Sneed-Reactivity/yara-mikesxrs/kevthehermit/Imminent3.yar

rule Imminent
{
    meta:
        author = " Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/Imminent"
        maltype = "Remote Access Trojan"
        filetype = "exe"

    strings:
        $v1a = "DecodeProductKey"
        $v1b = "StartHTTPFlood"
        $v1c = "CodeKey"
        $v1d = "MESSAGEBOX"
        $v1e = "GetFilezillaPasswords"
        $v1f = "DataIn"
        $v1g = "UDPzSockets"
        $v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}

        $v2a = "<URL>k__BackingField"
        $v2b = "<RunHidden>k__BackingField"
        $v2c = "DownloadAndExecute"
        $v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide
        $v2e = "england.png" wide
        $v2f = "Showed Messagebox" wide
    condition:
        all of ($v1*) or all of ($v2*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00			`rule Imminent`
			`{`
			`meta:`
			`author = " Kevin Breen <kevin@techanarchy.net>"`
			`date = "2014/04"`
			`ref = "http://malwareconfig.com/stats/Imminent"`
			`maltype = "Remote Access Trojan"`
			`filetype = "exe"`

			`strings:`
			`$v1a = "DecodeProductKey"`
			`$v1b = "StartHTTPFlood"`
			`$v1c = "CodeKey"`
			`$v1d = "MESSAGEBOX"`
			`$v1e = "GetFilezillaPasswords"`
			`$v1f = "DataIn"`
			`$v1g = "UDPzSockets"`
			`$v1h = {52 00 54 00 5F 00 52 00 43 00 44 00 41 00 54 00 41}`

			`$v2a = "<URL>k__BackingField"`
			`$v2b = "<RunHidden>k__BackingField"`
			`$v2c = "DownloadAndExecute"`
			`$v2d = "-CHECK & PING -n 2 127.0.0.1 & EXIT" wide`
			`$v2e = "england.png" wide`
			`$v2f = "Showed Messagebox" wide`
			`condition:`
			`all of ($v1) or all of ($v2)`
			`}`