Commit 8f68fefd by j0sm1

Delete COZY_FANCY_BEAR_modified_VmUpgradeHelper

Delete COZY_FANCY_BEAR_modified_VmUpgradeHelper rule
parent 56f8e2f9
...@@ -9874,22 +9874,6 @@ rule COZY_FANCY_BEAR_pagemgr_Hunt { ...@@ -9874,22 +9874,6 @@ rule COZY_FANCY_BEAR_pagemgr_Hunt {
condition: condition:
uint16(0) == 0x5a4d and 1 of them uint16(0) == 0x5a4d and 1 of them
} }
rule COZY_FANCY_BEAR_modified_VmUpgradeHelper {
meta:
description = "Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report"
author = "Florian Roth"
reference = "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
date = "2016-06-14"
strings:
$s1 = "VMware, Inc." wide fullword
$s2 = "Virtual hardware upgrade helper service" fullword wide
$s3 = "vmUpgradeHelper\\vmUpgradeHelper.pdb" ascii
condition:
uint16(0) == 0x5a4d and
filename == "VmUpgradeHelper.exe" and
not all of ($s*)
}
/* /*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.