Sneed-Reactivity/yara-mikesxrs/Dragonthreatlabs/apt_c16_win_memory_pcclient.yar

19 lines
603 B
Text
Raw Normal View History

import "pe"
rule apt_c16_win_memory_pcclient : Memory APT
{
meta:
author = "@dragonthreatlab"
md5 = "ec532bbe9d0882d403473102e9724557"
description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check."
date = "2015/01/11"
reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html"
strings:
$str1 = "Kill You" ascii
$str2 = "%4d-%02d-%02d %02d:%02d:%02d" ascii
$str3 = "%4.2f KB" ascii
$encodefunc = {8A 08 32 CA 02 CA 88 08 40 4E 75 F4}
condition:
all of them
}