SANCTIONS BE DAMNED | FROM DRIDEX TO MACAW, THE EVOLUTION OF EVIL CORP
Common Information
Type | Value |
---|---|
UUID | 703ee8b6-802e-4ca4-b44c-8617e9d9de72 |
Fingerprint | 96bfb2d2fbbf2b7c69f1279dedd4174a82988816571805ae3c951c94912df09b |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 23, 2022, 9:37 a.m. |
Added to db | April 14, 2024, 2:19 a.m. |
Last updated | Aug. 31, 2024, 5:10 a.m. |
Headline | SANCTIONS BE DAMNED | FROM DRIDEX TO MACAW, THE EVOLUTION OF EVIL CORP |
Title | SANCTIONS BE DAMNED | FROM DRIDEX TO MACAW, THE EVOLUTION OF EVIL CORP |
Detected Hints/Tags/Attributes | 262/3/254 |
Source URLs
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 1373 | twitter.com |
|
Details | Domain | 128 | www.fbi.gov |
|
Details | Domain | 49 | home.treasury.gov |
|
Details | Domain | 6 | adversary.crowdstrike.com |
|
Details | Domain | 172 | www.crowdstrike.com |
|
Details | Domain | 71 | news.sophos.com |
|
Details | Domain | 6 | awakesecurity.com |
|
Details | Domain | 70 | nakedsecurity.sophos.com |
|
Details | Domain | 4127 | github.com |
|
Details | Domain | 102 | sourceforge.net |
|
Details | Domain | 31 | blog.morphisec.com |
|
Details | Domain | 3 | general.one |
|
Details | Domain | 3 | everywhere.search |
|
Details | Domain | 81 | blog.malwarebytes.com |
|
Details | Domain | 8 | www.bromium.com |
|
Details | Domain | 15 | www.vmray.com |
|
Details | Domain | 26 | www.accenture.com |
|
Details | Domain | 9 | www.abuseipdb.com |
|
Details | Domain | 1 | refinedbewbs.com |
|
Details | Domain | 360 | attack.mitre.org |
|
Details | Domain | 219 | gist.github.com |
|
Details | Domain | 2 | o76s3m7l5ogig4u5.onion |
|
Details | Domain | 2 | 5lyi3c7x3ioakru4.onion |
|
Details | Domain | 1 | ixltdyumdlthrtgx.onion |
|
Details | Domain | 89 | protonmail.ch |
|
Details | Domain | 2 | eclipso.ch |
|
Details | Domain | 396 | protonmail.com |
|
Details | Domain | 167 | tutanota.com |
|
Details | Domain | 84 | airmail.cc |
|
Details | Domain | 144 | cock.li |
|
Details | Domain | 3 | armormail.net |
|
Details | Domain | 12 | secmail.pro |
|
Details | Domain | 23 | tutanota.de |
|
Details | Domain | 2 | bingoshow.xyz |
|
Details | Domain | 1 | login.nuwealthmedia.com |
|
Details | Domain | 1 | news.pocketstay.com |
|
Details | Domain | 1 | services.accountablitypartner.com |
|
Details | Domain | 1 | login.wwpcrisis.com |
|
Details | Domain | 1 | login.markbrey.com |
|
Details | Domain | 1 | nodes.fioressence.com |
|
Details | Domain | 1 | push.youbyashboutique.com |
|
Details | Domain | 1 | office.drpease.com |
|
Details | Domain | 3 | consultane.com |
|
Details | Domain | 1 | lafeedback.com |
|
Details | Domain | 2 | websitelistbuilder.com |
|
Details | Domain | 2 | twimg-us.azureedge.net |
|
Details | Domain | 3 | cutyoutube.com |
|
Details | Domain | 2 | cdn.auditor.adobe.com |
|
Details | Domain | 4 | cofeedback.com |
|
Details | Domain | 2 | roofingspecialists.info |
|
Details | Domain | 2 | wholesalerandy.com |
|
Details | Domain | 1 | pieceofheavenptc.info |
|
Details | Domain | 3 | currentteach.com |
|
Details | Domain | 3 | newschools.info |
|
Details | Domain | 1 | firsino.com |
|
Details | Domain | 2 | potasip.com |
|
