Sneed-Reactivity/yara-mikesxrs/Seth Hardy/urausy_skypedat.yar

rule urausy_skype_dat {
	meta:
		author = "AlienVault Labs"
		description = "Yara rule to match against memory of processes infected by Urausy skype.dat"
	strings:
		$a = "skype.dat" ascii wide
		$b = "skype.ini" ascii wide
		$win1 = "CreateWindow"
		$win2 = "YIWEFHIWQ" ascii wide
		$desk1 = "CreateDesktop"
		$desk2 = "MyDesktop" ascii wide
	condition:
		$a and $b and (all of ($win*) or all of ($desk*))
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule urausy_skype_dat {`
			`meta:`
			`author = "AlienVault Labs"`
			`description = "Yara rule to match against memory of processes infected by Urausy skype.dat"`
			`strings:`
			`$a = "skype.dat" ascii wide`
			`$b = "skype.ini" ascii wide`
			`$win1 = "CreateWindow"`
			`$win2 = "YIWEFHIWQ" ascii wide`
			`$desk1 = "CreateDesktop"`
			`$desk2 = "MyDesktop" ascii wide`
			`condition:`
			`$a and $b and (all of ($win) or all of ($desk))`
			`}`