// Detection rule for the BEATDROP downloader (see the `reference` meta field).
// Scope: PE files smaller than 1 MB that contain both ntdll strings and all
// three Trello API fragments; every string must be present (`all of them`).
rule M_APT_Downloader_BEATDROP
{
    meta:
        author = "Mandiant"
        description = "Rule looking for BEATDROP malware"
        reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"

    strings:
        // Generic on their own (many PE files reference ntdll); they only add
        // signal in combination with the Trello fragments below.
        $ntdll1 = "ntdll" ascii fullword
        $ntdll2 = "C:\\Windows\\System32\\ntdll.dll" ascii fullword nocase

        // Trello REST API host and endpoint fragments. Presumably the sample's
        // command channel (confirm against the reference); a legitimate Trello
        // client could also embed these, which is why the condition requires
        // all three together with both ntdll strings rather than any one.
        $url1 = "api.trello.com" ascii
        $url2 = "/members/me/boards?key=" ascii
        $url3 = "/cards?key=" ascii

    condition:
        // uint16(0) == 0x5a4d            : "MZ" DOS header at offset 0.
        // uint32(uint32(0x3C)) == 0x4550  : e_lfanew (offset 0x3C) points at "PE\0\0".
        // filesize < 1MB                  : bounds the scan to small files.
        // all of them                     : every $ string above must match.
        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and all of them
}