win.smokeloader

SmokeLoader

aka: Dofoil, Smoke

The SmokeLoader family is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. It frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download request returns an HTTP 404, but the response body still contains data.

References
2019-11-21 ⋅ SentinelOne ⋅ Mario Ciccarelli
@online{ciccarelli:20191121:going:0e7cac5, author = {Mario Ciccarelli}, title = {{Going Deep | A Guide to Reversing Smoke Loader Malware}}, date = {2019-11-21}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/}, language = {English}, urldate = {2020-01-07} } Going Deep | A Guide to Reversing Smoke Loader Malware
SmokeLoader
2019-07-09 ⋅ Check Point ⋅ Israel Gubi
@online{gubi:20190709:2019:38d9134, author = {Israel Gubi}, title = {{The 2019 Resurgence of Smokeloader}}, date = {2019-07-09}, organization = {Check Point}, url = {https://research.checkpoint.com/2019-resurgence-of-smokeloader/}, language = {English}, urldate = {2020-01-10} } The 2019 Resurgence of Smokeloader
SmokeLoader
2019-05-02 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team
@online{campbell:20190502:2019:1fe00f6, author = {Bryan Campbell and Proofpoint Threat Insight Team}, title = {{2019: The Return of Retefe}}, date = {2019-05-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe}, language = {English}, urldate = {2019-12-20} } 2019: The Return of Retefe
Dok Retefe SmokeLoader
2018-09-18 ⋅ int 0xcc blog ⋅ Raashid Bhat
@online{bhat:20180918:taste:e7dd98d, author = {Raashid Bhat}, title = {{A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait}}, date = {2018-09-18}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait}, language = {English}, urldate = {2020-01-10} } A taste of our own medicine: How SmokeLoader is deceiving configuration extraction by using binary code as bait
SmokeLoader
2018-08-14 ⋅ Plug it, play it, burn it, rip it ⋅ Alberto Ortega
@online{ortega:20180814:antihooking:b194a7c, author = {Alberto Ortega}, title = {{Anti-Hooking checks of SmokeLoader 2018}}, date = {2018-08-14}, organization = {Plug it, play it, burn it, rip it}, url = {https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/}, language = {English}, urldate = {2020-01-13} } Anti-Hooking checks of SmokeLoader 2018
SmokeLoader
2018-07-18 ⋅ CERT.PL ⋅ Michał Praszmo
@online{praszmo:20180718:dissecting:aa5eca1, author = {Michał Praszmo}, title = {{Dissecting Smoke Loader}}, date = {2018-07-18}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/dissecting-smoke-loader/}, language = {English}, urldate = {2020-01-13} } Dissecting Smoke Loader
SmokeLoader
2018-07-03 ⋅ Talos Intelligence ⋅ Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-04-16 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
@online{labs:20180416:smoke:b91b833, author = {Spamhaus Malware Labs}, title = {{Smoke Loader malware improves after Microsoft spoils its Campaign}}, date = {2018-04-16}, organization = {Spamhaus}, url = {https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign}, language = {English}, urldate = {2020-01-08} } Smoke Loader malware improves after Microsoft spoils its Campaign
SmokeLoader
2018-04-04 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
@online{team:20180404:hunting:fe0f809, author = {Microsoft Defender ATP Research Team}, title = {{Hunting down Dofoil with Windows Defender ATP}}, date = {2018-04-04}, organization = {Microsoft}, url = {https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/}, language = {English}, urldate = {2020-01-08} } Hunting down Dofoil with Windows Defender ATP
SmokeLoader
2018-01-12 ⋅ Malwarebytes ⋅ Jérôme Segura
@online{segura:20180112:fake:c7bc448, author = {Jérôme Segura}, title = {{Fake Spectre and Meltdown patch pushes Smoke Loader malware}}, date = {2018-01-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/}, language = {English}, urldate = {2019-12-20} } Fake Spectre and Meltdown patch pushes Smoke Loader malware
SmokeLoader
2017-08-04 ⋅ PhishLabs ⋅ Jason Davison
@online{davison:20170804:smoke:06d64d3, author = {Jason Davison}, title = {{Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis}}, date = {2017-08-04}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis}, language = {English}, urldate = {2020-01-08} } Smoke Loader Adds Additional Obfuscation Methods to Mitigate Analysis
SmokeLoader
2017-04-03 ⋅ Malware Breakdown ⋅ Malware Breakdown
@online{breakdown:20170403:shadow:962f78d, author = {Malware Breakdown}, title = {{Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader}}, date = {2017-04-03}, organization = {Malware Breakdown}, url = {https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/}, language = {English}, urldate = {2019-12-18} } Shadow Server Domains Leading to RIG Exploit Kit Dropping Smoke Loader
SmokeLoader
2016-10-17 ⋅ Malwarebytes ⋅ Jérôme Segura
@online{segura:20161017:newlooking:3e62740, author = {Jérôme Segura}, title = {{New-looking Sundown EK drops Smoke Loader, Kronos banker}}, date = {2016-10-17}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/}, language = {English}, urldate = {2019-12-20} } New-looking Sundown EK drops Smoke Loader, Kronos banker
Kronos SmokeLoader
2016-08-05 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20160805:smoke:afada56, author = {Malwarebytes Labs}, title = {{Smoke Loader – downloader with a smokescreen still alive}}, date = {2016-08-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/}, language = {English}, urldate = {2019-12-20} } Smoke Loader – downloader with a smokescreen still alive
SmokeLoader
2014-10-05 ⋅ Eternal Todo ⋅ Jose Miguel Esparza
@online{esparza:20141005:dissecting:93f306b, author = {Jose Miguel Esparza}, title = {{Dissecting SmokeLoader (or Yulia's sweet ass proposition)}}, date = {2014-10-05}, organization = {Eternal Todo}, url = {https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo}, language = {English}, urldate = {2020-01-13} } Dissecting SmokeLoader (or Yulia's sweet ass proposition)
SmokeLoader
Yara Rules
[TLP:WHITE] win_smokeloader_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_smokeloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Each $sequence_N below is a short run of x86 instruction bytes taken
     * from unpacked code. "??" wildcards mask the operand bytes of
     * instructions whose encoding depends on addresses (ff15 = call dword
     * ptr [addr], e8 = call rel32, e9 = jmp rel32, fe05 = inc byte ptr
     * [addr], 8325 = and dword ptr [addr], imm8, 8b0d = mov ecx, [addr]),
     * so those sequences still match across differing load addresses.
     * The condition requires any 7 of the 55 sequences, so one sequence
     * hitting unrelated code does not by itself produce a match; "n" is
     * the instruction count and "score" is the generator's weight for the
     * sequence.
     * In the generated output the disassembly annotations of $sequence_17,
     * 18, 19, 21, 22, 25, 27, 31 and 42-53 were misaligned with their
     * bytes; they have been re-decoded here. $sequence_43 and $sequence_49
     * carry REX prefixes and are annotated as x86-64 code; the 32-bit
     * reading is given where it differs. Annotations are documentation
     * only and do not affect matching.
     */

