Commit 5668b9cf by mmorenog

Update DarkComet.yar

parent a558e3d6
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
import "pe" import "pe"
rule DarkComet_2 rule DarkComet_1
{ {
meta: meta:
description = "DarkComet RAT" description = "DarkComet RAT"
...@@ -38,7 +38,7 @@ rule DarkComet_2 ...@@ -38,7 +38,7 @@ rule DarkComet_2
4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*) 4 of ($bot*) or all of ($ddos*) or all of ($keylogger*) or all of ($shell*)
} }
rule DarkComet : rat rule DarkComet_2 : rat
{ {
meta: meta:
description = "DarkComet" description = "DarkComet"
...@@ -97,7 +97,7 @@ rule DarkComet_Keylogger_File ...@@ -97,7 +97,7 @@ rule DarkComet_Keylogger_File
condition: condition:
($magic at 0) and #entry > 10 and #timestamp > 10 ($magic at 0) and #entry > 10 and #timestamp > 10
} }
rule DarkComet rule DarkComet_4
{ meta: { meta:
reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara" reference = "https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara"
strings: strings:
......