Update and rename APT_threatgroup_3390.yar to APT_ThreatGroup_3390.yar

02c6be57 · mmorenog · GitHub · 5d3c5f98 · 02c6be57
Commit 02c6be57 authored Jul 20, 2016 by mmorenog Committed by GitHub Jul 20, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 8 deletions

APT_ThreatGroup_3390.yar malware/APT_ThreatGroup_3390.yar +8 -8

No files found.
--- a/malware/APT_threatgroup_3390.yar
+++ b/malware/APT_threatgroup_3390.yar
@@ -9,7 +9,7 @@
 	Identifier: Threat Group 3390
 */
-rule HttpBrowser_RAT_dropper_Gen1 {
+rule HttpBrowser_RAT_dropper_Gen1 : RAT Dropper APT {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
 		author = "Florian Roth"
@@ -49,7 +49,7 @@ rule HttpBrowser_RAT_dropper_Gen1 {
 		uint16(0) == 0x5a4d and filesize < 400KB and all of ($x*) and 1 of ($op*)
 }
-rule HttpBrowser_RAT_Sample1 {
+rule HttpBrowser_RAT_Sample1  : RAT APT  {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com"
 		author = "Florian Roth"
@@ -64,7 +64,7 @@ rule HttpBrowser_RAT_Sample1 {
 		uint16(0) == 0x5a4d and filesize < 100KB and $s0
 }
-rule HttpBrowser_RAT_Sample2 {
+rule HttpBrowser_RAT_Sample2  : RAT APT {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Sample"
 		author = "Florian Roth"
@@ -81,7 +81,7 @@ rule HttpBrowser_RAT_Sample2 {
 		uint16(0) == 0x5a4d and filesize < 250KB and all of them
 }
-rule HttpBrowser_RAT_Gen {
+rule HttpBrowser_RAT_Gen : RAT APT  {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Generic"
 		author = "Florian Roth"
@@ -119,7 +119,7 @@ rule HttpBrowser_RAT_Gen {
 		uint16(0) == 0x5a4d and filesize < 45KB and filesize > 20KB and all of them
 }
-rule PlugX_NvSmartMax_Gen {
+rule PlugX_NvSmartMax_Gen : PlugX APT {
 	meta:
 		description = "Threat Group 3390 APT Sample - PlugX NvSmartMax Generic"
 		author = "Florian Roth"
@@ -147,7 +147,7 @@ rule PlugX_NvSmartMax_Gen {
 		uint16(0) == 0x5a4d and filesize < 800KB and all of ($s*) and 1 of ($op*)
 }
-rule HttpBrowser_RAT_dropper_Gen2 {
+rule HttpBrowser_RAT_dropper_Gen2 : Dropper RAT {
 	meta:
 		description = "Threat Group 3390 APT Sample - HttpBrowser RAT Dropper"
 		author = "Florian Roth"
@@ -174,7 +174,7 @@ rule HttpBrowser_RAT_dropper_Gen2 {
 		uint16(0) == 0x5a4d and filesize < 400KB and 3 of ($s*) and 1 of ($op*)
 }
-rule ThreatGroup3390_Strings {
+rule ThreatGroup3390_Strings : APT {
 	meta:
 		description = "Threat Group 3390 APT - Strings"
 		author = "Florian Roth"
@@ -191,7 +191,7 @@ rule ThreatGroup3390_Strings {
 		1 of them and filesize < 30KB
 }
-rule ThreatGroup3390_C2 {
+rule ThreatGroup3390_C2 : C2 APT {
 	meta:
 		description = "Threat Group 3390 APT - C2 Server"
 		author = "Florian Roth"