win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2023-08-31 | AhnLab | Sanseo
@online{sanseo:20230831:analysis:c771be9, author = {Sanseo}, title = {{Analysis of Andariel’s New Attack Activities}}, date = {2023-08-31}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/56405/}, language = {English}, urldate = {2023-09-01} } Analysis of Andariel’s New Attack Activities
Andardoor BlackRemote Tiger RAT Volgmer
2023-08-22 | AhnLab | ASEC Analysis Team
@online{team:20230822:analyzing:a2e958c, author = {ASEC Analysis Team}, title = {{Analyzing the new attack activity of the Andariel group}}, date = {2023-08-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56256/}, language = {Korean}, urldate = {2023-08-28} } Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer
2023-04-12 | Kaspersky Labs | Seongsu Park
@online{park:20230412:following:851b624, author = {Seongsu Park}, title = {{Following the Lazarus group by tracking DeathNote campaign}}, date = {2023-04-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-lazarus-group-deathnote-campaign/109490/}, language = {English}, urldate = {2023-07-28} } Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer
2021-09-07 | LIFARS | Vlad Pasca
@techreport{pasca:20210907:detailed:2e29866, author = {Vlad Pasca}, title = {{A Detailed Analysis of Lazarus’ RAT Called FALLCHILL}}, date = {2021-09-07}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf}, language = {English}, urldate = {2022-01-20} } A Detailed Analysis of Lazarus’ RAT Called FALLCHILL
Volgmer
2021-02-25 | Kaspersky Labs | Vyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2023-07-24} } Lazarus targets defense industry with ThreatNeedle
HTTP(S) uploader LPEClient Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } How to communicate between RAT infected devices (White paper)
Volgmer
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07 | AVAR | Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14 | US-CERT | US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20230715 | Detects win.volgmer.)
rule win_volgmer_auto {

    /* Auto-generated code-sequence signature for win.volgmer (Volgmer, aka
     * FALLCHILL / Manuscrypt), produced by yara-signator (see meta below).
     * Each $sequence_N string is a run of raw x86/x64 instruction bytes taken
     * from unpacked samples or memory dumps (see DISCLAIMER); "??" bytes are
     * wildcards for operands that vary between builds, such as relative call
     * targets (e8 ????????) and absolute data references, consistent with
     * signator_config = "callsandjumps;datarefs". Because the strings come
     * from unpacked code, a packed or encrypted on-disk sample may not match
     * until it has been unpacked or is scanned in memory.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        // NOTE(review): date (2023-07-11), malpedia_rule_date (20230705) and
        // malpedia_version (20230715) differ; which one reflects the generation
        // run that produced these strings is not stated on this page.
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // For each sequence, "n" is the number of instructions in the byte run
        // and "score" is yara-signator's ranking value (not explained here).
        // Sequences 0-14 carry REX prefixes (48/4c/49) and appear to come from
        // x64 builds; sequences 15-36 (push ebp, push eax, ...) appear to be
        // 32-bit code, so the rule covers both sample architectures — verify
        // against the samples before relying on that split.
        // NOTE(review): the per-line disassembly comments below are emitted by
        // the generator and in many sequences do not correspond to the bytes
        // they are printed next to (e.g. 488b4d40 is annotated "dec esp", and
        // the 10-byte NOP 66660f1f840000000000 is annotated as a mov). Treat
        // the hex bytes as authoritative and re-disassemble before using the
        // mnemonics for analysis.
        $sequence_0 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40             | dec                 esp
            //   4833cc               | mov                 dword ptr [esp + 0x518], esp
            //   e8????????           |                     
            //   4c8d9c2450010000     | dec                 eax
            //   498b5b18             | lea                 ecx, [ebp + 0x2f0]
            //   498b7b20             | dec                 esp
            //   498be3               | mov                 dword ptr [esp + 0x510], edi

        $sequence_1 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 }
            // n = 6, score = 300
            //   48897c2418           | xor                 ebx, ebx
            //   55                   | dec                 eax
            //   488d6c24b0           | lea                 eax, [esp + 0x40]
            //   4881ec50010000       | dec                 esp
            //   488b05????????       |                     
            //   4833c4               | mov                 dword ptr [esp + 0x38], ebx

        $sequence_2 = { e8???????? 8905???????? 85c0 7543 488b7c2440 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8905????????         |                     
            //   85c0                 | dec                 eax
            //   7543                 | mov                 dword ptr [esp + 0x38], ebx
            //   488b7c2440           | dec                 eax

        $sequence_3 = { ff15???????? 448b4c2440 48895c2438 488d442448 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   448b4c2440           | mov                 dword ptr [esp + 0x558], esi
            //   48895c2438           | dec                 esp
            //   488d442448           | mov                 dword ptr [esp + 0x518], esp

