Sneed-Reactivity/yara-mikesxrs/group-ib/webdavo_rat.yar

31 lines
913 B
Text
Raw Normal View History

import "pe"
rule webdavo_rat
{
meta:
author = "Dmitry Kupin"
company = "Group-IB"
family = "webdavo.rat"
description = "Suspected Webdav-O RAT (YaDisk)"
reference = "https://blog.group-ib.com/task"
sample = "7874c9ab2828bc3bf920e8cdee027e745ff059237c61b7276bbba5311147ebb6" // x86
sample = "849e6ed87188de6dc9f2ef37e7c446806057677c6e05a367abbd649784abdf77" // x64
severity = 9
date = "2021-06-10"
strings:
$rc4_key_0 = { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B }
$rc4_key_1 = { C3 02 03 04 05 DD EE 08 09 10 11 12 1F D2 15 16 }
$s0 = "y_dll.dll" fullword ascii
$s1 = "test3.txt" fullword ascii
$s2 = "DELETE" fullword wide
$s3 = "PROPFIND" fullword wide
condition:
(any of ($rc4_key*) or 3 of ($s*)) or
(
pe.imphash() == "43021febc8494d66a8bc60d0fa953473" or
pe.imphash() == "68320a454321f215a3b6fcd7d585626b"
)
}