// Hunting rule: flags files that start with the MZ magic, carry the Nexe
// bootstrap marker, and contain at least two of three Discord-related
// strings attributed to the PirateStealer dropper (per the description).
// The strings are generic JavaScript fragments, so triage hits before
// treating them as confirmed detections.
rule nexe_piratesteal {
    meta:
        author = "Intezer"
        description = "Hunting for Nexe compiled PirateStealer Dropper"
        tlp = "white"

    strings:
        // Text assigning `process.__nexe`, used here as the indicator that
        // the binary was produced by Nexe.
        $nexe_str = "process.__nexe = {\"resources\"" ascii

        // JavaScript fragment testing a name for "iscord"; presumably the
        // first letter is left out so both "Discord" and "discord" match.
        $steal_str0 = "file.includes(\"iscord\")" ascii

        // Path to Discord's discord_desktop_core index.js. The `*` characters
        // are literal bytes here, not YARA wildcards.
        // NOTE(review): YARA turns each `\\` into a single backslash. If the
        // embedded script stores this path with doubled backslashes, this
        // string will not match; confirm against a known sample.
        $steal_str1 = "\\app-*\\modules\\discord_desktop_core-*\\discord_desktop_core\\index.js" ascii

        // Identifier matched verbatim; its role in the dropper is not
        // visible from this rule.
        $steal_str2 = "pwnBetterDiscord" ascii

    condition:
        // 0x5A4D read little-endian at offset 0 is the "MZ" magic. Only the
        // magic is checked, not the PE header, and builds for other
        // platforms are outside this rule's scope.
        uint16(0) == 0x5A4D
        and $nexe_str
        and 2 of ($steal_str*)
}