08e8d462fe
RED PILL 🔴 💊
23 lines
1.3 KiB
Text
23 lines
1.3 KiB
Text
rule KASPERAGENT_MICROPSIA_PDB
|
|
{
|
|
meta:
|
|
Author = "@X0RC1SM"
|
|
Description = "Looking for unique PDB"
|
|
Reference = "https://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"
|
|
Reference2 = "http://www.clearskysec.com/micro-kasper/"
|
|
Date = "2017-04-05"
|
|
strings:
|
|
$PDB1 = "C:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\kasper\\Release\\kasper.pdb"
|
|
$PDB2 = "C:\\Users\\Yousef\\Desktop\\MergeFiles\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
|
|
$PDB3 = "c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\s7 - Copy - Copy 19-2-17\\Release\\s7.pdb"
|
|
$PDB4 = "c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\s7\\Release\\s7.pdb"
|
|
$PDB5 = "C:\\Users\\Progress\\Desktop\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
|
|
$PDB6 = "D:\\Merge\\Debug\\testproj.pdb"
|
|
$PDB7 = "c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\kasper - Copy - 21-2-17\\Release\\kasper.pdb"
|
|
$PDB8 = "C:\\Users\\Yousef\\Desktop\\MergeFiles\\merge photos\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
|
|
$PDB9 = "C:\\Users\\Yousef\\Desktop\\Loader v0\\Loader\\obj\\Release\\Loader.pdb"
|
|
$PDB10 = "C:\\Users\\Yousef\\"
|
|
$PDB11 = "C:\\Users\\USA\\Documents\\Visual Studio"
|
|
condition:
|
|
any of them
|
|
}
|