Symbol: win.zloader
Common name: Zloader
aka: Terdot, DELoader

This family covers the (initially small) loader that downloads Zeus OpenSSL.

In June 2016, Fortinet dubbed a new loader DEloader. It borrows some functions from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly it downloads a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shares its versioning with the Zeus OpenSSL it downloads.
The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added; it is present in v1.11.0.0 (September 2016), which is 27648 bytes in size. In January 2017, with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started distributing it at the same time.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

References
2020-06-24 | Morphisec | Arnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} }
Families: Dridex, ISFB, QakBot, Zloader

2020-06-19 | Click All the Things! Blog | Jamie
@online{jamie:20200619:zloader:dd6729d, author = {Jamie}, title = {{zloader: VBA, R1C1 References, and Other Tomfoolery}}, date = {2020-06-19}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/}, language = {English}, urldate = {2020-06-21} }
Families: Zloader

2020-06-19 | Yet Another Security Blog | Michael Weber
@online{weber:20200619:further:8c5635c, author = {Michael Weber}, title = {{Further Evasion in the Forgotten Corners of MS-XLS}}, date = {2020-06-19}, organization = {Yet Another Security Blog}, url = {https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/}, language = {English}, urldate = {2020-06-21} }
Families: Zloader

2020-06-02 | Lastline Labs | James Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} }
Families: Agent Tesla, DanaBot, ISFB, TrickBot, Zloader

2020-05-24 | Nullteilerfrei Blog | Lars Wallenborn
@online{wallenborn:20200524:zloader:0ce15ba, author = {Lars Wallenborn}, title = {{Zloader String Obfuscation}}, date = {2020-05-24}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/}, language = {English}, urldate = {2020-05-26} }
Families: Zloader

2020-05-21 | Malwarebytes | hasherezade, prsecurity
@techreport{hasherezade:20200521:silent:95b5ce7, author = {hasherezade and prsecurity}, title = {{The “Silent Night” Zloader/Zbot}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf}, language = {English}, urldate = {2020-05-23} }
Families: Zloader

2020-05-20 | Proofpoint | Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20200520:zloader:e3c523e, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{ZLoader Loads Again: New ZLoader Variant Returns}}, date = {2020-05-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns}, language = {English}, urldate = {2020-05-23} }
Families: Zloader

2020-05-12 | Yet Another Security Blog | Michael Weber
@online{weber:20200512:evading:0219069, author = {Michael Weber}, title = {{Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format}}, date = {2020-05-12}, organization = {Yet Another Security Blog}, url = {https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/}, language = {English}, urldate = {2020-05-18} }
Families: Zloader

2020-04-26 | Johannes Bader's Blog | Johannes Bader
@online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} }
Families: Zloader

2020-04-07 | Youtube (DissectMalware) | Malwrologist
@online{malwrologist:20200407:malware:b0d12ef, author = {Malwrologist}, title = {{Malware Analysis in Action - Episode 2}}, date = {2020-04-07}, organization = {Youtube (DissectMalware)}, url = {https://www.youtube.com/watch?v=QBoj6GB79wM}, language = {English}, urldate = {2020-04-26} }
Families: Zloader

2020-03-30 | IBM | Amir Gandler, Limor Kessem
@online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} }
Families: Zeus OpenSSL, Zloader

2020-03-30 | Bleeping Computer | Sergiu Gatlan
@online{gatlan:20200330:banking:9d302f2, author = {Sergiu Gatlan}, title = {{Banking Malware Spreading via COVID-19 Relief Payment Phishing}}, date = {2020-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/}, language = {English}, urldate = {2020-04-01} }
Families: Zloader

2020-03-13 | Comae | Matt Suiche
@online{suiche:20200313:yet:d14d3a8, author = {Matt Suiche}, title = {{Yet Another Active Email Campaign With Malicious Excel Files Identified}}, date = {2020-03-13}, organization = {Comae}, url = {https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/}, language = {English}, urldate = {2020-06-16} }
Families: Zloader

2018-09-06 | int 0xcc blog | Raashid Bhat
@online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} }
Families: Zloader

2017-06-15 | Limor Kessem
@online{kessem:20170615:zeus:7c4b8e4, author = {Limor Kessem}, title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}}, date = {2017-06-15}, url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/}, language = {English}, urldate = {2019-12-02} }
Families: Zloader

