{
	"id": "9e3049de-bf7e-4b1e-9a23-65127b0e126a",
	"created_at": "2026-04-06T00:13:21.445467Z",
	"updated_at": "2026-04-10T13:11:22.037828Z",
	"deleted_at": null,
	"sha1_hash": "1eb66c47705950d6e39d0d414512d35b4d31109b",
	"title": "How to Write Yara Rules For DotNet Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85187,
	"plain_text": "How to Write Yara Rules For DotNet Malware\r\nBy Matthew\r\nPublished: 2023-10-10 · Archived: 2026-04-05 17:12:53 UTC\r\ncd3779204da4b07285f94a5c1f8ce4f49de978486e349c67d1aa7d31f2b719ad\r\n5b0636f2d7c3887958d12e183ffd3001026c3a04b159281e075a54b53dc135bb\r\n1cd43d5dfb618f08770ee053211240cd27bab6464dec3d400ec9ddacc1ebc1cf\r\n8b006c056f273a33f0b804d84ef60ae6e0795914615e65f8b4991c0016931f79\r\n894ab1f18462db7243e651c53e05232c2d2a470371a54b2bbc1d84e4066573e8\r\n9088c8195f4522b26eaa3367b570ea8d9360e37f47ff8202a96640692a762647\r\n56e7d5c8f5b3d80944f51cf55252d7a6afb5654ee94e2f4d80bd65038cd2abb3\r\n2a79f8a2a2338ac3697953bf0a8238b6090ae26f713e4ef074004a5157ff41a7\r\nd44462b73fa636477e6fa6e18619988e06bc9670bf90f4233bd3789aa64c2b7a\r\n586ede03d1b7f07179094e675a5316611a5ee5487fbf13546a73fd16fe1be77f\r\nc5e3d9c9f9cb4835ca8f260cb9e2526b194ab2a3b63b4c3f7f216514a787c740\r\nc3f923ac7e179fde74a6c2c39c1a3ea3ce42d34b622ae320b876dbb62abaf312\r\nede6840a04a52e50fb2a7e0eb719009c456987fae9e7e851c9324a6d07370091\r\n2509f23152b0e7fca4560194eba2a01ed18ddafddeee447578940ab5b161a162\r\n9ed0ed8ead046bee3dbbd8608fd2620e5baf20454941b2cbc1cd343475f3ef46\r\n6dd82b0919aa67f58d81cc70240e4888eabc242cc1fe107996de49840054520a\r\nc2b263ce15a33c6ebde0a4fb63593b7387708cd4ac11920a7ae5c186a28b695e\r\n0a6b51c3a40b678dd60e631acb1ce4c39f2f494565ef999feab1f6442e90e9f8\r\n76c0c2b747e6f40b94b3c67c10f6ea16f531b98d12f481206b2d478a4f36dd37\r\nb084e2949f32145677915cd2c9c4d860700af2c97d58880a1e0f208fe13b6485\r\ndd08d330e62c7a33fe278390ddac15cdaf524d7bc3a4546b9e30551b2f8de3f0\r\n8c2fecd088f70243d350551ec49fcb069fbba93d5e8b7ccbb5901599a26838be\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 1 of 24\n\n6b4237adfe7509c60e6c0de6c551d41051020717988bb3b0f5cf5488590dccf6\r\na44b27ffd9185df3a9f37e7edc5913fdb5673777437d6e8ba1e7094f17487d83\r\na635faafb4165d8a86e531da0b881adef73815dfa1c251143d52b644c2913fb8\r\n022292d1ccaa3c1d9bb66439dde658fbf312ad7eb590a22a025752a36b0d41bc\r\na8ae55bb2fb4b93dc4fa8b6480c4609e55469651abc40db0e14495476697a2e6\r\n84fba5aa083c8898d3bd8b2f906c72a4996d84feff39cfdebb5724def638208e\r\nabdad1005802508d1ad920df0f9b79754fa5dc29a7d5161b1ae1e2edcedf0d93\r\ndbfe9f8b6183d20a83093955158331f155322fd14cc45ef257ca8c3d05103f06\r\nd95232762130694935e4dd42e11f587e794d49767bb80371f71c682075beccef\r\ne3b8427b8440f4f6476f5498d364d5d21143f73650e430280db9db96a34e84b1\r\ne2a0625fee49795d0567be3bc1d25d05d1af2c2704ed045880517bae713a21d9\r\nfa1834fecd716149e4fb9c7d053606b6322a493ed89ad7ccbae2d8d6f680b690\r\n366dc30b96e15514e98acaf8cfbd8a5d6f345df4ca8f7bfae8f4fc41a711dcc0\r\ndc854b81ccaf45f7f4a64a2c0e4aa6bea21bebb13ab228e38fcfd3b8362fa562\r\ncaeb1ad2a0d06aefe67a958dc9a12ca3349dca9437d322f29d5bcf4051f3e21b\r\n52b8f4ae7bce08685f0129883967e76b7faf611d96d42e60e1235dcf2046f6bc\r\nf3bd5485b0960e43c4512359ba0b850cda39cb4809367cbe11565dcd3d335f8a\r\n7aeffd93325303664d4bd88bc4dec96dc5489153efb66a41e1a70c66a97dfd19\r\nf215b5b1fbacec83fb12d22f6b116868b028a7831027232d9556fc4fc8c1ef82\r\nd44b47b1ca538638e873d872cf8cd79fc4581a1e3a81f7f6e98d3b2ee934737a\r\na10ba25ea81699ead20fdb0685088753a365aeb9c419bf0711db2fb53c8a09e9\r\ndb88bcb2d97254a5ed3834cf42b9f40add7c7b81f1e99b4075eee064251bd60a\r\n85c75f3041d67959acdbc92c7b4d6d0477e3a43ca97306ec66e7cdec9a5ca5e3\r\nd05eca4f9ce2b9e7423e90bf2a47c3395efdd27c565bd3fe8c655ec3d4f07437\r\neefb7e4338fba8c2d44bfd8398867ae7ecad096f00f8119c047475d2ee998070\r\n790f1b8f9b4c62691de7642339beaafb985ff549b4add6bf53d6e7999b783317\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 2 of 24\n\nbe412cc34e9aa22f8e64f6ea274a99b14c0fb829101b10e6bb9d2ab513543215\r\nc73345dd158cc4c67df65405337e0652febcf56d64780ac1ffceb84de9a7de6b\r\nfa69dfb7d6023e48930bf14c9164975b379e951711a6545c6bcd5e1428cdbf70\r\n9a4f6368fea6d7ecac1eaa7520cdea421c55b94e90609b1cd8973993bf26e9a6\r\nbfec69f1a714a177e5a6266da65ef2e5a2d4c1cfeeedba6abb2aac786ba1a5f0\r\n0bdb880215360d9291ca7ff19b9b9517b37976eaf6164be679026b06848c1929\r\n0206dea57bbbccb9b53fc67555e4bbf0058d8922d87768018bf6b1e4d773078b\r\n1685a861e1735b1e159414e3bdc7927bc995ba00671287ab4f74b4f3e219c495\r\nea5f5a172ef46c3bcd57d47730dbe8e83f2050c74b2eeaa2aa338158472501e1\r\n6775e304766825695406e6bf218296250f6f09d3b0c20a1f9f16a5859eb388f3\r\n857c54a67c02d43c6e3dd91547fa0a6aac238fedad5e33f8bfc660c37fab5c8a\r\n3e475b8b3c87402933ed0a627ed068f9dccef04a2989060fd510eb37568e9b1c\r\nba0780183240c3ec3652c6dc10026af12a8f625ba6e3da6dfc4aae1a17fbb187\r\neb490b5e03cff3fc9eb2c6cae34f4174a45c1adfb54954113f5a506f29b9bad5\r\n91cd1c4bd6e69d6ef2be18074ad29f15d1726a82b22aabfc250f16313211e5a6\r\nc2752014b6eb6a759c366391a2305a1c1842859b0e368d7de2bb227a22549fa7\r\n9aa84ba8588d8bfa69f786bfff8b99fedc5e4ba500ec200b9dd49b8c7744b82b\r\n6034d2712c9afbc0b62b4422f160d6fa8e551259cddf56ab05016b529bbed80d\r\nb2a734b6b875fcc89f01f270e299fa8dae94da73fa71cffad1fb8cb1eab28e1a\r\naca6dece9019ff94ca99e3b782b4e97ffe7a43b9534c80e6993688690703860b\r\nd50c01f89a0422f484ab25de9e539299539543a7e2cd2442bcc93a93f20413ff\r\nd6f7fd1420d878b80e67535c98ecf0fbcb3a7fad0e77b23ffa615ecd81dafed8\r\nc3df145f3984f86188cf3eec2082d64826a125852e9fefa442f5d12978395a2e\r\n8a451ab2bf435134f4bff5ae9647bd05c034dcc2fc9ec5829b9c08cdaeec5e6f\r\nfeb0944e15f32451d004f1170af66daf80052c771146c11a9451719fdcbeb707\r\n84bb16c9ae4ee9206f6cb008cc8cf9a1c148532012436efccbb2250fc986fc27\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 