win.skipper (Back to overview)

Skipper

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12 · ESET Research · Matthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 · PWC UK · PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020 · Secureworks · SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-05-19 · Telsy · Webmaster
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} } Following the Turla’s Skipper over the ocean of cyber operations
Skipper
2018-10-04 · Kaspersky Labs · GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-06-06 · ESET Research · Jean-Ian Boutin
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
HTML5 Encoding Skipper
2016-06-30 · Bitdefender · Bitdefender
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } Pacifier APT
Skipper
2015 · Bitdefender · Cristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } New Pacifier APT Components Point to Russian-Linked Turla Group
Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_skipper_auto {

    /*
     * Purpose: detect Skipper, a backdoor attributed to the Turla Group (see
     * malpedia_reference below), by matching short x86 opcode sequences that
     * yara-signator selected from the disassembly of memory dumps and unpacked
     * files (see DISCLAIMER).
     *
     * How to read this rule:
     *  - Each $sequence_N is a hex string. `??` bytes are YARA wildcards; the
     *    blank mnemonic column beside them suggests they sit where call/jump
     *    targets and data references were masked (cf. tool_config
     *    "callsandjumps;datarefs").
     *  - The `n` under each string is its opcode count; `score` is presumably
     *    yara-signator's weighting for the sequence (strings are listed in
     *    descending score order, 600 down to 100).
     *  - The condition needs any 7 of the 45 sequences and filesize < 262144.
     *
     * NOTE(review): because the sequences were taken from unpacked code, a
     * packed on-disk sample will likely not match until it is unpacked or
     * scanned in memory.
     * NOTE(review): the disassembly comments are informational only and are
     * misaligned with the bytes in a number of sequences (e.g. `33c0` is
     * `xor eax, eax` in $sequence_1 but labelled `push edi` in $sequence_4;
     * `40` in $sequence_4 is labelled `push 0`). YARA matches the hex bytes,
     * not the comments; regenerate the annotations before quoting them in
     * analysis notes.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0-10 (score 600-300) are plain 32-bit prologue/epilogue and
        // argument-push patterns (push 0 / push 0x104 / call [??]). On their own
        // these are common to much Windows code; the rule relies on the
        // "7 of them" threshold, not on any single sequence being unique.
        $sequence_0 = { 6a00 6a03 68???????? 68???????? 6a50 }
            // n = 5, score = 600
            // 
            //   6a03                 | push                3
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | push                0x50

        $sequence_1 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax

        $sequence_2 = { ff15???????? 6a00 6a00 6a00 6a00 50 ff15???????? }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 6804010000 e8???????? 6804010000 8bf8 6a00 57 }
            // n = 6, score = 500
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi

        // NOTE(review): the mnemonics below do not match the bytes (compare
        // 33c0 / 5d / c3 in $sequence_1); treat as misaligned tool output.
        $sequence_4 = { 33c0 40 5f 5e 5d c3 8325????????00 }
            // n = 7, score = 400
            //   33c0                 | push                edi
            //   40                   | push                0
            //   5f                   | push                0
            //   5e                   | push                0
            //   5d                   | push                0
            //   c3                   | push                0x104
            //   8325????????00       |                     

        // NOTE(review): mnemonics misaligned here too (55 / 8bec are annotated
        // push ebp / mov ebp, esp in $sequence_1).
        $sequence_5 = { 895104 c9 c3 55 8bec 83ec10 eb0d }
            // n = 7, score = 400
            //   895104               | push                0x104
            //   c9                   | push                0x104
            //   c3                   | mov                 edi, eax
            //   55                   | push                0
            //   8bec                 | push                edi
            //   83ec10               | push                0
            //   eb0d                 | push                0

        $sequence_6 = { 56 57 ff15???????? 6804010000 6a00 57 }
            // n = 6, score = 400
            //   56                   | push                0x104
            //   57                   | mov                 edi, eax
            //   ff15????????         |                     
            //   6804010000           | push                0
            //   6a00                 | push                0x104
            //   57                   | push                0x104

