SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ghost_rat (Back to overview)

Ghost RAT

aka: Farfli, Gh0st RAT, PCRat

Actor(s): EMISSARY PANDA, Hurricane Panda, Lazarus Group, Leviathan, Red Menshen, Stone Panda

VTCollection     URLhaus    

According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.

Below is a list of Gh0st RAT capabilities.
Take full control of the remote screen on the infected bot.
Provide real time as well as offline keystroke logging.
Provide live feed of webcam, microphone of infected host.
Download remote binaries on the infected remote host.
Take control of remote shutdown and reboot of host.
Disable infected computer remote pointer and keyboard input.
Enter into shell of remote infected host with full control.
Provide a list of all the active processes.
Clear all existing SSDT of all existing hooks.

References
2023-04-24CofenseAustin Jones
Open-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release
Ghost RAT
2023-04-13Intel 471Jorge Rodriguez, Souhail Hammou
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT
BBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt
2022-09-15SymantecThreat Hunter Team
Webworm: Espionage Attackers Testing and Using Older Modified RATs
9002 RAT Ghost RAT Trochilus RAT
2022-07-18Palo Alto Networks Unit 42Unit 42
Iron Taurus
CHINACHOPPER Ghost RAT Wonknu ZXShell APT27
2022-05-23Trend MicroDaniel Lunghi, Jaromír Hořejší
Operation Earth Berberoka
reptile oRAT Ghost RAT PlugX pupy Earth Berberoka
2022-04-27Trend MicroDaniel Lunghi, Jaromír Hořejší
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-15Center for Internet SecurityCIS
Top 10 Malware March 2022
Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus
2022-04-01The Hacker NewsRavie Lakshmanan
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit
Fire Chili Ghost RAT
2022-03-30FortinetEliran Voronovitch, Rotem Sde-Or
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Fire Chili Ghost RAT
2022-03-16AhnLabASEC Analysis Team
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers
Ghost RAT Kingminer
2022-02-11Cisco TalosTalos
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2021-12-14Trend MicroNick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23
2021-10-05BlackberryThe BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT
2021-10-04JPCERT/CCShusei Tomonaga
Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT
2021-05-05ZscalerAniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-04-28Trend MicroJaromír Hořejší, Joseph C Chen
Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT
2021-04-02Dr.WebDr.Web
Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT TA428
2021-02-22tccontre Blogtcontre
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT
2021-02-01ESET ResearchIgnacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy Red Dev 17
2021-01-15SwisscomMarkus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT
2020-12-18SeqritePavankumar Chaudhari
RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT
2020-12-10Intel 471Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10US-CERTFBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-10-27Dr.WebDr.Web
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-07-28NTTNTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX
2020-07-20Risky.bizDaniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-06-14BushidoTokenBushidoToken
Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-05PrevailionDanny Adamitis
The Gh0st Remains the Same
Ghost RAT
2020-06-04PTSecurityPT ESC Threat Intelligence
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-05-20Medium Asuna AmawakaAsuna Amawaka
What happened between the BigBadWolf and the Tiger?
Ghost RAT
2020-05-14Avast DecodedLuigino Camastra
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
BYEBY Ghost RAT Microcin MimiKatz Vicious Panda
2020-03-05SophosLabsSergei Shevchenko
Cloud Snooper Attack Bypasses AWS Security Measures
Cloud Snooper Ghost RAT
2020-01-01SecureworksSecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2020-01-01SecureworksSecureWorks
BRONZE GLOBE
EtumBot Ghost RAT APT12
2020-01-01SecureworksSecureWorks
BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020-01-01SecureworksSecureWorks
BRONZE EDISON
Ghost RAT sykipot APT4 SAMURAI PANDA
2019-12-12MicrosoftMicrosoft Threat Intelligence Center
GALLIUM: Targeting global telecom
CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM
2019-11-19FireEyeKelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell
2019-11-04TencentTencent Security Mikan TIC
APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-09-23MITREMITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
2019-09-17TalosChristopher Evans, David Liebenberg
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-04-25DATANETKim Seon-ae
Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT
2019-02-27SecureworksCTU Research Team
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-01-07IntezerIgnacio Sanmillan
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2018-09-19Möbius Strip Reverse EngineeringRolf Rolles
Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-04-20NCC GroupNikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT APT27
2018-04-17NCC GroupNikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT APT27
2018-02-01BitdefenderBitdefender Team
Operation PZCHAO Inside a highly specialized espionage infrastructure
Ghost RAT APT27
2018-01-04Malware Traffic AnalysisBrad Duncan
MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2017-12-19ProofpointDarien Huss
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19ProofpointDarien Huss
North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-05-31MITREMITRE ATT&CK
PittyTiger
Enfal Ghost RAT MimiKatz Poison Ivy APT24
2017-05-31MITREMITRE ATT&CK
Axiom
Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17
2017-05-31MITREMITRE
APT18
Ghost RAT HttpBrowser APT18
2017-02-25Financial Security InstituteKyoung-Ju Kwak (郭炅周)
Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2016-04-22CylanceIsaac Palmer
The Ghost Dragon
Ghost RAT
2012-01-01Norman ASASnorre Fagerland
The many faces of Gh0st Rat
Ghost RAT
2011-06-29SymantecJohn McDonald
Inside a Back Door Attack
Ghost RAT Dust Storm
2009-03-28Infinitum LabsInformation Warfare Monitor
Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet
Yara Rules
[TLP:WHITE] win_ghost_rat_auto (20230808 | Detects win.ghost_rat.)
rule win_ghost_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ghost_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a01 56 ff15???????? 5e c20800 }
            // n = 5, score = 500
            //   6a01                 | push                1
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   c20800               | ret                 8

