Sneed-Reactivity/yara-mikesxrs/optiv/autoit_scripting_pos_malware.yar

rule wow32_exe
{
       meta:
              description = "wow32-exe"
              thread_level = 3
              in_the_wild = true
              reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

       strings:
              $a = "avsupport@autoitscript.com" wide ascii
              $b = "compiled AutoIt script" wide ascii

       condition:
              $a and $b
}

rule cdosys_dll
{
       meta:
              description = "cdosys-dll"
              thread_level = 3
              in_the_wild = true
              reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

       strings:
              $a = "Microsoft CDO for Windows Library" wide ascii
              $b = "CDOSYS.DLL" wide ascii

       condition:
              $a and $b
}

rule winhttp_exe
{
       meta:
              description = "winhttp-exe"
              thread_level = 3
              in_the_wild = true
              reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

       strings:
              $a = "SeDebugPrivilege" wide ascii
              $b = "SearchInject" wide ascii
              $c = "Searcher.dll" wide ascii

       condition:
              $a and $b and $c
}

rule Searcher_dll
{
       meta:
              description = "Searcher-dll"
              thread_level = 3
              in_the_wild = true
              reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"

       strings:
              $a = "EncodePointer" wide ascii
              $b = "CONOUT$" wide ascii
              $c = "%s%i_%s_%i.log" wide ascii

       condition:
              $a and $b and $c
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule wow32_exe`
			`{`
			`meta:`
			`description = "wow32-exe"`
			`thread_level = 3`
			`in_the_wild = true`
			`reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"`

			`strings:`
			`$a = "avsupport@autoitscript.com" wide ascii`
			`$b = "compiled AutoIt script" wide ascii`

			`condition:`
			`$a and $b`
			`}`

			`rule cdosys_dll`
			`{`
			`meta:`
			`description = "cdosys-dll"`
			`thread_level = 3`
			`in_the_wild = true`
			`reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"`

			`strings:`
			`$a = "Microsoft CDO for Windows Library" wide ascii`
			`$b = "CDOSYS.DLL" wide ascii`

			`condition:`
			`$a and $b`
			`}`

			`rule winhttp_exe`
			`{`
			`meta:`
			`description = "winhttp-exe"`
			`thread_level = 3`
			`in_the_wild = true`
			`reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"`

			`strings:`
			`$a = "SeDebugPrivilege" wide ascii`
			`$b = "SearchInject" wide ascii`
			`$c = "Searcher.dll" wide ascii`

			`condition:`
			`$a and $b and $c`
			`}`

			`rule Searcher_dll`
			`{`
			`meta:`
			`description = "Searcher-dll"`
			`thread_level = 3`
			`in_the_wild = true`
			`reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"`

			`strings:`
			`$a = "EncodePointer" wide ascii`
			`$b = "CONOUT$" wide ascii`
			`$c = "%s%i_%s_%i.log" wide ascii`

			`condition:`
			`$a and $b and $c`
			`}`