win.zloader

Zloader

aka: Terdot, DELoader

This family describes the (initially small) loader, which downloads Zeus OpenSSL.

In June 2016, a new loader was dubbed DELoader by Fortinet. It borrows some functions from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.
The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with a size of 27648 bytes. In January 2017, with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which began distributing it at the same time.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.

References
2023-03-30 | United States District Court (Eastern District of New York) | Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-02-27 | PRODAFT Threat Intelligence | PRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2022-08-08 | Medium CSIS Techblog | Benoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-06-24 | Palo Alto Networks Unit 42 | Mark Lim, Riley Porter
@online{lim:20220624:there:7a3b762, author = {Mark Lim and Riley Porter}, title = {{There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families}}, date = {2022-06-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/api-hammering-malware-families/}, language = {English}, urldate = {2022-06-27} } There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families
BazarBackdoor Zloader
2022-06-02 | Youtube (AhmedS Kasmani) | AhmedS Kasmani
@online{kasmani:20220602:zloader:a5a0759, author = {AhmedS Kasmani}, title = {{Zloader Malware Analysis - 1. Unpacking First stage.}}, date = {2022-06-02}, organization = {Youtube (AhmedS Kasmani)}, url = {https://www.youtube.com/watch?v=mhX-UoaYnOM}, language = {English}, urldate = {2022-06-04} } Zloader Malware Analysis - 1. Unpacking First stage.
Zloader
2022-04-25 | Cybereason | Aleksandar Milenkoski, Loïc Castel, Yonatan Gidnian
@online{milenkoski:20220425:threat:14aee4f, author = {Aleksandar Milenkoski and Loïc Castel and Yonatan Gidnian}, title = {{THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems}}, date = {2022-04-25}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems}, language = {English}, urldate = {2022-04-29} } THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
FAKEUPDATES Zloader
2022-04-25 | VinCSS | m4n0w4r, Tran Trung Kien
@online{m4n0w4r:20220425:re026:6e05ed2, author = {m4n0w4r and Tran Trung Kien}, title = {{[RE026] A Deep Dive into Zloader - the Silent Night}}, date = {2022-04-25}, organization = {VinCSS}, url = {https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html}, language = {English}, urldate = {2022-04-25} } [RE026] A Deep Dive into Zloader - the Silent Night
Zloader
2022-04-20 | CISA | CISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-20 | CISA | CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-14 | Avast Decoded | Vladimir Martyanov
@online{martyanov:20220414:zloader:23c520a, author = {Vladimir Martyanov}, title = {{Zloader 2: The Silent Night}}, date = {2022-04-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/}, language = {English}, urldate = {2022-04-15} } Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-13 | Microsoft | Amy Hogan-Burney
@online{hoganburney:20220413:notorious:30afb78, author = {Amy Hogan-Burney}, title = {{Notorious cybercrime gang’s botnet disrupted}}, date = {2022-04-13}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/}, language = {English}, urldate = {2022-04-15} } Notorious cybercrime gang’s botnet disrupted
Ryuk Zloader
2022-04-13 | ESET Research | Jean-Ian Boutin, Tomáš Procházka
@online{boutin:20220413:eset:7463437, author = {Jean-Ian Boutin and Tomáš Procházka}, title = {{ESET takes part in global operation to disrupt Zloader botnets}}, date = {2022-04-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/}, language = {English}, urldate = {2022-04-14} } ESET takes part in global operation to disrupt Zloader botnets
Cobalt Strike Zloader
2022-04-13 | UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA | UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA
@online{georgia:20220413:court:368da90, author = {UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA}, title = {{Court order for taking down Zloader Infrastructure}}, date = {2022-04-13}, organization = {UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA}, url = {https://noticeofpleadings.com/zloader/}, language = {English}, urldate = {2022-04-20} } Court order for taking down Zloader Infrastructure
Zloader
2022-04-13 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
@online{team:20220413:dismantling:ace8546, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}}, date = {2022-04-13}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/}, language = {English}, urldate = {2022-04-14} } Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-03-14 | CrowdStrike | Falcon OverWatch Team
@online{team:20220314:falcon:6dc1944, author = {Falcon OverWatch Team}, title = {{Falcon OverWatch Threat Hunting Uncovers Ongoing NIGHT SPIDER Zloader Campaign}}, date = {2022-03-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/}, language = {English}, urldate = {2022-03-15} } Falcon OverWatch Threat Hunting Uncovers Ongoing NIGHT SPIDER Zloader Campaign
Zloader
2022-01-19 | Sophos | Colin Cowie, Mat Gangwer, Stan Andic, Sophos MTR Team
@online{cowie:20220119:zloader:e87c22c, author = {Colin Cowie and Mat Gangwer and Stan Andic and Sophos MTR Team}, title = {{Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike}}, date = {2022-01-19}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/}, language = {English}, urldate = {2022-01-25} } Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike
Cobalt Strike Zloader
2022-01-11 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20220111:signed:0f32583, author = {Jason Reaves and Joshua Platt}, title = {{Signed DLL campaigns as a service}}, date = {2022-01-11}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489}, language = {English}, urldate = {2023-01-31} } Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader
2022-01-05 | Check Point | Golan Cohen
@online{cohen:20220105:can:6a1ef46, author = {Golan Cohen}, title = {{Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk}}, date = {2022-01-05}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/}, language = {English}, urldate = {2022-01-18} } Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
Zloader
2021-11-03 | Team Cymru | tcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-19 | Cisco | Artsiom Holub
@online{holub:20211019:strrat:4522f11, author = {Artsiom Holub}, title = {{STRRAT, ZLoader, and HoneyGain}}, date = {2021-10-19}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain}, language = {English}, urldate = {2021-10-26} } STRRAT, ZLoader, and HoneyGain
STRRAT Zloader
2021-10-18 | Ali Aqeel
@online{aqeel:20211018:zloader:898c290, author = {Ali Aqeel}, title = {{ZLoader Reversing}}, date = {2021-10-18}, url = {https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/}, language = {English}, urldate = {2021-10-22} } ZLoader Reversing
Zloader
2021-09-29 | Trend Micro | Trend Micro
@online{micro:20210929:zloader:fb242b9, author = {Trend Micro}, title = {{Zloader Campaigns at a Glance}}, date = {2021-09-29}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance}, language = {English}, urldate = {2021-10-19} } Zloader Campaigns at a Glance
Zloader
2021-09-29 | Trend Micro | Trend Micro
@online{micro:20210929:zloader:606c2c8, author = {Trend Micro}, title = {{Zloader Campaigns at a Glance (IOCs)}}, date = {2021-09-29}, organization = {Trend Micro}, url = {https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt}, language = {English}, urldate = {2021-10-20} } Zloader Campaigns at a Glance (IOCs)
Zloader
2021-09-13 | SentinelOne | Antonio Pirozzi, Antonio Cocomazzi
@online{pirozzi:20210913:hide:345ced5, author = {Antonio Pirozzi and Antonio Cocomazzi}, title = {{Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms}}, date = {2021-09-13}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/}, language = {English}, urldate = {2021-09-14} } Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms
Zloader
2021-09-03 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-08 | McAfee | Kiran Raj, Kishan N.
@online{raj:20210708:zloader:01d74bc, author = {Kiran Raj and Kishan N.}, title = {{Zloader With a New Infection Technique}}, date = {2021-07-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/}, language = {English}, urldate = {2021-07-19} } Zloader With a New Infection Technique
Zloader
2021-06-23 | K7 Security | Lokesh J
@online{j:20210623:java:d992617, author = {Lokesh J}, title = {{Java Plug-Ins Delivering Zloader}}, date = {2021-06-23}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22458}, language = {English}, urldate = {2021-06-24} } Java Plug-Ins Delivering Zloader
Zloader
2021-05-26 | DeepInstinct | Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} } A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-14 | GuidePoint Security | Drew Schmitt
@online{schmitt:20210514:from:944b5f1, author = {Drew Schmitt}, title = {{From ZLoader to DarkSide: A Ransomware Story}}, date = {2021-05-14}, organization = {GuidePoint Security}, url = {https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/}, language = {English}, urldate = {2021-05-17} } From ZLoader to DarkSide: A Ransomware Story
DarkSide Cobalt Strike Zloader
2021-05-11 | Mal-Eats | mal_eats
@online{maleats:20210511:campo:0305ab9, author = {mal_eats}, title = {{Campo, a New Attack Campaign Targeting Japan}}, date = {2021-05-11}, organization = {Mal-Eats}, url = {https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-06-01} } Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-10 | Mal-Eats | mal_eats
@online{maleats:20210510:overview:50ff3b3, author = {mal_eats}, title = {{Overview of Campo, a new attack campaign targeting Japan}}, date = {2021-05-10}, organization = {Mal-Eats}, url = {https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/}, language = {English}, urldate = {2021-05-13} } Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-04-21 | PhishLabs | Jessica Ellis
@online{ellis:20210421:zloader:09056bd, author = {Jessica Ellis}, title = {{ZLoader Dominates Email Payloads in Q1}}, date = {2021-04-21}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1}, language = {English}, urldate = {2021-04-28} } ZLoader Dominates Email Payloads in Q1
Zloader
2021-04-19 | Cybleinc | cybleinc
@online{cybleinc:20210419:zloader:f7ffa0a, author = {cybleinc}, title = {{ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign}}, date = {2021-04-19}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/}, language = {English}, urldate = {2021-04-28} } ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign
Zloader
2021-04-12 | PTSecurity | PTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-03-29 | Hornetsecurity | Hornetsecurity Security Lab
@online{lab:20210329:zloader:15eeb9b, author = {Hornetsecurity Security Lab}, title = {{Zloader email campaign using MHTML to download and decrypt XLS}}, date = {2021-03-29}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/}, language = {English}, urldate = {2021-03-31} } Zloader email campaign using MHTML to download and decrypt XLS
Zloader
2021-03-23 | Quick Heal | Anjali Raut
@online{raut:20210323:zloader:ceed7cd, author = {Anjali Raut}, title = {{Zloader: Entailing Different Office Files}}, date = {2021-03-23}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/zloader-entailing-different-office-files/}, language = {English}, urldate = {2021-03-25} } Zloader: Entailing Different Office Files
Zloader
2021-03-17 | HP | HP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-10 | NTT Security | Hiroki Hada
@online{hada:20210310:pseudogatespelevo:79a6fdf, author = {Hiroki Hada}, title = {{日本を標的としたPseudoGateキャンペーンによるSpelevo Exploit Kitを用いた攻撃について}}, date = {2021-03-10}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit}, language = {Japanese}, urldate = {2021-03-11} } On attacks by the PseudoGate campaign targeting Japan using the Spelevo Exploit Kit
Zloader
2021-03-05 | Forcepoint | Robert Neumann, Kurt Natvig
@online{neumann:20210305:advancements:674749e, author = {Robert Neumann and Kurt Natvig}, title = {{Advancements in Invoicing - A highly sophisticated way to distribute ZLoader}}, date = {2021-03-05}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader}, language = {English}, urldate = {2021-03-30} } Advancements in Invoicing - A highly sophisticated way to distribute ZLoader
Zloader
2021-03 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
@techreport{skulkin:202103:ransomware:992ca10, author = {Oleg Skulkin and Roman Rezvukhin and Semyon Rogachev}, title = {{Ransomware Uncovered 2020/2021}}, date = {2021-03}, institution = {Group-IB}, url = {https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf}, language = {English}, urldate = {2021-06-16} } Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-23 | PhishLabs | Jessica Ellis
@online{ellis:20210223:surge:ceb4d8d, author = {Jessica Ellis}, title = {{Surge in ZLoader Attacks Observed}}, date = {2021-02-23}, organization = {PhishLabs}, url = {https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed}, language = {English}, urldate = {2021-02-25} } Surge in ZLoader Attacks Observed
Zloader
2021-02-23 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-02 | CRONUP | Germán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } From a malware attack to a ransomware incident
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-12-23 | 0xC0DECAFE | Thomas Barabosch
@online{barabosch:20201223:detect:bd873bc, author = {Thomas Barabosch}, title = {{Detect RC4 in (malicious) binaries}}, date = {2020-12-23}, organization = {0xC0DECAFE}, url = {https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries}, language = {English}, urldate = {2020-12-26} } Detect RC4 in (malicious) binaries
SmokeLoader Zloader
2020-12-21 | Cisco Talos | JON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-11-20 | ZDNet | Catalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-18 | Sophos | Sophos
@techreport{sophos:20201118:sophos:8fd201e, author = {Sophos}, title = {{SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world}}, date = {2020-11-18}, institution = {Sophos}, url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf}, language = {English}, urldate = {2020-11-19} } SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-11-16 | Malwarebytes | Threat Intelligence Team
@online{team:20201116:malsmoke:0cddf67, author = {Threat Intelligence Team}, title = {{Malsmoke operators abandon exploit kits in favor of social engineering scheme}}, date = {2020-11-16}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/}, language = {English}, urldate = {2020-11-18} } Malsmoke operators abandon exploit kits in favor of social engineering scheme
Zloader
2020-11-09 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20201109:fake:c6dd7b3, author = {Ionut Ilascu}, title = {{Fake Microsoft Teams updates lead to Cobalt Strike deployment}}, date = {2020-11-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/}, language = {English}, urldate = {2020-11-11} } Fake Microsoft Teams updates lead to Cobalt Strike deployment
Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader
2020-11-06 | LAC WATCH | Matsumoto, Takagen, Ishikawa
@online{matsumoto:20201106:emotetzloader:ba310e4, author = {Matsumoto and Takagen and Ishikawa}, title = {{分析レポート:Emotetの裏で動くバンキングマルウェア「Zloader」に注意}}, date = {2020-11-06}, organization = {LAC WATCH}, url = {https://www.lac.co.jp/lacwatch/people/20201106_002321.html}, language = {Japanese}, urldate = {2020-11-09} } Analysis report: Beware of "Zloader", the banking malware operating behind Emotet
Emotet Zloader
2020-11-05 | Twitter (@ffforward) | TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85, author = {TheAnalyst}, title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}}, date = {2020-11-05}, organization = {Twitter (@ffforward)}, url = {https://twitter.com/ffforward/status/1324281530026524672}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-10-28 | SophosLabs Uncut | Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-10-21 | Alyac | Alyac
@online{alyac:20201021:zloader:d78b7b7, author = {Alyac}, title = {{ZLoader 악성코드, 사업 정지 경고로 위장해 유포중}}, date = {2020-10-21}, organization = {Alyac}, url = {https://blog.alyac.co.kr/3322}, language = {Korean}, urldate = {2020-10-29} } ZLoader malware being distributed disguised as a business suspension notice
Zloader
2020-10-07 | CrowdStrike | The Falcon Complete Team
@online{team:20201007:duck:69360c9, author = {The Falcon Complete Team}, title = {{Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2}}, date = {2020-10-07}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/}, language = {English}, urldate = {2020-10-12} } Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2
QakBot Zloader
2020-09-24 | Click All the Things! Blog | Jamie Arndt
@online{arndt:20200924:zloader:ad8bf21, author = {Jamie Arndt}, title = {{zLoader XLM Update: Macro code and behavior change}}, date = {2020-09-24}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/}, language = {English}, urldate = {2020-09-25} } zLoader XLM Update: Macro code and behavior change
Zloader
2020-09-02 | Cisco Talos | Holger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-08-19 | SecurityLiterate | Kyle Cucci
@online{cucci:20200819:chantays:3998ebb, author = {Kyle Cucci}, title = {{Chantay’s Resume: Investigating a CV-Themed ZLoader Malware}}, date = {2020-08-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/}, language = {English}, urldate = {2020-09-01} } Chantay’s Resume: Investigating a CV-Themed ZLoader Malware
Zloader
2020-08-14 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20200814:zloader:cbd9ad5, author = {Vitali Kremez}, title = {{Tweet on Zloader infection leading to Cobaltstrike Installation}}, date = {2020-08-14}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1294320579311435776}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leading to Cobaltstrike Installation
Cobalt Strike Zloader
2020-07-30 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-22 | SentinelOne | Jason Reaves, Joshua Platt
@online{reaves:20200722:enter:71d9038, author = {Jason Reaves and Joshua Platt}, title = {{Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)}}, date = {2020-07-22}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/}, language = {English}, urldate = {2020-07-23} } Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-06-24MorphisecArnold Osipov
@online{osipov:20200624:obfuscated:74bfeed, author = {Arnold Osipov}, title = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}}, date = {2020-06-24}, organization = {Morphisec}, url = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex}, language = {English}, urldate = {2020-06-25} } Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-19Yet Another Security BlogMichael Weber
@online{weber:20200619:further:8c5635c, author = {Michael Weber}, title = {{Further Evasion in the Forgotten Corners of MS-XLS}}, date = {2020-06-19}, organization = {Yet Another Security Blog}, url = {https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/}, language = {English}, urldate = {2020-06-21} } Further Evasion in the Forgotten Corners of MS-XLS
Zloader
2020-06-19Click All the Things! BlogJamie
@online{jamie:20200619:zloader:dd6729d, author = {Jamie}, title = {{zloader: VBA, R1C1 References, and Other Tomfoolery}}, date = {2020-06-19}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/}, language = {English}, urldate = {2020-06-21} } zloader: VBA, R1C1 References, and Other Tomfoolery
Zloader
2020-06-11Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200611:api:495c8ab, author = {Lars Wallenborn}, title = {{API Hashing in the Zloader malware}}, date = {2020-06-11}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/}, language = {English}, urldate = {2020-08-18} } API Hashing in the Zloader malware
Zloader
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-24Nullteilerfrei BlogLars Wallenborn
@online{wallenborn:20200524:zloader:0ce15ba, author = {Lars Wallenborn}, title = {{Zloader String Obfuscation}}, date = {2020-05-24}, organization = {Nullteilerfrei Blog}, url = {https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/}, language = {English}, urldate = {2020-05-26} } Zloader String Obfuscation
Zloader
2020-05-21Malwarebyteshasherezade, prsecurity
@techreport{hasherezade:20200521:silent:95b5ce7, author = {hasherezade and prsecurity}, title = {{The “Silent Night” Zloader/Zbot}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf}, language = {English}, urldate = {2020-05-23} } The “Silent Night” Zloader/Zbot
Zloader
2020-05-20ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team
@online{schwarz:20200520:zloader:e3c523e, author = {Dennis Schwarz and Matthew Mesa and Proofpoint Threat Research Team}, title = {{ZLoader Loads Again: New ZLoader Variant Returns}}, date = {2020-05-20}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns}, language = {English}, urldate = {2020-05-23} } ZLoader Loads Again: New ZLoader Variant Returns
Zloader
2020-05-12Yet Another Security BlogMichael Weber
@online{weber:20200512:evading:0219069, author = {Michael Weber}, title = {{Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format}}, date = {2020-05-12}, organization = {Yet Another Security Blog}, url = {https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/}, language = {English}, urldate = {2020-05-18} } Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format
Zloader
2020-04-26Johannes Bader's BlogJohannes Bader
@online{bader:20200426:dga:edd448c, author = {Johannes Bader}, title = {{The DGA of Zloader}}, date = {2020-04-26}, organization = {Johannes Bader's Blog}, url = {https://johannesbader.ch/blog/the-dga-of-zloader/}, language = {English}, urldate = {2020-04-26} } The DGA of Zloader
Zloader
2020-04-07Youtube (DissectMalware)Malwrologist
@online{malwrologist:20200407:malware:b0d12ef, author = {Malwrologist}, title = {{Malware Analysis in Action - Episode 2}}, date = {2020-04-07}, organization = {Youtube (DissectMalware)}, url = {https://www.youtube.com/watch?v=QBoj6GB79wM}, language = {English}, urldate = {2020-04-26} } Malware Analysis in Action - Episode 2
Zloader
2020-03-30Bleeping ComputerSergiu Gatlan
@online{gatlan:20200330:banking:9d302f2, author = {Sergiu Gatlan}, title = {{Banking Malware Spreading via COVID-19 Relief Payment Phishing}}, date = {2020-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/}, language = {English}, urldate = {2020-04-01} } Banking Malware Spreading via COVID-19 Relief Payment Phishing
Zloader
2020-03-30IBMAmir Gandler, Limor Kessem
@online{gandler:20200330:zeus:bef1da7, author = {Amir Gandler and Limor Kessem}, title = {{Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy}}, date = {2020-03-30}, organization = {IBM}, url = {https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/}, language = {English}, urldate = {2020-04-01} } Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy
Zeus OpenSSL Zloader
2020-03-13ComaeMatt Suiche
@online{suiche:20200313:yet:d14d3a8, author = {Matt Suiche}, title = {{Yet Another Active Email Campaign With Malicious Excel Files Identified}}, date = {2020-03-13}, organization = {Comae}, url = {https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/}, language = {English}, urldate = {2021-04-06} } Yet Another Active Email Campaign With Malicious Excel Files Identified
Zloader
2018-09-06int 0xcc blogRaashid Bhat
@online{bhat:20180906:dissecting:8c82fb5, author = {Raashid Bhat}, title = {{Dissecting DEloader malware with obfuscation}}, date = {2018-09-06}, organization = {int 0xcc blog}, url = {https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware}, language = {English}, urldate = {2020-01-06} } Dissecting DEloader malware with obfuscation
Zloader
2017-06-15Limor Kessem
@online{kessem:20170615:zeus:7c4b8e4, author = {Limor Kessem}, title = {{Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?}}, date = {2017-06-15}, url = {https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/}, language = {English}, urldate = {2019-12-02} } Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?
Zloader
2017-01-26MalwarebytesMalwarebytes Labs
@online{labs:20170126:zbot:b625eef, author = {Malwarebytes Labs}, title = {{Zbot with legitimate applications on board}}, date = {2017-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/}, language = {English}, urldate = {2019-12-20} } Zbot with legitimate applications on board
Zloader
2017-01-26SecurityIntelligenceLimor Kessem
@online{kessem:20170126:around:eaefc0c, author = {Limor Kessem}, title = {{Around the World With Zeus Sphinx: From Canada to Australia and Back}}, date = {2017-01-26}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/}, language = {English}, urldate = {2020-01-07} } Around the World With Zeus Sphinx: From Canada to Australia and Back
Zloader
2016-09-22ForcepointNicholas Griffin
@online{griffin:20160922:zeus:94d0df7, author = {Nicholas Griffin}, title = {{Zeus Delivered by DELoader to Defraud Customers of Canadian Banks}}, date = {2016-09-22}, organization = {Forcepoint}, url = {https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks}, language = {English}, urldate = {2020-01-13} } Zeus Delivered by DELoader to Defraud Customers of Canadian Banks
Zloader
2016-06-21FortinetFloser Bacurio, Roland Dela Paz
@online{bacurio:20160621:curious:8607f46, author = {Floser Bacurio and Roland Dela Paz}, title = {{The Curious Case of an Unknown Trojan Targeting German-Speaking Users}}, date = {2016-06-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html}, language = {English}, urldate = {2020-01-08} } The Curious Case of an Unknown Trojan Targeting German-Speaking Users
Zloader
Yara Rules
[TLP:WHITE] win_zloader_auto (20230715 | Detects win.zloader.)
rule win_zloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.zloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb7c0 57 50 53 e8???????? 83c40c }
            // n = 6, score = 2000
            //   0fb7c0               | movzx               eax, ax
            //   57                   | push                edi
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { 57 56 89ce ff7508 }
            // n = 4, score = 2000
            //   57                   | push                edi
            //   56                   | push                esi
            //   89ce                 | mov                 esi, ecx
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_2 = { 0fb7450c 8d9df0feffff 53 50 ff7508 e8???????? }
            // n = 6, score = 2000
            //   0fb7450c             | movzx               eax, word ptr [ebp + 0xc]
            //   8d9df0feffff         | lea                 ebx, [ebp - 0x110]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_3 = { 56 8b7508 8b7d0c 89f1 }
            // n = 4, score = 2000
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   89f1                 | mov                 ecx, esi

        $sequence_4 = { 57 56 e8???????? 81c410010000 }
            // n = 4, score = 2000
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   81c410010000         | add                 esp, 0x110

        $sequence_5 = { 31db 8d8df0feffff e8???????? 89d8 81c404010000 5e }
            // n = 6, score = 2000
            //   31db                 | xor                 ebx, ebx
            //   8d8df0feffff         | lea                 ecx, [ebp - 0x110]
            //   e8????????           |                     
            //   89d8                 | mov                 eax, ebx
            //   81c404010000         | add                 esp, 0x104
            //   5e                   | pop                 esi

        $sequence_6 = { 50 8b4508 ff30 57 }
            // n = 4, score = 2000
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff30                 | push                dword ptr [eax]
            //   57                   | push                edi

        $sequence_7 = { 55 89e5 ff750c 6a00 ff7508 e8???????? 83c40c }
            // n = 7, score = 2000
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_8 = { 56 50 a1???????? 89c1 }
            // n = 4, score = 1300
            //   56                   | push                esi
            //   50                   | push                eax
            //   a1????????           |                     
            //   89c1                 | mov                 ecx, eax

        $sequence_9 = { 56 50 8b4510 31db }
            // n = 4, score = 700
            //   56                   | push                esi
            //   50                   | push                eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   31db                 | xor                 ebx, ebx

        $sequence_10 = { 5e 8bc3 5b c3 8b44240c 83f8ff 750a }
            // n = 7, score = 600
            //   5e                   | pop                 esi
            //   8bc3                 | mov                 eax, ebx
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   83f8ff               | cmp                 eax, -1
            //   750a                 | jne                 0xc

        $sequence_11 = { c6043000 5e c3 56 57 8b7c2414 }
            // n = 6, score = 600
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]

        $sequence_12 = { 50 56 56 56 ff7514 }
            // n = 5, score = 600
            //   50                   | push                eax
            //   56                   | push                esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff7514               | push                dword ptr [ebp + 0x14]

        $sequence_13 = { 59 84c0 7432 68???????? }
            // n = 4, score = 600
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al
            //   7432                 | je                  0x34
            //   68????????           |                     

        $sequence_14 = { 68???????? ff742408 e8???????? 59 59 84c0 741e }
            // n = 7, score = 600
            //   68????????           |                     
            //   ff742408             | push                dword ptr [esp + 8]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al
            //   741e                 | je                  0x20

        $sequence_15 = { 50 89542444 e8???????? 03c0 }
            // n = 4, score = 500
            //   50                   | push                eax
            //   89542444             | mov                 dword ptr [esp + 0x44], edx
            //   e8????????           |                     
            //   03c0                 | add                 eax, eax

        $sequence_16 = { 6689442438 8b442438 83c002 668944243a }
            // n = 4, score = 500
            //   6689442438           | mov                 word ptr [esp + 0x38], ax
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   83c002               | add                 eax, 2
            //   668944243a           | mov                 word ptr [esp + 0x3a], ax

        $sequence_17 = { 6aff 50 e8???????? 8d857cffffff 50 }
            // n = 5, score = 500
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d857cffffff         | lea                 eax, [ebp - 0x84]
            //   50                   | push                eax

        $sequence_18 = { 83c408 5e 5d c3 55 89e5 57 }
            // n = 7, score = 500
            //   83c408               | add                 esp, 8
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   57                   | push                edi

        $sequence_19 = { 99 52 50 8d44243c 99 52 50 }
            // n = 7, score = 500
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d44243c             | lea                 eax, [esp + 0x3c]
            //   99                   | cdq                 
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_20 = { 81c4a8020000 5e 5f 5b }
            // n = 4, score = 500
            //   81c4a8020000         | add                 esp, 0x2a8
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_21 = { 89e5 53 57 56 81eca8020000 }
            // n = 5, score = 500
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   81eca8020000         | sub                 esp, 0x2a8

        $sequence_22 = { c7462401000000 c7462800004001 e8???????? 89460c }
            // n = 4, score = 500
            //   c7462401000000       | mov                 dword ptr [esi + 0x24], 1
            //   c7462800004001       | mov                 dword ptr [esi + 0x28], 0x1400000
            //   e8????????           |                     
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_23 = { e9???????? 31c0 83c40c 5e }
            // n = 4, score = 500
            //   e9????????           |                     
            //   31c0                 | xor                 eax, eax
            //   83c40c               | add                 esp, 0xc
            //   5e                   | pop                 esi

        $sequence_24 = { 83c414 c3 56 ff742410 }
            // n = 4, score = 500
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]

        $sequence_25 = { 6a00 e8???????? 83c414 c3 8b542404 85d2 7503 }
            // n = 7, score = 500
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   c3                   | ret                 
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   85d2                 | test                edx, edx
            //   7503                 | jne                 5

        $sequence_26 = { e8???????? 03c0 6689442438 8b442438 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   03c0                 | add                 eax, eax
            //   6689442438           | mov                 word ptr [esp + 0x38], ax
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]

        $sequence_27 = { 56 83ec18 89d6 89cf }
            // n = 4, score = 400
            //   56                   | push                esi
            //   83ec18               | sub                 esp, 0x18
            //   89d6                 | mov                 esi, edx
            //   89cf                 | mov                 edi, ecx

        $sequence_28 = { 0bc3 a3???????? e8???????? 8bc8 eb06 8b0d???????? 85c9 }
            // n = 7, score = 400
            //   0bc3                 | or                  eax, ebx
            //   a3????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   eb06                 | jmp                 8
            //   8b0d????????         |                     
            //   85c9                 | test                ecx, ecx

        $sequence_29 = { 8b45f0 8d4dec 894c240c 89442408 89742404 893c24 e8???????? }
            // n = 7, score = 400
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8d4dec               | lea                 ecx, [ebp - 0x14]
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   89742404             | mov                 dword ptr [esp + 4], esi
            //   893c24               | mov                 dword ptr [esp], edi
            //   e8????????           |                     

        $sequence_30 = { 68???????? 56 e8???????? 5e c3 56 }
            // n = 6, score = 300
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_31 = { ebf7 8d442410 50 ff742410 ff742410 ff742410 }
            // n = 6, score = 300
            //   ebf7                 | jmp                 0xfffffff9
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   ff742410             | push                dword ptr [esp + 0x10]

        $sequence_32 = { 50 e8???????? 68???????? 56 e8???????? 8bf0 59 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_33 = { 56 68???????? ff742410 e8???????? 6823af2930 56 ff742410 }
            // n = 7, score = 300
            //   56                   | push                esi
            //   68????????           |                     
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   e8????????           |                     
            //   6823af2930           | push                0x3029af23
            //   56                   | push                esi
            //   ff742410             | push                dword ptr [esp + 0x10]

        $sequence_34 = { 33db 68???????? 6880000000 50 e8???????? 83c410 }
            // n = 6, score = 300
            //   33db                 | xor                 ebx, ebx
            //   68????????           |                     
            //   6880000000           | push                0x80
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_35 = { 5b c3 8bc2 ebf7 8d442410 }
            // n = 5, score = 300
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   8bc2                 | mov                 eax, edx
            //   ebf7                 | jmp                 0xfffffff9
            //   8d442410             | lea                 eax, [esp + 0x10]

        $sequence_36 = { 33f6 e8???????? ff7508 8d85f0fdffff 68???????? }
            // n = 5, score = 300
            //   33f6                 | xor                 esi, esi
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   68????????           |                     

        $sequence_37 = { 50 6a72 e8???????? 59 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   6a72                 | push                0x72
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_38 = { 8d4580 50 8d8578fdffff 50 68???????? 6804010000 ff7508 }
            // n = 7, score = 300
            //   8d4580               | lea                 eax, [ebp - 0x80]
            //   50                   | push                eax
            //   8d8578fdffff         | lea                 eax, [ebp - 0x288]
            //   50                   | push                eax
            //   68????????           |                     
            //   6804010000           | push                0x104
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_39 = { 56 57 ff750c 33db 68???????? 6880000000 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   33db                 | xor                 ebx, ebx
            //   68????????           |                     
            //   6880000000           | push                0x80

        $sequence_40 = { ebf8 53 8b5c240c 55 33ed }
            // n = 5, score = 300
            //   ebf8                 | jmp                 0xfffffffa
            //   53                   | push                ebx
            //   8b5c240c             | mov                 ebx, dword ptr [esp + 0xc]
            //   55                   | push                ebp
            //   33ed                 | xor                 ebp, ebp

    condition:
        7 of them and filesize < 1105920
}
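The condition `7 of them and filesize < 1105920` is easy to misread, so the following is an added worked example (not Malpedia or yara-signator code) that re-implements just enough of YARA's hex-string semantics to show how it is evaluated: each `$sequence_N` is a byte pattern in which `??` matches any single byte (the call targets behind `e8` and the absolute addresses behind `a1`/`68` are wildcarded for exactly that reason), a sequence counts once no matter how often it occurs, and the rule fires when at least seven distinct sequences are present in a buffer smaller than 1105920 bytes. The eight highest-scoring sequences are copied from the rule above; the test buffer is constructed with NOP filler and is not Zloader code. Only the `??` wildcard is implemented (no jumps, alternation or nibble wildcards), so use yara or yara-python for real scanning. Keep the page's own caveat in mind when applying the rule: the sequences were selected from memory dumps and unpacked files, so it is meant for unpacked samples or process dumps, not packed droppers on disk.

```python
"""
Minimal evaluator for the byte-sequence patterns used by win_zloader_auto.

Added example, not part of Malpedia or yara-signator: it re-implements only the
'??' single-byte wildcard of YARA hex strings to illustrate how the condition
`7 of them and filesize < 1105920` is evaluated over a buffer.
"""
import re

# Eight of the rule's score-2000 sequences, copied verbatim from the rule.
SEQUENCES = {
    "sequence_0": "0fb7c0 57 50 53 e8???????? 83c40c",
    "sequence_1": "57 56 89ce ff7508",
    "sequence_2": "0fb7450c 8d9df0feffff 53 50 ff7508 e8????????",
    "sequence_3": "56 8b7508 8b7d0c 89f1",
    "sequence_4": "57 56 e8???????? 81c410010000",
    "sequence_5": "31db 8d8df0feffff e8???????? 89d8 81c404010000 5e",
    "sequence_6": "50 8b4508 ff30 57",
    "sequence_7": "55 89e5 ff750c 6a00 ff7508 e8???????? 83c40c",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 1105920   # "filesize < 1105920"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (byte values and '??' wildcards) into a bytes regex."""
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError(f"odd-length hex pattern: {pattern}")
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        if pair == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(b"\\x%02x" % int(pair, 16))  # one literal byte
    # DOTALL so '.' also matches 0x0a; the buffer is binary, not text.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def matching_sequences(buf: bytes) -> list:
    """Names of sequences found at least once in buf (each counted once, as YARA does)."""
    return [name for name, rx in COMPILED.items() if rx.search(buf)]


def rule_matches(buf: bytes) -> bool:
    """Evaluate `7 of them and filesize < 1105920` against buf."""
    return len(matching_sequences(buf)) >= MIN_MATCHES and len(buf) < MAX_FILESIZE


def build_sample(names, filler: bytes = b"\x90" * 16) -> bytes:
    """Constructed test buffer (not real Zloader code): the chosen sequences laid
    out with NOP filler between them, every wildcard byte replaced by 0x41."""
    out = bytearray()
    for name in names:
        out += bytes.fromhex(SEQUENCES[name].replace(" ", "").replace("??", "41"))
        out += filler
    return bytes(out)


if __name__ == "__main__":
    full = build_sample(list(SEQUENCES))
    partial = build_sample(list(SEQUENCES)[:6])
    print("all eight sequences  ->", matching_sequences(full), rule_matches(full))
    print("only six sequences   ->", matching_sequences(partial), rule_matches(partial))
    print("eight but oversized  ->", rule_matches(full + b"\x00" * MAX_FILESIZE))
```

The oversized case is the one most often overlooked: a memory dump that carries all the code but is larger than 1105920 bytes will not match this rule at all, so when scanning dumps either carve the module out first or evaluate the rule without the filesize clause and treat the result as lower confidence.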