13 lines
431 B
Text
13 lines
431 B
Text
|
rule APT28_SkinnyBoy_Dropper: RUSSIAN THREAT ACTOR {
|
||
|
meta:
|
||
|
author = "Cluster25"
|
||
|
hash1 = "12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9"
|
||
|
report = "https://21649046.fs1.hubspotusercontent-na1.net/hubfs/21649046/2021-05_FancyBear.pdf"
|
||
|
strings:
|
||
|
$ = "cmd /c DEL " ascii
|
||
|
$ = " \"" ascii
|
||
|
$ = {8a 08 40 84 c9 75 f9}
|
||
|
$ = {0f b7 84 0d fc fe ff ff 66 31 84 0d fc fd ff ff}
|
||
|
condition:
|
||
|
(uint16(0) == 0x5A4D and all of them)
|
||
|
}
|