Sneed-Reactivity/yara-mikesxrs/proofpoint/AdGholas_mem_MIME.yar

19 lines
641 B
Text
Raw Normal View History

rule AdGholas_mem_MIME
{
meta:
malfamily = "AdGholas"
author = "Proofpoint"
reference = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
reference2 = "https://blog.malwarebytes.com/cybercrime/exploits/2016/12/adgholas-malvertising-business-as-usual/"
strings:
$b1=".300000000" ascii nocase wide fullword
$b2=".saz" ascii nocase wide fullword
$b3=".py" ascii nocase wide fullword
$b4=".pcap" ascii nocase wide fullword
$b5=".chls" ascii nocase wide fullword
condition:
all of ($b*)
}