win.qakbot

QakBot

aka: Pinkslipbot, Qbot, Quakbot

There is no description at this point.

References
2020-06-24 | Morphisec | Arnold Osipov
@online{osipov:20200624:obfuscated:74bfeed,
  author       = {Arnold Osipov},
  title        = {{Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex}},
  date         = {2020-06-24},
  organization = {Morphisec},
  url          = {https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex},
  language     = {English},
  urldate      = {2020-06-25},
}
Dridex ISFB QakBot Zloader
2020-06-21 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200621:upnp:f54abe6,
  author       = {Andreas Klopsch},
  title        = {{UpnP – Messing up Security since years}},
  date         = {2020-06-21},
  organization = {Malware and Stuff},
  url          = {https://malwareandstuff.com/upnp-messing-up-security-since-years/},
  language     = {English},
  urldate      = {2020-06-22},
}
QakBot
2020-06-16 | Hornetsecurity | Security Lab
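@comment{ corporate author wrapped in an extra brace pair so it is treated as one indivisible name instead of first="Security" last="Lab" (the "lab" token in the citation key shows the earlier mis-parse); the key itself is left unchanged so existing citations keep working }
@online{lab:20200616:qakbot:0353100,
  author       = {{Security Lab}},
  title        = {{QakBot malspam leading to ProLock: Nothing personal just business}},
  date         = {2020-06-16},
  organization = {Hornetsecurity},
  url          = {https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/},
  language     = {English},
  urldate      = {2020-07-01},
}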
PwndLocker QakBot
2020-06-11 | F5 Labs | Doron Voolf
@online{voolf:20200611:qbot:1bd9fe7,
  author       = {Doron Voolf},
  title        = {{Qbot Banking Trojan Still Up to Its Old Tricks}},
  date         = {2020-06-11},
  organization = {F5 Labs},
  url          = {https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks},
  language     = {English},
  urldate      = {2020-06-16},
}
QakBot
2020-05-05 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200505:old:84beb5b,
  author       = {Andreas Klopsch},
  title        = {{An old enemy – Diving into QBot part 3}},
  date         = {2020-05-05},
  organization = {Malware and Stuff},
  url          = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/},
  language     = {English},
  urldate      = {2020-05-05},
}
QakBot
2020-03-30 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200330:old:ed1f6ef,
  author       = {Andreas Klopsch},
  title        = {{An old enemy – Diving into QBot part 1}},
  date         = {2020-03-30},
  organization = {Malware and Stuff},
  url          = {https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/},
  language     = {English},
  urldate      = {2020-04-01},
}
QakBot
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
  author      = {CrowdStrike},
  title       = {{2020 CrowdStrike Global Threat Report}},
  date        = {2020-03-04},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  language    = {English},
  urldate     = {2020-03-04},
}
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | PWC UK | PWC UK
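@comment{ corporate author wrapped in an extra brace pair so "PWC UK" is one name rather than first="PWC" last="UK" (the "uk" token in the citation key shows the earlier mis-parse); a missing space after the colon in the title is restored; the key is left unchanged so existing citations keep working }
@techreport{uk:20200303:cyber:1f1eef0,
  author      = {{PWC UK}},
  title       = {{Cyber Threats 2019: A Year in Retrospect}},
  date        = {2020-03-03},
  institution = {PWC UK},
  url         = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  language    = {English},
  urldate     = {2020-03-03},
}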
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-19 | FireEye | FireEye
@online{fireeye:20200219:mtrends:193613a,
  author       = {FireEye},
  title        = {{M-Trends 2020}},
  date         = {2020-02-19},
  organization = {FireEye},
  url          = {https://content.fireeye.com/m-trends/rpt-m-trends-2020},
  language     = {English},
  urldate      = {2020-02-20},
}
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-10 | Malwarebytes | Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12,
  author      = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and
                 Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and
                 David Ruiz},
  title       = {{2020 State of Malware Report}},
  date        = {2020-02-10},
  institution = {Malwarebytes},
  url         = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf},
  language    = {English},
  urldate     = {2020-02-13},
}
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-03 | Youtube (BSides Belfast) | Nick Summerlin, Jorge Rodriguez
@online{summerlin:20200103:demystifying:c0a1a19,
  author       = {Nick Summerlin and Jorge Rodriguez},
  title        = {{Demystifying QBot Banking Trojan}},
  date         = {2020-01-03},
  organization = {Youtube (BSides Belfast)},
  url          = {https://www.youtube.com/watch?v=iB1psRMtlqg},
  language     = {English},
  urldate      = {2020-02-21},
}
QakBot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:00ad0eb,
  author       = {SecureWorks},
  title        = {{GOLD LAGOON}},
  date         = {2020},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/threat-profiles/gold-lagoon},
  language     = {English},
  urldate      = {2020-05-23},
}
QakBot
2019-11-12 | Hatching.io | Markel Picado
@online{picado:20191112:reversing:de8a8b6,
  author       = {Markel Picado},
  title        = {{Reversing Qakbot}},
  date         = {2019-11-12},
  organization = {Hatching.io},
  url          = {https://hatching.io/blog/reversing-qakbot},
  language     = {English},
  urldate      = {2020-01-07},
}
QakBot
2019-06-03 | Varonis | Dolev Taler, Eric Saraga
@online{taler:20190603:varonis:21ad52e,
  author       = {Dolev Taler and Eric Saraga},
  title        = {{Varonis Exposes Global Cyber Campaign: C2 Server Actively Compromising Thousands of Victims}},
  date         = {2019-06-03},
  organization = {Varonis},
  url          = {https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/},
  language     = {English},
  urldate      = {2020-01-05},
}
QakBot
2019-05-02 | Cisco Talos | Ashlee Benge, Nick Randolph
@online{benge:20190502:qakbot:8c34660,
  author       = {Ashlee Benge and Nick Randolph},
  title        = {{Qakbot levels up with new obfuscation techniques}},
  date         = {2019-05-02},
  organization = {Cisco Talos},
  url          = {https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html},
  language     = {English},
  urldate      = {2019-10-14},
}
QakBot
2018-07-29 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20180729:lets:8f04eed,
  author       = {Vitali Kremez},
  title        = {{Let's Learn: In-Depth Reversing of Qakbot "qbot" Banker Part 1}},
  date         = {2018-07-29},
  organization = {Vitali Kremez Blog},
  url          = {https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html},
  language     = {English},
  urldate      = {2020-01-06},
}
QakBot
2017-06-02 | SecurityIntelligence | Mike Oppenheim, Kevin Zuk, Matan Meir, Limor Kessem
@online{oppenheim:20170602:qakbot:ffff91a,
  author       = {Mike Oppenheim and Kevin Zuk and Matan Meir and Limor Kessem},
  title        = {{QakBot Banking Trojan Causes Massive Active Directory Lockouts}},
  date         = {2017-06-02},
  organization = {SecurityIntelligence},
  url          = {https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/},
  language     = {English},
  urldate      = {2020-01-10},
}
QakBot
2017-05-23 | ThreatVector | Cylance Threat Research Team
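@comment{ corporate author wrapped in an extra brace pair so the whole team name is one indivisible name instead of last="Team" (the "team" token in the citation key shows the earlier mis-parse); the key is left unchanged so existing citations keep working }
@online{team:20170523:quakbot:3572c02,
  author       = {{Cylance Threat Research Team}},
  title        = {{Quakbot}},
  date         = {2017-05-23},
  organization = {ThreatVector},
  url          = {https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html},
  language     = {English},
  urldate      = {2020-01-08},
}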
QakBot
2016-08 | Intel Security | Sanchit Karve, Guilherme Venere, Mark Olea
@techreport{karve:201608:diving:6f604b3,
  author      = {Sanchit Karve and Guilherme Venere and Mark Olea},
  title       = {{DIVING INTO PINKSLIPBOT’S LATEST CAMPAIGN}},
  date        = {2016-08},
  institution = {Intel Security},
  url         = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf},
  language    = {English},
  urldate     = {2019-11-27},
}
QakBot
2016-02-24 | Johannes Bader Blog | Johannes Bader
@online{bader:20160224:dga:735ff10,
  author       = {Johannes Bader},
  title        = {{The DGA of Qakbot.T}},
  date         = {2016-02-24},
  organization = {Johannes Bader Blog},
  url          = {https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/},
  language     = {English},
  urldate      = {2020-01-06},
}
QakBot
2016 | BAE Systems | BAE Systems
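@comment{ corporate author wrapped in an extra brace pair so "BAE Systems" is one name rather than first="BAE" last="Systems" (the "systems" token in the citation key shows the earlier mis-parse); the key is left unchanged so existing citations keep working }
@techreport{systems:2016:return:52c175d,
  author      = {{BAE Systems}},
  title       = {{The Return of Qbot}},
  date        = {2016},
  institution = {BAE Systems},
  url         = {https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf},
  language    = {English},
  urldate     = {2019-11-29},
}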
QakBot
2012 | Symantec | Nicolas Falliere
@techreport{falliere:2012:w32qakbot:974b5b5,
  author      = {Nicolas Falliere},
  title       = {{W32.Qakbot in Detail}},
  date        = {2012},
  institution = {Symantec},
  url         = {http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf},
  language    = {English},
  urldate     = {2019-11-28},
}
QakBot
2011-05-25 | Contagio Dump | Mila Parkour
@comment{ the url below is a generic blogspot "template.html" path (2010/11) rather than a post slug matching the 2011-05-25 date; verify that it still resolves to the cited W32.Qakbot write-up before relying on it }
@online{parkour:20110525:w32qakbot:b814de0,
  author       = {Mila Parkour},
  title        = {{W32.Qakbot aka W32/Pinkslipbot or infostealer worm}},
  date         = {2011-05-25},
  organization = {Contagio Dump},
  url          = {http://contagiodump.blogspot.com/2010/11/template.html},
  language     = {English},
  urldate      = {2019-11-21},
}
QakBot
Yara Rules
[TLP:WHITE] win_qakbot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_qakbot_auto {
    // Auto-generated code-sequence signature for the QakBot (aka Qbot /
    // Pinkslipbot) family, Malpedia identifier win.qakbot. Provenance and the
    // generation method are recorded in the meta fields and the DISCLAIMER
    // block below; the rule was not hand-written.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): date is one day after malpedia_rule_date /
        // malpedia_version (20200529); presumably date is when the rule text
        // was emitted and the malpedia_* fields name the data snapshot — confirm.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is a run of raw x86 (32-bit) machine-code bytes; the
    // comment block under it is the matching disassembly, one line per
    // instruction. In those annotations "n" is the number of instructions in
    // the sequence (it always equals the number of listed instructions) and
    // "score" is the ranking yara-signator assigned to the sequence. The
    // scoring scheme is not documented here; note only that $sequence_20 to
    // $sequence_27 carry score 100 while every other sequence carries
    // 3200-3600, so the low-scoring ones are presumably weaker evidence.
    // "??" bytes are wildcards. They occupy the operand bytes of instructions
    // whose disassembly is left blank (rel32 calls/jumps, call/mov through an
    // absolute address, 32-bit immediates), i.e. positions that vary between
    // samples and builds — TODO confirm against the yara-signator docs.

    strings:
        $sequence_0 = { 50 ff5508 8bf0 59 }
            // n = 4, score = 3600
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx

        $sequence_1 = { 57 ff15???????? 33c0 85f6 0f94c0 }
            // n = 5, score = 3600
            //   57                   | push                edi
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   85f6                 | test                esi, esi
            //   0f94c0               | sete                al

        $sequence_2 = { 83c40c 33c0 5b 5f 5e c9 c3 }
            // n = 7, score = 3500
            //   83c40c               | add                 esp, 0xc
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_3 = { 7412 8d85d8feffff 50 57 }
            // n = 4, score = 3500
            //   7412                 | je                  0x14
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_4 = { ff750c 8d85d8feffff 50 ff5508 }
            // n = 4, score = 3500
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8d85d8feffff         | lea                 eax, [ebp - 0x128]
            //   50                   | push                eax
            //   ff5508               | call                dword ptr [ebp + 8]

        $sequence_5 = { 740d 8d45fc 6a00 50 e8???????? 59 }
            // n = 6, score = 3400
            //   740d                 | je                  0xf
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_6 = { ff15???????? 85c0 750c 57 ff15???????? 6afe }
            // n = 6, score = 3400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750c                 | jne                 0xe
            //   57                   | push                edi
            //   ff15????????         |                     
            //   6afe                 | push                -2

        $sequence_7 = { 56 e8???????? 83c40c 8d4514 50 }
            // n = 5, score = 3400
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   50                   | push                eax

        $sequence_8 = { c3 33c9 3d80000000 0f94c1 }
            // n = 4, score = 3400
            //   c3                   | ret                 
            //   33c9                 | xor                 ecx, ecx
            //   3d80000000           | cmp                 eax, 0x80
            //   0f94c1               | sete                cl

        // $sequence_9 and $sequence_12 overlap (both contain "shr eax, 0xb;
        // xor edx, eax"). Together they read a state array indexed through
        // [ecx + 0x9c0] and post-increment that index, which resembles the
        // output step of a Mersenne-Twister-style PRNG (0x9c0 = 624 * 4, and
        // y ^= y >> 11 is MT19937's first tempering shift). The 0xff3a58ad mask
        // in $sequence_9 is NOT the standard MT19937 tempering constant, so
        // treat this as an unconfirmed observation rather than an identification.
        $sequence_9 = { c1e80b 33d0 8bc2 25ad583aff }
            // n = 4, score = 3400
            //   c1e80b               | shr                 eax, 0xb
            //   33d0                 | xor                 edx, eax
            //   8bc2                 | mov                 eax, edx
            //   25ad583aff           | and                 eax, 0xff3a58ad

        $sequence_10 = { 6a00 6a02 ff15???????? 8bf8 83c8ff 3bf8 }
            // n = 6, score = 3400
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   83c8ff               | or                  eax, 0xffffffff
            //   3bf8                 | cmp                 edi, eax

        $sequence_11 = { 7507 c74508???????? e8???????? 85c0 7d08 83c8ff e9???????? }
            // n = 7, score = 3400
            //   7507                 | jne                 9
            //   c74508????????       |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7d08                 | jge                 0xa
            //   83c8ff               | or                  eax, 0xffffffff
            //   e9????????           |                     

        $sequence_12 = { 8b81c0090000 8b1481 40 8981c0090000 8bc2 c1e80b 33d0 }
            // n = 7, score = 3400
            //   8b81c0090000         | mov                 eax, dword ptr [ecx + 0x9c0]
            //   8b1481               | mov                 edx, dword ptr [ecx + eax*4]
            //   40                   | inc                 eax
            //   8981c0090000         | mov                 dword ptr [ecx + 0x9c0], eax
            //   8bc2                 | mov                 eax, edx
            //   c1e80b               | shr                 eax, 0xb
            //   33d0                 | xor                 edx, eax

        $sequence_13 = { e9???????? 33c0 7402 ebfa }
            // n = 4, score = 3300
            //   e9????????           |                     
            //   33c0                 | xor                 eax, eax
            //   7402                 | je                  4
            //   ebfa                 | jmp                 0xfffffffc

        $sequence_14 = { 33c0 e9???????? 8d45f0 50 6a02 }
            // n = 5, score = 3200
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   6a02                 | push                2

        $sequence_15 = { 68???????? e8???????? 83c408 837d0800 }
            // n = 4, score = 3200
            //   68????????           |                     
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0

        $sequence_16 = { 83c408 8b5508 8b45fc 8902 8b45fc }
            // n = 5, score = 3200
            //   83c408               | add                 esp, 8
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8902                 | mov                 dword ptr [edx], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_17 = { 894df8 8b55f8 52 8b4508 8b08 51 8b55fc }
            // n = 7, score = 3200
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   51                   | push                ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        // The immediate 0xea60 is decimal 60000; plausibly a millisecond
        // timeout/interval argument to the wildcarded call — unverified.
        $sequence_18 = { c745fc00000000 6860ea0000 a1???????? 50 e8???????? 83c408 8945fc }
            // n = 7, score = 3200
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6860ea0000           | push                0xea60
            //   a1????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_19 = { 8bec 6a00 6800000800 6a00 }
            // n = 4, score = 3200
            //   8bec                 | mov                 ebp, esp
            //   6a00                 | push                0
            //   6800000800           | push                0x80000
            //   6a00                 | push                0

        // From here on every sequence scores 100 (vs. 3200-3600 above); these
        // are also written in a different register-allocation / stack-frame
        // style (esp-relative operands, "and esp, 0xfffffff8"), which suggests
        // they come from a different build or compiler than $sequence_0..19.
        $sequence_20 = { 56 83e4f8 83ec60 8b4508 31c9 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   83e4f8               | and                 esp, 0xfffffff8
            //   83ec60               | sub                 esp, 0x60
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   31c9                 | xor                 ecx, ecx

        $sequence_21 = { 6689742466 8b7c2448 8b5c2434 033c8b }
            // n = 4, score = 100
            //   6689742466           | mov                 word ptr [esp + 0x66], si
            //   8b7c2448             | mov                 edi, dword ptr [esp + 0x48]
            //   8b5c2434             | mov                 ebx, dword ptr [esp + 0x34]
            //   033c8b               | add                 edi, dword ptr [ebx + ecx*4]

        $sequence_22 = { 890424 8b4df4 894c2404 8b55ec ffd2 83ec08 b966000000 }
            // n = 7, score = 100
            //   890424               | mov                 dword ptr [esp], eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   ffd2                 | call                edx
            //   83ec08               | sub                 esp, 8
            //   b966000000           | mov                 ecx, 0x66

        $sequence_23 = { 8b7c2448 8b440720 01c7 8b442468 bb0af56163 }
            // n = 5, score = 100
            //   8b7c2448             | mov                 edi, dword ptr [esp + 0x48]
            //   8b440720             | mov                 eax, dword ptr [edi + eax + 0x20]
            //   01c7                 | add                 edi, eax
            //   8b442468             | mov                 eax, dword ptr [esp + 0x68]
            //   bb0af56163           | mov                 ebx, 0x6361f50a

        $sequence_24 = { 8b4df8 803c0100 8945f0 8955f4 74da ebe0 }
            // n = 6, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   803c0100             | cmp                 byte ptr [ecx + eax], 0
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   74da                 | je                  0xffffffdc
            //   ebe0                 | jmp                 0xffffffe2

        $sequence_25 = { 8b8c24e4000000 8a9424d7000000 229424d7000000 81c163f804c4 }
            // n = 4, score = 100
            //   8b8c24e4000000       | mov                 ecx, dword ptr [esp + 0xe4]
            //   8a9424d7000000       | mov                 dl, byte ptr [esp + 0xd7]
            //   229424d7000000       | and                 dl, byte ptr [esp + 0xd7]
            //   81c163f804c4         | add                 ecx, 0xc404f863

        $sequence_26 = { 83ec10 8b942484000000 8b7c243c 8b5c244c 0faffb }
            // n = 5, score = 100
            //   83ec10               | sub                 esp, 0x10
            //   8b942484000000       | mov                 edx, dword ptr [esp + 0x84]
            //   8b7c243c             | mov                 edi, dword ptr [esp + 0x3c]
            //   8b5c244c             | mov                 ebx, dword ptr [esp + 0x4c]
            //   0faffb               | imul                edi, ebx

        $sequence_27 = { 89f7 81c71ad6f45b 897dec 66c780e40000004c01 }
            // n = 4, score = 100
            //   89f7                 | mov                 edi, esi
            //   81c71ad6f45b         | add                 edi, 0x5bf4d61a
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   66c780e40000004c01     | mov    word ptr [eax + 0xe4], 0x14c

    condition:
        // Fire when any 7 of the 28 sequences are present in a scanned object
        // smaller than 958464 bytes (~936 KiB). The threshold is not weighted by
        // the per-sequence score, so seven of the score-100 sequences alone
        // satisfy it. The size cap presumably limits false positives and scan
        // cost on large files, but it also means a larger packed, bundled or
        // memory-dumped sample will never match — keep that in mind when
        // assigning confidence to a miss.
        7 of them and filesize < 958464
}