Sneed-Reactivity/yara-Neo23x0/apt_op_shadowhammer.yar


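rule MAL_APT_Operation_ShadowHammer_MalSetup {
    // Detects a PE file that carries build-output path fragments under
    // "\AsusShellCode\" (Release or Debug). The rule is a file-content
    // rule: it requires the MZ magic at offset 0 and then ANY ONE of the
    // two path strings. Matches should be triaged together with the
    // reference hashes below and the public report in `reference`.
    meta:
        description = "Detects a malicious file used by BARIUM group in Operation ShadowHammer"
        date = "2019-03-25"
        author = "Florian Roth (Nextron Systems)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        // Confidence score used by the signature-base consumers; 80 is
        // treated as a high-confidence hit in that ecosystem.
        score = 80
        // SHA-256 hashes of the reference samples this rule was written against.
        hash1 = "ac0711afee5a157d084251f3443a40965fc63c57955e3a241df866cfc7315223"
        hash2 = "9acd43af36f2d38077258cb2ace42d6737b43be499367e90037f4605318325f8"
        hash3 = "bca9583263f92c55ba191140668d8299ef6b760a1e940bddb0a7580ce68fef82"
        hash4 = "c299b6dd210ab5779f3abd9d10544f9cae31cd5c6afc92c0fc16c8f43def7596"
        hash5 = "6aedfef62e7a8ab7b8ab3ff57708a55afa1a2a6765f86d581bc99c738a68fc74"
        hash6 = "cfbec77180bd67cceb2e17e64f8a8beec5e8875f47c41936b67a60093e07fcfd"
        reference = "https://securelist.com/operation-shadowhammer/89992/"
        id = "000f840a-848d-5f82-84bf-70690efbd4de"
    strings:
        // In a YARA text string "\\" is one literal backslash, so the bytes
        // matched are \AsusShellCode\Release and \AsusShellCode\Debug.
        // Both strings are ASCII-only (the YARA default); the modifier is
        // written out on both so a future "wide" addition is deliberate,
        // not an accident of one string carrying it and the other not.
        $x1 = "\\AsusShellCode\\Release" ascii
        $x2 = "\\AsusShellCode\\Debug" ascii
    condition:
        // 0x5a4d is "MZ" read little-endian from offset 0: restricts the
        // rule to DOS/PE headers so the path strings alone cannot fire on
        // unrelated text such as logs or build scripts that mention them.
        uint16(0) == 0x5a4d and 1 of ($x*)
}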