Sneed-Reactivity/yara-mikesxrs/group-ib/albaniiutas_dropper_exe.yar

38 lines
1.6 KiB
Text
Raw Normal View History

import "pe"
rule albaniiutas_dropper_exe
{
meta:
author = "Dmitry Kupin"
company = "Group-IB"
family = "albaniiutas.dropper"
description = "Suspected Albaniiutas dropper"
reference = "https://blog.group-ib.com/task"
sample = "2a3c8dabdee7393094d72ce26ccbce34bff924a1be801f745d184a33119eeda4" // csrss.exe dropped from 83b619f65...
sample = "71750c58eee35107db1a8e4d583f3b1a918dbffbd42a6c870b100a98fd0342e0" // csrss.exe dropped from 690bf6b83...
sample = "83b619f65d49afbb76c849c3f5315dbcb4d2c7f4ddf89ac93c26977e85105f32" // dropper_stage_0 with decoy
sample = "690bf6b83cecbf0ac5c5f4939a9283f194b1a8815a62531a000f3020fee2ec42" // dropper_stage_0 with decoy
severity = 9
date = "2021-07-06"
strings:
$eventname = /[0-9A-F]{8}-[0-9A-F]{4}-4551-8F84-08E738AEC[0-9A-F]{3}/ fullword ascii wide
$rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 } // L!Q@W#E$R%T^Y&U*A|}t~k
$aes256_str_seed = { 00 65 34 65 35 32 37 36 63 30 30 30 30 31 66 66 35 00 } // e4e5276c00001ff5
$s0 = "Release Entery Error" fullword ascii
$s1 = "FileVJCr error" fullword ascii
$s2 = "wchWSMhostr error" fullword ascii
$s3 = "zlib err0r" fullword ascii
$s4 = "De err0r" fullword ascii
$s5 = "CreateFileW_CH error!" fullword ascii
$s6 = "GetConfigOffset error!" fullword ascii
condition:
5 of them or
(
pe.imphash() == "222e118fa8c0eafeef102e49953507b9" or
pe.imphash() == "7210d5941678578c0a31adb5c361254d" or
pe.imphash() == "41e9907a6c468b4118e968a01461a45b"
)
}