        $sequence_7 = { e8???????? 68???????? 6804010000 53 e8???????? }
            // n = 5, score = 300
            //   e8????????           |                     
            //   68????????           |                     
            //   6804010000           | push                0x104
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_8 = { 53 e8???????? 6804010000 e8???????? }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_9 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | push                0x803000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_10 = { e8???????? 83c404 6a00 6a64 52 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   83c404               | push                0
            //   6a00                 | push                edi
            //   6a64                 | push                0x104
            //   52                   | push                0x104

        // NOTE(review): sequences starting with 41/48/49/4c bytes (e.g. 11, 13,
        // 15, 22, 26, 29, 34, 36-38, 40, 41, 43) look like x86-64 code with REX
        // prefixes, so the sample set presumably includes a 64-bit build; the
        // annotations beside them read like 32-bit decoding — confirm with a
        // 64-bit disassembler before relying on them.
        $sequence_11 = { 4181c800ffffff 41ffc0 410fb6c0 488d1424 41ffc1 4803d0 }
            // n = 6, score = 200
            //   4181c800ffffff       | inc                 edx
            //   41ffc0               | movzx               eax, cl
            //   410fb6c0             | dec                 esp
            //   488d1424             | lea                 eax, [esp]
            //   41ffc1               | dec                 eax
            //   4803d0               | lea                 edx, [esp]

        $sequence_12 = { 6a0b 68???????? 8b15???????? 52 68???????? e8???????? }
            // n = 6, score = 200
            //   6a0b                 | push                0
            //   68????????           |                     
            //   8b15????????         |                     
            //   52                   | push                0
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_13 = { 4833c4 4889842400010000 4c8b9c2440010000 33c9 4963e9 498bf8 }
            // n = 6, score = 200
            //   4833c4               | or                  edx, 0xffffff00
            //   4889842400010000     | dec                 ecx
            //   4c8b9c2440010000     | sub                 edi, ebx
            //   33c9                 | inc                 ecx
            //   4963e9               | and                 ecx, 0x800000ff
            //   498bf8               | jge                 0x17

        $sequence_14 = { 81bde0feffff00010000 0f8d84000000 8b8de0feffff 0fb68c0df0feffff }
            // n = 4, score = 200
            //   81bde0feffff00010000     | push    0x104
            //   0f8d84000000         | mov                 edi, eax
            //   8b8de0feffff         | push                0x104
            //   0fb68c0df0feffff     | push                0x104

        $sequence_15 = { 488d1424 41ffc1 4803d0 48ffc3 0fb602 8843ff 408832 }
            // n = 7, score = 200
            //   488d1424             | push                0
            //   41ffc1               | push                0x64
            //   4803d0               | push                edx
            //   48ffc3               | push                eax
            //   0fb602               | add                 esp, 4
            //   8843ff               | push                0
            //   408832               | push                0x64

        $sequence_16 = { 0f95c0 85c0 74dc e8???????? }
            // n = 4, score = 200
            //   0f95c0               | setne               al
            //   85c0                 | test                eax, eax
            //   74dc                 | je                  0xffffffde
            //   e8????????           |                     

        $sequence_17 = { 888deffeffff 0fb655fc 0fb645f8 8a8c15f0feffff 888c05f0feffff 0fb655fc 8a85effeffff }
            // n = 7, score = 200
            //   888deffeffff         | push                3
            //   0fb655fc             | push                0x50
            //   0fb645f8             | push                0
            //   8a8c15f0feffff       | push                0
            //   888c05f0feffff       | push                3
            //   0fb655fc             | push                0x50
            //   8a85effeffff         | push                3

