Sneed-Reactivity/yara-mikesxrs/HP_Security/trickbot_maldoc_embedded_dll_september_2020.yar

19 lines
646 B
Text
Raw Permalink Normal View History

rule trickbot_maldoc_embedded_dll_september_2020 {
meta:
author = "HP-Bromium Threat Research"
reference = "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/"
date = "2020-10-03"
sharing = "TLP:WHITE"
strings:
$magic = { D0 CF 11 E0 A1 B1 1A E1 }
$s1 = "EncryptedPackage" wide
$s2 = "{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}" wide
$s3 = { FF FF FF FF FF FF FF FF FF FF ( 90 90 | 10 10 | E2 E2 | 17 17 ) FF FF FF FF FF FF FF FF FF FF }
condition:
$magic at 0 and
all of ($s*) and
(filesize > 500KB and filesize < 1000KB)
}