13 lines
471 B
Text
13 lines
471 B
Text
rule nexe_piratesteal {
|
|
meta:
|
|
author = "Intezer"
|
|
description = "Hunting for Nexe compiled PirateStealer Dropper"
|
|
tlp = "white"
|
|
strings:
|
|
$nexe_str = "process.__nexe = {\"resources\""
|
|
$steal_str0 = "file.includes(\"iscord\")"
|
|
$steal_str1 = "\\app-*\\modules\\discord_desktop_core-*\\discord_desktop_core\\index.js"
|
|
$steal_str2 = "pwnBetterDiscord"
|
|
condition:
|
|
(uint16(0) == 0x5A4D and $nexe_str and 2 of ($steal_str*))
|
|
}
|