// Neutrino (N3utrino) detection: two independent signals, either one fires the rule.
//   1. C2 request-body format strings ($post_*): any single hit is a strong indicator
//      on its own, since these literal templates are specific to the bot's protocol.
//   2. Plain-text bot command keywords ($command*): generic words that can occur in
//      benign software, so a threshold of 4 of the 8 is required before they count.
// NOTE(review): very short atoms such as "usb" may draw YARA's slow-scanning warning
// at compile time — confirm when the rule is compiled.
rule N3utrino
{
    meta:
        Author = "Nick Hoffman"
        Description = "Detects versions of Neutrino malware"
        ref = "http://www.morphick.com/resources/lab-blog/evening-n3utrino"

    strings:
        // C2 POST body templates (printf-style placeholders are part of the literal).
        $post_host_information = "getcmd=1&uid=%s&os=%s&av=%s&nat=%s&version=%s&serial=%s&quality=%i"
        $post_cc_information = "dumpgrab=1&track_type=%s&track_data=%s&process_name=%s"
        $post_taskexec = "taskexec=1&task_id=%s"
        $post_taskfail = "taskfail=1&task_id=%s"

        // Bot command keywords; individually weak, evaluated as a group in the condition.
        $command1 = "loader"
        $command2 = "findfile"
        $command3 = "spread"
        $command4 = "archive"
        $command5 = "usb"
        $command6 = "botkiller"
        $command7 = "dwflood"
        $command8 = "keylogger"

    condition:
        // One protocol template suffices; the keyword branch needs 4 of 8 to limit
        // false positives from common words like "loader" or "archive".
        1 of ($post*) or 4 of ($command*)
}