
@hyuunnn
Created February 17, 2024 09:20
/*
YARA Rule Set
Author: hyuunnn
Date: 2024-02-17
Identifier: testtestt
Reference: https://github.com/Neo23x0/yarGen
*/
/* Rule Set ----------------------------------------------------------------- */
/*
 HiddenCobra_BANKSHOT - yarGen-generated signature derived from a single sample (hash1).
 Fires on a file that starts with the MZ magic (uint16(0) == 0x5a4d), is smaller than 300KB,
 contains $x1, has at least four string matches overall, and contains all three $op* byte
 sequences.
 NOTE(review): $x1 and most $s* values are hostnames of widely used legitimate services, so each
 is a weak indicator on its own; presumably the $op* sequences carry most of the specificity.
 Run the rule against a goodware set before using it for alerting.
*/
rule HiddenCobra_BANKSHOT {
meta:
description = "testtestt - file HiddenCobra_BANKSHOT"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "aaf4467eb67195527d4cad485e63f3d3302c50604dd4398ae9a64d337519a897"
strings:
$x1 = "login.postini.com" fullword ascii /* score: '37.00'*/
$s2 = "secure.logmein.com" fullword ascii /* score: '26.00'*/
$s3 = "accounts.google.com" fullword ascii /* score: '24.00'*/
$s4 = "support.msn.com" fullword ascii /* score: '24.00'*/
$s5 = "support.oracle.com" fullword ascii /* score: '24.00'*/
$s6 = "supportprofile.apple.com" fullword ascii /* score: '24.00'*/
$s7 = "secure.shared.live.com" fullword ascii /* score: '24.00'*/
$s8 = "C:\\Windows\\Temp\\~DF01.dat" fullword ascii /* score: '24.00'*/
$s9 = "AdobeARM.exe" fullword wide /* score: '22.00'*/
$s10 = "secure.skypeassets.com" fullword ascii /* score: '21.00'*/
$s11 = "urs.microsoft.com" fullword ascii /* score: '21.00'*/
$s12 = "www.paypalobjects.com" fullword ascii /* score: '21.00'*/
$s13 = "verify.adobe.com" fullword ascii /* score: '21.00'*/
$s14 = "www.adobetag.com" fullword ascii /* score: '21.00'*/
$s15 = "www.linkedin.com" fullword ascii /* score: '21.00'*/
$s16 = "csc.beap.bc.yahoo.com" fullword ascii /* score: '21.00'*/
$s17 = "skydrive.live.com" fullword ascii /* score: '21.00'*/
$s18 = "www.apple.com" fullword ascii /* score: '21.00'*/
$s19 = "secure.skype.com" fullword ascii /* score: '21.00'*/
$s20 = "www.paypal.com" fullword ascii /* score: '21.00'*/
/* Byte sequences; all three are required by the condition. */
$op0 = { ff 45 0c 83 7d 0c 78 0f 8c 1a ff ff ff ff 75 ec }
$op1 = { 01 44 24 fc 83 ec 04 5d 05 f8 ff ff ff 39 5c 24 }
$op2 = { 56 68 83 34 12 00 53 e8 6c 13 00 00 83 c4 0c 85 }
/*
 `them` counts every declared string, including $x* and $op*. Once `1 of ($x*)` and
 `all of ($op*)` hold, four strings have already matched, so `4 of them` adds no constraint
 and none of the $s* strings is actually required.
 NOTE(review): if the $s* strings are meant to contribute, `4 of ($s*)` would express that -
 confirm against the sample set before changing the condition.
*/
condition:
uint16(0) == 0x5a4d and filesize < 300KB and
( 1 of ($x*) and 4 of them and all of ($op*) )
}
/*
 Signature for the sample "joanap2" (hash1), generated by yarGen.
 Fires on a file that starts with the MZ magic, is smaller than 200KB, has at least eight
 string matches overall and contains all three $op* byte sequences.
 NOTE(review): the rule name looks like it was derived from a local filesystem path on the
 author's machine; consider a descriptive name before sharing the rule. Renaming changes the
 identifier that consumers of the rule see.
 Several strings are annotated by the generator as goodware strings or carry low scores
 ($s13 and $s17-$s20), and $s2 is a URL on a widely used legitimate domain.