3 of 24\n\n982d314bc23ed4cb75a8ea2d550afccacaa99ada9a0d7d1caa18f1a6fe623790\r\n5631229b765df8d7b0cc224cdd62e2e6e259227de117310541056360f628a6a9\r\n2c5b7901de01356d75cf0ad135a65748c3dc6dd4ad47f780354f3cab72753d34\r\nc80bbfaedb5d72041c5bb78600906af5d8ad308c6563594b48936071923fe98b\r\nfd87738f9111ed5abf828fd47f5b899959366fcef8afcbbbc1c432476883fa9e\r\n14139f9a554ffc33d0fed9595072e5aa2f442196cf1f3fa24669ecf38d4e1624\r\n3d115392aee7c29625999a748ae68ebb99209b62b6bb8552c38f07869dcf2daa\r\n9ae9c8f66b4ca0696752023313989b76d84053c367ad87c5f7b9ad1a416f7d8b\r\n6e50d3cd3044ea6a17b9576cdde5a179003faf90cbf45ede3a0897f1cb5167ef\r\n3549020656815e45b84f246a138306e49e2c3ccf7c79b676e9a7a87a2a1f3e1e\r\n01e6f5ae083f24ade7b9a61488516162b4703f89dccfe3cc571462f21bb4fa0d\r\n40991160de62f53cee94813abf7ab9f89b5e9c7087ea408dc648ed2e920d1345\r\n1584a614fcea5c30b8e9616838aebd7cfb4363db87ce4e678bccd8bfa1a9698c\r\n3aabb644ecc633fce58b2414ff81853094846e66699ee7ca67d55638c4ea0b5c\r\n5ab73e70a6e92ea6aca3e52777ca02350a29014691f15be5e8b01ddf7f78b5c6\r\nd72b8a62d68743d4a6a66097073f7b9f0ef6aa31eb22755d5999dc3a25dfaff7\r\ne55aeecb05161e2640fb66ff6eff94bd1680d1767413760544b6a80349ea8a55\r\na47a7b51a34d0161e9bcaf59164ce31f6181084bbb68657c83bc88be6eccf267\r\n6a5293c56de62c8d74d6b3e26bb0dc250a2b044f820cae3c71f393fe8ffe5fe9\r\n8a47c58cda9df00cd5ca8dbdebf0300f00d7076fef24f2361beed0805ab70c41\r\n8ff98cdb472aaa849beddee3a3e746d981bb3e53c01ea513466403889f48c561\r\nfc86489c6582900f59fd49971b7c9d7c4e0c25d70a69d121ecdda922cc5aaa90\r\n49bcace39faf353558d48fbeaf128419b2c100c8fa5c6431ddc19aefc66a2bb2\r\n15a67f1f7b365e458e5119e378ef79e6bbda934dd539c833e6b06782455a1349\r\nc0b13a3e18675662ea87319858174a4174f6355ace9b348c7c394bec34ae5919\r\nc51026f338c44e1ac9792bcf91ef71f3fb86d75d7439a14cd4328b2d35f31a96\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 4 of 24\n\n56252ecf533df76f386ef31c62a3e8bfda994dbe482ceda7f415bc4018f33740\r\nfac9663132e8e1785dad98482ff36612b1b5b4fa6f5175fc7e1b7e486abf09d9\r\n097937af0829570b20b0663e202553687b733f14998dec58cc7a22e4f8586184\r\nea4714b5fe359d0238a75697e2a230c28951476df1e8d542191ff46df7a2d3c2\r\nd335815c4ca1a9523816380458d4df139ae7a09d0f7bf50832765e714143889b\r\n9e0164f38c952c309d533be6a42701fee18df32d64f3b6609c7849948b2fb366\r\nfc89811dfdfeb0454ab2627ae877b30601995cb89eedb6c40b2558e7e4cbca7c\r\ncdc4ee359a1fec94383233cecb0d83ee39f3e6c7f6d510a02947a5c99d2616de\r\na32154b2fa49d3cee69ed6648c427e5f638bd31f4c9194142f1e65b1102d7b13\r\n9c7474779a921d4925e922d76039c32bd309a1e189585d77e6195e8ab0e6c11b\r\ncb07f5446a23f8ab22040ffb4a131adff4aff0bdf6078350c56f08e943f227f1\r\n734c088a1842be7f3d6d9188be32ee5157a5da7d091f735c6360d89cf734b9e5\r\n7caeafdb0add7edf60fd5e5045dba2e96ef4d98a66dc981bed85f306a573749b\r\nfcf8f2be8e1da3b904d5efd0dfd771ff43175cd6d1bfb61f1ff2a85ed32db74c\r\nd09fa19eddfe804f5da0f935434284de2689c7777592f5d91c1dee458d070428\r\n010cbe645d9181b10c23f9dccb212ac0d40b78f3f71a4f2fc2d3a02d17ceb8ce\r\ncb6891486e790b2034a1761d1a069c719e6fafbbc7ca1a42a727ff9cd33971bd\r\n925602ab71886e0497f42bf86743c85b719f66dd34e37a4e9312dd3140976529\r\n74821f3c07848abbd2ce04a9a0e3336cd49ca92c4438160d37f3f675426b249e\r\n13295a63227c5a598e2cf2121a0834b45feaecf768441894961aa52a772dc913\r\nb75c1c3acbe27492cefd4302f1866b8bf928fd651c693fd3896c93bf5db98a83\r\nf00a7645ae2ad26bbbcec4ba6b541e43a48c825cecbbf057701be2d21675decf\r\n214ddcc566dc8eec2f2e8f2bb4acad3a419a0f1a7ebcff3abe03610da54e5ea7\r\n8c19afb8d19cb9a3f1282f4263bf59875dea4b757c72846a2b8c698f51f1a23c\r\nc7cc956d7e6573b9419d205503dcbc45fa8f28086bfb69af2fedcfd48553f440\r\nc04e9077074f738e87dc0a5b15db8ccb82ddedb72dca1476fae960cf004d32a5\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 5 of 24\n\n431f06fd7ff7c4bdb7248b25a230289593a1250c0ad847a24628565097995e24\r\n3d8e5b37ff380fd9b28a5c5a655ed8b3ec07c677fc1334d9de17ef9900e710e5\r\n51cacb225158e5828a35ab344c5ce17ae373b306296e28a15bd0e71767b09839\r\nccfaf87182ce6b7c78484e819641f51f77abc578f2e9c90e9adcb6417b99bd73\r\n92dc3e763eb5905fc96938ca963cf37ba8bea7cb5d216b3558231863405f4061\r\n5d16786886d1552970bb94732f8ff8359c15a64e4a4786a026ce1afc8a9cc524\r\n1d5f581edfc3020d1112937a48ef1d7c581c4d4f239da31ec9fc1560b8d6f9cd\r\n233db5d8b57c0f32438b5f23d6b3300c905e9cd46654d385ed10649487d5b330\r\na399b33ae5fbdeee9485ef03740d93758bf51aaf502d34d9c89d85a7f3b86dfb\r\n67f353b68928f22dddb5e4aa938f2374da18f60cbe567bbba7602ce4519b6dd8\r\n5cff2a0123868066c09002b176825ddfe61f6cb05da5723466f894b5d76f60f3\r\n0b5f5ba1e2a5335a5bd7f8956e473ad9a12acad301cab2f52ac470bdbe889b90\r\n02382f52e6ec20c837810aead041585c1f3f1b8e6a4fd741c376da56c156385c\r\nf3a1fc0f7d977c4de8ca0fe071eef56c9c93e1e127b9accabf2c71750c30112f\r\n0bc259edadaead9ec5f2ff8cce3279cd33d4cfab1c44d4f5a43c81bac57f19b2\r\na96aed32935afbcdb83aebe9c12530c45aac3a38e25ba9d83ba31f6f0aae0b88\r\n0caf8877a19501a67c6fd3fbf530a452cf5847c111f71e40124222562dfc46ce\r\n5ff9a33656bd46c33d2002b7e0e7caabec4694db5890c63ca13effeb53f40979\r\nf9662afe0b6565e12fd9699091f9704f8ffe2e02cf3a1ea09c2ea001f684b012\r\n7204474b156da5a5d03e7388fc665c5adb6ddc2161a0771d62f54bbf98ebd2fa\r\n6014f7f78826ce14439b4fc5f8f2163a7d85e2c36bc1f4fefb85b214b988fc16\r\n332a9448ae2b17e8adc65d9f89c22ea15b82ce5e980e0d941330a34cb3583421\r\ncb1543966afd57b1d8f7076fa9b96293b4cb0ccec5d55c1b5a5aab2a0f227766\r\nbbfec471aa51ffd0a4b758029e2f627127cc620fc782597fcee15022afb8fb8a\r\n6de1db2d58b43e486cf77baec2f37f574cb76eeb811731bad68670fdb8524082\r\n225ecee04e8b3991931ea6bd4310e16818278779e86a038e8485191d00e15ad5\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 