win.systembc (Back to overview)

SystemBC

aka: Coroxy, DroxiDat

SystemBC is proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more prominently since June 2019. The first samples go back to October 2018.

References
2023-09-12ANSSIANSSI
@techreport{anssi:20230912:fin12:b0a08e2, author = {ANSSI}, title = {{FIN12: A Cybercriminal Group with Multiple Ransomware}}, date = {2023-09-12}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf}, language = {French}, urldate = {2023-09-20} } FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-08-23LogpointAnish Bogati, Nischal khadgi
@online{bogati:20230823:defending:9322a16, author = {Anish Bogati and Nischal khadgi}, title = {{Defending Against 8base: Uncovering Their Arsenal and Crafting Responses}}, date = {2023-08-23}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/}, language = {English}, urldate = {2023-09-05} } Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base SmokeLoader SystemBC
2023-08-10KasperskyKurt Baumgartner
@online{baumgartner:20230810:focus:2b93571, author = {Kurt Baumgartner}, title = {{Focus on DroxiDat/SystemBC}}, date = {2023-08-10}, organization = {Kaspersky}, url = {https://securelist.com/focus-on-droxidat-systembc/110302/}, language = {English}, urldate = {2023-08-11} } Focus on DroxiDat/SystemBC
SystemBC
2023-06-28vmwareDeborah Snyder, Fae Carlisle, Dana Behling, Bria Beathley
@online{snyder:20230628:8base:6caf8b6, author = {Deborah Snyder and Fae Carlisle and Dana Behling and Bria Beathley}, title = {{8Base Ransomware: A Heavy Hitting Player}}, date = {2023-06-28}, organization = {vmware}, url = {https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html}, language = {English}, urldate = {2023-08-03} } 8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
@online{hammond:20230627:trickbotconti:5e1f20d, author = {Charlotte Hammond and Ole Villadsen}, title = {{The Trickbot/Conti Crypters: Where Are They Now?}}, date = {2023-06-27}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/}, language = {English}, urldate = {2023-07-31} } The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-22ReliaquestCaroline Fenstermacher
@online{fenstermacher:20230622:goot:936a660, author = {Caroline Fenstermacher}, title = {{Goot to Loot - How a Gootloader Infection Led to Credential Access}}, date = {2023-06-22}, organization = {Reliaquest}, url = {https://www.reliaquest.com/blog/gootloader-infection-credential-access/}, language = {English}, urldate = {2023-07-31} } Goot to Loot - How a Gootloader Infection Led to Credential Access
GootLoader SystemBC
2023-05-15CrowdStrikeCrowdStrike
@online{crowdstrike:20230515:hypervisor:2fc5adc, author = {CrowdStrike}, title = {{Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks}}, date = {2023-05-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/}, language = {English}, urldate = {2023-07-31} } Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks
BlackCat SystemBC
2023-04-19SymantecThreat Hunter Team
@online{team:20230419:play:01359b7, author = {Threat Hunter Team}, title = {{Play Ransomware Group Using New Custom Data-Gathering Tools}}, date = {2023-04-19}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy}, language = {English}, urldate = {2023-07-31} } Play Ransomware Group Using New Custom Data-Gathering Tools
PLAY SystemBC
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-30eSentireeSentire Threat Response Unit (TRU)
@online{tru:20230330:esentire:e789d22, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: BatLoader}}, date = {2023-03-30}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader}, language = {English}, urldate = {2023-07-31} } eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-02-14CybereasonCybereason Incident Response (IR) team
@techreport{team:20230214:gootloader:8d38f70, author = {Cybereason Incident Response (IR) team}, title = {{GootLoader - SEO Poisoning and Large Payloads Leading to Compromise}}, date = {2023-02-14}, institution = {Cybereason}, url = {https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf}, language = {English}, urldate = {2023-07-31} } GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC
2023-02-09cyber.wtf blogHendrik Eckardt
@online{eckardt:20230209:defeating:d89bf8b, author = {Hendrik Eckardt}, title = {{Defeating VMProtect’s Latest Tricks}}, date = {2023-02-09}, organization = {cyber.wtf blog}, url = {https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/}, language = {English}, urldate = {2023-07-31} } Defeating VMProtect’s Latest Tricks
SystemBC
2023-01-23KrollStephen Green, Elio Biasiotto
@online{green:20230123:black:dd89d21, author = {Stephen Green and Elio Biasiotto}, title = {{Black Basta – Technical Analysis}}, date = {2023-01-23}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis}, language = {English}, urldate = {2023-04-22} } Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-16IntrinsecIntrinsec
@online{intrinsec:20230116:proxynotshell:b9b864c, author = {Intrinsec}, title = {{ProxyNotShell – OWASSRF – Merry Xchange}}, date = {2023-01-16}, organization = {Intrinsec}, url = {https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/}, language = {English}, urldate = {2023-03-13} } ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC
2022-10-28velociraptorMatt Green
@online{green:20221028:windowscarvingsystembc:536f406, author = {Matt Green}, title = {{Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor}}, date = {2022-10-28}, organization = {velociraptor}, url = {https://docs.velociraptor.app/exchange/artifacts/pages/systembc/}, language = {English}, urldate = {2023-07-31} } Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor
SystemBC
2022-10-10RiskIQMicrosoft Threat Intelligence Center (MSTIC)
@online{mstic:20221010:dev0832:07768a3, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns}}, date = {2022-10-10}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/47766fbd}, language = {English}, urldate = {2022-10-19} } DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin
2022-09-21BitSightJoão Batista
@online{batista:20220921:systembc:4aca73f, author = {João Batista}, title = {{SystemBC: The Multipurpose Proxy Bot Still Breathes}}, date = {2022-09-21}, organization = {BitSight}, url = {https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes}, language = {English}, urldate = {2022-09-22} } SystemBC: The Multipurpose Proxy Bot Still Breathes