*/
rule _mnt_c_Users_hyuunnnn_Desktop_testtestt_joanap2 {
meta:
description = "testtestt - file joanap2"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "9a179e1ca07c1f16c4c1c4ee517322d390cbab34b5d123a876b38d08da1face4"
strings:
$s1 = "mssvcdll.dll" fullword ascii /* score: '23.00'*/
$s2 = "https://www.google.com/index.html" fullword ascii /* score: '17.00'*/
$s3 = "rundll" fullword ascii /* score: '13.00'*/
$s4 = ">4>:>>?D?" fullword ascii /* score: '9.00'*/ /* hex encoded string 'M' */
$s5 = "??0CMssvcdll@@QAE@XZ" fullword ascii /* score: '9.00'*/
$s6 = "??4CMssvcdll@@QAEAAV0@ABV0@@Z" fullword ascii /* score: '9.00'*/
$s7 = "?fnMssvcdll@@YAHXZ" fullword ascii /* score: '9.00'*/
$s8 = "?nMssvcdll@@3HA" fullword ascii /* score: '9.00'*/
$s9 = "%%s\\%%s%%0%dd.%%s" fullword ascii /* score: '8.00'*/
$s10 = "%%s\\%%s%%0%dd" fullword ascii /* score: '8.00'*/
$s11 = "Empty key" fullword ascii /* score: '7.00'*/
$s12 = "Incorrect key length" fullword ascii /* score: '7.00'*/
$s13 = "ServiceMain" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.61'*/ /* Goodware String - occured 391 times */
$s14 = "iamsorry!@1234567" fullword ascii /* score: '4.00'*/
$s15 = "1A2z3B4y5C6x7D8w9E0v$F_uGtHsIrJqKpLoMnNmOlPkQjRiShTgUfVeWdXcYbZa" fullword ascii /* score: '4.00'*/
$s16 = "9025jhdho39ehe2" fullword ascii /* score: '4.00'*/
$s17 = "F~TbKwZi" fullword ascii /* score: '4.00'*/ /* Goodware String - occured 1 times */
$s18 = "SbE\\lHtQeF" fullword ascii /* score: '4.00'*/ /* Goodware String - occured 1 times */
$s19 = "QeTbF~ZiKw" fullword ascii /* score: '4.00'*/ /* Goodware String - occured 1 times */
$s20 = "QeFbF~TiKwZ" fullword ascii /* score: '4.00'*/ /* Goodware String - occured 1 times */
/* Byte sequences; all three are required by the condition. */
$op0 = { f7 f9 8b 34 95 94 10 01 10 eb 1a ff d7 8b f0 81 }
$op1 = { 8d 4c 24 08 51 e8 90 ff ff ff 6a 00 68 30 75 00 }
$op2 = { ff 15 84 1a 01 10 8b 6c 24 48 8d 54 24 34 52 ff }
/*
 `them` includes the three $op* patterns, which are required anyway, so `8 of them`
 effectively asks for any five of the twenty $s* strings.
*/
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
( 8 of them and all of ($op*) )
}
/*
 Signature for the sample "RIFLE_subs" (hash1), generated by yarGen.
 Fires on a file that starts with the MZ magic, is smaller than 300KB, has at least eight
 string matches overall and contains all three $op* byte sequences.
 NOTE(review): a large share of the $s* strings appear to be compiler runtime text and
 application-manifest XML ($s2, $s3, $s5-$s8, $s10, $s13), and $s11 is the standard Base64
 alphabet, which the generator itself marks as a goodware string (802 occurrences). These
 can satisfy the string count without indicating anything about the sample family.
 $s12, $s14 and $s16-$s20 look like Base64-encoded data - presumably configuration or
 encoded strings; confirm by decoding in the analysis environment.
