Commit 9cd8a071 by mmorenog

Update APT_Prikormka.yar

parent 4f9dc6be
......@@ -35,10 +35,10 @@ private rule PrikormkaDropper
strings:
$mz = { 4D 5A }
$kd = "KDSTORAGE" wide
$kd = "KDSTORAGE_64" wide
$kd = "KDRUNDRV32" wide
$kd = "KDRAR" wide
$kd1 = "KDSTORAGE" wide
$kd1 = "KDSTORAGE_64" wide
$kd1 = "KDRUNDRV32" wide
$kd1 = "KDRAR" wide
$bin = {69 65 04 15 00 14 1E 4A 16 42 08 6C 21 61 24 0F}
$bin = {76 6F 05 04 16 1B 0D 5E 0D 42 08 6C 20 45 18 16}
......@@ -47,7 +47,7 @@ private rule PrikormkaDropper
$inj = "?AVCinj2008Dlg@@" ascii
$inj = "?AVCinj2008App@@" ascii
condition:
($mz at 0) and ((any of ($bin)) or (3 of ($kd)) or (all of ($inj)))
($mz at 0) and ((any of ($bin)) or (3 of ($kd1)) or (all of ($inj)))
}
private rule PrikormkaModule
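Review bot: All four KD strings on the new side still share a single identifier, `$kd1`, and the condition now reads `3 of ($kd1)`; YARA rejects duplicate string identifiers within a rule, and even where an older build tolerates it, a plain `$kd1` names one string, so a count of 3 can never be met and the KDSTORAGE/KDRUNDRV32/KDRAR branch of the dropper check is dead. The fix is to number the strings `$kd1`…`$kd4` and match them through the wildcard set `3 of ($kd*)`, as in the excerpt below. The unchanged `$bin` and `$inj` declarations show the same repeated identifiers with `any of ($bin)` and `all of ($inj)`, which suggests the digit suffixes may have been lost in this rendering rather than in the file — confirm against the raw file, and if they really are duplicated they need the same `$bin1`/`$bin2` plus `($bin*)` treatment. The `PrikormkaDropper` rule opens above this hunk, so only part of its `strings:` block is visible here.
```yara
        $kd1 = "KDSTORAGE" wide
        $kd2 = "KDSTORAGE_64" wide
        $kd3 = "KDRUNDRV32" wide
        $kd4 = "KDRAR" wide
        // … unchanged: $bin and $inj string declarations …
    condition:
        ($mz at 0) and ((any of ($bin)) or (3 of ($kd*)) or (all of ($inj)))
```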
......