@online{ortega:20180814:antihooking:b194a7c, author = {Alberto Ortega}, title = {{Anti-Hooking checks of SmokeLoader 2018}}, date = {2018-08-14}, organization = {Plug it, play it, burn it, rip it}, url = {https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/}, language = {English}, urldate = {2020-01-13} }
Families: SmokeLoader

2018-07-18 | CERT.PL | Michał Praszmo | Dissecting Smoke Loader
@online{praszmo:20180718:dissecting:aa5eca1, author = {Michał Praszmo}, title = {{Dissecting Smoke Loader}}, date = {2018-07-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/dissecting-smoke-loader/}, language = {English}, urldate = {2020-01-13} }
Families: SmokeLoader

2018-07-03 | Talos Intelligence | Ben Baker, Holger Unterbrink | Smoking Guns - Smoke Loader learned new tricks
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} }
Families: SmokeLoader, TrickBot

2018-04-16 | Spamhaus | Spamhaus Malware Labs | Smoke Loader malware improves after Microsoft spoils its Campaign
@online{labs:20180416:smoke:b91b833, author = {Spamhaus Malware Labs}, title = {{Smoke Loader malware improves after Microsoft spoils its Campaign}}, date = {2018-04-16}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign}, language = {English}, urldate = {2020-01-08} }
Families: SmokeLoader

2018-04-04 | Microsoft | Microsoft Defender ATP Research Team | Hunting down Dofoil with Windows Defender ATP
@online{team:20180404:hunting:fe0f809, author = {Microsoft Defender ATP Research Team}, title = {{Hunting down Dofoil with Windows Defender ATP}}, date = {2018-04-04}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/}, language = {English}, urldate = {2020-01-08} }
Families: SmokeLoader

2018-01-12 | Malwarebytes | Jérôme Segura | Fake Spectre and Meltdown patch pushes Smoke Loader malware
@online{segura:20180112:fake:c7bc448, author = {Jérôme Segura}, title = {{Fake Spectre and Meltdown patch pushes Smoke Loader malware}}, date = {2018-01-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/}, language = {English}, urldate = {2019-12-20} }
Families: SmokeLoader

2017-08-24 | Blaze's Security Blog | BartBlaze | Crystal Finance Millennium used to spread malware
@online{bartblaze:20170824:crystal:16adb4a, author = {BartBlaze}, title = {{Crystal Finance Millennium used to spread malware}}, date = {2017-08-24}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html}, language = {English}, urldate = {2020-02-01} }
Families: Chthonic, SmokeLoader

2017-08-04 | PhishLabs | Jason Davison | Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis
@online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} }
Families: SmokeLoader

2017-04-03 | Malware Breakdown | Malware Breakdown | Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader
@online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} }
Families: SmokeLoader

2016-10-17 | Malwarebytes | Jérôme Segura | New-looking Sundown EK drops Smoke Loader, Kronos banker
@online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} }
Families: Kronos, SmokeLoader

2016-08-05 | Malwarebytes | Malwarebytes Labs | Smoke Loader – downloader with a smokescreen still alive
@online{labs:20160805:smoke:afada56, author = {Malwarebytes Labs}, title = {{Smoke Loader – downloader with a smokescreen still alive}}, date = {2016-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/}, language = {English}, urldate = {2019-12-20} }
Families: SmokeLoader

2014-10-05 | Eternal Todo | Jose Miguel Esparza | Dissecting SmokeLoader (or Yulia's sweet ass proposition)
@online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} }
Families: SmokeLoader
Yara Rules
[TLP:WHITE] win_smokeloader_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_smokeloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 8d45f0 50 8d45e8 50 8d45e0 50 }
            // n = 7, score = 1300
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax

        $sequence_1 = { 50 8d45e0 50 56 ff15???????? 56 }
            // n = 6, score = 1100
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_2 = { 57 ff15???????? 6a00 6800000002 6a03 }
            // n = 5, score = 1100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6800000002           | push                0x2000000
            //   6a03                 | push                3

        $sequence_3 = { ff15???????? 8bf0 8d45dc 50 6a00 53 ff15???????? }
            // n = 7, score = 1100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_4 = { ff15???????? bf90010000 8bcf e8???????? }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   bf90010000           | mov                 edi, 0x190
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_5 = { 668ce8 6685c0 7406 fe05???????? }
            // n = 4, score = 900
            //   668ce8               | mov                 ax, gs
            //   6685c0               | test                ax, ax
            //   7406                 | je                  8
            //   fe05????????         |                     

        $sequence_6 = { 33c0 e9???????? e8???????? b904010000 }
            // n = 4, score = 800
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   e8????????           |                     
            //   b904010000           | mov                 ecx, 0x104

        $sequence_7 = { 56 ff15???????? 50 56 6a00 ff15???????? }
            // n = 6, score = 800
            //   56                   | push                esi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_8 = { 50 ff15???????? 6800a00f00 50 a3???????? }
            // n = 5, score = 800
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6800a00f00           | push                0xfa000
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_9 = { ff75f8 ff15???????? 53 ff75f4 ff15???????? }
            // n = 5, score = 800
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     

        $sequence_10 = { 56 8d45fc 50 57 57 6a19 }
            // n = 6, score = 800
            //   56                   | push                esi
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi
            //   6a19                 | push                0x19

        $sequence_11 = { 83c410 56 53 53 ff15???????? }
            // n = 5, score = 800
            //   83c410               | add                 esp, 0x10
            //   56                   | push                esi
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_12 = { 8b07 03c3 50 ff15???????? }
            // n = 4, score = 800
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { ff35???????? ff15???????? ff35???????? 6aff ff15???????? }
            // n = 5, score = 800
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   6aff                 | push                -1
            //   ff15????????         |                     

        $sequence_14 = { 57 ff15???????? 43 83fb0f }
            // n = 4, score = 700
            //   57                   | push                edi
            //   ff15????????         |                     
            //   43                   | inc                 ebx
            //   83fb0f               | cmp                 ebx, 0xf

        $sequence_15 = { 8d8decfdffff 8d95f0fdffff c70200000000 6800800000 }
            // n = 4, score = 500
            //   8d8decfdffff         | lea                 ecx, [ebp - 0x214]
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   6800800000           | push                0x8000

        $sequence_16 = { 8985ecfdffff ffb5f0fdffff 50 53 }
            // n = 4, score = 500
            //   8985ecfdffff         | mov                 dword ptr [ebp - 0x214], eax
            //   ffb5f0fdffff         | push                dword ptr [ebp - 0x210]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_17 = { 8d85f0fdffff 8b750c 8b7d10 50 57 56 53 }
            // n = 7, score = 500
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_18 = { 31c0 66894603 8d8de8fdffff 50 }
            // n = 4, score = 500
            //   31c0                 | xor                 eax, eax
            //   66894603             | mov                 word ptr [esi + 3], ax
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   50                   | push                eax

        $sequence_19 = { 50 53 e8???????? 8d8decfdffff 8d95f0fdffff }
            // n = 5, score = 500
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8d8decfdffff         | lea                 ecx, [ebp - 0x214]
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]

        $sequence_20 = { 6800800000 52 51 6aff }
            // n = 4, score = 500
            //   6800800000           | push                0x8000
            //   52                   | push                edx
            //   51                   | push                ecx
            //   6aff                 | push                -1

        $sequence_21 = { 8d8de8fdffff 50 50 50 50 51 50 }
            // n = 7, score = 500
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_22 = { c60653 56 6a00 6a00 6a00 }
            // n = 5, score = 500
            //   c60653               | mov                 byte ptr [esi], 0x53
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_23 = { 55 89e5 81ec5c060000 53 56 }
            // n = 5, score = 400
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   81ec5c060000         | sub                 esp, 0x65c
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_24 = { fc 5f 5e 5b }
            // n = 4, score = 400
            //   fc                   | cld                 
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_25 = { 30d0 aa e2f3 7505 }
            // n = 4, score = 400
            //   30d0                 | xor                 al, dl
            //   aa                   | stosb               byte ptr es:[edi], al
            //   e2f3                 | loop                -0xb
            //   7505                 | jne                 7

        $sequence_26 = { 89c6 89cf fc b280 31db a4 b302 }
            // n = 7, score = 400
            //   89c6                 | mov                 esi, eax
            //   89cf                 | mov                 edi, ecx
            //   fc                   | cld                 
            //   b280                 | mov                 dl, 0x80
            //   31db                 | xor                 ebx, ebx
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   b302                 | mov                 bl, 2

        $sequence_27 = { 4c 01c7 668b0c4f 41 }
            // n = 4, score = 300
            //   4c                   | dec                 esp
            //   01c7                 | add                 edi, eax
            //   668b0c4f             | mov                 cx, word ptr [edi + ecx*2]
            //   41                   | inc                 ecx

        $sequence_28 = { ff15???????? 8b442440 85c0 7e02 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   85c0                 | test                eax, eax
            //   7e02                 | jle                 4

        $sequence_29 = { 41ffc1 4c3bc3 7ed6 83c8ff 488b5c2430 488b742438 4883c420 }
            // n = 7, score = 300
            //   41ffc1               | inc                 r9d
            //   4c3bc3               | cmp                 r8, rbx
            //   7ed6                 | jle                 0xffffffffffffffd8
            //   83c8ff               | or                  eax, 0xffffffff
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   488b742438           | mov                 rsi, qword ptr [rsp + 0x38]
            //   4883c420             | add                 rsp, 0x20

        $sequence_30 = { 0fc9 32c1 c1f908 49ffca }
            // n = 4, score = 300
            //   0fc9                 | bswap               ecx
            //   32c1                 | xor                 al, cl
            //   c1f908               | sar                 ecx, 8
            //   49ffca               | dec                 r10

        $sequence_31 = { 31c0 ac 01c2 85c0 }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]
            //   01c2                 | add                 edx, eax
            //   85c0                 | test                eax, eax

        $sequence_32 = { ffc9 49 8d3c8c 8b37 }
            // n = 4, score = 300
            //   ffc9                 | dec                 ecx
            //   49                   | dec                 ecx
            //   8d3c8c               | lea                 edi, [esp + ecx*4]
            //   8b37                 | mov                 esi, dword ptr [edi]

        $sequence_33 = { 8d1c10 41 8b4b18 45 8b6320 4d }
            // n = 6, score = 300
            //   8d1c10               | lea                 ebx, [eax + edx]
            //   41                   | inc                 ecx
            //   8b4b18               | mov                 ecx, dword ptr [ebx + 0x18]
            //   45                   | inc                 ebp
            //   8b6320               | mov                 esp, dword ptr [ebx + 0x20]
            //   4d                   | dec                 ebp

        $sequence_34 = { 668b0c4f 41 8b7b1c 4c 01c7 8b048f }
            // n = 6, score = 300
            //   668b0c4f             | mov                 cx, word ptr [edi + ecx*2]
            //   41                   | inc                 ecx
            //   8b7b1c               | mov                 edi, dword ptr [ebx + 0x1c]
            //   4c                   | dec                 esp
            //   01c7                 | add                 edi, eax
            //   8b048f               | mov                 eax, dword ptr [edi + ecx*4]

        $sequence_35 = { 8d3c8c 8b37 4c 01c6 }
            // n = 4, score = 300
            //   8d3c8c               | lea                 edi, [esp + ecx*4]
            //   8b37                 | mov                 esi, dword ptr [edi]
            //   4c                   | dec                 esp
            //   01c6                 | add                 esi, eax

        $sequence_36 = { ff15???????? 488bf0 4885c0 7511 ffc7 4983c604 4863c7 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   488bf0               | mov                 rsi, rax
            //   4885c0               | test                rax, rax
            //   7511                 | jne                 0x13
            //   ffc7                 | inc                 edi
            //   4983c604             | add                 r14, 4
            //   4863c7               | movsxd              rax, edi

        $sequence_37 = { 89d0 c1e205 01c2 31c0 ac }
            // n = 5, score = 300
            //   89d0                 | mov                 eax, edx
            //   c1e205               | shl                 edx, 5
            //   01c2                 | add                 edx, eax
            //   31c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]

        $sequence_38 = { 48897010 48897818 55 488d68a1 4881ec90000000 488bf1 488bda }
            // n = 7, score = 300
            //   48897010             | mov                 qword ptr [rax + 0x10], rsi
            //   48897818             | mov                 qword ptr [rax + 0x18], rdi
            //   55                   | push                rbp
            //   488d68a1             | lea                 rbp, [rax - 0x5f]
            //   4881ec90000000       | sub                 rsp, 0x90
            //   488bf1               | mov                 rsi, rcx
            //   488bda               | mov                 rbx, rdx

        $sequence_39 = { 488bce 488bd0 488bd8 e8???????? 488b6c2468 488bc3 }
            // n = 6, score = 300
            //   488bce               | mov                 rcx, rsi
            //   488bd0               | mov                 rdx, rax
            //   488bd8               | mov                 rbx, rax
            //   e8????????           |                     
            //   488b6c2468           | mov                 rbp, qword ptr [rsp + 0x68]
            //   488bc3               | mov                 rax, rbx

        $sequence_40 = { 89c2 8b453c 8b7c2878 01ef 8b7720 01ee }
            // n = 6, score = 200
            //   89c2                 | mov                 edx, eax
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]
            //   8b7c2878             | mov                 edi, dword ptr [eax + ebp + 0x78]
            //   01ef                 | add                 edi, ebp
            //   8b7720               | mov                 esi, dword ptr [edi + 0x20]
            //   01ee                 | add                 esi, ebp

        $sequence_41 = { c7459000000000 eb09 8b4590 83c001 894590 8b4dfc 0fb75102 }
            // n = 7, score = 200
            //   c7459000000000       | mov                 dword ptr [ebp - 0x70], 0
            //   eb09                 | jmp                 0xb
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   83c001               | add                 eax, 1
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fb75102             | movzx               edx, word ptr [ecx + 2]

        $sequence_42 = { c1c108 3208 40 803800 }
            // n = 4, score = 200
            //   c1c108               | rol                 ecx, 8
            //   3208                 | xor                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   803800               | cmp                 byte ptr [eax], 0

        $sequence_43 = { 83c4d0 1e 53 56 57 007508 bbb84340c1 }
            // n = 7, score = 200
            //   83c4d0               | add                 esp, -0x30
            //   1e                   | push                ds
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   007508               | add                 byte ptr [ebp + 8], dh
            //   bbb84340c1           | mov                 ebx, 0xc14043b8

        $sequence_44 = { 8945f8 8b45f8 8b4868 894df4 ff750c ff7508 ff55f4 }
            // n = 7, score = 200
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4868               | mov                 ecx, dword ptr [eax + 0x68]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff55f4               | call                dword ptr [ebp - 0xc]

        $sequence_45 = { 75f5 31d1 75ec 58 29c6 d1ee }
            // n = 6, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   31d1                 | xor                 ecx, edx
            //   75ec                 | jne                 0xffffffee
            //   58                   | pop                 eax
            //   29c6                 | sub                 esi, eax
            //   d1ee                 | shr                 esi, 1

        $sequence_46 = { 8b4dfc 0fb75102 395590 7d37 8b4590 6bc028 8b4dec }
            // n = 7, score = 200
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fb75102             | movzx               edx, word ptr [ecx + 2]
            //   395590               | cmp                 dword ptr [ebp - 0x70], edx
            //   7d37                 | jge                 0x39
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   6bc028               | imul                eax, eax, 0x28
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]

        $sequence_47 = { 8a4de3 884dec 8a5508 8855ed 837d1000 740d 8b4508 }
            // n = 7, score = 200
            //   8a4de3               | mov                 cl, byte ptr [ebp - 0x1d]
            //   884dec               | mov                 byte ptr [ebp - 0x14], cl
            //   8a5508               | mov                 dl, byte ptr [ebp + 8]
            //   8855ed               | mov                 byte ptr [ebp - 0x13], dl
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   740d                 | je                  0xf
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_48 = { 0fb7442efe c1e002 03471c 8b0428 01e8 5e }
            // n = 6, score = 200
            //   0fb7442efe           | movzx               eax, word ptr [esi + ebp - 2]
            //   c1e002               | shl                 eax, 2
            //   03471c               | add                 eax, dword ptr [edi + 0x1c]
            //   8b0428               | mov                 eax, dword ptr [eax + ebp]
            //   01e8                 | add                 eax, ebp
            //   5e                   | pop                 esi

        $sequence_49 = { 837d1000 7570 8b4df0 8b55d8 895108 8b45f0 }
            // n = 6, score = 200
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7570                 | jne                 0x72
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_50 = { e8???????? e8???????? 837dfc00 7457 8b4508 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7457                 | je                  0x59
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_51 = { 8b45f8 2bc2 8945f8 8a4de3 884dec }
            // n = 5, score = 200
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   2bc2                 | sub                 eax, edx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8a4de3               | mov                 cl, byte ptr [ebp - 0x1d]
            //   884dec               | mov                 byte ptr [ebp - 0x14], cl

        $sequence_52 = { c3 56 89c2 8b453c }
            // n = 4, score = 200
            //   c3                   | ret                 
            //   56                   | push                esi
            //   89c2                 | mov                 edx, eax
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]

        $sequence_53 = { 29c6 d1ee 037724 0fb7442efe c1e002 }
            // n = 5, score = 200
            //   29c6                 | sub                 esi, eax
            //   d1ee                 | shr                 esi, 1
            //   037724               | add                 esi, dword ptr [edi + 0x24]
            //   0fb7442efe           | movzx               eax, word ptr [esi + ebp - 2]
            //   c1e002               | shl                 eax, 2

        $sequence_54 = { 720b 8b45b8 0345c8 3945b4 760b }
            // n = 5, score = 200
            //   720b                 | jb                  0xd
            //   8b45b8               | mov                 eax, dword ptr [ebp - 0x48]
            //   0345c8               | add                 eax, dword ptr [ebp - 0x38]
            //   3945b4               | cmp                 dword ptr [ebp - 0x4c], eax
            //   760b                 | jbe                 0xd

    condition:
        7 of them and filesize < 245760
}
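The condition above means: at least 7 of the rule's hex strings must be found, and the scanned file must be smaller than 245760 bytes. The script below is an added example (not part of the Malpedia page or of the yara-signator rule) that reimplements that evaluation in plain Python for a subset of the hex strings copied from the rule, so the `??` wildcard bytes and the `N of them` / `filesize` clauses can be inspected without a YARA installation. The test buffer it builds is constructed data, not a SmokeLoader sample; the filler value written into wildcard positions stands in for an arbitrary call target. It supports only whole-byte `??` wildcards, which is all this rule uses, and it does not replace running the real rule with yara, whose `them` covers every string in the rule rather than the subset listed here.

```python
"""Pure-Python evaluator for YARA hex strings with '??' wildcards and a
'<threshold> of them and filesize < N' condition (added example)."""

# Subset of the hex strings copied from the rule above. The real rule has
# many more strings and its "7 of them" counts all of them; this subset is
# only large enough to exercise the threshold logic.
RULE_SEQUENCES = {
    "sequence_22": "c60653 56 6a00 6a00 6a00",
    "sequence_23": "55 89e5 81ec5c060000 53 56",
    "sequence_24": "fc 5f 5e 5b",
    "sequence_26": "89c6 89cf fc b280 31db a4 b302",
    "sequence_28": "ff15???????? 8b442440 85c0 7e02",
    "sequence_42": "c1c108 3208 40 803800",
    "sequence_45": "75f5 31d1 75ec 58 29c6 d1ee",
    "sequence_52": "c3 56 89c2 8b453c",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 245760    # "filesize < 245760"


def parse_hex_string(text):
    """Turn 'ff15???????? 8b44' into a list of ints, with None for '??'."""
    compact = text.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("odd number of hex digits: %r" % text)
    pattern = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        if pair == "??":
            pattern.append(None)
        elif "?" in pair:
            raise ValueError("nibble wildcards are not supported: %r" % pair)
        else:
            pattern.append(int(pair, 16))
    return pattern


def find_pattern(data, pattern):
    """Return every offset in data where pattern matches (None matches any byte)."""
    hits = []
    span = len(pattern)
    for offset in range(len(data) - span + 1):
        if all(p is None or data[offset + i] == p for i, p in enumerate(pattern)):
            hits.append(offset)
    return hits


def evaluate(data, sequences=RULE_SEQUENCES, threshold=MIN_MATCHES,
             max_size=MAX_FILESIZE):
    """Mimic 'threshold of them and filesize < max_size'.

    Returns (verdict, names_of_matching_sequences).
    """
    if len(data) >= max_size:          # the filesize clause is a strict '<'
        return False, []
    matched = [name for name, hx in sequences.items()
               if find_pattern(data, parse_hex_string(hx))]
    return len(matched) >= threshold, matched


def build_sample(names, filler=0xCC, gap=b"\x90" * 4):
    """Constructed test buffer: the named sequences back to back, separated
    by NOP padding, with wildcard bytes replaced by a filler byte (standing
    in for an arbitrary call target). Synthetic data, not a real sample."""
    chunks = []
    for name in names:
        chunks.append(bytes(filler if b is None else b
                            for b in parse_hex_string(RULE_SEQUENCES[name])))
    return gap.join(chunks)


if __name__ == "__main__":
    names = [n for n in RULE_SEQUENCES if n != "sequence_52"]
    verdict, hits = evaluate(build_sample(names))
    print("hit" if verdict else "miss", sorted(hits))
```

Dropping one more sequence from the constructed buffer takes the count to 6 and the verdict flips to a miss, and padding the buffer to 245760 bytes or more fails the size clause regardless of how many strings match, which is why loaders that inflate their own image can slip past rules with a tight `filesize` cap.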