Skip to content

R
rules
Commit 41b8e378 by Steven K Committed by GitHub
Options

Update MALW_Atmos.yar

parent 24f64c9f
Showing with 56 additions and 57 deletions
malware/MALW_Atmos.yar
...@@ -6,16 +6,16 @@ ...@@ -6,16 +6,16 @@
rule Atmos_Malware : kutuzov_101 Banker Atmos rule Atmos_Malware : kutuzov_101 Banker Atmos
{ {
meta: meta:
description = "Generic Spyware.Citadel.Atmos Signature" description = "Generic Spyware.Citadel.Atmos Signature"
author = "xylitol@temari.fr" author = "xylitol@temari.fr"
reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html" reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
date = "20/08/2016" date = "20/08/2016"
// May only the challenge guide you // May only the challenge guide you
strings: strings:
// Check for the presence of MZ and kutuzov license identifier // Check for the presence of MZ and kutuzov license identifier
$MZ = {4D 5A} $MZ = {4D 5A}
$LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
// TokenSpy identifiers // TokenSpy identifiers
$TS1 = "X-TS-Rule-Name: %s" wide ascii $TS1 = "X-TS-Rule-Name: %s" wide ascii
...@@ -31,27 +31,27 @@ rule Atmos_Malware : kutuzov_101 Banker Atmos ...@@ -31,27 +31,27 @@ rule Atmos_Malware : kutuzov_101 Banker Atmos
// Hidden VNC identifiers // Hidden VNC identifiers
$VNC1 = "_hvnc_init@4" wide ascii $VNC1 = "_hvnc_init@4" wide ascii
$VNC2 = "_hvnc_uninit@0" wide ascii $VNC2 = "_hvnc_uninit@0" wide ascii
$VNC3 = "_hvnc_start@8" wide ascii $VNC3 = "_hvnc_start@8" wide ascii
$VNC4 = "_hvnc_stop@0" wide ascii $VNC4 = "_hvnc_stop@0" wide ascii
$VNC5 = "_hvnc_wait@0" wide ascii $VNC5 = "_hvnc_wait@0" wide ascii
$VNC6 = "_hvnc_work@0" wide ascii $VNC6 = "_hvnc_work@0" wide ascii
// Browsers identifiers // Browsers identifiers
$WB1 = "nspr4.dll" wide ascii $WB1 = "nspr4.dll" wide ascii
$WB2 = "nss3.dll" wide ascii $WB2 = "nss3.dll" wide ascii
$WB3 = "chrome.dll" wide ascii $WB3 = "chrome.dll" wide ascii
$WB4 = "Internet Explorer" wide ascii $WB4 = "Internet Explorer" wide ascii
$WB5 = "Firefox" wide ascii $WB5 = "Firefox" wide ascii
$WB6 = "Chrome" wide ascii $WB6 = "Chrome" wide ascii
condition: condition:
($MZ at 0 and $LKEY) and ($MZ at 0 and $LKEY) and
( (
(5 of ($TS*) and all of ($WB*)) or (5 of ($TS*) and all of ($WB*)) or
(3 of ($VNC*) and all of ($WB*)) (3 of ($VNC*) and all of ($WB*))
) )
and filesize < 300KB // Standard size (raw from builder) should be arround ~264kb and filesize < 300KB // Standard size (raw from builder) should be arround ~264kb
// Remove the above line if you want to trig also on memory dumps, etc... // Remove the above line if you want to trig also on memory dumps, etc...
} }
...@@ -59,30 +59,30 @@ rule Atmos_Malware : kutuzov_101 Banker Atmos ...@@ -59,30 +59,30 @@ rule Atmos_Malware : kutuzov_101 Banker Atmos
rule Atmos_Packed_Malware : Packed Atmos Banker rule Atmos_Packed_Malware : Packed Atmos Banker
{ {
meta: meta:
description = "Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer" description = "Second Generic Spyware.Citadel.Atmos signture when builder add a packed layer"
author = "xylitol@temari.fr" author = "xylitol@temari.fr"
reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html" reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
date = "20/08/2016" date = "20/08/2016"
// May only the challenge guide you // May only the challenge guide you
strings: strings:
$MZ = {4D 5A} $MZ = {4D 5A}
// Entry point identifier with CreateThread pointer in '??' // Entry point identifier with CreateThread pointer in '??'
