1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule APT_bestia
{
meta:
author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
date = "2014-03-19"
description = "Bestia.3.02.012.07 malware used in APT attacks on Polish government"
references = "http://zaufanatrzeciastrona.pl/post/ukierunkowany-atak-na-pracownikow-polskich-samorzadow/" /* PL */
hash0 = "9bb03bb5af40d1202378f95a6485fba8"
hash1 = "7d9a806e0da0b869b10870dd6c7692c5"
maltype = "apt"
filetype = "exe"
strings:
/* generated with https://github.com/Xen0ph0n/YaraGenerator */
$string0 = "u4(UeK"
$string1 = "nMiq/'p"
$string2 = "_9pJMf"
$string3 = "ICMP.DLL"
$string4 = "EG}QAp"
$string5 = "tsjWj:U"
$string6 = "FileVersion" wide
$string7 = "O2nQpp"
$string8 = "2}W8we"
$string9 = "ILqkC:l"
$string10 = "f1yzMk"
$string11 = "AutoIt v3 Script: 3, 3, 8, 1" wide
$string12 = "wj<1uH"
$string13 = "6fL-uD"
$string14 = "B9Iavo<"
$string15 = "rUS)sO"
$string16 = "FJH{_/f"
$string17 = "3e 03V"
condition:
17 of them
}