        $sequence_1 = { 8bd9 e8???????? 8b4d08 3bc8 }
            // n = 4, score = 500
            //   8bd9                 | mov                 ebx, ecx
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3bc8                 | cmp                 ecx, eax

        $sequence_2 = { 8b400c 85c0 7505 a1???????? 50 8bce }
            // n = 6, score = 500
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   a1????????           |                     
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi

        $sequence_3 = { 8be5 5d c20400 894df4 }
            // n = 4, score = 400
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx

        $sequence_4 = { 894df4 c745f800000000 df6df4 83ec08 dc0d???????? }
            // n = 5, score = 400
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   df6df4               | fild                qword ptr [ebp - 0xc]
            //   83ec08               | sub                 esp, 8
            //   dc0d????????         |                     

        $sequence_5 = { 6a6b 8bce e8???????? 5f }
            // n = 4, score = 400
            //   6a6b                 | push                0x6b
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   5f                   | pop                 edi

        $sequence_6 = { e8???????? 8b8e549f0000 83c41c 89848e14030000 8b86549f0000 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   8b8e549f0000         | mov                 ecx, dword ptr [esi + 0x9f54]
            //   83c41c               | add                 esp, 0x1c
            //   89848e14030000       | mov                 dword ptr [esi + ecx*4 + 0x314], eax
            //   8b86549f0000         | mov                 eax, dword ptr [esi + 0x9f54]

        $sequence_7 = { 8d7b01 c60396 f3a5 53 8bcd }
            // n = 5, score = 300
            //   8d7b01               | lea                 edi, [ebx + 1]
            //   c60396               | mov                 byte ptr [ebx], 0x96
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   53                   | push                ebx
            //   8bcd                 | mov                 ecx, ebp

        $sequence_8 = { 8db714030000 8b06 6aff 50 }
            // n = 4, score = 300
            //   8db714030000         | lea                 esi, [edi + 0x314]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   6aff                 | push                -1
            //   50                   | push                eax

        $sequence_9 = { 8b5614 8b02 8b400c 85c0 }
            // n = 4, score = 300
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   85c0                 | test                eax, eax

        $sequence_10 = { e9???????? 8d45dc 50 681f000200 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   681f000200           | push                0x2001f

        $sequence_11 = { 50 ff15???????? ffb6a8000000 ff15???????? ffb6ac000000 }
            // n = 5, score = 300
            //   50                   | push                eax
            //   ff15????????         |                     
            //   ffb6a8000000         | push                dword ptr [esi + 0xa8]
            //   ff15????????         |                     
            //   ffb6ac000000         | push                dword ptr [esi + 0xac]

        $sequence_12 = { 8dbd85feffff f3ab 66ab aa }
            // n = 4, score = 300
            //   8dbd85feffff         | lea                 edi, [ebp - 0x17b]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_13 = { 6a00 6a00 c705????????20010000 e8???????? 8b35???????? }
            // n = 5, score = 300
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   c705????????20010000     |     
            //   e8????????           |                     
            //   8b35????????         |                     

        $sequence_14 = { e8???????? 8d85c0feffff 50 57 ff15???????? 8bf8 83ffff }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8d85c0feffff         | lea                 eax, [ebp - 0x140]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83ffff               | cmp                 edi, -1

        $sequence_15 = { 83c40c 8d85b8feffff 50 8d85b4fdffff }
            // n = 4, score = 300
            //   83c40c               | add                 esp, 0xc
            //   8d85b8feffff         | lea                 eax, [ebp - 0x148]
            //   50                   | push                eax
            //   8d85b4fdffff         | lea                 eax, [ebp - 0x24c]

