win.royal_ransom

Royal Ransom


Ransomware

References
2023-09-12 | ANSSI | ANSSI
@techreport{anssi:20230912:fin12:b0a08e2, author = {ANSSI}, title = {{FIN12: A Cybercriminal Group with Multiple Ransomware}}, date = {2023-09-12}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf}, language = {French}, urldate = {2023-09-20} } FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-07-26 | Talos | Nicole Hoffman
@online{hoffman:20230726:incident:4731c33, author = {Nicole Hoffman}, title = {{Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical}}, date = {2023-07-26}, organization = {Talos}, url = {https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/}, language = {English}, urldate = {2023-08-03} } Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
BianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom
2023-06-27 | SecurityIntelligence | Charlotte Hammond, Ole Villadsen
@online{hammond:20230627:trickbotconti:5e1f20d, author = {Charlotte Hammond and Ole Villadsen}, title = {{The Trickbot/Conti Crypters: Where Are They Now?}}, date = {2023-06-27}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/}, language = {English}, urldate = {2023-07-31} } The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-05-10 | Bridewell | Bridewell
@online{bridewell:20230510:hunting:461fdf0, author = {Bridewell}, title = {{Hunting for Ursnif}}, date = {2023-05-10}, organization = {Bridewell}, url = {https://www.bridewell.com/insights/news/detail/hunting-for-ursnif}, language = {English}, urldate = {2023-05-15} } Hunting for Ursnif
ISFB Royal Ransom
2023-05-09 | paloalto Networks: Unit42 | Doel Santos, Daniel Bunce, Anthony Galiette
@online{santos:20230509:threat:c231c7f, author = {Doel Santos and Daniel Bunce and Anthony Galiette}, title = {{Threat Assessment: Royal Ransomware}}, date = {2023-05-09}, organization = {paloalto Networks: Unit42}, url = {https://unit42.paloaltonetworks.com/royal-ransomware/}, language = {English}, urldate = {2023-05-10} } Threat Assessment: Royal Ransomware
Royal Ransom Royal Ransom
2023-04-19 | Bleeping Computer | Bill Toulas
@online{toulas:20230419:march:2c99c12, author = {Bill Toulas}, title = {{March 2023 broke ransomware attack records with 459 incidents}}, date = {2023-04-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/}, language = {English}, urldate = {2023-04-28} } March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-04-18 | Mandiant | Mandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-11 | Coalition | Leeann Nicolo
@online{nicolo:20230411:security:f759e09, author = {Leeann Nicolo}, title = {{Security Alert: Royal Ransomware Targeting Firewalls}}, date = {2023-04-11}, organization = {Coalition}, url = {https://www.coalitioninc.com/blog/active-exploitation-firewalls}, language = {English}, urldate = {2023-04-26} } Security Alert: Royal Ransomware Targeting Firewalls
Royal Ransom
2023-04-03 | Trellix | Alexandre Mundo, Max Kersten
@online{mundo:20230403:royal:43c339b, author = {Alexandre Mundo and Max Kersten}, title = {{A Royal Analysis of Royal Ransom}}, date = {2023-04-03}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html}, language = {English}, urldate = {2023-04-06} } A Royal Analysis of Royal Ransom
Royal Ransom
2023-03-30 | United States District Court (Eastern District of New York) | Microsoft, Fortra, HEALTH-ISAC
@techreport{microsoft:20230330:cracked:08c67c0, author = {Microsoft and Fortra and HEALTH-ISAC}, title = {{Cracked Cobalt Strike (1:23-cv-02447)}}, date = {2023-03-30}, institution = {United States District Court (Eastern District of New York)}, url = {https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf}, language = {English}, urldate = {2023-04-28} } Cracked Cobalt Strike (1:23-cv-02447)
Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader
2023-03-10 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20230310:from:6bceb30, author = {Jason Reaves and Joshua Platt}, title = {{From Royal With Love}}, date = {2023-03-10}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65}, language = {English}, urldate = {2023-03-13} } From Royal With Love
Cobalt Strike Conti PLAY Royal Ransom Somnia
