win.mount_locker

Mount Locker

aka: DagonLocker, MountLocker, QuantumLocker

According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS) operation that has been active since July 2020. The ransomware was updated in early November 2020 to broaden the range of targeted file types and to evade security software. Victims' files are encrypted with ChaCha20, and the per-file encryption keys are in turn encrypted with RSA-2048. The ransomware's cryptography appears to be somewhat secure: there are no trivial weaknesses that would allow easy key recovery and decryption of data. MountLocker does, however, use a cryptographically insecure method for key generation that may be prone to attack.

References
(date; author(s), organization; title; URL and access date; families tagged for the reference)

2023-04-03. The DFIR Report: "Malicious ISO File Leads to Domain Wide Ransomware". https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ (accessed 2023-04-06). Tagged: Cobalt Strike, IcedID, Mount Locker.

2023-03-30. Microsoft, Fortra, HEALTH-ISAC; United States District Court (Eastern District of New York): "Cracked Cobalt Strike (1:23-cv-02447)". https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf (accessed 2023-04-28). Tagged: Black Basta, BlackCat, LockBit, RagnarLocker, Cobalt Strike, Cuba, Emotet, Mount Locker, PLAY, QakBot, Royal Ransom, Zloader.

2022-11-28. The DFIR Report: "Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware". https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ (accessed 2022-11-28). Tagged: Emotet, Mount Locker.

2022-11-10. Nicole Fishbein, Intezer: "How LNK Files Are Abused by Threat Actors". https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/ (accessed 2022-11-11). Tagged: BumbleBee, Emotet, Mount Locker, QakBot.

2022-10-25. Microsoft Security Threat Intelligence, Microsoft: "DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector". https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ (accessed 2023-02-03). Tagged: BlackCat, Mount Locker, Zeppelin.

2022-10-10. Microsoft Threat Intelligence Center (MSTIC), RiskIQ: "DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns". https://community.riskiq.com/article/47766fbd (accessed 2022-10-19). Tagged: BlackCat, Mount Locker, SystemBC, Zeppelin.

2022-09-14. Vlad Pasca, SecurityScorecard: "A Detailed Analysis of the Quantum Ransomware". https://securityscorecard.pathfactory.com/research/quantum-ransomware (accessed 2022-09-15). Tagged: Mount Locker.

2022-08-22. Microsoft: "Extortion Economics - Ransomware's new business model". https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v (accessed 2022-08-31). Tagged: BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, Brute Ratel C4, Cobalt Strike, Mount Locker, Nokoyawa Ransomware, Ryuk.

2022-05-19. Charlotte Hammond, Ole Villadsen, Golo Mühr; IBM: "ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups". https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/ (accessed 2022-05-25). Tagged: IcedID, ISFB, Mount Locker.

2022-05-09. Lior Rochberger, Cybereason: "Cybereason vs. Quantum Locker Ransomware". https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware (accessed 2022-05-11). Tagged: IcedID, Mount Locker.

2021-11-05. The BlackBerry Research & Intelligence Team, Blackberry: "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware". https://blogs.blackberry.com/en/2021/11/zebra2104 (accessed 2021-11-08). Tagged: Cobalt Strike, DoppelDridex, Mount Locker, Phobos, StrongPity.

2021-10-18. The DFIR Report: "IcedID to XingLocker Ransomware in 24 hours". https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ (accessed 2021-10-22). Tagged: Cobalt Strike, IcedID, Mount Locker.

2021-10-15. Fernando Mercês, Trend Micro: "Ransomware Operators Found Using New 'Franchise' Business Model". https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html (accessed 2021-10-24). Tagged: Glupteba, IcedID, Mount Locker.

2021-08-04. m4n0w4r, Tran Trung Kien; kienmanowar Blog: "[QuickNote] MountLocker – Some pseudo-code snippets". https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/ (accessed 2021-09-09). Tagged: Mount Locker.

2021-08-04. Falcon OverWatch Team, CrowdStrike Intelligence Team, CrowdStrike IR; CrowdStrike: "PROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity". https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ (accessed 2021-09-02). Tagged: Cobalt Strike, Egregor, Mount Locker.

2021-07-14. Intel 471: "How cybercriminals create turbulence for the transportation industry". https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry (accessed 2021-07-29). Tagged: Mount Locker, Nefilim.

2021-06-23. Threat Hunter Team, Symantec: "Ransomware: Growing Number of Attackers Using Virtual Machines". https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines (accessed 2021-06-25). Tagged: Mount Locker.

2021-05-23. Chuong Dong, Chuongdong blog: "MountLocker Ransomware". https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/ (accessed 2021-06-16). Tagged: Mount Locker.

2021-05-18. Finch, Github (Finch4): "Analysis of MountLocker". https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker (accessed 2021-05-26). Tagged: Mount Locker.

2021-05-10. DarkTracer: "Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb". https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 (accessed 2021-05-13). Tagged: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, REvil, Sekhmet, SunCrypt, ThunderX.

2021-04-23. Drew Schmitt, GuidePoint Security: "Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation". https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/ (accessed 2021-04-28). Tagged: Mount Locker.

2021-03-31. Michael Heller, Sophos: "Sophos MTR in Real Time: What is Astro Locker Team?". https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/ (accessed 2021-04-06). Tagged: Mount Locker.

2021-02-23. CrowdStrike: "2021 Global Threat Report". https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf (accessed 2021-02-25). Tagged: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader; actors: KNOCKOUT SPIDER, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER.

2020-12-23. Marius Genheimer, Dissecting Malware: "Between a rock and a hard place - Exploring Mount Locker Ransomware". https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html (accessed 2021-01-21). Tagged: Mount Locker.

2020-12-11. BlackBerry Research and Intelligence team, Blackberry: "MountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates". https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates (accessed 2020-12-14). Tagged: Cobalt Strike, Mount Locker.

2020-11-19. Lawrence Abrams, Bleeping Computer: "Mount Locker ransomware now targets your TurboTax tax returns". https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/ (accessed 2020-11-23). Tagged: Mount Locker.

2020-11-13. Sergiu Gatlan, Bleeping Computer: "Biotech research firm Miltenyi Biotec hit by ransomware, data leaked". https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/ (accessed 2020-11-19). Tagged: Mount Locker.

2020-09-24. Lawrence Abrams, Bleeping Computer: "Mount Locker ransomware joins the multi-million dollar ransom game". https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/ (accessed 2020-10-02). Tagged: Mount Locker.
Yara Rules
[TLP:WHITE] win_mount_locker_auto (20230407 | Detects win.mount_locker.)
rule win_mount_locker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.mount_locker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4d8bc8 4c8bc2 4c8bf2 8bf1 33d2 }
            // n = 5, score = 500
            //   4d8bc8               | inc                 ebp
            //   4c8bc2               | xor                 ecx, ecx
            //   4c8bf2               | inc                 ebp
            //   8bf1                 | xor                 eax, eax
            //   33d2                 | dec                 ebp

        $sequence_1 = { 4c8d442430 488364242000 4533c9 488b4c2458 33d2 c744243001000000 c744243c02000000 }
            // n = 7, score = 500
            //   4c8d442430           | mov                 ecx, eax
            //   488364242000         | dec                 esp
            //   4533c9               | mov                 eax, edx
            //   488b4c2458           | dec                 esp
            //   33d2                 | mov                 esi, edx
            //   c744243001000000     | mov                 esi, ecx
            //   c744243c02000000     | xor                 edx, edx

        $sequence_2 = { 81e10000ffff 81f900000780 7503 0fb7c0 }
            // n = 4, score = 500
            //   81e10000ffff         | dec                 ebp
            //   81f900000780         | mov                 ecx, eax
            //   7503                 | dec                 esp
            //   0fb7c0               | mov                 eax, edx

        $sequence_3 = { 488d4df0 4889442428 4533c9 4533c0 }
            // n = 4, score = 500
            //   488d4df0             | dec                 eax
            //   4889442428           | lea                 ecx, [ebp - 0x10]
            //   4533c9               | dec                 eax
            //   4533c0               | mov                 dword ptr [esp + 0x28], eax

        $sequence_4 = { 488b0b 41b902000000 4533c0 33d2 }
            // n = 4, score = 500
            //   488b0b               | xor                 edx, edx
            //   41b902000000         | xor                 ecx, ecx
            //   4533c0               | dec                 ebp
            //   33d2                 | mov                 ecx, eax

        $sequence_5 = { 4c8b05???????? 488bcb 488b15???????? e8???????? }
            // n = 4, score = 500
            //   4c8b05????????       |                     
            //   488bcb               | inc                 ebp
            //   488b15????????       |                     
            //   e8????????           |                     

        $sequence_6 = { f30f5905???????? 0f5ad0 66490f7ed0 e8???????? }
            // n = 4, score = 500
            //   f30f5905????????     |                     
            //   0f5ad0               | dec                 esp
            //   66490f7ed0           | mov                 eax, edx
            //   e8????????           |                     

        $sequence_7 = { 66833f5c 4a8d1c30 751a 66837e0a5c 7513 66837e0c3f 740c }
            // n = 7, score = 400
            //   66833f5c             | dec                 esp
            //   4a8d1c30             | mov                 esi, edx
            //   751a                 | dec                 esp
            //   66837e0a5c           | lea                 eax, [esp + 0x30]
            //   7513                 | dec                 eax
            //   66837e0c3f           | and                 dword ptr [esp + 0x20], 0
            //   740c                 | inc                 ebp

        $sequence_8 = { c3 bb68000000 488d4c2450 448bc3 33d2 }
            // n = 5, score = 300
            //   c3                   | dec                 ebp
            //   bb68000000           | mov                 ecx, eax
            //   488d4c2450           | dec                 esp
            //   448bc3               | mov                 eax, edx
            //   33d2                 | dec                 esp

        $sequence_9 = { 7505 e8???????? 833d????????00 7409 833d????????00 7505 e8???????? }
            // n = 7, score = 300
            //   7505                 | cmp                 eax, 0x52e
            //   e8????????           |                     
            //   833d????????00       |                     
            //   7409                 | mov                 ecx, eax
            //   833d????????00       |                     
            //   7505                 | and                 ecx, 0xffff0000
            //   e8????????           |                     

        $sequence_10 = { ff15???????? 8bc8 81e10000ffff 81f900000780 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   8bc8                 | movzx               eax, ax
            //   81e10000ffff         | mov                 ecx, eax
            //   81f900000780         | and                 ecx, 0xffff0000

        $sequence_11 = { ff15???????? 85c0 7509 f0ff05???????? }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   85c0                 | jne                 0xb
            //   7509                 | movzx               eax, ax
            //   f0ff05????????       |                     

        $sequence_12 = { 33c9 ff15???????? 8bd8 85c0 7433 488364242800 4c8d442430 }
            // n = 7, score = 300
            //   33c9                 | mov                 ecx, dword ptr [esp + 0x58]
            //   ff15????????         |                     
            //   8bd8                 | xor                 edx, edx
            //   85c0                 | mov                 dword ptr [esp + 0x30], 1
            //   7433                 | mov                 dword ptr [esp + 0x3c], 2
            //   488364242800         | dec                 ecx
            //   4c8d442430           | mov                 ebp, eax

        $sequence_13 = { ff35???????? 8d4580 ff7618 ff760c }
            // n = 4, score = 100
            //   ff35????????         |                     
            //   8d4580               | dec                 eax
            //   ff7618               | mov                 dword ptr [esp + 0x10], esi
            //   ff760c               | push                edi

        $sequence_14 = { 6a09 5d 57 56 8d442414 }
            // n = 5, score = 100
            //   6a09                 | dec                 eax
            //   5d                   | sub                 esp, 0x20
            //   57                   | cmp                 word ptr [ecx + 2], 0x3a
            //   56                   | dec                 eax
            //   8d442414             | mov                 edi, ecx

        $sequence_15 = { f7d8 c3 55 8bec 83ec30 68???????? }
            // n = 6, score = 100
            //   f7d8                 | jne                 0x24
            //   c3                   | cmp                 word ptr [esi + 0xc], 0x3f
            //   55                   | je                  0x24
            //   8bec                 | dec                 eax
            //   83ec30               | mov                 dword ptr [esp + 8], ebx
            //   68????????           |                     

        $sequence_16 = { 8d4580 50 68???????? e8???????? ff7508 8d4580 }
            // n = 6, score = 100
            //   8d4580               | jne                 0x2e
            //   50                   | dec                 eax
            //   68????????           |                     
            //   e8????????           |                     
            //   ff7508               | and                 dword ptr [esp + 0x20], 0
            //   8d4580               | inc                 ebp

    condition:
        7 of them and filesize < 368640
}
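To see how the autogenerated rule above actually fires, here is an added example (my own code, not Malpedia's or yara-signator's) that translates the rule's hex strings, `??` wildcards included, into byte regexes and evaluates its `7 of them and filesize < 368640` condition against an in-memory buffer, using only the Python standard library rather than yara-python. The SAMPLE buffer is constructed here from eight of the rule's own sequences and is not a real MountLocker binary.

```python
import re

# Hex strings copied from win_mount_locker_auto above; "??" is a one-byte wildcard.
RULE_STRINGS = {
    "sequence_0": "4d8bc8 4c8bc2 4c8bf2 8bf1 33d2",
    "sequence_1": "4c8d442430 488364242000 4533c9 488b4c2458 33d2 c744243001000000 c744243c02000000",
    "sequence_2": "81e10000ffff 81f900000780 7503 0fb7c0",
    "sequence_3": "488d4df0 4889442428 4533c9 4533c0",
    "sequence_4": "488b0b 41b902000000 4533c0 33d2",
    "sequence_5": "4c8b05???????? 488bcb 488b15???????? e8????????",
    "sequence_6": "f30f5905???????? 0f5ad0 66490f7ed0 e8????????",
    "sequence_7": "66833f5c 4a8d1c30 751a 66837e0a5c 7513 66837e0c3f 740c",
    "sequence_8": "c3 bb68000000 488d4c2450 448bc3 33d2",
    "sequence_9": "7505 e8???????? 833d????????00 7409 833d????????00 7505 e8????????",
    "sequence_10": "ff15???????? 8bc8 81e10000ffff 81f900000780",
    "sequence_11": "ff15???????? 85c0 7509 f0ff05????????",
    "sequence_12": "33c9 ff15???????? 8bd8 85c0 7433 488364242800 4c8d442430",
    "sequence_13": "ff35???????? 8d4580 ff7618 ff760c",
    "sequence_14": "6a09 5d 57 56 8d442414",
    "sequence_15": "f7d8 c3 55 8bec 83ec30 68????????",
    "sequence_16": "8d4580 50 68???????? e8???????? ff7508 8d4580",
}
MIN_MATCHES = 7        # condition: "7 of them"
MAX_FILESIZE = 368640  # condition: "filesize < 368640"

def byte_pairs(pattern):
    """Split a YARA hex string into two-character tokens ("4d", "??", ...)."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex string must contain whole bytes: %r" % pattern)
    return [digits[i:i + 2] for i in range(0, len(digits), 2)]

def hex_string_to_regex(pattern):
    """Compile a hex string to a bytes regex; ?? becomes '.' (any single byte)."""
    parts = []
    for pair in byte_pairs(pattern):
        if pair == "??":
            parts.append(b".")
        elif "?" in pair:
            raise ValueError("nibble wildcards not handled here: %r" % pair)
        else:
            parts.append(b"\\x%02x" % int(pair, 16))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so '.' also matches 0x0a

COMPILED = {name: hex_string_to_regex(p) for name, p in RULE_STRINGS.items()}

def matching_strings(data):
    """Names of the rule's strings that occur at least once in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def rule_matches(data):
    """Evaluate the rule's condition over an in-memory buffer."""
    return len(data) < MAX_FILESIZE and len(matching_strings(data)) >= MIN_MATCHES

def materialize(pattern, filler=0x00):
    """Constructed test input: the hex string with every ?? replaced by filler."""
    return bytes(filler if pair == "??" else int(pair, 16) for pair in byte_pairs(pattern))

# Constructed sample (not a real binary): sequences 0-7 embedded in padding, so the
# 7-of-17 threshold is met; wildcard positions are filled with 0xAA.
SAMPLE = (b"MZ" + b"\x90" * 64
          + b"".join(materialize(RULE_STRINGS["sequence_%d" % i], 0xAA) for i in range(8))
          + b"\x00" * 32)

if __name__ == "__main__":
    print("matched:", matching_strings(SAMPLE))   # sequence_0 .. sequence_7
    print("rule fires:", rule_matches(SAMPLE))    # True
```

Pointing `rule_matches` at a dump that is larger than 368640 bytes returns False even when all strings are present, which is the same size cap the rule itself applies to unpacked samples.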