14 lines
467 B
Text
14 lines
467 B
Text
|
rule malware_windows_winnti_loadperf_dll_loader
|
||
|
{
|
||
|
meta:
|
||
|
description = "Winnti APT group; gzwrite64 imported from loadoerf.ini"
|
||
|
reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
|
||
|
author = "@mimeframe"
|
||
|
md5 = "879ce99e253e598a3c156258a9e81457"
|
||
|
strings:
|
||
|
$s1 = "loadoerf.ini" fullword ascii wide
|
||
|
$s2 = "gzwrite64" fullword ascii wide
|
||
|
condition:
|
||
|
all of ($s*)
|
||
|
}
|