2023-03-02 | CISA | CISA
@online{cisa:20230302:stopransomware:09958a9, author = {CISA}, title = {{#StopRansomware: Royal Ransomware}}, date = {2023-03-02}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a}, language = {English}, urldate = {2023-03-04} } #StopRansomware: Royal Ransomware
Royal Ransom Royal Ransom
2023-02-27 | PRODAFT Threat Intelligence | PRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-20 | Trendmicro | Nathaniel Morales, Ivan Nicole Chavez, Byron Gelera
@online{morales:20230220:royal:36bcea3, author = {Nathaniel Morales and Ivan Nicole Chavez and Byron Gelera}, title = {{Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers}}, date = {2023-02-20}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html}, language = {English}, urldate = {2023-03-04} } Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers
Royal Ransom Royal Ransom
2023-02-13 | Kroll | Laurie Iacono, Stephen Green
@online{iacono:20230213:royal:c789fcc, author = {Laurie Iacono and Stephen Green}, title = {{Royal Ransomware Deep Dive}}, date = {2023-02-13}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive}, language = {English}, urldate = {2023-04-22} } Royal Ransomware Deep Dive
Cobalt Strike Royal Ransom
2023-01-24 | ACSC | Australian Cyber Security Centre (ACSC)
@online{acsc:20230124:202301:0fa06a3, author = {Australian Cyber Security Centre (ACSC)}, title = {{2023-01: ACSC Ransomware Profile - Royal}}, date = {2023-01-24}, organization = {ACSC}, url = {https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal}, language = {English}, urldate = {2023-05-05} } 2023-01: ACSC Ransomware Profile - Royal
Royal Ransom
2023-01-09 | SOCRadar | SOCRadar
@online{socradar:20230109:dark:c166fac, author = {SOCRadar}, title = {{Dark Web Profile: Royal Ransomware}}, date = {2023-01-09}, organization = {SOCRadar}, url = {https://socradar.io/dark-web-profile-royal-ransomware/}, language = {English}, urldate = {2023-01-16} } Dark Web Profile: Royal Ransomware
Royal Ransom
2023-01-05 | Logpoint | Anish Bogati
@online{bogati:20230105:crowning:ee8f347, author = {Anish Bogati}, title = {{A crowning achievement: Exploring the exploit of Royal ransomware}}, date = {2023-01-05}, organization = {Logpoint}, url = {https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/}, language = {English}, urldate = {2023-01-06} } A crowning achievement: Exploring the exploit of Royal ransomware
Royal Ransom
2022-12-21 | Trendmicro | Ivan Nicole Chavez, Byron Gelera, Monte de Jesus, Don Ovid Ladores, Khristian Joseph Morales
@online{chavez:20221221:conti:d755947, author = {Ivan Nicole Chavez and Byron Gelera and Monte de Jesus and Don Ovid Ladores and Khristian Joseph Morales}, title = {{Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks}}, date = {2022-12-21}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html}, language = {English}, urldate = {2022-12-24} } Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
Royal Ransom
2022-12-14 | Cybereason | Eli Salem, Alon Laufer, Mark Tsipershtein
@online{salem:20221214:royal:c5960bd, author = {Eli Salem and Alon Laufer and Mark Tsipershtein}, title = {{Royal Rumble: Analysis of Royal Ransomware}}, date = {2022-12-14}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/royal-ransomware-analysis}, language = {English}, urldate = {2022-12-15} } Royal Rumble: Analysis of Royal Ransomware
Royal Ransom
2022-12-13 | Avertium | Avertium
@online{avertium:20221213:everything:7b69285, author = {Avertium}, title = {{Everything You Need to Know about Royal Ransomware}}, date = {2022-12-13}, organization = {Avertium}, url = {https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware}, language = {English}, urldate = {2022-12-24} } Everything You Need to Know about Royal Ransomware
Royal Ransom
2022-11-27 | SecurityScorecard | Vlad Pasca
@online{pasca:20221127:technical:c2326cf, author = {Vlad Pasca}, title = {{A Technical Analysis of Royal Ransomware}}, date = {2022-11-27}, organization = {SecurityScorecard}, url = {https://securityscorecard.pathfactory.com/research/the-royal-ransomware}, language = {English}, urldate = {2022-11-28} } A Technical Analysis of Royal Ransomware
