win.disttrack (Back to overview)

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY


There is no description at this point.

References
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-04-28 | Fortinet | Gergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-03-08 | Cylera | Cylera
@techreport{cylera:20220308:link:2b7c36f, author = {Cylera}, title = {{The link between Kwampirs (Orangeworm) and Shamoon APTs}}, date = {2022-03-08}, institution = {Cylera}, url = {https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf}, language = {English}, urldate = {2022-03-10} } The link between Kwampirs (Orangeworm) and Shamoon APTs
DistTrack Kwampirs
2021-08-05 | Symantec | Threat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 | ZDNet | Catalin Cimpanu
@online{cimpanu:20200210:fbi:1904430, author = {Catalin Cimpanu}, title = {{FBI warns about ongoing attacks against software supply chain companies}}, date = {2020-02-10}, organization = {ZDNet}, url = {https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/}, language = {English}, urldate = {2020-02-11} } FBI warns about ongoing attacks against software supply chain companies
DistTrack Kwampirs
2019-12-21 | MalwareInDepth | Myrtus 0x0
@online{0x0:20191221:shamoon:eb1828b, author = {Myrtus 0x0}, title = {{Shamoon 2012 Complete Analysis}}, date = {2019-12-21}, organization = {MalwareInDepth}, url = {https://malwareindepth.com/shamoon-2012/}, language = {English}, urldate = {2020-01-12} } Shamoon 2012 Complete Analysis
DistTrack
2018-12-14 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20181214:shamoon:1f24fa5, author = {Critical Attack Discovery and Intelligence Team}, title = {{Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail}}, date = {2018-12-14}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail}, language = {English}, urldate = {2020-04-21} } Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
DistTrack Filerase StoneDrill OilRig
2018-12-13 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20181213:shamoon:1623fe7, author = {Robert Falcone}, title = {{Shamoon 3 Targets Oil and Gas Organization}}, date = {2018-12-13}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/}, language = {English}, urldate = {2020-01-10} } Shamoon 3 Targets Oil and Gas Organization
DistTrack
2017-03-26 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20170326:shamoon:8a62f1a, author = {Robert Falcone and Bryan Lee}, title = {{Shamoon 2: Delivering Disttrack}}, date = {2017-03-26}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Delivering Disttrack
DistTrack
2017-03-14 | FireEye | FireEye
@online{fireeye:20170314:mtrend:0ea7d30, author = {FireEye}, title = {{M-Trend 2017: A View From the Front Lines}}, date = {2017-03-14}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2017}, language = {English}, urldate = {2020-06-03} } M-Trend 2017: A View From the Front Lines
DistTrack Powersniff FIN8
2017-02-27 | Symantec | A L Johnson
@online{johnson:20170227:shamoon:0188f39, author = {A L Johnson}, title = {{Shamoon: Multi-staged destructive attacks limited to specific targets}}, date = {2017-02-27}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Multi-staged destructive attacks limited to specific targets
DistTrack MimiKatz Rocket Kitten
2017-02-05 | VinRansomware | Gregory Paul, Shaunak
@online{paul:20170205:detailed:3a65aaf, author = {Gregory Paul and Shaunak}, title = {{Detailed threat analysis of Shamoon 2.0 Malware}}, date = {2017-02-05}, organization = {VinRansomware}, url = {http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware}, language = {English}, urldate = {2020-01-09} } Detailed threat analysis of Shamoon 2.0 Malware
DistTrack
2017-01-23 | Symantec | Symantec Security Response
@online{response:20170123:greenbug:a118a76, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-04-21} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-23 | Symantec | Symantec Security Response