    strings:
        $sequence_0 = { ff15???????? 8d45f0 50 8d45e8 50 8d45e0 }
            // n = 6, score = 1100
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]

        $sequence_1 = { 8d45e0 50 56 ff15???????? 56 }
            // n = 5, score = 900
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_2 = { 57 ff15???????? 6a00 6800000002 6a03 6a00 6a03 }
            // n = 7, score = 900
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6800000002           | push                0x2000000
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a03                 | push                3

        $sequence_3 = { ff15???????? 8bf0 8d45dc 50 6a00 53 }
            // n = 6, score = 900
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   53                   | push                ebx

        $sequence_4 = { 6a00 53 ff15???????? 8d45f0 }
            // n = 4, score = 900
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]

        $sequence_5 = { 668ce8 6685c0 7406 fe05???????? }
            // n = 4, score = 800
            //   668ce8               | mov                 ax, gs
            //   6685c0               | test                ax, ax
            //   7406                 | je                  8
            //   fe05????????         |                     

        $sequence_6 = { 8b07 03c3 50 ff15???????? }
            // n = 4, score = 700
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 56 6800000008 6a40 8d45f0 50 }
            // n = 5, score = 700
            //   56                   | push                esi
            //   6800000008           | push                0x8000000
            //   6a40                 | push                0x40
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_8 = { e8???????? ff75f8 ff15???????? 5e 8bc7 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8bc7                 | mov                 eax, edi

        $sequence_9 = { ff15???????? 50 56 6a00 ff15???????? }
            // n = 5, score = 700
            //   ff15????????         |                     
            //   50                   | push                eax
            //   56                   | push                esi
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_10 = { 72f0 eb19 8365fc00 8d45fc 50 }
            // n = 5, score = 700
            //   72f0                 | jb                  0xfffffff2
            //   eb19                 | jmp                 0x1b
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_11 = { 53 8bf0 ff15???????? 33ff }
            // n = 4, score = 700
            //   53                   | push                ebx
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   33ff                 | xor                 edi, edi