6 of 24\n\n60e0a7000b4375315748e211e2138cad2f1fb8faf21087b4bf03a52e13d6c9fc\r\n8ae44dccc0f084e05130c9f9fd069d453b24426f4265d155b0c7a70daab5d083\r\n409c8cec79ff314e41367e3213dbe2cb2411c31877b59581c7707b3426dc018d\r\n0ccd46f9cd00eb6d352242c93bd9b9f512060f0ac7a71ede8d81d7c601ccd4eb\r\n96d636e276c345346570be12061b1f8b4dc8c5c1552f4d8123ac976e9551911b\r\n99e85b31e6fba137cec181857f74183cbe69e86a2674c50023d46d53a7081891\r\nddc5ac2a80d10845bd2669d5c914fdc6d552149fdad1fbc6abc9c47e8d492ddf\r\n8e6fc22728e4d6796944071e2c844401167a9240feb8dd5153a68e111f5cc787\r\n71465ea2b84645eabca2cf0d4a605f55ebe619ab7cb3d533c7f0f9fd6055ef8e\r\nae87f08fa2392ed0f2ca81f2378561d4636063f5ac6ae0c12ff85bf7cf958168\r\n57e0b56de0bd828a43dfd8b373e281e12caa803f20a8bb7496f7ec9877666543\r\nd19069859676a7707f7c3ec23bd2f4145904be67b741a8800667bbc0007a1e0e\r\n3bd0577bffde47cc5534c158e9e4ebc0fe352ff3cb49045ffb5071a740a68979\r\n5a8939bbdce399d97114c876e88f38fefd5de83c1d85c201a66e0fe17c52603d\r\ne1955d41d6c8bb6a1e084099b399374f6d368331da0b7c92acfb43a53139f007\r\n1c92b31f3a469052d1b1995d5d0acfd8a00e78c9925a9ef6deecaeb5d214979d\r\n4a91c6e7e9d76df51b4fdaff2759017dc57972929306404d1abf81c2f2ce4220\r\n2c6a71b4b1ca1d23c97dc41ad8eeabe307daa628461f4e4fb12d36f9ef48d112\r\ncf2a78d02bfc62d41af99b36eef1409e4044ce2a3a3c081a707aa8b9f49bd666\r\nc49722c38967f9c543f296aa008b3bd99709f1ab599e639a0ec295fffc198910\r\n346480e1b6bac109110bb41e169506db7ebcc39114a24dda7201fce3897c99d3\r\nb918459eefdb05e0764c172d889375ffb42c137113824d82a2f873fd7b1014c3\r\nbce56974d66d1fdd0ca847eb25072e5be9dc0a46fa1174340c94c880981838a9\r\n6b3578ddc7689e9f7451a9e50801f7ac48f6cb23d1b19cbecc37e1d6cfa54e0c\r\nb07666833b298d7abbab9edcef93952254fc70a7a54cbb97ef11e64de2461f73\r\na2ac8be6351c4bb4e23c4f58709ada82defcd8473f7d0c2dbf819ebb7ee5b082\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 7 of 24\n\n9b9481dc677ca579f0efff5101f12be40ec97dc8d67b0eb18eaf0fbed89d679d\r\n545b63c7c623de6b22c054b6987023cf457ef0fdb3300f7b804d7433769f3034\r\n1171c74aa57390fa714b81e1d52361b8e471f71ea8d5007822b5b589142510ed\r\ne7c5bf66ec7717f2f14eda181d11811095bf42c024c742d6194a2d7fa1f05259\r\na0b5136523514a01ab5dd22c6ac605c6dc618190912646efc363588edd4ddcfa\r\n7a91dec008e7f9e85582f316a49d160be39848ab894a495b425261c9bed64599\r\n4b0f1f45b50f9d90b8a3f4af1d533984292b16351faab4d505a5375c893207c5\r\nc805e219049a51d138dace3074dbf5bee4f4f97f4ef6b63f91388e98a2d6eb34\r\n3d738f39cdd2141bf5f41fc036862a67e98cbf3ce41b1c3caeae39e14e5146a0\r\ne59acf3d3c69d739f13f21daebda34a0e33f04c9f055489ebdf09c84ab48c4d6\r\naf59ae906778cf92feaae87e838082214224fd50252949c4d3100d496e952f51\r\n3d54da48efdacb5393a0f41a2ac94ba8ab2dcfc2c027a792a2448a765c104671\r\n5eb3afaadc5bdfcec4228bfc2e13330924961dce9480f5e1a570e8a73a65b291\r\n85d15616836780ccb7286b54faeffcbbab88253bfecfd477934d9b94a6e60748\r\n409e73afbde98fe78522e2aad938743ff84915b76936714f57022b228d594bcc\r\n539777e89ab2d920816efeaac70391d411d424409179a3713ac8cf84c2170a1b\r\n6a90cd84ed062b7c5a79b729ba6ce905c23fabe927fe5bbce8f9c6fdbcab17b6\r\n07e889ad34a429f3295011d92258f5d43a6e015eeb072695fc81535f82b460c1\r\nf980857202993c2ffa183af7399ff168d7629e9ffc783ec47019d37d4b808809\r\n50fa028368e760bc85d0216e2ad6f80446fe8698804d8d3cfadbf83481ba68e2\r\nc7bed37995e6e0c2d2632d71214b84af6f3458b08d2be9a1b9a6d845b29461fc\r\n920f9cc0337d2b15c1bd07b090267be8b23690d9ec74a837d299f9879b093ed2\r\n909e6a3a60bc50f1633f1252c42b41eb640828cd7c9bccc1eef7750bbff427a6\r\n310db201423dfc6274b83c013ea1970f9cfc98d69299f3f0894a8ab523bb4abb\r\n578b2ba2dff10c9c0489a5b6035f601453f86d0884e51852c938fb42635f2f81\r\n276ebd923344e188a61957638fd70fc0464b862429e62dd7bba561ebb7c324cc\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 8 of 24\n\nf61f5b33096018b887a2481fafd7e1e1ffcb9439d14886a86fcc8b7c0cbb84bf\r\n605d2cb225dc87033af384e9c71122d932766da2c06ab55fb000993ad0726201\r\n84dba96c71e6d9b5a098e15830bd8226b05d513fdb8fce9dd78bf49bf11e9b6f\r\na1a5b18a607b7c0a42934a416ee1a9da73bae048597bb93926e41fa9e32ae9ba\r\n89adc6d8ba1275e2de3434cd3c98382acb2a0dfe1b0f1eb5c802ac8a0bb6ba54\r\n110893945252604bf4e88f4736e17c770819cda5e5a09a1a1a1bafa4d67d232d\r\n72f45c482b050d91a8653afd26c4acdcdc093ba92cbe1715ffa017d60fe46b1b\r\nfa1f6950bcd1746e1ce9c178e80fd4883f4614044c9a6589a3a732c3cd1f9d51\r\na7940c5fa64d96190512b08801ea5a9b2e146cc4c778c2c60fd5070bc7a6467f\r\n949c42cfcd3a1960fb45df3cedf70d42704453daccdc5175ca5db891e2a3df70\r\n255e9e0a17feda0822bc14e70375984e2a575e28bf694320f2a4698b8c97ad72\r\nb57dad2837efab8c9774abedc67fe237993fafb9e1ab266dff0d074e1e8f5df3\r\nb817a846c29751d233ca7a1ef7882ce22f13e7a60e9bf364c7cf74a2a6b390db\r\nae2015094cb651c0c5cb1c733ce9ce51d162b807844bd49d0f28ae9ec5ca6344\r\n7ad192a13e3e001bdc2f88fcd9bcda481f25d99b0e5fb1392adab16c25f9e40e\r\nbb2c08c18d1ddcaeec3f6c85a9245d1be8b8b291c265a33cba5bfadf0f69582c\r\n9da8ad3765e7115f157bd86b762215936543f19275afcc755692f622e2610e28\r\ne64b24765de45ca19ae6af939e455210641561eb20b1c31ab47b98f05a89e8fb\r\nb569291b7365db6297e553e3ca084efd16133c8d6f6e92331310bd63ab895794\r\ncaf8e871b88a2f2506f5c3f301b31de2ce5572c2fe247bd109015e08777cb119\r\nfa9c73b1973cc52a4ac70e8dc043a9f1fea07e6c92c672964fe96d19cb153a7d\r\nde01e17676ce51e715c6fc116440c405ca4950392946a3aa3e19e28346239abb\r\n80987c1e1ab9a3e969ff4df39acaabd35295c73cb53983d0492c5f2fcac06ecc\r\n3004203a1d06267765c21859aa9d44fd4a6ebbb6d1dc4742e55e075fa067ca23\r\na03f78b80420e10e15a82d7ab616db14786d83ea403029bc245d0c7cc3c554a2\r\na9be395829b64176c4830a72e904e27f27d41bbb9708cc477fb33d79037b44fe\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 