Merge pull request #325 from techhelplist/master

marap new sig, shifu filename fixed

Merge pull request #325 from techhelplist/master
marap new sig, shifu filename fixed
a761e0e4 · jovimon · GitHub · 73ab5f67 · d9d82f1d · a761e0e4
Unverified Commit a761e0e4 authored Aug 27, 2018 by jovimon Committed by GitHub Aug 27, 2018
Show whitespace changes
Inline Side-by-side

Showing with 30 additions and 0 deletions

MALW_marap.yar malware/MALW_marap.yar +30 -0

MALW_shifu_shiz.yar malware/MALW_shifu_shiz.yar +0 -0

No files found.
--- a/malware/MALW_marap.yar
+++ b/malware/MALW_marap.yar
+rule marap 
+{
+    meta:
+        author = " J from THL <j@techhelplist.com>"
+        date = "2018-08-19"
+        reference1 = "https://www.virustotal.com/#/file/61dfc4d535d86359c2f09dbdd8f14c0a2e6367e5bb7377812f323a94d32341ba/detection"
+        reference2 = "https://www.virustotal.com/#/file/c0c85f93a4f425a23c2659dce11e3b1c8b9353b566751b32fcb76b3d8b723b94/detection"
+        reference3 = "https://threatpost.com/highly-flexible-marap-malware-enters-the-financial-scene/136623/"
+        reference4 = "https://www.bleepingcomputer.com/news/security/necurs-botnet-pushing-new-marap-malware/"
+        version = 1
+        maltype = "Downloader"
+        filetype = "memory"
+    strings:
+        $text01 = "%02X-%02X-%02X-%02X-%02X-%02X" wide
+        $text02 = "%s, base=0x%p" wide
+        $text03 = "pid=%d" wide
+        $text04 = "%s %s" wide
+        $text05 = "%d|%d|%s|%s|%s" wide
+        $text06 = "%s|1|%d|%d|%d|%d|%d|%s" wide
+        $text07 = "%d#%s#%s#%s#%d#%s#%s#%d#%s#%s#%s#%s#%d" wide
+        $text08 = "%s|1|%d|%d|%d|%d|%d|%s#%s#%s#%s#%d#%d#%d" wide
+        $text09 = "%s|0|%d" wide
+        $text10 = "%llx" wide
+        $text11 = "%s -a" wide
+    condition:
+        7 of them
+}
--- a/malware/MALW_shifu_shiz
+++ b/malware/MALW_shifu_shiz