

rule trojan_win_xe_backwash : XEGroup
{
    meta:
        author = "threatintel@volexity.com"
        date = "2020-09-04"
        description = "The BACKWASH malware family, which acts as a reverse shell on the victim machine."
        reference = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
        hash = "815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f"
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

    strings:
        // Build-path artefacts. $pdb2 is a suffix of $pdb1, so every $pdb1 hit is also a
        // $pdb2 hit; $pdb1 is retained for the fuller path context it records.
        $pdb1 = "x:\\MultiOS_ReverseShell-master\\Multi-OS_ReverseShell\\obj\\Release\\XEReverseShell.pdb"
        $pdb2 = "\\Release\\XEReverseShell.pdb"

        // Method names. Each is generic on its own, which is why the condition demands
        // the complete set together with the size gate.
        $a1 = "RunServer" ascii
        $a2 = "writeShell" ascii
        $a3 = "GetIP" ascii

        // Command keywords matched as UTF-16LE ("wide").
        $b1 = "xequit" wide
        $b2 = "setshell" wide

    condition:
        // Either build-path artefact is sufficient on its own.
        1 of ($pdb*) or
        // Otherwise a complete name set is required, gated on size to reduce false
        // positives on larger binaries that merely share these identifiers.
        // NOTE(review): filesize is not available when scanning a live process, so only
        // the $pdb branch can fire there — confirm this matches the memory_suitable intent.
        (
            filesize < 40KB and
            (
                all of ($a*) or
                all of ($b*)
            )
        )
}