Sneed-Reactivity/yara-mikesxrs/clearskysec/comlook.yar

49 lines
1.4 KiB
Text
Raw Normal View History

import "pe"
rule apt_RU_turla_comlook
{
meta:
date="20/01/22"
Author = "ClearSky Cybersecurity"
TLP = "WHITE"
strings:
$a1 = "\x00Server switched.\x00"
$a2 = "\x00Message handling error!\x00"
$a3 = "\x00Incorrect username in IMAP request.\x00"
$a4 = "\x00Incorrect password in IMAP request.\x00"
$a5 = "atexit failed to register curl_global_cleanup.\x00"
$a6 = "curl FetchMessagePart failed."
$a7 = "curl PerformQuery failed."
$a8 = "curl SendResult failed."
$a9 = "Cannot copy data for sending buffer."
$a10 = "Initialization of libcurl has failed."
$a11 = "COULDN'T OPEN PIPES TO RECEIVE EXECUTION RESULT\x00"
$a12 = "OPERATION PERFORMED SUCCESSFULLY WITHOUT WAITING FOR RESULT\x00"
$a13 = "OPERATION PERFORMED SUCCESSFULLY WITH NULL RESULT.\x00"
$a14 = "COMMAND IS EMPTY.\x00"
$a15 = "Antispam Marisuite for The Bat!"
$a16 = "\x00CMD_EXECUTION_PIPE_OPEN_ERROR\x00"
$a17 = "\x00CONFIG_LAST_COMMAND_DATE_REG_WRITE_ERROR\x00"
$a18 = "\x00IMAP_MAILSERVER_FORMAT_INCORRECT\x00"
$a19 = "\x00GET_UIDS_TO_CHECK_PARSING_ERROR\x00"
$b1 = "\x00SEARCH UID \x00"
$b2 = "\x00 +FLAGS \\Deleted\x00"
$b3 = "\x00UID SEARCH SENTSINCE \x00"
$b4 = "Software\\RIT\\The Bat!\x00" wide
condition:
filesize < 10MB and uint16(0) == 0x5A4D and
(
pe.imphash() == "ee4ac9f3c15a225a117392a01b78686e" or
2 of ($a*) or
3 of ($b*) or
(
pe.imports("TBP_Intialize") and
any of ($a*)
)
)
}