@online{response:20170123:greenbug:96eab4c, author = {Symantec Security Response}, title = {{Greenbug cyberespionage group targeting Middle East, possible links to Shamoon}}, date = {2017-01-23}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon}, language = {English}, urldate = {2020-01-13} } Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
DistTrack ISMDoor Greenbug
2017-01-09 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20170109:second:2e36550, author = {Robert Falcone}, title = {{Second Wave of Shamoon 2 Attacks Identified}}, date = {2017-01-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/}, language = {English}, urldate = {2020-01-07} } Second Wave of Shamoon 2 Attacks Identified
DistTrack
2016-12-03 | Coding and Security | Coding, Security
@online{coding:20161203:sophisticated:af2cbb4, author = {Coding and Security}, title = {{"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis}}, date = {2016-12-03}, organization = {Coding and Security}, url = {https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis}, language = {English}, urldate = {2020-01-08} } "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
DistTrack
2016-11-30 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20161130:shamoon:6befcf1, author = {Robert Falcone}, title = {{Shamoon 2: Return of the Disttrack Wiper}}, date = {2016-11-30}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412}, language = {English}, urldate = {2019-12-20} } Shamoon 2: Return of the Disttrack Wiper
DistTrack
2016-11-30 | Symantec | A L Johnson
@online{johnson:20161130:shamoon:50feb7c, author = {A L Johnson}, title = {{Shamoon: Back from the dead and destructive as ever}}, date = {2016-11-30}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Shamoon: Back from the dead and destructive as ever
DistTrack OilRig
2012-08-17 | Contagiodump Blog | Mila Parkour
@online{parkour:20120817:shamoon:efffab1, author = {Mila Parkour}, title = {{Shamoon or DistTrack.A samples}}, date = {2012-08-17}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html}, language = {English}, urldate = {2019-12-20} } Shamoon or DistTrack.A samples
DistTrack
2012-08-16 | Symantec | Symantec Security Response
@online{response:20120816:shamoon:8f8fe97, author = {Symantec Security Response}, title = {{The Shamoon Attacks}}, date = {2012-08-16}, organization = {Symantec}, url = {https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks}, language = {English}, urldate = {2020-04-21} } The Shamoon Attacks
DistTrack OilRig
2012-08-16 | Kaspersky Labs | GReAT
@online{great:20120816:shamoon:143efb8, author = {GReAT}, title = {{Shamoon the Wiper – Copycats at Work}}, date = {2012-08-16}, organization = {Kaspersky Labs}, url = {https://securelist.com/shamoon-the-wiper-copycats-at-work/}, language = {English}, urldate = {2019-12-20} } Shamoon the Wiper – Copycats at Work
DistTrack
Yara Rules
[TLP:WHITE] win_disttrack_auto (20230125 | Detects win.disttrack.)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* HOW THIS RULE WAS BUILT
     * Every byte sequence below was selected automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of unpacked files and memory dumps. Malpedia is the data source, and for
     * a given number of families only single samples are documented, so how
     * well these sequences generalize across builds is unknown. Keep the
     * generation method in mind when assigning confidence to a hit.
     *
     * Reading the annotations: "n" is the instruction count of the sequence,
     * "score" is the generator's own weight for it. "??" bytes are wildcarded
     * operands that change between builds: rel32 call/jmp targets (e8/e9),
     * absolute or RIP-relative memory operands (ff15, 8905) and immediates
     * (68, b8). Sequences carrying 0x4x REX prefixes (seq 6, 9, 10, 12, 13,
     * 14, 19, 24) come from a 64-bit build; the others are 32-bit code.
     * The per-byte comments give the decoded instruction for each opcode.
     */

