Sneed-Reactivity/yara-mikesxrs/Mandiant/bloodbank2.yar

15 lines
602 B
Text
Raw Permalink Normal View History

rule FE_APT_Tool_Linux_BLOODBANK_2
{
meta:
author = "Mandiant"
date_created = "2021-05-17"
sha256 = "8bd504ac5fb342d3533fbe0febe7de5c2adcf74a13942c073de6a9db810f9936"
reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
strings:
$ss1 = "\x00:%4d-%02d-%02d %02d:%02d:%02d \x00"
$ss2 = "\x00ok!\x00"
$ss3 = "\x00\x0a\x0a%s:%s \x00"
$ss4 = "\x00PRIMARY!%s \x00"
condition:
(uint32(0) == 0x464c457f) and all of them
}