Sneed-Reactivity/yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar

45 lines
2.8 KiB
Text
Raw Normal View History

rule injector_ZZ_dotRunpeX_oldnew {
meta:
description = "Detects new and old version of dotRunpeX - configurable .NET injector"
author = "Jiri Vinopal (jiriv)"
date = "2022-10-30"
hash1_New = "373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232" // injects Formbook
hash2_New = "41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636" // injects Formbook
hash3_New = "5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80" // injects AsyncRat
hash4_New = "8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504" // injects Remcos
hash5_New = "8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591" // injects Formbook
hash6_New = "cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db" // injects AgentTesla
hash7_New = "fa8a67642514b69731c2ce6d9e980e2a9c9e409b3947f2c9909d81f6eac81452" // injects AsyncRat
hash8_New = "eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5" // injects SnakeKeylogger
hash1_Old = "1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc" // injects Lokibot
hash2_Old = "317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc" // injects Redline
hash3_Old = "65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b" // injects SnakeKeylogger
hash4_Old = "68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326" // injects Lokibot
hash5_Old = "81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e" // injects SnakeKeylogger
report = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/"
strings:
// Used ImplMap imports (PInvoke)
$implmap1 = "VirtualAllocEx"
$implmap2 = "CreateProcess"
$implmap3 = "CreateRemoteThread"
$implmap4 = "Wow64SetThreadContext"
$implmap5 = "Wow64GetThreadContext"
$implmap6 = "RtlInitUnicodeString"
$implmap7 = "NtLoadDriver"
$implmap8 = "LoadLibrary"
$implmap9 = "VirtualProtect"
$implmap10 = "AdjustTokenPrivileges"
$implmap11 = "GetProcAddress"
$modulerefKernel1 = "Kernel32"
$modulerefKernel2 = "kernel32"
$modulerefNtdll1 = "Ntdll"
$modulerefNtdll2 = "ntdll"
$regPath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TaskKill" wide // Registry path for installing Sysinternals Procexp driver
$rsrcName = "BIDEN_HARRIS_PERFECT_ASSHOLE" wide
$koiVM1 = "KoiVM"
$koiVM2 = "#Koi"
condition:
uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and ($regPath or $rsrcName or 1 of ($koiVM*)) and
9 of ($implmap*) and 1 of ($modulerefKernel*) and 1 of ($modulerefNtdll*)
}