    strings:
        // 32-bit: three pushes, i.e. argument setup; the call itself is not part of the sequence
        $seq_0 = { 52 6a 00 6a 00 68 48 00 07 00 }
            // n = 4, score = 200
            //   52                   | push    edx
            //   6a 00                | push    0
            //   6a 00                | push    0
            //   68 48 00 07 00       | push    0x70048

        // 32-bit: register-restore epilogue followed by the first push of the next function (generic shape)
        $seq_1 = { 58 5e 5d c3 6a 0c }
            // n = 5, score = 200
            //   58                   | pop     eax
            //   5e                   | pop     esi
            //   5d                   | pop     ebp
            //   c3                   | ret
            //   6a 0c                | push    0xc

        // 32-bit: two import calls around a stack-local at [ebp-0x24]
        $seq_2 = { 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 8d 45 dc 50 ff 15 ?? ?? ?? ?? 8b 4d dc }
            // n = 6, score = 200
            //   68 ?? ?? ?? ??       | push    imm32
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]
            //   8d 45 dc             | lea     eax, [ebp - 0x24]
            //   50                   | push    eax
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]
            //   8b 4d dc             | mov     ecx, dword ptr [ebp - 0x24]

        // 32-bit: import call then epilogue returning edi in eax (generic shape)
        $seq_3 = { 53 ff 15 ?? ?? ?? ?? 5d 5b 8b c7 5f 5e }
            // n = 7, score = 200
            //   53                   | push    ebx
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]
            //   5d                   | pop     ebp
            //   5b                   | pop     ebx
            //   8b c7                | mov     eax, edi
            //   5f                   | pop     edi
            //   5e                   | pop     esi

        // 32-bit: call, then call with a single immediate argument, then ret and the next function's push
        $seq_4 = { 57 e8 ?? ?? ?? ?? 6a 07 e8 ?? ?? ?? ?? 59 c3 6a 10 }
            // n = 7, score = 200
            //   57                   | push    edi
            //   e8 ?? ?? ?? ??       | call    rel32
            //   6a 07                | push    7
            //   e8 ?? ?? ?? ??       | call    rel32
            //   59                   | pop     ecx
            //   c3                   | ret
            //   6a 10                | push    0x10

        // 32-bit: cdecl-style stack cleanup (add esp, 4) between calls
        $seq_5 = { 83 c4 04 50 e8 ?? ?? ?? ?? 83 c4 04 68 ?? ?? ?? ?? ff 15 ?? ?? ?? ?? }
            // n = 6, score = 200
            //   83 c4 04             | add     esp, 4
            //   50                   | push    eax
            //   e8 ?? ?? ?? ??       | call    rel32
            //   83 c4 04             | add     esp, 4
            //   68 ?? ?? ?? ??       | push    imm32
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]

        // 64-bit. NOTE(review): "xor rcx, rsp" followed by a call resembles the MSVC stack-cookie
        // check emitted in every protected function; presumably compiler code, not family code - confirm.
        $seq_6 = { ff 15 ?? ?? ?? ?? 32 c0 48 8b 8d 70 03 00 00 48 33 cc e8 ?? ?? ?? ?? 4c 8d 9c 24 80 04 00 00 }
            // n = 6, score = 100
            //   ff 15 ?? ?? ?? ??    | call    qword ptr [rip + disp32]
            //   32 c0                | xor     al, al
            //   48 8b 8d 70 03 00 00 | mov     rcx, qword ptr [rbp + 0x370]
            //   48 33 cc             | xor     rcx, rsp
            //   e8 ?? ?? ?? ??       | call    rel32
            //   4c 8d 9c 24 80 04 00 00 | lea     r11, [rsp + 0x480]

        // 32-bit: import call whose result is compared against -1 (the usual invalid-handle check shape)
        $seq_7 = { ff 15 ?? ?? ?? ?? 8b d8 83 fb ff 0f 84 0a 01 00 00 }
            // n = 4, score = 100
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]
            //   8b d8                | mov     ebx, eax
            //   83 fb ff             | cmp     ebx, -1
            //   0f 84 0a 01 00 00    | je      rel32 (+0x10a)

        // 32-bit: loop tail - increment a counter at [ebp-0x798], test a byte flag, loop back
        $seq_8 = { 83 85 68 f8 ff ff 01 80 bd 67 f8 ff ff 00 75 e1 8b bd 68 f8 ff ff }
            // n = 4, score = 100
            //   83 85 68 f8 ff ff 01 | add     dword ptr [ebp - 0x798], 1
            //   80 bd 67 f8 ff ff 00 | cmp     byte ptr [ebp - 0x799], 0
            //   75 e1                | jne     rel8 (-0x1f)
            //   8b bd 68 f8 ff ff    | mov     edi, dword ptr [ebp - 0x798]

