Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_de_tool.yara

17 lines
548 B
Text
Raw Permalink Normal View History

rule malware_windows_moonlightmaze_de_tool
{
meta:
description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool"
reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
author = "Kaspersky Lab"
md5_1 = "4bc7ed168fb78f0dc688ee2be20c9703"
md5_2 = "8b56e8552a74133da4bc5939b5f74243"
strings:
$a1 = "Vnuk: %d" ascii fullword
$a2 = "Syn: %d" ascii fullword
//%s\r%s\r%s\r%s\r ->
$a3 = {25 73 0A 25 73 0A 25 73 0A 25 73 0A}
condition:
2 of ($a*)
}