SYMBOLCOMMON_NAMEaka. SYNONYMS
win.zeus (Back to overview)

Zeus

aka: Zbot
URLhaus      

There is no description at this point.

References
2022-10-31paloalto Netoworks: Unit42Or Chechik
@online{chechik:20221031:banking:c421ac8, author = {Or Chechik}, title = {{Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure}}, date = {2022-10-31}, organization = {paloalto Netoworks: Unit42}, url = {https://unit42.paloaltonetworks.com/banking-trojan-techniques/}, language = {English}, urldate = {2022-10-31} } Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus
2022-02-11Cisco TalosTalos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2021-09-09Recorded FutureInsikt Group
@techreport{group:20210909:dark:cd6bb6a, author = {Insikt Group}, title = {{Dark Covenant: Connections Between the Russian State and Criminal Actors}}, date = {2021-09-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf}, language = {English}, urldate = {2021-09-10} } Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-21MalwarebytesMalwarebytes
@online{malwarebytes:20210721:life:2751d60, author = {Malwarebytes}, title = {{The life and death of the ZeuS Trojan}}, date = {2021-07-21}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/}, language = {English}, urldate = {2021-07-22} } The life and death of the ZeuS Trojan
Zeus
2021-07-01Kryptos LogicKryptos Logic Vantage Team
@online{team:20210701:trickbot:1df5ec3, author = {Kryptos Logic Vantage Team}, title = {{TrickBot and Zeus}}, date = {2021-07-01}, organization = {Kryptos Logic}, url = {https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/}, language = {English}, urldate = {2021-07-11} } TrickBot and Zeus
TrickBot Zeus
2021-05-07Department of JusticeOffice of Public Affairs
@online{affairs:20210507:four:8efdc7e, author = {Office of Public Affairs}, title = {{Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals}}, date = {2021-05-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals}, language = {English}, urldate = {2021-05-11} } Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals
Citadel SpyEye Zeus
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c81b928, author = {SecureWorks}, title = {{Threat Profile: GOLD EVERGREEN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2021-05-28} } Threat Profile: GOLD EVERGREEN
CryptoLocker Pony Zeus GOLD EVERGREEN
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-07-17CERT-FRCERT-FR
@techreport{certfr:20200717:malware:5c58cdf, author = {CERT-FR}, title = {{The Malware Dridex: Origins and Uses}}, date = {2020-07-17}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf}, language = {English}, urldate = {2020-07-20} } The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020SecureworksSecureWorks
@online{secureworks:2020:gold:cbab642, author = {SecureWorks}, title = {{GOLD EVERGREEN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-evergreen}, language = {English}, urldate = {2020-05-23} } GOLD EVERGREEN
CryptoLocker Pony Zeus
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:f48e53c, author = {SecureWorks}, title = {{BRONZE WOODLAND}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland}, language = {English}, urldate = {2020-05-23} } BRONZE WOODLAND
PlugX Zeus Roaming Tiger
2019-12-19KrebsOnSecurityBrian Krebs
@online{krebs:20191219:inside:c7595ad, author = {Brian Krebs}, title = {{Inside ‘Evil Corp,’ a $100M Cybercrime Menace}}, date = {2019-12-19}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/}, language = {English}, urldate = {2020-11-02} } Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2017-11-02AnomaliAnomali
@techreport{anomali:20171102:country:853fdd8, author = {Anomali}, title = {{Country Profile: Russian Federation}}, date = {2017-11-02}, institution = {Anomali}, url = {https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf}, language = {English}, urldate = {2020-09-23} } Country Profile: Russian Federation
Zeus
2017-05-15SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20170515:evolution:d0e74ea, author = {Counter Threat Unit ResearchTeam}, title = {{Evolution of the GOLD EVERGREEN Threat Group}}, date = {2017-05-15}, organization = {Secureworks}, url = {https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group}, language = {English}, urldate = {2021-05-28} } Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN
2017-03-21WiredGarrett M. Graff, Chad Hagen
@online{graff:20170321:inside:3dc9a2d, author = {Garrett M. Graff and Chad Hagen}, title = {{Inside the Hunt for Russia’s Most Notorious Hacker}}, date = {2017-03-21}, organization = {Wired}, url = {https://www.wired.com/2017/03/russian-hacker-spy-botnet/}, language = {English}, urldate = {2021-07-20} } Inside the Hunt for Russia’s Most Notorious Hacker
Gameover P2P Murofet Zeus
2014-07-02Trend MicroKervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus
2012-12-24Contagio DumpMila Parkour
@online{parkour:20121224:dec:927ddb9, author = {Mila Parkour}, title = {{Dec 2012 Linux.Chapro - trojan Apache iframer}}, date = {2012-12-24}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html}, language = {English}, urldate = {2019-12-20} } Dec 2012 Linux.Chapro - trojan Apache iframer
Chapro Zeus
2010-09-07S21secMikel Gastesi
@online{gastesi:20100907:zeus:330336f, author = {Mikel Gastesi}, title = {{ZeuS: The missing link}}, date = {2010-09-07}, organization = {S21sec}, url = {https://www.s21sec.com/en/zeus-the-missing-link/}, language = {English}, urldate = {2020-01-17} } ZeuS: The missing link
Zeus
2010-08-01Contagio DumpMila Parkour
@online{parkour:20100801:zeus:3a2cfe8, author = {Mila Parkour}, title = {{Zeus Trojan Research Links}}, date = {2010-08-01}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html}, language = {English}, urldate = {2019-12-04} } Zeus Trojan Research Links
Zeus
2010-07-24SophosJames Wyke
