Sneed-Reactivity/yara-mikesxrs/Mandiant/REGEORG_Tuneller_generic.yar


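// Generic detection for the ReGeorg-style ASP.NET tunnelling webshell described in the
// referenced Mandiant UNC3524 report. The rule keys on the combination of .NET socket
// (System.Net.IPEndPoint, SocketException) and ASP.NET request/response API names that a
// web-to-TCP relay needs in one file; none of the strings is malicious on its own.
//
// Tuning notes:
//   - Strings carry `ascii wide` so that ASPX/CS sources saved as UTF-16LE (common for
//     Windows editors) are also covered; the original rule matched ASCII encodings only,
//     so this is a strict superset of its previous coverage.
//   - "7 of them" tolerates one string being renamed or absent. Because the set is built
//     from generic framework API names, a legitimate handler that proxies sockets through
//     HTTP could plausibly match too; treat hits as triage leads and confirm by reading
//     the handler source rather than alerting on the match alone.
//   - filesize < 1MB keeps the rule from scanning large assemblies/logs; webshell sources
//     are small, so lowering this further is a reasonable local tuning.
rule REGEORG_Tuneller_generic
{
    meta:
        author = "Mandiant"
        reference = "https://www.mandiant.com/resources/unc3524-eye-spy-email"
        date_created = "2021-12-20"
        date_modified = "2021-12-20"
        md5 = "ba22992ce835dadcd06bff4ab7b162f9"
    strings:
        // Socket-side primitives the tunnel uses to reach the internal target.
        $s1 = "System.Net.IPEndPoint" ascii wide
        $s8 = "SocketException soex" ascii wide
        // HTTP-side primitives used to move tunnelled bytes in and out of the request.
        $s2 = "Response.AddHeader" ascii wide
        $s3 = "Request.InputStream.Read" ascii wide
        $s4 = "Request.Headers.Get" ascii wide
        $s5 = "Response.Write" ascii wide
        $s7 = "Response.BinaryWrite" ascii wide
        // Buffer shuffling between the socket and HTTP streams.
        $s6 = "System.Buffer.BlockCopy" ascii wide
    condition:
        filesize < 1MB and 7 of them
}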