// GravityRAT "G1" build: the developer's Visual Studio PDB path was left in
// the binary and is used here as the indicator (see reference in meta).
rule GravityRAT_G1_PDB
{
    meta:
        author = "Michael Worth"
        reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
        description = "PDB path for Gravity RAT G1"

    strings:
        // Complete path as recorded in the sample.
        $pdb_full   = "f:\\F\\Windows Work\\G1\\Adeel's Laptop\\G1 Main Virus\\systemInterrupts\\gravity\\obj\\x86\\Debug\\systemInterrupts.pdb" ascii
        // Leading fragment only (drive and root folders) - independent of the project name.
        $pdb_prefix = "f:\\F\\Windows Work\\G1\\Adeel's Laptop\\" ascii
        // Trailing fragment only (build-output folders) - independent of the drive/root.
        $pdb_suffix = "\\gravity\\obj\\x86\\Debug\\" ascii

    condition:
        // A single fragment is enough. There is no PE-header or filesize guard,
        // so any file that merely quotes these paths (threat reports, the
        // reference blog, this rule file) will also match.
        any of ($pdb*)
}
// GravityRAT "G2" build: indicator is the PDB path left in the binary, whose
// project folder names themselves give the family away (see reference in meta).
rule GravityRAT_G2_PDB
{
    meta:
        author = "Michael Worth"
        reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
        description = "PDB path for Gravity RAT G2"

    strings:
        // Complete path as recorded in the sample.
        $pdb_full   = "e:\\Windows Work\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2 v5) (Current)\\Microsoft Virus Solutions\\obj\\Debug\\Windows Wireless 802.11.pdb" ascii
        // Leading fragment only (drive and root folders).
        $pdb_prefix = "e:\\Windows Work\\G2\\" ascii
        // Middle fragment: project folders up to, but not including, the version tag.
        $pdb_middle = "\\G2\\G2 Main Virus\\Microsoft Virus Solutions (G2" ascii

    condition:
        // A single fragment is enough. Not scoped to PE files or filesize, so
        // documents that quote these paths will match as well.
        any of ($pdb*)
}
// GravityRAT "G3" build: indicator is the PDB path left in the binary
// (see reference in meta).
rule GravityRAT_G3_PDB
{
    meta:
        author = "Michael Worth"
        reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
        description = "PDB path for Gravity RAT G3"

    strings:
        // Complete path as recorded in the sample.
        $pdb_full   = "F:\\Projects\\g3\\G3 Version 4.0\\G3\\G3\\obj\\Release\\Intel Core.pdb" ascii
        // Leading fragment, cut before the version number so other versions still hit.
        $pdb_prefix = "F:\\Projects\\g3\\G3 Version " ascii
        // Trailing fragment only (project and build-output folders).
        $pdb_suffix = "\\G3\\G3\\obj\\Release\\" ascii

    condition:
        // A single fragment is enough. Not scoped to PE files or filesize, so
        // documents that quote these paths will match as well.
        any of ($pdb*)
}
// GravityRAT "GX" build: indicator is the PDB path left in the binary; note
// the output name mimics a Windows system binary (see reference in meta).
rule GravityRAT_GX_PDB
{
    meta:
        author = "Michael Worth"
        reference = "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
        description = "PDB path for Gravity RAT GX"

    strings:
        // Complete path as recorded in the sample.
        $pdb_full   = "C:\\Users\\The Invincible\\Desktop\\gx\\gx-current-program\\LSASS\\obj\\Release\\LSASS.pdb" ascii
        // Leading fragment: the developer's user profile plus the first letter of the next folder.
        $pdb_prefix = "C:\\Users\\The Invincible\\D" ascii
        // Middle fragment: project folders, cut before the build-name suffix.
        $pdb_middle = "Desktop\\gx\\gx-" ascii

    condition:
        // A single fragment is enough. Not scoped to PE files or filesize, so
        // documents that quote these paths will match as well.
        any of ($pdb*)
}