@online{wyke:20100724:why:17e044c, author = {James Wyke}, title = {{Why won’t my sample run?}}, date = {2010-07-24}, organization = {Sophos}, url = {https://nakedsecurity.sophos.com/2010/07/24/sample-run/}, language = {English}, urldate = {2020-01-13} } Why won’t my sample run?
Zeus
2010-07-14Contagiodump BlogMila Parkour
@online{parkour:20100714:zeus:996ba0d, author = {Mila Parkour}, title = {{ZeuS Version scheme by the trojan author}}, date = {2010-07-14}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html}, language = {English}, urldate = {2019-12-20} } ZeuS Version scheme by the trojan author
Zeus
2010-05-03SymantecKarthik Selvaraj
@online{selvaraj:20100503:brief:d35dcb7, author = {Karthik Selvaraj}, title = {{A Brief Look at Zeus/Zbot 2.0}}, date = {2010-05-03}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20}, language = {English}, urldate = {2019-12-06} } A Brief Look at Zeus/Zbot 2.0
Zeus
2010-04-26SymantecPeter Coogan
@online{coogan:20100426:spyeyes:fb53c77, author = {Peter Coogan}, title = {{SpyEye’s "Kill Zeus" Bark is Worse Than its Bite}}, date = {2010-04-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite}, language = {English}, urldate = {2019-12-16} } SpyEye’s "Kill Zeus" Bark is Worse Than its Bite
Zeus
2010-04-19MalwareIntelligenceJorge Mieres
@online{mieres:20100419:zeus:5a230a6, author = {Jorge Mieres}, title = {{ZeuS on IRS Scam remains actively exploited}}, date = {2010-04-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html}, language = {English}, urldate = {2019-11-27} } ZeuS on IRS Scam remains actively exploited
Zeus
2010-03-15MalwareIntelligenceMalwareIntelligence
@online{malwareintelligence:20100315:new:d307b96, author = {MalwareIntelligence}, title = {{New phishing campaign against Facebook led by Zeus}}, date = {2010-03-15}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html}, language = {English}, urldate = {2020-01-07} } New phishing campaign against Facebook led by Zeus
Zeus
2010-03-10SecureworksKevin Stevens, Don Jackson
@online{stevens:20100310:zeus:be8ff11, author = {Kevin Stevens and Don Jackson}, title = {{ZeuS Banking Trojan Report}}, date = {2010-03-10}, organization = {Secureworks}, url = {https://www.secureworks.com/research/zeus?threat=zeus}, language = {English}, urldate = {2020-01-13} } ZeuS Banking Trojan Report
Zeus
2010-02-20MalwareIntelligenceJorge Mieres
@online{mieres:20100220:facebook:13a2eb5, author = {Jorge Mieres}, title = {{Facebook & VISA phishing campaign proposed by ZeuS}}, date = {2010-02-20}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html}, language = {English}, urldate = {2020-01-06} } Facebook & VISA phishing campaign proposed by ZeuS
Zeus
2010-02-02EternalTODO BlogJose Miguel Esparza
@online{esparza:20100202:zeus:c1a8f1f, author = {Jose Miguel Esparza}, title = {{ZeuS spreading via Facebook}}, date = {2010-02-02}, organization = {EternalTODO Blog}, url = {http://eternal-todo.com/blog/zeus-spreading-facebook}, language = {English}, urldate = {2019-07-11} } ZeuS spreading via Facebook
Zeus
2010-01-25Ernesto Martin
@online{martin:20100125:leveraging:2c0f7d8, author = {Ernesto Martin}, title = {{Leveraging ZeuS to send spam through social networks}}, date = {2010-01-25}, url = {http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html}, language = {English}, urldate = {2019-10-28} } Leveraging ZeuS to send spam through social networks
Zeus
2010MandiantEro Carrera, Peter Silberman
@techreport{carrera:2010:state:687e608, author = {Ero Carrera and Peter Silberman}, title = {{State of Malware: Family Ties}}, date = {2010}, institution = {Mandiant}, url = {https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf}, language = {English}, urldate = {2022-01-28} } State of Malware: Family Ties
Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus
2009-11-06Eternal TodoJose Miguel Esparza
@online{esparza:20091106:new:f49d94c, author = {Jose Miguel Esparza}, title = {{New ZeuS binary}}, date = {2009-11-06}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/new-zeus-binary}, language = {English}, urldate = {2020-01-08} } New ZeuS binary
Zeus
2009-10-01Eternal TodoJose Miguel Esparza
@online{esparza:20091001:detecting:3586ef7, author = {Jose Miguel Esparza}, title = {{Detecting ZeuS}}, date = {2009-10-01}, organization = {Eternal Todo}, url = {http://eternal-todo.com/blog/detecting-zeus}, language = {English}, urldate = {2020-01-10} } Detecting ZeuS
Zeus
2009-07-11MalwareIntelligenceMalwareIntelligence
@online{malwareintelligence:20090711:special:df61090, author = {MalwareIntelligence}, title = {{Special!!! ZeuS Botnet for Dummies}}, date = {2009-07-11}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html}, language = {English}, urldate = {2020-01-07} } Special!!! ZeuS Botnet for Dummies
Zeus
2009SymantecNicolas Falliere, Eric Chien
@techreport{falliere:2009:zeus:73559c2, author = {Nicolas Falliere and Eric Chien}, title = {{Zeus: King of the Bots}}, date = {2009}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf}, language = {English}, urldate = {2020-01-07} } Zeus: King of the Bots
Zeus
2006-11-13Secure Science CorporationMicael Ligh
@techreport{ligh:20061113:malware:d305d70, author = {Micael Ligh}, title = {{Malware Case Study - ZeusMalware}}, date = {2006-11-13}, institution = {Secure Science Corporation}, url = {https://www.mnin.org/write/ZeusMalware.pdf}, language = {English}, urldate = {2019-11-23} } Malware Case Study - ZeusMalware
Zeus
Yara Rules
[TLP:WHITE] win_zeus_auto (20221125 | Detects win.zeus.)
rule win_zeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.zeus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb58 833f00 7651 8b5f08 }
            // n = 4, score = 700
            //   eb58                 | jmp                 0x5a
            //   833f00               | cmp                 dword ptr [edi], 0
            //   7651                 | jbe                 0x53
            //   8b5f08               | mov                 ebx, dword ptr [edi + 8]

