SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zebrocy (Back to overview)

Zebrocy

aka: Zekapab

Actor(s): APT28


According to brandefense, Zebrocy is malware that falls into the Trojan category, which the threat actor group APT28/Sofacy has used since 2015. Zebrocy malware consists of 3 main components; Backdoor, Downloader, and Dropper. The Downloader and Dropper take responsibility for discovery processes and downloading the main malware on the systems. At the same time, Backdoor undertakes the duties such as persistence in the system, espionage, and data extraction.

This malware, which is not considered new, has variants in many languages from the past to the present. These include programming languages such as Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know advanced threat actors and groups revise their malicious software among their toolkits at certain time intervals using different languages and technologies.

References
2022-12-27Palo Alto Networks Unit 42Esmid Idrizovic, Bob Jung, Daniel Raygoza, Sean Hughes
@online{idrizovic:20221227:navigating:4cd52c5, author = {Esmid Idrizovic and Bob Jung and Daniel Raygoza and Sean Hughes}, title = {{Navigating the Vast Ocean of Sandbox Evasions}}, date = {2022-12-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/}, language = {English}, urldate = {2022-12-29} } Navigating the Vast Ocean of Sandbox Evasions
TrickBot Zebrocy
2022-12-09cocomelonccocomelonc
@online{cocomelonc:20221209:malware:cff0b3d, author = {cocomelonc}, title = {{Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.}}, date = {2022-12-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html}, language = {English}, urldate = {2022-12-12} } Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.
Attor Zebrocy
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:fighting:865c81e, author = {Unit 42}, title = {{Fighting Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/fighting-ursa/}, language = {English}, urldate = {2022-07-29} } Fighting Ursa
Cannon Zebrocy APT28
2022-04-10BrandefenseBrandefense
@online{brandefense:20220410:zebrocy:467d0a0, author = {Brandefense}, title = {{Zebrocy Malware Technical Analysis Report}}, date = {2022-04-10}, organization = {Brandefense}, url = {https://brandefense.io/zebrocy-malware-technical-analysis-report/}, language = {English}, urldate = {2022-05-03} } Zebrocy Malware Technical Analysis Report
Zebrocy
2021-10-26KasperskyKaspersky Lab ICS CERT
@techreport{cert:20211026:attacks:6f30d0f, author = {Kaspersky Lab ICS CERT}, title = {{APT attacks on industrial organizations in H1 2021}}, date = {2021-10-26}, institution = {Kaspersky}, url = {https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf}, language = {English}, urldate = {2021-11-08} } APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-05-20Github (microsoft)Microsoft
@online{microsoft:20210520:microsoft:41112d3, author = {Microsoft}, title = {{Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares}}, date = {2021-05-20}, organization = {Github (microsoft)}, url = {https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries}, language = {English}, urldate = {2021-05-25} } Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2020-12-09IntezerJoakim Kennedy
@online{kennedy:20201209:zebra:1c73168, author = {Joakim Kennedy}, title = {{A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy}}, date = {2020-12-09}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/}, language = {English}, urldate = {2020-12-10} } A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Zebrocy
2020-10-29US-CERTUS-CERT
@online{uscert:20201029:malware:8122496, author = {US-CERT}, title = {{Malware Analysis Report (AR20-303B): ZEBROCY Backdoor}}, date = {2020-10-29}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b}, language = {English}, urldate = {2020-11-02} } Malware Analysis Report (AR20-303B): ZEBROCY Backdoor
Zebrocy
2020-10-23360360 Threat Intelligence Center
@online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析
Zebrocy
2020-09-22Bleeping ComputerAx Sharma
@online{sharma:20200922:russian:c3158b2, author = {Ax Sharma}, title = {{Russian hackers use fake NATO training docs to breach govt networks}}, date = {2020-09-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/}, language = {English}, urldate = {2020-09-24} } Russian hackers use fake NATO training docs to breach govt networks
Zebrocy APT28
2020-09-22QuoScientQuoIntelligence
@online{quointelligence:20200922:apt28:9bfda0c, author = {QuoIntelligence}, title = {{APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure}}, date = {2020-09-22}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/}, language = {English}, urldate = {2020-09-23} } APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
Zebrocy APT28
2020-07-01360360 Threat Intelligence Center
@online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = {https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } 游走在东欧和中亚的奇幻熊
Zebrocy
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2019-10-24MeltX0R SecurityMeltX0R
