
// DUCKTAIL infostealer: matches PE files carrying developer artifacts (PDB
// paths, an operator e-mail) seen in the samples referenced in meta.
// Review notes (cannot be confirmed without the sample set):
//  - $pdb_path_3 is a generic file name ("dataextractor.pdb") and is the
//    string most likely to false-positive on unrelated tooling; consider
//    requiring a second artifact, or pair it with $email, if FPs appear.
//  - $email is the most specific indicator; $pdb_path_1/2 encode a user/project
//    name and are unlikely to collide with benign builds.
//  - The regex strings carry both the /i flag and the nocase modifier; the two
//    are redundant (either alone makes the match case-insensitive).
rule ducktail_artifacts
{
meta:
author="WithSecure"
description="Detects artifacts found in files associated to DUCKTAIL malware"
date="2022-07-18"
version="1.0"
reference="https://labs.withsecure.com/publications/ducktail"
// SHA-1 hashes of the samples the artifacts below were taken from.
hash1="3dbd9e1c3d0fd6358d4adcba04fdfc0b6e8acc49"
hash2="9370243589327b458486e3f7637779c2a96b4250"
hash3="b98170b18b906aee771dbd4dbd31e5963a90a50e"
report = "https://www.withsecure.com/en/expertise/research-and-innovation/research/ducktail-an-infostealer-malware"
strings:
// Debug (PDB) paths: any drive letter followed by \projects\viruttest\ or
// \projects\virot\. Case-insensitive via /i (nocase is redundant here).
$pdb_path_1 = /[a-z]\:\\projects\\(viruttest|virot)\\/i nocase ascii
// Debug path under a user profile named "ductai"; same case handling as above.
$pdb_path_2 = /[a-z]\:\\users\\ductai\\/i nocase ascii
// Bare PDB file name; "\\" is a single literal backslash. Generic name -> FP risk.
$pdb_path_3 = "\\dataextractor.pdb" nocase ascii
// Operator e-mail; checked in both ASCII and UTF-16LE (wide) encodings so it
// also hits if embedded in .NET/Unicode metadata.
$email = "ductai2308@gmail.com" wide ascii
condition:
// First two bytes are "MZ" (0x4D 0x5A, read little-endian as 0x5A4D): restrict
// to PE files so the bare e-mail/PDB strings do not fire on text or reports.
uint16(0) == 0x5A4D
// A single artifact is enough to match; see the FP note on $pdb_path_3 above.
and any of them
}