Sneed-Reactivity/yara-mikesxrs/ballastsecurity/maazben.yara

16 lines
597 B
Text
Raw Normal View History

rule maazben
{
meta:
author = "Brian Wallace @botnet_hunter"
author_email = "bwall@ballastsecurity.net"
date = "2014-03-13"
description = "Identify Maazben"
strings:
$encrypted1 = {d4 2a 47 00 44 6d 47 00}
$encrypted2 = "__CxxFrameHandler"
$str1 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)"
$str2 = "%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
$str3 = "MCIDRV_VER"
condition:
($encrypted1 and $encrypted2) or ($str1 and $str2 and $str3)
}