        // 64-bit: Windows x64 calling convention setup (rcx, rdx, r8d) before a call
        $seq_9 = { 48 8d 4c 24 30 48 8d 15 3d 0e 01 00 41 b8 98 00 00 00 49 8b f1 e8 ?? ?? ?? ?? 48 63 85 28 05 00 00 49 8b 16 }
            // n = 7, score = 100
            //   48 8d 4c 24 30       | lea     rcx, [rsp + 0x30]
            //   48 8d 15 3d 0e 01 00 | lea     rdx, [rip + 0x10e3d]
            //   41 b8 98 00 00 00    | mov     r8d, 0x98
            //   49 8b f1             | mov     rsi, r9
            //   e8 ?? ?? ?? ??       | call    rel32
            //   48 63 85 28 05 00 00 | movsxd  rax, dword ptr [rbp + 0x528]
            //   49 8b 16             | mov     rdx, qword ptr [r14]

        // 64-bit: stores a RIP-relative address into two frame slots
        $seq_10 = { e8 ?? ?? ?? ?? 48 8d 55 10 48 8d 4d d0 48 89 45 c8 48 8d 05 a0 50 01 00 48 89 45 10 }
            // n = 6, score = 100
            //   e8 ?? ?? ?? ??       | call    rel32
            //   48 8d 55 10          | lea     rdx, [rbp + 0x10]
            //   48 8d 4d d0          | lea     rcx, [rbp - 0x30]
            //   48 89 45 c8          | mov     qword ptr [rbp - 0x38], rax
            //   48 8d 05 a0 50 01 00 | lea     rax, [rip + 0x150a0]
            //   48 89 45 10          | mov     qword ptr [rbp + 0x10], rax

        // 32-bit: import call result checked for both 0 and -1
        $seq_11 = { 57 ff 15 ?? ?? ?? ?? 8b f0 85 f6 74 1a 83 fe ff 74 15 }
            // n = 7, score = 100
            //   57                   | push    edi
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]
            //   8b f0                | mov     esi, eax
            //   85 f6                | test    esi, esi
            //   74 1a                | je      rel8 (+0x1a)
            //   83 fe ff             | cmp     esi, -1
            //   74 15                | je      rel8 (+0x15)

        // 64-bit: byte store through r14 and an indexed table load at a fixed offset (0x24e80)
        $seq_12 = { 41 88 0e 4b 8b 84 f9 80 4e 02 00 41 83 ca ff 41 03 da 49 8d 56 01 45 8d 60 f7 }
            // n = 6, score = 100
            //   41 88 0e             | mov     byte ptr [r14], cl
            //   4b 8b 84 f9 80 4e 02 00 | mov     rax, qword ptr [r9 + r15*8 + 0x24e80]
            //   41 83 ca ff          | or      r10d, 0xffffffff
            //   41 03 da             | add     ebx, r10d
            //   49 8d 56 01          | lea     rdx, [r14 + 1]
            //   45 8d 60 f7          | lea     r12d, [r8 - 9]

        // 64-bit: writes a RIP-relative address into the object pointed to by rcx (vtable-like shape, unconfirmed)
        $seq_13 = { 48 8d 05 50 21 01 00 48 89 01 e8 ?? ?? ?? ?? 90 }
            // n = 4, score = 100
            //   48 8d 05 50 21 01 00 | lea     rax, [rip + 0x12150]
            //   48 89 01             | mov     qword ptr [rcx], rax
            //   e8 ?? ?? ?? ??       | call    rel32
            //   90                   | nop

        // 64-bit: atomic reference-count decrement ("lock dec") with a null check on rbx beforehand
        $seq_14 = { 74 42 48 85 db 74 1b f0 ff 0b 75 16 48 8d 05 04 23 01 00 48 8b 4c 24 30 }
            // n = 7, score = 100
            //   74 42                | je      rel8 (+0x42)
            //   48 85 db             | test    rbx, rbx
            //   74 1b                | je      rel8 (+0x1b)
            //   f0 ff 0b             | lock dec dword ptr [rbx]
            //   75 16                | jne     rel8 (+0x16)
            //   48 8d 05 04 23 01 00 | lea     rax, [rip + 0x12304]
            //   48 8b 4c 24 30       | mov     rcx, qword ptr [rsp + 0x30]

