Sneed-Reactivity/yara-Neo23x0/crime_bluenoroff_pos.yar


rule BluenoroffPoS_DLL {
   meta:
      description = "Bluenoroff POS malware - hkp.dll"
      author = "http://blog.trex.re.kr/"
      reference = "http://blog.trex.re.kr/3?category=737685"
      date = "2018-06-07"
      id = "d2b34b50-c7eb-5852-ba5d-734dd5038c2e"
   strings:
      $dll = "ksnetadsl.dll" ascii wide fullword nocase
      $exe = "xplatform.exe" ascii wide fullword nocase
      $agent = "Nimo Software HTTP Retriever 1.0" ascii wide nocase
      $log_file = "c:\\windows\\temp\\log.tmp" ascii wide nocase
      $base_addr = "%d-BaseAddr:0x%x" ascii wide nocase
      $func_addr = "%d-FuncAddr:0x%x" ascii wide nocase
      $HF_S = "HF-S(%d)" ascii wide
      $HF_T = "HF-T(%d)" ascii wide
   condition:
      5 of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule BluenoroffPoS_DLL {`
			`meta:`
			`description = "Bluenoroff POS malware - hkp.dll"`
			`author = "http://blog.trex.re.kr/"`
			`reference = "http://blog.trex.re.kr/3?category=737685"`
			`date = "2018-06-07"`
			`id = "d2b34b50-c7eb-5852-ba5d-734dd5038c2e"`
			`strings:`
			`$dll = "ksnetadsl.dll" ascii wide fullword nocase`
			`$exe = "xplatform.exe" ascii wide fullword nocase`
			`$agent = "Nimo Software HTTP Retriever 1.0" ascii wide nocase`
			`$log_file = "c:\\windows\\temp\\log.tmp" ascii wide nocase`
			`$base_addr = "%d-BaseAddr:0x%x" ascii wide nocase`
			`$func_addr = "%d-FuncAddr:0x%x" ascii wide nocase`
			`$HF_S = "HF-S(%d)" ascii wide`
			`$HF_T = "HF-T(%d)" ascii wide`
			`condition:`
			`5 of them`
			`}`