Sneed-Reactivity/yara-mikesxrs/alienvault/APT1_RARSilent_EXE_PDF.yar

private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii

        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`private rule APT1_RARSilent_EXE_PDF`
			`{`
			`meta:`
			`author = "AlienVault Labs"`
			`info = "CommentCrew-threat-apt1"`

			`strings:`
			`$winrar1 = "WINRAR.SFX" wide ascii`
			`$winrar2 = ";The comment below contains SFX script commands" wide ascii`
			`$winrar3 = "Silent=1" wide ascii`

			`$str1 = /Setup=[\s\w\"]+\.(exe\|pdf\|doc)/`
			`$str2 = "Steup=\"" wide ascii`
			`condition:`
			`all of ($winrar) and 1 of ($str)`
			`}`