Sneed-Reactivity/yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar

rule TeamViwer_backdoor
{

meta:
date = "2019-04-14"
description = "Detects malicious TeamViewer DLLs"
reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"

strings:

// PostMessageW hook function
$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}

condition:
uint16(0) == 0x5a4d and $x1
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule TeamViwer_backdoor`
			`{`

			`meta:`
			`date = "2019-04-14"`
			`description = "Detects malicious TeamViewer DLLs"`
			`reference = "https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/"`

			`strings:`

			`// PostMessageW hook function`
			`$x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}`

			`condition:`
			`uint16(0) == 0x5a4d and $x1`
			`}`