Create APT_quarkspwdump.yar

malware/APT_quarkspwdump.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+rule QuarksPwDump_Gen {
+	meta:
+		description = "Detects all QuarksPWDump versions"
+		author = "Florian Roth"
+		date = "2015-09-29"
+		score = 80
+		hash1 = "2b86e6aea37c324ce686bd2b49cf5b871d90f51cec24476daa01dd69543b54fa"
+		hash2 = "87e4c76cd194568e65287f894b4afcef26d498386de181f568879dde124ff48f"
+		hash3 = "a59be92bf4cce04335bd1a1fcf08c1a94d5820b80c068b3efe13e2ca83d857c9"
+		hash4 = "c5cbb06caa5067fdf916e2f56572435dd40439d8e8554d3354b44f0fd45814ab"
+		hash5 = "677c06db064ee8d8777a56a641f773266a4d8e0e48fbf0331da696bea16df6aa"
+		hash6 = "d3a1eb1f47588e953b9759a76dfa3f07a3b95fab8d8aa59000fd98251d499674"
+		hash7 = "8a81b3a75e783765fe4335a2a6d1e126b12e09380edc4da8319efd9288d88819"
+	strings:
+		$s1 = "OpenProcessToken() error: 0x%08X" fullword ascii
+		$s2 = "%d dumped" fullword ascii
+		$s3 = "AdjustTokenPrivileges() error: 0x%08X" fullword ascii
+		$s4 = "\\SAM-%u.dmp" fullword ascii
+	condition:
+		all of them
+}