
// Detects the C++ loader component of the Backwash malware (XE Group).
// Matching is string-based: two of the three UTF-16LE artefact names below
// must be present in the scanned file or memory region.
rule trojan_win_backwash_cpp : XEGroup
{
    meta:
        author = "threatintel@volexity.com"
        description = "CPP loader for the Backwash malware."
        reference = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
        date = "2021-11-17"
        hash1 = "0cf93de64aa4dba6cec99aa5989fc9c5049bc46ca5f3cb327b49d62f3646a852"
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

    strings:
        // All three strings carry only the `wide` modifier, so they match
        // the UTF-16LE encoding only; an ASCII copy of the same text does
        // not count towards the condition.
        $s1 = "cor1dbg.dll" wide          // module name embedded in the loader
        $s2 = "XEReverseShell.exe" wide   // executable name embedded in the loader
        $s3 = "XOJUMAN=" wide             // "NAME=" shape looks like a key=value prefix — unconfirmed from the rule alone

    condition:
        // Any two of the $s* strings are enough, so renaming one artefact
        // does not by itself evade the rule.
        2 of ($s*)
}