Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-mikesxrs/1aN0rmus/pos_malware.yara
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

76 lines
No EOL
2.2 KiB
Text
Raw Permalink Blame History

// Point of Sale (POS) Malware
rule pos_memory_scrapper2
{
meta:
author = "@patrickrolsen"
maltype = "Point of Sale (POS) Malware Memory Scraper"
version = "0.2"
description = "POS Memory Scraper"
reference = "7f9cdc380eeed16eaab3e48d59f271aa http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html"
date = "01/03/2014"
strings:
$magic = { 4D 5A } // MZ Header
$string1 = "kartoxa" nocase
$string2 = "CC2 region:"
$string3 = "CC memregion:"
$string4 = "target pid:"
$string5 = "scan all processes:"
$string6 = "<pid> <PATTERN>"
$string7 = "KAPTOXA" nocase
condition:
($magic at 0) and all of ($string*)
}
rule pos_malwre_dexter_stardust
{
meta:
author = "@patrickrolsen"
maltype = "Dexter Malware - StarDust Variant"
version = "0.1"
description = "Table 2 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
reference = "16b596de4c0e4d2acdfdd6632c80c070, 2afaa709ef5260184cbda8b521b076e1, and e3dd1dc82ddcfaf410372ae7e6b2f658"
date = "12/30/2013"
strings:
$magic = { 4D 5A } // MZ Header
$string1 = "ceh_3\\.\\ceh_4\\..\\ceh_6"
$string2 = "Yatoed3fe3rex23030am39497403"
$string3 = "Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19"
$string4 = "CommonFile.exe"
condition:
($magic at 0) and all of ($string*)
}
rule pos_malware_project_hook
{
meta:
author = "@patrickrolsen"
maltype = "Project Hook"
version = "0.1"
description = "Table 1 arbornetworks.com/asert/wp-content/uploads/2013/12/Dexter-and-Project-Hook-Break-the-Bank.pdf"
reference = "759154d20849a25315c4970fe37eac59"
date = "12/30/2013"
strings:
$magic = { 4D 5A } // MZ Header
$string1 = "CallImage.exe"
$string2 = "BurpSwim"
$string3 = "Work\\Project\\Load"
$string4 = "WortHisnal"
condition:
($magic at 0) and all of ($string*)
}
rule pdb_strings_Rescator
{
meta:
author = "@patrickrolsen"
maltype = "N/A Threat Intel..."
version = "0.2"
description = "Rescator PDB strings within binaries"
date = "01/03/2014"
strings:
$magic = { 4D 5A } // MZ Header
$pdb1 = "\\Projects\\Rescator" nocase
condition:
($magic at 0) and $pdb1
}
Reference in a new issue View git blame Copy permalink