win.skipper

Skipper

aka: Kotel

Actor(s): Turla Group


There is no description at this point.

References

2020-03-12 | ESET Research | Matthieu Faou
Tracking Turla: New backdoor delivered via Armenian watering holes
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} }
Referenced families and actors: LightNeuron, Mosquito, NetFlash, Skipper

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Referenced families and actors: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, Pirate Panda, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Referenced families and actors: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, Axiom

2020 | Secureworks | SecureWorks
IRON HUNTER
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} }
Referenced families and actors: Agent.BTZ, Cobra Carbon System, LightNeuron, Mosquito, Nautilus, Neuron, Skipper, Uroburos, Turla Group

2019-05-19 | Telsy | Webmaster
Following the Turla’s Skipper over the ocean of cyber operations
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} }
Referenced families and actors: Skipper

2018-10-04 | Kaspersky Labs | GReAT
Shedding Skin – Turla’s Fresh Faces
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} }
Referenced families and actors: KopiLuwak, Cobra Carbon System, Gazer, Mosquito, Skipper

2017-06-06 | ESET Research | Jean-Ian Boutin
Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} }
Referenced families and actors: HTML5 Encoding, Skipper

2016-06-30 | Bitdefender | Bitdefender
Pacifier APT
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} }
Referenced families and actors: Skipper

2015 | Bitdefender | Cristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
New Pacifier APT Components Point to Russian-Linked Turla Group
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} }
Referenced families and actors: Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20211008 | Detects win.skipper.)
rule win_skipper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a03 68???????? 68???????? 6a50 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | push                0x50

        $sequence_1 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax

        $sequence_2 = { 50 ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 7, score = 500
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_3 = { 6804010000 e8???????? 6804010000 8bf8 6a00 57 e8???????? }
            // n = 7, score = 500
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_4 = { e8???????? 53 6a11 68???????? b9???????? e8???????? }
            // n = 6, score = 400
            //   e8????????           |                     
            //   53                   | push                ebx
            //   6a11                 | push                0x11
            //   68????????           |                     
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_5 = { 2bf0 6bf67b 56 e8???????? }
            // n = 4, score = 400
            //   2bf0                 | sub                 esi, eax
            //   6bf67b               | imul                esi, esi, 0x7b
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_6 = { 8b85f8feffff 8a1a 0fb6c0 8d8dfcfeffff 03c8 }
            // n = 5, score = 400
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   8a1a                 | mov                 bl, byte ptr [edx]
            //   0fb6c0               | movzx               eax, al
            //   8d8dfcfeffff         | lea                 ecx, dword ptr [ebp - 0x104]
            //   03c8                 | add                 ecx, eax

        $sequence_7 = { 0f8e9b000000 297d08 8b8df4feffff 41 81e1ff000080 7908 49 }
            // n = 7, score = 400
            //   0f8e9b000000         | jle                 0xa1
            //   297d08               | sub                 dword ptr [ebp + 8], edi
            //   8b8df4feffff         | mov                 ecx, dword ptr [ebp - 0x10c]
            //   41                   | inc                 ecx
            //   81e1ff000080         | and                 ecx, 0x800000ff
            //   7908                 | jns                 0xa
            //   49                   | dec                 ecx

        $sequence_8 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | push                0x803000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_9 = { 53 e8???????? 6804010000 e8???????? }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_10 = { e8???????? 83c404 6a00 6a64 52 50 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6a00                 | push                0
            //   6a64                 | push                0x64
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_11 = { 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff }
            // n = 6, score = 200
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   8a8c15f0feffff       | mov                 cl, byte ptr [ebp + edx - 0x110]
            //   888c05f0feffff       | mov                 byte ptr [ebp + eax - 0x110], cl
            //   0fb695e8feffff       | movzx               edx, byte ptr [ebp - 0x118]
            //   8a85effeffff         | mov                 al, byte ptr [ebp - 0x111]
            //   888415f0feffff       | mov                 byte ptr [ebp + edx - 0x110], al

        $sequence_12 = { 41ffc0 410fb6c0 488d1424 41ffc1 }
            // n = 4, score = 200
            //   41ffc0               | inc                 r8d
            //   410fb6c0             | movzx               eax, r8b
            //   488d1424             | lea                 rdx, qword ptr [rsp]
            //   41ffc1               | inc                 r9d

        $sequence_13 = { 4403c6 4181e0ff000080 7d0d 41ffc8 4181c800ffffff 41ffc0 }
            // n = 6, score = 200
            //   4403c6               | add                 r8d, esi
            //   4181e0ff000080       | and                 r8d, 0x800000ff
            //   7d0d                 | jge                 0xf
            //   41ffc8               | dec                 r8d
            //   4181c800ffffff       | or                  r8d, 0xffffff00
            //   41ffc0               | inc                 r8d
            //   (and 0x800000ff / jge / dec / or 0xffffff00 / inc is the compiler's
            //    idiom for a signed `% 256`; the 32-bit form appears in $sequence_7)

        $sequence_14 = { 6a0b 68???????? 8b15???????? 52 68???????? e8???????? 83c414 }
            // n = 7, score = 200
            //   6a0b                 | push                0xb
            //   68????????           |                     
            //   8b15????????         |                     
            //   52                   | push                edx
            //   68????????           |                     
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_15 = { 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff 03d1 81e2ff000080 }
            // n = 5, score = 200
            //   0fb6940df0feffff     | movzx               edx, byte ptr [ebp + ecx - 0x110]
            //   0fb645fc             | movzx               eax, byte ptr [ebp - 4]
            //   0fb68c05f0feffff     | movzx               ecx, byte ptr [ebp + eax - 0x110]
            //   03d1                 | add                 edx, ecx
            //   81e2ff000080         | and                 edx, 0x800000ff

        $sequence_16 = { 7d15 8b8de4feffff 8a95e4feffff 88940df0feffff }
            // n = 4, score = 200
            //   7d15                 | jge                 0x17
            //   8b8de4feffff         | mov                 ecx, dword ptr [ebp - 0x11c]
            //   8a95e4feffff         | mov                 dl, byte ptr [ebp - 0x11c]
            //   88940df0feffff       | mov                 byte ptr [ebp + ecx - 0x110], dl

        $sequence_17 = { 4803d0 0fb602 418800 44880a 410fb610 4103d1 81e2ff000080 }
            // n = 7, score = 200
            //   4803d0               | add                 rdx, rax
            //   0fb602               | movzx               eax, byte ptr [rdx]
            //   418800               | mov                 byte ptr [r8], al
            //   44880a               | mov                 byte ptr [rdx], r9b
            //   410fb610             | movzx               edx, byte ptr [r8]
            //   4103d1               | add                 edx, r9d
            //   81e2ff000080         | and                 edx, 0x800000ff

        $sequence_18 = { 498bf8 488d1424 448bd1 8bc1 0f1f840000000000 }
            // n = 5, score = 200
            //   498bf8               | mov                 rdi, r8
            //   488d1424             | lea                 rdx, qword ptr [rsp]
            //   448bd1               | mov                 r10d, ecx
            //   8bc1                 | mov                 eax, ecx
            //   0f1f840000000000     | nop                 dword ptr [rax + rax]

        $sequence_19 = { 8b8de0feffff 0fb68c0df0feffff 038de8feffff 8b85e0feffff 99 f77d0c }
            // n = 6, score = 200
            //   8b8de0feffff         | mov                 ecx, dword ptr [ebp - 0x120]
            //   0fb68c0df0feffff     | movzx               ecx, byte ptr [ebp + ecx - 0x110]
            //   038de8feffff         | add                 ecx, dword ptr [ebp - 0x118]
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   99                   | cdq                 
            //   f77d0c               | idiv                dword ptr [ebp + 0xc]

        $sequence_20 = { 0fb645f8 8a8c05f0feffff 888deffeffff 0fb655fc }
            // n = 4, score = 200
            //   0fb645f8             | movzx               eax, byte ptr [ebp - 8]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888deffeffff         | mov                 byte ptr [ebp - 0x111], cl
            //   0fb655fc             | movzx               edx, byte ptr [ebp - 4]

        $sequence_21 = { 0fb685eefeffff 33d0 8b4d18 038ddcfeffff }
            // n = 4, score = 200
            //   0fb685eefeffff       | movzx               eax, byte ptr [ebp - 0x112]
            //   33d0                 | xor                 edx, eax
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   038ddcfeffff         | add                 ecx, dword ptr [ebp - 0x124]

        $sequence_22 = { ffc1 4863c1 0fb61404 4403d2 }
            // n = 4, score = 200
            //   ffc1                 | inc                 ecx
            //   4863c1               | movsxd              rax, ecx
            //   0fb61404             | movzx               edx, byte ptr [rsp + rax]
            //   4403d2               | add                 r10d, edx

        $sequence_23 = { ffca 81ca00ffffff ffc2 0fb6c2 49ffc3 0fb61404 4232541fff }
            // n = 7, score = 200
            //   ffca                 | dec                 edx
            //   81ca00ffffff         | or                  edx, 0xffffff00
            //   ffc2                 | inc                 edx
            //   0fb6c2               | movzx               eax, dl
            //   49ffc3               | inc                 r11
            //   0fb61404             | movzx               edx, byte ptr [rsp + rax]
            //   4232541fff           | xor                 dl, byte ptr [rdi + r11 - 1]

        $sequence_24 = { 4156 4881ec10010000 488b05???????? 4833c4 4889842400010000 4c8b9c2440010000 }
            // n = 6, score = 200
            //   4156                 | push                r14
            //   4881ec10010000       | sub                 rsp, 0x110
            //   488b05????????       |                     
            //   4833c4               | xor                 rax, rsp
            //   4889842400010000     | mov                 qword ptr [rsp + 0x100], rax
            //   4c8b9c2440010000     | mov                 r11, qword ptr [rsp + 0x140]

        $sequence_25 = { 03d2 2bc2 4863d0 420fb60432 4403c0 }
            // n = 5, score = 200
            //   03d2                 | add                 edx, edx
            //   2bc2                 | sub                 eax, edx
            //   4863d0               | movsxd              rdx, eax
            //   420fb60432           | movzx               eax, byte ptr [rdx + r14]
            //   4403c0               | add                 r8d, eax

        $sequence_26 = { 898ddcfeffff 8b95dcfeffff 3b5514 0f8dcf000000 8b45f8 83c001 25ff000080 }
            // n = 7, score = 200
            //   898ddcfeffff         | mov                 dword ptr [ebp - 0x124], ecx
            //   8b95dcfeffff         | mov                 edx, dword ptr [ebp - 0x124]
            //   3b5514               | cmp                 edx, dword ptr [ebp + 0x14]
            //   0f8dcf000000         | jge                 0xd5
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   83c001               | add                 eax, 1
            //   25ff000080           | and                 eax, 0x800000ff

        $sequence_27 = { 56 e8???????? 83c414 8b45fc ff34c51ca92300 53 57 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff34c51ca92300       | push                dword ptr [eax*8 + 0x23a91c]
            //   53                   | push                ebx
            //   57                   | push                edi

        $sequence_28 = { 6a00 8b95e4feffff 52 ff15???????? 8985d8feffff }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8985d8feffff         | mov                 dword ptr [ebp - 0x128], eax

        $sequence_29 = { 48894c2450 488d542450 488d4c2420 e8???????? 488d050dad0000 }
            // n = 5, score = 100
            //   48894c2450           | mov                 qword ptr [rsp + 0x50], rcx
            //   488d542450           | lea                 rdx, qword ptr [rsp + 0x50]
            //   488d4c2420           | lea                 rcx, qword ptr [rsp + 0x20]
            //   e8????????           |                     
            //   488d050dad0000       | lea                 rax, qword ptr [rip + 0xad0d]

        $sequence_30 = { bf???????? 833cf574a0230001 751e 8d04f570a02300 8938 }
            // n = 5, score = 100
            //   bf????????           |                     
            //   833cf574a0230001     | cmp                 dword ptr [esi*8 + 0x23a074], 1
            //   751e                 | jne                 0x20
            //   8d04f570a02300       | lea                 eax, dword ptr [esi*8 + 0x23a070]
            //   8938                 | mov                 dword ptr [eax], edi

        $sequence_31 = { 7329 488bcb 488bc3 488d15cfa30000 48c1f805 }
            // n = 5, score = 100
            //   7329                 | jae                 0x2b
            //   488bcb               | mov                 rcx, rbx
            //   488bc3               | mov                 rax, rbx
            //   488d15cfa30000       | lea                 rdx, qword ptr [rip + 0xa3cf]
            //   48c1f805             | sar                 rax, 5

        $sequence_32 = { 58 5d c3 8b04cdaca72300 5d c3 0544ffffff }
            // n = 7, score = 100
            //   58                   | pop                 eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04cdaca72300       | mov                 eax, dword ptr [ecx*8 + 0x23a7ac]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   0544ffffff           | add                 eax, 0xffffff44

        $sequence_33 = { 88480c 488d4c2450 e8???????? 488d4c2450 }
            // n = 4, score = 100
            //   88480c               | mov                 byte ptr [rax + 0xc], cl
            //   488d4c2450           | lea                 rcx, qword ptr [rsp + 0x50]
            //   e8????????           |                     
            //   488d4c2450           | lea                 rcx, qword ptr [rsp + 0x50]

        $sequence_34 = { 488d0d431a0000 e8???????? 488d1db77e0000 488d3dd07e0000 }
            // n = 4, score = 100
            //   488d0d431a0000       | lea                 rcx, qword ptr [rip + 0x1a43]
            //   e8????????           |                     
            //   488d1db77e0000       | lea                 rbx, qword ptr [rip + 0x7eb7]
            //   488d3dd07e0000       | lea                 rdi, qword ptr [rip + 0x7ed0]

        $sequence_35 = { 50 e8???????? 83c40c 8d442413 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d442413             | lea                 eax, dword ptr [esp + 0x13]

        $sequence_36 = { 8d85f0feffff 50 8b8dd8feffff 51 8b95e4feffff 52 }
            // n = 6, score = 100
            //   8d85f0feffff         | lea                 eax, dword ptr [ebp - 0x110]
            //   50                   | push                eax
            //   8b8dd8feffff         | mov                 ecx, dword ptr [ebp - 0x128]
            //   51                   | push                ecx
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]
            //   52                   | push                edx

        $sequence_37 = { 2300 285323 0023 d18a0688078a 46 018847018a46 }
            // n = 6, score = 100
            //   (the generator picked this sequence off the instruction boundary; the
            //    bytes decode only to nonsense and look like pointer/data bytes)
            //   2300                 | and                 eax, dword ptr [eax]
            //   285323               | sub                 byte ptr [ebx + 0x23], dl
            //   0023                 | add                 byte ptr [ebx], ah
            //   d18a0688078a         | ror                 dword ptr [edx - 0x75f877fa], 1
            //   46                   | inc                 esi
            //   018847018a46         | add                 dword ptr [eax + 0x468a0147], ecx

        $sequence_38 = { 66890c4590b22300 40 ebe8 33c0 8945e4 3d01010000 }
            // n = 6, score = 100
            //   66890c4590b22300     | mov                 word ptr [eax*2 + 0x23b290], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   3d01010000           | cmp                 eax, 0x101

        $sequence_39 = { ff15???????? 83f857 0f85db010000 488d0df4580000 ff15???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   83f857               | cmp                 eax, 0x57
            //   0f85db010000         | jne                 0x1e1
            //   488d0df4580000       | lea                 rcx, qword ptr [rip + 0x58f4]
            //   ff15????????         |                     

        $sequence_40 = { 6689816a020000 488d0553d20000 488981b8000000 b90d000000 e8???????? 90 488b83b8000000 }
            // n = 7, score = 100
            //   6689816a020000       | mov                 word ptr [rcx + 0x26a], ax
            //   488d0553d20000       | lea                 rax, qword ptr [rip + 0xd253]
            //   488981b8000000       | mov                 qword ptr [rcx + 0xb8], rax
            //   b90d000000           | mov                 ecx, 0xd
            //   e8????????           |                     
            //   90                   | nop                 
            //   488b83b8000000       | mov                 rax, qword ptr [rbx + 0xb8]

        $sequence_41 = { a3???????? a1???????? c705????????66162300 8935???????? a3???????? ff15???????? }
            // n = 6, score = 100
            //   a3????????           |                     
            //   a1????????           |                     
            //   c705????????66162300     |     
            //   8935????????         |                     
            //   a3????????           |                     
            //   ff15????????         |                     

        $sequence_42 = { 6804010000 6a00 53 895c2448 e8???????? 83c40c 56 }
            // n = 7, score = 100
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   895c2448             | mov                 dword ptr [esp + 0x48], ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi

        $sequence_43 = { e8???????? 833b00 7514 488d0531ae0000 483bd8 7408 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   833b00               | cmp                 dword ptr [rbx], 0
            //   7514                 | jne                 0x16
            //   488d0531ae0000       | lea                 rax, qword ptr [rip + 0xae31]
            //   483bd8               | cmp                 rbx, rax
            //   7408                 | je                  0xa

        $sequence_44 = { 488bcb e8???????? e9???????? 4c8d25939f0000 8bee }
            // n = 5, score = 100
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           |                     
            //   e9????????           |                     
            //   4c8d25939f0000       | lea                 r12, qword ptr [rip + 0x9f93]
            //   8bee                 | mov                 ebp, esi

    condition:
        7 of them and filesize < 262144
}
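The rule above is meant for YARA, but it is worth seeing exactly what these auto-generated hex strings match. The Python below is an added example, not code from Malpedia, yara-signator or any of the references. It parses the hex-string syntax the rule uses (hex byte pairs plus whole-byte `??` wildcards, which stand in for call targets and pushed addresses that change between builds), compiles each sequence to a byte regex, and evaluates the rule's `7 of them and filesize < 262144` condition. Only three of the 45 sequences are copied in, so the real threshold cannot be reached with this subset, and the sample buffer is constructed for the example; it is not a Skipper binary.

```python
import re

# Three of the 45 hex strings from win_skipper_auto, copied verbatim from the
# rule above. The other 42 are omitted only to keep the example short, which
# means the rule's real threshold (7 of them) is unreachable with this subset.
SEQUENCES = {
    "sequence_0": "{ 6a00 6a03 68???????? 68???????? 6a50 }",
    "sequence_3": "{ 6804010000 e8???????? 6804010000 8bf8 6a00 57 e8???????? }",
    "sequence_8": "{ 6800308000 6a00 6a00 68???????? }",
}

RULE_THRESHOLD = 7          # condition: 7 of them
RULE_MAX_FILESIZE = 262144  # condition: filesize < 262144


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA hex string into a bytes regex.

    Supports exactly what win_skipper_auto uses: hex byte pairs and whole-byte
    `??` wildcards. Nibble wildcards (`6?`), jumps (`[4-6]`) and alternatives
    (`(a|b)`) are valid YARA but are rejected here rather than mis-handled.
    """
    body = hex_string.strip().strip("{}").strip()
    parts = []
    for token in body.split():
        if len(token) % 2:
            raise ValueError(f"odd-length token {token!r}")
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            if pair == "??":
                parts.append(b".")                        # any one byte
            elif re.fullmatch(r"[0-9a-fA-F]{2}", pair):
                parts.append(b"\\x%02x" % int(pair, 16))  # literal byte as \xhh
            else:
                raise ValueError(f"unsupported token {pair!r} in {token!r}")
    # DOTALL so that '.' also matches 0x0a, which a plain '.' would skip.
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes, sequences: dict = SEQUENCES) -> dict:
    """Offsets of every (possibly overlapping) match of each sequence in data."""
    result = {}
    for name, hex_string in sequences.items():
        pattern = hex_string_to_regex(hex_string)
        offsets, pos = [], 0
        while (m := pattern.search(data, pos)) is not None:
            offsets.append(m.start())
            pos = m.start() + 1
        result[name] = offsets
    return result


def evaluate_rule(data: bytes, sequences: dict = SEQUENCES,
                  threshold: int = RULE_THRESHOLD,
                  max_filesize: int = RULE_MAX_FILESIZE) -> bool:
    """Evaluate `<threshold> of them and filesize < <max_filesize>` over data."""
    if len(data) >= max_filesize:
        return False
    matched = sum(1 for offsets in find_matches(data, sequences).values() if offsets)
    return matched >= threshold


# Constructed sample buffer (not a real Skipper binary): each sequence is laid
# out with arbitrary bytes in its wildcard positions, separated by filler.
SAMPLE = (
    b"MZ" + b"\x90" * 16
    + bytes.fromhex("6a00 6a03 68 11223344 68 55667788 6a50")                      # sequence_0 at 18
    + b"\xcc" * 8
    + bytes.fromhex("6804010000 e8 deadbeef 6804010000 8bf8 6a00 57 e8 01020304")  # sequence_3 at 42
    + b"\xcc" * 8
    + bytes.fromhex("6800308000 6a00 6a00 68 aabbccdd")                            # sequence_8 at 75
)

# Near miss: sequence_0 with the final `push 0x50` changed to `push 0x51`.
NEAR_MISS = bytes.fromhex("6a00 6a03 68 11223344 68 55667788 6a51")


if __name__ == "__main__":
    for name, offsets in find_matches(SAMPLE).items():
        print(f"{name}: offsets {offsets}")
    print("3 of the 3 embedded sequences:", evaluate_rule(SAMPLE, threshold=3))
    print("real rule threshold (7 of them):", evaluate_rule(SAMPLE))
    print("near miss hits sequence_0:", bool(find_matches(NEAR_MISS)["sequence_0"]))
```

Two things this makes visible. The wildcard positions accept any bytes, so a sequence keeps matching no matter where the pushed string or called function ends up in a given build; by contrast, sequences such as $sequence_27, $sequence_30 and $sequence_32 embed absolute addresses (0x23a91c, 0x23a074, 0x23a7ac) with no wildcards and will only match samples with that exact image layout. And because the condition is a count, trimming the rule to a subset of its strings, as done here for brevity, silently changes what it detects; the full 45-string rule with `7 of them` is the tested artifact, not any excerpt of it.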