Sneed-Reactivity/yara-Neo23x0/crime_evilcorp_dridex_banker.yar


/*
https://twitter.com/VK_Intel/status/1247058432223477760
*/

import "pe"

rule crime_win32_dridex_socks5_mod {
    meta:
        description = "Detects Dridex socks5 module"
        author = "@VK_Intel"
        date = "2020-04-06"
        reference = "https://twitter.com/VK_Intel/status/1247058432223477760"
        id = "cee256b1-ad80-55dd-bbd3-0d3f7bc49664"
    strings:
        $s0 = "socks5_2_x32.dll"
        $s1 = "socks5_2_x64.dll"
    condition:
        any of ($s*) and pe.exports("start")
}

rule crime_win32_hvnc_banker_gen {
    meta:
        description = "Detects malware banker hidden VNC"
        author = "@VK_Intel"
        reference = "https://twitter.com/VK_Intel/status/1247058432223477760"
        date = "2020-04-06"
        id = "5e13f4a9-2231-524f-82b2-fbc6d6a43b6f"
    condition:
        pe.exports("VncStartServer") and pe.exports("VncStopServer")
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`/*`
			`https://twitter.com/VK_Intel/status/1247058432223477760`
			`*/`

			`import "pe"`

			`rule crime_win32_dridex_socks5_mod {`
			`meta:`
			`description = "Detects Dridex socks5 module"`
			`author = "@VK_Intel"`
			`date = "2020-04-06"`
			`reference = "https://twitter.com/VK_Intel/status/1247058432223477760"`
			`id = "cee256b1-ad80-55dd-bbd3-0d3f7bc49664"`
			`strings:`
			`$s0 = "socks5_2_x32.dll"`
			`$s1 = "socks5_2_x64.dll"`
			`condition:`
			`any of ($s*) and pe.exports("start")`
			`}`

			`rule crime_win32_hvnc_banker_gen {`
			`meta:`
			`description = "Detects malware banker hidden VNC"`
			`author = "@VK_Intel"`
			`reference = "https://twitter.com/VK_Intel/status/1247058432223477760"`
			`date = "2020-04-06"`
			`id = "5e13f4a9-2231-524f-82b2-fbc6d6a43b6f"`
			`condition:`
			`pe.exports("VncStartServer") and pe.exports("VncStopServer")`
			`}`