*/
rule RIFLE_subs {
meta:
description = "testtestt - file RIFLE_subs"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "e777a78c907979591ae858a825b46d5e16754aa803cc7f284fd7709bccafadcc"
strings:
$s1 = "%s\\cmd.exe /c %s" fullword ascii /* score: '30.00'*/
$s2 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii /* score: '15.00'*/
$s3 = " Type Descriptor'" fullword ascii /* score: '10.00'*/
$s4 = "3*333`3{3" fullword ascii /* score: '9.00'*/ /* hex encoded string '333' */
$s5 = " constructor or from DllMain." fullword ascii /* score: '9.00'*/
$s6 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii /* score: '7.00'*/
$s7 = " Class Hierarchy Descriptor'" fullword ascii /* score: '6.00'*/
$s8 = " Base Class Descriptor at (" fullword ascii /* score: '6.00'*/
$s9 = "asdfazxvczxvczxvadsf4" fullword ascii /* score: '5.00'*/
$s10 = " Complete Object Locator'" fullword ascii /* score: '5.00'*/
$s11 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" fullword ascii /* PEStudio Blacklist: strings */ /* score: '4.20'*/ /* Goodware String - occured 802 times */
$s12 = "ktvY3g+RHKcS" fullword ascii /* score: '4.00'*/
$s13 = " </trustInfo>" fullword ascii /* score: '4.00'*/
$s14 = "ltra3juWFbYU2mZIxASI8M8W33xF1WRRfg==" fullword ascii /* score: '4.00'*/
$s15 = "070A0T0x0" fullword ascii /* score: '4.00'*/ /* Goodware String - occured 1 times */
$s16 = "md3A3w+RArEn+Xtnzis=" fullword ascii /* score: '4.00'*/
$s17 = "nMbXyz2wEbE7+3N/yg==" fullword ascii /* score: '4.00'*/
$s18 = "qN3A0iedBOw3034=" fullword ascii /* score: '4.00'*/
$s19 = "mNHa7jqdAowy0ndK" fullword ascii /* score: '4.00'*/
$s20 = "ltrHzyCZHKsp2lF5wh6P9s0O6X111WxKdQ==" fullword ascii /* score: '4.00'*/
/* Byte sequences; all three are required by the condition. */
$op0 = { 83 ec 3c a1 44 50 41 00 33 c4 89 44 24 34 8b 44 }
$op1 = { 8b c7 5f 5b 33 cc e8 79 34 00 00 8b e5 5d c3 cc }
$op2 = { e8 2d ff ff ff 83 c4 04 3b c7 75 47 57 56 e8 5f }
/*
 `them` includes the three $op* patterns, which are required anyway, so `8 of them`
 effectively asks for any five of the twenty $s* strings.
*/
condition:
uint16(0) == 0x5a4d and filesize < 300KB and
( 8 of them and all of ($op*) )
}
/*
 Signature for the sample "RIFLE_substitution" (hash1), generated by yarGen.
 Fires on a file that starts with the MZ magic, is smaller than 600KB, has at least eight
 string matches overall and contains all three $op* byte sequences.
 The string set mixes manifest/runtime text ($s1, $s2), short names ending in ".LMM" or
 ".PgP" ($s3-$s15, $s17, $s18), two hard-coded https URLs ($s16, $s19) and a browser
 User-Agent fragment ($s20).
 NOTE(review): the ".LMM" names look like encoded file or library names - presumably produced
 by a character substitution, given the sample name; confirm during analysis.
*/
rule RIFLE_substitution {
meta:
description = "testtestt - file RIFLE_substitution"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "9ace096d8e4e6cea51ab9fdfff37b9596c92c95998b7215e6e499de6a9685164"
strings:
$s1 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii /* score: '15.00'*/
$s2 = " Type Descriptor'" fullword ascii /* score: '10.00'*/
$s3 = "8EWMMKf.LMM" fullword ascii /* score: '10.00'*/
$s4 = "OBuECC1.LMM" fullword ascii /* score: '10.00'*/
$s5 = "PgXHp9P9.PgP" fullword ascii /* score: '10.00'*/
$s6 = "OBuBuWC.LMM" fullword ascii /* score: '10.00'*/
$s7 = "8EMOc1B.LMM" fullword ascii /* score: '10.00'*/
$s8 = "A8WqWuk.LMM" fullword ascii /* score: '10.00'*/
$s9 = "5WquWMKf.LMM" fullword ascii /* score: '10.00'*/
$s10 = "bMWKf.LMM" fullword ascii /* score: '10.00'*/
$s11 = "cLkc1BKf.LMM" fullword ascii /* score: '10.00'*/
$s12 = "B6cFWEM1.LMM" fullword ascii /* score: '10.00'*/
$s13 = "A8WqKf.LMM" fullword ascii /* score: '10.00'*/
$s14 = "bMWcII.LMM" fullword ascii /* score: '10.00'*/
$s15 = "uWCc1BKf.LMM" fullword ascii /* score: '10.00'*/
$s16 = "https://cbi.hanyang.ac.kr/skin/page/board.asp" fullword ascii /* score: '10.00'*/
$s17 = "FLBKf.LMM" fullword ascii /* score: '10.00'*/
$s18 = "O8fxKf.LMM" fullword ascii /* score: '10.00'*/
$s19 = "https://www.asps.co.kr/media/view.asp" fullword ascii /* score: '10.00'*/
$s20 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)" fullword ascii /* score: '9.00'*/
/* Byte sequences; all three are required by the condition. */
$op0 = { c1 eb 10 89 75 f0 0f b6 f3 8b 34 b5 a0 cd 41 00 }
$op1 = { c1 eb 08 0f b6 f3 8b 34 b5 a0 d1 41 00 8b 5d f0 }
$op2 = { 80 c7 46 44 ff ff ff ff c6 46 40 00 ff 15 4c a0 }
/*
 `them` includes the three $op* patterns, which are required anyway, so `8 of them`
 effectively asks for any five of the twenty $s* strings.
