// Hancitor maldoc dropper signature (tag: vb_win32api).
// Fires on an OLE2 compound-file container (legacy Office document format)
// whose raw bytes contain the NUL-delimited ASCII names of the three Win32
// APIs declared below together with the 4-byte marker "POLA".  The block
// comment that follows the rule lists sample file names and a hex byte dump;
// it is reference data only and is not part of the rule.
rule hancitor_dropper : vb_win32api {
    meta:
        author = "Jeff White - jwhite@paloaltonetworks.com @noottrak"
        date = "18AUG2016"
        hash1 = "03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a"
        hash2 = "4b3912077ef47515b2b74bc1f39de44ddd683a3a79f45c93777e49245f0e9848"
        hash3 = "a78972ac6dee8c7292ae06783cfa1f918bacfe956595d30a0a8d99858ce94b5a"
        reference = "https://github.com/pan-unit42/public_tools/tree/master/hancitor"
    strings:
        // Each API name is bracketed by a 0x00 byte on both sides, so only a
        // whole NUL-terminated identifier matches (e.g. "VirtualAllocEx" would
        // not satisfy $api_01).  Note the numbering skips $api_03; the
        // "all of ($api_*)" condition below is unaffected by the gap.
        $api_01 = { 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 }          // \0VirtualAlloc\0
        $api_02 = { 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 }       // \0RtlMoveMemory\0
        $api_04 = { 00 43 61 6C 6C 57 69 6E 64 6F 77 50 72 6F 63 41 00 } // \0CallWindowProcA\0 (bytes decode to "CallWindowProcA"; earlier comment read "CallWindowProcAi")
        // ASCII "POLA".  Its role is not documented on this page — presumably a
        // constant embedded by the dropper; confirm against the listed samples.
        $magic = { 50 4F 4C 41 } // POLA
    condition:
        // D0 CF 11 E0 are the first four bytes of the OLE2 / Compound File
        // Binary header; uint32be keeps the constant in file byte order.
        // All three API-name strings and the marker must be present.
        uint32be(0) == 0xD0CF11E0 and all of ($api_*) and $magic
}
/* SAMPLES:
000f7832251ae4ba41c42c46d83cbf13d0b2aed0c1f949fbe68b728fdcb2fada_S2.exe
0002218f5c47ef709e390288e4268a02bb9d9087a996bb55d3a9c23d68a46760_S2.exe
000fa485eda66fd4b5acd3fee4e2cdf5bd8e82a4968d27c202fe4747dfb57d00_S2.exe
001451cfe7d492163ebcdaa2a3da9eb849ab0bd509cd969dd75965c88c19d5d4_S2.exe
001627a8adaf2ea97b19dd4f6b915abf57bd41b4fe7af33d5f9f381a97d04a3d_S2.exe
001856ba5da54bdf6cb87c61254af2ca9f936e83402e43579177bd0f4ac1f120_S2.exe
0022f6c5ec68cabb34eee693cb23cb72a1099719b93f552cb9a09a99a0086afc_S2.exe
002763b63f07529dd29c7840fed0e1bc68c974364b3aa64f7b6b225ca191f87f_S2.exe
002ccf946b928eb123790aa8a6a4e1574827f6d387c661003df6e095d1d9137b_S2.exe
002d93a56d6da0d4cd39c1d1bb36ebfb8bb493b0a204882120fc305c1b840caa_S2.exe
0031be555860fee238837c1004d2f0ec353487ce6f9d0715106bb5670d965862_S2.exe
0033f126d294bdda76e68d8dc994189a5d82e728e9e2cbe273789107bd855e06_S2.exe
0039b33d9b86b02a4df6a605018a9749693ea3d871b187d9d1e1e0ec58e63f26_S2.exe
003e0e981f9ec2f4ff844161dc2aca600df38965b9dd586532ede80f6367e90b_S2.exe
0042539fb052745f1568b089bf86e41d393b981cdfc7201f7d8bdde145714fe2_S2.exe
