Update APT_Prikormka.yar

malware/APT_Prikormka.yar

@@ -32,26 +32,26 @@
 
 rule PrikormkaDropper
 {
+    
     strings:
         $mz = { 4D 5A }
-
         $kd1 = "KDSTORAGE" wide
         $kd2 = "KDSTORAGE_64" wide
         $kd3 = "KDRUNDRV32" wide
         $kd4 = "KDRAR" wide
-
         $bin1 = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
         $bin2 = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
         $bin3 = {4D 00 4D 00 43 00 00 00 67 00 75 00 69 00 64 00 56 00 47 00 41 00 00 00 5F 00 73 00 76 00 67 00}
-
         $inj1 = "?AVCinj2008Dlg@@" ascii
         $inj2 = "?AVCinj2008App@@" ascii
+
     condition:
         ($mz at 0) and ((any of ($bin*)) or (3 of ($kd*)) or (all of ($inj*)))
 }
 
 rule PrikormkaModule
 {
+    
     strings:
         $mz = { 4D 5A }
 
@@ -111,9 +111,9 @@ rule PrikormkaModule
 
 rule PrikormkaEarlyVersion
 {
+    
     strings:
         $mz = { 4D 5A }
-
         $str36 = "IntelRestore" ascii fullword
         $str37 = "Resent" wide fullword
         $str38 = "ocp8.1" wide fullword
@@ -123,12 +123,14 @@ rule PrikormkaEarlyVersion
         $str42 = "smdhost.dll" ascii fullword
         $str43 = "KDLLCFX" wide fullword
         $str44 = "KDLLRUNDRV" wide fullword
+  
     condition:
         ($mz at 0) and (2 of ($str*))
 }
 
 rule Prikormka
 {
+    
     meta:
         Author      = "Anton Cherepanov"
         Date        = "2016/05/10"
@@ -136,6 +138,7 @@ rule Prikormka
         Source = "https://github.com/eset/malware-ioc/"
         Contact = "threatintel@eset.com"
         License = "BSD 2-Clause"
+    
     condition:
         PrikormkaDropper or PrikormkaModule or PrikormkaEarlyVersion
 }