Details | Domain | 2 | adsmarketart.com |
|
Details | Domain | 2 | advancedanalysis.be |
|
Details | | 1 | 84550@protonmail.ch |
|
Details | | 1 | 67146@eclipso.ch |
|
Details | | 1 | 91645@protonmail.ch |
|
Details | | 1 | 61258@eclipso.ch |
|
Details | | 1 | 48907@protonmail.com |
|
Details | | 1 | 78470@tutanota.com |
|
Details | | 1 | 29051@protonmail.ch |
|
Details | | 1 | 98722@airmail.cc |
|
Details | | 1 | phcontactme@cock.li |
|
Details | | 1 | rickhood@armormail.net |
|
Details | | 1 | meredithpatrick@protonmail.com |
|
Details | | 1 | chooc9@secmail.pro |
|
Details | | 1 | jeey5o@tutanota.de |
|
Details | | 1 | rei5ah@protonmail.com |
|
Details | File | 2 | head-fake-tackling-disruptive-ransomware-attacks.html |
|
Details | File | 1 | ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader.html |
|
Details | File | 12 | c:\windows\system32\vssadmin.exe |
|
Details | File | 33 | c:\windows\system32\notepad.exe |
|
Details | File | 1 | c:\users\admin\desktop\phoenix-help.txt |
|
Details | File | 345 | vssadmin.exe |
|
Details | File | 1 | how-to-decrypt-dvxr9.txt |
|
Details | File | 351 | recycle.bin |
|
Details | File | 1 | phoenix-help.txt |
|
Details | File | 1 | payloadbin-readme.txt |
|
Details | File | 2 | c:\users\lucas\documents\awards.xls |
|
Details | File | 2 | c:\users\lucas\documents\onenote notebooks\personal\contact-to-decrypt.txt |
|
Details | File | 2 | c:\users\lucas\documents\pexels-photo-46710.jpeg |
|
Details | File | 2 | c:\users\lucas\desktop\ppt_ch10.ppt |
|
Details | File | 2 | c:\users\lucas\desktop\wef_future_of_jobs.pdf |
|
Details | File | 2 | wsqmcons.exe |
|
Details | File | 2 | macaw_sample.exe |
|
Details | File | 2 | bromium-emotet-technical-analysis-report.pdf |
|
Details | File | 7 | 'msxml2.xml |
|
Details | File | 2 | classicstartmenu.exe |
|
Details | File | 1 | 1db0000.exe |
|
Details | File | 1 | mod_c.exe |
|
Details | File | 1 | chikenchuchu123.exe |
|
Details | File | 1 | smpl.tmp |
|
Details | File | 2 | coreldrw.exe |
|
Details | File | 1 | cobaltstrike_2.txt |
|
Details | File | 1 | rad3f3e7.tmp |
|
Details | File | 1 | trustedikstaller.exe |
|
Details | File | 1 | slcaa.exe |
|
Details | File | 1 | hexba8.tmp |
|
Details | File | 1 | lznyd.exe |
|
Details | File | 11 | ie4uinit.exe |
|
Details | File | 1 | amad.exe |
|
Details | Github username | 14 | hfiref0x |
|
Details | Github username | 1 | tera0017 |
|
Details | Github username | 1 | antonio-s1 |
|
Details | md5 | 1 | 3fc7f20aabeef2d3290e3b71d7f639fd |
|
Details | md5 | 1 | 2F5338DABD40348C71D858459FE7B8ED |
|
Details | sha1 | 1 | ebfedc636bad6877923a4e0bbcb16493ed0acc61 |
|
Details | sha1 | 1 | a21562f8f1177e17d7975065d13ff0182cbef1c2 |
|
Details | sha1 | 1 | 8a974ac76fb587855d488629944abfa1fb5822e3 |
|
Details | sha1 | 1 | b4061d4227e08cfaa3190dea9926571fca2736a1 |
|
Details | sha1 | 1 | f8e52380b6f3668d4de6df416c8da389c0d98fe8 |
|
Details | sha1 | 1 | c9b25177db2f6eaddb4b028a9284b4fb5c3ffcd0 |
|
Details | sha1 | 1 | 7bcea3fbfcb4c170c57c9050499e1fae40f5d731 |
|
Details | sha1 | 1 | e23637ea81751e558fca17ef1a54b6e39d2e83c3 |
|
Details | sha1 | 1 | 16aaf95ff91ccf05e5920858f9f637abf2511e57 |
|
Details | sha1 | 1 | 3cb0cb07cc2542f1d98060adccda726ea865db98 |
