import "pe"

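// Detects the BlackGuard infostealer. The rule pairs structural PE checks
// (import hash, exact section layout) with a set of embedded strings; the
// string set (System.Data.SQLite, FromBase64String) points to a .NET build.
// All matching logic lives in the condition block; meta is informational only.
rule Mal_Infostealer_Win32_BlackGuard
{
    meta:
        description = "Detects W32 BlackGuard Infostealer"
        author = "BlackBerry Threat Research team"
        reference = "https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer"
        // Original value was "2022-14-04", which has no valid month; month and
        // day were transposed. Corrected to ISO order, consistent with the
        // April 2022 reference above.
        date = "2022-04-14"
        sha256 = "6AB3B21FA7CB638ED68509BE1ED6302284E8A9CD1A10F9B6837C057154AA6162"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"

    strings:
        // Byte sequence taken from the reference sample. NOTE(review): it reads
        // like a CIL fragment (ldloc / ldelem.u1 / xor with 0xAA / stelem),
        // i.e. a single-byte XOR decode step — TODO confirm against the sample
        // before tuning or widening it.
        $a1 = { 06 91 06 61 20 AA 00 00 00 61 D2 9C 06 17 58 0A }
        // ASCII, case-sensitive strings: .NET library/API names, Win32 API names
        // and the browser/VPN/messaging targets the stealer enumerates. Each is
        // generic on its own; the condition only fires on most of them together
        // with the PE checks below.
        $a2 = "System.Data.SQLite"
        $a3 = "FromBase64String"
        $a4 = "BlockInput"
        $a5 = "UploadFile"
        $a6 = "Passwords"
        $a7 = "Discord"
        $a8 = "GetVolumeInformationA"
        $a9 = "NordVPN"
        $a10 = "OpenVPN"
        $a11 = "ProtonVPN"
        $a12 = "OperaCookies"
        $a13 = "EdgeCookies"
        $a14 = "ChromeCookies"

        // UTF-16 marker string; its meaning is not documented in the rule.
        $b1 = "upche" wide

    condition:
        // Cheap MZ header check first so the pe.* evaluations (and the imphash
        // computation) only run on PE-shaped files.
        uint16(0) == 0x5a4d and
        // NOTE(review): this imphash is the one widely reported for an import
        // table consisting only of mscoree.dll!_CorExeMain, which most .NET
        // executables share. It excludes non-.NET files but adds little
        // family-specific signal; the strings carry the real specificity.
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
        // Exactly three sections in .text / .rsrc / .reloc order — a structural
        // fingerprint of the analysed build. Repacked or modified samples with a
        // different section layout will not match this rule.
        pe.number_of_sections == 3 and
        pe.section_index(".text") == 0 and
        pe.section_index(".rsrc") == 1 and
        pe.section_index(".reloc") == 2 and
        // Either every $a string is present, or at most two of the fourteen $a
        // strings are missing and the wide $b1 marker compensates.
        (all of ($a*) or (12 of ($a*) and all of ($b*)))
}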