Sneed-Reactivity/yara-Neo23x0/apt_coreimpact_agent.yar

/*
	Core Impact Agent known from RocketKitten and WoolenGoldfish APT
*/


rule CoreImpact_sysdll_exe {
   meta:
      description = "Detects a malware sysdll.exe from the Rocket Kitten APT"
      author = "Florian Roth (Nextron Systems)"
      score = 70
      date = "27.12.2014"
      modified = "2023-01-06"
      hash = "f89a4d4ae5cca6d69a5256c96111e707"
      id = "bac55c00-5d14-59ca-8597-f52b4577be0c"
   strings:
      $s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii

      $s1 = "Mozilla/5.0" fullword ascii
      $s3 = "index.php?c=%s&r=%lx" fullword ascii
      $s4 = "index.php?c=%s&r=%x" fullword ascii
      $s5 = "127.0.0.1" fullword ascii
      $s6 = "/info.dat" ascii
      $s7 = "needroot" fullword ascii
      $s8 = "./plugins/" ascii
   condition:
      $s0 or 6 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`/*`
			`Core Impact Agent known from RocketKitten and WoolenGoldfish APT`
			`*/`


			`rule CoreImpact_sysdll_exe {`
			`meta:`
			`description = "Detects a malware sysdll.exe from the Rocket Kitten APT"`
			`author = "Florian Roth (Nextron Systems)"`
			`score = 70`
			`date = "27.12.2014"`
			`modified = "2023-01-06"`
			`hash = "f89a4d4ae5cca6d69a5256c96111e707"`
			`id = "bac55c00-5d14-59ca-8597-f52b4577be0c"`
			`strings:`
			`$s0 = "d:\\nightly\\sandbox_avg10_vc9_SP1_2011\\source\\avg10\\avg9_all_vs90\\bin\\Rele" ascii`

			`$s1 = "Mozilla/5.0" fullword ascii`
			`$s3 = "index.php?c=%s&r=%lx" fullword ascii`
			`$s4 = "index.php?c=%s&r=%x" fullword ascii`
			`$s5 = "127.0.0.1" fullword ascii`
			`$s6 = "/info.dat" ascii`
			`$s7 = "needroot" fullword ascii`
			`$s8 = "./plugins/" ascii`
			`condition:`
			`$s0 or 6 of them`
			`}`