Sneed-Reactivity/yara-mikesxrs/Mikesxrs/CN_group_PDB.yar


rule CN_group_PDB
{
    // Flags binaries carrying the PDB (debug symbol) path observed in the
    // 1937CN campaign described in the Reference below. PDB paths are compiler
    // artifacts and are usually left untouched between builds, which is what
    // makes them a useful attribution pivot.
    meta:
        Author = "mikesxrs"
        Description = "Looking for unique 1937CN group PDB"
        Reference = "https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-campaign-targeting-Vietnamese-organisations-using-a-weaponized-Word-documents"
        Date = "2017-08-23"
    strings:
        // Full path exactly as seen in the sample: the most specific indicator
        // and the one with the lowest false-positive risk.
        $p_full = "G:\\Work\\Bison\\BisonNewHNStubDll\\Release\\Goopdate.pdb" ascii wide nocase
        // Project/output tail without the drive and root folder, so a rebuild
        // from a different working directory still matches.
        $p_tail = "\\BisonNewHNStubDll\\Release\\Goopdate.pdb" ascii wide nocase
        // Bare working-directory prefix only. NOTE(review): this is short and
        // generic; anything built under a G:\Work\Bison tree may match, and
        // because the condition accepts any single string it is sufficient on
        // its own. Hits that match only this string deserve manual triage.
        $p_prefix = "G:\\Work\\Bison\\" ascii wide nocase
    condition:
        // Any one of the three path fragments is enough to alert.
        1 of ($p_*)
}