        $sequence_1 = { 81f900020000 7f7b c60000 0fb645fb }
            // n = 4, score = 600
            //   81f900020000         | cmp                 ecx, 0x200
            //   7f7b                 | jg                  0x7d
            //   c60000               | mov                 byte ptr [eax], 0
            //   0fb645fb             | movzx               eax, byte ptr [ebp - 5]

        $sequence_2 = { eb16 83f910 7415 83f90f 7410 83f911 740b }
            // n = 7, score = 600
            //   eb16                 | jmp                 0x18
            //   83f910               | cmp                 ecx, 0x10
            //   7415                 | je                  0x17
            //   83f90f               | cmp                 ecx, 0xf
            //   7410                 | je                  0x12
            //   83f911               | cmp                 ecx, 0x11
            //   740b                 | je                  0xd

        $sequence_3 = { eb03 8b4df8 8a01 894df4 eb0c 3c3b }
            // n = 6, score = 600
            //   eb03                 | jmp                 5
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   eb0c                 | jmp                 0xe
            //   3c3b                 | cmp                 al, 0x3b

        $sequence_4 = { c9 c20c00 55 8bec 81ec34040000 53 56 }
            // n = 7, score = 600
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec34040000         | sub                 esp, 0x434
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_5 = { 8d4702 ff7508 c6443a0100 e8???????? eb02 32c0 5f }
            // n = 7, score = 600
            //   8d4702               | lea                 eax, [edi + 2]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   c6443a0100           | mov                 byte ptr [edx + edi + 1], 0
            //   e8????????           |                     
            //   eb02                 | jmp                 4
            //   32c0                 | xor                 al, al
            //   5f                   | pop                 edi

        $sequence_6 = { 8b16 8b02 03c2 897808 85ff }
            // n = 5, score = 600
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   03c2                 | add                 eax, edx
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   85ff                 | test                edi, edi

