
import "pe"
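// Detection for the BlackGuard information stealer (Win32, managed/.NET build judging
// by the SQLite/FromBase64String indicators below). The PE-structure checks gate on
// layout; the string set provides the family-specific signal.
rule Mal_Infostealer_Win32_BlackGuard
{
    meta:
        description = "Detects W32 BlackGuard Infostealer"
        author = "BlackBerry Threat Research team "
        reference = "https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer"
        // Fixed: the original value "2022-14-04" is not a valid YYYY-MM-DD date (month 14).
        // Month and day were transposed; the referenced post is from April 2022.
        date = "2022-04-14"
        sha256 = "6AB3B21FA7CB638ED68509BE1ED6302284E8A9CD1A10F9B6837C057154AA6162"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"

    strings:
        // Raw byte sequence lifted from the reference sample (no wildcards, so it is
        // tied to that build; a recompiled variant may not carry it).
        $a1 = { 06 91 06 61 20 AA 00 00 00 61 D2 9C 06 17 58 0A }

        // Managed-code and credential-theft indicators. These are plain ASCII matches;
        // .NET type/member names live in the metadata tables as ASCII, whereas user
        // string literals are typically UTF-16 — if any of these are expected only as
        // literals, a `wide` modifier would be needed. TODO confirm per string.
        $a2 = "System.Data.SQLite"
        $a3 = "FromBase64String"
        $a4 = "BlockInput"
        $a5 = "UploadFile"
        $a6 = "Passwords"
        $a7 = "Discord"
        $a8 = "GetVolumeInformationA"
        $a9 = "NordVPN"
        $a10 = "OpenVPN"
        $a11 = "ProtonVPN"
        $a12 = "OperaCookies"
        $a13 = "EdgeCookies"
        $a14 = "ChromeCookies"

        // UTF-16 marker used as a fallback when not every $a string is present.
        $b1 = "upche" wide

    condition:
        // DOS "MZ" header.
        uint16(0) == 0x5a4d and

        // NOTE(review): this imphash value is the one widely reported for managed
        // (.NET) executables whose only import is mscoree!_CorExeMain, and the
        // three-section .text/.rsrc/.reloc layout below is likewise the stock .NET
        // compiler output. Together they presumably narrow to "a .NET PE", not to
        // BlackGuard specifically; the string block above carries the actual
        // family specificity. Confirm against the referenced sample before relying
        // on the structural checks for precision.
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
        pe.number_of_sections == 3 and
        pe.section_index(".text") == 0 and
        pe.section_index(".rsrc") == 1 and
        pe.section_index(".reloc") == 2 and

        // Either every $a indicator, or all but two of them plus the wide marker.
        ((all of ($a*)) or ((12 of ($a*) and all of ($b*))))
}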