|
Details | sha1 | 1 | d0d68281f8459b5558559fbbf8c6c8ab4ddfec8b |
|
Details | sha1 | 1 | f8fc84030c579070b36c99c836ac4b5c32bbc2c4 |
|
Details | sha1 | 1 | 61f1c5e966450e6050e2e284765f7d0c169e5a15 |
|
Details | sha1 | 1 | fe0c77959bc7c016a49f71c765de947e3294a667 |
|
Details | sha1 | 1 | fade3f5ffca06cceef202ddeae9339ea64d1ad7a |
|
Details | sha1 | 2 | 763d356d30e81d1cd15f6bc6a31f96181edb0b8f |
|
Details | sha1 | 1 | 1d65057dd11cf6218fb9a425b6ac31e3c58dd508 |
|
Details | sha1 | 1 | c3154048ac74ceac75fdc62820ef66f1bdb31334 |
|
Details | sha256 | 1 | 7ccbdcde5a9b30f8b2b866a5ca173063dec7bc92034e7cf10e3eebff017f3c23 |
|
Details | sha256 | 1 | f6d738baea6802cbbb3ae63b39bf65fbd641a1f0d2f0c819a8c56f677b97bed1 |
|
Details | sha256 | 1 | c7372ffaf831ad963c0a9348beeaadb5e814ceeb878a0cc7709473343d63a51c |
|
Details | IPv4 | 2 | 185.82.127.86 |
|
Details | IPv4 | 2 | 130.0.233.178 |
|
Details | IPv4 | 1 | 37.48.84.156 |
|
Details | IPv4 | 3 | 179.43.169.30 |
|
Details | IPv4 | 2 | 79.110.52.138 |
|
Details | IPv4 | 1 | 81.4.122.193 |
|
Details | IPv4 | 2 | 195.189.96.41 |
|
Details | IPv4 | 1 | 23.227.193.137 |
|
Details | IPv4 | 1 | 138.124.180.216 |
|
Details | IPv4 | 2 | 185.162.131.99 |
|
Details | IPv4 | 2 | 185.250.151.33 |
|
Details | IPv4 | 2 | 82.148.28.9 |
|
Details | IPv4 | 1 | 54.192.229.106 |
|
Details | IPv4 | 1 | 54.192.229.20 |
|
Details | IPv4 | 1 | 54.192.229.43 |
|
Details | IPv4 | 1 | 54.192.229.71 |
|
Details | MITRE ATT&CK Techniques | 21 | T1584.004 |
|
Details | MITRE ATT&CK Techniques | 183 | T1189 |
|
Details | MITRE ATT&CK Techniques | 310 | T1047 |
|
Details | MITRE ATT&CK Techniques | 460 | T1059.001 |
|
Details | MITRE ATT&CK Techniques | 239 | T1106 |
|
Details | MITRE ATT&CK Techniques | 86 | T1548.002 |
|
Details | MITRE ATT&CK Techniques | 66 | T1584 |
|
Details | MITRE ATT&CK Techniques | 78 | T1548 |
|
Details | MITRE ATT&CK Techniques | 44 | T1134.001 |
|
Details | MITRE ATT&CK Techniques | 298 | T1562.001 |
|
Details | MITRE ATT&CK Techniques | 19 | T1027.004 |
|
Details | MITRE ATT&CK Techniques | 34 | T1027.001 |
|
Details | MITRE ATT&CK Techniques | 121 | T1218 |
|
Details | MITRE ATT&CK Techniques | 97 | T1497.001 |
|
Details | MITRE ATT&CK Techniques | 42 | T1027.005 |
|
Details | MITRE ATT&CK Techniques | 116 | T1134 |
|
Details | MITRE ATT&CK Techniques | 235 | T1562 |
|
Details | MITRE ATT&CK Techniques | 627 | T1027 |
|
Details | MITRE ATT&CK Techniques | 238 | T1497 |
|
Details | MITRE ATT&CK Techniques | 107 | T1564 |
|
Details | MITRE ATT&CK Techniques | 55 | T1553.002 |
|
Details | MITRE ATT&CK Techniques | 48 | T1480 |
|
Details | MITRE ATT&CK Techniques | 183 | T1036.005 |
|
Details | MITRE ATT&CK Techniques | 36 | T1558.003 |
|
Details | MITRE ATT&CK Techniques | 99 | T1087.002 |
|
Details | MITRE ATT&CK Techniques | 124 | T1482 |
|
Details | MITRE ATT&CK Techniques | 56 | T1553 |
|
Details | MITRE ATT&CK Techniques | 348 | T1036 |
|
Details | MITRE ATT&CK Techniques | 27 | T1558 |
|
Details | MITRE ATT&CK Techniques | 179 | T1087 |
|
Details | MITRE ATT&CK Techniques | 74 | T1069.002 |
|
Details | MITRE ATT&CK Techniques | 585 | T1083 |
|
Details | MITRE ATT&CK Techniques | 176 | T1135 |
