fact-depend / rules
Commit c4b4e23a
Authored Jul 20, 2016 by mmorenog; committed by GitHub, Jul 20, 2016
Update Maldoc_Dridex.yar
Parent: 646117a1
Showing 1 changed file with 49 additions and 0 deletions
Malicious_Documents/Maldoc_Dridex.yar (+49, -0)
View file @ c4b4e23a
@@ -27,3 +27,52 @@ rule Dridex_Trojan_XML : maldoc {
condition:
all of ($c*)
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
Yara Rule Set
Author: Florian Roth
Date: 2015-12-02
Identifier: Phishing Gina Harrowell Dez 2015
*/
rule PHISH_02Dez2015_dropped_p0o6543f {
meta:
description = "Phishing Wave - file p0o6543f.exe"
author = "Florian Roth"
reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
date = "2015-12-02"
hash = "db788d6d3a8ed1a6dc9626852587f475e7671e12fa9c9faa73b7277886f1e210"
strings:
$s1 = "netsh.exe" fullword wide
$s2 = "routemon.exe" fullword wide
$s3 = "script=" fullword wide /* Goodware String - occured 4 times */
$s4 = "disconnect" fullword wide /* Goodware String - occured 14 times */
$s5 = "GetClusterResourceTypeKey" fullword ascii /* Goodware String - occured 17 times */
$s6 = "QueryInformationJobObject" fullword ascii /* Goodware String - occured 34 times */
$s7 = "interface" fullword wide /* Goodware String - occured 52 times */
$s8 = "connect" fullword wide /* Goodware String - occured 61 times */
$s9 = "FreeConsole" fullword ascii /* Goodware String - occured 91 times */
condition:
uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
meta:
description = "Phishing Wave - file P-ORD-C-10156-124658.xls"
author = "Florian Roth"
reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
date = "2015-12-02"
hash = "bc252ede5302240c2fef8bc0291ad5a227906b4e70929a737792e935a5fee209"
strings:
$s1 = "Execute" ascii
$s2 = "Process WriteParameterFiles" fullword ascii
$s3 = "WScript.Shell" fullword ascii
$s4 = "STOCKMASTER" fullword ascii
$s5 = "InsertEmailFax" ascii
condition:
uint16(0) == 0xcfd0 and filesize < 200KB and all of them
}
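Review bot: the GPLv2 notice (the first `/* ... */` block among the added lines) lands in the middle of Maldoc_Dridex.yar, after the existing Dridex_Trojan_XML rule, so it is unclear whether it applies to the whole file or only to the two rules appended below it; move a file-level license header to the top of the file, or reword the block so it explicitly covers the Florian Roth rules that follow. The added rules also carry no Dridex attribution anywhere in their meta (`description`, `reference`) or in the commit message "Update Maldoc_Dridex.yar", so the reason they belong in a file named for Dridex is not recorded; add that link in `reference` or in the commit message. Note as well that PHISH_02Dez2015_dropped_p0o6543f matches a PE payload (`uint16(0) == 0x5a4d`, file p0o6543f.exe) rather than a document, which sits oddly under Malicious_Documents. The conditions themselves look correct: 0x5a4d is the little-endian MZ header, 0xcfd0 is the little-endian read of the OLE2 D0 CF signature for the .xls rule, and the `all of them` plus `filesize` bounds compensate for the generic strings the comments flag as goodware ("connect", "interface", "disconnect").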