Royal Ransom
2022-11-17 | Yoroi | Luigi Martire, Carmelo Ragusa
@online{martire:20221117:reconstructing:5b546b1, author = {Luigi Martire and Carmelo Ragusa}, title = {{Reconstructing the last activities of Royal Ransomware}}, date = {2022-11-17}, organization = {Yoroi}, url = {https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/}, language = {English}, urldate = {2022-11-18} } Reconstructing the last activities of Royal Ransomware
Royal Ransom
2022-11-17 | Microsoft | Microsoft Security Threat Intelligence
@online{intelligence:20221117:dev0569:86675d7, author = {Microsoft Security Threat Intelligence}, title = {{DEV-0569 finds new ways to deliver Royal ransomware, various payloads}}, date = {2022-11-17}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/}, language = {English}, urldate = {2023-01-05} } DEV-0569 finds new ways to deliver Royal ransomware, various payloads
Royal Ransom
2022-10-13 | Fortinet | Shunichi Imano, James Slaughter
@online{imano:20221013:ransomware:d68098e, author = {Shunichi Imano and James Slaughter}, title = {{Ransomware Roundup: Royal Ransomware}}, date = {2022-10-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware}, language = {English}, urldate = {2022-10-25} } Ransomware Roundup: Royal Ransomware
Royal Ransom
2022-09-29 | BleepingComputer | Lawrence Abrams
@online{abrams:20220929:new:6e43d69, author = {Lawrence Abrams}, title = {{New Royal Ransomware emerges in multi-million dollar attacks}}, date = {2022-09-29}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/}, language = {English}, urldate = {2022-11-03} } New Royal Ransomware emerges in multi-million dollar attacks
Royal Ransom
Yara Rules
[TLP:WHITE] win_royal_ransom_auto (20230715 | Detects win.royal_ransom.)
/*
 * win_royal_ransom_auto: autogenerated code-sequence signature for the
 * Royal Ransom family (Malpedia id win.royal_ransom), produced by
 * yara-signator v0.6.0 (see the `tool` / `signator_config` meta fields).
 *
 * How it matches: each $sequence_N is a run of seven consecutive instruction
 * encodings lifted from the disassembly of one unpacked sample or memory dump
 * (see the DISCLAIMER below). The `????????` bytes mask the 4-byte operand that
 * follows `e8` / `e9` — presumably call/jmp targets, which differ between
 * builds — so a sequence is tied to the instruction stream, not to one address
 * layout. The rule fires when at least 7 of the 10 sequences are present and
 * the scanned file is smaller than 6235136 bytes (~5.9 MiB); given the
 * generation method it is intended for unpacked code, not packed droppers.
 *
 * NOTE(review): the `| mnemonic` column in the per-sequence comments below does
 * not correspond to the bytes on the left (e.g. `488d05f53ee4ff` is annotated
 * `dec eax` and `834f5404` as `mov eax, 0x1e6`). In 64-bit mode 0x48 is a
 * REX.W prefix, so the annotations look like a 32-bit decode that has also
 * drifted out of step with the hex column. Treat the hex bytes as authoritative
 * and re-disassemble them in 64-bit mode before reasoning about what a
 * sequence does; do not cite the annotated mnemonics in reports.
 *
 * The `n = 7, score = 100` lines are generator output; `score` is presumably
 * the generator's ranking of the sequence and is not a match-confidence value.
 */
rule win_royal_ransom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.royal_ransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each entry: seven instruction encodings, hex-only; the mnemonic
        // annotations are unreliable (see NOTE(review) in the rule header).
        $sequence_0 = { e8???????? 834f5404 488d05f53ee4ff 488b5c2430 488987b0020000 b801000000 4883c420 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   834f5404             | mov                 eax, 0x1e6
            //   488d05f53ee4ff       | dec                 eax
            //   488b5c2430           | mov                 ecx, dword ptr [ebx + 0x38]
            //   488987b0020000       | inc                 ecx
            //   b801000000           | mov                 eax, 0x1e6
            //   4883c420             | dec                 eax

        $sequence_1 = { b820000000 e8???????? 482be0 488bda 488bf1 488bcb 488d15e89a1100 }
            // n = 7, score = 100
            //   b820000000           | dec                 eax
            //   e8????????           |                     
            //   482be0               | lea                 ecx, [0x13be42]
            //   488bda               | jmp                 0x1c59
            //   488bf1               | dec                 esp
            //   488bcb               | lea                 eax, [0x162c77]
            //   488d15e89a1100       | mov                 edx, 0x28f

        $sequence_2 = { e8???????? 4c8d05dea70d00 ba2f010000 488d0df2a70d00 e8???????? 4533c0 baae000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d05dea70d00       | dec                 eax
            //   ba2f010000           | lea                 edx, [0x15ce09]
            //   488d0df2a70d00       | dec                 eax
            //   e8????????           |                     
            //   4533c0               | mov                 ecx, ebx
            //   baae000000           | dec                 eax

        $sequence_3 = { e8???????? 482be0 85d2 488d050ffe1600 488d3d14fe1600 418bd0 480f45f8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   482be0               | test                eax, eax
            //   85d2                 | jne                 0x65d
            //   488d050ffe1600       | dec                 esp
            //   488d3d14fe1600       | lea                 eax, [0xe6472]
            //   418bd0               | mov                 edx, 0x416
            //   480f45f8             | dec                 eax

        $sequence_4 = { e8???????? 488bc8 4885c0 752f 41b920000000 488d0575010000 488d154e061400 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bc8               | inc                 ebp
            //   4885c0               | test                edi, edi
            //   752f                 | inc                 ecx
            //   41b920000000         | cmp                 esi, 0x40
            //   488d0575010000       | je                  0x1d95
            //   488d154e061400       | dec                 eax

        $sequence_5 = { 8bcf e9???????? 4c8b45e0 4533c9 488b55e8 e8???????? 488bf0 }
            // n = 7, score = 100
            //   8bcf                 | lea                 eax, [eax - 2]
            //   e9????????           |                     
            //   4c8b45e0             | cmp                 eax, 6
            //   4533c9               | ja                  0x1cf1
            //   488b55e8             | mov                 eax, 0xf
            //   e8????????           |                     
            //   488bf0               | inc                 ecx

        $sequence_6 = { 448bf5 4d85ff 0f8502010000 e8???????? 4c8d05e0461400 ba27010000 488d0d84461400 }
            // n = 7, score = 100
            //   448bf5               | je                  0x1bb4
            //   4d85ff               | dec                 eax
            //   0f8502010000         | mov                 edx, dword ptr [edi + 0xd0]
            //   e8????????           |                     
            //   4c8d05e0461400       | dec                 eax
            //   ba27010000           | lea                 edx, [0x12bb3e]
            //   488d0d84461400       | dec                 eax

        $sequence_7 = { 85c0 0f8531030000 4c396368 7527 e8???????? 4c8d05e11e1500 badc000000 }
            // n = 7, score = 100
            //   85c0                 | dec                 eax
            //   0f8531030000         | lea                 ecx, [0xe94c8]
            //   4c396368             | mov                 eax, dword ptr [esp + 0x34]
            //   7527                 | dec                 esp
            //   e8????????           |                     
            //   4c8d05e11e1500       | lea                 eax, [0xfa1bc]
            //   badc000000           | mov                 edx, 0xae

        $sequence_8 = { 7534 4181e700000f00 74b6 4181ff00000100 0f8537ffffff 4c8d0da7e20a00 458bc4 }
            // n = 7, score = 100
            //   7534                 | test                eax, eax
            //   4181e700000f00       | jne                 0x64a
            //   74b6                 | dec                 esp
            //   4181ff00000100       | lea                 eax, [0xfea1a]
            //   0f8537ffffff         | dec                 eax
            //   4c8d0da7e20a00       | mov                 ebp, eax
            //   458bc4               | dec                 eax