0043d7cf12ad497de3cc4739a435f1765ec4c65e05e1f21faecfe40cc9d4fc35_S2.exe
004fa50455bac533cfa150660a6148ed20eb19a1169aa48991367eabb7494f1e_S2.exe 00509f0c3436a02e09a49226169d28979d0b4eb42375cf2dbb1733cc67333b73_S2.exe 0056fc1baedc78d43638f509d4a2ff617567cdffe4e0aa6a9892d80b076b2e4d_S2.exe 0058b39843b0c37520a28a4d239de2e934a811159fe6a310e63b9fcf85ac2cf7_S2.exe 005b3491673d414c65c0b2c8c351b672dd41a1679c97ffd7e4e0a6b1d00580a9_S2.exe 005dee83851ee0db47b705b4ac6857bc4649e59c47418208d62ce3cc0c1f9a02_S2.exe 006446a6303d85b5427139c6bc08c0f12e361d49cd7fa1ccc3e431d2fdd56d8c_S2.exe 006495c7fb7388f0513a24d9d09bf9517d5a3fd05c0da7d39311f6e6cf0f8fe3_S2.exe 0065a97402349fbbe5195effd6329ed89eb276ac3f728c7f8827d913d1296037_S2.exe 006cc18d23ba7ec78ce5d3e78cde63157abd05b1e1908c93c35f99933637a6e7_S2.exe 006cc87046164b41330918db95150f16227aa235865c4c95283b2d5fb9bd0d18_S2.exe 008d53efab6e0be2f356ce86581414db9804d46170eea4b408b6f23690a35487_S2.exe 009794dbe2aefed8ebd0d433c4b5c8931f6b3c1eaf0fbb34ad3fb247ae8dd0b5_S2.exe 009b714c0a6731f2eadd04dab409172d34986526a298b7a1fe4f51152bf6773e_S2.exe 00a1fb0d0a45ec998f65a458e55790e49944bb36b9398d7be495aa7ac7f27ac4_S2.exe 00a24e6e5da9bea88f695e7b15621f418f683ce0b185ee67ba66e91bfe360e53_S2.exe 00a90d131960bbad21a4f787f328d69b3af514f6e800cea606deb97aa0393e29_S2.exe 00aae024d89ebdee5464f410fe588f31a1888f84eb68ee6dddb1ddf9b86012aa_S2.exe 00ae14dc7815f74b083abc290d561d59fa8bc9717c22423fdec109bedc0de170_S2.exe 00b088c257b7aab93e262445085337261a8b6d4369e9e48c6fe840c56971d8c2_S2.exe 00b3c741c366252a8472046960b35636cf6c651a73d94d2810d14446dfae6db1_S2.exe 00b46ed617c1d651dadd8b4abad8b644f30e49e0d12bc378dfb720f9b55b6277_S2.exe 00b4f5d82ff5636d87821e2eb367c63bf83f478d4d4c480a3d9bc920bcd23f4a_S2.exe 00b515429f4b16a501d7c97999eb884210dcf5b413b3896e11c03a926b31289f_S2.exe 00bdb09cd6dfc308cc101aa009240ba612df781c62efb705f7b2ba9c198494d9_S2.exe 00c4a1abded604c193671ac83935cf5e84bf272b5b574c26dfc814821d38155e_S2.exe 00c7f1f0183fdb23eba1c5bfbe94518bbe22093bd8ae648c8c242229ca65c46a_S2.exe 
00c9f1276737f9ab4eb49c6c3a8c955cae7085fb7744ab0f0b90cc6b83eea377_S2.exe 00d552f43b11e0017ff34576e2fbe5d47db4c5141ed0cc7cad1a6367a5161839_S2.exe 00dc95924de13484980037630e916271fdf0568fbb77b2dbe0b622f526b403ba_S2.exe 00ded1b849e87b266e63924bf17e7e142899d1dd57d6085ec6490c29c65c6008_S2.exe 00e67a9a4b5be7bd31fbc88bb3b6e34107f1a93b2b6dab0598cedcfb410fe256_S2.exe 00e706f9118c32ed1cd3ce9e0444053c47daffc3e7e53b32061ec039834292ca_S2.exe 00f0424b7659c7ec499c70cfcea411f71672fc89c92f564bf11b0a043059d2dd_S2.exe BYTES: 558bec833d805b400000750bff1540404000a3805b4000833d805b40000074158b4508506a008b0d805b400051ff1544404000eb0233c05dc3cccccccccccccc558bec833d805b40000074138b4508506a008b0d805b400051ff15484040005dc3cccccccccccccccccccccccccccccc558bec83ec088b45088945f88b4d10894dfc8b551083ea01895510837dfc0074138b45088a4d0c88088b550883c201895508ebd88b45f88be55dc3cccccccccc558bec83ec088b45088945f88b4d10894dfc8b551083ea01895510837dfc00741e8b45088b4d0c8a1188108b450883c0018945088b4d0c83c101894d0cebcd8b45f88be55dc3cccccccccccccccccccc558bec833d885b400000750ac705885b40005c504000b80100000085c074498b0d885b40000fbe1183fa7c740ca1885b40000fbe0885c975088b5508c60200eb278b45088b0d885b40008a1188108b450883c0018945088b0d885b400