Merge pull request #94 from adamziaja/patch-1

Create APT_bestia.yar

Merge pull request #94 from adamziaja/patch-1
Create APT_bestia.yar
9fdc8192 · mmorenog · bcc4dc90 · 6acdcdab · 9fdc8192
Commit 9fdc8192 authored Mar 01, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 34 additions and 0 deletions

APT_bestia.yar malware/APT_bestia.yar +34 -0

No files found.
--- a/malware/APT_bestia.yar
+++ b/malware/APT_bestia.yar
+rule APT_bestia
+{
+meta:
+    author = "Adam Ziaja <adam@adamziaja.com> http://adamziaja.com"
+    date = "2014-03-19"
+    description = "Bestia.3.02.012.07 malware used in APT attacks on Polish government"
+    references = "http://zaufanatrzeciastrona.pl/post/ukierunkowany-atak-na-pracownikow-polskich-samorzadow/" /* PL */
+    hash0 = "9bb03bb5af40d1202378f95a6485fba8"
+    hash1 = "7d9a806e0da0b869b10870dd6c7692c5"
+    maltype = "apt"
+    filetype = "exe"
+strings:
+    /* generated with https://github.com/Xen0ph0n/YaraGenerator */
+    $string0 = "u4(UeK"
+    $string1 = "nMiq/'p"
+    $string2 = "_9pJMf"
+    $string3 = "ICMP.DLL"
+    $string4 = "EG}QAp"
+    $string5 = "tsjWj:U"
+    $string6 = "FileVersion" wide
+    $string7 = "O2nQpp"
+    $string8 = "2}W8we"
+    $string9 = "ILqkC:l"
+    $string10 = "f1yzMk"
+    $string11 = "AutoIt v3 Script: 3, 3, 8, 1" wide
+    $string12 = "wj<1uH"
+    $string13 = "6fL-uD"
+    $string14 = "B9Iavo<"
+    $string15 = "rUS)sO"
+    $string16 = "FJH{_/f"
+    $string17 = "3e 03V"
+condition:
+    17 of them
+}