        $sequence_9 = { e8???????? 4c8d053fd91300 bab7000000 488d0dfbd81300 e8???????? ba8c000000 4533c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c8d053fd91300       | arpl                bx, dx
            //   bab7000000           | shr                 ebx, 0x1f
            //   488d0dfbd81300       | inc                 ecx
            //   e8????????           |                     
            //   ba8c000000           | mov                 eax, 0x113
            //   4533c0               | dec                 eax

    condition:
        // 7 of 10 sequences; the slack presumably absorbs sequences that a
        // different build or compiler setting changed. The size bound keeps
        // the rule off large files where the match would be less meaningful.
        7 of them and filesize < 6235136
}
[TLP:WHITE] win_royal_ransom_w0 (20230131 | Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family.)
/*
 * win_royal_ransom_w0: code-based signature for Royal Ransom (Malpedia id
 * win.royal_ransom) emitted by the MCRIT YARA Generator. Each $blockhash_*
 * string is one basic block ("picblock", identified by the hash in its name)
 * that the generator considered potentially unique to the family. The comment
 * above each string lists the original bytes with their 64-bit disassembly;
 * the hex pattern masks the operands that change between builds, e.g.
 * `ff1517160100` -> `ff15????????` and `754f` -> `75??` (RIP-relative
 * displacements and branch offsets), so a block is matched by its instruction
 * shape rather than by absolute addresses.
 *
 * Matches when at least 7 of the 10 blocks are found and the file is under 5MB.
 *
 * Caveats for analysts:
 * - The generator comment reports coverage 1/1: every block comes from a single
 *   input sample, so generalisation to other builds is unverified.
 * - malpedia_hash is empty (the yara-signator rule on this page carries one),
 *   so whatever that field normally pins — presumably a reference sample — is
 *   not recorded for this rule.
 * - NOTE(review): several blocks look like statically linked C runtime code
 *   rather than family-specific logic. The `and eax, 0x3f` / `sar rdx, 6`
 *   indexing into a table of 0x48-byte entries (`lea r8, [rax + rax*8]` then
 *   `[rax + r8*8 + ...]`) with flag tests at +0x38 / +0x3d resembles the MSVC
 *   lowio file-handle table, and the `ror rdx, cl` / `xor rdx, r8` / `xchg`
 *   triple resembles CRT cookie-based pointer encoding. If that is confirmed,
 *   the rule's specificity is lower than "unique basic blocks" implies; test it
 *   against clean, statically linked 64-bit binaries before using it for
 *   alerting, and prefer it as a triage/attribution aid alongside the
 *   yara-signator rule.
 * - The branch targets in the comments (0x1401f....) suggest the sample was
 *   loaded at the default x64 PE image base 0x140000000 — confirm before
 *   reusing those addresses.
 */
rule win_royal_ransom_w0 {
    meta:
        author = "MCRIT YARA Generator"
        description = "Code-based YARA rule composed from potentially unique basic blocks for the selected set of samples/family."
        date = "2023-01-31"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
        malpedia_rule_date = "20230131"
        malpedia_hash = ""
        malpedia_version = "20230131"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Rule generation selected 10 picblocks, covering 1/1 input sample(s).
        /* picblockhash: 0x76087cc405bd2363 - coverage: 1/1 samples.
         * 4d8bb4f620c52a00 | mov r14, qword ptr [r14 + rsi*8 + 0x2ac520]
         * 33d2             | xor edx, edx
         * 498bce           | mov rcx, r14
         * 41b800080000     | mov r8d, 0x800
         * ff1517160100     | call qword ptr [rip + 0x11617]
         * 488bd8           | mov rbx, rax
         * 4885c0           | test rax, rax
         * 754f             | jne 0x1401fae20
         */
        // Indirect call through an import-style slot; the slot displacement and
        // the jne offset are wildcarded below.
        $blockhash_0x76087cc405bd2363 = { 4d8bb4f620c52a00 33d2 498bce 41b800080000 ff15???????? 488bd8 4885c0 75?? }

        /* picblockhash: 0xad441b53d9617a84 - coverage: 1/1 samples.
         * 4c8b05964a0d00   | mov r8, qword ptr [rip + 0xd4a96]
         * ba40000000       | mov edx, 0x40
         * 418bc8           | mov ecx, r8d
         * 83e13f           | and ecx, 0x3f
         * 2bd1             | sub edx, ecx
         * 8aca             | mov cl, dl
         * 488bd0           | mov rdx, rax
         * 48d3ca           | ror rdx, cl
         * 4933d0           | xor rdx, r8
         * 4b8794fe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdx
         * eb2d             | jmp 0x1401faed9
         */
        // Rotate-by-(0x40 - (r8 & 0x3f)) then XOR with r8, stored via xchg:
        // looks like a cookie-based pointer-encoding helper (see rule header).
        $blockhash_0xad441b53d9617a84 = { 4c8b05???????? ba40000000 418bc8 83e13f 2bd1 8aca 488bd0 48d3ca 4933d0 4b8794fe80312d00 eb?? }

