Commit 454726b2 by Marc Rivero López Committed by GitHub

Update APT_OpDustStorm.yar

parent 3a930631
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
rule Misdat_Backdoor_Packed rule Misdat_Backdoor_Packed
{ {
meta: meta:
author = "Cylance SPEAR Team" author = "Cylance SPEAR Team"
note = "Probably Prone to False Positive" note = "Probably Prone to False Positive"
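Review bot: The `note = "Probably Prone to False Positive"` meta on Misdat_Backdoor_Packed gives a triage analyst no way to judge a hit, because it names neither why the rule is expected to fire on benign files nor what the packed artifact looks like; the same meta appears on MiSType_Backdoor_Packed in the next hunk. Consider extending the note to say what characteristic the rule keys on and what a confirming second check would be, e.g. `note = "Probably Prone to False Positive - packer signature only; confirm with the unpacked Misdat_Backdoor rule"`. The @@ header records one added line per hunk, but the rendered page does not show it, so only the surrounding meta context is reviewable here. The rule's strings and condition lie outside the hunk.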
...@@ -21,6 +22,7 @@ rule Misdat_Backdoor_Packed ...@@ -21,6 +22,7 @@ rule Misdat_Backdoor_Packed
rule MiSType_Backdoor_Packed rule MiSType_Backdoor_Packed
{ {
meta: meta:
author = "Cylance SPEAR Team" author = "Cylance SPEAR Team"
note = "Probably Prone to False Positive" note = "Probably Prone to False Positive"
...@@ -36,6 +38,7 @@ rule MiSType_Backdoor_Packed ...@@ -36,6 +38,7 @@ rule MiSType_Backdoor_Packed
rule Misdat_Backdoor rule Misdat_Backdoor
{ {
meta: meta:
author = "Cylance SPEAR Team" author = "Cylance SPEAR Team"
/* Decode Function /* Decode Function
...@@ -55,6 +58,7 @@ rule Misdat_Backdoor ...@@ -55,6 +58,7 @@ rule Misdat_Backdoor
CODE:00406C9E 4E dec esi CODE:00406C9E 4E dec esi
CODE:00406C9F 75 C9 jnz short loc_406C6A CODE:00406C9F 75 C9 jnz short loc_406C6A
*/ */
strings: strings:
$imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00} $imul = {03 45 F8 69 C0 D9 DB 00 00 05 3B DA 00 00}
$delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A} $delphi = {50 45 00 00 4C 01 08 00 19 5E 42 2A}
...@@ -65,6 +69,7 @@ rule Misdat_Backdoor ...@@ -65,6 +69,7 @@ rule Misdat_Backdoor
rule SType_Backdoor rule SType_Backdoor
{ {
meta: meta:
author = "Cylance SPEAR Team" author = "Cylance SPEAR Team"
...@@ -99,6 +104,7 @@ rule SType_Backdoor ...@@ -99,6 +104,7 @@ rule SType_Backdoor
rule Zlib_Backdoor rule Zlib_Backdoor
{ {
meta: meta:
author = "Cylance SPEAR Team" author = "Cylance SPEAR Team"
......