9 of 24\n\n26e099e5d19474fdb7b1e2b7a0136d59b27148add33cf50f6cf870426c4ce772\r\nd9262bbe5edd66e51bfc1f1c9a9a38e7d6ced8ac8204d7afd3d50e97ea048f3f\r\n9037d211a9733098179265f48349346d443695d30a61fa1ad490656d587b1212\r\n0cbf0d4823ac522a7bf6c27e149423ff729de339fc0189331f2480f50b87f3cd\r\nd803c2b2eae242a5ac10d3ac4ebc6dae25686d72dd594ba6f74a8640640bbf6d\r\n60ca09a773d121cdba60d418359c81d65a36b34af8f03f74ba484f8ed93e6821\r\n6b0717527047a417c69ca0320627425efdb90120367136b275a3c4fa4314fb43\r\n8d5a650ea0e2007046e94dddb2714071ca09030ed5124c0de2d486dec6b66155\r\n37208f1cf4311b1c2ab82b596ac2dfe36ec9cc46a344008d38ef688e6be5971a\r\na09611af25bf6a2c64f91ed275df8b05aa487dd67fb91dfc2dd25be273a037fe\r\nd89a8fa17d017b01443451e0d1daeca4a354aece668fea15d2e179a75e842933\r\nbede37a476ca9c81eb008431625f8e6948ae0ba279ee37f8dfd30bb5417bc163\r\nf28567ccedf08c956f47650212f06724b58ce6fec2ed558f6fd54cb08c1114e4\r\n2bfc7b3413d97c3168651b5c61e6738114249f9570f7702af467734eb0d138f9\r\nd24793207e0ac93b900b15568174e644bd4e696b3b4bebcb108802497e4bc654\r\nc7c12b8001aa3f087051119270f85d023c1a60204365b3cb9070b95291758ed4\r\n5f587a2baa19ebd3e30a74d1300e8ccc125c83f4d54b7ce43d03418443ce7ffb\r\nd1a663401c9e0c9ec3ef1f9fd86a2fa584bbcb2520327aa72413b48befea3441\r\n8d72c2cb85ac1d506403594695a95c6920722b637d02e351f742ddd73dfa2e41\r\nc2db4ec235d7bcc4c7bea322ab3467812a6f0c0d3e59e81d4ac5a4f42d325413\r\n69edfb84497578c27092e71c7591c47cafab35591c490c88fbded9af5a8f9c3e\r\n4ed2a2c86b4d78a6a5a735889400157c60c76ed087c156f76faeebb06331e4f8\r\naf191d55c272a87f32af63ce3f303e37e9e4f5a8fa3c9b0aa768e04b32c86e45\r\n86cf0dc105b3936d23f4f35d879493dbb39a9c52c017b2dbe8bd7ceda44bdd82\r\n18e333aedd9cc2443504b58336c7a48ffcc58ae96b119fe9df5debc377489a69\r\n895ceefdf08fa67185f5ceb8ae9beb7ea34a9e18eb5d1d83138387a5b967dd88\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 10 of 24\n\n0ef4363b91fe0bc3768efbec01936bd76fa22f6fe9c9f09b632ca9ace39c4664\r\nb1fba5af005cb7c1c2769310a534eb00fe8eb6536fae4a02ab309012320bf94d\r\n413211a147d158f4bc02db022e6206ca97cfcf97d5834030be956a6cd7807462\r\n8bb30172570a834786fe19027cfe27fbc14421f9e335756c5aaf43b15e735c80\r\nbe6fd5540ca4e0da050f50ec584b77441e24075743d338a80fbe7b14ce11d3b9\r\n4f907d1d00ee129d28ea511c5b12fa1d926db035a93bb56da54c97da446a7ad1\r\n8c085560c0f7d6585ccb1b5bb21e809038c1e94081f7a282855da3b80b6d3bc6\r\naa3326e7f079ea9910a5ed11641741e4de945852b3704c04d4968f3f591342a9\r\nfe80006844faa8f8abf80fccf21465e0e2e43ec3658f043610aea27516dd5fc8\r\n124ba397a87aafdbbc11ad59c3c9469b358dcb3c30852e7c55d8ce0f4da00d5f\r\n8d751ebba75b14f55ff50e3a04a4cd7f68d42f4099404d3ef135434baf07b889\r\n3229ec4a15298c88494e61e42f697e4057ee1a03d5a956f2f158f6ae7189002f\r\n0886beb4a2cf6c9ca558ce3022a2345772fec71b59f4b7952e97d96f5774e28e\r\n158007ca0402e5798f282cc165d16972b2b17c8fcc1bfcd8c83730ff95b0514b\r\nea80c34ab0c4023411bf8867c673b021a0f2a1100c3f9f1ba2f7feb7d96a2fa9\r\nfdd6a48c9f5d40b295099916072b3f4323b88e5d6743bac55b7ccc3c288ab138\r\n12cd280cd3ec946e791591ef52f5540d2f9cd5fc1e53b9b796fca346521862e6\r\n1572cb7809605fffd2b5f231c0bf113665bdeb6d26d21566a833f275c99f10b8\r\n3d63ba953d2bc769d3c4eec503898b568421a7399182b8bb88e2e3318f22d860\r\nd315f064a4ec5fad0e4fb060749060bbc83f08555cfa791adff31be8104781c0\r\ndcedf503d33df63b76ce0f1e073cd662a9e603578e2135e3ad485d5b1b3d3b80\r\n6af44534876f15e4e91489d114d3da3016b5254cf55e13b5cb879d69aa779363\r\n8a169dd4a1081b0d31d721685393681a72e7e2f371e4489106e2e2620abd5667\r\nb4e6d12366a4cb74003c75c6b62f6077b6e989b45ca8dd340bea4bdb20782c8c\r\nfd213abc3409af32d0bd34b9771483341486557d9770a21e0c9e95893f336e1e\r\nac261770ed61e6f38077475016b53535cc508268d9f4cde7ffd0aa0f6756ace4\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 11 of 24\n\nb9e6a4bf58116c292333fa7352b841363afc76a5ac42f56a13b4404e6a05a2c9\r\n2c29d4cd67cb879daca1783e882edbc89a1861dad1f5d37db64c2c3ae90ccf2b\r\n350960960a32ccd9b26220b71957a7591a1fa680179272ba34316acbc62657cb\r\n59677e35633e7f0ee48f33f562bce4ba82747db77ee353b445371c6ca0ceda82\r\nf138185750e5578dbbf7fdab1fc25a17e75f0a5495c7c2eee8f20eb0a0aee83e\r\n7bfc2013a4348707c9a9341a188ab4470e263ea13d9ead4d581a5b01c7da95bf\r\n94e9bede2ad4d59ff789b75d1f93aa993b7bf211c1a2df91c1e634fa121c18bb\r\n7d7ffc4deb8f6d1ed13c7e057702bd2d1bd5840e548d015b31477b1afbec6c75\r\n6c08a7d2a718f0ec284e0faac64b71609a0f278f2de75da84179e98b6dd81717\r\na9f8df1fa60307e31e0ab3af3294293877ac53d9b5f18519ea2bd53aa3540e1a\r\n19a71531ea0323f89ebe422b0639d46980bc9d7a80516bfb651a4ae948d8bced\r\nd073eddbfd105ef491f8ed62d340032ec11ab9928e27a3f166ae4cbdd829b36f\r\nfe95671cfd2d940e40a0bf1ef6a5464f79553f5bf48ce15296509c7d6de185c6\r\n3f62fcd731288b6905dff10c6325d794c4d1f6efad8085a5b07d19e6d3fc7d1d\r\n2a20f13f1f6f1f9c34b1d50db884dbba58c27429727d86705f6ac617a2f35ba2\r\n66614cddb018f17d959b8aa84dc606d5a5a0fc61b0f3666f152db360cd25d3ac\r\n0cc3a0f8b48ef8d8562b9cdf9c7cfe7f63faf43a5ac6dc6973dc8bf13b6c88cf\r\nebbb7c2362a0e6419c15a9308e0926aa05273dee3eaca8048fbb695770bde00c\r\n22889600bd08b0b5bb99606a746173d672a1bfbc445774059e14606720c135be\r\n68af7a9fd9018c6f53056b3efd207735b6aec5f4aec35d57c81557f810c96412\r\n65ef82a20155f3211131c9b63c787e4ba5d4b22292a92b8684bac2826ab3fbaf\r\ncc6d59e8667f343e25da262e6b25c3797c891c6b56ef797f9f05b44bc9a58e40\r\n5b4f932fb4ff3ea716806ade6b9a664cb856e3a9b055b613a60504d4e01e8e19\r\n58fa775e3ffae9fda681b2c2c1c2c48bec7992a3ab3de67b62f7a59fcdeed62c\r\n127166d6299847c6bc03141eab0c91cc33a7825b1b3385a54efa24f546bc3527\r\n035c46550d01673b6c56f71a4b92f5e846f1b1a2d784e0b1e3bd569136368792\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 