*/
condition:
uint16(0) == 0x5a4d and filesize < 600KB and
( 8 of them and all of ($op*) )
}
/*
 Signature for the sample "s_transform" (hash1), generated by yarGen.
 Fires on a file that starts with the MZ magic, is smaller than 300KB, contains $x1, has at
 least four string matches overall and contains all three $op* byte sequences.
 Most strings are DLL or API names carrying an "S^" prefix; $s2 and $s9 are truncated manifest
 fragments and are the only strings declared without `fullword`.
 $op0 is 11 bytes long, shorter than the 16-byte $op1 and $op2.
*/
rule s_transform {
meta:
description = "testtestt - file s_transform"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "396eea82de08d59370ecceb66be1512b2a84b02660ee4f5a26a0b940dacf18f3"
strings:
$x1 = "S^%s\\cmd.exe /c %s" fullword ascii /* score: '33.00'*/
$s2 = "curity><requestedPrivileges><requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel></requeste" ascii /* score: '23.00'*/
$s3 = "S^Kernel32.dll" fullword ascii /* score: '20.00'*/
$s4 = "S^Iphlpapi.dll" fullword ascii /* score: '20.00'*/
$s5 = "S^wininet.dll" fullword ascii /* score: '20.00'*/
$s6 = "S^GetProcessHeap" fullword ascii /* score: '20.00'*/
$s7 = "S^nehomegpa.dll" fullword ascii /* score: '20.00'*/
$s8 = "S^Advapi32.dll" fullword ascii /* score: '20.00'*/
$s9 = "re xmlns:ms_windowsSettings=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\" xmlns=\"http://schemas.microsoft.com/SMI/2" ascii /* score: '17.00'*/
$s10 = "S^Ws2_32.dll" fullword ascii /* score: '17.00'*/
$s11 = "S^WinExec" fullword ascii /* score: '16.00'*/
$s12 = "S^GetTempPathA" fullword ascii /* score: '16.00'*/
$s13 = "Command is [%s]" fullword ascii /* score: '15.00'*/
$s14 = "S^CreateMutexA" fullword ascii /* score: '15.00'*/
$s15 = "Login Success!" fullword ascii /* score: '15.00'*/
$s16 = "S^ReleaseMutex" fullword ascii /* score: '15.00'*/
$s17 = "S^CreateProcessA" fullword ascii /* score: '15.00'*/
$s18 = "S^TerminateProcess" fullword ascii /* score: '15.00'*/
$s19 = "S^HttpAddRequestHeadersA" fullword ascii /* score: '12.00'*/
$s20 = "S^GetLastError" fullword ascii /* score: '12.00'*/
/* Byte sequences; all three are required by the condition. */
$op0 = { 33 f6 83 fe 10 7d 34 6a 00 b9 10 }
$op1 = { e9 18 ff ff ff 68 88 13 41 00 e8 e6 10 00 00 a1 }
$op2 = { e8 82 e6 ff ff 6a 16 58 5d c3 8b 0d 7c 34 41 00 }
/*
 `them` counts every declared string, including $x* and $op*. Once `1 of ($x*)` and
 `all of ($op*)` hold, four strings have already matched, so `4 of them` adds no constraint
 and none of the $s* strings is actually required.
 NOTE(review): if the $s* strings are meant to contribute, `4 of ($s*)` would express that -
 confirm against the sample set before changing the condition.
*/
condition:
uint16(0) == 0x5a4d and filesize < 300KB and
( 1 of ($x*) and 4 of them and all of ($op*) )
}
/*
 Signature for the sample "joanap" (hash1), generated by yarGen.