@online{meltx0r:20191024:10242019:6438b53, author = {MeltX0R}, title = {{10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan}}, date = {2019-10-24}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2019/10/24/apt28.html}, language = {English}, urldate = {2020-01-07} } 10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan
Zebrocy
2019-09-24ESET ResearchESET Research
@online{research:20190924:no:a84b64a, author = {ESET Research}, title = {{No summer vacations for Zebrocy}}, date = {2019-09-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/}, language = {English}, urldate = {2019-11-14} } No summer vacations for Zebrocy
Zebrocy
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-06-03Kaspersky LabsGReAT
@online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } Zebrocy’s Multilanguage Malware Salad
Zebrocy
2019-05-22ESET ResearchESET Research
@online{research:20190522:journey:0627ad7, author = {ESET Research}, title = {{A journey to Zebrocy land}}, date = {2019-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/}, language = {English}, urldate = {2019-11-14} } A journey to Zebrocy land
Zebrocy
2019-05-20Check PointBen Herzog
@online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } Malware Against the C Monoculture
AdWind jRAT GhostMiner Zebrocy
2019-04-01Macnica NetworksMacnica Networks
@techreport{networks:20190401:trends:cf738dc, author = {Macnica Networks}, title = {{Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018}}, date = {2019-04-01}, institution = {Macnica Networks}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf}, language = {Japanese}, urldate = {2021-03-02} } Trends in Cyber ​​Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy
2019-01-24Kaspersky LabsKaspersky Lab ICS CERT
@online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } GreyEnergy’s overlap with Zebrocy
GreyEnergy Zebrocy
2019-01-11Kaspersky LabsGReAT
@online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } A Zebrocy Go Downloader
Zebrocy
2018-12-21Vitali Kremez
@online{kremez:20181221:lets:46e594a, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader}}, date = {2018-12-21}, url = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html}, language = {English}, urldate = {2019-12-24} } Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader
Zebrocy
2018-12-18paloalto Networks Unit 42Robert Falcone
@online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } Sofacy Creates New ‘Go’ Variant of Zebrocy Tool
Zebrocy
2018-12-10Vitali Kremez BlogVitali Kremez
@online{kremez:20181210:lets:f947fb1, author = {Vitali Kremez}, title = {{Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight}}, date = {2018-12-10}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html}, language = {English}, urldate = {2020-01-09} } Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight
Zebrocy
2018-11-29AccentureMichael Yip
@online{yip:20181129:snakemackerel:aa02eba, author = {Michael Yip}, title = {{Snakemackerel delivers Zekapab malware}}, date = {2018-11-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware}, language = {English}, urldate = {2019-12-10} } Snakemackerel delivers Zekapab malware
Zebrocy APT28
2018-11-20ESET ResearchESET Research
@online{research:20181120:sednit:caedbdb, author = {ESET Research}, title = {{Sednit: What’s going on with Zebrocy?}}, date = {2018-11-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/}, language = {English}, urldate = {2019-11-14} } Sednit: What’s going on with Zebrocy?
Zebrocy
2018-10-04SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy APT28
2018-06-06Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
@online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } Sofacy Group’s Parallel Attacks
Koadic Zebrocy
2018-04-24ESET ResearchESET Research
@online{research:20180424:sednit:ab398cd, author = {ESET Research}, title = {{Sednit update: Analysis of Zebrocy}}, date = {2018-04-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/}, language = {English}, urldate = {2019-11-14} } Sednit update: Analysis of Zebrocy
Zebrocy Zebrocy (AutoIT)
Yara Rules
[TLP:WHITE] win_zebrocy_auto (20230715 | Detects win.zebrocy.)
rule win_zebrocy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.zebrocy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 014158 11515c e8???????? dc6360 }
            // n = 4, score = 100
            //   014158               | add                 dword ptr [ecx + 0x58], eax
            //   11515c               | adc                 dword ptr [ecx + 0x5c], edx
            //   e8????????           |                     
            //   dc6360               | fsub                qword ptr [ebx + 0x60]

        $sequence_1 = { 837ddc00 0f8c9d000000 7f08 85f6 0f8493000000 }
            // n = 5, score = 100
            //   837ddc00             | cmp                 dword ptr [ebp - 0x24], 0
            //   0f8c9d000000         | jl                  0xa3
            //   7f08                 | jg                  0xa
            //   85f6                 | test                esi, esi
            //   0f8493000000         | je                  0x99

