Sneed-Reactivity/yara-mikesxrs/WithSecure/SILKLOADER.yar


import "pe"
// SILKLOADER: a PE DLL that carries two specific UTF-16LE markers.
// Uses the "pe" module (imported at the top of the file) to restrict
// matching to PE images with the DLL characteristic set, then requires
// both wide-string markers to be present.
rule SILKLOADER
{
    meta:
        author      = "WithSecure"
        description = "Detects SILKLOADER samples"
        date        = "2023-03-15"
        version     = "1.0"
        reference   = "https://labs.withsecure.com/publications/silkloader"
        hash1       = "c83ac6dc96febd49c7c558e8cf85dd8bcb3a84fdc78b3ba72ebf681566dc1865"
        hash2       = "e4dadabd1cee7215ff6e31e01f6b0dd820851685836592a14f982f2c7972fc25"
        hash3       = "d77a59e6ba3a8f3c000a8a8955af77d2898f220f7bf3c0968bf0d7c8ac25a5ad"
        report      = "https://www.withsecure.com/content/dam/with-secure/ja/news-library/20230316_WithSecure_Silkloader_Report_ENG.pdf"

    strings:
        // Same byte sequences as the original hex patterns, written as
        // text with the "wide" modifier (UTF-16LE, one NUL after each
        // ASCII character): 54 00 52 00 41 00 4e 00 53 00 46 00 45 00 52 00
        $str1 = "TRANSFER" wide
        // 76 00 62 00 63 00 63 00 73 00 62 00
        $str2 = "vbccsb" wide

    condition:
        // Must parse as a PE image ...
        pe.is_pe
        // ... flagged as a DLL (IMAGE_FILE_DLL bit of the file header characteristics) ...
        and (pe.characteristics & pe.DLL) != 0
        // ... and contain both markers (equivalent to "all of them").
        and $str1 and $str2
}