Update APT_Hellsing.yar

Fixed style rule

Update APT_Hellsing.yar
Fixed style rule
1b1c9665 · Marc Rivero López · GitHub · b047b622 · 1b1c9665
Commit 1b1c9665 authored Jan 22, 2017 by Marc Rivero López Committed by GitHub Jan 22, 2017
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 14 deletions

APT_Hellsing.yar malware/APT_Hellsing.yar +12 -14

No files found.
--- a/malware/APT_Hellsing.yar
+++ b/malware/APT_Hellsing.yar
@@ -4,9 +4,9 @@

 import "pe"

-
-rule apt_hellsing_implantstrings : PE
+rule apt_hellsing_implantstrings
 { 
+  
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
@@ -15,16 +15,12 @@ rule apt_hellsing_implantstrings : PE

    strings: 
        $mz="MZ"
-
        $a1="the file uploaded failed !" 
        $a2="ping 127.0.0.1"      
-		
        $b1="the file downloaded failed !" 
        $b2="common.asp"
-		
        $c="xweber_server.exe" 
        $d="action="
-
        $debugpath1="d:\\Hellsing\\release\\msger\\" nocase 
        $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase 
        $debugpath3="D:\\Hellsing\\release\\exe\\" nocase 
@@ -32,7 +28,6 @@ rule apt_hellsing_implantstrings : PE
        $debugpath5="e:\\Hellsing\\release\\clare" nocase 
        $debugpath6="e:\\Hellsing\\release\\irene\\" nocase 
        $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
-
        $e="msger_server.dll"
        $f="ServiceMain"

@@ -40,8 +35,9 @@ rule apt_hellsing_implantstrings : PE
        ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
 }

-rule apt_hellsing_installer : PE
+rule apt_hellsing_installer
 {
+    
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
@@ -50,9 +46,7 @@ rule apt_hellsing_installer : PE

    strings: 
        $mz="MZ"
-		
        $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
-		
        $a1="xweber_install_uac.exe"
        $a2="system32\\cmd.exe" wide
        $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" 
@@ -67,8 +61,9 @@ rule apt_hellsing_installer : PE
        ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
 }

-rule apt_hellsing_proxytool : PE
+rule apt_hellsing_proxytool
 {
+    
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
@@ -88,8 +83,9 @@ rule apt_hellsing_proxytool : PE
        ($mz at 0) and (2 of ($a*)) and filesize < 300000
 }

-rule apt_hellsing_xkat : PE
+rule apt_hellsing_xkat 
 {
+    
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
@@ -115,8 +111,9 @@ rule apt_hellsing_xkat : PE
        ($mz at 0) and (6 of ($a*)) and filesize < 300000
 }

-rule apt_hellsing_msgertype2 : PE
+rule apt_hellsing_msgertype2
 {
+    
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"
@@ -136,8 +133,9 @@ rule apt_hellsing_msgertype2 : PE
        ($mz at 0) and (4 of ($a*)) and filesize < 500000
 }

-rule apt_hellsing_irene : PE
+rule apt_hellsing_irene
 {
+    
    meta:
        Author = "Costin Raiu, Kaspersky Lab"
        Date = "2015-04-07"