        $sequence_4 = { 024c1420 0fb6c1 0fb64c0420 304bff 4983ea01 75a9 488b4d40 }
            // n = 7, score = 200
            //   024c1420             | mov                 dword ptr [ebp - 0x20], 0x6ebae0
            //   0fb6c1               | sub                 eax, 0xf
            //   0fb64c0420           | je                  0x5d
            //   304bff               | mov                 edx, edi
            //   4983ea01             | sar                 edx, 6
            //   75a9                 | mov                 eax, edi
            //   488b4d40             | and                 eax, 0x3f

        $sequence_5 = { e9???????? 4889b42458050000 4c89a42418050000 488d8df0020000 }
            // n = 4, score = 200
            //   e9????????           |                     
            //   4889b42458050000     | lea                 ecx, [esp + 0x40]
            //   4c89a42418050000     | inc                 ecx
            //   488d8df0020000       | mov                 eax, 0x208

        $sequence_6 = { e9???????? 48899c2498020000 488b5908 33d2 488d4c2440 41b808020000 4183f902 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   48899c2498020000     | dec                 eax
            //   488b5908             | mov                 dword ptr [esp + 0x298], ebx
            //   33d2                 | dec                 eax
            //   488d4c2440           | mov                 ebx, dword ptr [ecx + 8]
            //   41b808020000         | xor                 edx, edx
            //   4183f902             | dec                 eax

        $sequence_7 = { 488d8d70040000 488bf3 482bf1 0f1f4000 66660f1f840000000000 448b45d8 }
            // n = 6, score = 200
            //   488d8d70040000       | mov                 ecx, ebx
            //   488bf3               | jmp                 0xffffffc8
            //   482bf1               | mov                 dword ptr [ebp - 0x20], 0x6ebae8
            //   0f1f4000             | mov                 dword ptr [ebp - 0x20], 0x6ebaf0
            //   66660f1f840000000000     | mov    dword ptr [ebp - 0x20], 0x6ebaf8
            //   448b45d8             | and                 esi, 0x3f

        $sequence_8 = { eb50 e8???????? 4533db 488d442440 }
            // n = 4, score = 200
            //   eb50                 | dec                 eax
            //   e8????????           |                     
            //   4533db               | mov                 dword ptr [esp + 0x38], ebx
            //   488d442440           | dec                 eax

        $sequence_9 = { d1c6 c1c105 03c6 89742404 03c3 }
            // n = 5, score = 200
            //   d1c6                 | jmp                 0x52
            //   c1c105               | inc                 ebp
            //   03c6                 | xor                 ebx, ebx
            //   89742404             | dec                 eax
            //   03c3                 | lea                 eax, [esp + 0x40]

        $sequence_10 = { 90 807c100100 488d5201 75f5 8d4201 668903 }
            // n = 6, score = 200
            //   90                   | mov                 ecx, edi
            //   807c100100           | dec                 eax
            //   488d5201             | lea                 edx, [esp + 0x40]
            //   75f5                 | dec                 esp
            //   8d4201               | mov                 eax, esi
            //   668903               | dec                 eax

        $sequence_11 = { 772f b92c010000 ff15???????? 498b4d18 4c8bce 4c897c2430 }
            // n = 6, score = 200
            //   772f                 | lock xadd           dword ptr [eax], ebx
            //   b92c010000           | dec                 ebx
            //   ff15????????         |                     
            //   498b4d18             | jne                 0x1f
            //   4c8bce               | mov                 eax, dword ptr [ebp - 4]
            //   4c897c2430           | cmp                 dword ptr [eax + 0x48], 0x6ee4b8

        $sequence_12 = { e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_13 = { 7320 85ff 7e1c 8b742440 4533c9 e9???????? }
            // n = 6, score = 200
            //   7320                 | sar                 ecx, 6
            //   85ff                 | imul                esi, esi, 0x30
            //   7e1c                 | mov                 ecx, dword ptr [ecx*4 + 0x6ef180]
            //   8b742440             | and                 byte ptr [ecx + esi + 0x28], 0xfd
            //   4533c9               | mov                 eax, dword ptr [eax + 0x48]
            //   e9????????           |                     

        $sequence_14 = { 488d8d30110000 e8???????? 8bd7 c6843d3011000000 488d8d30110000 }
            // n = 5, score = 200
            //   488d8d30110000       | imul                ecx, eax, 0x30
            //   e8????????           |                     
            //   8bd7                 | mov                 eax, dword ptr [edx*4 + 0x6ef180]
            //   c6843d3011000000     | test                byte ptr [eax + ecx + 0x28], 1
            //   488d8d30110000       | jne                 0x1936

