SYMBOLCOMMON_NAMEaka. SYNONYMS
win.disttrack (Back to overview)

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY

There is no description at this point.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-03-08CyleraCylera
@techreport{cylera:20220308:link:2b7c36f, author = {Cylera}, title = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}}, date = {2022-03-08}, institution = {Cylera}, url = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf}, language = {English}, urldate = {2022-03-10} } The link between Kwampirs (Orangeworm) and Shamoon APTs
DistTrack Kwampirs
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10ZDNetCatalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21MalwareInDepthMyrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14FireEyeFireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05VinRansomwareGregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03Coding and SecurityCoding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17Contagiodump BlogMila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
2012-08-16Kaspersky LabsGReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
Yara Rules
[TLP:WHITE] win_disttrack_auto (20220808 | Detects win.disttrack.)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 58 5e 5d c3 6a0c 68???????? e8???????? }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a0c                 | push                0xc
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_1 = { e8???????? 83c404 50 e8???????? 83c404 68???????? ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | cmp                 eax, ecx
            //   50                   | imul                edx, edx, 0x3e8
            //   e8????????           |                     
            //   83c404               | dec                 eax
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_2 = { ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5d                   | mov                 eax, dword ptr [ebp - 0x50]
            //   5b                   | dec                 eax
            //   8bc7                 | mov                 dword ptr [eax], edx
            //   5f                   | dec                 eax
            //   5e                   | mov                 eax, dword ptr [ebp - 0x50]

        $sequence_3 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | mov                 ebx, ecx
            //   6a00                 | dec                 eax
            //   6a00                 | test                eax, eax
            //   6848000700           | je                  0x7e

        $sequence_4 = { e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_5 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 6, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d45dc               | dec                 eax
            //   50                   | lea                 ecx, [0x125e7]
            //   ff15????????         |                     
            //   8b4ddc               | dec                 eax

        $sequence_6 = { c3 8bff 56 57 33ff ffb740004200 }
            // n = 6, score = 100
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   ffb740004200         | push                dword ptr [edi + 0x420040]

        $sequence_7 = { 8a80446c4200 08443b1d 0fb64601 47 }
            // n = 4, score = 100
            //   8a80446c4200         | dec                 eax
            //   08443b1d             | mov                 eax, dword ptr [esp + 0x28]
            //   0fb64601             | dec                 eax
            //   47                   | mov                 ecx, dword ptr [esp + 0x40]

        $sequence_8 = { 8d3c8540174200 8b07 c1e606 8a4c3004 }
            // n = 4, score = 100
            //   8d3c8540174200       | lea                 edi, [eax*4 + 0x421740]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   c1e606               | shl                 esi, 6
            //   8a4c3004             | mov                 cl, byte ptr [eax + esi + 4]

        $sequence_9 = { 83c802 395938 751e 83c804 eb19 8b542434 8b4a04 }
            // n = 7, score = 100
            //   83c802               | or                  eax, 2
            //   395938               | cmp                 dword ptr [ecx + 0x38], ebx
            //   751e                 | jne                 0x20
            //   83c804               | or                  eax, 4
            //   eb19                 | jmp                 0x1b
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]

        $sequence_10 = { 395938 7503 83c804 83e017 89410c 854110 740d }
            // n = 7, score = 100
            //   395938               | lea                 eax, [ebp - 0x24]
            //   7503                 | push                eax
            //   83c804               | mov                 ecx, dword ptr [ebp - 0x24]
            //   83e017               | add                 esp, 4
            //   89410c               | push                eax
            //   854110               | add                 esp, 4
            //   740d                 | pop                 ebp

        $sequence_11 = { 83f908 7229 f3a5 ff249560474100 }
            // n = 4, score = 100
            //   83f908               | pop                 ebp
            //   7229                 | pop                 ebx
            //   f3a5                 | mov                 eax, edi
            //   ff249560474100       | pop                 edi

        $sequence_12 = { 744f 8b542414 52 68???????? 68???????? }
            // n = 5, score = 100
            //   744f                 | je                  0x51
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   52                   | push                edx
            //   68????????           |                     
            //   68????????           |                     

        $sequence_13 = { 488bd9 4885c0 7479 488d0de7250100 483bc1 }
            // n = 5, score = 100
            //   488bd9               | add                 eax, eax
            //   4885c0               | mov                 edx, eax
            //   7479                 | dec                 eax
            //   488d0de7250100       | lea                 ecx, [esp + edx*2 + 0x40]
            //   483bc1               | dec                 eax

        $sequence_14 = { 84c0 750c 498bcc e8???????? 32c0 }
            // n = 5, score = 100
            //   84c0                 | dec                 eax
            //   750c                 | cmp                 dword ptr [esp + 0x58], ecx
            //   498bcc               | je                  0x3c
            //   e8????????           |                     
            //   32c0                 | dec                 eax