$a = {55 8B EC 83 EC 0C 53 56 8B 35 ?? ?? ?? 00 57 33 DB BF 00 28 00 00} $a = {55 8B EC 83 EC 0C 53 56 8B 35 ?? ?? ?? 00 57 33 DB BF 00 28 00 00}
// End of main proc with sleep value in '??' and api call to sleep in '??'
$b = {68 ?? ?? ?? ?? FF 15 ?? ?? ?? 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3}
// End of main proc with sleep value in '??' and api call to sleep in '??' // API String identifier (ShellExecuteExW, SHELL32.dll, GetUserNameExW, Secur32.dll)
$b = {68 ?? ?? ?? ?? FF 15 ?? ?? ?? 00 E9 62 FF FF FF E8 69 10 FE FF 5F 5E 5B C9 C3} $c = {53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65}
$d = {74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00}
// API String identifier (ShellExecuteExW, SHELL32.dll, GetUserNameExW, Secur32.dll)
$c = {53 68 65 6C 6C 45 78 65 63 75 74 65 45 78 57 00 53 48 45 4C 4C 33 32 2E 64 6C 6C 00 1E 00 47 65}
$d = {74 55 73 65 72 4E 61 6D 65 45 78 57 00 00 53 65 63 75 72 33 32 2E 64 6C 6C 00 10 00}
// New Thread identifier // New Thread identifier
$e = {55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 ?? 6A FF FF 75 08 FF 15 ?? ?? ?? 00} $e = {55 8B EC 83 E4 F8 83 EC 1C 83 7D 08 00 57 74 ?? 6A FF FF 75 08 FF 15 ?? ?? ?? 00}
condition: condition:
all of them all of them
and filesize < 300KB // Standard size (raw from builder) should be arround ~264kb and filesize < 300KB // Standard size (raw from builder) should be arround ~264kb
// Remove the above line if you want to trig also on memory dumps, etc... // Remove the above line if you want to trig also on memory dumps, etc...
} }
...@@ -91,28 +91,28 @@ rule Atmos_Packed_Malware : Packed Atmos Banker ...@@ -91,28 +91,28 @@ rule Atmos_Packed_Malware : Packed Atmos Banker
rule Atmos_Builder : Cracked kutuzov Builder rule Atmos_Builder : Cracked kutuzov Builder
{ {
meta: meta:
description = "Generic signature for Hacktool.Atmos.Builder cracked version" description = "Generic signature for Hacktool.Atmos.Builder cracked version"
author = "xylitol@temari.fr" author = "xylitol@temari.fr"
reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html" reference = "http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
date = "20/08/2016" date = "20/08/2016"
// May only the challenge guide you // May only the challenge guide you
strings: strings:
// Check for the presence of MZ, kutuzov license identifier, and good hardware ID // Check for the presence of MZ, kutuzov license identifier, and good hardware ID
$MZ = {4D 5A} $MZ = {4D 5A}
$LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii $LKEY = "533D9226E4C1CE0A9815DBEB19235AE4" wide ascii
$HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" wide ascii $HWID = "D19FC0FB14BE23BCF35DA427951BB5AE" wide ascii
// Builder strings identifiers // Builder strings identifiers
$s1 = "url_loader=%S" wide ascii $s1 = "url_loader=%S" wide ascii
$s2 = "url_webinjects=%S" wide ascii $s2 = "url_webinjects=%S" wide ascii
$s3 = "url_tokenspy=%S" wide ascii $s3 = "url_tokenspy=%S" wide ascii
$s4 = "file_webinjects=%S" wide ascii $s4 = "file_webinjects=%S" wide ascii
$s5 = "moneyparser.enabled=%u" wide ascii $s5 = "moneyparser.enabled=%u" wide ascii
$s6 = "enable_luhn10_post=%u" wide ascii $s6 = "enable_luhn10_post=%u" wide ascii
$s7 = "insidevm_enable=%u" wide ascii $s7 = "insidevm_enable=%u" wide ascii
$s8 = "disable_antivirus=%u" wide ascii $s8 = "disable_antivirus=%u" wide ascii
condition: condition:
$MZ at 0 and $LKEY and $HWID and all of ($s*) $MZ at 0 and $LKEY and $HWID and all of ($s*)
} }
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment