SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bankshot (Back to overview)

Bankshot

aka: COPPERHEDGE

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-08-19US-CERTUS-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-06-23ReversingLabsKarlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-05-12US-CERTUS-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2017-12-13US-CERTUS-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
Yara Rules
[TLP:WHITE] win_bankshot_auto (20211008 | Detects win.bankshot.)
rule win_bankshot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.bankshot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 }
            // n = 7, score = 300
            //   8bf8                 | mov                 edi, eax
            //   8d5101               | lea                 edx, dword ptr [ecx + 1]
            //   8a01                 | mov                 al, byte ptr [ecx]
            //   41                   | inc                 ecx
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   57                   | push                edi

        $sequence_1 = { 55 8bec 81ec48040000 a1???????? 33c5 8945f8 53 }
            // n = 7, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   81ec48040000         | sub                 esp, 0x448
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   53                   | push                ebx

        $sequence_2 = { 51 50 6a00 68e9fd0000 ffd3 }
            // n = 5, score = 300
            //   51                   | push                ecx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68e9fd0000           | push                0xfde9
            //   ffd3                 | call                ebx

        $sequence_3 = { 74a6 83fe04 7c13 33c0 5f 5e 5b }
            // n = 7, score = 200
            //   74a6                 | xor                 eax, ebp
            //   83fe04               | mov                 dword ptr [ebp - 8], eax
            //   7c13                 | push                ebx
            //   33c0                 | mov                 ebp, esp
            //   5f                   | sub                 esp, 0x448
            //   5e                   | xor                 eax, ebp
            //   5b                   | mov                 dword ptr [ebp - 8], eax

        $sequence_4 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c700????????         |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   898850030000         | mov                 dword ptr [eax + 0x350], ecx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   59                   | pop                 ecx
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8

        $sequence_5 = { 83c40c e8???????? 99 b907000000 }
            // n = 4, score = 200
            //   83c40c               | dec                 esp
            //   e8????????           |                     
            //   99                   | mov                 ebx, dword ptr [esp + 0x4c]
            //   b907000000           | dec                 eax

        $sequence_6 = { 894de4 3998c0e10110 0f84ea000000 41 83c030 894de4 3df0000000 }
            // n = 7, score = 200
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   3998c0e10110         | cmp                 dword ptr [eax + 0x1001e1c0], ebx
            //   0f84ea000000         | je                  0xf0
            //   41                   | inc                 ecx
            //   83c030               | add                 eax, 0x30
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   3df0000000           | cmp                 eax, 0xf0

        $sequence_7 = { 8b45fc 817848b8e40110 7409 ff7048 e8???????? }
            // n = 5, score = 200
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   817848b8e40110       | cmp                 dword ptr [eax + 0x48], 0x1001e4b8
            //   7409                 | je                  0xb
            //   ff7048               | push                dword ptr [eax + 0x48]
            //   e8????????           |                     

        $sequence_8 = { 83faff 7474 33c0 85d2 7e6e }
            // n = 5, score = 200
            //   83faff               | mov                 dword ptr [ebp - 8], eax
            //   7474                 | push                ebx
            //   33c0                 | mov                 edi, eax
            //   85d2                 | lea                 edx, dword ptr [ecx + 1]
            //   7e6e                 | mov                 al, byte ptr [ecx]

        $sequence_9 = { 50 e8???????? 83c40c 8d8500b9ffff 33ff 6828050000 }
            // n = 6, score = 200
            //   50                   | push                ebx
            //   e8????????           |                     
            //   83c40c               | je                  0xf
            //   8d8500b9ffff         | push                eax
            //   33ff                 | call                edi
            //   6828050000           | mov                 dword ptr [ebp - 0x4540], 0

        $sequence_10 = { 8b7510 8bda 894dfc 57 8b7d0c 85f6 785b }
            // n = 7, score = 200
            //   8b7510               | push                eax
            //   8bda                 | push                0
            //   894dfc               | push                0xfde9
            //   57                   | call                ebx
            //   8b7d0c               | push                ebp
            //   85f6                 | mov                 ebp, esp
            //   785b                 | sub                 esp, 0x448

