rule CredentialStealer_Generic_Backdoor { meta: description = "Detects credential stealer byed on many strings that indicate password store access" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "Internal Research" date = "2017-06-07" hash1 = "edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c" id = "b3124f6c-4e18-562c-84d9-d51e086da446" strings: $s1 = "GetOperaLoginData" fullword ascii $s2 = "GetInternetExplorerCredentialsPasswords" fullword ascii $s3 = "%s\\Opera Software\\Opera Stable\\Login Data" fullword ascii $s4 = "select * from moz_logins" fullword ascii $s5 = "%s\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii $s6 = "Host.dll.Windows" fullword ascii $s7 = "GetInternetExplorerVaultPasswords" fullword ascii $s8 = "GetWindowsLiveMessengerPasswords" fullword ascii $s9 = "%s\\Chromium\\User Data\\Default\\Login Data" fullword ascii $s10 = "%s\\Opera\\Opera\\profile\\wand.dat" fullword ascii condition: ( uint16(0) == 0x5a4d and 4 of them ) }