import "pe"
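// Detects the "ComLook" IMAP-based backdoor attributed (per the rule name) to Turla.
// The sample set is a plugin for The Bat! mail client: it carries The Bat!'s
// registry path ($b4), a plugin display name ($a15), IMAP command fragments
// ($b1-$b3, $a3/$a4) and pipe-based command-execution status strings ($a11-$a16).
//
// Review notes:
//  - meta keys normalised to lowercase (author/date/tlp) and the date rewritten
//    in ISO form; the original "20/01/22" is read as dd/mm/yy (20 Jan 2022).
//  - The original fallback clause used pe.imports("TBP_Intialize"). With a single
//    argument pe.imports() tests an imported *DLL name*, and "TBP_Intialize" is a
//    function name (The Bat! plugin API, TBP_ prefix), so that clause could never
//    match and the branch was dead. A The Bat! plugin *exports* its TBP_* entry
//    points, so the check is now pe.exports() on the TBP_ prefix. Confirm the exact
//    export name against a sample before tightening it to a literal.
rule apt_RU_turla_comlook
{
    meta:
        description = "Turla ComLook IMAP backdoor shipped as a The Bat! mail client plugin"
        author = "ClearSky Cybersecurity"
        date = "2022-01-20"
        tlp = "WHITE"

    strings:
        // Backdoor status / error messages; NUL-delimited where the binary stores them that way.
        $a1 = "\x00Server switched.\x00"
        $a2 = "\x00Message handling error!\x00"
        $a3 = "\x00Incorrect username in IMAP request.\x00"
        $a4 = "\x00Incorrect password in IMAP request.\x00"
        $a5 = "atexit failed to register curl_global_cleanup.\x00"
        $a6 = "curl FetchMessagePart failed."
        $a7 = "curl PerformQuery failed."
        $a8 = "curl SendResult failed."
        $a9 = "Cannot copy data for sending buffer."
        $a10 = "Initialization of libcurl has failed."
        // Command-execution result strings (execution via pipes).
        $a11 = "COULDN'T OPEN PIPES TO RECEIVE EXECUTION RESULT\x00"
        $a12 = "OPERATION PERFORMED SUCCESSFULLY WITHOUT WAITING FOR RESULT\x00"
        $a13 = "OPERATION PERFORMED SUCCESSFULLY WITH NULL RESULT.\x00"
        $a14 = "COMMAND IS EMPTY.\x00"
        // Display name the plugin presents to The Bat!.
        $a15 = "Antispam Marisuite for The Bat!"
        // Internal error-code identifiers.
        $a16 = "\x00CMD_EXECUTION_PIPE_OPEN_ERROR\x00"
        $a17 = "\x00CONFIG_LAST_COMMAND_DATE_REG_WRITE_ERROR\x00"
        $a18 = "\x00IMAP_MAILSERVER_FORMAT_INCORRECT\x00"
        $a19 = "\x00GET_UIDS_TO_CHECK_PARSING_ERROR\x00"

        // IMAP protocol fragments used for C2 over the mailbox, plus The Bat! registry key (UTF-16).
        $b1 = "\x00SEARCH UID \x00"
        $b2 = "\x00 +FLAGS \\Deleted\x00"
        $b3 = "\x00UID SEARCH SENTSINCE \x00"
        $b4 = "Software\\RIT\\The Bat!\x00" wide

    condition:
        // MZ header and a size cap keep the pe module off large/non-PE inputs.
        filesize < 10MB and uint16(0) == 0x5A4D and
        (
            // Imphash of the known sample; note an imphash match alone fires the rule,
            // and imphashes can collide across unrelated binaries with the same import table.
            pe.imphash() == "ee4ac9f3c15a225a117392a01b78686e" or
            // Any two backdoor strings, or three of the four IMAP/registry fragments.
            2 of ($a*) or
            3 of ($b*) or
            // Weaker fallback: a The Bat! plugin (TBP_* entry point exported) carrying
            // even one backdoor string. Only matters when exactly one $a string hits.
            (
                pe.exports(/^TBP_/) and
                any of ($a*)
            )
        )
}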