08e8d462fe
RED PILL 🔴 💊
13 lines
467 B
Text
13 lines
467 B
Text
rule malware_windows_winnti_loadperf_dll_loader
|
|
{
|
|
meta:
|
|
description = "Winnti APT group; gzwrite64 imported from loadoerf.ini"
|
|
reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
|
|
author = "@mimeframe"
|
|
md5 = "879ce99e253e598a3c156258a9e81457"
|
|
strings:
|
|
$s1 = "loadoerf.ini" fullword ascii wide
|
|
$s2 = "gzwrite64" fullword ascii wide
|
|
condition:
|
|
all of ($s*)
|
|
}
|