/* Yara rule to detect IcedID banking trojan generic This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule IceID_Bank_trojan { meta: description = "Detects IcedID..adjusted several times" author = "unixfreaxjp" org = "MalwareMustDie" date = "2018-01-14" strings: $header = { 4D 5A } $magic1 = { E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 6A ?? 68 ?? ?? } $st01 = "CCmdTarget" fullword nocase wide ascii $st02 = "CUserException" fullword nocase wide ascii $st03 = "FileType" fullword nocase wide ascii $st04 = "FlsGetValue" fullword nocase wide ascii $st05 = "AVCShellWrapper@@" fullword nocase wide ascii $st06 = "AVCCmdTarget@@" fullword nocase wide ascii $st07 = "AUCThreadData@@" fullword nocase wide ascii $st08 = "AVCUserException@@" fullword nocase wide ascii condition: $header at 0 and all of ($magic*) and 6 of ($st0*) and pe.sections[0].name contains ".text" and pe.sections[1].name contains ".rdata" and pe.sections[2].name contains ".data" and pe.sections[3].name contains ".rsrc" and pe.characteristics & pe.EXECUTABLE_IMAGE and pe.characteristics & pe.RELOCS_STRIPPED }