
// Matches binaries carrying the AutoIt runtime's support e-mail address and
// the "compiled AutoIt script" marker, i.e. executables built with AutoIt.
// NOTE(review): both strings belong to the AutoIt runtime itself, so every
// AutoIt-compiled program, benign or not, will hit; treat a match as
// "AutoIt-packed" and corroborate with the other rules in this file or with
// PE metadata before attributing it to the wow32.exe sample.
rule wow32_exe
{
    meta:
        description = "wow32-exe"
        // kept verbatim: reads like a typo for "threat_level", but downstream
        // tooling may already key on this meta name
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $autoit_support_mail = "avsupport@autoitscript.com" wide ascii
        $autoit_compiled_tag = "compiled AutoIt script" wide ascii
    condition:
        // equivalent to requiring both strings
        all of them
}
// Matches files that reference Microsoft's CDO (Collaboration Data Objects)
// library by its friendly name and by its DLL file name.
// NOTE(review): these are the library's own identifying strings, so the
// legitimate cdosys.dll and any program that names it will match as well;
// read a hit as "references the CDO mail library", not as a verdict on its
// own, and pair it with the other rules in this file.
rule cdosys_dll
{
    meta:
        description = "cdosys-dll"
        // kept verbatim: reads like a typo for "threat_level", but downstream
        // tooling may already key on this meta name
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $cdo_library_name = "Microsoft CDO for Windows Library" wide ascii
        $cdo_dll_filename = "CDOSYS.DLL" wide ascii
    condition:
        // equivalent to requiring both strings
        all of them
}
// Matches binaries that name the SeDebugPrivilege token privilege together
// with the "SearchInject" and "Searcher.dll" identifiers.
// NOTE(review): "SeDebugPrivilege" alone is a common Windows privilege name
// and would be noisy by itself; the specificity of this rule comes from the
// two "Search*" identifiers, which is why all three are required.
rule winhttp_exe
{
    meta:
        description = "winhttp-exe"
        // kept verbatim: reads like a typo for "threat_level", but downstream
        // tooling may already key on this meta name
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $debug_privilege_name = "SeDebugPrivilege" wide ascii
        $search_inject_ident  = "SearchInject" wide ascii
        $searcher_dll_name    = "Searcher.dll" wide ascii
    condition:
        // equivalent to requiring all three strings
        all of them
}
// Matches binaries containing the "EncodePointer" API name, the "CONOUT$"
// console device name and a "%s%i_%s_%i.log" log-file format string.
// NOTE(review): "EncodePointer" and "CONOUT$" are present in a large share
// of ordinary Windows binaries (both are pulled in by common runtime code),
// so the format string is the only string here with real discriminating
// power; expect false positives if it is ever relaxed, and corroborate hits
// with the companion winhttp_exe rule in this file.
rule Searcher_dll
{
    meta:
        description = "Searcher-dll"
        // kept verbatim: reads like a typo for "threat_level", but downstream
        // tooling may already key on this meta name
        thread_level = 3
        in_the_wild = true
        reference = "https://www.optiv.com/blog/autoit-scripting-in-pos-malware"
    strings:
        $encode_pointer_api = "EncodePointer" wide ascii
        $console_out_device = "CONOUT$" wide ascii
        $log_name_format    = "%s%i_%s_%i.log" wide ascii
    condition:
        // equivalent to requiring all three strings
        all of them
}