2017-01-26 | SecurityIntelligence | Limor Kessem
@online{kessem:20170126:around:eaefc0c, author = {Limor Kessem}, title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}}, date = {2017-01-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/}, language = {English}, urldate = {2020-01-07} }
Families: Zloader

2017-01-26 | Malwarebytes | Malwarebytes Labs
@online{labs:20170126:zbot:b625eef, author = {Malwarebytes Labs}, title = {{Zbot with legitimate applications on board}}, date = {2017-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/}, language = {English}, urldate = {2019-12-20} }
Families: Zloader

2016-09-22 | Forcepoint | Nicholas Griffin
@online{griffin:20160922:zeus:94d0df7, author = {Nicholas Griffin}, title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}}, date = {2016-09-22}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks}, language = {English}, urldate = {2020-01-13} }
Families: Zloader

2016-06-21 | Fortinet | Floser Bacurio, Roland Dela Paz
@online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} }
Families: Zloader
Yara Rules
[TLP:WHITE] win_zloader_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_zloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d7514 8975f8 56 52 }
            // n = 4, score = 1700
            //   8d7514               | lea                 esi, [ebp + 0x14]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   56                   | push                esi
            //   52                   | push                edx

        $sequence_1 = { 83c404 89f1 89c3 e8???????? }
            // n = 4, score = 1700
            //   83c404               | add                 esp, 4
            //   89f1                 | mov                 ecx, esi
            //   89c3                 | mov                 ebx, eax
            //   e8????????           |                     

        $sequence_2 = { 8d4df0 51 53 50 6801000080 }
            // n = 5, score = 1700
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   50                   | push                eax
            //   6801000080           | push                0x80000001

        $sequence_3 = { 8b4508 ff30 57 e8???????? 83c40c 66c7045f0000 }
            // n = 6, score = 1700
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff30                 | push                dword ptr [eax]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   66c7045f0000         | mov                 word ptr [edi + ebx*2], 0

        $sequence_4 = { 57 56 8b5d08 31f6 }
            // n = 4, score = 1700
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   31f6                 | xor                 esi, esi

        $sequence_5 = { 50 e8???????? 89f1 e8???????? 89f1 }
            // n = 5, score = 1700
            //   50                   | push                eax
            //   e8????????           |                     
            //   89f1                 | mov                 ecx, esi
            //   e8????????           |                     
            //   89f1                 | mov                 ecx, esi

        $sequence_6 = { e8???????? 84c0 740e e8???????? e8???????? }
            // n = 5, score = 1700
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   740e                 | je                  0x10
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_7 = { e8???????? 83c404 89f0 81c408020000 5e 5f 5b }
            // n = 7, score = 1700
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   89f0                 | mov                 eax, esi
            //   81c408020000         | add                 esp, 0x208
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_8 = { 56 50 a1???????? 89c1 }
            // n = 4, score = 1300
            //   56                   | push                esi
            //   50                   | push                eax
            //   a1????????           |                     
            //   89c1                 | mov                 ecx, eax

        $sequence_9 = { 57 56 83ec1c 89d7 }
            // n = 4, score = 1000
            //   57                   | push                edi
            //   56                   | push                esi
            //   83ec1c               | sub                 esp, 0x1c
            //   89d7                 | mov                 edi, edx

        $sequence_10 = { 83c41c 5e 5f 5b 5d e9???????? }
            // n = 6, score = 900
            //   83c41c               | add                 esp, 0x1c
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   e9????????           |                     

        $sequence_11 = { 89e5 53 57 56 83ec14 8b7d10 }
            // n = 6, score = 700
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   83ec14               | sub                 esp, 0x14
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]

        $sequence_12 = { 53 57 56 50 8b4510 31db }
            // n = 6, score = 700
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   50                   | push                eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   31db                 | xor                 ebx, ebx

        $sequence_13 = { 50 56 56 56 ff7514 }
            // n = 5, score = 600
            //   50                   | push                eax
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff7514               | push                dword ptr [ebp + 0x14]

        $sequence_14 = { 68???????? ff742408 e8???????? 59 59 84c0 }
            // n = 6, score = 600
            //   68????????           |                     
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al

        $sequence_15 = { 84c0 7432 68???????? ff742408 }
            // n = 4, score = 600
            //   84c0                 | test                al, al
            //   7432                 | je                  0x34
            //   68????????           |                     
            //   ff742408             | push                dword ptr [esp + 8]

        $sequence_16 = { 83c414 c3 56 ff742410 8b74240c ff742410 56 }
            // n = 7, score = 500
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   56                   | push                esi

