/*
   YARA Rule Set
   Author: SECUINFRA Falcon Team
   Date: 2022-06-23
   Identifier: 0x03-yara_win-Bitter_T-APT-17
   Reference: "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
import "dotnet"
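rule APT_Bitter_Almond_RAT {
    // Detects the Bitter (T-APT-17) "Almond RAT" .NET implant by its method
    // names and C2 marker strings, gated on an MZ file that the dotnet module
    // reports as CLR v4.0.30319 and that falls in a narrow size window.
    // The rule was tuned against a single reference sample (see `hash`), so
    // the size and runtime-version gates are the parts most likely to need
    // loosening for later builds. Only the `dotnet` module is referenced
    // here; the `pe` module imported at the top of the file is unused by
    // this rule.

    meta:
        description = "Detects Bitter (T-APT-17) Almond RAT (.NET)"
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        // TLP 1.0 label; the equivalent under TLP 2.0 is TLP:CLEAR.
        tlp = "WHITE"
        // Leading whitespace removed from the URL so tooling that reads the
        // `reference` field gets a well-formed link.
        reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
        date = "2022-06-01"
        // SHA-256 of the reference sample the thresholds below were derived from.
        hash = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396"

    strings:
        // Method names. In a .NET assembly these are stored in the metadata
        // #Strings heap, which is UTF-8, hence `ascii` only.
        $function0 = "GetMacid" ascii
        $function1 = "StartCommWithServer" ascii
        $function2 = "sendingSysInfo" ascii

        // C2 protocol / status marker literals. Managed string literals live
        // in the #US heap as UTF-16LE, hence `wide`.
        $dbg0 = "*|END|*" wide
        $dbg1 = "FILE>" wide
        $dbg2 = "[Command Executed Successfully]" wide

    condition:
        // Cheap MZ-magic gate; every further term only has to hold for
        // candidate PE files.
        uint16(0) == 0x5a4d
        // Exact CLR runtime version string of the reference sample. If the
        // dotnet module cannot parse the file this field is undefined and the
        // comparison does not match, which also excludes native PEs. A sample
        // rebuilt for another runtime will not match; use a looser comparison
        // (e.g. `contains`) if that becomes a problem.
        and dotnet.version == "v4.0.30319"
        // Size window derived from the reference sample
        // (SizeOnDisk / 1.5 .. SizeOfImage * 1.5). Padding or repacking the
        // binary pushes it outside the window, so treat this as a
        // false-positive filter rather than a detection signal.
        and filesize > 12KB // Size on Disk/1.5
        and filesize < 68KB // Size of Image*1.5
        // Require one method name AND one marker literal: a single generic
        // string such as "FILE>" must not fire the rule on its own.
        and any of ($function*)
        and any of ($dbg*)
}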