Sneed-Reactivity/yara-Neo23x0/crime_evilcorp_dridex_banker.yar

31 lines
881 B
Text
Raw Normal View History

/*
https://twitter.com/VK_Intel/status/1247058432223477760
*/
import "pe"
rule crime_win32_dridex_socks5_mod {
meta:
description = "Detects Dridex socks5 module"
author = "@VK_Intel"
date = "2020-04-06"
reference = "https://twitter.com/VK_Intel/status/1247058432223477760"
id = "cee256b1-ad80-55dd-bbd3-0d3f7bc49664"
strings:
$s0 = "socks5_2_x32.dll"
$s1 = "socks5_2_x64.dll"
condition:
any of ($s*) and pe.exports("start")
}
rule crime_win32_hvnc_banker_gen {
meta:
description = "Detects malware banker hidden VNC"
author = "@VK_Intel"
reference = "https://twitter.com/VK_Intel/status/1247058432223477760"
date = "2020-04-06"
id = "5e13f4a9-2231-524f-82b2-fbc6d6a43b6f"
condition:
pe.exports("VncStartServer") and pe.exports("VncStopServer")
}