Commit 1b1c9665 by Marc Rivero López Committed by GitHub

Update APT_Hellsing.yar

Fixed style rule
parent b047b622
...@@ -4,9 +4,9 @@ ...@@ -4,9 +4,9 @@
import "pe" import "pe"
rule apt_hellsing_implantstrings
rule apt_hellsing_implantstrings : PE
{ {
meta: meta:
Author = "Costin Raiu, Kaspersky Lab" Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07" Date = "2015-04-07"
...@@ -15,16 +15,12 @@ rule apt_hellsing_implantstrings : PE ...@@ -15,16 +15,12 @@ rule apt_hellsing_implantstrings : PE
strings: strings:
$mz="MZ" $mz="MZ"
$a1="the file uploaded failed !" $a1="the file uploaded failed !"
$a2="ping 127.0.0.1" $a2="ping 127.0.0.1"
$b1="the file downloaded failed !" $b1="the file downloaded failed !"
$b2="common.asp" $b2="common.asp"
$c="xweber_server.exe" $c="xweber_server.exe"
$d="action=" $d="action="
$debugpath1="d:\\Hellsing\\release\\msger\\" nocase $debugpath1="d:\\Hellsing\\release\\msger\\" nocase
$debugpath2="d:\\hellsing\\sys\\xrat\\" nocase $debugpath2="d:\\hellsing\\sys\\xrat\\" nocase
$debugpath3="D:\\Hellsing\\release\\exe\\" nocase $debugpath3="D:\\Hellsing\\release\\exe\\" nocase
...@@ -32,7 +28,6 @@ rule apt_hellsing_implantstrings : PE ...@@ -32,7 +28,6 @@ rule apt_hellsing_implantstrings : PE
$debugpath5="e:\\Hellsing\\release\\clare" nocase $debugpath5="e:\\Hellsing\\release\\clare" nocase
$debugpath6="e:\\Hellsing\\release\\irene\\" nocase $debugpath6="e:\\Hellsing\\release\\irene\\" nocase
$debugpath7="d:\\hellsing\\sys\\irene\\" nocase $debugpath7="d:\\hellsing\\sys\\irene\\" nocase
$e="msger_server.dll" $e="msger_server.dll"
$f="ServiceMain" $f="ServiceMain"
...@@ -40,8 +35,9 @@ rule apt_hellsing_implantstrings : PE ...@@ -40,8 +35,9 @@ rule apt_hellsing_implantstrings : PE
($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000 ($mz at 0) and (all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f) and filesize < 500000
} }
rule apt_hellsing_installer : PE rule apt_hellsing_installer
{ {
meta: meta:
Author = "Costin Raiu, Kaspersky Lab" Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07" Date = "2015-04-07"
...@@ -50,9 +46,7 @@ rule apt_hellsing_installer : PE ...@@ -50,9 +46,7 @@ rule apt_hellsing_installer : PE
strings: strings:
$mz="MZ" $mz="MZ"
$cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\"" $cmd="cmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\""
$a1="xweber_install_uac.exe" $a1="xweber_install_uac.exe"
$a2="system32\\cmd.exe" wide $a2="system32\\cmd.exe" wide
$a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=" $a4="S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y="
...@@ -67,8 +61,9 @@ rule apt_hellsing_installer : PE ...@@ -67,8 +61,9 @@ rule apt_hellsing_installer : PE
($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000 ($mz at 0) and ($cmd and (2 of ($a*))) and filesize < 500000
} }
rule apt_hellsing_proxytool : PE rule apt_hellsing_proxytool
{ {
meta: meta:
Author = "Costin Raiu, Kaspersky Lab" Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07" Date = "2015-04-07"
...@@ -88,8 +83,9 @@ rule apt_hellsing_proxytool : PE ...@@ -88,8 +83,9 @@ rule apt_hellsing_proxytool : PE
($mz at 0) and (2 of ($a*)) and filesize < 300000 ($mz at 0) and (2 of ($a*)) and filesize < 300000
} }
rule apt_hellsing_xkat : PE rule apt_hellsing_xkat
{ {
meta: meta:
Author = "Costin Raiu, Kaspersky Lab" Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07" Date = "2015-04-07"
...@@ -115,8 +111,9 @@ rule apt_hellsing_xkat : PE ...@@ -115,8 +111,9 @@ rule apt_hellsing_xkat : PE
($mz at 0) and (6 of ($a*)) and filesize < 300000 ($mz at 0) and (6 of ($a*)) and filesize < 300000
} }
rule apt_hellsing_msgertype2 : PE rule apt_hellsing_msgertype2
{ {
meta: meta:
Author = "Costin Raiu, Kaspersky Lab" Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07" Date = "2015-04-07"
...@@ -136,8 +133,9 @@ rule apt_hellsing_msgertype2 : PE ...@@ -136,8 +133,9 @@ rule apt_hellsing_msgertype2 : PE
($mz at 0) and (4 of ($a*)) and filesize < 500000 ($mz at 0) and (4 of ($a*)) and filesize < 500000
} }
rule apt_hellsing_irene : PE rule apt_hellsing_irene
{ {
meta: meta:
Author = "Costin Raiu, Kaspersky Lab" Author = "Costin Raiu, Kaspersky Lab"
Date = "2015-04-07" Date = "2015-04-07"
......
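Review bot: The condition of apt_hellsing_implantstrings (the `($mz at 0) and (all of ($a*)) or ...` line) is left unparenthesized, and in YARA `and` binds tighter than `or`, so `$mz at 0` only constrains the `$a*` branch and `filesize < 500000` only the `$e and $f` branch. As written, `all of ($b*)`, `$c and $d`, or any single `$debugpath*` string matches a file of any type and size, which invites false positives on non-PE content such as reports or memory dumps that quote these strings. Grouping the alternatives would bring it in line with the other rules shown here: `($mz at 0) and ((all of ($a*)) or (all of ($b*)) or ($c and $d) or (any of ($debugpath*)) or ($e and $f)) and filesize < 500000`. Only part of the rule body is visible in this view, so the string set should be checked against the full file before changing it.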