import "pe"

// SILKLOADER detector published by WithSecure (2023-03-15).
// Fires on PE files built as DLLs that carry both UTF-16LE markers below;
// the meta block lists the sample hashes and the write-up the rule is based on.
rule SILKLOADER
{
    meta:
        author      = "WithSecure"
        description = "Detects SILKLOADER samples"
        date        = "2023-03-15"
        version     = "1.0"
        reference   = "https://labs.withsecure.com/publications/silkloader"
        hash1       = "c83ac6dc96febd49c7c558e8cf85dd8bcb3a84fdc78b3ba72ebf681566dc1865"
        hash2       = "e4dadabd1cee7215ff6e31e01f6b0dd820851685836592a14f982f2c7972fc25"
        hash3       = "d77a59e6ba3a8f3c000a8a8955af77d2898f220f7bf3c0968bf0d7c8ac25a5ad"
        report      = "https://www.withsecure.com/content/dam/with-secure/ja/news-library/20230316_WithSecure_Silkloader_Report_ENG.pdf"

    strings:
        // "TRANSFER" as UTF-16LE; same bytes as {54 00 52 00 41 00 4e 00 53 00 46 00 45 00 52 00}.
        $str1 = "TRANSFER" wide
        // "vbccsb" as UTF-16LE; same bytes as {76 00 62 00 63 00 63 00 73 00 62 00}.
        $str2 = "vbccsb" wide

    condition:
        // Must parse as a PE, have IMAGE_FILE_DLL set in the COFF characteristics,
        // and contain both markers. The DLL check keeps plain EXEs from matching.
        pe.is_pe and
        (pe.characteristics & pe.DLL) != 0 and
        all of them
}