Add FE_APT_9002 from nyx0 PR

We add the rule FE_APT_9002 rule. commit: df966a88c82d00d3eae4c6ad5c7ce2c579a113e0

Add FE_APT_9002 from nyx0 PR
We add the rule FE_APT_9002 rule. commit: df966a88c82d00d3eae4c6ad5c7ce2c579a113e0
45bd5dd9 · j0sm1 · f755caa8 · 45bd5dd9
Commit 45bd5dd9 authored May 04, 2015 by j0sm1
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

APT9002.yar malware/APT9002.yar +15 -0

No files found.
--- a/malware/APT9002.yar
+++ b/malware/APT9002.yar
@@ -53,4 +53,19 @@ rule APT9002 : Family
        APT9002Code or APT9002Strings
 }
+rule FE_APT_9002 : RAT
+{
+    meta:
+        Author      = "FireEye Labs"
+        Date        = "2013/11/10"
+        Description = "Strings inside"
+        Reference   = "Useful link"
+    strings:
+        $mz = { 4d 5a }
+        $a = "rat_UnInstall" wide ascii
+    condition:
+        ($mz at 0) and $a
+}