Rule: win_bazarbackdoor_auto
YARA ID: YARA-2024-1410
Severity: High
Category: general
Status: Active
Description: Detects win.bazarbackdoor.
File: win_bazarbackdoor_auto.yar
Syntax check: Valid Syntax
rule win_bazarbackdoor_auto {
meta:
author = "Felix Bilstein - yara-signator at cocacoding dot com"
date = "2024-10-31"
version = "1"
description = "Detects win.bazarbackdoor."
info = "autogenerated rule brought to you by yara-signator"
tool = "yara-signator v0.6.0"
signator_config = "callsandjumps;datarefs;binvalue"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
malpedia_rule_date = "20241030"
malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
malpedia_version = "20241030"
malpedia_license = "CC BY-SA 4.0"
malpedia_sharing = "TLP:WHITE"
/* DISCLAIMER
* The strings used in this rule have been automatically selected from the
* disassembly of memory dumps and unpacked files, using YARA-Signator.
* The code and documentation is published here:
* https://github.com/fxb-cocacoding/yara-signator
* As Malpedia is used as data source, please note that for a given
* number of families, only single samples are documented.
* This likely impacts the degree of generalization these rules will offer.
* Take the described generation method also into consideration when you
* apply the rules in your use cases and assign them confidence levels.
*/
strings:
$sequence_0 = { ff15???????? 85c0 780a 4898 }
// n = 4, score = 1500
// ff15???????? |
// 85c0 | dec eax
// 780a | mov dword ptr [esp + 0x20], eax
// 4898 | test eax, eax
$sequence_1 = { 41b80f100000 488bce 4889442420 ff15???????? }
// n = 4, score = 1500
// 41b80f100000 | inc ecx
// 488bce | mov eax, 0x100f
// 4889442420 | dec eax
// ff15???????? |
$sequence_2 = { e8???????? 4885c0 740a 488bcf ffd0 }
// n = 5, score = 1300
// e8???????? |
// 4885c0 | test dl, dl
// 740a | je 7
// 488bcf | cmp dl, 0x2e
// ffd0 | jne 0x16
$sequence_3 = { 488d4d80 e8???????? 498bd6 488d4d80 }
// n = 4, score = 1100
// 488d4d80 | js 0xe
// e8???????? |
// 498bd6 | dec eax
// 488d4d80 | cwde
$sequence_4 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 }
// n = 4, score = 1100
// 0fb70f | dec eax
// ff15???????? |
// 0fb74f02 | mov ecx, esi
// 0fb7d8 | dec eax
$sequence_5 = { 0fb74f02 0fb7d8 ff15???????? 0fb74f08 }
// n = 4, score = 1100
// 0fb74f02 | dec eax
// 0fb7d8 | sub ecx, 0xc0
// ff15???????? |
// 0fb74f08 | dec eax
$sequence_6 = { 7507 33c0 e9???????? b8ff000000 }
// n = 4, score = 1000
// 7507 | jne 9
// 33c0 | xor eax, eax
// e9???????? |
// b8ff000000 | mov eax, 0xff
$sequence_7 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? }
// n = 4, score = 1000
// ff15???????? |
// 0fb74f08 | dec eax
// 440fb7e8 | mov dword ptr [esp + 0x28], eax
// ff15???????? |
$sequence_8 = { c3 0fb74c0818 b80b010000 663bc8 }
// n = 4, score = 900
// c3 | mov dword ptr [esp + 0x20], eax
// 0fb74c0818 | test eax, eax
// b80b010000 | js 0x16
// 663bc8 | test eax, eax
$sequence_9 = { cc e8???????? cc 4053 4883ec20 b902000000 }
// n = 6, score = 900
// cc | mov ecx, esi
// e8???????? |
// cc | dec eax
// 4053 | mov dword ptr [esp + 0x20], eax
// 4883ec20 | test eax, eax
// b902000000 | js 0xc
$sequence_10 = { 4885c9 7406 488b11 ff5210 ff15???????? }
// n = 5, score = 900
// 4885c9 | dec eax
// 7406 | mov ecx, esi
// 488b11 | dec eax
// ff5210 | mov dword ptr [esp + 0x20], eax
// ff15???????? |
$sequence_11 = { e8???????? 4c89e1 e8???????? 8b05???????? }
// n = 4, score = 800
// e8???????? |
// 4c89e1 | dec eax
// e8???????? |
// 8b05???????? |
$sequence_12 = { 4889f1 e8???????? 8b05???????? 8b0d???????? }
// n = 4, score = 800
// 4889f1 | dec eax
// e8???????? |
// 8b05???????? |
// 8b0d???????? |
$sequence_13 = { 48c1e108 4803c8 8bc1 488d94059f070000 }
// n = 4, score = 800
// 48c1e108 | inc ebp
// 4803c8 | xor ecx, ecx
// 8bc1 | dec eax
// 488d94059f070000 | mov dword ptr [esp + 0x28], eax
$sequence_14 = { ff15???????? ff15???????? 4d8bc5 33d2 }
// n = 4, score = 800
// ff15???????? |
// ff15???????? |
// 4d8bc5 | mov ecx, esi
// 33d2 | dec eax
$sequence_15 = { e8???????? 4889c7 8b05???????? 8b0d???????? }
// n = 4, score = 800
// e8???????? |
// 4889c7 | test eax, eax
// 8b05???????? |
// 8b0d???????? |
$sequence_16 = { 31ff 4889c1 31d2 4989f0 }
// n = 4, score = 800
// 31ff | dec eax
// 4889c1 | arpl word ptr [esp + 0x30], ax
// 31d2 | dec eax
// 4989f0 | imul eax, eax, 0x10
$sequence_17 = { ff15???????? 4889c1 31d2 4d89e0 }
// n = 4, score = 800
// ff15???????? |
// 4889c1 | dec eax
// 31d2 | lea ecx, [0x238e3]
// 4d89e0 | dec eax
$sequence_18 = { 488d95a0070000 488d442470 41b80f100000 488bce }
// n = 4, score = 800
// 488d95a0070000 | js 0x16
// 488d442470 | dec eax
// 41b80f100000 | cwde
// 488bce | dec eax
$sequence_19 = { 4c89742440 4c89742438 4489742430 4c89742428 }
// n = 4, score = 800
// 4c89742440 | mov eax, 0x100f
// 4c89742438 | dec eax
// 4489742430 | mov ecx, esi
// 4c89742428 | dec eax
$sequence_20 = { 418d5508 488bc8 ff15???????? 488bd8 4885c0 }
// n = 5, score = 800
// 418d5508 | mov dword ptr [esp + 0x20], eax
// 488bc8 | dec eax
// ff15???????? |
// 488bd8 | mov dword ptr [esp + 0x28], eax
// 4885c0 | dec eax
$sequence_21 = { 488d9590050000 488bce ff15???????? 85c0 }
// n = 4, score = 800
// 488d9590050000 | dec eax
// 488bce | cwde
// ff15???????? |
// 85c0 | dec eax
$sequence_22 = { 4533c9 4889442428 488d95a0070000 488d442470 }
// n = 4, score = 800
// 4533c9 | mov ecx, esi
// 4889442428 | dec eax
// 488d95a0070000 | mov dword ptr [esp + 0x20], eax
// 488d442470 | test eax, eax
$sequence_23 = { 4889c1 31d2 4989f8 41ffd6 }
// n = 4, score = 700
// 4889c1 | je 0x62
// 31d2 | dec eax
// 4989f8 | mov eax, dword ptr [esp + 0x30]
// 41ffd6 | dec eax
$sequence_24 = { 488bd3 e8???????? ff15???????? 4c8bc3 33d2 488bc8 }
// n = 6, score = 700
// 488bd3 | lea eax, [esp + 0x70]
// e8???????? |
// ff15???????? |
// 4c8bc3 | inc ecx
// 33d2 | mov eax, 0x100f
// 488bc8 | dec eax
$sequence_25 = { 85c8 0f94c0 833d????????0a 0f9cc1 84c1 7508 30c1 }
// n = 7, score = 700
// 85c8 | cwde
