win.zebrocy

Zebrocy

aka: Zekapab

Actor(s): Sofacy


There is no description at this point.

References
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
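@techreport{center:20200213:report:146d333,
  author      = {{Qi Anxin Threat Intelligence Center}},
  title       = {{APT} Report 2019},
  date        = {2020-02-13},
  institution = {Qianxin},
  url         = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
  language    = {English},
  urldate     = {2020-02-27},
}
APT Report 2019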
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:48c68a0,
  author       = {SecureWorks},
  title        = {{IRON TWILIGHT}},
  date         = {2020},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/threat-profiles/iron-twilight},
  language     = {English},
  urldate      = {2020-05-23},
}
IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2019-10-24 | MeltX0R Security | MeltX0R
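@online{meltx0r:20191024:10242019:6438b53,
  author       = {MeltX0R},
  title        = {10/24/2019 - {APT28}: Targeted attacks against mining corporations in {Kazakhstan}},
  date         = {2019-10-24},
  organization = {MeltX0R Security},
  url          = {https://meltx0r.github.io/tech/2019/10/24/apt28.html},
  language     = {English},
  urldate      = {2020-01-07},
}
10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan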
Zebrocy
2019-09-24 | ESET Research | ESET Research
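@online{research:20190924:no:a84b64a,
  author       = {{ESET Research}},
  title        = {No summer vacations for {Zebrocy}},
  date         = {2019-09-24},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/},
  language     = {English},
  urldate      = {2019-11-14},
}
No summer vacations for Zebrocy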
Zebrocy
2019-08-01 | Kaspersky Labs | GReAT
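@online{great:20190801:trends:5e25d5b,
  author       = {GReAT},
  title        = {{APT} trends report {Q2} 2019},
  date         = {2019-08-01},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/apt-trends-report-q2-2019/91897/},
  language     = {English},
  urldate      = {2020-08-13},
}
APT trends report Q2 2019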
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-06-03 | Kaspersky Labs | GReAT
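@online{great:20190603:zebrocys:25be7a9,
  author       = {GReAT},
  title        = {{Zebrocy’s} Multilanguage Malware Salad},
  date         = {2019-06-03},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/},
  language     = {English},
  urldate      = {2019-12-20},
}
Zebrocy’s Multilanguage Malware Salad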
Zebrocy
2019-05-22 | ESET Research | ESET Research
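@online{research:20190522:journey:0627ad7,
  author       = {{ESET Research}},
  title        = {A journey to {Zebrocy} land},
  date         = {2019-05-22},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/},
  language     = {English},
  urldate      = {2019-11-14},
}
A journey to Zebrocy land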
Zebrocy
2019-05-20 | Check Point | Ben Herzog
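@online{herzog:20190520:malware:dac1524,
  author       = {Herzog, Ben},
  title        = {Malware Against the {C} Monoculture},
  date         = {2019-05-20},
  organization = {Check Point},
  url          = {https://research.checkpoint.com/malware-against-the-c-monoculture/},
  language     = {English},
  urldate      = {2019-10-14},
}
Malware Against the C Monoculture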
AdWind jRAT GhostMiner Zebrocy
2019-01-24 | Kaspersky Labs | Kaspersky Lab ICS CERT
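@online{cert:20190124:greyenergys:523e803,
  author       = {{Kaspersky Lab ICS CERT}},
  title        = {{GreyEnergy’s} overlap with {Zebrocy}},
  date         = {2019-01-24},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/},
  language     = {English},
  urldate      = {2019-12-20},
}
GreyEnergy’s overlap with Zebrocy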
GreyEnergy Zebrocy
2019-01-11 | Kaspersky Labs | GReAT
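@online{great:20190111:zebrocy:671fed1,
  author       = {GReAT},
  title        = {A {Zebrocy} {Go} Downloader},
  date         = {2019-01-11},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/a-zebrocy-go-downloader/89419/},
  language     = {English},
  urldate      = {2019-12-20},
}
A Zebrocy Go Downloader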
Zebrocy
2018-12-21 | Vitali Kremez
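@online{kremez:20181221:lets:46e594a,
  author   = {Kremez, Vitali},
  title    = {Let's Learn: In-Depth on {APT28/Sofacy} {Zebrocy} {Golang} Loader},
  date     = {2018-12-21},
  url      = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html},
  language = {English},
  urldate  = {2019-12-24},
}
Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader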
Zebrocy
2018-12-18 | paloalto Networks Unit 42 | Robert Falcone
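@online{falcone:20181218:sofacy:3573b82,
  author       = {Falcone, Robert},
  title        = {{Sofacy} Creates New {‘Go’} Variant of {Zebrocy} Tool},
  date         = {2018-12-18},
  organization = {paloalto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/},
  language     = {English},
  urldate      = {2020-01-07},
}
Sofacy Creates New ‘Go’ Variant of Zebrocy Tool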
Zebrocy
2018-12-10 | Vitali Kremez Blog | Vitali Kremez
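@online{kremez:20181210:lets:f947fb1,
  author       = {Kremez, Vitali},
  title        = {Let's Learn: Reviewing {Sofacy's} {"Zebrocy"} {C++} Loader: Advanced Insight},
  date         = {2018-12-10},
  organization = {Vitali Kremez Blog},
  url          = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html},
  language     = {English},
  urldate      = {2020-01-09},
}
Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight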
Zebrocy
2018-11-29 | Accenture | Michael Yip
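@online{yip:20181129:snakemackerel:aa02eba,
  author       = {Yip, Michael},
  title        = {{Snakemackerel} delivers {Zekapab} malware},
  date         = {2018-11-29},
  organization = {Accenture},
  url          = {https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware},
  language     = {English},
  urldate      = {2019-12-10},
}
Snakemackerel delivers Zekapab malware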
Zebrocy Sofacy
2018-11-20 | ESET Research | ESET Research
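@online{research:20181120:sednit:caedbdb,
  author       = {{ESET Research}},
  title        = {{Sednit}: What’s going on with {Zebrocy}?},
  date         = {2018-11-20},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/},
  language     = {English},
  urldate      = {2019-11-14},
}
Sednit: What’s going on with Zebrocy?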
Zebrocy
2018-10-04 | Symantec | Critical Attack Discovery and Intelligence Team
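@online{team:20181004:apt28:97a1356,
  author       = {{Critical Attack Discovery and Intelligence Team}},
  title        = {{APT28}: New Espionage Operations Target Military and Government Organizations},
  date         = {2018-10-04},
  organization = {Symantec},
  url          = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government},
  language     = {English},
  urldate      = {2020-04-21},
}
APT28: New Espionage Operations Target Military and Government Organizations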
LoJax Seduploader X-Agent XTunnel Zebrocy Sofacy
2018-06-06 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
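@online{lee:20180606:sofacy:6d3e723,
  author       = {Lee, Bryan and Falcone, Robert},
  title        = {{Sofacy} Group’s Parallel Attacks},
  date         = {2018-06-06},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/},
  language     = {English},
  urldate      = {2019-12-20},
}
Sofacy Group’s Parallel Attacks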
Koadic Zebrocy
2018-04-24 | ESET Research | ESET Research
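@online{research:20180424:sednit:ab398cd,
  author       = {{ESET Research}},
  title        = {{Sednit} update: Analysis of {Zebrocy}},
  date         = {2018-04-24},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/},
  language     = {English},
  urldate      = {2019-11-14},
}
Sednit update: Analysis of Zebrocy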
Zebrocy Zebrocy (AutoIT)
Yara Rules
[TLP:WHITE] win_zebrocy_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_zebrocy_auto {
    // Code-sequence signature for the Malpedia family win.zebrocy, generated
    // by yara-signator (see the meta block). Each $sequence_N holds a run of
    // x86 opcode bytes lifted from disassembly; the "??" wildcards mask bytes
    // that vary between builds (the blank-disassembly lines are call/jmp
    // opcodes and absolute-address/immediate operands), so matching keys on
    // instruction shape rather than on concrete targets. The "n = ..." /
    // "score = ..." annotations under each string are yara-signator output:
    // n is the instruction count of the sequence, score is the generator's
    // ranking of it (its scale is not documented here). Only the hex on the
    // $sequence_N line is matched; the disassembly below each is commentary
    // for reviewers. Rules built from single documented samples per family
    // may generalize poorly — see the DISCLAIMER before assigning confidence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89435c 33c0 894350 894354 8b4308 8b10 }
            // n = 6, score = 1100
            //   89435c               | mov                 dword ptr [ebx + 0x5c], eax
            //   33c0                 | xor                 eax, eax
            //   894350               | mov                 dword ptr [ebx + 0x50], eax
            //   894354               | mov                 dword ptr [ebx + 0x54], eax
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   8b10                 | mov                 edx, dword ptr [eax]

        $sequence_1 = { 64ff32 648922 8b5508 81faffff0000 7605 e8???????? }
            // n = 6, score = 1100
            //   64ff32               | push                dword ptr fs:[edx]
            //   648922               | mov                 dword ptr fs:[edx], esp
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   81faffff0000         | cmp                 edx, 0xffff
            //   7605                 | jbe                 7
            //   e8????????           |                     

        $sequence_2 = { e8???????? 8b4dd4 b201 a1???????? e8???????? e8???????? eb21 }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   b201                 | mov                 dl, 1
            //   a1????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   eb21                 | jmp                 0x23

        $sequence_3 = { 8945e4 b8???????? 8945e8 8d55e4 8b45f8 8b80b0000000 b901000000 }
            // n = 7, score = 1100
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   b8????????           |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8d55e4               | lea                 edx, [ebp - 0x1c]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b80b0000000         | mov                 eax, dword ptr [eax + 0xb0]
            //   b901000000           | mov                 ecx, 1

        $sequence_4 = { 8902 eb60 c745fc1c000000 8d45fc 50 8d45d0 }
            // n = 6, score = 1100
            //   8902                 | mov                 dword ptr [edx], eax
            //   eb60                 | jmp                 0x62
            //   c745fc1c000000       | mov                 dword ptr [ebp - 4], 0x1c
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   8d45d0               | lea                 eax, [ebp - 0x30]

        $sequence_5 = { bf01000000 e9???????? 8d45e8 8b55fc }
            // n = 4, score = 1100
            //   bf01000000           | mov                 edi, 1
            //   e9????????           |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_6 = { 8b4dfc 0fbf0c51 3bd9 7507 e8???????? eb67 }
            // n = 6, score = 1100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   0fbf0c51             | movsx               ecx, word ptr [ecx + edx*2]
            //   3bd9                 | cmp                 ebx, ecx
            //   7507                 | jne                 9
            //   e8????????           |                     
            //   eb67                 | jmp                 0x69

        $sequence_7 = { 6683e802 7408 6683e815 743a }
            // n = 4, score = 1100
            //   6683e802             | sub                 ax, 2
            //   7408                 | je                  0xa
            //   6683e815             | sub                 ax, 0x15
            //   743a                 | je                  0x3c

        $sequence_8 = { 896c2404 e8???????? 8b442408 89442418 }
            // n = 4, score = 700
            //   896c2404             | mov                 dword ptr [esp + 4], ebp
            //   e8????????           |                     
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_9 = { 8b74242c e9???????? e8???????? 0f0b e8???????? 0f0b }
            // n = 6, score = 700
            //   8b74242c             | mov                 esi, dword ptr [esp + 0x2c]
            //   e9????????           |                     
            //   e8????????           |                     
            //   0f0b                 | ud2                 
            //   e8????????           |                     
            //   0f0b                 | ud2                 

        $sequence_10 = { 895c244c 83c42c c3 e8???????? 0f0b e8???????? }
            // n = 6, score = 700
            //   895c244c             | mov                 dword ptr [esp + 0x4c], ebx
            //   83c42c               | add                 esp, 0x2c
            //   c3                   | ret                 
            //   e8????????           |                     
            //   0f0b                 | ud2                 
            //   e8????????           |                     

        $sequence_11 = { e9???????? 95 80f808 95 }
            // n = 4, score = 500
            //   e9????????           |                     
            //   95                   | xchg                eax, ebp
            //   80f808               | cmp                 al, 8
            //   95                   | xchg                eax, ebp

        $sequence_12 = { 0f848b000000 8b442418 83f801 7d0a b801000000 e9???????? }
            // n = 6, score = 500
            //   0f848b000000         | je                  0x91
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   83f801               | cmp                 eax, 1
            //   7d0a                 | jge                 0xc
            //   b801000000           | mov                 eax, 1
            //   e9????????           |                     

        $sequence_13 = { 90 e8???????? 81c4bc000000 c3 90 }
            // n = 5, score = 500
            //   90                   | nop                 
            //   e8????????           |                     
            //   81c4bc000000         | add                 esp, 0xbc
            //   c3                   | ret                 
            //   90                   | nop                 

        $sequence_14 = { 895c2408 8944240c c7442410ffff1000 e8???????? }
            // n = 4, score = 500
            //   895c2408             | mov                 dword ptr [esp + 8], ebx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   c7442410ffff1000     | mov                 dword ptr [esp + 0x10], 0x10ffff
            //   e8????????           |                     

        $sequence_15 = { e8???????? 8b4c2414 8b442428 8b542420 e9???????? 8b05???????? 8b0d???????? }
            // n = 7, score = 500
            //   e8????????           |                     
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   e9????????           |                     
            //   8b05????????         |                     
            //   8b0d????????         |                     

        $sequence_16 = { 89442404 e8???????? 8b4c2408 8b6c240c }
            // n = 4, score = 500
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]

        $sequence_17 = { bdffffffff e9???????? 31db e9???????? 31db e9???????? }
            // n = 6, score = 500
            //   bdffffffff           | mov                 ebp, 0xffffffff
            //   e9????????           |                     
            //   31db                 | xor                 ebx, ebx
            //   e9????????           |                     
            //   31db                 | xor                 ebx, ebx
            //   e9????????           |                     

        $sequence_18 = { 89442430 8b442470 89442434 8b442474 89442438 c744244800000000 c744244c00000000 }
            // n = 7, score = 500
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   8b442474             | mov                 eax, dword ptr [esp + 0x74]
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   c744244800000000     | mov                 dword ptr [esp + 0x48], 0
            //   c744244c00000000     | mov                 dword ptr [esp + 0x4c], 0

        $sequence_19 = { 648b0d14000000 8b8900000000 3b6108 0f8616020000 83ec30 }
            // n = 5, score = 500
            //   648b0d14000000       | mov                 ecx, dword ptr fs:[0x14]
            //   8b8900000000         | mov                 ecx, dword ptr [ecx]
            //   3b6108               | cmp                 esp, dword ptr [ecx + 8]
            //   0f8616020000         | jbe                 0x21c
            //   83ec30               | sub                 esp, 0x30

        $sequence_20 = { 39c8 0f87c4000000 29c1 8b54244c }
            // n = 4, score = 500
            //   39c8                 | cmp                 eax, ecx
            //   0f87c4000000         | ja                  0xca
            //   29c1                 | sub                 ecx, eax
            //   8b54244c             | mov                 edx, dword ptr [esp + 0x4c]

        $sequence_21 = { 5e 5d c20400 8b01 55 89e5 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp

        $sequence_22 = { e9???????? 8bb5f4f4ffff e9???????? 8b542408 8d420c 8b8aecf4ffff }
            // n = 6, score = 100
            //   e9????????           |                     
            //   8bb5f4f4ffff         | mov                 esi, dword ptr [ebp - 0xb0c]
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d420c               | lea                 eax, [edx + 0xc]
            //   8b8aecf4ffff         | mov                 ecx, dword ptr [edx - 0xb14]

        $sequence_23 = { 0f8422020000 8b4004 03c3 8d7de8 e8???????? 8bf8 }
            // n = 6, score = 100
            //   0f8422020000         | je                  0x228
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   03c3                 | add                 eax, ebx
            //   8d7de8               | lea                 edi, [ebp - 0x18]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_24 = { e8???????? 52 89c1 e8???????? 85c0 89c3 7405 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   52                   | push                edx
            //   89c1                 | mov                 ecx, eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   89c3                 | mov                 ebx, eax
            //   7405                 | je                  7

        $sequence_25 = { 8d8d5cf7ffff e8???????? 6a04 8d9d40f7ffff c645fc08 e8???????? 83c404 }
            // n = 7, score = 100
            //   8d8d5cf7ffff         | lea                 ecx, [ebp - 0x8a4]
            //   e8????????           |                     
            //   6a04                 | push                4
            //   8d9d40f7ffff         | lea                 ebx, [ebp - 0x8c0]
            //   c645fc08             | mov                 byte ptr [ebp - 4], 8
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_26 = { 89d8 e8???????? 890c24 8b4de4 89c2 e8???????? 85c0 }
            // n = 7, score = 100
            //   89d8                 | mov                 eax, ebx
            //   e8????????           |                     
            //   890c24               | mov                 dword ptr [esp], ecx
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   89c2                 | mov                 edx, eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_27 = { c78568ffffff24434200 e8???????? 83c404 3975e8 }
            // n = 4, score = 100
            //   c78568ffffff24434200     | mov    dword ptr [ebp - 0x98], 0x424324
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   3975e8               | cmp                 dword ptr [ebp - 0x18], esi

        $sequence_28 = { 0fb6d1 89d9 e8???????? 89c1 }
            // n = 4, score = 100
            //   0fb6d1               | movzx               edx, cl
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   89c1                 | mov                 ecx, eax

        $sequence_29 = { 33ff ffb710904200 ff15???????? 898710904200 83c704 }
            // n = 5, score = 100
            //   33ff                 | xor                 edi, edi
            //   ffb710904200         | push                dword ptr [edi + 0x429010]
            //   ff15????????         |                     
            //   898710904200         | mov                 dword ptr [edi + 0x429010], eax
            //   83c704               | add                 edi, 4

        $sequence_30 = { e8???????? 8bf8 8d7508 885dfc }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8d7508               | lea                 esi, [ebp + 8]
            //   885dfc               | mov                 byte ptr [ebp - 4], bl

        $sequence_31 = { ff15???????? 52 8945dc c70424f5ffffff ff15???????? 51 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   52                   | push                edx
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   c70424f5ffffff       | mov                 dword ptr [esp], 0xfffffff5
            //   ff15????????         |                     
            //   51                   | push                ecx

        $sequence_32 = { c705????????27ec4000 c705????????10904100 c605????????01 c705????????68000000 c705????????d8c44100 c705????????83eb4000 }
            // n = 6, score = 100
            //   c705????????27ec4000     |     
            //   c705????????10904100     |     
            //   c605????????01       |                     
            //   c705????????68000000     |     
            //   c705????????d8c44100     |     
            //   c705????????83eb4000     |     

        $sequence_33 = { 8b1495c0a84200 c1e006 8d440224 802080 }
            // n = 4, score = 100
            //   8b1495c0a84200       | mov                 edx, dword ptr [edx*4 + 0x42a8c0]
            //   c1e006               | shl                 eax, 6
            //   8d440224             | lea                 eax, [edx + eax + 0x24]
            //   802080               | and                 byte ptr [eax], 0x80

        $sequence_34 = { 7402 8b17 39c2 7e1e 807c07083f 7517 }
            // n = 6, score = 100
            //   7402                 | je                  4
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   39c2                 | cmp                 edx, eax
            //   7e1e                 | jle                 0x20
            //   807c07083f           | cmp                 byte ptr [edi + eax + 8], 0x3f
            //   7517                 | jne                 0x19

        $sequence_35 = { 5e 5f 5d c3 55 8d049502000000 }
            // n = 6, score = 100
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8d049502000000       | lea                 eax, [edx*4 + 2]

        $sequence_36 = { 8b8d78f7ffff 51 e9???????? ff15???????? 83bd8cf7ffff10 e9???????? 83bd8cf7ffff10 }
            // n = 7, score = 100
            //   8b8d78f7ffff         | mov                 ecx, dword ptr [ebp - 0x888]
            //   51                   | push                ecx
            //   e9????????           |                     
            //   ff15????????         |                     
            //   83bd8cf7ffff10       | cmp                 dword ptr [ebp - 0x874], 0x10
            //   e9????????           |                     
            //   83bd8cf7ffff10       | cmp                 dword ptr [ebp - 0x874], 0x10

    // Fires when at least 7 of the 37 sequences above are present and the
    // scanned object is smaller than 9453568 bytes (~9 MiB). Sequences of
    // differing score all count equally toward the threshold; the filesize
    // cap keeps the rule from being evaluated against large inputs.
    condition:
        7 of them and filesize < 9453568
}