        $sequence_7 = { 8d442428 50 0fb64304 50 }
            // n = 4, score = 600
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   50                   | push                eax
            //   0fb64304             | movzx               eax, byte ptr [ebx + 4]
            //   50                   | push                eax

        $sequence_8 = { e8???????? 84c0 7442 6a10 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7442                 | je                  0x44
            //   6a10                 | push                0x10

        $sequence_9 = { 891d???????? 891d???????? ffd6 68???????? }
            // n = 4, score = 500
            //   891d????????         |                     
            //   891d????????         |                     
            //   ffd6                 | call                esi
            //   68????????           |                     

        $sequence_10 = { 8bf3 6810270000 ff35???????? ff15???????? }
            // n = 4, score = 500
            //   8bf3                 | mov                 esi, ebx
            //   6810270000           | push                0x2710
            //   ff35????????         |                     
            //   ff15????????         |                     

        $sequence_11 = { 8d8db0fdffff e8???????? 8ad8 84db }
            // n = 4, score = 400
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   e8????????           |                     
            //   8ad8                 | mov                 bl, al
            //   84db                 | test                bl, bl

        $sequence_12 = { c20400 55 8bec f6451802 }
            // n = 4, score = 300
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   f6451802             | test                byte ptr [ebp + 0x18], 2

        $sequence_13 = { ff15???????? 5e 8ac3 5b c20800 55 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   8ac3                 | mov                 al, bl
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   55                   | push                ebp

        $sequence_14 = { 0f82ec000000 8b1b 81f309080002 81fb5d515047 }
            // n = 4, score = 200
            //   0f82ec000000         | jb                  0xf2
            //   8b1b                 | mov                 ebx, dword ptr [ebx]
            //   81f309080002         | xor                 ebx, 0x2000809
            //   81fb5d515047         | cmp                 ebx, 0x4750515d

        $sequence_15 = { 3d5c5b4550 740b 3d59495351 0f85ca000000 807b0420 0f85c0000000 33c0 }
            // n = 7, score = 200
            //   3d5c5b4550           | cmp                 eax, 0x50455b5c
            //   740b                 | je                  0xd
            //   3d59495351           | cmp                 eax, 0x51534959
            //   0f85ca000000         | jne                 0xd0
            //   807b0420             | cmp                 byte ptr [ebx + 4], 0x20
            //   0f85c0000000         | jne                 0xc6
            //   33c0                 | xor                 eax, eax

        $sequence_16 = { 6809080002 8bc6 50 8d45fc 50 e8???????? }
            // n = 6, score = 200
            //   6809080002           | push                0x2000809
            //   8bc6                 | mov                 eax, esi
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_17 = { 56 57 33f6 56 50 68???????? }
            // n = 6, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_18 = { 740c 81fb45415356 0f85b2000000 b365 6a15 }
            // n = 5, score = 200
            //   740c                 | je                  0xe
            //   81fb45415356         | cmp                 ebx, 0x56534145
            //   0f85b2000000         | jne                 0xb8
            //   b365                 | mov                 bl, 0x65
            //   6a15                 | push                0x15

        $sequence_19 = { 81fb4f4d4156 7408 81fb59495354 7506 }
            // n = 4, score = 200
            //   81fb4f4d4156         | cmp                 ebx, 0x56414d4f
            //   7408                 | je                  0xa
            //   81fb59495354         | cmp                 ebx, 0x54534959
            //   7506                 | jne                 8

        $sequence_20 = { 81fb5d515047 7410 81fb4f4d4156 7408 }
            // n = 4, score = 200
            //   81fb5d515047         | cmp                 ebx, 0x4750515d
            //   7410                 | je                  0x12
            //   81fb4f4d4156         | cmp                 ebx, 0x56414d4f
            //   7408                 | je                  0xa

        $sequence_21 = { 50 c707000e0000 c7470809080002 e8???????? 83674200 6a78 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   c707000e0000         | mov                 dword ptr [edi], 0xe00
            //   c7470809080002       | mov                 dword ptr [edi + 8], 0x2000809
            //   e8????????           |                     
            //   83674200             | and                 dword ptr [edi + 0x42], 0
            //   6a78                 | push                0x78

        $sequence_22 = { 57 8d75f4 e8???????? 84c0 0f84ac000000 b809080002 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   8d75f4               | lea                 esi, [ebp - 0xc]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84ac000000         | je                  0xb2
            //   b809080002           | mov                 eax, 0x2000809

    condition:
        7 of them and filesize < 319488
}
Download all Yara Rules