083c101890d885b4000ebae8b15885b40000fbe0283f87c750f8b0d885b400083c101890d885b40008b15885b40000fbe0285c0750ec705885b40000000000033c0eb05b8010000005dc3cccccccccccccccccc558bec833d845b40000075186a006a006a006a006880414000ff1514414000a3845b4000a1845b40005dc3cccccccccc558bec81ec74020000a10450400033c58945fc6a3c6a008d85a8fdffff50e86dfeffff83c40cc785a8fdffff3c0000008d8df8feffff898db8fdffffc785bcfdffff040100008d95f4fdffff8995d4fdffffc785d8fdffff040100008d85a8fdffff506a006a008b4d0c51ff151041400085c0750733c0e97902000083bdb4fdffff00750ac785b4fdffff0300000083bdb4fdffff03741083bdb4fdffff04740733c0e94d020000e823ffffff898594fdffff83bd94fdffff00750733c0e932020000668b95c0fdffff6689959cfdffffc78598fdffff0081088483bdb4fdffff0475118b8598fdffff0d00308000898598fdffff6a006a006a036a006a000fb78d9cfdffff518d9
5f8feffff528b8594fdffff50ff150c4140008985a0fdffff83bda0fdffff00750733c0e9c4010000837d0801750cc78590fdffffc8414000eb0ac78590fdffffd04140006a008b8d98fdffff5168085040006a006a008d95f4fdffff528b8590fdffff508b8da0fdffff51ff15084140008985a4fdffff83bda4fdffff0075148b95a0fdffff52ff150441400033c0e95801000083bdb4fdffff047550c785e8fdffff040000008d85e8fdffff508d8df0fdffff516a1f8b95a4fdffff52ff15004140008b85f0fdffff0d001100008985f0fdffff6a048d8df0fdffff516a1f8b95a4fdffff52ff1518414000c7858cfdffff00000000837d100074108b451050ff154c40400089858cfdffff8b8d8cfdffff518b5510526810504000ff154c4040005068105040008b85a4fdffff50ff15f4404000c785ecfdffff00000000c785e4fdffff040000006a008d8de4fdffff518d95ecfdffff5268130000208b85a4fdffff50ff15f840400081bdecfdffffc80000007545837d1400743f8b4d1c518b551883ea01528b4514508b8da4fdffff51ff15fc40400085c074168b551c833a00760e8b451c8b088b5514c6040a00eb098b451cc700000000008b8da4fdffff51ff15044140008b95a0fdffff52ff150441400081bdecfdffffc80000007507b801000000eb0233c08b4dfc33cde8b42400008be55dc3cccccccccccccccccccccccccc558bec8b4518508b4d14518b5510528b450c508b4d08516a01e8d2fcffff83c4185dc3cccccccccccccccccccccccccc558bec8b4518508b4d14518b5510528b450c508b4d08516a00e8a2fcffff83c4185dc3cccccccccccccccccccccccccc558bec81ec74020000a10450400033c58945fc6a3c6a008d85a4fdffff50e8fdfaffff83c40cc785a4fdffff3c0000008d8df8feffff898db4fdffffc785b8fdffff040100008d95f4fdffff8995d0fdffffc785d4fdffff040100008d85a4fdffff506a006a008b4d0851ff151041400085c0750733c0e97402000083bdb0fdffff00750ac785b0fdffff0300000083bdb0fdffff03741083bdb0fdffff04740733c0e948020000e8b3fbffff898590fdffff83bd90fdffff00750733c0e92d020000ba500000006689959cfdffffc78594fdffff0081088483bdb0fdffff04751eb8bb0100006689859cfdffff8b8d94fdffff81c900308000898d94fdffff6a016a006a036a006a000fb7959cfdffff528d85f8feffff508b8d90fdffff51ff150c414000898598fdffff83bd98fdffff00750733c0e9b40100006a018b9594fdffff5268085040006a006a008d85f4fdffff5068d44140008b8d98fdffff51ff15084140008985a0fdffff83bda0fdffff0075148b9598fdffff52ff15044
