Sneed-Reactivity/yara-mikesxrs/Volexity/apt_py_bluelight_ldr.yar


rule apt_py_bluelight_ldr : InkySquid
{
    meta:
        author = "threatintel@volexity.com"
        description = "Python Loader used to execute the BLUELIGHT malware family."
        reference = "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
        date = "2021-06-22"
        hash1 = "80269413be6ad51b8b19631b2f5559c9572842e789bbce031babe6e879d2e120"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

    strings:
        // Python source fragments; all five are plain-ASCII literals (no wide/nocase variants).
        // String decoding idiom: joins single characters rebuilt via chr(ord(...)).
        $decode_loop   = "\"\".join(chr(ord(" ascii
        // The trailing space after "ctypes" is intentional and part of the pattern.
        $ctypes_import = "import ctypes " ascii
        // ctypes function-prototype declaration returning a C int.
        $ctypes_proto  = "ctypes.CFUNCTYPE(ctypes.c_int)" ascii
        // ctypes memory copy; presumably used to stage bytes before calling them - not shown here.
        $ctypes_copy   = "ctypes.memmove" ascii
        // Literal status text; likely printed by the loader on completion - confirm against the sample.
        $end_msg       = "python ended" ascii

    condition:
        // Every fragment must be present; a file missing any one of them does not match.
        $decode_loop and $ctypes_import and $ctypes_proto and $ctypes_copy and $end_msg
}