        $sequence_12 = { 83c410 56 53 53 ff15???????? }
            // n = 5, score = 700
            //   83c410               | add                 esp, 0x10
            //   56                   | push                esi
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_13 = { ff15???????? bf90010000 8bcf e8???????? }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   bf90010000           | mov                 edi, 0x190
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_14 = { 6a40 56 6a01 8d45f8 50 }
            // n = 5, score = 700
            //   6a40                 | push                0x40
            //   56                   | push                esi
            //   6a01                 | push                1
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        $sequence_15 = { 7507 33c0 e9???????? e8???????? b904010000 }
            // n = 5, score = 600
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   e8????????           |                     
            //   b904010000           | mov                 ecx, 0x104

        $sequence_16 = { ff15???????? 8325?????????? e8???????? 8b0d???????? }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   8325??????????       |                     
            //   e8????????           |                     
            //   8b0d????????         |                     

        $sequence_17 = { 8d95f0fdffff c70200000000 6800800000 52 }
            // n = 4, score = 500
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   6800800000           | push                0x8000
            //   52                   | push                edx

        $sequence_18 = { 6800800000 52 51 6aff }
            // n = 4, score = 500
            //   6800800000           | push                0x8000
            //   52                   | push                edx
            //   51                   | push                ecx
            //   6aff                 | push                -1

        $sequence_19 = { 66894603 8d8de8fdffff 50 50 50 50 }
            // n = 6, score = 500
            //   66894603             | mov                 word ptr [esi + 3], ax
            //   8d8de8fdffff         | lea                 ecx, [ebp - 0x218]
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_20 = { 60 8b4e54 81ee00010000 89c7 }
            // n = 4, score = 500
            //   60                   | pushal              
            //   8b4e54               | mov                 ecx, dword ptr [esi + 0x54]
            //   81ee00010000         | sub                 esi, 0x100
            //   89c7                 | mov                 edi, eax

        $sequence_21 = { 8985ecfdffff ffb5f0fdffff 50 53 }
            // n = 4, score = 500
            //   8985ecfdffff         | mov                 dword ptr [ebp - 0x214], eax
            //   ffb5f0fdffff         | push                dword ptr [ebp - 0x210]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_22 = { e8???????? 8d8decfdffff 8d95f0fdffff c70200000000 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   8d8decfdffff         | lea                 ecx, [ebp - 0x214]
            //   8d95f0fdffff         | lea                 edx, [ebp - 0x210]
            //   c70200000000         | mov                 dword ptr [edx], 0

        $sequence_23 = { 83c608 31c0 66ad a900300000 740b 25ff0f0000 }
            // n = 6, score = 500
            //   83c608               | add                 esi, 8
            //   31c0                 | xor                 eax, eax
            //   66ad                 | lodsw               ax, word ptr [esi]
            //   a900300000           | test                eax, 0x3000
            //   740b                 | je                  0xd
            //   25ff0f0000           | and                 eax, 0xfff

        $sequence_24 = { 8b7e0c 01c7 8b7614 01ee }
            // n = 4, score = 500
            //   8b7e0c               | mov                 edi, dword ptr [esi + 0xc]
            //   01c7                 | add                 edi, eax
            //   8b7614               | mov                 esi, dword ptr [esi + 0x14]
            //   01ee                 | add                 esi, ebp

        $sequence_25 = { c60653 56 6a00 6a00 6a00 }
            // n = 5, score = 500
            //   c60653               | mov                 byte ptr [esi], 0x53
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_26 = { f3a4 5e 83c628 59 }
            // n = 4, score = 500
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   5e                   | pop                 esi
            //   83c628               | add                 esi, 0x28
            //   59                   | pop                 ecx

        $sequence_27 = { 01d4 8d85f0fdffff 8b750c 8b7d10 50 57 56 }
            // n = 7, score = 500
            //   01d4                 | add                 esp, edx
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_28 = { 2910 e2ea ebd4 61 }
            // n = 4, score = 500
            //   2910                 | sub                 dword ptr [eax], edx
            //   e2ea                 | loop                0xffffffec
            //   ebd4                 | jmp                 0xffffffd6
            //   61                   | popal               

        $sequence_29 = { 8b4e04 83e908 d1e9 83c608 31c0 66ad }
            // n = 6, score = 500
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   83e908               | sub                 ecx, 8
            //   d1e9                 | shr                 ecx, 1
            //   83c608               | add                 esi, 8
            //   31c0                 | xor                 eax, eax
            //   66ad                 | lodsw               ax, word ptr [esi]