        $sequence_2 = { 0103 83c41c 5b 5e }
            // n = 4, score = 100
            //   0103                 | add                 dword ptr [ebx], eax
            //   83c41c               | add                 esp, 0x1c
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_3 = { 0110 8b7dd4 ba???????? 89470c }
            // n = 4, score = 100
            //   0110                 | add                 dword ptr [eax], edx
            //   8b7dd4               | mov                 edi, dword ptr [ebp - 0x2c]
            //   ba????????           |                     
            //   89470c               | mov                 dword ptr [edi + 0xc], eax

        $sequence_4 = { 56 8b7508 57 8b3d???????? 68007f0000 33db }
            // n = 6, score = 100
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   68007f0000           | push                0x7f00
            //   33db                 | xor                 ebx, ebx

        $sequence_5 = { e8???????? 8bc8 8bc6 c644246001 e8???????? be10000000 3974242c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8bc6                 | mov                 eax, esi
            //   c644246001           | mov                 byte ptr [esp + 0x60], 1
            //   e8????????           |                     
            //   be10000000           | mov                 esi, 0x10
            //   3974242c             | cmp                 dword ptr [esp + 0x2c], esi

        $sequence_6 = { 0103 8b0e ba???????? e8???????? }
            // n = 4, score = 100
            //   0103                 | add                 dword ptr [ebx], eax
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   ba????????           |                     
            //   e8????????           |                     

        $sequence_7 = { 8b8c2480000000 6a00 56 6a00 6a00 6a00 6a00 }
            // n = 7, score = 100
            //   8b8c2480000000       | mov                 ecx, dword ptr [esp + 0x80]
            //   6a00                 | push                0
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 0102 8b45d4 89500c 89c1 }
            // n = 4, score = 100
            //   0102                 | add                 dword ptr [edx], eax
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   89500c               | mov                 dword ptr [eax + 0xc], edx
            //   89c1                 | mov                 ecx, eax

        $sequence_9 = { 014150 8b550c 115154 014158 }
            // n = 4, score = 100
            //   014150               | add                 dword ptr [ecx + 0x50], eax
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   115154               | adc                 dword ptr [ecx + 0x54], edx
            //   014158               | add                 dword ptr [ecx + 0x58], eax

        $sequence_10 = { 8d95b0f7ffff e8???????? c645fc0e 8b8dc4f6ffff 6aff 83c102 }
            // n = 6, score = 100
            //   8d95b0f7ffff         | lea                 edx, [ebp - 0x850]
            //   e8????????           |                     
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   8b8dc4f6ffff         | mov                 ecx, dword ptr [ebp - 0x93c]
            //   6aff                 | push                -1
            //   83c102               | add                 ecx, 2

        $sequence_11 = { 0103 31d2 85ff 8b03 }
            // n = 4, score = 100
            //   0103                 | add                 dword ptr [ebx], eax
            //   31d2                 | xor                 edx, edx
            //   85ff                 | test                edi, edi
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_12 = { 68???????? e8???????? 85ff 0f84ee000000 8d1438 8955fc }
            // n = 6, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   85ff                 | test                edi, edi
            //   0f84ee000000         | je                  0xf4
            //   8d1438               | lea                 edx, [eax + edi]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_13 = { b9???????? 8dbdb0f7ffff e8???????? 3ac3 7437 }
            // n = 5, score = 100
            //   b9????????           |                     
            //   8dbdb0f7ffff         | lea                 edi, [ebp - 0x850]
            //   e8????????           |                     
            //   3ac3                 | cmp                 al, bl
            //   7437                 | je                  0x39

        $sequence_14 = { 50 e9???????? 83f802 0f8525010000 83ec1c }
            // n = 5, score = 100
            //   50                   | push                eax
            //   e9????????           |                     
            //   83f802               | cmp                 eax, 2
            //   0f8525010000         | jne                 0x12b
            //   83ec1c               | sub                 esp, 0x1c

        $sequence_15 = { 0110 5e 5f 5d }
            // n = 4, score = 100
            //   0110                 | add                 dword ptr [eax], edx
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp

    condition:
        7 of them and filesize < 393216
}
Download all Yara Rules