Sneed-Reactivity/yara-mikesxrs/phbiohazard/APT20140414_1PE.yar


import "pe"
rule APT20140414_1PE
{
    // Byte-pattern signature for PE samples. The "pe" module imported at the
    // top of this file supplies pe.entry_point (raw file offset of the entry
    // point) for the two entry-point-anchored branches of the condition.
    // NOTE(review): the rule name suggests a 2014-04-14 vintage, but no date
    // or description field is set in meta — unconfirmed.
    meta:
        author = "phbiohazard"
        reference = "https://github.com/phbiohazard/Yara"

    strings:
        // Plain hex sequences with no wildcards or jumps, so each must match
        // verbatim. $genep* act as anchors, $contep* as corroborating fragments
        // that are paired with a specific anchor in the condition.
        $genep1  = {04 01 68 9b 1a 40 00 6a 01 6a 00 6a 00 ff 15 0c}
        $genep2  = {e9 3d 87 f8 ff bb d6 fb 04 8a 10 5c d2 70 d9 cb}
        $genep3  = {57 56 8b f0 e8 70 fd ff ff 5e e8 6e 01 00 00 5f}
        $contep1 = {e9 02 47 83 c6 02 89 f2 83 f9 00}
        $contep2 = {e5 44 75 c1 8b 36 0c 44 4d c9 31 8b 8a d7 88 d8}
        $contep3 = {9c d1 d4 52 7b c5 99 29 1c d7 46 c5 f9 8c f8 e2}
        $contep4 = {e8 ef e4 bb 00 5d c3}

    condition:
        // `and` binds tighter than `or` in YARA, so the grouping written out
        // below is exactly how the flat expression evaluates; the parentheses
        // only make that explicit for the reader.
        //
        // Branch 1: three fragments anywhere in the file. This branch is not
        // anchored to the entry point and does not consult the pe module at
        // all, so it can fire on non-PE input as well.
        ($genep1 and $contep1 and $contep2)
        or
        // Branch 2: $genep2 sits at the entry point and $contep3 appears within
        // the 65-byte window starting at that offset.
        ($genep2 at pe.entry_point and $contep3 in (pe.entry_point..pe.entry_point + 65))
        or
        // Branch 3: same shape with $genep3 / $contep4 and a 26-byte window.
        ($genep3 at pe.entry_point and $contep4 in (pe.entry_point..pe.entry_point + 26))
}