Technical Analysis of ALPHV/BlackCat Ransomware

A thorough technical analysis of BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries.

Mehardeep Singh Sawhney
May 22, 2023
Last update posted on February 3, 2024

Co-author: Hansika Saxena
In recent years, ransomware attacks have become increasingly common, with new strains being discovered all the time. One such strain is BlackCat ransomware, which has been causing havoc for organizations across the world. ALPHV, also known as BlackCat, is a ransomware family first seen in late 2021 and has been targeting multiple firms across industries. The operators of the ransomware are seen employing double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims. Reportedly, another tool is used with the ransomware for stealing data.

BlackCat ransomware is written in Rust and comes in the form of a command-line tool, which can be run with different arguments. It is capable of killing multiple processes and services. One of its key features is its ability to escalate privileges and bypass User Account Control (UAC). This sophisticated malware uses either AES or ChaCha20 encryption (depending on its configuration) to encrypt all the files on a victim's system. Additionally, it has sandbox-evasion capabilities that make the sample hard to analyze: the ransomware requires a command-line argument to run, so an automated sandbox that does not supply it never sees the payload execute. In this blog, we'll take a closer look at the characteristics and technicalities of this Rust-written ransomware.

Historical Campaign Overview

Attackers using the BlackCat ransomware have also reportedly used a .NET stealer tool named ExMatter, developed by the same APT group, to exfiltrate files from the victim machine. This makes the attack even more formidable, since it gives the attackers the leverage of double extortion: the added pressure of leaking stolen files that may contain sensitive data. (Refer to the Appendix for a YARA rule that helps with hunting BlackCat.)

Technical Analysis

The BlackCat binary comes in the form of a command-line tool that can be run using different arguments. For example:

  • By using --verbose, the logs created by BlackCat are displayed on the console.
  • The --ui option shows a GUI-like display in the terminal window, with the progress of, and information about, the files being encrypted on the system.
Screenshot of the GUI-like display shown when using the --ui option

Out of these arguments, only one is essential to the execution of the binary: the --access-token argument.

List of the arguments that can be used while running the binary

Pre-Encryption Operations

As mentioned earlier, the binary will only run if it is supplied with a 32-character long access token. It uses the GetCommandLineW API in order to check whether the access token is correctly supplied.

Using GetCommandLineW to check whether the access token is correctly supplied

Depending on the version of the ransomware, this token is either random (as in this sample) or, as seen in the latest versions, a 32-character key used to encrypt the ransomware's configuration embedded within the binary. The latest versions do this to stop security researchers from extracting the configuration. It also serves as an anti-sandboxing measure, since automated analysis tools will not be able to execute the sample unless they are configured to supply the access token.

Ransom Note

Once the access token is supplied to the binary, the Ransomware proceeds by decrypting the ransom note embedded within the binary and storing it for later use. It also sets the ransom note as the Desktop wallpaper.

Decrypted ransom note stored for later use

After this, the Ransomware prepares itself to escalate privileges by creating a new thread using the CreateThread API.

Privilege Escalation & UAC Bypass

BlackCat ransomware performs a UAC bypass by abusing Microsoft COM (Component Object Model). The technique uses COM objects exposed by the Microsoft CMSTP binary (Connection Manager Profile Installer), specifically the CMSTPLUA interface with CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}.

The ransomware uses CoGetObject to instantiate the object with CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which Windows legitimately uses to execute applications with elevated privileges. Because the elevation is performed through a trusted Microsoft component, no UAC prompt is shown, and the ransomware can carry out its malicious actions without being blocked by that security control.

Using CoGetObject to register itself with {3E5FC7F9-9A51-4367-9063-A120244FBEC7} in order to gain elevated privileges

Once the ransomware elevates privileges, it executes within the newly created thread and carries its arguments forward from its previous instance.

BlackCat executes itself within the new thread with elevated privileges using the same arguments as before

After this, BlackCat uses the LookupPrivilegeValueW API to look up the locally unique identifiers (LUIDs) of a list of privileges. Each of these privileges enables the running process to perform system-level operations (refer to the Appendix for the complete list and a description of each privilege). The binary then uses AdjustTokenPrivileges to enable those privileges in its own access token.

List of privileges sought out by BlackCat

Using LookupPrivilegeValueW and AdjustTokenPrivileges to grant itself privileges

Finally, BlackCat ends its preparation for encryption by doing the following:

  • Deleting all volume shadow copies using vssadmin and wmic commands, thus making data recovery much harder.
  • Disabling Automatic Repair using bcdedit, in order to prevent the recovery of system-related files.
  • Clearing event logs.
  • Terminating all active services and processes.
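The four preparation steps above leave a distinctive trail in process-creation telemetry. As an added example that is not code from the CloudSEK post or from BlackCat itself, the following triage helper flags the recovery-inhibition commands the post lists when run over process-creation log lines. The log lines are constructed for the example, the "CommandLine=" key/value layout is an assumption about the collector format, and the exact switches in the patterns (vssadmin "delete shadows", wmic "shadowcopy delete", bcdedit "recoveryenabled no", wevtutil "cl") are the common forms of each action rather than values taken from the post, which names only the tools.

```python
"""
Added example (not from the CloudSEK post, not BlackCat code): flag the
recovery-inhibition commands the post attributes to BlackCat's pre-encryption
phase in process-creation log lines.  Sample telemetry below is constructed.
"""
import re

# One compiled rule per behaviour in the post's list.  The post names the
# tools (vssadmin, wmic, bcdedit) and the action (clearing event logs); the
# exact switches and the wevtutil tool are assumptions about the usual forms.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
]

# Constructed sample telemetry (Sysmon EID 1 / Security 4688 style fields):
# four staging commands from the post's list plus two benign lines that must
# not fire (a harmless vssadmin listing and an unrelated process).
SAMPLE_LOG = [
    "2023-05-22T10:14:03Z Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin.exe delete shadows /all /quiet",
    "2023-05-22T10:14:04Z Image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine=wmic.exe shadowcopy delete",
    "2023-05-22T10:14:05Z Image=C:\\Windows\\System32\\bcdedit.exe "
    "CommandLine=bcdedit /set {default} recoveryenabled no",
    "2023-05-22T10:14:06Z Image=C:\\Windows\\System32\\wevtutil.exe "
    "CommandLine=wevtutil.exe cl System",
    "2023-05-22T10:15:00Z Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe C:\\Users\\alice\\notes.txt",
    "2023-05-22T10:16:00Z Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin list shadows",
]


def extract_command_line(line: str) -> str:
    """Return the CommandLine= field of a key=value log line (whole line if absent)."""
    m = re.search(r"CommandLine=(.*)$", line)
    return (m.group(1) if m else line).strip()


def triage(lines):
    """Return (rule_name, command_line) for every line that matches a rule."""
    hits = []
    for line in lines:
        cmd = extract_command_line(line)
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((name, cmd))
    return hits


def distinct_behaviours(lines):
    """Count distinct rule families seen.  One hit can be admin housekeeping;
    several of them in a short window from one process tree is the
    ransomware-staging pattern described in the post."""
    return len({name for name, _ in triage(lines)})


if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_LOG):
        print(f"{name:30s} {cmd}")
    print("distinct behaviours:", distinct_behaviours(SAMPLE_LOG))
```

Matching on the command line rather than on the image path catches renamed copies of the tools, and counting distinct behaviours rather than raw hits keeps a single routine `vssadmin delete shadows` from a backup job from producing the same severity as the full staging sequence.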

Note: BlackCat's configuration is embedded within the binary and decrypted at runtime. It contains, among other things, the RSA public key used to encrypt the per-file AES key, the specific services to terminate, and an exception list.

Screenshot displaying the BlackCat configuration

Data Encryption

The sample of BlackCat analyzed here uses AES for file encryption. The steps involved are as follows:

  • BlackCat first traverses the system using a loop of FindFirstFile and FindNextFile to enumerate every file on the system.
  • The ransom note is written to each directory using WriteFile.
Screenshot of the ransom note left by BlackCat

  • Using BCryptGenRandom, the ransomware generates a random AES key.
  • A JSON block is created for each file, containing the AES key used to encrypt that file and information about the file.
JSON block containing information about the key and file

  • The AES key is then encrypted with the RSA public key stored in the BlackCat configuration.
  • The file contents are read with ReadFile, encrypted with AES, and written back with WriteFile. The new file extension is specified in the BlackCat configuration.
Using AES to encrypt the file

Post-Encryption Operations

Once BlackCat is done encrypting all files on the system, the Desktop wallpaper is changed, instructing the user to refer to the ransom note. 

Changed Desktop background

The .onion URL specified in the ransom note is unique to each victim, as each sample uses a different access token, supplied to the URL as a parameter. The onion URL contains information about the files encrypted/stolen and instructions on how to pay the ransom.

Indicators of Compromise (IoCs)

SHA256

847FB7609F53ED334D5AFFBB07256C21CB5E6F68B1CC14004F5502D714D2A456

3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1

9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26

f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083
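The hashes above are published in mixed case, which trips up naive string comparison. As an added example that is not part of the CloudSEK post, the following helper normalizes the listed SHA256 values and checks files against them; the hash values are copied from the list above, while the function names and the directory walk are this example's own. A hash match identifies only these exact samples, so it complements rather than replaces the YARA rule in the Appendix, which matches on code patterns.

```python
"""
Added example (not from the CloudSEK post): match files against the SHA256
IoCs listed in the post.  Hash values are copied from the post as published;
everything else is this example's own.
"""
import hashlib
import os

# SHA256 values exactly as listed in the post (note the mixed case).
BLACKCAT_SHA256 = {
    "847FB7609F53ED334D5AFFBB07256C21CB5E6F68B1CC14004F5502D714D2A456",
    "3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1",
    "9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26",
    "f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083",
}


def normalize(iocs):
    """Lowercase and strip every hash so comparisons do not depend on how a
    feed happened to publish them."""
    return {h.strip().lower() for h in iocs}


def sha256_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory buffer (used for the self-test below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hex SHA256 of a file, read in 1 MiB chunks so large files do not
    need to be loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_sample(digest: str, iocs=BLACKCAT_SHA256) -> bool:
    """True if the digest (any case) is one of the listed IoCs."""
    return digest.strip().lower() in normalize(iocs)


def scan_tree(root, iocs=BLACKCAT_SHA256):
    """Walk a directory tree and return the paths whose SHA256 is an IoC.
    Unreadable files are skipped rather than aborting the scan."""
    known = normalize(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if sha256_file(path) in known:
                    hits.append(path)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        print("IoC match:", hit)
```

Run it as `python scan.py C:\path\to\scan` (assumed script name); it prints each file whose hash matches one of the four listed samples and nothing otherwise.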

Appendix

List of Security Privileges & Responsibilities Targeted by BlackCat

Security Privilege

Responsibility

SeIncreaseQuotaPrivilege

Allows a process to increase the memory quota assigned to it.

SeSecurityPrivilege

Allows a process to read or modify the security settings of objects in the system.

SeTakeOwnershipPrivilege

Allows a process to take ownership of any object in the system.

SeLoadDriverPrivilege

Allows a process to load device drivers.

SeSystemProfilePrivilege

Allows a process to gather profiling information for the entire system.

SeSystemtimePrivilege

Allows a process to change the system time.

SeProfileSingleProcessPrivilege

Allows a process to profile a single process.

SeIncreaseBasePriorityPrivilege

Allows a process to increase the base priority of a thread.

SeCreatePagefilePrivilege

Allows a process to create a pagefile.

SeBackupPrivilege

Allows a process to perform backup and restore operations.

SeRestorePrivilege

Allows a process to restore backed-up objects.

SeShutdownPrivilege

Allows a process to shut down the system.

SeDebugPrivilege

Allows a process to debug other processes.

SeSystemEnvironmentPrivilege

Allows a process to modify system environment variables.

SeChangeNotifyPrivilege

Allows a process to receive notifications when an object is modified.

SeRemoteShutdownPrivilege

Allows a process to shut down remote systems.

SeUndockPrivilege

Allows a process to undock a laptop computer.

SeManageVolumePrivilege

Allows a process to manage volume and disk configurations.

SeImpersonatePrivilege

Allows a process to impersonate other users or groups.

YARA Rule for BlackCat Threat Hunting


rule win_blackcat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.blackcat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c3 81f90a010000 7e6a 81f9e2030000 0f8fcc000000 81f90b010000 }
            // n = 6, score = 600
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2
            //   0f8fcc000000         | jg                  0xd2
            //   81f90b010000         | cmp                 ecx, 0x10b

        $sequence_1 = { 85f6 0f8482000000 bb03000000 8d0437 }
            // n = 4, score = 600
            //   85f6                 | test                esi, esi
            //   0f8482000000         | je                  0x88
            //   bb03000000           | mov                 ebx, 3
            //   8d0437               | lea                 eax, [edi + esi]

        $sequence_2 = { 885405cc 48 eb19 89ca 83fa63 7fbe }
            // n = 6, score = 600
            //   885405cc             | mov                 byte ptr [ebp + eax - 0x34], dl
            //   48                   | dec                 eax
            //   eb19                 | jmp                 0x1b
            //   89ca                 | mov                 edx, ecx
            //   83fa63               | cmp                 edx, 0x63
            //   7fbe                 | jg                  0xffffffc0

        $sequence_3 = { f20f104808 8d45d4 894dec c645f004 8d4dec }
            // n = 5, score = 600
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   c645f004             | mov                 byte ptr [ebp - 0x10], 4
            //   8d4dec               | lea                 ecx, [ebp - 0x14]

        $sequence_4 = { 3d32210000 747b 3d33210000 0f8571050000 8b07 }
            // n = 5, score = 600
            //   3d32210000           | cmp                 eax, 0x2132
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_5 = { b005 5e 5d c3 81f90a010000 7e6a 81f9e2030000 }
            // n = 7, score = 600
            //   b005                 | mov                 al, 5
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   81f90a010000         | cmp                 ecx, 0x10a
            //   7e6a                 | jle                 0x6c
            //   81f9e2030000         | cmp                 ecx, 0x3e2

        $sequence_6 = { 747b 3d33210000 0f8571050000 8b07 83f00a }
            // n = 5, score = 600
            //   747b                 | je                  0x7d
            //   3d33210000           | cmp                 eax, 0x2133
            //   0f8571050000         | jne                 0x577
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   83f00a               | xor                 eax, 0xa

        $sequence_7 = { b806000000 c7460400000000 894608 c70601000000 83c430 }
            // n = 5, score = 600
            //   b806000000           | mov                 eax, 6
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   c70601000000         | mov                 dword ptr [esi], 1
            //   83c430               | add                 esp, 0x30

        $sequence_8 = { 89d0 ba3e000000 897e0c f7e2 }
            // n = 4, score = 600
            //   89d0                 | mov                 eax, edx
            //   ba3e000000           | mov                 edx, 0x3e
            //   897e0c               | mov                 dword ptr [esi + 0xc], edi
            //   f7e2                 | mul                 edx

        $sequence_9 = { c6410b00 66c741090000 8b45ec 894110 c7411400000000 b801000000 8901 }
            // n = 7, score = 600
            //   c6410b00             | mov                 byte ptr [ecx + 0xb], 0
            //   66c741090000         | mov                 word ptr [ecx + 9], 0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   c7411400000000       | mov                 dword ptr [ecx + 0x14], 0
            //   b801000000           | mov                 eax, 1
            //   8901                 | mov                 dword ptr [ecx], eax

    condition:
        7 of them and filesize < 29981696
}

Author

Mehardeep Singh Sawhney

Extremely passionate about cyber security and its real application in protecting information assets. Loves learning about new ways to exploit devices.