12 of 24\n\nc2e9c1b71769fe72c45a6985ed44994aab1b5032d085f75a3ec93abbc4d3922c\r\nc930b7b389953de4a75e889278f368fccea44f435c499a154aa692eb7847978c\r\nef9590c8b0eb4e6a87caa491ffe5de99504c295a5df217153c3fc3e9d1db046d\r\ncd66ed333cfc899e97c6f3c805ef2a1875e91abf29f3144d629e5056bcb0624f\r\n8afeaf976bd26c17b8045ced0b8a0b39198e9f054a3857a999b8b5b11035698b\r\ncf6fa8cf292f5e5c907502fe824f53e9a5cb935d522b26c87b9ef21a3aa0c02f\r\na665e545cc4500e701786eb2f9379bbc711d6228deb7bd73701ff3c8a0f16a9c\r\nba5a2accbf4fb714291ced8591c8927c3d124715b11a74929a223486a69012a0\r\ncd30e7bdaac744d54166f266000569a86da82067e725f52cd4b32252347231b5\r\nd8883d2bebe36e3734352579cf9259ffc18e57e18a6cbeca6e3f16897f577dac\r\n84dfaeaf05f38e93b8e3caf9f7bdf7f009c5e6b52643af42e665173f80d722e9\r\nf4965a66382b8e08dd570856537ba311278e6a677b62cc208b5ce6c868f33ab6\r\n7f2056739d2bc4025ceaffb6c11bef4f826e004c8e4d1a88b0e862659f2573bd\r\n1e68b12335cbe6510fec7329c168486aa59c4afdbf86c0986971593b9c445c42\r\n43ef37f58fa0b87cd479cbaf8cae24a2686ab8c65ccdcdd2c544364918226142\r\ne219c7692363d60c72f0ff86fce93ce17a4de8b4487299aa247ff672a23b51bb\r\n574e344842491593493e45957d0824fb3b1b098d43851c5a0e2a68199c4a28ea\r\n73322e078cff40fc307d85c44373f12fd3eb2bb79921b56398250a2540ab2041\r\n3f677cbdad42987fd876d343c43facefa8899927bc87e865308cb9e5b12c31a5\r\n78dd77aeb8eddd08ebcffe6fe5aee8adeca93cf302c60f9b5be94e63532fd1dd\r\nbf19d5753ca574c1c28ba54ab9697f1b32e9aadcf02433a923886802f8e03b58\r\n78d081cd2bcbef77d8aa2f346eaa372e008ba08805ff5a97a78aa720a9b6711a\r\n3823aab67bb0c2a0654844f337a63404ef2aa8cb25b113e9279060f54582a2cf\r\neb801ec1842284fe27fa857764657c9f5b8915f17ae1b215e7ddd935df99b37f\r\n91e2ce4efc7bc21c5949aa3588f794843618c034ef01dac57e6c0dbda616b9be\r\n9a5d781e1a55fbacdbbd59abeb9c4ab9953e4080d38b03f7d834a932fd195f68\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 13 of 24\n\n1189442df4aab025619e67016b3fef7c8ac5561ceb4b1d1a6aa41dc45e081350\r\na46ab997eb9fe71fb92103eae13b4a839409c8e92fe62c05cff6defeb9d7e63d\r\n8913cec6cbe3ab2117579092571ebedfbdd0920fdf8f738517ce1b2304b2eda0\r\n102ead4a67e581826e24344ee11eda36684a416e0859ecab61d7271d410fc3e5\r\nb542501efc37d5e924f1b3bdfa01fb22b2b0c30b3e456bc4251936eda9c04751\r\n6312e6c96112663887d6c645ec3ac28eed20793bf652b1b047b25f120f038839\r\n374f9cda82394d67079e07b9820340a8b0b56d8d03aee0d14483112c79abf054\r\ncf2ee7eb8b7752ee67c4ae3841da04e42dcb3f5fe7070ccfdeab964828ee6f4e\r\n673813aeb8e8eef053a66a17feedd5f0c1a2a0b4a40b0cd5bc7b131f6d26c92d\r\n89ef7867492a4fc60f721c0049f390dac6571b56587304bc9e114c7da5c76776\r\n359b8a5479719b13f0d91d7ce6b7000bcbd399cd38a966313298b65b0f200e48\r\n6953311741e525d87e1adc4c059beebd651a9f68b372921b2461f18fb6c58d36\r\nd6aaa66ca79bc49452a184140f4f08c324f84f38a3087dac3e44b67d426c15a9\r\n4ed8fed31a4d279baa475a137b4706270ad33e185514cd50bfe91da8bc2c85c0\r\n587ad4c3addbeadd320f2264dd77cfb1ff7c26b303920c4f1952961c61dead65\r\n1d387437a809ad69c618a90330eefc6b1cf42f2c4f9ff325f625387faf65f1d4\r\n273a0d734d13943e142efb8ec2e2fccbc388d184e04c21f9fe09c2303e8af841\r\n96204087db53a1d8ecc186b10346f55b89560b4a4ebef9db98b845bfbb70ed3c\r\n063fdf0a15ceaaf0acb843c34067b167e88d86bc27e88671a007c5fd22308358\r\n65536b9cb6a887f0a1a56183a2457c0325f9757a5b3fa0406365e6b756bde482\r\nfc81d9ecd330dfa4a0c3b673070a836dd95702352b3d7b9036972a8e11438b0e\r\n22c1861ee7b03f18b0450b26e950cfe71599ec7842f768577da8f92e79d68581\r\nd561ee4d6657d9e465885281abb1589efd2828d47f5033ec10b04a85446f9930\r\n15723a4b0e16cc0b8010e35ea3d4bf48c2c291cc247821f701ed6112b2aa00ef\r\n22eed594d424dcb890e53916fef86e80d36833100c8dc605af894c52e156fc56\r\nbc3a7ba547b8a0f5cc6be6748eb9fa06ae2d09ca4b3c158add5e4868197c72ff\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 14 of 24\n\n8d07a2a48e4c8c3adc8ce2e5b6c5427c6b9a4c847431e208fb52aab51cde499c\r\n2478d00c1845fb381f4a95ec1b5e7a6fc06fa561c33b4d5425f4ae6651038f46\r\naef2f52ba5434a78a7f3a8d0ac2dce45f17af8d9c4b8574d83a46b254e3e501d\r\nae89ce969fa27fb2387b64f721c46b4349ae6671e4ebe0ced9d6a6b369dac25f\r\n70b9af50319b0ea9009f6cbe5d83bbeda677ae91427061b4a75ce0586c217cd9\r\nad00794fad5f05d585a1b2428e6ecedc0ac13dce01019f61e186fdf870086321\r\n9827bd562f66f35b15526b9e51956d9602ed5146a54afd70a666eee4b8b9bbc8\r\n5fb4aaf0d1c542fa8d71f3ec630f5fd64532ad985d1db0d573ef8ac7398a98d5\r\n0bc0bc3e5b57c08340f3cedd0ed25c8c25762bab8ccd65c7b5b7f791c504e798\r\n87df98ce409ea7e26bb37979820ee2bfa53a3e1b9a06e4aae849e5d7235d5026\r\nedaa8b9f5332aa694546923586bedf59072a0c4393197816cdd2e560cf442030\r\n198ff25ae64e79d730be54473556ee0e6e5abb897708512838c3e609e0685fac\r\nbc78ec3c51c7196cd446f68e84606d5c3825162e1cad027b0f23603ccb2fc51c\r\n66ac5e37b797f06aaa4b9988fc253728f78e2616d39c947d5503270940008661\r\n1148db3aaf5a05a4417caabaef319be91bae987c86dfec8fe4ae915d754feee0\r\n6917f594412e3365a45c89d03c7d24ee7655dcc72fa2ca5d7d363356fc463d15\r\nf39f8938e5b5f0f8c56195aede06926108df6f3b9f68a43e9018b6e49c5db9eb\r\nda922487bb4c37a65402da371e3c24a42ba05e5b0168f1bfe8bbf483fdd5484e\r\n3dbc43f22c9ddddc690fbced32eb230efa42cec00bbd6a76ad00f11c84e73170\r\n638155d89afb819284dc3113295f1c89b09f515d7a2fbb4aef4a826d952aca5a\r\n4f62bf0f5879470263297acf7b297d9b68c12c6422f7913e4822b08de609dadd\r\na99138a6fc4f44c76bb021d2db24bab1bf4f3668c125d8b62e4dabd32a1c1252\r\n10eaefe9ee391efd3b36fd4b611dc55e8a01aa0eeade1c6fcd1dccfef2a8f16e\r\nfaf62974fb6164d592f0df8df5142e648ba557c260bb9f7dff95c1f6fdb3e62d\r\n6c84b962d87c079e47b2d713abbd83d4d84141de5c63a56ed76e3d87ddb2ac08\r\n4b79018c5282e446ba71fce1a1380b91c28c8171af70e6927b881f5fbc78b2e4\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 