Sneed-Reactivity/yara-mikesxrs/Mikesxrs/KASPERAGENT_MICROPSIA_PDB.yar

24 lines
1.3 KiB
Text
Raw Normal View History

rule KASPERAGENT_MICROPSIA_PDB
{
meta:
Author = "@X0RC1SM"
Description = "Looking for unique PDB"
Reference = "https://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"
Reference2 = "http://www.clearskysec.com/micro-kasper/"
Date = "2017-04-05"
strings:
$PDB1 = "C:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\kasper\\Release\\kasper.pdb"
$PDB2 = "C:\\Users\\Yousef\\Desktop\\MergeFiles\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
$PDB3 = "c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\s7 - Copy - Copy 19-2-17\\Release\\s7.pdb"
$PDB4 = "c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\s7\\Release\\s7.pdb"
$PDB5 = "C:\\Users\\Progress\\Desktop\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
$PDB6 = "D:\\Merge\\Debug\\testproj.pdb"
$PDB7 = "c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\kasper - Copy - 21-2-17\\Release\\kasper.pdb"
$PDB8 = "C:\\Users\\Yousef\\Desktop\\MergeFiles\\merge photos\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
$PDB9 = "C:\\Users\\Yousef\\Desktop\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
$PDB10 = "C:\\Users\\Yousef\\"
$PDB11 = "C:\\Users\\USA\\Documents\\Visual Studio"
condition:
any of them
}