        // 32-bit: passes the low byte of ebx to a function and tests its result
        $seq_15 = { 0f 84 aa 00 00 00 0f b6 d3 52 e8 ?? ?? ?? ?? 83 c4 04 85 c0 75 0e }
            // n = 7, score = 100
            //   0f 84 aa 00 00 00    | je      rel32 (+0xaa)
            //   0f b6 d3             | movzx   edx, bl
            //   52                   | push    edx
            //   e8 ?? ?? ?? ??       | call    rel32
            //   83 c4 04             | add     esp, 4
            //   85 c0                | test    eax, eax
            //   75 0e                | jne     rel8 (+0xe)

        // 32-bit: start of a 16-bit (wide-char style) read loop over a fixed-address buffer
        $seq_16 = { 83 c4 0c 56 ff 15 ?? ?? ?? ?? b8 ?? ?? ?? ?? 8d 50 02 66 8b 08 }
            // n = 6, score = 100
            //   83 c4 0c             | add     esp, 0xc
            //   56                   | push    esi
            //   ff 15 ?? ?? ?? ??    | call    dword ptr [disp32]
            //   b8 ?? ?? ?? ??       | mov     eax, imm32
            //   8d 50 02             | lea     edx, [eax + 2]
            //   66 8b 08             | mov     cx, word ptr [eax]

        // 32-bit. NOTE(review): 0x421740 is an absolute data address, so this is build-specific; the
        // sar 5 / and 0x1f / shl 6 shape resembles MSVC CRT file-handle table indexing (__pioinfo) -
        // confirm before treating seq 17/18 as family-specific rather than runtime code.
        $seq_17 = { c1 f9 05 8d 3c 8d 40 17 42 00 8b f0 83 e6 1f c1 e6 06 8b 0f 0f be 4c 31 04 }
            // n = 7, score = 100
            //   c1 f9 05             | sar     ecx, 5
            //   8d 3c 8d 40 17 42 00 | lea     edi, [ecx*4 + 0x421740]
            //   8b f0                | mov     esi, eax
            //   83 e6 1f             | and     esi, 0x1f
            //   c1 e6 06             | shl     esi, 6
            //   8b 0f                | mov     ecx, dword ptr [edi]
            //   0f be 4c 31 04       | movsx   ecx, byte ptr [ecx + esi + 4]

        // 32-bit: same table lookup as $seq_17 with the index in edx (see the note above $seq_17)
        $seq_18 = { c1 f9 05 8b 0c 8d 40 17 42 00 83 e2 1f c1 e2 06 }
            // n = 4, score = 100
            //   c1 f9 05             | sar     ecx, 5
            //   8b 0c 8d 40 17 42 00 | mov     ecx, dword ptr [ecx*4 + 0x421740]
            //   83 e2 1f             | and     edx, 0x1f
            //   c1 e2 06             | shl     edx, 6

        // 64-bit: computes rbx = 2*r15 and later rbp+rbx+0x1e0, i.e. indexing into a frame buffer
        $seq_19 = { 48 8d 8d e0 01 00 00 44 8b f8 4b 8d 1c 3f 4c 8b c3 e8 ?? ?? ?? ?? 48 8d 9c 1d e0 01 00 00 }
            // n = 6, score = 100
            //   48 8d 8d e0 01 00 00 | lea     rcx, [rbp + 0x1e0]
            //   44 8b f8             | mov     r15d, eax
            //   4b 8d 1c 3f          | lea     rbx, [r15 + r15]
            //   4c 8b c3             | mov     r8, rbx
            //   e8 ?? ?? ?? ??       | call    rel32
            //   48 8d 9c 1d e0 01 00 00 | lea     rbx, [rbp + rbx + 0x1e0]