// 0f94c0 | mov eax, 6
// 833d????????0a |
// 0f9cc1 | inc esp
// 84c1 | mov ecx, dword ptr [edi + 0x54]
// 7508 | dec esp
// 30c1 | mov eax, esi
$sequence_26 = { c744242800000001 4533c9 4533c0 c744242002000000 }
// n = 4, score = 700
// c744242800000001 | jne 6
// 4533c9 | movzx edx, byte ptr [ebx + 5]
// 4533c0 | xor eax, eax
// c744242002000000 | cmp cl, 0x73
$sequence_27 = { c744242880000000 c744242003000000 4889f9 ba00000080 41b801000000 }
// n = 5, score = 700
// c744242880000000 | je 0xc
// c744242003000000 | mov edx, 2
// 4889f9 | dec eax
// ba00000080 | mov ecx, esi
// 41b801000000 | call eax
$sequence_28 = { 0fb65305 33c0 80f973 0f94c0 }
// n = 4, score = 700
// 0fb65305 | dec eax
// 33c0 | mov ecx, esi
// 80f973 | dec eax
// 0f94c0 | mov dword ptr [esp + 0x20], eax
$sequence_29 = { 08c1 80f101 7502 ebfe }
// n = 4, score = 700
// 08c1 | inc ebp
// 80f101 | xor ecx, ecx
// 7502 | dec eax
// ebfe | mov dword ptr [esp + 0x30], 0
$sequence_30 = { 08ca 80f201 7502 ebfe }
// n = 4, score = 700
// 08ca | mov ecx, edi
// 80f201 | mov edx, 0x80000000
// 7502 | inc ecx
// ebfe | mov eax, 1
$sequence_31 = { 0f9fc1 38d3 7507 08c1 80f101 744d }
// n = 6, score = 700
// 0f9fc1 | xor edx, edx
// 38d3 | dec ecx
// 7507 | mov eax, ebx
// 08c1 | xor ebp, ebp
// 80f101 | dec eax
// 744d | mov ecx, eax
$sequence_32 = { 89d1 83f1fe 85d1 0f95c2 833d????????09 0f9fc1 89cb }
// n = 7, score = 700
// 89d1 | js 0x16
// 83f1fe | inc ecx
// 85d1 | mov eax, 0x100f
// 0f95c2 | dec eax
// 833d????????09 |
// 0f9fc1 | mov ecx, esi
// 89cb | dec eax
$sequence_33 = { ff15???????? 488bf8 4885c0 7533 }
// n = 4, score = 700
// ff15???????? |
// 488bf8 | jne 0xc
// 4885c0 | movzx edx, cl
// 7533 | cmp cl, 0x73
$sequence_34 = { 89c1 83f1fe 85c1 0f94c0 }
// n = 4, score = 700
// 89c1 | dec eax
// 83f1fe | mov ecx, dword ptr [esp + 0x50]
// 85c1 | inc ebp
// 0f94c0 | xor eax, eax
$sequence_35 = { 89d1 83f1fe 85d1 0f94c2 833d????????0a 0f9cc1 89cb }
// n = 7, score = 700
// 89d1 | mov dword ptr [esp + 0x20], eax
// 83f1fe | test eax, eax
// 85d1 | dec eax
// 0f94c2 | mov ecx, esi
// 833d????????0a |
// 0f9cc1 | dec eax
// 89cb | mov dword ptr [esp + 0x20], eax
$sequence_36 = { ff15???????? 31ed 4889c1 31d2 }
// n = 4, score = 700
// ff15???????? |
// 31ed | add ecx, eax
// 4889c1 | dec eax
// 31d2 | mov eax, ecx
$sequence_37 = { 0fb64b04 0fb6d1 80f973 7504 0fb65305 33c0 }
// n = 6, score = 700
// 0fb64b04 | dec eax
// 0fb6d1 | mov dword ptr [esp + 0x20], eax
// 80f973 | test eax, eax
// 7504 | js 0xe
// 0fb65305 | dec eax
// 33c0 | cwde
$sequence_38 = { 0f9fc1 83fa0a 0f9cc2 30da 7512 08c1 80f101 }
// n = 7, score = 700
// 0f9fc1 | mov ecx, edi
// 83fa0a | mov edx, 0x80000000
// 0f9cc2 | inc ecx
// 30da | mov eax, 1
// 7512 | xor ebp, ebp
// 08c1 | dec eax
// 80f101 | mov ecx, eax
$sequence_39 = { 4889c1 31d2 4989e8 ff15???????? }
// n = 4, score = 600
// 4889c1 | arpl word ptr [esp + 0x30], ax
// 31d2 | dec eax
// 4989e8 | imul eax, eax, 0x10
// ff15???????? |
$sequence_40 = { 4889c1 31d2 4d89f8 ffd3 }
