Sneed-Reactivity/yara-Neo23x0/gen_susp_bat_aux.yar


rule SUSP_BAT_Aux_Jan20_1 {
   meta:
      description = "Detects BAT file often dropped to cleanup temp dirs during infection"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9"
      date = "2020-01-29"
      score = 65
      hash1 = "f5d558ec505b635b1e37557350562ad6f79b3da5cf2cf74db6e6e648b7a47127"
      id = "c97f189e-a0c2-532e-b087-8669da72a2ad"
   strings:
      $s1 = "if exist \"C:\\Users\\" ascii
      $s2 = "\\AppData\\Local\\Temp\\" ascii
      $s3 = "del \"C:\\Users\\" ascii
      $s4 = ".bat\"" ascii
      $s5 = ".exe\" goto" ascii
   condition:
      uint8(0) == 0x3a and filesize <= 1KB and all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule SUSP_BAT_Aux_Jan20_1 {`
			`meta:`
			`description = "Detects BAT file often dropped to cleanup temp dirs during infection"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9"`
			`date = "2020-01-29"`
			`score = 65`
			`hash1 = "f5d558ec505b635b1e37557350562ad6f79b3da5cf2cf74db6e6e648b7a47127"`
			`id = "c97f189e-a0c2-532e-b087-8669da72a2ad"`
			`strings:`
			`$s1 = "if exist \"C:\\Users\\" ascii`
			`$s2 = "\\AppData\\Local\\Temp\\" ascii`
			`$s3 = "del \"C:\\Users\\" ascii`
			`$s4 = ".bat\"" ascii`
			`$s5 = ".exe\" goto" ascii`
			`condition:`
			`uint8(0) == 0x3a and filesize <= 1KB and all of them`
			`}`