Sneed-Reactivity/yara-mikesxrs/ballastsecurity/evora.yara


rule evora {
    meta:
        author = "Brian Wallace @botnet_hunter"
        date = "2015-10-20"
        description = "Identify Evora"
    strings:
        // Brace-delimited marker common to both string sets below.
        // Defined once here; ASCII only, as in the original (no 'wide' modifier).
        $marker = "{A872638D-DC2B9B23}"

        // Set 1: UTF-16LE artifacts ('wide' matches two-byte encoded text).
        // The User-Agent string is generic on its own; it only counts together
        // with the marker, the path format string and the tag below.
        $ua   = "Mozilla/4.0 (compatible; MSIE 8.0)" wide
        $path = "/%x/thread_%02d%02d%02d%02d.html" wide
        $tag  = "F95F6E38" wide

        // Set 2: a GUID-formatted identifier and a "Global\\%d" format string,
        // both UTF-16LE.
        $guid  = "{F40150C7-B623-41bc-8693-0445343A3A69}" wide
        $gname = "Global\\%d" wide
    condition:
        // Same logic as "all of set 1 or all of set 2": the shared marker is
        // required either way, plus every remaining string of at least one set.
        $marker and (($ua and $path and $tag) or ($guid and $gname))
}