// n = 4, score = 600
// 4889c1 | lea eax, [0x202a]
// 31d2 | dec eax
// 4d89f8 | mov edx, dword ptr [esp + 0x28]
// ffd3 | dec eax
$sequence_41 = { e8???????? 4c897c2420 4889d9 89fa }
// n = 4, score = 600
// e8???????? |
// 4c897c2420 | dec eax
// 4889d9 | add ecx, eax
// 89fa | dec eax
$sequence_42 = { 7405 80fa2e 750f 0fb6c1 }
// n = 4, score = 600
// 7405 | test eax, eax
// 80fa2e | js 0x1c
// 750f | dec eax
// 0fb6c1 | sub ecx, 0xc0
$sequence_43 = { 488d4c2428 e8???????? 4889f1 4889c2 }
// n = 4, score = 500
// 488d4c2428 | cmovg eax, ecx
// e8???????? |
// 4889f1 | cdq
// 4889c2 | sub eax, edx
$sequence_44 = { c744242880000000 c744242003000000 4889f1 ba00000080 }
// n = 4, score = 500
// c744242880000000 | dec esp
// c744242003000000 | lea eax, [0x202a]
// 4889f1 | dec eax
// ba00000080 | mov edx, dword ptr [esp + 0x28]
$sequence_45 = { 4889fa 4189f0 4d89f1 ffd0 }
// n = 4, score = 500
// 4889fa | mov eax, 0x10b
// 4189f0 | cmp cx, ax
// 4d89f1 | mov ecx, 0xe10
// ffd0 | cmp eax, ecx
$sequence_46 = { 6689442470 8d4833 ff15???????? c744242810000000 }
// n = 4, score = 400
// 6689442470 | je 0xc
// 8d4833 | dec eax
// ff15???????? |
// c744242810000000 | mov ecx, edi
$sequence_47 = { 33d2 6a09 68fe6a7a69 42 e8???????? }
// n = 5, score = 400
// 33d2 | xor edx, edx
// 6a09 | push 9
// 68fe6a7a69 | push 0x697a6afe
// 42 | inc edx
// e8???????? |
$sequence_48 = { 7506 8b0e 894c2460 0fb7c0 }
// n = 4, score = 400
// 7506 | dec eax
// 8b0e | cwde
// 894c2460 | dec eax
// 0fb7c0 | test eax, eax
$sequence_49 = { 7512 83fe40 730d 896c846c 8b742468 46 }
// n = 6, score = 400
// 7512 | jne 0x14
// 83fe40 | cmp esi, 0x40
// 730d | jae 0xf
// 896c846c | mov dword ptr [esp + eax*4 + 0x6c], ebp
// 8b742468 | mov esi, dword ptr [esp + 0x68]
// 46 | inc esi
$sequence_50 = { 0fb745e8 50 68???????? e8???????? }
// n = 4, score = 400
// 0fb745e8 | movzx eax, word ptr [ebp - 0x18]
// 50 | push eax
// 68???????? |
// e8???????? |
$sequence_51 = { 50 e8???????? 83c404 33c0 33d2 40 8bc8 }
// n = 7, score = 400
// 50 | push eax
// e8???????? |
// 83c404 | add esp, 4
// 33c0 | xor eax, eax
// 33d2 | xor edx, edx
// 40 | inc eax
// 8bc8 | mov ecx, eax
$sequence_52 = { 66890d???????? 0fb7ca ff15???????? b901000000 66c746020100 }
// n = 5, score = 400
// 66890d???????? |
// 0fb7ca | js 0x13
// ff15???????? |
// b901000000 | dec eax
// 66c746020100 | cwde
$sequence_53 = { 75ef 21542440 6890010000 686a72995d 6a04 }
// n = 5, score = 400
// 75ef | jne 0xfffffff1
// 21542440 | and dword ptr [esp + 0x40], edx
// 6890010000 | push 0x190
// 686a72995d | push 0x5d99726a
// 6a04 | push 4
$sequence_54 = { 51 8bd6 e8???????? 59 59 85c0 }
// n = 6, score = 400
// 51 | push ecx
// 8bd6 | mov edx, esi
// e8???????? |
// 59 | pop ecx
// 59 | pop ecx
// 85c0 | test eax, eax
$sequence_55 = { 33ff 32db 885c2410 c70601000000 eb35 81ffff030000 }
// n = 6, score = 400
// 33ff | xor edi, edi
// 32db | xor bl, bl
// 885c2410 | mov byte ptr [esp + 0x10], bl
// c70601000000 | mov dword ptr [esi], 1