        /* picblockhash: 0x8a5718142d9721e2 - coverage: 1/1 samples.
         * 418bc2           | mov eax, r10d
         * b940000000       | mov ecx, 0x40
         * 83e03f           | and eax, 0x3f
         * 2bc8             | sub ecx, eax
         * 48d3cf           | ror rdi, cl
         * 4933fa           | xor rdi, r10
         * 4b87bcfe80312d00 | xchg qword ptr [r14 + r15*8 + 0x2d3180], rdi
         */
        // Same rotate/xor/xchg shape as the previous block, different registers
        // and the same table offset 0x2d3180.
        $blockhash_0x8a5718142d9721e2 = { 418bc2 b940000000 83e03f 2bc8 48d3cf 4933fa 4b87bcfe80312d00 }

        /* picblockhash: 0x9cc1c27925f1c35f - coverage: 1/1 samples.
         * 4b8b84e7d02c2d00   | mov rax, qword ptr [r15 + r12*8 + 0x2d2cd0]
         * 4c8b45af           | mov r8, qword ptr [rbp - 0x51]
         * 4c2bc7             | sub r8, rdi
         * 420fb64cf03e       | movzx ecx, byte ptr [rax + r14*8 + 0x3e]
         * 460fbebc3960022d00 | movsx r15d, byte ptr [rcx + r15 + 0x2d0260]
         * 41ffc7             | inc r15d
         * 458bef             | mov r13d, r15d
         * 442bea             | sub r13d, edx
         * 4d63d5             | movsxd r10, r13d
         * 4d3bd0             | cmp r10, r8
         * 0f8f78020000       | jg 0x1401ffdb9
         */
        // Blocks 0x9cc1..., 0x8267..., 0x26d7..., 0x11bb..., 0x30ab..., 0x4708...
        // and 0x37de... all touch the table at 0x2d2cd0 with per-entry byte
        // fields at +0x3d/+0x3e and a lookup table at 0x2d0260; they appear to
        // be one byte-processing routine split into its basic blocks.
        $blockhash_0x9cc1c27925f1c35f = { 4b8b84e7d02c2d00 4c8b45af 4c2bc7 420fb64cf03e 460fbebc3960022d00 41ffc7 458bef 442bea 4d63d5 4d3bd0 0f8f???????? }

        /* picblockhash: 0x826769b1e3d9c0fc - coverage: 1/1 samples.
         * 0fb607             | movzx eax, byte ptr [rdi]
         * 498bd5             | mov rdx, r13
         * 482bd7             | sub rdx, rdi
         * 4a0fbeb43860022d00 | movsx rsi, byte ptr [rax + r15 + 0x2d0260]
         * 8d4e01             | lea ecx, [rsi + 1]
         * 4863c1             | movsxd rax, ecx
         * 483bc2             | cmp rax, rdx
         * 0f8fe4010000       | jg 0x1401ffdf3
         */
        $blockhash_0x826769b1e3d9c0fc = { 0fb607 498bd5 482bd7 4a0fbeb43860022d00 8d4e01 4863c1 483bc2 0f8f???????? }

        /* picblockhash: 0x26d7edbd8d267bed - coverage: 1/1 samples.
         * 8a0437           | mov al, byte ptr [rdi + rsi]
         * ffc2             | inc edx
         * 4a8b8ce3d02c2d00 | mov rcx, qword ptr [rbx + r12*8 + 0x2d2cd0]
         * 4803ce           | add rcx, rsi
         * 48ffc6           | inc rsi
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4863c2           | movsxd rax, edx
         * 493bc0           | cmp rax, r8
         * 7ce0             | jl 0x1401ffdcb
         */
        $blockhash_0x26d7edbd8d267bed = { 8a0437 ffc2 4a8b8ce3d02c2d00 4803ce 48ffc6 428844f13e 4863c2 493bc0 7c?? }