        $sequence_16 = { 8bce e8???????? 8b4df4 5f b001 5e }
            // n = 6, score = 300
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   5f                   | pop                 edi
            //   b001                 | mov                 al, 1
            //   5e                   | pop                 esi

        $sequence_17 = { 8bf0 83c40c 46 750b 5f 5e 33c0 }
            // n = 7, score = 300
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   46                   | inc                 esi
            //   750b                 | jne                 0xd
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax

        $sequence_18 = { ff15???????? 6a01 ff7620 ff15???????? 8b4e04 e8???????? }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   6a01                 | push                1
            //   ff7620               | push                dword ptr [esi + 0x20]
            //   ff15????????         |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   e8????????           |                     

        $sequence_19 = { ff7510 ff75dc ff15???????? 85c0 7507 c745e401000000 834dfcff }
            // n = 7, score = 300
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   834dfcff             | or                  dword ptr [ebp - 4], 0xffffffff

        $sequence_20 = { 56 53 e8???????? 83c408 84c0 750b }
            // n = 6, score = 300
            //   56                   | push                esi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   84c0                 | test                al, al
            //   750b                 | jne                 0xd

        $sequence_21 = { 68???????? 50 6802000080 e8???????? 83c41c 5f 5e }
            // n = 7, score = 300
            //   68????????           |                     
            //   50                   | push                eax
            //   6802000080           | push                0x80000002
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_22 = { 6a00 50 e8???????? 83c40c ff7508 6a40 ff15???????? }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a40                 | push                0x40
            //   ff15????????         |                     

        $sequence_23 = { 8365fc00 ff7508 ff15???????? 40 50 ff15???????? 59 }
            // n = 7, score = 300
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff15????????         |                     
            //   59                   | pop                 ecx

        $sequence_24 = { 8b4608 8b7e20 8b36 813f6b006500 7406 }
            // n = 5, score = 200
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   8b7e20               | mov                 edi, dword ptr [esi + 0x20]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b
            //   7406                 | je                  8

        $sequence_25 = { c7014c696272 83e9fc c70161727941 83e9fc }
            // n = 4, score = 200
            //   c7014c696272         | mov                 dword ptr [ecx], 0x7262694c
            //   83e9fc               | sub                 ecx, -4
            //   c70161727941         | mov                 dword ptr [ecx], 0x41797261
            //   83e9fc               | sub                 ecx, -4

        $sequence_26 = { 813f6b006500 7406 813f4b004500 75e8 }
            // n = 4, score = 200
            //   813f6b006500         | cmp                 dword ptr [edi], 0x65006b
            //   7406                 | je                  8
            //   813f4b004500         | cmp                 dword ptr [edi], 0x45004b
            //   75e8                 | jne                 0xffffffea

        $sequence_27 = { c7014c6f6164 83e9fc c7014c696272 83e9fc }
            // n = 4, score = 200
            //   c7014c6f6164         | mov                 dword ptr [ecx], 0x64616f4c
            //   83e9fc               | sub                 ecx, -4
            //   c7014c696272         | mov                 dword ptr [ecx], 0x7262694c
            //   83e9fc               | sub                 ecx, -4

        $sequence_28 = { 7475 8b45bc 8b08 894db4 }
            // n = 4, score = 100
            //   7475                 | je                  0x77
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   894db4               | mov                 dword ptr [ebp - 0x4c], ecx

        $sequence_29 = { 8911 eb26 8b45b4 8b4d08 8d540102 }
            // n = 5, score = 100
            //   8911                 | mov                 dword ptr [ecx], edx
            //   eb26                 | jmp                 0x28
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d540102             | lea                 edx, [ecx + eax + 2]

        $sequence_30 = { 8b55dc 8b7a18 8b7220 0375f8 33c9 }
            // n = 5, score = 100
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   8b7a18               | mov                 edi, dword ptr [edx + 0x18]
            //   8b7220               | mov                 esi, dword ptr [edx + 0x20]
            //   0375f8               | add                 esi, dword ptr [ebp - 8]
            //   33c9                 | xor                 ecx, ecx

        $sequence_31 = { 6bc928 8b9538ffffff 8b8560ffffff 03440a0c 8985fcfeffff }
            // n = 5, score = 100
            //   6bc928               | imul                ecx, ecx, 0x28
            //   8b9538ffffff         | mov                 edx, dword ptr [ebp - 0xc8]
            //   8b8560ffffff         | mov                 eax, dword ptr [ebp - 0xa0]
            //   03440a0c             | add                 eax, dword ptr [edx + ecx + 0xc]
            //   8985fcfeffff         | mov                 dword ptr [ebp - 0x104], eax

    condition:
        7 of them and filesize < 357376
}
Download all Yara Rules