// eb35 | jmp 0x37
// 81ffff030000 | cmp edi, 0x3ff
$sequence_56 = { 6a01 6a04 68???????? ff15???????? 8bf8 83ffff }
// n = 6, score = 300
// 6a01 | push 1
// 6a04 | push 4
// 68???????? |
// ff15???????? |
// 8bf8 | mov edi, eax
// 83ffff | cmp edi, -1
$sequence_57 = { 81feff030000 733c 8a02 3cc0 721e }
// n = 5, score = 300
// 81feff030000 | cmp esi, 0x3ff
// 733c | jae 0x3e
// 8a02 | mov al, byte ptr [edx]
// 3cc0 | cmp al, 0xc0
// 721e | jb 0x20
$sequence_58 = { 88041a 8bd1 41 3bcf }
// n = 4, score = 300
// 88041a | mov byte ptr [edx + ebx], al
// 8bd1 | mov edx, ecx
// 41 | inc ecx
// 3bcf | cmp ecx, edi
$sequence_59 = { 0fb6c9 51 8bca c1f910 0fb6c1 50 8bc2 }
// n = 7, score = 300
// 0fb6c9 | movzx ecx, cl
// 51 | push ecx
// 8bca | mov ecx, edx
// c1f910 | sar ecx, 0x10
// 0fb6c1 | movzx eax, cl
// 50 | push eax
// 8bc2 | mov eax, edx
$sequence_60 = { 2ac2 fec8 88041a 8bd1 }
// n = 4, score = 300
// 2ac2 | sub al, dl
// fec8 | dec al
// 88041a | mov byte ptr [edx + ebx], al
// 8bd1 | mov edx, ecx
$sequence_61 = { 3cc0 721e 0fb6c8 0fb64201 }
// n = 4, score = 300
// 3cc0 | cmp al, 0xc0
// 721e | jb 0x20
// 0fb6c8 | movzx ecx, al
// 0fb64201 | movzx eax, byte ptr [edx + 1]
$sequence_62 = { 8d7001 8d4610 50 6a08 }
// n = 4, score = 300
// 8d7001 | lea esi, [eax + 1]
// 8d4610 | lea eax, [esi + 0x10]
// 50 | push eax
// 6a08 | push 8
$sequence_63 = { 0fb70d???????? 83c40c 8d4101 51 66a3???????? }
// n = 5, score = 300
// 0fb70d???????? |
// 83c40c | add esp, 0xc
// 8d4101 | lea eax, [ecx + 1]
// 51 | push ecx
// 66a3???????? |
$sequence_64 = { 89442438 4863442430 486bc010 488d0de3380200 4803c8 488bc1 }
// n = 6, score = 100
// 89442438 | js 0x16
// 4863442430 | dec eax
// 486bc010 | cwde
// 488d0de3380200 | dec eax
// 4803c8 | mov ecx, esi
// 488bc1 | dec eax
$sequence_65 = { 7460 488b442430 488b00 8b4028 488b4c2440 4803c8 488bc1 }
// n = 7, score = 100
// 7460 | cwde
// 488b442430 | inc ecx
// 488b00 | mov eax, 0x100f
// 8b4028 | dec eax
// 488b4c2440 | mov ecx, esi
// 4803c8 | dec eax
// 488bc1 | mov dword ptr [esp + 0x20], eax
$sequence_66 = { 4c8d052a200000 488b542428 488d4c2420 e8???????? 4889442430 ff542430 }
// n = 6, score = 100
// 4c8d052a200000 | mov dword ptr [esp + 0x20], eax
// 488b542428 | test eax, eax
// 488d4c2420 | inc ecx
// e8???????? |
// 4889442430 | mov eax, 0x100f
// ff542430 | dec eax
$sequence_67 = { 48894c2408 4883ec48 8b442458 89442424 48c744242800000000 41b800100200 }
// n = 6, score = 100
// 48894c2408 | mov eax, ebx
// 4883ec48 | dec eax
// 8b442458 | mov ecx, esi
// 89442424 | dec eax
// 48c744242800000000 | mov dword ptr [esp + 0x20], eax
// 41b800100200 | test eax, eax
$sequence_68 = { 0f848c000000 488b442430 83782000 7460 488b442430 }
// n = 5, score = 100
// 0f848c000000 | inc ecx
// 488b442430 | mov eax, 0x100f
// 83782000 | dec eax
// 7460 | mov ecx, esi
// 488b442430 | dec eax
$sequence_69 = { 4533c0 ba01000000 488b4c2440 ff9424a0000000 89842480000000 }
// n = 5, score = 100
// 4533c0 | dec eax
// ba01000000 | mov ecx, esi