        // Sequences 18, 20, 23, 25, 27, 28 carry byte-table / masking
        // arithmetic (`and ..., 0x800000ff`, `or ..., 0xffffff00`, `movzx`,
        // `cmp ..., 0x100`); presumably part of a byte-wise encoding loop —
        // TODO confirm against the sample, the rule itself does not say.
        $sequence_18 = { 8985e4feffff 81bde4feffff00010000 7d15 8b8de4feffff 8a95e4feffff }
            // n = 5, score = 200
            //   8985e4feffff         | add                 eax, 1
            //   81bde4feffff00010000     | mov    dword ptr [ebp - 0x120], eax
            //   7d15                 | cmp                 dword ptr [ebp - 0x120], 0x100
            //   8b8de4feffff         | jge                 0x9a
            //   8a95e4feffff         | mov                 ecx, dword ptr [ebp - 0x120]

        $sequence_19 = { 74dc e8???????? 85c0 78e3 }
            // n = 4, score = 200
            //   74dc                 | je                  0xffffffde
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   78e3                 | js                  0xffffffe5

        $sequence_20 = { 492bfb ffc1 81e1ff000080 7d0a ffc9 }
            // n = 5, score = 200
            //   492bfb               | inc                 ecx
            //   ffc1                 | add                 edx, ecx
            //   81e1ff000080         | and                 edx, 0x800000ff
            //   7d0a                 | jge                 0x15
            //   ffc9                 | dec                 edx

        $sequence_21 = { c785dcfeffff00000000 eb0f 8b8ddcfeffff 83c101 898ddcfeffff 8b95dcfeffff 3b5514 }
            // n = 7, score = 200
            //   c785dcfeffff00000000     | push    0x64
            //   eb0f                 | push                edx
            //   8b8ddcfeffff         | push                eax
            //   83c101               | add                 esp, 4
            //   898ddcfeffff         | push                0
            //   8b95dcfeffff         | push                0x64
            //   3b5514               | add                 esp, 4

        $sequence_22 = { 41ffca 4181ca00ffffff 41ffc2 0fb6c1 4c8d0424 488d1424 4c03c0 }
            // n = 7, score = 200
            //   41ffca               | dec                 ecx
            //   4181ca00ffffff       | dec                 eax
            //   41ffc2               | xor                 eax, esp
            //   0fb6c1               | dec                 eax
            //   4c8d0424             | mov                 dword ptr [esp + 0x100], eax
            //   488d1424             | dec                 esp
            //   4c03c0               | mov                 ebx, dword ptr [esp + 0x140]

        $sequence_23 = { 0f8dcf000000 8b45f8 83c001 25ff000080 7907 48 0d00ffffff }
            // n = 7, score = 200
            //   0f8dcf000000         | push                0x50
            //   8b45f8               | add                 esp, 4
            //   83c001               | push                0
            //   25ff000080           | push                0x64
            //   7907                 | push                edx
            //   48                   | add                 esp, 4
            //   0d00ffffff           | push                0

        $sequence_24 = { 44880a 410fb610 4103d1 81e2ff000080 }
            // n = 4, score = 200
            //   44880a               | inc                 esp
            //   410fb610             | mov                 byte ptr [edx], cl
            //   4103d1               | inc                 ecx
            //   81e2ff000080         | movzx               edx, byte ptr [eax]

        $sequence_25 = { 8b4508 0fb61410 03ca 81e1ff000080 }
            // n = 4, score = 200
            //   8b4508               | push                0
            //   0fb61410             | push                0
            //   03ca                 | push                eax
            //   81e1ff000080         | push                0x104

        $sequence_26 = { 488bdd 85ed 0f8e8e000000 492bfb }
            // n = 4, score = 200
            //   488bdd               | push                edx
            //   85ed                 | push                eax
            //   0f8e8e000000         | add                 esp, 4
            //   492bfb               | push                0

        $sequence_27 = { 8b4d10 038ddcfeffff 0fbe11 0fb685eefeffff }
            // n = 4, score = 200
            //   8b4d10               | mov                 eax, dword ptr [ebp + 8]
            //   038ddcfeffff         | movzx               edx, byte ptr [eax + edx]
            //   0fbe11               | add                 ecx, edx
            //   0fb685eefeffff       | mov                 byte ptr [ebp - 0x111], cl