15 of 24\n\n9997d0fa518a0629fd279a263f4eb2a48157514f3e5b6b099b5b781296190ba8\r\n1095c72395f44c4ffb52166b735a43a73b850c207c18911b186b2597cfdff1d9\r\n1a5fb8d42dcc121007c4c61d6c04135f5c9037804b91693fbe6fa209c38dbab2\r\nc06bdd6716fd331021d8998b44d9564f6762a548cd75454ccd47b3fcd77c25b1\r\na79cf98cf569ef3dca2cda29fe4d3d795323ff04830be25597a7ff0459b616d5\r\n1d7853c8f73f71d2cebb2b7051db9cbe960fb1d8a7a11b25ed07bcac0691c2f9\r\n622d3fae11fb72c1723959e13d72fca40310ebba71814ff2006f022495e43642\r\nd5970f8a7a1af31a9b232838e478f3d6a992399e14d7ab49cacbbc61bd263f68\r\n1eca8af68ae800d466cc84c35617833c19927ba7798f50e3ec1eb14702b70d94\r\nc7476e3171be452564ce80f4ad32960cbd9d0dce355fe64a57e5e2a5b8eee553\r\n4f24169422c09baf830ed1d6798292ec8642327d288ddb9c1958a460db54d14b\r\n44111d6aefbbaa8fbd03ca977256190fc2fc6494cdc88143eedf5fd5a5d35d5a\r\na4e2e0a936c0b39b314798ef0f29ebd28abb5a9f96573ebed9085124dbac23da\r\n12e51da472ef56ceddaf7003c426471809f708b3ef4e8723c7d917a0b2b5d751\r\nc68933a150a3930ab10c71e7b7d8f6fceb700e71e40b0db02cae1645a31bb81d\r\n35e4cbb575b206562f8137f90909607313c62d93ad132eb15e0aa5d132d4c232\r\na7917fcda306ff6e8ff7184b426d375e07d87b80d67deb9b78098a09870c7a1d\r\n665e86bca353d50ddab9131f4363f0db9296a2bf63aebcccc527d93a78b0ac2d\r\n81fc7e8eb634f4915e257ce22410e812aa876111a275534dbf7e0f390ea3785b\r\ndb8b3cce27a2c25f0e2a7c60b52fafe0543a6bd7d0efeb2c4b9dedb2950e3b9a\r\ne5cc3a637bfc6c43eb98c9470156cb59a33d3bc4a00f7f41c6fd7a9090d4259c\r\n273bebdb90b68699e0503dd2bd4e798dc796ae237a3b712d28b6a15bf159113c\r\n52d5b1b05b1467dc5e4ccd5484d7e90b18c10b5b1c3c0cc80f91a4f6f468ebe5\r\na4e251c7a6916979e4f1a7ebbb05b229ddaa172854e7e2814d67fe212ff4d74e\r\n18930277715eaa1fc26ba214e71ba5c45b9da8451bb56487843e3c6b186be2cf\r\n1e88cf5f731cb5709338c474340dd1e49158cca9dfe86239c83bc64f1cee1377\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 16 of 24\n\n7c65f253762292b557bec797c24b326581a933216ab2fcd640792fa588b14190\r\n07dd866081de21f9de0381b07472e1e2a9111fa537e5a3e4b4ec8b41bdeff509\r\nb292148c8a2af8d19986a005f369b2486520e8dcccb563d9f773431c86730d76\r\n50cfd43c89ef41b0110db43fc58bcc3896ca5eee6eaf1147598b8943a8d10dd8\r\n7902d3f8af71dfaafec2f022a930b11917d999be97fc5cbea666d2304a9c573c\r\n4be97e27e3b869ea728c0975a0cc353d0d4d09c4d535af98b6a4e15fb0b6363c\r\nc709f1fb9360839c290aa29410fdcc18533b2ca3c7af78b7e400315bbb339022\r\nd62d827e52c7ecfb79a6b4676b8ee86a97372941dba54ecbadd54156de352dc5\r\n4c33beec45cdcb37f23a240d2799662be2bdf3894c126c4fb9ac98a2acb253ec\r\n071046a3e8f34c355f0c0d0f636b53433fdb324a6e460a6dd459df7b101a9c2a\r\n7baafadb775ebb4d97e4021a733200f784abc1fc6567a2a755f8e5d65c77e29a\r\nabb67fe6cdc14872138e8a32409f85755a7e4ac9b52d67137efc3c2fb8e932b6\r\n08429d07efc7e389fee4716bde1103463cea592918d4ef49cc61a54e4657d36f\r\nd3beda27b66f9f5901e2b3251f1007cd55eb4570af3e9f0446acac8fe07c7159\r\nc77a64f262d38eed930d8a4e414b9dd9249ceb276275a9f8c21a07f3beb4be9b\r\ne8cfdd9e321becc697464febcde9727beae99cf967517467859bae5ee2d761ee\r\n432d74b0828e930173c8d853518c1ea39a91a7d9e805fb436c29fbb9a06afd2c\r\nb7468fdda8a4e5985f625fe8328c227b059e1263eece4bd61e1e3ce7122083d4\r\na708a261d5e203c7c0c789cf33f251c03eb3879f24e5ee3ac8f4f7c0991a895f\r\ne4c7302e9fac79e8b33cf89ecb038139011d159148592024c2b696598efa86b4\r\nd5eb6447ce72f44bd58e8e72aee1369ec2c5634ba04c0ae97493b4073127a395\r\n13a6113875ce9745029aaf46433a25ddcb5e7aba9912be66b09e84fedb688f22\r\nf4a74294fb587bdf5cf32d2d58aec90458e13c3cdfa2bbdd2ac14722e1c5e4c2\r\n72ed9a6d3da7acd289de898ea0657b9265767a8659c29de1a864b95aa501c232\r\nf9386045906acfbb2faabfe06fe4e0475ab7f2dcdfebd58a2e40b531e064fb23\r\naed04c910be5854a9b3fb3feae66a28d18898bc95b36a86640636a319c53f280\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 17 of 24\n\n2d1f46eb0a885e40c434425e5ec5d741d17f66abc3e63b646b7da53c4734d881\r\nddf80c905896909531e54e2ad3a748e4b01f7baee199b79a182e36fd78d16d74\r\n9b9271f77d3dd2d41dbb300d64f7896f1c16cac30ef3b0d89c2f71f9d42e648d\r\n0464b64028a7af3bdb024a9e404892d0faeb3dbecad17a4b998d062072364f36\r\na6d6741666bdc0f5901c7023e50b2a2d45f692231cf179058126c83aac7db207\r\nf053bb023056264d68ce0fac5407ce980b90625aac9a164e770a26d7c533e108\r\n2296d34687d0684d6e726b6f5c1aee87993cc303a9f10d39866703461e48b347\r\n8c6c1fa83245db5d0f9dcf51e55cef022e2c8083447f16dd9eedef72a29eea98\r\n3c7676a6ac978a303b47a478084feb497adb29ec2693cec3f2e4135e1fe4a974\r\n45972319213555f2f32b95a6350e056ae4c3067026e0f872cb145c607f632987\r\n1d3c0c4bf43c6f12ac606378af3151e9ccf5ba325fb9a40aada9491716153007\r\n550935dbdd4fb1472bcb126400b9305d0904c79051ab450187ff48e044c47269\r\nd92b279e2c085e66a87f7782e14970de5e2c74afabb0efe4fcb6082c6c488830\r\n1f3f1f885e8d2572e3c3804b703751d71a7017b0528d90ccc3a890f905545fc9\r\n700b402a1229a1a7ccb845db7effd2c3dba828027651fe4a83c2f32349f3ae5d\r\n97c6e918c3df984783e24ffc2819839dc1a90df1582207741785b569bfb69294\r\n210fac78b1b922203250e7daf7954c9cf3925e1d671843fb10f70d1270ce45c1\r\n8274c619dc8e529f1f25f4edea6fb3851f838a700a6a907e0c757c69b4487128\r\n6282ee51fed1424b960ee49c62c49d9d9cc1e3542ee17e8ee4aad3234e786ef3\r\n485b659fd86857cd822e59dd105c80a2c8d7584b09c56445da2cbbd2d2154c58\r\n18ef4eb061c3fd5083e3f35b0b8b5ac595219494922fcd12d3752e4a24c929d6\r\n41951a8b6b90ddf7be69bb9c033facebf7d8cbf3fde2336d9a5f1a867dd9eee0\r\n226468acd12213b63dd8fd0f566698f824884a7c919d544632197392f7a686ba\r\n462628fd86b0db2331b12e79c6171000bb4ff4b121fb59b51f514d99c1c82550\r\n44bd1ca0cdd829faa31ab278e7524caec07ce96f7edd12d720390118b3ea5570\r\nc378c9853591e091014eae114db7830c960759be5aab305f556b722d71cda41f\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 