 Fires on a file that starts with the MZ magic, is smaller than 300KB, contains at least one
 $x* string, has at least four string matches overall and contains all three $op* byte
 sequences.
 The $x* strings are cmd.exe command lines, three of which create, grant access to or delete a
 share named "adnim$"; $s8 is a UNC path template that uses the same share name.
 $s13, $s14, $s17, $s19 and $s20 look like entries from a password list and are generic on
 their own.
 NOTE(review): the rule name looks like it was derived from a local filesystem path on the
 author's machine; consider a descriptive name before sharing the rule. Renaming changes the
 identifier that consumers of the rule see.
*/
rule _mnt_c_Users_hyuunnnn_Desktop_testtestt_joanap {
meta:
description = "testtestt - file joanap"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b"
strings:
$x1 = "cmd.exe /q /c net share adnim$=%%SystemRoot%% /GRANT:%s,FULL" fullword ascii /* score: '48.50'*/
$x2 = "cmd.exe /q /c net share adnim$=%SystemRoot%" fullword ascii /* score: '43.00'*/
$x3 = "cmd.exe /q /c net share adnim$ /delete" fullword ascii /* score: '39.00'*/
$x4 = "cmd.exe /c %s %d.%d.%d.%d %d" fullword ascii /* score: '36.00'*/
$s5 = "SVCH0ST.EXE" fullword wide /* score: '22.00'*/
$s6 = "\\svchost.exe" fullword ascii /* score: '21.00'*/
$s7 = "LoadLibrary( NTDLL.DLL ) Error:%d" fullword ascii /* score: '19.00'*/
$s8 = "\\\\%s\\adnim$\\system32\\%s" fullword ascii /* score: '18.50'*/
$s9 = "msvcrt.bat" fullword ascii /* score: '18.00'*/
$s10 = "Failed to create service %s, error code = %d" fullword ascii /* score: '15.50'*/
$s11 = "LogonUser Error!" fullword ascii /* score: '15.00'*/
$s12 = "perfw06.dat" fullword ascii /* score: '14.00'*/
$s13 = "password123" fullword ascii /* score: '13.00'*/
$s14 = "iloveyou" fullword ascii /* PEStudio Blacklist: strings */ /* score: '13.00'*/
$s15 = "password <=14" fullword ascii /* score: '12.00'*/
$s16 = "\\perfw06.dat" fullword ascii /* score: '12.00'*/
$s17 = "password." fullword ascii /* score: '12.00'*/
$s18 = "%s User or Password is not correct!" fullword ascii /* score: '12.00'*/
$s19 = "temp123" fullword ascii /* score: '12.00'*/
$s20 = "1password" fullword ascii /* score: '12.00'*/
/* Byte sequences; all three are required by the condition. */
$op0 = { c7 01 f8 91 40 00 c3 56 8b f1 e8 f1 ff ff ff f6 }
$op1 = { c7 45 e0 78 56 34 12 89 75 ec ff 15 40 91 40 00 }
$op2 = { e8 c6 4b 00 00 85 c0 7e 10 56 e8 8d ff ff ff 85 }
/*
 `them` counts every declared string, including $x* and $op*. Once `1 of ($x*)` and
 `all of ($op*)` hold, four strings have already matched, so `4 of them` adds no constraint
 and none of the $s* strings is actually required.
 NOTE(review): if the $s* strings are meant to contribute, `4 of ($s*)` would express that -
 confirm against the sample set before changing the condition.
*/
condition:
uint16(0) == 0x5a4d and filesize < 300KB and
( 1 of ($x*) and 4 of them and all of ($op*) )
}
/* Super Rules ------------------------------------------------------------- */
/*
 yarGen "super rule" described as built from strings shared by three samples (hash1-hash3).
 All eight $s* strings appear to be C++ runtime text (type-descriptor and operator names) of
 the kind found in many compiled programs; the generator scores them between 0 and 10.
 NOTE(review): the three $op* sequences are byte-for-byte the ones declared in rule
 s_transform in this file. Because the condition requires every string, the rule can only
 match files containing those exact sequences - confirm that all three listed samples do.
