Sneed-Reactivity/yara-mikesxrs/Mikesxrs/GravityRAT_G1-GX.yar

63 lines
1.8 KiB
Text
Raw Normal View History

rule GravityRAT_G1_PDB
{
meta:
author = "Michael Worth"
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
description = "PDB path for Gravity RAT G1"
strings:
$PDB1 = "f:\\F\\Windows Work\\G1\\Adeel's Laptop\\G1 Main Virus\\systemInterrupts\\gravity\\obj\\x86\\Debug\\systemInterrupts.pdb"
$PDB2 = "f:\\F\\Windows Work\\G1\\Adeel's Laptop\\"
$PDB3 = "\\gravity\\obj\\x86\\Debug\\"
condition:
any of them
}
rule GravityRAT_G2_PDB
{
meta:
author = "Michael Worth"
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
description = "PDB path for Gravity RAT G2"
strings:
$PDB1 = "e:\\Windows Work\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2 v5) (Current)\\Microsoft Virus Solutions\\obj\\Debug\\Windows Wireless 802.11.pdb"
$PDB2 = "e:\\Windows Work\\G2\\"
$PDB3 = "\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2"
condition:
any of them
}
rule GravityRAT_G3_PDB
{
meta:
author = "Michael Worth"
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
description = "PDB path for Gravity RAT G3"
strings:
$PDB1 = "F:\\Projects\\g3\\G3 Version 4.0\\G3\\G3\\obj\\Release\\Intel Core.pdb"
$PDB2 = "F:\\Projects\\g3\\G3 Version "
$PDB3 = "\\G3\\G3\\obj\\Release\\"
condition:
any of them
}
rule GravityRAT_GX_PDB
{
meta:
author = "Michael Worth"
reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
description = "PDB path for Gravity RAT GX"
strings:
$PDB1 = "C:\\Users\\The Invincible\\Desktop\\gx\\gx-current-program\\LSASS\\obj\\Release\\LSASS.pdb"
$PDB2 = "C:\\Users\\The Invincible\\D"
$PDB3 = "Desktop\\gx\\gx-"
condition:
any of them
}