        $sequence_17 = { 83c408 5e 5d c3 55 89e5 57 }
            // n = 7, score = 500
            //   83c408               | add                 esp, 8
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi

        $sequence_18 = { 8bc3 5b c3 8b44240c 83f8ff 750a }
            // n = 6, score = 500
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   83f8ff               | cmp                 eax, -1
            //   750a                 | jne                 0xc

        $sequence_19 = { 6aff 50 e8???????? 8d857cffffff 50 }
            // n = 5, score = 500
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d857cffffff         | lea                 eax, [ebp - 0x84]
            //   50                   | push                eax

        $sequence_20 = { 3bd0 7cf5 5f c6043000 5e c3 56 }
            // n = 7, score = 500
            //   3bd0                 | cmp                 edx, eax
            //   7cf5                 | jl                  0xfffffff7
            //   5f                   | pop                 edi
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_21 = { 50 89542444 e8???????? 03c0 6689442438 }
            // n = 5, score = 500
            //   50                   | push                eax
            //   89542444             | mov                 dword ptr [esp + 0x44], edx
            //   e8????????           |                     
            //   03c0                 | add                 eax, eax
            //   6689442438           | mov                 word ptr [esp + 0x38], ax

        $sequence_22 = { 8d442418 99 52 50 8d44243c 99 52 }
            // n = 7, score = 500
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   99                   | cdq                 
            //   52                   | push                edx

        $sequence_23 = { 6689442438 8b442438 83c002 668944243a }
            // n = 4, score = 500
            //   6689442438           | mov                 word ptr [esp + 0x38], ax
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   83c002               | add                 eax, 2
            //   668944243a           | mov                 word ptr [esp + 0x3a], ax

        $sequence_24 = { 5e c3 56 57 8b7c2414 83ffff }
            // n = 6, score = 500
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]
            //   83ffff               | cmp                 edi, -1

        $sequence_25 = { 57 56 8b550c 8b4d08 }
            // n = 4, score = 400
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_26 = { e8???????? 6a40 6800300000 50 53 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_27 = { 0fb7e8 53 55 8d442474 50 }
            // n = 5, score = 400
            //   0fb7e8               | movzx               ebp, ax
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   8d442474             | lea                 eax, [esp + 0x74]
            //   50                   | push                eax

        $sequence_28 = { c7462401000000 c7462800004001 e8???????? 89460c }
            // n = 4, score = 400
            //   c7462401000000       | mov                 dword ptr [esi + 0x24], 1
            //   c7462800004001       | mov                 dword ptr [esi + 0x28], 0x1400000
            //   e8????????           |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_29 = { e8???????? 83c414 c3 8b542404 85d2 7503 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5

        $sequence_30 = { ff7508 8d85f0fdffff 68???????? 6804010000 }
            // n = 4, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   68????????           |                     
            //   6804010000           | push                0x104

        $sequence_31 = { 57 50 e8???????? 68???????? 56 e8???????? 8bf0 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_32 = { 68???????? 6804010000 50 e8???????? 83c414 8d45fc 50 }
            // n = 7, score = 300
            //   68????????           |                     
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_33 = { 33db 68???????? 6880000000 50 }
            // n = 4, score = 300
            //   33db                 | xor                 ebx, ebx
            //   68????????           |                     
            //   6880000000           | push                0x80
            //   50                   | push                eax

        $sequence_34 = { 83c40c 5e 8bc3 5b c3 8b4c2404 33c0 }
            // n = 7, score = 300
            //   83c40c               | add                 esp, 0xc
            //   5e                   | pop                 esi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   33c0                 | xor                 eax, eax

        $sequence_35 = { 53 56 57 ff750c 33db 68???????? }
            // n = 6, score = 300
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   33db                 | xor                 ebx, ebx
            //   68????????           |                     

        $sequence_36 = { 5e 5b c3 8bc2 ebf8 53 8b5c240c }
            // n = 7, score = 300
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8bc2                 | mov                 eax, edx
            //   ebf8                 | jmp                 0xfffffffa
            //   53                   | push                ebx
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]

        $sequence_37 = { 50 6a72 e8???????? 59 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   6a72                 | push                0x72
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_38 = { 68???????? ff742410 e8???????? 6823af2930 56 ff742410 e8???????? }
            // n = 7, score = 300
            //   68????????           |                     
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   e8????????           |                     
            //   6823af2930           | push                0x3029af23
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1105920
}