32 lines
1.1 KiB
Text
32 lines
1.1 KiB
Text
|
import "pe"
|
||
|
rule trojan_win_pngexe : XEGroup
|
||
|
{
|
||
|
meta:
|
||
|
author = "threatintel@volexity.com"
|
||
|
date = "2020-09-04"
|
||
|
description = "Detects PNGEXE, a simple reverse shell loader."
|
||
|
reference = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
|
||
|
hash = "72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911"
|
||
|
hash2 = "4d913ecb91bf32fd828d2153342f5462ae6b84c1a5f256107efc88747f7ba16c"
|
||
|
memory_suitable = 0
|
||
|
license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
|
||
|
|
||
|
strings:
|
||
|
$a1 = "amd64.png" ascii
|
||
|
$a2 = "x86.png" ascii
|
||
|
|
||
|
condition:
|
||
|
uint16(0) == 0x5A4D and
|
||
|
(
|
||
|
(
|
||
|
any of ($a*) and
|
||
|
filesize > 30KB and
|
||
|
filesize < 200KB
|
||
|
) or
|
||
|
pe.imphash() == "ca41f83b03cf3bb51082dbd72e3ba1ba" or
|
||
|
pe.imphash() == "e93abc400902e72707edef1f717805f0" or
|
||
|
pe.imphash() == "83a5d4aa20a8aca2a9aa6fc2a0aa30b0"
|
||
|
)
|
||
|
}
|
||
|
|