Sneed-Reactivity/yara-mikesxrs/Mandiant/M_APT_Downloader_BEATDROP.yar


// Detection rule for the BEATDROP downloader (Mandiant). Matches small PE files
// that embed both ntdll references and Trello REST API path fragments.
rule M_APT_Downloader_BEATDROP
{
meta:
author = "Mandiant"
description = "Rule looking for BEATDROP malware"
reference = "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns"
strings:
// Two ntdll references: a bare module name (case-sensitive) and the full
// System32 path (case-insensitive). "fullword" requires the match to be
// delimited by non-alphanumeric characters, so substrings of longer tokens
// do not count.
$ntdll1 = "ntdll" ascii fullword
$ntdll2 = "C:\\Windows\\System32\\ntdll.dll" ascii fullword nocase
// Trello API host and request path fragments. Note these are plain "ascii"
// strings without "wide", so UTF-16 encodings of the same text will not match.
$url1 = "api.trello.com" ascii
$url2 = "/members/me/boards?key=" ascii
$url3 = "/cards?key=" ascii
condition:
// uint16(0) == 0x5a4d: "MZ" DOS header; uint32(uint32(0x3C)) == 0x00004550:
// e_lfanew points at the "PE\0\0" signature, i.e. a well-formed PE image.
// The cheap header/filesize checks come first so the string scan is only
// evaluated on PE files under 1MB; every defined string must then be present.
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 1MB and all of them
}