import "pe"
// Detects PE files that embed several well-known sandbox/analysis account names
// AND import the API used to read the current user name, i.e. a likely
// username-based sandbox evasion check.
//
// Detection logic (see condition):
//   * all five $user* strings must be present (ASCII or UTF-16LE), and
//   * the PE import table must reference advapi32.dll!GetUserNameA.
//
// Review notes:
//   * "SANDBOX", "VIRUS" and "MALWARE" are short, generic words that also occur
//     in legitimate security software; the `all of` conjunction plus the import
//     check is what keeps this rule from firing on them alone.
//   * Because every string is required, a sample that checks only a subset of
//     these names will not match — this is a high-precision, low-recall rule.
//   * Only the ANSI import (GetUserNameA) is checked; a sample resolving the
//     wide-character variant (GetUserNameW) or resolving the function at
//     runtime would not be covered. Widen the condition if that matters for
//     your environment.
rule Check_UserNames
{
    meta:
        Author = "Nick Hoffman"
        Description = "Looks for malware checking for common sandbox usernames"
        // Reference sample digest as supplied by the author (32 hex characters,
        // presumably MD5 — confirm before using it as an IoC).
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        // Account names commonly used by automated analysis environments.
        // `wide ascii` matches both 8-bit and UTF-16LE encodings of each name.
        $user1 = "MALTEST" wide ascii
        $user2 = "TEQUILABOOMBOOM" wide ascii
        $user3 = "SANDBOX" wide ascii
        $user4 = "VIRUS" wide ascii
        $user5 = "MALWARE" wide ascii
    condition:
        // Every listed name must be present, and the binary must statically
        // import GetUserNameA (the API that would retrieve the name to compare).
        all of ($user*) and pe.imports("advapi32.dll","GetUserNameA")
}