Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_apt_whitebear_binary_loader_1.yara

rule malware_windows_apt_whitebear_binary_loader_1
{
    meta:
        description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"
        reference = "https://securelist.com/introducing-whitebear/81638/"
        author = "@fusionrace"
        md5 = "b099b82acb860d9a9a571515024b35f0"
    strings:
        // Output messages
        $a1 = "### PE STORAGE ###" wide ascii
        $a2 = "### CRYPTO 0 ###" wide ascii
        $a3 = "### EXTERNAL STORAGE ###" wide ascii
        $a4 = "### CRYPTO 1 ###" wide ascii
        $a5 = "### QUEUES ###" wide ascii
        $a6 = "### TRANSPORT ###" wide ascii
        $a7 = "### EXECUTION SUBSYSTEM ###" wide ascii
        $a8 = "### AUTORUN MANAGER ###" wide ascii
        $a9 = "### INJECT MANAGER ###" wide ascii
        $a10 = "### LOCAL TRANSPORT MANAGER ###" wide ascii
    condition:
        6 of ($a*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule malware_windows_apt_whitebear_binary_loader_1`
			`{`
			`meta:`
			`description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"`
			`reference = "https://securelist.com/introducing-whitebear/81638/"`
			`author = "@fusionrace"`
			`md5 = "b099b82acb860d9a9a571515024b35f0"`
			`strings:`
			`// Output messages`
			`$a1 = "### PE STORAGE ###" wide ascii`
			`$a2 = "### CRYPTO 0 ###" wide ascii`
			`$a3 = "### EXTERNAL STORAGE ###" wide ascii`
			`$a4 = "### CRYPTO 1 ###" wide ascii`
			`$a5 = "### QUEUES ###" wide ascii`
			`$a6 = "### TRANSPORT ###" wide ascii`
			`$a7 = "### EXECUTION SUBSYSTEM ###" wide ascii`
			`$a8 = "### AUTORUN MANAGER ###" wide ascii`
			`$a9 = "### INJECT MANAGER ###" wide ascii`
			`$a10 = "### LOCAL TRANSPORT MANAGER ###" wide ascii`
			`condition:`
			`6 of ($a*)`
			`}`