Sneed-Reactivity/yara-mikesxrs/Fireeye/MACROCHECK.YAR

rule MACROCHECK
{
    meta:
        description = "Identify office documents with the MACROCHECK credential stealer in them.  It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
        author = "Fireeye Labs"
        version = "1.0"
 
    strings:
        $PARAMpword = "pword=" ascii wide
        $PARAMmsg = "msg=" ascii wide
        $PARAMuname = "uname=" ascii
        $userform = "UserForm" ascii wide
        $userloginform = "UserLoginForm" ascii wide
        $invalid = "Invalid username or password" ascii wide
        $up1 = "uploadPOST" ascii wide
        $up2 = "postUpload" ascii wide
        
    condition:
        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule MACROCHECK`
			`{`
			`meta:`
			`description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."`
			`author = "Fireeye Labs"`
			`version = "1.0"`

			`strings:`
			`$PARAMpword = "pword=" ascii wide`
			`$PARAMmsg = "msg=" ascii wide`
			`$PARAMuname = "uname=" ascii`
			`$userform = "UserForm" ascii wide`
			`$userloginform = "UserLoginForm" ascii wide`
			`$invalid = "Invalid username or password" ascii wide`
			`$up1 = "uploadPOST" ascii wide`
			`$up2 = "postUpload" ascii wide`

			`condition:`
			`all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))`
			`}`