
// Static string signature for the Elise family.
// Every marker below must be present: several of them are not distinctive on
// their own (the KERNEL32.DLL import name, "Content-Length: 0", a stock MSIE
// User-Agent), so the conjunction is what keeps false positives down.
// There is no MZ/PE header guard, so the rule also fires on memory dumps or
// carved blobs that carry these strings, not only on executables on disk.
// The cookie format string and the .TMP name are matched ASCII-only while the
// other four are UTF-16LE (`wide`); this presumably mirrors how the samples
// store them — confirm against a sample before widening any modifier.
rule elise
{
    meta:
        author      = "Brian Wallace @botnet_hunter"
        date        = "2015-10-20"
        description = "Identify Elise"

    strings:
        // Hard-coded HTTP User-Agent string (UTF-16LE)
        $ua       = "Mozilla/4.0 (compatible; MSIE 8.0)" wide
        // Library name in upper case, as stored for runtime resolution (UTF-16LE)
        $k32      = "KERNEL32.DLL" wide
        // HTTP header for an empty request body (UTF-16LE)
        $clen     = "Content-Length: 0" wide
        // URI-path format string: /<hex>/page_<dd><dd><dd><dd>.html (UTF-16LE)
        $uri_fmt  = "/%x/page_%02d%02d%02d%02d.html" wide
        // Cookie format string with an expiry one second after the Unix epoch (ASCII)
        $cookie   = "%s=;expires=Thu, 01-Jan-1970 00:00:01 GMT"
        // Temporary file name carrying the "ELISE" tag (ASCII)
        $tmpname  = "000ELISEA380.TMP"

    condition:
        all of ($*)
}