Insurance Sector Targeted Malware Analysis Report

Author: Threat Intelligence Team
Release Date: 22.03.2022
Report ID: MARBD19032022

Overview

In this report prepared by Brandefense Intelligence Analysts, the malicious file named "megane_2018_1.8_ruhsat.rar", which targets the employees of insurance companies operating in Turkey, has been examined. The malware attack, which triggers a RAT (Remote Access Trojan), is shared in the report with technical details.

It has features called "InfoStealer" in infected systems; it has been observed that it engages in activities aimed at obtaining users' personal and payment information. The technical features and behavior of the malicious software examined here are thought to be beneficial to cybersecurity products, SOC employees, and teams.

The characteristics of the malware's activities in the infected systems should be considered crucial know-how in the detection and prevention stages. Therefore, it is recommended that the IoC findings and YARA rules shared in the last sections of the report be saved to security devices and blocked indefinitely.

It is recommended to raise awareness of the institution's employees against malicious software attacks carried out with similar goals and motivations, and to provide basic-level cybersecurity training for the employees.

Technical Analysis

The malware sample examined in the report consists of a malicious 2-stage payload. The first-stage payload of the software is named Hamburgerci.exe. Hamburgerci.exe was used to ensure persistence and to install the open-source QuasarRAT malware, used as the second-stage payload, on the target system.

Registry Change and System Persistence

When the program called Hamburgerci.exe is run, it saves the file path specified below to the registry in order to ensure persistence on the target system:

• C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleener.exe
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ccleener

This behavior means that the malware will run itself as CCleener.exe, launching every time the computer boots up.

Malicious File Details

SHA256: 59ff1b4d1e6596c67ea9d07eb11160773a9bba6a302964cc9314de9187276024
SSDEEP: 1536:FlnyfA7AXGa05wCHnIbd0Kk/E+N6Rccb:qA74Ga05wwgs/E+Nqccb
File Type: Win32 EXE

Figure 1: Registry Change Made by Hamburgerci.exe for Persistence

After the registry change mentioned above is made, the actions explained in the following Process Activity section take place.

This section covers the second-stage payload; the persistence mechanisms that QuasarRAT can implement will also be mentioned.

QuasarRAT uses different persistence techniques depending on the type of user logged into the operating system. For example, if the user is "Admin," it uses the Scheduled Tasks functionality. Otherwise, it uses the Software\Microsoft\Windows\CurrentVersion\Run registry key.

Figure 2: Persistence mechanism selection based on logged-in user type

Process Activity and Evasion

After the Hamburgerci.exe file is run and it completes the registry change necessary for persistence, it starts a process called MSBuild.exe.

This behavior is seen as an effort to stay hidden by impersonating the legitimate Windows process MSBuild.exe. However, the MSBuild process, which was launched as the second-stage payload, was found to be the open-source malware QuasarRAT.

Mutex Creation

A Mutex object named QSR_MUTEX_<random 18 characters> is created to ensure resource management on the target system and to ensure that only one instance of the program is running at a time. For example, QSR_MUTEX_o3tx54dW3kzxA7agCL is a sample Mutex object created by QuasarRAT, and the Mutex value will change each time the program is rerun.

Network Interaction

Quasar makes an HTTP GET request to http://ip-api.com/json to obtain network configuration information such as the IP address, country, and ISP of the target system it is running on. It uses the User-Agent Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 when making this request. The User-Agent in question belongs to the Firefox browser running on Windows 8.1. Another detected User-Agent is:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A

The QuasarRAT initiates a TCP connection with IP 3.66.30.119 and port 3131.

Figure 3: Piece of Code Used to Open a TCP Connection to a Remote Server

No domain resolution under attacker control is performed in the network communication of the analyzed malware sample. Instead of a domain, the IP address is kept hard-coded in the program. We have determined that the IP address in question is hosted on Amazon AWS.
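Detection logic for the behaviours described in the persistence, process-activity and network sections above, as an added example that is not part of the report: a small Go hunt over constructed, Sysmon-style telemetry. The C2 endpoint and the two User-Agent strings are the report's; the Event shape, the rule names, the list of imitated product names and the sample events are assumptions of the example. It goes one step beyond the report's literal indicator in one place: instead of matching the name Ccleener, it flags any Run-key value whose name is within edit distance 2 of a known product name while its command points into the user profile, which also catches the next misspelling.

```go
package main

import "strings"

// Event is a constructed, minimal view of the telemetry a hunt needs (loosely modelled on Sysmon records).
type Event struct {
	Kind, Image, ParentImage string // "process", "registry", "network" or "http"; acting process; its parent
	TargetKey, Data          string // registry events: value path written, value data (the autorun command)
	DestIP, UserAgent        string // network events: destination; http events: proxy-logged User-Agent
	DestPort                 int
}

// Indicators from the report: the hard-coded C2 endpoint and the User-Agents sent to ip-api.com.
const c2IP, c2Port = "3.66.30.119", 3131

var iocUserAgents = map[string]bool{
	"Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0": true,
	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A": true,
}

// Assumption, not from the report: product names that look-alike autorun entries (Ccleener vs CCleaner) imitate.
var imitatedNames = []string{"ccleaner", "chrome", "onedrive", "teams"}

func baseName(p string) string { return strings.ToLower(p[strings.LastIndex(p, `\`)+1:]) }

// userWritable reports whether a path sits under the user profile, where a standard user can write.
func userWritable(p string) bool { return strings.Contains(strings.ToLower(p), `\appdata\`) }

// levenshtein is the edit distance between a and b, used to spot look-alike value names.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution (free when the bytes match)
			if a[i-1] != b[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(b)]
}

// Evaluate returns the names of the detection rules one event trips (nil for a clean event).
func Evaluate(e Event) (hits []string) {
	switch e.Kind {
	case "registry":
		if key := strings.ToLower(e.TargetKey); strings.Contains(key, `\currentversion\run\`) {
			for _, legit := range imitatedNames { // near miss of a product name, launched from userland
				if d := levenshtein(baseName(key), legit); d > 0 && d <= 2 && userWritable(e.Data) {
					hits = append(hits, "run_key_lookalike_name_userland_path")
					break
				}
			}
			if strings.Contains(strings.ToLower(e.Data), `\programs\startup\`) { // double persistence, as in the report
				hits = append(hits, "run_key_points_into_startup_folder")
			}
		}
	case "process":
		if baseName(e.Image) == "msbuild.exe" && userWritable(e.ParentImage) {
			hits = append(hits, "msbuild_spawned_from_userland")
		}
	case "network":
		if e.DestIP == c2IP && e.DestPort == c2Port {
			hits = append(hits, "quasar_c2_ioc")
		}
		if baseName(e.Image) == "msbuild.exe" { // a build tool has no business talking to the internet
			hits = append(hits, "msbuild_outbound_connection")
		}
	case "http":
		if iocUserAgents[e.UserAgent] {
			hits = append(hits, "quasar_user_agent")
		}
	}
	return hits
}

// SampleEvents is constructed telemetry reproducing the chain the report describes, followed by a
// benign look-alike (a genuine CCleaner autorun) that must not fire.
func SampleEvents() []Event {
	startup := `C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleener.exe`
	msbuild := `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe`
	return []Event{
		{Kind: "registry", Image: `C:\Users\IEUser\Downloads\Hamburgerci.exe`, TargetKey: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ccleener`, Data: startup},
		{Kind: "process", Image: msbuild, ParentImage: startup},
		{Kind: "network", Image: msbuild, DestIP: c2IP, DestPort: c2Port},
		{Kind: "http", Image: msbuild, UserAgent: "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"},
		{Kind: "registry", Image: `C:\Program Files\CCleaner\CCleaner64.exe`, TargetKey: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner`, Data: `"C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR`},
	}
}
```

Run Evaluate over each event of SampleEvents: the four events of the infection chain trip six rules between them, while the genuine CCleaner autorun trips none (its name matches a product exactly and its command lives under Program Files). The exact-match rules (C2 endpoint, User-Agent) are the ones to load into a SIEM directly; the behavioural ones (MSBuild.exe launched from the Startup folder, MSBuild.exe opening an outbound connection) survive a change of C2 address.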

Deobfuscation

The program keeps the strings used at runtime Base64-encoded after they are encrypted using the AES algorithm.

Figure 4: String Values Stored as Encrypted and Encoded

The plain-text equivalents of the expressions kept in cipher are listed below (encrypted and encoded value -> plain text):

t7Vojnwq18Vj47YvCrF3Fdb13T3khCp1DciR0eyCKDI1oIVLGqLI6PLQ2SIb4kpPuzGjWYYLUaQv0n5HHPCsMip7ZJ9CVoY5LLhTEo5QDRI= -> QSR_MUTEX_o3tx54dW3kzxA7agCL
daWXHTm6VLCYgc+XWlu70AOu0dWmVxO1YU3zJQOq+zSpFqLIfpu+SG0aTqngsLmmqIKe3YO1sx60AAVSRJ7cbQ== -> Client.exe
f+Oa3NiCiD7PzxkUtJ0fU8/SNJ+JRIkyFKrK96T9CdvFwu7hqIXN5B65BlnkGEcd/YdPMI30QinZz9EB7d302Q== -> SubDir
2PuFCq1a1pASycJnicmA -> Key for generating the input parameter to be passed to the AES algorithm
aKUuts5mZtHkPIWSoQMOWpSYyNXWUIuJOn+RopxqXr/hIgQbM1ALW7TkIfxAXlLG/2HskbY/DI965PVycMs0rw== -> Logs
CJn1yjK3Ex+0NrjUNNZOe/+dvMDsfq1//hplsnfLzbJu0XE2oBBzLBMhp0Ue76fDCVUuqp8Qdlpbh4VdcGVBYX17Bt8AU26ddei4xhv7u/U= -> Quasar Client Startup

The QuasarRAT follows this procedure in the decryption process:
1. Using the 2PuFCq1a1pASycJnicmA key, the "key" value to be passed as input to the function where the AES algorithm is applied is generated.
2. The Base64-encoded string expressions are decoded.
3. It passes the decoded data to the AES algorithm, and after decryption, the actual (clear-text) expressions are obtained with the GetString function.
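The three-step procedure above, written out as a string decoder in Go. This is an added example, not code from the report or from the Quasar project. It assumes the stored-string format of the open-source Quasar client as published (PBKDF2-HMAC-SHA1 over the key string with a fixed 32-byte salt and 50,000 iterations, the first 16 derived bytes being the AES-128 key and the next 64 the HMAC-SHA256 key; each value is HMAC tag || IV || CBC ciphertext with PKCS#7 padding); the report does not name the Quasar version, so if this sample's Aes class differs, the tag check fails closed rather than producing garbage. The function names, the example key and the round-trip plaintext are the example's own; the two Base64 values it sizes up are the report's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
)

// Stored-string layout assumed from the open-source Quasar client (v1.3.x):
// HMAC-SHA256 tag (32) || IV (16) || AES-128-CBC ciphertext, PKCS#7 padded.
const macLen, ivLen, keyLen, authKeyLen, iterations = 32, 16, 16, 64, 50000

// Fixed PBKDF2 salt as published in the open-source client (assumption: unchanged in this build).
var quasarSalt, _ = hex.DecodeString("bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941")

// pbkdf2SHA1 reimplements .NET Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1) with the standard library only.
func pbkdf2SHA1(password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < outLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// DeriveKeys is step 1 of the report's procedure: the key string ("2PuFCq1a1pASycJnicmA" in this
// sample) yields one byte stream; the first 16 bytes are the AES key, the next 64 the HMAC key.
func DeriveKeys(password string) (key, authKey []byte) {
	kdf := pbkdf2SHA1([]byte(password), quasarSalt, iterations, keyLen+authKeyLen)
	return kdf[:keyLen], kdf[keyLen:]
}

// Split is step 2: Base64-decode a stored value into its tag and its IV||ciphertext body.
// It needs no key, so it doubles as a layout sanity check on any value pulled from a sample.
func Split(b64 string) (tag, body []byte, err error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, nil, err
	}
	if n := len(blob) - macLen - ivLen; n < aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, nil, errors.New("length does not fit the tag||IV||CBC layout")
	}
	return blob[:macLen], blob[macLen:], nil
}

// DecryptString is step 3: check the tag, AES-CBC decrypt the body, strip PKCS#7 padding.
func DecryptString(password, b64 string) (string, error) {
	tag, body, err := Split(b64)
	if err != nil {
		return "", err
	}
	key, authKey := DeriveKeys(password)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time; fails closed on a wrong key or another build
		return "", errors.New("MAC mismatch: wrong key, different Quasar build, or tampered value")
	}
	block, _ := aes.NewCipher(key) // cannot fail: DeriveKeys always returns a 16-byte key
	iv, ct := body[:ivLen], body[ivLen:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-pad]), nil
}

// EncryptString emits the same layout so the decoder can be exercised offline against known plaintext.
func EncryptString(password, plaintext string) (string, error) {
	key, authKey := DeriveKeys(password)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, ivLen+len(padded)) // IV || ciphertext
	if _, err := rand.Read(body[:ivLen]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, body[:ivLen]).CryptBlocks(body[ivLen:], padded)
	mac := hmac.New(sha256.New, authKey)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...)), nil
}
```

Split alone already says something about the table above: the mutex value decodes to 80 bytes (32-byte tag, 16-byte IV, two AES blocks for the 28-character QSR_MUTEX_ name), and the Client.exe value to 64 bytes (one block for ten characters), which is exactly the layout assumed here. Calling DecryptString("2PuFCq1a1pASycJnicmA", value) on those values then either returns the plain text listed in the table or reports a MAC mismatch, in which case the sample's Aes class (salt, iteration count or key split) should be read off the binary and the constants above adjusted.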
Capabilities

After completing the operations mentioned so far, QuasarRAT starts the module responsible for keylogging activities.

Figure 5: Piece of Code that Initializes the Keylogging Module

After the keylogging module is started, the earlier TCP connection is established, and the RAT waits for a command from the attacker. At this point, a dynamic observation cannot be made, as no functionality is recorded. However, when we examined the static features of the program, we observed that it has the capabilities to perform the following operations:
• First, it captures registered user log-in and cookie information in web browsers, e.g.:
  • Opera Software\Opera Stable\Login Data
  • Google\Chrome\User Data\Default\Cookies
  • Google\Chrome\User Data\Default\Login Data
• It captures user and server information stored in installed FTP clients, e.g.:
  • {0}\FileZilla\recentservers.xml
• Recording keyboard inputs (keylogging), taking screenshots, and taking images from the computer camera.
• As a result of the commands sent by the attacker, it downloads files from the remote server to the target system.

Hash (MD5 / SHA256) and Explanation
59ff1b4d1e6596c67ea9d07eb11160773a9bba6a302964cc9314de9187276024 : Hamburgerci.exe
4039db260879ff259aa9abbe0b2c14edfbcbf49b2c73c87e5dfde9179fc1affb : Quasar RAT / MSBuild.exe
Table 1: First stage payload

IoC (Indicators of Compromise)
IP:Port
3.66.30.119:3131

YARA - 1

rule MSBuild_Quasar {
    meta:
        hash1 = "4039db260879ff259aa9abbe0b2c14edfbcbf49b2c73c87e5dfde9179fc1affb"
    strings:
        $s1 = "t7Vojnwq18Vj47YvCrF3Fdb13T3khCp1DciR0eyCKDI1oIVLGqLI6PLQ2SIb4kpPuzGjWYYLUaQv0n5HHPCsMip7ZJ9CVoY5LLhTEo5QDRI=" fullword ascii
        $s2 = "daWXHTm6VLCYgc+XWlu70AOu0dWmVxO1YU3zJQOq+zSpFqLIfpu+SG0aTqngsLmmqIKe3YO1sx60AAVSRJ7cbQ==" ascii
        $s3 = "f+Oa3NiCiD7PzxkUtJ0fU8/SNJ+JRIkyFKrK96T9CdvFwu7hqIXN5B65BlnkGEcd/YdPMI30QinZz9EB7d302Q==" ascii
        $s4 = "2PuFCq1a1pASycJnicmA" fullword wide
        $s5 = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0" fullword ascii
        $s6 = "get_encryptedPassword" fullword ascii
        $s7 = "DoDownloadAndExecute" fullword ascii
        $s8 = "Google\\Chrome\\User Data\\Default\\Cookies" fullword ascii
        $s9 = "Client.exe" fullword wide
        $s10 = "aKUuts5mZtHkPIWSoQMOWpSYyNXWUIuJOn+RopxqXr/hIgQbM1ALW7TkIfxAXlLG/2HskbY/DI965PVycMs0rw==" fullword wide
        $s11 = "Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii
        $s12 = "Opera Software\\Opera Stable\\Login Data" fullword wide
        $s13 = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and
        4 of them
}

YARA - 2

rule Hamburgerci {
    meta:
        hash1 = "59ff1b4d1e6596c67ea9d07eb11160773a9bba6a302964cc9314de9187276024"
    strings:
        $path1 = "C:\\Users\\merce\\OneDrive\\Desktop\\HamburgerSiparisiOtomasyonu-main\\HamburgerSiparisiOtomasyonu-main\\Hamburgerci\\Hamburgerc" ascii
        $s1 = "Hamburgerci.exe" fullword wide
        $s2 = "get_ToplamTutar" fullword ascii
        $s3 = "get_EkstraAdi" fullword ascii
        $s4 = "get_EkstraMalzeme" fullword ascii
        $s5 = "get_SeciliMen" fullword ascii
        $s6 = "menuler" fullword ascii
        $s7 = "koleksiyon" fullword ascii
        $s8 = "ekstralar" fullword ascii
        $s9 = "Hamburgerci.Properties.Resources.resources" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and
        1 of ($path*) and all of them
}