*/
rule _RIFLE_subs_RIFLE_substitution_s_transform_0 {
meta:
description = "testtestt - from files RIFLE_subs, RIFLE_substitution, s_transform"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "e777a78c907979591ae858a825b46d5e16754aa803cc7f284fd7709bccafadcc"
hash2 = "9ace096d8e4e6cea51ab9fdfff37b9596c92c95998b7215e6e499de6a9685164"
hash3 = "396eea82de08d59370ecceb66be1512b2a84b02660ee4f5a26a0b940dacf18f3"
strings:
$s1 = " Type Descriptor'" fullword ascii /* score: '10.00'*/
$s2 = " Class Hierarchy Descriptor'" fullword ascii /* score: '6.00'*/
$s3 = " Base Class Descriptor at (" fullword ascii /* score: '6.00'*/
$s4 = " Complete Object Locator'" fullword ascii /* score: '5.00'*/
$s5 = " delete[]" fullword ascii /* score: '4.00'*/
$s6 = " delete" fullword ascii /* score: '3.00'*/
$s7 = " new[]" fullword ascii /* score: '1.00'*/
$s8 = " Base Class Array'" fullword ascii /* score: '0.00'*/
$op0 = { 33 f6 83 fe 10 7d 34 6a 00 b9 10 }
$op1 = { e9 18 ff ff ff 68 88 13 41 00 e8 e6 10 00 00 a1 }
$op2 = { e8 82 e6 ff ff 6a 16 58 5d c3 8b 0d 7c 34 41 00 }
/*
 The second branch, `( all of them )`, has no header or size test and is implied by the first
 branch, so the whole condition is equivalent to `all of them`: the MZ magic and the 600KB
 limit never exclude a file. Data that is not a PE file on disk (for example a memory image)
 therefore matches as well.
 NOTE(review): decide whether that is intended for the scanning context this rule is used in.
*/
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and ( all of them ) and all of ($op*)
) or ( all of them )
}
/*
 yarGen "super rule" described as built from strings shared by the samples joanap and joanap2
 (hash1, hash2).
 $s1-$s3 are longer distinctive strings; $s4-$s6 are short fragments that the generator
 scores at 1.00.
 NOTE(review): the three $op* sequences are byte-for-byte the ones declared in the joanap2
 rule in this file. Because the condition requires every string, the rule can only match
 files containing those exact sequences - confirm that both listed samples do.
*/
rule _joanap_joanap2_1 {
meta:
description = "testtestt - from files joanap, joanap2"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b"
hash2 = "9a179e1ca07c1f16c4c1c4ee517322d390cbab34b5d123a876b38d08da1face4"
strings:
$s1 = "iamsorry!@1234567" fullword ascii /* score: '4.00'*/
$s2 = "1A2z3B4y5C6x7D8w9E0v$F_uGtHsIrJqKpLoMnNmOlPkQjRiShTgUfVeWdXcYbZa" fullword ascii /* score: '4.00'*/
$s3 = "9025jhdho39ehe2" fullword ascii /* score: '4.00'*/
$s4 = "t+SWj " fullword ascii /* score: '1.00'*/
$s5 = "_[j Y^+M" fullword ascii /* score: '1.00'*/
$s6 = "tVj@^;" fullword ascii /* score: '1.00'*/
$op0 = { f7 f9 8b 34 95 94 10 01 10 eb 1a ff d7 8b f0 81 }
$op1 = { 8d 4c 24 08 51 e8 90 ff ff ff 6a 00 68 30 75 00 }
$op2 = { ff 15 84 1a 01 10 8b 6c 24 48 8d 54 24 34 52 ff }
/*
 The second branch, `( all of them )`, has no header or size test and is implied by the first
 branch, so the whole condition is equivalent to `all of them`: the MZ magic and the 300KB
 limit never exclude a file. Data that is not a PE file on disk (for example a memory image)
 therefore matches as well.
 NOTE(review): decide whether that is intended for the scanning context this rule is used in.
*/
condition:
( uint16(0) == 0x5a4d and filesize < 300KB and ( all of them ) and all of ($op*)
) or ( all of them )
}
/*
 yarGen "super rule" described as built from strings shared by the samples
 HiddenCobra_BANKSHOT and RIFLE_substitution (hash1, hash2).
 Every $s* string is annotated by the generator as a goodware string and scores 4.00 or less.
 NOTE(review): the messages look like diagnostics from an embedded compression library, which
 would also be present in unrelated software that links the same code - confirm the origin
 before treating them as family indicators.
 NOTE(review): the three $op* sequences are byte-for-byte the ones declared in rule
 RIFLE_substitution in this file. Both branches of the condition require them, so confirm
 that both listed samples contain those exact sequences.
