Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
LimaBravo.yara 843 Bytes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 
import "pe"

rule LimaBravo
{
	meta:
		copyright = "2015 Novetta Solutions"
		author = "Novetta Threat Research & Interdiction Group - trig@novetta.com"
		Source = "Mwsagent.dll"

	strings:
	/*
		83 C4 34        add     esp, 34h
		83 FD 0A        cmp     ebp, 0Ah
		5D              pop     ebp
		5B              pop     ebx
		7E 12           jle     short loc_1000106F
		57              push    edi             ; Src
		C6 07 4D        mov     byte ptr [edi], 4Dh
		C6 47 01 5A     mov     byte ptr [edi+1], 5Ah
		E8 97 01 00 00  call    ManualImageLoad
	*/

	$a = {83 ?? 34 83 ?? 0A [0-2] 7E ?? 5? C6 ?? 4D C6 [2] 5A E8}

	condition:
		$a in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
}