        /* picblockhash: 0x11bb0000ce80b5fe - coverage: 1/1 samples.
         * 418a0438         | mov al, byte ptr [r8 + rdi]
         * 41ffc1           | inc r9d
         * 4b8b8cd7d02c2d00 | mov rcx, qword ptr [r15 + r10*8 + 0x2d2cd0]
         * 4903c8           | add rcx, r8
         * 49ffc0           | inc r8
         * 428844d93e       | mov byte ptr [rcx + r11*8 + 0x3e], al
         * 4963c1           | movsxd rax, r9d
         * 483bc2           | cmp rax, rdx
         * 7cde             | jl 0x1401ffe18
         */
        $blockhash_0x11bb0000ce80b5fe = { 418a0438 41ffc1 4b8b8cd7d02c2d00 4903c8 49ffc0 428844d93e 4963c1 483bc2 7c?? }

        /* picblockhash: 0x30abb68a1956753d - coverage: 1/1 samples.
         * 8a07             | mov al, byte ptr [rdi]
         * 4c8d05ab01e0ff   | lea r8, [rip - 0x1ffe55]
         * 4b8b8ce0d02c2d00 | mov rcx, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * ffc3             | inc ebx
         * 895d9b           | mov dword ptr [rbp - 0x65], ebx
         * 428844f13e       | mov byte ptr [rcx + r14*8 + 0x3e], al
         * 4b8b84e0d02c2d00 | mov rax, qword ptr [r8 + r12*8 + 0x2d2cd0]
         * 42804cf03d04     | or byte ptr [rax + r14*8 + 0x3d], 4
         * 38558f           | cmp byte ptr [rbp - 0x71], dl
         * ebcc             | jmp 0x1401ffe46
         */
        $blockhash_0x30abb68a1956753d = { 8a07 4c8d05???????? 4b8b8ce0d02c2d00 ffc3 895d9b 428844f13e 4b8b84e0d02c2d00 42804cf03d04 38558f eb?? }

        /* picblockhash: 0x47083a9897a47573 - coverage: 1/1 samples.
         * 498bc5           | mov rax, r13
         * 4c8d0d21f6dfff   | lea r9, [rip - 0x2009df]
         * 83e03f           | and eax, 0x3f
         * 498bd5           | mov rdx, r13
         * 48c1fa06         | sar rdx, 6
         * 4c8d04c0         | lea r8, [rax + rax*8]
         * 498b84d1d02c2d00 | mov rax, qword ptr [r9 + rdx*8 + 0x2d2cd0]
         * 42f644c03848     | test byte ptr [rax + r8*8 + 0x38], 0x48
         * 7430             | je 0x140200a2d
         */
        // Two-level index: r13 >> 6 selects a chunk pointer from the 0x2d2cd0
        // table, r13 & 0x3f selects a 0x48-byte entry, then bit flags at +0x38
        // are tested — see the runtime-code caveat in the rule header.
        $blockhash_0x47083a9897a47573 = { 498bc5 4c8d0d???????? 83e03f 498bd5 48c1fa06 4c8d04c0 498b84d1d02c2d00 42f644c03848 74?? }

        /* picblockhash: 0x37de2b88bfe990b6 - coverage: 1/1 samples.
         * 2bc3             | sub eax, ebx
         * 488d0d2df4dfff   | lea rcx, [rip - 0x200bd3]
         * 488b8ce9d02c2d00 | mov rcx, qword ptr [rcx + rbp*8 + 0x2d2cd0]
         * 8064f93dfd       | and byte ptr [rcx + rdi*8 + 0x3d], 0xfd
         * f7d8             | neg eax
         * 1ac0             | sbb al, al
         * 2402             | and al, 2
         * 0844f93d         | or byte ptr [rcx + rdi*8 + 0x3d], al
         * 8d0412           | lea eax, [rdx + rdx]
         */
        // Branch-free update of bit 1 in the +0x3d flag byte: cleared with
        // `and ..., 0xfd`, then set again iff (eax - ebx) was non-zero.
        $blockhash_0x37de2b88bfe990b6 = { 2bc3 488d0d???????? 488b8ce9d02c2d00 8064f93dfd f7d8 1ac0 2402 0844f93d 8d0412 }

    condition:
        // 7 of 10 blocks within a 5MB file; the slack presumably tolerates a
        // few blocks being recompiled differently in other builds.
        7 of them and filesize < 5MB
}