Skip to content

R
rules
Commit deffe3ee by mmorenog
Options

Update IndiaHotel.yara

parent 3410fea7
Showing with 1 additions and 7 deletions
malware/Operation_Blockbuster/IndiaHotel.yara
...@@ -16,13 +16,7 @@ rule IndiaHotel ...@@ -16,13 +16,7 @@ rule IndiaHotel
E8 FA 60 00 00 call ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void *,uint,int,void (*)(void *),void (*)(void *)) E8 FA 60 00 00 call ??_L@YGXPAXIHP6EX0@Z1@Z; `eh vector constructor iterator'(void *,uint,int,void (*)(void *),void (*)(void *))
*/ */
$fileExtractorArraySetup = { $fileExtractorArraySetup = {6A 0A 8D [5-6] 68 10 02 00 00 50 E8}
6A 0A
8D [5-6]
68 10 02 00 00
50
E8
}
condition: condition:
$fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size)) $fileExtractorArraySetup in ((pe.sections[pe.section_index(".text")].raw_data_offset)..(pe.sections[pe.section_index(".text")].raw_data_offset + pe.sections[pe.section_index(".text")].raw_data_size))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment