Sneed-Reactivity/yara-Neo23x0/apt_plugx.yar


// Detects a PlugX loader by the x86 byte pattern of its string-decoding
// loop rather than by any plaintext string, so it survives changes to the
// encoded payload. Two variants of the pattern are listed; they differ only
// in the first opcode (8A = MOV r8,r/m8 vs 8B = MOV r32,r/m32).
//
// NOTE(review): the pattern hard-codes the absolute address 0x10003000
// (bytes "FF 05 00 30 00 10" = INC DWORD PTR [0x10003000] in 32-bit code).
// That ties the signature to a specific image base / build; a rebased or
// relocated loader may not match. Confirm against fresh samples before
// relying on it alone.
rule APTGroupX_PlugXTrojanLoader_StringDecode {
meta:
author = "Jay DiMartino"
description = "Rule to detect PlugX Malware"
// Neo23x0-style confidence score (0-100); 80 = high-confidence match.
score = 80
// Shortened URL -- opaque and may rot; resolve and record the final
// destination if this rule is re-published.
reference = "https://t.co/4xQ8G2mNap"
// SHA-1 hashes (40 hex chars) of the samples the rule was written against.
hash1 = "0535e8c300204e257f0fa57630f386e9fcc8e779"
hash2 = "088ebf9ccde958f32d11f4e7eb14f5332332f97d"
hash3 = "0c999d0bffa007e9e6b6fe593933b52f40c75b3d"
hash4 = "2f644e7131ec0a4f12ce04ba1e54d23856dbbfbf"
hash5 = "3be9148ad132ca342d5fbabea1119a175ef1df7c"
hash6 = "4c1ee94ec0e15491fc4f6b4095f67eee6309e62a"
hash7 = "587af7ce05e61d4c312d6bae12ea380116b08d7e"
hash8 = "5990efd83b5646a7ba419541d3a2c19260224ca3"
hash9 = "67970367c250c44a5feb263843cf45fd91336df5"
hash10 = "68f53f7188910a4cf67843aedd38c1523f1f2e7c"
hash11 = "962dc7e0ad37286df012f623423ac4182fe791ca"
hash12 = "aa0976906807af2e1b127608040aa3ef6e118a13"
hash13 = "b170d015e32b39fa4ac15f94d58e45e65cd16d6c"
hash14 = "c9b3d2cef3b34c7ee18fc2f60ff022965959613d"
hash15 = "cd425ce7f3e4a823d9027780e1b439759c4dc665"
hash16 = "d5e82513c6472d3826a22d9a15c05af8c0d33b58"
hash17 = "d9b32084f27ef13001060e1dcee8a1a9e95d89a6"
hash18 = "daa2d1cb9148b7ba5a86fa9ab593678e77c92672"
hash19 = "e2c098a95d1c1f0e29f207af9c5ffc5bd69a92ee"
hash20 = "ef8cf68dc3c80e9cb5a3fa0f92b544eab583812e"
hash21 = "f0fc0a4e4e0748464caa6a202d0083cd33458677"
hash22 = "fe1abe55529c1d6aa6b2a2f02d7e41ea58040feb"
// Stable rule identifier (UUID) used by the signature-base tooling.
id = "c6017327-b44d-5b1d-95aa-6e1f9fbf5583"
strings:
// Decode-loop skeleton (32-bit x86, approximate decoding, wildcards elided):
//   8A ..          MOV  r8, [mem]            ; load encoded byte
//   8A ..          MOV  r8, [mem]            ; load key/counter byte
//   FF 05 <addr>   INC  DWORD PTR [0x10003000] ; bump global counter
//   2A ..          SUB  r8, r/m8             ; subtract key
//   80 .. 02       <op> BYTE PTR [mem], 2    ; 80 /x ib group-1 op with imm8 = 2
//   88 0?          MOV  [mem], AL/CL         ; store decoded byte
// The [m-n] jumps tolerate differing register/addressing encodings between builds.
$byte1 = { 8A [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }
// Same sequence, but the first load is a 32-bit MOV (8B) instead of an 8-bit one.
$byte2 = { 8B [2-4] 8A [2-4] FF 05 00 30 00 10 [0-5] 2A [1-6] 80 [2-7] 02 [1-6] 88 0? }
condition:
// Either encoding variant is sufficient. No MZ-header or filesize guard is
// applied, so the rule also fires on memory dumps and non-PE carriers; if
// it is only meant for PE files on disk, consider adding
// `uint16(0) == 0x5a4d and filesize < <bound>` -- verify against the hashes above first.
any of them
}