Sneed-Group/Sneed-Reactivity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Sneed-Reactivity/yara-mikesxrs/Booz Allen Hamilton/PolishBankRAT.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK 
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

57 lines
2.1 KiB
Text
Raw Permalink Blame History

rule PolishBankRAT_srservice_xorloop {
meta:
author = "Booz Allen Hamilton Dark Labs"
description = "Finds the custom xor decode loop for <PolishBankRAT-srservice>"
reference = "https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-against-financial-institutions/"
strings:
$loop = { 48 8B CD E8 60 FF FF FF 48 FF C3 32 44 1E FF 48 FF CF 88 43 FF }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $loop
}
rule PolishBankRAT_fdsvc_xor_loop {
meta:
author = "Booz Allen Hamilton Dark Labs"
description = "Finds the custom xor decode loop for <PolishBankRAT-fdsvc>"
reference = "https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-against-financial-institutions/"
strings:
$loop = {0F B6 42 FF 48 8D 52 FF 30 42 01 FF CF 75 F1}
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $loop
}
rule PolishBankRAT_fdsvc_decode2 {
meta:
author = "Booz Allen Hamilton Dark Labs"
description = "Find a constant used as part of a payload decoding function in PolishBankRAT-fdsvc"
reference = "https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-against-financial-institutions/"
strings:
$part1 = {A6 EB 96}
$part2 = {61 B2 E2 EF}
$part3 = {0D CB E8 C4}
$part4 = {5A F1 66 9C}
$part5 = {A4 80 CD 9A}
$part6 = {F1 2F 46 25}
$part7 = {2F DB 16 26}
$part8 = {4B C4 3F 3C}
$str1 = "This program cannot be run in DOS mode"
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
rule decoded_PolishBankRAT_fdsvc_strings {
meta:
author = "Booz Allen Hamilton Dark Labs"
description = "Finds hard coded strings in PolishBankRAT-fdsvc"
reference = "https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-against-financial-institutions/"
strings:
$str1 = "ssylka" wide ascii
$str2 = "ustanavlivat" wide ascii
$str3 = "poluchit" wide ascii
$str4 = "pereslat" wide ascii
$str5 = "derzhat" wide ascii
$str6 = "vykhodit" wide ascii
$str7 = "Nachalo" wide ascii
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and 4 of ($str*)
}
Reference in a new issue View git blame Copy permalink