        // 32-bit: three-argument call cleanup (add esp, 0xc) then reload of a large frame local
        $seq_20 = { 50 e8 ?? ?? ?? ?? 8b 8d 28 fc ff ff 83 c4 0c 51 }
            // n = 5, score = 100
            //   50                   | push    eax
            //   e8 ?? ?? ?? ??       | call    rel32
            //   8b 8d 28 fc ff ff    | mov     ecx, dword ptr [ebp - 0x3d8]
            //   83 c4 0c             | add     esp, 0xc
            //   51                   | push    ecx

        // 32-bit: byte argument at [ebp+8] compared with 1, then a 16-bit frame local is loaded
        $seq_21 = { 0f b6 4d 08 83 f9 01 75 2d 0f b7 95 d8 fd ff ff }
            // n = 4, score = 100
            //   0f b6 4d 08          | movzx   ecx, byte ptr [ebp + 8]
            //   83 f9 01             | cmp     ecx, 1
            //   75 2d                | jne     rel8 (+0x2d)
            //   0f b7 95 d8 fd ff ff | movzx   edx, word ptr [ebp - 0x228]

        // 32-bit: pointer-chasing through two structures and a byte compare at +0x19
        $seq_22 = { 8b 11 8b 72 08 89 31 8b 72 08 38 5e 19 75 03 }
            // n = 6, score = 100
            //   8b 11                | mov     edx, dword ptr [ecx]
            //   8b 72 08             | mov     esi, dword ptr [edx + 8]
            //   89 31                | mov     dword ptr [ecx], esi
            //   8b 72 08             | mov     esi, dword ptr [edx + 8]
            //   38 5e 19             | cmp     byte ptr [esi + 0x19], bl
            //   75 03                | jne     rel8 (+3)

        // 32-bit: zeroes a stack byte, then calls with a 0x800 immediate when [esp+0x10] is zero
        $seq_23 = { c6 44 24 0f 00 8d b2 20 1c 00 00 83 7c 24 10 00 75 66 68 00 08 00 00 e8 ?? ?? ?? ?? }
            // n = 6, score = 100
            //   c6 44 24 0f 00       | mov     byte ptr [esp + 0xf], 0
            //   8d b2 20 1c 00 00    | lea     esi, [edx + 0x1c20]
            //   83 7c 24 10 00       | cmp     dword ptr [esp + 0x10], 0
            //   75 66                | jne     rel8 (+0x66)
            //   68 00 08 00 00       | push    0x800
            //   e8 ?? ?? ?? ??       | call    rel32

        // 64-bit: stores eax to a global, branches on it, then passes a RIP-relative address in rcx
        $seq_24 = { 89 05 ?? ?? ?? ?? 85 c0 0f 85 03 01 00 00 48 8d 35 7e 52 01 00 48 8b ce e8 ?? ?? ?? ?? 48 8d 54 24 30 }
            // n = 7, score = 100
            //   89 05 ?? ?? ?? ??    | mov     dword ptr [rip + disp32], eax
            //   85 c0                | test    eax, eax
            //   0f 85 03 01 00 00    | jne     rel32 (+0x103)
            //   48 8d 35 7e 52 01 00 | lea     rsi, [rip + 0x1527e]
            //   48 8b ce             | mov     rcx, rsi
            //   e8 ?? ?? ?? ??       | call    rel32
            //   48 8d 54 24 30       | lea     rdx, [rsp + 0x30]

        // 32-bit: indirect call through a function pointer at [edx+0x1c], then a flag set and a loop counter decrement
        $seq_25 = { 8b 42 1c ff d0 c7 45 fc 01 00 00 00 e9 ?? ?? ?? ?? 83 45 e4 ff }
            // n = 5, score = 100
            //   8b 42 1c             | mov     eax, dword ptr [edx + 0x1c]
            //   ff d0                | call    eax
            //   c7 45 fc 01 00 00 00 | mov     dword ptr [ebp - 4], 1
            //   e9 ?? ?? ?? ??       | jmp     rel32
            //   83 45 e4 ff          | add     dword ptr [ebp - 0x1c], -1

    condition:
        // Cheap size gate first (1112064 bytes), then require any 7 of the 26 sequences.
        // Every string is named $seq_*, so this is the same set as "them".
        filesize < 1112064 and 7 of ($seq_*)
}