SYMBOLCOMMON_NAMEaka. SYNONYMS
win.disttrack (Back to overview)

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY

There is no description at this point.

References
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-03-08CyleraCylera
@techreport{cylera:20220308:link:2b7c36f, author = {Cylera}, title = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}}, date = {2022-03-08}, institution = {Cylera}, url = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf}, language = {English}, urldate = {2022-03-10} } The link between Kwampirs (Orangeworm) and Shamoon APTs
DistTrack Kwampirs
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10ZDNetCatalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21MalwareInDepthMyrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26Palo Alto Networks Unit 42Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14FireEyeFireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27SymantecA L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05VinRansomwareGregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23SymantecSymantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03Coding and SecurityCoding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30Palo Alto Networks Unit 42Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30SymantecA L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17Contagiodump BlogMila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16SymantecSymantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
2012-08-16Kaspersky LabsGReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
Yara Rules
[TLP:WHITE] win_disttrack_auto (20230808 | Detects win.disttrack.)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | xor                 ecx, ecx
            //   6a00                 | mov                 dword ptr [esp + 0x28], 0x8000000
            //   6a00                 | mov                 dword ptr [esp + 0x20], ebx
            //   6848000700           | test                eax, eax

        $sequence_1 = { ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5d                   | dec                 eax
            //   5b                   | arpl                word ptr [eax + 4], cx
            //   8bc7                 | dec                 eax
            //   5f                   | lea                 eax, [0x127b0]
            //   5e                   | dec                 eax

        $sequence_2 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 6, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d45dc               | jle                 0x68
            //   50                   | dec                 eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 eax, dword ptr [esi]

        $sequence_3 = { e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_4 = { e8???????? 83c404 50 e8???????? 83c404 68???????? ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | xor                 eax, eax
            //   50                   | dec                 ecx
            //   e8????????           |                     
            //   83c404               | mov                 edx, esp
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_5 = { 488bc8 e8???????? ebd1 498b94dca0940100 }
            // n = 4, score = 100
            //   488bc8               | and                 dword ptr [ebx + 8], 0
            //   e8????????           |                     
            //   ebd1                 | dec                 eax
            //   498b94dca0940100     | lea                 eax, [0x145cf]

        $sequence_6 = { 41bd08000000 4180fdfe 760d 488d0d392e0100 e8???????? }
            // n = 5, score = 100
            //   41bd08000000         | test                eax, eax
            //   4180fdfe             | jne                 0x27
            //   760d                 | mov                 esi, 1
            //   488d0d392e0100       | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { 7442 488d157a840000 488bcf e8???????? 85c0 7525 }
            // n = 6, score = 100
            //   7442                 | dec                 eax
            //   488d157a840000       | lea                 ecx, [0x14ac7]
            //   488bcf               | jne                 0x19
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7525                 | lea                 ecx, [0x14ab1]

        $sequence_8 = { 895c2440 895c2444 899c24d8000000 899c24b0000000 899c24b8000000 }
            // n = 5, score = 100
            //   895c2440             | mov                 dword ptr [esp + 0x40], ebx
            //   895c2444             | mov                 dword ptr [esp + 0x44], ebx
            //   899c24d8000000       | mov                 dword ptr [esp + 0xd8], ebx
            //   899c24b0000000       | mov                 dword ptr [esp + 0xb0], ebx
            //   899c24b8000000       | mov                 dword ptr [esp + 0xb8], ebx

        $sequence_9 = { 884c30ff 3bf3 72e6 8b75ec 6a00 }
            // n = 5, score = 100
            //   884c30ff             | pop                 edi
            //   3bf3                 | pop                 esi
            //   72e6                 | lea                 eax, [ebp - 0x24]
            //   8b75ec               | push                eax
            //   6a00                 | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_10 = { c3 8b04cd44ec4200 5d c3 0544ffffff }
            // n = 5, score = 100
            //   c3                   | mov                 eax, edi
            //   8b04cd44ec4200       | pop                 edi
            //   5d                   | pop                 esi
            //   c3                   | add                 esp, 4
            //   0544ffffff           | push                eax

        $sequence_11 = { 57 4883ec20 488d0dc74a0100 e8???????? 48833d????????00 7510 488d0db14a0100 }
            // n = 7, score = 100
            //   57                   | inc                 edx
            //   4883ec20             | jmp                 0xffffffe3
            //   488d0dc74a0100       | push                edi
            //   e8????????           |                     
            //   48833d????????00     |                     
            //   7510                 | dec                 eax
            //   488d0db14a0100       | sub                 esp, 0x20

        $sequence_12 = { 0fb7da 6683fa30 0f862b010000 8b44241c 33c9 66894c4422 66895c4420 }
            // n = 7, score = 100
            //   0fb7da               | mov                 eax, edi
            //   6683fa30             | pop                 edi
            //   0f862b010000         | pop                 esi
            //   8b44241c             | push                ebx
            //   33c9                 | pop                 ebp
            //   66894c4422           | pop                 ebx
            //   66895c4420           | mov                 eax, edi