18 of 24\n\ncdc30ddbfc12727cf121b59e058d06b916e59010229ea7e9fc3f9e604e291018\r\n584f79e14f43c65ae789887829e565be4a2353c98c17b1589477de973d8e0b1b\r\n0fd20127d901c884702367bb04f43280d66fb10e13c630dc33d63859a68bbb9b\r\nfe98286cf3ecdb07fc0d14addd5290484e279932bb380459dc9af0f75dd6adab\r\n0701b4203c62c1cb80c3bc16135ba29aad68d16b18f153ba4c5f3fd4e3721e30\r\n536f9f3cc93bf32be8501fbccdaf2747154e5f225e28798795d3a58b01aad727\r\n4be4f0754c0f17f6526dec3cfb1575e23c22c82cf476534c7a6e74629541fc7f\r\n615051cd3070bea7abf78364e9267e1717aa477f7e3970b37d0195bf46c8377c\r\n4c6506449a6b0745a53142403fb89a6847a38605429acba4c2ff1d650581ef1a\r\n7943e203a5b491aa668e52fbaaf28a0fbbbd66050be793aa693de76ec75f2098\r\n69ec521a4ec400367b6c7eda23f59d642ee4dd5f2f315599891eff067ffb9646\r\n20f081c2959fff2f00ee79d044b69056aa32e4a8b6e6413edbdcad298e991fd0\r\n4102ebd6c734219f1cbc024a51a0e298f5831433872360b23d3ea31e23a1a119\r\n764c0bc7476a42d2b4519f21a1ab98a60cb7744ee15e3c78e556a4921747c4e7\r\n6c71e2b4685fead08b71f970e8320af133fa403887d2579b2aa2c29c9347c6b1\r\nce321aa2f3deb4616acfe968e8a092816bc43a7018ac67726be5eefbc717e1fa\r\n013dfc0791c5a42f812b81afbfb5a133610d44acab492b127fe16c94414cea10\r\n5671ec9ba4617880bef3212980e798c07ace68b40f19f5ecb1c350e06aabc9ea\r\nb2e8aff6ea23837daa71c9ec70b1f046f57033bbc8c3dd9c0efc8950bc711d36\r\na70a9d8ccf4941cd991a1b3d53d0bc45e21eda19270a031ef3cb58f350543e27\r\n019fb224a1d7c9a989a1fe4deca85a36bdd75103467e9146937808015ea51ea1\r\n46951e1fb34e9a26496f3ebda46115c984f17bf20aa41a7149e1142cf5940c4a\r\ncb3822da876ebe6b41b1d9d323bf997e72ade76b762fa2ea545f49f690621b89\r\n92d74148a3eb3c9c731c0653646e9aa6a7749a31b07e7dd928b039adada269b8\r\nc32f362b565d9d823514dc4b512f78a345ae3debed65f6f0a2a8665ba929724f\r\nc6a1f009a525b700837fbe6e0b46739a3c091afce39a28c6f4874b1f9156efa7\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 19 of 24\n\n437a2f59dbd6e2a5bd310bff74c5bcae3e0ba07f2f55daf6d7615a4f9a37fb51\r\n82e4f2ecc124c3fb3e9ff6d316d9b5de7bc20074c525b0e65bbffb6e6fdc8c45\r\n04beceba763f24f0f4e6bdff12b14332b9589700e897354769350f8c8d9e3045\r\nb282f15f0f0229c752f13d5bdb4204fc1e122c92569aa4c18ef82956742ea002\r\nc116de17bb97d46e8596687a6f6812f5d2d9ad600c48574960920759347dd8dd\r\na70b4a1496399ff4e8093310d5e72c939ce25faee624ebf4f99c4b0d0f0b273e\r\n08d80cc23fc3670ea4764156a75961e81320c0c51a291a336d819b732f414cac\r\n361a99afc38ea7aaf04ebb231c4555e4ffe11d77db3711aca6f3f5b747d7ead7\r\n7f4331f37476f0f700b7f64e2c23fd61fb5cdaf1f24170cbf924e40ffe23186b\r\n589e25ff06fd0916c99c6ed17dca2c1d191b313448c1d04c62b8b951bec229ba\r\nfbce72438627da5767059d2f925ac2a318283149c77cd507a7b82ddb614fc6fe\r\n64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab\r\n49c357cd4f7c7f6e5b2d3e19b92535c914f2e2ef5404d07f9f0bc44ee00cf48a\r\n1c5a7b286a452bfe4ca2ccf6f548260de52705608c93c7fe49092ed8c21d50d7\r\n95af390c2ac66a71ef8a8b8cfc197a4139e6a51180cce245aa8ea975192dc7a6\r\n0e5c367f5a20d2ece4fc8ea0fc95a13c851ceaede4907d83de34f8652bade9d9\r\n887372e109c14a6eeb36079c2e75de51709daa3866e8e7d12afff06d96df07a2\r\nc9d644ee27b8a2f7dd30779a427d532cca2b9d1d391d0757dbf4e4a33edb50f2\r\n1260a52314397b47c6ea095f8c5d67a592c566487c988cd01e2e3cec0c1df051\r\n696b218587b880dd46b4227bf2fdb9cff5f835e6f48954e85fdd80ed26f3feb5\r\nbf80eb460ba1a75ab65eef2d41d865c1559988490fe08ca87ac0304a9a4d0ebf\r\n49fddfe014e432902e3fb76a2fe93e2c4115126b9691212c2168483f7e7f1983\r\n49e3aa5c235d616e850a4af24901e45169be3307941059f42799b71fb913e8e4\r\nc9296a8db6fbcd8fdec47d1748f45d84dbe4e0939095136967341f98d61d1d5d\r\n6772dc15d8188eaae48564e8da85d484d172026fa799f045d415a113c6e504cc\r\n50ffeba0fe8424616f994ef6905c1d6211fc5f67ef5a91e696a570a51503f305\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 20 of 24\n\n17bf88f21ee3cb175befc8cfdbdee08e98b0bcc27985430eceeae8fd9ee1b1f6\r\ncad4c164e7a6d8043eaa53b5ea8e37a91655100518cfde2db8f6e0ab83456047\r\nc3594f18225b4961db0e30881691bb3b8408eaf82f6fe6e4ad0d1968dfe45c9e\r\ne5a402fc5d2fd3a632f882cf092bd34ad170b0c1c8f6c96ccc97cd5f42289e44\r\na3c4991faddf84cfbdf3e12e3d0cd1d0c2623b2308779c22b841c995249fcd7d\r\n7464d3b26c62e1725996f7e67a190356b30c6c95e06107b6bd654e0c4788a840\r\n0d8f71a387c3bac359c64a9bded69b5704440ea5feac1d7a32090d144200648e\r\n96ddb513f905e4e99f8dc09d267493acceaf9a07934f633c1d63ba2f8ac153ea\r\nc4b394e3465ca3b06b3a393a72d07ec3751f21322e57f644e8514308696b63b2\r\n5ec0797ecc28d3237425614e017f11b9681479e7b38db4860151b00776802294\r\n08ccd2a4239993293c1da5855542d8256351736146169b1c3acaf1461094f1a5\r\n4901fe6e2b0dd3c31b44cdacb77da77a60597d4e3f8b1f654238ec0fdf4991f6\r\n994c80b9e8cccd793084e142f475b80a287c9878ccf374ffd7628b9ddfda3f86\r\n9eaef04a038fbef59949ebdb5e6f2ecc4d93baf9c83c7bc840506ed5b6b044cd\r\n294e93207682d4ba5ec8808475d38c1c6e3c0734ead768626081f2f70347133d\r\n5bc487944fa142ed7609375271f11dded8330803ee868069071b3a613c622eab\r\nda43c627b1d0c24d11c091e7f4bfb2510eab64e7a9b25795c46c3e6bc944640e\r\n59d402fb6eed40b6c2b78765ab89f70e8b2c859768e552c5fc033a9ac27bce98\r\ne5d307b38dfbb210662b249196163f630a27c024308c058364b6d615dd686af6\r\n5c45111d4ad85d6f00369ed5db67f08b26f72a45f0a4c369aa9a53671d10fa6d\r\n87e167b3ac137078d0ec0b89937e615f4ed8fd731d46dbe2f4a7d6a700aeca27\r\n50e547042d91f02de4c1e48f1d0c372112a645292a7a3481ffa50b8d42306168\r\n1fcc34da13cf257a5401b94d9e6a8e8b57ae7d4019ae8b01190d6ef887555f50\r\ne50df8043eb2ea3022f5b366812ebcc1a7bca38eb74fe4331b5348429ccb1643\r\nc5d1a0b702d24dfd0f01e7a341fd3861c85733593edaf1b83d6c533a016bdbc6\r\nfd2950ed68c371c046eedea5a42ff08eb8d92896791c620643850ed3069ba328\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 