|
Details | MITRE ATT&CK Techniques | 72 | T1087.001 |
|
Details | MITRE ATT&CK Techniques | 492 | T1105 |
|
Details | MITRE ATT&CK Techniques | 472 | T1486 |
|
Details | MITRE ATT&CK Techniques | 65 | T1069 |
|
Details | Url | 1 | https://www.fireeye.com/blog/threat-research/2019/10/head-fake-tackling-disruptive-ransomware-attacks.html |
|
Details | Url | 1 | https://twitter.com/nca_uk/status/1202618928209498114?s=20 |
|
Details | Url | 2 | https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev |
|
Details | Url | 13 | https://home.treasury.gov/news/press-releases/sm845 |
|
Details | Url | 1 | https://adversary.crowdstrike.com/en-us/adversary/doppel-spider |
|
Details | Url | 6 | https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2 |
|
Details | Url | 1 | https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage |
|
Details | Url | 1 | https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium |
|
Details | Url | 1 | https://twitter.com/demonslay335/status/1339324224029274118?s=20 |
|
Details | Url | 2 | https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker |
|
Details | Url | 1 | https://twitter.com/fwosar/status/1401110845820747797?s=20 |
|
Details | Url | 1 | https://www.zdnet.com/article/hacker-gang-behind-garmin-attack-doesnt-have-a-history-of-stealing-user-data/?&web_view=true |
|
Details | Url | 1 | https://nakedsecurity.sophos.com/2017/08/10/watch-out-for-emotet-the-trojan-thats-nearly-a-worm |
|
Details | Url | 1 | https://www.trendmicro.com/it_it/research/18/l/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader.html |
|
Details | Url | 4 | https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group |
|
Details | Url | 7 | https://github.com/hfiref0x/uacme |
|
Details | Url | 1 | https://sourceforge.net/projects/rsaref |
|
Details | Url | 1 | https://blog.morphisec.com/bitpaymer-ransomware-with-new-custom-packer-framework |
|
Details | Url | 3 | https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure |
|
Details | Url | 1 | https://techcrunch.com/2021/10/12/olympus-confirms-us-cyberattack-weeks-after-blackmatter-ransomware-hit-emea-systems |
|
Details | Url | 1 | https://www.bleepingcomputer.com/news/security/sinclair-tv-stations-crippled-by-weekend-ransomware-attack |
|
Details | Url | 1 | https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks |
|
Details | Url | 1 | https://blog.malwarebytes.com/threat-analysis/2015/12/malware-crypters-the-deceptive-first-layer |
|
Details | Url | 2 | https://www.bromium.com/wp-content/uploads/2019/07/bromium-emotet-technical-analysis-report.pdf |
|
Details | Url | 8 | https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group |
|
Details | Url | 1 | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software |
|
Details | Url | 1 | https://github.com/tera0017/de-cryptone |
|
Details | Url | 2 | https://www.vmray.com/cyber-security-blog/wastedlocker-ransomware-threat-bulletin |
|
Details | Url | 1 | https://www.accenture.com/us-en/blogs/security/ransomware-hades |
|
Details | Url | 1 | https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware |
|
Details | Url | 1 | https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies |
|
Details | Url | 1 | https://www.abuseipdb.com/check/185.82.127.86 |
|
Details | Url | 1 | https://www.darktrace.com/en/blog/how-ai-stopped-a-wasted-locker-intrusion-before-ransomware-deployed |
|
Details | Url | 1 | https://www.securonix.com/securonix-threat-research-detecting-wastedlocker-ransomware-using-security-analytics |
|
Details | Url | 1 | https://answers.microsoft.com/en-us/windows/forum/all/block-or-avoid-wastedlocker-ransomeware-detected |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1584/004 |
|
Details | Url | 4 | https://attack.mitre.org/techniques/t1189 |
|
Details | Url | 5 | https://attack.mitre.org/techniques/t1047 |
|
Details | Url | 2 | https://attack.mitre.org/groups/g0119 |
|
Details | Url | 5 | https://attack.mitre.org/techniques/t1106 |
|
Details | Url | 4 | https://attack.mitre.org/techniques/t1548/002 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1134/001 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1562/001/dri |
|
Details | Url | 2 | https://attack.mitre.org/techniques/t1027/004 |
|
Details | Url | 2 | https://attack.mitre.org/techniques/t1027/001 |
|
Details | Url | 2 | https://attack.mitre.org/techniques/t1218 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1497/001 |
|
Details | Url | 2 | https://attack.mitre.org/techniques/t1027/002 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1027/005 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1564 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1553/002 |
|
Details | Url | 1 | https://attack.mitre.org/techniques/t1480 |
|
Details | Url | 4 | https://attack.mitre.org/techniques/t1036/005 |
|
Details | Url | 2 | https://attack.mitre.org/techniques/t1558/003 |
|
Details | Url | 4 | https://attack.mitre.org/techniques/t1087/002 |
|
Details | Url | 5 | https://attack.mitre.org/techniques/t1482 |
|
Details | Url | 2 | https://attack.mitre.org/techniques/t1069/002 |
|
Details | Url | 7 | https://attack.mitre.org/techniques/t1083 |
|
Details | Url | 4 | https://attack.mitre.org/techniques/t1135 |
|
Details | Url | 3 | https://attack.mitre.org/techniques/t1087/001 |
|
Details | Url | 10 | https://attack.mitre.org/techniques/t1105 |
|
Details | Url | 9 | https://attack.mitre.org/techniques/t1486 |
|
Details | Url | 1 | https://gist.github.com/antonio-s1/1fc53ed220012a |
|
Details | Url | 1 | https://t.me/phdecrypt |
|
Details | Windows Registry Key | 4 | HKEY_CLASSES_ROOT\interface |
|
Details | Yara rule | 1 | rule CryptOne { meta: Author = "@Tera0017/@SentinelOne" Family = "Evil Corp Packer-CryptOne" /* Packer detection: three x86 and three x64 code-byte patterns plus two GUID-formatted strings; ?? is a single wildcard byte and [4] skips exactly four bytes. */ strings: $x86_code1 = { 68 FC 4A 06 00 68 F4 E0 01 00 E8 } $x86_code2 = { 6A 15 E8 [4] 83 C4 04 A3 [4] 68 45 7E 00 00 } $x86_code3 = { 83 C4 08 8B 55 ?? 8B 45 ?? 8D 8C 10 [4] 89 } $x64_code1 = { C7 ?? ?? ?? 05 0D 00 00 } $x64_code2 = { 48 03 44 24 48 48 03 44 24 48 48 03 44 24 48 48 03 44 24 48 } $x64_code3 = { 41 8D 84 03 ?? ?? 00 00 } $str1 = "\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}" $str2 = "\\{b196b287-bab4-101a-b69c-00aa00341d07}" /* Fires on a complete x64 or x86 pattern set, or on either GUID string backed by any two code patterns of one architecture; the string-backed branch tolerates one changed pattern. */ condition: (all of ($x64*)) or (all of ($x86*)) or (any of ($str*) and (2 of ($x64*) or 2 of ($x86*))) } |