1400033c0e96601000083bdb0fdffff047550c785e8fdffff040000008d85e8fdffff508d8df0fdffff516a1f8b95a0fdffff52ff15004140008b85f0fdffff0d001100008985f0fdffff6a048d8df0fdffff516a1f8b95a0fdffff52ff15184140006a006a006810504000ff154c4040005068105040008b85a0fdffff50ff15f4404000c785ecfdffff00000000c785e4fdffff040000006a008d8de4fdffff518d95ecfdffff5268130000208b85a0fdffff50ff15f840400081bdecfdffffc8000000757a837d0c0074748b4d14c70100000000ba0100000085d274628d85e0fdffff508b4d10518b550c528b85a0fdffff50ff15fc40400089858cfdffff83bd8cfdffff01753383bde0fdffff00742a8b4d0c038de0fdffff894d0c8b55102b95e0fdffff8955108b45148b08038de0fdffff8b5514890aeb02eb02eb958b85a0fdffff50ff15044140008b8d98fdffff51ff150441400081bdecfdffffc80000007507b801000000eb0233c08b4dfc33cde8492100008be55dc3cccc558bec81ec14010000a10450400033c58945fc68040100008d85f8feffff50ff15504040008985ecfeffff83bdecfeffff00745bb9010000006bd1038995f0feffff81bdf0feffff040100007302eb05e8222200008b85f0feffffc68405f8feffff006a006a006a006a008d8df4feffff516a006a008d95f8feffff52ff155440400085c074088b85f4feffffeb0233c08b4dfc33cde8a82000008be55dc3cc558bec83ec2ca10450400033c58945fc0f57c0660f1345e4c745f0008000008b45f050e8e8f6ffff83c4048945e08b4de0894dec8d55f0528b45ec506a006a006a02ff151c4040008945dc837ddc00754d837dec0074476a086a008d4df451e81cf7ffff83c40c8b55ec8b4234508b4dec83c12c518d55f452e842f7ffff83c40c8b45e43345f48b4de8334df88945e4894de88b55ec8b42088945ecebb38b4de051e8a9f6ffff83c404e8b1feffff33d28945d48955d88b45d48b55d8b120e8fc2100003345e43355e88b4dfc33cde8cf1f00008be55dc3cccccccccccccccc558beca1385c40000b053c5c40007510e80bffffffa3385c400089153c5c4000a1385c40008b153c5c40005dc3cccccc558bec83ec08a10450400033c58945fcb8010000006bc8000fbe91145c400085d2741668145c40008b450850ff1558404000b801000000eb468d4df8516a2068145c40006a0068d8414000e8d0faffff83c41483f801751668145c40008b550852ff1558404000b801000000eb1168f04140008b450850ff155840400033c08b4dfc33cde80a1f00008be55dc3cccccc558bec81ec0c020000a10450400033c58945fcc785f8fdffff00010000c785f4fdffff000000008d8
5f8fdffff508b8df8fdffff518d95fcfdffff5268f8414000e87afaffff83c41083f801755db8010000006bc8000fbe940dfcfdffff83fa3c7548b801000000c1e0000fbe8c05fcfdffff83f9217533ba01000000d1e20fbe8415fcfdffff83f864751fb9010000006bd1030fbe8415fcfdffff83f86f750ac785f4fdffff010000008b85f4fdffff8b4dfc33cde8481e00008be55dc3cc558becb8010000006bc8008b55080fbe040a83f87b757eb901000000d1e18b55080fbe040a83f83a756bb901000000c1e1008b55080fbe040a83f8727450b901000000c1e1008b55080fbe040a83f875743cb901000000c1e1008b55080fbe040a83f8647428b901000000c1e1008b55080fbe040a83f86c7414b901000000c1e1008b55080fbe040a83f86e7507b801000000eb0233c05dc3cccccccccccccc558becb801000000c1e0008b4d080fbe140183fa3a756bb8010000006bc8008b55080fbe040a83f8727450b9010000006bd1008b45080fbe0c1083f975743cba010000006bc2008b4d080fbe140183fa647428b8010000006bc8008b55080fbe040a83f86c7414b9010000006bd1008b45080fbe0c1083f96e7507b801000000eb0233c05dc3cccccccccccccccccccc558bec81ec44050000a10450400033c58945fcff155c4040008985d8faffffe82cfdffff8985bcfaffff8995c0faffff8d85dcfeffff50e8040c000083c4048d4ddc51e838fdffff83c4048b95d8faffff81e2ffff00000fb7c225ff0000000fb6c8898dc4faffff8b95d8faffff81e2ffff00000fb7c2c1e80825ff0000000fb6c8898dc8faffffe8131c00008985ccfaffff83bdccfaffff01750cc785d4faffff0c424000eb0ac785d4faffff104240008b95d4faffff528b85c8faffff508b8dc4faffff518d55dc528d85dcfeffff50684c5040008b8dc0faffff518b95bcfaffff5268144240008d85dcfaffff50ff15ec40400083c428833d105c40000075236800040000e873f2ffff83c404a3105c4000b9010000006bd100a1105c4000c6041000c785d0faffff0100000083bdd0faffff010f858b000000b9010000006bd100a1105c40000fbe0c1085c975158b15105c400052e822f3ffff */