21 of 24\n\n01d3b8685d9bffdd69496ffa63fa00155e75d3d295bec50b487e29060106c983\r\n09bbf92b68d85cdb272f385dede876d7566f21f1229373812b1899c785cb0a38\r\n21bab213e8b680c73984268a1cd7b3826b91aa4d3d71e4dbf54ee224dd9a53ad\r\n51c03995798adfce4355e077b136d3550251562be3150f638f0446f27f024165\r\n5247099a7274a0c966bac76cbf2eadfbb5469668e9826ca441b205be0081d37b\r\n5382f12b64611d6094d9f3f323f4839b02a41666e99c48295c37417f7346cada\r\neb63190af9e5d65ec8d0cb37ab25a80ce1c3dd0bb2210afbbdb51a401672c4a1\r\n7632c451c64fab7c82133c628e5885fb17df696a6691b075572301bf99cb874d\r\n1d6008d6f20fdf2684734748c278552e6d132b8b4d2fda2418c7aee2214bbb56\r\n35ee3a10a50d3b4fd40b3f4a3951f352b3942bca6e70039318252f94a153c1d2\r\n06223680e309029b20f313fbd7a76bbddd8cd6a3c68854e82a1e45a3cb324beb\r\n99fd855161e5ac7664552d386c7c2116d4c9ee71864ccea26a936f5c1078f55a\r\n8913f0d73f2451b071f5cbd7c0f5219060e58b88ca5f127281a00a4ac6003420\r\n2389804fa78725a4e34bacb0c84fcf545b42c53afbc67f27142756cd11349b16\r\nff98ef2ca94ca12bb7b4871a185aa0f85aec63de7d267bf3739c50d104e040d9\r\n738b5b0500af55729079145958bcd4c9c043c7e73a43cf6a2c714a0bdedd0cb8\r\nbfbae32e07d71c120b82252859caafe521d715a8541a697db6ef15c6ffcc6a81\r\nb9460ec36ce4503e35dcb64ac866eef259923f467cae4f0a94ab7b8705d5abe0\r\n5b1f5e569fd959ba510fbbc89a4270f6c828401935a73e9abe98592854141599\r\n2e305df3d35e7d388e6f1ec4721b872aee15762f41503cef62d8c9c7b41a6caf\r\nc5317bb05c20b4bce89ca9bcd4a95eb824badafa1f6bf4deebbe9edd9b67fe01\r\n1ec2e233fd9f3efa46bbd868cdcc50e37cdcbf7c9a56229a9a73e7da9cf5f537\r\n66b9fbe8c0cb2fd04f33eaa001272d2454d19c83f47f6018b89e9ef255881b0b\r\nc3e770ce902c3505ba711572a29f7009a865b94e90c31b864e7212f443973f33\r\n58f9ab818b72b4eed18ca05f72411c7138f63cf7002468943abea817dbeca92c\r\ne5923f3a9d307bdef38bc1272764163144ff54b50ba9559616639852a7e5a8e2\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 22 of 24\n\n75310e5f46bf865166745cab4c59908a8776dcd702f92dc12e6d4c4beae275bd\r\n8e9de59abf0497dfc1399d18c1d41d52c933678681d673cf68c26da4832ad084\r\nedad77792baeab71271da3d6177a5760da5fed7ccc06a05efe16296094006ecf\r\n5b38725e505922f00c3d5a3af2ed0a136b9ca90545492d376958a40b0998d05b\r\n36e5989dcaeccb2780a8baab651fe772996db8d957b261d40fece82555ad5282\r\n4da25e2ff6594efd2e5f71e6da0ed0246f161cc177821257fd98e25237e84127\r\n9fe53dd5538f75e4d80e4c1877212278f4357626b82b52db0fabd551535feba5\r\n8df40e5a302de6e62c3f33c030f49ecee6dc2e1a7c7c4ff21f956b7b35a141b9\r\n320b1c481c265f3f261f3976a2368d48797a681cbcad3437420aeb50a5a7fd26\r\n8da9258c0fcdd2e58f8a558adc6f9f587a6aabd5613827b66201f39ee3ff4c13\r\n3ad835871dbfc16ab05f3feb34778b49fdeb55fe7f60908b6aa4f449566ca609\r\n09191b8aeb028670b293d0446000c70b7c3616684470eb03a79ca4b9184bacec\r\nc5ca71df33e83f8a2012f8a9c8ca112306a3535078a1278882d7e9354cc21ccb\r\nec68a0f9923e5d22e01c6f0fe562318caded81907d0f07806e75ef4228d2a1ef\r\n3600a8d5f833dfb0999e0905998116af5e64e39b3e48d6ba732635f218799da4\r\ne5e7830b52eca53670a105a59a4cf9edee77f1e14cfbb945265a970a4ff8332b\r\n0120cd580471e2095397ec78c2d2c9a7b921d30367bc9df6da959bd0c8083dfa\r\n1becafef332882ce73323d263fe38added093312cbaa9b612f99758d1dcc7961\r\n754e5e743cd6b7e5f46db32e5bc0ed0ac9598972228f7560b568153a418ffff2\r\n0938fca638d7b96fb97b4346d084b4c46fc6c38fa451db8e08fc1a699eabe7c3\r\nfcfc6c9d2be7f33226650d93ffad0babe986f5f3f342f755857361e7bb051501\r\n1efae5b6cb92febfebb214e2e614581cb402b65f16aa93ec3567e32a9951d83f\r\n5d0de4a2407ef7c1db44c829b8d36a4f5ef625d647c6eafc061978e64d93ad1a\r\n13b3833a24203f82ef3f58570c5143bc40d1f39e7abcf7b34df3aa8a810d607e\r\n119af5cf3c1cca2f1877648d81569a72f850076b8f297a773207dcdc64d6de8e\r\n80cb1edd8bc62c97236da0e1a921c04d9893ba03b9698a1710740b14741b7de8\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 23 of 24\n\n4783fc4f4ed6a876ff887fc38439c73dd43efc437037d03243c8c4dfb198df25\r\n350be3905b617fd3c9797f4639ca8f1028638299866c16229779a5a97e226db9\r\n8f89153fc26e75380795a57e39456803d45d90ed13a6595b85a3ba3eef452261\r\ne222e65bd07eb962a2941d05dda961000c2ec3cb56bbdbcd757fd67850737406\r\nea2cf112e4a740b9c462ec93b9157c9cc5f86ee2bb490f32a7c552d4411af6e1\r\ne38026f2750b8710819c91729a589c6a043721a5998766aed363feacf7550a6a\r\n4d81fe33c5ab8acd5b7af51e1f3b853d6f071cc1bd7571b822dc9f4a47e4b67a\r\n6dc0a58a23677d21cd18b3ddd479ed3f212148715ddc5351e9d1ab82c342caf7\r\n97f739acd32886d4a0df621839b6a61be81b54f230f12c93f6797dea3a015200\r\n529d95f398f264a13cb8a0d72e5c6fd6e1c467d7c360c19d75eba956fa4fbe17\r\n7dc906a1292f69c2cacec4c0bd27beb96362a00883ba36ee4d5192b04e0bd97e\r\n7690fa1beb1ee32fb688a6cf69a9c975713c128c65b65424b65256e8b20e4c93\r\nSource: https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nhttps://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/\r\nPage 24 of 24",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/"
	],
	"report_names": [
		"yara-rule-development-il-instructions-in-redline-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1eb66c47705950d6e39d0d414512d35b4d31109b.pdf",
		"text": "https://archive.orkl.eu/1eb66c47705950d6e39d0d414512d35b4d31109b.txt",
		"img": "https://archive.orkl.eu/1eb66c47705950d6e39d0d414512d35b4d31109b.jpg"
	}
}