SystemBC
2022-09-06CISAUS-CERT, FBI, CISA, MS-ISAC
@online{uscert:20220906:alert:4058a6d, author = {US-CERT and FBI and CISA and MS-ISAC}, title = {{Alert (AA22-249A) #StopRansomware: Vice Society}}, date = {2022-09-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-249a}, language = {English}, urldate = {2022-09-16} } Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-08-30CiscoVanja Svajcer
@online{svajcer:20220830:modernloader:5b62dce, author = {Vanja Svajcer}, title = {{ModernLoader delivers multiple stealers, cryptominers and RATs}}, date = {2022-08-30}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html}, language = {English}, urldate = {2022-08-31} } ModernLoader delivers multiple stealers, cryptominers and RATs
Coinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC
2022-06-01ElasticDaniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1, author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease}, title = {{CUBA Ransomware Campaign Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-05-24BitSightJoão Batista, Pedro Umbelino, BitSight
@online{batista:20220524:emotet:cae57f1, author = {João Batista and Pedro Umbelino and BitSight}, title = {{Emotet Botnet Rises Again}}, date = {2022-05-24}, organization = {BitSight}, url = {https://www.bitsight.com/blog/emotet-botnet-rises-again}, language = {English}, urldate = {2022-05-25} } Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-04-12AhnLabASEC Analysis Team
@online{team:20220412:systembc:7bdd20c, author = {ASEC Analysis Team}, title = {{SystemBC Being Used by Various Attackers}}, date = {2022-04-12}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/33600/}, language = {English}, urldate = {2022-04-15} } SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-03-04Medium walmartglobaltechJason Reaves, Joshua Platt
@online{reaves:20220304:systembc:e808a92, author = {Jason Reaves and Joshua Platt}, title = {{SystemBC, PowerShell version}}, date = {2022-03-04}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c}, language = {English}, urldate = {2023-07-31} } SystemBC, PowerShell version
SystemBC
2022-01-19MandiantAdrian Sanchez Hernandez, Paul Tarter, Ervin James Ocampo
@online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-06-07Medium walmartglobaltechJoshua Platt, Jason Reaves
@online{platt:20210607:inside:6c363a7, author = {Joshua Platt and Jason Reaves}, title = {{Inside the SystemBC Malware-As-A-Service}}, date = {2021-06-07}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6}, language = {English}, urldate = {2021-06-08} } Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-05-19Intel 471Intel 471
@online{471:20210519:look:5ba9516, author = {Intel 471}, title = {{Look how many cybercriminals love Cobalt Strike}}, date = {2021-05-19}, organization = {Intel 471}, url = {https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor}, language = {English}, urldate = {2021-05-19} } Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-10F-SecureCallum Roxan, Sami Ruohonen
@online{roxan:20210510:prelude:1bb57bb, author = {Callum Roxan and Sami Ruohonen}, title = {{Prelude to Ransomware: SystemBC}}, date = {2021-05-10}, organization = {F-Secure}, url = {https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/}, language = {English}, urldate = {2021-05-11} } Prelude to Ransomware: SystemBC
SystemBC
2021-04-21SophosLabs UncutSean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
@online{gallagher:20210421:nearly:53964a7, author = {Sean Gallagher and Suriya Natarajan and Anand Aijan and Michael Wood and Sivagnanam Gn and Markel Picado and Andrew Brandt}, title = {{Nearly half of malware now use TLS to conceal communications}}, date = {2021-04-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/}, language = {English}, urldate = {2021-04-28} } Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-01Reversing LabsRobert Simmons
@online{simmons:20210401:code:885c081, author = {Robert Simmons}, title = {{Code Reuse Across Packers and DLL Loaders}}, date = {2021-04-01}, organization = {Reversing Labs}, url = {https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders}, language = {English}, urldate = {2021-04-09} } Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2020-12-16SophosLabs UncutSean Gallagher, Sivagnanam Gn
@online{gallagher:20201216:ransomware:0b0fdf2, author = {Sean Gallagher and Sivagnanam Gn}, title = {{Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor}}, date = {2020-12-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/16/systembc/}, language = {English}, urldate = {2020-12-17} } Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
SystemBC
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2019-07-31ProofpointKade Harmon, Kafeine, Dennis Schwarz, Proofpoint Threat Insight Team
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20230715 | Detects win.systembc.)
// Autogenerated YARA-Signator rule for the SystemBC proxy bot (win.systembc).
// Match logic (see the condition at the bottom): at least 7 of the 10 code-byte
// sequences below must be present in a file smaller than 57344 bytes (56 KiB).
// Per the DISCLAIMER, the sequences were selected from unpacked files and
// memory dumps, so the rule is meant for unpacked samples / dumps rather than
// for packed droppers.
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20230705"
        // malpedia_hash identifies the Malpedia corpus snapshot the rule was
        // generated from; malpedia_version is the rule-set release.
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of raw x86 (32-bit) instruction bytes; the
    // "// n = ..., score = ..." line gives the instruction count (n) and
    // yara-signator's ranking score for that sequence. Bytes written as ??
    // are wildcards, used for call targets that change with the load address.
    strings:
        $sequence_0 = { 8b4518 ab b801000000 5e }
            // n = 4, score = 800
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b801000000           | mov                 eax, 1
            //   5e                   | pop                 esi