        $sequence_13 = { 885df3 8b4104 80781900 8bf9 7514 38580c }
            // n = 6, score = 100
            //   885df3               | add                 esp, 4
            //   8b4104               | push                eax
            //   80781900             | add                 esp, 4
            //   8bf9                 | add                 esp, 4
            //   7514                 | push                eax
            //   38580c               | add                 esp, 4

        $sequence_14 = { c7450800000000 e8???????? 68???????? 8d4df4 51 c745f46c924100 }
            // n = 6, score = 100
            //   c7450800000000       | mov                 dword ptr [ebp + 8], 0
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   c745f46c924100       | mov                 dword ptr [ebp - 0xc], 0x41926c

        $sequence_15 = { e8???????? 03f0 56 e8???????? 83c404 c745fc00000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   03f0                 | add                 esp, 4
            //   56                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c745fc00000000       | lea                 eax, [ebp - 0x24]

        $sequence_16 = { 51 ff15???????? 8b55d4 8955e4 8b45d8 }
            // n = 5, score = 100
            //   51                   | add                 esp, 4
            //   ff15????????         |                     
            //   8b55d4               | add                 esp, 4
            //   8955e4               | push                eax
            //   8b45d8               | add                 esp, 4

        $sequence_17 = { 8bc1 eb0c 0fb6c9 0fbe8968004200 }
            // n = 4, score = 100
            //   8bc1                 | mov                 eax, ecx
            //   eb0c                 | jmp                 0xe
            //   0fb6c9               | movzx               ecx, cl
            //   0fbe8968004200       | movsx               ecx, byte ptr [ecx + 0x420068]

        $sequence_18 = { 8b4004 80781900 74ee 80791900 7505 8bc8 }
            // n = 6, score = 100
            //   8b4004               | push                edx
            //   80781900             | push                0
            //   74ee                 | push                0
            //   80791900             | push                0x70048
            //   7505                 | pop                 ebp
            //   8bc8                 | pop                 ebx

        $sequence_19 = { 4533c0 498bd4 33c9 c744242800000008 895c2420 ff15???????? 85c0 }
            // n = 7, score = 100
            //   4533c0               | dec                 eax
            //   498bd4               | mov                 dword ptr [ebx], eax
            //   33c9                 | dec                 eax
            //   c744242800000008     | lea                 ecx, [esp + 0x28]
            //   895c2420             | inc                 ecx
            //   ff15????????         |                     
            //   85c0                 | mov                 ebp, 8

        $sequence_20 = { 75f9 2bc2 56 57 8d7801 }
            // n = 5, score = 100
            //   75f9                 | jne                 0xfffffffb
            //   2bc2                 | sub                 eax, edx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d7801               | lea                 edi, [eax + 1]

        $sequence_21 = { be01000000 4883630800 488d05cf450100 488903 488d4c2428 }
            // n = 5, score = 100
            //   be01000000           | je                  0x44
            //   4883630800           | dec                 eax
            //   488d05cf450100       | lea                 edx, [0x847a]
            //   488903               | dec                 eax
            //   488d4c2428           | mov                 ecx, edi

        $sequence_22 = { 48634804 488d05b0270100 48894419e8 4883c430 }
            // n = 4, score = 100
            //   48634804             | inc                 ecx
            //   488d05b0270100       | cmp                 ch, 0xfe
            //   48894419e8           | jbe                 0x19
            //   4883c430             | dec                 eax

        $sequence_23 = { 52 50 68???????? ff15???????? 8d34f5b0044200 89442420 33ff }
            // n = 7, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d34f5b0044200       | lea                 esi, [esi*8 + 0x4204b0]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   33ff                 | xor                 edi, edi

        $sequence_24 = { 7d13 4863ca 8a44191c 42888401602a0200 ffc2 ebe1 }
            // n = 6, score = 100
            //   7d13                 | jge                 0x15
            //   4863ca               | dec                 eax
            //   8a44191c             | arpl                dx, cx
            //   42888401602a0200     | mov                 al, byte ptr [ecx + ebx + 0x1c]
            //   ffc2                 | inc                 edx
            //   ebe1                 | mov                 byte ptr [ecx + eax + 0x22a60], al

        $sequence_25 = { 8d842498030000 64a300000000 8b4508 33db 89442430 }
            // n = 5, score = 100
            //   8d842498030000       | lea                 eax, [esp + 0x398]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   89442430             | mov                 dword ptr [esp + 0x30], eax

        $sequence_26 = { 3bc3 0f8476010000 68???????? 68???????? }
            // n = 4, score = 100
            //   3bc3                 | cmp                 eax, ebx
            //   0f8476010000         | je                  0x17c
            //   68????????           |                     
            //   68????????           |                     

    condition:
        7 of them and filesize < 1112064
}
Download all Yara Rules