1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
rule marcher1
{
meta:
author = "Antonio S. <asanchez@koodous.com>"
source = "https://analyst.koodous.com/rulesets/890"
description = "This rule detects is to detect a type of banking malware"
sample = "33b1a9e4a1591c1a39fdd5295874e365dbde9448098254a938525385498da070"
strings:
$a = "cmVudCYmJg=="
$b = "dXNzZCYmJg=="
condition:
all of them
}
rule marcher2
{
meta:
author = "Antonio S. <asanchez@koodous.com>"
source = "https://analyst.koodous.com/rulesets/890"
strings:
$a = "HDNRQ2gOlm"
$b = "lElvyohc9Y1X+nzVUEjW8W3SbUA"
condition:
all of them
}
rule marcher3
{
meta:
author = "Antonio S. <asanchez@koodous.com>"
source = "https://analyst.koodous.com/rulesets/890"
sample1 = "087710b944c09c3905a5a9c94337a75ad88706587c10c632b78fad52ec8dfcbe"
sample2 = "fa7a9145b8fc32e3ac16fa4a4cf681b2fa5405fc154327f879eaf71dd42595c2"
strings:
$a = "certificado # 73828394"
$b = "A compania TMN informa que o vosso sistema Android tem vulnerabilidade"
condition:
all of them
}
rule marcher_v2
{
meta:
description = "This rule detects a new variant of Marcher"
sample = "27c3b0aaa2be02b4ee2bfb5b26b2b90dbefa020b9accc360232e0288ac34767f"
author = "Antonio S. <asanchez@koodous.com>"
source = "https://analyst.koodous.com/rulesets/1301"
strings:
$a = /assets\/[a-z]{1,12}.datPK/
$b = "mastercard_img"
$c = "visa_verifed"
condition:
all of them
}