*/
rule _HiddenCobra_BANKSHOT_RIFLE_substitution_2 {
meta:
description = "testtestt - from files HiddenCobra_BANKSHOT, RIFLE_substitution"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "aaf4467eb67195527d4cad485e63f3d3302c50604dd4398ae9a64d337519a897"
hash2 = "9ace096d8e4e6cea51ab9fdfff37b9596c92c95998b7215e6e499de6a9685164"
strings:
$s1 = "ct_init: length != 256" fullword ascii /* score: '4.00'*/ /* Goodware String - occured 1 times */
$s2 = "ct_init: dist != 256" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s3 = "more < 2" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s4 = "bad compressed size" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s5 = "not enough codes" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s6 = "bad d_code" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s7 = "ct_tally: bad match" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s8 = "ct_init: 256+dist != 512" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s9 = "insufficient lookahead" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s10 = "no future" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s11 = "inconsistent bit counts" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s12 = "wild scan" fullword ascii /* score: '3.00'*/ /* Goodware String - occured 2 times */
$s13 = "too many codes" fullword ascii /* score: '1.00'*/ /* Goodware String - occured 4 times */
$s14 = "bad pack level" fullword ascii /* score: '0.00'*/ /* Goodware String - occured 5 times */
$op0 = { c1 eb 10 89 75 f0 0f b6 f3 8b 34 b5 a0 cd 41 00 }
$op1 = { c1 eb 08 0f b6 f3 8b 34 b5 a0 d1 41 00 8b 5d f0 }
$op2 = { 80 c7 46 44 ff ff ff ff c6 46 40 00 ff 15 4c a0 }
/*
 Two ways to match:
   1. MZ magic, size below 600KB, all three $op* patterns and at least eight strings overall.
      `them` includes $op*, so this amounts to any five of the fourteen $s* strings.
   2. Every declared string present, with no header or size test.
 Anything matching branch 2 inside a PE file below 600KB also matches branch 1; branch 2 only
 adds data that is not a PE file on disk or is 600KB or larger.
*/
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and ( 8 of them ) and all of ($op*)
) or ( all of them )
}
/*
 yarGen "super rule" described as built from strings shared by the samples RIFLE_subs and
 RIFLE_substitution (hash1, hash2).
 All five $s* strings are fragments of an application-manifest trustInfo block, which is
 generic on its own; any specificity comes from the $op* sequences.
 NOTE(review): the three $op* sequences are byte-for-byte the ones declared in rule
 RIFLE_substitution in this file. Because the condition requires every string, the rule can
 only match files containing those exact sequences - confirm that both listed samples do.
*/
rule _RIFLE_subs_RIFLE_substitution_3 {
meta:
description = "testtestt - from files RIFLE_subs, RIFLE_substitution"
author = "hyuunnn"
reference = "https://github.com/Neo23x0/yarGen"
date = "2024-02-17"
hash1 = "e777a78c907979591ae858a825b46d5e16754aa803cc7f284fd7709bccafadcc"
hash2 = "9ace096d8e4e6cea51ab9fdfff37b9596c92c95998b7215e6e499de6a9685164"
strings:
$s1 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>" fullword ascii /* score: '15.00'*/
$s2 = " <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">" fullword ascii /* score: '7.00'*/
$s3 = " </trustInfo>" fullword ascii /* score: '4.00'*/
$s4 = " <requestedPrivileges>" fullword ascii /* score: '2.00'*/
$s5 = " </requestedPrivileges>" fullword ascii /* score: '2.00'*/
$op0 = { c1 eb 10 89 75 f0 0f b6 f3 8b 34 b5 a0 cd 41 00 }
$op1 = { c1 eb 08 0f b6 f3 8b 34 b5 a0 d1 41 00 8b 5d f0 }
$op2 = { 80 c7 46 44 ff ff ff ff c6 46 40 00 ff 15 4c a0 }
/*
 The second branch, `( all of them )`, has no header or size test and is implied by the first
 branch, so the whole condition is equivalent to `all of them`: the MZ magic and the 600KB
 limit never exclude a file. Data that is not a PE file on disk (for example a memory image)
 therefore matches as well.
 NOTE(review): decide whether that is intended for the scanning context this rule is used in.
*/
condition:
( uint16(0) == 0x5a4d and filesize < 600KB and ( all of them ) and all of ($op*)
) or ( all of them )
}