        $sequence_28 = { 7d0a ffca 81ca00ffffff ffc2 0fb6c2 49ffc3 0fb61404 }
            // n = 7, score = 200
            //   7d0a                 | inc                 ecx
            //   ffca                 | add                 edx, ecx
            //   81ca00ffffff         | and                 edx, 0x800000ff
            //   ffc2                 | jge                 0xc
            //   0fb6c2               | dec                 edx
            //   49ffc3               | or                  edx, 0xffffff00
            //   0fb61404             | inc                 edx

        // Sequences 29-44 (score 100) embed absolute addresses in the 0x23xxxx
        // range (e.g. 0x23a9d0, 0x23a288, 0x23a7a8, 0x23b720, 0x23a6b4) and
        // RIP-relative displacements. These are tied to one sample's image
        // base / layout, so they are the least likely to generalize across
        // builds — a reason the rule is published with a 7-of-45 threshold.
        $sequence_29 = { 895c2420 e8???????? 48c747180f000000 4885c0 48895f10 488d1517da0000 }
            // n = 6, score = 100
            //   895c2420             | push                0
            //   e8????????           |                     
            //   48c747180f000000     | push                edi
            //   4885c0               | push                0x104
            //   48895f10             | push                0x104
            //   488d1517da0000       | mov                 edi, eax

        $sequence_30 = { 57 33ff 8db7d0a92300 ff36 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8db7d0a92300         | lea                 esi, [edi + 0x23a9d0]
            //   ff36                 | push                dword ptr [esi]

        $sequence_31 = { c7466888a22300 6a0d e8???????? 59 8365fc00 ff7668 }
            // n = 6, score = 100
            //   c7466888a22300       | mov                 dword ptr [esi + 0x68], 0x23a288
            //   6a0d                 | push                0xd
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   ff7668               | push                dword ptr [esi + 0x68]

        $sequence_32 = { 8b15???????? 895704 66a1???????? 66894708 8a0d???????? 884f0a e8???????? }
            // n = 7, score = 100
            //   8b15????????         |                     
            //   895704               | mov                 dword ptr [edi + 4], edx
            //   66a1????????         |                     
            //   66894708             | mov                 word ptr [edi + 8], ax
            //   8a0d????????         |                     
            //   884f0a               | mov                 byte ptr [edi + 0xa], cl
            //   e8????????           |                     

        $sequence_33 = { 52 ff95dcfeffff 8985ecfeffff 6800800000 6804010000 8b85d8feffff 50 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ff95dcfeffff         | call                dword ptr [ebp - 0x124]
            //   8985ecfeffff         | mov                 dword ptr [ebp - 0x114], eax
            //   6800800000           | push                0x8000
            //   6804010000           | push                0x104
            //   8b85d8feffff         | mov                 eax, dword ptr [ebp - 0x128]
            //   50                   | push                eax

        $sequence_34 = { e8???????? 33db 488d54245c 488b88c0000000 488d0571ac0000 48399938010000 4a8b0ce8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33db                 | push                0
            //   488d54245c           | push                0
            //   488b88c0000000       | push                0
            //   488d0571ac0000       | push                0
            //   48399938010000       | push                0
            //   4a8b0ce8             | push                eax

        $sequence_35 = { 8b4508 33c9 3b04cda8a72300 7413 41 83f92d }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   3b04cda8a72300       | cmp                 eax, dword ptr [ecx*8 + 0x23a7a8]
            //   7413                 | je                  0x15
            //   41                   | inc                 ecx
            //   83f92d               | cmp                 ecx, 0x2d

        $sequence_36 = { 48ffcd 75d4 488d1df7a40000 488b4bf8 4885c9 }
            // n = 5, score = 100
            //   48ffcd               | pop                 ebp
            //   75d4                 | ret                 
            //   488d1df7a40000       | push                ebp
            //   488b4bf8             | mov                 ebp, esp
            //   4885c9               | xor                 eax, eax