        $sequence_30 = { 29da 8db088000000 8b36 85f6 742e 01de 833e00 }
            // n = 7, score = 500
            //   29da                 | sub                 edx, ebx
            //   8db088000000         | lea                 esi, [eax + 0x88]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   85f6                 | test                esi, esi
            //   742e                 | je                  0x30
            //   01de                 | add                 esi, ebx
            //   833e00               | cmp                 dword ptr [esi], 0

        $sequence_31 = { 50 53 e8???????? 8d8decfdffff }
            // n = 4, score = 500
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8d8decfdffff         | lea                 ecx, [ebp - 0x214]

        $sequence_32 = { 742e 01de 833e00 7427 8b3e 8b4e04 83e908 }
            // n = 7, score = 500
            //   742e                 | je                  0x30
            //   01de                 | add                 esi, ebx
            //   833e00               | cmp                 dword ptr [esi], 0
            //   7427                 | je                  0x29
            //   8b3e                 | mov                 edi, dword ptr [esi]
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   83e908               | sub                 ecx, 8

        $sequence_33 = { 31c9 648b7130 8b760c 8b761c 8b6e08 8b7e20 8b36 }
            // n = 7, score = 300
            //   31c9                 | xor                 ecx, ecx
            //   648b7130             | mov                 esi, dword ptr fs:[ecx + 0x30]
            //   8b760c               | mov                 esi, dword ptr [esi + 0xc]
            //   8b761c               | mov                 esi, dword ptr [esi + 0x1c]
            //   8b6e08               | mov                 ebp, dword ptr [esi + 8]
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   8b36                 | mov                 esi, dword ptr [esi]

        $sequence_34 = { 85c0 75f3 c3 56 89c2 8b453c }
            // n = 6, score = 300
            //   85c0                 | test                eax, eax
            //   75f3                 | jne                 0xfffffff5
            //   c3                   | ret                 
            //   56                   | push                esi
            //   89c2                 | mov                 edx, eax
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]

        $sequence_35 = { 89d0 c1e205 01c2 31c0 ac 01c2 85c0 }
            // n = 7, score = 300
            //   89d0                 | mov                 eax, edx
            //   c1e205               | shl                 edx, 5
            //   01c2                 | add                 edx, eax
            //   31c0                 | xor                 eax, eax
            //   ac                   | lodsb               al, byte ptr [esi]
            //   01c2                 | add                 edx, eax
            //   85c0                 | test                eax, eax

        $sequence_36 = { d1ee 037724 0fb7442efe c1e002 03471c 8b0428 }
            // n = 6, score = 300
            //   d1ee                 | shr                 esi, 1
            //   037724               | add                 esi, dword ptr [edi + 0x24]
            //   0fb7442efe           | movzx               eax, word ptr [esi + ebp - 2]
            //   c1e002               | shl                 eax, 2
            //   03471c               | add                 eax, dword ptr [edi + 0x1c]
            //   8b0428               | mov                 eax, dword ptr [eax + ebp]

        $sequence_37 = { e8???????? 8946fc ad 85c0 75f3 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   8946fc               | mov                 dword ptr [esi - 4], eax
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   75f3                 | jne                 0xfffffff5

        $sequence_38 = { c1c108 3208 40 803800 }
            // n = 4, score = 300
            //   c1c108               | rol                 ecx, 8
            //   3208                 | xor                 cl, byte ptr [eax]
            //   40                   | inc                 eax
            //   803800               | cmp                 byte ptr [eax], 0

        $sequence_39 = { 56 89c2 8b453c 8b7c2878 01ef 8b7720 01ee }
            // n = 7, score = 300
            //   56                   | push                esi
            //   89c2                 | mov                 edx, eax
            //   8b453c               | mov                 eax, dword ptr [ebp + 0x3c]
            //   8b7c2878             | mov                 edi, dword ptr [eax + ebp + 0x78]
            //   01ef                 | add                 edi, ebp
            //   8b7720               | mov                 esi, dword ptr [edi + 0x20]
            //   01ee                 | add                 esi, ebp

        $sequence_40 = { 75f5 31d1 75ec 58 29c6 d1ee }
            // n = 6, score = 300
            //   75f5                 | jne                 0xfffffff7
            //   31d1                 | xor                 ecx, edx
            //   75ec                 | jne                 0xffffffee
            //   58                   | pop                 eax
            //   29c6                 | sub                 esi, eax
            //   d1ee                 | shr                 esi, 1

        $sequence_41 = { ad 01e8 31c9 c1c108 }
            // n = 4, score = 300
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   01e8                 | add                 eax, ebp
            //   31c9                 | xor                 ecx, ecx
            //   c1c108               | rol                 ecx, 8

