Sneed-Reactivity/yara-mikesxrs/Secuinfra/APT_Bitter_Almond_Rat.yar


/*
Yara Rule Set
Author: SECUINFRA Falcon Team
Date: 2022-06-23
Identifier: 0x03-yara_win-Bitter_T-APT-17
Reference: "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
*/
/* Rule Set ------------------------------------------------------- */
import "pe"
import "dotnet"
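rule APT_Bitter_Almond_RAT {
    /*
      Detects the Almond RAT (.NET) attributed to Bitter / T-APT-17.
      Matches only when the file has an MZ header, is a .NET assembly whose
      metadata reports CLR "v4.0.30319", falls inside a narrow size band,
      and carries at least one string from EACH of the two string groups.
    */
    meta:
        description = "Detects Bitter (T-APT-17) Almond RAT (.NET)"
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        tlp = "WHITE"
        // Leading space removed from the URL so tooling that extracts
        // reference metadata receives a well-formed link.
        reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
        date = "2022-06-01"
        hash = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396"
    strings:
        // Group 1: ASCII identifiers (presumably method names kept in the
        // assembly metadata; the rule itself does not depend on that).
        $function0 = "GetMacid" ascii
        $function1 = "StartCommWithServer" ascii
        $function2 = "sendingSysInfo" ascii
        // Group 2: UTF-16LE literals. The rule needs any one of them; their
        // exact role in the implant is not established by this file.
        $dbg0 = "*|END|*" wide
        $dbg1 = "FILE>" wide
        $dbg2 = "[Command Executed Successfully]" wide
    condition:
        uint16(0) == 0x5a4d                 // "MZ" DOS header
        // Exact CLR version string from the .NET metadata header. A build of
        // the same code targeting a different runtime will NOT match; widen
        // this only if such samples are observed.
        and dotnet.version == "v4.0.30319"
        and filesize > 12KB                 // Size on Disk/1.5
        and filesize < 68KB                 // Size of Image*1.5
        // One hit from each group is required, so a single shared
        // identifier is not enough on its own.
        and any of ($function*)
        and any of ($dbg*)
}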