        $sequence_11 = { 740d 50 ffd7 c785c0baffff00000000 8b85bcbaffff 85c0 7403 }
            // n = 7, score = 200
            //   740d                 | lea                 edx, dword ptr [esp + 0x10]
            //   50                   | mov                 esi, eax
            //   ffd7                 | push                ecx
            //   c785c0baffff00000000     | lea    edx, dword ptr [esp + 0x28c]
            //   8b85bcbaffff         | add                 esi, eax
            //   85c0                 | sub                 esp, 0x448
            //   7403                 | xor                 eax, ebp

        $sequence_12 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 }
            // n = 7, score = 200
            //   c74048b8e40110       | mov                 dword ptr [eax + 0x48], 0x1001e4b8
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   6689486c             | mov                 word ptr [eax + 0x6c], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   66898872010000       | mov                 word ptr [eax + 0x172], cx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83a04c03000000       | and                 dword ptr [eax + 0x34c], 0

        $sequence_13 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6b45e430             | imul                eax, dword ptr [ebp - 0x1c], 0x30
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8d80d0e10110         | lea                 eax, dword ptr [eax + 0x1001e1d0]

        $sequence_14 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   89861c020000         | mov                 dword ptr [esi + 0x21c], eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8d4e0c               | lea                 ecx, dword ptr [esi + 0xc]
            //   6a06                 | push                6
            //   8d90c4e10110         | lea                 edx, dword ptr [eax + 0x1001e1c4]

        $sequence_15 = { 81fa00010000 7313 8a87bce10110 08441619 42 }
            // n = 5, score = 200
            //   81fa00010000         | cmp                 edx, 0x100
            //   7313                 | jae                 0x15
            //   8a87bce10110         | mov                 al, byte ptr [edi + 0x1001e1bc]
            //   08441619             | or                  byte ptr [esi + edx + 0x19], al
            //   42                   | inc                 edx

        $sequence_16 = { 57 33ff 8bcf 8bc7 894de4 3998c0e10110 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8bcf                 | mov                 ecx, edi
            //   8bc7                 | mov                 eax, edi
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   3998c0e10110         | cmp                 dword ptr [eax + 0x1001e1c0], ebx

        $sequence_17 = { 6800020000 6a40 ff15???????? 8bbc2478020000 8bac2474020000 8bb42470020000 }
            // n = 6, score = 100
            //   6800020000           | nop                 dword ptr [eax + eax]
            //   6a40                 | inc                 ecx
            //   ff15????????         |                     
            //   8bbc2478020000       | mov                 eax, dword ptr [ecx]
            //   8bac2474020000       | inc                 ecx
            //   8bb42470020000       | mov                 ecx, dword ptr [ecx - 8]

        $sequence_18 = { 33c0 488b8d70440000 4833cc e8???????? 4881c488450000 415f 415c }
            // n = 7, score = 100
            //   33c0                 | cmp                 eax, -1
            //   488b8d70440000       | mov                 ecx, 0x40
            //   4833cc               | dec                 ebp
            //   e8????????           |                     
            //   4881c488450000       | mov                 esi, eax
            //   415f                 | dec                 eax
            //   415c                 | lea                 edx, dword ptr [esp + 0x30]

        $sequence_19 = { ba00000080 458d4103 488d0da9970000 ff15???????? 488bf8 4883f8ff }
            // n = 6, score = 100
            //   ba00000080           | mov                 ecx, ebx
            //   458d4103             | dec                 eax
            //   488d0da9970000       | lea                 edx, dword ptr [0xfb72]
            //   ff15????????         |                     
            //   488bf8               | mov                 edx, 0x80000000
            //   4883f8ff             | inc                 ebp

        $sequence_20 = { c644243229 c644243376 c644243470 c6442435a9 }
            // n = 4, score = 100
            //   c644243229           | dec                 eax
            //   c644243376           | lea                 esi, dword ptr [esp + 0x5c]
            //   c644243470           | dec                 eax
            //   c6442435a9           | lea                 edi, dword ptr [0xdc61]

        $sequence_21 = { 4983c110 0f1f440000 418b01 418b49f8 3bc1 0f4fc8 41030a }
            // n = 7, score = 100
            //   4983c110             | inc                 ecx
            //   0f1f440000           | pop                 edi
            //   418b01               | inc                 ecx
            //   418b49f8             | pop                 esp
            //   3bc1                 | dec                 eax
            //   0f4fc8               | lea                 edx, dword ptr [0x893f]
            //   41030a               | dec                 eax