        $sequence_42 = { 8b55e0 52 6a00 68ffff1f00 e8???????? 8945ac 6a00 }
            // n = 7, score = 200
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   68ffff1f00           | push                0x1fffff
            //   e8????????           |                     
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   6a00                 | push                0

        $sequence_43 = { 33d2 453bd3 7f33 8a043a 4a8d0c06 }
            // n = 5, score = 200
            // decoded as x86-64 (45 / 4a are REX prefixes); a 32-bit decode
            // instead reads 45 as "inc ebp" and 4a as "dec edx"
            //   33d2                 | xor                 edx, edx
            //   453bd3               | cmp                 r10d, r11d
            //   7f33                 | jg                  0x35
            //   8a043a               | mov                 al, byte ptr [rdx + rdi]
            //   4a8d0c06             | lea                 rcx, [rsi + r8]

        $sequence_44 = { 5e 5b c9 c20800 56 ffb5c8feffff }
            // n = 6, score = 200
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   56                   | push                esi
            //   ffb5c8feffff         | push                dword ptr [ebp - 0x138]

        $sequence_45 = { 8945b8 8b4da0 8b55b8 89516c 687cda686e 8b45e4 50 }
            // n = 7, score = 200
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   8b55b8               | mov                 edx, dword ptr [ebp - 0x48]
            //   89516c               | mov                 dword ptr [ecx + 0x6c], edx
            //   687cda686e           | push                0x6e68da7c
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_46 = { 894df4 ff7518 ff7514 ff7510 }
            // n = 4, score = 200
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]

        $sequence_47 = { 55 8bec 83ec08 8b4510 2d10bf3400 }
            // n = 5, score = 200
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   2d10bf3400           | sub                 eax, 0x34bf10

        $sequence_48 = { 68ddf553cd 8b45e4 50 e8???????? 894594 }
            // n = 5, score = 200
            //   68ddf553cd           | push                0xcd53f5dd
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   894594               | mov                 dword ptr [ebp - 0x6c], eax

        $sequence_49 = { 4883ec50 488bf1 488bfa 488d4de8 41b901000000 }
            // n = 5, score = 200
            // decoded as x86-64 (48 / 41 are REX prefixes)
            //   4883ec50             | sub                 rsp, 0x50
            //   488bf1               | mov                 rsi, rcx
            //   488bfa               | mov                 rdi, rdx
            //   488d4de8             | lea                 rcx, [rbp - 0x18]
            //   41b901000000         | mov                 r9d, 1

        $sequence_50 = { 8b4590 6bc028 8b4dec 8b55d8 0354010c 52 }
            // n = 6, score = 200
            //   8b4590               | mov                 eax, dword ptr [ebp - 0x70]
            //   6bc028               | imul                eax, eax, 0x28
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   0354010c             | add                 edx, dword ptr [ecx + eax + 0xc]
            //   52                   | push                edx

        $sequence_51 = { 8b4a10 85c9 7411 8b7a0c 037d08 8b7214 }
            // n = 6, score = 200
            //   8b4a10               | mov                 ecx, dword ptr [edx + 0x10]
            //   85c9                 | test                ecx, ecx
            //   7411                 | je                  0x13
            //   8b7a0c               | mov                 edi, dword ptr [edx + 0xc]
            //   037d08               | add                 edi, dword ptr [ebp + 8]
            //   8b7214               | mov                 esi, dword ptr [edx + 0x14]

        $sequence_52 = { 89459c eb0c 8b4d9c 81c100100000 894d9c 8b5514 }
            // n = 6, score = 200
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   eb0c                 | jmp                 0xe
            //   8b4d9c               | mov                 ecx, dword ptr [ebp - 0x64]
            //   81c100100000         | add                 ecx, 0x1000
            //   894d9c               | mov                 dword ptr [ebp - 0x64], ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]

        $sequence_53 = { c645c264 c645c36c c645c46c c645c500 8d45c0 50 }
            // n = 6, score = 200
            // stores the bytes 0x64 0x6c 0x6c 0x00 ("dll\0") into a stack buffer
            //   c645c264             | mov                 byte ptr [ebp - 0x3e], 0x64
            //   c645c36c             | mov                 byte ptr [ebp - 0x3d], 0x6c
            //   c645c46c             | mov                 byte ptr [ebp - 0x3c], 0x6c
            //   c645c500             | mov                 byte ptr [ebp - 0x3b], 0
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   50                   | push                eax

        $sequence_54 = { ff15???????? 8b442440 85c0 7e02 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   85c0                 | test                eax, eax
            //   7e02                 | jle                 4

    condition:
        7 of them
}