win.smokeloader

SmokeLoader

aka: Dofoil, Sharik, Smoke, Smoke Loader

Actor(s): SMOKY SPIDER


The SmokeLoader family is a generic backdoor whose capabilities depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. It frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404, but the response body still contains data, so a 404 status alone does not mean the request was benign.

References
2020-06-22 | security.neurolabs | Marcos Alvares
@online{alvares:20200622:comparative:270905b,
  author       = {Marcos Alvares},
  title        = {{Comparative analysis between Bindiff and Diaphora - Patched Smokeloader Study Case}},
  date         = {2020-06-22},
  organization = {security.neurolabs},
  url          = {http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html},
  language     = {English},
  urldate      = {2020-06-24},
}
SmokeLoader
2020-06-21 | N1ght-W0lf Blog | Abdallah Elshinbary
@online{elshinbary:20200621:deep:1a39a3f,
  author       = {Abdallah Elshinbary},
  title        = {{Deep Analysis of SmokeLoader}},
  date         = {2020-06-21},
  organization = {N1ght-W0lf Blog},
  url          = {https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/},
  language     = {English},
  urldate      = {2020-06-22},
}
SmokeLoader
2020-05-24 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200524:examining:842b499,
  author       = {Andreas Klopsch},
  title        = {{Examining Smokeloader’s Anti Hooking technique}},
  date         = {2020-05-24},
  organization = {Malware and Stuff},
  url          = {https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/},
  language     = {English},
  urldate      = {2020-05-25},
}
SmokeLoader
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
  author      = {CrowdStrike},
  title       = {{2020 CrowdStrike Global Threat Report}},
  date        = {2020-03-04},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  language    = {English},
  urldate     = {2020-03-04},
}
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-18 | Github (DanusMinimus) | Dan Lisichkin
@online{lisichkin:20200218:analyzing:f805dad,
  author       = {Dan Lisichkin},
  title        = {{Analyzing Modern Malware Techniques Part 4: I’m afraid of no packer(Part 1 of 2)}},
  date         = {2020-02-18},
  organization = {Github (DanusMinimus)},
  url          = {https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/},
  language     = {English},
  urldate      = {2020-02-25},
}
SmokeLoader
2019-11-21 | SentinelOne | Mario Ciccarelli
@online{ciccarelli:20191121:going:0e7cac5,
  author       = {Mario Ciccarelli},
  title        = {{Going Deep | A Guide to Reversing Smoke Loader Malware}},
  date         = {2019-11-21},
  organization = {SentinelOne},
  url          = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/},
  language     = {English},
  urldate      = {2020-01-07},
}
SmokeLoader
2019-07-09 | Check Point | Israel Gubi
@online{gubi:20190709:2019:38d9134,
  author       = {Israel Gubi},
  title        = {{The 2019 Resurgence of Smokeloader}},
  date         = {2019-07-09},
  organization = {Check Point},
  url          = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/},
  language     = {English},
  urldate      = {2020-01-10},
}
SmokeLoader
2019-05-02 | Proofpoint | Bryan Campbell, Proofpoint Threat Insight Team
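@comment{The second author is a team, not a person. Without an extra brace pair BibTeX and Biber parse it as first name "Proofpoint Threat Insight" and surname "Team"; the inner braces make the whole name one indivisible surname. The citation key is left unchanged so existing citations still resolve.}
@online{campbell:20190502:2019:1fe00f6,
  author       = {Bryan Campbell and {Proofpoint Threat Insight Team}},
  title        = {{2019: The Return of Retefe}},
  date         = {2019-05-02},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe},
  language     = {English},
  urldate      = {2019-12-20},
}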
Dok Retefe SmokeLoader
2018-09-18 | int 0xcc blog | Raashid Bhat
@online{bhat:20180918:taste:e7dd98d,
  author       = {Raashid Bhat},
  title        = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}},
  date         = {2018-09-18},
  organization = {int 0xcc blog},
  url          = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait},
  language     = {English},
  urldate      = {2020-01-10},
}
SmokeLoader
2018-08-14 | Plug it, play it, burn it, rip it | Alberto Ortega
@online{ortega:20180814:antihooking:b194a7c,
  author       = {Alberto Ortega},
  title        = {{Anti-Hooking checks of SmokeLoader 2018}},
  date         = {2018-08-14},
  organization = {Plug it, play it, burn it, rip it},
  url          = {https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/},
  language     = {English},
  urldate      = {2020-01-13},
}
SmokeLoader
2018-07-18 | CERT.PL | Michał Praszmo
@online{praszmo:20180718:dissecting:aa5eca1,
  author       = {Michał Praszmo},
  title        = {{Dissecting Smoke Loader}},
  date         = {2018-07-18},
  organization = {CERT.PL},
  url          = {https://www.cert.pl/en/news/single/dissecting-smoke-loader/},
  language     = {English},
  urldate      = {2020-01-13},
}
SmokeLoader
2018-07-03 | Talos Intelligence | Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f,
  author       = {Ben Baker and Holger Unterbrink},
  title        = {{Smoking Guns - Smoke Loader learned new tricks}},
  date         = {2018-07-03},
  organization = {Talos Intelligence},
  url          = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html},
  language     = {English},
  urldate      = {2019-10-14},
}
SmokeLoader TrickBot
2018-04-16 | Spamhaus | Spamhaus Malware Labs
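@comment{Corporate author wrapped in an extra brace pair so BibTeX and Biber treat "Spamhaus Malware Labs" as one surname instead of first name "Spamhaus Malware", surname "Labs". The citation key, which was generated from that mis-parse, is kept unchanged so existing citations still resolve.}
@online{labs:20180416:smoke:b91b833,
  author       = {{Spamhaus Malware Labs}},
  title        = {{Smoke Loader malware improves after Microsoft spoils its Campaign}},
  date         = {2018-04-16},
  organization = {Spamhaus},
  url          = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign},
  language     = {English},
  urldate      = {2020-01-08},
}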
SmokeLoader
2018-04-04 | Microsoft | Microsoft Defender ATP Research Team
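@comment{Corporate author wrapped in an extra brace pair so BibTeX and Biber treat "Microsoft Defender ATP Research Team" as one surname instead of splitting off "Team" as the surname. The citation key, which was generated from that mis-parse, is kept unchanged so existing citations still resolve.}
@online{team:20180404:hunting:fe0f809,
  author       = {{Microsoft Defender ATP Research Team}},
  title        = {{Hunting down Dofoil with Windows Defender ATP}},
  date         = {2018-04-04},
  organization = {Microsoft},
  url          = {https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/},
  language     = {English},
  urldate      = {2020-01-08},
}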
SmokeLoader
2018-01-12 | Malwarebytes | Jérôme Segura
@online{segura:20180112:fake:c7bc448,
  author       = {Jérôme Segura},
  title        = {{Fake Spectre and Meltdown patch pushes Smoke Loader malware}},
  date         = {2018-01-12},
  organization = {Malwarebytes},
  url          = {https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/},
  language     = {English},
  urldate      = {2019-12-20},
}
SmokeLoader
2017-08-24 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20170824:crystal:16adb4a,
  author       = {BartBlaze},
  title        = {{Crystal Finance Millennium used to spread malware}},
  date         = {2017-08-24},
  organization = {Blaze's Security Blog},
  url          = {https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html},
  language     = {English},
  urldate      = {2020-02-01},
}
Chthonic SmokeLoader
2017-08-04 | PhishLabs | Jason Davison
@online{davison:20170804:smoke:06d64d3,
  author       = {Jason Davison},
  title        = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}},
  date         = {2017-08-04},
  organization = {PhishLabs},
  url          = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis},
  language     = {English},
  urldate      = {2020-01-08},
}
SmokeLoader
2017-04-03 | Malware Breakdown | Malware Breakdown
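@comment{Corporate author wrapped in an extra brace pair so BibTeX and Biber treat "Malware Breakdown" as one surname instead of first name "Malware", surname "Breakdown". The citation key, which was generated from that mis-parse, is kept unchanged so existing citations still resolve.}
@online{breakdown:20170403:shadow:962f78d,
  author       = {{Malware Breakdown}},
  title        = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}},
  date         = {2017-04-03},
  organization = {Malware Breakdown},
  url          = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/},
  language     = {English},
  urldate      = {2019-12-18},
}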
SmokeLoader
2016-10-17 | Malwarebytes | Jérôme Segura
@online{segura:20161017:newlooking:3e62740,
  author       = {Jérôme Segura},
  title        = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}},
  date         = {2016-10-17},
  organization = {Malwarebytes},
  url          = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/},
  language     = {English},
  urldate      = {2019-12-20},
}
Kronos SmokeLoader
2016-08-05 | Malwarebytes | Malwarebytes Labs
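@comment{Corporate author wrapped in an extra brace pair so BibTeX and Biber treat "Malwarebytes Labs" as one surname instead of first name "Malwarebytes", surname "Labs". The citation key, which was generated from that mis-parse, is kept unchanged so existing citations still resolve.}
@online{labs:20160805:smoke:afada56,
  author       = {{Malwarebytes Labs}},
  title        = {{Smoke Loader – downloader with a smokescreen still alive}},
  date         = {2016-08-05},
  organization = {Malwarebytes},
  url          = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/},
  language     = {English},
  urldate      = {2019-12-20},
}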
SmokeLoader
2014-10-05 | Eternal Todo | Jose Miguel Esparza
@online{esparza:20141005:dissecting:93f306b,
  author       = {Jose Miguel Esparza},
  title        = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}},
  date         = {2014-10-05},
  organization = {Eternal Todo},
  url          = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo},
  language     = {English},
  urldate      = {2020-01-13},
}
SmokeLoader
Yara Rules
[TLP:WHITE] win_smokeloader_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_smokeloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 8d45f0 50 8d45e8 50 8d45e0 50 }
            // n = 7, score = 1300
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax

        $sequence_1 = { 8bf0 8d45dc 50 6a00 53 }
            // n = 5, score = 1100
            //   8bf0                 | mov                 esi, eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   53                   | push                ebx

        $sequence_2 = { 57 ff15???????? 6a00 6800000002 }
            // n = 4, score = 1100
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6800000002           | push                0x2000000

        $sequence_3 = { 6a00 53 ff15???????? 8d45f0 }
            // n = 4, score = 1100
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_4 = { 8d45e0 50 56 ff15???????? 56 ff15???????? }
            // n = 6, score = 1100
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_5 = { 668ce8 6685c0 7406 fe05???????? }
            // n = 4, score = 900
            //   668ce8               | mov                 ax, gs
            //   6685c0               | test                ax, ax
            //   7406                 | je                  8
            //   fe05????????         |                     

        $sequence_6 = { ff15???????? bf90010000 8bcf e8???????? }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   bf90010000           | mov                 edi, 0x190
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_7 = { 8d45f0 50 56 681f000f00 57 ff15???????? }
            // n = 6, score = 800
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   56                   | push                esi
            //   681f000f00           | push                0xf001f
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_8 = { 33c0 e9???????? e8???????? b904010000 }
            // n = 4, score = 800
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   e8????????           |                     
            //   b904010000           | mov                 ecx, 0x104

        $sequence_9 = { 56 ff15???????? 50 56 6a00 ff15???????? }
            // n = 6, score = 800
            //   56                   | push                esi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_10 = { 56 6800000008 6a40 8d45f0 50 }
            // n = 5, score = 800
            //   56                   | push                esi
            //   6800000008           | push                0x8000000
            //   6a40                 | push                0x40
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_11 = { 8b07 03c3 50 ff15???????? }
            // n = 4, score = 800
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_12 = { 6a40 56 6a01 8d45f8 50 }
            // n = 5, score = 800
            //   6a40                 | push                0x40
            //   56                   | push                esi
            //   6a01                 | push                1
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        $sequence_13 = { 681f000f00 50 ff15???????? 6800a00f00 50 a3???????? }
            // n = 6, score = 800
            //   681f000f00           | push                0xf001f
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6800a00f00           | push                0xfa000
            //   50                   | push                eax
            //   a3????????           |                     

        $sequence_14 = { ff15???????? 8325????????00 e8???????? 8b0d???????? }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   8325????????00       |                     
            //   e8????????           |                     
            //   8b0d????????         |                     

        $sequence_15 = { e8???????? ff75f8 ff15???????? 5e 8bc7 }
            // n = 5, score = 800
            //   e8????????           |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8bc7                 | mov                 eax, edi

        $sequence_16 = { 83f920 72f0 eb19 8365fc00 8d45fc }
            // n = 5, score = 800
            //   83f920               | cmp                 ecx, 0x20
            //   72f0                 | jb                  0xfffffff2
            //   eb19                 | jmp                 0x1b
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d45fc               | lea                 eax, [ebp - 4]

        $sequence_17 = { c70200000000 6800800000 52 51 }
            // n = 4, score = 500
            //   c70200000000         | push                ebx
            //   6800800000           | lea                 ecx, [ebp - 0x214]
            //   52                   | lea                 edx, [ebp - 0x210]
            //   51                   | push                eax

        $sequence_18 = { 01d4 8d85f0fdffff 8b750c 8b7d10 }
            // n = 4, score = 500
            //   01d4                 | mov                 dword ptr [ebp - 0x84], ecx
            //   8d85f0fdffff         | mov                 edx, dword ptr [ebp - 0x84]
            //   8b750c               | mov                 edx, dword ptr [ebp - 0x40]
            //   8b7d10               | mov                 dword ptr [ecx + 0x14], edx

        $sequence_19 = { 8d8decfdffff 8d95f0fdffff c70200000000 6800800000 }
            // n = 4, score = 500
            //   8d8decfdffff         | mov                 esi, dword ptr [ebp + 0xc]
            //   8d95f0fdffff         | mov                 edi, dword ptr [ebp + 0x10]
            //   c70200000000         | push                dword ptr [ebp - 0x210]
            //   6800800000           | push                eax

        $sequence_20 = { 89c6 6804010000 56 57 }
            // n = 4, score = 500
            //   89c6                 | mov                 esi, dword ptr [ebp + 0xc]
            //   6804010000           | mov                 edi, dword ptr [ebp + 0x10]
            //   56                   | push                eax
            //   57                   | push                edi

        $sequence_21 = { 8b4514 898608020000 56 6aff }
            // n = 4, score = 500
            //   8b4514               | push                edx
            //   898608020000         | lea                 eax, [ebp - 0x210]
            //   56                   | mov                 esi, dword ptr [ebp + 0xc]
            //   6aff                 | mov                 edi, dword ptr [ebp + 0x10]

        $sequence_22 = { 31c0 66894603 8d8de8fdffff 50 50 }
            // n = 5, score = 500
            //   31c0                 | mov                 eax, dword ptr [ebp - 0x1c]
            //   66894603             | push                eax
            //   8d8de8fdffff         | je                  0x6f
            //   50                   | mov                 eax, dword ptr [ebp - 0x10]
            //   50                   | mov                 ecx, dword ptr [eax + 0xc]

        $sequence_23 = { 50 53 e8???????? 8d8decfdffff 8d95f0fdffff }
            // n = 5, score = 500
            //   50                   | mov                 byte ptr [ebp - 0x3e], 0x64
            //   53                   | mov                 byte ptr [ebp - 0x3d], 0x6c
            //   e8????????           |                     
            //   8d8decfdffff         | mov                 byte ptr [ebp - 0x3c], 0x6c
            //   8d95f0fdffff         | sub                 esp, 0xc

        $sequence_24 = { e8???????? 2500300038 005800 2500300038 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   2500300038           | mov                 edx, dword ptr [ebp - 0x2c]
            //   005800               | mov                 dword ptr [ecx + 0x20], edx
            //   2500300038           | push                0x3fc1bd8d

        $sequence_25 = { 30d0 aa e2f3 7505 }
            // n = 4, score = 400
            //   30d0                 | lea                 ecx, [ebp - 0x214]
            //   aa                   | lea                 edx, [ebp - 0x210]
            //   e2f3                 | mov                 dword ptr [edx], 0
            //   7505                 | push                0x8000

        $sequence_26 = { 89c6 89cf fc b280 31db a4 }
            // n = 6, score = 400
            //   89c6                 | mov                 esi, eax
            //   89cf                 | mov                 edi, ecx
            //   fc                   | cld                 
            //   b280                 | mov                 dl, 0x80
            //   31db                 | xor                 ebx, ebx
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]

        $sequence_27 = { ff15???????? 8b442440 85c0 7e02 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   85c0                 | test                eax, eax
            //   7e02                 | jle                 4

        $sequence_28 = { 7d0b 498bc9 e8???????? 4c8bc8 488b5c2430 488b6c2438 }
            // n = 6, score = 300
            //   7d0b                 | mov                 esp, ecx
            //   498bc9               | dec                 eax
            //   e8????????           |                     
            //   4c8bc8               | mov                 dword ptr [esp + 0x28], eax
            //   488b5c2430           | dec                 eax
            //   488b6c2438           | and                 dword ptr [esp + 0x20], 0

        $sequence_29 = { 41bc01000000 458af4 eb5b 488bcf e8???????? }
            // n = 5, score = 300
            //   41bc01000000         | push                edi
            //   458af4               | inc                 ebx
            //   eb5b                 | cmp                 ebx, 0xf
            //   488bcf               | mov                 eax, dword ptr [ebp + 0x14]
            //   e8????????           |                     

        $sequence_30 = { 4155 4156 4157 488d68a1 4881ec90000000 4c8be1 }
            // n = 6, score = 300
            //   4155                 | inc                 ecx
            //   4156                 | push                ebp
            //   4157                 | inc                 ecx
            //   488d68a1             | push                esi
            //   4881ec90000000       | inc                 ecx
            //   4c8be1               | push                edi

        $sequence_31 = { 4889442428 488364242000 498bcf e8???????? 488bc8 488bf8 e8???????? }
            // n = 7, score = 300
            //   4889442428           | dec                 eax
            //   488364242000         | lea                 ebp, [eax - 0x5f]
            //   498bcf               | dec                 eax
            //   e8????????           |                     
            //   488bc8               | sub                 esp, 0x90
            //   488bf8               | dec                 esp
            //   e8????????           |                     

        $sequence_32 = { 488975df 41b910000000 4c8d45d7 eb22 2b75e7 41b907000000 }
            // n = 6, score = 300
            //   488975df             | dec                 ecx
            //   41b910000000         | mov                 ecx, edi
            //   4c8d45d7             | dec                 eax
            //   eb22                 | mov                 ecx, eax
            //   2b75e7               | dec                 eax
            //   41b907000000         | mov                 edi, eax

        $sequence_33 = { 85d2 745b 4f 8d1c10 41 8b4b18 }
            // n = 6, score = 200
            //   85d2                 | jmp                 0x6d
            //   745b                 | dec                 eax
            //   4f                   | mov                 ecx, edi
            //   8d1c10               | mov                 byte ptr [edx], al
            //   41                   | dec                 eax
            //   8b4b18               | inc                 edx

        $sequence_34 = { eb09 8b4d8c 83c101 894d8c 8b55fc 0fb74202 39458c }
            // n = 7, score = 200
            //   eb09                 | lea                 eax, [ebp - 0x29]
            //   8b4d8c               | jmp                 0x3c
            //   83c101               | sub                 esi, dword ptr [ebp - 0x19]
            //   894d8c               | inc                 ecx
            //   8b55fc               | mov                 ecx, 7
            //   0fb74202             | inc                 esp
            //   39458c               | movzx               edx, al

        $sequence_35 = { 31c9 c1c108 3208 40 803800 }
            // n = 5, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   c1c108               | rol                 ecx, 8
            //   3208                 | xor                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   803800               | cmp                 byte ptr [eax], 0

        $sequence_36 = { 83ec54 c645c06e c645c174 c645c264 c645c36c c645c46c }
            // n = 6, score = 200
            //   83ec54               | mov                 byte ptr [esp + edx], dl
            //   c645c06e             | inc                 edx
            //   c645c174             | movzx               ecx, byte ptr [esp + ecx]
            //   c645c264             | add                 ecx, edx
            //   c645c36c             | mov                 dword ptr [ebp - 0x60], eax
            //   c645c46c             | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_37 = { e8???????? 8945a0 e8???????? 8945e4 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8945a0               | mov                 ebx, dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   8945e4               | dec                 eax

        $sequence_38 = { 48 897dc0 6685f6 7453 48 }
            // n = 5, score = 200
            //   48                   | dec                 ecx
            //   897dc0               | dec                 ecx
            //   6685f6               | jne                 0xffffffe3
            //   7453                 | xor                 al, dl
            //   48                   | stosb               byte ptr es:[edi], al

        $sequence_39 = { e8???????? 43 7265 61 7465 54 6872656164 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   43                   | dec                 eax
            //   7265                 | mov                 ecx, eax
            //   61                   | call                dword ptr [ebp - 0x10]
            //   7465                 | dec                 eax
            //   54                   | add                 byte ptr gs:[eax + 0x48], bl
            //   6872656164           | mov                 ecx, dword ptr [ebp - 0x38]

        $sequence_40 = { 56 89c2 8b453c 8b7c2878 01ef 8b7720 01ee }
            // n = 7, score = 200
            //   56                   | push                esi
            //   89c2                 | mov                 edx, eax
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]
            //   8b7c2878             | mov                 edi, dword ptr [eax + ebp + 0x78]
            //   01ef                 | add                 edi, ebp
            //   8b7720               | mov                 esi, dword ptr [edi + 0x20]
            //   01ee                 | add                 esi, ebp

        $sequence_41 = { 8b8578ffffff 50 e8???????? 8945ac 8b4da0 8b55ac }
            // n = 6, score = 200
            //   8b8578ffffff         | inc                 edx
            //   50                   | mov                 al, byte ptr [esp + edx]
            //   e8????????           |                     
            //   8945ac               | inc                 edx
            //   8b4da0               | mov                 byte ptr [esp + ecx], al
            //   8b55ac               | inc                 edx

        $sequence_42 = { d1ee 037724 0fb7442efe c1e002 }
            // n = 4, score = 200
            //   d1ee                 | shr                 esi, 1
            //   037724               | add                 esi, dword ptr [edi + 0x24]
            //   0fb7442efe           | movzx               eax, word ptr [esi + ebp - 2]
            //   c1e002               | shl                 eax, 2

        $sequence_43 = { 0345c8 3945b4 760b 6a00 8b4dac 51 e8???????? }
            // n = 7, score = 200
            // NOTE(review): the listing below is re-derived from the byte string (32-bit decode,
            // branch targets relative to the instruction's own start); the previous annotation
            // did not correspond to these opcodes.
            //   0345c8               | add                 eax, dword ptr [ebp - 0x38]
            //   3945b4               | cmp                 dword ptr [ebp - 0x4c], eax
            //   760b                 | jbe                 0xd
            //   6a00                 | push                0
            //   8b4dac               | mov                 ecx, dword ptr [ebp - 0x54]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_44 = { 75f5 31d1 75ec 58 }
            // n = 4, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   31d1                 | xor                 ecx, edx
            //   75ec                 | jne                 0xffffffee
            //   58                   | pop                 eax

        $sequence_45 = { 668b0c4f 41 8b7b1c 4c 01c7 }
            // n = 5, score = 200
            // NOTE(review): the listing below is re-derived from the byte string (32-bit decode);
            // the previous annotation did not correspond to these opcodes.
            //   668b0c4f             | mov                 cx, word ptr [edi + ecx*2]
            //   41                   | inc                 ecx
            //   8b7b1c               | mov                 edi, dword ptr [ebx + 0x1c]
            //   4c                   | dec                 esp
            //   01c7                 | add                 edi, eax

        $sequence_46 = { 8b4da0 8b55d4 895120 688dbdc13f 8b45e4 50 }
            // n = 6, score = 200
            // NOTE(review): the listing below is re-derived from the byte string (32-bit decode);
            // the previous annotation did not correspond to these opcodes.
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   895120               | mov                 dword ptr [ecx + 0x20], edx
            //   688dbdc13f           | push                0x3fc1bd8d
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_47 = { 56 ad 01e8 31c9 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   01e8                 | add                 eax, ebp
            //   31c9                 | xor                 ecx, ecx

        $sequence_48 = { 746d 8b45f0 8b480c 898d7cffffff 8b957cffffff }
            // n = 5, score = 200
            // NOTE(review): the listing below is re-derived from the byte string (32-bit decode,
            // branch target relative to the instruction's own start); the previous annotation
            // did not correspond to these opcodes.
            //   746d                 | je                  0x6f
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   898d7cffffff         | mov                 dword ptr [ebp - 0x84], ecx
            //   8b957cffffff         | mov                 edx, dword ptr [ebp - 0x84]

        $sequence_49 = { 48 89442428 ff55e8 48 89c1 ff55f0 48 }
            // n = 7, score = 200
            // NOTE(review): the listing below is re-derived from the byte string using the
            // 32-bit decode the rest of the rule uses; the previous annotation did not
            // correspond to these opcodes. In 64-bit mode 0x48 is a REX.W prefix rather than
            // "dec eax", so this sequence presumably comes from an x64 build — confirm against
            // the source sample.
            //   48                   | dec                 eax
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   ff55e8               | call                dword ptr [ebp - 0x18]
            //   48                   | dec                 eax
            //   89c1                 | mov                 ecx, eax
            //   ff55f0               | call                dword ptr [ebp - 0x10]
            //   48                   | dec                 eax

        $sequence_50 = { 65005848 8b4dc8 48 89c2 }
            // n = 4, score = 200
            // NOTE(review): the listing below is re-derived from the byte string using the
            // 32-bit decode the rest of the rule uses; the previous annotation did not
            // correspond to these opcodes. The leading gs-prefixed "add" and the bare 0x48
            // (a REX.W prefix in 64-bit mode) suggest the sequence was cut mid-instruction
            // from an x64 build — confirm against the source sample.
            //   65005848             | add                 byte ptr gs:[eax + 0x48], bl
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   48                   | dec                 eax
            //   89c2                 | mov                 edx, eax

        $sequence_51 = { ad 85c0 75f3 c3 }
            // n = 4, score = 200
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   75f3                 | jne                 0xfffffff5
            //   c3                   | ret                 

        $sequence_52 = { 83ec0c e8???????? 8945f8 8b45f8 8b4864 894df4 ff750c }
            // n = 7, score = 200
            // NOTE(review): the listing below is re-derived from the byte string (32-bit decode);
            // the previous annotation did not correspond to these opcodes.
            //   83ec0c               | sub                 esp, 0xc
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4864               | mov                 ecx, dword ptr [eax + 0x64]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_53 = { 5e c3 60 89c6 89cf }
            // n = 5, score = 200
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   60                   | pushal              
            //   89c6                 | mov                 esi, eax
            //   89cf                 | mov                 edi, ecx

        $sequence_54 = { 48 89c2 ff55d8 48 8945f0 }
            // n = 5, score = 200
            // NOTE(review): the listing below is re-derived from the byte string using the
            // 32-bit decode the rest of the rule uses; the previous annotation did not
            // correspond to these opcodes. In 64-bit mode 0x48 is a REX.W prefix rather than
            // "dec eax", so this sequence presumably comes from an x64 build — confirm against
            // the source sample.
            //   48                   | dec                 eax
            //   89c2                 | mov                 edx, eax
            //   ff55d8               | call                dword ptr [ebp - 0x28]
            //   48                   | dec                 eax
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

    condition:
        // Match when any 7 of the $sequence_* byte strings are present, restricted to
        // files under 245760 bytes (240 KiB) to bound the scan cost and cut false positives
        // on large binaries that happen to share a few generic opcode runs.
        7 of them and filesize < 245760
}