// 488b4c2440 | dec eax
// ff9424a0000000 | mov dword ptr [esp + 0x20], eax
// 89842480000000 | test eax, eax
$sequence_70 = { 488b442430 488b00 83782800 0f848c000000 488b442430 }
// n = 5, score = 100
// 488b442430 | js 0x13
// 488b00 | dec eax
// 83782800 | cwde
// 0f848c000000 | inc ecx
// 488b442430 | mov eax, 0x100f
$sequence_71 = { 488d0de3380200 4803c8 488bc1 48634c2434 488d04c8 48634c2438 8b0488 }
// n = 7, score = 100
// 488d0de3380200 | cwde
// 4803c8 | dec eax
// 488bc1 | mov ecx, esi
// 48634c2434 | dec eax
// 488d04c8 | mov dword ptr [esp + 0x20], eax
// 48634c2438 | test eax, eax
// 8b0488 | js 0x13
condition:
7 of them and filesize < 2088960
}
Threat Analysis
This rule is catalogued in the general category; by its own description it detects the malware family win.bazarbackdoor (see the Malpedia reference in the rule metadata).
Severity Level: High
The rule matches 72 hex byte sequences ($sequence_0 through $sequence_71) selected from the disassembly of the family's code, with ?? wildcards standing in for call and jump targets and data references (signator_config "callsandjumps;datarefs;binvalue"). It fires when at least 7 of these sequences match in a file smaller than 2088960 bytes, as its condition states. Because the sequences were taken from memory dumps and unpacked files, as the embedded disclaimer notes, the rule is expected to match unpacked code and process memory rather than packed samples on disk, and the single-sample data source limits how well it generalizes.
Detection Capabilities
- File-based detection for executables and documents
- Memory scanning for running processes
- Network traffic analysis support
Command Line Usage
# Scan a single file
yara win_bazarbackdoor_auto.yar /path/to/suspicious/file
# Scan a directory recursively
yara -r win_bazarbackdoor_auto.yar /path/to/directory/
# Scan with metadata output (add -s to also print which $sequence_N strings matched)
yara -m win_bazarbackdoor_auto.yar target_file
# Scan the memory of a running process (Linux): pass the PID as the target;
# /proc/[pid]/exe would only scan the on-disk executable image, not process memory
yara win_bazarbackdoor_auto.yar <pid>
Integration Examples
Python (yara-python)
import yara

# Compile the rule file once; the compiled object can be reused for many scans.
rules = yara.compile(filepath='win_bazarbackdoor_auto.yar')
# match() returns a list of yara.Match objects, empty when the rule does not fire.
matches = rules.match('/path/to/file')
ClamAV Integration
# ClamAV loads .yar files as a signature database through -d/--database
# (clamscan has no --yara-rules option); ClamAV supports only a subset of YARA syntax
clamscan -d win_bazarbackdoor_auto.yar /path/to/scan
Rule Information
YARA ID: YARA-2024-1410
Repository: (not listed)
Created: August 19, 2025
Last Updated: August 19, 2025
Last Imported: Never
Threat Intelligence
Risk Level: High
Category: general
Detection Confidence: Analysis Pending
False Positive Rate: Not Available
Last Seen in Wild: No Data