        $sequence_37 = { 7326 488bcb 488bc3 488d1582b20000 48c1f805 83e11f }
            // n = 6, score = 100
            //   7326                 | push                eax
            //   488bcb               | push                0
            //   488bc3               | push                eax
            //   488d1582b20000       | push                ebx
            //   48c1f805             | mov                 esi, eax
            //   83e11f               | push                edi

        $sequence_38 = { 488bd9 488d3d6c86ffff 488bcf e8???????? 85c0 7422 482bdf }
            // n = 7, score = 100
            //   488bd9               | push                0x104
            //   488d3d6c86ffff       | push                0x104
            //   488bcf               | mov                 edi, eax
            //   e8????????           |                     
            //   85c0                 | push                0
            //   7422                 | push                edi
            //   482bdf               | pop                 ecx

        $sequence_39 = { 7456 8b4de0 8d0c8d20b72300 8901 }
            // n = 4, score = 100
            //   7456                 | je                  0x58
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8d0c8d20b72300       | lea                 ecx, [ecx*4 + 0x23b720]
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_40 = { e8???????? 85c0 0f84bc020000 488d059bac0000 4a8b04e8 41f644040880 0f84a5020000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [esp + 0x20], ebx
            //   0f84bc020000         | dec                 eax
            //   488d059bac0000       | mov                 dword ptr [edi + 0x18], 0xf
            //   4a8b04e8             | dec                 eax
            //   41f644040880         | test                eax, eax
            //   0f84a5020000         | dec                 eax

        $sequence_41 = { 7420 488d15bd580000 488bcb ff15???????? 488bc8 ff15???????? }
            // n = 6, score = 100
            //   7420                 | push                0
            //   488d15bd580000       | push                0
            //   488bcb               | push                0
            //   ff15????????         |                     
            //   488bc8               | push                0
            //   ff15????????         |                     

        // NOTE(review): $sequence_42 decodes to nonsense instructions
        // (`add byte ptr [ebx + edx*2], al`, `ror ... [edx - 0x75f877fa], 1`),
        // which suggests the generator picked up data (the 0x23xxxx pointer
        // bytes again) rather than code; it is the weakest string in the rule.
        $sequence_42 = { 000453 2300 285323 0023 d18a0688078a 46 }
            // n = 6, score = 100
            //   000453               | add                 byte ptr [ebx + edx*2], al
            //   2300                 | and                 eax, dword ptr [eax]
            //   285323               | sub                 byte ptr [ebx + 0x23], dl
            //   0023                 | add                 byte ptr [ebx], ah
            //   d18a0688078a         | ror                 dword ptr [edx - 0x75f877fa], 1
            //   46                   | inc                 esi

        $sequence_43 = { 48833d????????00 741e 488d0de59b0000 e8???????? 85c0 740e }
            // n = 6, score = 100
            //   48833d????????00     |                     
            //   741e                 | push                eax
            //   488d0de59b0000       | push                0x104
            //   e8????????           |                     
            //   85c0                 | push                0x104
            //   740e                 | mov                 edi, eax

        $sequence_44 = { 0fb6c0 eb12 8b45e0 8a80b4a62300 08443b1d 0fb64601 }
            // n = 6, score = 100
            //   0fb6c0               | movzx               eax, al
            //   eb12                 | jmp                 0x14
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8a80b4a62300         | mov                 al, byte ptr [eax + 0x23a6b4]
            //   08443b1d             | or                  byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx               eax, byte ptr [esi + 1]

    condition:
        // Any 7 of the 45 $sequence_* strings must be present, and the scanned
        // object must be smaller than 262144 bytes (256 KiB). The size cap
        // keeps false positives down on large binaries but also means a bigger
        // (e.g. statically linked or bundled) Skipper build would be missed;
        // NOTE(review): whether `filesize` is meaningful for process-memory
        // scans depends on the scanner — confirm for your deployment.
        7 of them and filesize < 262144
}