        $sequence_22 = { 50 ff730c ff55d4 85c0 0f8419010000 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff730c               | push                dword ptr [ebx + 0xc]
            //   ff55d4               | call                dword ptr [ebp - 0x2c]
            //   85c0                 | test                eax, eax
            //   0f8419010000         | je                  0x11f

        $sequence_23 = { 488d153f890000 488bc8 891d???????? c705????????01000000 48893d???????? ff15???????? b9d0070000 }
            // n = 7, score = 100
            //   488d153f890000       | dec                 eax
            //   488bc8               | mov                 ecx, edi
            //   891d????????         |                     
            //   c705????????01000000     |     
            //   48893d????????       |                     
            //   ff15????????         |                     
            //   b9d0070000           | dec                 eax

        $sequence_24 = { eb23 6a00 6a00 6a00 6a01 8b85f8f3ffff }
            // n = 6, score = 100
            //   eb23                 | movzx               eax, byte ptr [ebp - 0x437]
            //   6a00                 | push                eax
            //   6a00                 | movzx               eax, byte ptr [ebp - 0x438]
            //   6a00                 | push                eax
            //   6a01                 | add                 esp, 0xc
            //   8b85f8f3ffff         | cdq                 

        $sequence_25 = { c685f8fcffff00 68ff010000 6a00 8d95f9fcffff }
            // n = 4, score = 100
            //   c685f8fcffff00       | cdq                 
            //   68ff010000           | mov                 ecx, 7
            //   6a00                 | add                 esp, 0xc
            //   8d95f9fcffff         | cdq                 

        $sequence_26 = { 48897c2420 4154 4883ec20 4c8b511c 4d8be0 }
            // n = 5, score = 100
            //   48897c2420           | mov                 ecx, dword ptr [ebp + 0x4470]
            //   4154                 | dec                 eax
            //   4883ec20             | xor                 ecx, esp
            //   4c8b511c             | dec                 eax
            //   4d8be0               | add                 esp, 0x4588

        $sequence_27 = { 2bf2 8b4dd8 8910 b800000000 0f4485bcfbffff }
            // n = 5, score = 100
            //   2bf2                 | sub                 esi, edx
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   8910                 | mov                 dword ptr [eax], edx
            //   b800000000           | mov                 eax, 0
            //   0f4485bcfbffff       | cmove               eax, dword ptr [ebp - 0x444]

        $sequence_28 = { 0f849e000000 8b6c2428 8b15???????? a1???????? 6a01 }
            // n = 5, score = 100
            //   0f849e000000         | cdq                 
            //   8b6c2428             | mov                 ecx, 7
            //   8b15????????         |                     
            //   a1????????           |                     
            //   6a01                 | idiv                ecx

        $sequence_29 = { 89542424 8d4641 8d4c2408 50 51 8d942478020000 68???????? }
            // n = 7, score = 100
            //   89542424             | cmp                 eax, ecx
            //   8d4641               | cmovg               ecx, eax
            //   8d4c2408             | inc                 ecx
            //   50                   | add                 ecx, dword ptr [edx]
            //   51                   | test                byte ptr [esp + 0x30], 0x10
            //   8d942478020000       | je                  0xa9
            //   68????????           |                     

        $sequence_30 = { 488d542420 488bcb ff15???????? 488d1572fb0000 }
            // n = 4, score = 100
            //   488d542420           | dec                 eax
            //   488bcb               | lea                 edx, dword ptr [esp + 0x20]
            //   ff15????????         |                     
            //   488d1572fb0000       | dec                 eax

        $sequence_31 = { 50 8b4d0c 83c101 51 e8???????? 83c408 }
            // n = 6, score = 100
            //   50                   | add                 esp, 0xc
            //   8b4d0c               | lea                 eax, dword ptr [ebp - 0x4700]
            //   83c101               | xor                 edi, edi
            //   51                   | push                0x528
            //   e8????????           |                     
            //   83c408               | push                eax

        $sequence_32 = { 51 ff15???????? 6a01 6a06 }
            // n = 4, score = 100
            //   51                   | mov                 ecx, 7
            //   ff15????????         |                     
            //   6a01                 | idiv                ecx
            //   6a06                 | add                 ecx, 0x580

        $sequence_33 = { b940000000 4d8bf0 ff15???????? 488d542430 488bcf 488be8 33db }
            // n = 7, score = 100
            //   b940000000           | lea                 eax, dword ptr [ecx + 3]
            //   4d8bf0               | dec                 eax
            //   ff15????????         |                     
            //   488d542430           | lea                 ecx, dword ptr [0x97a9]
            //   488bcf               | dec                 eax
            //   488be8               | mov                 edi, eax
            //   33db                 | dec                 eax

        $sequence_34 = { e9???????? 33d2 41b800010000 488d0d69980000 e8???????? 4c8b5c244c 4c891d???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   33d2                 | mov                 ebp, eax
            //   41b800010000         | xor                 ebx, ebx
            //   488d0d69980000       | xor                 eax, eax
            //   e8????????           |                     
            //   4c8b5c244c           | dec                 eax
            //   4c891d????????       |                     

        $sequence_35 = { 81c180050000 51 ff15???????? 8b95f8f3ffff 894204 eb23 }
            // n = 6, score = 100
            //   81c180050000         | js                  0x68
            //   51                   | je                  0xffffffa8
            //   ff15????????         |                     
            //   8b95f8f3ffff         | cmp                 esi, 4
            //   894204               | jl                  0x18
            //   eb23                 | xor                 eax, eax

        $sequence_36 = { 8b95acf7ffff 52 ff15???????? 89859cf7ffff c78574f7ffff00000000 }
            // n = 5, score = 100
            //   8b95acf7ffff         | pop                 edi
            //   52                   | pop                 esi
            //   ff15????????         |                     
            //   89859cf7ffff         | pop                 ebx
            //   c78574f7ffff00000000     | push    eax

        $sequence_37 = { e8???????? e9???????? 8b542408 8d8424a0000000 50 8bcf e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d8424a0000000       | lea                 eax, dword ptr [esp + 0xa0]
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_38 = { c745dce3ce4000 8b4518 8945e0 8b450c }
            // n = 4, score = 100
            //   c745dce3ce4000       | add                 esp, 0xc
            //   8b4518               | cdq                 
            //   8945e0               | mov                 ecx, 7
            //   8b450c               | idiv                ecx

        $sequence_39 = { 43 eb0a 3c08 0f8480000000 33db 3bfe 7535 }
            // n = 7, score = 100
            //   43                   | mov                 ecx, 2
            //   eb0a                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]
            //   3c08                 | je                  0xc9
            //   0f8480000000         | add                 esp, 0xc
            //   33db                 | cdq                 
            //   3bfe                 | mov                 ecx, 7
            //   7535                 | add                 esp, 0xc

        $sequence_40 = { 80bdabfbffff00 75e2 8b8da0fbffff 2b8d7cfbffff 8b957cfbffff 899570fbffff }
            // n = 6, score = 100
            //   80bdabfbffff00       | mov                 ecx, 7
            //   75e2                 | add                 esp, 0xc
            //   8b8da0fbffff         | cdq                 
            //   2b8d7cfbffff         | mov                 ecx, 7
            //   8b957cfbffff         | idiv                ecx
            //   899570fbffff         | add                 esp, 0xc

        $sequence_41 = { 744e 6a64 c785b8fbffff01000000 ff9550f7ffff }
            // n = 4, score = 100
            //   744e                 | je                  0x50
            //   6a64                 | push                0x64
            //   c785b8fbffff01000000     | mov    dword ptr [ebp - 0x448], 1
            //   ff9550f7ffff         | call                dword ptr [ebp - 0x8b0]

        $sequence_42 = { 6a00 e8???????? 83c404 8d4c2420 51 ff15???????? 8d542410 }
            // n = 7, score = 100
            //   6a00                 | add                 esp, 0xc
            //   e8????????           |                     
            //   83c404               | cdq                 
            //   8d4c2420             | mov                 ecx, 7
            //   51                   | push                0x200
            //   ff15????????         |                     
            //   8d542410             | push                0x40

        $sequence_43 = { ff15???????? 68???????? 53 8945dc ff15???????? 68???????? 53 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   68????????           |                     
            //   53                   | push                ebx
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   ff15????????         |                     
            //   68????????           |                     
            //   53                   | push                ebx

    condition:
        7 of them and filesize < 860160
}
Download all Yara Rules