Sneed-Reactivity/yara-mikesxrs/AirBnB/malware_windows_apt_whitebear_binary_loader_2.yara
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

17 lines
770 B
Text

rule malware_windows_apt_whitebear_binary_loader_2
{
meta:
description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"
reference = "https://securelist.com/introducing-whitebear/81638/"
author = "@fusionrace"
md5 = "06bd89448a10aa5c2f4ca46b4709a879"
strings:
// Non-native English-speaker debug messages
$b1 = "i cunt waiting anymore #%d" wide ascii
$b2 = "lights aint turnt off with #%d" wide ascii
$b3 = "Not find process" wide ascii
$b4 = "CMessageProcessingSystem::Receive_TAKE_NOP" wide ascii
$b5 = "CMessageProcessingSystem::Receive_TAKE_CAN_NOT_WORK" wide ascii
condition:
3 of ($b*)
}