Commit 36bbd7ed by mmorenog Committed by GitHub

Update RAT_PolishBankRAT.yar

parent 38b81fe8
rule PolishBankRAT-srservice_xorloop { rule PolishBankRATsrservice_xorloop {
meta: meta:
author = “Booz Allen Hamilton Dark Labs” author = “Booz Allen Hamilton Dark Labs”
description = “Finds the custom xor decode loop for <PolishBankRAT-srservice>” description = “Finds the custom xor decode loop for <PolishBankRAT-srservice>”
...@@ -23,7 +23,7 @@ condition: ...@@ -23,7 +23,7 @@ condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $loop (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $loop
} }
rule PolishBankRAT-fdsvc_decode2 { rule PolishBankRATfdsvc_decode2 {
meta: meta:
author = “Booz Allen Hamilton Dark Labs” author = “Booz Allen Hamilton Dark Labs”
description = “Find a constant used as part of a payload decoding function in PolishBankRAT-fdsvc” description = “Find a constant used as part of a payload decoding function in PolishBankRAT-fdsvc”
...@@ -43,7 +43,7 @@ condition: ...@@ -43,7 +43,7 @@ condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
} }
rule decoded_PolishBankRAT-fdsvc_strings { rule decoded_PolishBankRATfdsvc_strings {
meta: meta:
author = “Booz Allen Hamilton Dark Labs” author = “Booz Allen Hamilton Dark Labs”
description = “Finds hard coded strings in PolishBankRAT-fdsvc” description = “Finds hard coded strings in PolishBankRAT-fdsvc”