new rules for MedusaHTTP version from 2019 and AlMashreq agent.

7f9c5902 · Jamie Bennion · b21ea3d0 · 7f9c5902 · 7f9c5902
Commit 7f9c5902 authored Aug 13, 2019 by Jamie Bennion
Show whitespace changes
Inline Side-by-side

Showing with 67 additions and 0 deletions

MALW_AlMashreq.yar malware/MALW_AlMashreq.yar +31 -0

MALW_MedusaHTTP_2019.yar malware/MALW_MedusaHTTP_2019.yar +36 -0

No files found.
--- a/malware/MALW_AlMashreq.yar
+++ b/malware/MALW_AlMashreq.yar
+
+
+rule almashreq_agent_dotnet : almashreq_agent_dotnet
+{
+    meta:
+        description = "Memory rule for a .net RAT/Agent first found with .pdb referencing almashreq"
+	author = "J from THL <j@techhelplist.com> with thx to @malwrhunterteam !!1!"
+        date = "2019-05-12"
+        reference1 = "https://twitter.com/JayTHL/status/1127334608142503936"
+        reference2 = "https://www.virustotal.com/#/file/f6e1e425650abc6c0465758edf3c089a1dde5b9f58d26a50d3b8682cc38f12c8/details"
+        reference3 = "https://www.virustotal.com/#/file/7e4231dc2bdab53f494b84bc13c6cb99478a6405405004c649478323ed5a9071/detection"
+        reference4 = "https://www.virustotal.com/#/file/3cbaf6ddba3869ab68baf458afb25d2c8ba623153c43708bad2f312c4663161b/detection"
+        reference5 = "https://www.virustotal.com/#/file/0f5424614b3519a340198dd82ad0abc9711a23c3283dc25b519affe5d2959a92/detection" 
+        maltype = "agent"
+	filetype = "memory"
+
+    strings:
+        $s01 = "WriteElementString(@\"PCName\"," wide
+        $s02 = "WriteElementString(@\"Command\"," wide
+        $s03 = "WriteElementStringRaw(@\"commandID\"," wide
+	$s04 = /^Try Run$/ wide
+        $s05 = " is running in PC :" wide
+        $s06 = "SOAPAction: \"http://tempuri.org/Set\"" wide
+        $s07 = "Try Run</obj><name>" wide
+        $s08 = "Disable</obj><name>" wide
+        $s09 = "http://tempuri.org/" wide
+
+ 	condition: 
+ 		7 of them
+}
+
--- a/malware/MALW_MedusaHTTP_2019.yar
+++ b/malware/MALW_MedusaHTTP_2019.yar
+
+rule MedussaHTTP_2019
+{
+
+    meta:
+        author = "J from THL <j@techhelplist.com>"
+        date = "2019-08-12"
+        reference1 = "https://app.any.run/tasks/68c8f400-eba5-4d6c-b1f1-8b07d4c014a4/"
+        reference2 = "https://www.netscout.com/blog/asert/medusahttp-ddos-slithers-back-spotlight"
+        reference3 = "https://twitter.com/malware_traffic/status/1161034462983008261"
+        version = 1
+        maltype = "Bot"
+        filetype = "memory"
+        description = "MedussaHTTP v20190812"
+
+    strings:
+        $text01 = "|check|" ascii
+        $text02 = "POST!" ascii
+        $text03 = "httpactive" ascii
+        $text04 = "httpstrong" ascii
+        $text05 = "httppost" ascii
+        $text06 = "slavicdragon" ascii
+        $text07 = "slavicnodragon" ascii
+        $text08 = "smartflood" ascii
+        $text09 = "stop-all" ascii
+        $text10 = "botkill" ascii
+        $text11 = "updatehash" ascii
+        $text12 = "xyz=" ascii
+        $text13 = "abc=" ascii
+
+
+
+    condition:
+        9 of them
+}
+