|
Details | Yara rule | 1 | rule CryptONE_1111111Version { meta: Author = "SentinelLabs" Family = "Evil Corp CryptOne" /* Variant of the CryptOne rule: the same two GUID-formatted strings, here prefixed with nine '1' characters and matched in both ASCII and UTF-16 (wide) encodings. */ strings: $str1 = "111111111\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}" ascii wide $str2 = "111111111\\{b196b287-bab4-101a-b69c-00aa00341d07}" ascii wide /* Either string alone is sufficient; there is no PE-header or code-pattern check, so the match is purely string-based. */ condition: any of them } |
|
Details | Yara rule | 1 | rule MAL_JS_SocGholish_Mar21_1 : js socgholish { meta: description = "Triggers on SocGholish JS files" author = "Nils Kuhnert" date = "2021-03-29" /* The three hash meta values are the SHA-256 sample hashes also listed in this report's sha256 attributes. */ hash = "7ccbdcde5a9b30f8b2b866a5ca173063dec7bc92034e7cf10e3eebff017f3c23" hash = "f6d738baea6802cbbb3ae63b39bf65fbd641a1f0d2f0c819a8c56f677b97bed1" hash = "c7372ffaf831ad963c0a9348beeaadb5e814ceeb878a0cc7709473343d63a51c" /* Fragments are WSH/ActiveX API calls and bracket-notation property accesses as they appear in the script text. */ strings: $try = "try" $s1 = "new ActiveXObject('Scripting.FileSystemObject');" $s2 = "['DeleteFile']" $s3 = "['WScript']['ScriptFullName']" $s4 = "['WScript']['Sleep'](1000)" $s5 = "new ActiveXObject('MSXML2.XMLHTTP')" $s6 = "this['eval']" $s7 = "String['fromCharCode']" $s8 = "2), 16)," $s9 = "= 103," $s10 = "'00000000'" /* "try" must appear within the first 10 bytes, the file must be between 3KB and 5KB, and 8 of the 10 $s* fragments must be present; the narrow size window means a differently sized variant will not match. */ condition: $try in (0 .. 10) and filesize > 3KB and filesize < 5KB and 8 of ($s*) } |
|
Details | Yara rule | 1 | import "pe" /* pe module is needed for the section table walk below. */ rule hades_section_name { meta: Author = "SentinelLabs" Family = "Evil Corp Hades" /* MZ magic check, then any PE section literally named ".obX0"; the rule inspects section names only, not section contents. */ condition: (int16(0) == 0x5A4D) and (for any i in (0 .. pe.number_of_sections - 1) : ( pe.sections[i].name == ".obX0" )) } |
|
Details | Yara rule | 1 | rule PayloadBin_digital_cert { meta: Author = "SentinelLabs" Family = "Evil Corp PayloadBIN digital cert signature" /* The signer name and what $serial1 labels as the certificate serial are searched as raw bytes; the pe module's signature fields are not used, so the rule does not check that a certificate is actually attached or valid. */ strings: $signer1 = "TAKE CARE SP Z O O" $serial1 = { 00 98 9A 33 B7 2A 2A A2 9E 32 D0 A5 E1 55 C5 39 63 } /* MZ magic plus both the signer string and the serial bytes anywhere in the file. */ condition: (int16(0) == 0x5A4D) and (($signer1) and ($serial1)) } |