Sneed-Reactivity/yara-mikesxrs/alienvault/EzuriLoader.yar

rule EzuriLoader : LinuxMalware {
    meta:
        author = "AT&T Alien Labs"
        type = "malware"
        description = "Detects Ezuri Golang loader."
        copyright = "AT&T Cybersecurity 2020"
        reference = "283e0172063d1a23c20c6bca1ed0d2bb"
        report = "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader"
    strings:
        $a1 = "ezuri/stub/main.go"
        $a2 = "main.runFromMemory"
        $a3 = "main.aesDec"
    condition:
        uint32(0) == 0x464c457f and
        filesize < 20MB and all of ($a*)
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 17:43:35 +00:00			`rule EzuriLoader : LinuxMalware {`
			`meta:`
			`author = "AT&T Alien Labs"`
			`type = "malware"`
			`description = "Detects Ezuri Golang loader."`
			`copyright = "AT&T Cybersecurity 2020"`
			`reference = "283e0172063d1a23c20c6bca1ed0d2bb"`
			`report = "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader"`
			`strings:`
			`$a1 = "ezuri/stub/main.go"`
			`$a2 = "main.runFromMemory"`
			`$a3 = "main.aesDec"`
			`condition:`
			`uint32(0) == 0x464c457f and`
			`filesize < 20MB and all of ($a*)`
			`}`