        $sequence_15 = { 3c9f 3da43dab3d b13d cd3d }
            // n = 4, score = 100
            //   3c9f                 | sub                 esp, 0x150
            //   3da43dab3d           | dec                 eax
            //   b13d                 | mov                 dword ptr [esp + 0x18], edi
            //   cd3d                 | push                ebp

        $sequence_16 = { ff7508 8d83200c0000 50 e8???????? 33db }
            // n = 5, score = 100
            //   ff7508               | dec                 eax
            //   8d83200c0000         | mov                 dword ptr [esp + 0x18], edi
            //   50                   | push                ebp
            //   e8????????           |                     
            //   33db                 | dec                 eax

        $sequence_17 = { 6888210000 50 8d856cdaffff 50 8d8b200c0000 }
            // n = 5, score = 100
            //   6888210000           | lea                 ebp, [esp - 0x50]
            //   50                   | dec                 eax
            //   8d856cdaffff         | sub                 esp, 0x150
            //   50                   | dec                 eax
            //   8d8b200c0000         | xor                 eax, esp

        $sequence_18 = { 83e63f c1f906 6bf630 8b0c8d80f16e00 80643128fd }
            // n = 5, score = 100
            //   83e63f               | add                 eax, ebx
            //   c1f906               | mov                 ebx, dword ptr [esp + 0xa8]
            //   6bf630               | inc                 ecx
            //   8b0c8d80f16e00       | mov                 dword ptr [esp + 8], eax
            //   80643128fd           | dec                 ebp

        $sequence_19 = { 397310 b850000000 b9bb010000 0f45c1 89831c0c0000 eb15 }
            // n = 6, score = 100
            //   397310               | dec                 eax
            //   b850000000           | lea                 ebp, [esp - 0x50]
            //   b9bb010000           | dec                 eax
            //   0f45c1               | sub                 esp, 0x150
            //   89831c0c0000         | dec                 eax
            //   eb15                 | mov                 dword ptr [esp + 0x10], ebx

        $sequence_20 = { 8bd7 c1fa06 8bc7 83e03f 6bc830 8b049580f16e00 f644082801 }
            // n = 7, score = 100
            //   8bd7                 | dec                 eax
            //   c1fa06               | xor                 eax, esp
            //   8bc7                 | dec                 eax
            //   83e03f               | mov                 dword ptr [esp + 0x18], edi
            //   6bc830               | push                ebp
            //   8b049580f16e00       | dec                 eax
            //   f644082801           | lea                 ebp, [esp - 0x50]

        $sequence_21 = { 8b4048 f00fc118 4b 7515 8b45fc 817848b8e46e00 }
            // n = 6, score = 100
            //   8b4048               | test                edi, edi
            //   f00fc118             | je                  0x2a
            //   4b                   | dec                 eax
            //   7515                 | mov                 dword ptr [esp + 0x18], edi
            //   8b45fc               | push                ebp
            //   817848b8e46e00       | dec                 eax

        $sequence_22 = { 8bd6 8bd8 899df0f3ffff 8d4201 0f1f00 8a0a }
            // n = 6, score = 100
            //   8bd6                 | dec                 eax
            //   8bd8                 | xor                 ecx, esp
            //   899df0f3ffff         | dec                 esp
            //   8d4201               | lea                 ebx, [esp + 0x150]
            //   0f1f00               | dec                 ecx
            //   8a0a                 | mov                 ebx, dword ptr [ebx + 0x18]

        $sequence_23 = { ebc6 c745e0e8ba6e00 e9???????? c745e0f0ba6e00 e9???????? c745e0f8ba6e00 e9???????? }
            // n = 7, score = 100
            //   ebc6                 | rol                 esi, 1
            //   c745e0e8ba6e00       | rol                 ecx, 5
            //   e9????????           |                     
            //   c745e0f0ba6e00       | add                 eax, esi
            //   e9????????           |                     
            //   c745e0f8ba6e00       | mov                 dword ptr [esp + 4], esi
            //   e9????????           |                     

        $sequence_24 = { 0f8530190000 8d0d90b86e00 ba1b000000 e8???????? }
            // n = 4, score = 100
            //   0f8530190000         | dec                 eax
            //   8d0d90b86e00         | sub                 esp, 0x150
            //   ba1b000000           | dec                 eax
            //   e8????????           |                     

        $sequence_25 = { 837e0c00 8bf8 0f84f7030000 8d8618030000 50 }
            // n = 5, score = 100
            //   837e0c00             | dec                 ecx
            //   8bf8                 | mov                 edi, dword ptr [ebx + 0x20]
            //   0f84f7030000         | dec                 ecx
            //   8d8618030000         | mov                 esp, ebx
            //   50                   | nop                 

        $sequence_26 = { 50 e8???????? 6a00 6a00 8d8c2484000000 6a32 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8c2484000000       | lea                 ecx, [esp + 0x84]
            //   6a32                 | push                0x32