        $sequence_15 = { 8b442450 46891cb7 894704 e9???????? 488d0d957d0100 48394c2458 7427 }
            // n = 7, score = 100
            //   8b442450             | dec                 eax
            //   46891cb7             | lea                 ecx, [0x19b16]
            //   894704               | dec                 eax
            //   e9????????           |                     
            //   488d0d957d0100       | mov                 edx, ecx
            //   48394c2458           | dec                 esp
            //   7427                 | lea                 eax, [0x1c3ec]

        $sequence_16 = { 83c40c 81c600040000 4f 75e4 }
            // n = 4, score = 100
            //   83c40c               | push                edx
            //   81c600040000         | push                0
            //   4f                   | push                0
            //   75e4                 | push                0x70048

        $sequence_17 = { 6a02 8b4518 50 8b4d10 51 }
            // n = 5, score = 100
            //   6a02                 | push                7
            //   8b4518               | pop                 ecx
            //   50                   | ret                 
            //   8b4d10               | push                0x10
            //   51                   | push                ebx

        $sequence_18 = { 488b4308 488d4c2430 48899cc2d03a0200 488b4308 fe8402203b0200 e8???????? }
            // n = 6, score = 100
            //   488b4308             | dec                 eax
            //   488d4c2430           | lea                 edx, [esp + 0xa0]
            //   48899cc2d03a0200     | dec                 eax
            //   488b4308             | lea                 ecx, [esp + 0x30]
            //   fe8402203b0200       | inc                 ecx
            //   e8????????           |                     

        $sequence_19 = { 486bd258 490314c8 488d0d1f9b0100 eb11 488d0d169b0100 488bd1 4c8d05ecc30100 }
            // n = 7, score = 100
            //   486bd258             | dec                 eax
            //   490314c8             | imul                edx, edx, 0x58
            //   488d0d1f9b0100       | dec                 ecx
            //   eb11                 | add                 edx, dword ptr [eax + ecx*8]
            //   488d0d169b0100       | dec                 eax
            //   488bd1               | lea                 ecx, [0x19b1f]
            //   4c8d05ecc30100       | jmp                 0x13

        $sequence_20 = { 488bcf 448bc0 4d03c0 e8???????? 8bd0 488d4c5440 488bd3 }
            // n = 7, score = 100
            //   488bcf               | mov                 eax, dword ptr [esp + 0x50]
            //   448bc0               | inc                 esi
            //   4d03c0               | mov                 dword ptr [edi + esi*4], ebx
            //   e8????????           |                     
            //   8bd0                 | mov                 dword ptr [edi + 4], eax
            //   488d4c5440           | dec                 eax
            //   488bd3               | lea                 ecx, [0x17d95]

        $sequence_21 = { 488d9424a0000000 488d4c2430 41b9ff000000 41b832000000 e8???????? }
            // n = 5, score = 100
            //   488d9424a0000000     | mov                 ecx, edi
            //   488d4c2430           | inc                 esp
            //   41b9ff000000         | mov                 eax, eax
            //   41b832000000         | dec                 ebp
            //   e8????????           |                     

        $sequence_22 = { 69d2e8030000 488b45b0 488910 488b45b0 c6400d10 488b45b0 }
            // n = 6, score = 100
            //   69d2e8030000         | mov                 edx, ebx
            //   488b45b0             | test                al, al
            //   488910               | jne                 0xe
            //   488b45b0             | dec                 ecx
            //   c6400d10             | mov                 ecx, esp
            //   488b45b0             | xor                 al, al

        $sequence_23 = { 8bd0 83e01f c1fa05 8b149540174200 c1e006 8d440224 }
            // n = 6, score = 100
            //   8bd0                 | mov                 edx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1fa05               | sar                 edx, 5
            //   8b149540174200       | mov                 edx, dword ptr [edx*4 + 0x421740]
            //   c1e006               | shl                 eax, 6
            //   8d440224             | lea                 eax, [edx + eax + 0x24]

        $sequence_24 = { 8945ec 3bf3 7508 32c0 5f 5b 8be5 }
            // n = 7, score = 100
            //   8945ec               | pop                 ebx
            //   3bf3                 | mov                 eax, edi
            //   7508                 | pop                 edi
            //   32c0                 | pop                 esi
            //   5f                   | push                ebx
            //   5b                   | pop                 ebp
            //   8be5                 | pop                 ebx

        $sequence_25 = { 83f903 7c62 8b4708 8d5002 668b08 }
            // n = 5, score = 100
            //   83f903               | cmp                 ecx, 3
            //   7c62                 | jl                  0x64
            //   8b4708               | mov                 eax, dword ptr [edi + 8]
            //   8d5002               | lea                 edx, [eax + 2]
            //   668b08               | mov                 cx, word ptr [eax]

    condition:
        7 of them and filesize < 1112064
}
Download all Yara Rules