1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule Vinsula_Sayad_Binder : infostealer
{
meta:
Author = "Vinsula, Inc"
Date = "2014/06/20"
Description = "Sayad Infostealer Binder"
Reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
strings:
$pdbstr = "\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdb"
$delphinativestr = "DelphiNative.dll" nocase
$sqlite3str = "sqlite3.dll" nocase
$winexecstr = "WinExec"
$sayadconfig = "base.dll" wide
condition:
all of them
}
rule Vinsula_Sayad_Client : infostealer
{
meta:
Author = "Vinsula, Inc"
Date = "2014/06/20"
Description = "Sayad Infostealer Client"
Reference = "http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/"
strings:
$pdbstr = "\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb"
$sayadconfig = "base.dll" wide
$sqlite3str = "sqlite3.dll" nocase
$debugstr01 = "Config loaded" wide
$debugstr02 = "Config parsed" wide
$debugstr03 = "storage uploader" wide
$debugstr04 = "updater" wide
$debugstr05 = "keylogger" wide
$debugstr06 = "Screenshot" wide
$debugstr07 = "sqlite found & start collectiong data" wide
$debugstr08 = "Machine info collected" wide
$debugstr09 = "browser ok" wide
$debugstr10 = "messenger ok" wide
$debugstr11 = "vpn ok" wide
$debugstr12 = "ftp client ok" wide
$debugstr13 = "ftp server ok" wide
$debugstr14 = "rdp ok" wide
$debugstr15 = "kerio ok" wide
$debugstr16 = "skype ok" wide
$debugstr17 = "serialize data ok" wide
$debugstr18 = "Keylogged" wide
condition:
all of them
}