        $sequence_27 = { c6442425b8 c64424267c c64424278d c6442429c1 c644242bff c644242c99 c644242d21 }
            // n = 7, score = 100
            //   c6442425b8           | mov                 byte ptr [esp + 0x25], 0xb8
            //   c64424267c           | mov                 byte ptr [esp + 0x26], 0x7c
            //   c64424278d           | mov                 byte ptr [esp + 0x27], 0x8d
            //   c6442429c1           | mov                 byte ptr [esp + 0x29], 0xc1
            //   c644242bff           | mov                 byte ptr [esp + 0x2b], 0xff
            //   c644242c99           | mov                 byte ptr [esp + 0x2c], 0x99
            //   c644242d21           | mov                 byte ptr [esp + 0x2d], 0x21

        $sequence_28 = { 8bfb be1e000000 f3ab 8b4c2454 8d431c 894b04 }
            // n = 6, score = 100
            //   8bfb                 | mov                 edi, ebx
            //   be1e000000           | mov                 esi, 0x1e
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b4c2454             | mov                 ecx, dword ptr [esp + 0x54]
            //   8d431c               | lea                 eax, [ebx + 0x1c]
            //   894b04               | mov                 dword ptr [ebx + 4], ecx

        $sequence_29 = { eb7c c745e0e0ba6e00 ebbb d9e8 8b4510 dd18 }
            // n = 6, score = 100
            //   eb7c                 | xor                 eax, esp
            //   c745e0e0ba6e00       | dec                 eax
            //   ebbb                 | mov                 dword ptr [ebp + 0x40], eax
            //   d9e8                 | dec                 eax
            //   8b4510               | mov                 dword ptr [esp + 0x18], edi
            //   dd18                 | push                ebp

        $sequence_30 = { 8d3c85c8f47300 8b0f 85c9 740b 8d4101 f7d8 }
            // n = 6, score = 100
            //   8d3c85c8f47300       | dec                 eax
            //   8b0f                 | lea                 ebp, [esp - 0x50]
            //   85c9                 | dec                 eax
            //   740b                 | sub                 esp, 0x150
            //   8d4101               | dec                 eax
            //   f7d8                 | mov                 ecx, dword ptr [ebp + 0x40]

        $sequence_31 = { 50 03fb 897c2420 e8???????? 8b0d???????? 83c410 a3???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   03fb                 | add                 edi, ebx
            //   897c2420             | mov                 dword ptr [esp + 0x20], edi
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   83c410               | add                 esp, 0x10
            //   a3????????           |                     

        $sequence_32 = { 50 8b85a4f8ffff 0fb7048534976e00 8d0485308e6e00 50 8d8590faffff }
            // n = 6, score = 100
            //   50                   | dec                 eax
            //   8b85a4f8ffff         | lea                 ebp, [esp - 0x50]
            //   0fb7048534976e00     | dec                 eax
            //   8d0485308e6e00       | sub                 esp, 0x150
            //   50                   | dec                 eax
            //   8d8590faffff         | mov                 dword ptr [esp + 0x10], ebx

        $sequence_33 = { 59 83cfff 897de4 8365fc00 8b049d80f17300 }
            // n = 5, score = 100
            //   59                   | dec                 eax
            //   83cfff               | mov                 dword ptr [esp + 0x10], ebx
            //   897de4               | dec                 eax
            //   8365fc00             | mov                 dword ptr [esp + 0x18], edi
            //   8b049d80f17300       | push                ebp

        $sequence_34 = { 3bf5 7554 8b742414 6aff 56 }
            // n = 5, score = 100
            //   3bf5                 | cmp                 esi, ebp
            //   7554                 | jne                 0x56
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   6aff                 | push                -1
            //   56                   | push                esi

        $sequence_35 = { c745e0e0ba6e00 e9???????? 83e80f 7451 }
            // n = 4, score = 100
            //   c745e0e0ba6e00       | lea                 ebp, [esp - 0x50]
            //   e9????????           |                     
            //   83e80f               | dec                 eax
            //   7451                 | sub                 esp, 0x150

        $sequence_36 = { 7448 8d8c2488040000 8d542460 51 52 e8???????? 83c408 }
            // n = 7, score = 100
            //   7448                 | je                  0x4a
            //   8d8c2488040000       | lea                 ecx, [esp + 0x488]
            //   8d542460             | lea                 edx, [esp + 0x60]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

    condition:
        // At least 7 of the 37 sequences ($sequence_0 .. $sequence_36) must be
        // present in the scanned object, and the object must be smaller than
        // 393216 bytes (384 KiB). The size bound limits scanning cost and
        // excludes large carriers; a memory region or dump above that size
        // will not be matched even if it contains the code.
        7 of them and filesize < 393216
}