

// Memory-scan rule for Hancitor: matches either the un-rendered C format
// template of the check-in request, or five of the six literal fragments that
// make up that request. Intended for memory (see filetype meta), not for
// on-disk scanning, where the short fragments alone would be too generic.
rule hancitor {
	meta:
		description = "Memory string yara for Hancitor"
		author = "J from THL <j@techhelplist.com>"
		reference1 = "https://researchcenter.paloaltonetworks.com/2018/02/threat-brief-hancitor-actors/"
		reference2 = "https://www.virustotal.com/#/file/43e17f30b78c085e9bda8cadf5063cd5cec9edaa7441594ba1fe51391cc1c486/"
		reference3 = "https://www.virustotal.com/#/file/d135f03b9fdc709651ac9d0264e155c5580b072577a8ff24c90183b126b5e12a/"
		date = "2018-09-18"
		maltype1 = "Botnet"
		filetype = "memory"

	strings:
		// Individual parameter names of the check-in body. Each one on its own
		// is short and common in benign memory, so the condition requires a
		// near-complete set rather than any single hit.
		$chk_guid  = "GUID="     ascii
		$chk_build = "&BUILD="   ascii
		$chk_info  = "&INFO="    ascii
		$chk_ip    = "&IP="      ascii
		$chk_type  = "&TYPE="    ascii
		// Literal pipe-separated token "php|http" (the '|' is part of the match).
		$chk_phttp = "php|http"  ascii
		// Full printf-style template as it sits in the binary before the values
		// are filled in; matched as a whole word so partial overlaps do not count.
		$fmt = "GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d" ascii fullword

	condition:
		// $chk_* covers exactly the six fragment strings above.
		5 of ($chk_*) or $fmt
}