// BACKWASH (XE Group) reverse-shell detection. Fires on the embedded PDB
// path alone, or on a cluster of identifier strings inside a small file.
rule trojan_win_xe_backwash : XEGroup
{
    meta:
        author = "threatintel@volexity.com"
        date = "2020-09-04"
        description = "The BACKWASH malware family, which acts as a reverse shell on the victim machine."
        reference = "https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/"
        hash = "815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f"
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

    strings:
        // Build artefact: the full PDB path and its trailing component.
        // $pdb_full always contains $pdb_tail, so it never adds a match on
        // its own; it is kept as the fuller indicator for analysts.
        $pdb_full = "x:\\MultiOS_ReverseShell-master\\Multi-OS_ReverseShell\\obj\\Release\\XEReverseShell.pdb"
        $pdb_tail = "\\Release\\XEReverseShell.pdb"

        // Identifier strings, single-byte (ASCII) encoding.
        $id_run   = "RunServer" ascii
        $id_shell = "writeShell" ascii
        $id_ip    = "GetIP" ascii

        // Two-byte (wide) strings; from the names these look like operator
        // commands, but that is inferred, not established by the rule.
        $cmd_quit  = "xequit" wide
        $cmd_shell = "setshell" wide

    condition:
        // Either PDB fragment is sufficient by itself. The identifier
        // branches are only trusted in small samples. Note that filesize is
        // undefined when scanning a running process, so on memory scans only
        // the PDB branch can match.
        any of ($pdb_*) or
        (
            filesize < 40KB and
            (
                all of ($id_*) or
                all of ($cmd_*)
            )
        )
}