{
    "type": "bundle",
    "id": "bundle--e7fd5d80-6b18-4d8c-a2fd-04b5c4f14c46",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--e9407c41-5eeb-4d30-9b75-921573f60588",
            "created": "2023-03-08T12:51:45.329146Z",
            "modified": "2023-03-08T12:51:45.329226Z",
            "name": "Xorhex",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8bb614b6-ad56-4f7b-b88e-df1d87f703cb",
            "created": "2026-06-24T19:23:26.814127Z",
            "modified": "2026-06-24T19:23:26.814127Z",
            "name": "YARA Rule",
            "pattern": "rule follow_the_fallchill_call { /* 0x10001030 C645EC78 mov byte ptr [ebp - 0x14], 0x78 0x10001034 C645ED29 mov byte ptr [ebp - 0x13], 0x29 0x10001038 C645EE2E mov byte ptr [ebp - 0x12], 0x2e 0x1000103c C645EF4C mov byte ptr [ebp - 0x11], 0x4c 0x10001040 C645F05D mov byte ptr [ebp - 0x10], 0x5d 0x10001044 C645F1A3 mov byte ptr [ebp - 0xf], 0xa3 0x10001048 C645F2B5 mov byte ptr [ebp - 0xe], 0xb5 0x1000104c C645F3D0 mov byte ptr [ebp - 0xd], 0xd0 0x10001050 C645F467 mov byte ptr [ebp - 0xc], 0x67 0x10001054 C645F5F0 mov byte ptr [ebp - 0xb], 0xf0 0x10001058 C645F681 mov byte ptr [ebp - 0xa], 0x81 0x1000105c C645F7B7 mov byte ptr [ebp - 9], 0xb7 0x10001060 C645F836 mov byte ptr [ebp - 8], 0x36 0x10001064 C645F9E5 mov byte ptr [ebp - 7], 0xe5 0x10001068 C645FAD5 mov byte ptr [ebp - 6], 0xd5 0x1000106c C645FB93 mov byte ptr [ebp - 5], 0x93 0x10001070 6A10 push 0x10 0x10001072 8D4DEC lea ecx, [ebp - 0x14] 0x10001075 51 push ecx 0x10001076 8D95E8FEFFFF lea edx, [ebp - 0x118] 0x1000107c 52 push edx 0x1000107d E8DE0C0000 call 0x10001d60 */ strings: $call_instr = { C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? C6 45 ?? ?? 6A ?? 8D 4D ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? } $cmp = { 81 7D ?? 00 01 00 00 } condition: console.hex(\"Relative offset to function address: \", int32(@call_instr+!call_instr-4)) and console.hex(\"Next Instruction Address: \", @call_instr+!call_instr) and console.hex(\"Start of Function: \", @call_instr+!call_instr+int32(@call_instr+!call_instr-4)) and $cmp in (@call_instr+!call_instr+int32(@call_instr+!call_instr-4)..@call_instr+!call_instr+int32(@call_instr+!call_instr-4)+32) }",
            "pattern_type": "yara",
            "valid_from": "2022-07-31T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8b62af0f-e10a-49c7-a8e6-d2b49437fbaa",
            "hashes": {
                "SHA-256": "d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3"
            }
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--d735dc96-d0fc-49a6-a5dc-43a5ae371b98",
            "created_by_ref": "identity--e9407c41-5eeb-4d30-9b75-921573f60588",
            "created": "2026-06-24T19:23:26.817776Z",
            "modified": "2026-06-24T19:23:26.817776Z",
            "name": "YARA - FOLLOWING FALLCHILL'S E8 CALL",
            "published": "2022-07-31T00:00:00Z",
            "object_refs": [
                "identity--e9407c41-5eeb-4d30-9b75-921573f60588",
                "indicator--8bb614b6-ad56-4f7b-b88e-df1d87f703cb",
                "file--8b62af0f-e10a-49c7-a8e6-d2b49437fbaa"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://blog.xorhex.com/blog/yarafollowingfallchills_e8_call/"
                }
            ]
        }
    ]
}