        $sequence_1 = { 8955fc 8975f0 8b049a 8945e8 8b02 8945f8 }
            // n = 6, score = 800
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   8b049a               | mov                 eax, dword ptr [edx + ebx*4]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        // Reads fs:[0x30] (the PEB pointer in the 32-bit TEB) and then follows
        // a chain of +0xc / +0xc / +0x10 dereferences. This is consistent with
        // walking the PEB loader module list to locate loaded DLLs without an
        // import table -- NOTE(review): confirm against the sample, the
        // bytes alone do not prove what the offsets are used for.
        $sequence_2 = { 64a130000000 8b400c 8b700c 8b5810 8b36 8b7e30 33c9 }
            // n = 7, score = 800
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b7e30               | mov                 edi, dword ptr [esi + 0x30]
            //   33c9                 | xor                 ecx, ecx

        // $sequence_3, $sequence_5 and $sequence_8 share the same shape: a
        // wildcarded call (e8 ????????) whose result is then invoked via
        // "call eax", i.e. a call through a pointer obtained at runtime.
        $sequence_3 = { e8???????? 68???????? 50 e8???????? ffd0 6a00 }
            // n = 6, score = 800
            //   e8????????           |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   6a00                 | push                0

        // Byte-indexed accesses into a 0x400-byte stack buffer at [ebp-0x400],
        // with the loaded bytes combined by "add" and finally XORed into
        // [esi]. Looks like a table-driven byte-stream XOR (RC4-style)
        // decryption loop -- presumably; verify in the disassembly.
        $sequence_4 = { 02c2 368a8c2800fcffff 36888c2b00fcffff 3688942800fcffff 02ca 368a8c2900fcffff 300e }
            // n = 7, score = 800
            //   02c2                 | add                 al, dl
            //   368a8c2800fcffff     | mov                 cl, byte ptr ss:[eax + ebp - 0x400]
            //   36888c2b00fcffff     | mov                 byte ptr ss:[ebx + ebp - 0x400], cl
            //   3688942800fcffff     | mov                 byte ptr ss:[eax + ebp - 0x400], dl
            //   02ca                 | add                 cl, dl
            //   368a8c2900fcffff     | mov                 cl, byte ptr ss:[ecx + ebp - 0x400]
            //   300e                 | xor                 byte ptr [esi], cl

        $sequence_5 = { 50 e8???????? ffd0 8b85f4feffff }
            // n = 4, score = 800
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   8b85f4feffff         | mov                 eax, dword ptr [ebp - 0x10c]

        // Overlaps with the first two instructions of $sequence_1 (register
        // spill to locals), so both may hit on the same function prologue.
        $sequence_6 = { 895df4 894dec 8955fc 8975f0 }
            // n = 4, score = 800
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi

        // End of a loop (inc esi / dec edi / jne back) followed by setup of
        // edi = [ebp-0x400], ecx = 0x40 and cld -- the same 0x400-byte buffer
        // as $sequence_4, prepared for a string-store instruction that lies
        // outside the captured bytes (assumed; confirm).
        $sequence_7 = { 46 4f 75cc 33c0 8dbd00fcffff b940000000 fc }
            // n = 7, score = 800
            //   46                   | inc                 esi
            //   4f                   | dec                 edi
            //   75cc                 | jne                 0xffffffce
            //   33c0                 | xor                 eax, eax
            //   8dbd00fcffff         | lea                 edi, [ebp - 0x400]
            //   b940000000           | mov                 ecx, 0x40
            //   fc                   | cld                 

        $sequence_8 = { e8???????? ffd0 6a00 6a00 6a00 6a00 }
            // n = 6, score = 800
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_9 = { 6aff ff75d8 e8???????? 8d85d8fdffff }
            // n = 4, score = 800
            //   6aff                 | push                -1
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   e8????????           |                     
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]

    // "them" = all $sequence_* strings (10). Requiring 7 tolerates a few
    // sequences being absent or modified; the filesize cap (56 KiB) keeps
    // the rule from scanning large containers and will exclude bigger packed
    // droppers, so apply it to unpacked samples or memory dumps.
    condition:
        7 of them and filesize < 57344
}