Added DarkComet_Keylogger_File from Loki thor-hacktools.yar

f829fd52 · David André · 0cf03a8b · f829fd52
Commit f829fd52 authored May 20, 2015 by David André
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletions

DarkComet.yar malware/DarkComet.yar +15 -1

No files found.
--- a/malware/DarkComet.yar
+++ b/malware/DarkComet.yar
@@ -58,4 +58,18 @@ rule DarkComet : rat
 		any of them
 }

-
+rule DarkComet_Keylogger_File
+{
+	meta:
+		author = "Florian Roth"
+		description = "Looks like a keylogger file created by DarkComet Malware"
+		date = "25.07.14"
+		reference = "https://raw.githubusercontent.com/Neo23x0/Loki/master/signatures/thor-hacktools.yar"
+		score = 50
+	strings:
+		$magic = "::"
+		$entry = /\n:: [A-Z]/
+		$timestamp = /\([0-9]?[0-9]:[0-9][0-9]:[0-9][0-9] [AP]M\)/
+	condition:
+		($magic at 0) and #entry > 10 and #timestamp > 10
+}