win.disttrack

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY


There is no description at this point.

References
2022-09-26 — CrowdStrike — Ioan Iacob, Iulian Madalin Ionita
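@online{iacob:20220926:anatomy:248e6ff,
  author       = {Iacob, Ioan and Ionita, Iulian Madalin},
  title        = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}},
  date         = {2022-09-26},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/},
  language     = {English},
  urldate      = {2022-09-29},
}
The Anatomy of Wiper Malware, Part 3: Input/Output Controls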
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12 — CrowdStrike — Ioan Iacob, Iulian Madalin Ionita
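@online{iacob:20220812:anatomy:b13ce32,
  author       = {Iacob, Ioan and Ionita, Iulian Madalin},
  title        = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}},
  date         = {2022-08-12},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/},
  language     = {English},
  urldate      = {2023-01-19},
}
The Anatomy of Wiper Malware, Part 1: Common Techniques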
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28 — Fortinet — Gergely Revay
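@online{revay:20220428:overview:0ac963f,
  author       = {Revay, Gergely},
  title        = {{An Overview of the Increasing Wiper Malware Threat}},
  date         = {2022-04-28},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat},
  language     = {English},
  urldate      = {2022-04-29},
}
An Overview of the Increasing Wiper Malware Threat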
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-03-08 — Cylera — Cylera
@techreport{cylera:20220308:link:2b7c36f,
  author      = {Cylera},
  title       = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}},
  date        = {2022-03-08},
  institution = {Cylera},
  url         = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf},
  language    = {English},
  urldate     = {2022-03-10},
}
The link between Kwampirs (Orangeworm) and Shamoon APTs
DistTrack Kwampirs
2021-08-05 — Symantec — Threat Hunter Team
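@techreport{team:20210805:attacks:c2d7348,
  author      = {{Threat Hunter Team}},
  title       = {{Attacks Against Critical Infrastructure: A Global Concern}},
  date        = {2021-08-05},
  institution = {Symantec},
  url         = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf},
  language    = {English},
  urldate     = {2021-08-06},
}
Attacks Against Critical Infrastructure: A Global Concern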
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
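@techreport{center:20200213:report:146d333,
  author      = {{Qi Anxin Threat Intelligence Center}},
  title       = {{APT Report 2019}},
  date        = {2020-02-13},
  institution = {Qianxin},
  url         = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
  language    = {English},
  urldate     = {2020-02-27},
}
APT Report 2019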
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 — ZDNet — Catalin Cimpanu
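@online{cimpanu:20200210:fbi:1904430,
  author       = {Cimpanu, Catalin},
  title        = {{FBI warns about ongoing attacks against software supply chain companies}},
  date         = {2020-02-10},
  organization = {ZDNet},
  url          = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/},
  language     = {English},
  urldate      = {2020-02-11},
}
FBI warns about ongoing attacks against software supply chain companies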
DistTrack Kwampirs
2019-12-21 — MalwareInDepth — Myrtus 0x0
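@online{0x0:20191221:shamoon:eb1828b,
  author       = {{Myrtus 0x0}},
  title        = {{Shamoon 2012 Complete Analysis}},
  date         = {2019-12-21},
  organization = {MalwareInDepth},
  url          = {https://malwareindepth.com/shamoon-2012/},
  language     = {English},
  urldate      = {2020-01-12},
}
Shamoon 2012 Complete Analysis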
DistTrack
2018-12-14 — Symantec — Critical Attack Discovery and Intelligence Team
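@online{team:20181214:shamoon:1f24fa5,
  author       = {{Critical Attack Discovery and Intelligence Team}},
  title        = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}},
  date         = {2018-12-14},
  organization = {Symantec},
  url          = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail},
  language     = {English},
  urldate      = {2020-04-21},
}
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail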
DistTrack Filerase StoneDrill OilRig
2018-12-13 — Palo Alto Networks Unit 42 — Robert Falcone
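@online{falcone:20181213:shamoon:1623fe7,
  author       = {Falcone, Robert},
  title        = {{Shamoon 3 Targets Oil and Gas Organization}},
  date         = {2018-12-13},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/},
  language     = {English},
  urldate      = {2020-01-10},
}
Shamoon 3 Targets Oil and Gas Organization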
DistTrack
2017-03-26 — Palo Alto Networks Unit 42 — Robert Falcone, Bryan Lee
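@online{falcone:20170326:shamoon:8a62f1a,
  author       = {Falcone, Robert and Lee, Bryan},
  title        = {{Shamoon 2: Delivering Disttrack}},
  date         = {2017-03-26},
  organization = {Palo Alto Networks Unit 42},
  url          = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon 2: Delivering Disttrack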
DistTrack
2017-03-14 — FireEye — FireEye
@online{fireeye:20170314:mtrend:0ea7d30,
  author       = {FireEye},
  title        = {{M-Trend 2017: A View From the Front Lines}},
  date         = {2017-03-14},
  organization = {FireEye},
  url          = {https://content.fireeye.com/m-trends/rpt-m-trends-2017},
  language     = {English},
  urldate      = {2020-06-03},
}
M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27 — Symantec — A L Johnson
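@online{johnson:20170227:shamoon:0188f39,
  author       = {Johnson, A L},
  title        = {{Shamoon: Multi-staged destructive attacks limited to specific targets}},
  date         = {2017-02-27},
  organization = {Symantec},
  url          = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
  language     = {English},
  urldate      = {2020-04-21},
}
Shamoon: Multi-staged destructive attacks limited to specific targets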
DistTrack MimiKatz Rocket Kitten
2017-02-05 — VinRansomware — Gregory Paul, Shaunak
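@online{paul:20170205:detailed:3a65aaf,
  author       = {Paul, Gregory and Shaunak},
  title        = {{Detailed threat analysis of Shamoon 2.0 Malware}},
  date         = {2017-02-05},
  organization = {VinRansomware},
  url          = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware},
  language     = {English},
  urldate      = {2020-01-09},
}
Detailed threat analysis of Shamoon 2.0 Malware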
DistTrack
2017-01-23 — Symantec — Symantec Security Response
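@online{response:20170123:greenbug:a118a76,
  author       = {{Symantec Security Response}},
  title        = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}},
  date         = {2017-01-23},
  organization = {Symantec},
  url          = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon},
  language     = {English},
  urldate      = {2020-04-21},
}
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon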
DistTrack ISMDoor Greenbug
2017-01-23 — Symantec — Symantec Security Response
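@online{response:20170123:greenbug:96eab4c,
  author       = {{Symantec Security Response}},
  title        = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}},
  date         = {2017-01-23},
  organization = {Symantec},
  url          = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon},
  language     = {English},
  urldate      = {2020-01-13},
}
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon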
DistTrack ISMDoor Greenbug
2017-01-09 — Palo Alto Networks Unit 42 — Robert Falcone
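@online{falcone:20170109:second:2e36550,
  author       = {Falcone, Robert},
  title        = {{Second Wave of Shamoon 2 Attacks Identified}},
  date         = {2017-01-09},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/},
  language     = {English},
  urldate      = {2020-01-07},
}
Second Wave of Shamoon 2 Attacks Identified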
DistTrack
2016-12-03 — Coding and Security — Coding, Security
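@online{coding:20161203:sophisticated:af2cbb4,
  author       = {{Coding and Security}},
  title        = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}},
  date         = {2016-12-03},
  organization = {Coding and Security},
  url          = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis},
  language     = {English},
  urldate      = {2020-01-08},
}
"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis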
DistTrack
2016-11-30 — Palo Alto Networks Unit 42 — Robert Falcone
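@online{falcone:20161130:shamoon:6befcf1,
  author       = {Falcone, Robert},
  title        = {{Shamoon 2: Return of the Disttrack Wiper}},
  date         = {2016-11-30},
  organization = {Palo Alto Networks Unit 42},
  url          = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon 2: Return of the Disttrack Wiper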
DistTrack
2016-11-30 — Symantec — A L Johnson
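@online{johnson:20161130:shamoon:50feb7c,
  author       = {Johnson, A L},
  title        = {{Shamoon: Back from the dead and destructive as ever}},
  date         = {2016-11-30},
  organization = {Symantec},
  url          = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
  language     = {English},
  urldate      = {2020-04-21},
}
Shamoon: Back from the dead and destructive as ever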
DistTrack OilRig
2012-08-17 — Contagiodump Blog — Mila Parkour
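@online{parkour:20120817:shamoon:efffab1,
  author       = {Parkour, Mila},
  title        = {{Shamoon or DistTrack.A samples}},
  date         = {2012-08-17},
  organization = {Contagiodump Blog},
  url          = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon or DistTrack.A samples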
DistTrack
2012-08-16 — Symantec — Symantec Security Response
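@online{response:20120816:shamoon:8f8fe97,
  author       = {{Symantec Security Response}},
  title        = {{The Shamoon Attacks}},
  date         = {2012-08-16},
  organization = {Symantec},
  url          = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks},
  language     = {English},
  urldate      = {2020-04-21},
}
The Shamoon Attacks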
DistTrack OilRig
2012-08-16 — Kaspersky Labs — GReAT
@online{great:20120816:shamoon:143efb8,
  author       = {GReAT},
  title        = {{Shamoon the Wiper – Copycats at Work}},
  date         = {2012-08-16},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/shamoon-the-wiper-copycats-at-work/},
  language     = {English},
  urldate      = {2019-12-20},
}
Shamoon the Wiper – Copycats at Work
DistTrack
Yara Rules
[TLP:WHITE] win_disttrack_auto (20230407 | Detects win.disttrack.)
rule win_disttrack_auto {
    // Purpose: code-similarity heuristic for the DistTrack (aka Shamoon) wiper family.
    // The rule fires when at least 7 of the 26 opcode sequences below are present and
    // the scanned file is smaller than 1112064 bytes (about 1.06 MiB); see the
    // condition at the bottom. Sequences were machine-selected from a small sample set
    // (see DISCLAIMER), so a hit indicates shared code rather than a confirmed DistTrack
    // sample; corroborate (known hashes, sandbox behaviour) before acting on it.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of x86 opcode bytes; "??" wildcards operand bytes
    // (call/jump targets, absolute addresses) so the pattern survives relocation.
    // In the per-sequence comments, n is the instruction count; score is assigned
    // by yara-signator and its meaning is documented by that tool, not here.
    // NOTE(review): the mnemonic column in those comments does not appear to
    // describe the bytes on the same line (e.g. 0x53 is "push ebx", not "pop esi";
    // 0x5b is "pop ebx", not "ret"), so read the byte patterns, not the mnemonics.
    // Sequences starting with 0x48/0x49/0x4a/0x4c look like REX-prefixed 64-bit
    // code, i.e. the rule probably covers both 32- and 64-bit builds -- confirm.
    strings:
        $sequence_0 = { 53 ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 7, score = 200
            //   53                   | pop                 esi
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   5b                   | ret                 
            //   8bc7                 | push                0xc
            //   5f                   | push                0x16
            //   5e                   | pop                 eax

        $sequence_1 = { 6a16 58 5e 5d c3 6a0c }
            // n = 6, score = 200
            //   6a16                 | dec                 eax
            //   58                   | mov                 eax, edx
            //   5e                   | and                 edx, 0x1f
            //   5d                   | dec                 eax
            //   c3                   | sar                 eax, 5
            //   6a0c                 | dec                 eax

        $sequence_2 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? e8???????? }
            // n = 7, score = 200
            //   83c404               | pop                 esi
            //   50                   | pop                 ebp
            //   e8????????           |                     
            //   83c404               | ret                 
            //   68????????           |                     
            //   ff15????????         |                     
            //   e8????????           |                     

        $sequence_3 = { e8???????? 6a07 e8???????? 59 c3 6a10 68???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   6a07                 | dec                 esp
            //   e8????????           |                     
            //   59                   | mov                 ebx, edx
            //   c3                   | dec                 eax
            //   6a10                 | mov                 ecx, edi
            //   68????????           |                     

        $sequence_4 = { ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8d45dc               | pop                 esi
            //   50                   | pop                 ebp
            //   ff15????????         |                     
            //   8b4ddc               | ret                 

        $sequence_5 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | pop                 eax
            //   6a00                 | pop                 esi
            //   6a00                 | pop                 ebp
            //   6848000700           | ret                 

        $sequence_6 = { 48635004 488d0589470100 4889440ae8 488d0545460100 488901 }
            // n = 5, score = 100
            //   48635004             | mov                 ecx, ebp
            //   488d0589470100       | test                al, al
            //   4889440ae8           | jne                 0xe
            //   488d0545460100       | dec                 eax
            //   488901               | arpl                word ptr [eax + 4], dx

        $sequence_7 = { a1???????? 8b0d???????? 8917 8b15???????? }
            // n = 4, score = 100
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   8917                 | add                 esp, 4
            //   8b15????????         |                     

        $sequence_8 = { 8985b0feffff 8a4d82 888db4feffff 8d5580 52 b9???????? }
            // n = 6, score = 100
            //   8985b0feffff         | push                0x10
            //   8a4d82               | add                 esp, 4
            //   888db4feffff         | push                eax
            //   8d5580               | add                 esp, 4
            //   52                   | add                 esp, 4
            //   b9????????           |                     

        $sequence_9 = { 4a8d8c5de0090000 e8???????? 488d95e0090000 498bcd e8???????? 84c0 750c }
            // n = 7, score = 100
            //   4a8d8c5de0090000     | dec                 edx
            //   e8????????           |                     
            //   488d95e0090000       | lea                 ecx, [ebp + ebx*2 + 0x9e0]
            //   498bcd               | dec                 eax
            //   e8????????           |                     
            //   84c0                 | lea                 edx, [ebp + 0x9e0]
            //   750c                 | dec                 ecx

        $sequence_10 = { 6a00 8d442420 50 57 8d8c24f4000000 51 53 }
            // n = 7, score = 100
            //   6a00                 | push                0xc
            //   8d442420             | push                0x16
            //   50                   | pop                 eax
            //   57                   | pop                 esi
            //   8d8c24f4000000       | pop                 ebp
            //   51                   | ret                 
            //   53                   | push                0xc

        $sequence_11 = { 6a03 6a00 6a07 68000000c0 57 ff15???????? }
            // n = 6, score = 100
            //   6a03                 | jne                 0x20
            //   6a00                 | xor                 eax, eax
            //   6a07                 | jne                 0x15
            //   68000000c0           | mov                 dword ptr [ebp - 4], 0xffffffff
            //   57                   | mov                 eax, dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_12 = { c744244cbcc24100 c684249c00000000 c684249500000000 8954247c 89842480000000 895c2458 895c2468 }
            // n = 7, score = 100
            //   c744244cbcc24100     | push                0x10
            //   c684249c00000000     | jmp                 0xffffffb4
            //   c684249500000000     | push                0x16
            //   8954247c             | pop                 eax
            //   89842480000000       | pop                 esi
            //   895c2458             | pop                 ebp
            //   895c2468             | ret                 

        $sequence_13 = { 488bc6 488d15b06d0100 83e11f 48c1f805 486bc958 }
            // n = 5, score = 100
            //   488bc6               | lea                 eax, [0x122b0]
            //   488d15b06d0100       | dec                 esp
            //   83e11f               | cmp                 edx, eax
            //   48c1f805             | je                  0x13
            //   486bc958             | dec                 eax

        $sequence_14 = { 498bcb e8???????? 488d15d8670100 488bca e8???????? 488d0db1670100 }
            // n = 6, score = 100
            //   498bcb               | lea                 edx, [0x16db0]
            //   e8????????           |                     
            //   488d15d8670100       | and                 ecx, 0x1f
            //   488bca               | dec                 eax
            //   e8????????           |                     
            //   488d0db1670100       | sar                 eax, 5

        $sequence_15 = { 7511 488d05b0220100 4c3bd0 7405 }
            // n = 4, score = 100
            //   7511                 | dec                 eax
            //   488d05b0220100       | lea                 eax, [0x14789]
            //   4c3bd0               | dec                 eax
            //   7405                 | mov                 dword ptr [edx + ecx - 0x18], eax

        $sequence_16 = { 33c0 0fbe84c170ff4100 6a07 c1f804 59 8985a4fbffff }
            // n = 6, score = 100
            //   33c0                 | mov                 ecx, dword ptr [ebp - 0xc]
            //   0fbe84c170ff4100     | pop                 ebp
            //   6a07                 | pop                 ebx
            //   c1f804               | mov                 eax, edi
            //   59                   | pop                 edi
            //   8985a4fbffff         | pop                 esi

        $sequence_17 = { 488d0de0fa0000 488bc2 83e21f 48c1f805 486bd258 488b04c1 }
            // n = 6, score = 100
            //   488d0de0fa0000       | mov                 ebp, ecx
            //   488bc2               | dec                 eax
            //   83e21f               | test                ecx, ecx
            //   48c1f805             | je                  0x141
            //   486bd258             | dec                 eax
            //   488b04c1             | test                edx, edx

        $sequence_18 = { 51 89450c e8???????? 83c40c 037d0c c6043b00 5f }
            // n = 7, score = 100
            //   51                   | push                0xc
            //   89450c               | pop                 eax
            //   e8????????           |                     
            //   83c40c               | pop                 esi
            //   037d0c               | pop                 ebp
            //   c6043b00             | ret                 
            //   5f                   | push                0xc

        $sequence_19 = { d436 d836 dc36 2637 2c37 3037 3437 }
            // n = 7, score = 100
            //   d436                 | push                7
            //   d836                 | pop                 ecx
            //   dc36                 | ret                 
            //   2637                 | push                0x10
            //   2c37                 | push                edi
            //   3037                 | push                7
            //   3437                 | pop                 ecx

        $sequence_20 = { 488d3d676a0100 4c8bda 488bcf e8???????? 488bd7 498bca 448d0400 }
            // n = 7, score = 100
            //   488d3d676a0100       | je                  0x141
            //   4c8bda               | dec                 ebp
            //   488bcf               | test                eax, eax
            //   e8????????           |                     
            //   488bd7               | dec                 eax
            //   498bca               | mov                 eax, esi
            //   448d0400             | dec                 eax

        $sequence_21 = { 8d9530ffffff 0f95c0 52 8845ec e8???????? 8b0d???????? b330 }
            // n = 7, score = 100
            //   8d9530ffffff         | push                eax
            //   0f95c0               | add                 esp, 4
            //   52                   | push                ebx
            //   8845ec               | pop                 ebp
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   b330                 | pop                 ebx

        $sequence_22 = { 68???????? 8d4de4 51 c745e408924100 e8???????? }
            // n = 5, score = 100
            //   68????????           |                     
            //   8d4de4               | push                7
            //   51                   | pop                 ecx
            //   c745e408924100       | ret                 
            //   e8????????           |                     

        $sequence_23 = { 33c0 5d c3 8b04c57caa4100 5d c3 }
            // n = 6, score = 100
            //   33c0                 | ret                 
            //   5d                   | push                0x10
            //   c3                   | pop                 eax
            //   8b04c57caa4100       | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_24 = { 488be9 4885c9 0f843b010000 4885d2 0f8432010000 4d85c0 }
            // n = 6, score = 100
            //   488be9               | dec                 eax
            //   4885c9               | lea                 eax, [0x14645]
            //   0f843b010000         | dec                 eax
            //   4885d2               | mov                 dword ptr [ecx], eax
            //   0f8432010000         | jne                 0x13
            //   4d85c0               | dec                 eax

        $sequence_25 = { 8d45ec 50 8b4d08 e8???????? 8b4508 8be5 }
            // n = 6, score = 100
            //   8d45ec               | push                0xc
            //   50                   | push                edi
            //   8b4d08               | push                7
            //   e8????????           |                     
            //   8b4508               | pop                 ecx
            //   8be5                 | ret                 

    // 7-of-26 threshold plus a size cap: a file of 1112064 bytes or more will not
    // match even if every sequence is present. Lowering the threshold raises recall
    // at the cost of false positives on unrelated code sharing compiler idioms.
    condition:
        7 of them and filesize < 1112064
}