Bug with COZY_FANCY_BEAR_modified_VmUpgradeHelper

Deleted COZY_FANCY_BEAR_modified_VmUpgradeHelper

Bug with COZY_FANCY_BEAR_modified_VmUpgradeHelper
Deleted COZY_FANCY_BEAR_modified_VmUpgradeHelper
287e89e6 · j0sm1 · cad50e65 · 287e89e6 · 287e89e6
Commit 287e89e6 authored Aug 01, 2016 by j0sm1
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 16 deletions

APT_fancybear_dnc.yar malware/APT_fancybear_dnc.yar +0 -16

malware.yar malware/malware.yar +0 -0

No files found.
--- a/malware/APT_fancybear_dnc.yar
+++ b/malware/APT_fancybear_dnc.yar
@@ -32,19 +32,3 @@ rule COZY_FANCY_BEAR_pagemgr_Hunt {
 	condition:
 		uint16(0) == 0x5a4d and 1 of them
 }
-
-rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
-	meta:
-		description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
-		author = "Florian Roth"
-		reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
-		date = "2016-06-14"
-	strings:
-		$s1 = "VMware, Inc." wide fullword
-		$s2 = "Virtual hardware upgrade helper service" fullword wide
-		$s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
-	condition:
-		uint16(0) == 0x5a4d and
-		filename == "VmUpgradeHelper.exe" and
-		not all of ($s*)
-}
--- a/malware/malware.yar
+++ b/malware/malware.yar